SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #53

July 6, 2018

****************************************************************************

SANS NewsBites                July 6, 2018                 Vol. 20, Num. 053

****************************************************************************

TOP OF THE NEWS

Cyber Attacks Coming to UK Banks says Bank of England

National Geospatial Intelligence Agency Created Ultrasecure App Store

Lawrence Livermore National Laboratory Leads Cyber Defense Challenge for Area School Students

REST OF THE WEEK'S NEWS

IRS Active Directory Technical Advisory Board Not Performing its Function

ADB Firmware Updates for Broadband Gateways

California Legislators Restore Tough Net Neutrality Bill Provisions

Thunderbird Updates to Version 52.9; Includes Fix for EFAIL Vulnerability

Former Employee Charged with Trying to Sell Company's Intellectual Property

Firefox and Chrome Pull Stylish Browser Extension

USB Fans Given to Singapore Summit Journalists Raise Cyber Hygiene Issue

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By AlgoSec  ***************************


Register to hear the discussion between Prof Avishai Wool, CTO of AlgoSec, and David Shackleford, Principal Consultant of Voodoo Security and Senior Instructor at the SANS Institute, entitled "Cloud Security Visibility: Establishing security control of the cloud estate" http://www.sans.org/info/205205


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course. Offer Ends July 18.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS


--

Cyber Attacks Coming to UK Banks says Bank of England

(July 6, 2018)

Bank boards and senior management should assume that individual systems and processes that support business services will be disrupted, and should increase the focus on back-up plans, responses and recovery options, the Bank of England and the Financial Conduct Authority said. The discussion paper, published July 5, is part of the regulators' effort to bolster the resilience of financial firms in response to a rising number of operational failures. The focus is on ensuring continuity of the business services that are essential for the economy.

Read more in:

Big Law Business: BOE Tells U.K. Banks Cyber Attacks Coming, Now Get Ready

https://biglawbusiness.com/boe-tells-u-k-banks-cyber-attacks-coming-now-get-ready/



--

National Geospatial Intelligence Agency Created Ultrasecure App Store

(July 3, 2018)

In 2012, the National Geospatial Intelligence Agency (NGA) undertook the task of creating a super-secure app store for the Department of Defense (DOD). Critical to the success of the mission was getting developers to provide the code of their apps for review and analysis. The NGA GEOINT App Store allows DOD employees access to parts of the store based on clearance and need.


[Editor Comments]

[Pescatore] Note that the NGA director says that the key to having an app store that is both secure and flexible was getting developers to agree to hand over the source code of their apps for in-depth analysis and review. They also added a cybersecurity contractor to develop and manage the Innovative GEOINT Application Provider Program process to work with app vendors and have those reviews occur earlier in the development process, a strong but flexible supply chain security process, also used by many large companies in private industry.


[Murray] Real security professionals avoid such claims as "ultrasecure." It is the equivalent of painting a target on one's back. Moreover, security is a process, while "ultrasecure" implies a state, difficult to achieve for such an application, even harder to maintain.


[Neely] A strong security testing and vetting process is key in a modern SDLC, particularly for mobile apps. NGA's licensing and need-to-know requirements precluded putting the resultant apps in a public app store, and this is a good example of where a corporate app store is the better solution for distributing sensitive or proprietary apps.


Read more in:

Wired: The DODs App Store Does This One Crucial Thing to Stay Secure

https://www.wired.com/story/dod-app-store-does-this-one-crucial-thing-to-stay-secure/


--

Lawrence Livermore National Laboratory Leads Cyber Defense Challenge for Area School Students

(July 3, 2018)

Lawrence Livermore National Laboratory's Computation employees and Cyber Defender summer interns led the Cyber Defense Challenge for students in grades 6-12. "The focus of the Cyber Defense Challenge is to spread awareness about cybersecurity to a wider audience and demonstrate that it is more than just coding and hacking," said Pablo Arias, Lab employee and the challenge's system administrator.


[Editor Comments]


[Neely] The interns were also involved in the CTF challenge development, so not only were the students learning about cyber security, but the Cyber Defender Interns were also learning how to teach others.


Read more in:

LLNL: Kids learn about cybersecurity through gaming

https://www.llnl.gov/news/kids-learn-about-cybersecurity-through-gaming


**************************  SPONSORED LINKS  ********************************


1) Don't Miss:  "Hiding in plain sight: the menace of Business Email Compromise And Why undertaking a regular compromise assessment is key" Register: http://www.sans.org/info/205210


2) Organizations are finding their network perimeters, and thus their attack surfaces, are changing daily. Learn More: http://www.sans.org/info/205215


3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205220 and enter to win a $400 Amazon gift card!


