SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #64
August 16, 2019Cyber Pandemic Would Swamp Cyber First Responders; DOD Contractor Cybersecurity Requirements Generate Confusion
****************************************************************************
SANS NewsBites Aug. 16, 2019 Vol. 21, Num. 064
****************************************************************************
TOP OF THE NEWS
A Cyber Pandemic Would Swamp the Nation's Tight Supply of Cyber First Responders
DOD Contractor Cybersecurity Requirements Generate Confusion
REST OF THE WEEK'S NEWS
Judge Rules No More Paperless Voting in Georgia After 2019
Report: States Making Some Progress in Election Systems Security
UN Investigating North Korean Cyberattacks
Alleged Capital One Data Thief May Have Stolen Info from Other Organizations
Adobe's August Updates
Microsoft Patch Tuesday
Project Zero Discloses Windows Flaw Prior to Patch Release
Right to Repair Panel at DEF CON
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
Cybersecurity Training Update
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get a 10.5" iPad Air with Smart Keyboard, a Surface Go, or Take $300 off through August 21 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*********************** Sponsored By AWS Marketplace ************************
AWS Education Series: Building a Threat Detection Strategy in AWS. In this webcast, SANS Analyst David Szili explains the keys to detecting threats in the AWS cloud and presents a use case to demonstrate best practices. Learn which AWS native tools are most useful for continuous monitoring, detection and event management. August 22, 2 PM ET. http://www.sans.org/info/213940
*****************************************************************************
TOP OF THE NEWS
--A Cyber Pandemic Would Swamp the Nation's Tight Supply of Cyber First Responders
(August 14, 2019)
Speaking at the Virginia Cybersecurity Education Conference, Alan Paller built the case for high school and college educators to join with the 25 state governors who have already personally announced their support in implementing a national program to find and prepare the women and men with elite cyberskills who can counter waves of attacks by cyber criminals and nation states. To prepare for the cyber pandemic that would precede any major military conflict, and to find and recover from the surging wave of criminal attacks, the number of U.S. hunters and tool builders must grow from under 1,000 today to 50-60,000 to protect both commercial and military systems, in a quest not unlike the U.S. effort to develop 100,000 pilots as WW II approached. The Governors' programs, called Cyber Fast Track and Girls Go CyberStart, engaged more than 23,000 students this year and are likely to double that number next year.
Read more in:
Edscoop: Why the United States needs more cybersecurity experts -- badly
https://edscoop.com/us-cybersecurity-workforce-shortage-cyberstart-sans-institute/
The 2019 College program: cyber-fasttrack.org
The 2019 High School Program: girlsgocyberstart.com
First 18 Governors' Announcements:
https://www.sans.org/press/announcement/2019/02/25/1: Eighteen State Governors Launch "The Governors Cyber Skills Program" to Enable Young Women in Their States to Discover Their Innate Talent for Cybersecurity
--DOD Contractor Cybersecurity Requirements Generate Confusion
(August 12, 2019)
Two programs designed to help US defense department contractors understand and comply with cybersecurity requirements have generated more questions than answers for the contractors. Draft guidance from the National Institute of Standards and Technology (NIST), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, elicited more than 600 responses, including questions about cost, applicability, and other issues. DOD's Cybersecurity Maturity Model Certification program has also generated questions about how the third-party audits will work and how maturity levels are determined.
[Editor Comments]
[Pescatore] DoD and NIST have not set that high a bar - but it is good to see that it is high enough to generate complaints from contractors. If you look at breach statistics for 2018 (such as those from the Identity Theft Resource Center) you see that one of the few areas of increase in 2018 was breaches at subcontractors. Taking taxpayer dollars is a pretty good business; the overhead rates that are typically part of those contracts should be able to support basic levels of security hygiene. The key issue is really whether this turns into just another reporting burden or includes active testing/demonstration of higher levels of security.
[Neely] NIST SP 800-171 provides a cross-walk of security controls needed to protect CUI, as well as identifying which 800-53 controls apply to contractor versus federal systems and their priority. SP 800-171B provides added discussion and context to aid in understanding of what controls are designed to address and their origins which plays a large part in determining what to implement and how. What is sometimes missed is that the conversation also needs to include the feasibility of implementing controls versus tailoring them out and officially accepting the risk.
[Murray] We do not lack guidance so much as will.
