SANS Miami 2020 | Eight Cyber Security Courses | Simulcast | Cyber Defense NetWars

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #97

December 11, 2018

Senator: Crucial Need for Offensive Cyber Doctrine; Australias New Encryption Weakening Law




****************************************************************************

SANS NewsBites                Dec. 11, 2018                 Vol. 20, Num. 97

****************************************************************************


TOP OF THE NEWS


  US Senator Warner: Need for Offensive Cyber Doctrine is Crucial

  Australias New Encryption Weakening Law


REST OF THE WEEKS NEWS


  US House Bill Would Establish Grants for Cybersecurity Education

  2019 Security Awareness Survey Opens

  NRCC Aides eMail Compromised

  Huawei May Be Banned From Use in Some Countries

  Syrian Electronic Army Using Spyware to Track Political Opponents

  Google Pulls Android Adware Apps from Google Play Store

  Firefox Hasnt Fixed 11-Year-Old Bug

  Hackers Robbed Banks in Eastern Europe Through Direct Network Connections

  UK Man Sentenced to Three Years in Prison for DDoS and Bomb Threat Hoaxes

  Security Firm Says Russian Hackers Targeted Ukraine

  Opinion: The Problem With Private Companies Attributing Cyberattacks

  Google+ Shutdown Moved Up to April 2019


INTERNET STORM CENTER TECH CORNER


****************************************************************************

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 10.5 iPad Pro with Smart Keyboard, or a Microsoft Surface Go, or take $350 Off with SANS Online Training. Offer ends December 12.

https://www.sans.org/online-security-training/specials/


-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019


-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019


-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


***************************  Sponsored By  Thycotic  ********************************


Discover your vulnerable privileged accounts before hackers do.

Thycotics Free Privileged Account Discovery Tool will save you hours of effort while vastly improving your privileged password security by giving you:

    A comprehensive view of all your Windows privileged accounts

    Instant reports that help you assess the security of your privileged passwords: http://www.sans.org/info/209110


*************************************************************************************

TOP OF THE NEWS


--US Senator Warner: Need for Offensive Cyber Doctrine is Crucial

(December 10, 2018)

US Senator Mark Warner (D-Virginia) is calling for a new cyber doctrine, a coherent strategy for how to deal with the hybrid approach of cyber and disinformation thats coming from our adversaries. In a December 7 speech at the Center for a New American Security, Warner said that failing to articulate a clear set of expectations about when and where we will respond to cyber attacks is not just bad policy, its downright dangerous.


Read more in:

FNN: Warner: Lack of clarity on offensive cyber downright dangerous

https://federalnewsnetwork.com/cybersecurity-2017/2018/12/warner-lack-of-clarity-on-offensive-cyber-downright-dangerous/

FCW: Warner calls for new cyber doctrine

https://fcw.com/articles/2018/12/07/warner-cyber-whole-of-society.aspx

Bloomberg: U.S. Should Weigh Force, Sanctions to Stop Hackers, Warner Says

https://www.bloomberg.com/news/articles/2018-12-07/senior-democrat-calls-for-tougher-u-s-response-to-cyber-attacks

Nextgov: Lawmaker Calls for Shifting Defense Funds to Combat Cyber Threats

https://www.nextgov.com/cybersecurity/2018/12/lawmaker-calls-shifting-defense-funds-combat-cyber-threats/153377/



--Australias New Encryption Weakening Law

(December 10, 2018)

Australias Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 became law last week. It alters at least 12 different pieces of existing legislation in its efforts to weaken encryption.


Read more in:

ZDNet: What's actually in Australia's encryption laws? Everything you need to know

https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/

ParlInfo: Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r6195_aspassed/toc_pdf/18204b01.pdf;fileType=application%2Fpdf

ParlInfo: Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 Explanatory Memorandum

https://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r6195_ems_1139bfde-17f3-4538-b2b2-5875f5881239/upload_pdf/685255.pdf;fileType=application%2Fpdf


 

**************************  SPONSORED LINKS  ********************************


1) Learn how VMRay Analyzers IDA Pro Plugin enriches static analysis with behavior-based results. http://www.sans.org/info/209115


