SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #47
June 14, 2019NIST Guidelines on Building Secure Software; SEC Alert on Misconfigured Data Storage Devices
****************************************************************************
SANS NewsBites June 14, 2019 Vol. 21, Num. 047
****************************************************************************
TOP OF THE NEWS
NIST Draft Guidelines for Building Secure Software
SEC Alert on Misconfigured Data Storage Devices
REST OF THE WEEK'S NEWS
Medical Workstation Vulnerabilities Could Be Exploited to Remotely Control Infusion Pumps
Hackers are Actively Exploiting Exim Flaw
Patch Tuesday: Microsoft, Adobe, and Intel
Patch for Cisco Bug in IOS XE Software User Interface
Lake City, Florida Ransomware Attack
Aircraft Part Manufacturer Hit by Ransomware Attack
RAMBleed Rowhammer Attack Can Be Used to Steal Data from Memory
Spammers Exploiting Google Calendar Feature
FBI: Criminals Using TLS Certificates to Make Sites Look Legitimate
Correction: GirlsGoCyberStart Competition: Winning Schools
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or Take $250 off through June 26 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************** Sponsored By Splunk *****************************
One Phish, Two Phish, Three Phish, Fraud Phish. In this Seuss-inspired children's book, readers are taken on a colorful journey, discovering the many surprising ways fraud touches our everyday lives, including credit card scams, payroll fraud, financial aid swindles, healthcare deception, and wire transfer fraud, as well as phishing attacks, account takeovers, and more. http://www.sans.org/info/213265
*****************************************************************************
TOP OF THE NEWS
--NIST Draft Guidelines for Building Secure Software
(June 12, 2019)
The National Institute of Standards and technology (NIST) has released a draft document, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), which "facilitates communications about secure software development practices amongst business owners, software developers, and cybersecurity professionals within an organization." Comments will be accepted through August 5, 2019.
[Editor Comments]
[Neely] This SSDF references existing development standards from ISO, OWASP, PCI, BSA, BSIMM and others, which makes mapping to relevant practices much simpler, as well as comparing practices between organizations when establishing parity. The organization of the document will also facilitate conversations about implementing secure development practices without having to digest large standards prior to having a common understanding.
[Murray] We have known for generations how to build quality products. In software we do not do it. We continue to prefer generality, flexibility, convenience, and ease. We prefer error prone languages and procedures. Users have been trained to accept, not simply tolerate, shoddy software; enterprises have organized around routinely repairing and patching. Instead of the original developer "doing it right the first time," we all do it over and over again. We have defaulted to the most expensive strategy.
Read more in:
Nextgov: NIST Asks for Input on Building Secure Software
https://www.nextgov.com/cybersecurity/2019/06/nist-asks-input-building-secure-software/157648/
CSRC: Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)
--SEC Alert on Misconfigured Data Storage Devices
(June 13, 2019)
On May 23, 2019, the US Securities and Exchange Commission (SEC) issued a security risk alert to broker-dealers and investment advisers regarding the security of cloud storage accounts, database servers and other network storage. The alert notes that "during recent examinations, [its] Office of Compliance Inspections and Examinations" found that firms were not always taking advantage of network storage solutions security features and that "weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device." The SEC also notes that it observed a lack of adequate oversight of vendor-provided third-party services and inadequate data sensitivity classification.
[Editor Comments]
[Pescatore] This common problem is part of the OWASP Top Ten software vulnerabilities in category A6, Security Misconfigurations. SANS recently did a webinar on this area: https://www.sans.org/webcasts/missing-information-about-security-misconfiguration-explore-often-used-vulnerability-category-data-1000-plus-pentests-111055
[Neely] One of the big challenges of using outsourced or cloud services is classification of the data to ensure the proper protections are in place for that data. Historically, insourced IT has been setup to properly handle and protect all data types in the organization and users are not accustomed to checking prior to using a given service. Once the protection requirements are identified, verify the configuration and setup monitoring to ensure they remain in place.
