SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #66
August 21, 2018****************************************************************************
SANS NewsBites August 21, 2018 Vol. 20, Num. 066
****************************************************************************
TOP OF THE NEWS
US Federal DMARC Implementation Deadline is Approaching
NIST Small Business Cybersecurity Act is Now Law
Gmail Confidential Mode
REST OF THE WEEKS NEWS
PHP Flaw Affects WordPress, Other CMSs
Prison Sentence in Business eMail Compromise Case
Apple Says Customer Data Not Compromised in Breach
Canada Telco TRS Flaw Patched
Philips IntelliSpace Cardiovascular Products Vulnerability
Augusta University Health Data Breached
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk *****************************
Graphic Novel: "Through the Looking Glass Table"
How does machine data, an analytics-driven platform, log management, SIEM, UEBA and SOAR solutions help IT managers and SOC analysts alike get ahead of the game? How can they better understand and respond to incidents, breaches, phishing attempts, insider threats and more? Find out with our first issue of our graphic novel Through the Looking Glass Table. http://www.sans.org/info/206245
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018
-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends August 22.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--US Federal DMARC Implementation Deadline is Approaching
(August 20, 2018)
The deadline for federal implementation of Domain-based Message Authentication, Reporting, and Conformance (DMARC) is less than two months away. There are still more than 200 US federal agency domains that have not adopted the requirements set forth in Homeland Security Binding Operational Directive 18-01 (BOD 18-01). The Office on Management and Budget (OMB) has a website that tracks agency domain compliance with BOD 18-01 as well as other federal security requirements.
[Editor Comments]
[Neely] Agencies are in the hard part of the DMARC implementation, where they are identifying legitimate third-party senders and making needed adjustments so those emails are marked as legitimate. With the impending end of the federal fiscal year September 30th, expect changes to be pushed back to November/December to mitigate impacts to year-end close and open processes.
[Murray] Phishing, bait, attacks have proven to be so efficient that many, not to say most, breaches, in government as elsewhere, have started with such an attack. The application of DMARC will not stop them all but it will resist some of them. It qualifies as an essential security measure for most commercial and government enterprises.
Read more in:
FNR: How agencies can stop playing Russian Roulette with their email security
https://federalnewsradio.com/reporters-notebook-jason-miller/2018/08/how-agencies-can-stop-playing-russian-roulette-with-their-email-security/
Pulse.CIO: Compliance Chart
https://pulse.cio.gov/https/domains/
--NIST Small Business Cybersecurity Act is Now Law
(August 17, 2018)
The National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act has been signed into law. It requires the NIST director to release guidance and resources to help small and mid-size businesses (SMBs) identify the security risks they face and to reduce those risks.
[Editor Comments]
[Murray] In the 80s Peter Browne and I served with others on a commission of the Small Business Administration to draft computer security guidance for their constituency. It was essential hygiene, much the same guidance as NIST will give today. It was the 80s so the guidance was published as a tri-fold pamphlet, with limited distribution, and no dedicated support or funding. While today the use of computers in business is ubiquitous, In the 80s, it was still limited mostly to larger enterprises. This law is timely and can be expected to be effective and efficient.
[Neely] SMBs need to be frugal with IT and Security dollars, as well as good guidance on where to focus. While the CSC helps prioritize application of cyber security controls, a simplified cyber security framework will be easier to digest and help them understand what they need to do. This will also help cross-walk requirements when working with larger businesses who have a more complex set of regulations.
[Henry] The inability of SMBs to address basic cybersecurity measures is significant in contributing to the overall risk to the ecosystem. These companies have limited resources, expertise, and understanding of the threat. The NIST guidelines will be helpful in ensuring theyve got a roadmap forward, though it still requires successful implementation. Good recommendations are helpful only when appropriately executed, and Im not overly optimistic that will happen broadly.
Read more in:
SC Magazine: President signs NIST Small Business Cybersecurity Act into law
https://www.scmagazine.com/president-signs-nist-small-business-cybersecurity-act-into-law/article/789147/
--Gmail Confidential Mode
(August 18 & 20, 2018)
Gmails new Confidential Mode lets users send email messages that self destruct and cannot be printed or forwarded. Settings allow senders to choose an amount of time before the email expires (from one day to five years) and can restrict access to the message after it is sent. Senders can also choose to require a password to open the message. The email contains a link to the actual content of the message, which is hosted on Google servers. The Electronic Frontier Foundation (EFF) takes issue with Googles claims of Confidential Modes security and privacy, pointing out that the messages are not encrypted end-to-end.
