SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #51
June 29, 2018
****************************************************************************
SANS NewsBites June 29, 2018 Vol. 20, Num. 051
****************************************************************************
TOP OF THE NEWS
Russian Cyberattack Threat is Growing
Ukraine Says Russians Setting Up Big Cyber Attack
REST OF THE WEEK'S NEWS
California Data Privacy Bill Becomes Law
Equifax Agrees to Cybersecurity Requirements; Former Employee Charged with Insider Trading
Exactis Data Breach
Ticketmaster UK Acknowledges Data Breach
Contractor Who Leaked Election Meddling Info Sentenced to Prison
RAMpage Vulnerability Affects Android Devices
Firefox Updates
Information Sharing is Still Largely a One-Way Street
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By RedCanary ************************
"Putting Out the Fire: Improving SecOps Retention From Day One" This webcast will share how Red Canary built and executed a new training model to reinvent personnel training and professional development. Learn how to apply a repeatable process to help new analysts of any skill level become fully functional and self-sufficient within a month. Register: http://www.sans.org/info/205085
*****************************************************************************
-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018
-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018
-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018
-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018
-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018
-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- SANS London September 2018 | September 17-22 https://www.sans.org/event/london-september-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Best Offers of the Year: Get a 12.9" iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course, Offer Ends July 18.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
Russian Cyberattack Threat is Growing
(June 25, 2018)
Ciaran Martin, the head of the UK's National Cyber Security Centre (NCSC) at GCHQ, told parliament's National Security Strategy Committee that there has been a "consistent rise in the appetite for attack from Russia on critical sectors." Martin also told the committee that the NCSC is sponsoring 500 university students with GBP 4,000 ($5,230 USD) each toward tuition and fees in return for a commitment to work in cybersecurity when they graduate.
[Editor Comments]
[Murray] However one may feel about the legitimacy of the Russian activity, it is now part of their foreign policy implementation; it is not going away. It is a part of the threat profile and we must secure accordingly.
Read more in:
The National: Threat of cyber attack from Russia has intensified, British MPs told
--
Ukraine Says Russians Setting Up Big Cyber Attack
(June 26, 2018)
Ukraine's cyber police chief says that Russian hackers are infecting systems at Ukrainian companies to lay groundwork for a larger, coordinated attack. Serhiy Demedyuk said that analysis of the malware indicates it is being set up to activate on a specific day.
[Editor Comments]
[Murray] And we must be prepared for the Russians to move from espionage to sabotage.
Read more in:
Reuters: Exclusive: Ukraine says Russian hackers preparing massive strike
************************** SPONSORED LINKS ********************************
1) "Cloud Security Visibility: Establishing security control of the cloud estate" with Dave Shackleford. Register: http://www.sans.org/info/205090
2) Don't Miss: "Enterprise Security with a Fluid Perimeter" Register to get the associated whitepaper: http://www.sans.org/info/205095
3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205100 and enter to win a $400 Amazon gift card!
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
California Data Privacy Bill Becomes Law
(June 28, 2018)
California Governor Jerry Brown has signed the California Consumer Privacy Act of 2018. Taking effect on January 1, 2020, the law will give California residents the right to know what data companies collect about them and how that information is shared. Consumers will also have the right to prohibit companies from selling their data. The law bears similarities to the EU's General Data Protection Regulation (GDPR), which went into effect in late May. Its passage has prompted the withdrawal of a state ballot initiative that would have accomplished many of the same things. One difference is that the ballot initiative would have prohibited companies from denying service to consumers who opt out of having their data stored and tracked; the law allows companies to charge consumers different rates depending on the level of data sharing they have chosen.
[Editor Comments]
[Neely] With the increasing frequency of data breaches, see the Exactis story below, legislation like this is needed to allow consumers to know where their data is used and to put a stop to it when needed. While threats of diluting the bill over the next 18 months are being raised, each amendment requires a 2/3 majority vote to take effect.
Read more in:
Wired: California Unanimously Passes Historic Privacy Bill
https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill/
CNN: California passes strictest online privacy law in the country
http://money.cnn.com/2018/06/28/technology/california-consumer-privacy-act/index.html
Fortune: California Passes Groundbreaking Consumer Data Privacy Law With Fines for Violations
http://fortune.com/2018/06/28/california-law-consumer-privacy-gdpr-fines-violations/
Mercury News: California data privacy bill signed to head off ballot initiative
--
Equifax Agrees to Cybersecurity Requirements; Former Employee Charged with Insider Trading
(June 28, 2018)
Equifax has agreed to comply with security requirements put in place by financial regulators from eight US states. The requirements are a response to the massive data breach that compromised information belonging to more than 147 million individuals. In a related story, a former Equifax employee has been charged with insider trading. Sudhakar Reddy Bonthu, who was one of the Equifax employees orchestrating the company's public response to the breach, allegedly profited from making trades prior to the breach's disclosure.