Read more in:
ZDNet: SEC security alert warns about misconfigured NAS, DBs, and cloud storage servers
Scribd: Safeguarding Customer Records and Information in Network Storage - Use of Third Party Security Features
https://www.scribd.com/document/413264377/OCIE-Risk-Alert-Network-Storage
**************************** SPONSORED LINKS ******************************
1) Is your SOC team ready for the next cyberattack? Download our guide to find out http://www.sans.org/info/213270
2) SANS Pen Test HackFest Summit - Our Call for Presentations is open! Submit a talk proposal: http://www.sans.org/info/213285
3) Keynotes announced for the inaugural SANS Supply Chain Cybersecurity Summit in Washington, DC! | Summit agenda: http://www.sans.org/info/213280
*****************************************************************************
REST OF THE WEEK'S NEWS
--Medical Workstation Vulnerabilities Could Be Exploited to Remotely Control Infusion Pumps
(June 13, 2019)
A pair of security flaws in Becton Dickinson Alaris Gateway Workstation for medical infusion pumps could be exploited to remotely take control of pumps and alter infusion rates, which could deliver too much medication to a patient, or could prevent medication from being infused. Hospitals admins can update to the most recent firmware version to fix the critical vulnerability.
[Editor Comments]
[Pescatore] While much of the focus has been on the lack of security in medical devices, the easier attack target is the control/admin/server software that the medical institutions used. That software is often badly designed and easily accessed through mismanaged Internet connectivity. Similar issue with mobile apps - the server side software is the bigger risk.
[Neely] The workstations are running Windows CE, and can be updated by placing a Windows .CAB file on the devices SMB share. In addition to application of the relevant update, which adds access restrictions to the SMB share, implement network level controls such as blocking SMB, or segmentation/VLAN restrictions to provide protections against future vulnerabilities.
[Murray] While such vulnerabilities are serious, panic is not justified. Our focus should be on avoidance of error, more than resistance to malice.
Read more in:
The Register: Hacking these medical pumps is as easy as copying a booby-trapped file over the network
https://www.theregister.co.uk/2019/06/13/medical_workstation_vulnerabilities/
Threatpost: Max-Severity Bug in Infusion Pump Gateway Puts Lives at Risk
https://threatpost.com/critical-bug-infusion-pump-lives-at-risk/145660/
ICS-CERT: Advisory (ICSMA-19-164-01) BD Alaris Gateway Workstation
https://ics-cert.us-cert.gov/advisories/ICSMA-19-164-01
--Hackers are Actively Exploiting Exim Flaw
(June 13, 2019)
A remote command execution vulnerability in the Exim mail transfer agent (MTA), disclosed earlier this month, is now being actively exploited. Exim runs on an estimated 57 percent of email servers worldwide. Owners of Exim servers are advised to update to version 4.92 as soon as possible.
[Editor Comments]
[Williams] This is a difficult to execute remote attack, but is trivial to execute locally. If users have shell access on any servers running Exim, this vulnerability is much more significant.
Read more in:
ZDNet: Exim email servers are now under attack
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
--Patch Tuesday: Microsoft, Adobe, and Intel
(June 11 & 12, 2019)
On Tuesday, June 11, Microsoft released updates to fix 88 security issues. Twenty-one of the vulnerabilities are rated critical, and four were disclosed prior to the security release. There is exploit code available for four of the vulnerabilities. Adobe released updates for Flash, ColdFusion, and Campaign Classic, and Intel released 11 updates for its software, firmware, and hardware.
Read more in:
KrebsOnSecurity: Microsoft Patch Tuesday, June 2019 Edition
https://krebsonsecurity.com/2019/06/microsoft-patch-tuesday-june-2019-edition/
The Register: It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes
https://www.theregister.co.uk/2019/06/11/patch_tuesday/
ZDNet: Microsoft's June 2019 Patch Tuesday fixes many of SandboxEscaper's zero-days
SC Magazine: Microsoft patches 22 critical flaws, four zero days on June Patch Tuesday
ZDNet: Adobe fixes critical security flaws in Flash, ColdFusion, Campaign
https://www.zdnet.com/article/adobe-fixes-critical-security-flaws-in-flash-coldfusion-campaign/
SC Magazine: Intel joins Patch Tuesday with 11 security updates
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe: Security Bulletin for Adobe Flash Player | APSB19-30
https://helpx.adobe.com/security/products/flash-player/apsb19-30.html
Adobe: Security updates available for ColdFusion | APSB19-27
https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html
Adobe: Security Bulletin for Adobe Campaign | APSB19-28
https://helpx.adobe.com/security/products/campaign/apsb19-28.html
--Patch for Cisco Bug in IOS XE Software User Interface
(June 13, 2019)
Cisco has released an update for its IOS XE software user interface (UI) to address a cross-site request forgery flaw. The high-severity flaw could be exploited to execute commands on or reconfigure vulnerable devices.
