SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #60
August 2, 2019DOD Buying Vulnerable IT Products; Cisco to Pay $8.6 Million for Selling Unsecure Surveillance Software
****************************************************************************
SANS NewsBites Aug. 2, 2019 Vol. 21, Num. 060
****************************************************************************
TOP OF THE NEWS
Inspector General: DOD is Buying IT Products With Known Vulnerabilities
Cisco to Pay $8.6 Million for Knowingly Selling Unsecure Surveillance Software
REST OF THE WEEK'S NEWS
North Carolina County Loses $1.7 Million in Business Email Compromise Scam
Alabama School District Cyberattack Delays Opening Day
DHS's CISA Issues Small Aircraft Security Warning
Google Moves Chrome 76 to Stable Channel
$74 Million Premera Breach Settlement Receives Preliminary Approval
Georgia (US) Chooses New Voting Machines
Industry Warning on Skimming and Payment Security
Home Security Camera Vulnerability Lets Hackers Eavesdrop
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019
-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
***************** Sponsored By Forescout Technologies BV *******************
Visibility for Incident Response: A Review of Forescout 8.1. SANS analyst and instructor Don Murdoch will look into Forescout's recently updated IT/OT network device visibility and control platform and dig into the product's capabilities. Tuesday, August 13th at 1 PM ET. Register for this webcast: http://www.sans.org/info/213820
*****************************************************************************
TOP OF THE NEWS
--Inspector General: DOD is Buying IT Products With Known Vulnerabilities
(July 31, 2019)
An audit report from the US Department of Defense (DOD) Office of Inspector General (OIG) found that DOD has been purchasing commercial off-the-shelf (COTS) IT products that contain known vulnerabilities. The products examined in the audit include printers, computers, and cameras. There are currently no policies in place to prevent purchases of additional unsecure products.
[Editor Comments]
[Pescatore] It is ironic to see this IG report reference a 2017 Department of State alert about risk video surveillance technology from Hangzhou Hikvision citing 'cyber espionage from China" but no mention (see news item about Cisco paying $8.6M to settle, below) that vulnerable video surveillance technology was bought from Cisco for years by DoD and other agencies. The report is a bit too focused on "risk = foreign suppliers" but does make good general recommendations that the DoD's effort to make sure equipment and software are tested for vulnerabilities and risk before procurement are fragmented and largely voluntary - and thus ineffective.
[Neely] When implementing multiple mechanisms for procurement, such as the streamlined GPC program used for these purchases, screening for disallowed products needs to remain. Additionally, consider the risks associated with new purchasing options, particularly with items associated with high-risk areas, such as security or systems processing sensitive or proprietary information.
Read more in:
Oversight.gov: (U) Audit of the DoD's Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items (PDF)
https://www.oversight.gov/sites/default/files/oig-reports/DODIG-2019-106.pdf
Fedscoop: DOD continues to buy products it knows have cybersecurity vulnerabilities
https://www.fedscoop.com/defense-department-known-cyber-vulnerabilities-lenovo-lexmark-gopro/
Nextgov: The Pentagon Spent Millions on Vulnerable Chinese Tech in 2018, Watchdog Says
Fifth Domain: Why did the Pentagon spend $32.8M on risky tech?
https://www.fifthdomain.com/dod/2019/07/30/why-did-the-pentagon-spend-328-million-on-risky-tech/
--Cisco to Pay $8.6 Million for Knowingly Selling Unsecure Surveillance Software
(July 31, 2019)
Cisco has agreed to pay US $8.6 million in civil damages to settle claims that it knowingly sold vulnerable video surveillance software to local, state, and federal government agencies. The vulnerability in Cisco's Video Surveillance Manager was first reported to Cisco by James Glenn, who was working at a Cisco partner called NetDesign in 2008. A lawsuit filed in 2011 alleges that Glenn was fired in 2009 for reporting the violations. Cisco did not release fixes until 2013, and in the interim, continued to sell the technology. The Cisco settlement awards James Glenn approximately 1.6 million in damages.
Read more in:
Ars Technica: Cisco pays $8.6 million for selling surveillance system it knew was vulnerable
Threatpost: For $8.6M, Cisco Settles Suit Over Bug-Riddled Video Surveillance Software
https://threatpost.com/cisco-settles-suit-video-surveillance-software/146868/
ZDNet: Cisco to pay $8.6 million for selling vulnerable software to US government
NYT: Cisco to Pay $8.6 Million to Settle Government Claims of Flawed Tech
https://www.nytimes.com/2019/07/31/technology/cisco-tech-flaw-sales.html
**************************** SPONSORED LINKS ******************************
1) Webcast: The Age of Autonomous Breach Protection: Prepare, Confront and Respond to Cyberthreats Across the Entire Environment. Sign up: http://www.sans.org/info/213825
2) SANS would like your input on the effectiveness of your security testing program! Take our quick poll: http://www.sans.org/info/213830
3) Discover why we need to adopt a new approach to security, inside the perimeter. Webcast August 5th at 1 PM ET: http://www.sans.org/info/213835
*****************************************************************************
REST OF THE WEEK'S NEWS
--North Carolina County Loses $1.7 Million in Business Email Compromise Scam
(July 30 & 31, 2019)
Cabarrus County in North Carolina lost US $1.7 million to a social engineering scam. The thieves sent email messages that were manipulated to appear as though they were from the contractors for a new high school the county is building. They sent a request to update the banking account on file, and the school district made a $2.5 million payment to an account at Bank of America. A month later, the actual contractors contacted the county about the missed payment. Bank of America was able to recover about $776,000.
