SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #6
January 23, 2018
****************************************************************************
SANS NewsBites January 23, 2018 Vol. 20, Num. 006
****************************************************************************
TOP OF THE NEWS
Intel Says to Hold Off on Patches While It Gets Better Ones Ready
US Supreme Court Will Hear Microsoft and Irish Data Centre Case
SANS Awarded Grant to Help Develop Maryland Cyber Security Workforce
REST OF THE WEEK'S NEWS
FBI Standardized Cyber Crime Takedown Reporting Statistics
Opera Mobile Now Blocks Crypto Currency Mining
Two-Year Sentence for DDoS Attacks Against Google, Skype
Tenacious, Malicious Browser Extensions
Investors Betting on Grid Security Products
Lebanese Intelligence Agency Linked to Cyber Espionage Campaign
Lithuanian Authorities Investigating News Site Hack
ADS-B Aircraft ID System Vulnerabilities
New Firefox Features Restricted to Secure Context
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Awake Security *******************
Threats today continue to be missed, investigations are often inconclusive, and hunting is deprioritized. By pre-correlating, profiling and tracking entities, including devices, users and domains, Awake Security surfaces notable behaviors previously difficult to spot. See how Awake's agentless machine learning automates detection and response tasks that otherwise take hours of manual context gathering. http://www.sans.org/info/201265
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018
-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018
-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, ASUS Chromebook or $350 Off with your vLive Course when you register by January 24. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Intel Says to Hold Off on Patches While It Gets Better Ones Ready
(January 22, 2018)
Intel is telling its customers to stop applying its recently-released patches for the Meltdown and Spectre CPU vulnerabilities because the company is developing new fixes to address the rebooting issues in the earlier patches.
[Editor Comments]
[Ullrich] All these issues with Meltdown/Spectre patches that people are experiencing are caused, essentially, by the fact that they are not "patches" but workarounds ("hacks") that do not fix the actual hardware problem. We will have to see how Intel will address this in future CPUs. For now, the "solution" appears to be to allow the operating system to turn off IBRS (Indirect Branch Restricted Speculation) for critical operations. Implementation of this feature is inconsistent across different CPUs, and the operating system has to be careful to use the correct workaround depending on the CPU, to accurately reflect the microcode version that is used in that CPU.
Read more in:
Intel: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
Cyberscoop: Intel tells customers to skip buggy patches for Spectre and Meltdown
Computerworld: Belay that order: Intel says you should NOT install its Meltdown firmware fixes
CNET: Intel halts some chip patches as the fixes cause problems
https://www.cnet.com/news/intel-stops-some-chip-patches-unexpected-reboot-meltdown-spectre/
--
US Supreme Court Will Hear Microsoft and Irish Data Centre Case
(January 19, 2018)
Twenty-three amicus briefs signed by hundreds of individuals and organizations support Microsoft's position regarding customer data held on a server in Ireland. The US Department of Justice (DoJ) has demanded the information, and Microsoft has refused. The case has made its way to the US Supreme Court. The court will hear arguments in the case next month.
[Editor Comments]
[Williams] This will be a landmark case for US-based service providers as well as customers of those providers. If the government wins, US-based service providers may be forced to bring data back into the US to comply with a warrant. Depending on the location of the data center where the data is stored, this might cause legal problems in the jurisdictions where the data resides. A ruling for the government will likely result in two things happening. First, criminals trying to hide their activities (precisely the ones the government claims it needs this ruling for) will take their business to non-US service providers. Second (and perhaps more importantly), many US-based service providers will re-architect their networks to comply with the ruling, but still avoid providing customer data.
[Neely] This is about jurisdiction. Is data access covered by the laws of the country in which it resides or by the country in which the company resides? With current EU privacy laws, and the pending GDPR, it's critical to get this right, as in those countries the user retains rights to their data and its disposition. If the US wins, users in foreign countries can't expect their privacy laws to always be honored, which could result in them taking their business elsewhere.
