SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #65
August 20, 2019Ransomware At 23 Texas Local Government Organizations; Army Cyber Units Lack Adequate Cyber Staff, Training; Cheating on Hacker Exams?
****************************************************************************
SANS NewsBites Aug. 20, 2019 Vol. 21, Num. 065
****************************************************************************
TOP OF THE NEWS
Texas Ransomware Attack Affects 23 Local Government Organizations
Army Cyber Units Lack Adequate Staff, Equipment, Training
Cheating on Hacker Exams?
REST OF THE WEEK'S NEWS
US Gives Companies Another 90 Days to Work With Huawei
Updates Available for Fix Webmin Backdoor
Hacker Ordered to Forfeit $480,000 in Ill-Gotten Gains
US Customs and Border Protection IT Outage Slows Passenger Processing
Appeals Court Allows Privacy Lawsuit Against Facebook to Proceed
ECB Shuts Down Third-Party-Hosted Site After Malware Infection
Proposal Would Limit Lifespan of HTTPS Certificates
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get a 10.5" iPad Air with Smart Keyboard, a Surface Go, or Take $300 off through August 21 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*********************** Sponsored By Splunk ******************************
The SIEM Buyer's Guide for 2020. In 2020, security information event management (SIEM) solutions will be far more than an information platform, expanding to include compliance reporting and logs from firewalls and other devices, as well as User and Entity Behavior Analytics (UEBA) -- now considered an essential capability by Gartner. Download The SIEM Buyer's Guide for 2020 to learn the ROI benefits of adopting a modern SIEM solution. http://www.sans.org/info/213960
*****************************************************************************
TOP OF THE NEWS
--Texas Ransomware Attack Affects 23 Local Government Organizations
(August 16, 18, & 19, 2019)
On Friday, August 16, computer systems at 23 local government organizations in Texas became infected with ransomware. Evidence points to the attacks coming from "one single threat actor," according to the Texas Department of Information Resources (TDIR). Recovery efforts are being supported by both state and federal authorities.
[Editor Comments]
[Pescatore] Local government systems have sort become the "reunion" tours of most forms of malware: first the attackers go after the larger more lucrative targets, who then start to address the vulnerabilities. Then we usually see waves of the same attacks succeeding at smaller firms and then state and local agencies. That points out two things: (1) State and local agencies have staffing, funding and governance obstacles that are not being overcome and (2) State and local agencies don't seem to take advantage of advanced knowledge that those high profile attacks of last year are going to hit them this year.
Read more in:
ZDNet: Over 20 Texas local governments hit in 'coordinated ransomware attack'
Ars Technica: Ransomware strike takes down 23 Texas local government agencies
Statescoop: Widespread ransomware attack reported across Texas
https://statescoop.com/widespread-ransomware-attack-reported-across-texas/
Threatpost: Coordinated Ransomware Attack Hits 23 Texas Government Agencies
https://threatpost.com/coordinated-ransomware-attack-hits-23-texas-government-agencies/147457/
--Army Cyber Units Lack Adequate Staff, Equipment, Training
(August 19, 2019)
According to a report from the Government Accountability Office (GAO), the US Army's cyber units are woefully understaffed. They also lack sufficient equipment and training. The 915th Cyber Warfare Support Battalion and the Intelligence, Cyber, Electronic Warfare and Space (IECWS) unit were established over the last two years, and more units are planned for 2020. GAO recommendations include risk assessments of staffing, equipment, and training at both existing units, and creating risk assessments for new units.
[Editor Comments]
[Murray] Government may be an exception but most security programs that are resource-constrained are so because they have not yet learned to make effective proposals, take "no" for an answer, and regroup. "No" is far more often the answer to inadequate justification than a decision to accept risk. General management needs to learn to put resources where they want the capability to be.
[Paller] Bill Murray's comment highlights one of the great opportunities for rapid improvement of the effectiveness of cybersecurity technical leaders - learning to present cybersecurity requirements in ways that animate and persuade general managers. Fear doesn't work anymore. To give SANS Technology Institute graduate and undergraduate students a career boost by becoming effective presenters of cybersecurity requirements, we built a new course called "Secrets to Successful Cybersecurity Presentations." It covers security briefings from the first one a new employee will give to how to brief boards of directors. It will be ready around the end of the year. We hope to also make it available to all SANS alumni. The companion course, SEC402: Cybersecurity Writing: Hack the Reader, was just released.
https://www.sans.org/course/cyber-security-writing-hack-the-reader
Read more in:
GAO: FUTURE WARFARE: Army Is Preparing for Cyber and Electronic Warfare Threats, but Needs to Fully Assess the Staffing, Equipping, and Training of New Organizations
https://www.gao.gov/assets/710/700940.pdf
Fedscoop: Army's new cyber units come with serious workforce challenges, GAO finds
https://www.fedscoop.com/army-cyber-workforce-challenges-gao-report/
GovInfosecurity: GAO: Army's New Cyber Units Understaffed and Underequipped
https://www.govinfosecurity.com/gao-armys-new-cyber-units-understaffed-underequipped-a-12927
-- Cheating On "Ethical" Hacker Exams?