[Editor Comments]
[Pescatore] The US Government's 2017 mandate for agencies to implement SPF/DKIM/DMARC for strong email sender authentication has greatly raised the bar against email spoofing and has driven many defense contractors and other suppliers to follow suit. Adoption at the state and local level is much lower but incidents like these should be used as drivers to prioritize doing so - many organizations are finding it way less complex or disruptive than they thought it would be.
[Neely] Many email solutions support adding a warning for unsafe or external content. Additionally, as John suggests, adding controls such as DMARC, DKIM and SPF will help and don't require a significant IT investment to deploy.
[Murray] Late changes to account numbers or addresses should be confirmed out of band before use. Never have such confirmations been easier or more necessary than now (This is a "Business e-mail fraud," not "compromise." Do not blame the messenger. E-mail is not compromised; it is working as intended. "There is no such corrupting lie as a problem poorly named.")
Read more in:
Statescoop: North Carolina county lost $1.7 million in email scam
https://statescoop.com/north-carolina-cabarrus-county-lost-1-7-million-email-scam/
Cabarrus Magazine: Cabarrus County Government Targeted In Social Engineering Scam
--Alabama School District Cyberattack Delays Opening Day
(July 31, 2019)
The Houston County (Alabama) School District has pushed back the first day of classes from August 1 to August 12 because recovery from an unspecified cyberattack is taking more time than anticipated. All 4,000 district computers need to be reconfigured. The district will operate on a paper-based system until it is back online.
Read more in:
SC Magazine: Cyberattack forces Houston County schools to postpone opening day
--DHS's CISA Issues Small Aircraft Security Warning
(July 30 & 31, 2019)
The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an "insecure implementation of CAN bus networks affecting aircraft." Hackers with physical access to the aircraft could access the Controller Area Network (CAN) bus and manipulate aircraft telemetry. Researchers from Rapid 7 have published a report about the issue.
[Editor Comments]
[Neely] The problem is that most CAN bus devices don't support encryption or authentication, so inappropriate devices can manipulate traffic or devices. The target is smaller, typically personally owned aircraft where there isn't a huge budget to upgrade or replace instrumentation when alternatives become available. The primary mitigation remains physical access controls, which can vary greatly by location. Key is don't allow unknown devices or unauthorized connections to be introduced.
Read more in:
US-CERT: CAN Bus Network Implementation in Avionics
https://www.us-cert.gov/ics/alerts/ics-alert-19-211-01
Rapid7: Investigating CAN Bus Network Integrity in Avionics Systems
https://www.rapid7.com/research/report/investigating-can-bus-network-integrity-in-avionics-systems/
ZDNet: DHS warns about CAN bus vulnerabilities in small aircraft
https://www.zdnet.com/article/dhs-warns-about-can-bus-vulnerabilities-in-small-aircraft/
SC Magazine: DHS warns small aircraft are vulnerable to cyberattacks from those with physical access
Cyberscoop: DHS warns of vulnerability that could be used to alter flight data in small planes
https://www.cyberscoop.com/dhs-aircraft-warning-rapid7-can-bus/
Threatpost: DHS Warning: Small Aircraft are Ripe for Hacking
https://threatpost.com/dhs-warning-small-aircraft-hacking/146795/
--Google Moves Chrome 76 to Stable Channel
(July 30 & 31, 2019)
Google has released Chrome 76 to the stable channel. The newest version of the browser also turns Adobe Flash Player off by default; if users had enabled Flash for a site previously, Chrome will no longer remember. Google plans to completely eliminate support for Flash by the end of 2020. Chrome 76 also eliminates a loophole that allowed websites to detect whether users were browsing in Incognito Mode. Chrome 76 also includes fixes for 43 security issues.
[Editor Comments]
[Neely] For enterprises still dependent on Flash, users will be frustrated re-authorizing Flash content. Expect enabling support for Flash to get increasingly difficult as we move into 2020. If you don't have a clear path to eliminating Flash by the end of 2020, consider a hosted enterprise browser for use with Flash and other sites with insecure plugins, such as Java, which can only access those functions and supporting sites.
Read more in:
Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop_30.html
ZDNet: Google Chrome 76 released for Windows, Mac, and Linux
https://www.zdnet.com/article/google-chrome-76-released-for-windows-mac-and-linux/
Threatpost: Chrome 76 Dumps Default Adobe Flash Player Support
https://threatpost.com/chrome-76-default-adobe-flash/146843/
--$74 Million Premera Breach Settlement Receives Preliminary Approval
(August 1, 2019)
Premera Blue Cross will pay $74 million to settle a consolidated class action lawsuit that was brought following a breach in 2014. The breach affected 11 million people. While at least $10 million will be spent to reimburse affected individuals, the majority of the settlement funds will be spent on security improvements. A federal judge has given the settlement preliminary approval.
