SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #81
October 12, 2018****************************************************************************
SANS NewsBites October 12, 2018 Vol. 20, Num. 81
****************************************************************************
TOP OF THE NEWS
GAO: DOD Weapons Systems Too Easy To Hack
Security Concerns Prompted Medtronic to Stop Updates for Pacemaker Programmers
REST OF THE WEEKS NEWS
ESET: Ukraine Power Grid Attacks and NotPetya Linked
OPM Memo Grants Direct Hire Authority for STEM Jobs
Browsers Differ in Approaches to Distrusting Symantec Certificates
Six Months in Prison for Helping Russian Election Meddlers Get Bank Accounts
Joint Report on Publicly Available Hacking Tools
Microsoft Patch Tuesday
More Windows 10 Update Problems
Chinese Intelligence Officer Extradited to US to Face Charges of Economic Espionage
Adobe October Updates
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad, ASUS Chromebook C202SA, or Take $250 Off with OnDemand or vLive. Offer Ends October 17.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Deep Instinct **********************
"Reinventing Prevention with Deep Learning" with Jake Williams & Mark
Arapovic. Join us for a look at the evolution of protection against the
ever changing threat landscape as we consider what can be learned from
past approaches to threat mitigation, and if these approaches can be
modernized to cripple the multi-billion dollar Cybercrime industry.
Register: http://www.sans.org/info/207460
*****************************************************************************
TOP OF THE NEWS
--GAO: DOD Weapons Systems Too Easy To Hack
(October 9 & 10, 2018)
A new report from the US Government Accountability Office (GAO) found cybersecurity problems with Defense Department (DOD) weapons systems. testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected. According to the report, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.
[Editor Comments]
[Paller] The two most dangerous cyber risks to our nation are caused by the vulnerabilities in weapons systems and the broad penetration by our adversaries of the computers that control power in the U.S. and its allies. The risk to power systems is widely understood and the selection of Karen Evans (previously CIO of the whole federal government) as the new cyber czar for energy is the first positive thing that has happened on protection of power systems since we all gave up on DHSs ability to protect those systems nearly 10 years ago. Weapon system vulnerabilities are equally dangerous. A short time after Adm. Barry McCullough was sworn in as the first Commander of the 10th Fleet (the Navys Cyber Command), he told a group at CSIS that the U.S. dominates in kinetic weapons, but the other side is targeting command and control of OUR weapons systems. He concluded, We are on the wrong side of the spending curve by a factor of 4. Those vulnerabilities in our weapons systems mean we wont know whether the weapons we fire will hit the intended target or one of our own units. His CSIS briefing was April 5, 2010eight and a half years ago. Do you think our adversaries made progress in those 8 years? We need a Weapons Systems Cyber Czar in DOD with 4 stars and balls of steel.
[Murray] One is left with the suspicion that many of these problems are related to the use of general-purpose commercial off the shelf operating systems. The term patches was used.
[Neely] Weapons systems are increasingly being built using commodity components and with more interconnectivity than prior generation stand-alone systems. That raises the need to revisit the risk decision to prioritize this work; particularly if the attack vectors can be used to bypass current use controls.
[Williams] The GAO report authors have failed to distinguish between "remotely exploitable" and "exploitable from the Internet." These are two VERY different things. It isn't clear whether this was intentionally done in an effort to increase concern over the report or whether the data to clarify what was meant by "remote access" simply wasn't available in the reports they reviewed. While many weapons systems are remotely exploitable, this can only be done from a privileged position in the network - one which usually requires physical access.
Read more in:
FCW: GAO: DOD weapons systems easy to hack
https://fcw.com/articles/2018/10/09/gao-pwns-dod.aspx
Wired: US Weapons Systems Are Easy Cyberattack Targets, New Report Finds
https://www.wired.com/story/us-weapons-systems-easy-cyberattack-targets/
The Register: US may have by far the world's biggest military budget but it's not showing in security
https://www.theregister.co.uk/2018/10/10/gao_weapons_security/
SC Magazine: GAO report slams Department of Defense cybersecurity practices
https://www.scmagazine.com/home/news/gao-report-slams-department-of-defense-cybersecurity-practices/
GAO: Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
https://www.gao.gov/products/GAO-19-128
--Security Concerns Prompted Medtronic to Stop Updates for Pacemaker Programmers
(October 11, 2018)
Medtronic, a company that manufactures implantable medical devices, has disabled Internet updates for CareLink programming devices that healthcare workers use to access pacemakers. Medtronic said it made the decision because the system was vulnerable to cyberattacks. The programmers can still be manually updated.
[Editor Comments]
[Pescatore] Vulnerabilities on the server or Internet side of the software update process is a common Internet of Things problemand a much easier target for attackers than the individual devices. Where security is involved in the evaluation of candidate devices (all too infrequently), this area should be highly weighted.
