SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #80
October 9, 2018****************************************************************************
SANS NewsBites October 9, 2018 Vol. 20, Num. 80
****************************************************************************
TOP OF THE NEWS
Californias IoT Security Bill Will Require Devices to Ship With Unique Passwords
Microsoft Suspends Windows 10 October Update Rollout Over Data Loss Bug
Brian Krebs on the Bloomberg Disclosure of Servers With Hardware Back-Doors
REST OF THE WEEKS NEWS
DotGov Bolsters Domain Security
Heathrow Airport Fined 120,000 Over Lost USB Drive
Google is Shutting Down Google+
Git Project Fixes Submodule Flaw
Banking Trojan Found on Library Computers
DOJ Official Defends Hacker Indictments
Wyden Asks FEC (Again) if Campaign Funds May Be Used for Cybersecurity
Thunderbird Update Addresses Critical RCE Flaw
MITRE Publishes Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad, ASUS Chromebook C202SA, or Take $250 Off with OnDemand or vLive. Offer Ends October 17.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Security Matters *******************
Webcast: Thursday, October 11th, 2018 at 1:00 PM EST. Hear the real
truths, challenges and benefits from current and former asset owners who
have deployed the largest ICS network monitoring projects in the country.
Register here: http://www.sans.org/info/207365
*****************************************************************************
TOP OF THE NEWS
--Californias IoT Security Bill Will Require Devices to Ship With Unique Passwords
(October 5 & 6, 2018)
On September 28, 2018, the Information Privacy: Connected Devices bill was signed into law. Effective January 1, 2020, the law requires that Internet of Things (IoT) devices ship with unique passwords instead of a common default password.
[Editor Comments]
[Neely] Having users set up a strong password upon first use is a step in the right direction. Devices will also have to include password recovery mechanisms, which must have appropriate validation checks.
[Williams] This is a step in the right direction for security, but will likely lead to greater implementation and troubleshooting issues. I'm betting that manufacturers will implement a factory reset password scheme that is algorithmically generated based on some data available without authentication (e.g. some unauthenticated endpoint that returns a device ID, which can be used to derive the password).
Read more in:
Nextgov: In California, Its Going to Be Illegal to Make Routers With Weak Passwords
Engadget: California bans default passwords on any internet-connected device
SC Magazine: Weak passwords outlawed out West, California law aims to secure IoT devices
LegInfo: SB-327 Information privacy: connected devices.
https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
--Microsoft Suspends Windows 10 October Update Rollout Over Data Loss Bug
(October 6, 2018)
Microsoft has paused the October update for Windows 10 (version 1809) due to reports that users Documents and Pictures folders have disappeared after the update was installed. The company is advising that users who downloaded the update manually not install it, and that those who have installed it use their devices as little as possible. In the Microsoft link, scroll down to Known issues updating to Windows 10, version 1809 to see the announcement that the rollout has been paused.
Read more in:
Microsoft: Windows 10 update history
https://support.microsoft.com/en-au/help/4464619/windows-10-update-history
Ars Technica: Data-deletion bug forces Microsoft to suspend rollout of Windows 10 update
Bleeping Computer: Microsoft Has Pulled the Windows 10 October 2018 Update
--Brian Krebs on the Bloomberg Disclosure of Servers With Hardware Back-Doors
(October 5, 2018)
Brian Krebs places the Chinese technology manufacturing threat to the US supply chain in context. For example, it isn't new: More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sams entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government. And it will be extremely hard to counter: it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today, and its quite time consuming and expensive to detect when products may have been intentionally compromised during some part of the manufacturing process. Your typical motherboard of the kind produced by a company like Supermicro can include hundreds of chips, but it only takes one hinky chip to subvert the security of the entire product. He closes by offering five steps we need to take now to help mitigate the problemfrom Bill Murrays list.
Read more in:
KrebsOnSecurity: Supply Chain Security is the Whole Enchilada, But Whos Willing to Pay for It?
************************** SPONSORED LINKS ********************************
1) Negligence | Acceptable Risk. Its a fine line. CIS RAM to establish
duty of care. http://www.sans.org/info/207385
2) "Defeating the next attack with old ideas, is Threat Prevention
back?" with Jake Williams & Mark Arapovic. Register:
http://www.sans.org/info/207375
3) What challenges do you face in using cyber threat intelligence (CTI)?