[Honan] This case will be closely watched by many within Europe. Should Microsoft lose this case, it will lead to many organisations, particularly European government agencies, becoming very reluctant to engage with US cloud service providers and US-based tech companies to store or process their data, as many will see this ruling as providing US government agencies free rein to demand access to data even if it is located physically within the EU. In particular, with the advent of the EU General Data Protection Regulation (GDPR), the extra focus on the privacy rights of individuals resident in the EU will become a major concern for many EU organisations.
Read more in:
Gizmodo: Nearly Everyone Backs Microsoft in Landmark Email Privacy Case-Except the DOJ
https://gizmodo.com/nearly-everyone-backs-microsoft-in-landmark-email-priva-1822233305
The Register: There are other, legal ways to nab Microsoft emails, privacy groups remind Supremes
http://www.theregister.co.uk/2018/01/19/microsoft_data_centre_privacy_international/
--
SANS Awarded Grant to Help Develop Maryland Cyber Security Workforce
(January 19, 2018)
The SANS Institute has been awarded a $500,000 USD EARN (Employment Advancement Right Now) Implementation Grant from the Maryland Department of Labor, Licensing and Regulation (DLLR). SANS will use the funds to develop and launch the SANS Cyber Workforce Academy Maryland.
[Editor Comments]
[Paller] Normally a training grant like this would not merit "top of the news" coverage. This Maryland program, however, uses a talent test that identifies veterans highly likely to succeed in technical cyber roles and has had a nearly-perfect record of getting veterans into high paying jobs. Thus, it is being copied by other states that believe cybersecurity training programs for veterans should get them jobs, not just certifications.
Read more in:
SANS: SANS Institute Awarded EARN Maryland Grant; Seeks to Grow State's Cybersecurity Talent Pipeline
https://www.sans.org/press/announcement/2018/01/17/1
Biz Journals: Bethesda firm wins state grant to launch new cyber workforce training program
************************** SPONSORED LINKS ********************************
1) Improve Your Cybersecurity Posture in the Financial Sector With NIST Standards-Based Solutions. Join the webinar: http://www.sans.org/info/201270
2) Don't Miss: "Mind the Gap: going beyond penetration testing for security improvement" Register: http://www.sans.org/info/201275
3) The Zero Trust architecture is an ideal solution for the cloud where it is not possible to trust the network. Register for "Building Zero Trust Model with Microsegmentation in the Cloud" to learn more: http://www.sans.org/info/201280
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
FBI Standardized Cyber Crime Takedown Reporting Statistics
(January 22, 2018)
In fiscal year (FY) 2014, the FBI reported close to 2,500 cyber crime takedowns. In FY 2017, that number was 252. The significant drop in the number of takedown reports is due to inconsistent definitions of disruptions and dismantlements between FBI field offices. Now the definition has been standardized.
[Editor Comments]
[Pescatore] This points out that it would be very useful if the US Government used a standard definition for metrics for agencies to report along the full incident lifecycle. The wide swing of the FBI numbers on takedowns and disruptions has been mirrored in similarly wide swings in what the individual agencies report annually.
[Neely] When creating metrics, or other key indicators, a clear consistent definition not only is fundamental to accurate, credible reporting, but also makes it clear to staff what indicators of success are important.
Read more in:
Nextgov: Massive Reduction in FBI Cyber Crime Takedowns Was Result of Definition Change
--
Opera Mobile Now Blocks Crypto Currency Mining
(January 22, 2018)
The newest mobile version of the Opera browser now blocks in-browser crypto currency mining. The feature will be enabled as long as users have the browser's ad-blocker enabled. The feature has been available in the desktop version of Opera since December 2017.
