SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #84
October 23, 2018
****************************************************************************
SANS NewsBites October 23, 2018 Vol. 20, Num. 84
****************************************************************************
TOP OF THE NEWS
Russian Charged Over Election Meddling
Super Micro Will Review its Hardware for Malicious Chips Despite Lack of Evidence
REST OF THE WEEK'S NEWS
Critical TCP/IP Flaws in FreeRTOS
Healthcare.gov Breach Exposed Personal Information of 75,000 Users
Big Tech and Government Cybersecurity
Australian Intel Director Defends Assistance and Access Bill
FDA Draft Premarket Guidance for Medical Device Manufacturers Proposes Cybersecurity Bill of Materials
Tools Leaked by Shadow Brokers Used in Attacks
OpenBSD 6.4 Disables Audio Recording By Default, Adds Mitigations for Spectre and Other CPU-Related Attacks
SEC Report Suggests Insufficient Internal Accounting Controls Could Violate Federal Law
UK's National Cyber Security Centre
You're Not Imagining It: Civilization is Flickering, Part 1
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- Tactical Detection Summit 2018 | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends October 31.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
TOP OF THE NEWS
--Russian Charged Over Election Meddling
(October 19 & 22, 2018)
The US Department of Justice (DOJ) has charged Elena Alekseevna Khusyaynova with conspiracy to defraud the United States for allegedly interfering with the US political system, including the upcoming 2018 midterm elections. Khusyaynova allegedly managed the finances for a group financed by a Russian oligarch and involved in foreign influence activities.
Read more in:
Washington Post: Justice Dept. charges Russian woman with interference in midterm elections
The Hill: Russian woman charged with interfering in midterm elections
Federal Times: Russian woman charged with US election interference
DOJ: Russian National Charged with Interfering in U.S. Political System
https://www.justice.gov/opa/pr/russian-national-charged-interfering-us-political-system
--Super Micro Will Review its Hardware for Malicious Chips Despite Lack of Evidence
(October 22, 2018)
In an effort to debunk allegations made in a recent Bloomberg story that Chinese spies had placed malicious chips in some of its products, Super Micro Computer says it will examine its hardware. "No one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip," company CEO Charles Liang wrote last week in a letter to customers. "Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article."
[Editor Comments]
[Pescatore] Whether or not Super Micro's boards were tampered with, there are plenty of examples of such hardware tampering being done by Chinese, Russian and US government agencies. When I worked for the US Secret Service in the 1980s, we were still dealing with the discovery that IBM Selectric Typewriters sent out for repair by the US Embassy in Moscow and consulate in Leningrad had been tampered with and provided monitoring capabilities that the USSR exploited for 8 years!! Supply chain security is a complex target; the first step is making sure the CFO and Chief Legal Counsel understand the risks and that procurement processes are reviewed to find gaps.
[Neely] Make sure you and your suppliers have a plan for the discovery and resolution of any non-genuine devices.
[Murray] The supply chain constitutes a troubling vulnerability; among other things it makes us vulnerable to sleeper agents. However, until there is clear evidence of exploitation, it does not constitute a measurable risk, certainly not one that ranks with porous software and social engineering. These are sufficient to demonstrate that our current permissive policies and strategies are not working. More restrictive policies and strategies would reduce our cost of security, e.g. patching, and our cost of losses, breaches and tighten the supply chain.
Read more in:
Reuters: Super Micro to review hardware for malicious chips
Super Micro: Letter from Super Micro CEO Charles Liang
https://www.supermicro.com/en/news/CEO-letter
REST OF THE WEEK'S NEWS
--Critical TCP/IP Flaws in FreeRTOS
(October 22, 2018)
Critical security flaws in FreeRTOS, an operating system kernel used in many Internet-connected devices and embedded electronics, could be exploited to take control of vulnerable devices. Amazon Web Services (AWS) assumed stewardship of the FreeRTOS kernel last November.
[Editor Comments]
[Ullrich] Organizations have 30 days to patch this before Zimperium will release details. A lot of the patches have to come from vendors using an affected OS. Note that some of the vulnerabilities affect not only the Amazon-maintained FreeRTOS, but may also affect OpenRTOS and SafeRTOS (if the vulnerable TCP/IP components are installed). A patch will likely have to arrive from the device manufacturer.
Read more in:
Zimperium: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems
The Register: Get patching, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking
https://www.theregister.co.uk/2018/10/22/freertos_iot_platform_security_flaws/
SC Magazine: Amazon patches IoT and critical infrastructure security flaws
https://www.scmagazine.com/home/security-news/__trashed-6/
Bleeping Computer: Remote Code Execution Flaws Found in FreeRTOS - Popular OS for Embedded Systems
--Healthcare.gov Breach Exposed Personal Information of 75,000 Users
(October 21, 2018)
A breach of the Healthcare.gov sign-up system compromised personal information of 75,000 users. Healthcare.gov hosts the Federally Facilitated Exchanges (FFE) that agents and brokers use to sign people up for Affordable Care Act (ACA) health plans. The FFE system is managed by the Centers for Medicare & Medicaid Services (CMS), which issued a press release about the incident on October 19. The press release noted that the incident will not negatively affect open enrollment. The accounts associated with the activity that alerted CMS to the breach have been deactivated.