Read more in:
Reuters: Medtronic disables pacemaker programmer updates over hack concern
Medtronic: Urgent Medical Device Correction: Software Distribution Network & Associated Programmers
************************** SPONSORED LINKS ********************************
1) Don't Miss "How to Conduct and Utilize Human Intelligence by Engaging
Your Cyber Adversaries" Register: http://www.sans.org/info/207465
2) Join SANS Matt Bromiley as he shares his experiences using
BehavioSecs relatively new method of behavioral biometrics and its role
in identifying bad actors. Register here: http://www.sans.org/info/207470
3) What challenges do you face in using cyber threat intelligence (CTI)?
Help SANS examine the state of CTI. Take the survey and enter to win a
$400 Amazon gift card | http://www.sans.org/info/207475
*****************************************************************************
REST OF THE WEEKS NEWS
--ESET: Ukraine Power Grid Attacks and NotPetya Linked
(October 11, 2018)
Researchers from ESET have uncovered evidence they say links the June 2017 NotPetya ransomware attacks back to the group believed to be responsible for the attacks against the power grid in Ukraine in December 2015 and December 2016.
Read more in:
WeLiveSecurity: New TeleBots backdoor: First evidence linking Industroyer to NotPetya
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
CyberScoop: Researchers link tools used in NotPetya and Ukraine grid hacks
https://www.cyberscoop.com/telebots-eset-notpetya-ukraine-link/
ZDNet: Security researchers find solid evidence linking Industroyer to NotPetya
--OPM Memo Grants Direct Hire Authority for STEM Jobs
(October 11, 2018)
A memo from the US Office of Personnel Management (OPM) grants agencies direct-hire authority for certain cybersecurity and other STEM-related jobs, including Computer Engineers, Computer Scientists, Electronics Engineers, and IT Cybersecurity Specialists. The authority to circumvent standard employment processes for these jobs takes effect immediately.
[Editor Comments]
[Neely] This hiring authority allows agencies to more rapidly hire STEM positions at paygrades 11-15 without preference eligibility and examination constraints and associated OPM approval processes.
Read more in:
Fedsmith: OPM Announces New Direct Hiring Authority for Certain Positions
https://www.fedsmith.com/2018/10/11/opm-announces-new-direct-hiring-authority-certain-positions/
MeriTalk: OPM Memo Authorizes More Cybersecurity Hires
https://www.meritalk.com/articles/opm-memo-authorizes-more-cybersecurity-hires/
FedScoop: Weichert unveils federal IT, cyber direct hire authority days into OPM tenure
https://www.fedscoop.com/opm-unveils-cyber-stem-direct-hire-authority-weicherts-first-action/
--Browsers Differ in Approaches to Distrusting Symantec Certificates
(October 9 & 11, 2018)
Mozilla has pushed back its deadline for distrusting legacy Symantec certificates. The company said it is delaying the change until later this year when more sites have replaced their Symantec TLS certificates. Chrome 70 will stop recognizing the questionable certificates when it is released on October 16. The decision to distrust legacy Symantec certificates was made more than a year ago after several incidents that violated industry best practices.
[Editor Comments]
[Williams] It wasn't simply "violations of best practices" that led to distrust of Symantec certificates. The entire web of trust is rooted in certificate authorities and registration authorities having proper audit records. Symantec didn't have any audit records for at least one of its registration authorities. Certificates could have been issued to malicious actors; almost two years later, we STILL can't say whether or not that happened. If the browser vendors were serious about security, they would have immediately distrusted Symantec certificates. This is another case that shows how "giving people time" to avoid a usability issue really doesn't work.
Read more in:
The Register: Mozilla grants distrusted Symantec certs a stay of execution, claims many sites yet to make switch
https://www.theregister.co.uk/2018/10/11/firefox_symantec_certs_delay/
The Register: It's a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70's show
https://www.theregister.co.uk/2018/10/09/chrome_70_symantec_cert_disavowal/
--Six Months in Prison for Helping Russian Election Meddlers Get Bank Accounts
(October 11, 2018)
Richard Pinedo has been sentenced to six months in prison for establishing American bank accounts using stolen identities for Russians attempting to interfere with the 2016 presidential election. The accounts were used to funnel money into the US to be used to pay for ads with PayPal. In his plea deal, Pinedo admitted to one count of identity fraud. He is cooperating with federal investigators.
Read more in:
The Register: Bloke gets six months for fixing up Russia's US election trolls with bank accounts, fake identities
https://www.theregister.co.uk/2018/10/11/russian_troll_jail/
Washington Post: Cooperating U.S. defendant sentenced in Mueller probe of alleged Russian 2016 election trolling effort
DOJ: Statement of the Offense - February 12, 2018
https://www.justice.gov/file/1035547/download
--Joint Report on Publicly Available Hacking Tools
(October 11, 2018)
The cyber security authorities of Australia, Canada, New Zealand, the UK, and the US have released a joint report describing several hacking tools that have been used in recent attacks. The report also provides guidance on detecting the tools and limiting their effect. The tools covered in the report are remote Access Trojans (RATs); Web Shells; Mimikatz; lateral movement tools used in previously-compromised networks; PowerShell Empire; and command-and-control obfuscation and exfiltration tools.