2) "WhatWorks in Application Security: How to Detect and Remediate Application Vulnerabilities and Block Attacks with Contrast Security" Register:  http://www.sans.org/info/209120


3) What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card. http://www.sans.org/info/209125


*****************************************************************************

REST OF THE WEEKS NEWS  

 

--US House Bill Would Establish Grants for Cybersecurity Education

(December 5, 2018)

US Representatives Jim Langevin (D-Rhode Island) and Glenn Thompson (R-Pennsylvania) have introduced the Cybersecurity Education Integration Act, a bill that would allow the US Department of Education to offer grants totaling up to $500,000 a year for adding cybersecurity education to career and technical education curricula. The grants would be awarded on a competitive basis to partnerships between educational institutions and local employers that can show how they will incorporate cybersecurity education addressing critical infrastructure functions, such as the power grid. Additionally, to better include cybersecurity as a cultural touchstone within industry, training would have to be incorporated throughout the course of study rather than just as an additional class. Langevin and Thompson co-chair the Congressional Career and Technical Education Caucus.


[Editor Comments]


[Northcutt] I certainly understand the need for focus on the power grid; I would love to see some cybersecurity integrated into nursing/healthcare since that becomes more digital by the month, and automotive technician programs since cars are becoming robots.

https://www.techrepublic.com/article/cybersecurity-professionals-the-healthcare-industry-needs-you/

http://autocaat.org/Technologies/Automotive_Cybersecurity/


Read more in:

The Hill: Bipartisan bill would create grant program promoting cybersecurity education

https://thehill.com/policy/cybersecurity/419903-bipartisan-bill-would-create-grant-program-promoting-cybersecurity

Langevin: New Legislation Aims to Bolster Cybersecurity Education Among Skilled Trades

https://langevin.house.gov/press-release/new-legislation-aims-bolster-cybersecurity-education-among-skilled-trades

Congress: H.R.7214 - Cybersecurity Education Integration Act

https://www.congress.gov/bill/115th-congress/house-bill/7214/text/ih?overview=closed&format=txt

 
 

--2019 Security Awareness Survey Opens

For the past five years, we have surveyed the global security awareness community to develop the annual SANS Security Awareness Report. This free report enables organizations around the world to make data-driven decisions on how to mature their security awareness programs and benchmark them against others. Take the 2019 SANS Security Awareness Survey and get early access to the report, be entered into a raffle for an iPad, and help make a difference!

https://survey.sans.org/jfe/form/SV_4UZfNorPzzXlfr7: 2019 SANS Security Awareness Survey

 
 

--NRCC Aides eMail Compromised

(December 4 & 9, 2018)

The email accounts of four National Republican Congressional Committee senior aides were compromised and under surveillance for several months, a public relations professional hired to manage response to the incident has confirmed. An NRCC vendor detected the intrusion in April 2018. At that time, an internal investigation was launched and the FBI was notified, but senior Republican legislators were unaware of the incident until last week.


Read more in:

The Hill: NRCC breach exposes gaps 2 years after Russia hacks

https://thehill.com/policy/technology/420368-nrcc-breach-exposes-vulnerabilities-2-years-after-russia-hacks

Politico: Exclusive: Emails of top NRCC officials stolen in major 2018 hack

https://www.politico.com/story/2018/12/04/exclusive-emails-of-top-nrcc-officials-stolen-in-major-2018-hack-1043309

 

-Huawei May Be Banned From Use in Some Countries

(December 7, 2018)

Several countries, including the US, Australia, and New Zealand, have banned the use of Huawei products in their 5G infrastructures. A report from Japans Yomiuri Shimbun says that the Japanese government plans to ban the use of Huawei and ZTE equipment for government and military telecommunications systems in the interest of national security. 


Read more in:

CNET: Japan reportedly will stop buying Huawei, ZTE equipment

https://www.cnet.com/news/japan-reportedly-will-stop-buying-huawei-zte-equipment/

The Japan News: Japans government to halt use of Huawei, ZTE products out of security concerns

http://the-japan-news.com/news/article/0005397448


 

--Syrian Electronic Army Using Spyware to Track Political Opponents

(December 5 & 10, 2018)

According to research presented at the Black Hat Europe conference in London last week, the Syrian Electronic Army (SEA) is using spyware to snoop on political opponents. The malware is introduced through phony software updates. Once it has been installed on a targets mobile device and the user has accepted permissions, the spyware, known as SilverHawk, can be used to track users activity. It is capable of turning on microphones and cameras as well as stealing data. 


