SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #9
February 1, 2019
College Cybersecurity Programs Failing To Meet Employer Needs; Apple Revokes Facebook and Google Developer Certificates; Congress Needs to Consolidate Cybersecurity Oversight
****************************************************************************
SANS NewsBites Feb. 1, 2019 Vol. 21, Num. 009
****************************************************************************
TOP OF THE NEWS
CSIS: College Cybersecurity Programs Failing To Meet Employer Needs
Apple Revokes Facebook and Google Developer Certificates Because They Used Them to Collect User Data
Rep. Langevin: Congress Needs to Consolidate Cybersecurity Oversight
REST OF THE WEEK'S NEWS
Facebook Hires Privacy Policy Managers
Teen Who Discovered FaceTime Flaw Had a Hard Time Reporting it to Apple
Airbus Discloses Data Breach
US Justice Dept. Announces Coordinated Effort to Disrupt North Korean Botnet
International Law Enforcement Effort Dismantles Dark Web Credentials Market and Pursues Webstresser Users
Military Needs to Combine Traditional and Cyber Training
Firefox 65 Updates Tracking Features, Fixes Security Issues
Chrome 72 Has 58 Security Fixes and New Security Features
Google is Testing Typosquatting Protection Feature for Chrome
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Baltimore Spring 2019 | March 2-9 | https://www.sans.org/event/baltimore-spring-2019
-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019
-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive. Offer Ends February 6.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By AlphaSOC, Inc. *******************
Learn about common SOC blindspots that adversaries exploit, and how to measure the visibility of your existing SIEM apparatus using free, open source tools. Also learn about the data processing steps required to flag red teams, state-sponsored adversaries, and emerging threats within their environments using the AlphaSOC Analytics Engine. Register: http://www.sans.org/info/210075
*****************************************************************************
TOP OF THE NEWS
--CSIS Report: College Cybersecurity Programs Failing To Meet Employer Needs
(January 30, 2019)
After previously documenting how the shortage of skilled technical cybersecurity personnel leaves companies vulnerable, the Center for Strategic and International Studies (CSIS) has issued a new report summarizing employers' increasing frustration with collegiate cybersecurity programs, which are often theory-based and do not enable students to develop the hands-on skills employers critically need. The report calls on the NSA to raise the eligibility criteria for CAE-Cyber Defense schools, building on the success of the CAE-Cyber Operations program.
Read more in:
CSIS: The Cybersecurity Workforce Gap
https://csis-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf
--Apple Revokes Facebook and Google Developer Certificates Because They Used Them to Collect User Data
(January 30 & 31, 2019)
Facebook paid adults and teenagers to install a data-collecting iOS "research" app signed with Facebook's enterprise developer certificate, which let the app be installed outside the App Store and so bypass Apple's review and the security checks that come with it. Apple had previously removed the application from the App Store for violating its data-privacy rules. The app had users install a VPN configuration and a Facebook-controlled root certificate, which let Facebook see virtually everything the user did on the device. Apple says that distributing an app to consumers for research violates the terms of its enterprise developer license, which permits only in-house distribution to an organization's own employees, and revoked Facebook's certificate. Because revoking a certificate disables every app signed with it, the companies' legitimate internal iOS apps stopped working as well. Google had used a similar app under its own enterprise certificate to collect user and device data on iOS; Google acknowledged its mistake and disabled the app before Apple revoked that certificate too. Both the Facebook and Google apps remain available on Android.
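As an added example (written for this page, not code from the NewsBites item or from Apple, Facebook or Google), the following Python triage script shows how an administrator can tell whether an iOS app on a managed device was installed under an enterprise (in-house) certificate rather than through the App Store. It reads the app's embedded.mobileprovision, which is a CMS-signed XML plist; the script pulls the plist out of the CMS envelope without verifying the signature and classifies the profile from the standard keys Apple writes into such profiles (ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier, ExpirationDate, Entitlements). The sample profile bytes are constructed here, and the team name and identifier are invented.

```python
import plistlib
from datetime import datetime, timezone

# Added example for this page; not Apple's, Facebook's or Google's code.
PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_profile_plist(profile: bytes) -> dict:
    """Pull the XML plist payload out of a CMS-wrapped .mobileprovision.
    The CMS signature is NOT verified here: good enough for triage, not for trust."""
    start = profile.find(PLIST_START)
    end = profile.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(profile[start:end + len(PLIST_END)])


def classify_profile(profile: bytes, now: datetime = None) -> dict:
    """Classify how an app was distributed from its provisioning profile."""
    now = now or datetime.now(timezone.utc)
    p = extract_profile_plist(profile)
    exp = p["ExpirationDate"]
    if exp.tzinfo is None:                     # plistlib returns naive UTC datetimes
        exp = exp.replace(tzinfo=timezone.utc)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"      # in-house distribution: any device, no App Store review
    elif p.get("ProvisionedDevices"):
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"   # device-limited
    else:
        kind = "app-store"
    return {
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "kind": kind,
        "debuggable": bool(ents.get("get-task-allow")),
        "expired": exp <= now,
        "days_left": (exp - now).days,
    }


def build_sample_profile() -> bytes:
    """Constructed sample: a fake enterprise profile. The filler bytes stand in
    for the CMS/DER envelope; nothing here is signed by Apple, and the team
    name and identifier are invented."""
    plist = plistlib.dumps({
        "Name": "Example In-House Research App",
        "TeamName": "Example Corp",
        "TeamIdentifier": ["ABCDE12345"],
        "ProvisionsAllDevices": True,
        "ExpirationDate": datetime(2019, 12, 31),
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.research",
            "get-task-allow": False,
        },
    })
    der_prefix = b"\x30\x82\x0b\x2a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x82"
    return der_prefix + b"\x00" * 16 + plist + b"\xa0\x82\x05\x00" + b"\x00" * 16


def demo() -> dict:
    """Classify the constructed sample as of 1 Feb 2019 (this issue's date)."""
    as_of = datetime(2019, 2, 1, tzinfo=timezone.utc)
    return classify_profile(build_sample_profile(), now=as_of)


if __name__ == "__main__":
    result = demo()
    print(result)
    if result["kind"] == "enterprise" and not result["expired"]:
        print("Enterprise-signed sideload: this app never passed App Store review.")
```

Against a real device, run classify_profile() on the bytes of the app bundle's embedded.mobileprovision (an MDM export or a backup will contain it). A kind of "enterprise" means the app could be installed on any device and never went through App Store review, which is precisely the distribution path Apple closed by revoking the certificates. Before trusting the team identity, verify the CMS signature separately (on macOS, security cms -D -i embedded.mobileprovision decodes and checks it); the parser above deliberately skips that step.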
[Editor Comments]
[Pescatore] When car manufacturers started competing on whose cars were safer or higher quality, car safety and quality went up. Companies like Microsoft and Apple that get most of their revenue from products and services are competing with Google and Facebook, who primarily get their revenue from targeted advertising. Good to see competitive business moves made in the name of privacy. The holy grail: seeing this same competitive dynamic happen to Internet Service Providers.
[Neely] Kudos to Apple for insisting their privacy standards be followed. With recent increased focus on privacy issues, expect others to also take steps to get their arms around privacy, such as Facebook's actions below. The revoked certificates allowed the app to be deployed directly to user devices rather than via the Apple App Store; such certificates are intended for distribution of enterprise applications within a company. Do not install applications outside of the Apple and Google application stores without a full understanding of what they are and what they do.
Read more in:
Wired: Why Facebook's Banned 'Research' App Was So Invasive
https://www.wired.com/story/facebook-research-app-root-certificate/
The Register: Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data
https://www.theregister.co.uk/2019/01/30/facebook_apple_enterprise_certificate_revocation/
Ars Technica: Apple revokes Facebook's developer certificate over data-snooping app; Google could be next
CNET: Google's data-gathering app may have also violated Apple's policies
https://www.cnet.com/news/googles-data-gathering-app-may-have-also-violated-apples-policies/
ZDNet: Google shuts down iPhone data-gathering app: 'This was a mistake, and we apologize'
The Verge: Apple blocks Google from running its internal iOS apps
--Rep. Langevin: Congress Needs to Consolidate Cybersecurity Oversight
(January 29, 2019)
Speaking at the State of the Net Conference on Tuesday, January 29, US Representative Jim Langevin (D-Rhode Island) said that within the legislature, too many groups have some say over cybersecurity, which bogs down the process of addressing cyberthreats quickly: "We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can't do it under the current construct." Langevin called on Speaker of the House Nancy Pelosi (D-California) to designate a lead committee for cybersecurity, much as committees have been designated to lead on other policy issues, such as health care reform.
[Editor Comments]
[Weatherford] Cyber is sexy, so everyone wants a piece of the action and their name associated with a piece of legislation. There were 348 pieces of legislation at the end of the last Congress with cybersecurity or privacy in the title or text. Those bills came from dozens of different legislators and committees in the House and Senate, and there was so much duplication it was ridiculous. Yes. Congress needs to consolidate cybersecurity oversight.
[Pescatore] Designating a committee is to an actual increase in security as "more steering wheels, less window glass" is to safer car travel.
Read more in:
Nextgov: Lawmaker: Congress Needs Fewer Committees with Cyber Oversight
**************************** SPONSORED LINKS ******************************
1) Attention Decision Makers of Every level: Gain a foothold on the first opportunity to narrow the vendor field. http://www.sans.org/info/210080
2) "Prioritizing Security Operations in the Cloud through the Lens of the NIST Framework" with John Pescatore. Register: http://www.sans.org/info/210085
3) Are your security controls and processes supporting your cloud environments? Take the SANS Cloud Security Survey and enter to win a $400 Amazon gift card.
http://www.sans.org/info/210090
*****************************************************************************
REST OF THE WEEK'S NEWS
--Facebook Hires Privacy Policy Managers
(January 30, 2019)
In an attempt to improve its less than stellar record on privacy, Facebook has hired several people who have been critical of the company's practices. In December, Facebook hired Nathan White, formerly senior legislative manager for Access Now, to be the company's privacy policy manager. Earlier this week, Facebook announced that it has hired lawyers Robyn Greene and Nate Cardozo, formerly senior policy counsel at New America's Open Technology Institute and senior information security counsel at the Electronic Frontier Foundation (EFF), respectively. Cardozo will be the WhatsApp privacy policy manager; Greene will be privacy policy manager for law enforcement and data protection. Facebook has also hired Bijan Madhani as its privacy and public policy manager; Madhani was formerly senior policy counsel at the Computer & Communications Industry Association.
[Editor Comments]
[Pescatore] I have an area of my lawn that gets very little sun and collects lots of moisture. I've tried every recommended way of getting grass to grow there, but the DNA of the soil just constantly rejects even the most expensive topdressing and seed approaches. Facebook's DNA has proven to be very resistant to attempts to get a privacy focus to take root, let alone grow. I just chopped down a number of trees to see if more sunlight will work in my back yard this spring; we will be able to tell very quickly if these three new hires are able to quickly fire up their chain saws at Facebook.
Read more in:
Wired: Facebook Hires Up Three of Its Biggest Privacy Critics
https://www.wired.com/story/facebook-hires-privacy-critics/
Cyberscoop: Facebook beefs up privacy, security staff amid ongoing scrutiny over data collection practices
MeriTalk: Facebook Ramps up Cybersecurity Staff
https://www.meritalk.com/articles/facebook-ramps-up-cybersecurity-staff/
--Teen Who Discovered FaceTime Flaw Had a Hard Time Reporting it to Apple
(January 29, 2019)
The Arizona teenager who discovered the Group FaceTime eavesdropping flaw earlier this month found it difficult to notify Apple. Starting on January 20, he and his mother tried to contact Apple, only to learn that they needed an Apple developer account to report a bug. Apple disabled the Group FaceTime feature on Monday, January 28. (Please note that the WSJ story is behind a paywall.)
UPDATE: On Friday, February 1, 2019, Apple fixed the FaceTime eavesdropping issue on its servers, and will release an iOS update next week to re-enable the feature for users. Apple also issued a statement apologizing for the flaw and thanking the Thompson family for reporting the bug and announced improvements to their bug reporting processes.
[Editor Comments]
[Neely] If you disabled FaceTime, be sure to test the updated iOS before re-enabling it for the enterprise. Expect a companion patch to macOS 10.14 (Mojave), which also supports Group FaceTime.
Read more in:
9to5Mac: Apple says iOS fix for Group FaceTime bug now coming next week, issues apology
Wired: Apple Takes Drastic Measures to Stop a Nasty Facetime Bug
https://www.wired.com/story/apple-facetime-bug-group-chats/
Cyberscoop: Apple disables group chat on FaceTime after discovery of bad bug
https://www.cyberscoop.com/facetime-bug-group-chat-disabled-apple-ios-macos/
WSJ: Teenager and His Mom Tried to Warn Apple of FaceTime Bug (paywall)
https://www.wsj.com/articles/teenager-and-his-mom-tried-to-warn-apple-of-facetime-bug-11548783393
--Airbus Discloses Data Breach
(January 30 & 31, 2019)
Aircraft manufacturer Airbus has disclosed a breach of its commercial aircraft business information systems that resulted in unauthorized access to data. Airbus describes the compromised information as "mostly professional contact and IT identification details of some Airbus employees in Europe."
Read more in:
The Register: Personal data slurped in Airbus hack, but firm's industrial smarts could be what crooks are after
https://www.theregister.co.uk/2019/01/31/airbus_hacked_eurofighter_link/
ZDNet: Airbus data breach impacts employees in Europe
https://www.zdnet.com/article/airbus-data-breach-impacts-employees-in-europe/
Bleeping Computer: Airbus Data Breach Exposes Employee Credentials, Professional Contact Details
Airbus: Airbus Statement on Cyber Incident
https://www.airbus.com/newsroom/press-releases/en/2019/01/airbus-statement-on-cyber-incident.html
--US Justice Dept. Announces Coordinated Effort to Disrupt North Korean Botnet
(January 30 & 31, 2019)
The US Department of Justice (DOJ), the FBI, and the US Air Force Office of Special Investigations (AFOSI) have worked together to map and disrupt the Joanap botnet, which was created and is used by North Korean hackers. A warrant obtained in October 2018 allowed the FBI and AFOSI to operate servers that mimicked peers in the botnet's peer-to-peer network, which let them identify infected machines. They used this information to notify victims in the US that their systems had been infected.
Read more in:
The Register: Team America tries to crash Little Rocket Man's Joanap botnet from within, warns owners of infected boxes
https://www.theregister.co.uk/2019/01/31/north_korea_joanap_botnet_fbi_warrant/
ZDNet: DOJ moves to take down Joanap botnet operated by North Korean state hackers
Ars Technica: FBI, Air Force investigators mapped North Korean botnet to aid shutdown
Justice: Justice Department Announces Court-Authorized Efforts to Map and Disrupt Botnet Used by North Korean Hackers
Justice: Search Warrant (October 18, 2018)
https://www.justice.gov/opa/press-release/file/1125546/download
--International Law Enforcement Effort Dismantles Dark Web Credentials Market and Pursues Webstresser Users
(January 29 & 30, 2019)
An international law enforcement effort involving Europol and agencies in the US, Belgium, Germany, and Ukraine dismantled xDedic, a dark web marketplace that sold account access credentials and personally identifiable information. Seizure orders executed against the xDedic domain names on January 24 sinkholed the operation. Separately, the UK's National Crime Agency (NCA), working with counterpart agencies in 14 countries, is identifying people who used the Webstresser<dot>org DDoS-for-hire service; several hundred individuals are under investigation.
[Editor Comments]
[Murray] The policing of Cyberspace is increasing and becoming more effective. However, it operates late. As with traditional law enforcement, it cannot make the environment safe. It is not a substitute for early and effective security.
Read more in:
Threatpost: Feds Dismantle Dark Web Credentials Market
https://threatpost.com/feds-dark-web-credentials-market/141286/
Bleeping Computer: Police Forces Team Up To Hunt Down Users of DDoS Services
--Military Needs to Combine Traditional and Cyber Training
(January 29, 2019)
In a paper published by the Center for Strategic and Budgetary Assessments (CSBA), non-resident CSBA fellow Jennifer McArdle addresses two questions: "How should U.S. armed forces train its warfighters tactically and operationally for a battlespace saturated by adversary cyber and informationized attacks on U.S. platforms and systems?" and "How should U.S. armed forces train its warfighters to exploit the advantages of the cyber domain for multi-domain operations?" Traditional soldiers are rarely trained alongside cyber specialists, which could leave them inadequately prepared for the complexities of modern battle. McArdle writes, "U.S. warfighters should be trained to fight as an integrated whole in and through an increasingly contested and complex battlespace saturated by adversary cyber and information operations."
[Editor Comments]
[Neely] While it is becoming accepted that cyber-attacks can be as significant as traditional battlefield actions, providing kinetic training grounds to accommodate and combine both traditional and cyber range activities is still an emerging capability. Current battlefield exercises use 3x5 cards to simulate cyber interaction with the scenario. New facilities, such as the Army's Muscatatuck Urban Training Complex in Indiana, provide a full-scale operational cyber component which is integrated with traditional exercises to provide the needed realism and diversity of modern conflict scenarios.
Read more in:
Fifth Domain: Why note cards can't simulate a cyberattack
https://www.fifthdomain.com/dod/2019/01/28/why-note-cards-cant-simulate-a-cyberattack/
CSBA Online: Victory Over and Across Domains: Training for Tomorrow's Battlefields
https://csbaonline.org/uploads/documents/Victory_Over_and_Across_Domains.pdf
--Firefox 65 Updates Tracking Features, Fixes Security Issues
(January 29, 2019)
Mozilla has made Firefox 65 available on its release channel. The newest version of the browser includes enhancements to its tracking protection feature. The content blocking settings are clearer, with standard, strict, and custom setting options. Firefox 65 also includes fixes for seven security issues, including three rated critical: two memory safety vulnerabilities, and one use-after-free flaw.
[Editor Comments]
[Neely] Included in this version is a change to the process manager (about:performance), which now identifies subprocesses by process name and type rather than just PID, making identification of memory and energy use much clearer. The changes to content blocking allow for more fine-grained tracking/cookie rejection as opposed to blocking ads. While the new strict setting provides the most privacy, sites that require tracking cookies may fail, so test fully.
Read more in:
Bleeping Computer: Firefox 65 Released with Updated Content Blocking, MSI Installers, and More
Mozilla: Security vulnerabilities fixed in Firefox 65
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/
--Chrome 72 Has 58 Security Fixes and New Security Features
(January 30, 2019)
Google released Chrome 72 to the stable channel earlier this week with 58 security fixes. The new version also deprecates TLS 1.0 and TLS 1.1 (connections that negotiate them now draw a warning ahead of their removal in a later release), removes support for HTTP-based Public Key Pinning (HPKP), so Public-Key-Pins headers are now ignored, and no longer renders resources served from FTP servers.
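Added example, written for this page and not code from the article or from Google: a small Python parser that reads a TLS ServerHello from a captured record and reports the protocol version the server actually negotiated, so a SOC can find internal servers still negotiating TLS 1.0/1.1 (which Chrome 72 now flags) before users start seeing warnings. It handles the TLS 1.3 case, where the legacy version field still says 1.2 and the real version lives in the supported_versions extension, and includes a helper that spots Public-Key-Pins headers that Chrome 72 now ignores. The record bytes and the header set are constructed, not captured from a real server; the byte layouts follow RFC 5246 and RFC 8446.

```python
import struct

# Added example for this page; not Google's code.
TLS_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
DEPRECATED_IN_CHROME_72 = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
SUPPORTED_VERSIONS_EXT = 0x002B          # RFC 8446 supported_versions
HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server negotiated, given one TLS record
    that carries its ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[:2])   # legacy_version field
    pos = 2 + 32                                   # skip server random
    pos += 1 + hello[pos]                          # length-prefixed session id
    pos += 2 + 1                                   # cipher suite, compression method
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    if pos + 2 <= len(hello):                      # extensions block present
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                # TLS 1.3 keeps legacy_version at 0x0303; the real version is here
                (version,) = struct.unpack("!H", hello[pos:pos + 2])
            pos += elen
    return TLS_VERSIONS.get(version, f"unknown(0x{version:04x})")


def chrome72_tls_status(record: bytes) -> tuple:
    """(negotiated version, True if Chrome 72 treats it as deprecated)."""
    v = negotiated_version(record)
    return v, v in DEPRECATED_IN_CHROME_72


def obsolete_hpkp_headers(headers: dict) -> list:
    """Chrome 72 ignores HPKP; list any Public-Key-Pins headers still being sent."""
    return sorted(h for h in headers
                  if h.lower() in ("public-key-pins", "public-key-pins-report-only"))


def build_server_hello(legacy_version: int, real_version: int = None) -> bytes:
    """Constructed sample (not a capture): a minimal ServerHello in one record.
    If real_version is given, a supported_versions extension is appended, as a
    TLS 1.3 server does."""
    hello = struct.pack("!H", legacy_version)
    hello += bytes(range(32))                                  # server random (constructed)
    hello += b"\x00"                                           # empty session id
    hello += b"\x13\x01" if real_version else b"\xc0\x2f"      # AES-128-GCM suite
    hello += b"\x00"                                           # null compression
    if real_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, real_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(handshake)) + handshake


def demo() -> dict:
    samples = {
        "legacy-tls10": build_server_hello(0x0301),
        "tls12": build_server_hello(0x0303),
        "tls13": build_server_hello(0x0303, real_version=0x0304),
    }
    out = {name: chrome72_tls_status(rec) for name, rec in samples.items()}
    out["hpkp-headers"] = obsolete_hpkp_headers({          # constructed response headers
        "Strict-Transport-Security": "max-age=31536000",
        "Public-Key-Pins": 'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; max-age=5184000',
    })
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Feed negotiated_version() the first server-to-client record of each session from a packet capture (the ServerHello is always the first handshake message the server sends) and alert on anything in DEPRECATED_IN_CHROME_72. The supported_versions handling matters: without it, every TLS 1.3 server is misreported as TLS 1.2. Any web server still emitting Public-Key-Pins should simply drop the header; Chrome no longer honours it and other browsers never did.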
[Editor Comments]
[Neely] The change to rendering FTP servers is part of a larger effort to block third-party applications from injecting code into the browser, improving the overall security of the browser. The updated browser has a setting to show incompatible applications (chrome://settings/incompatibleApplications) as well as offer to remove them. Some of these injection techniques are used by security services to intercept or scan for malware. Test these changes for impact before deploying.
[Murray] One remembers the security claims that were made for Chrome when it was announced; when there was a security choice among browsers. It is now obvious that it will take more than good intentions and frequent patches that fix tens of vulnerabilities to make browsers safe. Isolate browsers from sensitive applications. Lock down the systems on which they run (default access control policy of least privilege). Prefer apps to browsers for sensitive applications. Provide your users with apps for your sensitive applications.
Read more in:
SC Magazine: Google Chrome update contains 58 security fixes
Bleeping Computer: Chrome 72 Released with 58 Security Fixes, Deprecates TLS 1.0 and 1.1
--Google is Testing Typosquatting Protection Feature for Chrome
(January 29 & 30, 2019)
A future version of Chrome will include a feature that helps protect users from typosquatting attacks: malicious URLs crafted to look almost exactly like legitimate ones. The feature, "Navigation suggestions for lookalike URLs," is being tested in Chrome Canary; when a user lands on a domain that closely resembles a known legitimate site, Chrome displays a warning suggesting the site it thinks the user meant. An official ship date has not been announced, but a Google engineer presented the work at the USENIX Enigma conference on January 29.
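Added example of the kind of lookalike check the article describes, written for this page and not Chrome's actual implementation: it combines a confusable-character "skeleton" (so go0gle.com and a Cyrillic-a apple.com collapse to their Latin targets) with an edit distance that counts adjacent transpositions, and compares a candidate host's registrable domain against a short allow-list of known brands. Assumptions: the registrable domain is approximated as the last two labels (no Public Suffix List, so co.uk-style suffixes are not handled), the confusable table is a small subset of the Unicode one, and the brand list and sample hosts are constructed.

```python
import unicodedata

# Added example for this page; not Chrome's implementation.
# Assumed confusable table (a small subset of Unicode TR39): each key is replaced
# by its Latin look-alike before comparison, on both the candidate and the target.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic с х у
}


def skeleton(label: str) -> str:
    """Normalize case and accents, then fold confusable sequences to Latin."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for seq, rep in CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'googel' is 1 away from 'google'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_domain(host: str) -> str:
    """Last two labels, with punycode (xn--) labels decoded to Unicode.
    Assumption: no Public Suffix List, so multi-label suffixes are not handled."""
    labels = []
    for label in host.lower().strip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels[-2:])


def lookalike_of(host: str, known: list) -> str:
    """Return the known domain this host imitates, or None if it is exact or unrelated."""
    cand = registrable_domain(host)
    if cand in known:
        return None
    sk = skeleton(cand)
    for good in known:                        # homoglyph / confusable match
        if skeleton(good) == sk:
            return good
    for good in known:                        # one typo or transposition away
        if len(good.split(".")[0]) >= 5 and osa_distance(cand, good) <= 1:
            return good
    return None


def demo() -> dict:
    known = ["google.com", "apple.com", "facebook.com", "paypal.com"]   # constructed allow-list
    cyrillic_apple = "\u0430pple.com"          # Cyrillic 'а' followed by Latin 'pple'
    samples = {                                # constructed hosts
        "exact": "www.google.com",
        "digit-zero": "go0gle.com",
        "missing-letter": "gogle.com",
        "transposed": "googel.com",
        "cyrillic-punycode": cyrillic_apple.encode("idna").decode("ascii"),
        "digit-one": "paypa1.com",
        "tld-typo": "facebook.co",
        "unrelated": "example.org",
    }
    return {name: lookalike_of(h, known) for name, h in samples.items()}


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:18s} -> {target}")
```

The two checks catch different attacks: the skeleton comparison finds homoglyph and IDN tricks that edit distance misses entirely (a Cyrillic а and a Latin a are one substitution apart but look identical), while the transposition-aware distance finds keyboard typos that share no confusable characters. The minimum target length of five keeps short brand names from generating false positives on every four-letter neighbour; a production deployment would also rank by site popularity, as the article suggests Chrome does.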
Read more in:
ZDNet: Google Chrome to get warnings for 'lookalike URLs'
https://www.zdnet.com/article/google-chrome-to-get-warnings-for-lookalike-urls/
Wired: Google Takes Its First Steps Toward Killing the URL
https://www.wired.com/story/google-chrome-kill-url-first-steps/
INTERNET STORM CENTER TECH CORNER
Phishing Not Ready for IPv6
Apple Disables FaceTime Group Messages
https://www.apple.com/support/systemstatus/
Outlook 365 Safe Link Errors
https://twitter.com/Swiss_Jay/status/1090271197193940992
Chrome Update
https://www.zdnet.com/article/google-chrome-72-removes-hpkp-deprecates-tls-1-0-and-tls-1-1/
Firefox Update
https://techdows.com/2019/01/firefox-to-disable-extensions-in-private-browsing-mode-by-default.html
RCE in Samsung Store via "evilgrade"
https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/
Tracking DNS Changes
https://isc.sans.edu/forums/diary/Tracking+Unexpected+DNS+Changes/24596/
systemd/journald PoC Exploit
https://capsule8.com/blog/exploiting-systemd-journald-part-1/
Windows Defender Boot Issues
https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform
Mac Malware Steals Cryptocurrency Exchange Cookies
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
Facebook (and Google) Research VPN
https://techcrunch.com/2019/01/29/facebook-project-atlas/
https://www.macrumors.com/2019/01/30/google-exploiting-apple-enterprise-certificate/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create