SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #10
February 5, 2019NERC Fines Utility US $10 Million for Violations That Put Bulk Power System at Risk; US Senator Introduces Security Clearance Modernization Bill
****************************************************************************
SANS NewsBites Feb. 5, 2018 Vol. 21, Num. 010
****************************************************************************
TOP OF THE NEWS
NERC Fines Utility US $10 Million for Violations That Put Bulk Power System at Risk
US Senator Introduces Security Clearance Modernization Bill
REST OF THE WEEKS NEWS
WhatsApp Update Adds Biometric Authentication Option
FCC Faces Questioning Over Net Neutrality Repeal in Appellate Court
Cryptocurrency Funds Frozen After Death of Founder
Mozilla Halts Firefox 65 Rollout After Problems with Avast; Firefox 66 Will Include Man-in-the-Middle Warning Feature
Authorities are Going After WebStresser Users
SIM-Swapping Sentence
Cybercriminals Exploiting SS7 Flaw to Intercept 2FA Messages and Steal Funds from Bank Accounts
Lawmakers Want Information About How Shutdown Affected Federal Cybersecurity
Russian Hackers Targeted DC Think Tank
Apple to Issue Update to Address FaceTime Flaw
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- SANS Baltimore Spring 2019 | March 2-9 | https://www.sans.org/event/baltimore-spring-2019
-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019
-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive. Offer Ends February 6.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By SANS ************************************
New Blog: The Director of National Intelligence calls cyber threat intelligence a core capability. Read Deb Radcliffs latest blog in our SANS Insights Security Blog:
http://www.sans.org/info/210095
*****************************************************************************
TOP OF THE NEWS
--NERC Fines Utility US $10 Million for Violations That Put Bulk Power System at Risk
(February 1, 2019)
The North American Electric Reliability Corporation (NERC) has fined a Regional Entity US$10 million for violations of Critical Infrastructure Protection (CIP) NERC Reliability Standards over a four-year period. The fine was disclosed in a regulatory filing that does not name the entity or list the specifics of the violations. The entity has been identified elsewhere as Duke Energy Corp., an electric power holding company based in Charlotte, NC. Thirteen of the CIP violations are deemed a serious risk to the countrys bulk power system.
[Editor Comments]
[Pescatore] It is hard to track NERC enforcement against that are purely cybersecurity-related, but it looks like that over the past two years CIP fines have gone from $180,000 to $2.7M to now $10M. Those three data points make a nice trend chart to show management if you are facing resistance over funding basic security hygiene controls in the power industry.
Read more in:
Security Ledger: Updated: Secrecy Reigns as NERC Fines Utilities $10M citing Serious Cyber Risks
EENews: Duke agreed to pay record fine for lax securitysources
https://www.eenews.net/stories/1060119265
NERC: Enforcement Actions 2019
https://www.nerc.com/pa/comp/CE/Pages/Actions_2019/Enforcement-Actions-2019.aspx
--US Senator Introduces Security Clearance Modernization Bill
(February 1 & 4, 2019)
US Senator Mark Warner (D-Virginia) has introduced legislation to modernize and (speed up) the process for government security clearances. The bill aims to take advantage of new technologies to help clear a backlog, and allow the government to hire strong job candidates more quickly. In a letter to acting White House Chief of Staff Mick Mulvaney, Deputy Director of OMB and Acting Director of OPM Margaret Wiechert, Director of National Intelligence Dan Coats, and Under Secretary of Defense for Intelligence Joseph Kernan, Warner writes The current vetting process for security clearances and positions of trust is too complicated, takes too long, costs too much, and fails to capitalize on modern technology and processes.
[Editor Comments]
[Neely] Obtaining a DOE Q clearance (DoD TS plus access for Restricted Data) takes about two years currently due to the backlog. The prospect of reducing that to 90 days is very attractive. OPM has two challenges: (1) the time each part of the investigation workflow takes, including handoffs, and (2) retaining trained, cleared staff to complete that work. Each year special task forces are formed to chip away at the backlog. This bill attempts to re-engineer the process by not only using more modern technology and approaches, but also through a re-examination of the SF-86 itself, resulting in a less onerous task requiring fewer resources. At risk is sufficient depth of investigation and reduction of reinvestigation which are key to assuring that workers are up to the task of protecting our nations most trusted information.
