
Volume XX - Issue #91

November 16, 2018


****************************************************************************


SANS NewsBites              November 16, 2018               Vol. 20, Num. 91


****************************************************************************

 

Top of The News


 

- US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission


- Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research


 

The Rest of the Week's News


 

- November Patch Tuesday


- Firmware Patch Available for D-Link Router Vulnerability


- Siemens Patches Eight Security Issues


- Security Concerns Prompt DOD to Disable Filesharing Service


- US Plum Island Grid Attack Exercise


- Google's Internet Traffic Took an Inadvertent Detour Earlier This Week


- Guilty Plea in Fatal Swatting Case


- Internet Storm Center Tech Corner


- Cybersecurity Training Update


 

Internet Storm Center Tech Corner

 

**************************************************************************** 

 

Cybersecurity Training Update


Cyber Defense Initiative(R) 2018 | Washington, DC | December 11-18


https://www.sans.org/event/cyber-defense-initiative-2018


SANS Security East 2019 | New Orleans, LA | February 2-9


https://www.sans.org/event/security-east-2019

 

SANS San Francisco Fall 2018 | November 26-December 1


https://www.sans.org/event/san-francisco-fall-2018

 

Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11


https://www.sans.org/event/tactical-detection-summit-2018

 

SANS Amsterdam January 2019 | January 14-19


https://www.sans.org/event/amsterdam-jan-2019

 

Cyber Threat Intelligence Summit & Training 2019 | Arlington, VA | January 21-28


https://www.sans.org/event/cyber-threat-intelligence-summit-2019


SANS London February 2019 | February 11-16


https://www.sans.org/event/london-february-2019


SANS Secure Japan 2019 | February 18-March 2


https://www.sans.org/event/secure-japan-2019

 

SANS Secure Singapore 2019 | March 11-23


https://www.sans.org/event/secure-singapore-2019

 

SANS OnDemand and vLive Training


http://www.sans.org/online-security-training/specials/

 

Get the ALL NEW 11" iPad Pro, or a Microsoft Surface Pro, or Take $350 Off with OnDemand and vLive Training. Offer ends December 5.

 

Single Course Training


SANS Mentor http://www.sans.org/mentor/about and Community SANS http://www.sans.org/community/

 

View the full SANS course catalog http://www.sans.org/courses and skills roadmap http://www.sans.org/cyber-security-skills-roadmap

 

**************************************************************************** 

 

Free technical content sponsored by SANS

 

Attend SANS Tactical Detection & Data Analytics Summit | Scottsdale, AZ | Dec 4-5 http://www.sans.org/info/208230

 

Learn firsthand from leading cybersecurity practitioners and top experts as they demonstrate how to leverage high-value log sources, monitoring tools, and sound analysis methods to detect attacks. http://www.sans.org/info/208230

 

**************************************************************************** 

 

Top of the News

 

US NPPD is Now the Cybersecurity and Infrastructure Security Agency and Has an Elevated Mission


(November 14, 2018)


On Monday, November 12, the US House of Representatives agreed to a Senate version of the Cybersecurity and Infrastructure Security Agency Act. The bill, which is expected to be signed into law, will give the National Protection and Programs Directorate a new name: the Cybersecurity and Infrastructure Security Agency (CISA). The bill also elevates CISA's mission, making it an operational component alongside the Transportation Security Administration (TSA) and other agencies; CISA director Christopher Krebs will report directly to the DHS Secretary.

 

[Editor Comments]

 

[Henry] I've long been an advocate of cybersecurity coordination across US government agencies; while there have been successes in prevention and deterrence, there needs to be much more collaboration to enable those responses to scale and move at the speed of the internet. A new agency means much more responsibility and obligation, but that requires authority. If CISA can bring organizations together in a more synchronized fashion and leverage agency authorities, capabilities, and expertise, there will be value. If it becomes another level of bureaucracy, then it becomes more of the same. I hope for the former, and time will tell.

 

Read more in:


- fcw.com: DHS cyber re-org clears Congress


https://fcw.com/articles/2018/11/14/cisa-not-nppd-bill-rockwell.aspx


- www.nextgov.com: Congress Passes Long-Sought Bill to Rename DHS Cyber Agency


https://www.nextgov.com/cybersecurity/2018/11/congress-passes-long-sought-bill-rename-dhs-cyber-agency/152821/


 

Director of MIT Internet Policy Research Initiative Says Australian Assistance and Access Legislation Could Harm Research


(November 16, 2018)


The Australian government is getting more pushback on its proposed Assistance and Access encryption legislation. Daniel Weitzner, director of the Massachusetts Institute of Technology's (MIT's) Internet Policy Research Initiative (IPRI), told Australia's Parliamentary Joint Committee on Intelligence and Security (PJCIS) that if enacted, the legislation could have a chilling effect on research. A written submission from IPRI dated October 11, 2018 says, "As we understand the Bill, there would be substantial penalties for disclosing information about required changes to system design and implementation, whether through technical assistance notices or technical capacity notices. Such penalties would thwart the increasingly vital process of subjecting widely-used software to maximum public scrutiny so that third-party security researchers can have the best chance of discovering vulnerabilities." (IPRI's submission is #32 in the APH link below.)

