SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #9
February 2, 2018
Just days left for U.S. high school girls to get the opportunity to discover whether they have latent talent that will enable them to excel in cybersecurity careers (and whether they will love the field). In probably the largest public-private partnership ever assembled in cybersecurity, 16 U.S. state governors (from Hawaii to Nevada to Texas to Maryland to Maine) issued individual press releases announcing their partnership with SANS to enable high school girls in their states to play CyberStart. Cisco also joined the partnership, demonstrating the interest employers have in finding and inspiring talented young people who can fill the cybersecurity jobs of the future. Because of CyberStart, America's cybersecurity leaders are gaining optimism that the U.S. can, reasonably quickly (because the same game finds talent in college students), build a pipeline of talent that will completely meet our national requirements. The UK also launched CyberStart in November for all high school students. Readers of NewsBites can help. To see which governors have made CyberStart available and what you can do to help, see the last story in this issue.
Alan
****************************************************************************
SANS NewsBites February 2, 2018 Vol. 20, Num. 009
****************************************************************************
TOP OF THE NEWS
Cybersecurity Campaign Playbook
NIST Digital Identity Authentication Standards Implementation Deadline Approaching
REST OF THE WEEK'S NEWS
Dutch Banks and Government Websites Hit with DDoS Attacks
Smominru Botnet Mines Monero Cryptocurrency
Adobe Will Patch Flash Zero-Day Next Week
DHS Re-examining Personal Electronic Device Policy
Cisco Talos Report Examines Cryptocurrency Mining
Firefox Updated to Fix Critical HTML Hijacking Flaw
Cisco Patches Critical Flaw in Adaptive Security Appliance (ASA)
High School Girls Find Their Cyber Talent and Passion with Girls Go CyberStart Competition
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Cylance **************************
The assumption of compromise is no longer a given. Cylance(R) customers worldwide have reported freedom from zero-days, ransomware, and fileless attacks. Prevention is possible with AI driven endpoint security from Cylance. Think beyond compromise. Visit http://www.sans.org/info/201770
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018
-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Mini, Samsung Galaxy Tab S2 or take $300 Off your OnDemand or vLive training course by February 7. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Cybersecurity Campaign Playbook
(February 1, 2018)
The Belfer Center for Science and International Affairs at the Harvard Kennedy School has created the Cybersecurity Campaign Playbook, a set of guidelines for political campaigns that are unable to hire their own cybersecurity staff. The playbook, which was created through the Belfer Center's Defending Digital Democracy Project, "offer[s] basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement." The secretaries of state of Kentucky and West Virginia have begun sharing the playbook with political candidates.
[Editor Comments]
[Pescatore] This is a well-done document, with its own version of a Top Five that focuses on fighting phishing, the most likely attack campaign staffs are likely to see. It is a bit heavy-weight for state and local campaigns, though it does include first steps and then "if you can afford it..." I'd like to see public funds for election campaigns come with requirements to address cybersecurity.
[Williams] This is a fantastic resource for any organization that can't afford dedicated IT security staff. While the advice it offers is specific to campaigns, it provides solid advice in a format that's consumable by less technical staff (e.g. managers and executives).
[Neely] This is a great foundation that can be applied to more than just a political campaign. The wording is an example for effectively communicating cyber security issues and strategies to management and the approaches are based on economical options that won't break the bank.
Read more in:
Cyberscoop: A cybersecurity tip sheet for U.S. campaign officials is gaining traction, usage in field
Belfer Center: The Cybersecurity Campaign Playbook (PDF)
https://www.belfercenter.org/sites/default/files/files/publication/Playbook%201.3.pdf
--
NIST Digital Identity Authentication Standards Implementation Deadline Approaching
(January 31, 2018)
US federal agencies have until the end of June 2018 to implement new standards for digital identity management and authentication. The guidelines can be found in the National Institute of Standards and Technology's (NIST's) Special Publication 800-63-3, which was released in June 2017. The guidelines are broken down into three sections: Enrollment and Identity Proofing, Authentication and Lifecycle Management, and Federation and Assertions.
[Editor Comments]
[Northcutt] Section 4.2 (identity proofing) of the following required guideline includes the word "shall" a lot; you might find it helpful to understand if you are in government or, soon, work for a government contractor.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf
[Murray] This guidance encourages, but still does not require, strong authentication. This is an improvement but it is hard to imagine a government "use case" for which passwords, vulnerable to replay, are adequate.
Read more in:
FNR: NIST deadline looms for agencies to improve digital authentication standards
GCN: NIST's digital identity deadline approaches
https://gcn.com/articles/2018/01/31/identity-access-management.aspx?admgarea=TC_SecCybersSec
NIST: Digital Identity Guidelines: Now Available
https://pages.nist.gov/800-63-3/
************************** SPONSORED LINKS ********************************
1) See market-leading threat hunting and incident response live in action. Register now! - http://www.sans.org/info/201775
2) Learn about the five key technologies that must evolve to implement a successful identity management solution that addresses hybrid and multi-cloud environments. Register: http://www.sans.org/info/201780
3) Don't Miss: "A pen-testers perspective on malware & ransomware attack techniques and the state of endpoint security" Register: http://www.sans.org/info/201785
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Dutch Banks and Government Websites Hit with DDoS Attacks
(February 1, 2018)
Shortly after the story about Dutch Intelligence agencies providing the US with information about Russian hackers targeting the DNC, bank and government websites in the Netherlands began experiencing distributed denial-of-service (DDoS) attacks. It is not yet known who is behind the attacks.
[Editor Comments]
[Pescatore] Power conditioning and power backup is part of any data center build, just part of the cost of doing business. Denial of Service filtering/mitigation as part of all Internet services needs to be considered the same way. Ideally ISPs would be required to start cleaning their own pipes, vs. continuing to charge for the 70% of the bits they deliver that are obviously malicious and just get deleted by businesses.
Read more in:
ZDNet: DDoS mystery: Who's behind this massive wave of attacks targeting Dutch banks?
--
Smominru Botnet Mines Monero Cryptocurrency
(February 1, 2018)
More than 500,000 Windows-based machines have been infected with malware that mines for Monero cryptocurrency. The botnet, named Smominru, has mined 8,900 Monero since May 2017. (Monero closed at just under $241 USD on February 1, 2018. At that value, 8,900 Monero = $2.14 million USD.)
Read more in:
Threatpost: Massive Smominru Cryptocurrency Botnet Rakes In Millions
https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/
Bleeping Computer: Smominru Botnet Infected Over 500,000 Windows Machines
SC Magazine: Monero miner Smominru using EternalBlue to spread
https://www.scmagazine.com/monero-miner-smominru-using-eternalblue-to-spread/article/741458/
--
Adobe Will Patch Flash Zero-Day Next Week
(February 1, 2018)
Adobe says it will patch a zero-day flaw in its Flash Player next week. The vulnerability is being actively exploited by hackers in North Korea to attack Windows machines in South Korea, according to South Korea's Computer Emergency Response Team. The attack spreads through malicious code embedded in documents, webpages, and spam.
[Editor Comments]
[Murray] One would like to think that a country engaged in active cyber warfare would stop using Flash.
Read more in:
Adobe: Security Advisory for Adobe Flash Player
https://blogs.adobe.com/psirt/?p=1520
Bleeping Computer: New Adobe Flash Zero-Day Spotted in the Wild
https://www.bleepingcomputer.com/news/security/new-adobe-flash-zero-day-spotted-in-the-wild/
Dark Reading: Adobe to Patch Flash Zero-Day Discovered in South Korean Attacks
Threatpost: Adobe Flash Player Zero-Day Spotted In The Wild
https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/
The Register: Nork hackers exploit Flash bug to pwn South Koreans. And Adobe will deal with it next week
http://www.theregister.co.uk/2018/02/01/adobe_flash_security_patch/
SC Magazine: Attackers exploiting critical Adobe Flash Player zero-day bug; no patch until next week
--
Oracle POS Vulnerability
(January 31, 2018)
A directory traversal flaw in Oracle's Micros point-of-sale (POS) software could be exploited to steal data. Oracle released a fix for the issue in January, but many systems are likely to remain unpatched for months. The software is running on as many as 300,000 POS systems. The issue affects versions 2.7, 2.8, and 2.9.
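To make the bug class named in this item concrete, here is an added example (not Oracle's code and not from the NewsBites editors) that places an unsafe file lookup beside a hardened one. It does not reproduce the MICROS flaw; the directory layout, file names and request paths are constructed for the demonstration, and the hardening shown (resolving the path and checking it stays under the document root) is a general mitigation for directory traversal.

```python
"""Added example: directory traversal, unsafe lookup vs. hardened lookup.
The demo tree, file names and request strings are constructed for this
illustration; they are not Oracle MICROS paths."""
import os
import tempfile


def unsafe_read(base_dir: str, requested: str) -> bytes:
    # Vulnerable pattern: the caller-supplied path is joined straight onto the
    # base directory. '..' segments are left intact, and an absolute
    # 'requested' makes os.path.join discard base_dir entirely, so a request
    # can reach files outside the intended directory.
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, requested: str) -> bytes:
    # Hardened pattern: resolve symlinks and '..' on both the root and the
    # target, then require the resolved target to sit beneath the resolved
    # root before touching the filesystem.
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Create a throwaway tree (constructed for the demo):
    <tmp>/public/index.html  - the only file meant to be served
    <tmp>/secret.txt         - sits one level above the served directory
    Returns the path of the 'public' directory."""
    tmp = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(tmp, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
        fh.write(b"constructed secret")
    return public


def run_demo() -> dict:
    """Exercise both readers against the demo tree and report the outcomes."""
    public = build_demo_tree()
    results = {}
    # A legitimate request works with the hardened reader.
    results["safe_ok"] = safe_read(public, "index.html")
    # The unsafe reader follows '..' out of the served directory.
    results["unsafe_leak"] = unsafe_read(public, "../secret.txt")
    # The hardened reader refuses the same request.
    try:
        safe_read(public, "../secret.txt")
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The check is done on the resolved path rather than on the request string, so encoded or doubled '..' sequences and symlinks inside the served directory are handled by the same comparison; a string filter for '..' alone would not be.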
Read more in:
Bleeping Computer: Security Bug Affects Over 300,000 Oracle POS Systems
https://www.bleepingcomputer.com/news/security/security-bug-affects-over-300-000-oracle-pos-systems/
The Register: Oracle point-of-sale system vulnerabilities get Big Red cross
https://www.theregister.co.uk/2018/01/31/oracle_micros_pos_vuln/
Threatpost: Oracle Micros POS Vulnerability Puts 300,000 Systems At Risk
https://threatpost.com/oracle-micros-pos-vulnerability-puts-300000-systems-at-risk/129736/
ZDNet: Oracle Micros point-of-sale system vulnerability puts business data at risk
http://www.zdnet.com/article/oracle-micros-point-of-sale-systems-to-security-flaw/
--
DHS Re-examining Personal Electronic Device Policy
(January 31, 2018)
In light of a recent news story about the Strava fitness app leaking military base location, the US Department of Defense (DoD) is reviewing its policy on personal electronic devices at work. DoD officials told CNN that Defense Secretary James Mattis is considering banning personnel from bringing personal cell phones into the Pentagon.
[Editor Comments]
[Williams] Many in the younger generation have never been without a cell phone. Telling them they can't bring their phones to the office will remove at least some of them from the talent pool.
Read more in:
CNN: Exclusive: Mattis seeking to ban cell phones from Pentagon
https://www.cnn.com/2018/01/31/politics/mattis-pentagon-cellphone-ban/index.html
Nextgov: Pentagon Reviewing Electronic Device Policy
http://www.nextgov.com/policy/2018/01/pentagon-reviewing-electronic-device-policy/145625/
--
Cisco Talos Report Examines Cryptocurrency Mining
(January 31, 2018)
Cryptocurrency mining botnets are on the rise. Unlike ransomware, the goal of infecting a machine with cryptocurrency mining malware is to remain undetected. A report from Cisco Talos looks at the tools and methods that are used in cryptocurrency mining attacks.
Read more in:
Talos Intelligence: Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html
Threatpost: Crypto Miners May be the 'New Payload of Choice' for Attackers
https://threatpost.com/crypto-miners-may-be-the-new-payload-of-choice-for-attackers/129734/
eWeek: Cisco Reveals the Economics of Crypto-Currency Mining Attacks
http://www.eweek.com/security/cisco-reveals-the-economics-of-crypto-currency-mining-attacks
--
Firefox Updated to Fix Critical HTML Hijacking Flaw
(January 30 & 31, 2018)
Mozilla has updated Firefox to address a critical flaw that could be exploited to execute arbitrary code with user privileges. In a security advisory about the flaw, Cisco writes, "The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software." The flaw can be exploited by tricking a user into opening a malicious document or clicking on a malicious link.
[Editor Comments]
[Neely] This is fixed in Firefox 58.0.1. If you're running the regular release version of Firefox, update now. Note: Firefox ESR version 52 and Firefox for Android are not impacted.
Read more in:
Mozilla: Arbitrary code execution through unsanitized browser UI
https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/
Cisco: Mozilla Firefox HTML Fragments in Chrome-Privileged Documents Arbitrary Code Execution Vulnerability
https://tools.cisco.com/security/center/viewAlert.x?alertId=56610
The Register: Unsanitary Firefox gets fix for critical HTML-handling hijack flaw
http://www.theregister.co.uk/2018/01/30/mozilla_patches_critical_firefox_vulnerability/
ZDNet: Firefox 58.0.1: Mozilla releases fix for critical HTML hijack flaw
http://www.zdnet.com/article/firefox-security-mozilla-issues-fix-for-critical-html-hijack-flaw/
Cyberscoop: Firefox vulnerability allowing for arbitrary code execution is fixed
Bleeping Computer: Mozilla Fixes Severe Flaw in Firefox UI That Leads to Remote Code Execution
--
Cisco Patches Critical Flaw in Adaptive Security Appliance (ASA)
(January 30, 2018)
Cisco has released security updates to address "a vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code." There are no workarounds available.
[Editor Comments]
[Murray] There are always workarounds; we just do not like them.
Read more in:
Cisco: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Threatpost: Cisco Patches Critical VPN Vulnerability
https://threatpost.com/cisco-patches-critical-vpn-vulnerability/129694/
SC Magazine: Cisco patches ASA software flaw allowing VPN hacks
--
High School Girls Find Their Cyber Talent and Passion with Girls Go CyberStart Competition
(January 30, 2018)
The Girls Go CyberStart competition is a cybersecurity training pilot program for girls in 9th-12th grade. The competition is open to students in 17 US states and territories; the top contestant in each state will win a paid trip with a parent to the Women in Cybersecurity conference in Chicago on March 23-24. Registration for Girls Go CyberStart is open through February 16. The competition runs from February 20-25.
Read more in:
GovTech: States Partner to Get Girls Interested in Cyber, IT
http://www.govtech.com/workforce/States-Partner-to-Get-Girls-Interested-in-Cyber-IT.html
GirlsGoCyberStart: Welcome to Girls Go CyberStart!
https://girlsgocyberstart.com/
Girls who attend high school in these states are eligible (with URL for governors' press releases in each state):
Delaware: https://news.delaware.gov/2018/01/22/girls-go-cyberstart/
Mississippi: https://newsms.fm/gov-bryant-ms-homeland-security-announce-cybersecurity-scholarship/
North Carolina: https://governor.nc.gov/news/gov-cooper-encourages-nc-high-school-girls-join-innovative-cybersecurity-competition
American Samoa: http://www.samoanews.com/local-news/american-samoa-participate-girls-go-cyberstart-challenge
New York high school girls may also be eligible. Their decision is pending.
Here's a great letter (adapted from one used by the head of the Girl Scouts in Connecticut) you can use as a model to tell press people you know about it or to tell colleges that have high school networks or to tell your high schools or kids directly. The goal is to get every high school girl a chance to discover if they would enjoy this field and would be good in it.
Girls Go CyberStart: a cybersecurity program for high school girls!
Girl Scouts of Connecticut has recently partnered with the State of Connecticut and SANS Institute to encourage young women in high school to learn cybersecurity skills. The initiative, Girls Go CyberStart, was initiated by SANS following the recent start of their CyberStart program, enabling 3,500 students in seven states to discover and demonstrate their aptitude for cybersecurity. Unfortunately, only five percent of the students who participated in its first round were young women. To help address this issue, SANS is launching a program specifically to attract young women in high school in ten additional states across the U.S.!
Did you know that the cybersecurity market is expected to grow from $75 billion in 2015 to $170 billion by 2020? Tens of thousands of cybersecurity jobs in the U.S. are unfilled. Job postings are up 74 percent over the past five years. Girl Scouts wants to help girls get excited and interested in cybersecurity. It is this next generation that will be responsible for cracking codes, creating safe software, and finding security flaws to protect our communities, so we need to make sure we give them the tools and experience they need to succeed and help save the world.
With Girls Go CyberStart, girls in high school can form teams or play alone and participate in a series of fun and interactive challenges that offer the chance to explore exciting topics such as cryptography, penetration testing, and digital forensics. No prior computer knowledge is needed and students from all educational backgrounds are welcome.
Girls interested in Girls Go CyberStart can head to its website and learn more! Registration opens January 29 and closes February 16.
The game play begins at 9:00 a.m. on February 20 and stops at 11:59 p.m. on February 25. To learn more, visit https://girlsgocyberstart.com/.
INTERNET STORM CENTER TECH CORNER
DCShadow Attack
https://www.dropbox.com/s/baypdb6glmvp0j9/Buehat%20IL%20v2.3.pdf
https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
Cisco WebVPN Update
https://isc.sans.edu/forums/diary/Cisco+ASA+WebVPN+Vulnerability/23289/
Reviving DDE Code Execution via OneNote
https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
Tax Phishing Season Starts
https://isc.sans.edu/forums/diary/Tax+Phishing+Time/23295/
Using FLIR In Incident Response
https://isc.sans.edu/forums/diary/Using+FLIR+in+Incident+Response/23291/
Oracle MICROS POS Vulnerability
https://erpscan.com/press-center/blog/oracle-micros-pos-breached/
Adobe Flash 0-Day
https://isc.sans.edu/forums/diary/Adobe+Flash+0Day+Used+Against+South+Korean+Targets/23301/
Adaptive Phishing Kit
https://isc.sans.edu/forums/diary/Adaptive+Phishing+Kit/23299/
Crypto Miners "Payload of Choice"
http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html
Autosploit Links Shodan to Metasploit
https://github.com/NullArray/AutoSploit
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create