Read more in:
Warner: Vice Chairman Warner Reintroduces Legislation to Revamp Security Clearance Process
https://www.warner.senate.gov/public/index.cfm/pressreleases?id=4C3DD642-E585-424E-9154-D9D42926C50C
MeriTalk: Warner Reintroduces Bill to Modernize Security Clearance Process
https://www.meritalk.com/articles/warner-reintroduces-bill-to-modernize-security-clearance-process/
Scribd: Modernizing the Trusted Workforce for the 21st Century Act of 2019 (text of bill)
https://www.scribd.com/document/398667956/Bag-19069
Scribd: Modernizing the Trusted Workforce for the 21st Century Act (information)
https://www.scribd.com/document/395101910/Modernizing-the-Trusted-Workforce-for-21st-Century-Act
Scribd: Warners Letter to Mulvaney, Wiechert, Coats, and Kernan
https://www.scribd.com/document/398667957/Mulvaney-Weichert-Coats-Kernan-VC-Warner-31JAN19
**************************** SPONSORED LINKS ******************************
1) The 14th Annual ICS Security Summit - Orlando, FL - Mar 18-19. http://www.sans.org/info/210100
2) Don't Miss "Modern AppSec Tools for Modern AppSec Problems: A Practical Introduction to the Next-Gen WAF" with Kelly Brazil of ThreatX. Register: http://www.sans.org/info/210120
3) Are your security controls and processes supporting your cloud environments? Take the SANS Cloud Security Survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/210110
*****************************************************************************
REST OF THE WEEKS NEWS
--WhatsApp Update Adds Biometric Authentication Option
(February 4, 2019)
A recent update to WhatsApp allows users to lock the app with biometric tools. WhatsApp version 2.19.20 on iPhones lets users lock the app with Face ID or Touch ID. A caveat: if users have set their notifications to allow message previews, those will still be visible and can be replied to without opening the app. Calls to WhatsApp can also be answered without unlocking the app. A version of WhatsApp with a biometric protection feature for Android is reportedly in beta testing.
[Editor Comments]
[Pescatore] Anything that reduces user reliance on reusable passwords is a step in the right direction.
[Neely] To get the benefit, not only enable locking the application, but also disable message preview. Locking the application is in addition to the device screen lock.
[Murray] Like passwords, biometrics are vulnerable to re-play attacks. They are more about convenience than security. They are best used (and are pretty much being used) as additional evidence in systems of strong authentication (e.g., possession of the mobile and the enrolled fingerprint or visage.) They are an alternative to a password. That said, they make security more convenient and their availability, at least as an alternative, will reduce the cost and inconvenience of good security.
Read more in:
Cyberscoop: WhatsApp adds biometric feature to help protect messages
https://www.cyberscoop.com/whatsapp-biometrics-faceid-touchid/
The Verge: WhatsApp can now be locked using Face ID or Touch ID
https://www.theverge.com/2019/2/4/18210197/whatsapp-touch-id-face-id-security
--FCC Faces Questioning Over Net Neutrality Repeal in Appellate Court
(February 1, 2019)
An appellate court panel of three judges questioned Federal Communications Commission (FCC) counsel about the process the agency used to repeal net neutrality rules. FCC lawyers were asked to defend the agencys position that broadband is not telecommunications, as well as its claims that the net neutrality rules impeded broadband investment.
Read more in:
WPost: Net neutrality: Federal judges had tough questions for the FCC
Ars Technica: FCC struggles to convince judge that broadband isnt telecommunications
CNET: Net neutrality gets its day in court
https://www.cnet.com/news/net-neutrality-goes-to-court/
--Cryptocurrency Funds Frozen After Death of Founder
(February 2 & 3, 2019)
The founder of Canadian cryptocurrency exchange QuadrigaCX, and the only individual holding the passwords to the companys cold wallets has died, leaving the company unable to access as much as US$190 million in cryptocurrency and fiat currency (legal tender). The company continued to operate for a month after the founders death using funds in its hot (live) wallet and in its fiat accounts. Canadian authorities have frozen the companys assets.
[Editor Comments]
[Williams] A few pundits have noted that this is a risk of doing business with a cryptocurrency exchange, but that's missing the bigger picture of using this as cautionary tale for enterprise disaster recovery plans. Most organizations I consult with today have a number of people who hold critical "keys to the kingdom" with little or no redundancy. Who in your organization has information and/or accesses that would result in serious financial risk if it suddenly unavailable became? This event can be used to motivate leadership to perform an inventory of these risks (and take corrective action).
