
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #62

August 7, 2018



****************************************************************************

SANS NewsBites               August 7, 2018                Vol. 20, Num. 062

****************************************************************************


TOP OF THE NEWS

  US Dept. of Energy is Planning Power Grid Cybersecurity Exercise

  Treasury Report Urges National Breach Notification Standard

  Study: Spam is Still an Effective Way to Infect Computers


REST OF THE WEEK'S NEWS

  New Pentagon Policy Prohibits Employees from Using Geolocation in Operational Areas

  Taiwan Semiconductor Manufacturing Plants Temporarily Shut Down by Cyberattack

  Facebook's Fizz TLS 1.3 Library

  HP Releases Fix for InkJet Printer Flaws

  Windows App Development Environment Bug

  BurnBox Self-Revocable Encryption


INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Splunk  ****************************


Graphic Novel: "Through the Looking Glass Table"

How do machine data, an analytics-driven platform, log management, SIEM, UEBA and SOAR solutions help IT managers and SOC analysts alike get ahead of the game? How can they better understand and respond to incidents, breaches, phishing attempts, insider threats and more? Find out with the first issue of our graphic novel, Through the Looking Glass Table. http://www.sans.org/info/205960


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018


-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Final Week for Summer Special Offers with Online Training. Get a 10.5-inch iPad Pro, Samsung Galaxy Tab S3 or take $350 Off with Any OnDemand or vLive Course. Offer Ends August 8.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/



-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*****************************************************************************


TOP OF THE NEWS

 

--US Dept. of Energy is Planning Power Grid Cybersecurity Exercise

(August 3, 2018)

The US Department of Energy (DOE) is planning an exercise to test the power grid's ability to recover from a blackout caused by a cyberattack. The exercise will take place in November 2018 and will have participants working to restore the power grid while defending against a cyberattack on the electric, oil, and natural gas infrastructure.


[Editor Comments]


[Neely] This will be an excellent capabilities assessment and will likely result in opportunities for improvement. Critical infrastructure is viewed as the next-generation battlefield, and the incorporation of such an exercise in annual emergency response drills has to be SOP.


[Assante] Re-energizing a system requires a multi-phase approach to start generating and balancing load pockets and then expanding out into the system. Walking through and simulating how to regain integrity and control of blackstart cranking paths is critical to recovering from a regional power outage. Exercising under the unique circumstances of a cyber-caused outage will help coordination, but it must also deal with the challenges of firmware-level attacks on substation devices and the possibility of re-infection/attack from local equipment. This is currently a gap in capabilities that needs to be closed!


Read more in:

E&E News: DOE to vet grid's ability to reboot after a cyberattack

https://www.eenews.net/stories/1060092675

 
 

--Treasury Report Urges National Breach Notification Standard

(July 31 & August 3, 2018)

A US Treasury report that focuses on nonbank financial institutions, financial technology (fin-tech), and innovation includes recommendations for improved fin-tech consumer protection, such as giving consumers greater control over their financial data, and establishing a national breach notification standard.


[Editor Comments]


[Pescatore] The report makes two weak recommendations: (1) removing unintended or unnecessary regulatory and other barriers to stronger digital identities, and (2) fully implementing the long-delayed U.S. government federated digital identity system. Both recommendations point to public/private partnerships vs. having the government take action to make government services more secure by requiring strong authentication for things like tax filings.


[Paller] Following up on John Pescatore's comment: If the government won't lead by example, it is difficult to see how it can be considered part of the solution.


[Murray] Breach notification embarrasses the victim system operator but no longer serves to protect the data subjects. Most of us have had our personal data compromised multiple times. Telling us about one more time does not offer us much.


Read more in:

SC Magazine: U.S. Treasury calls for national data breach notification and increased data protections

https://www.scmagazine.com/us-treasury-calls-for-national-data-breach-notification-and-increased-data-protections/article/785999/

Treasury: Treasury Releases Report on Nonbank Financials, Fintech, and Innovation

https://home.treasury.gov/news/press-releases/sm447

Treasury: A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation

https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation.pdf

 
 

--Study: Spam is Still an Effective Way to Infect Computers

(July 31 & August 2, 2018)

A study from F-Secure and MWR InfoSecurity says that spam is still the top choice of attackers for spreading malware. The study found that spam click rates have risen slightly, from 13.4 percent last year to 14.2 percent this year. The report also says that spam remains an effective infection vector because the availability of other vectors, like Adobe Flash, is diminishing.


[Editor Comments]


[Neely] The good news is other paths to the system for malware are closing down, making traditional distribution mechanisms less effective. The bad news is that getting a user to click on a malicious link or attachment still works. Beyond hardening of the endpoint and the perimeter, focus on user training which includes recognition for proper reporting.


Read more in:

Threatpost: ThreatList: Spam's Revival is Tied to Adobe Flash's Demise

https://threatpost.com/threatlist-spams-revival-is-tied-to-adobe-flashs-demise/134688/

Information Age: Spam still the most common cyber crime technique, according to recent research

https://www.information-age.com/spam-still-first-choice-cyber-crime-according-study-123473840/

 

**************************  SPONSORED LINKS  ********************************


1) Come hear Tom Patterson, Unisys Chief Trust Officer and one of the cyber moonshot subcommittee co-chairs, give you an insider's look at the security science that will impact our future. Visit Unisys at Booth #1420 at Black Hat! http://www.sans.org/info/205965


2) Don't Miss "Automating Open Source Security: A SANS Review of WhiteSource" Learn More: http://www.sans.org/info/205970


3) "Break Silos and respond to threats faster; Eliminating network and security silos to speed attack response" Register: http://www.sans.org/info/205975


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--New Pentagon Policy Prohibits Employees from Using Geolocation in Operational Areas

(August 6, 2018)

The US Department of Defense (DOD) has prohibited employees from using geolocation apps on all devices, both personal and government-issued, in operational areas. The policy takes effect immediately. Combatant commanders may make exceptions for government-issued devices for mission necessity.


[Editor Comments]


[Pescatore] The DoD has unique constraints, but turning off location services on all clean mobile phones and laptops issued to executives on international travel to China, Russia, Venezuela, etc. is a good idea.


[Murray] The problem is not geolocation, per se. Rather it is apps that leak location information into the network. It is naive to believe that such leakage is limited to geolocation apps. We should keep in mind that we deployed the very expensive GPS system primarily for military applications. Fix the leaks.


[Neely] Given the recent wave of data gleaned from databases created as users record activities, DOD is working to close the hole rather than waiting for application owners to take action. While controlling these settings on DOD managed devices is possible, reliance on users to enable/disable the geolocation services on personal devices is problematic. A stronger control is to prohibit personally owned devices in operational areas.


Read more in:

Defense: Memo: Use of Geolocation-Capable Devices, Applications, and Services

https://media.defense.gov/2018/Aug/06/2001951064/-1/-1/1/GEOLOCATION-DEVICES-APPLICATIONS-SERVICES.PDF

Defense: New DoD Policy Prohibits GPS-Enabled Devices in Deployed Settings

https://www.defense.gov/News/Article/Article/1594486/new-dod-policy-prohibits-gps-enabled-devices-in-deployed-settings/

FCW: DOD cracks down on geolocation devices and services

https://fcw.com/articles/2018/08/06/dod-geo-ban-williams.aspx

 
 

--Taiwan Semiconductor Manufacturing Plants Temporarily Shut Down by Cyberattack

(August 6, 2018)

A cyberattack launched against Taiwan Semiconductor Manufacturing Company (TSMC) forced the company to shut down some of its production plants late last week. TSMC said that its systems were infected by a variant of WannaCry ransomware. The company is back in full production as of Monday, August 6.


Read more in:

SC Magazine: Taiwanese Semiconductor product knocked offline due to

https://www.scmagazine.com/taiwanese-semiconductor-product-knocked-offline-due-to/article/786362/

ZDNet: TSMC says variant of WannaCry virus brought down its plants

https://www.zdnet.com/article/tsmc-says-variant-of-wannacry-virus-brought-down-its-plants/

BBC: Apple chipmaker recovers after malware attack

https://www.bbc.com/news/technology-45089095

 
 

--Facebook's Fizz TLS 1.3 Library

(August 6, 2018)

Facebook has released Fizz, an open source TLS 1.3 library. Fizz reportedly manages memory more efficiently than other TLS libraries. Facebook says that more than half its traffic is now secured with TLS 1.3.


Read more in:

FB: Deploying TLS 1.3 at scale with Fizz, a performant open source TLS library

https://code.fb.com/networking-traffic/deploying-tls-1-3-at-scale-with-fizz-a-performant-open-source-tls-library/

Dark Reading: Facebook Launches Fizz Library for Dev Speed, Security

https://www.darkreading.com/application-security/facebook-launches-fizz-library-for-dev-speed-security/d/d-id/1332496

The Register: Facebook cracks open its bottle of Fizz, a carbonated TLS 1.3 lib

https://www.theregister.co.uk/2018/08/06/facebook_tls_1_3_fizz/

ZDNet: Fizzing up the new TLS security protocol

https://www.zdnet.com/article/fizzing-up-the-new-tls-security-protocol/

 
 

--HP Releases Fix for InkJet Printer Flaws

(July 31, August 3 & 6, 2018)

HP has released a firmware update to address two flaws affecting its InkJet printers. The vulnerabilities affect at least 166 different models of HP InkJet printers. Malicious files sent to vulnerable devices could trigger stack or static buffer overflows, which could allow remote code execution. In May, HP launched a bug bounty program, the first such program to address flaws in printers. The program is private; 34 researchers were invited to participate.


[Editor Comments]


[Murray] Part of the problem here is that there is too much gratuitous general-purpose computer function included in these printers and exposed to public networks. We should be building appliances with only the function necessary rather than including too much function which we then have to compensate for.  


Read more in:

The Register: Ever seen printer malware in action? Install this HP Ink patch, or you may find out

https://www.theregister.co.uk/2018/08/03/hp_printer_malware/

ZDNet: HP printer? Over 100 inkjet models have two critical bugs so patch now, warns HP

https://www.zdnet.com/article/hp-printer-over-100-inkjet-models-have-two-critical-bugs-so-patch-now-warns-hp/

CNET: HP will pay hackers up to $10,000 to break its printers

https://www.cnet.com/uk/news/hp-will-pay-hackers-up-to-10000-to-break-their-printers/

CSO Online: $10,000 for hacking HP printers: First bug bounty program for printer security

https://www.csoonline.com/article/3293435/security/10000-for-hacking-hp-printers-first-bug-bounty-program-for-printer-security.html

HP: HPSBHF03589 rev. 2 - HP Ink Printers Remote Code Execution

https://support.hp.com/us-en/document/c06097712

HP: HP Launches Industry's First Print Security Bug Bounty Program

https://press.ext.hp.com/us/en/press-releases/2018/hp-launches-industrys-first-print-security-bug-bounty-program.html

 
 

--Windows App Development Environment Bug

(August 3 & 6, 2018)

A flaw in the mingw-w64 (Minimalist GNU for Windows, 64-bit) toolchain causes it to produce Windows executables that are incompatible with Address Space Layout Randomization (ASLR), an exploit mitigation technology, even though they are flagged as opting in to it. An advisory from CERT/CC suggests a workaround for the issue, but there are not presently any fixes. Vendors were notified about the issue in late July.
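The CERT note's wording, "opt in to ASLR, but are not compatible with ASLR", describes an image whose optional header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE but which carries no base relocation table, so the loader cannot actually move it. The following checker is an added example written for this issue, not code from CERT/CC or the mingw-w64 project; it parses the PE headers directly, and `build_pe` constructs minimal synthetic PE32+ header images (not real programs) so it runs offline.

```python
import struct
import sys

# Values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def aslr_status(pe: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and whether it can really be relocated."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    characteristics = struct.unpack_from("<H", pe, coff + 18)[0]
    opt = coff + 20                          # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        dirs_off = opt + 96
    elif magic == 0x20B:                     # PE32+
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", pe, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", pe, dirs_off - 4)[0]
    reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _rva, reloc_size = struct.unpack_from(
            "<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    opts_in = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = reloc_size > 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    # The mingw-w64 condition is opts_in == True with relocatable == False.
    return {"dynamic_base": opts_in, "relocatable": relocatable,
            "aslr_effective": opts_in and relocatable}


def build_pe(dynamic_base: bool, with_reloc: bool) -> bytes:
    """Construct a minimal synthetic PE32+ header image (constructed test data, not runnable)."""
    dllchar = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0
    dirs = [(0, 0)] * 16
    if with_reloc:
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000, 0x10)   # made-up RVA and size
    opt = struct.pack("<H", 0x20B) + b"\0" * 68 + struct.pack("<H", dllchar)
    opt += b"\0" * (108 - len(opt)) + struct.pack("<I", len(dirs))
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    # Machine=x64, 0 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(aslr_status(fh.read()))
```

Run it against an executable produced by the affected toolchain to confirm whether the workaround in the CERT note took effect.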


Read more in:

CERT: mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

SC Magazine: Bug in Mingw-w64 Windows app development environment results in exploitable executables

https://www.scmagazine.com/bug-in-mingw-w64-windows-app-development-environment-results-in-exploitable-executables/article/785814/

ZDNet: Windows apps made on Linux hit by security fail

https://www.zdnet.com/article/windows-apps-made-on-linux-hit-by-security-fail/

 
 

--BurnBox Self-Revocable Encryption

(July 31, 2018)

Researchers from Cornell University, Cornell Tech, and the University of Illinois Urbana-Champaign have developed a form of self-revocable encryption, which would allow users to temporarily revoke access to selected files on their devices. The feature could be especially useful to journalists and human rights workers who want to prevent authorities from viewing sensitive information. The researchers plan to present their work at the Usenix Security Symposium in Baltimore later this month.


[Editor Comments]


[Neely] When using such techniques, caution has to be taken to not appear to be lying or otherwise obstructing law enforcement or border control officials, which can lead to an extended-scope inspection. The safest bet is not to store sensitive data on the devices going through control points and to log out of cloud services that can access the data.


Read more in:

Wired: Burnbox Makes Hidden Files Look Like You've Deleted Them

https://www.wired.com/story/burnbox-makes-hidden-files-look-like-youve-deleted-them/

Usenix: BurnBox: Self-Revocable Encryption in a World Of Compelled Access

https://www.usenix.org/conference/usenixsecurity18/presentation/tyagi

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


New WPA Attack

https://hashcat.net/forum/thread-7717.html


Fake Tech Support Uses More Intelligent Call Routing

https://www.symantec.com/blogs/threat-intelligence/tech-support-scam-call-optimization


HP Printer Updates

https://support.hp.com/us-en/document/c06097712


Numeric Obfuscation

https://isc.sans.edu/forums/diary/Numeric+obfuscation+another+example/23960/


Crestron Touchscreen Vulnerability

https://blog.securitycompass.com/security-advisory-regarding-crestron-tsw-xx60-touch-panel-devices-9f1a71a926a5


Facebook Releases "Fizz" TLS 1.3 Library

https://github.com/facebookincubator/fizz


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create