SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #70
September 4, 2018****************************************************************************
SANS NewsBites September 4, 2018 Vol. 20, Num. 70
****************************************************************************
TOP OF THE NEWS
California Bill Establishes Election Cybersecurity Office
Five Eyes Countries Want Tech Companies Help to Access Encrypted Communications
California Legislators Approve Net Neutrality Bill
REST OF THE WEEKS NEWS
Google Says It Will Roll Out Ad Verification System to Target Tech Support Scams
Healthcare Company Accused of Destroying Evidence in Breach Case
Apple App Store Data Privacy Policy Changes
FBI Protected Voices Initiative Website
OIG Report: US State Dept. Visa Application Analysis System is Inadequately Protected
House Committee Recommendations to Improve CVE Program
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Venafi, Inc *************************
During this SANS What Works, Troels Oerting, Chief Security Officer at Barclays Bank will provide details of his selection and deployment of Venafi to enable discovery and management of encryption keys and certificates in use across Barclays, supporting more transparent use of encryption, avoiding business disruption from expired certificates and demonstrating benefits to increased integrity and availability of critical business processes. http://www.sans.org/info/206525
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, ASUS Chromebook C300SA or Take $250 Off with OnDemand or vLive, Offer Ends September 5.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
-- California Bill Establishes Election Cybersecurity Office
(August 29 & 31, 2018)
California Governor Jerry Brown has signed into law a bill that aims to help protect the security of the states elections systems. The new law allocates USD 134 million for voting systems upgrades and USD 2 million to establish an Office of Elections Cybersecurity within the office of Californias Secretary of State. The office will help state and local elections officials guard systems against cyberthreats and will monitor for false information about elections that could suppress voting or otherwise cause confusion and provide correct information instead.
[Editor Comments]
[Pescatore] Since even national elections in the US are essentially locally run, progress will have to come from efforts like this. Reflexively, I hate to see yet another org chart box created to address what from a technology point of view is just another basic security hygiene problem; the problem is less about technology and more about the process and politics.
[Neely] The legislation covers broad cyber hygiene and threat mitigations; it doesnt include timelines or language requiring an implementation plan. Measurable objectives are needed to assure a successful implementation.
Read more in:
GCN: California creates elections security office
https://gcn.com/articles/2018/08/31/california-election-security-office.aspx
ABC7: Gov. Brown signs bill to create election cybersecurity office
https://abc7.com/gov-brown-signs-bill-to-create-election-cybersecurity-office/4093248/
California State Legislature: Assembly Bill No. 3075
http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB3075
-- Five Eyes Countries Want Tech Companies Help to Access Encrypted Communications
(August 31 & September 3, 2018)
The countries known as the Five Eyesthe US, the UK, Canada, Australia, and New Zealandhave issued a joint statement suggesting that unless tech companies help law enforcement access communications protected by end-to-end encryption, they may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.
[Editor Comments]
[Honan] It is quite clear that governments and their agencies will continue to push for backdoor access into our encrypted communications, despite it being proven over and over again how this will undermine the security of the Internet. It is therefore just as important that we continue to educate, influence, and make people aware of the risks such an approach can bring. Once our encrypted communications is undermined, it will forever remain so.
[Pescatore] When the move to digital telecoms started impacting law enforcement access to communications, the Community Assistance to Law Enforcement Act (CALEA) was passed in 1994 and included a lot of checks and balances to try to find a balance between two somewhat conflicting societal demands: protection from and pursuit of criminals, and maintaining privacy. As other technologies like wireless and VoIP were added to the mix over the years, CALEA was modified. Not perfect, but it seemed like both sides (privacy groups and law enforcement) were equally unhappy, which is always the real sign of a working compromise! Big differences here: the technology provider mix is much bigger and (probably more importantly) the highest revenue growth for technology companies in the future is NOT the Five Eyes countriesfinding a middle ground will be much harder and even longer.
