SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #5
January 18, 2019WEF: Data Breaches and Cyber Attacks in Top Five Global Risks; South Korea Weapons Servers Breached; Women in CyberSecurity: Starting Early in the U.S. and U.K.
****************************************************************************
SANS NewsBites Jan. 18, 2018 Vol. 21, Num. 005
****************************************************************************
TOP OF THE NEWS
World Economic Forum Report: Data Breaches and Cyber Attacks in Global Risks List Top Five
South Korea Says Weapons Servers Breached
Women in CyberSecurity, Starting Early: U.S. and U.K. Launch Programs to Identify Young Women With Aptitude for Success
REST OF THE WEEKS NEWS
Cyber Thieves Targeting West African Banks
Oklahoma Government Server Exposed Sensitive Data
US Authorities Gained Cooperation of Drug Kingpins IT Specialist
Oracle Quarterly Update
DOJ Reportedly Investigating Huawei for Alleged Theft of Trade Secrets
DOJ Charges Two in Connection with Securities and Exchange Commission EDGAR Hack
Louisiana Introduces Digital Drivers Licenses
Clarification: Shutdown Affecting Government Web Security Certificate Renewal
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad, ASUS Chromebook, or Take $250 Off with OnDemand or vLive. Offer Ends January 23.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By ObserveIT ************************************
This talk will explain how to better protect your organization by differentiating between types of insider threats. Learn how to detect and respond appropriately to both accidental and intentional insider threats, right in the ObserveIT platform. You'll learn how to decrease your risk of data exfiltration while building a stronger workplace culture around security. Register: http://www.sans.org/info/209890
*****************************************************************************
TOP OF THE NEWS
--World Economic Forum Report: Data Breaches and Cyber Attacks in Global Risks List Top Five
(January 16, 2019)
The World Economic Forums (WEFs) Global Risks Report 2019 places large-scale cyber attacks and mass incidents of data theft at the top of the list of global risks, alongside natural disasters and climate change. The report notes the risk that cyberattacks pose to critical infrastructure, and well as rising concerns about identity theft and the erosion of privacy.
Read more in:
ZDNet: Data breaches, cyberattacks are top global risks alongside natural disasters and climate change
WEForum: The Global Risks Report 2019
https://www.weforum.org/reports/the-global-risks-report-2019
WEForum: The Global Risks Report 2019 14th Edition
http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf
--South Korea Says Weapons Servers Breached
(January 16 & 17, 2019)
South Koreas Ministry of National Defense says that computer systems that hold information about the countrys military weapons and munitions acquisitions has been breached. The attackers attempted to gain access to 30 Defense Acquisition Program Administration (DAPA) servers; they managed to breach 10. The initial intrusion occurred on October 4, 2018; their presence was detected on October 26.
[Editor Comments]
[Paller] A canary in the coal mine story. The first Commander of the Navys 10th Fleet (Cyber Command, ADM Bernie McCullough) told a group convened by the Center for Strategic and International Studies that though the U.S. dominates in kinetic weapons, the other side is outspending the U.S. 4 to 1 in attacking the command and control systems that determine whether commanders can trust their weapons to shoot where they are aimed.
[Neely] The attack effectively disabled DAPAs DLP solution, allowing documents to be exfiltrated. The activity was detected almost three weeks later, indicating increased detection and response capabilities may be an appropriate mitigation for this failure.
Read more in:
The Register: South Korea says mystery hackers cracked advanced weapons servers
https://www.theregister.co.uk/2019/01/17/south_korea_defense_ministryt_hacked/
ZDNet: Hackers breach and steal data from South Korea's Defense Ministry
https://www.zdnet.com/article/hackers-breach-and-steal-data-from-south-koreas-defense-ministry/
--Women in CyberSecurity, Starting Early: U.S. and U.K. Announce Programs To Identify Young Women With Aptitude for Success
(January 16 & 17, 2019)
The 2019 Girls Go CyberStart program for high school girls will open registration in mid-February in 26 U.S. states and they will start to play in early Marchentirely online. In 2018 CyberStart for Girls enrolled 6,500 young women in 16 states. In the UK CyberFirst Girls registration closes on Monday January 21 for girls aged 12 and 13. The UK program begins with an online round in late January and culminates in an in-person, grand final competition in late March. In the US girls who do well on the initial round win access to the complete CyberStart Game for the rest of the school year for both girls and boys in their school, as well as $150,000 in prizes for them and their schools.
[Editor Comments]
[Paller] Two of the best intrusion detection analysts I have ever seen are named Vickie and Judy. Both were forced to overcome high gender-related barriers to be accepted in the field. Programs like Girls Go CyberStart and CyberFirst Girls are necessary to remove those barriers.