*****************************************************************************

THE REST OF THE WEEK'S NEWS


--

IRS Active Directory Technical Advisory Board Not Performing its Function

(July 5, 2018)

According to a June 27, 2018 audit report from the Treasury Inspector General for Tax Administration (TIGTA), the Internal Revenue Service's (IRS's) Active Directory Technical Advisory Board (ADTAB) is not fulfilling its obligations. ADTAB was created in 2013 to finalize and enforce forest design criteria, develop standards, oversee trusts, and ensure that unauthorized forests or domains are not implemented. The audit report found that ADTAB members "[said] that they did not know how many active forests currently exist within the IRS. They were also unable to provide any documentation that identified or summarized the various AD (Active Directory) forest environments agencywide." The audit also found nearly 90 physical security weaknesses at the locations that house the IRS criminal investigation unit's domain controllers.


Read more in:

Nextgov: Theres Even More Bad News About IRS Information Security

https://www.nextgov.com/cybersecurity/2018/07/theres-even-more-bad-news-about-irs-information-security/149499/

Treasury: Active Directory Oversight Needs Improvement and Criminal Investigation Computer Rooms Lack Minimum Security Controls

https://www.treasury.gov/tigta/auditreports/2018reports/201820034fr.pdf


--

ADB Firmware Updates for Broadband Gateways

(July 5, 2018)

Last year, Advanced Digital Broadcast (ADB) released firmware updates to fix three vulnerabilities in its broadband gateways. The flaws, a privilege escalation issue, an authorization bypass vulnerability, and a local jailbreak bug, were first detected nearly two years ago. The patches first began to be rolled out last July, but were not publicly disclosed until July 4, 2018. ADB manufactures equipment for broadband and communications companies around the world.


Read more in:

Threatpost: Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear

https://threatpost.com/year-old-critical-vulnerabilities-patched-in-isp-broadband-gear/133702/


--

California Legislators Restore Tough Net Neutrality Bill Provisions

(July 5, 2018)

Provisions struck from California's proposed state net neutrality law have been largely restored, which would make the bill, if it passes, one of the toughest in the country. Several weeks ago, the California state assembly removed provisions from the proposed law, bowing to pressure from Internet providers. Earlier this week, members of both chambers of the statehouse met and agreed to restore the tough provisions protecting consumers.


[Editor Comments]


[Neely] California is poised to join Oregon, Vermont and Washington in enacting their own legislation in lieu of federal regulation. Unlike the other states, which are directing ISP behavior when servicing government customers to drive similar service to all consumers, California's legislation puts outright bans on certain ISP behavior regardless of the customer. It will be interesting to see if the FCC follows through on threats to sue states that attempt to circumvent their repealed net neutrality rules.


Read more in:

Washington Post: California's net neutrality bill is back, and as tough as ever

https://www.washingtonpost.com/technology/2018/07/05/californias-net-neutrality-bill-is-back-tough-ever/



--

Thunderbird Updates to Version 52.9; Includes Fix for EFAIL Vulnerability

(July 5, 2018)

Mozilla has updated Thunderbird to version 52.9, with fixes for a dozen flaws, including three rated critical. Two of the fixes address the EFAIL vulnerability.


Read more in:

The Register: Thunderbird gets its EFAIL patch

http://www.theregister.co.uk/2018/07/05/thunderbird_52_9_fixes_efail_crytpo_bug/

Thunderbird: Thunderbird Release Notes

https://www.thunderbird.net/en-US/thunderbird/52.9.0/releasenotes/

Mozilla: Security vulnerabilities fixed in Thunderbird 52.9

https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/


--

Former Employee Charged with Trying to Sell Company's Intellectual Property

(July 5, 2018)

A former employee of an Israeli cybersecurity firm has been arrested for allegedly trying to sell the company's intellectual property on the dark net. The former employee was also charged with attempting to harm property in a manner that could hurt state security, employee theft, and attempting to market security matter without an appropriate license.


[Editor Comments]


[Northcutt] You postulate a credible risk of insider threat. Set a few monitoring stations. When a station alerts, you remediate. It's actually pretty similar to how you manage Formosan termites.

