
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #7

January 26, 2018

****************************************************************************

SANS NewsBites               January 26, 2018                Vol. 20, Num. 007

****************************************************************************

TOP OF THE NEWS

27 Android Apps Have Malicious Component from SDK

Norton, McAfee, and SAP Allowed Russia Access to Source Code

Dutch Government Officials Using Stripped-Down Phones for Travel

REST OF THE WEEK'S NEWS

A.P. Møller-Maersk NotPetya IT Recovery Completed in 10 Days

Wyden Takes Wray to Task on Encryption Back Doors

Donna Dodson Interview

Chrome 64 Includes Spectre Mitigations, Better Pop-Up Blocking

Firefox Updated to Version 58

Prison Sentence for University eMail Hacker

Bell Canada Suffers Another Data Breach

Electron Developer Framework Flaw Affects Widely-Used Apps

Hide 'N Seek IoT P2P Botnet

GAO Will Investigate FCC Net Neutrality Comment Concerns

DHS Testing Software to Protect Laboratory ICS


INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Splunk  ***************************


Improve Your Cybersecurity Posture in the Financial Sector With NIST Standards-Based Solutions Financial institutions face a challenging environment in which cyber threats are growing in severity and sophistication. Splunk has been working with NIST's National Cybersecurity Center of Excellence to address two key challenges in the financial sector. Join this webinar to learn about Access Rights Management and IT Asset Management reference architectures, relevant use cases, and how Splunk Enterprise is integrated in the example solutions. http://www.sans.org/info/201370


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018            


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018


-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018


-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Mini, Samsung Galaxy Tab S2 or take $300 Off your OnDemand or vLive training course by February 7. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

27 Android Apps Have Malicious Component from SDK

(January 25, 2018)

A software development kit (SDK) from Chinese company Ya Ya Yun has been found to include a malicious component that has made its way into apps found in the Google Play store. Used by developers to allow chats between app users, the component opens websites and clicks on advertisements. The 27 apps have been downloaded a total of 4.5 million times.


[Editor Comments]

[Neely] Choose your SDK carefully; some of them include unintended functionality. Consult the Android Developer forums for well-vetted options.


Read more in:

Bleeping Computer: Infected Android Games Spread Adware to More Than 4.5 Million Users

https://www.bleepingcomputer.com/news/security/infected-android-games-spread-adware-to-more-than-4-5-million-users/

 

 --

Norton, McAfee, and SAP Allowed Russia Access to Source Code

(January 25, 2018)

A Reuters investigation has found that three major software companies, Norton, McAfee, and SAP, have allowed Russian authorities to examine their source code. These companies' products are used on at least a dozen US federal agency networks. Last fall, Reuters found that Hewlett Packard's ArcSight software, which is used by the US Defense Department, had been reviewed by a Russian military contractor (ArcSight has since been purchased by Micro Focus). The recent Reuters probe found that ArcSight is used on other agency networks as well.


[Editor Comments]

[Pescatore] How about this headline: "Russia and China Have Access to Source Code of Operating System Used Across US Banks, Nuclear Reactors and Government Systems - Linux" Actually, the real headline should be "US Fails to Require Software Vendors Test Source Code Used on Sensitive Government and Critical Infrastructure Systems." Just as the UK has done for years with Huawei, requiring or performing testing of source code for vulnerabilities and malicious capabilities should be a standard part of supply chain security - routine policy, not click-bait.


[Murray] Examination of source code is a two-edged sword. For good code, it is a demonstration of quality. For poor code, it may expose exploitable vulnerabilities.


Read more in:

Reuters: Tech firms let Russia probe software widely used by U.S. government

https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT


 --

Dutch Government Officials Using Stripped-Down Phones for Travel

(January 22, 2018)

Dutch government officials have begun using non-Internet-connected mobile phones when they travel outside the country. The "dumb phones," which do not support apps, are designed with security in mind. They allow phone calls and text messages, and will allow data transfer only over registered and secure networks.  


[Editor Comments]

[Murray] In a world of ubiquitous and fast connectivity, there is little reason to take the risk of carrying sensitive data on portable devices. In the world of cheap hardware, one need not take the risk of reusing devices that may have been compromised.

[Neely] Taking only the data and capabilities you need on travel is something we all should do. Samsung has been working diligently to get their Knox environment approved for protection and transmission of classified information. These devices are leveraging Suite B encryption to protect data in transmission and at rest and are only sending data when on a registered secure network. Couple this with having known-good applications on the device and a hardened OS, and these are one hard target. As they resemble traditional smartphones, they won't stand out like prior Secure Mobile Environment Portable Electronic Device (SME PED) devices.

