

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #69

August 31, 2018


****************************************************************************

SANS NewsBites               August 31, 2018               Vol. 20, Num. 069

****************************************************************************


TOP OF THE NEWS

  Google Selling 2FA Security Keys

  GAO Report: Census Bureau Cybersecurity


REST OF THE WEEK'S NEWS

  DoJ: CFAA May Not Currently Apply to Hacking Voting Machines

  Firefox Will Roll Out Anti-Tracking Features

  Cobalt Cybercrime Group Targeting Bank Employees

  Misfortune Cookie Flaw Affects Medical Devices

  Chinese Hotel Chain Data Theft

  Cisco Data Center Network Manager Flaw

  Fiserv Fixes Flaw That Exposed Customer Account Transaction Information


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Venafi, Inc  ***********************


During this SANS What Works, Troels Oerting, Chief Security Officer at Barclays Bank will provide details of his selection and deployment of Venafi to enable discovery and management of encryption keys and certificates in use across Barclays, supporting more transparent use of encryption, avoiding business disruption from expired certificates and demonstrating benefits to increased integrity and availability of critical business processes. http://www.sans.org/info/206505


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018

    

-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018


-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018


-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018


-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, ASUS Chromebook C300SA or Take $250 Off with OnDemand or vLive, Offer Ends September 5.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/



-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS

 

--Google Selling 2FA Security Keys

(August 30, 2018)

Google is now selling its USB and Bluetooth Titan FIDO-based security keys for two-factor authentication (2FA). Google has been using the keys internally; last month, the company said that since the keys were adopted more than eight months ago, none of its employees' accounts has been phished.


[Editor Comments]


[Pescatore] Good news/bad news: there is a waiting list to buy Google's Titan security key. That's good news if it signifies high demand, bad news if it is because Google did the announcement before it had the production capacity. The single biggest thing that Google/Apple/Facebook/Twitter/Microsoft/Paypal etc. can do to advance cybersecurity is to actively drive up the use of strong authentication.


[Neely] Making it easier for users to implement 2FA is key to adoption. These keys provide the verification through USB, Bluetooth or NFC connections with a complex handshake, not just a one-time code; that makes spoofing impractical. The biggest challenge will be making sure that all your use cases support the devices, e.g. Android doesn't currently support NFC Titan keys, and that you remember to disable fallback to a reusable credential.


[Murray] Even after a month of restricted sales, they sold out in half a day; latecomers were put on a waiting list. This product (actually two keys?) can reduce the inconvenience of strong authentication but at a price that many consumers may be unlikely to pay. While this product does provide some (unique) protection against fraudulent provisioning attacks, there will still be social engineering attacks targeting support desks. One can take some comfort in knowing that ten percent of Google users have opted into the Google strong authentication system. This contradicts the assertion of some still resisting enterprise security people that users will not tolerate strong authentication solutions.  

 

[Northcutt] I am a big believer in 2FA authentication. As soon as I read the news about the announcement I zoomed up to the Google store to buy one. I was put on a waiting list. After I get it I will try to post a first look at the bottom of NewsBites.

 

Read more in:

The Verge: Google's in-house security key is now available to anyone who wants one

https://www.theverge.com/2018/8/30/17797338/google-titan-security-key-2fa-token-store-sale

CNET: You can buy Google's $50 set of Titan security keys now

https://www.cnet.com/news/you-can-buy-googles-50-set-of-security-keys-now/

Bleeping Computer: Google's FIDO Based Titan Security Key Now Available for $50 USD

https://www.bleepingcomputer.com/news/google/googles-fido-based-titan-security-key-now-available-for-50-usd/



--GAO Report: Census Bureau Cybersecurity

(August 30, 2018)

A report from the US Government Accountability Office (GAO) found more than 3,000 security issues in Census Bureau IT systems that need to be addressed before 2020. Of the identified flaws, 43 are rated high risk or very high risk. The true number of flaws could be higher, as some Census systems have not yet been examined.


[Editor Comments]


[Neely] The Census Bureau is performing a huge IT modernization task prior to conducting the 2020 census. This report captures the status during the 2018 testing exercises which is midway along their project plan. The GAO previously identified 93 recommendations for the 2020 census, 61 of which have been implemented, and plans have been implemented to address the remaining 32. The issue here is, as usual, one of getting needed resources to implement these plans and achieve approval to operate prior to starting the census.


[Pescatore] The Census count is obviously the holy grail for attackers that want to disrupt the US democratic system. Back in 1995 or so, I testified to Congress when the Social Security Administration first wanted to put what is now called your personal Social Security Statement online. That was delayed a few years and SSA did a good job making sure it was done securely. The Census Bureau actually seems to be making progress on the cybersecurity side, but the staffing and management problems detailed in the report need emergency attention.

 

Read more in:

Nextgov: Census Bureau Must Fix 3,100 Cyber Vulnerabilities Before 2020 Count

https://www.nextgov.com/analytics-data/2018/08/census-bureau-must-fix-3100-cyber-vulnerabilities-2020-count/150938/

MeriTalk: Census Identifies 3,100 Cybersecurity Weaknesses in IT Testing

https://www.meritalk.com/articles/census-31000-cyber-problems/

GAO: 2020 CENSUS: Continued Management Attention Needed to Address Challenges and Risks with Developing, Testing, and Securing IT Systems

https://www.gao.gov/assets/700/694169.pdf

 

**************************  SPONSORED LINKS  ********************************


1) Understand where you are vulnerable the most, how to improve your security and where to invest your resources. Learn More: http://www.sans.org/info/206510


2) Don't Miss: "How to achieve autonomous (and optimized) hunting and detection." Register: http://www.sans.org/info/206515


3) Join SANS at the Threat Hunting & Incident Response Summit on Sep. 6-7 in New Orleans! Learn from top threat hunters and security practitioners as they share the latest methods and techniques used to hunt adversaries. http://www.sans.org/info/206520


*****************************************************************************

REST OF THE WEEK'S NEWS


--DoJ: CFAA May Not Currently Apply to Hacking Voting Machines

(August 30, 2018)

A July 2018 report from the US Department of Justice (DoJ) suggests that the Computer Fraud and Abuse Act (CFAA), a law frequently used to prosecute cybercrimes, may not apply to those who interfere with electronic voting systems. According to the report, the CFAA prohibits hacking into machines that are connected to the Internet. Experts are skeptical of the claims, maintaining that the CFAA has not been interpreted this way in past cases. A bill introduced in the Senate in July 2018 would amend the CFAA to ensure it covers voting machines.


[Editor Comments]


[Murray] Fraud and abuse are still crimes. The CFAA was intended to make them easier to prosecute. To the extent that this is a problem, it is easily remedied.

 

Read more in:

Motherboard: Justice Department Warns It Might Not Be Able to Prosecute Voting Machine Hackers

https://motherboard.vice.com/en_us/article/vbjwy9/justice-department-warns-it-might-not-be-able-to-prosecute-voting-machine-hackers

FCW: Does the CFAA apply to voting machine hacks?

https://fcw.com/articles/2018/08/30/cfaa-voting-hacks-johnson.aspx

DoJ Report: Report of the Attorney General's Cyber Digital Task Force (July 2018)

https://www.justice.gov/ag/page/file/1076696/download

 
 

--Firefox Will Roll Out Anti-Tracking Features

(August 30, 2018)

Mozilla says that future versions of Firefox will help protect users' privacy, block malicious scripts, and shorten webpage loading times by blocking cross-site tracking scripts, slow tracking scripts, and malicious miner and fingerprinting scripts. The new features will be rolled out over several versions of Firefox during the next few months.


[Editor Comments]


[Murray] New features of browsers to remedy old features of browsers. Enterprise users should prefer isolated or locked-down systems for browsing the web and doing e-mail.  


[Neely] As web drive-by methods remain in the top five mechanisms by which endpoints get compromised, blocking these scripts will help give users an added level of defense. The features are available in the Firefox 63 nightly build, with parity expected in Firefox ESR 60.3. Expect releases this fall.

 

Read more in:

Mozilla: Changing Our Approach to Anti-tracking

https://blog.mozilla.org/futurereleases/2018/08/30/changing-our-approach-to-anti-tracking/

Bleeping Computer: Mozilla Firefox Will Soon Block All Trackers by Default

https://www.bleepingcomputer.com/news/software/mozilla-firefox-will-soon-block-all-trackers-by-default/

 
 

--Cobalt Cybercrime Group Targeting Bank Employees

(August 30, 2018)

The cybercrime group known as Cobalt is believed to be responsible for attacks against ATMs and the SWIFT international financial messaging system. The group appears to be launching a new set of phishing attacks against employees at two financial institutions: NS Bank in Russia and Patria Bank in Romania.


[Editor Comments]


[Murray] It is urgent that even small banks adopt strong authentication and true end-to-end encryption measures to resist lateral compromise after one employee clicks on a bait object.

 

Read more in:

Dark Reading: Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New Attacks

https://www.darkreading.com/endpoint/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks/d/d-id/1332707

ZDNet: Notorious cyber crime gang behind global bank hacking spree returns with new attacks

https://www.zdnet.com/article/notorious-cyber-crime-gang-behind-global-bank-hacking-spree-returns-with-new-attacks/

 
 

--Misfortune Cookie Flaw Affects Medical Devices

(August 30, 2018)

The US Department of Homeland Security's (DHS's) Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has issued an advisory warning of a vulnerability in the Qualcomm Life Capsule Datacaptor Terminal Server that could be exploited to execute unauthorized code and obtain administrator-level privileges on the device. The flaw, known as Misfortune Cookie, was first detected four years ago; at that time, it affected servers. This time, it has been found to affect medical devices. Qualcomm Life has developed a fix to address the vulnerability.


Read more in:

ZDNet: Misfortune Cookie vulnerability returns to impact medical devices

https://www.zdnet.com/article/misfortune-cookie-vulnerability-impacts-medical-devices/

Threatpost: Critical Flaws in Syringe Pump, Device Gateways Threaten Patient Safety

https://threatpost.com/critical-flaws-in-syringe-pump-device-gateways-threaten-patient-safety/137067/

Bleeping Computer: 4-Year Old Misfortune Cookie Rears Its Head In Medical Gateway Device

https://www.bleepingcomputer.com/news/security/4-year-old-misfortune-cookie-rears-its-head-in-medical-gateway-device/

ICS-CERT: Advisory (ICSMA-18-240-01) Qualcomm Life Capsule

https://ics-cert.us-cert.gov/advisories/ICSMA-18-240-01

 
 

--Chinese Hotel Chain Data Theft

(August 29, 2018)

China's Huazhu hotel chain has acknowledged that customer data may have been stolen and offered for sale on the Internet. Nearly 500 million pieces of data appear to be advertised on a darknet site. The number of affected customers is estimated to be 130 million.


[Editor Comments]


[Neely] The root cause appears to be a developer uploading the internal database to GitHub. Create a process to monitor your GitHub and other external code repositories for deliberate or accidental inclusion of inappropriate information such as databases and SSH private keys, and assure proper access controls are in place to protect company IP.

 

Read more in:

The Register: Chinese hotel chain warns of massive customer data theft

https://www.theregister.co.uk/2018/08/29/chinese_hotel_data_theft/

 
 

--Cisco Data Center Network Manager Flaw

(August 29, 2018)

Cisco has published a security advisory warning of a path traversal vulnerability in Cisco Data Center Network Manager (DCNM). The issue affects DCNM versions prior to 11.0(1). Updates are available to address the flaw.


Read more in:

Cisco: Cisco Data Center Network Manager Path Traversal Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180828-dcnm-traversal

SC Magazine: Cisco Data Center Network Manager flaw allows unauthorized access to sensitive information

https://www.scmagazine.com/cisco-data-center-network-manager-flaw-allows-unauthorized-access-to-sensitive-information/article/792003/

 
 

--Fiserv Fixes Flaw That Exposed Customer Account Transaction Information

(August 28, 2018)

Fiserv has fixed a security issue in its web platform that is used by numerous financial institutions. The flaw involves alerts for account transactions. The alert event numbers are assigned sequentially, so a customer who has chosen to receive the alerts can view transaction information for other people's accounts simply by changing the number in the browser. Fiserv developed a fix for the issue and pushed it out to clients that use hosted versions of the affected products. The company said it planned to deploy the fix to clients using in-house versions of the affected products earlier this week.
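The class of bug described above is an insecure direct object reference: the server trusts a guessable identifier and never checks who is asking. The following is an added illustration, not Fiserv's code; it models the vulnerable lookup beside a hardened one (ownership check plus unguessable IDs) and a small log check that flags a session walking consecutive event numbers. The store, the `/alerts/<id>` URL shape and the log lines are constructed for the example.

```python
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Alert:
    event_id: str
    owner: str
    detail: str


@dataclass
class AlertStore:
    alerts: Dict[str, Alert] = field(default_factory=dict)
    next_seq: int = 1000  # constructed starting point for sequential numbering

    # Vulnerable pattern: sequential event numbers and a lookup keyed on the
    # number alone, so any authenticated customer who edits the number in the
    # URL is handed another customer's alert.
    def add_sequential(self, owner: str, detail: str) -> str:
        event_id = str(self.next_seq)
        self.next_seq += 1
        self.alerts[event_id] = Alert(event_id, owner, detail)
        return event_id

    def get_unchecked(self, event_id: str, requester: str) -> Optional[Alert]:
        return self.alerts.get(event_id)  # requester is never consulted

    # Hardened pattern: an ownership check is the actual fix; unguessable IDs
    # additionally remove the trivial "add one to the number" enumeration path.
    def add_random(self, owner: str, detail: str) -> str:
        event_id = secrets.token_urlsafe(16)
        self.alerts[event_id] = Alert(event_id, owner, detail)
        return event_id

    def get_for_user(self, event_id: str, requester: str) -> Optional[Alert]:
        alert = self.alerts.get(event_id)
        if alert is None or alert.owner != requester:
            return None  # same answer for "missing" and "not yours": no oracle
        return alert


# Detection side: flag sessions that request consecutive event numbers.
LOG_RE = re.compile(r"session=(?P<sess>\w+) .*GET /alerts/(?P<id>\d+)")

SAMPLE_LOG: List[str] = [  # constructed access-log lines, not real data
    "2018-08-28T10:00:01 session=s1 GET /alerts/1000 200",
    "2018-08-28T10:00:09 session=s1 GET /alerts/1001 200",
    "2018-08-28T10:01:00 session=s2 GET /alerts/1000 200",
    "2018-08-28T10:01:01 session=s2 GET /alerts/1001 200",
    "2018-08-28T10:01:02 session=s2 GET /alerts/1002 200",
    "2018-08-28T10:01:03 session=s2 GET /alerts/1003 200",
    "2018-08-28T10:01:04 session=s2 GET /alerts/1004 200",
    "2018-08-28T10:01:05 session=s2 GET /alerts/1005 200",
]


def find_id_walkers(log_lines: List[str], min_run: int = 5) -> Dict[str, int]:
    """Return {session: longest consecutive-ID run} for runs >= min_run."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["sess"]].append(int(m["id"]))
    flagged: Dict[str, int] = {}
    for sess, ids in seen.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[sess] = best
    return flagged
```

A customer viewing their own two alerts (s1) is not flagged, while a session stepping through six consecutive numbers (s2) is.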


Read more in:

KrebsOnSecurity: Fiserv Flaw Exposed Customer Data at Hundreds of Banks

https://krebsonsecurity.com/2018/08/fiserv-flaw-exposed-customer-data-at-hundreds-of-banks/

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Microsoft Windows Task Scheduler Local Privilege Escalation Vulnerability

https://www.kb.cert.org/vuls/id/906424


3D Printers Exposed to Internet

https://isc.sans.edu/forums/diary/OctoPrint+3D+Web+Interfaces+EXPOSED+Port+5000+default/24038/


Firefox Nightly Build Removes Trust From Symantec Certificates

https://bugzilla.mozilla.org/show_bug.cgi?id=1460062

https://bugzilla.mozilla.org/show_bug.cgi?id=1484006        


More Octoprint Details

https://isc.sans.edu/forums/diary/3D+Printers+in+The+Wild+What+Can+Go+Wrong/24044/


Mimecast Identifies Weaknesses in Existing eMail Filters

https://www.mimecast.com/resources/ebooks/dates/2018/7/the-state-of-email-security-2018-report/


Packagist Remote Code Injection Vulnerability

https://justi.cz/security/2018/08/28/packagist-org-rce.html


More OpenSSH User Enumeration Issues

http://seclists.org/oss-sec/2018/q3/180


Two New TPM Vulnerabilities

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-han.pdf        


Cryptocoin Miners are More Popular Than Ever and Dominate in Attacks

https://isc.sans.edu/forums/diary/Crypto+Mining+Is+More+Popular+Than+Ever/24050/


Cryptocoin Miners Deployed via Struts Vulnerability

https://www.volexity.com/blog/2018/08/27/active-exploitation-of-new-apache-struts-vulnerability-cve-2018-11776-deploys-cryptocurrency-miner/


Android Leaks Information to Processes

https://wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create