Get an 12.9" iPad Pro, Surface Pro or $400 Off Online Training - Only 2 Days Left!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #70

September 5, 2017

TOP OF THE NEWS


Flaws in Android Bootloader Code
Military and Intelligence Job Application Data Exposed
China's New Cyber Security Law

THE REST OF THE WEEK'S NEWS


Cobian RAT Authors Built in a Back Door
Federal Communications Commission Closes API Flaw in Comment System
Kate Charlet on CYBERCOM Elevation
Chris Painter on State Cyber Security Office Closure
Iowa County Hires Company to Conduct Voting System Review
Mirai Suspect Extradition
GitLab Fixes Session Hijacking Flaw

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Forcepoint LLC *******************************

Don't Miss: "The latest 2017 NSS Labs NGFW test results reveals many NGFWs may be vulnerable to evasions. Does your current firewall or IPS protect against AETs?" Join this webinar to see a demo of Evader by Forcepoint, designed to test network security appliances from many different vendors to see how well they defend against AETs. http://www.sans.org/info/198160

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS OnDemand and vLive Training | Get a GIAC Certification Attempt or $350 Off your OnDemand or vLive course when you register by September 13! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Flaws in Android Bootloader Code (September 2 & 4, 2017)

Security flaws in Android bootloader firmware could be exploited to execute arbitrary code or create denial-of-service conditions. In all, researchers found seven vulnerabilities; one was previously known and six are new. Of the six new flaws, vendors have acknowledged five.

[Editor Comments]
[Neely] Exploiting bootloader flaws is one of the ways you root an Android device by allowing it to boot a non-secure kernel. This is important as each component of the boot process needs to be validated to insure a genuine/trusted operating system is running. In addition to developing a tool to find bootloader flaws, the developers also identified mitigations that could be implemented by manufacturers to lessen the impact of exploiting a bootloader flaw, such as protecting the partitions the bootloader accesses and not unlocking user data when the security state of the device has changed. In addition to discovery of flaws, manufacturers have to both repair those flaws and make them available to deployed devices.
[Northcutt] This is sketchy information, early in the cycle, If you are a security person working for a company that ships and sells products based on Android, you should read these articles and the paper and get your team up to speed. For the rest of us, there is a new tool, BootStomp, designed to help monitor the difficult task of verifying a safe boot via the "chain of trust". I expect there will be a lot of follow up work in the next few weeks.
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf

Read more in:
ZDNet: Android security: Multiple bootloader bugs found in major chipset vendors' code
http://www.zdnet.com/article/android-security-multiple-bootloader-bugs-found-in-major-chipset-vendors-code/
Bleeping Computer: Vulnerabilities Discovered in Mobile Bootloaders of Major Vendors
https://www.bleepingcomputer.com/news/security/vulnerabilities-discovered-in-mobile-bootloaders-of-major-vendors/

--Military and Intelligence Job Application Data Exposed (September 2 & 4, 2017)

US military and intelligence job applications held by TigerSwan, a North Carolina private security company, were exposed and available for download on a misconfigured server. TigerSwan says the fault lies with TalentPen, a company with which TigerSwan had contracted to process applications. The applications date back as far as 2009.

[Editor Comments]
[Neely] Data protection requirements of third parties need to include both verification of controls and data disposition processes. This is more than just purchasing cyber insurance. In this case, it appears that as TalentPen dissolved, so did the credentials protecting access to the data. S3, by default, doesn't provide anonymous access, which means the credentials protecting the data were intentionally removed without understanding what data was exposed by this action. It is no longer safe to assume outsourced functions are storing and processing data in-house. Regular review and monitoring of their processes, including corresponding updates to contracts and requirements is necessary to insure appropriate protections are in place.
[Northcutt] This is a WikiLeaks class disclosure; very damaging and quickly becoming a case study in what not to do before and after a disclosure incident. Assuming TalentPen is at fault, this is a great reminder of the cybersecurity risk of trusted 3rd parties.
https://www.darkreading.com/vulnerabilities---threats/3-golden-rules-for-managing-third-party-security-risk-/a/d-id/1326798?
http://www.securitymagazine.com/articles/87025-steps-to-mitigating-third-party-vendor-cybersecurity-threats