Read more in:

Softpedia: Dutch Government Switches to Super-Secure "Dumb" Phone to Prevent Hacks

http://news.softpedia.com/news/dutch-government-switches-to-old-school-dumb-phone-to-prevent-hacks-519487.shtml

 
 

**************************  SPONSORED LINKS  ********************************


1) Don't Miss: "Mind the Gap: going beyond penetration testing for security improvement" Register: http://www.sans.org/info/201375


2) The Zero Trust architecture is an ideal solution for the cloud where it is not possible to trust the network. Register for "Building Zero Trust Model with Microsegmentation in the Cloud" to learn more: http://www.sans.org/info/201380


3) It's time to make sure that DNS is part of your security posture. Register to Learn more: http://www.sans.org/info/201385


*****************************************************************************

THE REST OF THE WEEK'S NEWS    

 --

A.P. Møller-Maersk NotPetya IT Recovery Completed in 10 Days

(January 25, 2018)

After the A.P. Møller-Maersk container shipping firm's computer systems were infected with the NotPetya malware last summer, the company faced the problem of having to restore its entire computer infrastructure. The process, which Maersk IT staff completed in 10 days, involved reinstalling 4,000 servers, 45,000 PCs, and 2,500 applications. Speaking on a panel at the World Economic Forum, A.P. Møller-Maersk executive Jim Hagemann Snabe said that the incident cost the company between $250 million and $350 million USD.


[Editor Comments]

[Neely] Ten days to complete that much remediation is phenomenal. Beyond having the resources to execute that plan, having the infrastructure, backups, etc. available and working is an indicator that they had a working/tested BCP.  Even with a rapid restoration of services, the cost to the company, due to lost revenue, productivity, and recovery was significant. These costs need to be a component that management accepts when building your DR plan.

 

[Pescatore] Møller-Maersk chair Hagemann Snabe did a public relations talk that focused on the heroic rescue efforts, vs. on the process and control failures that left Maersk vulnerable to a relatively easy to avoid/mitigate attack. Also, a month after Not-Petya Maersk issued a status update that said they still had "... some challenges in certain locations due to manual processing and capacity restrictions." So, it took them longer than 10 days. Maersk and FedEx/TNT damage from Not-Petya are good case studies to show to CEOs and boards about what you need to do to avoid incidents vs. require expensive heroics in recovery that still result in $300M damage to the bottom line.


[Murray] One doubts that this was their "contingency plan," or that it was efficient. Test your plan in the light of this kind of attack. One suspects that we have new contingencies that current plans will not address.

 

Read more in:

Bleeping Computer: Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack

https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

The Register: IT 'heroes' saved Maersk from NotPetya with ten-day reinstallation bliz

http://www.theregister.co.uk/2018/01/25/after_notpetya_maersk_replaced_everything/

 

 --

Wyden Takes Wray to Task on Encryption Back Doors

(January 25, 2018)

US Senator Ron Wyden (D-Oregon) has written a letter to FBI director Christopher Wray following Wray's remarks calling encryption an "urgent public safety issue" at a conference earlier this month. Wyden took Wray to task for his statement that tech companies "should be able to design devices that both provide data security and permit lawful access with a court order," writing "Experts have repeatedly stated that what you are asking for is not, in fact, possible." UK Prime Minister Theresa May echoed Wray's sentiments in a speech at the World Economic Forum.


Read more in:

ZDNet: Senator calls out FBI director's 'ill-informed' encryption backdoor views

http://www.zdnet.com/article/senator-calls-out-fbi-directors-ill-informed-encryption-backdoor-views/

The Hill: Wyden blasts FBI chief over encryption remarks

http://thehill.com/policy/cybersecurity/370709-wyden-blasts-fbi-chief-over-encryption-remarks

The Register: Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors

http://www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/

 

 --

Donna Dodson Interview

(January 25, 2018)

Gigi Schumm talks to Donna Dodson, chief cybersecurity officer at the National Institute of Standards and Technology (NIST), associate director of the Information Technology Laboratory, and director of the National Cybersecurity Center of Excellence.


Read more in:

FNR: You don't want, need to be just like everyone else

https://federalnewsradio.com/women-of-washington/2018/01/you-dont-want-need-to-be-just-like-everyone-else/

 

 --

Chrome 64 Includes Spectre Mitigations, Better Pop-Up Blocking

(January 24 & 25, 2018)

Google has updated its Chrome browser to version 64 for Windows, Mac, Linux, and Android. Among the changes are an improved pop-up blocker and mitigations to protect users from exploits against the Spectre vulnerability. Chrome 64 also includes fixes for 53 security issues.  