Read more in:
ZDNet: Cisco alert: Patch this dangerous bug open to remote attacks via malicious ads
Threatpost: High-Severity Cisco Flaw in IOS XE Enables Device Takeover
https://threatpost.com/high-severity-cisco-flaw-in-ios-xe-enables-device-takeover/145645/
Bleeping Computer: Cisco IOS XE Software Receives Fix Against High-Severity Flaw
Cisco: Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf
--Lake City, Florida Ransomware Attack
(June 12 & 13, 2019)
Municipal computer systems in Lake City, Florida were hit by a Ransomware attack on Monday, June 10. The city's administrative systems, including landlines, email, and payment card systems, were affected, but emergency services are fully operational as they are isolated and protected with encryption. Receipts for utility and water payments are currently being hand-written, as are building permits.
[Editor Comments]
[Neely] Rapid containment, built-in isolation and encryption of Public Safety networks, as well as falling back to paper processes are all components for successful recovery in a modern disaster. Brush off your DR plan and make sure it includes these options.
Read more in:
SC Magazine: Lake City recovering from ransomware attack
HotforSecurity: Ransomware attack paralyses Lake City email, landlines and credit card services
--Aircraft Part Manufacturer Hit by Ransomware Attack
(June 12 & 13, 2019)
Computers at ASCO, a company that manufactures parts for airplanes, were infected with ransomware on Friday, June 7. The company has temporarily shut down operations at facilities in four countries while it sorts out the problem. The ransomware first infected computers at a plant in Belgium. Production facilities in Germany, Canada, and the US are also shut, although it is unclear whether they were also infected or just shut down as a precautionary measure.
Read more in:
Brussels Times: Cyber-attack causes aircraft parts maker to close indefinitely
ZDNet: Ransomware halts production for days at major airplane parts manufacturer
SC Magazine: Spirit AeroSystems confirms ASCO Industries cyberattack
--RAMBleed Rowhammer Attack Can Be Used to Steal Data from Memory
(June 11 & 12, 2019)
The RAMBleed Rowhammer attack can be used to steal data; previous Rowhammer attacks could be used to alter data and gain an attacker elevated privileges. Those attacks used Rowhammer to flip bits in a machine's memory; RAMBleed uses Rowhammer to read data stored in a machine's physical memory.
[Editor Comments]
[Neely] While there are multiple attack vectors demonstrated, it's not clear how attractive using RAMBleed is versus other techniques as these are slow attacks. Some of the attacks take 34 hours to execute, which is not consistent with a fast attack/rapid exit methodology often seen today.
Read more in:
RAMBleed: RAMBleed: Reading Bits in Memory Without Accessing Them
https://rambleed.com/docs/20190603-rambleed-web.pdf
Threatpost: RAMBleed Side-Channel Attack Exposes Privileged Memory
https://threatpost.com/rambleed-side-channel-privileged-memory/145629/
ZDNet: 'RAMBleed' Rowhammer attack can now steal data, not just alter it
https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/
The Register: RAMBleed picks up Rowhammer, smashes DRAM until it leaks apps' crypto-keys, passwords, other secrets
https://www.theregister.co.uk/2019/06/11/rambleed_rowhammer_attack/
Ars Technica: Researchers use Rowhammer bit flips to steal 2048-bit crypto key
--Spammers Exploiting Google Calendar Feature
(June 11, 2019)
Spammers are using unsolicited Google Calendar invitations to lure users to sites crafted to steal their credentials. Kaspersky researchers recommend disabling the "automatically add invitations" option in the Google Calendar Event Setting menu. Spammers are also sending unsolicited notifications through Gmail. John Strand spoke about this issue at the SANS Pen Test HackFest Summit in November 2018. (For the link, see Ed Skoudis's comment below.)
