SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #19
March 8, 2019Cyber Immersion Academy Graduates Present at RSA; Senate Equifax Investigation Report; RSA Panel: The Five Most Dangerous New Attack Techniques and How to Counter Them; GAO Chief Presents High Risk List to Legislators
New cyber stars to celebrate. At RSA this week, Carlota Binder demonstrated common misconfiguration of U-Boot and strategies to harden embedded devices, Xena Olsen spoke on the dangers of embedded devices as well as tactical threat intelligence, and Chris Elgee ran the sold-out NetWars tournaments. They are exemplary graduates of the SANS Cyber Immersion Academies. Beginning in the fall, a similar program will be available for any U.S. college student who wants to ensure they are employment-ready. You can qualify by excelling in Cyber Fast Track that 26 governors announced this week. Register your interest at www.cyber-fasttrack.org by April 5. Here are the graduates presentations:
https://www.rsaconference.com/speakers/carlota-bindner
https://www.rsaconference.com/speakers/xena-olsen
https://www.rsaconference.com/speakers/chris-elgee
And here is a WSC blog post: womenscyberjutsu.org/blogpost/1231015/319632/SANS-Women-Academy-Graduates-are-First-Time-Speakers-at-RSAC-2019
SANS Women Academy Graduates are First Time Speakers at RSAC 2019
****************************************************************************
SANS NewsBites March 8, 2019 Vol. 21, Num. 019
****************************************************************************
TOP OF THE NEWS
Senate Panel Equifax Investigation Findings Released
RSA Keynote Panel: The Five Most Dangerous New Attack Techniques and How to Counter Them
GAO Chief Enumerates High Risk List Issues for Legislators
REST OF THE WEEKS NEWS
Philadelphia Says No to Cashless Stores
Chrome Zero-Day Was Being Exploited in Conjunction with Unpatched Windows 7 Flaw
House Net Neutrality Bill Would Nullify FCCs Rule Repeal
Public Interest Technology Track at RSA
NSAs Ghidra Decompiler is Now Open-Source
Report: States Need Additional Funds to Update Voting Machines
Survey: EMEA Student Awareness of Opportunities in Cybersecurity
INTERNET STORM CENTER TECH CORNER
******************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019
-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By VMRay ************************************
Join SANS Analyst Jake Williams, VMRay Senior Threat Researcher Tamas Boczan and Product Manager Rohan Viegas as they take a deeper look at pervasive evasion techniques malware authors use to circumvent detection. Register: http://www.sans.org/info/211045
*****************************************************************************
TOP OF THE NEWS
--Senate Panel Equifax Investigation Findings Released
(March 8, 2019)
A Senate panel investigation into the 2017 Equifax breach found that the company again and again neglected to take adequate precautions to protect the consumer data it held. The panels report makes several recommendations, including that Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.
[Editor Comments]
[Neely] Equifax has lots of company: a recent study found most of the fortune 100 companies had similar problems. The argument for stability or status quo, versus the expense of regression testing, possible downtime, to apply updates and security fixes is not new and has to be baked into the business. Reliance on regulatory requirements alone is insufficient. Until security is immutable in the board room this will continue.
Read more in:
The Register: Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal
https://www.theregister.co.uk/2019/03/08/security_equifax_senate/
Carper.senate: How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach: Staff Report
--RSA Panel: The Five Most Dangerous New Attack Techniques and How to Counter Them
(March 7, 2019)
At the Five Most Dangerous New Attack Techniques and How to Counter Them panel at the RSA conference in San Francisco on Thursday, March 7, Ed Skoudis, Heather Mahalik, and Johannes Ullrich described attack techniques and remediations and answered questions from audience members.
Read more in:
RSA Conference: The Five Most Dangerous New Attack Techniques and How to Counter Them (video)
--GAO Chief Enumerates High Risk List Issues for Legislators
(March 6, 2019)
Head of the US Government Accountability Office (GAO) Comptroller General Gene Dodaro spoke to panels at both the House and the Senate regarding the GAOs recently published High Risk List, which examined 35 areas in federal programs/operations that are vulnerable to waste, fraud, abuse, and mismanagement, or that need broad reform. Dodaro told members of the Senate panel that the administrations National Cyber Security Strategy, released last fall, provides no implementation plan, definition of responsibilities, or metrics." Dodaro told the House panel that federal IT systems have the same material weaknesses every year, due in part to legacy IT systems. Dodaro also questioned federal agency heads attention to known cybersecurity issues, saying that the problems lack top-level management attention.