[Pescatore] SANS has been very active in working to encourage women and minorities to enter the cybersecurity field and I had a reporter ask me: beyond the societal goodness, what is the actual benefit to corporate security programs? I told him that in my years of working experience, many (probably most) of the worst business and security decisions Ive seen can be traced to group-thinka lack of diverse viewpoints and experiences resulting in not even considering better strategies and actions.
Read more in:
US Programs:
NBC: Jobs in cybersecurity are exploding. Why aren't women in the picture?
SANS: 2018 Girls Go CyberStart results and notes to governors
https://www.sans.org/CyberStartUS/girls-go-cyberstart-feedback
UK Programs:
Cyberfirst: CyberFirst nurturing young talent
https://www.cyberfirst.ncsc.gov.uk/
NCSC: Girls urged to join the tide of young people pursuing GCHQ cyber pipeline path
https://www.ncsc.gov.uk/news/girls-urged-join-tide-young-people-pursuing-gchq-cyber-pipeline-path
BBC: GCHQ sets up all-female cyber-training classes
https://www.bbc.com/news/education-46893352
Reuters: UK intelligence agency launches new mission - to train girls in cyber skills
**************************** SPONSORED LINKS ******************************
1) Don't Miss "Game Changing Defensive Strategies for 2019" with Alissa Torres. Register: http://www.sans.org/info/209895
2) SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended. Learn More: http://www.sans.org/info/209900
3) Learn about common SOC blindspots that adversaries exploit, and how to measure the visibility of your existing SIEM apparatus using free, open source tools. Register: http://www.sans.org/info/209905
*****************************************************************************
REST OF THE WEEKS NEWS
--Cyber Thieves Targeting West African Banks
(January 17, 2019)
Symantec says that cybercriminals have been targeting West African banks since mid-2017. The attackers have been using off-the-shelf malware to establish a persistent presence in the banks systems and to exfiltrate data. The attacks have hit banks in Cameroon, the Democratic Republic of Congo, Ghana, Equatorial Guinea, and Cte d'Ivoire.
Read more in:
SC Magazine: West African banks targeted in multi-wave attack
https://www.scmagazine.com/home/security-news/west-african-banks-targeted-in-multi-wave-attack/
The Hill: Security firm identifies cyberattacks on West African financial groups
Bleeping Computer: Banks in West Africa Hit with Off-The-Shelf Malware, Free Tools
--Oklahoma Government Server Exposed Sensitive Data
(January 16 & 17, 2019)
An inadequately secured server at the Oklahoma Department of Securities (ODS) exposed confidential data, including Social Security numbers, the names and conditions of AIDS patients, and information related to FBI investigations. The server was open, allowing anyone to download data. ODS removed public access to the server the same day that it learned of the problem.
Read more in:
ZDNet: Oklahoma gov data leak exposes FBI investigation records, millions of department files
Statescoop: Oklahoma server exposes information on FBI investigations and AIDS patients
https://statescoop.com/oklahoma-data-exposure-upguard/
UpGuard: Out of Commission: How the Oklahoma Department of Securities Leaked Millions of Files
https://www.upguard.com/breaches/rsync-oklahoma-securities-commission
--US Authorities Gained Cooperation of Drug Kingpins IT Specialist
(January 8 & 16, 2019)
With the help of an IT specialist turned informant, authorities in the US were able to obtain damaging evidence to use in the trial of alleged Mexican drug kingpin Joaqun Guzmn (El Chapo). Christian Rodriguez developed a secure communications product for Guzmn; authorities managed to requite Rodriguezs cooperation and obtain encryption keys that allowed them to listen to Guzmns phone conversations.
Read more in:
NYT: El Chapo Trial: How a Colombian I.T. Guy Helped U.S. Authorities Take Down the Kingpin
https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html
SC Magazine: Feds flip El Chapos IT Consultant to gain drug lords encryption keys
--Oracle Quarterly Update
(January 16, 2019)
Oracle released 284 security fixes in its January 2019 quarterly Critical Patch Update. The patches address issues in Enterprise Manager Products Suite, MySQL, Fusion Middleware products, PeopleSoft and other products.
Read more in:
SC Magazine: Oracle issues 248 patches with new quarterly security update
Oracle: Oracle Critical Patch Update Advisory - January 2019
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
--DOJ Reportedly Investigating Huawei for Alleged Theft of Trade Secrets
(January 16, 2019)
The US Department of Justice (DOJ) is conducting a criminal investigation of Huawei Technologies for allegedly stealing trade secrets from business partners in the US. DOJ is reportedly close to filing an indictment in the case. Last week, Polish authorities arrested a Huawei employee on espionage charges, and in December, the companys chief financial officer (CFO) was arrested in Canada at the behest of US authorities for alleged violation of trade sanctions against Iran. (Please note that this WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore] Cisco sued Huawei back in 2003, claiming theft of intellectual property, and settled in 2004 when Huawei agreed to replace the offending code and documentation. If there is evidence a repeat of this kind of illegal behavior, they should be charged and if found guilty, enterprises should remove them from supplier lists. But, quite often reports of pursuing or investigating never result in actual charges, let alone guilty findings.
