SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #91
November 16, 2018
****************************************************************************
SANS NewsBites November 16, 2018 Vol. 20, Num. 91
****************************************************************************
Top of The News
- US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission
- Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research
The Rest of the Week's News
- November Patch Tuesday
- Firmware Patch Available for D-Link Router Vulnerability
- Siemens Patches Eight Security Issues
- Security Concerns Prompt DOD to Disable Filesharing Service
- US Plum Island Grid Attack Exercise
- Google's Internet Traffic Took an Inadvertent Detour Earlier This Week
- Guilty Plea in Fatal Swatting Case
- Internet Storm Center Tech Corner
- Cybersecurity Training Update
****************************************************************************
Cyber Defense Initiative(R) 2018 | Washington, DC | December 11-18
https://www.sans.org/event/cyber-defense-initiative-2018
SANS Security East 2019 | New Orleans, LA | February 2-9
https://www.sans.org/event/security-east-2019
SANS San Francisco Fall 2018 | November 26-December 1
https://www.sans.org/event/san-francisco-fall-2018
Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11
https://www.sans.org/event/tactical-detection-summit-2018
SANS Amsterdam January 2019 | January 14-19
https://www.sans.org/event/amsterdam-jan-2019
Cyber Threat Intelligence Summit & Training 2019 | Arlington, VA | January 21-28
https://www.sans.org/event/cyber-threat-intelligence-summit-2019
SANS London February 2019 | February 11-16
https://www.sans.org/event/london-february-2019
SANS Secure Japan 2019 | February 18-March 2
https://www.sans.org/event/secure-japan-2019
SANS Secure Singapore 2019 | March 11-23
https://www.sans.org/event/secure-singapore-2019
SANS OnDemand and vLive Training
http://www.sans.org/online-security-training/specials/
Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.
Single Course Training
SANS Mentor http://www.sans.org/mentor/about and Community SANS http://www.sans.org/community/
View the full SANS course catalog http://www.sans.org/courses and skills roadmap http://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
Free technical content sponsored by SANS
Attend SANS Tactical Detection & Data Analytics Summit | Scottsdale, AZ | Dec 4-5 http://www.sans.org/info/208230
Learn firsthand from leading cybersecurity practitioners and top experts as they demonstrate how to leverage high-value log sources, monitoring tools, and sound analysis methods to detect attacks. http://www.sans.org/info/208230
****************************************************************************
Top of the News
US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission
(November 14, 2018)
On Monday, November 12, the US House of Representatives agreed to a Senate version of the Cybersecurity and Infrastructure Security Agency Act. The bill, which is expected to be signed into law, will give the National Protection and Programs Directorate a new name: the Cybersecurity and Infrastructure Security Agency (CISA). The bill also elevates CISA's mission, making it an operational component alongside the Transportation Security Administration (TSA) and other agencies; CISA director Christopher Krebs will report directly to the DHS Secretary.
[Editor Comments]
[Henry] I've long been an advocate of cybersecurity coordination across US government agencies; while there have been successes in prevention and deterrence, there needs to be much more collaboration to enable those responses to scale and move at the speed of the internet. A new agency means much more responsibility and obligation, but that requires authority. If CISA can bring organizations together in a more synchronized fashion and leverage agency authorities, capabilities, and expertise, there will be value. If it becomes another level of bureaucracy, then it becomes more of the same. I hope for the former, and time will tell.
Read more in:
- fcw.com: DHS cyber re-org clears Congress
https://fcw.com/articles/2018/11/14/cisa-not-nppd-bill-rockwell.aspx
- www.nextgov.com: Congress Passes Long-Sought Bill to Rename DHS Cyber Agency
https://www.nextgov.com/cybersecurity/2018/11/congress-passes-long-sought-bill-rename-dhs-cyber-agency/152821/
Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research
(November 16, 2018)
The Australian government is getting more pushback to its proposed Assistance and Access encryption legislation. Daniel Weitzner, director of the Massachusetts Institute of Technology's (MIT's) Internet Policy Research Initiative (IPRI), told Australia's Parliamentary Joint Committee on Intelligence and Security (PJCIS) that if enacted, the legislation could have a chilling effect on research. A written submission from IPRI dated October 11, 2018 says, "As we understand the Bill, there would be substantial penalties for disclosing information about required changes to system design and implementation, whether through technical assistance notices or technical capacity notices. Such penalties would thwart the increasingly vital process of subjecting widely-used software to maximum public scrutiny so that third-party security researchers can have the best chance of discovering vulnerabilities." (IPRI's submission is #32 in the APH link below.)