 

[Editor Comments]

 

[Williams] Discouraging public disclosure of security research simply drives that disclosure underground.

 

Read more in:


- www.theregister.co.uk: MIT to Oz: Crypto-busting laws risk banning security tests


https://www.theregister.co.uk/2018/11/16/oz_cryptobusting_laws/


- www.aph.gov.au: Submissions received by the Committee


https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions


 

**************************************************************************** 

 

Sponsored Links

 

Train in California's renowned wine region SANS Sonoma 2019 (Jan 14-19)! Choose from 4 courses in Core Security Essentials and Security Management. Learn more: http://www.sans.org/info/208235

 

What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card | http://www.sans.org/info/208240

 

Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/208245

 

**************************************************************************** 

 

The Rest of the Week's News

 

November Patch Tuesday


(November 13 & 14, 2018)


On Tuesday, November 13, Microsoft and Adobe released security updates for a variety of products. Microsoft's 16 updates fix more than 60 vulnerabilities in Windows, Edge, Internet Explorer, and other products. Among the vulnerabilities addressed are a zero-day vulnerability affecting Windows 7 and Windows Server 2008 that is being actively exploited, and a flaw in BitLocker that could be exploited to access encrypted information. Adobe released updates for flaws in Flash Player, Acrobat and Reader, and Photoshop CC.

 

Read more in:


- krebsonsecurity.com: Patch Tuesday, November 2018 Edition


https://krebsonsecurity.com/2018/11/patch-tuesday-november-2018-edition/


- www.theregister.co.uk: It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page


https://www.theregister.co.uk/2018/11/14/patch_tuesday_november/


- www.scmagazine.com: Microsoft's Patch Tuesday addresses Zero Day vulnerabilities


https://www.scmagazine.com/home/security-news/microsofts-patch-tuesday-addresses-zero-day-vulnerabilities/


- www.zdnet.com: Microsoft patches Windows zero-day used by multiple cyber-espionage groups


https://www.zdnet.com/article/microsoft-patches-windows-zero-day-used-by-multiple-cyber-espionage-groups/


- helpx.adobe.com: Security updates available for Flash Player | APSB18-39


https://helpx.adobe.com/security/products/flash-player/apsb18-39.html

 

- helpx.adobe.com: Security updates available for Adobe Acrobat and Reader | APSB18-40


https://helpx.adobe.com/security/products/acrobat/apsb18-40.html


- helpx.adobe.com: Security updates available for Adobe Photoshop CC | APSB18-43


https://helpx.adobe.com/security/products/photoshop/apsb18-43.html

 

- portal.msrc.microsoft.com: Security Update Summary


https://portal.msrc.microsoft.com/en-us/security-guidance/summary


 

Firmware Patch Available for D-Link Router Vulnerability


(November 15, 2018)


D-Link has made a firmware update available to address an authentication bypass vulnerability in its DIR-850L wireless router. Researchers at Synopsys write that the issue allows clients to communicate with the router without completing the full WPA handshake; attackers could exploit the flaw to gain unauthenticated access to the router's network, from where they could launch further attacks. Synopsys discovered the problem and notified D-Link in early August. D-Link published the firmware patch on November 6, 2018.

 

[Editor Comments]

 

[Williams] This is not nearly as concerning as some other recently publicized router vulnerabilities. This vulnerability would allow attackers to communicate on the network only using unencrypted packets. These packets should not be processed by other endpoints that have legitimately connected to the router, so the risk is minimal.

 

[Murray] This vulnerability is to the wireless side of these access points, where we do not see systematic attacks, but D-Link routers have been shown to be vulnerable to the wire side where we do see systematic attacks. Those responsible for large numbers of these routers should patch them. Those who use one or two should take this as the occasion to upgrade.

