
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #83

October 19, 2018

****************************************************************************

SANS NewsBites               October 19, 2018               Vol. 20, Num. 83

****************************************************************************


TOP OF THE NEWS


 DHS Secretary Says U.S. Ready for Election Day Interference

 Facebook Election War Room

 Florida Election Security

 California County Working with Federal Officials to Improve Voting Systems Security

 Dallas County Election Systems Security Enhancements


REST OF THE WEEK'S NEWS


GitHub Platform Update Security Features

Flaws Affect Eight Models of D-Link DWR Routers

LuminosityLink Creator Sentenced to Prison

Anthem to Pay US$16 Million in Breach Settlement

Oracle Patches More than 300 Security Issues

US Federal Government DMARC Adoption Rate

Google Releases Chrome 70

North Carolina Water Utility Hit with Ransomware


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE    

 

-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

    

-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018


-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018


-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018


-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018


-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018


-- Tactical Detection Summit 2018 | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018


-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends October 31.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


***************************  Sponsored By Security Matter  *****************************


A Guide to Conquering the Challenges of ICS Asset (In)Visibility

Today's complex industrial networks are more vulnerable than ever, with 79% of ICS/SCADA operators reporting a breach in the past 24 months. Learn how you can optimize asset and threat visibility to reduce risks and take control of your network.

http://www.sans.org/info/207670


***************************************************************************************


TOP OF THE NEWS


--

DHS Secretary Says U.S. Ready for Election Day Interference

(Oct 8, 2018)

Singling out the new Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) as the fastest growing ISAC in history, Secretary Nielsen cited the network of sensors established by the ISAC and the sharing network that is in place, with more than 1,000 governments signed up so far.


Read more in:

Security Boulevard: Secretary of Homeland Security: We're Ready for Election Day Interference

https://securityboulevard.com/2018/10/secretary-of-homeland-security-were-ready-for-election-day-interference/

CISecurity: Elections Infrastructure ISAC

https://www.cisecurity.org/ei-isac/ei-isac-services/



--

Facebook Election War Room

(October 18, 2018)

Earlier this week, Facebook invited journalists inside its War Room, a space devoted to protecting its networks from the fraud and interference that marked the 2016 US presidential election. The War Room was set up a month ago, in time for the Brazilian presidential election and next month's US midterm elections. The War Room is home to two dozen teams that include specialists in threat intelligence, data science, engineering, research, operations, legal policy, and communications.


Read more in:

Wired: Inside Facebook's Plan to Safeguard the 2018 Election

https://www.wired.com/story/inside-facebooks-plan-to-safeguard-2018-election/

 

--

Florida Election Security

(October 17, 2018)

In the third of three stories on how US states are addressing cybersecurity threats in the upcoming mid-term elections, TechRepublic takes a look at Florida's efforts. Russian hackers targeted Florida's voter registration databases in 2016, and several counties were targeted in phishing attacks. Florida accepted more than US$19 million from Congress through the Help America Vote Act (HAVA) to help with elections security; the state is using the funds for physical security, upgrading voting systems, and risk-assessment and post-election audits. (The previous two installments cover efforts in West Virginia and Ohio.)


Read more in:

Tech Republic: How Florida is bolstering election security after being targeted by Russian hackers

https://www.techrepublic.com/article/how-florida-is-bolstering-election-security-after-being-targeted-by-russian-hackers/



--

California County Working with Federal Officials to Improve Voting Systems Security

(October 18, 2018)

When Kammi Foote, head of elections in Inyo County, California, was contacted by federal officials prior to the 2016 presidential election asking her to let them know if she noticed anything unusual, their reluctance to provide any details left her with more questions than answers. Since then, increased communication and collaboration between federal officials and local governments has helped Foote take measures to protect voting systems in her county.


Read more in:

WBTW: States and feds unite on election security after '16 clashes

https://www.wbtw.com/news/politics/states-and-feds-unite-on-election-security-after-16-clashes/1533772689



--

Dallas County Election Systems Security Enhancements

(October 18, 2018)

Dallas County (Texas) is taking steps to beef up its elections security before next month's elections. The security enhancements will focus on suspicious email, phishing attempts, intrusion attempts, and the overall security of the voting systems. Dallas County Judge Clay Jenkins is not concerned about the security of electronically cast votes because "we don't put our election machines on the internet ever."


Read more in:

Fox4News: Dallas County set to approve additional security measures on voting system

http://www.fox4news.com/news/dallas-county-to-approve-additional-security-measures-on-voting-system


**************************  SPONSORED LINKS  ********************************


Sponsored Links:


1) The one constant behind all attacks is that they are human-driven. Learn best practices for conducting your own Human Intelligence.

Register here: http://www.sans.org/info/207675


2) Calling all security architects, SOC and IR managers: How automated and integrated are your security and IR processes? Take the SANS Survey | http://www.sans.org/info/207680


3) Microsegmentation and Your Zero Trust Security Strategy - Learn about it here.

http://www.sans.org/info/207690


*****************************************************************************


REST OF THE WEEK'S NEWS

 

--

GitHub Platform Update Security Features

(October 17 & 18, 2018)

GitHub's updated platform includes three new security features: Java and .NET support for security vulnerability alerts; GitHub token scanning for public repositories; and the GitHub Security Advisory API.


Read more in:

ZDNet: GitHub security alerts now support Java and .NET projects

https://www.zdnet.com/article/github-security-alerts-now-support-java-and-net-projects/

Cyberscoop: GitHub rolls out new token scanning, security alert features

https://www.cyberscoop.com/github-security-access-tokens-security-advisory-api/

GitHub: Future of Software: Developers at the center of the universe

https://blog.github.com/2018-10-16-future-of-software/

GitHub: Securing your code

https://blog.github.com/2018-10-16-future-of-software/#security

 
 

--

Flaws Affect Eight Models of D-Link DWR Routers

(October 17 & 18, 2018)

Eight D-Link DWR series routers have vulnerabilities that could be exploited to take complete control of the devices. D-Link says it plans on issuing fixes for just two of the affected routers: DWR-111 and DWR-116. The other routers, DWR-140, -512, -640, -712, and -912, have reached end-of-life and will no longer receive updates. The flaws were detected in May 2018 and D-Link was notified.


[Editor Comments]


[Murray] These appear to be mostly wireless access points costing tens to low hundreds of dollars and numbering in the hundreds of thousands to millions. One might easily replace one for the cost of patching. In many instances, neither will happen.  


[Neely] Keep product lifecycle in mind, particularly with commodity products such as your router or firewall which will only receive updates for a finite period. While these will operate for many years, don't expect updates for more than 3-5 years, after which replacement is necessary.


Read more in:

Threatpost: Multiple D-Link Routers Open to Complete Takeover with Simple Attack

https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/

The Register: Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage

https://www.theregister.co.uk/2018/10/17/dlink_security_flaws/

Bleeping Computer: Bug Trio Affecting Eight D-Link Models Leads to Full Compromise

https://www.bleepingcomputer.com/news/security/bug-trio-affecting-eight-d-link-models-leads-to-full-compromise/

 
 

--

LuminosityLink Creator Sentenced to Prison

(October 15 & 17, 2018)

Colton Grubbs has been sentenced to 30 months in prison for creating and selling the LuminosityLink remote access tool (RAT). Earlier this year, Grubbs pleaded guilty to conspiracy to access a protected computer without authorization and obtain information; removal of property to prevent seizure; and conspiracy to commit money laundering. LuminosityLink has the capability to log keystrokes, switch on cameras and microphones, and view and download files.


Read more in:

The Register: LuminosityLink spyware mastermind gets 30 months in the clink, forfeits $725k in Bitcoin

https://www.theregister.co.uk/2018/10/17/luminositylink_rat_author/

ZDNet: Creator of remote access tool LuminosityLink sent behind bars

https://www.zdnet.com/article/creator-of-remote-access-tool-luminositylink-sent-behind-bars/

DOJ: Stanford Man Sentenced to 30 Months for Computer Intrusion Crimes

https://www.justice.gov/usao-edky/pr/stanford-man-sentenced-30-months-computer-intrusion-crimes

 
 

--

Anthem to Pay US$16 Million in Breach Settlement

(October 17, 2018)

Anthem has agreed to pay US$16 million to the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to settle potential HIPAA violations arising from a 2015 breach that compromised data belonging to 80 million current and former patients. The data included member IDs and Social Security numbers, email addresses, employment information and income data.


[Editor Comments]


[Neely] Regrettably, the majority of this settlement goes to cover legal and court fees. Customers with exposed information were offered two years of credit monitoring back in 2015; the lawsuit sought to extend that to four years. For status on the settlement, check the settlement web site: http://www.databreach-settlement.com


[Honan] Considering Anthem's annual revenue for 2017 was US$90 Billion, a US$16 million fine is pocket change. This is why a regulation like the General Data Protection Regulation, which can inflict fines of up to 4% of a company's annual turnover, is making businesses sit up and take notice of their responsibility for securing the personal data entrusted to them by their customers.


Read more in:

SC Magazine: Anthem to pay record $16M for 2015 data breach

https://www.scmagazine.com/home/security-news/anthem-to-pay-record-16m-for-2015-data-breach/

HHS: Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html

 
 

--

Oracle Patches More than 300 Security Issues

(October 16 & 17, 2018)

Oracle has released its October Critical Patch Update, which addresses 301 vulnerabilities across the company's products, including Oracle Database, E-Business Suite, and Fusion Middleware. Forty-five of the flaws have CVSS severity ratings of 9.8.


[Editor Comments]


[Neely] Ingesting a large patch set can be overwhelming. It is important to note these patches are spread across multiple products, not just the database, so breaking down the patches by product is necessary for success. Because so many flaws have high severity ratings, and can be remotely exploited, expeditious regression testing and deployment is prudent, particularly on externally facing systems.


Read more in:

Threatpost: Oracle Fixes 301 Flaws in October Critical Patch Update

https://threatpost.com/oracle-fixes-301-flaws-in-october-critical-patch-update/138407/

The Register: Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then

https://www.theregister.co.uk/2018/10/16/oracle_patch_bundle/

SC Magazine: Oracle security updates contains 45 critical-rated vulnerability

https://www.scmagazine.com/home/security-news/oracle-security-updates-contains-45-critical-rated-vulnerability/

Oracle: Oracle Critical Patch Update Advisory - October 2018

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

 
 

--

US Federal Government DMARC Adoption Rate

(October 16, 2018)

US federal government agencies and departments had until October 16, 2018, to comply with a Department of Homeland Security (DHS) directive requiring them to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC) with the highest security settings. According to statistics from Proofpoint, on October 15, more than 60 percent of agencies were compliant with the directive and another 10 percent had implemented DMARC but had not set the policy to reject suspicious email. Statistics from Agari indicate that DMARC adoption is at 85 percent, but just 74 percent have set the reject policy.


[Editor Comments]


[Neely] Getting to a DMARC policy of reject of 100% is a process, and if you're struggling, purchasing a DMARC report analysis service can not only help you identify remaining issues, but they also have a playbook to get to the needed policy as well as assistance for tracking down quarantined or rejected messages. This will also help you identify external sources, authorized or otherwise, sending email on your behalf that need to be addressed. Be sure that any host with an MX record also has a corresponding SPF entry and your SMTP servers all require TLS. If you're still concerned about losing legitimate email, enable DMARC checks for inbound email as a separate project. DHS is closely monitoring progress against BOD 18-01, and demanding agencies reach 100% alignment, with the implied threat of budgetary impact for non-compliance.


[Paller] DHS compliance is entirely ineffective. DHS can apply no motivating consequences for non-compliance. But compliance is an unimportant reason for full DMARC implementation. Finishing DMARC implementation will let recipients of email from your site verify it is actually coming from your site. That verification will almost entirely protect your customers or citizens from getting fake (ransomware, phishing, destructive) emails that purport to come from your domain. That's worth avoiding because it will keep you from the embarrassment of negative exposure on the front page of the Washington Post (which IS an effective motivator). And if that's not enough, how about not hurting your constituents?


Read more in:

FCW: Federal DMARC compliance spikes up

https://fcw.com/articles/2018/10/16/dmarc-update-federal-domains.aspx

Bleeping Computer: U.S. Gov Agencies Fail to Fully Embrace DMARC Email Security Policy

https://www.bleepingcomputer.com/news/security/us-gov-agencies-fail-to-fully-embrace-dmarc-email-security-policy/
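The news item and Neely's comment above describe three checks that decide where a domain stands: whether a DMARC record exists at all, whether its policy is a full p=reject (a pct below 100 only rejects a sample of failing mail), and whether every MX host has its own SPF record. The script below, an added example that is not from SANS, DHS, Proofpoint or Agari, performs those checks over a small set of constructed DNS answers for hypothetical .example domains and rolls them up into the "DMARC present" versus "at reject" counts the article quotes. The SAMPLE_TXT and SAMPLE_MX tables stand in for resolver lookups so the script runs offline; swapping in real TXT and MX queries is the only change needed to run it against an actual domain list.

```python
"""Assess DMARC and SPF posture of a set of domains against a p=reject target.

Added example, not code from SANS or from the sources cited in the news item.
The DNS answers below are constructed in-line so the script runs offline; a
real tool would replace SAMPLE_TXT / SAMPLE_MX with TXT and MX lookups from
a resolver.
"""

# Constructed DNS TXT answers keyed by query name (hypothetical .example domains).
SAMPLE_TXT = {
    "_dmarc.agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "_dmarc.agency-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example"],
    "_dmarc.agency-c.example": ["v=DMARC1; p=reject; pct=50"],
    # agency-d.example publishes no DMARC record at all
    "agency-a.example": ["v=spf1 mx -all"],
    "mail.agency-a.example": ["v=spf1 a -all"],
    "agency-b.example": ["v=spf1 include:_spf.example.net ~all"],
    # mail.agency-b.example is an MX host with no SPF record of its own
    "agency-c.example": ["v=spf1 mx -all"],
    "agency-d.example": [],
}

# Constructed MX answers keyed by domain.
SAMPLE_MX = {
    "agency-a.example": ["mail.agency-a.example"],
    "agency-b.example": ["mail.agency-b.example"],
    "agency-c.example": [],
    "agency-d.example": [],
}


def parse_tags(record):
    """Split a 'k=v; k2=v2' style DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(domain, txt=SAMPLE_TXT):
    """Return one of: missing, none, quarantine, reject, reject-partial, invalid."""
    records = [r for r in txt.get("_dmarc." + domain, [])
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return "missing"
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy == "reject":
        # pct below 100 means only a sample of failing mail is actually rejected
        return "reject" if tags.get("pct", "100") == "100" else "reject-partial"
    if policy in ("none", "quarantine"):
        return policy
    return "invalid"


def has_spf(name, txt=SAMPLE_TXT):
    """True if the name publishes a v=spf1 TXT record."""
    return any(r.lower().startswith("v=spf1") for r in txt.get(name, []))


def mx_hosts_without_spf(domain, mx=SAMPLE_MX, txt=SAMPLE_TXT):
    """MX hosts lacking their own SPF record (they send bounces under their own name)."""
    return [host for host in mx.get(domain, []) if not has_spf(host, txt)]


def assess(domain, mx=SAMPLE_MX, txt=SAMPLE_TXT):
    """Per-domain findings; 'compliant' means full p=reject plus SPF wherever it is needed."""
    status = dmarc_status(domain, txt)
    missing_mx_spf = mx_hosts_without_spf(domain, mx, txt)
    return {
        "domain": domain,
        "dmarc": status,
        "spf_on_domain": has_spf(domain, txt),
        "mx_without_spf": missing_mx_spf,
        "compliant": status == "reject" and has_spf(domain, txt) and not missing_mx_spf,
    }


def adoption_stats(domains, mx=SAMPLE_MX, txt=SAMPLE_TXT):
    """Counts in the shape the news item reports: any DMARC record vs. full reject."""
    results = [assess(d, mx, txt) for d in domains]
    present = sum(1 for r in results if r["dmarc"] != "missing")
    rejecting = sum(1 for r in results if r["dmarc"] == "reject")
    return {"total": len(results), "dmarc_present": present, "reject": rejecting}


if __name__ == "__main__":
    for d in sorted(SAMPLE_MX):
        print(assess(d))
    print(adoption_stats(sorted(SAMPLE_MX)))
```

Of the four constructed domains, only agency-a reaches "compliant": agency-b sits at p=none and has an MX host without SPF, agency-c has p=reject but only at pct=50, and agency-d has no DMARC record. Treating reject-partial as non-compliant is deliberate, since a partial percentage leaves a share of spoofed mail deliverable while reports suggest the job is done.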

 
 

--

Google Releases Chrome 70

(October 16, 2018)

On Tuesday, October 16, Google released Chrome 70 to the stable channel. The newest version of the browser has a setting option that allows users to decide whether to allow automatic Chrome sign-in when they log into a Google account. The option was added after Google was criticized for logging users into Chrome when they logged into a Google website. The option is on by default. Chrome 70 also includes the final version of the TLS 1.3 standard.    


[Editor Comments]


[Neely] The option to sign into Chrome when accessing other Google services such as Gmail is enabled by default. Additionally there is now an option to easily see if you're syncing content or not, as well as what options are being synchronized.


Read more in:

ZDNet: Chrome 70 released with revamped Google account login system

https://www.zdnet.com/article/chrome-70-released-with-revamped-google-account-login-system/

Chrome: Stable Channel Update for Desktop

https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html

 
 

--

North Carolina Water Utility Hit with Ransomware

(October 15, 2018)

The internal computer system at North Carolina's Onslow Water and Sewer Authority (ONWASA) became infected with ransomware on Saturday, October 13, 2018. The incident has forced the company to take customer service features offline and it says it will need to rebuild its computing infrastructure. For the time being, all ONWASA offices and plants will operate manually; water and wastewater services for homes and businesses will not be interrupted. The attack comes on the heels of Hurricane Florence, which ravaged the area last month.


[Editor Comments]


[Murray] Healthcare, small utilities, and municipalities are now the preferred targets for these extortion attacks. These attacks exploit the default access control rule of read/write/execute. Enterprise data should be stored only on servers with read-only or execute-only as the default access rules for most objects. Ransomware also requires a backup and restore capability that permits recovery of all data in hours.  


Read more in:

Cyberscoop: Ransomware hits computer networks of North Carolina water utility

https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/

ONWASA: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area

https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A


 

INTERNET STORM CENTER TECH CORNER

Oracle CPU

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html


libssh vulnerability

https://www.libssh.org/security/advisories/CVE-2018-10933.txt


Vending Machine Mobile App Compromise

https://hackernoon.com/how-i-hacked-modern-vending-machines-43f4ae8decec


Cisco Patches

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2018%2F10%2F17&firstPublishedEndDate=2018%2F10%2F17&lastPublishedStartDate=2018%2F10%2F17&lastPublishedEndDate=2018%2F10%2F17


51% Attack Against Crypto Currencies

https://old.reddit.com/r/CryptoCurrency/comments/9m1uuj/if_i_livestreamed_the_setup_and_execution_of/


VMware Patch

https://www.vmware.com/au/security/advisories/VMSA-2018-0026.html


Multiple D-Link Vulnerabilities

https://seclists.org/fulldisclosure/2018/Oct/36


RID Hijacking in Windows (PDF)

https://www.romhack.io/slides/RomHack%202018%20-%20Sebastian%20Castro%20-%20Windows%20RID%20Hijacking:%20Maintaining%20Access%20on%20Windows%20Machines.pdf


Browsers Announce Timeline to Discontinue TLS 1.0/1.1 Support

https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/

https://security.googleblog.com/2018/10/modernizing-transport-security.html

https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/


Abandoned "NewShareCount" Twitter Counter abused

https://blog.sucuri.net/2018/10/malicious-redirects-from-newsharecounts-com-tweet-counter.html

 
 
 
 


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create