Read more in:
The Hill: Thousands of military contractor files allegedly left online, unsecure
http://thehill.com/policy/cybersecurity/349018-recruiter-allegedly-left-military-contractor-resumes-online-unsecure
The Register: Leaky S3 bucket sloshes deets of thousands with US security clearance
http://www.theregister.co.uk/2017/09/04/us_security_clearance_aws_breach/
Gizmodo: Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work [Updated]
https://gizmodo.com/thousands-of-job-applicants-citing-top-secret-us-govern-1798733354?IR=T

--China's New Cyber Security Law (September 1, 2017)

A new law in China will allow that country's government to request source code and other intellectual property of companies doing business there. According to a white paper from Recorded Future, describes the possible effects of the law and offers suggestions for companies on complying with its requirements.

[Editor Comments]
[Pescatore] First, a disclaimer: I'm not a lawyer, so almost all laws look overly broad and poorly worded to me. That said, two points here: (1) the analysis seems to believe that without source code, vulnerabilities in commercial software can't be found. Windows, Flash, Adobe, and thousands of other pieces of commercial software with continual streams of vulnerabilities being discovered by outside parties doesn't support that conclusion at all; and (2) all buyers of software *should* require evidence that the code has been inspected for known vulnerabilities. That does *not* mean source code has to be provided, but that is the route the UK took years ago, when Huawei (a Chinese company with ties to the Chinese government) won the British Telecom infrastructure upgrade contract - and Huawei agreed to do so. All sellers of software get to decide who they want to sell to, just as all buyers get to decide who they want to buy from.

Read more in:
The Register: China's cybersecurity law grants government 'unprecedented' control over foreign tech
http://www.theregister.co.uk/2017/09/01/china_cybersecurity_law_analysis/
Recorded Future (white paper): China's Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology
https://www.recordedfuture.com/china-cybersecurity-law/

*************************** SPONSORED LINKS ********************************

1) In case you missed it: "Turning Threat Data into Threat Intel Using Automated Analysis" http://www.sans.org/info/198165

2) "Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools" Register: http://www.sans.org/info/198175

3) Security teams must stay ahead of modern day attacks by challenging their defenses automatically, continuously and at scale with breach and attack simulation. Learn More: http://www.sans.org/info/198180

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Cobian RAT Authors Built in a Back Door (August 31 & September 1, 2017)

A free malware kit appears to have a back door built into it, allowing the authors of the kit to take control of the malware after it has been adapted by others. The malware, which is known as Cobian RAT (remote access Trojan), can be used to recruit computers to become part of a botnet, as well as to log keystrokes, take screen shots, execute shell commands, and install and uninstall programs.

Read more in:
SC Magazine: Secret backdoor in trojan builder kit designed to double-cross its users
https://www.scmagazine.com/secret-backdoor-in-trojan-builder-kit-designed-to-double-cross-its-users/article/685548/
Cyberscoop: A scam within a scam: New malware dupes crooks with unexpected backdoor
https://www.cyberscoop.com/zscaler-cobian-rat-backdoor-malware-cybercrime/

--Federal Communications Commission Closes API Flaw in Comment System (September 1, 2017)

The US Federal Communications Commission (FCC) has closed a hole on its website that allowed users to upload files. The bug in an application programming interface (API) in the FCC's comments system allowed users to obtain a key that let them upload whatever files they pleased. The API should not have been publicly accessible. The FCC has addressed the issue.

Read more in:
BBC: FCC closes virus upload loophole on its website
http://www.bbc.com/news/technology-41124831

--Kate Charlet on CYBERCOM Elevation (August 21 & September 1, 2017)

Kate Charlet, program director for Technology & International Affairs at the Carnegie Endowment for International Peace and former Acting Deputy Assistant Secretary of Defense for Cyber Policy, talks with Tom Temin about the implications of elevating CYBERCOM to a full combatant command. Charlet says that the elevation demonstrates the priority placed on defending against cyber threats, and that CYBERCOM is already performing many of the functions for which it will be responsible as a full combatant command. She also notes that the elevation will place CYBERCOM in a better position to request resources from the Defense Department.