[Editor Comments]
[Pescatore] Mega-breaches like this one get a lot of press attention but the scale is so large that they usually aren't great examples to use with CEOs and boards unless you are of similar scale. However, it is good to use this one to emphasize that Equifax lacked basic security hygiene processes ("...security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls.") that, if in place, would have easily avoided the $250M incident.
[Henry] While I'm a believer in states' rights, I believe that requiring organizations to respond to requirements imposed by 50 or more different governing agencies is onerous and self-defeating. It stretches limited resources, and in some cases can actually be conflicting. These breach-issues do not know geographic boundaries, and the implementation of national standards is an option that should be explored. I also appreciate pursuing charges against those alleged to have personally profited while innocent victims suffered. A breach is a calamity which requires executives to respond expeditiously to protect the company and its customers. Exploiting this crisis for personal gain is abhorrent, and law enforcement actions are appropriate to deter others from doing the same.
[Murray] The problem here goes beyond illegitimate access to this data. We need a change in the legal regime that legitimizes this industry to give the subject of the data the right to free access to all the data about him, to all changes to that data, and to all sales and uses of that data. I plan to keep saying it at least until the question is debated in the Congress.
Read more in:
NYT: 8 States Impose New Rules on Equifax After Data Breach
https://www.nytimes.com/2018/06/27/business/equifax-data-security.html
SC Magazine: Equifax agrees to cybersecurity regulations set forth by 8 U.S. States
Reuters: U.S. charges former Equifax manager with insider trading
CNET: Former Equifax exec charged with insider trading following data breach
https://www.cnet.com/news/former-equifax-exec-charged-with-insider-trading-following-data-breach/
DOJ: Charges filed against second defendant for insider trading related to the Equifax data breach
--
Exactis Data Breach
(June 27, 2018)
Exactis, a US marketing and data aggregation company, has acknowledged that one of its databases was exposed, unauthenticated, on the public Internet, leaking more than 340 million records. The exposed database was found earlier this month by a security researcher using the Shodan search engine, who said, "It seems like this is a database with pretty much every US citizen in it." Exactis has reportedly taken steps to make sure the database is no longer accessible.
[Editor Comments]
[Weatherford] The security issue is huge but is, unfortunately, only one of the problems with this story. Security is hard, we get that, and no one is ever going to be 100% perfect 100% of the time, but seriously folks. I don't like to make physical security analogies, but the Crown Jewels of England are kept secure in the Tower of London and you can't get to them via a public tool like Shodan. Secondly, and perhaps most importantly, this is another frustrating example of a company most of us have never heard of but which has purchased and aggregated all of our personal data without our knowledge. This is exactly the reason the EU created GDPR, and while I'm no fan of regulation, without some kind of compliance incentive, businesses simply will not do everything we think they should do to protect this kind of data. It's the future of privacy.
Read more in:
Wired: Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records
https://www.wired.com/story/exactis-database-leak-340-million-records/
--
Ticketmaster UK Acknowledges Data Breach
(June 28, 2018)
A data breach at Ticketmaster UK exposed sensitive customer information, including payment card data. The malware responsible was found in a customer support chat product supplied and hosted by a third party and embedded in the Ticketmaster UK website, so card data entered on Ticketmaster's own pages was captured by code Ticketmaster did not write or host. The breach affects users who purchased or attempted to purchase tickets through the site between September 2017 and June 23, 2018.
[Editor Comments]
[Honan] With the ever increasing use of third party scripts and apps on websites, it is becoming more and more important that you have processes in place to ensure those apps and scripts do not undermine the security of your site.
Read more in:
eWeek: Ticketmaster Breach Exposes Supply Chain Risks
http://www.eweek.com/security/ticketmaster-breach-exposes-supply-chain-risks
Threatpost: Ticketmaster Chat Feature Leads to Credit-Card Breach
https://threatpost.com/ticketmaster-chat-feature-leads-to-credit-card-breach/133188/
--
Contractor Who Leaked Election Meddling Info Sentenced to Prison
(June 26 & 28, 2018)
Reality Leigh Winner, a former NSA contractor who leaked classified information, has been sentenced to 63 months in prison. Winner admitted to printing a copy of a classified report on Russian meddling in the 2016 US election and sharing it with the media.
[Editor Comments]
[Henry] Leaks of classified and sensitive information can be extremely harmful to investigations, national security, and can even be life-threatening when human sources are unveiled. These violations are occurring far too often, and aggressive prosecution and swift and serious consequences are necessary to deter this illegal activity.
Read more in:
Threatpost: Reality Winner, N.S.A. Contractor, Sentenced to 5+ Years in Leak Case
https://threatpost.com/reality-winner-n-s-a-contractor-sentenced-to-5-years-in-leak-case/133130/
NYT: Reality Winner, N.S.A. Contractor Accused in Leak, Pleads Guilty
https://www.nytimes.com/2018/06/26/us/reality-winner-nsa-leak-guilty-plea.html
--
RAMpage Vulnerability Affects Android Devices
(June 28, 2018)
A variant of the Rowhammer vulnerability known as RAMpage affects nearly all Android devices made since 2012. Researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM have published a paper detailing the issue, noting that "a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device."
