SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #74
September 18, 2018****************************************************************************
SANS NewsBites September 18, 2018 Vol. 20, Num. 74
****************************************************************************
TOP OF THE NEWS
GAO Report on Equifax Breach
US County Election Office eMail Security
REST OF THE WEEKS NEWS
Bristol Airport Ransomware Attack
Peekaboo Flaw Affects Surveillance Equipment Running NUUO Software
Russians Expelled from the Netherlands for Attempted Hack on Swiss Lab
Judge Says Georgia Can Use Electronic Voting Machines
Veeam Acknowledges Data Exposure
Bill Would Create Cybersecurity Apprenticeship Program to Boost Federal Workforce
Senator Warner: Government Should Look at Replacing Outdated Tech Infrastructure Instead of Patching
The Implications of Indicting Foreign Hackers in US
HHS OIG Report on FDAs Review of Medical Device Cybersecurity
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ************************************
Graphic Novel: "Through the Looking Glass Table" How does machine data, an analytics-driven platform, log management, SIEM, UEBA and SOAR solutions help IT managers and SOC analysts alike get ahead of the game? How can they better understand and respond to incidents, breaches, phishing attempts, insider threats and more? Find out with our first issue of our graphic novel Through the Looking Glass Table. http://www.sans.org/info/206845
***************************************************************************************
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 9.7 iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
GAO Report on Equifax Breach
(September 17, 2018)
A report from the US government Accountability Office (GAO) on the Equifax breach found that the company had to look at the attackers database queries to determine exactly what information had been compromised. (The breach affected more than 165 million people worldwide.) The report found that while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected. The misconfiguration was due to an expired certificate.
[Editor Comments]
[Pescatore] The GAO report mostly rehashes old news about last years Equifax breach, but in the section about looking at the reactions of government agencies who are Equifax customers had a telling quote: Representatives of IRS, SSA, and USPS noted that they responded to the breach independently of other agencies, because they said it was unclear whether any single federal agency had responsibility for coordinating government actions in response to a breach of this type in the private sector. This points out a huge, gaping hole in the US Federal Government approach to supply chain securitydidnt anyone at DHS or NIST read the news and say We need to proactively find out all government customers of Equifax and have a coordinated response??
[Murray] This report simply supports the conclusions already reached that this breach was caused by the failure of Equifax to adhere to what should be essential practices, not to say basic hygiene, to protect sensitive personal information about its subjects. This information represented the stock in trade of Equifax and its competitors. Moreover, its compromise was bound to result in an increase in credit application fraud. That said, Equifax and its two competitors have figured out a way to increase their revenues from the breach.
[Williams] After reading this report, I think a case can be made that the Equifax breach was a supply chain issue. Equifax didn't add a systems admin to an email list about Struts vulnerabilities, but it also failed to identify the vulnerability in its vulnerability scans, even after the attackers had compromised the system. But if Struts is not deployed in the web root, an analyst must configure the scanner to the Struts URLs to be successful. This combination of failures would seem to imply that Equifax was simply unaware that this system was using Struts at all.
[Neely] Renewing certificates is easy to overlook, particularly in a large enterprise, without an active process watching and alerting on those about to expire.
Read more in:
The Register: Equifax IT staff had to rerun hackers' database queries to work out what was nickedaudit
https://www.theregister.co.uk/2018/09/17/gao_report_equifax_mega_breach/
GAO: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach
https://www.gao.gov/assets/700/694158.pdf
--
US County Election Office eMail Security
(September 14, 2018)
Email systems in 11 counties election offices around the US have been found to be vulnerable to hacking with just a username and password, which means that communications could be intercepted or attackers could send spoofed email messages. Experts recommend two-factor authentication. ProPublica surveyed 27 county elections offices that include 40 congressional districts that are considered to be close races.
Read more in:
GCN: The overlooked weak link in election security
https://gcn.com/articles/2018/09/14/email-vulnerabilities-elections-systems.aspx
************************** SPONSORED LINKS *********************************
1) Real-world use-cases: See how to simplify asset inventory and detect cyber threats simultaneously http://www.sans.org/info/206850
2) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/206860
3) "Powering IR/SOC with Code Reuse Detection - The Emotet Case Study" Register: http://www.sans.org/info/206865
*****************************************************************************
REST OF THE WEEKS NEWS
--
Bristol Airport Ransomware Attack
(September 17, 2018)
The Bristol, UK airport was the target of a ransomware attack late last week, which led the airport to take down several applications, including one that provides data to the flight information screens, to contain the attack. Airport staff turned to whiteboards and markers to provide passengers with flight information. By Sunday, September 16, screens in key locations had been restored while the airport worked to mitigate the situation.
