SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #30
April 16, 2019Insurance Companies Deny Cyber Claims; Law Enforcement Gets Locations from Google; USAF Adds Cybersecurity Career Path; Vulnerability in VPN Apps
****************************************************************************
SANS NewsBites April 16, 2019 Vol. 21, Num. 030
****************************************************************************
TOP OF THE NEWS
Insurance Companies Citing "War Exclusion" to Deny Payment of Claims for NotPetya Attacks
Law Enforcement Can Use Warrants to Get Device Location Data from Google
USAF Career Path Categories Now Include Cybersecurity
CERT CC Warns of Vulnerability in VPN Apps
REST OF THE WEEK'S NEWS
North Dakota's State IT Department is Now in Charge of All Public Organization Cybersecurity
Gmail Now Supports MTA-STS and TLS Reporting Standards
Space ISAC
NATO Cybersecurity Exercise Simulates Election Interference
Researchers Find Vulnerabilities in WPA3 Protocol
US Federal Jury Convicts Two Romanians on Multiple Malware-Related Charges
Microsoft Acknowledges Breach Affecting Webmail Services
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends April 17.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
******************** Sponsored By AWS Marketplace ************************
AWS Series Part IV: Securing Web Applications in AWS. Struggling with securing customer-facing apps? Learn how AWS addresses these inherent application risks with threat modeling and secure DevOps. Register for the April 25 webcast featuring SANS instructor Shaun McCullough with AWS solutions architect manager David Aiken. http://www.sans.org/info/211818
*****************************************************************************
TOP OF THE NEWS
--Insurance Companies Citing "War Exclusion" to Deny Payment of Claims for NotPetya Attacks
(April 15, 2019)
After snack food company Mondelez International was hit by the NotPetya attack in 2017, costs of cleaning up the infection, replacing computer equipment and losses from unfilled orders ran to more than $100 million. Mondelez's insurance company, Zurich Insurance, declined to pay the company's claim, citing the "war exclusion." Merck, the pharmaceutical company, said its insurers also refused to pay its claim from NotPetya losses, which totaled nearly $700 million. Both companies have challenged the insurance companies' decisions in court. The lawsuits focus on whether or not the US government's attribution of the NotPetya attack to Russia is sufficient for the insurance companies to declare a "war exclusion."
[Editor Comments]
[Williams] The likely reason insurers waited for NotPetya to try this tactic is that trying and failing in the courts would establish a negative precedent. Insurers wanted to maximize their chances of getting a favorable ruling, so they waited for a model case. NotPetya is that case. There's virtually no question that Russia was behind the attack and the motive of the attack is almost certainly a strike at Ukraine. Help your Chief Risk Officer (CRO) track his case. Cyber insurance, when used properly, can mitigate existential risks to a business. Misunderstanding what will and won't be covered could also be a major risk.
[Murray] These lawsuits are more likely to be settled than to see the inside of a courtroom, or to resolve the critical questions. First, is this the scale of event that the "war exclusion" was intended to address? Second, are all mischievous, or even malicious, acts of nation states "acts of war"? It is up to purchasers of insurance to ensure that they actually get the protection that they think they are paying for. Consider the use of brokers and claims adjusters that specialize in "cyber" insurance.
Read more in:
NYT: Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.
https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
--Law Enforcement Can Use Warrants to Get Device Location Data from Google
(April 13, 2019)
Google's Sensorvault database contains location data for hundreds of millions of devices all over the world. Law enforcement officials have been using warrants to obtain information from Sensorvault in an effort to identify suspects in crimes. Sensorvault holds data from a Google Location History, a function which is not enabled by default, though some services, like traffic alerts, prompt users to enable it. Law enforcement officials have been seeking data from Sensorvault about devices in the vicinity at the time of a crime. While the initial data Google provides are anonymized, once law enforcement has analyzed movements patterns and reduced devices of interest to a smaller number, Google provides law enforcement with the information of the owners of those devices.
[Editor Comments]
[Pescatore] Several issues here. SANS instructor Heather Mahalik did a great talk at the SANS keynote threat panel at the RSA conference on how much information cloud service providers, using Google as the prime example, collect on you. You can go to myactivity.google.com to get an idea, and at myaccount.google.com you can disable web/app activity, location history, voice recording and other "this will improve your experience" type services. At the law enforcement level, there is a long history of not even needing warrants to get called/calling number data because the courts ruled that the individual "...voluntarily conveyed numerical information to the telephone company" So, if you voluntarily click to enable those services, you have essentially given permission - at least in the US, in Europe GDPR is pickier. Bottom: make an informed decision, check those settings.
Read more in:
NYT: Google's Sensorvault Is a Boon for Law Enforcement. This Is How It Works.
https://www.nytimes.com/2019/04/13/technology/google-sensorvault-location-tracking.html
--USAF Career Path Categories Now Include Cybersecurity
(April 11, 2019)
The US Air Force has announced seven new career categories, including intelligence, space, and cybersecurity. Lt. Gen. Brian Kelly, Air Force deputy chief of staff for manpower, personnel, and services told reporters, "We can't have a one-size-fits-all developmental path."