(August 19, 2019)
A DoD contractor claims he and others got undue help on their ethical hacker exams. In March of 2017, the contractor they worked for, SAIC, allegedly gave them a printout the day before they took the test that contained the same questions and answers as the test. Confirmation came from a second contractor: "The first questions come on the screen, and it is exactly the same as we had in the test bank earlier. "The sequence of the questions were different, but the actual questions and the answers were identical. The options of A,B,C,D were exactly the same. Identical."
Read more in:
Fox 13 News: Investigating cyber-security at U.S. Central Command
http://www.fox13news.com/news/fox-13-investigates/investigating-cyber-security-at-us-central-command
**************************** SPONSORED LINKS ******************************
1) Webcast August 27 at 10:30 AM ET: How to Identify Hidden & Destructive Objects in Your Environment. http://www.sans.org/info/213965
2) What challenges do you face with implementing endpoint security in your organization? Take this survey: http://www.sans.org/info/213970
3) Meet Your New Best Friend: DNS Security. Learn DNS security fundamentals in this upcoming webcast. http://www.sans.org/info/213975
*****************************************************************************
REST OF THE WEEK'S NEWS
--US Gives Companies Another 90 Days to Work With Huawei
(August 19, 2019)
The US has extended the temporary license that allows US companies to sell products to Huawei. At the same time, the US added 46 companies associated with Huawei to an export blacklist. (Please note that the WSJ story is behind a paywall.)
Read more in:
BBC: US delays Huawei trade ban for another 90 days
https://www.bbc.com/news/technology-49391420
WSJ: Trump Administration Delays Ban on Huawei Working With U.S. Firms (paywall)
SC Magazine: U.S. renews temporary license allowing companies to sell to Huawei, adds 45 to blacklist
--Updates Available for Fix Webmin Backdoor
(August 19, 2019)
A backdoor in the Webmin, the open source sysadmin task application for Unix systems, could be exploited to execute commands with root privileges. Webmin maintainers have released updated versions of Webmin (1.930) and the associated Usermin (1.780) to address the issue.
[Murray] It is ironic that the privileged users, those over whom we most need accountability, are those most likely to use shared IDs and passwords, have excessive privileges, and have privileges that we can not successfully withdraw. All enterprises, without exception, should be using Privileged Access Management software, and have a well designed policy for its use.
Read more in:
ZDNet: Backdoor found in Webmin, a popular web-based utility for managing Unix servers
The Register: Dear Planet Earth: Patch Webmin now - zero-day exploit emerges for potential hijack hole in server control panel
https://www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/
--Hacker Ordered to Forfeit $480,000 in Ill-Gotten Gains
(August 19, 2019)
A UK court has sentenced Elliot Gunton to 20 months in prison; he pleaded guilty to several charges, including hacking and money laundering. Gunton has also been ordered to forfeit more than #400,000 (US $485,000) in bitcoin that he received as payment for his hacking services. Gunton has been released as the time he has already served in custody fulfills his prison sentence.
Read more in:
ZDNet: UK hacker-for-hire jailed for role in SIM-swapping attacks, data theft
Infosecurity Magazine: Teenage Hacker-for-Hire Receives Prison Sentence
https://www.infosecurity-magazine.com/news/teenage-hacker-for-hire-receives/
BBC: TalkTalk hacker Elliott Gunton took cryptocurrency for stolen data
https://www.bbc.com/news/uk-england-norfolk-49375156
The Register: Teen TalkTalk hacker ordered to pay #400k after hijacking popular Instagram account
https://www.theregister.co.uk/2019/08/19/elliott_gunton_400k_repay_instagram_hacking_telstra/
---US Customs and Border Protection IT Outage Slows Passenger Processing
(August 16, 2019)
On Friday, August 16th, US Customs and Border Protection (CBP) suffered an IT outage that caused a significant slowdown in the agency's ability to process incoming travelers, including US citizens. While CBP worked on fixing the problem, the agency reverted to manual mechanisms for processing passengers.
[Editor Comments]
[Murray] Face it. If a manual procedure is as fast as the automatic one, it is probably as efficient. While alternatives improve resilience, they do so at some cost, and only by plan. "A plan is not a document that one takes out and reads while sitting in the ashes. It is a capability, the ability to do something in its presence that one cannot do in its absence." --Robert H. Courtney, Jr.
[Neely] Having manual procedures to back-up IT processes when they fail is outstanding. Unfortunately, this manual system doesn't have the same throughput as the automated system. Be sure to understand the impacts on customers when failing to manual mechanisms and investigate having alternate automated systems that could kick in before a full fallback to manual processing.
Read more in:
Washington Post: Customs and Border Protection computer outage leads to slowdown at international airports across the United States
GovTech: U.S. Customs IT Outage Snarls Airports Around the Country
https://www.govtech.com/computing/US-Customs-IT-Outage-Snarls-Airports-Around-the-Country.html
Politico: Customs airports systems reportedly down nationwide
https://www.politico.com/story/2019/08/16/jfk-lax-customs-outage-1466856
--Appeals Court Allows Privacy Lawsuit Against Facebook to Proceed
(August 16, 2019)
A federal appeals court in California has ruled that a class action lawsuit against Facebook may move forward. The lawsuit alleges that Facebook's tagging feature violated an Illinois privacy law. Illinois's Biometric Identity Privacy Act (BIPA) requires all companies operating within Illinois to adhere to a strict set of privacy requirements relating to the use and collection of biometric data, including notification of collection, intended use and retention as well as written permission for that use. The lawsuit alleges that Facebook's tagging feature broke the law with its use of facial recognition technology.