[Editor Comments]
[Williams] Discouraging public disclosure of security research simply drives that disclosure underground.
Read more in:
- www.theregister.co.uk: MIT to Oz: Crypto-busting laws risk banning security tests
https://www.theregister.co.uk/2018/11/16/oz_cryptobusting_laws/
- www.aph.gov.au: Submissions received by the Committee
https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions
****************************************************************************
Sponsored Links
Train in California's renowned wine region SANS Sonoma 2019 (Jan 14-19)! Choose from 4 courses in Core Security Essentials and Security Management. Learn more: http://www.sans.org/info/208235
What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card | http://www.sans.org/info/208240
Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/208245
****************************************************************************
The Rest of the Week's News
November Patch Tuesday
(November 13 & 14, 2018)
On Tuesday, November 13, Microsoft and Adobe released security updates for a variety of products. Microsoft's 16 updates fix more than 60 vulnerabilities in Windows, Edge, Internet Explorer and other products. Among the vulnerabilities addressed are a zero-day vulnerability affecting Windows 7 and Windows Server 2008 that is being actively exploited, and a flaw in BitLocker that could be exploited to access encrypted information. Adobe released updates for flaws in Flash Player, Acrobat and Reader, and Photoshop CC.
Read more in:
- krebsonsecurity.com: Patch Tuesday, November 2018 Edition
https://krebsonsecurity.com/2018/11/patch-tuesday-november-2018-edition/
- www.theregister.co.uk: It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page
https://www.theregister.co.uk/2018/11/14/patch_tuesday_november/
- www.scmagazine.com: Microsoft's Patch Tuesday addresses Zero Day vulnerabilities
https://www.scmagazine.com/home/security-news/microsofts-patch-tuesday-addresses-zero-day-vulnerabilities/
- www.zdnet.com: Microsoft patches Windows zero-day used by multiple cyber-espionage groups
https://www.zdnet.com/article/microsoft-patches-windows-zero-day-used-by-multiple-cyber-espionage-groups/
- helpx.adobe.com: Security updates available for Flash Player | APSB18-39
https://helpx.adobe.com/security/products/flash-player/apsb18-39.html
- helpx.adobe.com: Security updates available for Adobe Acrobat and Reader | APSB18-40
https://helpx.adobe.com/security/products/acrobat/apsb18-40.html
- helpx.adobe.com: Security updates available for Adobe Photoshop CC | APSB18-43
https://helpx.adobe.com/security/products/photoshop/apsb18-43.html
- portal.msrc.microsoft.com: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Firmware Patch Available for D-Link Router Vulnerability
(November 15, 2018)
D-Link has made a firmware update available to address an authentication bypass vulnerability in its DIR-850L wireless router. Researchers at Synopsys write that the issue allows clients to communicate with the router without completing the full WPA handshake; attackers could exploit the flaw to gain unauthenticated access to the router's network, from where they could launch further attacks. Synopsys discovered the problem and notified D-Link in early August. D-Link published the firmware patch on November 6, 2018.
[Editor Comments]
[Williams] This is not nearly as concerning as some other recently publicized router vulnerabilities. This vulnerability would allow attackers to communicate on the network only using unencrypted packets. These packets should not be processed by other endpoints that have legitimately connected to the router, so the risk is minimal.
[Murray] This vulnerability is to the wireless side of these access points, where we do not see systematic attacks, but D-Link routers have been shown to be vulnerable to the wire side where we do see systematic attacks. Those responsible for large numbers of these routers should patch them. Those who use one or two should take this as the occasion to upgrade.
