
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #58

July 24, 2018

****************************************************************************

SANS NewsBites                July 24, 2018                Vol. 20, Num. 058

****************************************************************************


TOP OF THE NEWS


 

DHS: Russian Hackers Have Access to Utilities Control Rooms

 

Voting Machine Manufacturer Admits It Installed Remote Access Software on Some Systems


REST OF THE WEEK'S NEWS


 

Carnegie Mellon CERT Warns of Cryptographic Flaw

 

Automobile Manufacturer Supply Chain Data Leak

 

Google Chrome HTTPS by Default Deadline is Here

 

Google's Physical Two-Factor Authentication Keys Have Prevented Account Takeovers

 

Singapore Health Data Stolen

 

ComplyRight Breach Compromised Tax Data

 

Online Thieves Exploited Outdated Router to Access Bank Network

 

Russian Government Vulnerabilities Review Could Be Passing Info on to Military

 

Greek Court Allows Russian Cybercrime Suspect to be Extradited to France


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Splunk  ***************************


Gartner Names Splunk a Security Monitoring Leader in 2017 Critical Capabilities for SIEM!

Gartner recently published its 2017 Critical Capabilities for Security Information and Event Management (SIEM) where Splunk had the highest score in the security monitoring use case. CISOs, CIOs, and security and risk leaders should read the report to make the best-informed buying decision for security and learn about Splunk's leadership position in the market. http://www.sans.org/info/205585


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro, Microsoft Surface Pro, or take $350 Off with Any OnDemand or vLive Course. Offer Ends August 1.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS


-- 

DHS: Russian Hackers Have Access to Utilities Control Rooms

(July 23, 2018)

At a briefing on Monday, July 23, officials at the US Department of Homeland Security (DHS) said that Russian hackers managed to compromise computers that manage control rooms at US utility companies. The officials said that with the access the intruders had, they could have caused blackouts. The hackers made their way into the air-gapped control rooms by first infecting vendors who worked with the utilities. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Paller] The challenge now is how to get them out and keep them from getting back in. Utilities have faced a stark shortage of people capable of identifying and reverse-engineering malware that gets into the control room systems quickly enough to avoid the attackers burrowing so deep they may never be removed. Even DHS has had trouble building a substantial world-class team. However, I am more than hopeful that the new CyberStart initiative that reliably identifies elite talent and the new immersion collegiate and graduate programs for training them in advanced cyber skills for control systems will give at least some utilities the means to make their systems defensible.


Read more in:

WSJ: Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say

https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110

Reuters: Russian hackers penetrated networks of U.S. electric utilities: WSJ

https://www.reuters.com/article/us-usa-cyber-russia/russian-hackers-penetrated-networks-of-u-s-electric-utilities-wsj-idUSKBN1KE03F


 

--

Voting Machine Manufacturer Admits It Installed Remote Access Software on Some Systems

(July 17, 2018)

Voting machine maker Election Systems and Software (ES&S) has admitted that it installed remote access software on some of its election management systems. The revelation came in response to a March 6, 2018 letter from US Senator Ron Wyden (D-Oregon). The systems in question were sold between 2000 and 2006. Election management systems are not machines for casting ballots; they hold the software used to program all of those machines and they tabulate voting results from those machines.  


[Editor Comments]


[Pescatore] Volkswagen paid about $5B in fines after it was discovered that their executives lied and cheated in calculating the performance of emission controls in their diesel engines. This looks like a similar case of lying and cheating. The manufacturers have been saying for more than a decade the voting systems are not Internet-accessible, while just about every serious security investigation finds Internet-accessible paths.


[Murray] Intuition tells us that the risk in election systems is in the recording step while experience tells us that it is in the counting and reporting steps. Security is a space where intuition does not serve us well.


Read more in:

Motherboard: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

Wyden: Wyden's March 2018 Letter to ES&S

https://www.wyden.senate.gov/imo/media/doc/wyden-2nd-election-cybersecurity-letter-to-ess.pdf

 

**************************  SPONSORED LINKS  ********************************


1) Find out how you can stop exploits and persistent, real-time hacks. Learn More

http://www.sans.org/info/205590


2) Are you attending Black Hat? Visit Unisys at Booth #1420 to learn how microsegmentation can help minimize security threats.

http://www.sans.org/info/205595


3) Don't Miss: "Windows Defender ATP's Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints" Register: http://www.sans.org/info/205605


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--

Carnegie Mellon CERT Warns of Cryptographic Flaw

(July 24, 2018)

Carnegie Mellon CERT has issued a vulnerability advisory warning of a cryptographic flaw that affects Bluetooth firmware and operating system software drivers. Because the affected firmware and drivers skip a necessary cryptographic step, an attacker could potentially launch a man-in-the-middle attack. Companies are expected to release software and firmware updates over the next few weeks.


Read more in:

CERT: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange

https://www.kb.cert.org/vuls/id/304725

The Register: Big bad Bluetooth blunder bug battered: check for security fixes

http://www.theregister.co.uk/2018/07/24/bluetooth_cryptography_bug/

 

--

Automobile Manufacturer Supply Chain Data Leak

(July 23, 2018)

Several well-known car manufacturers have learned that their sensitive data were exposed through a supply chain vulnerability. All of the affected companies used Level One Robotics, which provides industrial automation. The issue was due to an insufficiently secured rsync file transfer protocol server.


[Editor Comments]


[Pescatore] This exposure due to a poorly configured rsync server is similar to many recent exposures in the news for poorly configured S3 buckets and other cloud services left publicly accessible. Supply chain security is a high priority topic for CISOs but their corporate vendor-risk management-programs focus too often on paperwork and not on measuring and monitoring the basic security hygiene level of connected business partners.


[Honan] Do you rely solely on compliance checklists for your supply chain or do you actually measure cybersecurity with technical assessments?


Read more in:

SC Magazine: Tesla, VW data was left exposed by supply chain vendor Level One Robotics

https://www.scmagazine.com/tesla-vw-data-was-left-exposed-by-supply-chain-vendor-level-one-robotics/article/782756/

The Register: Robo-drop: Factory bot biz 'leaks' automakers' secrets onto the web

http://www.theregister.co.uk/2018/07/23/car_factory_rsync_server_leak/

InfoSecurityMagazine: Supplier Error Leaks Decade of Data from Carmakers

https://www.infosecurity-magazine.com/news/robotics-supplier-error-leaks/

 
 

--

Google Chrome HTTPS by Default Deadline is Here

(July 23, 2018)

Starting Tuesday, July 24, Chrome users visiting websites that do not use HTTPS will see a "not secure" warning in the address bar. The change will affect Chrome version 68. Security firm Cloudflare said that more than half of the top one million websites do not redirect to HTTPS.


[Editor Comments]


[Neely] Users will likely switch to possibly less secure browsers if they cannot access desired websites. While the majority of websites have converted to HTTPS, make sure your projects, for both internal and external sites, are nearing completion to support good online habits.

 

Read more in:

The Register: Google Chrome: HTTPS by default D-Day is tomorrow, folks

http://www.theregister.co.uk/2018/07/23/https_dday_google_chrome/

CNET: Chrome's HTTP warning seeks to cut web surveillance, tampering

https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/

Twitter: Cloudflare

https://twitter.com/Cloudflare/status/1021196369313353728

 
 

--

Google's Physical Two-Factor Authentication Keys Have Prevented Account Takeovers

(July 23, 2018)

In early 2017, Google began requiring employees to use physical security keys instead of passwords and one-time codes sent to mobile devices for two-factor authentication. Since the new policy was implemented, none of Google's employees have been successfully phished, meaning that there have been no reported account takeovers.


[Editor Comments]


[Pescatore] There will be the usual outcry that two-factor authentication is man-in-the-middle-able, etc. Strong authentication is not perfect, but then neither is a bank vault, but both raise the bar way higher than most attackers will leap.


[Murray] It should not surprise anyone that strong authentication works. The number that would be interesting is what percentage of Google users, not their employees, opt in to Google's strong authentication. That is, what percentage of the user population is willing to sacrifice some convenience for security. The preference for weak passwords would suggest that it is not high, but hope springs eternal.


Read more in:

KrebsOnSecurity: Google: Security Keys Neutralized Employee Phishing

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
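The reason a physical security key holds up where a relayed password or one-time code does not is origin binding: the browser, not the user, places the origin it is actually connected to into the data the key signs, and the real site verifies against its own origin. The following block is an added illustration of that property and is not Google's code nor any FIDO vendor's; it keeps the U2F/WebAuthn structure (challenge, key handle, origin-bound signature) but, as a stated simplification, replaces the per-credential ECDSA signature with an HMAC over the same fields so it runs on the standard library alone. The two origins and the user name are constructed sample values.

```python
"""Origin binding: why a hardware security key defeats real-time phishing.

Added illustration, not code from Google, KrebsOnSecurity or any FIDO
vendor. Simplification (assumption, not the real primitive): the
authenticator's ECDSA signature is stood in for by an HMAC keyed with a
per-credential secret that the relying party also holds.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example"        # constructed sample origin
PHISH_ORIGIN = "https://accounts-example.evil"  # constructed look-alike origin


def _sign(secret, origin, challenge):
    """Stand-in signature covering the origin hash and the challenge."""
    message = hashlib.sha256(origin.encode()).digest() + challenge
    return hmac.new(secret, message, hashlib.sha256).digest()


class SecurityKey:
    """Authenticator side: signs whatever origin the browser hands it."""

    def __init__(self):
        self._credentials = {}  # key handle -> per-credential secret

    def register(self):
        handle = secrets.token_hex(8)
        self._credentials[handle] = secrets.token_bytes(32)
        return handle, self._credentials[handle]

    def authenticate(self, handle, browser_origin, challenge):
        # The browser supplies its true origin; the user never types it.
        return _sign(self._credentials[handle], browser_origin, challenge)


class RelyingParty:
    """Server side: verifies against ITS OWN origin, not anything in the
    response, so a signature produced for another origin never matches."""

    def __init__(self, origin):
        self.origin = origin
        self._users = {}  # username -> (key handle, secret)

    def enroll(self, username, key):
        self._users[username] = key.register()

    def challenge(self):
        return secrets.token_bytes(32)

    def key_handle(self, username):
        return self._users[username][0]

    def verify(self, username, challenge, signature):
        _, secret = self._users[username]
        expected = _sign(secret, self.origin, challenge)
        return hmac.compare_digest(expected, signature)


def login(rp, key, username, browser_origin):
    """One authentication round. `browser_origin` is where the user's browser
    really is: the genuine site, or a phishing page relaying the genuine
    site's challenge and forwarding the key's answer in real time."""
    challenge = rp.challenge()  # a phisher can relay this verbatim
    signature = key.authenticate(rp.key_handle(username), browser_origin, challenge)
    return rp.verify(username, challenge, signature)


def demo():
    """Genuine login succeeds; the relayed, phished login is rejected even
    though the same user touched the same key."""
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", key)
    genuine = login(rp, key, "alice", REAL_ORIGIN)
    phished = login(rp, key, "alice", PHISH_ORIGIN)
    return genuine, phished


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A relayed password or SMS code carries no origin at all, so the same relay succeeds against those factors; that difference, not the physical form factor, is what the Google result reflects. Real U2F keys additionally refuse to answer for a key handle that was not registered under the requesting application identifier, which the stand-in above does not model.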

 
 

--

Singapore Health Data Stolen

(July 20, 2018)

Hackers stole data belonging to 1.5 million citizens of Singapore from a healthcare database. According to an official government statement, investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. The incident was detected on July 4, 2018; the data thieves had been exfiltrating information since June 27, 2018.


[Editor Comments]


[Murray] Better time-to-detection of this breach than for most breaches. Nonetheless, as long as breaches are inevitable, we need to be quicker in detecting them.

 

Read more in:

Reuters: Cyberattack on Singapore health database steals details of 1.5 million, including PM

https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J

ZDNet: Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including Prime Minister

https://www.zdnet.com/article/singapore-suffers-most-serious-data-breach-affecting-1-5m-healthcare-patients-including-prime/

 
 

--

ComplyRight Breach Compromised Tax Data

(July 19 & 20, 2018)

Cloud-based human resources company ComplyRight has acknowledged that it suffered a website security breach that compromised some customer data. More than 75,000 companies use ComplyRight to prepare their employees' and contractors' 1099 and W-2 tax forms. ComplyRight learned of the breach on May 22, 2018; intruders first accessed the system on April 20, 2018.


[Editor Comments]


[Murray] Credit bureaus are part of the problem. Even new utility accounts require credit checks. However, most of us should have our credit frozen most of the time. Good security always involves some loss of convenience. (Senator Wyden introduced a bill to prohibit a consumer reporting agency from charging a consumer a fee for placing, temporarily lifting, or fully removing a credit freeze. While it languishes, credit bureaus continue to be rewarded for their vulnerability and that of their customers.)

 

Read more in:

KrebsOnSecurity: Human Resources Firm ComplyRight Breached

https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/

SC Magazine: HR firm ComplyRight breached compromising PII

https://www.scmagazine.com/hr-firm-complyright-breached-compromising-pii/article/782411/

ComplyRight: ComplyRight Data Security Incident Notice

https://www.complyright.com/data-security-notice

 
 

--

Online Thieves Exploited Outdated Router to Access Bank Network

(July 19 & 20, 2018)

Online bank thieves stole at least 58 million rubles ($921,000 USD) from Russia's PIR Bank. The group was able to make its way into the bank's network thanks to an outdated router at a branch office. The particular router in use has not been supported since 2016. The bank managed to recover some of the stolen funds. The group believed to be responsible for the theft has used similar tactics in at least three other online heists.


[Editor Comments]


[Neely] It is easy to overlook equipment at a remote location that is just working, particularly as so much focus is on endpoint security; patching and updating/replacing network equipment, particularly boundary protection, can't be overlooked.

 

Read more in:

Ars Technica: $1 million heist on Russian bank started with hack of branch router

https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/

BankInfoSecurity: Bank Hackers Exploit Outdated Router to Steal $1 Million

https://www.bankinfosecurity.com/bank-hackers-exploit-outdated-router-to-steal-1-million-a-11227

 
 

--

Russian Government Vulnerabilities Review Could Be Passing Info on to Military

(July 16, 2018)

Russia's Federal Service for Technical and Export Control (FSTEC) is the government agency responsible for reviewing foreign hardware and software products for vulnerabilities. FSTEC notifies the public of just 10 percent of vulnerabilities, suggesting that it retains the information about the remaining 90 percent for the Russian government's use, according to a paper from Recorded Future.


[Editor Comments]


[Pescatore] I'm pretty sure no one is surprised when Russian, Chinese or US intelligence agencies fail to disclose all the vulnerabilities they find. Which makes the advice simple: supply chain security programs should not rely on vulnerability information coming solely from government sources.


[Williams] It's very convenient to think "oh no, Russia" when reading this, but context is needed to properly evaluate the report. Every government evaluates the hardware and software it uses for vulnerabilities, so we should not be surprised that Russia is also doing so. The percentage of vulnerabilities released vs. kept for "government use" is also a meaningless metric. The US Vulnerabilities Equities Process board proudly notes that it reports the overwhelming number of vulnerabilities it discovers. But the numbers don't matter. MS 17-010 (EternalBlue, the exploit that powered WannaCry and NotPetya) is arguably more serious than the combined impact of 1000 local denial of service vulnerabilities discovered in software that is sparsely deployed. The type, impact, required configuration, and other pieces of information that will never be provided to the public are necessary to evaluate these statements. Given that we lack this data, the statements are interesting anecdotes and nothing more.


Read more in:

Nextgov: Russia's Foreign-Software Approval Service Helps Military Hackers: Report

https://www.nextgov.com/cybersecurity/2018/07/russias-foreign-software-approval-service-helps-military-hackers-report/149751/

Recorded Future: Pavlov's Digital House: Russia Focuses Inward for Vulnerability Analysis

https://www.recordedfuture.com/russian-vulnerability-analysis/

 
 

--

Greek Court Allows Russian Cybercrime Suspect to be Extradited to France

(July 16, 2018)

A Greek court is allowing the extradition of Russian citizen Alexander Vinnik to France where he will face charges of hacking, money laundering, extortion, and being involved in organized crime. Vinnik is one of a handful of Russian cybercrime suspects who have been arrested while outside Russia. Yevgeniy Nikulin was extradited from Czechia to the US to face charges there.


[Editor Comments]


[Murray] Note that Greece is extraditing a Russian, not a Greek. The general national position remains, he may be a dirty, rotten, rogue hacker, but he is our dirty, rotten, rogue hacker.

 

Read more in:

Cyberscoop: Russian cybercrime suspect to be extradited to France despite Moscow's objections

https://www.cyberscoop.com/alexander-vinnik-extradited-to-france/

 

****************************************************************************

INTERNET STORM CENTER TECH CORNER


New WebLogic Vulnerability Already Exploited

https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/


Microsoft Edge Turns Off XSS Protection

https://portswigger.net/daily-swig/xss-protection-disappears-from-microsoft-edge


Intel Management Engine Vulnerabilities

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html


July IE Patch Fixed Older Remote Code Execution Bug

http://blogs.360.cn/blog/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day/


User Tracking With TLS 1.2 Certificates

http://tma.ifip.org/wordpress/wp-content/uploads/2017/06/tma2017_paper2.pdf       


More Spectre

https://arxiv.org/pdf/1807.07940.pdf


DNS Rebinding Vulnerability Common in IoT

https://www.armis.com/dns-rebinding-exposes-half-a-billion-iot-devices-in-the-enterprise/


Google Chrome 68 Released Today. HTTP sites marked as "insecure"

https://support.google.com/chrome/a/answer/7679408?hl=en

    

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create