Read more in:
FCW: Cyber is among new USAF competitive career categories
https://fcw.com/articles/2019/04/11/usaf-cyber-career-category.aspx
--CERT CC Warns of Vulnerability in VPN Apps
(April 11 & 12, 2019)
A Vulnerability Note from Carnegie Mellon University's CERT Coordination Center warns that several virtual private network (VPN) applications store unencrypted authentication and/or session cookies in memory and/or in log files. The Note lists several products that are affected, and goes on to say, "It is likely that this configuration is generic to additional VPN applications." Some of the identified products have addressed the issue.
Read more in:
kb.cert: VPN applications insecurely store session cookies
https://www.kb.cert.org/vuls/id/192371/
Threatpost: Authentication Bypass Bug Hits Top Enterprise VPNs
https://threatpost.com/authentication-bypass-bug-enterprise-vpns/143781/
Cyberscoop: DHS alerts industry to insecure enterprise VPN apps
https://www.cyberscoop.com/dhs-alert-enterprise-vpn-cisco-f5-palo-alto-networks/
The Register: US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'
https://www.theregister.co.uk/2019/04/12/uscert_vpn_alert/
**************************** SPONSORED LINKS ******************************
1) In this Seuss-inspired children's book, discover the many surprising ways fraud touches our everyday lives. http://www.sans.org/info/211823
2) Webcast April 17th, 1 PM ET: Simplifying Application Security with Software-Defined Security, presented by VMware and SANS expert Dave Shackleford. http://www.sans.org/info/211828
3) Webcast April 23rd, 1 PM ET: Palo Alto Networks and SANS expert Matt Bromiley to discuss various automation tools to help keep your multi-cloud environments secure. http://www.sans.org/info/211833
*****************************************************************************
REST OF THE WEEK'S NEWS
--North Dakota's State IT Department is Now in Charge of All Public Organization Cybersecurity
(April 12, 2019)
North Dakota's governor has signed into law a bill that puts the state's IT department in charge of cybersecurity operations across state public organizations, including schools, local governments, state legislature, and the courts. The goal is to provide the public entities across the state a unified framework.
[Editor Comments]
[Pescatore] State and local governments are unique environments. Especially for states for lower populations and revenue, the fully distributed governance model doesn't often work. But, the completely centralized approach often tries to drive identical processes across universities, courts, medical centers, revenue agencies and police departments - very different risks, very different business drivers. A more federated approach takes more management skill and attention but has seemed to work well in many states.
Read more in:
Statescoop: North Dakota's IT department takes charge of cybersecurity for the entire state
GovTech: North Dakota Adopts Statewide Cybersecurity Approach
https://www.govtech.com/security/North-Dakota-Adopts-Statewide-Cybersecurity-Approach.html
--Gmail Now Supports MTA-STS and TLS Reporting Standards
(April 11, 2019)
Gmail now supports the MTA-STS and TLS Reporting security standards, the first major email provider to implement the standards. Both standards are extensions to the Simple Mail Transfer Protocol (SMTP). Both help establish secure cryptographic connections to help prevent SMTP man-in-the-middle attacks.
[Editor Comments]
[Pescatore] Most of the major email service providers worked together on RFC 8460/8461. Google being first to turn it on is less important than all of them agreeing on common standards and implementing those standards.
[Hoelzer] As wonderful as this is for privacy, it remains to be seen how this squares with the emphasis on data leakage prevention. Encryption between SMTP servers has been available for years through STARTTLS, but for a number of DLP solutions to work STARTTLS must either be disabled or the DLP solution itself will act as a man-in-the-middle, tampering with the handshake to prevent the TLS session from establishing. We will have to watch and see if things actually change with the STS element since neither RFC seems to account for DLP solutions at all.
Read more in:
ZDNet: Gmail becomes first major email provider to support MTA-STS and TLS Reporting
--Space ISAC
(April 9, 2019)
The US space industry will establish the Space Information Sharing and Analysis Center (S-ISAC). The organization's analysis center will be housed at the National Cybersecurity Center in Colorado Springs, Colorado.
Read more in:
Cyberscoop: New Space ISAC plans to elevate the industry's awareness of cyberthreats
https://www.cyberscoop.com/space-isac-ncc-kratos/
Space News: Space Information Sharing and Analysis Center to be based in Colorado Springs
https://spacenews.com/space-information-sharing-and-analysis-center-to-be-based-in-colorado-springs/
--NATO Cybersecurity Exercise Simulates Election Interference
(April 9 & 15, 2019)
Earlier this month, NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) coordinated a cybersecurity exercise that simulated coordinated attacks designed to interfere with elections in a fictional country. Locked Shields 2019, which is a real-time exercise, involved "the defence of a large scale power grid control system and power generating substations, 4G public safety network for law enforcement and emergency communication, PLC controlled water purification plant and maritime awareness tools." The exercise's organizers were in Tallinn Estonia; the blue teams, which are from CCDCOE member nations, and played from their own countries.
