SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #21
March 15, 2019
Bill Asks Boards to Disclose Cyber Expertise; Microsoft and Adobe Patch Tuesday; Encouraging Women to Choose Cybersecurity Careers
****************************************************************************
SANS NewsBites March 15, 2019 Vol. 21, Num. 021
****************************************************************************
TOP OF THE NEWS
Bill Would Require Companies to Disclose Board's Cyber Expertise in SEC Filings
Microsoft and Adobe Patch Tuesday
Encouraging Women to Choose a Cybersecurity Career Path
REST OF THE WEEK'S NEWS
Grand Jury Subpoenas Records from Facebook Data Sharing Partners
Services Returning to Normal After Facebook, Instagram, WhatsApp Outage
Cisco Patches Static Default Password Vulnerability
Senators Ask for Statistics on Senate Cyber Incidents
WordPress Flaw Fixed in Security and Maintenance Release 5.1.1
Report Says US Navy Under Cyber Siege
Software Misconfiguration Leaves Digital Certificates a Bit Short
Firefox Send Lets Users Share Large Encrypted Files
Venezuela's Struggle to Restore Electric Power After Massive Outage
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk **************************
7 SIEM Trends to Watch in 2019. Since the inception of SIEM technology over a decade ago, SIEM solutions have become more of an information platform, with enterprise demands for better security driving much of the SIEM market. Download your complimentary copy of "7 SIEM Trends to Watch in 2019," and discover some of the many exciting features on the horizon. http://www.sans.org/info/211102
*****************************************************************************
TOP OF THE NEWS
--Bill Would Require Companies to Disclose Board's Cyber Expertise in SEC Filings
(March 4 & 13, 2019)
US legislators in both the House and the Senate have introduced a bill that would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company's Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board is not necessary given the other cybersecurity steps taken by the company.
[Editor Comments]
[Neely] In February 2018, the SEC introduced guidance that the board must include cyber security expertise and participate in tabletop exercises. Additionally, the SEC has civil law authority to perform cyber-related enforcement actions to protect investors, hold bad actors accountable and deter future wrongdoing. This legislation just adds a disclosure requirement which provides more transparency on the company's cyber posture at the board.
[Williams] It's difficult to measure cybersecurity expertise. By corporate board standards, someone who took a one-day seminar on cybersecurity issues may be considered an "expert." While those on the NewsBites editorial board regularly advise corporate boards on cybersecurity issues, most of those boards would not benefit from our full-time presence. Further, forcing boards to declare that they have an "expert" may decrease the likelihood that they will bring in real experts when the need arises.
Read more in:
The Hill: House Dem introduces bill requiring public firms to disclose cybersecurity expertise in leadership
MeriTalk: Bill to Boost Private Sector Cybersecurity Reintroduced
https://www.meritalk.com/articles/bill-to-boost-private-sector-cybersecurity-reintroduced/
--Microsoft and Adobe Patch Tuesday
(March 12, 2019)
On Tuesday, March 12, Microsoft released security updates to address 64 vulnerabilities in Windows operating systems, Office, Internet Explorer, Edge, and SharePoint. Two of the Windows fixes are for zero-day privilege elevation vulnerabilities; one of these is the flaw that was being exploited in conjunction with a vulnerability in Chrome. Adobe's Patch Tuesday release comprises two updates to address a heap corruption issue that affects Photoshop CC and Digital Editions.
Read more in:
ISC: Microsoft March 2019 Patch Tuesday
https://isc.sans.edu/diary/Microsoft+March+2019+Patch+Tuesday/24742
KrebsOnSecurity: Patch Tuesday, March 2019 Edition
https://krebsonsecurity.com/2019/03/patch-tuesday-march-2019-edition/
ZDNet: Microsoft March Patch Tuesday comes with fixes for two Windows zero-days
The Register: Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows
https://www.theregister.co.uk/2019/03/12/march_patch_tuesday_dhcp/
SC Magazine: March Patch Tuesday: Microsoft addresses 18 critical security issues
Dark Reading: Microsoft Patch Tuesday: 64 Vulnerabilities Patched, 2 Under Attack
SC Magazine: Adobe Patch Tuesday covers Photoshop CC and Digital Editions
Microsoft: Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Adobe: Security updates available for Adobe Photoshop CC | APSB19-15
https://helpx.adobe.com/security/products/photoshop/apsb19-15.html
Adobe: Security Updates Available for Adobe Digital Editions | APSB19-16
https://helpx.adobe.com/security/products/Digital-Editions/apsb19-16.html
--Encouraging Women to Choose a Cybersecurity Career Path
(March 13, 2019)
Women are underrepresented in IT, especially cybersecurity. To encourage more women to choose a cybersecurity career path, educators need to introduce girls to cybersecurity by the time they are in middle school. Girls can also be encouraged to attend summer camps and competitions and to join computer clubs. And women already in the field need to foster future talent by forming a visible connection with young students to encourage future careers; maintaining the connection through college with career fairs and workshops; fostering interest with technical training, boot camps and technology conferences; creating internal and external career opportunities for women; and offering flexible working arrangements to both women and men.
[Editor Comments]
[Pescatore] There was a marked difference at the RSA conference in the number of female speakers, a good thing. I highly recommend the session given by two SANS Difference Maker winners, Mandy Galante, IT Director at Mater Dei High School in NJ, and Michele Guel, Distinguished Engineer at Cisco. You can see the slides at https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13289/PROF-R03-Women-in-Cybersecurity-Finding-Attracting-and-Cultivating-Talent.pdf
Read more in:
IT World Canada: RSA Conference: How to get more women into cyber security
Security Intelligence: Women in Security Speak Out at RSAC 2019, But There's Still a Long Way to Go
**************************** SPONSORED LINKS ******************************
1) Don't Miss "Playing Moneyball in Cybersecurity" sponsored by Unisys.
Register: http://www.sans.org/info/211107
2) The SANS Reading Room features over 2,860 original computer security white papers in 109 different categories. Check it out: http://www.sans.org/info/211112
3) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211117
*****************************************************************************
REST OF THE WEEK'S NEWS
--Grand Jury Subpoenas Records from Facebook Data Sharing Partners
(March 13 & 14, 2019)
A US federal grand jury has subpoenaed records from at least two companies that have data sharing partnerships with Facebook. The New York Times says that Facebook has more than 150 such partnerships. The agreements allowed the companies to view Facebook users' data, sometimes without the users' consent. The companies subpoenaed are prominent makers of smartphones and other devices, according to the NYT. A Facebook spokesperson said that the company is cooperating with investigators.
[Editor Comments]
[Pescatore] The enterprise angle to this story is important. The enterprise supply chain includes the service providers that the enterprise sales and marketing organizations use, including Facebook or SEO type firms that exploit user data Facebook has been selling access to. We've seen this in a big way with the enormous breach in 2018 at Exactis, where 340M users had this personal information exposed, as well as Facebook's own issues. Another area: the bulk email service providers marketing often uses have been the biggest obstacles to getting DMARC turned on for corporate email services. Supply security efforts need to include this.
Read more in:
NYT: Facebook's Data Deals Are Under Criminal Investigation
https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html
SC Magazine: Facebook reportedly under criminal probe for data sharing practices with partners
--Services Returning to Normal After Facebook, Instagram, WhatsApp Outage
(March 13, 2019)
Facebook says that a server configuration change is responsible for outages affecting its eponymous social media site, Instagram, and WhatsApp earlier this week. The global disruption was the most severe Facebook has experienced in more than a decade. Facebook says services are returning to normal.
Read more in:
Washington Post: Facebook, Instagram and WhatsApp suffered a global outage. What happened?
BBC: Facebook suffers the most severe outage in its history
https://www.bbc.com/news/technology-47562281
Wired: When Facebook Goes Down, Don't Blame Hackers
https://www.wired.com/story/facebook-down-dont-blame-hackers/
CNBC: Facebook blames server configuration change for its longest outage ever
https://www.cnbc.com/2019/03/13/facebook-suffers-outage-related-to-core-whatsapp-and-instagram.html
--Cisco Patches Static Default Password Vulnerability
(March 14, 2019)
Cisco has released updates to fix a static default password flaw in the Cisco Common Services Platform Collector (CSPC). The vulnerability could be exploited to log into the system and access data. Cisco notes that the account with the static default password does not have administrator privileges. Patches are available for CSPC 2.7.x (Release 2.7.4.6) and for CSPC 2.8.x (Release 2.8.1.2).
[Editor Comments]
[Murray] This is not so much a flaw as an implementation induced vulnerability. It reflects a management and training failure. It also reflects a warp in development culture where programmers are loath to give up control over their product. This is serious in internal applications, unforgivable in product code.
Read more in:
Cisco: Cisco Common Services Platform Collector Static Credential Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv
Threatpost: Cisco Patches Critical Default Password Bug
https://threatpost.com/cisco-patches-critical-default-password-bug/142814/
--Senators Ask for Statistics on Senate Cyber Incidents
(March 13 & 14, 2019)
US Senators Ron Wyden (D-Oregon) and Tom Cotton (R-Arkansas) have asked the Senate Sergeant at Arms to give senators information about Senate-related data breaches. In a letter, Wyden and Cotton acknowledged that while the details of the breaches may need to remain secret, legislators should be given aggregate data about Senate computer breaches and other data compromises. The letter also asks that Senate leaders and members of the Senate Committees on Rules and Intelligence be notified of new breaches within five days of their detection.
Read more in:
Wyden: Letter to US Senate Sergeant at Arms
The Hill: Wyden, Cotton call for policy alerting senators of cyber breaches
CNET: Senators want to know when they've been hacked
https://www.cnet.com/news/senators-want-to-know-when-congress-has-been-hacked/
ZDNet: US senators want to know how many times they've been hacked
https://www.zdnet.com/article/us-senators-want-to-know-how-many-times-theyve-been-hacked/
Infosecurity Magazine: US Lawmakers Call for Senate Breach Alerts
https://www.infosecurity-magazine.com/news/us-lawmakers-call-for-senate-1/
--WordPress Flaw Fixed in Security and Maintenance Release 5.1.1
(March 13, 2019)
The March 12 WordPress 5.1.1 Security and Maintenance Release includes a fix for a vulnerability that could be exploited to launch cross-site scripting attacks through malicious comments where the comments module is enabled. The issue was introduced in the WordPress 5.1 Betty release, which became available on February 19, 2019.
[Editor Comments]
[Neely, Murray] Ideally, don't allow comments on your site. If you must, moderation, registration and filtering of that content can reduce the introduction of malfeasance. Update even if you don't have comments enabled.
Read more in:
WordPress: WordPress 5.1.1 Security and Maintenance Release
https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
Bleeping Computer: Wordpress 5.1.1 Fixes XSS Vulnerability Leading to Website Takeovers
--Report Says US Navy Under Cyber Siege
(March 13, 2019)
An internal US Navy review obtained by the Wall Street Journal says that the Navy and Navy contractors are under cyber siege by numerous foreign adversaries, including hackers working on behalf of China. The attackers are stealing national security secrets such as plans for a supersonic antiship missile. The report says that the Navy and the Defense Department have only a limited understanding of the actual totality of losses that are occurring because of the complexity of tracking contractor and subcontractor cyber incidents. (Please note that the WSJ story is behind a paywall.)
Read more in:
WSJ: Navy, Industry Partners Are Under Cyber Siege by Chinese Hackers, Review Asserts (paywall)
https://www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-asserts-11552415553
SC Magazine: U.S. Navy taken to task for cybersecurity flaws
Navy Times: Report: Navy is under cyber siege, national secrets leaking from the hull
--Software Misconfiguration Leaves Digital Certificates a Bit Short
(March 12 & 13, 2019)
A misconfiguration of the EJBCA software package has led to the issuance of more than one million browser-trusted digital certificates that fall short of industry requirements. The certificates, which have 63-bit rather than 64-bit serial numbers, will need to be replaced.
Read more in:
The Register: Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround
https://www.theregister.co.uk/2019/03/13/tls_cert_revoke_ejbca_config/
Ars Technica: A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates
ZDNet: Apple, Google, GoDaddy misissued TLS certificates with weak serial numbers
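The item above is about a property a certificate consumer can check for itself. The script below is an added example (not from the newsletter, from EJBCA, or from any of the linked articles): it pulls the serialNumber out of a DER-encoded certificate with a minimal ASN.1 reader, reports how many significant bits the serial has, and flags a fleet of serials from one issuer that never reaches 64 bits. The underlying facts it relies on: DER INTEGERs are signed, so a 64-bit random value whose top bit is set is encoded with a leading 0x00 byte, and a generator that takes 8 random bytes and clears the sign bit can only produce values below 2**63. The sample inputs are constructed, truncated certificate prefixes, not real certificates, and the `buggy_serial`/`fixed_serial` generators are illustrations of the two behaviours, not EJBCA's code.

```python
"""Check X.509 serial numbers for the 63-bit problem (added example, not from the newsletter)."""
import os

# CA/Browser Forum Baseline Requirements: serials must carry at least 64 bits
# of CSPRNG output. Significant-bit count is only an upper bound on entropy.
MIN_ENTROPY_BITS = 64


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(cert_der):
    """Return (serial_int, raw_encoded_bytes) from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... } -- we stop reading at serialNumber.
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "outer SEQUENCE expected"
    tag, pos, _ = _read_tlv(cert_der, pos)
    assert tag == 0x30, "TBSCertificate SEQUENCE expected"
    tag, start, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                        # explicit [0] version present: skip it
        tag, start, end = _read_tlv(cert_der, end)
    assert tag == 0x02, "serialNumber INTEGER expected"
    raw = cert_der[start:end]
    return int.from_bytes(raw, "big", signed=True), raw


def check_serial(serial):
    """Classify one serial: 'invalid' (not positive), 'short' (< 64 significant bits), 'ok'.

    A correct 64-bit generator yields a 63-bit value a quarter of the time, so a
    single 'short' result is a hint, not proof; use fleet_check() for an issuer.
    """
    if serial <= 0:
        return "invalid"
    return "ok" if serial.bit_length() >= MIN_ENTROPY_BITS else "short"


def fleet_check(serials, min_samples=8):
    """Summarise serials from one issuer.

    With a correct 64-bit generator each serial reaches 64 significant bits with
    probability 1/2, so if none of >= min_samples does, the generator is suspect.
    """
    results = [check_serial(s) for s in serials]
    reached_64 = sum(1 for s in serials if s.bit_length() >= MIN_ENTROPY_BITS)
    return {
        "count": len(serials),
        "ok": results.count("ok"),
        "short": results.count("short"),
        "invalid": results.count("invalid"),
        "suspect_63_bit_generator": len(serials) >= min_samples and reached_64 == 0,
    }


def buggy_serial():
    """Illustration of the failure mode: 8 random bytes with the sign bit cleared (63 bits)."""
    return int.from_bytes(os.urandom(8), "big") & ((1 << 63) - 1)


def fixed_serial():
    """Illustration of a compliant generator: 16 random bytes, sign bit cleared (127 bits)."""
    return int.from_bytes(os.urandom(16), "big") & ((1 << 127) - 1)


def _der_int(value):
    """Minimal DER INTEGER for a non-negative int; adds a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(raw)]) + raw


def make_cert_prefix(serial):
    """Constructed test input: the DER fields of a certificate up to serialNumber.

    This is NOT a valid certificate; it is just enough for serial_from_der().
    """
    version = bytes.fromhex("a003020102")  # [0] { INTEGER 2 } -> v3
    tbs_body = version + _der_int(serial)
    tbs = bytes([0x30, len(tbs_body)]) + tbs_body
    return bytes([0x30, len(tbs)]) + tbs


if __name__ == "__main__":
    for s in (0xF0E1D2C3B4A59687, 0x70E1D2C3B4A59687):   # constructed serials
        value, raw = serial_from_der(make_cert_prefix(s))
        print(f"{raw.hex()}: {value.bit_length()} bits -> {check_serial(value)}")
    print(fleet_check([buggy_serial() for _ in range(32)]))
    print(fleet_check([fixed_serial() for _ in range(32)]))
```

To run this against real certificates, feed `serial_from_der()` the DER bytes of each certificate from one issuer; the encoded serial of an affected certificate is always exactly 8 bytes with the first byte below 0x80, whereas a compliant issuer produces 9-byte (leading 0x00) encodings about half the time.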
--Firefox Send Lets Users Share Large Encrypted Files
(March 12 & 13, 2019)
Mozilla has launched Firefox Send, a free, end-to-end encrypted filesharing service. Users can upload files to Mozilla servers and share a link to the encrypted file with friends and co-workers. Firefox Send allows users to place limits on how long the file will be available and on how many times it is downloaded. Firefox Send allows uploads up to 1G; users can upload files as large as 2.5G if they sign in with a Firefox account.
[Editor Comments]
[Pescatore] I played with this while it was in beta. It certainly is easy to use compared to most PC-based encryption tools. But, there are lots of downsides, beyond the one that will get the most press attention: Firefox saying it is relying on its Terms of Service prohibition against illegal content being stored vs. any active controls. To me, the two biggest issues: (1) absolutely no requirement for any form of authentication, making it a nice feature for phishers and other attackers for getting targets to download malware; and (2) files are still unencrypted at the most dangerous place: the user's endpoints. There are easier ways to rely on device encryption at the cloud service provider side, and the use of TLS for most browser to server communications means encrypting the file only while in transport adds minimal security.
Read more in:
Mozilla: Introducing Firefox Send, Providing Free File Transfers while Keeping your Personal Information Private
Wired: Firefox Send is an Easy Way to Share Large Files Securely
https://www.wired.com/story/firefox-send-encrypted-large-files/
ZDNet: Mozilla launches Firefox Send, a free, encrypted file-sharing service
https://www.zdnet.com/article/mozilla-launches-firefox-send-a-free-encrypted-file-sharing-service/
Ars Technica: Firefox Send lets you send files up to 2.5GB with time and download limits
The Register: This is the Send, encrypted end-to-end, this is the Send, my Mozillan friend
https://www.theregister.co.uk/2019/03/13/mozilla_send_/
--Venezuela's Struggle to Restore Electric Power After Massive Outage
(March 12 & 13 & 14, 2019)
Power outages across Venezuela began more than a week ago, and while power has been restored to much of the country, some areas still have no power and it could be months or even years before service is anywhere near normal. The Central University of Venezuela's faculty of engineering has confirmed that the massive outage was caused by a fire near a substation. There are two possibilities as to why the fire's effect was so devastating. The first is that the fire destroyed part of the transmission network, which will take up to two months to repair. The second is that the fire caused a turbine failure at a hydroelectric dam that provides 80 percent of the country's power. If this is the case, repair could take several years and would require replacement parts and qualified technicians, resources that have been scarce in Venezuela.
Read more in:
The Guardian: Venezuela: power returns after blackout but normal service may be a long way off
https://www.theguardian.com/world/2019/mar/14/venezuela-blackout-power-returns
Wired: Why It's So Hard to Restart Venezuela's Power Grid
https://www.wired.com/story/venezuela-power-outage-black-start/
The Guardian: Venezuela blackout: what caused it and what happens next?
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+March+2019+Patch+Tuesday/24742/
Adobe Updates
https://helpx.adobe.com/security.html
PSMiner
Intel Patches
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00185.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00191.html
Analyzing ZIP Files in Ghidra
https://isc.sans.edu/forums/diary/Tip+Ghidra+ZIP+Files/24732/
64 Bit Certificate Serial Number Revocation
https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/
Cisco Default Account Problem
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv
Automatic Certificate Management Environment
https://tools.ietf.org/html/rfc8555
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create