
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #46

June 12, 2018







China Hacked US Navy Contractor


Department of the Interior OIG: Bureau of Reclamation Hydropower Dams Security Risks


Federal Appeals Court Throws Out FTC's LabMD Ruling



Apple Imposes New App Store Cryptomining Restrictions


Senate NDAA Amendments


US Sanctions Over Russia Connections


Business eMail Compromise Arrests


FCC's Net Neutrality Repeal Takes Effect


Foscam Releases Patches For Cameras


Chilean Bank Hit in SWIFT Theft


MIT Frequency Hopping Transmitter Could Help Secure IoT








China Hacked US Navy Contractor

(June 8, 9, & 11, 2018)

Hackers working on behalf of the Chinese government broke into the computer network of a US Navy military contractor and stole 614 GB of sensitive data. The intrusions occurred in January and February of this year. The stolen information includes development plans for a supersonic anti-ship missile.    

Read more in:

Washington Post: China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare


SC Magazine: Chinese gov't hackers snag secret missile plans in Navy contractor breach


ZDNet: China blamed for data theft from US Navy contractor


Fifth Domain: Chinese hackers steal sensitive Navy program data




Department of the Interior OIG: Bureau of Reclamation Hydropower Dams Security Risks

(June 7, 2018)

A report from the Department of the Interior Office of Inspector General (OIG) found that US Bureau of Reclamation (USBR) hydropower dams are at risk from insider threats. USBR uses industrial control systems (ICS) to remotely control operation at two of the dams. DOIOIG made "five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to its industrial control system." The issues raised in the report include the risk of insider threats at hydropower dams; an excessive number of employees with system administrator privileges; failure to remove inactive accounts; and inadequate personnel security practices for personnel who manage the ICS.

[Editor Comments]

[Northcutt] Risk is often calculated considering the likelihood of an adverse event and its severity. We seem to be in a cycle of increasingly intense weather. In terms of impact, a flood of fast-moving water can be very destructive:

http://www.businessinsider.com/dam-safety-statistics-risk-of-death-2017-2: California's dam crisis highlights the surprisingly deadly history of hydroelectric power

[Murray] All enterprise is vulnerable to privileged insiders. We need to increase the use of two-party control over sensitive capabilities and increase the use of software that provides transparency and accountability over the use of privileged controls. It is ironic that accountability for privileged users is weakest where we need it most. "Outsiders damage the brand. Insiders bring down the business."  

[Neely] Historically the strongest control for ICS systems is the lock on the door. While these ICS systems are isolated behind a controlled interface and have controls in place to limit introduction of malware, security practices relating to humans are easily overlooked. Not removing inactive accounts because we don't know what will break or because the person may return is a practice that needs to stop. While not all control systems support multiple accounts, or even separate classes of user accounts, when they do, disable the inactive accounts and after a transition period, delete them.
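The OIG findings above (too many accounts with system administrator privileges, inactive accounts never removed) and the editor's advice to disable inactive accounts and delete them after a transition period describe a routine review that can be scripted. The following is an added example, not code from SANS, the OIG or the Bureau of Reclamation; the account records, the 90-day inactivity threshold, the 30-day transition window and the 10% admin ratio are constructed assumptions for illustration, and a real review would read the records from the ICS or directory in use.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values (not from the OIG report): how long without a login
# makes an account "inactive", how long a disabled account is kept before
# deletion, and what share of enabled accounts may hold admin rights.
INACTIVE_DAYS = 90
TRANSITION_DAYS = 30
MAX_ADMIN_RATIO = 0.10


@dataclass
class Account:
    name: str
    is_admin: bool
    last_login: Optional[date]        # None means the account has never logged in
    disabled_on: Optional[date] = None  # set when the account was disabled


# Constructed sample account list for a hypothetical control-system host.
TODAY = date(2018, 6, 12)
SAMPLE_ACCOUNTS = [
    Account("ops_alice", False, date(2018, 6, 10)),
    Account("ops_bob", True, date(2018, 6, 1)),
    Account("ops_carol", True, date(2018, 1, 15)),           # inactive admin
    Account("contractor_dan", False, None),                   # never logged in
    Account("ops_erin", True, date(2017, 12, 1), disabled_on=date(2018, 4, 1)),   # past transition
    Account("ops_frank", False, date(2018, 5, 20), disabled_on=date(2018, 6, 1)),  # still in transition
    Account("vendor_gina", True, date(2018, 6, 5)),
]


def is_inactive(acct: Account, today: date, threshold: int = INACTIVE_DAYS) -> bool:
    """An account that never logged in, or not within the threshold, is inactive."""
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > threshold


def review(accounts, today: date = TODAY) -> dict:
    """Classify accounts into the actions the review should take and the
    findings worth reporting, without modifying anything."""
    enabled = [a for a in accounts if a.disabled_on is None]
    to_disable = [a.name for a in enabled if is_inactive(a, today)]
    to_delete = [
        a.name for a in accounts
        if a.disabled_on is not None and (today - a.disabled_on).days >= TRANSITION_DAYS
    ]
    admins = [a for a in enabled if a.is_admin]
    inactive_admins = [a.name for a in admins if is_inactive(a, today)]
    admin_ratio = len(admins) / len(enabled) if enabled else 0.0
    return {
        "to_disable": to_disable,
        "to_delete": to_delete,
        "inactive_admins": inactive_admins,   # highest-risk finding: dormant privileged access
        "admin_ratio": round(admin_ratio, 2),
        "excessive_admins": admin_ratio > MAX_ADMIN_RATIO,
    }


def apply_review(accounts, today: date = TODAY):
    """Return the account list after the review actions: inactive enabled
    accounts get a disabled_on date, accounts past the transition are removed."""
    result = review(accounts, today)
    remaining = []
    for a in accounts:
        if a.name in result["to_delete"]:
            continue  # transition period elapsed: delete
        if a.name in result["to_disable"]:
            a = Account(a.name, a.is_admin, a.last_login, disabled_on=today)
        remaining.append(a)
    return remaining


if __name__ == "__main__":
    for key, value in review(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
    print("remaining:", [a.name for a in apply_review(SAMPLE_ACCOUNTS)])
```

Running the review first and applying it in a separate step keeps the output reviewable by a second person before any account is touched, which is the two-party control the Murray comment calls for; the inactive-admin list is reported on its own because a dormant privileged account is the combination the OIG report singles out.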

Read more in:

DOIOIG: U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk from Insider Threats




Federal Appeals Court Throws Out FTC's LabMD Ruling

(June 8, 2018)

A US federal appeals court has thrown out the Federal Trade Commission's (FTC's) ruling requiring LabMD to revamp its security policies and practices, saying that the FTC's order is unenforceable. The FTC filed the complaint against the medical testing company in 2013 following a series of breaches that compromised patient data. LabMD challenged the FTC's ruling in court on the grounds that the agency lacked the authority to regulate how the company handled consumer data. LabMD challenged the order in 2016 by filing a petition for review, and a federal appeals court granted a stay of the FTC's order.


[Editor Comments]

[Pescatore] I recently watched the (excellent) movie RBG, so I may be over-estimating my understanding of legal rulings, but this ruling points to deficiencies in specificity of the FTC cease and desist mandate vs. FTC authority to go after companies that do not protect citizens' data. This seems to be a good example of where an order pointing towards implementing a community-based standard such as the CIS Critical Security Controls in the mandate might have caused the ruling to be in favor of the FTC.

[Hoelzer] This is a really big deal because the agency that does have this authority has been progressively defanged over the last 18 months. The consent order against Dwolla remains an excellent roadmap to avoiding regulatory attention and measuring whether or not the enterprise approach to security is "reasonable and appropriate".

https://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf: Dwolla Consent Order

Read more in:

Health IT Security: Court Dismisses FTC Order on LabMD's Data Security Lapses


Media CA11: Petition for Review of a Decision of the Federal Trade Commission







Apple Imposes New App Store Cryptomining Restrictions

(June 11, 2018)

Apple has banned cryptomining apps from the App Store. The restriction applies to apps that actively mine cryptocurrency; apps that are designed to manage or trade cryptocurrency will still be permitted.

Read more in:

Ars Technica: Apple just banned cryptocurrency mining on iOS devices


Bleeping Computer: Apple Bans Apps That Mine Cryptocurrencies




Senate NDAA Amendments

(June 8 & 11, 2018)

US Senators are adding amendments to the National Defense Authorization Act (NDAA) that failed to pass in the House version of the bill. One of the amendments would require the president to appoint a White House cybersecurity advisor. Another amendment would require the administration to publish a cyber security strategy that includes possible repercussions for adversaries who conduct cyberattacks against US targets.

Read more in:

Nextgov: Lawmakers Take Another Shot at Transforming Trump Cyber Policy


The Hill: Senators introduce election security amendment to defense bill




US Sanctions Over Russia Connections

(June 11, 2018)

The US Department of the Treasury has sanctioned five Russian entities and three Russian individuals for aiding Russia's Federal Security Service (FSB) in conducting cyberattacks against US targets. The attacks listed include NotPetya ransomware, attacks on the US power grid, and compromised routers and other network devices. Some of those sanctioned say the action is unwarranted.  

Read more in:

Treasury: Treasury Sanctions Russian Federal Security Service Enablers


FCW: Treasury hits infosec vendors with Russia-related sanctions


Dark Reading: US Slaps Sanctions on Five Russian Entities, Three Individuals for Cyberattacks


Bleeping Computer: USA Sanctions Russian Entities Over Alleged Ties to Russian FSB




Business eMail Compromise Arrests

(June 11, 2018)

US law enforcement officials have arrested 74 people in connection with business email compromise schemes. The suspects, who were arrested in the US and in several other countries around the world, allegedly stole money through intercepted and hijacked wire transfers.

[Editor Comments]

[Murray] These are not "e-mail compromises" but fraudulent messages. E-mail continues to operate as intended.  

Read more in:

DoJ: 74 Arrested in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes


The Hill: Feds arrest dozens in alleged wire transfer scam


Reuters: FBI says 74 arrested in global sweep targeting email compromise schemes




FCC's Net Neutrality Repeal Takes Effect

(June 11, 2018)

On the same day the US Federal Communications Commission's (FCC's) net neutrality repeal took effect, a law in the state of Washington imposed net neutrality there. Oregon has also passed a net neutrality bill that applies to Internet service providers (ISPs) that provide service to state and local government agencies. Oregon's law takes effect January 1, 2019. Net neutrality legislation is pending in many other states.

[Editor Comments]

[Pescatore] I'd like to see the states that are *not* going to introduce net neutrality laws at the state level instead pass legislation requiring ISPs to filter out known malicious traffic. If an ISP can recognize Netflix traffic and charge more for it, why are they still delivering (and charging for) easily recognizable spam, phishing, denial of service, ransomware and other malicious traffic?

[Neely] Not all states are creating equal legislation; California may surpass Washington with the broadest scope legislation.

Read more in:

Ars Technica: First state net neutrality law took effect today, countering FCC repeal



Foscam Releases Patches for Cameras

(June 11, 2018)

Foscam has released updates for its security cameras to address a trio of vulnerabilities that could be exploited, by an attacker armed with just the device's IP address, to gain root access to the device. Users are urged to upgrade their cameras as soon as possible.

[Editor Comments]

[Murray] "Upgrade" seems very unlikely. A large number of these devices have long since been forgotten.

Read more in:

Threatpost: Foscam Issues Patches for Vulnerabilities In IP Cameras




Chilean Bank Hit in SWIFT Theft

(June 8 & 11, 2018)

A Chilean bank is the latest to be targeted in a theft using the SWIFT international money transfer system. On May 24, Banco de Chile was first hit with a ransomware attack that disrupted operations at the bank. The ransomware attack served as a distraction: while the bank was trying to repair the damage, the thieves made fraudulent wire transfers via the local SWIFT network.

[Editor Comments]

[Honan] We are seeing adversaries use distraction attacks more and more in order to achieve their real goal. This is a timely reminder to review your incident response policies to include processes on how to remain vigilant to other threats when dealing with an active intrusion.

Read more in:

The Register: Hackers target payment transfer system at Chile's biggest bank


Bleeping Computer: Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack


Reuters: Bank of Chile trading down after hackers rob millions in cyberattack




MIT Frequency Hopping Transmitter Could Help Secure IoT

(June 7 & 8, 2018)

Researchers at MIT have developed technology that could be used to help secure Internet of Things (IoT) devices. A frequency-hopping transmitter scatters data packets onto different, random radio frequency channels.   

Read more in:

EurekAlert: Novel transmitter protects wireless devices from hackers


SC Magazine: MIT researchers develop frequency-hopping transmitter that fends off attackers


V3: MIT researchers develop transmitter to prevent hackers from attacking IoT devices




The Seven Properties of Highly Secure Devices


Finding Deserialisation Issues With Burp


FTC Starts Looking Into Cryptojacking


Drupal Disputes Number of Vulnerable Sites




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create