Read more in:
CCDCOE: International Live-Fire Cyber Defence Exercise Locked Shields Kicks Off Today
Fifth Domain: NATO launches cyber-defense drill simulating elections under attack https://www.fifthdomain.com/global/europe/2019/04/08/nato-launches-cyber-defense-drill-simulating-elections-under-attack/
ZDNet: Cybersecurity: This giant wargame is preparing for the next big election hack
--Researchers Find Vulnerabilities in WPA3 Protocol
(April 11, 2019)
Researchers have published a paper detailing several vulnerabilities in the WPA3 protocol that was released less than a year and a half ago. WPA was touted as being an improvement over WPA2. It employs a protocol, dubbed Dragonfly, that its architects said did a better job of guarding against password guessing attacks than did WPA2. The paper says that the process used to create WPA3 should have been more open and that weaknesses in low-cost devices are likely to persist as they are less likely to be patched.
[Editor Comments]
[Pescatore] The WiFi Alliance started out at the Wireless Ethernet *Compatibility* Alliance, and at each generation of new WiFi connect/authenticate/secure standards have tended to suffer from both the lack of openness mentioned and an organizational DNA that tends to prioritize ease of use and multi-vendor compatibility over security thoroughness. WiFi is the common denominator across the "Internet of Things" - these regular cycles of "new, improved" and "oops, have to fix" are just going to be the standard way of life. Important that everything you buy with WiFi in it is either disposable or has manageable update capabilities.
[Murray] Attacks from the air side do not scale well. They are more often used to steal access than to steal data or implement fraud. While many WPA3 implementations are now available for purchase, they do not yet constitute a large portion of the population of wireless access points. Because passwords for routers are used mostly in the rare event of adding new devices to the network, using long and strong passwords is not much of an inconvenience. Users of all routers should avail themselves of long, but easy to remember, passwords.
Read more in:
Ars Technica: Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords
Papers.mathyvanhoef: Dragonblood: A Security Analysis of WPA3's SAE Handshake (PDF)
https://papers.mathyvanhoef.com/dragonblood.pdf
--US Federal Jury Convicts Two Romanians on Multiple Malware-Related Charges
(April 11, 12, 13, & 15, 2019)
Two Romanian citizens have been found guilty of numerous charges for developing and distributing malware that infected more than 400,000 computers in the US. Bogdan Nicolescu and Radu Miclaus used the malware to steal payment card information, use infected machines' resources to mine cryptocurrency, and to commit online auction fraud. A third co-conspirator, Tiberiu Danet, pleaded guilty to charges in November 2018.
Read more in:
ZDNet: The Bayrob malware gang's rise and fall
https://www.zdnet.com/article/the-bayrob-malware-gangs-rise-and-fall/
SC Magazine: Two Romanians convicted for roles in Bayrob malware operation
Threatpost: Romanian Duo Convicted of Malware Scheme Infecting 400,000 Computers
https://threatpost.com/romanian-duo-convicted-of-malware-scheme-infecting-400000-computers/143745/
Justice: Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars
Justice: Multiple Victim Case Update - United States V. Nicolescu et al.
https://www.justice.gov/usao-ndoh/multiple-victim-case-update-united-states-v-nicolescu-et-al
--Microsoft Acknowledges Breach Affecting Webmail Services
(April 13 & 15, 2019)
Microsoft has admitted that its web-based email services (Outlook, MSN, and Hotmail) were breached earlier this year, exposing user information, including email addresses, email subject lines, names of people in conversations, and customer folder names. The hackers used stolen credentials to access a Microsoft customer support account, and then accessed user account information. The hackers also appear to have accessed the content of some messages. Microsoft has notified affected users.
Read more in:
Tech Crunch: Microsoft: Hackers compromised support agent's credentials to access customer email accounts
https://techcrunch.com/2019/04/13/microsoft-support-agent-email-hack/
Motherboard: Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support
Wired: Microsoft Email Hack Shows the Lurking Danger of Customer Support
https://www.wired.com/story/microsoft-email-hack-outlook-hotmail-customer-support/
Threatpost: Microsoft Outlook Breach Widens in Scope, Impacting MSN And Hotmail - Report
https://threatpost.com/microsoft-outlook-breach-msn-hotmail/143772/
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Configuring MTA-STS
https://isc.sans.edu/forums/diary/Configuring+MTASTS+and+TLS+Reporting+For+Your+Domain/24840/
How to Find Hidden Cameras in Your AirBNB
https://isc.sans.edu/forums/diary/How+to+Find+Hidden+Cameras+in+your+AirBNB/24834/
Insecure Storage of VPN Credentials
https://www.kb.cert.org/vuls/id/192371/
Malicious/Misleading VPN Ads
Internet Explorer XML External Entity Vulnerability
Common "False Positives" in DNS Query Logs
https://isc.sans.edu/forums/diary/Odd+DNS+Requests+that+are+Normal/24844/
Executables in Polyglot DICOM Images (PDF)
Adblock Plus Allows Filter List Providers to Inject Code in Pages
https://armin.dev/blog/2019/04/adblock-plus-code-injection/
Microsoft Patch Problems
https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472
https://support.microsoft.com/en-us/help/4493446/windows-8-1-update-kb4493446
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create=