[Editor Comments]
[Ullrich] You can consider this a success story in detecting and mitigating unauthorized access by an authenticated user. According to the press release, the leak happened when authorized agent and broker accounts accessed the data. It isn't clear whether the particular user was acting maliciously, exploiting a vulnerability, or if the user's account was compromised.
[Donald Smith] From the GitHub link you get a feel for what some of the issues were: https://github.com/aws/amazon-freertos/blob/master/CHANGELOG.md: Change Log for Amazon FreeRTOS
Read more in:
ZDNet: Hackers steal data of 75,000 users after Healthcare.gov FFE breach
https://www.zdnet.com/article/hackers-steal-data-of-75000-users-after-healthcare-gov-ffe-breach/
CMS: CMS Responding to Suspicious Activity in Agent and Broker Exchanges Portal
--Big Tech and Government Cybersecurity
(October 22, 2018)
The White House is planning to meet with Amazon, Google, IBM, and Microsoft to try and hammer out arrangements that would encourage some of their employees to temporarily take jobs with the federal government to help modernize its approach to cybersecurity. Because the companies are some of the government's largest vendors, care will need to be taken so that employees who elect to work for federal agencies do not experience a conflict of interest. US Director of National Intelligence Dan Coats has called out tech companies over the incongruity of their reluctance to work with the US government and their willingness to work with foreign entities like China.
Read more in:
Washington Post: The White House is wooing tech workers to do tours of duty in government
Fifth Domain: Top US intelligence official takes veiled shot at Google
--Australian Intel Director Defends Assistance and Access Bill
(October 22, 2018)
Duncan Lewis, Director General of Security at the Australian Security Intelligence Organization (ASIO), defended the controversial proposed Assistance and Access Bill that would give Australian intelligence agencies the authority to request and in some cases demand access to encrypted communications. Lewis said that the bill does not allow for persistent monitoring or mass surveillance. The bill lays out three levels of access assistance. Technical Assistance Notices would compel providers to provide decrypted communications through means they already have available; Technical Capability Notices would compel providers to build technology to allow intelligence to access encrypted communications; and Technical Assistance Requests would ask providers to help voluntarily. The content sought with Technical Assistance Requests would not be constrained by the same rules that apply to the Notices, and the requests would not be included in annual audit reports.
Read more in:
ZDNet: ASIO chief says encryption-busting scheme would not involve persistent monitoring
--FDA Draft Premarket Guidance for Medical Device Manufacturers Proposes Cybersecurity Bill of Materials
(October 19, 2018)
A US Food and Drug Administration (FDA) draft of premarket guidance for medical device manufacturers proposes preparing a cybersecurity bill of materials that alerts users to the hardware and software components used in the devices. The draft guidance also addresses general principles and risk assessment, and trustworthy device design through the use of the National Institute of Standards and Technology (NIST) Framework.
[Editor Comments]
[Pescatore] I'm going to go cynical here: the FDA has been putting out guidance on cybersecurity for medical devices for years and the security quality of the devices sold hasn't really changed. Most of the guidance just requires more documentation vs. more security, and the FDA never seems to take any real enforcement action. I think it is necessary for the Healthcare ISAC or other health care system buyers' groups to get together to take joint action to drive security testing requirements into all procurements of medical devices and systems.
[Neely] Creating frameworks and guidelines for securing medical devices is a great step forward. This guidance seems to lack requirements to actually implement this guidance.
Read more in:
GovInfoSecurity: FDA Calls for 'Cybersecurity Bill of Materials' for Devices
https://www.govinfosecurity.com/fda-calls-for-cybersecurity-bill-materials-for-devices-a-11628
FDA: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff
--Tools Leaked by Shadow Brokers Used in Attacks
(October 19, 2018)
Cyber criminals are using NSA hacking tools leaked last year by Shadow Brokers to target systems at organizations in aerospace, nuclear energy and other industries in Russia, Iran, and Egypt, according to Kaspersky Lab researchers. The tools used in the attacks are the Dark Pulsar backdoor and the FuzzBunch and DanderSpritz toolkits.
[Editor Comments]
[Williams] The nuclear and aerospace industries are not typical cybercrime targets. Their targeting implies that nation states are reusing the NSA tools.