Read more in:
FCW: Contractors have questions about DOD's cyber requirements
https://fcw.com/articles/2019/08/12/dod-contractor-cyber-johnson.aspx
CSRC: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf
acc.osd: Cybersecurity Maturity Model Certification
https://www.acq.osd.mil/cmmc/index.html
**************************** SPONSORED LINKS ******************************
1) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213945
2) Webcast Focus On People, Process, and Technology to Take Your SOC to the Next Level. August 20 at 1 PM ET: http://www.sans.org/info/213950
3) ICYMI Neighborhood Keeper: A Collaborative Initiative for Our ICS Community. View webcast http://www.sans.org/info/213955
*****************************************************************************
REST OF THE WEEK'S NEWS
--Judge Rules No More Paperless Voting in Georgia After 2019
(August 15, 2019)
A federal judge has ruled that the US state of Georgia must phase out its paperless voting systems before the 2020 primary election. The ruling does not require the state to move to hand marked ballots. The state is now prohibited from conducting elections on the old direct recording electronic (DRE) touchscreen machines it has used for 17 years and the ruling does not allow them to be kept as stopgap measures. The DREs do not generate an auditable paper trail for votes. The ruling allows the state to proceed with its plan to purchase new touchscreen machines that generate a paper ballot to be scanned.
[Editor Comments]
[Pescatore] Nothing is perfectly secure and ATM machines aren't either - but they are good examples of computer entry of data that requires high integrity and a strong audit trail. Which is why ATM machines still include paper receipt printout. Early in the internet age, it was also claimed that ATM machines were not reachable over the internet, too...
[Neely] Sometimes a ruling like this is the justification needed to get resources needed to replace old technology. While the idea of a paper receipt is not new, when these DREs were purchased, it was not required component for electronic voting. While it may feel harsh, prohibiting falling back to old systems is important when they don't meet minimum security requirements or exceed acceptable risk thresholds.
Read more in:
Statescoop: Federal judge bans paperless voting machines in Georgia after 2019
https://statescoop.com/georgia-paper-voting-machines-lawsuit-ruling/
Lawyers Committee: CIVIL ACTION NO. 1:17-CV-2989-AT
https://lawyerscommittee.org/wp-content/uploads/2019/08/GA-Order-8.15.pdf
--Report: States Making Some Progress in Election Systems Security
(August 13 & 14, 2019)
A report from the Brennan Center for Justice examines steps US states have made in replacing outdated systems and in adopting "statistically sound audits," two recommendations made by the Senate Select Committee on Intelligence in its report on Russian interference in US elections. This report looks at progress since 2016 and what remains to be done before the 2020 election. The Brennan Center report says that while some states are replacing paperless direct recording electronic (DRE) voting machines, with systems that generate voter verifiable paper record, as many as 16 million people will still be casting their 2020 votes on machines that do not provide any sort of paper trail. At least 24 states are expected to require post-election audits before certifying 2020 election results. Just two states, Colorado and Rhode Island, require Risk Limiting Audits (RLAs) before election results can be legally certified; other states are piloting RLA programs.
Read more in:
Brennan Center: Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary
MeriTalk: Eight States Will Vote Paperless in 2020 Despite Security Risks
https://www.meritalk.com/articles/eight-states-will-vote-paperless-in-2020-despite-security-risks/
--UN Investigating North Korean Cyberattacks
(August 14, 2019)
The United Nations is investigating at least 35 reported cyberattacks in 17 countries that are believed to be the work of North Korean hackers stealing money for the country's weapons programs. The thefts primarily involve attacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) international financial transaction messaging system; cryptocurrency attacks against exchanges and users; and cryptomining.
[Editor Comments]
Read more in:
Fifth Domain: UN probing 35 North Korean cyberattacks in 17 countries
--Alleged Capital One Data Thief May Have Stolen Info from Other Organizations
(August 13 & 14, 2019)
According to court documents, the woman who allegedly stole personal information belonging to more than 100 million people from Capital One AWS cloud-hosted databases may also have stolen data from as many as 30 other organizations. (Please note that the WSJ story is behind a paywall.)
Read more in:
Regmedia: United States' Memorandum in Support of Motion for Detention (PDF)
https://regmedia.co.uk/2019/08/14/thompsondetentionfiling.pdf
The Register: Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit
https://www.theregister.co.uk/2019/08/14/capitalone_hacker_court/
ZDNet: Capital One hacker took data from more than 30 companies, new court docs reveal
WSJ: Federal Prosecutors Accuse Capital One Hacker of Hitting Dozens More Targets (paywall)
--Adobe's August Updates
(August 13 & 14, 2019)
Adobe has released updates for Acrobat, Reader, Photoshop, and other products. The updates for Adobe Acrobat and Reader address 76 security issues. There are 22 fixes in the Photoshop update.