Read more in:
FCW: Cyber strategy short on specifics and metrics, says GAO
https://fcw.com/articles/2019/03/06/gao-high-risk-cyber-rockwell.aspx
MeriTalk: Comptroller Questions Priority Given by Agency Heads to Cybersecurity Issues
GAO: HIGH-RISK SERIES: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas (Highlights)
https://www.gao.gov/products/GAO-19-393T
GAO: HIGH-RISK SERIES: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas (full report)
https://www.gao.gov/assets/700/697259.pdf
*****************************************************************************
Sponsored Links:
1) "Osquery: A Modern Approach to CSIRT Analytics" with Dave Shackleford. Register: http://www.sans.org/info/211050
2) Don't Miss "Alternative Network Visibility Strategies for an Encrypted World" with Matt Bromiley. Register: http://www.sans.org/info/211060
3) What does it take to establish a successful security operations program? Tell us your experience. Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211055
*****************************************************************************
REST OF THE WEEKS NEWS
--Philadelphia Says No to Cashless Stores
(March 7, 2019)
Philadelphias mayor has signed a bill prohibiting cashless stores from operating in the city starting this summer. Opponents to the measure say allowing customers to pay with cash slows transactions and poses a security risks for employees locking up at the end of the business day. Proponents say that cashless stores discriminate against customers who do not have bank accounts and those who simply want to pay with cash. There is a privacy issue, too: by using digital payment methods, consumers are forced to share records of their purchases with third-party companies. The bill is an amendment to Philadelphias Fair Practices Ordinance.
[Editor Comments]
[Pescatore] Seems odd to have government dictating payment methods to businesses, since there are business and customer concerns on both sides of the issue. In a cash transaction there is no recourse for the buyerwith credit cards you can always dispute a transaction. The next regulatory issue will be if stores are allowed to charge more for cash transactions, much the way some gas station sill charge more for credit card transactions.
[Neely] The legislation includes enough exceptions for membership stores, parking garages, security deposits, etc. that businesses who wish to remain cashless can. Having worked retail in my youth, the overhead to process cash, make accurate change and make bank deposits hasnt changed, but the ease and speed of processing credit, debit and electronic payments has widened the gap.
Read more in:
Ars Technica: Sorry Amazon: Philadelphia bans cashless stores
https://arstechnica.com/tech-policy/2019/03/sorry-amazon-philadelphia-bans-cashless-stores/
NYT: Philadelphia Bans Cashless Stores Amid Growing Backlash
https://www.nytimes.com/2019/03/07/business/cashless-stores-philadelphia.html
--Chrome Zero-Day Was Being Exploited in Conjunction with Unpatched Windows 7 Flaw
(March 6 & 7, 2019)
Earlier this week, Google disclosed that the Chrome update released on March 1, 72.0.3626.121, contained a fix for a zero-day vulnerability that was being actively exploited. Several days later, Google further disclosed that the flaw was being exploited in conjunction with an as-yet unpatched vulnerability in Windows 7. Microsoft is working on a fix for the issue. Users running Windows 7 are urged to upgrade to Windows 10 if possible.
[Editor Comments]
[Neely] Because the flaw is being actively exploited, consider an out-of-band update to address this patch. If youre relying on auto-update, make sure running copies of Chrome have been restarted to load the updated executable. While Windows 7 extended support ends January 14, 2020 - other products are already ceasing support for Windows 7. Windows 10 migration projects should be nearing completion.
Read more in:
Chrome: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
Googleblog: Disclosing vulnerabilities to protect users across platforms
https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
ZDNet: Google reveals Chrome zero-day under active attacks
https://www.zdnet.com/article/google-reveals-chrome-zero-day-under-active-attacks/
ZDNet: Google: Chrome zero-day was used together with a Windows 7 zero-day
https://www.zdnet.com/article/google-chrome-zero-day-was-used-together-with-a-windows-7-zero-day/
Bleeping Computer: Google Chrome Update Patches Zero-Day Actively Exploited in the Wild
Ars Technica: A serious Windows zeroday is being actively exploited in the wild
--House Net Neutrality Bill Would Nullify FCCs Rule Repeal
(March 6, 2019)
US legislators in the House of Representatives have introduced a bill that would nullify the Federal Communications Commissions (FCCs) net neutrality rules repeal and would forbid the FCC from repealing the rules in the future. While the bill is likely to have enough support to pass in the House, its chances in the Senate are far less certain.
Read more in:
Ars Technica: Democrats net neutrality bill would fully restore Obama-era FCC rules
energycommerce.house: Save the Internet Act of 2019
--Public Interest Technology Track at RSA
(March 6, 2019)
Bruce Schneier hosted a Cybersecurity and Public Interest Tech track at the RSA conference in San Francisco. In a talk titled The Role of Security Technologists in Public Policy, Schneier speaks to the current disconnect between technology and policy and saying that it is no longer sustainable for them to be in different worlds. Other speakers include Matt Mitchell, a hacker focused on public interest technology. Mitchell founded CryptoHarlem, which offers free public workshops on privacy, anti-surveillance, and digital security.