Read more in:
- www.scmagazine.com: D-Link router vulnerability detailed
https://www.scmagazine.com/home/security-news/d-link-router-vulnerability-detailed/
- www.synopsys.com: CyRC analysis: CVE-2018-18907 authentication bypass vulnerability in D-Link DIR-850L wireless router
https://www.synopsys.com/blogs/software-security/CVE-2018-18907/
- securityadvisories.dlink.com: DIR-850L ::H/W Revision A :: CVE-2018-18907 - WiFi encryption bypass
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10097
Siemens Patches Eight Security Issues
(November 13 & 14, 2018)
Siemens has released security updates to address eight vulnerabilities in its IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC; Siemens S7-400 CPUs; Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal); SCALANCE S; SIMATIC S7; SIMATIC STEP 7 (TIA Portal); and SIMATIC IT Production Suite. The vulnerabilities include improper access control flaws, improper input validation, code injection, cross-site scripting, resource exhaustion, unprotected storage of credentials, improper authentication, path traversal, and open redirect vulnerabilities. The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released advisories about the flaws (ICSA-18-317-01 through ICSA-18-317-08).
Read more in:
- threatpost.com: Siemens Patches Firewall Flaw That Put Operations at Risk
https://threatpost.com/siemens-patches-firewall-flaw-that-put-operations-at-risk/139082/
- www.scmagazine.com: ICS-CERT announces updates for several Siemens products
https://www.scmagazine.com/home/security-news/ics-cert-announces-updates-for-several-siemens-products/
- ics-cert.us-cert.gov: ICS-CERT Advisories
https://ics-cert.us-cert.gov/advisories
Security Concerns Prompt DOD to Disable Filesharing Service
(November 12 & 15, 2018)
The US Department of Defense (DOD) has disabled the Army Aviation and Missile Research Development and Engineering Center Safe Access File Exchange (AMRDEC SAFE), a filesharing service used by Army aviation and missile research centers, as a preventative measure after internal government agencies identified potential security risks. In a message on the AMRDEC SAFE portal, DOD says that it is uncertain whether the site will be reinstated.
[Editor Comments]
[Williams] There was obviously a need for this capability. It is almost certain that another solution (one not adequately controlled or monitored) will be found by users if the Army doesn't move quickly to replace this capability. Like many platforms in production today, the SAFE tool was never developed to be used as a long-term or widespread file sharing solution. The platform likely saw early success and experienced deployment scope creep without additional security testing.
Read more in:
- www.zdnet.com: DOD disables file sharing service due to 'security risks'
https://www.zdnet.com/article/dod-disables-file-sharing-service-due-to-security-risks/
- www.fifthdomain.com: DOD file sharing tool disabled due to vulnerability
https://www.fifthdomain.com/dod/2018/11/12/dod-file-sharing-tool-disabled-due-to-vulnerability/
US Plum Island Grid Attack Exercise
(November 14, 2018)
The seven-day power grid cyberattack simulation that took place on Plum Island at the beginning of the month involved a black start: participants had to restart a grid that had been out for weeks, meaning that substation batteries would be drained. Participants worked to restore power to the grid while coming under attack from a red team. The exercise was organized by the Defense Advanced Research Projects Agency (DARPA) and involved more than 100 people. (We covered this story earlier in the week and wanted to provide links to articles that are not behind a paywall.)
[Editor Comments]
[Murray] Widespread outages in the past have been the result of orderly shut-downs after component failures and/or changes in load. These shut-downs are designed to facilitate an early and orderly restart. This exercise shows the importance of early re-start. While instructive, and difficult, this exercise was very limited in scope. An attack is likely to be much wider in scope.
Read more in:
- www.wired.com: The Hail Mary Plan to Restart a Hacked US Electric Grid
https://www.wired.com/story/black-start-power-grid-darpa-plum-island/
- www.nextgov.com: Pentagon Researchers Test 'Worst-Case Scenario' Attack on U.S. Power Grid
https://www.nextgov.com/cybersecurity/2018/11/pentagon-researchers-test-worst-case-scenario-attack-us-power-grid/152803/
Google's Internet Traffic Took an Inadvertent Detour Earlier This Week
(November 13 & 14, 2018)
On Monday, November 12, traffic that should have been routed through Google's Cloud Platform was instead routed through Russia, China, and Nigeria. The incident appears to have been caused by a Border Gateway Protocol (BGP) filter configuration error at an Internet service provider (ISP) in Nigeria. The issue was remedied in just over an hour. The event caused some Google services to become temporarily unavailable.