 

Read more in:


- www.scmagazine.com: D-Link router vulnerability detailed


https://www.scmagazine.com/home/security-news/d-link-router-vulnerability-detailed/


- www.synopsys.com: CyRC analysis: CVE-2018-18907 authentication bypass vulnerability in D-Link DIR-850L wireless router


https://www.synopsys.com/blogs/software-security/CVE-2018-18907/


- securityadvisories.dlink.com: DIR-850L ::H/W Revision A :: CVE-2018-18907 - WiFi encryption bypass


https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10097


 

Siemens Patches Eight Security Issues


(November 13 & 14, 2018)


Siemens has released security updates to address eight vulnerabilities in its IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC; Siemens S7-400 CPUs; Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal); SCALANCE S; SIMATIC S7; SIMATIC STEP 7 (TIA Portal); and SIMATIC IT Production Suite. The vulnerabilities include improper access control flaws, improper input validation, code injection, cross-site scripting, resource exhaustion, unprotected storage of credentials, improper authentication, path traversal, and open redirect vulnerabilities. The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released advisories about the flaws (ICSA-18-317-01 through ICSA-18-317-08).

 

Read more in:


- threatpost.com: Siemens Patches Firewall Flaw That Put Operations at Risk


https://threatpost.com/siemens-patches-firewall-flaw-that-put-operations-at-risk/139082/

 

- www.scmagazine.com: ICS-CERT announces updates for several Siemens products


https://www.scmagazine.com/home/security-news/ics-cert-announces-updates-for-several-siemens-products/

 

- ics-cert.us-cert.gov: ICS-CERT Advisories


https://ics-cert.us-cert.gov/advisories


 

Security Concerns Prompt DOD to Disable Filesharing Service


(November 12 & 15, 2018)


The US Department of Defense (DOD) has disabled the Army Aviation and Missile Research Development and Engineering Center Safe Access File Exchange (AMRDEC SAFE), a filesharing service used by army aviation and missile research centers, as a preventative measure after government-internal agencies identified potential security risks. In a message on the AMRDEC SAFE portal, DOD says that it is uncertain whether the site will be reinstated.

 

[Editor Comments]

 

[Williams] There was obviously a need for this capability. It is almost certain that another solution (one not adequately controlled or monitored) will be found by users if the Army doesn't move quickly to replace this capability. Like many platforms in production today, the SAFE tool was never developed to be used as a long-term or widespread file sharing solution. The platform likely saw early success and experienced deployment scope creep without additional security testing.

 

Read more in:


- www.zdnet.com: DOD disables file sharing service due to 'security risks'


https://www.zdnet.com/article/dod-disables-file-sharing-service-due-to-security-risks/


- www.fifthdomain.com: DOD file sharing tool disabled due to vulnerability


https://www.fifthdomain.com/dod/2018/11/12/dod-file-sharing-tool-disabled-due-to-vulnerability/


 

US Plum Island Grid Attack Exercise


(November 14, 2018)


The seven-day power grid cyberattack simulation that took place on Plum Island at the beginning of the month involved a black start: participants had to restart a grid that had been out for weeks, meaning that substation batteries would be drained. Participants worked to restore power to the grid while coming under attack from a red team. The exercise was organized by the Defense Advanced Research Projects Agency (DARPA) and involved more than 100 people. (We covered this story earlier in the week and wanted to provide links to articles that are not behind a paywall.)

 

[Editor Comments]

 

[Murray] Widespread outages in the past have been the result of orderly shut-downs after component failures and/or changes in load. These shut-downs are designed to facilitate an early and orderly restart. This exercise shows the importance of early re-start. While instructive, and difficult, this exercise was very limited in scope. An attack is likely to be much wider in scope.

 

Read more in:


- www.wired.com: The Hail Mary Plan to Restart a Hacked US Electric Grid


https://www.wired.com/story/black-start-power-grid-darpa-plum-island/


- www.nextgov.com: Pentagon Researchers Test 'Worst-Case Scenario' Attack on U.S. Power Grid


https://www.nextgov.com/cybersecurity/2018/11/pentagon-researchers-test-worst-case-scenario-attack-us-power-grid/152803/


Google's Internet Traffic Took an Inadvertent Detour Earlier This Week


(November 13 & 14, 2018)


On Monday, November 12, traffic that should have been routed through Google's Cloud Platform was instead routed through Russia, China, and Nigeria. The incident appears to have been caused by a Border Gateway Protocol (BGP) filter configuration error at an Internet service provider (ISP) in Nigeria. The issue was remedied in just over an hour. The event caused some Google services to become temporarily unavailable.

 

[Editor Comments]

 

[Ullrich] You have no control over how your traffic reaches its destination once it leaves your network. This is why you *always* need to insist on robust encryption, integrity checks and authentication.

 

[Honan] An excellent example as to how fragile and insecure the underlying infrastructure for the Internet is, and a reminder as to the importance of ensuring sensitive data is encrypted so it remains protected in the event of a reoccurrence of this issue, whether that occurrence is malicious or accidental.

 

Read more in:


- www.wired.com: Google Internet Traffic Wasn't Hijacked, But It Was Out Of Control


https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/


- arstechnica.com: Google goes down after major BGP mishap routes traffic through China


https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/


- www.scmagazine.com: Google hit with IP hijack taking down several services


https://www.scmagazine.com/home/security-news/google-hit-with-ip-hijack-attack-taking-down-several-services/


- www.zdnet.com: Google traffic hijacked via tiny Nigerian ISP


https://www.zdnet.com/article/google-traffic-hijacked-via-tiny-nigerian-isp/


- www.eweek.com: What Happens When Your Data Gets Redirected to China


http://www.eweek.com/security/what-happens-when-your-data-gets-redirected-to-china

 

Guilty Plea in Fatal Swatting Case


(November 13 & 14, 2018)


Tyler Barriss has pleaded guilty to charges of making a false report resulting in a death, cyberstalking, and conspiracy for his role in swatting attacks, including one that led to the death of a man in Kansas in December 2017. Barriss faces a minimum prison sentence of 20 years.

 

Read more in:


- krebsonsecurity.com: Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison


https://krebsonsecurity.com/2018/11/calif-man-pleads-guilty-in-fatal-swatting-case-faces-20-years-in-prison/


- arstechnica.com: Man pleads guilty to swatting attack that led to death of Kansas man


https://arstechnica.com/tech-policy/2018/11/man-pleads-guilty-to-swatting-attack-that-lead-to-death-of-kansas-man/


- www.theregister.co.uk: Scumbag who phoned in a Call of Duty 'swatting' that ended in death pleads guilty to dozens of criminal charges


https://www.theregister.co.uk/2018/11/14/call_of_duty_swatting_tyler_barriss/


- www.justice.gov: California Man Pleads Guilty In Deadly Wichita Swatting Case


https://www.justice.gov/usao-ks/pr/california-man-pleads-guilty-deadly-wichita-swatting-case


**************************************************************************** 

 

Internet Storm Center Tech Corner

 

Microsoft Patch Tuesday


https://isc.sans.edu/forums/diary/November+2018+Microsoft+Patch+Tuesday/24308/

 

Adobe Security Bulletins


https://helpx.adobe.com/security.html

 

Details about Zero Day Exploit Taking Advantage of Win32k Vuln.


https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/

 

PacSec Pwn2Own Results


(day one) https://www.zerodayinitiative.com/blog/2018/11/13/pwn2own-tokyo-2018-day-one-results


(day two) https://www.zerodayinitiative.com/blog/2018/11/14/pwn2own-tokyo-2018-day-two-results-and-master-of-pwn

 

More Spectre/Meltdown Flaws (PDF)


https://arxiv.org/pdf/1811.05441.pdf

 

Emotet Spreading IcedID Banking Malware


https://isc.sans.edu/forums/diary/Emotet+infection+with+IcedID+banking+Trojan/24312/

 

Crypto Miners Abusing Insecure Docker Installs


https://forums.juniper.net/t5/Threat-Research/Container-Malware-Miners-Go-Docker-Hunting-In-The-Cloud/ba-p/400587

 

GPS Watches Can Be Used To Track Kids


https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/

 

Firefox Will Notify Users of Breached Sites


https://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/

 

David Kennel: All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System


https://www.sans.org/reading-room/whitepapers/linux/all-seeing-eye-blind-man-understanding-linux-kernel-auditing-system-38605

 

**************************************************************************** 

 

The Editorial Board of SANS NewsBites

 

Alan Paller


https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller


Brian Honan


https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan


David Hoelzer


https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer


David Turley


https://www.sans.org/newsletters/newsbites/editorial-board#david-turley


Dr. Eric Cole


https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole


Ed Skoudis


https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis


Eric Cornelius


https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius


Gal Shpantzer


https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer


Jake Williams


https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams


Dr. Johannes Ullrich


https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich


John Pescatore


https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

 

Lee Neely


https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely


Mark Weatherford


https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford


Mason Brown


https://www.sans.org/newsletters/newsbites/editorial-board#mason-brown


Michael Assante


https://www.sans.org/newsletters/newsbites/editorial-board#michael-assante


Rob Lee


https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee


Sean McBride


https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride


Shawn Henry


https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry


Stephen Northcutt


https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt


Suzanne Vautrinot


https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot


Tom Liston


https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston