SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #99
December 18, 2018
Russian Disinformation Operations Better Understood; US Ballistic Missile Defense System Cybersecurity Problems; UK GCHQ: How to Circumvent the End-to-End Encryption Problem
2018 NetWars Military Service Cup Results: The Air Force beat the Army (last year's winner), Navy, Marines and Coast Guard teams in this year's Service Cup competition held in Washington, DC. Lt. Gen. Edward Cardon presented the awards.
****************************************************************************
SANS NewsBites Dec. 18, 2018 Vol. 20, Num. 99
****************************************************************************
TOP OF THE NEWS
Russian Disinformation Operations
US Ballistic Missile Defense System Audit Finds Cybersecurity Problems
GCHQ Officials Suggest How to Circumvent the End-to-End Encryption Problem
REST OF THE WEEK'S NEWS
Updated Shamoon Infected Computers at Three Organizations
Signal Says It Cannot Include a Backdoor in its App
Facial Recognition Technology Used at Taylor Swift Concert in May
Crowdstrike's Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network
Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients
Facebook Photos Exposed to App Developers
Facebook Privacy Pop-Up Kiosk
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Last Chance this year to Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive. Offer Ends December 26.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By SANS ******************************
Attend SANS Open-Source Intelligence Summit in Washington, DC; February 25
This inaugural Summit will bring together leading security practitioners
and investigators to share proven techniques and tools that can be
applied to OSINT gathering and analysis. You'll get practical methods
for collecting and leveraging available information across the Internet.
http://www.sans.org/info/209300
*****************************************************************************
TOP OF THE NEWS
--Report on Russian Disinformation Operations
(December 17, 2018)
A report commissioned by the US Senate Select Committee on Intelligence (SSCI) details analysis of the Russian Internet Research Agency (IRA) propaganda group's influence operations targeting American citizens from 2014 through 2017. Among the report's key findings: there are "active and ongoing interference operations on several [social media] platforms"; there were extensive operations targeting Black-American communities; and the influence activity fomented both secessionist and insurrectionist sentiments. The report was created by researchers from cybersecurity firm New Knowledge; Canfield Research, LLC; and the Tow Center for Digital Journalism at Columbia University.
[Editor Comments]
[Pescatore] The Russian campaign focused on influencing the US presidential election, but the same tactics have and will be used in stock price manipulation and brand attacks. This is an area where marketing organizations are employing brand abuse monitoring services, fraud programs that take a different look, and email anti-phishing offerings that often include some overlap; a good area for security teams to check around the company and work to integrate efforts.
Read more in:
Wired: How Russian Trolls Used Meme Warfare to Divide America
https://www.wired.com/story/russia-ira-propaganda-senate-report/
BBC: Russia 'meddled in all big social media' in US election, says report
https://www.bbc.com/news/technology-46590890
Cyberscoop: Russian disinformation ops were bigger than we thought
https://www.cyberscoop.com/russian-information-operations-senate-intelligence-committee/
Washington Post: New report on Russian disinformation, prepared for the Senate, shows the operation's scale and sweep
Disinformation Report: The Tactics & Tropes of the Internet Research Agency
--US Ballistic Missile Defense System Audit Finds Cybersecurity Problems
(December 10, 14, 15, & 17, 2018)
According to a report from the US Department of Defense (DOD) Office of Inspector General (OIG), cyber protection for US ballistic missile defense systems (BMDS) lacks sufficient security. BMDS is designed to detect and intercept incoming missiles before they reach their targets. Nearly five years ago, the DOD CIO directed DOD to implement NIST security controls for systems protection. The report says that BMDS facilities have not fully implemented multi-factor authentication, do not consistently encrypt transmitted data, and that some known vulnerabilities remain unpatched. The facilities also failed to protect and monitor classified data stored on removable media, and lacked intrusion detection capabilities on classified networks.
Read more in:
Threatpost: U.S. Ballistic Missile Defense System Rife with Security Holes
https://threatpost.com/ballistic-missile-security-holes/140019/
Nextgov: Poor Security Could Leave U.S. Defenseless Against Missile Attacks
Bleeping Computer: U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
SC Magazine: DoD Inspector General finds multiple flaws in missile defense system cybersecurity
DODIG: Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information DODIG-2019-034
--GCHQ Officials Suggest How to Circumvent the End-to-End Encryption Problem
(November 29 & 30, 2018)
In an essay titled "Principles for a More Informed Exceptional Access Debate", Ian Levy, Technical Director of the National Cyber Security Centre, and Crispin Robinson, Technical Director for Cryptanalysis at GCHQ, describe how they envision law enforcement might intercept communications protected by end-to-end encryption. Levy and Robinson suggest that law enforcement could be silently added to a chat or a call by a service provider. The authors maintain that their solution "seems to be no more intrusive than the virtual crocodile clips that [are] authorize[d] today in traditional voice intercept solutions."
Read more in:
Lawfare Blog: Principles for a More Informed Exceptional Access Debate
https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate
ZDNet: GCHQ details how law enforcement could be silently injected into communications
TechCrunch: GCHQ's not-so-smart idea to spy on encrypted messaging apps is branded 'absolute madness'
*****************************************************************************
1) Don't Miss: "Defeating Attackers with Preventive Security" with Dave
Shackleford. Register: http://www.sans.org/info/209305
2) Does your vulnerability management program cover your organization's
cloud workloads, partner access, IoT and industrial control systems?
Take the SANS Survey and enter to win a $400 Amazon gift card |
http://www.sans.org/info/209310
3) How are you using the public cloud to meet your business needs? What
challenges do you face? | Take the SANS Cloud Survey and enter to win a
$400 Amazon gift card | http://www.sans.org/info/209315
*****************************************************************************
REST OF THE WEEK'S NEWS
--Updated Shamoon Infected Computers at Three Organizations
(December 17, 2018)
A new variant of the Shamoon data-wiping malware is being used against organizations in Saudi Arabia and the United Arab Emirates (UAE). Shamoon first appeared in 2012 when it was used to destroy more than 30,000 PCs belonging to Saudi Aramco. The new variant includes a component that erases files before wiping the master boot record, which makes it nearly impossible to recover data from a successfully infected machine. Italian oil service firm Saipem has disclosed its experience with the new Shamoon; Symantec says that at least two other organizations have seen machines infected with it.
[Editor Comments]
[Murray] Enterprise data must be stored on servers with least privilege as the access control strategy, not on the desktop with read/write as the default access control rule.
Read more in:
Dark Reading: Disk-Wiping 'Shamoon' Malware Resurfaces With File-Erasing Malware in Tow
Bleeping Computer: Shamoon Disk Wiper Returns with Second Sample Uncovered this Month
Saipem: Saipem: Update On The Cyber Attack Suffered
--Signal Says It Cannot Include a Backdoor in its App
(December 13, 14, & 15, 2018)
In a December 13 blog post, Signal developer Joshua Lund expresses the organization's frustration with Australia's new Assistance and Access bill, noting that "attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development." Lund says that Signal cannot include a backdoor and that "the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us."
Read more in:
Signal: Setback in the outback
https://signal.org/blog/setback-in-the-outback/
ZDNet: Signal: We can't include a backdoor in our app for the Australian government
Motherboard: Encrypted Messaging App Signal Says It Won't Comply With Australia's New Backdoor Bill
https://motherboard.vice.com/en_us/article/nep5vb/signal-app-australia-encryption-backdoor-bill
--Facial Recognition Technology Used at Taylor Swift Concert in May
(December 12, 13, & 15, 2018)
Taylor Swift's security team used facial recognition technology at a May 2018 Rose Bowl concert to identify known stalkers. The technology was embedded in a kiosk that was playing clips of Swift's rehearsals; as concert-goers looked into the screen, a camera looked back at them. The captured images of concert-goers' faces were sent to a command center to be cross-referenced against a database of known stalkers. It is not known if concert-goers were aware that the technology was in use. Use of facial recognition technology in public places at large events is gaining traction; the 2020 Summer Olympics in Tokyo plans to use the technology for staff and athlete security checks.
Read more in:
The Register: Taylor's gonna spy, spy, spy, spy, spy... fans can't shake cam off, shake cam off
https://www.theregister.co.uk/2018/12/13/taylor_swift_facial_recognition/
CNET: Taylor Swift reportedly used facial recognition tech to identify stalkers
https://www.cnet.com/news/taylor-swift-reportedly-used-facial-recognition-tech-to-identify-stalkers/
Rolling Stone: Why Taylor Swift Is Using Facial Recognition at Concerts
https://www.rollingstone.com/music/music-news/taylor-swift-facial-recognition-concerts-768741/
--Crowdstrike's Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network
(December 14, 2018)
According to Crowdstrike's Cyber Intrusion Services Casebook 2018, a single laptop used at a coffee shop was infiltrated and used to gain access to an unnamed company's entire corporate network. The laptop user reached the website of a partner organization through a phishing email. In this particular case, the hackers exploited a misconfiguration in the company's Active Directory implementation that granted unnecessary privileges. The security software that the affected company used detected threats only when the device was being used within the organization's network.
Read more in:
ZDNet: How one hacked laptop led to an entire network being compromised
https://www.zdnet.com/article/how-one-hacked-laptop-led-to-an-entire-network-being-compromised/
--Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients
(December 14, 2018)
A Huffington Post report alleges that Cloudflare is providing cybersecurity services to seven groups that are under sanctions from the US Treasury Department; of those, six are identified as foreign terrorist groups by the US State Department.
[Editor Comments]
[Pescatore] All service providers have to deal with the "know your customer" issue and all the various sanctions that home country law places on doing business with blacklisted nations and countries. At any given time, many large service providers have compliance issues; the key is how quickly they deal with known or reported violations.
Read more in:
Huffington Post: U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups
https://www.huffingtonpost.com/entry/cloudflare-cybersecurity-terrorist-groups_us_5c127778e4b0835fe3277f2f
CNET: Cloudflare customers reportedly include foreign terrorist groups under US sanctions
https://www.cnet.com/news/cloudflare-customers-reportedly-include-foreign-terrorist-groups/
Gizmodo: Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites
https://gizmodo.com/cloudflare-under-fire-for-allegedly-providing-ddos-prot-1831107649
--Facebook Photos Exposed to App Developers
(December 14, 2018)
On Friday, December 14, Facebook acknowledged yet another data privacy mistake: for a two-week period in September 2018, more than 850 third-party app developers had access to photos belonging to 6.8 million Facebook users, regardless of the permissions users had granted. Facebook says the data leak problem was fixed on September 25.
[Editor Comments]
[Northcutt] I do not believe there ever was, or ever will be, such a thing as a private photo posted to social media, no matter what the platform.
Read more in:
Wired: Facebook Exposed 6.8 Million Users' Photos to Cap Off a Terrible 2018
https://www.wired.com/story/facebook-photo-api-bug-millions-users-exposed/
The Register: Stop us if you've heard this one: Facebook apologizes for bug leaking private photos
https://www.theregister.co.uk/2018/12/14/facebook_leaking_private_photos/
ZDNet: Facebook bug exposed private photos of 6.8 million users
https://www.zdnet.com/article/facebook-bug-exposed-private-photos-of-6-8-million-users/
Ars Technica: "We're sorry," Facebook says, again: new photo bug affects millions
Cyberscoop: Facebook bug gave developers access to private photos of 6.8 million users
https://www.cyberscoop.com/facebook-photo-api-bug-december-2018/
--Facebook Privacy Pop-Up Kiosk
(December 12 & 13, 2018)
Last week, at the end of a year filled with data privacy troubles, Facebook set up a kiosk at a holiday market in New York City that was staffed with employees ready to answer people's questions about privacy, advertisements, and the company's data collection practices. Facebook is making a concerted effort to be clear that they are not in the business of selling users' personal data. A New York Times Op-Ed piece says that assertion is "semantic skullduggery," observing that Facebook's practice of making sure advertisers' ads are shown to their desired target audience is tantamount to selling user data.
[Editor Comments]
[Neely] Privacy controls can be confusing. Kudos to Facebook for spreading understanding; users need to remember the slippery slope of expecting online information to remain private.
[Murray] There are two kinds of Facebook users: the knowledgeable and the naive. Neither expects privacy from Facebook.
Read more in:
Wired: At a New York Privacy Pop-Up, Facebook Sells Itself
https://www.wired.com/story/facebook-nyc-privacy-pop-up/
New York Times: Congress May Have Fallen for Facebook's Trap, but You Don't Have To
https://www.nytimes.com/2018/12/12/opinion/facebook-data-privacy-advertising.html
INTERNET STORM CENTER TECH CORNER
Magellan SQLite Vulnerability
https://blade.tencent.com/magellan/index_en.html
Logitech Options Vulnerability
https://bugs.chromium.org/p/project-zero/issues/detail?id=1663
Intel NUC BIOS Protection Flaw
https://embedi.org/blog/nuclear-explotion/
HiddenTear Ransomware Decrypter
Password Protected ZIP with Maldoc
https://isc.sans.edu/forums/diary/Password+Protected+ZIP+with+Maldoc/24426/
Memes Used as Covert Command and Control Channel
Shamoon Disk Wiper Malware is Back
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create