Read more in:
CNET: US and intelligence allies take aim at tech companies over encryption
https://www.cnet.com/news/us-five-eyes-allies-take-aim-at-tech-companies-over-encryption/
Nextgov: Five Eyes Intel Alliance Urges Big Tech to Help Break Encrypted Messages
InfoSecurity: Five Eyes Talk Tough on Encryption Backdoors
https://www.infosecurity-magazine.com/news/five-eyes-talk-tough-on-encryption/
Home Affairs (Australia): Statement of Principles on Access to Evidence and Encryption
-- California Legislators Approve Net Neutrality Bill
(August 31, 2018)
On Thursday, August 30, the California State Assembly approved a net neutrality bill in the face of opposition from the telecommunications industry. The California Senate approved a version of the bill in May, but the changes made to the state assembly bill were substantive enough that the Senate needed to vote to approve the bill again, which it did on Friday, August 31. Governor Jerry Brown has until September 30, 2018, to sign the bill into law. The bill would prohibit Internet service providers (ISPs) from blocking or throttling legitimate traffic; it would also prohibit ISPs from charging fees to websites or online services for prioritized service.
[Editor Comments]
[Murray] This proposal also prohibits zero rating, the practice of not charging for favored content, even when it appears to favor the consumer. While this practice was condoned by the FCC, it is a clear violation of the principle that carriers not discriminate on the basis of the source or application of traffic. Be careful what you ask for; you might get it.
Read more in:
Ars Technica: Calif. Senate approves net neutrality rules, sends bill to governor
Ars Technica: Gold standard state net neutrality bill approved by California Assembly
************************** SPONSORED LINKS ********************************
1) Join SANS at the Threat Hunting & Incident Response Summit on Sep. 6-7 in New Orleans! Learn from top threat hunters and security practitioners as they share the latest methods and techniques used to hunt adversaries. http://www.sans.org/info/206530
2) Don't Miss: "How to achieve autonomous (and optimized) hunting and detection." Register: http://www.sans.org/info/206535
3) Understand where you are vulnerable the most, how to improve your security and where to invest your resources. Learn More: http://www.sans.org/info/206545
*****************************************************************************
REST OF THE WEEKS NEWS
-- Google Says It Will Roll Out Ad Verification System to Target Tech Support Scams
(September 3, 2018)
Google plans to roll out a new ad verification system aimed at preventing third-party tech support scams from appearing in its ads. The verification system will be introduced in the next few months; meanwhile, Google has already implemented restrictions on third-party tech support ads.
[Editor Comments]
[Northcutt] I was on a home services website recently and there were multiple sketchy Microsoft tech support ads. Microsoft was kind enough to receive the data and the web site is cleaned up, but how many people get hurt in the interim?
[Neely] Reducing paths adversaries have to the endpoint is a tough game. Google raising the bar is a good step. Additionally, make sure your endpoints themselves have web site controls to further filter content from nefarious sources.
Read more in:
ZDNet: Google to tech-support scammers: We're about to get even tougher on your ads
Engadget: Google widens crackdown on ads for tech support scams
https://www.engadget.com/2018/09/02/google-widens-crackdown-on-ads-for-tech-support-scams/
Google: Restricting ads in third-party tech support services
-- Healthcare Company Accused of Destroying Evidence in Breach Case
(September 3, 2018)
Plaintiffs in a class-action lawsuit against US health care organization Premera Blue Cross have filed court documents accusing the company of destroying data crucial to establishing accurate details regarding a 2014 data breach. The document allege that Premera destroyed a computer that held essential information about the incident as well as logs that could have provided evidence of data exfiltration. The breach, which was detected in January 2015, affected systems that held medical information belonging to more than 11 million people.
[Editor Comments]
[Honan] A good example of why you need formalised incident response and forensic gathering processes in place when investigating a breach. Protecting your evidence is critical not just for any potential criminal cases but to help you determine what the root cause of the incident was, and also to help you defend any civil suits or regulatory investigations into the breach.
