SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #2

January 8, 2019

US National Counterintelligence Helps Companies Protect Systems from Hackers; Cybersecurity Most Sought-After Skills in 2019; Personal Information of German Politicians Leaked on Twitter




****************************************************************************

SANS NewsBites                 Jan. 8, 2019                Vol. 21, Num. 002

****************************************************************************


TOP OF THE NEWS

 

  US National Counterintelligence and Security Center Campaign Aims to Help Organizations Protect Systems from Hackers

  Cybersecurity Likely to be Among Employers' Most Sought-After Skills in 2019

  Personal Information of German Politicians Leaked on Twitter


REST OF THE WEEK'S NEWS

  Attack Doubles Up on Malware

  Australian Emergency Warning Network Data Breach

  The Case for In-House Defense Department Pen Testing

  Microsoft Pulls Problematic Office 2010 Update

  Passport Numbers Compromised in Marriott Breach Were Not Encrypted

  Pentagon Asks Advisory Board for List of Ethical Principles for Using AI in Warfare

  North Dakota Considering Statewide Cybersecurity Oversight


INTERNET STORM CENTER TECH CORNER


****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019


-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive Training. Offer Ends January 9.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



***************************  Sponsored By InfoBlox  ************************************


Join Infoblox and the SANS institute for a timely discussion on how to bridge the islands of security that expose your network to ongoing risk.  Register:  http://www.sans.org/info/209545


*****************************************************************************

TOP OF THE NEWS

 

--US National Counterintelligence and Security Center Campaign Aims to Help Organizations Protect Systems from Hackers

(January 7, 2019)

A National Counterintelligence and Security Center (NCSC) campaign is designed to help companies protect their assets from foreign state-backed cyberattacks. NCSC is offering materials, including videos, brochures, and posters, to help organizations guard against supply chain threats, phishing threats, and economic/intellectual espionage. The materials provided include. NCSC operates under the aegis of the Office of the Director of National Intelligence (ODNI).


[Editor Comments]


[Neely] This is an opportunity for businesses to get a high quality feed on threats and mitigations. That data should help make the threats relevant to businesses who wouldn't otherwise be able to incorporate this data into their security protections.

 

[Henry] Educating business leaders and employees is critical, and I'm glad to see ODNI offering this information to highlight adversary motives and the impact these attacks can have on the economy. The security guidance offered, though, is somewhat rudimentary ("never click on suspicious links") and I'd like to see the government move to a proactive intelligence collection and real-time sharing of IOCs and TTPs with the private sector.


Read more in:

The Hill: National security center launches program to help US firms guard against foreign hackers

https://thehill.com/policy/cybersecurity/424166-national-security-center-launches-program-to-help-us-firms-guard-against

Bleeping Computer: NCSC Starts Campaign to Help Industry Fight Foreign State Threats

https://www.bleepingcomputer.com/news/security/ncsc-starts-campaign-to-help-industry-fight-foreign-state-threats/

DNI: National Counterintelligence and Security Center Launches Campaign to Help Private Industry Guard Against Threats from Nation State Actors

https://www.dni.gov/index.php/ncsc-newsroom/item/1938-national-counterintelligence-and-security-center-launches-campaign-to-help-private-industry-guard-against-threats-from-nation-state-actors

DNI: NCSC Awareness Materials

https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-know-the-risk-raise-your-shield/ncsc-awareness-materials



--Cybersecurity Likely to be Among Employers' Most Sought-After Skills in 2019

(January 7, 2019)

Two surveys paint a promising picture of hiring prospects for cybersecurity professionals in 2019. The Hays 2019 US Salary Guide finds that nearly 70 percent of IT employers plan to increase full-time IT hiring in 2019 and that more than half will increase hiring of consultants, particularly those with cloud computing and cybersecurity skills. Foote Partners predicts strong job growth in AI and cybersecurity.


[Editor Comments]


[Northcutt] Foote Partners has certainly been tracking our industry and the balance of HR between skills and the certifications that demonstrate those skills for at least 20 years.


Read more in:

ZDNet: Tech skills in most demand this year: data, cloud and cybersecurity

https://www.zdnet.com/article/tech-skills-in-the-most-demand-this-year-data-cloud-and-cybersecurity/

 
 

--Personal Information of German Politicians Leaked on Twitter

(January 4 & 6, 2019)

Hackers leaked personal data belonging to German politicians, journalists, and other public figures through a stolen Twitter account. The stolen data include phone numbers, addresses, chat logs, payment card information, and voicemails. German authorities investigating the incident have reportedly searched the apartment of an IT worker who is being treated as a witness.


[Editor Comments]


[Ullrich] While many initial reports suggested a nation state/sophisticated attacker, a 20-year-old student living with his parents was arrested earlier today. He confessed and is assumed to have acted alone out of frustration with some politicians' statements. I think this is a good lesson against early attribution of attacks and also shows that it isn't really that hard to access *some* sensitive data. He did not breach any major secure networks but mostly focused on cloud based email and social media accounts of people interacting with significant political figures in Germany. One individual who identified himself as a key witness in the case and knew the attacker, noted via Twitter that the main exploit used by the attacker in the past was a password reset vulnerability in GMX, a large German webmail provider. The attacker typically used the access to the webmail account to later reset various other passwords. https://twitter.com/Janomine/status/1082357281751212032


Read more in:

Wired: A Major Hacking Spree Gets Personal for German Politicians

https://www.wired.com/story/germany-hacking-politicians-personal-information/

Reuters: German police search flat of 19-year-old man after data breach: rbb

https://www.reuters.com/article/us-germany-politics-cyber-police/german-police-search-flat-of-19-year-old-man-after-data-breach-rbb-idUSKCN1P10EQ


*****************************************************************************


1) 12 cloud security and compliance exercises that are critical for keeping your organizations data and systems secure in Amazon Web Services (AWS). Learn More:  http://www.sans.org/info/209560


2) SANS Instructor, Matt Bromiley talks on "Enterprise Security with a Fluid Perimeter" Sponsored by Aruba. Register: http://www.sans.org/info/209565


3) The 14th Annual ICS Security Summit in Orlando, FL - Mar 18-19. http://www.sans.org/info/209570


*****************************************************************************


REST OF THE WEEK'S NEWS

 

--Attack Doubles Up on Malware

(January 7, 2019)

An attack that combines two known pieces of malware has been detected in the wild. The attack uses the Vidar data harvesting malware followed by GandCrab ransomware. Vidar has the ability to steal a wide variety of data, including passwords, documents, screenshots, stored 2FA information, and cryptocurrency wallets. Once Vidar has sent the information to a command-and-control server, GandCrab encrypts the infected system and displays a ransom demand.


Read more in:

The Register: She will lock you out, livin' la Vidar loca: Enterprising crims breed ransomware, file thief into hybrid nasty

https://www.theregister.co.uk/2019/01/07/vidar_infection/

ZDNet: Double trouble: Two-pronged cyber attack infects victims with data-stealing trojan malware and ransomware

https://www.zdnet.com/article/double-trouble-two-pronged-cyber-attack-infects-victims-with-data-stealing-trojan-malware-and-ransomware/

Bleeping Computer: GandCrab Operators Use Vidar Infostealer as a Forerunner

https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/

SC Magazine: Cybercriminals double up using Vidar and GandCrab in single attacks

https://www.scmagazine.com/home/security-news/ransomware/cybercriminals-double-up-using-vidar-and-gandcrab-in-single-attacks/

 
 

--Australian Emergency Warning Network Data Breach

(January 7 & 8, 2019)

The Queensland (Australia) Emergency Warning Network (EWN) has acknowledged that its system was breached by an unauthorized user who used stolen access credentials to send a message to subscribers. The message, which was sent via email, text, and landline, said: "EWN has been hacked. Your personal data is not safe. Trying to fix the security issues." When EWN became aware of the situation, they shut down the system.


[Editor Comments]


[Neely] While it's easy to ask why multi-factor authentication was not in place, a challenge with emergency alert systems is determining the appropriate level of authentication assurance to not only prevent unauthorized messages but also support operations during an actual emergency, where services needed to support strong authentication may be offline, or known network or location points for users are unavailable, meaning the system will need to in-source any strong authentication solution.


Read more in:

News: Emergency warning system compromised as hackers send text and email messages to thousands

https://www.news.com.au/technology/online/hacking/emergency-warning-system-compromised-as-hackers-send-text-and-email-messages-to-thousands/news-story/ebc22b8080dd2af7d4102803b61f0097

ZDNet: Emergency Warning Network confirms breach

https://www.zdnet.com/article/emergency-warning-network-confirms-breach/

Bleeping Computer: Hacker Uses Australian Early Warning Network to Send Spam Alerts

https://www.bleepingcomputer.com/news/security/hacker-uses-australian-early-warning-network-to-send-spam-alerts/
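The editor comment above asks for strong authentication that the alerting system can "in-source" so it keeps working when outside services are unreachable. The block below is an added example, not code from EWN or from the articles linked here; it shows one way to do that, a time-based one-time-password (RFC 6238 TOTP) verifier that needs only a locally held per-operator seed and the system clock, with a replay guard so a code that has been used once cannot be reused within its time window. Operator names, the seed, the `OfflineTotpVerifier` class and the `authorize_broadcast` function are all assumptions of this example; the seed is the RFC 4226/6238 test-vector secret so the expected codes can be checked against the standard.

```python
import hashlib
import hmac
import struct
import time

# Added example, not EWN's code. A TOTP verifier that runs entirely on the
# alerting system: the per-operator seed and the clock are local, so no
# internet-facing identity service is needed at message-origination time.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


class OfflineTotpVerifier:
    """Hypothetical in-sourced second factor for the message-send console."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._seeds = {}        # operator -> seed bytes (kept on this system)
        self._last_step = {}    # operator -> highest time step already consumed

    def enroll(self, operator: str, seed: bytes) -> None:
        self._seeds[operator] = seed

    def verify(self, operator: str, code: str, at_time=None) -> bool:
        seed = self._seeds.get(operator)
        if seed is None:
            return False
        now = int(time.time() if at_time is None else at_time)
        base = now // self.step
        # Accept +/- `window` steps of clock drift, but never a step that has
        # already been consumed: an intercepted code cannot be replayed.
        for drift in range(-self.window, self.window + 1):
            step = base + drift
            if step <= self._last_step.get(operator, -1):
                continue
            if hmac.compare_digest(hotp(seed, step, self.digits), code):
                self._last_step[operator] = step
                return True
        return False


def authorize_broadcast(verifier: OfflineTotpVerifier, operator: str,
                        code: str, message: str, at_time=None) -> dict:
    """Gate the send action on a valid second factor; returns the decision record."""
    ok = verifier.verify(operator, code, at_time)
    return {"operator": operator, "authorized": ok,
            "message": message if ok else None}


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test-vector secret.
    v = OfflineTotpVerifier()
    v.enroll("duty-officer", b"12345678901234567890")
    print(totp(b"12345678901234567890", 59))            # 287082 per RFC 6238
    print(authorize_broadcast(v, "duty-officer", "287082", "Flood warning", 59))
    print(authorize_broadcast(v, "duty-officer", "287082", "Flood warning", 59))  # replay rejected
```

The replay guard is the part worth copying: a plain TOTP check with a drift window accepts the same code for up to three steps, which is exactly the gap an attacker holding a stolen password plus one observed code would use.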

 
 

--The Case for In-House Defense Department Pen Testing

(January 7, 2019)

This opinion piece argues for the US Department of Defense (DOD) to conduct in-house penetration testing on its systems. Citing an October 2018 Government Accountability Office (GAO) report that examined cybersecurity issues related to DOD weapons systems, the author writes that there's "no substitute for a formal, comprehensive and ongoing software assessment process that occurs before a system goes live and continues as long as the software is in use."


[Editor Comments]


[Henry] This is a standard security practice. Is the DOD really not internally pentesting/assessing its software prior to being put into production?


[Neely] The value proposition of continuous assessment versus periodic testing needs to be examined. When it is baked into system and software lifecycle, execution requires in-place resources and services rather than waiting for the results of a bug-bounty or completion of an assessment contract, potentially reducing exploitation opportunities. This also means the concept of continuous remediation needs to be embraced.


Read more in:

GCN: National security depends on in-house penetration testing

https://gcn.com/articles/2019/01/07/penetration-testing.aspx

 
 

--Microsoft Pulls Problematic Office 2010 Update

(January 7, 2019)

Microsoft has pulled a non-security update for Office 2010 because of reports that users who had installed it were unable to start Excel. The update was released on January 2, 2019, along with updates for Office 2013 and 2016. The majority of the reports are coming from Japan; the update includes changes to accommodate a new Japanese calendar era that will begin later this spring.


Read more in:

ZDNet: Microsoft pulls buggy Office 2010 January updates

https://www.zdnet.com/article/microsoft-pulls-buggy-office-2010-january-updates/

Bleeping Computer: Microsoft Pulls Office 2010 January 2019 Updates After Excel Blunder

https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-office-2010-january-2019-updates-after-excel-blunder/

Microsoft: January 2, 2019, update for Excel 2010 (KB4461627)

https://support.microsoft.com/en-us/help/4461627/january-2-2019-update-for-excel-2010-kb4461627

 
 

--Passport Numbers Compromised in Marriott Breach Were Not Encrypted

(January 4, 2019)

Marriott has revised the numbers associated with the data breach it disclosed in late November 2018. Marriott now says that some of the compromised records were duplicates and puts the number of affected records at 383 million, down from 500 million. While the total number of compromised records is lower than initial reports suggested, Marriott did say that the five million or so passport numbers that were compromised were not encrypted.


[Editor Comments]


[Ullrich] Encryption at rest is hard. If this passport data has to be shared with authorities in some countries, or verified at check-in, then it will be difficult to come up with a meaningful encryption scheme. Tokenization may have been an option to limit the exposure of the data and may have helped to implement an encrypted data store for the data.


[Pescatore] Credit reporting firm Experian reports that breached passport numbers fetch between $1,000 and $2,000 on cybercriminal online exchanges, the highest price of all identity data, more than complete medical records. In quantity, that would go down but 5 million stolen passport numbers are high value; Marriott should not have needed a complex risk analysis to decide either not to store those numbers online or to encrypt them if they did.


Read more in:

SC Magazine: 5M passports accessed in Marriott breach were unencrypted

https://www.scmagazine.com/home/security-news/5m-passports-accessed-in-marriott-breach-were-unecrypted/

NYT: Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

https://www.nytimes.com/2019/01/04/us/politics/marriott-hack-passports.html
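The Ullrich comment above notes that encryption at rest is hard when passport numbers must still be verified at check-in or shared with authorities, and suggests tokenization as a way to limit exposure and to make an encrypted store workable. The block below is an added example, not Marriott's code or anything from the linked articles; it sketches that design: the reservation record holds only an opaque token, a vault keeps the passport number encrypted, check-in verification compares a keyed fingerprint without decrypting anything, and the one path that does decrypt is audited. The `PassportVault` class, the `make_reservation` helper, the passport number and the guest name are constructed for the example. The vault's cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) chosen so the block runs without extra packages; a real deployment would use a vetted AEAD such as AES-GCM and an HSM-held key.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not Marriott's design. Tokenization vault for passport numbers:
# applications see tokens, the vault sees ciphertext, and only an audited
# privileged call ever returns plaintext.


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so one master key never serves two roles."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stdlib stand-in for a stream cipher: HMAC-SHA256 in counter mode."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


class PassportVault:
    def __init__(self, master_key: bytes = None):
        master = master_key or os.urandom(32)
        self._enc_key = _derive(master, b"encrypt")
        self._mac_key = _derive(master, b"authenticate")
        self._idx_key = _derive(master, b"index")
        self._store = {}        # token -> nonce || ciphertext || tag
        self._index = {}        # keyed fingerprint of passport -> token
        self.audit_log = []     # (actor, purpose, token) for every detokenization

    def _fingerprint(self, passport: str) -> bytes:
        # Keyed, so the index cannot be brute-forced without the index key.
        return hmac.new(self._idx_key, passport.encode(), hashlib.sha256).digest()

    def _encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = _keystream(self._enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault record failed integrity check")
        ks = _keystream(self._enc_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def tokenize(self, passport: str) -> str:
        """Return the existing token for this passport, or mint a random one."""
        fp = self._fingerprint(passport)
        if fp in self._index:
            return self._index[fp]
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = self._encrypt(passport.encode())
        self._index[fp] = token
        return token

    def verify(self, token: str, presented: str) -> bool:
        """Check-in: confirm the presented document matches the token without decrypting."""
        return self._index.get(self._fingerprint(presented)) == token

    def detokenize(self, token: str, purpose: str, actor: str) -> str:
        """Privileged path (e.g. a lawful request from authorities); always audited."""
        self.audit_log.append((actor, purpose, token))
        return self._decrypt(self._store[token]).decode()


def make_reservation(vault: PassportVault, guest: str, passport: str) -> dict:
    """Application-side record: carries the token, never the passport number."""
    return {"guest": guest, "passport_token": vault.tokenize(passport)}


if __name__ == "__main__":
    vault = PassportVault()
    booking = make_reservation(vault, "A. Guest", "C01X00T47")   # constructed values
    print(booking)                                               # token only
    print(vault.verify(booking["passport_token"], "C01X00T47"))  # True, no decrypt
    print(vault.detokenize(booking["passport_token"], "border authority request", "compliance"))
    print(vault.audit_log)
```

The point of the split is blast radius: a dump of the reservation database yields tokens that are useless without the vault, and the vault's own records are ciphertext whose key is held elsewhere. Check-in never needs the plaintext, so the decrypt path can be rare, privileged and fully logged.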

 
 

--Pentagon Asks Advisory Board for List of Ethical Principles for Using AI in Warfare

(January 4, 2019)

Pentagon officials have given the Defense Innovation Board (DIB) the task of developing a list of ethical principles for the use of artificial intelligence (AI) in warfare. Current doctrine relies on a six-year-old document that requires a human to have the power to veto any decision made by an autonomous weapons system. DOD is seeking a framework for a broader policy to apply to predictive analytics and other areas in which AI may be used. The DIB plans to make its list public in June.


Read more in:

Defense One: Pentagon Seeks a List of Ethical Principles for Using AI in War

https://www.defenseone.com/technology/2019/01/pentagon-seeks-list-ethical-principles-using-ai-war/153940/

ESD: Department of Defense Directive: Autonomy in Weapon Systems (November 2012; revised May 2017)

https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/300009p.pdf

 
 

--North Dakota Considering Statewide Cybersecurity Oversight

(December 31, 2018 & January 4, 2019)

State legislators in North Dakota have heard testimony on a bill that would give the state's Information Technology Department (ITD) authority to advise, oversee and regulate cybersecurity strategy for state agencies and public institutions, including school districts, public colleges and universities, and cities and counties. A North Dakota ITD executive said that more than 400 entities that connect to the state's network are currently responsible for their own cybersecurity.


[Editor Comments]


[Pescatore] Cybersecurity governance does *not* have to be centralized to be done successfully, but almost invariably it *does* have to mirror the IT governance style of the organization; mismatches in the two are good predictors of vulnerability. Since North Dakota is moving to centralized IT, it is also an opportunity to bake security into software development, procurement, and SOC/NOC process integration.


[Neely] Beyond creating a common strategy, the state has an opportunity to provide enterprise (volume) licensing for those agencies and public institutions for common tools they may not otherwise be able to afford on their own. This has worked well in DOE and is the model behind the DHS CDM DEFEND offering.


Read more in:

Grand Forks Herald: Bill looks to standardize North Dakota cybersecurity for public entities

https://grandforksherald.com/business/technology/4552500-bill-looks-standardize-north-dakota-cybersecurity-public-entities

Statescoop: On cybersecurity, North Dakota wants to 'change the conversation completely'

https://statescoop.com/on-cybersecurity-north-dakota-wants-to-change-the-conversation-completely/

 

INTERNET STORM CENTER TECH CORNER


Malware in TAR Files

https://isc.sans.edu/forums/diary/Malicious+tar+Attachments/24496/


ReiKey MacOS Keystroke Logger Detector

https://objective-see.com/products/reikey.html


Phishing Tool Kit Uses Simple Substitution Fonts

https://www.proofpoint.com/us/threat-insight/post/phishing-template-uses-fake-fonts-decode-content-and-evade-detection

       

Malware of the Day: Encrypted Word Document

https://isc.sans.edu/forums/diary/Analyzing+Encrypted+Malicious+Office+Documents/24498/


Apple iOS Apps Reaching Out to Malware Server

https://www.wandera.com/risky-apps/


NCSC Offers Assistance Against Attacks from Foreign Governments

https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-know-the-risk-raise-your-shield/ncsc-awareness-materials


Hardware Agnostic Side Channel Attacks

https://arxiv.org/abs/1901.01161



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create