SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #72
September 11, 2018****************************************************************************
SANS NewsBites September 11, 2018 Vol. 20, Num. 72
****************************************************************************
TOP OF THE NEWS
GAO Report Identifies Major Cybersecurity Challenges for US
Report: Grid Security Requires Proactive Public/Private Cooperation and Phased Approach
National Academies of Sciences, Engineering, and Medicine Urges US Elections to Use Paper Ballots
Maryland Launches First In Nation Assured Pipeline to Cybersecurity Jobs For Community College Students
REST OF THE WEEKS NEWS
Microsoft Documents Describe Windows Vulnerability Classification Process
Cloning Tesla Key Fobs
Trend Micro Apps Pulled from Apple App Store for Stealing Browser Histories and Cookies
Chrome 69 Does Not Display www and m Subdomains in Address Bar
US Department of Transportation CIO Looking to Crowdsourcing to Find Vulnerabilities in Agency Systems
DOJ Extradited Alleged Russian Hacker in Connection with Breaches of JPMorgan Chase and Other Financial Institutions
House Passes Naming and Shaming Cyber Deterrence and Response Act
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Corelight ************************
The first step in finding network breaches is BroCon 2018.
Cryptocurrency mining. Ransomware. Data exfiltration. Bro helps you find todays threats faster. Learn directly from the experts how Brothe worlds most powerful open-source network security monitor can make you a better threat hunter. October 10-12 in Washington DC. Learn more: http://www.sans.org/info/206650
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 9.7 iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--GAO Report Identifies Major Cybersecurity Challenges for US
(September 7, 2018)
A report from the US Government Accountability Office (GAO) identifies four major cybersecurity challenges the country faces in securing its critical infrastructure. The report also suggests 10 critical actions to mitigate the risks. The four challenges are establishing a comprehensive cyber strategy and performing effective oversight, securing federal systems and information, protecting cyber critical infrastructure, and protecting privacy and sensitive data.
[Editor Comments]
[Pescatore] Here is my summary to save you reading 88 pages of this: Overall, the federal government is still not taking the basic security actions everyone has been telling them to do since 1997, and it still needs to do so. In a previous GAO report looking at this across 20152016, GAO said the federal government had made little to no progress on 4 key criteria for actions to improve security but had at least shown top level management commitmentbut we will be reviewing that in February 2019.
[Neely] Implementing CDM will increase visibilities to issues. DHS is even funding licensing for tools and implementation to build the needed monitoring and reporting for the first two years. While well-intended, participation in CDM is optional, resources for resolving issues and long-term support for CDM itself still fall on the participating agencies which are already falling short.
Read more in:
Nextgov: GAO: 'Urgent Action Needed to Address Nations Cyber Challenges
GAO: High-Risk Series: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation (Report Highlights)
https://www.gao.gov/products/GAO-18-622
GAO: High-Risk Series: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation
https://www.gao.gov/assets/700/694355.pdf
--Report: Grid Security Requires Proactive Public/Private Cooperation and Phased Approach
(September 6, 2018)
A study published by the Johns Hopkins University Applied Physics Laboratory (JHUAPL) says that before adversaries strike, power companies and government officials should partner to draft basic template orders to defend the grid.to create a plan to respond to attacks against the countrys critical infrastructure. The report suggests that when a physical or cyberattack on the power grid is detected, the White House should declare a grid security emergency, which would be followed by emergency phases of imminent attack, attack is occurring, and restoration.
[Editor Comments]
[Murray] It is a little late. The grid has been under constant attack for months to years. These attacks are now in the target identification and compromise phase. It consists of identifying and compromising controls to create a capability which threatens us even if it is never used. We cannot afford to wait until such an attack is detected. Even if we had no evidence, we would be reckless not to assume it. We know the grid is so vulnerable as to constitute an existential risk. We must assume a continuing attack and act accordingly. Hope is not a strategy.
Read more in:
FCW: Study: Grid security needs to be a team sport
https://fcw.com/articles/2018/09/06/grid-security-study-rockwell.aspx
JHUAPL: Resilience for Grid Security Emergencies: Opportunities For IndustryGovernment Collaboration
http://www.jhuapl.edu/Content/documents/ResilienceforGridSecurityEmergencies.pdf
--National Academies of Sciences, Engineering, and Medicine Urges US Elections to Use Paper Ballots
(September 7, 2018)
A report from the National Academies of Sciences, Engineering, and Medicine says that US elections should move to machine-readable paper ballots by the 2020 election and that no ballots should be returned over the Internet or over any system connected to it. Along with using paper ballots, the report recommends that states conduct risk-limiting audits, assess the integrity of voter databases, and that elections systems should continue to be designated critical infrastructure.