[Editor Comments]
[Pescatore] Good to check if your incident response procedures/playbooks support a rapid decision to shut down peripheral applications before core business apps can be impacted. FedEx and Maersk alone are publicly quoting over $1B in costs due to being impacted by NotPetya. In many cases where prevention failed, rapid and accurate reaction limited damage. Two days of whiteboards showing flight times is way better than two days of plane delays.
[Murray] Secure copies of our data and programs are the security measure of last resort. Such copies enable us to recover from otherwise unanticipated events. However, historically backup plans assumed that the lost or damaged data would be limited to a small portion of our data and that recovery time would not be an issue. Going forward we must anticipate the loss of all or most of our data at once and that we must be able to recover all of it in hours to days. This is a capability that goes beyond simple copies.
Read more in:
BBC: Cyber attack led to Bristol Airport blank screens
https://www.bbc.co.uk/news/uk-england-bristol-45539841
The Register: Bristol airport pulls flight info system offline following attack by 'online criminals'
https://www.theregister.co.uk/2018/09/17/bristol_airport_cyber_attack/
SC Magazine: Bristol airport hit with ransomware attack
https://www.scmagazine.com/home/news/bristol-airport-hit-with-ransomware-attack/
--
Peekaboo Flaw Affects Surveillance Equipment Running NUUO Software
(September 17, 2018)
A critical unauthenticated stack buffer overflow vulnerability in NUUO Network Video Recorder software can be exploited to allow remote code execution, which means attackers could view and manipulate video feeds. A second flawa backdoor in debug codewas also found in the software.
[Editor Comments]
[Neely] Restricting access to your video surveillance system needs to include network protections and limited user access. Components often include vulnerabilities that cannot or will not be patched, which can be used to bypass account management controls.
Read more in:
Cyberscoop: Zero day in popular video surveillance technology goes public, unpatched
https://www.cyberscoop.com/nuuo-zero-day-peekaboo-video-surveillance-vulnerability/?category_news=technology
ZDNet: Hackers hijack surveillance camera footage with 'Peekaboo' zero-day vulnerability
https://www.zdnet.com/article/hackers-can-tamper-with-surveillance-camera-footage-due-to-new-zero-day-vulnerability/
Tenable: Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
https://www.tenable.com/blog/tenable-research-advisory-peekaboo-critical-vulnerability-in-nuuo-network-video-recorder
--
Russians Expelled from the Netherlands for Attempted Hack on Swiss Lab
(September 14 & 17, 2018)
Earlier this year, authorities in the Netherlands expelled two people suspected of being Russian spies for allegedly attempting to hack computers at a Swiss laboratory that conducts chemical weapons testing. The Spiez laboratory tested samples from a Sergei Skripal, a Russian spy and his daughter, who were poisoned in England on March 4, 2018. The lab confirmed the Skripals exposure to a military-grade nerve agent.
Read more in:
Ars Technica: Russians tried to hack Swiss lab testing samples from Skripal attack
https://arstechnica.com/information-technology/2018/09/russians-tried-to-hack-swiss-lab-testing-samples-from-skripal-attack/
The Guardian: Dutch expelled Russians over alleged novichok lab hacking plot
https://www.theguardian.com/uk-news/2018/sep/14/dutch-expelled-russians-over-alleged-novichok-laboratory-hacking-plot
Washington Post: Dutch ousted Russians for alleged attempt to hack Swiss lab
https://www.washingtonpost.com/world/europe/dutch-ousted-2-russians-over-alleged-swiss-lab-hack-attempt/2018/09/14/491f6424-b830-11e8-ae4f-2c1439c96d79_story.html
--
Judge Says Georgia Can Use Electronic Voting Machines
(September 14 & 16, 2018)
US District Judge Amy Totenberg has ruled that the state of Georgia may continue to use electronic voting machines in the November mid-term elections despite concerns that they may be vulnerable to hacking. Judge Totenberg denied a request for injunction that would have required the state move to paper ballots in time for the election.
[Editor Comments]
[Murray] This may be a huge vulnerability but an acceptable risk. First, history records that election fraud is most often in the tallying and reporting phases, not the vote recording phase. Second, Georgia has compensating controls in place to resist the kind of access necessary for the kind of hack demonstrated. Efficient security, not to mention public policy, must be based on risk, not threat, vulnerability, potential consequences, or fear.