Read more in:

Bleeping Computer: Chrome 64 Released With Stronger Popup Blocker, Spectre Mitigations

https://www.bleepingcomputer.com/news/software/chrome-64-released-with-stronger-popup-blocker-spectre-mitigations/

ZDNet: Google: Chrome 64 is out now, giving you tougher pop-up blocker, Spectre fixes

http://www.zdnet.com/article/google-chrome-64-is-out-now-giving-you-tougher-pop-up-blocker-spectre-fixes/

 

 --

Firefox Updated to Version 58

(January 23, 24, & 25, 2018)

Mozilla has updated Firefox to version 58 to fix 32 security issues. Firefox 58 also marks the second major release of Firefox Quantum. Mozilla has also updated Firefox Extended Support Release to ESR 52.6.   


[Editor Comments]

[Neely] This is important for businesses deploying the ESR branch of Firefox. ESR is targeted for managed desktops where stability and packaging for enterprise deployment is favored over having the latest features and enhancements. ESR lags the regular Firefox releases by two cycles (12 weeks). There are critical bug fixes in this patch for both branches of Firefox.


Read more in:

The Register: It's 2018 and... wow, you're still using Firefox? All right then, patch these horrid bugs

http://www.theregister.co.uk/2018/01/24/mozilla_firefox_security_updates/

eWeek: Mozilla Fixes 32 Security Flaws, Accelerates Performance in Firefox 58

http://www.eweek.com/security/mozilla-fixes-32-security-flaws-accelerates-performance-in-firefox-58

Threatpost: Firefox, Chrome Patch Vulnerabilities, Add Security Features

https://threatpost.com/firefox-chrome-patch-vulnerabilities-add-security-features/129658/

 

 --

Prison Sentence for University eMail Hacker

(January 24 & 25, 2018)

A district judge in New York has sentenced Jonathan Powell to six months in prison for breaking into more than 1,000 email accounts that belonged to Pace University students and trying to steal sexually explicit photos and videos. Powell was also ordered to pay nearly $279,000 USD in restitution.


Read more in:

Reuters: Arizona man gets six months in prison for hacking university email accounts

https://www.reuters.com/article/us-usa-cyber-universities/arizona-man-gets-six-months-in-prison-for-hacking-university-email-accounts-idUSKBN1FD37O

DoJ: Individual Who Compromised Over 1,000 Email Accounts At A New York City University Sentenced To 6 Months In Prison

https://www.justice.gov/usao-sdny/pr/individual-who-compromised-over-1000-email-accounts-new-york-city-university-sentenced

 

 --

Bell Canada Suffers Another Data Breach

(January 24, 2018)

Bell Canada has acknowledged a second data breach in less than a year. In May 2017, hackers stole information belonging to 1.9 million customers. The more recent breach affected fewer than 100,000 customers. Bell Canada has not said if the two breaches are related.


Read more in:

CBC: Bell Canada data breach: Up to 100,000 customers affected

http://www.cbc.ca/news/thenational/bell-canada-data-breach-up-to-100-000-customers-affected-1.4501173

The Register: Bell Canada Canucks it up again: Second hack in just eight months

http://www.theregister.co.uk/2018/01/24/bell_canada_security_hack/

SC Magazine: Bell Canada breach exposes names, emails of 100K customers

https://www.scmagazine.com/bell-canada-breach-exposes-names-emails-of-100k-customers/article/739274/

 

 --

Electron Developer Framework Flaw Affects Widely-Used Apps

(January 23 & 24, 2018)

A remote code execution vulnerability in the Electron developer framework affects Skype for Windows, Slack, and other applications. Electron has released updated versions of the framework (1.8.2-beta, 1.7.11, and 1.6.16) and has posted a workaround. Application publishers have also released updates to fix the issue.


[Editor Comments]

[Neely] Vulnerable apps need to not only be built on the vulnerable versions of the Electron framework, but also have registered themselves with the OS as the default handler for their traffic. E.g. slack:// opens the slack app.  Electron saves developers a lot of time producing their applications in a platform-independent fashion. Deploy the updated versions of the desktop applications to mitigate the risk. Skype has already been updated.


Read more in:

Threatpost: Skype, Slack and Other Popular Windows Apps Vulnerable to Critical Framework Bug

https://threatpost.com/skype-slack-and-other-popular-windows-apps-vulnerable-to-critical-framework-bug/129655/

Cyberscoop: Severe Electron framework vulnerability impacts apps like Skype and Slack

https://www.cyberscoop.com/electron-vulnerability-skype-slack/

The Register: Skype, Slack, other apps inherit Electron vuln

http://www.theregister.co.uk/2018/01/24/skype_signal_slack_nherit_electron_vuln/

 

 --

Hide 'N Seek IoT P2P Botnet

(January 24, 2018)

An Internet of Things (IoT) botnet dubbed Hide 'N Seek is spreading through a custom peer-to-peer (P2P) system. The botnet was first detected earlier this month. The number of infected devices has grown from 2,700 to more than 24,000 in a matter of days. A decentralized architecture makes the botnet more difficult to take down.