[Editor Comments]
[Pescatore] The report (it is more like a book) is exactly right with many recommendations but most of them will be blunted by the politics that surround the voting issue in the US. There are some very solid short-term recommendations, in particular: Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.
[Murray] We moved away from paper ballots in order to meet the requirement for early tabulating and reporting. Modern scanners allow us to use paper ballots, with all their other advantages, and still meet those requirements.
Read more in:
Statescoop: Scientific collective calls for paper-based voting machines, no more internet voting
The Register: Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge
https://www.theregister.co.uk/2018/09/07/dump_electronic_voting/
National Academies: New Report Identifies Steps to Secure Americans Votes; All U.S. Elections Should Use Paper Ballots by 2020 Presidential Election; Internet Voting Should Not Be Used at This Time
--Maryland Launches First In Nation Assured Pipeline to Cybersecurity Jobs For Community College Students
(September 10, 2018)
Two hundred Maryland community college students and their teachers will kick off the Maryland Cyber FastTrack program on Friday, September 14 with Cisco, IBM, Northrop Grumman, CACI, Geico, and two of the largest 3-letter federal cybersecurity employers. The program allows students to demonstrate their talent and earn scholarships for advanced SANS training and interviews and placement support for great cyber jobs with Americas best places to work for cybersecurity people -- all as part of a single assured pipeline. Four additional states will announce their Cyber FastTrack programs over the next four months.
https://www.prnewswire.com/news-releases/the-maryland-cyber-fast-track-program-provides-reliable-pathways-to-cybersecurity-jobs-for-the-states-community-colleges-and-historically-black-university-students-300709740.html: The Maryland Cyber Fast Track Program Provides Reliable Pathways To Cybersecurity Jobs For The State's Community Colleges And Historically Black University Students
For Maryland community college students interested in participating in the Cyber Fast Track kickoff event, register at https://bit.ly/MdFastTrack
Details of the kickoff event can be found at https://bit.ly/MCFTKickOff
For more information on Maryland's Cyber Fast Track, go to: https://cyber-fast-track.io
For a poster on "The 10 coolest jobs in Cybersecurity" and an overview of the Maryland Cyber Fast Track program, visit: https://www.sans.org/images/10coolestjobs.jpeg
************************** SPONSORED LINKS ********************************
1) Don't Miss: "Meeting the Critical Security Controls Using OSSEC" with John Pescatore. Register: http://www.sans.org/info/206655
2) VMRay Product Manager, Rohan Viegas will show you how Gandcrab ransomware evades detection and analysis and infects victims. Register: http://www.sans.org/info/206660
3) Learn how to analyze data using advanced machine learning that mimics human analysts. Register: http://www.sans.org/info/206665
*****************************************************************************
REST OF THE WEEKS NEWS
--Microsoft Documents Describe Windows Vulnerability Classification Process
(September 10, 2018)
Microsoft has published a pair of documents that sheds some light on how the company classifies Windows security issues. A web page titled Microsoft Security Servicing Criteria for Windows describes the criteria Microsoft uses to determine whether reported vulnerabilities in supported versions of Windows should be addressed with security updates and guidance or within the next version of Windows. The second document is a PDF file that describes Microsofts process for assigning severity ratings to vulnerabilities.
[Editor Comments]
[Pescatore] Microsoft has evolved a very solid methodology for dealing with vulnerabilities discovered in Windows. However, Microsoft does not use the Common Vulnerability Scoring Standard (CVSS) and the severity ratings are very Windows specific. While that makes it harder for enterprises to directly compare and prioritize Windows patching against the need to patch other critical software, the reality is that the vast majority of security incidents are enabled by Windows vulnerabilities deemed Critical or Important by Microsoftwhen blood is spurting from a vein, you dont really need to have a CVSS score to decide to fix or shield that before looking at your other scrapes and bruises. But, this does point out why software engineering is still an oxymoron and why software will continue to be squishy for a long time.
[Honan] Kudos to Microsoft for sharing these documents and I urge all companies to read these documents and apply the lessons from them into how they can set up their own vulnerability programs.