[Editor Comments]
[Neely] $42 million is for security improvements, $32 million for reimbursements, legal fees, and notifications. While the settlement for class members without out-of-pocket damages is only $50 (or up to $100 for those who lived in California), a nice option is the two-year credit monitoring option can be delayed up to two years to offset existing credit monitoring expiring in that interval.
Read more in:
GovInfosecurity: Judge Gives Go-Ahead for Settlement of Premera Breach Case
https://www.govinfosecurity.com/judge-gives-go-ahead-for-settlement-premera-breach-case-a-12865
--Georgia (US) Chooses New Voting Machines
(July 29, 2019)
The US state of Georgia has selected a technology vendor to provide its new election systems. Georgia currently uses direct-recording touch screen voting machines that do not create a verifiable paper trail. The new machines still use touchscreens for voting, but they print out a paper ballot that is used for vote tabulation. The new equipment is expected to be deployed in time for use in the March 2020 primary election.
[Editor Comments]
[Neely] It is encouraging to see selection of systems that produce a paper trail; effectively producing a machine-marked paper ballot. Even so, concerns are raised that voters will not confirm that the marked ballot accurately reflects their choices. The tradeoff of a manually marked ballot with potential unreadable markings versus a mechanically marked ballot with possible errors will need to be assessed and the risks documented. The state is partnering with DHS and other election security experts to make sure they have their bases covered.
Read more in:
Statescoop: Georgia buys new voting machines with paper trails
https://statescoop.com/georgia-buys-new-voting-machines-with-paper-trails/
--Industry Warning on Skimming and Payment Security
(August 1, 2019)
The PCI Security Standards Council and the Hospitality ISAC have issued a joint alert warning of the "emerging threat" of skimming malware such as Magecart. The alert describes how the malware works and suggests detection and prevention best practices. The advisory recommends reviewing third-party services and products and "restricting access and permissions of third-party scripts to only trusted sources."
Read more in:
PCI Security Standards: The Threat of Online Skimming to Payment Security (PDF)
https://www.pcisecuritystandards.org/pdfs/PCISSC_Magecart_Bulletin_RHISAC_FINAL.pdf
Infosecurity Magazine: PCI Council & Retail ISAC Issue Magecart Warning
https://www.infosecurity-magazine.com/news/pci-isac-magecart/
Dark Reading: PCI Security Council, Retail ISAC Warn Retailers on Magecart Attacks
--Home Security Camera Vulnerability Lets Hackers Eavesdrop
(July 31, 2019)
A vulnerability in a consumer-grade home security camera could be exploited to remotely eavesdrop on the device's audio without authentication. The issue affects the firmware in the Amcrest IP2M-841B IP camera. The flaw was detected by Tenable researchers, who notified Amcrest of the issue back in May. A firmware update was released the same day that Tenable disclosed the issue.
Read more in:
Amcrest: Type or find your firmware by selecting your product model
https://amcrest.com/firmwaredownloads
Medium: I Always Feel Like Somebody's Watching Listening to Me
ZDNet: IoT home security camera allows hackers to listen in over HTTP
https://www.zdnet.com/article/iot-home-security-camera-allows-hackers-to-listen-in-over-http/
Threatpost: Trivial Bug Turns Home Security Cameras Into Listening Posts
https://threatpost.com/trivial-bug-turns-home-security-cameras-into-listening-posts/146835/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
What Is Listening On Port 9527/TCP?
https://isc.sans.edu/forums/diary/What+is+Listening+On+Port+9527TCP/25194/
Phishing Attack Targeting Financial Sector
Luno Phishing E-Mail and Badly Implemented 2FA
https://isc.sans.edu/forums/diary/Can+You+Spell+2FA+A+Luno+Phish+Example/25186/
Enterprise Software Phoning Home
https://www.extrahop.com/company/press-releases/2019/extrahop-issues-warning-about-phoning-home/
Google Stripping www and https again
https://bugs.chromium.org/p/chromium/issues/detail?id=883038#c114
Google Chrome Update
https://w3c.github.io/webappsec-fetch-metadata/
https://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop_30.html
Bypassing VISA Contactless Limits
https://www.ptsecurity.com/ww-en/about/news/visa-card-vulnerability-can-bypass-contactless-limits/
Cryptomining via GitHub/PasteBin C&C
https://unit42.paloaltonetworks.com/rockein-the-netflow/
Apple Re-Releases 2019-004 Security Update for Sierra/High Sierra
https://support.apple.com/en-us/HT210348
Disabling Server Side Recording of Apple Siri Commands
https://github.com/jankais3r/Siri-NoLoggingPLS
PowerShell Empire Abandoned
https://github.com/EmpireProject/Empire
https://twitter.com/xorrior/status/1156626182978383874
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create