SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #82
October 16, 2018Tomorrow (10/17) is the deadline for nominations for the 2018 SANS Difference Makers Awards. Send nominations to trends@sans.org. Full details on the awards and how to nominate a person, see http://www.sans.org/cyber-innovation-awards
****************************************************************************
SANS NewsBites October 16, 2018 Vol. 20, Num. 82
****************************************************************************
TOP OF THE NEWS
Third-Party Contractor Breach Leads to Theft of DOD Personnel Travel Data
Senator Introduces Election Vendor Ownership Transparency Bills
Voter Records Found for Sale on Dark Web
REST OF THE WEEKS NEWS
Brian Krebs Talks with Tony Sager About Supply Chain Security
Microsoft to Stop Supporting TLS 1.0 and 1.1 in its Browsers
PHP 5.x Will Be Unsupported After December 31, 2018
Apple Responds to Australias Proposed Encryption Law
Firefox 64 Will Not Support Live Bookmarks, Atom, and RSS Feed Subscriptions
IBM Pulls Buggy WebSphere Application Server Patch
Study Finds Legacy IT Systems Hinder Agencies Cloud Migration
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- Tactical Detection Summit 2018 | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad, ASUS Chromebook C202SA, or Take $250 Off with OnDemand or vLive. Offer Ends October 17.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk **************************
Investing in a Security Orchestration, Automation and Response (SOAR) platform is a highly strategic decision. Do you know what criteria you should consider when evaluating which SOAR platform to choose?
Our complimentary copy of The SOAR Buyers Guide will provide these answers as well as common security use cases it will solve. Download your copy today:
http://www.sans.org/info/207555
*****************************************************************************
TOP OF THE NEWS
--
Third-Party Contractor Breach Leads to Theft of DOD Personnel Travel Data
(October 12, 13, & 15, 2018)
A breach of systems at a third-party Department of Defense (DOD) contractor has compromised payment card and travel information of approximately 30,000 DOD military and civilian personnel. DOD was notified of the incident on October 4, 2018. The breach at the contractor was used to gain access to DOD systems and steal the data.
[Editor Comments]
[Henry] Adversaries are continuously targeting the supply chain to access the networks of their ultimate target (read the fantastic interview of Tony Sager, below.) Organizations need to ensure the networks theyre connecting to have appropriate security protocols established and are actually implementing them. This may require them to evaluate security policy, and actually conduct testing of the sites theyre doing business with. Contractual obligations, while not the be-all-end-all, can motivate contractors to comply when they realize theyre potentially liable.
[Williams] DoD contracted with a third party to be a steward of the data, but the third party failed to protect that information. While DoD probably had cybersecurity requirements in their contract, it doesn't seem they were auditing the third party (something which is admittedly very hard to do). This highlights yet again that while you can outsource the data, you can't outsource the responsibility to protect that data. Your breach is still your breach.
Read more in:
ZDNet: Pentagon discloses card breach
https://www.zdnet.com/article/pentagon-discloses-card-breach/
Reuters: Pentagon investigating cyber breach of some travel records
SC Magazine: Pentagon data breach exposed 30,000 travel records
https://www.scmagazine.com/home/security-news/pentagon-data-breach-exposed-30000-travel-records/
--
Senator Introduces Election Vendor Ownership Transparency Bills
(October 11, 2018)
US Senator Chris Van Hollen (D-Maryland) has introduced two bills aimed at transparency regarding the ownership of election systems used in the US. The Protect Our Elections Act would ban foreign ownership of elections systems and require other elections service providers to disclose foreign ownership or control of their companies. The Election Systems Integrity Act is a pared down version of the other bill, requiring that elections systems and services companies disclose foreign ownership.
[Editor Comments]
[Pescatore] Part of supply chain security is understanding the risks of the products you are buying; reliability and trustworthiness of the financing and ownership of vendors is an important element of that. In the long run, business will stay global, but the buying decisions need to include the costs of verifying that the cheaper products are actually less expensive in real usagerisk costs are huge in election systems.
[Murray] Almost sixty years ago, I tried to sell punched card voting against mechanical voting machines. There were only two competitors in that space, both American, both corrupt, and corrupting.
Read more in:
Cyberscoop: Two bills seek transparency in ownership of election vendors
https://www.cyberscoop.com/two-bills-seek-transparency-in-ownership-of-election-vendors/
--
Voter Records Found for Sale on Dark Web
(October 15, 2018)
Voter records from 19 US states have been found for sale on the Dark Web. In all, there are more than 35 million records. The data include names, physical addresses, voting histories, and other voting data. Those selling the data say that they are updated weekly, indicating they either have persistent access to the databases or that they are receiving the information from a human source.
