
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #63

August 13, 2019

Blockchain Does Not Ensure Secure Voting; Improving Security for Elections in Wisconsin; More iNSYNQ Ransomware Details




****************************************************************************

SANS NewsBites                Aug. 13, 2019                Vol. 21, Num. 063

****************************************************************************


TOP OF THE NEWS


  Experts: Blockchain Does Not Ensure Secure Voting

  A Plan to Improve Security for Local Election Offices in Wisconsin

  More iNSYNQ Ransomware Attack Details


REST OF THE WEEK'S NEWS

      

  DEF CON Aviation Hacking Village

  DEF CON Panel Discusses Role of Congress in National Cybersecurity

  Australian Cyber Security Centre Issues BlueKeep Warning

  Coinbase Cyberattack Began with Sophisticated Phishing Scheme

  US Government to Establish Anonymous Vulnerability Reporting Portal

  Moody's: Emergency Declaration Improved Recovery from Cyberattack


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get a 10.5" iPad Air with Smart Keyboard, a Surface Go, or Take $300 off through August 21 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************ Sponsored By AWS Marketplace **********************


AWS Education Series: Streamline Detection and Response by Integrating SIEM and SOAR in AWS. SANS, Optiv and AWS speakers will discuss design considerations, needs and capabilities, as well as technical, business and operational requirements for integrating and orchestrating SIEM and SOAR technologies in the AWS cloud. August 14, 2 PM ET. http://www.sans.org/info/213900


*****************************************************************************

TOP OF THE NEWS  

 

--Experts: Blockchain Does Not Ensure Secure Voting

(August 12, 2019)

Thirty-two US states allow some form of online ballot return for some voters, most often members of the military and their families living overseas. A few states have gone further and run pilots of blockchain-based mobile voting. Security experts have warned that blockchain does not solve the hard problems of remote voting. A ledger can make a recorded ballot difficult to alter after the fact, but it cannot tell whether the ballot it received is the one the voter intended: the design assumes the phone casting the vote is free of malware, which is exactly the assumption that cannot be made about consumer devices. Experts have also criticized Voatz, the company that supplied the technology for three blockchain-based mobile voting pilots, for not publishing a "detailed technical description" of its system, and have noted that the technology has not been federally certified.


[Editor Comments]


[Pescatore] Much of the real world is past the point of believing that adding the term "blockchain" implies anything about security. Most state governments are not able to judge the security level of election products, which is why the Help America Vote Act of 2002 established a framework for certification of voting products - there are dozens of systems on the certified list. While certification does not equal security, it should be the minimal requirement for any voting system to be considered.


[Murray] One can appreciate the use of blockchain to protect the recorded ballot from late change. It is harder to imagine how it might be used to ensure that the record correctly reflects the intent of the voter.  


Read more in:

Computerworld: Why blockchain-based voting could threaten democracy

https://www.computerworld.com/article/3430697/why-blockchain-could-be-a-threat-to-democracy.html

cse.sc: What We Don't Know About the Voatz "Blockchain" Internet Voting System*

https://cse.sc.edu/~buell/blockchain-papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf
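To make the distinction in the summary and in Murray's comment concrete, here is an added illustration in Python; it is not code from Voatz or from any of the pilots, whose designs are unpublished. It builds a toy append-only hash chain of ballots. Editing a ballot after it is recorded breaks the chain and is caught, provided the head digest was published somewhere the ledger operator cannot silently rewrite; a ballot swapped by malware on the phone before submission arrives as a perfectly valid block, and no amount of chain verification can tell. The voter identifiers, choices, and the `Ledger` class are all constructed for the example.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    voter_id: str    # hypothetical label; a real system would use a pseudonymous credential
    choice: str
    prev_hash: str

    def digest(self) -> str:
        payload = json.dumps(
            {"index": self.index, "voter_id": self.voter_id,
             "choice": self.choice, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Toy append-only hash chain: every block commits to its predecessor's digest."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, voter_id: str, choice: str) -> Block:
        prev = self.blocks[-1].digest() if self.blocks else GENESIS_HASH
        block = Block(len(self.blocks), voter_id, choice, prev)
        self.blocks.append(block)
        return block

    def head(self) -> str:
        """Digest of the newest block. Publish it, or an edit to the tail block is invisible."""
        return self.blocks[-1].digest() if self.blocks else GENESIS_HASH

    def verify(self, published_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first block whose link is broken, or None if the chain is intact."""
        expected = GENESIS_HASH
        for b in self.blocks:
            if b.prev_hash != expected:
                return b.index
            expected = b.digest()
        if published_head is not None and expected != published_head:
            return len(self.blocks) - 1      # tail was rewritten after the head was published
        return None

    def tally(self) -> Dict[str, int]:
        return dict(Counter(b.choice for b in self.blocks))


def honest_client(ledger: Ledger, voter_id: str, intended: str) -> Block:
    return ledger.append(voter_id, intended)


def compromised_client(ledger: Ledger, voter_id: str, intended: str, attacker_choice: str) -> Block:
    """Malware on the voter's phone swaps the selection before anything is submitted.
    The ledger receives, and then faithfully preserves, the attacker's choice."""
    del intended                      # the real intent never leaves the device
    return ledger.append(voter_id, attacker_choice)


def tamper_recorded_block(ledger: Ledger, index: int, new_choice: str) -> None:
    """Edit a block after it was recorded: the one attack a hash chain does defend against."""
    old = ledger.blocks[index]
    ledger.blocks[index] = Block(old.index, old.voter_id, new_choice, old.prev_hash)


def demo() -> dict:
    ledger = Ledger()
    honest_client(ledger, "v1", "A")
    compromised_client(ledger, "v2", intended="A", attacker_choice="B")
    honest_client(ledger, "v3", "A")
    published = ledger.head()
    out = {
        # All three voters intended "A"; the malware-altered ballot is still a valid block.
        "malware_detected": ledger.verify(published) is not None,
        "tally": ledger.tally(),
    }
    tamper_recorded_block(ledger, 2, "B")          # rewrite the tail block
    out["tail_edit_seen_without_head"] = ledger.verify()
    out["tail_edit_seen_with_head"] = ledger.verify(published)
    tamper_recorded_block(ledger, 0, "B")          # rewrite an interior block
    out["interior_edit_seen_without_head"] = ledger.verify()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tally after the run is two for "A" and one for "B" although every voter chose "A", and `verify()` reports nothing wrong because nothing was changed after recording. The chain does catch the later rewrites, but only catches a rewrite of the newest block when it is checked against a previously published head; a ledger whose only copy sits with the operator gives no such guarantee.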

 
 

--A Plan to Improve Security for Local Election Offices in Wisconsin

(August 12, 2019)

According to a document from the Election Security Lead for the Wisconsin Elections Commission, local clerks across the state are accessing the state's voter registration and election management system from computers running operating systems that are no longer supported or soon will not be, including Windows XP and Windows 7 (Microsoft ends Windows 7 support in January 2020). The document proposes buying loaner computers for small jurisdictions and hiring a new employee to provide technical support to the clerks. Wisconsin administers elections at the municipal level; some villages have fewer than 50 voters, while urban jurisdictions have as many as 300,000.


[Editor Comments]


[Pescatore] The HAVA legislation provided states $380M in 2018 to address voting system security issues and all 50 states have received funds from it. Wisconsin's approach to managing elections at such a low level makes their job much harder.



[Neely] Funding for replacement systems as well as technical resources to help deploy them are two of the big barriers for phasing out old operating systems. Raising the bar on the endpoint by updating to current operating systems and applications should make them more resistant to attack, but attention also needs to be paid to protecting the centralized systems to insulate them from risks of unsecure endpoints.



[Murray] The integrity of the database servers should not rely on the integrity of the clients. That said, providing secure clients is cheap enough.


Read more in:

Statescoop: Hundreds of Wisconsin elections offices use expired operating systems, official says

https://statescoop.com/hundreds-of-wisconsin-elections-offices-use-expired-operating-systems-election-security-official-says/

elections.wi: Election Security- Managed Hardware Proposal

https://elections.wi.gov/sites/electionsuat.wi.gov/files/2019-08/8_13_19%20Commission%20Materials%20Open%20Session.pdf


 

--More iNSYNQ Ransomware Attack Details

(August 9, 2019)

More information has emerged about how the ransomware attack against QuickBooks cloud host iNSYNQ began. The attackers appear to have gained initial access through a phishing email and then spent about a week and a half moving through the network before deploying the ransomware. iNSYNQ took its network offline on July 16. The company did not pay the ransom and is still working to restore customer access to files; during a virtual "town hall" meeting, iNSYNQ's CEO said that access to more than 90 percent of customer files had been restored as of August 2.

 

[Editor Comments]


[Murray] The community continues to be vulnerable to enterprise-wide compromises through the compromise of one user. This is not acceptable. It results in part from flat enterprise networks. While I prefer end-2-end application layer encryption, at a minimum, desktops doing e-mail and browsing should be on a network segment isolated from infrastructure and mission critical applications.


Read more in:

KrebsOnSecurity: iNSYNQ Ransom Attack Began With Phishing Email

https://krebsonsecurity.com/2019/08/insynq-ransom-attack-began-with-phishing-email/


****************************  SPONSORED LINKS  ******************************


1) Download The SIEM Buyer's Guide for 2020 to learn the ROI benefits of adopting a modern SIEM solution. http://www.sans.org/info/213905


2) Webcast August 20 at 1 PM ET: Focus on People, Process, and Technology to Take Your SOC to the Next Level. Register: http://www.sans.org/info/213910


3) ICYMI Webcast: Learn how a well architected DNS, DHCP and IPAM can power SOAR platforms to enhance and improve incident response: http://www.sans.org/info/213915


*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--DEF CON Aviation Hacking Village

(August 12, 2019)

For the first time, DEF CON hosted an aviation hacking village, modeled on the Voting Village that has been part of the conference since 2017. The US Air Force (USAF) was present, scouting for aviation-focused cybersecurity talent.


[Editor Comments]


[Neely] What is needed is not only people (hunters) with the skills to find weaknesses in systems, but also those with the needed skills to secure them, which may not be the same people. Additionally, when considering weaknesses in aviation systems, consideration has to be given to the degree of redundancy and the pilot's ability to make decisions from multiple sources and override erroneous input.


Read more in:

Cyberscoop: At DEF CON's aviation village, the military is interested in more than just the hacks

https://www.cyberscoop.com/pentagon-recruiting-def-con-aviation-hacking/

The Register: US military swoops into DEF CON seeking a few good hackers for debut aviation pwning village

https://www.theregister.co.uk/2019/08/12/defcon_aviation_village/

aviationvillage: Aviation Village: Our Values, Goals and Scope

https://aviationvillage.org/our-values-goals-and-scope/

 

--DEF CON Panel Discusses Role of Congress in National Cybersecurity

(August 12, 2019)

Speaking on a panel at DEF CON last week, US Representative Ted Lieu (D-California) told the audience that the US is not prepared to handle a cyberattack that targets multiple sectors. Lieu also said that "a single point of contact," rather than having cybersecurity responsibilities spread out over different agencies and bureaus, "would make things easier" when responding to a cyberattack.


Read more in:

The Register: US still 'not prepared' in event of a serious cyber attack and Congress can't help if it happens

https://www.theregister.co.uk/2019/08/12/defcon_politicians_hackers/

Dark Reading: Security Pros, Congress Reps Talk National Cybersecurity at DEF CON

https://www.darkreading.com/endpoint/security-pros-congress-reps-talk-national-cybersecurity-at-def-con/d/d-id/1335497

 
 

--Australian Cyber Security Centre Issues BlueKeep Warning

(August 12, 2019)

The Australian Cyber Security Centre (ACSC) is urging organizations running older versions of Microsoft Windows to apply the patch for BlueKeep (CVE-2019-0708), a pre-authentication remote code execution flaw in Remote Desktop Services that requires no user interaction and is therefore wormable. It affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003, for which Microsoft took the unusual step of issuing fixes. An exploit for the flaw has been disclosed to Metasploit. The head of the ACSC believes as many as 50,000 organizations, including some government agencies and critical infrastructure operators, are still running vulnerable, unpatched versions of Windows.


[Editor Comments]


[Neely] Key here is that there is now a disclosed exploit for BlueKeep. Previously, reports of reverse engineering the Microsoft patch included keeping the needed exploit under wraps. The mitigation remains to apply the patch, which may require a reboot, and to remove internet-accessible RDP where not essential.


Read more in:

ZDNet: ASD releases warning of BlueKeep vulnerability

https://www.zdnet.com/article/asd-releases-warning-of-bluekeep-vulnerability/
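Neely's "remove internet-accessible RDP" has a quick check attached. The Python script below is an added example, not part of the ACSC advisory or of any Microsoft tooling. It sends an X.224 Connection Request that offers only standard RDP security and TLS, deliberately omitting CredSSP (Network Level Authentication). A server that enforces NLA refuses with RDP_NEG_FAILURE code HYBRID_REQUIRED_BY_SERVER; a server that answers with RDP_NEG_RSP, or with a bare Connection Confirm, will start a session before any authentication and so exposes the pre-authentication code path BlueKeep abuses. Message layouts follow MS-RDPBCGR; the sample replies at the bottom are constructed, not captures, so the parser can be exercised offline. This tells you about exposure, not patch status: Microsoft's advisory notes that NLA is only a partial mitigation, since an attacker holding valid credentials can still reach the flaw, so the patch is still required.

```python
import socket
import struct
from typing import Dict

# Constants from MS-RDPBCGR (RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE).
PROTOCOL_RDP = 0x00000000      # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
X224_CONNECTION_CONFIRM = 0xD0


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, requestedProtocols
    x224 = bytes([0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req    # LI=14, CR-TPDU, DST-REF, SRC-REF, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                 # TPKT: version 3, reserved, total length


def classify_response(resp: bytes) -> str:
    """Map the server's X.224 Connection Confirm to one of:
       'nla_required'  - server refused because CredSSP was not offered (good)
       'no_nla'        - server will start a session without NLA (pre-auth surface exposed)
       'unknown:<why>' - anything else; inspect by hand"""
    if len(resp) < 11 or resp[0] != 3:
        return "unknown:not_tpkt"
    if resp[5] != X224_CONNECTION_CONFIRM:
        return "unknown:tpdu_0x%02x" % resp[5]
    if len(resp) < 19:
        # Bare Connection Confirm with no RDP_NEG_RSP: a legacy server using standard RDP security.
        return "no_nla"
    neg_type, _flags, length, value = struct.unpack_from("<BBHI", resp, 11)
    if length != 8:
        return "unknown:bad_neg_length"
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla_required"
        return "unknown:%s" % FAILURE_NAMES.get(value, "failure_%d" % value)
    if neg_type == TYPE_RDP_NEG_RSP:
        return "no_nla"        # server selected PROTOCOL_RDP or PROTOCOL_SSL, both pre-authentication
    return "unknown:neg_type_%d" % neg_type


def check_rdp_nla(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check: offer RDP|SSL only and see whether the server insists on NLA."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP | PROTOCOL_SSL))
        return classify_response(sock.recv(1024))


# Constructed server replies (not captures) so the parser can be exercised offline.
_CC_HEADER = b"\x03\x00\x00\x13" + bytes([0x0E, X224_CONNECTION_CONFIRM, 0, 0, 0x12, 0x34, 0])
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "nla_enforced": _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER),
    "tls_without_nla": _CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_SSL),
    "legacy_rdp_only": b"\x03\x00\x00\x0b" + bytes([0x06, X224_CONNECTION_CONFIRM, 0, 0, 0x12, 0x34, 0]),
    "not_rdp": b"SSH-2.0-OpenSSH_7.4\r\n",
}


def demo() -> Dict[str, str]:
    return {name: classify_response(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:          # e.g. python rdp_nla_check.py 203.0.113.10
            print(host, check_rdp_nla(host))
    else:
        for name, verdict in demo().items():
            print("%-16s %s" % (name, verdict))
```

Run it against your own externally reachable addresses, from outside the perimeter. Anything that comes back `no_nla` on 3389 is a host that should either be patched and put behind a VPN or gateway, or have RDP closed altogether; `nla_required` hosts still need the patch, but are not reachable by the unauthenticated, wormable path.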

 

--Coinbase Cyberattack Began with Sophisticated Phishing Scheme

(August 8 & 9, 2019)

An incident report posted by Coinbase's CISO discloses that the attack against the cryptocurrency exchange began with a phishing campaign at the end of May. The messages were sent from a legitimate university email account, which let them pass reputation checks and build rapport over several weeks before any malicious content was sent. Some of the later emails contained links to a page that exploited a pair of then-unpatched Firefox vulnerabilities, a JavaScript engine type-confusion bug (CVE-2019-11707) chained with a sandbox escape (CVE-2019-11708), to run code on the targeted employees' machines. Coinbase Security detected and blocked the attack, and Mozilla shipped fixes for both flaws within days of being notified.


Read more in:

Coinbase: Responding to Firefox 0-days in the wild

https://blog.coinbase.com/responding-to-firefox-0-days-in-the-wild-d9c85a57f15b

The Register: Anatomy of an attack: How Coinbase was targeted with emails booby-trapped with Firefox zero-days

https://www.theregister.co.uk/2019/08/09/coinbase_pwned/

 

--US Government to Establish Anonymous Vulnerability Reporting Portal

(August 9, 2019)

The US federal government plans to establish a system that will let people report vulnerabilities securely and anonymously. DEF CON will host the SecureDrop servers for the program. SecureDrop is open source software, designed for whistleblower submissions, that some news organizations use to receive anonymous tips. The vulnerability reports will go to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which will share the information with the affected parties.


[Editor Comments]


[Pescatore] This approach makes sense for encouraging reporting of vulnerabilities found in US Government systems, but not for general reporting of software vulnerabilities or vulnerabilities found in private industry systems. Direct reporting to vendors (or through the managed bug bounty programs many of them have), or reporting to ISACs is already widely done and already works well. Adding another stop along the way will not add any value - where value is measured by reducing the time any vulnerability goes unfixed.


[Neely] This reporting solution aligns with plans to have CISA distribute more threat information to the private sector. It is not clear how this reporting mechanism meshes with existing reporting or bug bounty efforts already in place without introducing delays or reduction in fidelity of the reported flaws.


Read more in:

Cyberscoop: Feds plan to use SecureDrop as a vulnerability reporting portal

https://www.cyberscoop.com/securedrop-dhs-vulnerability-disclosure-def-con/

 

--Moody's: Emergency Declaration Improved Recovery from Cyberattack

(August 8, 2019)

A report from Moody's Investor Service says that when states declare emergencies in the wake of a cyberattack, there is a greater likelihood of recovery. The report looked closely at the state of Louisiana, where the governor declared an emergency in the wake of ransomware attacks against several school districts. The declaration gave the districts access to resources that would not otherwise have been available, including assistance from the Louisiana National Guard, State Police, and the Office of Technology Services.


[Editor Comments]


[Pescatore] This article implies they have only two data points to work from, so I can't see how it could have any meaningful data. A big issue is that by the time a governor can declare an emergency around ransomware (or most cyberattacks, in general) it is already too late to avoid damage. More resources should surely reduce recovery time but imagine if those resources were spent on assuring basic security hygiene *before* the ransomware hit. As far as I can tell, right now only 13 states are working with the National Governors Association to do so. In July NGA announced that Louisiana was one of 7 states that NGA resources will be supplied to "...develop action plans to advance and refine key priorities in cybersecurity." Maybe they will *not* need to declare as many cybersecurity emergencies in the future.


[Neely] Emergency declarations do allow for additional resources which will not be ordinarily available otherwise. Even so, success depends on having an updated cyber response plan for optimal application of those resources as well as identification of which resources are needed and available irrespective of the emergency declaration.


Read more in:

Statescoop: Emergency declarations improve cyberattack recovery, report says

https://statescoop.com/emergency-declaration-louisiana-cyberattacks-improve-recovery-moodys/


*****************************************************************************

INTERNET STORM CENTER TECH CORNER


100% JavaScript Phishing Page

https://isc.sans.edu/forums/diary/100+JavaScript+Phishing+Page/25220/


Malicious DAA Attachments

https://isc.sans.edu/forums/diary/Malicious+DAA+Attachments/25230/


Turning Tesla into Surveillance Platform

https://github.com/tevora-threat/scout


Basic Electron Framework Exploitation

https://www.contextis.com/en/blog/basic-electron-framework-exploitation


SQLite Exploits

https://research.checkpoint.com/select-code_execution-from-using-sqlite/


Vulnerabilities in DSLR Cameras

https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

https://global.canon/en/support/security/d-camera.html


Printer Vulnerabilities

https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Romero

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/?research=Technical+advisories


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create