Read more in:
ZDNet: $145 million funds frozen after death of cryptocurrency exchange admin
https://www.zdnet.com/article/145-million-funds-frozen-after-death-of-cryptocurrency-exchange-admin/
Gizmodo: Crypto Exchange Says It Can't Repay $190 Million to Clients After Founder Dies With Only Password
https://gizmodo.com/crypto-exchange-says-it-cant-repay-190-million-to-clie-1832309454
--Mozilla Halts Firefox 65 Rollout After Problems with Avast; Firefox 66 Will Include Man-in-the-Middle Warning Feature
(February 1 & 4, 2019)
Mozilla temporarily halted the rollout of Firefox 65 to some computers because of an issue with AVG and Avast antivirus that prevented Firefox 65 users from visiting HTTPS websites. The issue is due to the products HTTPS filtering feature. Mozilla temporarily stopped automatic updates to Windows machines. Avast has released a virus engine update for AVG and Avast antivirus that disables HTTPS filtering on Firefox altogether. With the release of Firefox 66, which is scheduled for March 19, 2019, the browser will include warnings about suspected man-in-the-middle (MitM) attacks. The feature is designed to detect when third-party apps are hijacking the browsers HTTPS traffic.
[Editor Comments]
[Pescatore] Chrome has had similar MITM warnings since 2017. Google and UC Berkeley users have done a study of user response to browser warnings and found that user adherence is pretty high for the active warnings that Chrome and Mozilla now useclose to 80% for phishing and malware warnings, though just under 40% for SSL warnings. Fears of habitual click-through have not proven truebrowsers are protecting the users that ISPs routinely allow to be exposed to unnecessary risks.
[Murray] Browsers are so open and complex that it is all but impossible to test them with all possible plug-ins. Avoid browsers in sensitive environments. Prefer apps for sensitive applications.
Read more in:
ZDNet: Windows Firefox 65 rollout halted by Mozilla: AV clash stopped users browsing
ZDNet: Firefox will soon warn users of software that performs MitM attacks
https://www.zdnet.com/article/firefox-will-soon-warn-users-of-software-that-performs-mitm-attacks/
--Authorities are Going After WebStresser Users
(February 1, 2019)
In April 2018, authorities in the UK, the U.S., and the Netherlands arrested the administrators of the WebStresser website, which offered DDoS-as-a-service, and took the site offline. Now authorities are going after people who used WebStressers services. In all, there are reportedly more than 250 customers being targeted. Police in the UK have already seized more than 60 personal electronic devices.
Read more in:
KrebsOnSecurity: 250 Webstresser Users to Face Legal Action
https://krebsonsecurity.com/2019/02/250-webstresser-users-to-face-legal-action/
--SIM-Swapping Sentence
(February 1 & 4, 2019)
A man who stole more than US$5 million worth of cryptocurrency through swapping the SIM cards used in mobile devices will be sentenced to 10 years in prison. Joel Ortiz accepted the sentence in a plea deal; his formal sentencing is scheduled for mid-March. Several other people suspected of SIM-swapping have also been arrested but their cases are not as far along. SIM-swapping involves an individual tricking a mobile carrier into transferring someone elses phone number to themselves. Once complete, the transfer allows the individual to hijack accounts and conduct other password resets that use the phone number as authentication.
[Editor Comments]
[Murray] The use of SMS for one-time passwords has been both convenient and effective, much more secure than reusable passwords and more convenient than tokens. Successful attacks against this method have exploited other vulnerabilities (social engineering in the provisioning of SIMs and phone numbers, social engineering of application support, and lack of authentication in SS7). The use of hardware or software tokens should be preferred for banking and similar applications.
Read more in:
Motherboard: Hacker Who Stole $5 Million By SIM Swapping Gets 10 Years in Prison
https://motherboard.vice.com/en_us/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison
Ars Technica: Man who stole $5M in cryptocurrency via SIM swap pleads guilty
--Cybercriminals Exploiting SS7 Flaw to Intercept 2FA Messages and Steal Funds from Bank Accounts
(January 31 & February 1, 2019)
Hackers are exploiting a vulnerability in the SS7 protocol to intercept two-factor authentication (2FA) messages and steal money from bank accounts. Telecommunications companies use SS7 to help them route Internet traffic around the world. The issue that the attackers are exploiting is that SS7 does not authenticate the source of a request to re-route traffic. The attack targeted customers of the UKs Metro Bank.