[Editor Comments]
[Murray] Real security professionals publish workarounds, not just vulnerabilities.
[Williams] This paper details practical exploitation scenarios for this vulnerability. In the Android ecosystem, we are largely dependent on device manufacturers to update their Android builds. However, this vulnerability is less serious than other Rowhammer vulnerabilities that are present on multi-user systems. This vulnerability allows a malicious application to bypass the application security sandbox and gain kernel level access. However, the exploitation vector would almost certainly be the installation of a malicious application. Yet again, basic security hygiene secures you from exploitation.
[Neely] This is an expansion on the first Rowhammer Android attack, Drammer, which exploits the ION subsystem, which is responsible for memory management and application memory isolation. The ION subsystem was introduced in Android 4.0 and is still in use in the current Android OS. Google has released updates to reduce the effectiveness of Rowhammer attacks by reducing contiguous pool sizes and disabling the contiguous heap; the researchers propose that a further mitigation, GuardION, be incorporated into ION to provide fine-grained memory isolation as a complete fix, to be incorporated into future versions of the Android OS.
Read more in:
Bleeping Computer: Every Android Device Since 2012 Impacted by RAMpage Vulnerability
VvdVeen: GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM (PDF)
https://vvdveen.com/publications/dimva2018.pdf
--
Firefox Updates
(June 27, 2018)
Mozilla has released fixes for Firefox ESR 52.9, Firefox ESR 60.1, and Firefox 61. Of the 15 issues fixed, five are rated critical. They include a buffer overflow flaw, a use-after-free vulnerability, an integer overflow flaw, and memory safety bugs.
[Editor Comments]
[Murray] The browser remains the Achilles heel of the desktop. Systems should be configured in such a way that browsers cannot make persistent changes to the underlying system. See the Safari/iOS implementation for an example of how to do this. While the example may be no more than 80% effective, it is an efficient measure.
Read more in:
SC Magazine: Mozilla issues critical patches for Firefox ESR 52.9, Firefox ESR 60.1, and Firefox 61
Mozilla: Mozilla Foundation Security Advisory 2018-16
https://www.mozilla.org/en-US/security/advisories/mfsa2018-16/
--
Information Sharing is Still Largely a One-Way Street
(June 27, 2018)
Despite legislation passed in 2015 that provides incentives for private sector organizations to share cyber threat information with the US government, just six companies and non-federal government organizations are actually sharing information. In contrast, 190 organizations and roughly 60 federal departments and agencies are receiving threat intelligence from the Department of Homeland Security's (DHS's) automated indicator sharing program.
[Editor Comments]
[Pescatore] The article references the November 2017 DHS Office of the Inspector General report, which clearly placed the blame on the quality of the DHS threat sharing program: "Given that NPPD emphasizes timeliness, velocity, and volume in cybersecurity information sharing, the system DHS currently uses does not provide the quality, contextual data needed to effectively defend against ever-evolving threats." In the open market, there is no need to sign up for high volume, low quality threat data!
[Neely] Building the needed trust to share information is hard. Both sides need a track record of producing quality actionable data, without retribution. DHS has been dinged for high volume data without proper context which will drive companies to participate in other more relevant threat feeds.
[Murray] Like most of us, DHS must be overwhelmed by the volume of open source intelligence available. This is about the sharing of real-time threatening traffic. We are waiting for DHS to tell us how to identify such traffic and where to send it. I do not sense a reluctance to share so much as a lack of knowledge about what to do.
Read more in:
Nextgov: Only 6 Non-Federal Groups Share Cyber Threat Info with Homeland Security
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Analyzing XPS Files
https://isc.sans.edu/forums/diary/Analyzing+XPS+files/23804/
WPA3 Standard Finalized
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security
Executing Code with SettingContent-ms Files
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
EFF Analysis of STARTTLS
https://www.eff.org/deeplinks/2018/06/technical-deep-dive-starttls-everywhere
Secret Office 365 Activity Log API Unveiled (plus tool to extract logs)
http://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/
Anonymizing Printers
Silently Profiling Unknown Malware Samples
https://isc.sans.edu/forums/diary/Silently+Profiling+Unknown+Malware+Samples/23808/
Cisco CVE-2018-0296 Exploited
Less Greedy Cryptominers
https://isc.sans.edu/forums/diary/New+and+Improved+Cryptominers+Now+with+50+less+Greed/23812/
Disassembling WebAssembly
https://www.forcepoint.com/blog/security-labs/analyzing-webassembly-binaries
Spectre Browser Mitigation Bypass
https://alephsecurity.com/2018/06/26/spectre-browser-query-cache/
Gentoo Github Repository Compromise
https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002