[Editor Comments]
[Pescatore] First, many found out with Snapchat that disappearing messages dont really disappear, same with Gmails confidential mode. Also, using Gmail to increase privacy scores high in cognitive dissonancelogging in to Gmail means you are logged in, and tracked across, all Google services, like search and YouTube.
[Murray] There are certainly advantages to storing e-mail in the cloud. There are advantages to having ephemeral links to that mail. It is hard to see that confidentiality is among those advantages. That such a system will be vulnerable to commercial failure and government abuse is no reason to give up the potential advantages. One hopes that users of such a system will appreciate its limitations as well as its advantages.
[Neely] Google is striving to deliver confidentiality without requiring a full PKI and records-retention implementation as an alternative to current trends of just sending messages without any protection. Unless the message is encrypted end-to-end, then others can read it. Given the interconnections between Google services, all engineered to help you find and access content regardless of the containing service, its hard to believe the content will ever truly self-destruct. Use record retention services to limit storage of messages, PKI to protect messages end-to-end.
[Northcutt] +1 EFF observation the messages are not encrypted end to end so they could easily be stored on Google servers long past the expiration date and the data can be demanded by the government. Best to wait for version 2.0. If you have never looked at the EFFs best effort to track National Security Letters, NSL, and vendor response this is worth a read, or re-read:
https://www.eff.org/who-has-your-back-2017
Read more in:
Bleeping Computer: Gmail's Confidential Mode Let's You Send Self-Destructing Emails
https://www.bleepingcomputer.com/news/google/gmails-confidential-mode-lets-you-send-self-destructing-emails/
Engadget: Gmail's 'Confidential Mode' arrives on mobile devices
https://www.engadget.com/2018/08/18/gmail-confidential-mode-mobile-devices/
Electronic Frontier Foundation: Between You, Me, and Google: Problems With Gmail's Confidential Mode
https://www.eff.org/deeplinks/2018/07/between-you-me-and-google-problems-gmails-confidential-mode
Google: Send & open confidential emails
https://support.google.com/mail/answer/7674059?co=GENIE.Platform%3DDesktop&hl=en
************************** SPONSORED LINKS ********************************
1) ICYMI: "What Works in Visibility, Access Control and IOT SecurityPulse Secure NAC Outcomes at Energy Provider" view the archive: http://www.sans.org/info/206255
2) Join SANS at the Threat Hunting & Incident Response Summit on Sep. 6-7 in New Orleans! Learn from top threat hunters and security practitioners as they share the latest methods and techniques used to hunt adversaries. http://www.sans.org/info/206260
3) "How Network Traffic Analytics Eliminates Darkspace for the SOC" with Chris Crowley. Register: http://www.sans.org/info/206265
*****************************************************************************
REST OF THE WEEKS NEWS
--PHP Flaw Affects WordPress, Other CMSs
(August 20, 2018)
A severe remote code execution PHP flaw affects several content management systems (CMSs), including WordPress and Typo3 as well as the TCPDF PDF generation library. The flaw was first disclosed more than a year ago.
[Editor Comments]
[Neely] The PHP flaw can be exploited to raise the privilege level on existing accounts within the CMS which means monitor these accounts carefully for unexpected activity. This would be a good time to review accounts for continued need and appropriate access levels.
Read more in:
The Register: So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks
https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
SC Magazine: PHP exploit flaw puts WordPress and other CMS sites at risk of remote code execution
https://www.scmagazine.com/php-exploit-flaw-puts-wordpress-and-other-cms-sites-at-risk-of-remote-code-execution/article/789821/
Threatpost: Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution
https://threatpost.com/severe-php-exploit-threatens-wordpress-sites-with-remote-code-execution/136649/
--Prison Sentence in Business eMail Fraud Scheme
(August 20, 2018)
A US District Judge in Connecticut has sentenced Olumuyiwa Yahtrip Adejumo to 15 months in prison for his role in a business email compromise scheme. According to court documents, Adejumo and his accomplices sent email messages to company executives that appeared to come from CEOs asking them to wire money to certain accounts. In his guilty plea, Adejumo admits to causing more than $100,000 USD in losses to at least three organizations.
[Editor Comments]
Read more in:
Dark Reading: Ohio Man Sentenced to 15 Years for BEC Scam
https://www.darkreading.com/attacks-breaches/ohio-man-sentenced-to-15-years-for-bec-scam/d/d-id/1332614
USDOJ: Ohio Resident Sentenced to 15 Months in Federal Prison for Role in Business E-Mail Compromise Scheme
https://www.justice.gov/usao-ct/pr/ohio-resident-sentenced-15-months-federal-prison-role-business-e-mail-compromise-scheme
--Apple Says Customer Data Not Compromised in Breach
(August 20, 2018)
After an Australian teenager pleaded guilty to breaking into Apples main computer network, the company reassured customers that their data were not compromised. The teenager admitted to downloading 90 gigabytes of internal data and to accessing customer accounts.