[Editor Comments]
[Pescatore] SS7 flaws were widely exposed in 2014; attacks exploiting those flaws happened in 2016/2017. Telcos that havent fixed or mitigated should be subject to fines for leaving critical infrastructure systems vulnerable.
[Neely] This highlights the problem with using SMS for 2 factor authentication. When implementing 2FA, select other methods for sending verification codes, e.g. hardware or software tokens. While vulnerable to interception, SMS for 2FA still raises the bar when compared to reusable password authentication.
Read more in:
Motherboard: Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts
https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
SC Magazine: SS7 exploited to intercept 2FA bank confirmation codes to raid accounts
--Lawmakers Want Information About How Shutdown Affected Federal Cybersecurity
(January 29, 30, & February 1, 2019)
In a letter to senior administration officials, six US senators asked for information on how the government shutdown may have affected efforts to defend federal systems from hackers. In his own letter to Department of Homeland Security (DHS) secretary Kirstjen Nielsen Senator Mark Warner (D-Virginia) wrote of his sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs. In a separate story, a cybersecurity testing company noted that during the shutdown, endpoint security and patching increased; however, the company also noted a decrease in network security during the shutdown due to expired SSL certificates.
Read more in:
The Hill: Cyberattack fears on the rise after shutdown, intel testimony
Politico: Democrats worry hackers exploited the shutdown
https://www.politico.com/story/2019/01/29/democrats-worry-hackers-exploited-the-shutdown-1127646
Politico: Legislators letter to Nielsen and Nakasone
https://www.politico.com/f/?id=00000168-9a63-d7af-a77d-dfe7af9f0002
Scribd: Warners letter to Nielsen
https://www.scribd.com/document/398487694/01-29-2019-MRW-Letter-to-Sec-Nielsen-Re-Cyber-Shutdown
Fifth Domain: Surprising ways the government shutdown actually boosted federal cybersecurity
--Russian Hackers Targeted DC Think Tank
(January 31, 2019)
Russian hackers who previously broke into systems of the DNC and Hilary Clintons presidential campaign have targeted the Center for Strategic and International Studies (CSIS), a Washington, DC think tank. According to a recent court filing, the hacking group, known as Fancy Bear, set up new websites and a mail server that mimicked CSIS. Microsoft seized some of the domains late last year.
Read more in:
Daily Beast: Russian DNC Hackers Launch Fresh Wave of Cyberattacks on U.S.
https://www.thedailybeast.com/russian-dnc-hackers-launch-fresh-wave-of-cyberattacks-on-us
--Apple to Issue Update to Address FaceTime Flaw
(January 30 & February 1, 2019)
Apple plans to release an iOS update to fix a flaw in FaceTime group chat that allowed users to listen and in some instances view the people they were calling before those people answered the call. Apple disabled FaceTime group chat last week to protect users from the vulnerability. Once the update has been released, it will re-enable the feature.
[Editor Comments]
[Neely] Use of FaceTime group chat will require new minimum OS versions to work, presumably iOS 12.1.4 and OS X 10.14.4. With the feature disabled for unpatched devices/operating systems, the updates can be tested and deployed as you would normal patches rather than an out-of-band update cycle.
Read more in:
BBC: Apple to issue fix for Facetime bug
https://www.bbc.com/news/technology-47088161
CSM: Apple to fix FaceTime bug that permits eavesdropping
https://www.csmonitor.com/Technology/2019/0130/Apple-to-fix-FaceTime-bug-that-permits-eavesdropping
INTERNET STORM CENTER TECH CORNER
Sextortion eMail Update
https://isc.sans.edu/forums/diary/Sextortion+Follow+the+Money+Part+3+The+cashout+begins/24592/
Ubiquiti Devices Used in DDoS Attack
YouTube Copyright Extortion
https://www.youtube.com/watch?v=Q0i-sLESXqo
Google Chrome Experimenting with Typo Domain Detection
https://www.usenix.org/conference/enigma2019/presentation/stark
Exploiting Struts in vCenter
Wikipedia Tech Support Scam
Stealing macOS Keychain
https://www.youtube.com/watch?v=nYTBZ9iPqsU
Beauty Camera Ads for Android Include Adware
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/creat