Read more in:
Ars Technica: Report: DOJ pursuing criminal charges against Huawei for theft of tech
The Hill: Federal prosecutors investigating Huawei for allegedly stealing trade secrets: report
WSJ: Huawei Targeted in U.S. Criminal Probe for Alleged Theft of Trade Secrets (paywall)
--DOJ Charges Two in Connection with Securities and Exchange Commission EDGAR Hack
(January 15, 2019)
The US Department of Justice (DOJ) has charged two Ukrainian men with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud for their alleged roles in the the 2016 breach of the Securities and Exchange Commissions (SECs) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) financial filing system. The men allegedly sold the information to others who in turn allegedly used the privileged information to conduct financial transactions. In addition, the US Securities and Exchange Commission (SEC) has charged nine people in connection with the scheme.
Read more in:
FCW: SEC charges nine in 2016 EDGAR hack, insider trading scheme
https://fcw.com/articles/2019/01/16/sec-edgar-hack-johnson.aspx
SC Magazine: Ukrainian nationals charged with hacking SEC docs in $4.1 million scam
Ars Technica: Nine defendants charged in SEC hacking scheme that netted $4.1 million
Justice: Two Ukrainian Nationals Indicted in Computer Hacking and Securities Fraud Scheme Targeting U.S. Securities and Exchange Commission
Justice: Indictment
https://www.justice.gov/usao-nj/press-release/file/1124251/download
SEC: Complaint filed in United States District Court District of New Jersey
https://www.sec.gov/litigation/complaints/2019/comp-pr2019-1.pdf
--Louisiana Introduces Digital Drivers Licenses
(January 15, 2019)
Drivers in the US state of Louisiana now have the option of obtaining a digital drivers license, or DDL. Louisianas DLL launched in July 2018. While law enforcement will accept the DDL as a valid identification document, other entities, such as retail stores are not required to accept it. Louisianas DDL is not currently accepted by TSA. Several other US states are in various stages of developing similar systems.
[Editor Comments]
[Murray] The Food Court in Vanderbilt Hall of Grand Central Terminal now has signs that say Cashless. One now gets messages from ones trading partners announcing that paperless is the default. A digital drivers license will be more convenient for drivers and law enforcement officers. It implies electronic access to a database of authorized drivers, wants and warrants, and other information useful to arresting officers.
[Neely] Dont forget to continue to carry a physical ID until adoption is wide-spread and reciprocity is in place. Digital Drivers Licenses are in various stages of development in several states, including Iowa, Idaho, Colorado, Maryland and the District of Columbia, but none has a statewide rollout. The piloted security features explored include remote revocation by the DMV, encryption at rest/transit and biometric authentication to access the license or transmission of that information. As the states are using different solution providers including Gemalto and IDEMIA, interoperation and equivalent protections are going to be key.
[Northcutt] Yup, that tiny sliver of plastic is a burden to carry around. People dont write phone apps from scratch, they use Software Development Kits, (SDKs), and some of these are very intrusive. if my DDL will not work unless location is turned on, that would tell me not to keep this app.
Read more in:
GovTech: Louisiana Enters the Era of the Digital Driver's License
http://www.govtech.com/gov-experience/Louisiana-Enters-the-Era-of-the-Digital-Drivers-License-.html
--Clarification: Shutdown Affecting Government Web Security Certificate Renewal
(January 17, 2019)
In Tuesdays NewsBites, we ran a story about how the partial US government shutdown is affecting agency website security. To clarify a point, the expired certificates are affecting the availability of some web pages, including payment portals and remote access services, at some agencies.
[Editor Comments]
[Neely] Perhaps maintaining these certificates should be part of the core operations performed when operating on a skeleton crew during a shutdown or other crisis.
Read more in:
Washington Post: The shutdown is breaking government websites, one by one
INTERNET STORM CENTER TECH CORNER
Emotet and Other Malspam Campaigns Resume After Holiday Break
https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
Server Hosting Companies Trivially Hacked
https://www.websiteplanet.com/blog/report-popular-hosting-hacked/
Vulnerabilities in Industrial Remote Controls
Oracle Quarterly Critical Patch Update
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Android Malware Uses Motion Detection to Evade Analysis
Magecart Delivered Via Compromised Advertising Sites
MSFT Skype/Team Foundation Server Patches
Premisys Identicard Vulnerabilities
https://www.tenable.com/security/research/tra-2019-01
SCP Client Vulnerabilities
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
ES File Explorer Open Port Vulnerability
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
Twitter for Android Bug
https://help.twitter.com/en/protected-tweets-android
Introduction to WebAuthn/FIDO2
https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285
Ransomware as a Service
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