Read more in:
Bleeping Computer: Opera Blocks In-Browser CryptoCurrency Mining in New Mobile Browser Versions
--
Two-Year Sentence for DDoS Attacks Against Google, Skype
(January 18 & 22, 2018)
A UK man has received a two-year jail sentence for launching distributed denial-of-service (DDoS) attacks against Skype, Google, and other high-profile sites. Alex Bessel operated a botnet comprising more than 9,000 PCs. Bessel also sold a variety of hacking tools and made more than $700,000 USD.
Read more in:
ZDNet: Hacker jailed for DDoS attacks against Skype and Google
http://www.zdnet.com/article/hacker-jailed-for-ddos-attacks-against-pokemon-skype-and-google/
West Midlands Police: Two years' jail for web crook who set up online hackers shop
https://www.west-midlands.police.uk/news/4889/two-years-jail-web-crook-who-set-online-hackers-shop
--
Tenacious, Malicious Browser Extensions
(January 19 & 22, 2018)
A malicious browser extension named "Tiempo en colombia en vivo" takes steps to prevent users from removing it from their machines. In Chrome, the malicious extension redirects users' requests away from sites that could help remove it. It automatically clicks on YouTube videos, generating false view numbers. The extension was installed at least 11,000 times before it was removed from the Google store. A Firefox version of the extension was not as difficult to remove.
Read more in:
Ars Technica: Malicious Chrome extension is next to impossible to manually remove
SC Magazine: Malicious Chrome and Firefox extensions block removal to hijack browsers
--
Investors Betting on Grid Security Products
(January 17 & 22, 2018)
In 2017, investments more than doubled in private companies developing cyber security solutions for power grid operators and other industrial organizations. Industrial-focused cyber security firms have seen fundraising grow from $5 million USD in 2010 to $700 million USD last year.
[Editor Comments]
[Pescatore] "Betting" is the operative term here. In 2016, over $1B was bet on (invested in) Bitcoin - about 3x the amount wagered on/invested in ICS security startups. Where big gains in industrial system security have been made, they came from focus on basic security hygiene processes and CISOs who were able to communicate and convince management that security was a key part of reliability. Cool new products can augment those processes, and act as a force multiplier - but multiplying zero by anything still gets you zero...
[Northcutt] The International Energy Agency Secure and Efficient report lays out a lot of the issues:
http://www.iea.org/publications/freepublications/publication/SECUREANDEFFICIENTELECTRICITYSUPPLY.pdf
For folks with a cybersecurity background, Wired has been following the topic:
https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps/
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
The brightest light may be these new battery storage systems and not just microgrids:
Read more in:
Bloomberg: Wall Street Has a $1.7 Billion Bet on the Rising Risk of Grid Attacks
--
Lebanese Intelligence Agency Linked to Cyber Espionage Campaign
(January 18, 19, & 20, 2018)
A cyber espionage campaign targeting mobile devices has been linked to a Lebanese intelligence agency. Known as Dark Caracal, the operation gathers personal data from individuals associated with foreign governments and militaries, financial institutions, legal offices, and other organizations. It has likely been active since at least 2012.
Read more in:
Fifth Domain: Report links hacking campaign to Lebanese security agency
Cyberscoop: Hackers linked to Lebanese government caught in global cyber-espionage operation
Nextgov: Lebanese Spy Agency Likely Behind Fake Messaging Apps, Researchers Say
Motherboard: Lebanese Government Hackers Hit Thousands of Victims With Incredibly Simple Campaign
--
Lithuanian Authorities Investigating News Site Hack
(January 19, 2018)
Lithuania's national cyber security centre is investigating the appearance of a phony news story posted to a television station's website. Lithuanian vice defense minister Edvinas Kerza said that the IP address of the attackers was traced to St. Petersburg, Russia. The television website has been the target of cyber attacks in the past after it refused to take down stories about Vladimir Putin.
[Editor Comments]
[Williams] Cyber attacks against media outlets will be increasingly important in future conflicts. As any good propagandist knows, controlling the media helps you sway public opinion. In past wars, we've seen leaflets dropped from aircraft used as a way to sway the opinions of a target population. The future is here and this is what it looks like.
