SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #73
September 14, 2018****************************************************************************
SANS NewsBites September 14, 2018 Vol. 20, Num. 73
****************************************************************************
TOP OF THE NEWS
Bill Would Establish National Financial Breach Notification Standard
Critics of California IoT Security Bill Say It Doesnt Go Far Enough
REST OF THE WEEKS NEWS
The SCADA Fix That Wasnt
Browser Spoofing Flaw
Levashov Pleads Guilty in Kelihos Case
Executive Order Imposes Sanctions for Election Interference
Microsoft and Adobe Patch Tuesday
Senator Wants to Know What How DHS Plans to Use DMARC Data
Schneider Electric Notifies Customers of Infected USBs That Accompanied Shipped Products
Trend Micro Apple App Store Clarification
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By CyberX ************************************
Don't miss "CCE - INLs New Approach to Securing Critical Industrial Infrastructure" If you're a critical infrastructure provider, you will be targeted. And if you are targeted, you will be compromised. Join Andy Bochman, Senior Grid Strategist for National & Homeland Security at the Idaho National Laboratory (INL), as he describes a radical new methodology for securing critical systems. Register: http://www.sans.org/info/206780
***************************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 9.7 iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
Bill Would Establish National Financial Breach Notification Standard
(September 7 & 10, 2018)
A bill introduced by Representative Blaine Luetkemeyer (R-Missouri) would create a national data breach notification standard for financial institutions. The bill would amend the Gramm-Leach-Bliley Act to require financial institutions to issue notifications in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss. There is not yet a companion bill in the Senate.
[Editor Comments]
[Pescatore] That reasonable term shows up in this bill, too. (See comment on California IoT Security Bill story.) It would only require breach notificationin the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss. That is better than required demonstration that bad things have definitely happened but leaves too much wiggle room in defining reasonably likely. The EU GDPR regulations go the other wayyou have to report a breach unless impact to the information owner is unlikely. GDPR gives its own form of wiggle room by not requiring notification if the organization has implemented appropriate technical and organizational protection measures or risk is no longer likely to materialize, or if the organization can demonstrate that notification would involve disproportionate effort. Bottom line: focus first on protecting your customers information, using a defendable framework like the CIS Critical Security Controls, and you will be able to say you took reasonable precautions using appropriate measures that make damage to the information owner unlikely.
[Henry] Breach notification bills have been circulating around Congress for more than a decade. I participated in many conversations with congressional staff, members, and other government agencies over the years about this topic, and substantive actions were never taken. While I concur generally with the premise of this bill, there needs to be another component, without which this notification requirement fails. If the purpose is to identify those engaged in financial fraud and network breaches, it will require the deep analysis of the information submitted (IOCs, for example) so that law enforcement can begin the attribution process and take actions required to deter this activity. That second piece is a big lift. It will require infrastructure, policy, and process to define how the data is used, by whom, and in what manner. That, too, has been discussed for more than a decade, with limited success. Im not optimistic it will happen imminently, but its absolutely necessary and I hope there are plans in place for the near future.
[Northcutt] It is somewhat compelling to have a national standard as opposed to the current patchwork of state laws. However, if that is the goal, why have a separate standard for financial breaches than all other breaches? A bill was previously introduced for social media breaches at the national level:
https://www.law.com/newyorklawjournal/2018/06/01/challenges-of-a-national-72-hour-data-breach-notification-standard/?slreturn=20180814042224
Read more in:
MeriTalk: House Bill Would Create Financial Data Breach Notification Standard
https://www.meritalk.com/articles/house-bill-would-create-financial-data-breach-notification-standard/
Luetkemeyer: Luetkemeyer Introduces the Consumer Information Notification Requirement Act
https://luetkemeyer.house.gov/news/documentsingle.aspx?DocumentID=399113
-
Critics of California IoT Security Bill Say It Doesnt Go Far Enough
(September 13, 2018)
The California state legislature has approved a bill aimed at improving the security of Internet of Things (IoT) devices. If it becomes law, the bill would require IoT devices equipped with a means for authentication outside a local area network to have unique default passwords, or prompt users to create a unique password when setting up the device. Critics say the bill does not go far enough, as vulnerabilities in IoT devices run beyond just default passwords.
