SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #90
November 13, 2018
****************************************************************************
SANS NewsBites November 13, 2018 Vol. 20, Num. 90
****************************************************************************
TOP OF THE NEWS
Pentagon Adding New Cybersecurity Language to Contracts
Grid Attack Simulation Exercise
Bank of England Hosts Cybersecurity Exercise to Test Resilience of Financial Sector
REST OF THE WEEK'S NEWS
WordPress Fixes Flaws in WP GDPR Compliance App
More Details About Cathay Pacific Airways Breach
Intel Microcode Boot Loader Tool
US National Science Foundation Wants Feedback on Rewrite of Government Cybersecurity R&D Plan
NIST Plans to Move to IBM's Watson for Vulnerability Scoring
FDA Responds to OIG Report on Postmarket Medical Device Security
West Virginia Used Blockchain-Based Mobile Voting for Citizens Living Overseas
US Has Not Signed Paris Cyber Agreement
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Best Offer of the Year: Get the ALL NEW 12.9" iPad Pro, or an HP ProBook 450 G5, or Take $400 Off with OnDemand and vLive Training. Offer Ends November 14.
https://www.sans.org/online-security-training/specials/
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018
-- Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk ***************************
White Paper: Security Operations Platforms produce a number of economic benefits in addition to helping your SOC team work more efficiently. This white paper aims to quantify those benefits by outlining a methodology to estimate your Return on Investment (ROI) from investing in SecOps Platforms. http://www.sans.org/info/208070
*****************************************************************************
TOP OF THE NEWS
--
Pentagon Adding New Cybersecurity Language to Contracts
(November 2 & 9, 2018)
Future Pentagon contracts will include new language specifying cybersecurity expectations. Ellen Lord, the undersecretary of defense for acquisition and sustainment, said that DoD is "coming out with standard contract language that all the services will use." Contractors' cybersecurity practices will be considered on par with quality and cost of service when proposals are evaluated.
[Editor Comments]
[Pescatore, Williams] Whether this is meaningful or not depends on what that language is. While making sure cybersecurity is a highly weighted evaluation criterion in RFPs is a good thing, the real gains will only come from requiring actual demonstration of secure practices at the contractors and actual testing of the security levels of products. More pages of documentation do not lead to more security.
[Paller] The right language here will have the largest impact of any federal cybersecurity initiative.
Read more in:
Stripes: Pentagon bolstering cybersecurity demands for future contracts
--
Grid Attack Simulation Exercise
(November 9, 2018)
From October 31 to November 6, government and industry researchers participated in a power grid cyberattack simulation exercise on a government-owned, restricted island in Long Island Sound. The simulation was an opportunity to test existing response plans to catastrophic grid events that included supply chain attacks, ransomware, and misconfigured equipment. Led by Defense Advanced Research Projects Agency (DARPA) program manager Walter Weiss, the exercise started with an order to restore the grid, which in the scenario had been down for several weeks. (Please note that the WSJ story is behind a paywall.)
Read more in:
WSJ: Federal Researchers Simulate Power Grid Cyberattack, Find Holes in Response Plan (paywall)
--
Bank of England Hosts Cybersecurity Exercise to Test Resilience of Financial Sector
(November 8 & 9, 2018)
On Friday, November 9, the Bank of England, along with regulators and the Treasury, conducted a war-gaming exercise to test financial institutions' resilience in the face of a cyberattack. Forty organizations participated. In an announcement on its website, the Bank of England writes, "The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole."
Read more in:
BBC: Top banks in cyber-attack 'war game'
https://www.bbc.com/news/business-46149667
Bank of England: Sector resilience exercise
https://www.bankofengland.co.uk/news/2018/november/sector-resilience-exercise
************************** SPONSORED LINKS ********************************
1) Join SANS Matt Bromiley & VirusTotal as they present a new tool set that can help analysts search more data faster. Register here: http://www.sans.org/info/208085
2) Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/208090
3) What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card | http://www.sans.org/info/208095
*****************************************************************************
REST OF THE WEEK'S NEWS
--
WordPress Fixes Flaws in WP GDPR Compliance App
(November 12, 2018)
WordPress has fixed a vulnerability in a plug-in that is being actively exploited by unauthenticated users to obtain elevated privileges. As its name suggests, the WP GDPR Compliance plug-in is designed to help site owners comply with the European Union's General Data Protection Regulation (GDPR). Users are urged to update to the most recent version of WP GDPR Compliance; v1.4.3 is the most current.