Read more in:
Dark Reading: Meet the New 'Public-Interest Cybersecurity Technologist'
RSA Conference: How Public-Interest Technologists are Changing the World (video)
https://www.rsaconference.com/videos/how-public-interest-technologists-are-changing-the-world
RSA Conference: The Role of Security Technologists in Public Policy (Bruce Schneiervideo)
https://www.rsaconference.com/videos/the-role-of-security-technologists-in-public-policy
--NSAs Ghidra Decompiler is Now Open-Source
(March 5 & 6, 2019)
The US National Security Agency (NSA) has open-sourced its formerly internal Ghidra reverse engineering platform. NSA senior cybersecurity adviser Rob Joyce presented Ghidra at the RSA conference in San Francisco earlier this week. Joyce said that the decision to share Ghidra was made to help improve cybersecurity tools, to educate new talent, and to build community. Ghidra is currently available through the NSA website, but there are plans to release the source code on GitHub in the future.
Read more in:
Wired: The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source
https://www.wired.com/story/nsa-ghidra-open-source-tool/
The Register: Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'
https://www.theregister.co.uk/2019/03/06/nsa_ghidra_joyce/
ZDNet: NSA releases Ghidra, a free software reverse engineering toolkit
https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/
Bleeping Computer: NSA's Ghidra Reverse Engineering Framework Stirs Up Malware Researchers
--Report: States Need Additional Funds to Update Voting Machines
(March 5, 2019)
A report from the Brennan Center for Justice at NYUs School of Law found that while 31 US states want to replace their voting equipment before the 2020 election, most do not have the money to do it. Congress has given states a total of $380 million through the Help America Vote Act (HAVA), but in most cases it is not enough to cover the costs of replacing the old machines. Older machines require parts that are hard to find and often run on software so old it is no longer supported. The most worrisome situations are in the 12 states that, either statewide or in some municipalities, use electronic voting machines that do not provide an auditable paper trail.
Read more in:
Brennan Center: Voting Machines at Risk: Where We Stand Today
https://www.brennancenter.org/analysis/voting-machines-risk-where-we-stand-today
Wired: States Need Way More Money to Fix Crumbling Voting Machines
https://www.wired.com/story/states-money-fix-crumbling-voting-machines/
GCN: Aging voting machines risk election security
https://gcn.com/articles/2019/03/05/aging-voting-machines-risk.aspx
Fifth Domain: As 2020 nears, pressure grows to replace voting machines
--Survey: EMEA Student Awareness of Opportunities in Cybersecurity
(March 5, 2019)
A SANS study found that just 16 percent of students aged 14-18 in the UK have considered a career in cybersecurity. In Saudi Arabia and the UAE, the figures are 50 percent and 54 percent, respectively. The study polled 4,000 students in the UK, France, Germany, the Netherlands, Belgium, the UAE and Saudi Arabia. They also polled 1,000 parents of students and 200 educational professionals.
[Editor Comments]
[Neely] Visible role models and communication about the benefits are important for any career choice. When someone asks you what you do, remember to talk about the exciting stuff. In Cyber, we have the ability to enable businesses to accomplish amazing things, that nobody else has done, securely.
Read more in:
Beta News: Students aren't aware of cybersecurity career opportunities
https://betanews.com/2019/03/05/students-unaware-cybersecurity-careers/
FE News: 84% of UK students have never considered career in cyber security
InfoSecurity: Over 80% of UK Students Have Never Considered an Infosec Career
https://www.infosecurity-magazine.com/news/80-uk-students-never-considered-1/
SANS: SANS EMEA Survey: the iGen and Cyber Security. Is the next generation aware of Cyber Securitys importance?
https://www.sans.org/media/emea/SANS-iGen-and-cyber-security-report.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
More Resume Malspam. Now With Trickbot and EternalBlue
Comcast Uses same "0000" PIN For All Number Porting Requests
NSA Releases Ghidra Reverse Analysis Tool
Recent Google Chrome Vulnerability Being Exploited
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html?m=1
Android Monthly Security Bulletin
https://source.android.com/security/bulletin/2019-03-01
Cloudflare Deploys Rules to Protect Against Recent Drupal Exploit
Disposable E-Mail Addresses
https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Disposable+Email+Addresses/24716/
Cisco DoS Vulnerability Activity Exploited
https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/
MonitorKit uses macOS Game Engine to Analyze Security Events
https://github.com/objective-see
RSA Panel Video
NetApp Default Account Vulnerability
https://security.netapp.com/advisory/ntap-20190305-0001/
Cisco NS-OS NX-API Privilege Escalation
Slub Backdoor Users GitHub and Slack
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create