[Editor Comments]
[Neely] The teenager used SSH keys to access back end systems, reminding us that not only must care be taken to protect SSH private keys, but also insure appropriate controls are in place to protect direct access to key assets.
Read more in:
Reuters: Apple reassures customers after Australian media reports hack by teen
https://www.reuters.com/article/us-australia-apple-cyber/apple-reassures-customers-after-australian-media-reports-hack-by-teen-idUSKBN1L12L0
The Age: Melbourne teen hacked into Apple's secure computer network, court told
https://www.theage.com.au/national/victoria/melbourne-teen-hacked-into-apple-s-secure-computer-network-court-told-20180816-p4zxwu.html
--Canada Telco TRS Flaw Patched
(August 19 & 20, 2018)
Canadian Internet service providers (ISPs) have patched a security issue flaw in a telecommunications relay service (TRSs), which allows people with hearing and speech issues to place and receive calls through keyboards and other devices. The local file disclosure flaw could be exploited to gain elevated privileges on servers and gather user data. The flaw affects the SOLEO IP Relay platform.
[Editor Comments]
Read more in:
Bleeping Computer: Canadian Telcos Patch Vulnerability in TRS Systems
https://www.bleepingcomputer.com/news/security/canadian-telcos-patch-vulnerability-in-trs-systems/
Threatpost: Canadian Telcos Patch an APT-Ready Flaw in Disability Services
https://threatpost.com/canadian-telcos-patch-an-apt-ready-flaw-in-disability-services/136704/
--Philips IntelliSpace Cardiovascular Products Vulnerability
(August 14, 17, & 20, 2018)
A security flaw in Philips IntelliSpace Cardiovascular (ISCV) medical data management products could be exploited to gain elevated privileges and allow arbitrary code execution. The Department of Homeland Securitys (DHSs) Industrial Control System Cyber Emergency Response Team (ICS-CERT) has published an advisory. The flaw affects IntelliSpace Cardiovascular Version 3.1 or earlier, and Xcelera Version 4.1 or earlier.
[Editor Comments]
Read more in:
Threatpost: Philips Vulnerability Exposes Sensitive Cardiac Patient Information
https://threatpost.com/philips-vulnerability-exposes-sensitive-cardiac-patient-information/136669/
SC Magazine: Philips cardiovascular software found to contain privilege escalation, code execution bugs
https://www.scmagazine.com/philips-cardiovascular-software-found-to-contain-privilege-escalation-code-execution-bugs/article/789796/
ICS-CERT: Philips IntelliSpace Cardiovascular Vulnerabilities
https://ics-cert.us-cert.gov/advisories/ICSMA-18-226-01
Philips: Committed to proactively addressing the security concerns of our customers
https://www.usa.philips.com/healthcare/about/customer-support/product-security
--Augusta University Health Data Breached
(August 17, 2018)
Personal information on more than 400,000 people was compromised through a phishing attack that targeted faculty and administrators at Augusta University Health in the US state of Georgia. The intrusion was discovered nearly a year ago but the university didnt realize that data were compromised until July 31, 2018.
[Editor Comments]
Read more in:
SC Magazine: Phishing attack on Augusta University Health leads to breach exposing info on 400K persons
https://www.scmagazine.com/phishing-attack-on-augusta-university-health-leads-to-breach-exposing-info-on-400k-persons/article/789497/
Atlanta Journal Constitution: Ga. university breach risks health, personal information of 417,000
https://www.ajc.com/news/state--regional/university-breach-risks-health-personal-information-417-000/nPuUSV8qqvQXTQjY0ML8wN/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Fragmentsmack Summary
https://isc.sans.edu/forums/diary/Back+to+the+90s+FragmentSmack/23998/
HP Does Not Release Patches for Non-Windows Users
https://www.intego.com/mac-security-blog/exclusive-hp-leaves-mac-users-vulnerable-to-fax-hacks/
More about VB Script 0-Day Vulnerability and "Dark Hotel" (Chinese only)
https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/ (Chinese only)
https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/
PHP Deserialization Vulnerability Code Execution (PDF)
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
Regular Expression DDoS in Javascript (PDF)
http://mp.binaervarianz.de/ReDoS_TR_Dec2017.pdf
OpenSSH User Enumeration Update
https://isc.sans.edu/forums/diary/OpenSSH+user+enumeration+CVE201815473/24004
Turning (Page) Tables Exploit Technique (PDF)
https://cdn2.hubspot.net/hubfs/487909/Turning%20(Page)%20Tables_Slides.pdf
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