[Editor Comments]
[Neely] The report is a nice primer on these common hacking tools, what they do, how they may be detected, and on potential mitigations. Coupled with the included references to protection and detection measures, this report can help management understand why these are needed and show a pathway to alignment with best practices.
Read more in:
The Register: UK.gov teams up with Five Eyes chums to emit spotters' guide for miscreants' hack tools
https://www.theregister.co.uk/2018/10/11/hacking_tools_taxonomy/
NCSC: Joint report on publicly available hacking tools
https://www.ncsc.gov.uk/joint-report
--Microsoft Patch Tuesday
(October 9 & 11, 2018)
On Tuesday, October 9, Microsoft released fixes for nearly 50 security issues, including a patch for a zero-day vulnerability affecting the Win32k component that could be exploited to gain elevated privileges. Twelve of the security issues fixed are rated critical.
Read more in:
KrebsOnSecurity: Patch Tuesday, October 2018 Edition
https://krebsonsecurity.com/2018/10/patch-tuesday-october-2018-edition/
Dark Reading: Microsoft Fixes Privilege Escalation 0Day Under Active Attack
Threatpost: Microsoft Patches Zero-Day Under Active Attack by APT
https://threatpost.com/microsoft-patches-zero-day-under-active-attack-by-apt/138164/
Microsoft: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--More Windows 10 Update Problems
(October 11, 2018)
Users running Windows 10 on some HP machines are reporting that the most recent update, version 1809, is causing blue screen of death crashes that reference a WDF_Violation error. Microsoft is aware of the reports and is looking into the matter.
Read more in:
ZDNet: More Windows 10 October update woes? HP users report BSOD after Tuesday patch
Bleeping Computer: HP PCs Getting WDF_VIOLATION BSOD After Installing Windows 10 Updates
--Chinese Intelligence Officer Extradited to US to Face Charges of Economic Espionage
(October 10, 2018)
A Chinese intelligence officer has been arrested in Belgium and extradited to the US to face charges of conspiracy and attempting to commit economic espionage and conspiracy and attempting to commit theft of trade secrets. Yanjun Xu allegedly tried to steal trade secrets from a US aerospace company. Some members of the cybersecurity community have expressed concern that the arrest will lead to increased cyberattacks against US targets from China.
Read more in:
ZDNet: Arrest of top Chinese intelligence officer sparks fears of new Chinese hacking efforts
Dark Reading: Chinese Intelligence Officer Under Arrest for Trade Secret Theft
DOJ: Chinese Intelligence Officer Charged with Economic Espionage Involving Theft of Trade Secrets from Leading U.S. Aviation Companies
--Adobe October Updates
(October 9 & 10, 2018)
Adobes monthly security updates includes fixes for a total of 16 vulnerabilities in Adobe Digital Editions, Adobe Experience Manager, Adobe Framemaker, and Adobe Technical Communications Suite. Notably absent from the release are any security fixes for Adobe Flash Player. Last week, Adobe issued an out-of-cycle update to address 86 vulnerabilities in Acrobat and Reader.
Read more in:
SC Magazine: Flash Player missing from Adobes October Patch Tuesday update
https://www.scmagazine.com/home/news/flash-player-missing-from-adobes-october-patch-tuesday-update/
Threatpost: Four Critical Flaws Patched in Adobe Digital Edition
https://threatpost.com/four-critical-flaws-patched-in-adobe-digital-edition/138178/
Adobe: Security Updates Available for Adobe Digital Editions | APSB18-27
https://helpx.adobe.com/security/products/Digital-Editions/apsb18-27.html
Adobe: Security updates available for Adobe Experience Manager | APSB18-36
https://helpx.adobe.com/security/products/experience-manager/apsb18-36.html
Adobe: Security Updates Available for Adobe Framemaker | APSB18-37
https://helpx.adobe.com/security/products/framemaker/apsb18-37.html
Adobe: Security Updates Available for Adobe Technical Communications Suite | APSB18-38
https://helpx.adobe.com/security/products/techcommsuite/apsb18-38.html
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/October+2018+Microsoft+Patch+Tuesday/24186/
CVE-2018-8453 Details from Kaspersky
https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
Adobe Updates
https://helpx.adobe.com/security.html
Juniper Patches
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES
Magecart Infects "Shopper Approved" Plugin
https://www.riskiq.com/blog/labs/magecart-shopper-approved/
Salesforce Releases hassh Library
https://github.com/salesforce/hassh
Reverse Analysis of WebAssembly
Remote Code Execution Vulnerability in WhatsApp
https://bugs.chromium.org/p/project-zero/issues/detail?id=1654
Experian Vulnerability Could Have Leaked Credit Freeze PINs
New Campaign Using Old Equation Editor Vulnerability
https://isc.sans.edu/forums/diary/New+Campaign+Using+Old+Equation+Editor+Vulnerability/24196/
Root Access Vulnerability in SONY Smart TVs
MicroTik RouterOS Vulnerabilities
https://github.com/tenable/routeros/blob/master/bug_hunting_in_routeros_derbycon_2018.pdf
Firefox Delays Symantec Certificate Distrust
https://www.theregister.co.uk/2018/10/11/firefox_symantec_certs_delay/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
