SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #75
September 21, 2018****************************************************************************
SANS NewsBites September 21, 2018 Vol. 20, Num. 75
****************************************************************************
TOP OF THE NEWS
US Department of Defense Releases New Cyber Strategy Enabling Cyber Command More Freedom of Action
White House Updates (Public) National Cyber Strategy
US Dept. of State eMail
Judge Denies Motion to Force Use of Paper Ballots in Georgia Election, But Decries the Security of the States Electronic Voting Systems
REST OF THE WEEKS NEWS
Senator Wyden Will Introduce Legislation to Improve Cybersecurity of Senate and Senate Staff Personal eMail Accounts
Equifax Fined in UK Over Last Years Breach
Adobe Issues Surprise Update
Mirai Creators Sentenced to Five Years Probation Working with FBI
California Farm Bureau Agreement Weakens Farmers Right to Repair Position
GovPayNow Data Leak
Traces of Pegasus Spyware Detected in 45 Countries
West Virginia Will Use Mobile Voting App
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Corelight *************************
Need to find network breaches faster? Attend BroCon 2018! Dont miss your chance to attend the open-source developers & users conference for Bro. Youll hear from the creators, builders, and leading users of Bro. Its the premier annual gathering of Bro experts. October 10-12 in Washington DC. Learn more: http://www.sans.org/info/206945
*****************************************************************************
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Microsoft Surface Go or Take $300 Off with OnDemand or vLive, Offer Ends October 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--US Department of Defense Releases New Cyber Strategy Enabling Cyber Command More Freedom of Action
(September 18 & 19, 2018)
The US Department of Defense (DoD) has released the 2018 DoD Cyber Strategy; the new document replaces the 2015 DoD Cyber Strategy. The document describes how DoD plans to implement the National Defense Strategy in the cyber realm.
Read more in:
Defense: Summary: Department of Defense Cyber Strategy 2018
https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
Defense: Fact Sheet: 2018 DoD Cyber Strategy and Cyber Posture Review
https://media.defense.gov/2018/Sep/18/2002041659/-1/-1/1/Factsheet_for_Strategy_and_CPR_FINAL.pdf
FCW: DOD's new cyber strategy stresses election security, embraces commercial IT
https://fcw.com/articles/2018/09/19/dod-cyber-strategy-williams.aspx
Nextgov: Pentagons Updated Cyber Strategy Focuses on Assertively Defending U.S. Interests
https://www.nextgov.com/cybersecurity/2018/09/pentagons-updated-cyber-strategy-focuses-assertively-defending-us-interests/151395/
Fifth Domain: DoD releases first new cyber strategy in three years
https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/
--White House Updates (Public) National Cyber Strategy
(Sept. 21, 2018)
Just came out yesterday
https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf: National Cyber Strategy of the United States of America (PDF)
[Editor Comments]
[Eubanks] Consider investing some time this weekend time to read the "National Cyber Strategy of the United States of America" and send a summary to your executives ahead of being asked. Key areas in your summary might include what this Strategy means, how it might impact your organization and what you recommend be done in response. At a minimum, set a calendar reminder to assess the progress made in these 4 pillars over the next year. The National Strategy To Secure Cyberspace" from February 2003 can be found at:
https://www.whitehouse.gov/briefings-statements/president-donald-j-trump-is-strengthening-americas-cybersecurity/: President Donald J. Trump is Strengthening Americas Cybersecurity
--US Dept. of State eMail
(September 18 & 19, 2018)
The US State Department has notified employees of a breach of the departments unclassified email system. The breach reportedly affected less than one percent of employee inboxes.
[Editor Comments]
[Williams] The Department of State handles extremely sensitive material and is huge (24,000 employees not including the 45,000 local in-country employees). Saying that less than 1% of users were impacted is misleading - by framing the breach as a small percent, rather than the large number of users impacted, the impact of the breach is misrepresented.
Read more in:
CNET: State Department email data breach exposes employee data
https://www.cnet.com/news/state-department-email-data-breach-exposes-employee-data/
FNR: State Dept. alerts employees about security breach of email system
https://federalnewsradio.com/federal-newscast/2018/09/state-dept-alerts-employees-about-security-breach-of-e-mail-system/
The Register: US State Department confirms: Unclassified staff email boxes hacked
https://www.theregister.co.uk/2018/09/18/state_department_hacked/
--Judge Denies Motion to Force Use of Paper Ballots in Georgia Election, But Decries the Security of the States Electronic Voting Systems
(September 19, 2018)
A federal judge has denied a motion seeking to prohibit the Georgia Secretary of State and county election offices from using direct recording electronic voting machines in the upcoming elections. However, the judges ruling advises the Defendants that further delay is not tolerable in their confronting of and tackling the challenges before the States election balloting system.