Read more in:
ZDNet: Microsoft details for the first time how it classifies Windows security bugs
Microsoft: Microsoft Security Servicing Criteria for Windows
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1
Microsoft: Microsoft Vulnerability Severity Classification for Windows
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2A3xt
--Cloning Tesla Key Fobs
(September 10, 2018)
Researchers say they have found a relatively simple method for cloning key fobs for Tesla automobiles. The hack requires about $600 USD of equipment to read the wireless signals from a targeted fob, and two seconds of computation to determine the fobs cryptographic key. Tesla says that Model S cars sold after June 2018 are not affected by the vulnerability. Owners of older Tesla models can upgrade their key fobs. Tesla has also recently implemented a new security measure that allows people to set a PIN code to enter on the cars dashboard before they can drive the car.
[Editor Comments]
[Murray] Of course, the cost of such an attack includes a great deal of special knowledge. For some reason that continues to elude me, researchers never seem to count the knowledge, skill, and work that they invest in developing such attacks. Moreover they often encapsulate such knowledge and work in a computer program that permits their investment to be exploited by others without the same knowledge, skill, or effort.
Read more in:
Wired: Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/
--Trend Micro Apps Pulled from Apple App Store for Stealing Browser Histories and Cookies
(September 7 & 10, 2018)
Apple has removed the Trend Micros Adware Doctor app from its App Store because it was found to be stealing and uploading users browser histories. Apple first learned of the problematic app more than a month ago. The app violates Apple sandboxing security, copying users entire browser histories and their cookies and sending them to a domain that appears to be based in China. Other apps that reportedly acted in similar ways have also been removed from the store.
[Editor Comments]
[Ullrich] In addition to Adware Doctor, a number of additional apps were found to exfiltrate user data. These apps have also been removed from the Appstore either by Apple or the Apps publisher.
[Williams] This is both a success and a failure story at the same time. On the one hand, Apple's closed ecosystem is supposed to prevent malicious apps from being installed in the first place. On the other hand, the closed ecosystem does allow Apple to quickly address an issue like this. This story should serve as a reminder to organizations that just because an app made it through Apple's vetting doesn't mean the app is safe. Organizations should evaluate apps for security before installation. Those organizations that lack the resources to evaluate applications before installation can gain some herd immunity by only installing apps with a large user base.
[Neely] These applications exploit permissions explicitly granted. For example, Adware asks for permission to remove cookies, browser history and extensions which also grants it access to that information. This is mitigated in part in iOS 12 which introduces a home directory with separate permissions for access. Users still need to consider what apps they grant this access to.
Read more in:
The Register: Trend Micro tools tossed from Apple's Mac App Store after spewing fans' browser histories
https://www.theregister.co.uk/2018/09/10/trend_micro_apple_macos/
Threatpost: Apple Finally Boots Sneaky Adware Doctor App from Mac App Store
https://threatpost.com/apple-finally-boots-sneaky-adware-doctor-app-from-mac-app-store/137319/
Apple Insider: More malicious apps found in Mac App Store that are stealing user data
CNET: Apple removed popular app that was secretly stealing your browser history
https://www.cnet.com/news/apple-removed-popular-app-that-was-secretly-stealing-your-browser-history/
Motherboard: Popular Mac Anti-Adware App Surreptitiously Steals Your Browsing History, Researchers Say
https://motherboard.vice.com/en_us/article/wjye8x/mac-anti-adware-doctor-app-steals-browsing-history
Dark Reading: Apple (Finally) Removes MacOS App Caught Stealing User Browser Histories
--Chrome 69 Does Not Display www and m Subdomains in Address Bar
(September 9 & 10, 2018)
Chrome 69 does not display the www and m subdomains in the browsers address bar. Google calls the subdomains trivial, noting that this isn't information that most users need to concern themselves with in most cases. The change has met with criticism because there are bugs in the way Chrome is currently stripping the subdomains and it could be abused by hackers. Users can disable the setting.
Read more in:
Bleeping Computer: Chrome 69 Removing WWW and M subdomains From the Browser's Address Bar
LifeHacker: Google Is Killing 'WWW' In Chrome (And People Aren't Happy)
https://www.lifehacker.com.au/2018/09/chrome-is-killing-www/
bugs.chromium: Incorrect transforms when stripping subdomains
https://bugs.chromium.org/p/chromium/issues/detail?id=881410
--US Department of Transportation CIO Looking to Crowdsourcing to Find Vulnerabilities in Agency Systems
(September 7, 2018)
A series of low-level ransomware attacks targeting the US Department of Transportation (DOT) last year prompted CIO Vicki Hildebrand to review DOT security using crowdsourced bug hunting through Synack, a company that offers that service. Hildebrand told reporters at the Billington Cybersecurity Summit last week that the team found vulnerabilities that did not have easy fixes. She created a team to whack these things when theyre identified instead of falling back on regular patching to address vulnerabilities.
