SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #26
April 2, 2019GAO: Give Regulators Authority to Impose Penalties After Breaches; SUNY Identifies Cyber Talent in the Student Body; Another Flaw Found in Swiss Online Voting Software
****************************************************************************
SANS NewsBites April 2, 2019 Vol. 21, Num. 026
****************************************************************************
TOP OF THE NEWS
GAO: Give Regulators More Authority to Impose Penalties on Companies After Breaches
SUNY Stony Brook Identifies Fast Track for Cyber Talent Discovery and Advancement in the Student Body
Another Flaw Found in Swiss Online Voting Software
REST OF THE WEEK'S NEWS
House Bill Would Create Cyber Advisory Panel at DHS
Senators Ask Voting Machine Vendors About Focus on Security
USAF Fast-Track IT System Shortens Authority to Operate Certification Time
Hackers Target Spanish Defence Ministry Intranet
20-Year Sentence for Fatal Swatting Attack
Boeing to Update MCAS Software
City of Albany, NY Targeted in Ransomware Attack
Software Outage Delayed Flights in US on Monday
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By MobileIron ****************************
Security breaches are more common today, but their impact isnt any less serious. The question is how are cyber attackers able to get to the data? And why are so few organizations able to stop them? The reason is because many organizations are simply not able to keep pace, and they are up against the cyber kill chain, which is highly adept at targeting and compromising mobile devices, users, apps, and networks. Register to learn more: http://www.sans.org/info/211242
*****************************************************************************
TOP OF THE NEWS
--GAO: Give Regulators More Authority to Impose Penalties on Companies After Breaches
(March 26, 2019)
A report from the US Government Accountability Office (GAO) says that giving federal regulators more authority to impose penalties on companies that suffer customer data breaches could help reduce the likelihood of more major incidents like the Equifax breach. The report examined the FTC's and the Consumer Financial Protection Bureau's (CFPB's) roles in consumer reporting agency (CRA) oversight. GAO "recommend[s] that Congress consider giving FTC civil penalty authority to enforce GLBA's [Gramm-Leach-Bliley Act] safeguarding provisions."
[Editor Comments]
[Pescatore] SANS gave the FTC a "Difference Makers" award back in 2013 and the GAO report notes that the FTC has quietly been effective in punishing egregious cybersecurity violations by business over the years since. I'm not a lawyer, but to me GLBA was the "send out postcards" kind of legislation that was pretty useless, adding that to FTC's charter would seem to dilute their effectiveness.
Read more in:
Nextgov: Empowering Regulators Could Stop the Next Equifax Breach, Watchdog Says
https://www.nextgov.com/analytics-data/2019/03/empowering-regulators-could-stop-next-equifax-breach-watchdog-says/155842/
GAO: CONSUMER DATA PROTECTION: Action Needed to Strengthen Oversight of Consumer Reporting Agencies (Fast Facts/Highlights)
https://www.gao.gov/products/GAO-19-469T
GAO: CONSUMER DATA PROTECTION: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies
https://www.gao.gov/assets/700/697026.pdf
--SUNY Stony Brook Identifies Fast Track For Cyber Talent Discovery and Advancement in the Student Body
(April 2, 2019)
Colleges face a shortage of technical talent to fill cybersecurity jobs in their IT departments. One college discovered a surprisingly large number of students have the talent to excel in technical cybersecurity roles. A carefully implemented program can find the best students for those positions and give those students great experience to make them well qualified for highly-paid cyber roles.
[Editor Comments]
[Paller] CIOs, CISOs and students in all the colleges in 27 states (where governors announced their states' Cyber FastTrack programs) will be able to test the tools discovered and demonstrated by SUNY Stony Brook on Friday April 5 at www.cyber-fasttrack.org
Read more in:
er.educause: CyberStart: Finding the Best Candidates for Student Cybersecurity Positions...and Beyond!
https://er.educause.edu/blogs/2019/4/cyberstart-finding-the-best-candidates-for-student-cybersecurity-positions-and-beyond
--Another Flaw Found in Swiss Online Voting Software
(March 25, 2019)
Researchers examining the source code for Internet voting software that Switzerland plans to use later this year have found a vulnerability that could be exploited to turn votes into unreadable nonsense. According to their paper, the researchers have discovered "a weakness in the SwissPost-Scytl implementation of the Fiat-Shamir transform that allows the creation of false decryption proofs, which verify perfectly but actually 'prove' a decryption that is different from the true plaintext." These same researchers found a flaw in the software several weeks ago. That vulnerability could have been exploited to replace actual votes with fraudulently created votes. That flaw has reportedly been fixed.