Read more in:

Forbes: Syrian Electronic Army Hackers Are Targeting Android Phones With Fake WhatsApp Attacks

https://www.forbes.com/sites/thomasbrewster/2018/12/05/syrian-electronic-army-hackers-are-targeting-android-phones-with-fake-whatsapp-attacks/

ZDNet: These hackers are using Android surveillance malware to target opponents of the Syrian government

https://www.zdnet.com/article/these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government/

Black Hat: Under the SEA - A Look at the Syrian Electronic Army's Mobile Tooling

https://www.blackhat.com/eu-18/briefings/schedule/#under-the-sea---a-look-at-the-syrian-electronic-armys-mobile-tooling-12952

 

--Google Pulls Android Adware Apps from Google Play Store

(December 6 & 10, 2018)

Google has pulled 22 Android apps from the Google Play store after they were found to contain adware. The ads loaded in the background not only generated income for those behind the apps, but also drained the devices batteries. The adware included code that made it appear to advertisers as though their ads were being displayed on a wide variety of devices, including iPhones; some advertisers pay more for iPhone ad views.


[Editor Comments]


[Neely] Google Play Protect will automatically uninstall these apps from devices. Play Protect was introduced in mid 2017 for Play Services 11 or above.


Read more in:

ZDNet: Android adware tricks ad networks into thinking it's an iPhone to make more money

https://www.zdnet.com/article/android-adware-tricks-ad-networks-into-thinking-its-an-iphone-to-make-more-money/

Ars Technica: 22 apps with 2 million+ Google Play downloads had a malicious backdoor

https://arstechnica.com/information-technology/2018/12/google-play-ejects-22-backdoored-apps-with-2-million-downloads/


 

--Firefox Hasnt Fixed 11-Year-Old Bug

(December 8, 2018)

A known bug that other browsers addressed years ago remains open in Firefox. The flaw, which was first detected in April 2007, is being actively exploited. The bug involves an iframe embedded in a websites source code that makes an HTTP authentication request on another domain, resulting in an authentication modal window that will not be dismissed; to leave the page, users must kill the browser session.


Read more in:

ZDNet: Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix

https://www.zdnet.com/article/malicious-sites-abuse-11-year-old-firefox-bug-that-mozilla-failed-to-fix/

 
 

--Hackers Robbed Banks in Eastern Europe Through Direct Network Connections

(December 6 & 7, 2018)

According to a report from Kaspersky Lab, thieves have stolen funds from banks in several Eastern European countries. The attackers gained initial entry to the banks systems through devices connected directly to the banks local networks. The physical devices were planted by people pretending to be a courier, a job applicant, or someone otherwise unremarkable in the offices environment. The thieves then accessed the networks with remote access capability built into the planted devices.


[Editor Comments]


[Neely] The attackers used social engineering techniques to gain access to locations where devices could be discreetly added to the target network. Beyond employee training, 802.1X Network Authentication controls and rogue device detection/response provide strong mitigations to this type of attack.


Read more in:

SecureList: DarkVishnya: Banks attacked through direct connection to local network

https://securelist.com/darkvishnya/89169/

Dark Reading: Criminals Use Locally Connected Devices to Attack, Loot Banks

https://www.darkreading.com/attacks-breaches/criminals-use-locally-connected-devices-to-attack-loot-banks/d/d-id/1333439

 

--UK Man Sentenced to Three Years in Prison for DDoS and Bomb Threat Hoaxes

(December 7, 2018)

A UK man has been sentenced to three years in prison for his role in a series of distributed denial-of-service (DDoS) attacks and bomb threat hoaxes against schools. Duke-Cohan was arrested and released earlier this year. Following his release, he expanded his bomb threat hoaxes to schools in the US. He was also found to be responsible for falsely reporting that a commercial passenger aircraft had been hijacked. Duke-Cohan may face further charges in the US.