Help SANS examine the state of CTI. Take the survey and enter to win a
$400 Amazon gift card | http://www.sans.org/info/207380
*****************************************************************************
REST OF THE WEEKS NEWS
--DotGov Bolsters Domain Security
(October 8, 2018)
On October 1, DotGov, the registrar in charge of managing .gov domains, began rolling out two factor authentication for the accounts that sysadmins use to register and manage the domains. By February 13, 2019, DotGov aims to have all US government domain owners establish two-factor account authentication.
[Editor Comments]
[Pescatore] Moving all sysadmin functions to strong authentication is a smart move for many reasons: (1) those accounts are high value targets; (2) learn and resolve pitfalls before any broader use; (3) eat your own dogfood is always better than just telling the business side to eat dog food.
[Neely] Adding a two factor authentication solution such as Google Authenticator is simple and cost effective with modern authentication systems, and should be standard with public facing applications. While an opt-in model allows user impact to be minimized, adding a time limit for adoption is also critical.
[Murray] System administrators, those for whom accountability is an essential control, are the ones most likely to be sharing IDs and passwords. Strong authentication, based upon enterprise owned tokens, can help repair this.
Read more in:
ZDNet: US government rolls out 2-step verification for .gov domain owners
https://www.zdnet.com/article/us-government-rolls-out-2-step-verification-for-gov-domain-owners/
--Heathrow Airport Fined 120,000 Over Lost USB Drive
(October 8, 2018)
The UK Information Commissioners Office (ICO) has fined Heathrow Airport 120,000 ($157,000 USD) over the loss of a USB flash drive drive that contained sensitive information about airport security. The compromised data include security patrol routes, CCTV camera locations, and other security-related information. The USB stick was found by a private individual in October 2017. The devices contents were viewed at a library, then the device was given to a newspaper, which made a copy of the information and returned the device to the airport. The device was not encrypted or password protected.
[Editor Comments]
[Neely] While the financial sector has virtually eliminated USB flash drives due to risks, other sectors are hard pressed to stop using them. Using authorized USB flash drives which are both encrypted and password-protected is a good way to mitigate the risks of both lost drives and insertion of unauthorized devices.
Read more in:
The Register: Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO
https://www.theregister.co.uk/2018/10/08/ico_fines_heathrow_airport_over_lost_memory_stick/
BBC: Heathrow fined for USB stick data breach
https://www.bbc.com/news/business-45785227
--Google is Shutting Down Google+
(October 8, 2018)
Google is shutting down its Google+ social network following news reports that indicate the company knew about and fixed an API bug that could have exposed user data, but chose not to inform users about the issue. The issue, which had been present since 2015, potentially exposed data belonging to 500,000 Google+ users. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Northcutt] Nobody was using Google+ so there will not be an impact to users. Not sure what will happen with GDPR fines. The expectation is that the Facebook breach is going to be costly:
Read more in:
ZDNet: Google shuts down Google+ after API bug exposed details for over 500,000 users
Wired: Google's Privacy Whiplash Shows Big Tech's Inherent Contradictions
https://www.wired.com/story/googles-privacy-whiplash-shows-big-techs-inherent-contradictions/
Cyberscoop: Google shuts down Google+ for consumers due to bug found months ago
https://www.cyberscoop.com/google-plus-data-exposure-api/?category_news=technology
WSJ: Google Exposed User Data, Feared Repercussions of Disclosing to Public (paywall)
--Git Project Fixes Submodule Flaw
(October 6 & 8, 2018)
The Git Project has released Git v2.19.1 to patch a flaw that could be exploited to allow remote code execution. The Git Project has also released backports for older versions to fix the issue: v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. Users are being urged to update their clients. The issue affects GitHub Desktop, Atom, and Git command client.
Read more in:
Github: Git Submodule Vulnerability Announced
https://blog.github.com/2018-10-05-git-submodule-vulnerability/
ZDNet: Code execution bug in malicious repositories resolved by Git Project
https://www.zdnet.com/article/code-execution-bug-in-malicious-repositories-resolved-by-git-project/
Bleeping Computer: Git Project Patches Remote Code Execution Vulnerability in Git
--Banking Trojan Found on Library Computers
(October 6 & 8, 2018)
Nearly 600 computers at the Anne Arundel County (Maryland) Public Library system were found to have been infected with the Emotet baking Trojan. The machines appear to have been infected on September 17 and the malware was detected on October 4. The library is notifying the nearly 5,000 people who used the computers during that time.