[Editor Comments]
[Ullrich] The irony here is that a regulation that was supposed to improve privacy (security?) leads to buggy code that makes data less secure. It may be easy to make fun of this WordPress module, but I wonder how many companies rushed GDPR fixes into production to meet a deadline without adequately testing the code they created. Developers often see work like this as non-productive and try to get it out of the way as quickly as possible by cutting corners.
Read more in:
SC Magazine: Attackers exploit GDPR compliance plug-in for WordPress
Cyberscoop: Flaw in WordPress plugin allowed unauthorized admin access, backdoors
https://www.cyberscoop.com/wordpress-wp-gdpr-compliance-plugin-flaw-wordfence/
Wordfence: Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild
--
More Details About Cathay Pacific Airways Breach
(November 12, 2018)
In a written submission to Hong Kong's legislative council, Legco, Cathay Pacific Airways revealed that although it first became aware of suspicious activity on its networks in March 2018 and took immediate action to understand the incident and to contain it, attacks continued over the next several months, and noted that these ongoing attacks also expanded the scope of potentially accessed data. Cathay Pacific publicly revealed the breach in late October.
Read more in:
The Register: Cathay Pacific hack: Airline admits techies fought off cyber-siege for months
https://www.theregister.co.uk/2018/11/12/cathay_pacific_hack_data_siege_3_months/
Legco: Written submission by Cathay Pacific Airways Limited
https://www.legco.gov.hk/yr18-19/english/panels/ca/papers/caitbse20181114cb2-222-2-e.pdf
--
Intel Microcode Boot Loader Tool
(November 12, 2018)
The Intel Microcode Boot Loader provides a workaround for the microcode problem on Intel-based motherboards. Many motherboards are vulnerable to Spectre side-channel attacks because manufacturers usually release firmware updates only for their most current products. The Intel Microcode Boot Loader lets users create a bootable USB flash drive that applies the most recent microcode updates each time the system is booted.
[Editor Comments]
[Ullrich] This is a really neat tool. But most people do not need it. If you are running an up-to-date operating system, a patch should have been delivered as part of the operating system. For everybody else, this tool can be a life saver. But this is a tool Intel should have released, not an anonymous member of a tech support forum. Use at your own risk. (But thanks to the person creating the tool.)
Read more in:
Bleeping Computer: The Intel Microcode Boot Loader Protects Older CPUs From Spectre
TechPowerUp: Intel Microcode Boot Loader
https://www.techpowerup.com/forums/threads/intel-microcode-boot-loader.248858/
--
US National Science Foundation Wants Feedback on Rewrite of Government Cybersecurity R&D Plan
(November 9, 2018)
The US National Science Foundation (NSF) is seeking input on the 2018 revision of the federal cybersecurity research and development plan. According to the NSF Request for Information (RFI), "pursuant to the Cybersecurity Enhancement Act of 2014, Federal agencies must update the Federal cybersecurity research and development (R&D) strategic plan every four years. The NITRD NCO [Networking and Information Technology Research and Development National Coordination Office] seeks public input for the 2019 update of the Federal cybersecurity R&D strategic plan." The updated plan will be used to guide and coordinate federally funded research in cybersecurity, including cybersecurity education and workforce development, and the development of consensus-based standards and best practices in cybersecurity. Responders are asked to direct their responses to one or more of six focus questions. Responses will be accepted through January 15, 2019.
Read more in:
Nextgov: National Science Foundation Seeks Feedback on Major Cyber Research Priorities Update
Federal Register: Request for Information on Update to the 2016 Federal Cybersecurity Research and Development Strategic Plan
--
NIST Plans to Move to IBM's Watson for Vulnerability Scoring
(November 2 & 12, 2018)
The National Institute of Standards and Technology reportedly plans to move to a vulnerability scoring method that uses IBM's Watson artificial intelligence (AI) system by October 2019. The new system will take over the work now done by human analysts. In a pilot program earlier this year, NIST used Watson to examine hundreds of thousands of existing CVSS vulnerability scores; Watson then used that information to score new vulnerabilities, and its scores were by and large in line with human analysts' findings. Where Watson stumbled was in evaluating new and complex vulnerabilities; in those cases, human analysts will evaluate the vulnerabilities.