Read more in:
SC Magazine: 35 million voter records from 19 states found for sale on Dark Web
ZDNet: US voter records from 19 states sold on hacking forum
https://www.zdnet.com/article/us-voter-records-from-19-states-sold-on-hacking-forum/
************************** SPONSORED LINKS ********************************
1) Join SANS Matt Bromiley as he shares his experiences using BehavioSecs relatively new method of behavioral biometrics and its role in identifying bad actors.
Register here: http://www.sans.org/info/207575
2) Calling all security architects, SOC and IR managers: How automated and integrated are your security and IR processes? Take the SANS Survey | http://www.sans.org/info/207580
3) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/207585
*****************************************************************************
REST OF THE WEEKS NEWS
--
Brian Krebs Talks with Tony Sager About Supply Chain Security
(October 12, 2018)
Krebss conversation with Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency, covers a range of topics relating to supply chain security, from the Trusted Foundry program to Sandia National Laboratories approach to supply chain security to its relationship to the Internet of Things (IoT). Sager says that the problem of supply chain security is outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.
[Editor Comments]
[Murray] A truly safe supply chain can come only at the price of some reduction in innovation or market efficiency.
Read more in:
KrebsOnSecurity: Supply Chain Security 101: An Experts View
https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/
--
Microsoft to Stop Supporting TLS 1.0 and 1.1 in its Browsers
(October 15, 2018)
Starting in the first half of 2020, Microsoft plans to disable support for Transport Layer Security (TLS) 1.0 and 1.1 in Edge and Internet Explorer. The Internet Engineering Task Force (IETF) is holding discussions about formally deprecating TLS 1.0 and 1.1.
[Editor Comments]
[Honan] Google will also follow this move with Chrome 72: https://security.googleblog.com/2018/10/modernizing-transport-security.html. I expect Apple and other browsers wont be far behind. This will present interesting challenges for many inhouse legacy systems that have not been updated to support modern browsers and how organisations will manage the risk associated with outdated browsers.
[Neely] Apple, Mozilla, Microsoft and Google have all published desupport dates in the first half of 2020. If your servers dont already support TLS 1.2, update to versions that do, then start checking the logs for clients still using 1.0 and 1.1 and update them.
Read more in:
ZDNet: Microsoft to disable TLS 1.0 and TLS 1.1 support in Edge and Internet Explorer
IETF: Deprecating TLSv1.0 and TLSv1.1
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
--
PHP 5.x Will Be Unsupported After December 31, 2018
(October 14, 2018)
Support for PHP 5.6.x will cease on December 31, 2018, which means that all PHP 5.x versions will no longer be supported. Nearly 70 percent of websites run on PHP, according to one estimate.
[Editor Comments]
[Neely] While each PHP version is fully supported for two years, with an additional year for critical security fixes, 5.6 had an extended security fix window. PHP is often installed on Linux with the OS, and updates are performed with the OS package update cycle. Not all those updates are current, some only offering version 5.4. Others offer PHP 7.0, which is only supported until 12/3/2018. Target updating to PHP 7.2 which is supported until 11/30/2020 and will likely have to be obtained from other software repositories.
Read more in:
ZDNet: Around 62% of all Internet sites will run an unsupported PHP version in 10 weeks
--
Apple Responds to Australias Proposed Encryption Law
(October 14, 2018)
Apple has responded to the Australian governments proposed new encryption law, calling them dangerously ambiguous and asserting that encryption is the single best tool we have to protect data and ultimately lives. Australias proposed new law, the Assistance and Access Bill, would establish three levels of assistance in accessing encrypted communications expected from technology companies; they range from voluntary assistance to a notice from the attorney general requiring a company to build a new capability to allow access to encrypted communications. Apple also lays out the argument that governments seem unwilling to hear: Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone.
Read more in:
CNET: Apple says 'dangerous' Australian encryption laws put 'everyone at risk'
https://www.cnet.com/news/apple-says-dangerous-australian-encryption-laws-put-everyone-at-risk/
--
Firefox 64 Will Not Support Live Bookmarks, Atom, and RSS Feed Subscriptions
(October 13, 2018)
Mozilla is removing support for Atom, RSS Feeds subscriptions, and live bookmarks in Firefox starting with version 64. Mozilla made the decision due to maintenance, performance, and security issues. Users who still want to receive RSS feeds can install an add-on that allows them. Firefox 64 is scheduled for release in December 2018.
[Editor Comments]
[Northcutt] Bully for Firefox. Features, with massively complex SW systems always come with vulnerabilities. If people are not using them, cut from the distribution.
