SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #46
June 11, 2019
GAO: TSA Pipeline Security Problems; Traveler and License Plate Images Stolen from DHS Contractor
****************************************************************************
SANS NewsBites June 11, 2019 Vol. 21, Num. 046
****************************************************************************
TOP OF THE NEWS
GAO Audit Finds TSA Pipeline Security Plans Need to be Updated
Traveler and License Plate Images Stolen from Customs and Border Protection Contractor's Network
Two Maryland High Schools and One Texas High School Win National High School GirlsGoCyberStart Competition
*************************** Sponsored By VMRay ****************************
Defeat Evasive Malware. Learn about the popular methods attackers are using to evade sandbox environments in this whitepaper from the VMRay Research Team. You will get a deeper understanding of the telltale signs malware uses to evade analysis, and learn practical strategies for enhancing detection, no matter how evasive the threat. http://www.sans.org/info/213220
*****************************************************************************
REST OF THE WEEK'S NEWS
Voting Machine Vendor Urges Mandated Paper Trails
Spam Campaign Exploits Known Flaw in Microsoft Office
Wyden to DOJ: How Are Cyber Exploits Being Protected?
US States Working with National Governors Association to Improve Election Security
US Nuclear Regulatory Commission Needs More Cybersecurity Inspectors
The Google Cloud Outage
Komodo's Proactive Cryptocurrency Wallet Hack
BGP Route Leak Caused Mobile Traffic to be Rerouted Through China
Darkode Indictment
Correction: NSA Advice About BlueKeep Flaw
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
**************************** SPONSORED LINKS ******************************
1) In this Seuss-inspired children's book, discover the many surprising ways fraud touches our everyday lives. http://www.sans.org/info/213230
2) New to cybersecurity? Looking to improve Pentesting, Forensic or Cyber Defence skills? Level Up with SANS! http://www.sans.org/info/213235
3) How do your threat hunting efforts stack up with your peers? Take the SANS 2019 Threat Hunting Survey--and enter to win a $400 Amazon gift card! http://www.sans.org/info/213240
*****************************************************************************
TOP OF THE NEWS
--GAO Audit Finds TSA Pipeline Security Plans Need to be Updated
(June 5, 2019)
An audit conducted by the US Government Accountability Office (GAO) found that the Transportation Security Administration (TSA), which is responsible for monitoring and securing the country's oil and gas pipelines, lacks current, adequate plans for responding to security incidents. The TSA's Pipeline Security and Incident Recovery Protocol Plan, which assigns responsibilities to federal agencies and the private sector in the event of a pipeline security event, was last updated in 2010. A similar plan, an agreement between TSA and the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA), has not been updated since 2006.
[Editor Comments]
[Neely] With the rapid advancement of the threat model against critical infrastructure, be it oil and gas pipelines, or enterprise assets and supply chains, regular, possibly annual, incremental updates and reviews of response plans will reduce the amount of change that needs to be incorporated.
[Murray] Contingency planning for infrastructure should now be a continuous activity, not "a document which one takes out and reads while sitting in the ashes."
Read more in:
FCW: Watchdog: Current pipeline security plans weak on cybersecurity, coordination
https://fcw.com/articles/2019/06/05/tsa-pipeline-security.aspx
GAO: Key Pipeline Security Documents Need to Reflect Current Operating Environment (PDF)
https://www.gao.gov/assets/700/699511.pdf
--Traveler and License Plate Images Stolen from Customs and Border Protection Contractor's Network
(June 10, 2019)
US Customs and Border Protection (CBP) has acknowledged that hackers broke into the IT systems of a third-party contractor and stole photos of people and images of license plates. CBP uses cameras and video recordings at airports and at land border crossings. CBP said that it learned of the breach in late May; the contractor, which has not been identified, had copied the images to its own network, which was then breached.
[Editor Comments]
[Neely] Not only is this a case of third-party security controls being inadequate, it is also a case of the contractor exceeding the acceptable use agreement for the data. While the desire to use the available data to improve their capabilities was commendable, a verification that the change was an allowable use and that the data was properly protected was needed. When setting up third-party contractors to process data, include ongoing monitoring to make sure data protections are in place and use agreements are being adhered to.
[Murray] As long as the public is willing to accept government transferring the blame for breaches to "no-name" third parties, the breaches will continue. Government must be brought to the understanding that, to the extent that it collects data, it is responsible for protecting it.
Read more in:
Wired: Hack Brief: Hackers Stole a Border Agency Database of Traveler Photos
https://www.wired.com/story/hackers-stole-traveler-photos-border-agency-database/
Washington Post: U.S. Customs and Border Protection says photos of travelers were taken in a data breach
The Register: US border cops confirm: Maker of America's license-plate, driver recognition tech hacked, camera images swiped
https://www.theregister.co.uk/2019/06/10/us_custom_border_patrol_contractor_hacked/
--Two Maryland High Schools and One Texas High School Win National High School GirlsGoCyberStart Competition
(June 11, 2019)
After 27 governors announced GirlsGoCyberStart in February, 11,250 high school girls played CyberStart Assess, winning access to the CyberStart Game for the girls and boys in their schools. 120 four-woman teams qualified for the national championships. Three schools in most of the 27 participating states won financial prizes, and 20 schools made the 10,000-point club. The top three schools nationally, each winning substantial financial rewards, are:
Clements HS in Texas: Number 3
Poolesville HS in Maryland: Number 2
Montgomery Blair HS in Maryland: Number 1
Medium: The Winners of the National Championship for Girls Go CyberStart 2019
*****************************************************************************
REST OF THE WEEK'S NEWS
--Voting Machine Vendor Urges Mandated Paper Trails
(June 7 & 10, 2019)
In an op-ed piece in Roll Call, Election Systems & Software CEO Tom Burt called on Congress to pass legislation requiring paper trails for all voters. The company said it would no longer sell paperless voting machines "as primary voting devices." ES&S also asked Congress to require that voting machines be tested by third-party researchers and noted that there is a "need for the establishment of standards for machine penetration testing."
[Editor Comments]
[Northcutt] Paper leaves a record that is hard to modify without detection. Good stuff!
Read more in:
RollCall: A paper record for every voter: It's time for Congress to act
https://www.rollcall.com/news/opinion/paper-record-every-voter-time-congress-act
Washington Post: The Cybersecurity 202: Even a voting machine company is pushing for election security legislation
Ars Technica: Leading voting-machine vendor vows to ditch paperless voting
--Spam Campaign Exploits Known Flaw in Microsoft Office
(June 7, 9, & 10, 2019)
Microsoft has warned of a spam campaign that uses maliciously-crafted RTF documents. Once the documents have been opened, they infect computers with no additional user interaction. The spam email is being sent in several different European languages. The malicious documents exploit a known vulnerability for which Microsoft released a patch in November 2017.
[Editor Comments]
[Neely] The bug lies in the old Equation Editor component, which Microsoft patched in November 2017, and then removed in January 2018. Security updates were released for Office 2007, 2010 and 2016. Either apply the patch or upgrade to the January 2018 (or later) Office packages.
Read more in:
Threatpost: Microsoft Warns of Email Attacks Executing Code Using an Old Bug
https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/
ZDNet: Microsoft warns about email spam campaign abusing Office vulnerability
Bleeping Computer: Microsoft Issues Warning on Spam Campaign Using Office Exploits
MSRC: CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
--Wyden to DOJ: How Are Cyber Exploits Being Protected?
(June 7, 2019)
US Senator Ron Wyden (D-Oregon) has asked the Department of Justice (DOJ) how law enforcement agencies are protecting offensive cyber tools from foreign intelligence agencies and others. Wyden's letter argues that the government should keep its cyber tools safe from adversaries just as it protects nuclear, chemical, and biological weapons. Wyden asks specifically whether cyber exploits have ever been accessed by an adversary through a breach or in the wild, and whether foreign countries have developed offensive cyber tools that law enforcement agencies use.
Read more in:
Cyberscoop: Senator asks Department of Justice if it can keep a lid on its software exploits
https://www.cyberscoop.com/department-of-justice-hacking-tools-ron-wyden-letter/
Document Cloud: Wyden June 5 Letter to Barr (PDF)
https://www.documentcloud.org/documents/6143688-Wyden-Letter-to-Barr.html
--US States Working with National Governors Association to Improve Election Security
(June 5 & 7, 2019)
Six US states have been selected to participate in the National Governors Association's (NGA's) Policy Academy, which will work "on strategies to improve cybersecurity operations and communications around elections." There will be a two-day workshop in each of the states (Arizona, Hawaii, Idaho, Nevada, Minnesota, and Virginia) and the states will have monthly virtual meetings with Policy Academy staff to help develop action plans specific to each state.
Read more in:
NGA: States Get Assistance on Election Cybersecurity
https://www.nga.org/news/press-releases/states-get-assistance-on-election-cybersecurity/
Fifth Domain: Russian hackers targeted them. Now states want to protect their election systems
--US Nuclear Regulatory Commission Needs More Cybersecurity Inspectors
(June 4, 6, & 7, 2019)
According to a recent Inspector General report, nearly one-third of Nuclear Regulatory Commission (NRC) cybersecurity inspectors will be eligible for retirement by the end of FY 2020. There is concern that there are not enough people being trained to assume those positions. A decade ago, the NRC began requiring nuclear power stations to protect their IT systems from cyberattacks. While cybersecurity inspectors are currently being trained, many have other responsibilities as well, which compounds the difficulty of keeping cybersecurity expertise current.
Read more in:
MeriTalk: NRC Facing Staffing Issues in Cyber, IG Says
https://www.meritalk.com/articles/nrc-facing-staffing-issues-in-cyber-ig-says/
Nextgov: Nuclear Energy Regulators Need to Bring on More Cyber Experts, Watchdog Says
Oversight: Audit of NRC's Cyber Security Inspections at Nuclear Power Plants (PDF)
--The Google Cloud Outage
(June 6 & 7, 2019)
Google has provided a more detailed explanation of the June 2 Google Cloud outage that impacted Google services as well as third-party services that depend on Google Cloud for several hours. "Two normally-benign misconfigurations, and a specific software bug, combined to initiate the outage," which prevented Google engineers from pushing out a fix quickly.
Read more in:
status.cloud.google: Google Cloud Status Dashboard: Google Cloud Networking Incident #19009
https://status.cloud.google.com/incident/cloud-networking/19009
Wired: The Catch-22 That Broke the Internet
https://www.wired.com/story/google-cloud-outage-catch-22/
--Komodo's Proactive Cryptocurrency Wallet Hack
(June 6 & 7, 2019)
When the Komodo cryptocurrency platform learned of a backdoor in its Agama wallet app, it exploited the vulnerability to move customers' funds in unsecured wallets to a secure location to protect them from being stolen by hackers. In all, Komodo moved eight million Komodo coins and 96 Bitcoins to a secure location. The Komodo support page provides instructions for customers to reclaim their cryptocurrency.
[Editor Comments]
[Neely] This is a case of application supply-chain security. The wallet app contained the EasyDEX-GUI, which included a malicious java library, reinforcing the need to not only check the security of code you develop, but also third-party components. Komodo not only proactively secured funds for their users, using the discovered exploit, but also discontinued the vulnerable wallet, published advice on a replacement wallet and on creating new KMD/BTC addresses, and provided instructions for reclaiming collected funds. The question is how many users' wallets were exploited prior to Komodo's proactive sweep.
Read more in:
Komodo Platform: Agama security announcement
ZDNet: Cryptocurrency startup hacks itself before hacker gets a chance to steal users funds
The Register: Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves
https://www.theregister.co.uk/2019/06/07/komodo_npm_wallets/
SC Magazine: Researchers exploit crypto wallet bug before hackers to save customer funds
--BGP Route Leak Caused Mobile Traffic to be Rerouted Through China
(June 7 & 8, 2019)
A Border Gateway Protocol (BGP) route leak caused European mobile Internet traffic to be routed through the infrastructure of China Telecom for several hours on June 6. The incident was due to a BGP route leak at Safe Host, a Swiss data center co-location company. While providers often set procedures to prevent other networks from echoing faulty routes, in this case, China Telecom re-announced the routes, which resulted in networks that connect to China Telecom following the routes as well.
Read more in:
Ars Technica: BGP event sends European mobile traffic through China Telecom for 2 hours
ZDNet: For two hours, a large chunk of European mobile traffic was rerouted through China
Bleeping Computer: China Routed Traffic from European Carriers for Two Hours
DUO: Large BGP Leak Hits European Mobile Carriers
https://duo.com/decipher/large-bgp-leak-hits-european-mobile-carriers
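The leak described above has the classic shape of a multi-homed customer passing routes learned from one provider on to another provider, which then re-announces them. The check below is an added example, not code from the newsletter or from any of the networks involved: it applies the valley-free rule (customer-to-provider hops, at most one peer hop, then only provider-to-customer hops) to a received AS_PATH, which is the general filter a provider can apply to routes learned from customers and peers. All ASNs and relationships are constructed for the example.

```python
"""Valley-free AS_PATH check for spotting BGP route leaks.

Constructed example: the ASNs and relationship table are hypothetical,
chosen to mirror a multi-homed operator leaking one provider's routes to
another provider. Real deployments take relationships from contracts,
IRR/RPKI data or PeeringDB, not a hard-coded dict.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical ASNs:
#   65001, 65002  two transit providers that peer with each other
#   65010         a multi-homed colocation operator, customer of both
#   65100         a mobile operator, customer of 65001 only
PROVIDERS_OF: Dict[int, Set[int]] = {65010: {65001, 65002}, 65100: {65001}}
PEERS: Set[FrozenSet[int]] = {frozenset({65001, 65002})}


def step_direction(sender: int, receiver: int) -> Optional[str]:
    """Classify one propagation hop: `sender` announced the route to `receiver`."""
    if receiver in PROVIDERS_OF.get(sender, set()):
        return "up"      # customer -> provider
    if sender in PROVIDERS_OF.get(receiver, set()):
        return "down"    # provider -> customer
    if frozenset({sender, receiver}) in PEERS:
        return "flat"    # peer -> peer
    return None          # relationship unknown: cannot judge this hop


def check_announcement(as_path: List[int], local_asn: int) -> Tuple[str, str]:
    """Validate a received BGP AS_PATH (nearest AS first, origin last).

    Returns ("accept" | "leak" | "unknown", reason). A leak is any "up" or
    "flat" hop after the path has already gone downhill or crossed a peer.
    """
    hops: List[int] = []
    for asn in reversed(as_path):          # order hops origin -> us
        if not hops or hops[-1] != asn:    # collapse AS prepending
            hops.append(asn)
    hops.append(local_asn)                 # final hop: neighbour -> local AS

    phase = "up"                           # allowed sequence: up* flat? down*
    for sender, receiver in zip(hops, hops[1:]):
        d = step_direction(sender, receiver)
        if d is None:
            return "unknown", f"no relationship data for AS{sender}->AS{receiver}"
        if d == "up" and phase != "up":
            return "leak", (f"AS{sender} re-announced a route learned from a "
                            f"provider or peer to its provider AS{receiver}")
        if d == "flat":
            if phase != "up":
                return "leak", f"AS{sender} passed a non-customer route to peer AS{receiver}"
            phase = "down"                 # one peer hop, then only downhill
        elif d == "down":
            phase = "down"
    return "accept", "valley-free path"


def find_leaks(announcements: List[Tuple[str, List[int]]], local_asn: int) -> List[str]:
    """Return the prefixes whose AS_PATH fails the valley-free check."""
    return [prefix for prefix, path in announcements
            if check_announcement(path, local_asn)[0] == "leak"]


if __name__ == "__main__":
    # Constructed announcements as seen by AS65002 (prefixes are documentation ranges).
    seen = [
        ("203.0.113.0/24", [65001, 65100]),          # via peer: legitimate
        ("198.51.100.0/24", [65010, 65010, 65001, 65100]),  # via customer: leaked
    ]
    for prefix, path in seen:
        print(prefix, *check_announcement(path, 65002))
```

A provider's ingress filter would drop the second announcement instead of re-announcing it, which is the "procedure to prevent other networks from echoing faulty routes" the item refers to.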
--Darkode Indictment
(June 7, 2019)
Four people have been indicted on charges of racketeering conspiracy and conspiracy to commit wire fraud and bank fraud related to their involvement in the Darkode hacking forum. Europol and the FBI shut down Darkode in 2015.
Read more in:
GovInfoSecurity: Feds Charge Four in New Darkode Case
https://www.govinfosecurity.com/feds-charge-four-in-new-darkode-case-a-12588
SC Magazine: Court unseals indictment against alleged Darkode hacking forum members
Justice: Four International Hacking Suspects Charged with Racketeering
https://www.justice.gov/usao-dc/pr/four-international-hacking-suspects-charged-racketeering
--Correction: NSA Advice About BlueKeep Flaw
(June 10, 2019)
In the last issue of NewsBites (21.045, Friday, June 7) there was a typo in the "NSA Urges BlueKeep Patching" story summary. The summary should read that "to increase resilience against this threat while large networks patch and upgrade," organizations can block TCP Port 3389 at firewalls, enable network level authentication, and disable desktop services if they are not necessary.
NSA: NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows (PDF)
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Keep An Eye On Your WMI Logs
https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Your+WMI+Logs/25012/
Interesting JavaScript Obfuscation Example
https://isc.sans.edu/forums/diary/Interesting+JavaScript+Obfuscation+Example/25020/
Sysmon DNS Query Logging
https://isc.sans.edu/forums/diary/Tip+Sysmon+Will+Log+DNS+Queries/25016/
European Mobile Operator Traffic Leaked to China
Komodo Agama Vulnerability and Breach
https://komodoplatform.com/update-agama-vulnerability/
Lessons Learned From Microsoft SOC
Spam Taking Advantage of DNS over HTTPS
https://myonlinesecurity.co.uk/it-looks-like-another-dns-compromise-hack-happening/
VLC Update Patches Various Security Flaws
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create