Read more in:
The Register: Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds
https://www.theregister.co.uk/2018/10/19/leaked_nsa_malware/
SecureList: DarkPulsar
https://securelist.com/darkpulsar/88199/
--OpenBSD 6.4 Disables Audio Recording By Default, Adds Mitigations for Spectre and Other CPU-Related Attacks
(October 19, 2018)
OpenBSD 6.4 was released on Thursday, October 18. The newest version of the operating system disables audio recording by default; users who want to switch it on can flip a kernel flag. OpenBSD 6.4 also includes mitigations for Spectre v2, SpectreRSB, L1TF, and Lazy FPU attacks.
Read more in:
ZDNet: Audio recording is now disabled by default in OpenBSD
https://www.zdnet.com/article/audio-recording-is-now-disabled-by-default-in-openbsd/
--SEC Report Suggests Insufficient Internal Accounting Controls Could Violate Federal Law
(October 16 & 17, 2018)
Last week, on Tuesday, October 16, the US Securities and Exchange Commission (SEC) issued a report on an investigation into whether nine companies that had experienced cyber-related fraud had implemented sufficient internal accounting controls. The report specifically examines incidents involving business email compromise (BEC) in which the company lost at least US$1 million. The report concludes that companies that have not implemented sufficient controls could be in violation of federal law.
[Editor Comments]
[Pescatore] The report points to the 1934 Securities Exchange Act that requires companies maintain internal accounting systems that provide shareholders with reasonable assurances that the business is adequately controlled and some later regulations that require those reasonable controls around transactions in particular. Of course, the SEC hasn't and doesn't define "reasonable" so there really isn't much to this report as far as forcing functions to drive businesses to higher levels of email security, but the headlines are still useful in getting support for deploying DMARC and stronger authentication.
Read more in:
Insurance Journal: Lax Cyber Security Could Be Federal Law Violation, SEC Warns
https://www.insurancejournal.com/news/national/2018/10/17/504783.htm
SEC: SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls (Press Release)
https://www.sec.gov/news/press-release/2018-236
SEC: Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements
https://www.sec.gov/litigation/investreport/34-84429.pdf
--UK's National Cyber Security Centre
(October 16 & 17, 2018)
The UK's National Cyber Security Centre (NCSC) was established two years ago as a single entity focused on protecting the country, including companies and private citizens, from cyberthreats. NCSC, which is part of the Government Communications Headquarters (GCHQ), the UK's counterpart to the US's National Security Agency (NSA), manages to strip intelligence from classified threat information and push it out to businesses and the public quickly. The US's approach to cybersecurity lacks this focus. The Department of Homeland Security (DHS), the FBI, and the NSA all see cyberattacks every day but cannot always notify victims. The reasons vary: DHS's responsibilities are broad; the FBI investigates incidents, but covertly; and the NSA is limited regarding its interaction with US citizens.
[Editor Comments]
[Paller] The value of the UK's more centralized management of cybersecurity became especially visible in the last year when the UK created a coordinated national effort in all UK schools to find cyber talent and develop it. DHS continues to spread money to schools and grantees without first determining whether the people being trained have the natural aptitude and the tenacity to excel.
Read more in:
NBC News: A British invention that U.S. spies should copy
https://www.nbcnews.com/news/world/british-invention-u-s-spies-should-copy-n920891
--You're Not Imagining It: Civilization is Flickering, Part 1
(October 22, 2018)
In Part 1 of a two-part blog post, Michael Assante notes, "As our reliance on connected digital systems becomes nearly total, and as computers' susceptibility to manipulation by remote others is now well established, all well-informed citizens have ample cause to be anxious about their lights, and much more. But how do we decide whether we listen to the doomsayers or those who say we should just relax, it's not that bad?" Assante's blog will give you a few tools to better judge for yourself which of these voices is closer to the ground truth. (Look for part two in Friday's NewsBites.)
[Editor Comments]
[Assante] The important concept here is that focusing on responding to a breach will not be sufficient in a highly automated and hyper-connected world. Engineers and cyber professionals will need to be prepared to work much closer together in the near future.
Read more in:
RSAConference: You're Not Imagining It: Civilization is Flickering, Part 1
https://www.rsaconference.com/blogs/youre-not-imagining-it-civilization-is-flickering-part-1
INTERNET STORM CENTER TECH CORNER
MacOS LaunchAgent
https://isc.sans.edu/forums/diary/Beyond+good+ol+LaunchAgent+part+0/24230/
TLS Session Tracking
https://arxiv.org/pdf/1810.07304.pdf
jQuery File Upload Plugin
https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html
Drupal Update
https://www.drupal.org/sa-core-2018-006
MSG Files: Compressed RTF
https://isc.sans.edu/forums/diary/MSG+Files+Compressed+RTF/24228/
FreeRTOS TCP/IP Stack Vulnerabilities
VLC/Live555 RTSP Server Vulnerability
https://www.talosintelligence.com/reports/TALOS-2018-0684
Microsoft Yammer Update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8569#ID0EGB
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create