Read more in:

KrebsOnSecurity: Bomb Threat Hoaxer, DDos Boss Gets 3 Years

https://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/

The Register: Brit bomb hoax teen who fantasised about being a notorious hacker cops 3 years in jail

https://www.theregister.co.uk/2018/12/07/george_duke_cohan_sentenced_3_years/

 

--Security Firm Says Russian Hackers Targeted Ukraine

(December 8, 2018)

A private intelligence company says it has uncovered evidence that hackers working on behalf of the Russian government launched cyberattacks against Ukrainian government and military targets prior to and during the seizure of Ukrainian ships and sailors late last month. The attacks appear to indicate that the hackers were stealing information that would help Russia carry out the physical maritime attack along with other data.


Read more in:

Nextgov: Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures, Firm Says

https://www.nextgov.com/cybersecurity/2018/12/russia-launched-cyber-attacks-against-ukraine-ship-seizures-firm-says/153387/

 
 

--Opinion: The Problem With Private Companies Attributing Cyberattacks

(November 29, 2018)

The author of this opinion piece observes that private security firms often attribute attacks before governments do, which can present risks as there are no standards for what constitutes sufficient evidence to positively identify perpetrators. Attribution is a mix of art and computer science. It requires weaving together subtle forensic clues with past attack methods, current operational techniques, and knowledge of adversaries geopolitical objectives to identify a likely perpetrator.


Read more in:

Wired: The US Leans on Private Firms to Expose Foreign Hackers

https://www.wired.com/story/private-firms-do-government-dirty-work/

 

--Google+ Shutdown Moved Up to April 2019

(December 10 & 11, 2018)

A newly-disclosed bug in Google+ has prompted Google to push up the retirement date of the social networks consumer version. While shutdown was initially slated for August 2019, Google now plans to terminate Google+ by April 2019. The initial decision was made after an internal investigation showed that Google+ had exposed personal information of half a million users over three years. Now a new bug in a Google+ API, introduced in a November 7, 2018 update, exposed profile data that users had not made public; the issue affected 52.5 million user accounts. Google detected the flaw and fixed it on November 13.


[Editor Comments]  


[Neely] While Google is fixing the flaws, this is still a good indicator to move off Google +. To delete your Google + Account, login, go to Settings/Account/disable Google + and delete your entire profile.


Read more in:

The Register: Latest Google+ flaw leads Chocolate Factory to shut down site early

https://www.theregister.co.uk/2018/12/11/google_hacked_again/

Threatpost: Google Accelerates Google+ Shutdown After New Bug Discovered

https://threatpost.com/google-accelerates-google-shutdown-after-new-bug-discovered/139764/

Wired: A New Google+ Blunder Exposed Data From 52.5 Million Users

https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed/


 

INTERNET STORM CENTER TECH CORNER

Analyzing Malicious Docker Images

https://isc.sans.edu/forums/diary/A+Dive+into+malicious+Docker+Containers/24388/


Arrest of Huawei CFO Inspires Advance Fee Scam

https://isc.sans.edu/forums/diary/Arrest+of+Huawei+CFO+Inspires+Advance+Fee+Scam/24396/


Sextortion Messages Leading to Ransomware

https://www.proofpoint.com/us/threat-insight/post/sextortion-side-ransomware


WebKit Exploit Released

https://github.com/LinusHenze/WebKit-RegEx-Exploit


Implants Found in Russian Banksa

https://securelist.com/darkvishnya/89169/


Kubernetes Unauthenticated PoC Exploit for CVE-2018-1002105

https://github.com/evict/poc_CVE-2018-1002105#unauthenticated-poc


WebAssembly Brings Buffer Overflows to Browsers

https://www.forcepoint.com/blog/security-labs/new-whitepaper-memory-safety-old-vulnerabilities-become-new-webassembly


Increased Ethereum Miner Attacks

https://isc.sans.edu/port.html?port=8545

https://www.zdnet.com/article/hackers-ramp-up-attacks-on-mining-rigs-before-ethereum-price-crashes-into-the-gutter


Android Click Fraud Apps are Emulating iPhones for Higher Revenue

https://www.bleepingcomputer.com/news/security/android-clickfraud-op-impersonates-iphones-to-bump-ad-premiums/


 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create