Read more in:
Cyberscoop: Second flaw found in Swiss election system could change 'valid votes into nonsense,' researchers say
https://www.cyberscoop.com/swiss-voting-system-second-flaw/
people.eng: How not to prove your election outcome
https://people.eng.unimelb.edu.au/vjteague/HowNotToProveElectionOutcome.pdf
**************************** SPONSORED LINKS ******************************
1) ICYMI SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended. http://www.sans.org/info/211247
2) "Simplifying Application Security with VMware AppDefense" with Dave Shackleford. Learn More: http://www.sans.org/info/211252
3) Don't Miss "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" Register: http://www.sans.org/info/211257
*****************************************************************************
REST OF THE WEEK'S NEWS
--House Bill Would Create Cyber Advisory Panel at DHS
(March 28, 2019)
US legislators have introduced a bill that would establish a cyber advisory committee at the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA). The 35-member committee would include cybersecurity professionals from state and local government and from relevant industries, like transportation, energy, and healthcare.
Read more in:
The Hill: Bipartisan bill would create cyber advisory panel at DHS
https://thehill.com/policy/cybersecurity/436339-bipartisan-bill-would-create-cybersecurity-advisory-committee-at-dhs
--Senators Ask Voting Machine Vendors About Focus on Security
(March 27, 2019)
Ranking members of several US Senate committees have written to three major voting machine vendors to ask them "about the security of the voting systems [their] companies manufacture and service." The three companies - Hart InterCivic, Election Systems & Software, and Dominion Voting Systems - provide the hardware and software used by 92 percent of US voters. The letter expresses concern that the majority of voting machines currently in use "have not been meaningfully updated in nearly two decades," and goes on to ask 16 questions about what steps the companies are taking to improve the security of their systems, and their views on federally mandated hand-marked paper ballots and post-election audits.
[Editor Comments]
[Henry] Questioning vendors, raising the expectations, and holding the vendors accountable is all critically important. That said, the government needs to hold attacking adversaries accountable too. In addition to continuing to secure the infrastructure, I'd be very interested to see actions congress is taking to define the redlines (illegal access to voting machines, in this case) and to communicate the ramifications to those crossing the redlines. This goes beyond "pointing fingers" and more towards developing a holistic security and deterrence strategy.
[Pescatore] Some of these same Senators wrote letters to the biggest voting system vendor, ESS, last year. Back in 2012, Senator Rockefeller sent similar letters to the CEOs of the Fortune 500 companies after Congress failed to pass a cybersecurity act. I don't remember an inch of progress being made because of any of the pen pal correspondence legislators do - imagine if there was no SEC enforcement, but when a company produced fraudulent financial reports or ignored "Generally Acceptable Accounting Principles" it received only letters from the senators. Voting systems will never be an area where market forces can change anything - I'd much rather see those pens signing legislation than writing "Dear CEO..."
[Neely] Existing components were designed to operate for 20-30 years with nominal if any updates with a very different threat landscape. What is needed is a common understanding of system lifecycle. Not only expected life of the components but also what updates will be made to existing components for how long as well as a plan for adapting to the changing threat landscape.