[Editor Comments]
[Neely] As part of her transition, Hildebrand wanted to find out the current status. DOT started with central (HQ) systems looking for vulnerabilities on the assumption these would be more secure than field office systems. While the scope of issues found exceeds their response capacities, a wide cast call for help also alerts others of possible targets. Leveraging the CSC and CDM would help frame a prioritized approach towards problem resolution and continuous monitoring.
Read more in:
Nextgov: Ransomware Strikes Launched a Cyber Cleansing Program at Transportation
Fedscoop: DOT grateful for extra hands that bug bounty program provided, CIO says
https://www.fedscoop.com/bug-bounty-synack-transportation-department-vicki-hildebrand/
--DOJ Extradited Alleged Russian Hacker in Connection with Breaches of JPMorgan Chase and Other Financial Institutions
(September 7, 2018)
A Russian man has been extradited from the country of Georgia to the US for his alleged role in cyberattacks targeting several financial institutions, including JP Morgan Chase. Andrei Tyurin faces numerous charges, including computer hacking, wire fraud, and conspiracy to commit securities fraud.
Read more in:
Cyberscoop: U.S. extradites Russian accused in hack of JPMorgan Chase
https://www.cyberscoop.com/andrei-tyurin-extradited-jpmorgan-chase-hack/
FCW: Russian hacker accused of historic data theft will face trial in U.S.
https://fcw.com/articles/2018/09/07/russian-hacker-extradited.aspx
Reuters: Russian extradited to U.S. to face charges over JPMorgan hack
DOJ: Manhattan U.S. Attorney Announces Extradition of Alleged Russian Hacker Responsible for Massive Network Intrusions at U.S. Financial Institutions, Brokerage Firms, a Major News Publication, and Other Companies
DOJ: Indictment
https://www.justice.gov/usao-sdny/press-release/file/1092376/download
--House Passes Naming and Shaming Cyber Deterrence and Response Act
(September 5, 2018)
The US House of Representatives has passed the Cyber Deterrence and Response Act. The bill directs the president to identify individuals behind state-sponsored hacking that threatens US interests and calls for a list of known foreign hacking groups to be published on the Federal Register. A companion bill has been introduced in the Senate.
[Editor Comments]
[Williams] First, there's little evidence that naming and shaming is effective in deterrence. It's hard to picture that if this bill passes, other countries won't "name and shame" U.S. government hackers as well. One potential issue is that other governments may apply a different standard to attribution standard than the U.S. when naming. If all governments begin naming and shaming, it's doubtful that this will be as effective in deterring action in other countries as it will in the U.S. Governments in other countries exert much more influence over their operators than we do in the U.S.
Read more in:
Cyberscoop: House passes deterrence bill that would call out nation-state hackers
https://www.cyberscoop.com/cyber-deterrence-ted-yoho-nation-state-hackers/
Congress.gov: H.R.5576 - Cyber Deterrence and Response Act of 2018
https://www.congress.gov/bill/115th-congress/house-bill/5576
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Crypto Mining in a Windows Headless Browser
https://isc.sans.edu/forums/diary/Crypto+Mining+in+a+Windows+Headless+Browser/24078/
"findstr" Used to Extract Malware from LNK Files
https://isc.sans.edu/forums/diary/What+is+dikona+or+glirote3/24084/
MacOS Adware Doctor Stealing Browser History
https://twitter.com/privacyis1st/status/1031428304543395840
https://objective-see.com/blog/blog_0x37.html
Trend Micro App Leaks Data, is Removed from Appstore
VPN Applications with Privilege Escalation Vulnerabilities
Keybase Extension Allows Access By Scripts from Any Site
Tor Browser Javascript Vulnerability
https://www.bleepingcomputer.com/news/security/exploit-affecting-tor-browser-burned-in-a-tweet/
Chrome Removes Subdomains from URL Bar
https://bugs.chromium.org/p/chromium/issues/detail?id=881410
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