[Murray] While some of the vulnerability arises from the generality and flexibility of the concept of the browser, much of the risk results from the porous environments in which they run. While Safari for iOS does not include support for Flash, it also runs in an environment that is resistant to contamination by its data. Even Windows can be locked down in such a way as to significantly limit the risk of contamination from the browser or its data. We simply cannot have our cake and eat it.
Read more in:
Bleeping Computer: Mozilla Removing Live Bookmarks and RSS Feed Subscriptions in Firefox 64
GIJSK: Firefox removes core product support for RSS/Atom feeds
https://www.gijsk.com/blog/2018/10/firefox-removes-core-product-support-for-rss-atom-feeds/
--Vigilante is Fixing MikroTik Routers
(October 12, 2018)
A hacker named Alexey has been breaking into other peoples MikroTik routers and adjusting their settings to protect the devices from being used by cryptojackers, botnet herders, and other cybercriminals. Alexey says that he patched more than 100,000 MikroTik routers by add[ing] firewall rules that blocked access to the router from outside the local network, and left an address in the comments where users could send questions. Of the 50 people who responded, most were not pleased with the unsolicited help.
[Editor Comments]
[Williams] Beyond being illegal, vigilante operations like this are also reckless. Network engineers (honest ones anyway) will tell you how hard it is to get networks working correctly. While vigilantes may think they are causing no harm, they simply lack the in-depth knowledge of the network to be anywhere near sure.
Read more in:
ZDNet: A mysterious grey-hat is patching people's outdated MikroTik routers
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/
--
IBM Pulls Buggy WebSphere Application Server Patch
(October 11, 2018)
IBM has pulled a patch for its WebSphere Application Server following reports that the fix was causing problems for some users. The remote code execution flaw affects WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0. The flaw could be exploited to remotely execute Java code via the SOAP connector port.
Read more in:
The Register: WebSphere and loathing in New York: IBM yanks buggy application server security fix from admins
https://www.theregister.co.uk/2018/10/11/ibm_websphere_security_fix_pulled/
IBM: Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2018-1567)
https://www-01.ibm.com/support/docview.wss?uid=swg22016254
--
Voting and Cybersecurity Activists Opposed to West Virginias Plan to Let Citizens Living Abroad Vote Via Smartphone
(October 10, 2018)
Four cybersecurity and elections activist groups have called for the US state of West Virginia to stop a pilot program that would allow overseas military personnel and other living abroad to cast their ballots over a smartphone app. The communication is protected by blockchain; one of those opposed to the smartphone voting scheme observed that blockchain remains vulnerable to multiple attacks that can compromise an election.
[Editor Comments]
[Murray] Some portion of the generation that has never written a paper check will eventually vote the same way they pay and get paid. They will be hard to convince that voting by mail is safer than voting by mobile app. They will register by mobile app, obtain their ballot by mobile app, and cast it by mobile app. The activists might as well get over it.
Read more in:
McClatchy: Is higher voter turnout worth the risk of hacking? W.Va pilot program will find out
https://www.mcclatchydc.com/news/policy/technology/article219731920.html
--MeriTalk
Study Finds Legacy IT Systems Hinder Agencies Cloud Migration
(October 15, 2018)
MeriTalk surveyed 150 US Federal IT managers regarding their cloud migration plans and network modernization efforts. Two-thirds of the agencies say that their legacy network infrastructures are impeding their migration to the cloud.
[Editor Comments]
[Neely] Most agencies have maintained network capacity within their data center, and to their internal users. Increasing the ISP connection is often skipped because it also requires upgrading or replacing perimeter protections. Understanding bandwidth requirements for services moving to the cloud is important, both for end-user and data feed traffic from legacy systems to avoid creating your own denial of service.
Read more in:
MeriTalk: Legacy Infrastructure Holding Agencies Back from Real Cloud Progress
MeriTalk: Press Release: Legacy Networks Stifle Government Cloud Migration; Struggle to Keep Pace With Demands of Next-Gen Tech, Research Study Finds
https://www.meritalk.com/wp-content/uploads/2018/10/Cloud_Complexity_Press_Release-1.pdf
INTERNET STORM CENTER TECH CORNER
IBM Updates WebSphere Update
https://www-01.ibm.com/support/docview.wss?uid=swg22016254
Incomplete JET Database Patch
https://blog.0patch.com/2018/10/patching-re-patching-and-meta-patching.html
Fake Mining Apps
Fake Google Photo App Turns out to be Ad-Clicker
Many Large Websites Affected by Branch.io XSS Flaw
https://www.vpnmentor.com/blog/dom-xss-bug-affecting-tinder-shopify-yelp/
Medtronics Pacemakers Disable Remote Update (PDF)
Proof-of-Concept Exploit for Microsoft Edge Vulnerability CVE-2018-8495
https://leucosite.com/Microsoft-Edge-RCE/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