Read more in:


The Hill: Ex-employee of Israeli cyber firm charged with trying to sell stolen tech on the dark web

http://thehill.com/policy/cybersecurity/395596-ex-employee-of-israeli-cyber-firm-charged-with-trying-to-sell-stolen

Reuters: Israel charges former employee of NSO Group with cyber crimes

https://www.reuters.com/article/us-cyber-israel-nso/israel-charges-former-employee-of-nso-group-with-cyber-crimes-idUSKBN1JV18E

Bloomberg: Israeli Accused of Trying to Sell Stolen Spyware for $50 Million

https://www.bloomberg.com/news/articles/2018-07-05/israeli-accused-of-trying-to-sell-stolen-spyware-for-50-million

Cyberscoop: NSO Group employee allegedly stole source code worth 'hundreds of millions of dollars'

https://www.cyberscoop.com/nso-group-employee-allegedly-stole-source-code-worth-hundreds-millions-dollars/?category_news=technology


--

Firefox and Chrome Pull Stylish Browser Extension

(July 4 & 5, 2018)

Initially designed as a tool to manage websites' appearances, Stylish has more recently been found to be used as a surveillance tool. For the past year and a half, Stylish has been collecting data about users' browser histories. Stylish's original owner, who was also the add-on's creator, sold it in August 2016; it was resold in January 2017, since which time it has changed its way of operating. The Stylish Firefox page has been removed; Mozilla will disable Stylish in users' browsers along with a message explaining the decision. The Google Chrome Stylish page returns a 404 error.


[Editor Comments]


[Ullrich] This scenario has played itself out a number of times now. A well respected and useful extension is sold to a not very reputable buyer. The new owner updates the extension by adding various malicious components to it. It is very difficult to defend against this attack as it is not always obvious when an extension changes ownership, and like in this case, ownership may change hands a couple of times and it may take months for the malicious code to show up.


[Murray] One more reason to isolate browsing activity or lock down devices that are shared between browsing and other applications.


Read more in:

The Register: Chrome, Firefox pull invasive browser extension

http://www.theregister.co.uk/2018/07/05/browsers_pull_stylish_but_invasive_browser_extension/

Bleeping Computer: Chrome and Firefox Pull Stylish Add-On After Report It Logged Browser History

https://www.bleepingcomputer.com/news/software/chrome-and-firefox-pull-stylish-add-on-after-report-it-logged-browser-history/

SC Magazine: Google, Mozilla boot Stylish from add-on stores after it collects data on browsing histories

https://www.scmagazine.com/google-mozilla-boot-stylish-from-add-on-stores-after-it-collects-data-on-browsing-histories/article/778703/


--

USB Fans Given to Singapore Summit Journalists Raise Cyber Hygiene Issue

(July 3, 2018)

The welcome bags given to journalists covering the US/North Korea summit in Singapore last month included a small fan that connects to a computer's USB port. A researcher who took apart one of the fans found no evidence of malware, but noted that people should not let down their guard about USB devices, which have been used to spread malware. In 2011, the US Department of Homeland Security (DHS) conducted a test: they left USB drives and CDs in government parking lots to see if employees would plug them into their work computers. Sixty percent of the people who picked up the planted devices did plug them into their work machines; when the devices were imprinted with official government logos, the plug-in rate rose to 90 percent.


[Editor Comments]


[Williams] While the one fan discovered didn't contain any malware, it is obviously a sample size of one. In an intelligence operation, a well-funded adversary might deploy a hundred fans without malware and one with it, just to exploit that one target. Plugging in devices of unknown origin should always be seen as unsafe. As we enter the summer conference season, it's important to remember that even USB drives from trusted parties have contained malware in the past (mostly owed to supply chain issues). Best practices require that we assume compromise for all devices with unknown origin.


[Neely] Just because the USB device is shrink-wrapped and in the event swag bag doesn't mean it's safe. Fancy logos and innocuous devices such as lights, trees or fans can all include embedded payloads. This too must be part of your cyber awareness training program.


Read more in:

Washington Post: What was on a USB fan given at the Trump-Kim summit? Security experts say nothing -- but don't plug it in.

https://www.washingtonpost.com/technology/2018/07/03/what-was-usb-fan-given-trump-kim-summit-security-experts-say-nothing-but-dont-plug-it/


******************************************************************************

INTERNET STORM CENTER TECH CORNER

Progress Indication For Scripts in Windows

https://isc.sans.edu/forums/diary/Progress+indication+for+scripts+on+Windows/23830/


Stylish Extension Steals History

https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/


Data Leaks From Android Apps

https://recon.meddle.mobi/panoptispy/


Gentoo GitHub Breach Post Mortem

https://wiki.gentoo.org/wiki/Github/2018-06-28


Hamas Sets World Cup Trap for Israeli Soldiers

https://www.reuters.com/article/us-israel-palestinians-cyber/israel-says-hamas-tried-to-snare-soldiers-in-world-cup-cyber-trap-idUSKBN1JT1ZX


******************************************************************************

The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create