SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #92
November 20, 2018****************************************************************************
SANS NewsBites November 20, 2018 Vol. 20, Num. 92
****************************************************************************
TOP OF THE NEWS
UK Parliament Committee Report: Critical Infrastructure Cyber Security At Risk
DOD, DHS Reach Cybersecurity Accord
DHSs Cybersecurity and Infrastructure Security Agency Has an Elevated Mission and a Two-Year Plan
REST OF THE WEEKS NEWS
Moodys Will Factor Risk of Cyber Attacks into Ratings
Microsoft Azure and Office 365 Multi-Factor Authentication Outage
Dark Web Hosting Provider Hacked, Sites Deleted
DHS Goal: Naming Critical Functions to Protect by End of Calendar Year
Spear Phishing Attack Impersonates US State Department Employees
Vovox Pulls Exposed Database Offline
Government Contractors to Face New Rules Around Data Breaches
Tabletop Cyberattack Simulation Brings Private Industry and Government Together
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.
https://www.sans.org/online-security-training/specials/
-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11 | https://www.sans.org/event/tactical-detection-summit-2018
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By SANS ************************************
Attend SANS Tactical Detection & Data Analytics Summit | Scottsdale, AZ
| Dec 4-5 Learn firsthand from leading cybersecurity practitioners and
top experts as they demonstrate how to leverage high-value log sources,
monitoring tools, and sound analysis methods to detect attacks.
http://www.sans.org/info/208635
*****************************************************************************
TOP OF THE NEWS
--UK Parliament Committee Report: Critical Infrastructure Cyber Security at Risk
(November 19, 2018)
According to a report from the UK Parliaments Joint Committee on National Security Strategy, the UKs national critical infrastructure is vulnerable to damaging cyber attacks. The report also says that while the risk of cyberattacks on the national critical infrastructure is growing, neither the government nor the private companies that operate elements of critical infrastructure are doing enough to adequately protect it. The reports authors are concerned that expectations of the [GCHQs] National Cyber Security Centre are outstripping the resources put at its disposal by the Government. They go on to urge the Government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the UKs critical national infrastructure.
[Editor Comments]
[Henry] This is a global story and would have been completely valid had UK been replaced with the name of many other countries.
Read more in:
ZDNet: Security warning: UK critical infrastructure still at risk from devastating cyber attack
The Register: Britain may not be able to fend off a determined cyber-attack, MPs warn
https://www.theregister.co.uk/2018/11/19/uk_cni_report_parliament/
Parliament: Cyber Security of the UKs Critical National Infrastructure
https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/1708.pdf
--DOD, DHS Reach Cybersecurity Accord
(November 15 & 16, 2018)
The US Department of Defense (DOD) and Department of Homeland Security (DHS) have reached an agreement about how to help one another defend the parts of cyberspace for which each is responsible. In written testimony, DHS Assistant Secretary Jeanette Manfra noted that the accord reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats [and] clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats.
[Editor Comments]
[Murray] Video of testimony before a joint meeting of two congressional subcommittees can be found at https://www.c-span.org/video/?454510-1/interagency-cyber-cooperation: Interagency Cyber Cooperation
Read more in:
FNR: DoD, DHS reach accord on new steps to cooperate in cyber defense
Defense Systems: DOD teams with DHS for critical infrastructure protection
https://defensesystems.com/articles/2018/11/16/dhs-dod-cyber-cooperation.aspx
Nextgov: DHS and Pentagon Memo Details Future Cyber Cooperation
--DHSs Cybersecurity and Infrastructure Security Agency Has an Elevated Mission and a Two-Year Plan
(November 16, 2018)
The Department of Homeland Securitys (DHSs) National Protection and Programs Directorate (NPPD) is now officially the Cybersecurity and Infrastructure Security Agency (CISA). The new legislation also elevates CISAs mission within DHS. has been signed into law. The bill also elevates CISAs mission within DHS, putting it on the same level as the Secret Service, the Federal Emergency Management Agency (FEMA) and others.
Read more in:
FNR: Launch of DHS cyber agency more of a groundbreaking than a ribbon-cutting
https://federalnewsnetwork.com/cybersecurity/2018/11/launch-of-dhs-cyber-agency-more-of-a-
groundbreaking-than-a-ribbon-cutting/
The Hill: Trump signs bill cementing cybersecurity agency at DHS
************************** SPONSORED LINKS ********************************
1) Train in California's renowned wine region SANS Sonoma 2019 (Jan
14-19)! Choose from 4 courses in Core Security Essentials and Security
Management. Learn more, http://www.sans.org/info/208620
2) What role does artificial intelligence play in security? Help SANS
examine how security professionals are leveraging AI by taking this
survey, and enter to win a $400 Amazon gift card |
http://www.sans.org/info/208625
3) Does your vulnerability management program cover your organization's
cloud workloads, partner access, IoT and industrial control systems?