Read more in:
ZDNet: Premera Blue Cross accused of destroying evidence in data breach lawsuit
-- Apple App Store Data Privacy Policy Changes
(August 31 & September 3, 2018)
Apples new privacy policy for its Apple App Store takes effect on October 3, 2018. After that date, developers will have to submit privacy policies for new apps and updates before they can be submitted for distribution. To prevent surreptitious policy changes, developers will be permitted to edit policies only when they submit a new version of the app. The privacy policies must include clear information about what data are collected; how the data are collected; how the data are stored; what is done with the data and how users can revoke their consent and demand that their data be deleted. Apple also requires that the policy promise that any third-party entities with which the data are shared abide by the same rules.
[Editor Comments]
[Pescatore] Apple doesnt seem to have said much about actual testing/validation to make sure that the AppStore will reject apps that violate the included policy statements. This move seems more like a reactive GDPR compliance move to require policies vs. an actual increase privacy move.
[Neely] The restrictions on data use are clear, and restrictions match reasonable expectations of how access to and collection of this data should be managed, reminiscent of GDPR and the California Consumer Privacy Act. Additionally, this attempts to move data collection to an explicit permission model rather than burying the permission in the EULA that users dont read. Until we see consequences for non-compliance, it is not clear app developers will take this seriously.
Read more in:
ZDNet: Apple looks to plug App Store privacy hole with new personal data policy
Computerworld: Apple insists developers ramp up their privacy commitments
Apple Developer: 5.1.1 Data Collection and Storage
https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage
-- FBI Protected Voices Initiative Website
(August 31, 2018)
The FBIs Protected Voices initiative is designed to mitigate the risk of cyber influence operations targeting U.S. elections. The program spans a variety of topics, including patching software, ensuring secure communications, and browser hygiene. The Protected Voices website is operated in conjunction with the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI).
Read more in:
FBI: Protected Voices
https://www.fbi.gov/investigate/counterintelligence/foreign-influence/protected-voices
SC Magazine: FBI launches Protective Voices site to combat malicious foreign influence
Nextgov: FBI Fights Viral Influence Campaigns With Informational Videos
-- OIG Report: US State Dept. Visa Application Analysis System is Inadequately Protected
(August 29, 2018)
According to an audit from the US State Department office of inspector general, a computer system used for determining the accuracy of information submitted by people seeking US visas does not adequately protect the data it holds. The report also found that the system in question is not being regularly patched, scanned for viruses, or audited for evidence of intrusions. The report examined the Bureau of Consular Affairs Office of Fraud Prevention Programs.
Read more in:
Nextgov: State Department Visa Analysis System Wasnt Patched or Scanned for Viruses, Audit Finds
Oversight.gov: Inspection of the Bureau of Consular Affairs Office of Fraud Prevention Programs
https://www.oversight.gov/sites/default/files/oig-reports/isp-i-18-42.pdf
-- House Committee Recommendations to Improve CVE Program
(August 27, 2018)
Following an investigation begun in March 2017, the US House of Representatives Energy and Commerce Committee has concluded that the historical practices for managing the CVE [Common Vulnerabilities and Exposures] program are clearly insufficient. The committee recommends that DHS convert the program from a contract-based funding model to a dedicated Program, Project, or Activity (PPA) line item in its actual budget, and that DHS and MITRE conduct biennial reviews to assess the programs stability and effectiveness.
Read more in:
Cyberscoop: House panel rips CVE contracting and oversight policies
https://www.cyberscoop.com/cve-mitre-house-energy-and-commerce-committee/
House Energy & Commerce Committee: Letter to DHS Secretary
House Energy & Commerce Committee: Letter to MITRE
****************************************************************************
INTERNET STORM CENTER TECH CORNER
OSX/MacOS and Dangers of Custom URL Schemes
https://objective-see.com/blog/blog_0x38.html
Philips e-Alert Vulnerability
https://ics-cert.us-cert.gov/advisories/ICSA-18-242-01
Reversing and Modifying the Medium Mobile App
Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
Google Restricts Tech Support Ads
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