Read more in:
Cyberscoop: Voting-machine vendors have some serious questions to answer, senators say
https://www.cyberscoop.com/election-security-voting-machines-klobuchar-letter/
Klobuchar: Ranking Members Klobuchar, Warner, Reed, and Peters Press Election Equipment Manufacturers on Security
https://www.klobuchar.senate.gov/public/index.cfm/news-releases?ID=CB7B78C2-5313-4FA2-AB83-B4A7C85201F9
--USAF Fast-Track IT System Shortens Authority to Operate Certification Time
(March 27, 2019)
US Air Force officials have been given the green light to use the Fast-Track authority to operate (ATO) process to certify IT systems. The Fast-Track process can be completed in as short a period of time as one week. The Air Force has previously used the National Institute of Standards and Technology's (NIST's) Risk Management Framework (RMF) to certify systems. Air Force chief technology officer Frank Konieczny said that "It comes down to the premise that RMF is a compliance issue. It doesn't mean you're secure, it means you're compliant." Fast-Track involves pen-testing a system to establish a baseline and then employing continuous monitoring.
[Editor Comments]
[Neely] Sometimes a lot of time is lost understanding the necessary controls needed to protect the data in a new system. While NIST frameworks are designed for most scenarios, an understanding of requirements is needed to appropriately tailor them to the current requirements. Active security testing coupled with reuse of existing solutions to support systems would provide a fast path to a verified secure system with an acceptable level of risk and sufficient data protections. Even so, the authorizing official needs sufficient time to understand the results, and any needed mitigation so they can appropriately accept the risk of operation.
Read more in:
Nextgov: Air Force's New Fast-Track Process Can Grant Cybersecurity Authorizations In One Week
https://www.nextgov.com/cybersecurity/2019/03/air-forces-new-fast-track-process-can-grant-cybersecurity-authorizations-one-week/155860/
--Hackers Target Spanish Defence Ministry Intranet
(March 26, 2019)
Spain's El Pais newspaper reported that the country's defense ministry intranet was infected with malware in March. The attackers appeared to be seeking secret, high-tech military information, according to sources involved in the investigation. The infected intranet does not hold classified information, but there is concern that the attackers could attempt to move laterally to more classified defense ministry systems. It is not known who is behind the attack, but sources say its sophistication indicates it is the work of a nation-state.
Read more in:
NYT: Virus Attacks Spain's Defence Intranet, Foreign State Suspected-Paper
https://www.nytimes.com/reuters/2019/03/26/technology/26reuters-spain-security-cybertattack.html
--20-Year Sentence for Fatal Swatting Attack
(March 24 & 29, 2019)
Tyler Barriss has been sentenced to 20 years in prison for making a phony emergency call that resulted in the shooting death of an innocent person. As a prank to settle a dispute between two players of an online game, Barriss phoned authorities in Kansas, pretending to be one of the men and claimed to be holding people hostage in a home. Barriss provided an incorrect address, and a tragic series of events led to the shooting death of an innocent man.
Read more in:
KrebsOnSecurity: Man Behind Fatal 'Swatting' Gets 20 Years
https://krebsonsecurity.com/2019/03/man-behind-fatal-swatting-gets-20-years/
The Register: Trio indicted after police SWAT prank call leads to cops killing bloke
https://www.theregister.co.uk/2018/05/24/swatting_death_indictment/
Ars Technica: Man gets 20 years for deadly "swatting" hoax
https://arstechnica.com/tech-policy/2019/03/man-gets-20-years-for-deadly-swatting-hoax/
--Boeing to Update MCAS Software
(March 29 & April 1, 2019)
Initial findings from the analysis of black box data from the crash of Ethiopian Airlines Flight 302 indicate that faulty sensor data caused the Boeing 737 MAX's Maneuvering Characteristics Augmentation System (MCAS) software to activate an anti-stall feature that forced the nose of the plane down. Boeing is reportedly working with the US Federal Aviation Administration (FAA) to release an updated version of the MCAS software. Last week, the acting FAA director told the Senate Commerce, Science, and Transportation Committee's aviation subcommittee that there had not been flight tests to see how pilots would respond to to MCAS software malfunction.
[Editor Comments]
[Neely] After the update and validation testing, a big challenge will be regaining public trust in those aircraft, which may hinge on revised processes for introducing significant changes to certification of new aircraft control systems.