Read more in:
Nextgov: Federal Judge Blasts Georgias Dated, Vulnerable Voting System
https://www.nextgov.com/cybersecurity/2018/09/federal-judge-blasts-georgias-dated-vulnerable-voting-system/151377/
************************** SPONSORED LINKS ********************************
1) "What Works in Certificate and Key Management: Enabling Secure Digital Business Using Venafis Trust Protection Platform" Register: http://www.sans.org/info/206950
2) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/206955
3) What are the ten essential features and capabilities IT security decision makers look for when evaluating potential candidates.? Learn More: http://www.sans.org/info/206960
*****************************************************************************
REST OF THE WEEKS NEWS
--Senator Wyden Will Introduce Legislation to Improve Cybersecurity of Senate and Senate Staff Personal eMail Accounts
(September 20, 2018)
In a letter to Senate leadership on Wednesday, September 19, Senator Ron Wyden (D-Oregon) wrote seeking support for legislation that aims to allow the US Senate Sergeant at Arms (SSA) to provide cybersecurity assistance to Senators and staff on an opt-in basis. Wyden had been surprised to learn in the wake of attacks targeting legislators personal email accounts, SSA refused to help Senate and Senate staff members because it may not offer cybersecurity assistance for personal accounts. A Google spokesperson has confirmed that the company notified US senators and aides that hackers working on behalf of foreign governments are targeting their personal email accounts.
[Editor Comments]
[Pescatore] I think many companies recognized years ago that the blurring of work/life boundaries meant they have to expand their view of how they support personally-owned devices and personally managed-services, like email, social media, DropBox, etc. That is certainly true for top level management, but these days for the entire workforce. Good to see the government start to recognize this, bad that it had to come from a Senator vs. security managers inside government agencies pushing for this.
Read more in:
Document Cloud: Wyden Letter to Senate Leadership
https://www.documentcloud.org/documents/4906721-Wyden-cybersecurity-letter-9-19-18.html
FNR: Lawmaker: US Senate, staff targeted by state-backed hackers
https://federalnewsradio.com/cybersecurity/2018/09/lawmaker-us-senate-staff-targeted-by-state-backed-hackers-2/
Cyberscoop: Wyden: Tech company has told multiple senators of foreign hacking attempts
https://www.cyberscoop.com/senate-hacking-ron-wyden-personal-email/
--Equifax Fined in UK Over Last Years Breach
(September 20, 2018)
The UKs Information Commissioners Office (ICO) has hit Equifax with a fine of 500,000 ($663,000 US), the maximum allowable penalty for the breach that compromised personal information belonging to millions of people, including 15 million in the UK. The penalty is not as high as expected because the breach occurred prior to the adoption of the European Unions General Data Protection Regulation (GDPR) and Equifax was instead fined under 1998s Data Protection Act. GDPR allows for maximum penalties of as much as 4% of a companys global turnover for the most serious data failures.
[Editor Comments]
[Murray] A minor slap on the wrist for this industry that, literally, has a Congressional license (the Fair Credit Reporting Act) to steal. It is past time to bring this industry to heel and into the 21st Century. Reforms should include the right, without charge, of the subjects of the data to see it, correct or contest it, and know about all changes, uses, and sales.
Read more in:
Tech Crunch: Equifax slapped with UKs maximum penalty over 2017 data breach
https://techcrunch.com/2018/09/20/equifax-slapped-with-uks-maximum-penalty-over-2017-data-breach/
--Adobe Issues Surprise Update
(September 19 & 20, 2018)
Adobe released unscheduled patches for Acrobat and Reader just a week after its regular monthly update security. The patches fix seven vulnerabilities, including a critical out-of-bounds write flaw that could be exploited to execute code remotely.
[Editor Comments]
[Neely] While the patch includes a critical vulnerability (CVE-2018-12848) there are no known exploits. The only mitigation is to patch.
