SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #86
October 30, 2018
****************************************************************************
SANS NewsBites October 30, 2018 Vol. 20, Num. 86
****************************************************************************
TOP OF THE NEWS
FTC Website Has Free Cybersecurity Resources for Small Businesses
REST OF THE WEEK'S NEWS
UN Special Rapporteur for Privacy Calls for Australia's Encryption Bill to be Set Aside
Signal App Tests Sealed Sender Feature
OPM: Proposed Rule Change Would Give Agency Heads Direct Hire Authority
Library of Congress Adds New DMCA Section 1201 Exemptions, Renews Others
Windows Defender Now Has Sandbox Mode
New Jersey Court Orders Mirai Creator to Pay US$8.6 Million in Restitution
Wyden: Government Websites Need Encryption Help from DHS
Cathay Pacific Employs Experian to Help in Breach Aftermath
X.Org Privilege Escalation Flaw
New America Report Proposes Volunteer Civilian Cybersecurity Corps
McAfee Finds Some US County Election Websites Easily Spoofed
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018
-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- Tactical Detection Summit 2018 | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends October 31.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
***************** Sponsored By Absolute Software Corp. **************************
Keep cybersecurity incidents from happening by developing a cyber-threat checklist with SANS Analyst and Instructor, Alissa Torres, and Absolute Software in their upcoming webcast.
Register here: http://www.sans.org/info/207805
***********************************************************************************
TOP OF THE NEWS
--
Election Security by State
(October 2018)
SC Magazine's Election Coverage includes state-by-state reports that look at each state's struggles and successes, as well as how they are spending federal funds earmarked for election security. In the ZDNet story, DHS Under Secretary for the National Protection and Programs Directorate (NPPD) Christopher Krebs observes that the plethora of free election security tools and services on offer has overwhelmed and confused some state and local election officials. Krebs suggested that in the future the offerings could be made available through DHS, which could help clarify what the tools are and how they can be used.
Read more in:
SC Magazine: Election Coverage
https://www.scmagazine.com/home/security-news/government-and-defense/election-coverage/
ZDNet: DHS: Election officials inundated, confused by free cyber-security offerings
--
FTC Website Has Free Cybersecurity Resources for Small Businesses
(October 26, 2018)
The US Federal Trade Commission (FTC) has launched a website that offers free cybersecurity resources for small businesses. The content was generated in part in response to conversations FTC officials held during a listening tour with small and mid-sized businesses. Website topics include vendor security, ransomware, email authentication, and understanding the National Institute of Standards and Technology (NIST) Cybersecurity Framework. FTC created the website along with US Department of Homeland Security (DHS), NIST, and the Small Business Administration (SBA).
[Editor Comments]
[Pescatore] The UK NCSC has a similarly useful site that I often point EU small businesses to: https://www.ncsc.gov.uk/smallbusiness
Read more in:
Dark Reading: FTC Offers Small Businesses Free Cybersecurity Resources
FTC: Cybersecurity for Small Businesses
https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
************************** SPONSORED LINKS ********************************
1) Learn 8 critical network architecture principles that will strengthen your security defenses with SANS' Matt Bromiley and Corelight.
Register here: http://www.sans.org/info/207815
2) See how machine learning technology can protect cloud infrastructure in Oracle's upcoming webcast.
Register here: http://www.sans.org/info/207820
3) Calling all security architects, SOC and IR managers: How automated and integrated are your security and IR processes? Take the SANS Survey | http://www.sans.org/info/207825
*****************************************************************************
REST OF THE WEEK'S NEWS
--
UN Special Rapporteur for Privacy Calls for Australia's Encryption Bill to be Set Aside
(October 29, 2018)
Calling Australia's proposed Assistance and Access Bill "fatally flawed," United Nations Special Rapporteur on the right to privacy Joe Cannataci called for the bill to be put aside. In a submission to Australia's Parliamentary Joint Committee on Intelligence and Security, Cannataci writes that in his considered view, "the bill is a poorly-conceived national security measure that is equally likely to endanger security as not." He also questions the technical feasibility of the bill achieving its goals without introducing cybersecurity vulnerabilities to myriad Internet-connected devices. "Its aims do not justify a lack of judicial oversight, or independent monitoring, or the extremely troubling lack of transparency."
[Editor Comments]
[Pescatore] Mr. Cannataci's Special Rapporteur mandate is to focus on privacy issues, and most of his arguments do just that. But his understated point that the bill is "equally likely to endanger security as not" does point to the likelihood that attempts to mandate backdoors in technology will lead to "introducing vulnerabilities to the cybersecurity of all devices irrespective of whether they are mobiles, tablets, watches, cars, etc." As I've pointed out here numerous times, the number of times per year that encryption hinders law enforcement or national defense is a small fraction of the number of yearly breaches that would have been foiled if strong encryption was routinely used.
[Neely] While proponents of such legislation are quick to come up with examples of how decryption capabilities would have helped them, it is much harder to measure the number of times properly encrypted information prevented unauthorized access, modification or distribution of information. Consideration also has to be given to the impacts from businesses who choose not to perform transactions in a country where decryption may happen.
Read more in:
ZDNet: Australian encryption-busting Bill fatally flawed: UN Special Rapporteur
Computerworld: Government's encryption bill fatally flawed, UN privacy watchdog says
OHCHR: Mandate of the Special Rapporteur on the right to privacy
https://www.ohchr.org/Documents/Issues/privacy/O_LAUS_6.2018.pdf
--
Signal App Tests Sealed Sender Feature
(October 29, 2018)
The Signal encrypted messaging app is testing a feature that will let users encrypt the sender's identity. Signal already takes pains to minimize the data that it retains about Signal users. Sealed Sender will hide the sender's identity within the encrypted envelope of the message. The feature is currently in beta release.
Read more in:
Wired: Signal Has a Clever New Way to Shield Your Identity
https://www.wired.com/story/signal-sealed-sender-encrypted-messaging/
Cyberscoop: Signal Messenger tests feature to encrypt sender identity along with message
https://www.cyberscoop.com/signal-encryption-sealed-sender-beta/?category_news=technology
TechCrunch: Signal rolls out a new privacy feature making it tougher to know a sender's identity
https://techcrunch.com/2018/10/29/signal-sealed-sender-feature-messaging-security/
Signal: Technology preview: Sealed sender for Signal
https://signal.org/blog/sealed-sender/
--
OPM: Proposed Rule Change Would Give Agency Heads Direct Hire Authority
(October 29, 2018)
The US Office of Personnel Management (OPM) is proposing a rule change that would give federal agency heads direct hire authority (DHA) for IT positions. OPM deems the rule change necessary to implement Executive Order (E.O.) 13833, "Enhancing the Effectiveness of Agency Chief Information Officers," which requires OPM to issue proposed regulations "delegating to the head of a covered agency authority necessary to determine whether there is a severe shortage of candidates or a critical hiring need for information technology (IT) positions under certain conditions, sufficient to justify a DHA." The intended effect of this change is to enhance the Government's ability to recruit needed IT professionals.
[Editor Comments]
[Neely] Currently only OPM can approve direct hiring authority. This change would allow agency heads to make the determination while OPM retains an oversight role, which will make it easier to respond to directives that need a surge in IT and Cyber resources.
Read more in:
FedScoop: OPM to delegate IT direct hire authority to agency heads
https://www.fedscoop.com/opm-delegate-direct-hire-authority-agency-heads/
Federal Register: A Proposed Rule by the Personnel Management Office on 10/29/2018
https://www.federalregister.gov/documents/2018/10/29/2018-23340/examining-system
--
Library of Congress Adds New DMCA Section 1201 Exemptions, Renews Others
(October 29, 2018)
Last week, the US Library of Congress renewed several exemptions to Section 1201 of the Digital Millennium Copyright Act (DMCA) and added several new ones. DMCA Section 1201 makes it illegal to circumvent digital copyright protection. The Electronic Frontier Foundation (EFF) says the new exemptions do not go far enough.
[Editor Comments]
[Pescatore] Whenever I see "didn't go far enough" on some change in legislation, it usually means there is some other side of the argument saying "it went too far," and indicates compromise, which seems like a quaint idea these days. DMCA definitely needed changes, but most of the angst has been about theoretical or anecdotal issues vs. major impediments to legitimate researchers' needs or individual users' actions. The proposed measures are a good step in the right direction. The next review is three years away (I think), a good point to see if further changes are needed.
[Northcutt] Please scan the EFF article below. Imagine buying an expensive machine only to have the manufacturer able to take legal action against you because you fixed it when it broke a couple of weeks past the warranty. I had to replace my washing machine, dryer, dishwasher and refrigerator this year; all were 9 years old. The next refresh cycle they will cost as much as economy cars; you bet I want the right to repair them.
Read more in:
Motherboard: Feds Expand Security Researchers' Ability to Hack Without Going to Jail
Ars Technica: Researchers can now legally restore abandoned online game servers
EFF: New Exemptions to DMCA Section 1201 Are Welcome, But Don't Go Far Enough
Federal Register: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies
--
Windows Defender Now Has Sandbox Mode
(October 26 & 29, 2018)
Microsoft has added a sandbox mode feature to its Windows Defender antivirus tool. The feature is currently available in early versions of Windows 10 for users in the Windows Insider program. There is also a way for those who are not in the Windows Insider program to enable the feature.
[Editor Comments]
[Neely] Windows Defender Sandbox mode is for Windows 10 1703 or later. The current business Semi-Annual Channel (Targeted) release is 1809. The sandboxing feature can be enabled for users not in the Windows Insider program by setting a system-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and rebooting.
[Murray] What we really need to sand-box are browsers and mail clients.
Read more in:
TechRadar: Windows Defender set to become more secure with sandbox mode
https://www.techradar.com/amp/news/windows-defender-set-to-become-more-secure-with-sandbox-mode
CloudBlogs.microsoft: Windows Defender Antivirus can now run in a sandbox
--
New Jersey Court Orders Mirai Creator to Pay US$8.6 Million in Restitution
(October 26, 2018)
On Friday, October 26, a federal judge in Trenton, New Jersey ordered Paras Jha, one of the people responsible for the Mirai botnet, to pay US$8.6 million in restitution for using Mirai to launch distributed denial-of-service (DDoS) attacks against systems at Rutgers University while he was a student there. Jha was also sentenced to 2,500 hours of community service and six months of home confinement. In September 2018, a federal court in Alaska ordered Jha and two co-conspirators each to pay US$127,000 for their roles in creating Mirai, a botnet that harnessed the power of Internet of Things (IoT) devices to conduct DDoS attacks. The three were also sentenced to 2,500 hours of community service and five years of probation. Prosecutors in Alaska said that Jha and his two co-conspirators did not deserve prison sentences because they had fully cooperated with the government and had helped with cybercrime investigations.
Read more in:
KrebsOnSecurity: Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks
Reuters: Mirai botnet hacker ordered to pay $8.6 million in damages
Cyberscoop: University DDoS attack leads to $8.6 million fine, house arrest for New Jersey man
https://www.cyberscoop.com/mirai-botnet-rutgers-sentencing/
--
Wyden: Government Websites Need Encryption Help from DHS
(October 24 & 26, 2018)
In a letter to Christopher Krebs, Undersecretary for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS), Senator Ron Wyden (D-Oregon) urges DHS to help agencies encrypt government website traffic. Some metadata is transmitted unencrypted, meaning that attackers can intercept or hijack the unprotected metadata, tricking users into visiting a malicious site or spying on their activities. Wyden suggests requiring agencies to encrypt federal employees' Domain Name System (DNS) queries, and having the GSA require companies to enable Encrypted Server Name Indication (ESNI) as a condition of selling content distribution network (CDN) service to the US government.
Read more in:
Wyden: October 24, 2018 letter to DHS
https://www.wyden.senate.gov/imo/media/doc/wyden-encrypted-sni-letter-to-dhs.pdf
Cyberscoop: Government website encryption needs help from DHS, Sen. Wyden says
https://www.cyberscoop.com/encryption-federal-government-websites-dhs-ron-wyden/
DHS: Binding Operational Directive 18-01: Enhance Email and Web Security (October 16, 2017)
https://cyber.dhs.gov/bod/18-01/
--
Cathay Pacific Employs Experian to Help in Breach Aftermath
(October 26, 2018)
Cathay Pacific Airways has hired Experian to provide credit monitoring services to 9 million customers whose personal data were compromised in a data breach the airline disclosed last week. Cathay Pacific first detected the breach in March 2018, but did not publicly disclose it until October 24. Experian experienced its own data breach in 2015, when an internal server holding personal information of 15 million people was compromised.
Read more in:
Bloomberg: Cathay Enlists Firm Once Sued for Data Breach to Help After Hack
KrebsOnSecurity: Experian Breach Affects 15 Million Consumers (October 2, 2015)
https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/
--
X.Org Privilege Escalation Flaw
(October 25 & 26, 2018)
A privilege escalation and file overwrite vulnerability in the X.Org X server affects versions 1.19 and later. The X server is used in most Linux and OpenBSD distributions that have a GUI. The flaw is trivial to exploit. A patch for the flaw was added to the xserver repository on October 25. X.Org also offers a workaround for instances when immediate patching is not feasible or a patch is unavailable.
Read more in:
Threatpost: X.Org Flaw Allows Privilege Escalation in Linux Systems
https://threatpost.com/x-org-flaw-allows-privilege-escalation-in-linux-systems/138624/
Ars Technica: Easy-to-exploit privilege escalation bug bites OpenBSD and other big name OSes
Bleeping Computer: Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems
Lists.x.org: X.Org security advisory: October 25, 2018
https://lists.x.org/archives/xorg-announce/2018-October/002927.html
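An added audit helper for the item above (written here, not taken from the X.Org advisory or from the newsletter): it reports whether an installed X.Org server is in the affected range (1.19 and later) and is installed setuid root, which is the combination an administrator would want to find before the patch lands. It assumes "Xorg -version" prints a banner line of the form "X.Org X Server 1.20.1" and that the binary is at $XORG_BIN (override through the environment).

```shell
#!/bin/sh
# Added audit helper, not part of the X.Org advisory or of SANS NewsBites.
# Assumptions: "Xorg -version" writes a line such as "X.Org X Server 1.20.1"
# (to stderr), and the server binary lives at $XORG_BIN.

XORG_BIN="${XORG_BIN:-/usr/bin/Xorg}"

# Extract "1.20.1" from a banner such as "X.Org X Server 1.20.1"; empty if none.
xorg_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when MAJOR.MINOR is 1.19 or later, the range named in the item.
xorg_affected_version() {
    major=${1%%.*}
    rest=${1#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 19 ]; }
}

# True when PATH is owned by root and carries the setuid bit.
is_setuid_root() {
    [ -n "$(find "$1" -prune -user root -perm -4000 2>/dev/null)" ]
}

# Print a verdict for the server at PATH. Returns 1 only when the version is
# in range AND the binary is setuid root, so the script can drive a fleet check.
xorg_check() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "no X.Org server at $bin; nothing to check"
        return 0
    fi
    banner=$("$bin" -version 2>&1 | grep '^X\.Org X Server' | head -n 1)
    ver=$(xorg_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not read a version banner from $bin; check manually"
        return 0
    fi
    if xorg_affected_version "$ver" && is_setuid_root "$bin"; then
        echo "$bin is $ver and setuid root: patch, or apply the advisory's workaround"
        return 1
    fi
    echo "$bin is $ver; setuid root: $(is_setuid_root "$bin" && echo yes || echo no); not in the affected configuration"
    return 0
}

if xorg_check "$XORG_BIN"; then :; fi
```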
--
New America Report Proposes Volunteer Civilian Cybersecurity Corps
(October 25, 2018)
A report from New America Cybersecurity Policy Fellow Natasha Cohen and Strategist and Senior Fellow Peter Warren Singer proposes the creation of a United States Cybersecurity Civilian Corps to fill the human and organizational gaps in the country's current cybersecurity environment.
Read more in:
Nextgov: It's Time to Organize Volunteer Hackers, Think Tank Says
GCN: Could civilians help fill the cyber talent gap?
https://gcn.com/articles/2018/10/26/cybersecurity-civilian-corps.aspx
New America: The Need for C3: A Proposal for a United States Cybersecurity Civilian Corps
https://www.newamerica.org/cybersecurity-initiative/reports/need-c3/
--
McAfee Finds Some US County Election Websites Easily Spoofed
(October 25, 2018)
McAfee researchers looked at county election websites in 20 US states that have close elections this fall and found that many of them could be spoofed. Many of the surveyed sites are not on .gov domains, which require passing a federal validation process to obtain. Instead, they use domains that anyone could purchase. Because county election websites are a resource for voters looking for information about registration deadlines and requirements and polling places and times, a spoofed site could be used to spread bad information. In addition, most of the websites did not enforce the use of Secure Sockets Layer (SSL) certificates.
Read more in:
Dark Reading: County Election Websites Can Be Easily Spoofed to Spread Misinformation
McAfee: State County Authorities Fail at Midterm Election Internet Security
INTERNET STORM CENTER TECH CORNER
Dissecting Malicious Office Documents in Linux
https://isc.sans.edu/forums/diary/Dissecting+Malicious+Office+Documents+with+Linux/24248/
Analyzing Compressed RTF Documents
https://isc.sans.edu/forums/diary/Detecting+Compressed+RTF/24250/
Cryptominers Scan for Docker Engine
DemonBot Targeting Hadoop
https://blog.radware.com/security/2018/10/new-demonbot-discovered/
Maldoc Duplicating PowerShell
https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
SystemD DHCPv6 Remote Code Execution Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-15688
New File Types Emerge in Malware Spam Attachments
Malicious Mac Crypto Currency Tracker Installs Backdoor
Sandbox For Windows Defender
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create