[Murray] In this case, software is the fix, not the cause. The cause was faulty sensor data. We know that the MCAS was implicated in two accidents. However, to properly assess it, one would need to know how many stalls it prevented. If stalls were not a safety issue, MCAS would not be necessary. One is reminded of automated cars, where every accident is highlighted but no credit is given for accidents avoided.
Read more in:
Ars Technica: Initial findings put Boeing's software at center of Ethiopian 737 crash
https://arstechnica.com/information-technology/2019/03/initial-findings-put-boeings-software-at-center-of-ethiopian-737-crash/
FAA: FAA Statement on Boeing 737 MAX Software Update
https://www.faa.gov/news/updates/?newsId=93206
--City of Albany, NY Targeted in Ransomware Attack
(April 1, 2019)
Computer systems at the city of Albany, New York were hit with a ransomware attack on Saturday, March 30. According to a press release, most city services were available on Monday, April 1, with the exception of birth certificates, marriage licenses and certificates, and death certificates. The Albany Police Officers Union said that officers could not get "access to the scheduling system, departmental email, and any other service or program that operates by internet connection."
Read more in:
Statescoop: Albany, N.Y. hit with ransomware attack, mayor says
https://statescoop.com/albany-n-y-hit-with-ransomware-attack-mayor-says/
CNET: New York capital hit by ransomware attack, taking services offline
https://www.cnet.com/news/new-york-capital-hit-by-ransomware-attack-taking-services-offline/
Bleeping Computer: New York Albany Capital Hit by Ransomware Attack
https://www.bleepingcomputer.com/news/security/new-york-albany-capital-hit-by-ransomware-attack/
--Software Outage Delayed Flights in US on Monday
(April 1, 2019)
A fault in flight planning software caused travel delays at US airports on Monday morning, April 1. The US Federal Aviation Administration (FAA) said that the problem affected several airlines that use the AeroData system, which calculates aircraft weight and balance fuel requirements. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Williams] While many will view this as a simple outage, it is actually a supply chain issue. Organizations should examine how many external software as a service (SaaS) vendors they have that can negatively impact or completely disrupt operations. In this case, operations were suspended during the outage. A good DR plan would provide a secondary service provider and/or a manual process for calculating the weight and balance data. While it's almost certain that a manual process exists, it must be practiced regularly (like any good DR plan) if it is to be executed successfully during an outage.
Read more in:
Washington Post: Several major airlines grounded planes Monday morning across U.S. because of software problem
https://www.washingtonpost.com/transportation/2019/04/01/southwest-airlines-grounds-planes-across-country/
Bleeping Computer: U.S. Airlines Cancel, Delay Flights Because of Aerodata Outage
https://www.bleepingcomputer.com/news/technology/us-airlines-cancel-delay-flights-because-of-aerodata-outage/
WSJ: U.S. Airlines Report Delays Caused by System Fault (paywall)
https://www.wsj.com/articles/southwest-airlines-says-systemwide-technology-problem-affecting-flights-11554117011
INTERNET STORM CENTER TECH CORNER
Annotating Golang Binaries with Cutter and Jupyter
https://isc.sans.edu/forums/diary/Annotating+Golang+binaries+with+Cutter+and+Jupyter/24790/
VMWare Patches
https://www.vmware.com/security/advisories/VMSA-2019-0005.html
Kubernetes Directory Traversal
https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/
Android Monthly Update
https://source.android.com/security/bulletin/2019-04-01#2019-04-01-details
ASUS Targeted MAC Addresses Available for Download
https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/
Common "OpenAction" False Positive in PDFs Created by OpenOffice
https://isc.sans.edu/forums/diary/Analysis+of+PDFs+Created+with+OpenOfficeLibreOffice/24798/
Weaponized Version of New Zealand Attack Manifesto
https://bluehexagon.ai/blog/weaponized-version-of-new-zealand-terror-suspects-manifesto-discovered-in-the-wild/
Malicious Android App Forwards Banking Calls to Attacker
https://www.blackhat.com/asia-19/briefings/schedule/index.html#when-voice-phishing-met-malicious-android-app-13419
Google Allowing WebAuthn Login from Firefox/Edge
https://twitter.com/christiaanbrand/status/1111430192596025347
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
