SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #14
February 19, 2019
Maryland, Texas, Indiana Take the Lead in Cyber Talent Competition; China and Iran Stepping Up US Attacks; Israel's Hacking Hotline; Brokerages Targeted By Phishing Scheme
Texas, Indiana, Maryland, Iowa, Delaware, Georgia and New Jersey are off to a fast start in the national competition to determine which states can identify and develop world-class cyber talent among their high school and college students most quickly and effectively. Here are their governors' announcements (Note: their high school programs start with young women, but their college programs are open to all students who register in time):
* Texas Governor Abbott: https://gov.texas.gov/news/post/texas-to-partner-with-sans-institute-to-promote-cybersecurity-career-track-for-high-school-girls-and-all-college-students
* Indiana Governor Holcomb: https://calendar.in.gov/site/gov/event/nationwide-girls-go-cyberstart-competition-includes-indiana/
* Maryland Governor Hogan: http://www.dllr.state.md.us/whatsnews/girlsgocyberstart.shtml
* Iowa Governor Reynolds: https://governor.iowa.gov/2019/02/governor-reynolds-encourages-iowa-high-school-and-college-students-to-join-innovative
* Delaware Governor Carney: https://news.delaware.gov/2019/02/18/delawares-launches-girls-go-cyberstart-challenge/
* Georgia Governor Kemp: https://gov.georgia.gov/press-releases/2019-02-18/gov-kemp-announces-partnership-sans-institute-cyber-workforce-development
* New Jersey Governor Murphy: https://www.njhomelandsecurity.gov/media/governor-murphy-encourages-new-jersey-high-school-and-college-students-to-join-innovative-cybersecurity-competitions
****************************************************************************
SANS NewsBites Feb. 19, 2018 Vol. 21, Num. 014
****************************************************************************
TOP OF THE NEWS
China and Iran Stepping Up Attacks Against US Institutions
Israel's Hacking Hotline
FINRA Warns Brokerages of Phishing Scheme
REST OF THE WEEK'S NEWS
NATO Researchers Catfish Soldiers on Facebook
Google Earth Update Exposes Taiwan Military Bases
GAO to Congress: It's Time for Data Privacy Legislation
Chrome Will Alter FileSystem API to Prevent Sites From Blocking Incognito Browsing
Equifax Data's Absence From Dark Web Suggests the Breach Was the Work of a Nation-State
Firefox Project Fission: Site Isolation
Software Pirates Exploiting Apple Enterprise Developer Certificates to Spread Illegitimate Apps
INTERNET STORM CENTER TECH CORNER
**************** Sponsored By Amazon Web Services, Inc. ******************
AWS Educational Series: Learn the relationship between compliance and risk management and how to automate these functions for cloud workloads in a webcast featuring Matt Bromiley. Register for the webcast here. http://www.sans.org/info/210445
*****************************************************************************
TOP OF THE NEWS
--China and Iran Stepping Up Attacks Against US Institutions
(February 15 & 18, 2019)
Hackers working on behalf of Iran and China have been targeting US companies and government agencies. Experts believe that the uptick in these attacks is related to recent US foreign policy decisions, including the withdrawal from the Iran nuclear agreement and trade disputes with China. Attacks that NSA analysts and experts from FireEye say came from Iran prompted the Department of Homeland Security (DHS) to issue an emergency order in January requiring agencies to implement protections against a DNS hijacking campaign. DHS officials now say that there is no evidence that the hackers hijacked any US federal government domains.
[Editor Comments]
[Henry] The recent reporting on targeted attacks by China, Iran, and other nation-states is important. Geopolitical issues often drive targeting and can raise risks to the organization. Critical intelligence on who is targeting their organizations, how, and why enables CISOs to augment detection and protection.
Read more in:
NYT: Chinese and Iranian Hackers Renew Their Attacks on U.S. Companies
https://www.nytimes.com/2019/02/18/technology/hackers-chinese-iran-usa.html
FCW: DHS official: no evidence federal domains hijacked in global DNS campaign
https://fcw.com/articles/2019/02/15/dns-hijack-dhs-response.aspx
KrebsOnSecurity: A Deep Dive on the Recent Widespread DNS Hijacking Attacks
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
--Israel's Hacking Hotline
(February 18, 2019)
Israel has established a hotline that individuals and businesses can call to receive help with suspected hacking and other cyber threats. The center is staffed by people who have served in Israeli military computing units. It was launched several weeks ago and currently receives about 100 calls a day.
Read more in:
Reuters: Israeli cyber-hotline offers help for the hacked
YNET: Israeli cyber-hotline offers help for the hacked
https://www.ynetnews.com/articles/0,7340,L-5465513,00.html
--FINRA Warns Brokerages of Phishing Scheme
(February 15, 2019)
The US Financial Industry Regulatory Authority (FINRA) has notified brokerage firms of a phishing scheme that has been targeting brokerage companies. The deceptive email messages appear to come from an actual credit union and falsely warn that one of the brokerage's customers is suspected of being involved in a money laundering scheme. The email arrives with an attachment that likely contains malware designed to obtain unauthorized access to the recipient's computer network.
Read more in:
Bleeping Computer: Brokerage Firms Warned by FINRA Regulator of New Phishing Attack
FINRA: FINRA Warns of Fraudulent Phishing Emails Targeting Member Firms
http://www.finra.org/industry/information-notice-021319
**************************** SPONSORED LINKS ******************************
1) Key considerations when choosing a Security Operations Center (SOC) model. Read the report now. http://www.sans.org/info/210525
2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210530
3) What does it take to establish a successful security operations program? Tell us your experience. Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card! http://www.sans.org/info/210535
*****************************************************************************
REST OF THE WEEK'S NEWS
--NATO Researchers Catfish Soldiers on Facebook
(February 18, 2019)
A NATO research group, the Strategic Communications Center of Excellence (StratCom), conducted a catfishing operation to see how much information they could tease out of US military personnel. The researchers set up phony Facebook pages and invited military personnel to join closed Facebook groups. The results "suggest that in the current digital arena an adversary would be able to collect enough personal data on soldiers to create targeted messages with precision, successfully influencing their chosen target audience to carry out desired behaviours."
[Editor Comments]
[Neely] In addition to social engineering, this study looked at fraudulent page, profile and group detection and removal by Facebook. The bottom line: you cannot solely rely on social media fraud detection mechanisms; training must be augmented so users understand how participation translates into genuine OPSEC (operational security) issues.
Read more in:
Wired: NATO Group Catfished Soldiers to Prove a Point About Privacy
https://www.wired.com/story/nato-stratcom-catfished-soldiers-social-media/
StratComCOE: Responding to Cognitive Security Challenges
https://www.stratcomcoe.org/responding-cognitive-security-challenges
--Google Earth Update Exposes Taiwan Military Bases
(February 18, 2019)
An update to Google Earth's 3-D Maps inadvertently exposed the locations of Taiwanese military bases. The images are not blurred, allowing anyone to view the detailed layout of each base. The problem also reportedly exposed Taiwan's National Security Bureau and Military Intelligence Bureau.
[Editor Comments]
[Neely] Google used to blur out Department of Energy and Defense national laboratories as well. Now you can even find building/facility numbers as well as the street names within a facility. Organizations need to focus on controlling the information released regarding the actions and personnel at those facilities to maintain their needed operational obscurity.
Read more in:
ZDNet: Google Earth accidentally reveals secret military sites
https://www.zdnet.com/article/google-maps-update-accidentally-reveals-secret-military-sites/
SCMP: Taiwan's darkest military secrets revealed by Google Maps
--GAO to Congress: It's Time for Data Privacy Legislation
(February 15 & 16, 2019)
A report from the US Government Accountability Office (GAO) recommends that Congress develop data privacy protection legislation much like the European Union's General Data Protection Regulation (GDPR). Among the incidents referenced in the report is the Cambridge Analytica scandal, in which Facebook disclosed that "a Cambridge University researcher may have improperly shared the data of up to 87 million of [its] users with a political consulting firm." The report is the result of a request from the House Energy and Commerce Committee two years ago.
[Editor Comments]
[Pescatore] We actually don't need Congress to *develop* privacy legislation; they have developed many drafts of privacy legislation in the past. We need Congress to *pass* privacy legislation. The traditional problem in the US is that federal policy drafts that represent needed increases in protection for consumer data either die because they are opposed by business interests, or they get so watered down that they die because they are then opposed by privacy interests. Hard to be optimistic that this will change anytime soon at the federal level; I think all progress in the US will come from state level laws.
[Murray] In 1974 Congress passed the U.S. Privacy Act, the first and last Federal legislation on the subject. The seven-year process from the book to the act was an object lesson in how difficult it is to draft technology-agnostic legislation to implement an abstract value. The Act was well intended, a compromise, was limited to the Federal Government, and had far less impact on privacy than the Freedom of Information Act. In a process lobbied by a huge industry that deals in personal information, the task may be even more difficult and time consuming. Then as now, the Europeans, having lived under totalitarian regimes of the left and right, led the way.
Read more in:
CNET: US needs an internet data privacy law, GAO tells Congress
https://www.cnet.com/news/us-needs-an-internet-data-privacy-law-gao-tells-congress/
ZDNet: GAO gives Congress go-ahead for a GDPR-like privacy legislation
https://www.zdnet.com/article/gao-gives-congress-go-ahead-for-a-gdpr-like-privacy-legislation/
GAO: INTERNET PRIVACY: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (PDF)
https://www.gao.gov/assets/700/696437.pdf
--Chrome Will Alter FileSystem API to Prevent Sites From Blocking Incognito Browsing
(February 15, 2019)
Google is planning to change the FileSystem API in Chrome so that websites cannot check whether users are browsing in a regular session or in Incognito Mode. Some websites deny users access to content if they are browsing in Incognito Mode. The FileSystem API is currently unavailable in Incognito Mode because it leaves behind files that pose a possible privacy risk. A website can attempt to invoke the FileSystem API; if the call fails, the site infers that the user is in Incognito Mode. Google will change the API so that it behaves the same way in both modes, removing the signal websites use to tell whether a user is browsing incognito.
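To make the side channel concrete, here is an added example (not from the original article, and not Chrome's code) that models the probe in JavaScript. It assumes the probe takes the browser's requestFileSystem function as a parameter so it can be exercised outside a browser; beforeFix and afterFix are constructed stand-ins for the two API behaviours the article describes, not Google's actual implementation.

```javascript
// Models the Incognito check described above: a site asks for a temporary
// filesystem and treats failure as "user is in Incognito Mode".
// In a real page the argument would be window.webkitRequestFileSystem
// (assumption: that vendor-prefixed name; the probe is dependency-injected
// here so it runs under Node for illustration).
function probeIncognito(requestFileSystem) {
  return new Promise((resolve) => {
    if (typeof requestFileSystem !== "function") {
      resolve("unknown");            // API absent in this browser
      return;
    }
    // Storage type 0 is TEMPORARY in the prefixed API; 100 bytes is enough.
    requestFileSystem(0, 100,
      () => resolve("regular"),      // request succeeded
      () => resolve("incognito"));   // request failed: the tell
  });
}

// Constructed stand-in for the current behaviour: Incognito refuses the
// filesystem, so the probe observes failure and learns the mode.
function beforeFix(incognito) {
  return (type, size, onSuccess, onError) =>
    incognito ? onError(new Error("FileSystem unavailable in Incognito"))
              : onSuccess({ type, size });
}

// Constructed stand-in for the planned behaviour: both modes answer the
// same way, so the probe has no signal (the exact mechanism Google chose
// is not described in the article; this is an assumption).
function afterFix(incognito) {
  return (type, size, onSuccess) => onSuccess({ type, size });
}

// Runs the probe under all four conditions and returns the verdicts.
async function compareBehaviours() {
  return {
    before: { regular: await probeIncognito(beforeFix(false)),
              incognito: await probeIncognito(beforeFix(true)) },
    after:  { regular: await probeIncognito(afterFix(false)),
              incognito: await probeIncognito(afterFix(true)) },
  };
}

compareBehaviours().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The same pattern applies to any API whose availability differs between the two modes: as long as the failure is observable, it is a fingerprinting signal.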
Read more in:
Engadget: Chrome will make it harder to block incognito browsing
https://www.engadget.com/2019/02/18/google-chrome-incognito-mode-blocking/
Bleeping Computer: Google Fixing Chrome API to Prevent Incognito Mode Detection
--Equifax Data's Absence From Dark Web Suggests the Breach Was the Work of a Nation-State
(February 13 & 15, 2019)
The Equifax breach, in which personal information belonging to nearly 150 million people was compromised, occurred more than a year and a half ago, but the stolen data have not turned up on the Dark Web. This suggests that the attack was conducted by a nation-state rather than by criminals looking to make money.
Read more in:
Threatpost: Where's the Equifax Data? Does It Matter?
https://threatpost.com/equifax-data-nation-state/141929/
CNBC: The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme
https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html
--Firefox Project Fission: Site Isolation
(February 4, 6, & 14, 2019)
Mozilla is planning to introduce a site isolation feature to Firefox. Project Fission, as the effort is known, will allow Firefox to create a separate process for each website being accessed. If a site includes an iframe from another origin, that iframe will get its own process as well. Users can follow the progress of Project Fission on the project tech lead's GitHub site (see below).
[Editor Comments]
[Murray] This effort may resist cross-site scripting attacks but will not address Internet attacks on the environment that the browser runs in. The browser will remain the Achilles' heel of the desktop and the desktop of the enterprise.
Read more in:
Computerworld: Mozilla to harden Firefox defenses with site isolation, a la Chrome
ZDNet: Firefox to get a 'site isolation' feature, similar to Chrome
https://www.zdnet.com/article/firefox-to-get-a-site-isolation-feature-similar-to-chrome/
Mystor: Fission Engineering Newsletter #1
https://mystor.github.io/fission-news-1.html
--Software Pirates Exploiting Apple Enterprise Developer Certificates to Spread Illegitimate Apps
(February 13, 2019)
Companies distributing pirated software are taking advantage of enterprise developer certificates, which allow organizations to distribute apps internally without going through the Apple App Store, to spread altered apps. An Apple spokesperson said, "Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely."
[Editor Comments]
[Neely] Those certificates are intended to allow developed applications to be distributed within an enterprise without sending them to the Apple App Store. Upon discovery of misuse, Apple will revoke those certificates, after which any applications signed with those certificates no longer function. Even so, those applications work until that happens. Users need to be sure they only install applications from the official Apple App Store or their official Enterprise App Store.
Read more in:
Reuters: Software pirates use Apple tech to put hacked apps on iPhones
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Finding Property Values in Office Documents
https://isc.sans.edu/forums/diary/Finding+Property+Values+in+Office+Documents/24652/
Snap Patches Available
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
Bro-Sysmon
https://engineering.salesforce.com/test-out-bro-sysmon-a6fad1c8bb88
VMWare Releases Update To Address runc Vulnerability
https://www.vmware.com/security/advisories/VMSA-2019-0001.html
Know What You Are Logging
https://isc.sans.edu/forums/diary/Know+What+You+Are+Logging/24656/
Cryptojacking Apps in Microsoft App Store
https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store
Spectre Software Mitigation Insufficient (PDF)
https://arxiv.org/pdf/1902.05178.pdf
Swedish Healthcare Breach Leaks Phone Call Recordings
https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create