[Editor Comments]
[Skoudis] There are a lot of very interesting attack vectors for various cloud-based services and information security pros need to understand them so we can defend our organizations' critical data. John Strand's talk at the SANS Pen Test Hackfest explained not only the Google Calendar issue, but also several other attacks associated with various cloud providers and their services. I consider it a must-watch.
https://www.youtube.com/watch?v=EQ1-eP7e6w0&feature=youtu.be&t=525: The Clouds Are Out to Get Me! - SANS Pen Test HackFest Summit 2018
Read more in:
Kaspersky: How spammers use Google services
https://usa.kaspersky.com/blog/spam-through-google-services/17799/
Threatpost: Google Calendar Attacks Target Unwitting Mobile Users
https://threatpost.com/google-calendar-attacks-mobile/145588/
ZDNet: This is how scammers are now abusing Google Calendar to pillage your data
https://www.zdnet.com/article/this-is-how-scammers-abuse-google-calendar-to-slurp-up-your-data/
Forbes: New Security Warning Issued For Google's 1.5 Billion Gmail And Calendar Users
--FBI: Criminals Using TLS Certificates to Make Sites Look Legitimate
(June 10 & 11, 2019)
The FBI has issued a Public Service Announcement warning that criminals are using TLS certificates to make fraudulent or malicious websites appear trustworthy. The PSA warns people not to implicitly trust "https" websites and those with a lock in the address bar. The announcement also recommends questioning the authenticity of a suspicious email; confirming it by phone or a different email thread; and reading carefully for awkward phrasing and misspellings and incorrect domains.
[Editor Comments]
[Pescatore] The reality is that due to the lack of investment in education by the browser/CA industry, very few people notice the colors or icons on the browser, let alone know what they mean. Ed Skoudis and Johannes Ulrich of SANS pointed out how attackers obtain fraudulent certs, and defensive measures to take, in the SANS Threat Keynote at this year's RSA conference - SANS webinar and pointer to white paper at https://www.sans.org/webcasts/top-attacks-threat-report-110540: SANS Top New Attacks and Threat Report
[Murray] We have done a fair job of convincing users to look for TLS. We have not done a good job of getting them to verify the source and content of certificates.
[Honan] This is a good example of why good messaging is important in a security awareness campaign. For years many have told people to look for the HTTPS at the beginning of a URL or to look for the lock simple in their browser to determine if a website is secure. This leads to the misconception that all an SSL/TLS certificate does is provide a secure channel to the server and does not verify the security, or in some cases the authenticity, of a website. So for your next security awareness campaign please review your messaging to ensure you don't mislead people into a false sense of security.
Read more in:
Dark Reading: FBI Warns of Dangers in 'Safe' Websites
IC3: Cyber Actors Exploit 'Secure' Websites in Phishing Campaigns
https://www.ic3.gov/media/2019/190610.aspx
---Correction: GirlsGoCyberStart Competition: Winning Schools
(June 14, 2019)
In Tuesday's NewsBites, the list of the top three high schools in the GirlsGoCyberStart competition should have read:
Clements High School in Texas: Number 3
Poolesville High School in Maryland: Number 2
Montgomery Blair High School in Maryland: Number 1
Read more in:
Medium: The Winners of the National Championship for Girls Go CyberStart 2019
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patches
https://isc.sans.edu/forums/diary/MSFT+June+2019+Patch+Tuesday/25024/
Adobe Patches
https://helpx.adobe.com/security.html
SAP Security Notes
https://www.onapsis.com/blog/sap-patch-notes-june-2019
Intel Updates
Microsoft Certificate DoS
https://bugs.chromium.org/p/project-zero/issues/detail?id=1804
GPS Receiver Woes
https://www.flightglobal.com/news/articles/collins-gps-outage-grounds-regional-flights-458819/
RAMBleed Attack
https://www.documentcloud.org/documents/6150180-RamBleed-attack-CVE-2019-0174.html
Sandbox Escaper Publishes Additional CVE-2019-0841 Bypass
http://sandboxescaper.blogspot.com/p/disclosures_8.html
Bypassing NTLM Message Signing (CVE-2019-1040)
https://blog.preempt.com/drop-the-mic
Details About macOS Keysteal Vulnerability
https://www.pinauten.de/resources/KeySteal_OBTS_2019.pdf
Exim Flaw Exploited
https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
Yubico Recalling FIPS Certified Yubikeys
https://www.yubico.com/support/security-advisories/ysa-2019-02/
Vulnerable Infusion Pumps
Telegram DDoS Attack
https://twitter.com/telegram/status/1138768124914929664
Ghidra Tips for IDA Users: Function Call Graphs
https://isc.sans.edu/forums/diary/A+few+Ghidra+tips+for+IDA+users+part+4+function+call+graphs/25032/
Joel Chapman: Security Consideration for Voice over Wifi (VoWifi) Systems
https://www.sans.org/reading-room/whitepapers/telephone/paper/38945
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