[Editor Comments]
[Neely] This could be a test of the Facebook EULA where they claim rights to all content posted and end-user privacy claims about the content they share. When sharing content through someone else's service (e.g. Facebook, Twitter, LinkedIn, etc.) be aware of the privacy and ownership terms around sharing that data that you've agreed to. As a company, while much focus has been on GDPR privacy concerns of late, don't forget to consider applicable privacy regulations such as BIPA and CDPR.
Read more in:
EPIC: Patel v. Facebook: Federal Appeals Court Says Consumers Can Sue Facebook for Facial Recognition
https://epic.org/amicus/bipa/patel-v-facebook/
EPIC: Opinion
https://epic.org/amicus/bipa/patel-v-facebook/Patel-v-FB-9th-Cir-Opinion.pdf
GovTech: Facebook's Facial Recognition Feature Could Cost It Billions
https://www.govtech.com/social/Facebooks-Facial-Recognition-Feature-Could-Cost-It-Billions.html
--ECB Shuts Down Third-Party-Hosted Site After Malware Infection
(August 15 & 16, 2019)
The European Central Bank (ECB) has shut down one of its websites after it became infected with malware. The attacker also compromised the personal information of about 480 individuals. The affected site is ECB's Banks' Integrated Reporting Dictionary (BIRD) system, which offers members of the EU banking industry information about generating statistical and supervisory reports. The attack appears to date back to December 2018, although it was discovered more recently during regular maintenance.
[Editor Comments]
[Pescatore] Imagine if the headlines said, "Robbers Steal Millions from Bank Vault Installed By Third Party." There are definitely supply chain security complexities, as well as with the use of Software-as-a-Service but third-party hosting of web sites has now been common for more than a decade and the issues for assuring visibility and control of security are pretty straightforward.
[Neely] Third-party security can be very difficult. Irrespective of contractual obligations to maintain minimum levels of security, the data owners have an obligation to verify these controls are in place. In addition to regular reviews of these controls, include discussions with the third-party regarding forwarding event data to your SIEM for increased visibility.
Read more in:
ECB: ECB shuts down compromised BIRD website
https://www.ecb.europa.eu/press/pr/date/2019/html/ecb.pr190815~b1662300c5.en.html
Reuters: ECB shuts down one of its websites after hacker attack
GovInfosecurity: European Central Bank Closes a Website Following Hack
https://www.govinfosecurity.com/european-central-bank-closes-website-following-hack-a-12925
--Proposal Would Limit Lifespan of HTTPS Certificates
(August 15, 2019)
An industry group, the CA/Browser Forum, is considering a proposal that would limit the lifespan of HTTPS certificates to no more than 13 months. The certificates are currently valid for a maximum of 27 months from the date of issue. Shortening the length of time certificates are valid reduces the likelihood that outdated and unsecure encryption algorithms will persist in the Internet ecosystem. Critics of the proposal say that its benefits do not outweigh the hassle of renewing certificates more frequently. If the proposal receives enough votes, it will take effect in March 2020.
[Editor Comments]
[Pescatore] Over the years, SSL certificate lifespans have been shortened from 8 to 3 to 2 years and this same debate has occurred. I don't think there is any data that can show any decrease in actual damage because of shorter lifespans but they do enable shorter transition times when key length increases or other crypto changes are agreed upon. There is also a benefit in forcing organizations to go to yearly cycles of tracking and budgeting for certificates in the same way they do software licenses.
[Neely] If you have automated mechanisms of updating your HTTPS certificates, the lifespan is not a big impact. Most organizations I've interacted with are still manually requesting and installing their certificates and shortened intervals are not appealing. In this case, creating a recurring service ticket assigned to the right group is the best hope for keeping an eye on expiring certificates.
Read more in:
Duo: Proposal to Make HTPPS Certificate Expire Yearly Back on the Table
https://duo.com/decipher/proposal-to-make-https-certificate-expire-yearly-back-on-the-table
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Trend Micro Password Manager DLL Hijacking
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1123396.aspx
Firefox Password Manager May Leak Passwords
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733
Large Number of VoIP System Vulnerabilities Released
https://www.sit.fraunhofer.de/en/cve/
iOS 12.4 Jailbreak Released After Reintroduced Vulnerability from 12.2
https://github.com/pwn20wndstuff/Undecimus/releases
SHA2-Signed Updates for Windows Not Available with Symantec Endpoint Protection
https://support.symantec.com/us/en/article.tech255857.html
Attacking and Downgrading Bluetooth Key Negotiation
Confidential Company Documents Leaked in Public Sandboxes
https://blog.cylab.co/2019/08/16/confidential-company-documents-exposed-in-public-sandboxes/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