Read more in:
Washington Post: Lithuania probing bogus story after TV station is hacked
Independent: Lithuania probes TV station cyber attack which published fake news story
--
ADS-B Aircraft ID System Vulnerabilities
(January 19, 2018)
According to a report from the US Government Accountability Office (GAO), there are unresolved security concerns with new technology that will be able to determine the locations of all aircraft flying in US domestic airspace by 2020. The Automatic Dependent Surveillance-Broadcast (ADS-B) Out technology broadcasts location and velocity data from aircraft avionics equipment, but the broadcasts are susceptible to interception. The Federal Aviation Administration (FAA) has mandated that all aircraft, including military aircraft, be equipped with ADS-B by January 1, 2020.
[Editor Comments]
[Ullrich] Many of the issues described are (1) long known and have been the subject of popular hobbyist projects for years, and (2) very much linked to the nature of how the problem of aircraft location is addressed. No encryption scheme will make a self-reported location any more reliable than the sensor used to provide the location information. The user (aircraft/pilot) is in charge of that component, and unless specialized, proprietary, sealed and regularly audited hardware is used, this problem probably cannot be solved. Encryption by itself will not solve it. ADS-B is a very important and useful component as long as it is backed up by other location information (radar...) that is not controlled by the endpoint. An additional difficulty comes from the need to have the system work across national borders.
Read more in:
FCW: Next gen aircraft ID system vulnerable, watchdog finds
https://fcw.com/articles/2018/01/19/faa-nextgen-cyber-gao.aspx
GAO: Urgent Need for DOD and FAA to Address Risks and Improve Planning for Technology That Tracks Military Aircraft (PDF)
https://www.gao.gov/assets/690/689478.pdf
--
New Firefox Features Restricted to Secure Context
(January 17 & 18, 2018)
Mozilla has announced that "effective immediately, all new features that are web-exposed are to be restricted to secure contexts." The policy change applies to Firefox. Existing features are not subject to the new conditions. Mozilla will provide developer tools to help with the new requirement.
[Editor Comments]
[Murray] The browser is the Achilles Heel of the desktop. Features are the Achilles Heel of the browser. Browsers compete on features. This strategy will work only if other browsers follow.
[Neely] Mozilla has been pushing for an HTTPS-only environment since 2015. With options such as "Let's Encrypt", in early 2017 reports say over half of web traffic is now encrypted. While the definition of a secure context is still being finalized, expect it to include the use of HTTPS with insecure algorithms disabled and configurations that prevent fallback to HTTP, as well as protections to prevent MITM such as certificate pinning. Expect other browser providers to follow suit.
Read more in:
Bleeping Computer: Mozilla Restricts All New Firefox Features to HTTPS Only
Computerworld: Mozilla mandates that new Firefox features rely on encrypted connections
Mozilla: Secure Contexts Everywhere
https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/
INTERNET STORM CENTER TECH CORNER
Analyzing an RTF Phishing Document
https://isc.sans.edu/forums/diary/An+RTF+phish/23255/
Satori Variant Steals ETH from Miners
Legal Challenges of Bug Bounties (German)
HTTPS on Every Port?
https://isc.sans.edu/forums/diary/HTTPS+on+every+port/23261/
Curl over TOR
https://isc.sans.edu/forums/diary/Retrieving+malware+over+Tor/23257/
Evrial Trojan Modifies Copy/Pasted Bitcoin Addresses
https://twitter.com/malwrhunterteam/status/953313514629853184
Spectre/Meltdown Microcode Patch Problems
https://lkml.org/lkml/2018/1/21/192
DNS Rebinding Attacks Against Geth
https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
Chinese Quantum Cryptography Satellite Link Transmits Intercontinental Videolink
https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.120.030501
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create