SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #76
September 25, 2018
****************************************************************************
SANS NewsBites September 25, 2018 Vol. 20, Num. 76
****************************************************************************
TOP OF THE NEWS
Chrome 69 Automatically Logs Users Into Browser When They Log In to Other Google Services
Apple Releases macOS Mojave; Researcher Reveals Privacy Flaw
Cisco Issues Patch for Hardcoded Root-Password in Video Surveillance Software
REST OF THE WEEK'S NEWS
Microsoft Azure Active Directory Online App Authentication
Yubico Launches the YubiKey 5 Series
Scan4You Creator Gets 14-Year Prison Sentence
Boston-Area Police Participate in Election Cybersecurity Exercise
Cloudflare to Support Roughtime Timekeeping Protocol
Defunct Company's Data Left Unencrypted on Seized Computers
Microsoft JET Flaw Yet to be Patched
Guilty Plea in Attack that Disabled Police Surveillance Cameras in Washington, DC
Bitcoin Core Denial-of-Service Flaw
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ****************************
The Essential Guide to Security maps out how organizations can use
machine data for specific use cases and get started addressing threats
and security challenges. This ebook addresses how to assess your
organization's security maturity, specific threats to look for and how
to fight them. Download your complimentary copy today.
http://www.sans.org/info/206980
*****************************************************************************
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Microsoft Surface Go or Take $300 Off with OnDemand or vLive, Offer Ends October 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Chrome 69 Automatically Logs Users Into Browser When They Log In to Other Google Services
(September 24, 2018)
One of the less-touted changes in Chrome 69, which was released to the stable channel earlier this month, is that signing in to any Google web property, such as Gmail, now also signs the user in to the browser itself. Previously, a user who signed in to Chrome directly and turned on Sync would have browsing history, bookmarks and saved passwords uploaded to Google's servers. A Google spokesperson says the Chrome 69 change does not by itself upload any browser data, because Sync is not enabled automatically.
[Editor Comments]
[Pescatore] It looks like you really aren't automatically logged in to anything via this change, at least when you are using Chrome on a desktop computer. If you are using Google apps (like the Gmail app) on iOS, once you log in you can only log out by deleting the app, not a very user-friendly way to avoid being tracked across every Google service. Of course, back in May Google updated its Code of Conduct and "Do No Evil" is nowhere to be found anymore!
[Neely] While unexpected, and at odds with the privacy notice, with automatic sign-in enabled your browser history, bookmarks, etc. don't sync until you enable it. Once Sync is enabled, you can disable it, modify what is synchronized, and protect sync data with your own sync passphrase. The automatic login behavior can be turned off by setting the account consistency flag (chrome://flags/#account-consistency) to disabled.
[Northcutt] All Google products have been moving towards single sign-on for years and people love it. Use Chrome when interacting with Google services, Firefox with DuckDuckGo for search for almost everything else, keep Tor in your back pocket and you are good to go.
Read more in:
Threatpost: Google's Forced Sign-in to Chrome Raises Privacy Red Flags
https://threatpost.com/googles-forced-sign-in-to-chrome-raises-privacy-red-flags/137651/
Bleeping Computer: Users Forcibly Being Logged Into Chrome When Signing Into a Google Service
CNET: Google started quietly logging you into Chrome with latest update, reports say
--Apple Releases macOS Mojave; Researcher Reveals Privacy Flaw
(September 24, 2018)
On Monday, September 24, Apple made macOS Mojave (10.14) available for download to the public. Among the features touted in the newest version of the operating system are enhanced privacy and security. On the same day as Mojave's release, security researcher Patrick Wardle disclosed a vulnerability in the operating system that could be exploited to bypass its new privacy controls and read protected user data without authorization.
Read more in:
Forbes: Apple macOS Mojave Is Now Available For Download: 14 Features You Should Know About
Bleeping Computer: macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files
ZDNet: Apple MacOS Mojave zero-day privacy bypass vulnerability revealed
--Cisco Issues Patch for Hardcoded Root-Password in Video Surveillance Software
(September 21 & 24, 2018)
Cisco has released a fix for an undocumented root account with a static, default password in its Video Surveillance Manager (VSM) appliance software; anyone who knows the password can log in to an affected appliance as root over the network. The issue is fixed in VSM version 7.12. The Cisco advisory lists exactly which appliance platforms and VSM releases are affected.
[Editor Comments]
[Neely] Changing default credentials requires disclosure of all accounts that need to be changed. In this case the account was undocumented and not known. While this applies only to VSM installed by Cisco on specific products, the only mitigation is to apply the update and verify that all known default credentials have been changed.
Read more in:
Cisco: Cisco Video Surveillance Manager Appliance Default Password Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm
ZDNet: Cisco: We've killed another critical hard-coded root password bug, patch urgently
SC Magazine: Cisco patches critical default password vulnerability
https://www.scmagazine.com/home/news/cisco-patches-critical-default-password-vulnerability/
************************** SPONSORED LINKS ********************************
1) "What Works in Certificate and Key Management: Enabling Secure
Digital Business Using Venafi's Trust Protection Platform" Register:
http://www.sans.org/info/206985
2) Don't Miss "Automating Open Source Security: A SANS Review of
WhiteSource"
Register: http://www.sans.org/info/206990
3) What challenges do you face in using cyber threat intelligence
(CTI)? Help SANS examine the state of CTI. Take the survey and enter to
win a $400 Amazon gift card | http://www.sans.org/info/206995
*****************************************************************************
REST OF THE WEEK'S NEWS
--Microsoft Azure Active Directory Online App Authentication
(September 24, 2018)
Microsoft customers will soon be able to sign in to Azure Active Directory-connected apps without a password. Today such apps can use the Microsoft Authenticator app as a second factor on top of a password, approving a push notification or entering a one-time code. With the new feature the Authenticator app itself is the first factor (possession of the enrolled phone), and the phone's biometric sensor or PIN is the second, so no password is entered at all.
[Editor Comments]
[Neely] Rather than working with users to create good passwords, taking them off the table and replacing them with a biometric authenticator makes compromise very difficult. Because the MS Authenticator app is still in play, the one-time token reduces the risk of a poorly chosen PIN code or a replicated biometric serving as a single authentication factor.
Read more in:
Ars Technica: Microsoft offers completely passwordless authentication for online apps
Dark Reading: Microsoft Deletes Passwords for Azure Active Directory Applications
--Yubico Launches the YubiKey 5 Series
(September 24, 2018)
Yubico's YubiKey 5 Series physical tokens support the FIDO2 open authentication standard. The token can replace weak password-based authentication with strong hardware-based authentication, according to the company's press release.
[Editor Comments]
[Pescatore] Good to see more of these becoming available, and it will be even better to see the Facebooks, Amazons, PayPals, Venmos, etc. incentivizing their users to move to using such devices. Google is either having production problems with its Titan Key or demand has been very high; shipping time is 2 months or more.
Read more in:
Wired: The New YubiKey Will Help Kill the Password
https://www.wired.com/story/yubikey-series-5-fido2-passwordless/
Yubico: Yubico Launches YubiKey 5 Series, the Industry's First Multi-Protocol Security Keys Supporting FIDO2
--Scan4You Creator Gets 14-Year Prison Sentence
(September 21, 22, & 24, 2018)
Ruslan Bondars has been sentenced to 14 years in prison for creating and operating Scan4You, a service that lets malware purveyors check whether their malware is detected by or evades antivirus software. In May 2018, Bondars was convicted of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage and aiding and abetting.
Read more in:
ZDNet: Hacker gets a whopping 14 years in prison for running Scan4You service
Dark Reading: 'Scan4You' Operator Gets 14-Year Sentence
DOJ: Operator of Counter Antivirus Service Scan4you Sentenced to 14 Years in Prison
https://www.justice.gov/opa/pr/operator-counter-antivirus-service-scan4you-sentenced-14-years-prison
--Boston-Area Police Participate in Election Cybersecurity Exercise
(September 21 & 24, 2018)
A team of Boston-area police participated in a cybersecurity exercise involving a simulated election. The police were pitted against a red team composed of executives from the company organizing the exercise, Boston College graduate students, and Boston mayor's office staff members whose job was to sow disinformation and suppress voting. The red team managed to hack voter registration lists, change information about voting locations on websites, and create traffic jams to disrupt the election.
[Editor Comments]
[Murray] While such exercises should be encouraged, we should be very careful what we conclude from them. In the short term, the bad guys have an advantage over the police. Prevention is the job of those officials operating the election, not the police. Catch and punish after the fact is their role.
Read more in:
Fifth Domain: Hackers in Boston gamed out an election day nightmare - and won
Cyberscoop: In this election security drill, Massachusetts cops battle hackers to protect the vote
https://www.cyberscoop.com/massachusetts-election-security-drill/
--Cloudflare to Support Roughtime Timekeeping Protocol
(September 21, 2018)
Cloudflare will support Roughtime, an authenticated time protocol developed by Google. Most devices currently synchronize their clocks with the Network Time Protocol (NTP), which in common deployments carries no authentication, so an attacker on the path can hand a client the wrong time, and whose small unauthenticated UDP queries have been abused to amplify distributed denial-of-service (DDoS) attacks. Roughtime responses are signed by the server and bound to a client-chosen nonce, so they can be neither forged nor replayed, and the protocol requires requests to be padded to at least the size of a response so it cannot be used as an amplifier. Cloudflare's stated motivation is that validating an SSL/TLS certificate's validity period depends on the client having a reasonably accurate clock.
[Editor Comments]
[Pescatore] I don't think Roughtime is really being seen as a full NTP replacement, but making it easier/faster/safer for TLS cert expiration/revocation status to be checked is a good thing.
[Murray] As is the case with many appliances (e.g., digital cameras, baby monitors, clocks, time servers), the risk that they will be converted to malicious purposes (e.g., denial of service, crypto mining, or brute force attacks against passwords or keys) outweighs the risk that their applications will not work as intended (e.g., distort the picture, ignore distressed infants, tell the wrong time).
[Neely] Increased use of security certificates requires accurate time on systems to properly respond to revocation and update events. As systems use network time sources for keeping clocks accurate, the accuracy of that time source also needs to be assured. Roughtime adds assurance of a genuine time source, which disrupts man-in-the-middle attacks on time synchronization. Cloudflare is the first major adoption of Roughtime since its introduction in 2016. While turn-key replacement clients for endpoints are still a bit off, you can download and build your own from the reference implementations written in C++ and Go.
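The nonce-bound, signed exchange that Roughtime is built on, as an added example (not code from the newsletter, Google or Cloudflare): a single-request Go model in which the server signs its midpoint and radius together with the Merkle root of the client's nonce. The leaf-hash rule and the signature context string follow Google's published spec; the field encoding is simplified, the delegated-certificate layer is omitted, and the Server/Response/Verify names and the injectable clock are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Context string Roughtime prepends to the bytes it signs, so a signature
// made for any other purpose cannot be passed off as a time response.
const responseContext = "RoughTime v1 response signature\x00"

// Response is a simplified single-request Roughtime reply (assumed layout;
// the real message is a tagged structure with more fields).
type Response struct {
	Root     [64]byte // Merkle root; with one request it is the leaf hash of the nonce
	Midpoint uint64   // server time, microseconds since the Unix epoch
	Radius   uint32   // uncertainty around Midpoint, microseconds
	Sig      []byte   // Ed25519 over responseContext || Root || Midpoint || Radius
}

// leafHash follows the spec: a leaf is SHA-512 of 0x00 followed by the nonce.
func leafHash(nonce []byte) [64]byte {
	h := sha512.New()
	h.Write([]byte{0x00})
	h.Write(nonce)
	var out [64]byte
	copy(out[:], h.Sum(nil))
	return out
}

// signedBytes serialises the fields the signature covers (simplified encoding).
func signedBytes(r *Response) []byte {
	buf := make([]byte, 0, len(responseContext)+64+8+4)
	buf = append(buf, responseContext...)
	buf = append(buf, r.Root[:]...)
	var u64 [8]byte
	binary.LittleEndian.PutUint64(u64[:], r.Midpoint)
	buf = append(buf, u64[:]...)
	var u32 [4]byte
	binary.LittleEndian.PutUint32(u32[:], r.Radius)
	return append(buf, u32[:]...)
}

// Server holds the signing key. Real servers sign with a short-lived key
// certified by the long-term key; that delegation layer is omitted here.
type Server struct {
	priv ed25519.PrivateKey
	now  func() time.Time // injectable clock (assumption, for testability)
}

// NewServer generates a key pair and returns the public half, which the
// client must already know: Roughtime servers are pinned, not discovered.
func NewServer(now func() time.Time) (*Server, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{priv: priv, now: now}, pub, nil
}

// Respond commits to the client's nonce in Root and signs it with the time.
func (s *Server) Respond(nonce []byte, radius uint32) (*Response, error) {
	if len(nonce) != 64 {
		return nil, errors.New("nonce must be 64 bytes")
	}
	r := &Response{Root: leafHash(nonce), Midpoint: uint64(s.now().UnixNano() / 1000), Radius: radius}
	r.Sig = ed25519.Sign(s.priv, signedBytes(r))
	return r, nil
}

// NewNonce draws the 64 random bytes that make each request unique.
func NewNonce() ([]byte, error) {
	nonce := make([]byte, 64)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify is the client side. A response is accepted only if it was signed
// by the pinned server key AND its root commits to the nonce this client
// sent; a forged, tampered or replayed response fails one of the two.
func Verify(pub ed25519.PublicKey, nonce []byte, r *Response) (time.Time, error) {
	if !ed25519.Verify(pub, signedBytes(r), r.Sig) {
		return time.Time{}, errors.New("bad signature: tampered or not from the pinned server")
	}
	if r.Root != leafHash(nonce) {
		return time.Time{}, errors.New("root does not commit to our nonce: replayed response")
	}
	return time.Unix(0, int64(r.Midpoint)*1000).UTC(), nil
}

func main() {
	srv, pub, err := NewServer(time.Now)
	if err != nil {
		panic(err)
	}
	nonce, _ := NewNonce()
	resp, _ := srv.Respond(nonce, 1000000) // 1 s radius
	t, err := Verify(pub, nonce, resp)
	fmt.Println("fresh response:   ", t, err)

	nonce2, _ := NewNonce() // attacker answers a new request with the old response
	_, err = Verify(pub, nonce2, resp)
	fmt.Println("replayed response:", err)

	forged := *resp // attacker shifts the clock an hour without the key
	forged.Midpoint += 3600 * 1000000
	_, err = Verify(pub, nonce, &forged)
	fmt.Println("tampered response:", err)
}
```

The nonce check is what turns a signed timestamp into a fresh one: a response recorded earlier still carries a valid signature but fails against a new nonce, and an altered midpoint fails the signature check. Real clients also query several servers and compare the overlapping intervals; that is out of scope here.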
Read more in:
Cloudflare: Roughtime: Securing Time with Digital Signatures
https://blog.cloudflare.com/roughtime/
Wired: Cloudflare and Google Will Help Sync the Internet's Clocks, and Make You Safer
https://www.wired.com/story/clouldflare-google-roughtime-sync-clocks-security/
eWeek: Cloudflare Secures Time With Roughtime Protocol Service
http://www.eweek.com/security/cloudflare-secures-time-with-roughtime-protocol-service
--Defunct Company's Data Left Unencrypted on Seized Computers
(September 18, 21, & 22, 2018)
Equipment belonging to NCIX, a now-defunct Canadian retailer, was offered for sale on Craigslist; the machines were found to contain unencrypted customer data dating back to 2007, including payment card numbers and transaction records. The equipment had been seized by the company's landlord after the company failed to pay rent. The Royal Canadian Mounted Police (RCMP) and the Office of the Information and Privacy Commissioner of British Columbia are investigating.
[Editor Comments]
[Pescatore] This is a common occurrence at businesses, and not just when they go bankrupt. When replaced, corporate PCs, servers and printers are often disposed of by selling them to firms that pay a low price and then resell them immediately, often with very sensitive data left on them. It is important to work with IT and procurement to make sure that those contracts include full sanitization, or that the IT procedures do so before surplussing the equipment.
[Neely] Because of the sequence of events, the only way to mitigate this exposure would be encryption at rest. With the power of modern systems, the overhead of encryption is negligible. Implementing and testing key escrow services is critical when deploying. Once encryption at rest is SOP, clearing systems for reuse or resale becomes as simple as clearing the encryption key rather than continued reliance on disk wipe procedures.
Read more in:
The Register: Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale
https://www.theregister.co.uk/2018/09/21/ncix_servers_sold/
CBC: RCMP and privacy commissioner probe alleged NCIX data breach
https://www.cbc.ca/news/canada/british-columbia/ncix-breach-probe-1.4833976
PrivacyFly: NCIX Data Breach
https://www.privacyfly.com/articles/ncix_breach/
--Microsoft JET Flaw Yet to be Patched
(September 21, 2018)
An out-of-bounds write flaw in Microsoft's JET Database Engine could be exploited to execute arbitrary code. The engine mishandles malformed data in a crafted database file, so an attacker needs a user to open such a file. Trend Micro's Zero Day Initiative (ZDI) reported the flaw to Microsoft on May 8; on September 9, Microsoft responded that a patch might not be ready in time to meet ZDI's 120-day disclosure deadline, and ZDI published its advisory. Microsoft addressed two other flaws in JET in September's Patch Tuesday release, but not this out-of-bounds write; the company says it is working on a patch.
Read more in:
SC Magazine: Report: Microsoft misses disclosure deadline to patch RCE bug in JET
Threatpost: Unpatched Microsoft Zero-Day in JET Allows Remote Code-Execution
https://threatpost.com/unpatched-microsoft-zero-day-in-jet-allows-remote-code-execution/137597/
--Guilty Plea in Attack that Disabled Police Surveillance Cameras in Washington, DC
(September 20 & 21, 2018)
Eveline Cismaru has pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit computer fraud for her role in a scheme that disabled surveillance cameras in Washington, DC. The scheme involved infecting the devices with ransomware and using them to distribute ransomware to other computers. The incident occurred in January 2017, prior to the presidential inauguration. Cismaru and a co-defendant, Mihai Alexandru Isvanca, were arrested in Romania in December 2017; Cismaru fled the country following her arrest and was apprehended in the UK in March 2018; she was extradited in June 2018. Isvanca is being held in Romania pending extradition. Cismaru's sentencing is scheduled for December 3, 2018.
Read more in:
Washington Post: Romanian woman pleads guilty in D.C. police camera ransomware attack before 2017 Trump inauguration
The Register: Guilty: The Romanian ransomware mastermind who infected Trump inauguration CCTV cams
https://www.theregister.co.uk/2018/09/21/cctv_ransomware_trump_washington_dc/
SC Magazine: Romanian woman pleads guilty to ransomware attack on D.C. police cameras before Trump Inauguration
DOJ: Romanian Woman Pleads Guilty to Federal Charges in Hacking of Metropolitan Police Department Surveillance Cameras
--Bitcoin Core Denial-of-Service Flaw
(September 20, 2018)
Developers have released Bitcoin Core 0.16.3 to fix a denial-of-service vulnerability: a node running an affected version crashes when it validates a block containing a transaction that lists the same input twice. The flaw affects Bitcoin Core versions 0.14.0 through 0.16.2; all nodes running those versions should be upgraded to 0.16.3 as soon as possible.
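The failure that fix addresses, as an added example (not Bitcoin Core's code): a toy UTXO set in Go with the vulnerable validation order beside the fixed one. The type and function names, the string-valued txids and the coin values are assumptions for the example; the error strings borrow Bitcoin Core's reject reasons only for readability.

```go
package main

import (
	"errors"
	"fmt"
)

// OutPoint names the output an input spends (txid, output index).
type OutPoint struct {
	TxID  string
	Index uint32
}

// Tx is a transaction reduced to what the check needs.
type Tx struct {
	ID      string
	Inputs  []OutPoint
	Outputs []uint64 // values in satoshi
}

// UTXOSet maps every unspent outpoint to its value.
type UTXOSet map[OutPoint]uint64

var (
	ErrEmptyInputs     = errors.New("bad-txns-vin-empty")
	ErrDuplicateInputs = errors.New("bad-txns-inputs-duplicate")
	ErrMissingInput    = errors.New("bad-txns-inputs-missingorspent")
	// ErrInconsistent stands in for the assertion failure that took the real
	// node down: a coin the earlier checks vouched for is no longer there.
	ErrInconsistent = errors.New("assertion failed: spending a coin not in the UTXO set")
)

// CheckTransaction is the context-free sanity check on a transaction by
// itself. The duplicate-outpoint rule is the one the 0.16.3 fix makes sure
// runs for transactions arriving inside blocks.
func CheckTransaction(tx *Tx) error {
	if len(tx.Inputs) == 0 {
		return ErrEmptyInputs
	}
	seen := make(map[OutPoint]struct{}, len(tx.Inputs))
	for _, in := range tx.Inputs {
		if _, dup := seen[in]; dup {
			return ErrDuplicateInputs
		}
		seen[in] = struct{}{}
	}
	return nil
}

// checkInputsExist verifies each input against the current set. It looks
// at the set as it is BEFORE the transaction is applied, so it cannot tell
// that two inputs name the same coin: both lookups succeed.
func checkInputsExist(set UTXOSet, tx *Tx) error {
	for _, in := range tx.Inputs {
		if _, ok := set[in]; !ok {
			return ErrMissingInput
		}
	}
	return nil
}

// applyTransaction spends the inputs and credits the outputs. It assumes
// the inputs were already validated, so a missing coin here is an internal
// inconsistency, not a user error.
func applyTransaction(set UTXOSet, tx *Tx) error {
	for _, in := range tx.Inputs {
		if _, ok := set[in]; !ok {
			return ErrInconsistent
		}
		delete(set, in)
	}
	for i, v := range tx.Outputs {
		set[OutPoint{TxID: tx.ID, Index: uint32(i)}] = v
	}
	return nil
}

// ConnectTransactionUnchecked models the vulnerable block path: the
// per-input existence check passes twice for a duplicated input, the first
// spend removes the coin, and the second spend hits the assertion.
func ConnectTransactionUnchecked(set UTXOSet, tx *Tx) error {
	if err := checkInputsExist(set, tx); err != nil {
		return err
	}
	return applyTransaction(set, tx)
}

// ConnectTransaction is the fixed path: reject the transaction on its own
// merits before anything touches the UTXO set.
func ConnectTransaction(set UTXOSet, tx *Tx) error {
	if err := CheckTransaction(tx); err != nil {
		return err
	}
	if err := checkInputsExist(set, tx); err != nil {
		return err
	}
	return applyTransaction(set, tx)
}

func main() {
	coin := OutPoint{TxID: "aa", Index: 0} // constructed sample coin
	dup := &Tx{ID: "bb", Inputs: []OutPoint{coin, coin}, Outputs: []uint64{100000}}
	fmt.Println("unchecked path:", ConnectTransactionUnchecked(UTXOSet{coin: 50000}, dup))
	fmt.Println("fixed path:    ", ConnectTransaction(UTXOSet{coin: 50000}, dup))
}
```

The per-input lookups against the pre-state both succeed for a duplicated outpoint, so the inconsistency only surfaces while spending, where the real node asserts and exits. The general lesson is to validate a message against itself before it touches shared state; it applies to any validator that separates "is this well-formed" from "does this fit the current state".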
Read more in:
NextWeb: Crippling DDoS vulnerability put the entire Bitcoin market at risk
https://thenextweb.com/hardfork/2018/09/20/bitcoin-core-vulnerability-blockchain-ddos/
GitHub: Fix crash bug with duplicate inputs within a transaction
https://github.com/bitcoin/bitcoin/commit/4b8a3f5d235f40be8102506ab26caad005cc40d6
INTERNET STORM CENTER TECH CORNER
Odd DNS Requests from Firewalls
https://isc.sans.edu/forums/diary/Suspicious+DNS+Requests+Issued+by+a+Firewall/24128/
Securing API Connections
Microsoft JET Database 0day
https://www.zerodayinitiative.com/advisories/ZDI-18-1075/
Western Digital Releases Patch for MyCloud Drives
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952&s
Job Offers With Malware Attachment
More Sextortion Emails
https://isc.sans.edu/forums/diary/Sextortion+Spam+and+the+Infinite+Monkey+Theorem/24136/
MacOS 10.14 (Mojave) Security Fixes
https://support.apple.com/en-us/HT209139
Mojave Privacy Protection Bypass
Cloudflare Supporting Encrypted SNI
https://blog.cloudflare.com/esni/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create