Read more in:
AJC: Federal judge rejects paper ballots for 2018 Georgia election
https://www.ajc.com/news/state--regional-govt--politics/federal-judge-rejects-paper-ballot-effort-for-2018-georgia-election/MPNGITqPbZ9wYfZ0NEP1IJ/
SC Magazine: Georgia voting system on trial, plaintiffs call for paper ballots to replace machines
https://www.scmagazine.com/home/news/georgia-voting-system-on-trial-plaintiffs-call-for-paper-ballots-to-replace-machines/
Washington Post: In Georgia, a legal battle over electronic vs. paper voting
https://www.washingtonpost.com/world/national-security/in-georgia-a-legal-battle-over-electronic-vs-paper-voting/2018/09/16/d655c070-b76f-11e8-94eb-3bd52dfe917b_story.html
--
Veeam Acknowledges Data Exposure
(September 12 & 14, 2018)
Data management company Veeam has acknowledged that it exposed customer data through a misconfigured MongoDB database due to human error. The database was left unprotected by a password for nearly two weeks between August 28 and September 10. Veeam has notified regulators, customers, and partners.
[Editor Comments]
[Neely] Kudos to Veeam for sending notifications expeditiously and securing the database. The allure of creating cloud-based or internet-facing solutions immediately for convenience and to meet business goals results in creating solutions without taking time to audit them for security. Beyond making sure security is built into the process, we also need to equip our defenders with tools such as a CASB to detect and respond to ad-hoc solutions that may not be secure.
Read more in:
The Register: Veeam holds its hands up, admits database leak was plain 'complacency'
https://www.theregister.co.uk/2018/09/14/veeam_leak_follow_up/
ZDNet: Data management firm Veeam mismanages own data, leaks millions of records
https://www.zdnet.com/article/data-management-firm-veeam-mismanages-own-data-leaks-440m-email-addresses/
The Register: Back up a minute: Veeam database config snafu exposed millions of customer records
https://www.theregister.co.uk/2018/09/12/veeam_database_config_snafu_exposed_millions_email_addresses/
Veeam: Veeam Data Incident: Update from Peter McKay
https://www.veeam.com/executive-blog/veeam-data-incident-resolved.html
--
Bill Would Create Cybersecurity Apprenticeship Program to Boost Federal Workforce
(September 13 & 17, 2018)
The Cyber Ready Workforce Act, introduced in the US House of Representatives (earlier this month, would establish grants to help create, implement, and expand registered Department of Labor cybersecurity apprenticeship programs. The goal is to increase the number of qualified cybersecurity professionals available to businesses and the government. The programs would be required to provide certain security certifications and to connect participants with organizations for apprenticeship. The program is based on Nevadas cybersecurity apprenticeship program.
Read more in:
ZDNet: US lawmakers introduce bill to fight cybersecurity workforce shortage
https://www.zdnet.com/article/us-lawmakers-introduce-bill-to-fight-cybersecurity-workforce-shortage/
The Hill: Dem introduces bill to create federal cybersecurity apprenticeship program
http://thehill.com/policy/cybersecurity/406577-dem-introduces-bill-to-create-federal-cybersecurity-apprenticeship
Rosen: Cyber Ready Workforce Act
https://rosen.house.gov/sites/rosen.house.gov/files/documents/ROSENV_096_xml.pdf
--
Senator Warner: Government Should Look at Replacing Outdated Tech Infrastructure Instead of Patching
(September 13, 2018)
While speaking on September 13 at the Protecting Privacy panel hosted by The Atlantic, US Senator Mark Warner (D-Virginia) said that the government should be innovative in its IT purchasing rather than falling back on to the products that are heavy on patching. The government currently spends an estimated 80 percent of its IT budget on maintenance, patches, and upgrades of legacy systems. Warner also noted that over the next few years, the government will buy 8-10 billion IoT connected devices. Warner has co-sponsored legislation with Cory Gardner (R-Colorado) that would requite IoT devices to be free of known vulnerabilities, be able to be updated, and let users change their passwords.
[Editor Comments]
[Pescatore] This is kind of like saying we live on an EPA superfund site and our grass doesnt grow welllets buy new sod. The fact that the government sticks with obsolete equipment is often tied to the fact that they are still running obsolete applications that only run on obsolete equipment, and they are often driven to this state by the crazy ways legislators fund (or let funding lapse to) government agencies and programs. Not to mention that new systems will need to be patched, toothe government needs to focus on basic security hygiene as a prerequisite for buying new stuff.