Take the SANS Survey and enter to win a $400 Amazon gift card |
http://www.sans.org/info/208630
*****************************************************************************
REST OF THE WEEKS NEWS
--Moodys Will Factor Risk of Cyber Attacks into Ratings
(November 12, 2018)
Moodys plans to start including the impact a major cybersecurity incident would have on a company in its creditworthiness ratings. Moodys may move to a separate cyber-risk rating apart from the entitys credit ranking. According to its website. Moodys provid[es] credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets.
[Editor Comments]
[Henry] The insurance agencies are working hard to assess cybersecurity incidents and risk, as are the SEC and other government regulators. Moodys movement into this area seems to be a logical step. Companies values are based on many factors, including their intellectual property, their corporate strategies, and other differentiators. While loss of those assets can impact companies ability to compete and should be measured, the methodologies used to assess cybersecurity has typically been a challenge. Moodys ability to make that assessment will require a lot of thought and calculation.
[Pescatore] While this sounds like a good thing, in 2017 Moodys paid nearly $1B in fines to settle government charges that it gave inflated ratings to risky mortgage investments that played major roles in causing the 2008 financial meltdown. If they werent trustworthy in their core business of financial risk rating, pretty sure they shouldnt be at the top of list for cybersecurity risk ratings.
[Northcutt] There is a pot of gold waiting for the first group to develop an actuarial table for cyber risk, though the reality is it is many tables. They started with utilities; it will be interesting to see how far they are able to get. The press release does show some good architecture with respect to compliance.
https://www.moodys.com/research/Moodys-As-cyber-threat-intensifies-for-US-utilities-government-support--PBC_1142449: Research Announcement: Moody's: As cyber threat intensifies for US utilities, government support remains key to credit profiles
Read more in:
CNBC: Moody's is going to start building the risk of a business-ending hack into its credit ratings
https://www.cnbc.com/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html
--Microsoft Azure and Office 365 Multi-Factor Authentication Outage
(November 19, 2018)
A problem with multi-factor authentication (MFA) has prevented some Microsoft Azure and Office 365 users from accessing their accounts. The outage began at 4:39 AM UTC Monday, November 19 (11:39 PM ET Sunday, November 18). The problem is affecting users around the world. The issue may also prevent some users from performing self-service password resets. Azure services are now operating normally. As of Tuesday, November 20 at 1:00 PM ET (6:00 PM UTC), the Office 365 Status page says We've conducted extensive monitoring over the last 12 hours and have not observed an increase in failed authentication requests. We'll continue to monitor the environment while we further investigate the root cause of this issue. Azure's status page says that it is operating normally.
[Editor Comments]
[Neely] Enabling multi-factor authentication remains an important security measure, particularly if you permit access to Microsofts cloud services from non-corporate devices or insecure networks. If youre using ADFS rather than your own authenticator, Microsoft provides multiple options for multi-factor authentication. Using the Microsoft Authenticator application eliminates reliance on SMS for message delivery and possible interception.
[Honan] One of the keys to security is resilience. Organisations moving to the cloud need effective and resilient multi-factor authentication platforms, and if they should fail they need contingency plans.
Read more in:
ZDNet: Microsoft Azure, Office 365 users hit by multi-factor authentication issue
The Register: Azure goes super-secure: Multi-factor authentication is borked in Europe and Asia
https://www.theregister.co.uk/2018/11/19/azure_down/
Status Office 365: Office 365 service health status
Azure: Azure status
https://azure.microsoft.com/en-us/status/
--Dark Web Hosting Provider Hacked, Sites Deleted
(November 17 & 19, 2018)
Hackers have deleted all accounts, including the servers root account, from dark web hosting provider Daniels Hosting. The administrator says that there were no back-ups of the hosted sites; all data are gone. He says he will bring [the] hosting back up once the vulnerability has been identified and fixed. The attack occurred on November 15.
Read more in:
ZDNet: Popular Dark Web hosting provider got hacked, 6,500 sites down
https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/
BBC: Blackout for thousands of dark web pages
https://www.bbc.com/news/technology-46263995
--DHS Goal: Naming Critical Functions to Protect by End of Calendar Year
(November 16, 2018)
The US Department of Homeland Security (DHS) plans to compile a list of the countrys most critical functions that need to be protected from cyberattacks. Then, the DHS along with federal researchers and other organizations will begin mapping how the functions rely on each other, identifying which sectors depend on which critical elements, and what the effect on each sector would be if these elements were attacked. The critical function identification and mapping is a DHS National Risk Management Center project.
[Editor Comments]
[Neely] Mapping critical functions and their interdependencies is important to build a risk model and then prioritize mitigation and application of security measures. The trick will be maintaining this mapping as well as incentivizing application of appropriate security controls and monitoring the residual risks. Leveraging the capabilities and budget with CDM DEFEND will allow agencies to get a jump on licensing products as well as provide a path for DHS to continue to monitor the risks.
[Henry] Eighteen years ago, I worked in the FBIs National Infrastructure Protection Center (NIPC.) One of NIPCs responsibilities was the Key Asset and Critical Infrastructure program, whose mission was to compile a list of the countrys most critical functions that need to be protected from cyberattacks. After 9/11 NIPC was terminated, as the mission was transferred from the FBI when newly established DHS. Its an important program and Im glad to see it get the attention it deserves.