[Editor Comments]
[Pescatore] Other California laws already require reasonable security measures be built into any product; this bill really just adds the specific language around default passwords, which is a good thing. There isnt an accepted definition of reasonable security measures but the California law does exempt devices that are already covered by HIPAAusing that as an example of already proscribed reasonable security measures for medical devices. That seems to be a gaping holeI think the only times HHS has taken action for PHI exposures involving medical things was when laptops holding PHI from things were compromised.
[Northcutt] The bill has already been through 8 amendments. New legislation is difficult, the main idea is to make these faceless devices subject to legal and privacy regulation.
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327: SB-327 Information privacy: connected devices.
[Murray] Without trying to draft legislation, my preference for a small attack surface over the ability to patch continues. Cheap devices should simply be disposable. This law works for local-only access. If the vendor wants to reserve access, the appliance should use a system like Apple uses for iOS in which the device recognizes the vendor by means of its public key. By no means should the vendor and the local owner/manager use the same credentials or interface.
Read more in:
Threatpost: Experts Bemoan Shortcomings with IoT Security Bill
https://threatpost.com/experts-bemoan-shortcomings-with-iot-security-bill/137409/
************************** SPONSORED LINKS ********************************
1) New Course Spotlight: "SEC487: Open-Source Intelligence Gathering (OSINT) and Analysis" Learn how to leverage OSINT tools to move faster and dig deeper into data on the internet. Register: http://www.sans.org/info/206785
2) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/206795
3) "Powering IR/SOC with Code Reuse Detection - The Emotet Case Study" Register: http://www.sans.org/info/206800
*****************************************************************************
REST OF THE WEEKS NEWS
--
The SCADA Fix That Wasnt
(September 11 & 12, 2018)
A flaw in Advantech WebAccess could be exploited to remotely execute commands with admin privileges on vulnerable systems. The vulnerability was supposed to have been addressed in a fix in January 2018, but researchers at Tenable say the issue was not actually fixed in that update. The issue still affects Advantech WebAccess versions 8.3, 8.3.1, and 8.3.2. According to ICS-CERT, Advantech pans to fix the flaw sometime this month.
[Editor Comments]
[Murray] Most of these devices should not be directly connected to the Internet. Those that must be should be only by means of end-to-end encryption (VPN). Patching may operate too late for many of the more sensitive applications of theses devices.
Read more in:
SC Magazine: Imaginary patch? SCADA software company reportedly never actually fixed RCE bug despite issuing update
https://www.scmagazine.com/home/news/imaginary-patch-scada-software-company-reportedly-never-actually-fixed-rce-bug-despite-issuing-update/
HelpNetSecurity: Advantech WebAccess RCE flaw still exploitable, exploit code available
https://www.helpnetsecurity.com/2018/09/11/cve-2017-16720/
Tenable: Tenable Research Advisory: Advantech WebAccess Remote Command Execution Still Exploitable
https://www.tenable.com/blog/tenable-research-advisory-advantech-webaccess-remote-command-execution-still-exploitable
--
Browser Spoofing Flaw
(September 12, 2018)
A browser address bar flaw that affects Safari and Edge could be exploited to spoof web addresses; JavaScript could be used to update the address bar while a page is still loading. Microsoft fixed the issue in Edge with a patch in its security updates this week. Apple has not yet addressed the issue in Safari.
[Editor Comments]
[Neely] This relies on exploiting the race condition that exists when the page is loading, lowering the risk of successful exploitation. Partial mitigation can be achieved by blocking nefarious sites at the perimeter or endpoint.
Read more in:
SC Magazine: Apples Safari and Microsofts Edge browsers contain spoofing bug
https://www.scmagazine.com/home/news/apples-safari-and-microsofts-edge-browsers-contain-spoofing-bug/
Threatpost: Apple Yet to Patch Safari Browser Address Bar Spoofing Flaw
https://threatpost.com/apple-yet-to-patch-safari-browser-address-bar-spoofing-flaw/137395/
--
Levashov Pleads Guilty in Kelihos Cas
e
(September 12, 2018)
Peter Yuryevich Levashov has pleaded guilty to causing intentional damage to a protected computer, conspiracy, wire fraud, and aggravated identity theft for his role in the use of the Kelihos botnet to steal login credentials, send spam, and install malware. Levashov was arrested in Spain in April 2017 and extradited to the US in February 2018.