[Neely] Adding potentially insecure IoT devices to the existing IT support burden is a losing proposition unless other resources are released to address the ongoing security requirements of these devices which can be achieved by IT modernization. There is a lot of inertia to overcome with modernization efforts. Even with cloud-first directives, migrating legacy systems to new offerings requires significant resources for business process reengineering, regression and integration testing. Support will have to come from the top to modernize processes which must include funding for needed resources as well as acceptance of short-term business disruptions needed.
Read more in:
Nextgov: Lawmaker: If You Think Patching is Tough Now, Its Going to Get Worse
https://www.nextgov.com/cybersecurity/2018/09/lawmaker-if-you-think-patching-tough-now-its-going-get-worse/151252/
The Atlantic: How can privacy survive the digital age?
http://protectingprivacy.theatlantic.com/
YouTube: Senator Mark Warner on Digital Protection, Privacy and Rights
(Warners comments on government systems security are in response to an audience question posed at 25:40 in the video.)
https://www.youtube.com/watch?v=AUgIRVLQ0os&list=PLwj46yNDLyTUpMblYw6whNPCIHFt4vTxv&index=2
--
The Implications of Indicting Foreign Hackers in US
(September 13, 2018)
Over the past several years, the US has begun indicting foreign hackers who have targeted sensitive US IT systems. The practice has met with criticism from people who have worked as hackers on behalf of the US government because they say it places them in danger of retaliation. This article argues that Americas adversaries lack both the technical proficiency to catch it in the act and the moral high ground to embarrass it on the world stage.
[Editor Comments]
[Williams] The article claims that indictments of Chinese hackers in 2014 "shocked China into agreeing to a pact to reign in commercial espionage." Though there may be a relationship, no causal relationship was demonstrated between the two events. It's also worth noting that the charges levied by the US extend well beyond just hackers and include systems administrators, targeting analysts, and other support personnel (though the article omits this point). In the interest of full disclosure, I am one of the former US government hackers cited in the article.
Read more in:
The Economist: Americas government is putting foreign cyber-spies in the dock
https://www.economist.com/united-states/2018/09/15/americas-government-is-putting-foreign-cyber-spies-in-the-dock
--
HHS OIG Report on FDAs Review of Medical Device Cybersecurity
(September 12, 2018)
An audit report from US Department of Health and Human Services (HHS) Office of Inspector General (OIG) says that the Food and Drug Administration (FDA) should implement additional processes to oversee the security of networked medical devices before they are approved for sale. The OIG report observes that two tools the FDA uses to assess readiness for the market were developed before the boom in networked medical devices and prior to the advent of threats like ransomware. The report suggests using pre-submission meetings to address cybersecurity issues, to include cybersecurity documentation as criteria in its assessment tools.
[Editor Comments]
[Pescatore] Every now and then one of the OIG reports really nails it. The FDA seems to agree; fast movement from them on this would be nice. Heres the OIG quote: We recommend that FDA promote the use of presubmission meetings to address cybersecurity-related questions, include cybersecurity documentation as a criterion in FDAs Refuse-To-Accept checklists, and include cybersecurity as an element in the Smart template. FDA concurred with all three recommendations.
Read more in:
OIG.HHS: FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices
https://www.oig.hhs.gov/oei/reports/oei-09-16-00220.pdf
Health Data Management: OIG: cybersecurity must be further integrated into FDA premarket review process
https://www.healthdatamanagement.com/news/oig-cybersecurity-must-be-further-integrated-into-fda-premarket-review-process
GovInfoSecurity: FDA to Ramp Up Medical Device Cybersecurity Scrutiny
https://www.govinfosecurity.com/fda-to-ramp-up-medical-device-cybersecurity-scrutiny-a-11486
INTERNET STORM CENTER TECH CORNER
Reversing Visual Basic Shortcuts
https://isc.sans.edu/forums/diary/2020+malware+vision/24104/
Not So Random User Agent
https://isc.sans.edu/forums/diary/User+Agent+String+uatoolsrandom/24102/
Safari DoS
https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea
Webroot SecureAnywhere macOS Vulnerability
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-16962--Webroot-SecureAnywhere-macOS-Kernel-Level-Memory-Corruption/
Analyzing Office Docs
https://isc.sans.edu/forums/diary/Dissecting+Malicious+MS+Office+Docs/24108/
Intel Patches Management Engine Encryption Vulnerability
http://blog.ptsecurity.com/2018/09/intel-me-encryption-vulnerability.html
Apple Updates Everything but macOS
https://support.apple.com/en-us/HT209106
FBot Botnet
https://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/
Related STI Paper: Botnet Resiliency via Private Blockchain (Jonathan Sweeny)
https://www.sans.org/reading-room/whitepapers/covert/botnet-resiliency-private-blockchains-38050
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
