SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #95
December 4, 2018
****************************************************************************
SANS NewsBites December 4, 2018 Vol. 20, Num. 95
****************************************************************************
TOP OF THE NEWS
US OMB and CIO Council Open Cyber Reskilling Pathway for Federal Employees
Marriott Starwood Breach
China Intensifies Cyberespionage Targeting US Organizations
REST OF THE WEEK'S NEWS
US Senators Introduce Global Electoral Exchange Act
House Passes SMART IoT Act
Citrix Changes ShareFile Password Policy
Malicious Apple Fitness Apps Use TouchID to Trick Users into Approving Exorbitant Charges
Kubernetes Releases Updates to Fix Critical Privilege Elevation Flaw
Windows Active Directory Setting Found to be Effective Against NotPetya-Like Worm
Signet Jewelers Fixes Purchase Data Exposure Hole on Websites
INTERNET STORM CENTER TECH CORNER
****************************************************************************
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.
https://www.sans.org/online-security-training/specials/
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By ************************************
Read this Executive Brief from CSO, Closing the Cybersecurity Gap: 3
Keys to an Analytics-Driven Security, to learn how you can improve your
security posture and gain real bottom-line benefits.
http://www.sans.org/info/208895
*****************************************************************************
TOP OF THE NEWS
--US OMB and CIO Council Open Cyber Reskilling Pathway for Federal Employees
(November 30, 2018)
The US Office of Management and Budget (OMB), along with the Department of Education and the CIO Council, is launching the Federal Cyber Reskilling Academy, which will train current federal employees to become cyber defense analysts. The program is open to any federal employee who does not currently work in the cyber or IT fields. Applications for the program opened on November 30, 2018; they close on January 11, 2019. In mid-January, applicants will be sent links to online critical thinking and problem-solving skills assessments; the members of the first cohort will be chosen starting in late February 2019. The three-month training program will begin on March 11.
[Editor Comments]
[Neely] While applicants will need to pass the screening processes (critical thinking/problem solving), the reward is top quality training and certification. Federal employees with any interest in Cyber Security should apply.
[Honan] Too often people see a career in cybersecurity as a quick way to earn money due to the skills shortage. However, a good cybersecurity professional is not just technically proficient but needs skills such as problem solving and critical thinking. I think this is a great move.
[Paller] The aptitude and capabilities identified in the Federal Reskilling Program's Aptitude Test are valuable for other high-paid careers such as advanced software development. In the largest global survey of employers and employees of software developers, specific programming skills were essential, but proven problem-solving skills were ranked by employers as nearly twice as important as a core competency.
https://research.hackerrank.com/developer-skills/2018/
Read more in:
FNN: Federal Cyber Reskilling Academy to retrain federal employees as cyber defense analysts
Fifth Domain: White House launches cyber reskilling academy for feds
FCW: OMB looks to retrain feds to fill cyber needs
https://fcw.com/articles/2018/11/30/cyber-reskill-omb-gunter.aspx
CIO.gov: Federal Cyber Reskilling Academy
https://www.cio.gov/reskilling/
--Marriott Starwood Breach
(November 30 & December 1, 2018)
The intrusion that initiated the Marriott Starwood data breach occurred in 2014. The breach compromised personal information of as many as 500 million customers. The affected data include names, birth dates, information about trips and reservations, and passport numbers. The breach was detected in early September 2018, but its scope was not determined until mid-November, when investigators found an encrypted version of the entire Starwood reservation database on the web.
[Editor Comments]
[Ullrich] First of all, it would be nice if the company Marriott hired for the web monitoring service cared enough about information security to allow passwords longer than 15 characters (which actually likely indicates that passwords are not hashed). Secondly: If you are affected by a breach like this (who isn't?), think beyond the hype. 500 million lost records is a large number. But for most of us, this is luckily not the breach to worry about. Most of us just lost payment card data and maybe data like usernames and passwords. I absolutely do not care about how many times my credit card data is stolen each year. Credit card companies/banks don't care, and they bear the financial burden. If they would care, they would fix it. As for my Marriott/SPG password: Not using the same password at any other sites makes this a non-event for me. Probably the most sensitive piece of information lost in this case is passport data (if you had that information stored with Marriott). It would be nice for Marriott to list exactly what information they believe was stolen for a particular account. But again, that would require them to care.
[Neely] When you take remediation steps, address both your Marriott and SPG accounts, if you haven't combined them. Given the number of hotel chains under the Marriott/Starwood brand, don't assume you haven't stayed in one of their properties; proactively check.
Read more in:
Wired: How to Protect Yourself From the Giant Marriott Hack
https://www.wired.com/story/marriott-hack-protect-yourself/
The Register: Marriott's Starwood hotels mega-hack: Half a BILLION guests' deets exposed over 4 years
https://www.theregister.co.uk/2018/11/30/marriott_starwood_hotels_500m_customer_records_hacked/
SC Magazine: Marriott breach exposes more than just customer info
https://www.scmagazine.com/home/security-news/marriott-breach-exposes-more-than-just-customer-info/
KrebsOnSecurity: What the Marriott Breach Says About Security
https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
--China Intensifies Cyberespionage Targeting US Organizations
(November 29, 2018)
China has stepped up its cyberespionage efforts to obtain technological information from the US. Three years ago, the US and China reached an agreement that ostensibly ended China's practice of stealing intellectual property from US organizations. The attacks did decrease for about a year and a half, but began again shortly after the current administration took office.
Read more in:
NYT: After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology
https://www.nytimes.com/2018/11/29/us/politics/china-trump-cyberespionage.html
************************** SPONSORED LINKS ********************************
1) 12 Days of Thycotic is here! Sign up now for free cyber security
giveaways. Get loads of cyber security gifts and resources this holiday
season with 12 Days of Thycotic! Sign up now.
http://www.sans.org/info/208900
2) Learn how VMRay Analyzer's IDA Pro Plugin enriches static analysis
with behavior-based results. http://www.sans.org/info/208905
3) Does your vulnerability management program cover your organization's
cloud workloads, partner access, IoT and industrial control systems?
Take the SANS Survey and enter to win a $400 Amazon gift card |
http://www.sans.org/info/208910
*****************************************************************************
REST OF THE WEEK'S NEWS
--US Senators Introduce Global Electoral Exchange Act
(November 30 & December 3, 2018)
US senators have introduced the Global Electoral Exchange Act, a bill that would establish a State Department-based program to share election security information with other countries. Under the program, the State Department would offer grants to US non-profit groups involved in election security issues so that they can share information with similar organizations in other countries. The program would also provide opportunities for US elections officials to visit other countries to observe their elections security practices, and for foreign elections officials to visit the US for the same purpose. The House unanimously passed similar legislation earlier this year.
Read more in:
The Hill: Bipartisan pair of senators introduces bill to create global election security information sharing program
MeriTalk: Senators Introduce International Election Security Bill
https://www.meritalk.com/articles/senators-introduce-international-election-security-bill/
--House Passes SMART IoT Act
(November 29, 2018)
The House of Representatives has passed the SMART IoT Act, which "direct[s] the Secretary of Commerce to conduct a study and submit to Congress a report on the state of the internet-connected devices industry in the United States." The bill now goes to the Senate, with just two weeks left in the legislative session. If enacted, the Department of Commerce would have one year to provide Congress with a report that includes a survey of the internet-connected devices industry, conducted through outreach to participating entities, as well as information about agencies with jurisdiction over the identified entities and existing related regulations and standards.
Read more in:
FCW: House passes SMART IoT Act
https://fcw.com/articles/2018/11/29/house-smart-iot-act.aspx
Congress.gov: H.R.6032 - SMART IoT Act
https://www.congress.gov/bill/115th-congress/house-bill/6032
--Citrix Changes ShareFile Password Policy
(December 4, 2018)
Over the weekend, users of Citrix's ShareFile service were forced to change their passwords. Citrix says that the forced password reset is not due to a breach, but an effort to stay ahead of hackers who may try stolen access credentials on other accounts. Citrix says that users will be required to reset their passwords at regularly scheduled intervals.
[Editor Comments]
[Pescatore, Murray, and Neely] It is pretty much standard advice to change compromised passwords on any other sites where you are using them, so Citrix doing a forced reset has a certain logic to it. But, we know from years of past experience that forcing quarterly password resets generally results in *lower* security and we know that large scale breaches are occurring at least quarterly, so I don't think this ends up increasing security. I'd much, much rather see Citrix use these events as opportunities to convince users to migrate to ShareFile's Two Step Verification and see Citrix work to make two-factor authentication work with corporate logins and custom home pages.
[Ullrich] Forcing users to periodically change their passwords has been shown to be ineffective and often counterproductive. However, accounts should be locked if the password was reused and leaked in a breach of a different organization, or if the account was idle for an extended time. For the first case, Troy Hunt does an excellent job in providing data to allow organizations to recognize if a password was shared. The second case very much depends on the organization's business, but disabling accounts that have not been used, and forcing users to use a reset procedure to re-enable them, will prevent some credential stuffing attacks. Just make sure that the reset procedure is implemented correctly.
[Honan] Most up-to-date guidance is for users not to regularly change passwords, as this leads to password reuse and variations of the same password (see the UK's National Cyber Security Centre's password guidance, Password Guidance: Simplifying Your Approach: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach). Cloud providers, like Citrix, should look to enforcing Multi Step and/or Multi Factor authentication for their users.
Read more in:
The Register: Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit
https://www.theregister.co.uk/2018/12/04/password_change_for_sharefile/
ShareFile: ShareFile System Status - December 1st, 2018 Note -
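The two account controls Ullrich describes above (lock an account whose password appears in a breach corpus, disable an account that has gone idle) can be expressed as a small authentication-time policy. The example below is added here and is not code from Citrix, ShareFile or Troy Hunt's service; it reimplements the k-anonymity range lookup that Pwned Passwords uses (only the first five hex characters of the SHA-1 are sent to the service, the 35-character suffix is compared locally) against a constructed range response, so it runs offline. The idle threshold of 180 days, the sample dates and the counts in the sample response are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest of a password into the 5-character
    prefix that is sent to the range endpoint and the 35-character suffix that
    never leaves the host (the k-anonymity model used by Pwned Passwords)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Return how often the password appears in a range response, 0 if absent.
    Each response line has the form '<35 hex chars>:<count>'."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def idle_days(last_login: date, today: date) -> int:
    return (today - last_login).days


def account_action(password: str, range_response: str,
                   last_login: date, today: date,
                   max_idle_days: int = 180) -> str:
    """Policy evaluated at authentication time, when the submitted password is
    transiently available: 'lock' (force a reset) if the password is in the
    breach corpus, 'disable' if the account is idle past the threshold, else 'ok'.
    The 180-day threshold is an assumed value; tune it to the business."""
    if breach_count(password, range_response) > 0:
        return "lock"
    if idle_days(last_login, today) > max_idle_days:
        return "disable"
    return "ok"


# Constructed sample range response for the prefix of "password": the real
# suffix is derived at runtime, the two other suffixes and all counts are made up.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0" * 35 + ":7",
    f"{SAMPLE_SUFFIX}:12345",
    "F" * 35 + ":1",
])

# Constructed sample dates for the idle-account rule.
TODAY = date(2018, 12, 4)
RECENT_LOGIN = TODAY - timedelta(days=3)
STALE_LOGIN = TODAY - timedelta(days=400)

if __name__ == "__main__":
    print(SAMPLE_PREFIX, account_action("password", SAMPLE_RANGE_RESPONSE, RECENT_LOGIN, TODAY))
    print(account_action("correct horse battery staple", SAMPLE_RANGE_RESPONSE, STALE_LOGIN, TODAY))
```

In production the range response comes from an HTTPS request for the prefix; the comparison logic and the decision are unchanged. Re-enabling a disabled account must go through the reset procedure Ullrich mentions, not through the same login form.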
--Malicious Apple Fitness Apps Use TouchID to Trick Users into Approving Exorbitant Charges
(December 3, 2018)
Apple has pulled several sketchy iOS fitness apps from the App Store after they were found to be tricking users into okaying US $120 payments using the company's TouchID fingerprint recognition feature. The Fitness Balance app, Calories Tracker app, and Heart Rate Monitor behaved like reasonable fitness apps, but they were found to be using a pop-up ruse to trick users into authorizing in-app payments. Users who have had funds stolen can contact Apple for a refund.
Read more in:
Wired: Watch Out For a Clever Touch ID Scam Hitting the App Store
https://www.wired.com/story/iphone-touch-id-scam-apps/
Threatpost: iOS Fitness Apps Robbing Money From Apple Victims
https://threatpost.com/ios-fitness-apps-robbing-money-from-apple-victims/139546/
Bleeping Computer: Scam iOS Fitness Apps Steal Money Through Apple Touch ID
ZDNet: Two iOS fitness apps tricked users into making TouchID payments
https://www.zdnet.com/article/two-ios-fitness-apps-tricked-users-into-making-touchid-payments/
Ars Technica: iOS apps used Touch ID feature to trick users into paying hefty fees
--Kubernetes Releases Updates to Fix Critical Privilege Elevation Flaw
(December 3, 2018)
The Kubernetes development team has released a trio of updates to fix a critical flaw that could be exploited to gain elevated privileges and steal data, inject code, or take down applications and services. The flaw could be exploited remotely and requires no user interaction. Users are urged to update to versions 1.10.11, 1.11.5, or 1.12.3. The problem is also fixed in the upcoming version 1.13.0.
Read more in:
The Register: Container code cluster-fact: There's a hole in Kubernetes
https://www.theregister.co.uk/2018/12/03/container_code_clusterfact_theres_a_hole_in_kubernetes/
ZDNet: Kubernetes' first major security hole discovered
https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/
Google Groups: Kubernetes Security Announcement - v1.10.11, v1.11.5, v1.12.3 released to address CVE-2018-1002105
https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88
GitHub: CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections #71411
https://github.com/kubernetes/kubernetes/issues/71411
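The practical first step for an operator is to check every API server against the fixed releases named in the announcement. The example below is added here (it is not Kubernetes project code); it parses the version strings that `kubectl version` prints for the server, treats anything on the 1.10, 1.11 and 1.12 branches below the listed fix as unpatched, treats 1.13.0 and later as fixed, and, because the announcement names no fixed release for older branches, reports those as needing an update as well. The cluster inventory is constructed for the example.

```python
from __future__ import annotations

import re

# Earliest fixed release on each branch, from the Kubernetes security
# announcement for CVE-2018-1002105 cited above.
FIXED_BY_BRANCH = {
    (1, 10): (1, 10, 11),
    (1, 11): (1, 11, 5),
    (1, 12): (1, 12, 3),
    (1, 13): (1, 13, 0),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from 'v1.12.2' or a full
    'Server Version: v1.11.4-gke.2' line; vendor build suffixes are ignored."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(text: str) -> bool:
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) >= FIXED_BY_BRANCH[branch]
    if branch > max(FIXED_BY_BRANCH):
        return True   # a branch newer than 1.13 carries the fix
    return False      # branch older than 1.10: no fixed release listed, treat as unpatched


def triage(server_versions: dict[str, str]) -> dict[str, str]:
    """Map each cluster name to 'patched' or 'UPDATE'."""
    return {name: ("patched" if is_patched(v) else "UPDATE")
            for name, v in server_versions.items()}


# Constructed inventory in the style of `kubectl version` server output.
SAMPLE_CLUSTERS = {
    "prod-east": "Server Version: v1.12.2",
    "prod-west": "Server Version: v1.11.5",
    "staging": "Server Version: v1.10.11-eks-1",
    "legacy": "Server Version: v1.9.11",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_CLUSTERS).items():
        print(f"{name:10s} {status}")
```

Feed it the server line of `kubectl version` from each context; managed offerings append their own build suffix, which the regex deliberately ignores.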
--Windows Active Directory Setting Found to be Effective Against NotPetya-Like Worm
(December 3, 2018)
UK security firm NCC Group was asked by a customer to create a less lethal version of the NotPetya malware and release it onto the customer's network so they could learn how to defend their systems from similarly destructive malware. During the exercise, NCC discovered that the 'Account is sensitive and cannot be delegated' Windows Active Directory setting, when applied to domain administrator accounts, hindered the worm's efforts to spread.
[Editor Comments]
[Honan] What is just as effective is restricting access to the Domain Administrator account, allocating dedicated domain admin accounts for administrators, and removing user accounts from the Domain Administrator groups. Using Microsoft Local Administrator Password Solution to manage local administrator access on PCs and laptops is also very effective. https://www.microsoft.com/en-ca/download/details.aspx?id=46899
Read more in:
The Register: Wanna save yourself against NotPetya? Try this one little Windows tweak
https://www.theregister.co.uk/2018/12/03/notpetya_ncc_eternalglue_production_network/
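The setting NCC found effective is the NOT_DELEGATED bit (0x100000) of the userAccountControl attribute. An administrator can audit which privileged accounts still lack it from a directory export. The example below is added here and is not NCC Group or Microsoft code; it reads a constructed, simplified CSV export (group names are shortened placeholders rather than full distinguished names, and `memberOf` values are assumed to be `;`-separated) and lists enabled members of a privileged group that do not carry the flag.

```python
from __future__ import annotations

import csv
import io

# userAccountControl bits. 0x100000 is the "Account is sensitive and cannot
# be delegated" checkbox; 0x2 marks a disabled account.
UF_ACCOUNTDISABLE = 0x0002
UF_NOT_DELEGATED = 0x100000


def is_not_delegated(uac: int) -> bool:
    return bool(uac & UF_NOT_DELEGATED)


def is_enabled(uac: int) -> bool:
    return not uac & UF_ACCOUNTDISABLE


def audit_delegation(export_csv: str,
                     privileged_group: str = "CN=Domain Admins") -> list[str]:
    """Return the sAMAccountNames of enabled members of privileged_group whose
    userAccountControl lacks UF_NOT_DELEGATED. Disabled accounts are skipped;
    they cannot be used by a worm until someone re-enables them."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups = row["memberOf"].split(";")          # assumed separator
        uac = int(row["userAccountControl"])
        if privileged_group in groups and is_enabled(uac) and not is_not_delegated(uac):
            findings.append(row["sAMAccountName"])
    return findings


# Constructed export. 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
# 1114624 = the same plus NOT_DELEGATED, 66050 = 66048 plus ACCOUNTDISABLE.
SAMPLE_EXPORT = """\
sAMAccountName,memberOf,userAccountControl
Administrator,CN=Domain Admins;CN=Administrators,66048
jdoe-da,CN=Domain Admins,1114624
jdoe,CN=Domain Users,512
svc-backup,CN=Domain Admins,66050
"""

if __name__ == "__main__":
    for name in audit_delegation(SAMPLE_EXPORT):
        print(f"{name}: privileged, enabled, delegation not restricted")
```

The same bit test works on a live LDAP query result; the point of the script is to turn a one-time finding from an exercise into a recurring check.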
--Signet Jewelers Fixes Purchase Data Exposure Hole on Websites
(December 3, 2018)
The parent company of jewelry retailers Jared and Kay Jewelers has fixed a vulnerability on their websites that could have been exploited to expose the order information of all online customers. The company initially addressed the issue only partially, protecting all future purchases. It later fixed the problem so that past order information was not exposed.
[Editor Comments]
[Neely] The OWASP Top Ten A2 addresses weak or broken authentication and session management. In short, a reminder that creating your own algorithm for generating authentication or session tokens can lead to their being easily guessed/manipulated. Additionally, when obtaining a bug report be sure to capture the entire scope of the flaw so you don't find the gaps the hard way. Kudos to Brandon Sheehy for escalating the issue to ensure the bug was fully fixed.
Read more in:
KrebsOnSecurity: Jared, Kay Jewelers Parent Fixes Data Leak
https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
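Neely's point about home-grown token algorithms has a short, standard remedy: draw the token from the operating system's CSPRNG, store only a hash of it on the server, and bind it to an expiry. The example below is added here and is not Signet's code or a description of its fix; it shows that pattern with an in-memory store, and the one-hour lifetime and 32-byte token size are assumed values.

```python
from __future__ import annotations

import hashlib
import secrets

TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG; nothing derivable from order numbers or clocks
SESSION_TTL_SECONDS = 3600  # assumed lifetime for the example


def new_session_token() -> str:
    """Opaque, URL-safe token with no structure for a client to guess or increment."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def token_fingerprint(token: str) -> str:
    """The server keeps only this hash, so a leaked session table cannot be replayed."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, ttl_seconds: int = SESSION_TTL_SECONDS) -> None:
        self._ttl = ttl_seconds
        self._sessions: dict[str, tuple[str, int]] = {}   # fingerprint -> (user_id, expires_at)

    def create(self, user_id: str, now: int) -> str:
        token = new_session_token()
        self._sessions[token_fingerprint(token)] = (user_id, now + self._ttl)
        return token

    def resolve(self, token: str, now: int) -> str | None:
        """Return the user bound to the token, or None if unknown or expired.
        Expired entries are dropped on first sight."""
        key = token_fingerprint(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(key, None)
            return None
        return user_id

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token_fingerprint(token), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("customer-42", now=1000)
    print(len(token), store.resolve(token, now=1500), store.resolve(token, now=5000))
```

Because the token is looked up by its hash, the comparison never touches the raw secret and a database dump yields nothing an attacker can present to the site.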
INTERNET STORM CENTER TECH CORNER
KingMiner Improved Cryptomining
https://research.checkpoint.com/kingminer-the-new-and-improved-cryptojacker/
Autocad Malware
https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft
US-Cert Releases SamSam Alerts
https://www.us-cert.gov/ncas/alerts/AA18-337A
Kubernetes Patches
https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88
Siglent Technologies Oscilloscope Vulnerabilities
https://seclists.org/fulldisclosure/2018/Nov/68
Word Maldoc: Yet Another Place to Hide a Command
https://isc.sans.edu/forums/diary/Word+maldoc+yet+another+place+to+hide+a+command/24370/
Malicious iOS Apps Trick Users into Making Payments
https://www.welivesecurity.com/2018/12/03/scam-ios-apps-promise-fitness-steal-money-instead/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create