[Editor Comments]
[Ullrich] You have no control over how your traffic reaches its destination once it leaves your network. This is why you *always* need to insist on robust encryption, integrity checks and authentication.
[Honan] An excellent example as to how fragile and insecure the underlying infrastructure for the Internet is, and a reminder as to the importance of ensuring sensitive data is encrypted so it remains protected in the event of a reoccurrence of this issue, whether that occurrence is malicious or accidental.
Read more in:
- www.wired.com: Google Internet Traffic Wasn't Hijacked, But It Was Out Of Control
https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/
- arstechnica.com: Google goes down after major BGP mishap routes traffic through China
https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/
- www.scmagazine.com: Google hit with IP hijack taking down several services
https://www.scmagazine.com/home/security-news/google-hit-with-ip-hijack-attack-taking-down-several-services/
- www.zdnet.com: Google traffic hijacked via tiny Nigerian ISP
https://www.zdnet.com/article/google-traffic-hijacked-via-tiny-nigerian-isp/
- www.eweek.com: What Happens When Your Data Gets Redirected to China
http://www.eweek.com/security/what-happens-when-your-data-gets-redirected-to-china
Guilty Plea in Fatal Swatting Case
(November 13 & 14, 2018)
Tyler Barriss has pleaded guilty to charges of making a false report resulting in a death, cyberstalking, and conspiracy for his role in swatting attacks, including one that led to the death of a man in Kansas in December 2017. Barriss faces a minimum prison sentence of 20 years.
Read more in:
- krebsonsecurity.com: Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison
https://krebsonsecurity.com/2018/11/calif-man-pleads-guilty-in-fatal-swatting-case-faces-20-years-in-prison/
- arstechnica.com: Man pleads guilty to swatting attack that led to death of Kansas man
https://arstechnica.com/tech-policy/2018/11/man-pleads-guilty-to-swatting-attack-that-lead-to-death-of-kansas-man/
- www.theregister.co.uk: Scumbag who phoned in a Call of Duty 'swatting' that ended in death pleads guilty to dozens of criminal charges
https://www.theregister.co.uk/2018/11/14/call_of_duty_swatting_tyler_barriss/
- www.justice.gov: California Man Pleads Guilty In Deadly Wichita Swatting Case
https://www.justice.gov/usao-ks/pr/california-man-pleads-guilty-deadly-wichita-swatting-case
****************************************************************************
Internet Storm Center Tech Corner
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/November+2018+Microsoft+Patch+Tuesday/24308/
Adobe Security Bulletins
https://helpx.adobe.com/security.html
Details about Zero Day Exploit Taking Advantage of Win32k Vuln.
https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/
PacSec Pwn2Own Results
(day one) https://www.zerodayinitiative.com/blog/2018/11/13/pwn2own-tokyo-2018-day-one-results
(day two) https://www.zerodayinitiative.com/blog/2018/11/14/pwn2own-tokyo-2018-day-two-results-and-master-of-pwn
More Spectre/Meltdown Flaws (PDF)
https://arxiv.org/pdf/1811.05441.pdf
Emotet Spreading IcedID Banking Malware
https://isc.sans.edu/forums/diary/Emotet+infection+with+IcedID+banking+Trojan/24312/
Crypto Miners Abusing Insecure Docker Installs
https://forums.juniper.net/t5/Threat-Research/Container-Malware-Miners-Go-Docker-Hunting-In-The-Cloud/ba-p/400587
GPS Watches Can Be Used To Track Kids
https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/
Firefox Will Notify Users of Breached Sites
https://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/
David Kennel: All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System
https://www.sans.org/reading-room/whitepapers/linux/all-seeing-eye-blind-man-understanding-linux-kernel-auditing-system-38605
****************************************************************************
The Editorial Board of SANS NewsBites
Alan Paller
https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan
https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer
https://www.sans.org/newsletters/newsbites/editorial-board#david-hoelzer
David Turley
https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis
https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer
https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams
https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich
https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore
https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Lee Neely
https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Mark Weatherford
https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Mason Brown
https://www.sans.org/newsletters/newsbites/editorial-board#mason-brown
Michael Assante
https://www.sans.org/newsletters/newsbites/editorial-board#michael-assante
Rob Lee
https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride
https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry
https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt
https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot
https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston
https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston