45+ InfoSec Courses at SANS Network Security 2018 in Las Vegas! Save up to $200 thru 8/22.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #57

July 20, 2018






****************************************************************************

SANS NewsBites               July 20, 2018                Vol. 20, Num. 057

****************************************************************************


TOP OF THE NEWS


 

Energy Companies Face New FERC Breach Reporting Requirements

 

House Bill Would Amend Homeland Security Act to Include CDM

 

Dept. of Interior OIG Completes Second Part of Hydroelectric Dam Cybersecurity Investigation


REST OF THE WEEKS NEWS

 

DOJ Digital Task Force Report Includes Plan to Alert Companies and Individuals to Foreign Malicious Cyber Operations

 

Cisco Releases 25 Security Updates

 

Leaky AWS S3 Bucket at Political Robocalling Form

 

Judge Rebukes FBI Agent Over Improper Stingray Use

 

Oracle Critical Patch Update

 

LabCorp Discloses Security Incident in SEC Filing

 

Microsoft Patches Patches


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By A10 Networks **********************


DDoS attackers have evolved by weaponizing IoT devices. However, defenders continue to depend on technologies developed in the 2000s that lack the precision, scalability or automation needed to fight in the current cyber battlefield. Join us on this webinar with John Pescatore and Don Shin, Security Advocate at A10 Networks, to learn the techniques you must incorporate into your security strategy. Register: http://www.sans.org/info/205420


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS London September 2018 | September 17-22  https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9 iPad Pro, Microsoft Surface Pro, or take $350 Off with Any OnDemand or vLive Course, Offer Ends August 1.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS


--

Energy Companies Face New FERC Breach Reporting Requirements

(July 19, 2018)

The Federal Energy Regulatory Commission (FERC) has issued a ruling that directs the North American Electric Reliability Corporation (NERC) to develop expanded rules for cyber incident reporting to require utility companies to report more information about cyberattacks. Utilities will be required to report not only attacks that result in compromise or cause disruption, but also attempted cyberattacks that could pose harm [to the] reliable operation of the nations bulk electric system.


Read more in:

Cyberscoop: Utilities will have stricter cybersecurity reporting requirements under new ruling

https://www.cyberscoop.com/ferc-ruling-stricter-reporting-requirements-electric-utilities/

Reuters: U.S. energy regulator wants more disclosure of cyber attacks

https://www.reuters.com/article/us-cyber-energy-regulator/u-s-energy-regulator-wants-more-disclosure-of-cyber-attacks-idUSKBN1K92OB

FERC: FERC Requires Expanded Cyber Security Incident Reporting

https://www.ferc.gov/media/news-releases/2018/2018-3/07-19-18-E-1.asp#.W1FXFdhKj-Z

 

--

House Bill Would Amend Homeland Security Act to Include CDM

(July 19, 2018)

US Representative John Ratcliffe (R-Texas) has introduced a bill that would make the Department of Homeland Securitys (DHSs) Continuous Diagnostics Mitigation (CDM) program law. The Advancing Cybersecurity Diagnostics and Mitigation Act would amend the Homeland Security Act of 2002 to include CDM. The bill would also require regular improvement of the CDM program to incorporate new modifications and technologies.


[Editor Comments]


[Pescatore] While the stated goals of the proposed bill (improve CDM program management and reduce the insanity around the funding and procurement processes) are badly needed, I cant really think of an example in federal security where a bill ever actually improved the security level of government agencies. There is also a glaring lack in the proposed legislation: there is no mandate for measuring and reporting actual improvements in securityshowing reduced damage, lowering of time to detect/respond/restore, etc.key metrics that every security program needs.


[Neely] While the bill will help with those currently electing to opt-out of CDM, two big challenges are keeping the list of products that meet CDM requirements current, and providing funding, not only for licenses but also for implementation and ongoing-maintenance. Currently funding has been offered for licenses with first year maintenance and integration support needed for reporting into federal dashboards, leaving agencies to find the resources for ongoing maintenance and lifecycle.


[Paller] The principal error being made by some CDM observers (apparently by people who have never successfully made major improvements in security but think they are experts) is in demanding that CDM should simultaneously measure large numbers of controls before deploying system by system daily/weekly improvement in security. All the security improvements from CDM will come about when system administrators make the most important security improvements every day. That can happen only if CDM is monitoring a subset of critical security controls that can be automatically measured very frequently. The subset can grow as agencies make major progress.


Read more in:

Nextgov: Governments Cyber Monitoring Program Would Become Law Under House Bill

https://www.nextgov.com/cybersecurity/2018/07/governments-cyber-monitoring-program-would-become-law-under-house-bill/149877/

SC Magazine: Proposed legislation would empower DHS to modernize Continuous Diagnostics Mitigation cyber program

https://www.scmagazine.com/proposed-legislation-would-empower-dhs-to-modernize-continuous-diagnostics-mitigation-cyber-program/article/782049/

FCW: New CDM bill aims for flexibility, newer tech

https://fcw.com/articles/2018/07/19/cdm-dhs-bill-ratcliffe.aspx?admgarea=TC_Security

Ratcliffe: Advancing Cybersecurity Diagnostics and Mitigation Act

https://ratcliffe.house.gov/sites/ratcliffe.house.gov/files/07-18-18_CDM%20Bill%20Text.pdf



--

Dept. of Interior OIG Completes Second Part of Hydroelectric Dam Cybersecurity Investigation

(July 17, 2018)

The Inspector General for the US Department of the Interior has completed the second part of [its] series to evaluate the U.S. Bureau of Reclamation's (USBR's) practices for protecting critical hydropower dams from emerging cyber threats. The report evaluates potential cybersecurity concerns at five USBR-managed hydroelectric dams. The first part of the report was released in June 2018.


Read more in:

FCW: Dam cyber: Interior IG closes out audit of hydroelectric control systems

https://fcw.com/articles/2018/07/17/dam-cyber-interior-watchdog.aspx

DOIOIG: Evaluation of the U.S. Department of the Interior's Cybersecurity Practices for Protecting Critical Infrastructure

https://www.doioig.gov/sites/doioig.gov/files/Memorandum_DOICyberSecurityPractices_Public.pdf

DOIOIG: U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk From Insider Threats

https://www.doioig.gov/sites/doioig.gov/files/FinalEvaluation_ICSDams_Public.pdf

 

**************************  SPONSORED LINKS  ********************************


1) Don't Miss: "Windows Defender ATPs Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints" with Matt Bromley. Register: http://www.sans.org/info/205425


2) To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? How do you get it? Find Out: http://www.sans.org/info/205430


3) Unisys cybersecurity experts will introduce you to a new software-defined network microsegmentation that enables dynamic perimeters to isolate the critical assets without the cost and complexity of static controls. Register: http://www.sans.org/info/205435


*****************************************************************************


THE REST OF THE WEEKS NEWS


--

DOJ Digital Task Force Report Includes Plan to Alert Companies and Individuals to Foreign Malicious Cyber Operations

(July 19, 2018)

In a speech earlier this week, US Deputy Attorney General Rod Rosenstein told attendees at the Aspen Security Forum in Colorado that the Justice Department (DOJ) plans to alert US companies, private organizations, and individuals when it detects a hacking threat posed by foreign actors. This policy is part of DOJs Cyber Digital Task Force Report, which describes categories of cyberthreats and what DOJ is doing to mitigate them.


Read more in:

The Hill: Rosenstein warns of growing cyber threat from Russia, other foreign actors

http://thehill.com/policy/cybersecurity/397986-rosenstein-warns-of-growing-threat-from-foreign-influence-operations

CNET: US to alert public to foreign operations targeting Americans

https://www.cnet.com/news/us-to-alert-public-to-foreign-operations-targeting-americans/

DOJ: Report of the Attorney Generals Cyber Digital Task Force (download)

https://www.justice.gov/ag/page/file/1076696/download

 

--

Cisco Releases 25 Security Updates

(July 19, 2018)

On July 18, Cisco released 25 security updates to address issues in Cisco Policy Suite, Cisco Nexus 9000 Fabric Switchers, and other product. Four of the flaws in Cisco Policy Suite are rated critical security risks; they affect issues with authentication requirements.


Read more in:

Cisco: Cisco Security Advisories and Alerts

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=100#~Vulnerabilities

Threatpost: Critical Authentication Flaws in Cisco Policy Suite Patched

https://threatpost.com/critical-authentication-flaws-in-cisco-policy-suite-patched/134158/

ZDNet: Cisco patches critical vulnerabilities in Policy Suite

https://www.zdnet.com/article/cisco-patches-critical-flaws-in-policy-suite/

Bleeping Computer: Cisco Removes Undocumented Root Password From Bandwidth Monitoring Software

https://www.bleepingcomputer.com/news/security/cisco-removes-undocumented-root-password-from-bandwidth-monitoring-software/


 

--

Leaky AWS S3 Bucket at Political Robocalling Form

(July 18, 2018)

A misconfigured AWS S3 bucket at a political robocalling company has exposed personal information of hundreds of thousands of US voters. The leaky bucket held voters names, addresses, political party affiliations, birth years, and demographics including ethnicity, education levels, and languages.


[Editor Comments]


[Neely] While AWS has increased awareness of insecure S3 configuration choices when creating new buckets, this data was in a bucket created prior to those changes. As security in the cloud is continuously evolving, regular review and continuous monitoring of security configurations to keep pace with best practices is needed.


Read more in:

The Register: Who's leaving Amazon S3 buckets open online now? Cybercroooks, US election autodialers

http://www.theregister.co.uk/2018/07/18/kromtech_open_buckets/

SC Magazine: Open AWS S3 bucket at political robocall firm exposes 2,600 files

https://www.scmagazine.com/open-aws-s3-bucket-at-political-robocall-firm-exposes-2600-files/article/781735/

ZDNet: Thousands of US voters' data exposed by robocall firm

https://www.zdnet.com/article/us-voter-data-exposed-by-robocall-firm/

Cyberscoop: Hundreds of thousands of voter records exposed on misconfigured server, researcher says

https://www.cyberscoop.com/robocent-voter-records-exposed/

 

-

Judge Rebukes FBI Agent Over Improper Stingray Use

(July 18, 2018)

A federal judge chastised an FBI agent for improper use of a stingray, also known as a cell-site simulator or IMSI catcher, and an improper search of a cellphone. In April 2016, an FBI agent sought and obtained warrants from a county superior court judge in California to search a suspects cellphone and to use a stingray to locate a second suspect. California law does not permit state judges to sign off on warrants for federal agents. Court documents also show that the FBI agent misled the judge about what a stingray does.


Read more in:

Ars Technica: Judge slams FBI for improper cellphone search, stingray use

https://arstechnica.com/tech-policy/2018/07/judge-slams-fbi-for-improper-cellphone-search-stingray-use/

SC Magazine: Federal Judge scolds FBI agent for improper stingray use

https://www.scmagazine.com/federal-judge-scolds-fbi-agent-for-improper-stingray-use/article/781734/

 

--

Oracle Critical Patch Update

(July 18, 2018)

On Wednesday, July 18, Oracle issued a Critical Patch Update that incudes fixes for 334 security issues. Sixty-one of the fixes are rated critical. Overall, 37 percent of the fixes in the July Critical Patch Update are for third-party components.


[Editor Comments]


[Murray] Not to worry: they fixed them all. Testing is complete when the programmer can no longer find any more of his own errors.


Read more in:

Oracle:

Oracle Critical Patch Update

Advisory - July 2018

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

eWeek: Oracle Patches 334 Flaws in July Critical Patch Update

http://www.eweek.com/security/oracle-patches-334-flaws-in-july-critical-patch-update

Threatpost: Oracle Sets All-Time Record with July Critical Patch Update

https://threatpost.com/oracle-sets-all-time-record-with-july-critical-patch-update/134089/

 

--

LabCorp Discloses Security Incident in SEC Filing

(July 17 & 18, 2018)

Medical testing and diagnostics company LabCorp shut down some of its systems after it detected suspicious activity on its network last weekend. LabCorp disclosed the incident in a July 16, 2018 Securities and Exchange Commission (SEC) filing, noting that the company expected to have systems functioning properly within several days. Reports not confirmed by LabCorp suggest that the incident may have compromised data. 


Read more in:

SC Magazine: Suspicious network activity could be symptom of breach at diagnostics firm LabCorp

https://www.scmagazine.com/suspicious-network-activity-could-be-symptom-of-breach-at-diagnostics-firm-labcorp/article/781733/

The Register: Blood test biz LabCorp pulls plug on systems over hacker fears

http://www.theregister.co.uk/2018/07/17/labcorp_security_concern/

PHX: United States Securities and Exchange Commission Form 8-K: Laboratory Corporation of America Holdings

http://phx.corporate-ir.net/phoenix.zhtml?c=84636&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEyMzU2NDM2JkRTRVE9MSZTRVE9MSZTUURFU0M9U0VDVElPTl9QQUdFJmV4cD0mc3Vic2lkPTU3

 

--

Microsoft Patches Patches

(July 17, 2018)

Nearly a week after Patch Tuesday, Microsofts scheduled monthly security update release, the company has issued 27 additional patches for Windows. The new fixes address four flaws introduced in the July Patch Tuesday release.


[Editor Comments]


[Neely] In the modern threat landscape, weve moved to a mindset of continuous patching, and operating systems such as Windows 10 which work to keep themselves continuously patched have increased our reliance on the vendor QA process. Where regression testing is still performed, often there is little time for comprehensive testing. Remember it is still key, particularly for server updates.


Read more in:

Computerworld: Stung by a festering pile of bugs on Patch Tuesday, MS releases 27 more patches

https://www.computerworld.com/article/3290465/microsoft-windows/stung-by-a-festering-pile-of-bugs-on-patch-tuesday-ms-releases-27-more-patches.html


******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Searching for Geographically Improbable Login Attempts

https://isc.sans.edu/forums/diary/Searching+for+Geographically+Improbable+Login+Attempts/23882/


Typo3 CMS Update

https://typo3.org/article/typo3-931-8717-and-7630-security-releases-published/


GitHub Expands Security Scanner to Python

https://blog.github.com/2018-07-12-security-vulnerability-alerts-for-python/


Money Laundering Scheme Exposed by Open Mongo Database

https://kromtech.com/blog/security-center/digital-laundry


Increase in Scans for Port 15454

https://isc.sans.edu/forums/diary/Request+for+Packets+Port+15454/23888/


Oracle Quarterly Critical Patch Update

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html


Venmo Public Transaction API

https://publicbydefault.fyi


Credential Stuffing Responsible for Majority of Login Attempts

http://info.shapesecurity.com/2018-Credential-Spill-Report-by-Shape-Security


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x


Diqee Smart Vacuum Vulnerabilities

http://en.diqee.com/goods/1994.html


Instagram About to Release 2FA Update

https://techcrunch.com/2018/07/17/instagram-2-factor/


Reporting Malicious Websites

https://isc.sans.edu/forums/diary/Reporting+Malicious+Websites+in+2018/23892/    


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create