SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #78
October 2, 2018
A nice opportunity to help the security community recognize unsung heroes of cybersecurity - inside your own organization - so others may learn from their successes. Please nominate people and teams for the 2018 Security Difference Makers Awards. They will be recognized in December in Washington, DC. Pick people who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by using security controls and processes to enable new business success. Send nominations to trends@sans.org. Deadline: October 16. Full details on how to nominate at www.sans.org/cyber-innovation-awards
****************************************************************************
SANS NewsBites October 2, 2018 Vol. 20, Num. 78
****************************************************************************
TOP OF THE NEWS
Facebook Forces Mass Logout After Breach
Breached Singapore Health Server Was Unpatched for More Than a Year
Karen Evans Answers House Energy and Commerce Committee's Questions About CESER
REST OF THE WEEK'S NEWS
Tesco Bank Fined £2.26m Over November 2016 Breach
Chrome Seeks to Make Extensions More Trustworthy
US Government Sues California Over Net Neutrality Law
DOD Needs More Latitude in Hiring Cyber Personnel
FBI's IC3 Warns of Increased RDP Exploits
International Cyber Attack Metrics Don't Add Up
Bill Would Codify Federal CIO Role Changes
DOJ Cyberattack Response Best Practices
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Microsoft Surface Go or Take $300 Off with OnDemand or vLive, Offer Ends October 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk ************************************
The Essential Guide to Security maps out how organizations can use machine data for specific use cases and get started addressing threats and security challenges. This ebook addresses how to assess your organizations security maturity, specific threats to look for and how to fight them. Download your complimentary copy today. http://www.sans.org/info/207100
*****************************************************************************
TOP OF THE NEWS
--
Facebook Forces Mass Logout After Breach
(September 28 & October 1, 2018)
Facebook logged 90 million users out of their accounts after the company discovered that hackers had been exploiting a flaw in Facebook code that allowed them to steal Facebook access tokens and take over other people's accounts. The stolen tokens could also be used to access apps and websites linked to the Facebook accounts. The hackers exploited a trio of flaws that affected the "View As" feature, which lets users see how their profiles appear to other people. Facebook has fixed the security issue; it has also reset the access tokens for 90 million accounts. Facebook became aware of the issue on September 16, when it noticed an unusual spike in people accessing Facebook.
[Editor Comments]
[Neely] The forced logout invalidated the existing authentication session tokens, meaning they could not be used to log in to Facebook or any other sites enabled to allow access via your Facebook credentials. While Facebook has worked to identify all impacted users, consider logging out all of your Facebook sessions to be sure your authentication tokens are not at risk. This is done from the security settings, where you can see and log out all your active sessions.
[Pescatore] Since it is National Computer Security Awareness Month and a lot of awareness presentations are being given, it is good advice to tell employees never to use those "Login with Facebook" buttons on websites in their personal online activities.
Read more in:
Facebook: Security Update
https://newsroom.fb.com/news/2018/09/security-update/
Wired: The Facebook Security Meltdown Exposes Way More Sites Than Facebook
https://www.wired.com/story/facebook-security-breach-third-party-sites/
Wired: Everything We Know About Facebook's Massive Security Breach
https://www.wired.com/story/facebook-security-breach-50-million-accounts/
eWeek: Facebook Data Breach Extended to Third-Party Applications
http://www.eweek.com/security/facebook-data-breach-extended-to-third-party-applications
ZDNet: Facebook discloses network breach affecting 50 million user accounts
https://www.zdnet.com/article/facebook-discloses-network-breach-affecting-50-million-user-accounts/
KrebsOnSecurity: Facebook Security Bug Affects 90M Users
https://krebsonsecurity.com/2018/09/facebook-security-bug-affects-90m-users/
The Register: Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code
https://www.theregister.co.uk/2018/09/28/facebook_accounts_hacked_bug/
--
Breached Singapore Health Server Was Unpatched for More Than a Year
(September 27, 2018)
A compromised server that led to a massive breach of Singapore's SingHealth healthcare group member data had not been patched for 14 months prior to the breach. The person who was managing the server was doing so unofficially. He was not trained in cyber security or server administration and did not have procedures for handling security incidents.
Read more in:
Straits Times: Exploited server in SingHealth cyber attack did not get security update for 14 months, COI finds
--
Karen Evans Answers House Energy and Commerce Committee's Questions About CESER
(September 27 & 28, 2018)
Karen Evans, assistant secretary of the DoE's Office of Cybersecurity, Energy Security, and Emergency Response (CESER), answered questions about her office, which was established earlier this year. Evans was sworn in in early September. In her written testimony, Evans noted that the Department is focusing cyber support efforts to strengthen energy sector cybersecurity preparedness, coordinate cyber incident response and recovery, and accelerate game-changing research, development, and deployment (RD&D) of resilient energy delivery systems. Evans also told legislators that she plans to distill threat intelligence into actionable reports for operators of critical infrastructure without disclosing classified information, so the operators do not need to go through the laborious process of obtaining security clearances to receive the information. In the video linked below, Evans addresses this issue in response to a question posed by Rep. Jerry McNerney (D-CA); McNerney's question begins at 57:30 and Evans' response at 58:30.
[Editor Comments]
[Paller] Many people are unaware of Asst. Sec. Evans' background and may underestimate how quickly and effectively she will make the new CESER into a high-impact agency in the single most important area of critical infrastructure: electric power. The question some observers are asking is not whether she will have a major impact, but whether the U.S. government waited too long to put someone in place who can make a difference before a major attack turns the power off across large areas.
Read more in:
FCW: Energy's cyber office looks to keep industry in the loop
https://fcw.com/articles/2018/09/28/ceser-threat-data-clearance.aspx
Energy & Commerce: DOE Modernization: The Office of Cybersecurity, Energy Security, and Emergency Response (video of hearing)
House.gov: Testimony of Assistant Secretary Karen Evans
https://docs.house.gov/meetings/IF/IF03/20180927/108725/HHRG-115-IF03-Wstate-EvansK-20180927.pdf
************************** SPONSORED LINKS ********************************
1) Don't Miss: "Why the World Must Take Notice of the Rising Asian Dark Web" Register: http://www.sans.org/info/207105
2) "Investigate East-West Attack Activities to Defend Critical Assets: A SANS Review of ExtraHop Reveal(x)" Learn More: http://www.sans.org/info/207110
3) About Webcasts
What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/207115
*****************************************************************************
REST OF THE WEEK'S NEWS
--
Tesco Bank Fined £2.26m Over November 2016 Breach
(October 1, 2018)
The UK's Financial Conduct Authority (FCA) has fined Tesco Bank £16.4m ($21.4m USD) for a data breach that led to the theft of £2.26m ($3.4m USD) from its customers. In all, 40,000 Tesco accounts were compromised and funds were stolen from 9,000 of those. Following the breach, Tesco temporarily froze online transactions for all account holders, which created further problems for customers. The FCA called the November 2016 incident "largely avoidable." A year before the attack, Tesco had received a fraud alert from Visa about the type of attack that eventually hit its systems.
Read more in:
BBC: Tesco Bank fined £16.4m over cyber-attack
https://www.bbc.com/news/business-45704273
The Register: Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach
https://www.theregister.co.uk/2018/10/01/fca_fines_tesco_bank_164m_for_2016_security_breach/
ZDNet: Tesco Bank fined £16.4m over cyber attack
https://www.zdnet.com/article/tesco-bank-fined-16-4m-over-cyber-attack/
--
Chrome Seeks to Make Extensions More Trustworthy
(October 1, 2018)
Google has announced that it will implement measures to keep malicious extensions out of the Google Play store. Google will look more closely at extensions that ask for expansive permissions and will reject extensions that contain obfuscated code. In Chrome 70, users will be able to restrict the activity of extensions that try to modify web pages. Next year, Chrome extension developers will be required to complete revised manifests that describe the privileges their extensions require and to use two-factor authentication to make it more difficult for hackers to access their accounts. In a separate story, Chrome extension developers were targeted in a phishing campaign that tries to get the developers to disclose their account credentials.
[Editor Comments]
[Pescatore] Extensions have been to browsers as DLLs have been to Windows. Both encourage independent software vendors to add functionality to the base platform, but the security ramifications were not thought through before the additions were built. Thus, lots of backfilling and spackling is constantly required. Google taking steps to make sure extensions must come from the Google Play app store (read: a big whitelist) is a good thing, and should be the norm for all browsers. Doing a better job of making sure fewer malicious apps and extensions ever get into the app store is the prerequisite.
[Murray] One is reminded of the security claims that were made for Chrome when it was announced. It should not surprise anyone that those claims were not realized. Browsers are both fundamentally vulnerable and difficult to implement safely. Enterprise users should continue to prefer browsing only from isolated or locked-down devices. As Harry DeMaio cautions, "Doing business on the World Wide Web is like doing business in Times Square." (All strong authentication is multi-factor, but not all multi-factor is strong. Competent security people do not say "two-factor" when they mean "strong.")
Read more in:
Chromium: Trustworthy Chrome Extensions, by default
https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html
CNET: Google cracks down on malicious Chrome extensions
https://www.cnet.com/news/google-cracks-down-on-malicious-chrome-extensions/
ZDNet: Google to no longer allow Chrome extensions that use obfuscated code
https://www.zdnet.com/article/google-to-no-longer-allow-chrome-extensions-that-use-obfuscated-code/
ZDNet: Phishing campaign targets developers of Chrome extensions
https://www.zdnet.com/article/phishing-campaign-targets-developers-of-chrome-extensions/
--
US Government Sues California Over Net Neutrality Law
(September 30, 2018)
On Sunday, September 30, California Governor Jerry Brown signed into law net neutrality legislation, which was introduced after the Federal Communications Commission (FCC) decided to repeal net neutrality rules. Later that same day, the US Department of Justice (DOJ) sued the state of California, alleging that the law is illegal because states do not have the authority to regulate interstate commerce.
Read more in:
Ars Technica: Calif. enacts net neutrality law; US govt immediately sues to block it [Updated]
https://arstechnica.com/tech-policy/2018/09/california-governor-signs-net-neutrality-rules-into-law/
NYT: Justice Department Sues to Stop California Net Neutrality Law
https://www.nytimes.com/2018/09/30/technology/net-neutrality-california.html
Bloomberg: Trump Administration Sues California Over Net Neutrality Law
Threatpost: California, U.S. Government Battle Over Net Neutrality State Law
https://threatpost.com/california-u-s-government-battle-over-net-neutrality-state-law/137820/
DOJ: Justice Department Files Net Neutrality Lawsuit Against the State of California
LegInfo: SB-822 Communications: broadband Internet access service.
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB822
--
DOD Needs More Latitude in Hiring Cyber Personnel
(September 28, 2018)
At a September 26 Senate hearing, US Department of Defense (DOD) principal deputy CIO Essye Miller told members of the Senate Armed Services Committee's Personnel and Cybersecurity subcommittees that 4,000 civilian cyber-related employees have left the agency in the past year. The majority of the workers were in IT management and computer science. DOD needs employees with a wide variety of cyber skills. Brig. Gen. Dennis Crall, the principal deputy cyber advisor and senior military advisor for cyber policy for the defense secretary's office, who also testified before the committee, says DOD wants to increase pay and streamline the hiring process.
Read more in:
Defense Systems: DOD has lost 4,000 civilian cyber workers in the past year
https://defensesystems.com/articles/2018/09/28/cyber-workforce-dod-williams.aspx
Senate Armed Services: Statement by Essye B. Miller, Department of Defense (PDF)
https://www.armed-services.senate.gov/imo/media/doc/Miller_09-26-18.pdf
--
FBI's IC3 Warns of Increased RDP Exploits
(September 27, 28 & October 1, 2018)
The FBI's Internet Crime Complaint Center (IC3) and the Department of Homeland Security (DHS) have issued a joint warning that Windows Remote Desktop Protocol (RDP) is increasingly being used as an attack vector. RDP has been used to spread ransomware and other types of malware. The FBI and DHS recommend that organizations use strong passwords, employ two-factor authentication, ensure that the versions of RDP they use are up to date, restrict access to the default RDP port, and disable the service if it is not needed. Organizations are also advised to enable logs and make sure the logs include RDP logins.
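The logging advice above is only useful if someone actually reviews the RDP logon records. As an added illustration (not part of the IC3 alert or this newsletter), the Python below runs over constructed Windows Security event records and flags two things a defender would want to see: bursts of failed RDP logons (event 4625, LogonType 10) from one source address, and successful RDP logons (event 4624) from outside an assumed allowlist of internal networks. The allowlist, thresholds and sample events are assumptions chosen for the example.

```python
"""Added example: flag risky RDP logons in Windows Security event records.

Windows records RDP sessions in the Security log as logon events
(4624 = success, 4625 = failure) with LogonType 10 (RemoteInteractive).
The event records below are constructed sample data, not from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10
# Assumed: the only networks from which interactive RDP is expected.
ALLOWED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
FAIL_THRESHOLD = 5           # assumed: failures per source that count as a burst
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample events (fields reduced to what the checks need).
SAMPLE_EVENTS = [
    {"time": "2018-09-27T02:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:00:32", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:01:05", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:01:40", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:02:15", "id": 4625, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:03:50", "id": 4625, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2018-09-27T02:04:10", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2018-09-27T08:15:00", "id": 4624, "logon_type": 10, "user": "alice", "src": "192.168.1.20"},
    {"time": "2018-09-27T08:16:30", "id": 4625, "logon_type": 10, "user": "bob", "src": "192.168.1.30"},
    {"time": "2018-09-27T08:17:02", "id": 4624, "logon_type": 10, "user": "bob", "src": "192.168.1.30"},
    {"time": "2018-09-27T09:00:00", "id": 4624, "logon_type": 3, "user": "fileshare", "src": "203.0.113.45"},
]


def rdp_events(events):
    """Keep only logon success/failure events that came in over RDP."""
    return [e for e in events
            if e["logon_type"] == RDP_LOGON_TYPE and e["id"] in (4624, 4625)]


def failed_logon_bursts(events):
    """Return {source_ip: max failures seen inside FAIL_WINDOW} for sources
    that reach FAIL_THRESHOLD; a sliding window over sorted timestamps."""
    by_src = defaultdict(list)
    for e in rdp_events(events):
        if e["id"] == 4625:
            by_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def logons_from_unexpected_sources(events):
    """Return (time, user, src) for successful RDP logons whose source address
    is outside ALLOWED_SOURCES; these deserve a look even without a burst."""
    found = []
    for e in rdp_events(events):
        if e["id"] == 4624:
            ip = ip_address(e["src"])
            if not any(ip in net for net in ALLOWED_SOURCES):
                found.append((e["time"], e["user"], e["src"]))
    return found


if __name__ == "__main__":
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("RDP logons from outside allowlist:",
          logons_from_unexpected_sources(SAMPLE_EVENTS))
```

On a live host the same records come from the Security log (for example via Get-WinEvent) once logon auditing is enabled, which is the prerequisite the advisory points at.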
[Editor Comments]
[Murray] Strong passwords address brute force attacks; this is not what we are seeing. What is indicated is strong authentication (at least two kinds of evidence, at least one of which is resistant to replay.)
Read more in:
IC3: Cyber Actors Increasingly Exploit the Remote Desktop Protocol to Conduct Malicious Activity
https://www.ic3.gov/media/2018/180927.aspx
Bleeping Computer: IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks
ZDNet: FBI warns companies about hackers increasingly abusing RDP connections
SC Magazine: RDP attacks on the rise warns FBI, DHS
https://www.scmagazine.com/home/news/rdp-attacks-on-the-rise-warns-fbi-dhs/
--
ATM Jackpotter Sentenced
(September 26 & 28, 2018)
Argenys Rodriguez has been sentenced to one year and one day in prison for his role in an ATM jackpotting scheme. Jackpotting involves manipulating ATMs to dispense all their cash. Rodriguez is the first person in the US to be sentenced for jackpotting. He and an accomplice managed to install Ploutus malware on ATMs in Connecticut and Rhode Island. They were arrested in January 2018, shortly after ATM company Diebold Nixdorf issued a warning that jackpotting activity had been detected in the US. Rodriguez pleaded guilty in June to conspiracy to commit bank fraud.
Read more in:
ZDNet: US sentences to prison its first ATM jackpotter
https://www.zdnet.com/article/us-sentences-to-prison-its-first-atm-jackpotter/
DOJ: Springfield Man Sentenced to Prison for Role in ATM "Jackpotting" Scheme
https://www.justice.gov/usao-ct/pr/springfield-man-sentenced-prison-role-atm-jackpotting-scheme
--
International Cyber Attack Metrics Don't Add Up
(September 27, 2018)
How do countries count cyberattacks? One says that there were 24,000 attacks against defense targets in one year; another claims 110 attempts to break into government servers during that same year; and a third notes an average of 500 cyberattacks a month against defense infrastructure. Governments in several countries have acknowledged that they do not have one single set of standards and reporting metrics. What one country deems critical may not be considered critical in another. For international entities such as EU and NATO, this inconsistency is problematic. The article observes that without published standards and discernable metrics, such warnings are of no real value to the public.
[Editor Comments]
[Pescatore] Number of attacks is never a meaningful, let alone useful, metric, any more than number of raindrops hitting a roof would be a meaningful metric. Retail tracks revenue damage due to shrinkage (shoplifting and employee theft), not the number of times someone tries to steal a shirt at the clothing store. That is why reports looking at actual damage, like the Verizon Data Breach Investigation Report and Microsoft's Security Intelligence report [well, parts of it], are much more useful than the numerous "billions and billions of attacks are being observed" reports.
Read more in:
Defense One: In Cyberspace, Governments Don't Know How to Count
https://www.defenseone.com/ideas/2018/09/cyberspace-governments-dont-know-how-count/151629/
--
Bill Would Codify Federal CIO Role Changes
(September 26, 2018)
The Federal CIO Authorization Act of 2018, introduced in the US House of Representatives last week, would elevate the position of federal CIO to a presidential appointment reporting to the director of the Office of Management and Budget (OMB). The federal CIO currently reports to the OMB deputy director for management. The bill would also rename the Office of E-Government to the Office of the Federal Chief Information Officer. Rep. Will Hurd (R-TX), one of the bill's co-sponsors along with Rep. Robin Kelly (D-IL), said that it makes a clear statement that the federal CIO is in charge of coordinating IT policy across the government.
Read more in:
Nextgov: Legislation Would Elevate Federal CIO, Codify Federal CISO
Hurd: Hurd & Kelly Introduce Bipartisan Bill to Codify & Elevate the Federal CIO Position
--
DOJ Cyberattack Response Best Practices
(September 2018)
The US Department of Justice's (DOJ's) Cybersecurity Unit has released updated "Best Practices for Victim Response and Reporting of Cyber Incidents." The document comprises four sections: Steps to Take Before a Cyber Intrusion or Attack Occurs; Responding to a Cyber Incident: Executing Your Incident Response Plan; What Not to Do Following a Cyber Incident; and What to Do After a Cyber Incident Appears to Be Resolved.
[Editor Comments]
[Neely] This is an easy-to-read guide a business can use to build a game plan for incident response, including references and additional information that you won't find by just reading the regulation.
Read more in:
DOJ: Best Practices for Victim Response and Reporting of Cyber Incidents
https://www.justice.gov/criminal-ccips/file/1096971/download
Meritalk: DoJ Cyber Unit Releases Updated Cyber Incident Reporting Guidelines
https://www.meritalk.com/articles/53177/
INTERNET STORM CENTER TECH CORNER
Update About Facebook Breach that Compromised More than 50 Million Accounts
https://newsroom.fb.com/news/2018/09/security-update/
Telegram Leaks Local IP Address By Default
https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html
DDE Code Injection
https://isc.sans.edu/forums/diary/More+Excel+DDE+Code+Injection/24150/
SMTP MTA Strict Transport Security (MTA-STS)
https://www.rfc-editor.org/rfc/rfc8461.txt
Adobe Acrobat/Reader Update
https://helpx.adobe.com/security/products/acrobat/apsb18-30.html
Site Tricks Users Into Subscribing to Browser Notifications
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create