[Editor Comments]
[Pescatore] I wonder how they know when Watson stumbles without an actual human person looking at every score?? That said, the Base and Temporal scores within CVSS lend themselves to algorithmic scoring, at least where everyone uses the same terminology, which isn't the case in a lot of consumer products. The highest value part of the CVSS approach is the Environmental Metric group where each organization has to add a factor based on its IT environment and business impact potential. That factor is key in bubbling the most critical patches to the top of the list.
Read more in:
Nextgov: NIST Teams Up with IBM's Watson to Rate How Dangerous Computer Bugs Are
SC Magazine: Report: NIST to use IBM's Watson AI system to score vulnerabilities
--
FDA Responds to OIG Report on Postmarket Medical Device Security
(November 7, 2018)
The US Food and Drug Administration (FDA) has responded to a report from the Department of Health and Human Services Office of Inspector General (HHS OIG) regarding the agency's approach to postmarket medical device security. The report says that the FDA does not have sufficient procedures to handle security issues once medical devices are on the market. FDA says that since the audit, it has taken steps to address these issues.
Read more in:
GovInfoSecurity: FDA Reacts to Critique of Medical Device Security Strategy
https://www.govinfosecurity.com/fda-reacts-to-critique-medical-device-security-strategy-a-11689
OIG.HHS: The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices
https://oig.hhs.gov/oas/reports/region18/181630530.pdf
--
West Virginia Used Blockchain-Based Mobile Voting for Citizens Living Overseas
(November 7, 2018)
The US state of West Virginia used a blockchain-based mobile app to allow military personnel stationed overseas, and others who qualify under the Uniformed and Overseas Citizens Act, to vote using their mobile devices. The West Virginia Secretary of State estimates that 144 people used the app in last week's election. While some have touted blockchain as a benefit to voting, others disagree. In an interview published in MIT's Technology Review in August 2018, J. Alex Halderman, director of the University of Michigan's Center for Computer Security and Society, said that blockchain is just another form of recording votes. If attackers compromise voters' devices or the servers that record votes and log them to the blockchain, they can still manipulate election outcomes. There are no easy solutions here.
Read more in:
GCN: How West Virginia brought blockchain-secured voting to Election Day
https://gcn.com/articles/2018/11/07/west-virginia-mobile-blockchain-voting.aspx
Technology Review: Hackers are out to jeopardize your vote
https://www.technologyreview.com/s/611830/hackers-are-out-to-jeopardize-your-vote/
--
US Has Not Signed Paris Cyber Agreement
(November 12, 2018)
The US has declined to endorse French President Emmanuel Macron's Paris Call for Trust and Security in Cyberspace. While the initiative does not hold signatories to a legal agreement, it is mostly a symbol of the need for diplomacy and cooperation in cyberspace, where it is hard to enforce any single country's laws. The Paris Call is also endorsed by private companies, groups, non-profits, and universities. Other countries that have not signed include the UK, Israel, Iran, China, and Russia.
[Editor Comments]
[Pescatore] The wording of the Paris Call is very similar to the Cyberspace Tech Accord that Microsoft had proposed back in April, which was signed by 60 companies. It is very odd which governments didn't sign the Paris Call (China, Russia and Iran as major sources of cyber attacks you would expect, but the US and the UK?) and which companies didn't sign Microsoft's Tech Accord (Google and Apple didn't, Facebook did; VMWare did, IBM did not.) The bottom line is that Calls and Accords have no regulatory power, but in security it is often the informal alliances and cooperative agreements that work the best; they can adapt faster as technology and threats change. It would be good to see the signees of each continue to work together to make advances, which will happen even without the missing biggies.
Read more in:
Wired: The US Sits Out an International Cybersecurity Agreement
https://www.wired.com/story/paris-call-cybersecurity-united-states-microsoft/
The Hill: US, Russia not among 50 nations pledging to fight cybercrime
INTERNET STORM CENTER TECH CORNER
Cloudflare Releases Mobile Apps To Use 1.1.1.1
https://blog.cloudflare.com/1-thing-you-can-do-to-make-your-internet-safer-and-faster/
Crypto Coin Miners Now With Rootkits
Google Play Protect Reduces Malware
https://security.googleblog.com/2018/11/introducing-android-ecosystem-security.html
Google BGP Hijack via Russia
https://twitter.com/thousandeyes/status/1062102171506765825
Microcode Bootloader USB
https://www.techpowerup.com/forums/threads/intel-microcode-boot-loader.248858/
Wordpress GDPR Tool Vulnerable
https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create