[Editor Comments]
Read more in:
Adobe: Security bulletin for Adobe Acrobat and Reader | APSB19-41
https://helpx.adobe.com/security/products/acrobat/apsb19-41.html
Adobe: Security updates available for Adobe Photoshop CC | APSB19-44
https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
ZDNet: Adobe security patch update tackles Photoshop, Acrobat, Reader, and more
https://www.zdnet.com/article/adobe-security-patch-update-tackles-photoshop-acrobat-reader-and-more/
Bleeping Computer: Adobe Releases Security Updates for Reader, Photoshop, and More
--Microsoft Patch Tuesday
(August 13, 2019)
Microsoft's Patch Tuesday release for August includes fixes for 93 security issues affecting Windows and other software. Among the vulnerabilities addressed are four remote code execution flaws in Remote Desktop Services; these flaws can be exploited with a maliciously-crafted RDP packet to gain control of vulnerable systems.
[Editor Comments]
[Murray] The number of security fixes continues to go up rather than down. One might be tempted to conclude that the security of the product goes up with the patches. On the other hand, one might conclude that there will be tens more fixes next month and the one after and that the product remains porous and fragile. In any case, the industry strategy of poor quality early with late fixes, transfers the cost of quality to the consumer. There has never been a better example of Philip B. Crosby's maxim, "It is always cheaper to do it right the first time."
Read more in:
KrebsOnSecurity: Patch Tuesday, August 2019 Edition
https://krebsonsecurity.com/2019/08/patch-tuesday-august-2019-edition/
The Register: This summer's hottest sequels: BlueKeep II, III, IV and V - the latest wormable RDP holes in Microsoft Windows
https://www.theregister.co.uk/2019/08/13/windows_rdp_patch_tuesday/
Dark Reading: Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
ZDNet: Microsoft August 2019 Patch Tuesday fixes 93 security bugs
https://www.zdnet.com/article/microsoft-august-2019-patch-tuesday-fixes-93-security-bugs/
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--Project Zero Discloses Windows Flaw Prior to Patch Release
(August 14, 2019)
One of the security issues fixed in Microsoft's Patch Tuesday release for August is a flaw in the CTF subsystem (MSCTF) of the Windows Text Services Framework (MSCTF) that affects all versions of Windows and has been present for two decades. The issue was first detected by Google's Project Zero, which notified Microsoft in May; details of the flaw were released before Microsoft's Patch Tuesday release.
[Editor Comments]
[Neely] Project Zero responsibly disclosed the issue to Microsoft which started their 90 day countdown for public release of the information. That fixed delay is designed to motivate vendors to implement fixes for flaws in a timely fashion rather than ignore them. At this point, as fixes are in the August Microsoft update; follow normal process for deploying the update.
Read more in:
Threatpost: 20-Year-Old Bug in Legacy Microsoft Code Plagues All Windows Users
https://threatpost.com/20-year-old-bug-legacy-microsoft-windows-users/147336/
Bleeping Computer: Windows CTF Flaws Enable Attackers to Fully Compromise Systems
ZDNet: Vulnerability in Microsoft CTF protocol goes back to Windows XP
https://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/
Chromium: Issue 1859: msctf: multiple design flaws in textservices framework
https://bugs.chromium.org/p/project-zero/issues/detail?id=1859
--Right to Repair Panel at DEF CON
(August 11, 2019)
Speakers on a Right to Repair panel at DEF CON encouraged people to support state-level efforts to establish right-to-repair laws. The speakers noted that the restrictions from manufacturers not only make it more difficult to repair equipment, but also impair security research. Laws being drafted in several state legislators are modeled after an automobile right-to-repair law passed by Massachusetts legislators in 2012. Although 20 right-to-repair laws were introduced in state legislatures in 2019, not one has been brought to a floor vote.
Read more in:
Security Ledger: Digital Right to Repair Movement seeks Allies at DEF CON
https://securityledger.com/2019/08/digital-right-to-repair-movement-seeks-allies-at-def-con/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/August+2019+Microsoft+Patch+Tuesday/25236/
Adobe Patches
https://helpx.adobe.com/security.html
MedusaHTTP Malware
https://isc.sans.edu/forums/diary/Recent+example+of+MedusaHTTP+malware/25234/
Analysis of a Spearphishing Maldoc
https://isc.sans.edu/forums/diary/Analysis+of+a+Spearphishing+Maldoc/25242/
Windows Text Services Vulnerabilities
https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html#ftnt2
Cryptominer uses DuckDNS for C&C
https://www.varonis.com/blog/monero-cryptominer/
Intel NUC Vulnerabilities
https://www.intel.com/content/www/us/en/security-center/default.html
HTTP/2 Vulnerabilities
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
IoT Security Stagnation
https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/
Kaspersky Insecurity
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