Read more in:
Threatpost: Critical Out-of-Band Patch Issued for Adobe Acrobat Reader
https://threatpost.com/critical-out-of-band-patch-issued-for-adobe-acrobat-reader/137554/
SC Magazine: Adobe releases surprise update week after Patch Tuesday
https://www.scmagazine.com/home/news/adobe-releases-surprise-update-week-after-patch-tuesday/
ZDNet: Adobe releases patch out of schedule to squash critical code execution bug
https://www.zdnet.com/article/adobe-releases-patch-out-of-schedule-to-squash-code-execution-bugs/
Adobe: Security bulletin for Adobe Acrobat and Reader | APSB18-34
https://helpx.adobe.com/security/products/acrobat/apsb18-34.html
--Mirai Creators Sentenced to Five Years Probation Working with FBI
(September 18, 19, & 20, 2018)
Three people who pleaded guilty to building the Mirai botnet and using it to launch distributed denial-of-service (DDoS) attacks have been sentenced to five years of probation and 2,500 hours of community service. They were also ordered to pay $127,000 US in restitution. The three have cooperated with the FBI and have helped the bureau with complex cybercrime investigations. The sentences require that the three continue to cooperate with the FBI and to provide assistance to law enforcement and the research community.
[Editor Comments]
[Williams] This characterization of the sentence sends the message "get caught hacking, and youll be able to work with the FBI instead of going to jail." The "work" they've already done is very likely informant work, which may place their lives in danger in the future. There's much that could be done to communicate the specifics of this sentence better so that it doesn't send the wrong message.
[Neely] They have obtained a resume line sufficient to alleviate concerns of future employers, but it is not clear they will not revert to past behavior.
Read more in:
Document Cloud: Hackers Cooperation with FBI leads to Substantial Assistance in Other Complex Cybercrime Investigations
https://www.documentcloud.org/documents/4901641-Jha-White-Dalton-20-20-20-20-Alexander.html
KrebsOnSecurity: Mirai Botnet Authors Avoid Jail Time
https://krebsonsecurity.com/2018/09/mirai-botnet-authors-avoid-jail-time/
The Register: No, the Mirai botnet masters aren't going to jail. Why? 'Cos they help Feds nab cyber-crims
https://www.theregister.co.uk/2018/09/20/makers_of_mirai_free/
Ars Technica: Mirai botnet creators praised for helping FBI, wont serve prison time
https://arstechnica.com/tech-policy/2018/09/mirai-botnet-creators-praised-for-helping-fbi-wont-serve-prison-time/
FCW: Botnet bandits drop dimes on cybercrimes
https://fcw.com/articles/2018/09/19/fbi-mirai-botnet-perps-help.aspx
Wired: The Mirai Botnet Architects Are Now Fighting Crime With the FBI
https://www.wired.com/story/mirai-botnet-creators-fbi-sentencing/
--California Farm Bureau Agreement Weakens Farmers Right to Repair Position
(September 11 & 19, 2018)
The California Farm Bureau has signed an agreement that diminishes the rights of farmers to repair and adjust their farm machinery. According to the agreement, farmers can purchase repair parts only through a dealer. The Farm Bureau has previously been a strong proponent of right to repair legislation, which would require equipment manufacturers to sell repair parts, to make diagnostic materials available to customers, and to provide a means for equipment owners to circumvent proprietary software locks for the purpose of maintaining and modifying their farming equipment.
Read more in:
Wired: John Deere Just Swindled Farmers Out of Their Right to Repair
https://www.wired.com/story/john-deere-farmers-right-to-repair/
Motherboard: Farmer Lobbying Group Sells Out Farmers, Helps Enshrine John Deere's Tractor Repair Monopoly
https://motherboard.vice.com/en_us/article/kz5qgw/california-farm-bureau-john-deere-tractor-hacking-right-to-repair
--GovPayNow Data Leak
(September 17 & 18, 2018)
Government Payment Service (GovPayNow.com) has leaked 14 million customer record darting back to 2012. GovPayNow is used by state and local governments to process online payments for licensing fees, traffic citations, and other transactions. The compromised data include names, addresses, and the last four digits of payment card numbers. The information was exposed by changing digits in online receipt URLs.
Read more in:
Dark Reading: GovPayNow Leak of 14M+ Records Dates Back to 2012
https://www.darkreading.com/threat-intelligence/govpaynow-leak-of-14m+-records-dates-back-to-2012/d/d-id/1332837
KrebsOnSecurity: GovPayNow.com Leaks 14M+ Records
https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/
SC Magazine: 14 million customer records exposed in GovPayNow leak
https://www.scmagazine.com/home/news/14-million-customer-records-exposed-in-govpaynow-leak/
--Traces of Pegasus Spyware Detected in 45 Countries
(September 18 & 19, 2018)
Using a new scanning technique, researchers from The Citizen Lab found evidence that Pegasus spyware is being used in 45 countries around the world. Pegasus uses social engineering to trick users into clicking an exploit link, which downloads surveillance malware onto their devices. Some of the counties using Pegasus have questionable human rights records.
Read more in:
CitizenLab: Hide and Seek: Tracking NSO Groups Pegasus Spyware to Operations in 45 Countries
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
Motherboard: Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware Pegasus in 45 Countries
https://motherboard.vice.com/en_us/article/bjaz94/nso-group-pegasus-45-countries-map-spyware-citizen-lab
Cyberscoop: Pegasus spyware active in 45 countries, Citizen Lab says
https://www.cyberscoop.com/pegasus-spyware-45-countries-citizen-lab/
SC Magazine: Pegasus spyware spotted in 45 countries, many with questionable human rights records
https://www.scmagazine.com/home/news/pegasus-spyware-spotted-in-45-countries-many-with-questionable-human-rights-records/
-West Virginia Will Use Mobile Voting App
(September 18, 2018)
The US state of West Virginia plans to use a blockchain-based mobile voting app in the November elections. The Voatz app will be used to let members of the military and their families stationed overseas cast absentee ballots. Military personnel in remote areas face difficulties with the regular absentee ballot process unreliable postal service and lack of landline telephones. Voters have to submit a Federal Post Card Application requesting to receive voting information online or through email. Once the request has been confirmed, they can download the app. To cast a ballot, voters will scan their drivers license or passport; take a video selfie; and touch the phones fingerprint reader.
[Editor Comments]
[Pescatore] Currently, blockchain is to technology, as turmeric is to food: just sprinkle some on and all health problems disappear! It is perfectly possible to have a secure mobile app using blockchain but it is also very possible for the app to have huge, gaping vulnerabilities, no matter how much turmeric/blockchain is tossed in. Voatz says Security Innovation and HackerOne were used for security audits/testing, which could be a good thing. However, the HackerOne Voatz page shows it just started in early August, with 4 reports resolved to date and $650 in bounties paid out. No details are given on Security Innovations effort and not clear how many new versions will come out before the midterm electionsmore transparency needed.
[Neely] Reconnecting our troops with the voting process is a problem worth solving. Using blockchain for an immutable record of the transaction, and a separate database for PII, three factor authentication and user verification their ballot is as intended are all excellent security measures, and introduce enough complexity that independent review and testing is critical.
Read more in:
Computerworld: W. Va. to use blockchain-based mobile app for mid-term voting
https://www.computerworld.com/article/3305844/emerging-technology/w-va-to-use-blockchain-based-mobile-app-for-mid-term-voting.html
INTERNET STORM CENTER TECH CORNER
Certificate Transparency Tools
https://isc.sans.edu/forums/diary/Using+Certificate+Transparency+as+an+Attack+Defense+Tool/24114/
Kodi Malicious Add-Ons
https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/
Cloudflare Making DNSSEC Adoption Easier
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/
Akamai State of the Internet Report
https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp
Peekaboo DVR Vulnerability
https://www.tenable.com/blog/tenable-research-advisory-peekaboo-critical-vulnerability-in-nuuo-network-video-recorder
Hunting for Suspicious Processes with OSSEC
https://isc.sans.edu/forums/diary/Hunting+for+Suspicious+Processes+with+OSSEC/24122/
Western Digital MyCloud Unauthenticated Admin Access
https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html
Adobe Releases Special Patch for Acrobat and Reader
https://helpx.adobe.com/security/products/acrobat/apsb18-34.html
NSSLabs Sues Crowdstrike, Symantec, ESET
https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/
Bitcoin Core Vulnerability
https://motherboard.vice.com/amp/en_us/article/qvakp3/a-major-bug-in-bitcoin-software-could-have-crashed-the-currency?__twitter_impression=true
WebAuthn Standard
https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet
https://fidoalliance.org/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create