Read more in:

SC Magazine: Hide 'N Seek IoT botnet caught using Peer-to-Peer communication

https://www.scmagazine.com/hide-n-seek-used-custom-built-peer-to-peer-communication-to-exploit-victims/article/739293/

ZDNet: This unusual new IoT botnet is spreading rapidly via peer-to-peer communication

http://www.zdnet.com/article/this-unsuaul-new-iot-botnet-is-spreading-rapidly-by-using-peer-to-peer-communication/

 

 --

GAO Will Investigate FCC Net Neutrality Comment Concerns

(January 24, 2018)

The US Government Accountability Office (GAO) will investigate allegations that many of the comments regarding net neutrality received by the Federal Communications Commission (FCC) were generated by bots rather than by individuals, and that some of the comments were posted with stolen names and email addresses. The FCC's docketing system received more than 23 million comments during a public comment period on net neutrality. In contrast, the second-highest number of comments received during an FCC comment period was 3.7 million in 2016; those comments were also addressing net neutrality.


[Editor Comments]

[Pescatore] Just as Facebook and Twitter have had to finally acknowledge their systems were used to spread misinformation for malicious purposes, the GAO should expand this inquiry into how any Government system utilizing public comment or input from social media determines when comments are actually from US citizens vs. automated systems. Successful businesses are not basing business decisions based on unfiltered comments they get on their web sites, Facebook pages or Twitter accounts.


Read more in:

FCW: GAO to investigate bot-driven net neutrality comments

https://fcw.com/articles/2018/01/24/fcc-gao-probe-comment-spam.aspx

 

--

DHS Testing Software to Protect Laboratory ICS

(January 18 & 23, 2018)

The US Department of Homeland Security (DHS) is testing new software that will help protect industrial control systems (ICS) used at government laboratories. ICS systems at these labs are used to manage ventilation, heating, security, decontamination, and pathogen release prevention. The technology being tested "injects software into each device's binary operating system and constantly analyzes the code to prevent rogue commands from executing." The software is being tested at the Plum Island Animal Disease Center, which is a Biosafety Level 3 laboratory. The technology could eventually be used to help secure Internet of Things devices.


[Editor Comments]

[Assante] Peering into black boxes is only one step in a much more intensive process of being able to test, track, touch, and deploy fixes to embedded devices. I am surrounded by embedded systems as I write this note and am growing anxious thinking about knowing how many N-days are here as I am confident there is little capability to remediate them.


[Paller] In Mike Assante's comment, an "N-day" is a vulnerability that has been disclosed and for which a patch is available, but after N days, the patch has not been applied. In embedded devices - many patches are never applied.


Read more in:

Wired: A New Way to Track Down Bugs Could Help Save IoT

https://www.wired.com/story/a-new-way-to-track-down-bugs-could-help-save-iot/

Nextgov: DHS Inoculating Labs Against Hacks That Could Release Dangerous Diseases

http://www.nextgov.com/cybersecurity/2018/01/dhs-inoculating-labs-against-hacks-could-release-dangerous-diseases/145416/


INTERNET STORM CENTER TECH CORNER

Apple Patches Everything, Again

https://isc.sans.edu/forums/diary/Apple+Updates+Everything+Again/23269/


OpenSSL Introduces its Version of a "Patch Tuesday"

https://www.openssl.org/blog/blog/2018/01/18/f2f-london/


Hide 'N Seek IoT Botnet

https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/


Electron Fixes Protocol Handlers Flaw

https://electronjs.org/blog/protocol-handler-fix


Tracking Users Using CSS

https://github.com/jbtronics/CrookedStyleSheets


Ransomware As a Service

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/


"Rapid" Ransomware

https://id-ransomware.blogspot.ru/2018/01/rapid-ransomware.html (Russian)

https://www.bleepingcomputer.com/forums/t/667032/rapid-ransomware-rapid-paymeme-how-recovery-filestxt-support-topic/page-2


RTF Files For Hancitor Utilize Exploit for CVE-2017-11882

https://isc.sans.edu/forums/diary/RTF+files+for+Hancitor+utilize+exploit+for+CVE201711882/23271/


Xerox Workcenters Fudge Numbers

http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_are_switching_written_numbers_when_scanning?


libcurl Vulnerability

http://seclists.org/oss-sec/2018/q1/94


Container Intrusions: Assessing the Efficacy of Intrusion Detection and Analysis Methods for Linux Container Environments

https://www.sans.org/reading-room/whitepapers/detection/container-intrusions-assessing-efficacy-intrusion-detection-analysis-methods-linux-container-environments-38245

    

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create