Read more in:
FNR: Kate Charlet: Implications of changes to CYBERCOM status
https://federalnewsradio.com/federal-drive/2017/09/kate-charlet-implications-of-changes-to-cybercom-status/
War on the Rocks: U.S. Cyber Command Now Stands Taller, But Can It See Further?
https://warontherocks.com/2017/08/u-s-cyber-command-now-stands-taller-but-can-it-see-further/

--Chris Painter on State Cyber Security Office Closure (September 1, 2017)

In an interview with Nextgov, former US State Department Cyber Coordinator Chris Painter discusses the current administration's decision to close that office, merging Painter's former position into another bureau and diminishing its rank and authority. Painter says that cyber issues are too broad to be limited to a single bureau.

Read more in:
Nextgov: Former State Cyber Coordinator Says It Was a Mistake to Close His Office
http://www.nextgov.com/cybersecurity/2017/09/closing-state-cyber-office-could-diminish-us-cachet-cyberspace/140688/?oref=ng-channeltopstory

--Iowa County Hires Company to Conduct Voting System Review (September 1, 2017)

Linn County Iowa has hired an outside cyber security company to review the county's voter registration and election systems. The company will check the systems to make sure they are compliant with certified versions.

[Editor Comments]
[Pescatore] I can't vouch for ProCircular, the cybersecurity company selected by Linn County, but they seem like a legitimate company with cybersecurity expertise. That is good news. Nicole Perloth of the NY Times on 1 September published a story that showed how few states/counties had even looked into suspicious anomalies with their voting systems and how many who had chose firms that did physical security or law enforcement consulting, vs. having any cybersecurity (let alone voting machine specific) expertise. While the next US Presidential election is still 38 months away, that is not a long time to fix the problems - and there are important Congressional elections each year before then in any event. Election systems were declared Critical Infrastructure earlier this year by DHS - but hasn't moved to appoint the lead Sector Specific Agency, despite 33 states already requesting assistance.

Read more in:
GovTech: Linn County, Iowa, Retains Cybersecurity Firm to Review Its Election System
http://www.govtech.com/security/Linn-County-Iowa-Retains-Cybersecurity-Firm-to-Review-its-Election-System.html

--Mirai Suspect Extradition (August 30 & September 1, 2017)

A man who allegedly launched distributed of denial-of-service (DDoS) attacks against several UK banks has been extradited from Germany to the UK. Daniel Kaye allegedly used the Mirai botnet to launch attacks against Lloyds and Barclays. Kaye will face charges related to those attacks under the Computer Misuse Act. He will also face a charge of "endangering human welfare" for allegedly launching an attack against a Liberian Internet service provider (ISP).

Read more in:
ZDNet: Alleged Mirai botnet attacker forced back to British shores
http://www.zdnet.com/article/alleged-mirai-botnet-creator-forced-back-to-british-shores/
The Guardian: Alleged mastermind behind bank cyber-attacks extradited to UK
https://www.theguardian.com/uk-news/2017/aug/30/alleged-mastermind-daniel-kaye-lloyds-bank-cyber-attacks-extradited-uk

--GitLab Fixes Session Hijacking Flaw (August 31, 2017)

GitLab has fixed a session-hijacking vulnerability that could have been exploited to manage compromised accounts, update code, and steal sensitive information. The researcher who found the flaw noticed that his session token was visible in his URL. He also discovered that GitLab uses persistent private session tokens. GitLab was notified of the flaw earlier this year; the disclosure was delayed until a fix had been implemented.

Read more in:
Threatpost: Session Hijacking Bug Exposed Gitlab Users Private Tokens
https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/

INTERNET STORM CENTER TECH CORNER

Locky Ransom Ware is Back and This Time Pretends to Be a Font

https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+HoeflerText+notifications+for+Chrome+and+FireFox/22776/

When is a PDF Just a PDF?

https://isc.sans.edu/forums/diary/It+is+a+resume+Part+1/22780/

Asterisk Vulnerable to RTPBleed

https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed

Arris AT&T Modems with Backdoor

https://www.nomotion.net/blog/sharknatto/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create