SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #85

October 26, 2018

NYT: Russia and China Eavesdropping on Trump's iPhone Calls; Two New Developer Supply Chain Attacks; Okay to Pay Ransomware Demand?


****************************************************************************

SANS NewsBites              October 26, 2018                Vol. 20, Num. 85

****************************************************************************


TOP OF THE NEWS


 NYT: Russia and China Eavesdropping on US President's iPhone Calls

  Two New Developer Supply Chain Attacks

  When is it Okay to Pay Ransomware Demands?


REST OF THE WEEK'S NEWS


  Election Security Discussion

  ICS-CERT Warns of Security Flaw in Some Telecrane Construction Cranes

  Second-Hand Voting Machines Hold a Trove of Secrets

  UK ICO Fines Facebook 500,000 for Cambridge Analytica Data Debacle

  Cathay Pacific Acknowledges Passenger Data Breach

  Mozilla Releases Firefox 63

  DOD Expands Bug Bounty Program

  FireEye: Triton Malware Has Ties to Russia

  You're Not Imagining It: Civilization is Flickering, Part 2


INTERNET STORM CENTER TECH CORNER

 

****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

    

-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018


-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018


-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018


-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018


-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018


-- Tactical Detection Summit 2018 | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018


-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends October 31.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/



-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*************************** Sponsored By ProofPoint  ************************


Email fraud is impacting companies worldwide, regardless of their size and industry.  And what's more, fraudsters are not only targeting your employees, but your customers and partners as well.  Don't Miss: "How to Build Your Modern Email Fraud Defense" with Dave Hoelzer.  Learn more:  http://www.sans.org/info/207740


*****************************************************************************

TOP OF THE NEWS

 

--

NYT: Russia and China Eavesdropping on US President's iPhone Calls

(October 24 & 25, 2018)

According to a report in the New York Times, US intelligence reports that Chinese spies frequently listen in on the president's iPhone conversations. Aides have warned the president that the iPhones he is using are not secure and that Russian spies are also eavesdropping. The president has denied the claims in a tweet.


Read more in:

NYT: When Trump Phones Friends, the Chinese and the Russians Listen and Learn

https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html

SC Magazine: Russia, China listening in on Trump's private mobile phone conversations, report

https://www.scmagazine.com/home/security-news/russia-china-listening-in-on-trumps-private-mobile-phone-conversations-report/

Ars Technica: NYT: Chinese and Russian spies routinely eavesdrop on Trump's iPhone calls

https://arstechnica.com/tech-policy/2018/10/nyt-chinese-and-russian-spies-routinely-eavesdrop-on-trumps-iphone-calls/


 

--

Two New Developer Supply Chain Attacks

(October 23, 2018)

Dan Goodin describes two supply-chain attacks affecting developers that have recently emerged. The first involves the VestaCP server management control panel interface: attackers managed to compromise VestaCP servers and maliciously alter an installer. The second involves a malicious module inserted into the Python programming language repository. The module is similarly named to a legitimate one and similar in function, except for an additional feature: a Visual Basic script that monitors server clipboards for signs that a user is about to make a payment using cryptocurrency. The script can then reroute the payment to a wallet owned by the attacker.


[Editor Comments]


[Pescatore] Open source software continues to be a weak spot in supply chain security efforts. The Linux Foundation Core Infrastructure Initiative moved quickly after the widely publicized vulnerabilities in OpenSSL and NTP, but at the application or tool level there is a huge amount of open source software in use. Many application security testing vendors have tools to inventory open source software in use and identify vulnerable versions.


Read more in:

Ars Technica: Two new supply-chain attacks come to light in less than a week

https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
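The "similarly named module" pattern in the supply-chain item above is something a build pipeline can screen for before installation. The following is an added example, not code from the NewsBites issue or from any project it cites: it parses a constructed pip requirements file and flags any dependency whose name is within a short edit distance of, but not identical to, a name on a constructed vetted-package allow-list.

```python
"""Flag dependency names that look like typosquats of vetted packages.

Added example. The allow-list and the requirements text below are
constructed for the demo; a real team would generate the allow-list from
its approved dependency inventory.
"""
from typing import Dict, List, Set, Tuple

# Constructed allow-list of package names the team has actually vetted.
VETTED_PACKAGES = {"requests", "urllib3", "colorama", "setuptools", "cryptography"}

# Constructed requirements file; two lines are deliberate look-alikes.
SAMPLE_REQUIREMENTS = """\
requests==2.20.0
urlib3==1.24
colourama==0.4.1
# build tooling
setuptools>=40.0
cryptography==2.3.1
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """PEP 503 style: case-insensitive; '-', '_' and '.' are equivalent."""
    return name.lower().replace("_", "-").replace(".", "-")


def parse_requirements(text: str) -> List[str]:
    """Return normalised package names from pip requirements text."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line
        # Cut the name at the first version specifier, extra or marker.
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
            name = name.split(sep, 1)[0]
        names.append(normalise(name))
    return names


def find_lookalikes(names: List[str], vetted: Set[str],
                    max_distance: int = 2) -> Dict[str, Tuple[str, int]]:
    """Map each suspicious name to the vetted name it resembles and the distance.

    Exact matches against the allow-list are trusted; names that are close
    but not equal to a vetted name are the typosquat candidates.
    """
    norm_vetted = {normalise(v) for v in vetted}
    suspicious: Dict[str, Tuple[str, int]] = {}
    for n in names:
        if n in norm_vetted:
            continue
        best = min(norm_vetted, key=lambda v: levenshtein(n, v))
        d = levenshtein(n, best)
        if 0 < d <= max_distance:
            suspicious[n] = (best, d)
    return suspicious


def check_requirements(text: str = SAMPLE_REQUIREMENTS) -> Dict[str, Tuple[str, int]]:
    """Run the screen over a requirements file and return the findings."""
    return find_lookalikes(parse_requirements(text), VETTED_PACKAGES)


if __name__ == "__main__":
    for name, (vetted, dist) in check_requirements().items():
        print(f"REVIEW: '{name}' is {dist} edit(s) from vetted package '{vetted}'")
```

A name that is far from every vetted package is not flagged by this screen; it is simply unknown and belongs in the normal review queue for new dependencies.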

 
 

--

When is it Okay to Pay Ransomware Demands?


(October 23, 2018)

Earlier this month, the town of West Haven, Connecticut paid a US $2,000 ransom to regain access to 23 servers that had been maliciously encrypted. While conventional wisdom holds that ransomware demands should not be paid, organizations that lack adequate backup procedures may find that paying the ransom is the most reliable way to regain access to their data. But paying the ransom is a gamble; less than half of ransomware victims that pay the demand are able to recover their data.


[Editor Comments]


[Pescatore] Whether to pay or not is a business decision, not a security decision. The key security input needs to be: "Whether we pay or not, we still have to make changes to fix the failure that enabled the ransomware (or other) attack to succeed." This is kind of similar to the cybersecurity issue: paying ransom or cyberinsurance premiums can reduce (not eliminate) the financial impact, but only for the first incident. After that you have a pre-existing condition that attracts more attacks and causes insurance companies to deny policy coverage.


[Honan] The NoMoreRansom website, hosted by Europol, has decryption keys for many of the known ransomware variants and other very useful tools for victims of ransomware attack. https://www.nomoreransom.org/en/index.html


[Neely] Availability of existing, published decryption keys should be considered before deciding to pay.

 

Read more in:

Threatpost: City Pays $2K in Ransomware, Stirs Never Pay Debate

https://threatpost.com/city-pays-2k-in-ransomware-stirs-never-pay-debate/138527/


 

**************************  SPONSORED LINKS  ********************************


1) Oracle Webcast: "How to use Machine Learning to protect Cloud Infrastructure"  Register:  http://www.sans.org/info/207745


2) Don't Miss: "Network Architecture with Security in Mind" with Matt Bromiley and Sam Kumarsamy.  Register:  http://www.sans.org/info/207750


3) Calling all security architects, SOC and IR managers: How automated and integrated are your security and IR processes? Take the SANS Survey | http://www.sans.org/info/207755


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--

Election Security Discussion

(October 25, 2018)

In part one of a two-part discussion series on election security, John Gilligan, chief executive at the Center for Internet Security (CIS), talks to CyberChat host Sean Kelley about security resources for state and local governments: "3 Steps to Secure Your Elections Infrastructure Today" and the Election Security Handbook. Other guests on the show include Matthew Masterson, senior cybersecurity advisor for Election Security at the Homeland Security Department, and Chris Wlaschin, former CISO at the Health and Human Services Department and current vice president of System Security for Election Systems and Software.


Read more in:

FNR: How secure is the election process?

https://federalnewsnetwork.com/cyber-chat/2018/10/how-secure-is-the-election-process/

CISecurity: 3 Steps to Secure Your Elections Infrastructure Today (PDF)

https://www.cisecurity.org/wp-content/uploads/2018/10/EI-ISAC-3-Steps-11-Oct.pdf

CISecurity: A Handbook for Elections Infrastructure Security

https://www.cisecurity.org/elections-resources/

 
 

--

ICS-CERT Warns of Security Flaw in Some Telecrane Construction Cranes

(October 23 & 25, 2018)

The US Department of Homeland Security's (DHS's) Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has released an advisory warning of an authentication bypass by capture-replay vulnerability in Telecrane F25 Series construction cranes. The flaw could be exploited to remotely take control of the equipment. Telecrane urges users to upgrade to the latest version of the firmware.


Read more in:

The Register: What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

https://www.theregister.co.uk/2018/10/25/crane_command_vulnerability/

ICS-CERT: Advisory (ICSA-18-296-03) Telecrane F25 Series

https://ics-cert.us-cert.gov/advisories/ICSA-18-296-03

 
 

--

Second-Hand Voting Machines Hold a Trove of Secrets

(October 25, 2018)

Symantec researcher Brian Varner bought used direct-recording electronic voting machines on eBay in 2016 and again several months ago. Not only did the machines have unwiped, unencrypted hard drives, but they also could be examined and reverse-engineered to discover ways to manipulate them to affect election outcomes. While other industries, such as healthcare and finance, have standards and regulations for handling sensitive information and equipment, election systems have no such regulations. Varner notes that there's an opportunity here to develop nationwide policies and security protocols that would govern how voting machines are secured.


[Editor Comments]


[Pescatore] These days, if something has a plug, connector or battery, then it is probably storing information that needs to be made inaccessible before surplussing out to jobbers who end up selling it online. Especially in critical infrastructure areas, equipment disposal/sanitizing guidelines need to apply to more than just PCs, servers, and printers.


[Neely] Most equipment now includes persistent storage of some kind. Equipment lifecycle processes must include media sanitization, not just for computers, laptops and smartphones, but for everything with storage. Equipment recyclers can provide certified clearing processes as well as a path outside the waste stream for usable equipment.


[Northcutt] Shared computers in hotel club lounges, printers at end of life with amazing volumes of data still stored: this happens again and again. We need to decide that anything that consumes electricity is a computer and have end-of-life data rules for the manufacturers of all computers to provide a final wipe function.


Read more in:

Wired: I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming

https://www.wired.com/story/i-bought-used-voting-machines-on-ebay/

 
 

--

UK ICO Fines Facebook 500,000 for Cambridge Analytica Data Debacle

(October 25, 2018)

The UK's Information Commissioner's Office (ICO) has fined Facebook £500,000 (US $641,000) over the Cambridge Analytica scandal. The fine is the maximum allowable under the law, as the breach occurred prior to the adoption of the General Data Protection Regulation (GDPR) in May 2018. According to the ICO, Facebook allowed app developers access to user data without clear consent. In fact, users who had not downloaded the app in question also had their information exposed to the developer if they were Facebook friends with someone who had downloaded the app. A researcher used the app to collect personal information belonging to an estimated 87 million Facebook users. Some of those data were allegedly sold to Cambridge Analytica, which allegedly used the information to create Facebook users' voter profiles.


[Editor Comments]


[Honan] The £500,000 fine is the highest fine available under the old UK Data Protection regime to the ICO. Under the EU GDPR the maximum fine can now range up to €20,000,000 or 4% of the organisation's annual turnover.

 

Read more in:

BBC: Facebook fined £500,000 for Cambridge Analytica scandal

https://www.bbc.com/news/technology-45976300

ZDNet: Facebook must pay UK's ICO £500,000 over Cambridge Analytica scandal

https://www.zdnet.com/article/facebook-must-pay-uks-ico-500000-over-cambridge-analytica-scandal/

ICO: ICO issues maximum £500,000 fine to Facebook for failing to protect users' personal information

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/facebook-issued-with-maximum-500-000-fine/

 
 

--

Cathay Pacific Acknowledges Passenger Data Breach

(October 24 & 25, 2018)

Hong Kong-based Cathay Pacific Airways has acknowledged a security breach that exposed the personal information of as many as 9.4 million passengers. The compromised data include names, nationalities, dates of birth, email and physical addresses, passport numbers, Hong Kong ID card numbers, frequent flyer membership numbers, and travel data.


[Editor Comments]


[Neely] Cathay Pacific took immediate steps to contain the breach and provide information to passengers. The airline is offering credit monitoring services to affected passengers. They appear to have missed the reporting windows required by GDPR, which may result in a hefty fine.


Read more in:

The Register: Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare

https://www.theregister.co.uk/2018/10/25/cathay_pacific_hacked_up_to_94_million_passenger_deets_exposed/

SC Magazine: Cathay Pacific data breach exposes PII of 9.4 million customers

https://www.scmagazine.com/home/security-news/cathay-pacific-data-breach-exposes-pii-of-9-4-million-customers/

Cathay Pacific: Cathay Pacific announces data security event affecting passenger data

https://news.cathaypacific.com/cathay-pacific-announces-data-security-event-affecting-passenger-data

Infosecurity Cathay Pacific: Data security event (information for passengers)

https://infosecurity.cathaypacific.com/en_HK.html

 
 

--

Mozilla Releases Firefox 63

(October 24, 2018)

On Tuesday October 23, Mozilla released Firefox 63. The newest version of the browser includes an Enhanced Tracking Protection feature that gives users the option to block cookies and storage access from third-party trackers. Firefox 63 also includes fixes for 14 security issues, including several critical memory safety bugs. 


[Editor Comments]


[Neely] This version also includes fixes for cross origin security violations. These fixes are also rolled into Firefox ESR 60.3.0.


Read more in:

eWeek: Mozilla Enhances Tracking Protection in Firefox 63

http://www.eweek.com/security/mozilla-enhances-tracking-protection-in-firefox-63

Mozilla: Version 63.0, first offered to Release channel users on October 23, 2018

https://www.mozilla.org/en-US/firefox/63.0/releasenotes/

Mozilla: Security vulnerabilities fixed in Firefox 63

https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/

 
 

--

DOD Expands Bug Bounty Program

(October 24, 2018)

The US Department of Defense (DOD) is expanding its bug bounty program to include additional systems for participants to test, including more critical systems. DOD is also taking on two new partners in the endeavor. Previous DOD bug bounties have been managed by HackerOne; they will now be joined by Synack and Bugcrowd. The first DOD bug bounty program, Hack the Pentagon, was launched in 2016. Since then the programs have identified 5,000 vulnerabilities that DOD has fixed.


[Editor Comments]


[Pescatore] Well-managed bug bounty programs (with well-managed being the key phrase) have shown great value. The DoD has done a great job expanding and managing these programs since SANS gave them a Difference Makers award in 2016.


Read more in:

Fifth Domain: DoD bug bounty program to expand to more sensitive systems

https://www.fifthdomain.com/dod/2018/10/24/dod-bug-bounty-program-to-expand-to-more-sensitive-systems/

Defense Systems: DOD awards new bug bounty contracts

https://defensesystems.com/articles/2018/10/24/dod-bug-bounty-awards.aspx

 
 

--

FireEye: Triton Malware Has Ties to Russia

(October 23, 2018)

Cybersecurity company FireEye says that the Triton industrial control system (ICS) malware, which was used to launch an attack against an energy company in the Middle East last year, has been linked to Russia. In a blog post, FireEye says that there are several clues that tie at least one component of the malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a government-owned research institute.


Read more in:

FireEye: TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

Wired: Russia Linked to Disruptive Industrial Control Malware

https://www.wired.com/story/triton-malware-russia-industrial-controls/

The Register: That Saudi oil and gas plant that got hacked. You'll never guess who could... OK, it's Russia

https://www.theregister.co.uk/2018/10/24/triton_malware_attack/

SC Magazine: FireEye attributes TRITON ICS attack to Russian

https://www.scmagazine.com/home/security-news/fireeye-attributes-triton-ics-attack-to-russian/

Cyberscoop: FireEye links Russia-owned lab to group behind Trisis

https://www.cyberscoop.com/trisis-russia-fireeye/?category_news=technology

 
 

--

You're Not Imagining It: Civilization is Flickering, Part 2

(October 24, 2018)

In part two of his blog post about threats to the power grid, Michael Assante writes, "We must work to deter threat actors, manage the risks associated with infrastructure disruptions, and develop/test effective responses to failures. It is time to stop debating the threat or incident of the day and work toward more fully understanding the problems we face, and developing and broadly deploying solutions -- however imperfect -- to minimize potential consequences and quickly return systems to a normal reliable functioning state."


Read more in:

RSA Conference:

You're Not Imagining It: Civilization is Flickering, Part 2

https://www.rsaconference.com/blogs/youre-not-imagining-it-civilization-is-flickering-part-2

 

INTERNET STORM CENTER TECH CORNER


Malware Uses Decoy Picture

https://isc.sans.edu/forums/diary/Malicious+Powershell+using+a+Decoy+Picture/24234/


DNS over HTTPS Pushback

https://twitter.com/paulvixie/status/1053765281917661184


Signal Desktop Leaves Encryption Key Exposed

https://twitter.com/nathanielrsuchy


Firefox 63 Allows Less Tracking

https://blog.mozilla.org/security/2018/10/23/firefox-63-lets-users-block-tracking-cookies/


Reversing AutoIT

https://isc.sans.edu/forums/diary/Diving+into+Malicious+AutoIT+Code/24238/


More ALPC Flaws from Sandbox Escaper

https://twitter.com/SandboxEscaper/status/1054744201244692485

https://twitter.com/mkolsek/status/1054794984908562432


Arcserve Vulnerabilities

https://www.digitaldefense.com/blog/zero-day-alerts/arcserve-disclosure/


WebExec Vulnerability

https://webexec.org/


Scam Calls Targeting Chinese Living in the US

https://isc.sans.edu/forums/diary/Fake+BankPost+Office+Phone+Calls+Targeting+Chinese+Immigrants/24244/


X.Org Privilege Elevation Flaw

https://lists.x.org/archives/xorg-announce/2018-October/002927.html


Remote Videos in Office Documents

https://blog.cymulate.com/abusing-microsoft-office-online-video


Mac Malware Injects Ads

https://blog.malwarebytes.com/threat-analysis/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection/


 
 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create