[Murray] This is an essential step in improving the security of our infrastructure. Attempting to secure everything to the same level will leave some things under-protected and others over-protected. It is neither effective nor efficient. However, this is not a simple exercise; it is more important to get it right than to get it early.
Read more in:
Nextgov: DHS Aims to ID Critical Functions to Protect from Cyberattacks by Years End
--Spear Phishing Attack Impersonates US State Department Employees
(November 16 & 19, 2018)
A phishing attack believed to be the work of hackers working for the Russian government is using email messages that purport to be from US State Department employees. The phony messages have been sent to people at government agencies, think tanks, and other organizations.
[Editor Comments]
[Pescatore] The current administrations National Cybersecurity Strategy says a key objective is to ENSURE THE GOVERNMENT LEADS IN BEST AND INNOVATIVE PRACTICES: The Federal Government will ensure the systems it owns and operates meet the standards and cybersecurity best practices it recommends to industry. Every Presidential Cybersecurity Strategy since PDD-63 in 1998 has said the same thing, yet we still have government employees (including elected official) and US citizens accessing government services doing so with re-usable passwords vs. strong authentication.
Read more in:
Reuters: Russians impersonating U.S. State Department aide in hacking campaign: researchers
Ars Technica: Russias Cozy Bear comes out of hiding with post-election spear-phishing blitz
--Vovox Pulls Exposed Database Offline
(November 15 & 16, 2018)
An inadequately secured server exposed a database that contains millions of SMS text messages, many of which include reset links, plaintext passwords, and one-time passwords for various accounts. The database in question belongs to communications firm Vovox, which processes billions of calls and text messages every month, according to the companys website. Vovox pulled the database offline after it was notified of the situation, and before public disclosure of the issue. The database on the server was configured in a way that made it easily readable and searchable.
[Editor Comments]
[Neely] While the database is no longer accessible, the risks of using SMS messaging for 2FA remain. When choosing multi-factor options for services provided, most authentication solutions support other options such as OTP, which doesnt rely on sending the device a code that can be intercepted or recorded. Even so, the TOTP seeds need to not be recoverable.
Read more in:
TechCrunch: A leaky database of SMS text messages exposed password resets and two-factor codes
https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
Ars Technica: Database leak exposes millions of two-factor codes and reset links sent by SMS
--Government Contractors to Face New Rules Around Data Breaches
(November 15 & 19, 2018)
A proposed rule from the US General Services Administration (GSA) seeks to amend the Federal Acquisition Regulation (FAR) to create and implement appropriate contract clauses and regulatory coverage to address contractor requirements for a breach response consistent with the requirements. The proposed rule would require that in the event of a breach, the GSA and the affected agency would have access to the contractors breached systems. It would also require contractors to retain images of the breached systems for government review.
[Editor Comments]
[Neely] Flowing down of cybersecurity requirements to contractor systems can be a challenge. While contractors may not embrace the need for the GSA to be able to access systems for forensic analysis, as the data owners, they are accountable for what happens to that data, particularly with privacy legislation such as the GDPR and California Consumer Privacy Act which carry increased penalties relating to breaches and reporting requirements.
Read more in:
Fedscoop: GSA proposes new cybersecurity reporting rules for contractors
https://www.fedscoop.com/gsa-proposes-2-new-cybersecurity-reporting-rules-contractors/
Nextgov: Government Contractors Face New Data Breach Disclosure and Investigation Requirements
--Tabletop Cyberattack Simulation Brings Private Industry and Government Together
(November 13, 2018)
In October, the Foundation for Defense of Democracies think tank held a tabletop cyberattack simulation exercise that focused on determining what companies and government agencies would need from each other in the event of a cross-sector cyber attack. The exercise illustrated that there really is daylight between the positions of the private sector and the government regarding retaliatory action, according to former National Security Agency (NSA) director retired Gen. Michael Hayden.
[Editor Comments]
[Murray] One would hope that such drills become regular, routine, and ubiquitous. If and when we come under attack, it will be too late to coordinate our responses. Improving the resilience of our digital infrastructure is essential; we must be able to absorb multiple simultaneous Sony-scale attacks while sustaining critical capabilities.
Read more in:
Cyberscoop: How the U.S. might respond if China launched a full-scale cyberattack
https://www.cyberscoop.com/u-s-respond-china-launched-full-scale-cyber-attack/
INTERNET STORM CENTER TECH CORNER
Multipurpose PCAP Analysis Tool
https://isc.sans.edu/forums/diary/Multipurpose+PCAP+Analysis+Tool/24322/
Quickly Investigating Websites with Lookyloo
https://isc.sans.edu/forums/diary/Quickly+Investigating+Websites+with+Lookyloo/24320/
From Field Spoofing in GMail
https://blog.cotten.io/hacking-gmail-with-weird-from-fields-d6494254722f?gi=ce61de4cb006
Google Play Malware
https://twitter.com/LukasStefanko
ATM Vulnerabilities
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/ATM-Vulnerabilities-2018-eng.pdf
Nagios XI Update
https://www.tenable.com/security/research/tra-2018-37
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create