Read more in:
The Hill: Russian hacker pleads guilty for role in Kelihos botnet
http://thehill.com/policy/cybersecurity/406357-russian-hacker-pleads-guilty-for-role-in-kelihos-botnet
Reuters: Russian pleads guilty in U.S. to operating Kelihos botnet
https://www.reuters.com/article/us-usa-cyber-levashov/russian-pleads-guilty-in-u-s-to-operating-kelihos-botnet-idUSKCN1LS31M
DOJ: Russian National Who Operated Kelihos Botnet Pleads Guilty to Fraud, Conspiracy, Computer Crime and Identity Theft Offenses
https://www.justice.gov/opa/pr/russian-national-who-operated-kelihos-botnet-pleads-guilty-fraud-conspiracy-computer-crime
--
Executive Order Imposes Sanctions for Election Interference
(September 12, 2018)
A US presidential executive order signed earlier this week imposes sanctions on individuals and groups who attempt to meddle in US elections. The scope of the order includes not just interference with election and campaign infrastructure, but it also covers distribution of propaganda and disinformation, according to National Security Advisor John Bolton. The order has met with criticism from legislators, who have said that it gives the president broad authority to determine if sanctions are warranted, and that it does not go far enough to address threats to elections.
[Editor Comments]
[Henry] The use of propaganda and misinformation to sow discord and create confusion has become a standard arrow in the quiver of our adversaries. This tactic will be used regularly going forward, and US law and legal actions will be necessary to deter and hold those engaged in this activity accountable; this is a good first step. That said, the US must go much further. The redlinesthose actions that can never be attemptedmust be clearly defined for our adversaries, as well as what the retribution will be. Only then can we engage internationally on the broad discussions required to ensure better integrity and security of the infrastructure.
Read more in:
Fifth Domain: Trump OKs sanctions for foreigners who meddle in elections
https://www.fifthdomain.com/critical-infrastructure/2018/09/12/trump-oks-sanctions-for-foreigners-who-meddle-in-elections/
Reuters: Trump signs order to enable sanctions for U.S. election meddling
https://www.reuters.com/article/us-usa-cyber-election/trump-signs-order-to-enable-sanctions-for-u-s-election-meddling-idUSKCN1LS2NA
FCW: Trump order imposes consequences on election meddlers
https://fcw.com/articles/2018/09/12/trump-order-election-influence.aspx
Wired: Trump's New Executive Order Slaps a Bandaid on Election Interference Problems
https://www.wired.com/story/trump-executive-order-election-interference-sanctions/
White House: Executive Order on Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election
https://www.whitehouse.gov/presidential-actions/executive-order-imposing-certain-sanctions-event-foreign-interference-united-states-election/
--
Microsoft and Adobe Patch Tuesday
(September 11 & 12, 2018)
On Tuesday, September 11, Microsoft and Adobe released scheduled security updates. Microsofts updates address more than 60 security issues, including the critical Advanced Local Procedure Call (ALPC) vulnerability that was disclosed in August. Adobes updates include fixes for six critical flaws in Cold Fusion, and for a flaw in Flash Player.
Read more in:
SC Magazine: Patch Tuesday: Microsoft patches 17 critical issues, ALPC vulnerability
https://www.scmagazine.com/home/news/patch-tuesday-microsoft-patches-17-critical-issues-alpc-vulnerability/
Threatpost: Microsoft Patches Actively Exploited Bug as Part of Patch Tuesday
https://threatpost.com/microsoft-patches-three-actively-exploited-bugs-as-part-of-patch-tuesday/137372/
ZDNet: Microsoft patches recent ALPC zero-day in September 2018 Patch Tuesday updates
https://www.zdnet.com/article/microsoft-patches-recent-alpc-zero-day-in-september-2018-patch-tuesday-updates/
KrebsOnSecurity: Patch Tuesday, September 2018 Edition
https://krebsonsecurity.com/2018/09/patch-tuesday-september-2018-edition/
ZDNet: Adobe patch update tackles six critical vulnerabilities in ColdFusion
https://www.zdnet.com/article/adobe-patch-update-tackles-six-critical-vulnerabilities-in-coldfusion/
Threatpost: Adobe Patches Six Critical Flaws in ColdFusion
https://threatpost.com/adobe-patches-six-critical-flaws-in-coldfusion/137347/
Microsoft: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe: Security updates available for ColdFusion | APSB18-33
https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html?red=av
Adobe: Security updates available for Flash Player | APSB18-31
https://helpx.adobe.com/security/products/flash-player/apsb18-31.html?red=av
--
Senator Wants to Know What How DHS Plans to Use DMARC Data
(September 11, 2018)
In an August 2, 2018, letter to DHS National Protection and Programs Directorate (NPPD) Undersecretary Christopher Krebs, Senator Ron Wyden (D-Oregon) asked how DJHS is analyzing Domain Message Authentication Reporting and Conformance (DMARC) reports and what actionable cyber intelligence has been gained from the reports. In an August 31 response, Krebs said that DHS has not created a plan to use the DMARC data. Wyden told FCW that these reports are a source of useful information that DHS should be using to go after hackers and prevent future attacks. The UKs National Cyber Security Centre has established a system to analyze DMARC reporting data.
[Editor Comments]
[Neely] While BOD 18-01 requires forwarding DMARC data to DHSs National Cybersecurity & Communications Integration Center (NCCIC), there is no stated requirement to analyze the data. Just as you need to set up processes to review and alert when centrally collecting logs, NCCIC needs to establish their model and processes.
Read more in:
FCW: Should DHS do more with DMARC data?
https://fcw.com/articles/2018/09/11/dhs-dmarc-data-wyden.aspx
Wyden: Wyden letter to NPPD Undersecretary Krebs
https://www.wyden.senate.gov/imo/media/doc/wyden-dmarc-followup-letter-to-dhs%20(002).pdf
--
Schneider Electric Notifies Customers of Infected USBs That Accompanied Shipped Products
(September 10, 2018)
Schneider Electric has notified customers that some of them may have received USB drives infected with malware included in a product shipment. The affected drives contain documentation and non-essential utilities for Schneiders Conext Combox and Conext Battery Monitor solar-power-related products. The malware made its way onto the devices through a supplier during manufacturing.
[Editor Comments]
[Neely] Scanning thumb drives, irrespective of source, before inserting in the target system should be SOP, particularly when those systems are SCADA or ICS systems which may not have or support endpoint protection mechanisms.
Read more in:
Cyberscoop: Schneider Electric snafu shows the need to stay vigilant over supply chain
https://www.cyberscoop.com/schneider-electric-usb-malware/
--
Trend Micro Apple App Store Clarification
(September 11, 2018)
Trend Micro says that its apps that were moved from Apples App Store collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation [and that it] was a one-time data collection, done for security purposes. The Adware Doctor app that Apple removed from its App Store for downloading user data and sending it to a server in China is not a Trend Micro product.
Read more in:
SearchSecurity: Trend Micro apps on Mac accused of stealing data
https://searchsecurity.techtarget.com/news/252448492/Trend-Micro-apps-on-Mac-accused-of-stealing-data
Cyberscoop: Trend Micro blames data collection issue on code library re-use
https://www.cyberscoop.com/trend-micro-mac-app-store-browser-history/
Trend Micro: Answers to Your Questions on Our Apps in the Mac App Store
https://blog.trendmicro.com/answers-to-your-questions-on-our-mac-apps-store/
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+September+Patch+Tuesday+Summary/24088/
Adobe Patches
https://helpx.adobe.com/security.html
Safari/Edge URL Bar Spoofing
https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html
Exploit Search Engine
https://sploitus.com
So What is Going on With IPv4 Fragments these Days?
https://isc.sans.edu/forums/diary/So+What+is+Going+on+With+IPv4+Fragments+these+Days/24092/
Magecart Javascript Injection Attacks
https://www.bleepingcomputer.com/news/security/feedify-service-compromised-with-magecart-information-stealing-script/
Bypassing CSP Using Polyglot JPEGs
https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs
Malicious MHT Files
https://isc.sans.edu/forums/diary/Malware+Delivered+Through+MHT+Files/24096/
Improved Coldboot Attack
https://blog.f-secure.com/cold-boot-attacks/
SAP Patches
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