[Editor Comments]
[Pescatore] Since we are still in National Cybersecurity Awareness Month, this is a good example to show employees on the danger of using public computers. If your business runs public computers/kiosks, good reminder to lock them down and have restrictive Group Policy Objects around frequently misused services like client to client SMB communication.
Read more in:
Softpedia: Annapolis Library Computers Infected with Emotet, Almost 5K Customers Affected
AACPL: Library Computers Exposed to Emotet Virus
https://www.aacpl.net/node/110178
--DOJ Official Defends Hacker Indictments
(October 4 & 5, 2018)
Speaking at the CyberNext DC event last week, Deputy Assistant Attorney General Adam Hickey defended the Justice Departments decision to indict foreign hackers despite the improbability of ever bringing the individuals to justice. In his prepared remarks, Hickey noted that even in the cases where we have yet to apprehend a defendant, the charges were never the end of the story: whether it is trade remedies, sanctions, contributions to network defense, or diplomatic efforts to rally likeminded nations to confront an adversary together, all of those charges served a greater purpose.
Readmore in:
Justice: Deputy Assistant Attorney General Adam Hickey of the National Security Division Delivers Remarks at CyberNext DC
Cyberscoop: DOJ official: Whether they're extradited or not, indicting foreign hackers is important
https://www.cyberscoop.com/foreign-hackers-indictments-important-doj-adam-hickey/
SC Magazine: U.S. Deputy ADA: Indictments of alleged foreign hackers have merit, even without an arrest
--Wyden Asks FEC (Again) if Campaign Funds May Be Used for Cybersecurity
(October 5, 2018)
In May, 2018, US Senator Ron Wyden (D-Oregon) asked the Federal Elections Commission (FEC) whether campaign funds may be used to help secure personal devices and online accounts that belong to members of Congress. Wyden expressed concerns that the upcoming mid-term elections could be targeted by attacks similar to those that interfered with the 2016 presidential election. Wyden sent a supplemental letter to the FEC on October 3 that includes a table of types of cybersecurity investments and how they increase security (final two pages of PDF).
[Editor Comments]
[Neely] The core issue is whether these would be allowed expenditures. Government funds usually cannot be used for personal expenses, e.g. providing home routers and endpoint protection for their personal devices.
Read more in:
Bloomberg: Senator Asks FEC to Let Campaign Funds Be Used for Hacking Protection
FEC: Wyden letter to FEC Chair
https://www.fec.gov/files/legal/aos/2018-15/201815R_1.pdf
--Thunderbird Update Addresses Critical RCE Flaw
(October 4 & 5, 2018)
Mozilla has fixed a critical memory corruption vulnerability in its Thunderbird email client that could be exploited to allow remote code execution. Thunderbird 60.2.1 also includes fixes for six other security issues.
Read more in:
ZDNet: Mozilla resolves critical code execution flaw in Thunderbird email client
Bleeping Computer: Mozilla Patches Critical Vulnerability in Thunderbird 60.2.1
Mozilla: Security vulnerabilities fixed in Thunderbird 60.2.1
https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/
--MITRE Publishes Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
(October 1, 2018)
MITRE has published a playbook for health delivery organizations (HDOs) that outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.
Read more in:
MITRE: MITRE Creates Playbook on Medical Device Cybersecurity
GovInfoSecurity: FDA Reveals Steps to Bolster Medical Device Cybersecurity
https://www.govinfosecurity.com/fda-reveals-steps-to-bolster-medical-device-cybersecurity-a-11575
INTERNET STORM CENTER TECH CORNER
WPA2 Krack Attack Update
https://www.krackattacks.com/followup.html#overview
Cisco Updates
Apple Updates iOS and iCloud for Windows
https://support.apple.com/en-ca/HT209162
https://support.apple.com/en-ca/HT209141
Intel Adds Spectre/Meltdown Mitigation to 9th Generation CPUs
git Vulnerability Fixed
https://github.com/timwr/CVE-2017-1000117
Seattle Police Tries to Stop SWATting
https://www.seattle.gov/police/need-help/swatting
Windows October Update File Deleting Issues
https://support.microsoft.com/en-us/help/4464619/windows-10-update-history
https://blogs.technet.microsoft.com/filecab/2018/08/30/9205/
macOS Code Signing Vulnerabilities
https://www.virusbulletin.com/conference/vb2018/abstracts/code-signing-flaw-macos
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
