
Volume XX - Issue #99

December 18, 2018

Russian Disinformation Operations Better Understood; US Ballistic Missile Defense System Cybersecurity Problems; UK GCHQ: How to Circumvent the End-to-End Encryption Problem

2018 NetWars Military Service Cup Results: The Air Force beat the Army (last year's winner), Navy, Marines, and Coast Guard teams in this year's Service Cup competition held in Washington, DC. Lt. Gen. Edward Cardon presented the awards.






  Russian Disinformation Operations

  US Ballistic Missile Defense System Audit Finds Cybersecurity Problems

  GCHQ Officials Suggest How to Circumvent the End-to-End Encryption Problem



  Updated Shamoon Infected Computers at Three Organizations

  Signal Says It Cannot Include a Backdoor in its App

  Facial Recognition Technology Used at Taylor Swift Concert in May

  CrowdStrike's Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network

  Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients

  Facebook Photos Exposed to App Developers

  Facebook Privacy Pop-Up Kiosk




-- SANS Security East 2019 | New Orleans, LA | February 2-9

-- SANS Amsterdam January 2019 | January 14-19

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28

-- SANS Las Vegas 2019 | January 28-February 2

-- SANS London February 2019 | February 11-16

-- SANS Anaheim 2019 | February 11-16

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3

-- SANS Secure Singapore 2019 | March 11-23

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Last Chance this year to Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive. Offer Ends December 26.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS

-- View the full SANS course catalog and Cyber Security Skills Roadmap

***************************  Sponsored By SANS  ******************************

Attend SANS Open-Source Intelligence Summit in Washington, DC; February 25

This inaugural Summit will bring together leading security practitioners and investigators to share proven techniques and tools that can be applied to OSINT gathering and analysis. You'll get practical methods for collecting and leveraging available information across the Internet.




--Report on Russian Disinformation Operations

(December 17, 2018)

A report commissioned by the US Senate Select Committee on Intelligence (SSCI) details analysis of the Russian Internet Research Agency (IRA) propaganda group's influence operations targeting American citizens from 2014 through 2017. Among the report's key findings: there are active and ongoing interference operations on several [social media] platforms; there were extensive operations targeting Black-American communities; and the influence activity fomented both secessionist and insurrectionist sentiments. The report was created by researchers from cybersecurity firm New Knowledge; Canfield Research, LLC; and the Tow Center for Digital Journalism at Columbia University.

[Editor Comments]

[Pescatore] The Russian campaign focused on influencing the US presidential election, but the same tactics have and will be used in stock price manipulation and brand attacks. This is an area where marketing organizations are employing brand abuse monitoring services, fraud programs that take a different look, and email anti-phishing offerings that often include some overlap: a good area for security teams to check around the company and work to integrate efforts.

Read more in:

Wired: How Russian Trolls Used Meme Warfare to Divide America

BBC: Russia 'meddled in all big social media' in US election, says report

Cyberscoop: Russian disinformation ops were bigger than we thought

Washington Post: New report on Russian disinformation, prepared for the Senate, shows the operation's scale and sweep

Disinformation Report: The Tactics & Tropes of the Internet Research Agency

--US Ballistic Missile Defense System Audit Finds Cybersecurity Problems

(December 10, 14, 15, & 17, 2018)

According to a report from the US Department of Defense (DOD) Office of Inspector General (OIG), cyber protection for US ballistic missile defense systems (BMDS) lacks sufficient security. BMDS is designed to detect and intercept incoming missiles before they reach their targets. Nearly five years ago, the DOD CIO directed DOD to implement NIST security controls for systems protection. The report says that BMDS facilities have not fully implemented multi-factor authentication, do not consistently encrypt transmitted data, and that some known vulnerabilities remain unpatched. The facilities also failed to protect and monitor classified data stored on removable media, and lacked intrusion detection capabilities on classified networks.  

Read more in:

Threatpost: U.S. Ballistic Missile Defense System Rife with Security Holes

Nextgov: Poor Security Could Leave U.S. Defenseless Against Missile Attacks

Bleeping Computer: U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit

SC Magazine: DoD Inspector General finds multiple flaws in missile defense system cybersecurity

DODIG: Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information DODIG-2019-034


--GCHQ Officials Suggest How to Circumvent the End-to-End Encryption Problem

(November 29 & 30, 2018)

In an essay titled "Principles for a More Informed Exceptional Access Debate," Technical Director of the National Cyber Security Centre Ian Levy and Technical Director for Cryptanalysis for GCHQ Crispin Robinson describe how they envision law enforcement might intercept communications protected by end-to-end encryption. Levy and Robinson suggest that law enforcement could be silently added to a chat or a call by a service provider. The authors maintain that their solution "seems to be no more intrusive than the virtual crocodile clips that [are] authorize[d] today in traditional voice intercept solutions."

Read more in:

Lawfare Blog: Principles for a More Informed Exceptional Access Debate

ZDNet: GCHQ details how law enforcement could be silently injected into communications

TechCrunch: GCHQ's not-so-smart idea to spy on encrypted messaging apps is branded 'absolute madness'


1) Don't Miss: "Defeating Attackers with Preventive Security" with Dave Shackleford.

2) Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card.

3) How are you using the public cloud to meet your business needs? What challenges do you face? Take the SANS Cloud Survey and enter to win a $400 Amazon gift card.




--Updated Shamoon Infected Computers at Three Organizations

(December 17, 2018)

A new variant of the Shamoon data-wiping malware is being used against organizations in Saudi Arabia and the United Arab Emirates (UAE). Shamoon first appeared in 2012 when it was used to destroy more than 30,000 PCs belonging to Saudi Aramco. The new variant includes a component that erases files before wiping the master boot record, which makes it nearly impossible to recover data from a successfully infected machine. Italian oil service firm Saipem has disclosed its experience with the new Shamoon; Symantec says that at least two other organizations have seen machines infected with it.

[Editor Comments]

[Murray] Enterprise data must be stored on servers with least privilege as the access control strategy, not on the desktop with read/write as the default access control rule.

Read more in:

Dark Reading: Disk-Wiping 'Shamoon' Malware Resurfaces With File-Erasing Malware in Tow

Bleeping Computer: Shamoon Disk Wiper Returns with Second Sample Uncovered this Month

Saipem: Saipem: Update On The Cyber Attack Suffered


--Signal Says It Cannot Include a Backdoor in its App

(December 13, 14, & 15, 2018)

In a December 13 blog post, Signal developer Joshua Lund expresses the organization's frustration with Australia's new Assistance and Access bill, noting that "attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development." Lund says that Signal cannot include a backdoor and that "the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us."

Read more in:

Signal: Setback in the outback

ZDNet: Signal: We can't include a backdoor in our app for the Australian government

Motherboard: Encrypted Messaging App Signal Says It Won't Comply With Australia's New Backdoor Bill


--Facial Recognition Technology Used at Taylor Swift Concert in May

(December 12, 13, & 15, 2018)

Taylor Swift's security team used facial recognition technology at a May 2018 Rose Bowl concert to identify known stalkers. The technology was embedded in a kiosk that was playing clips of Swift's rehearsals; as concert-goers looked into the screen, a camera looked back at them. The captured images of concert-goers' faces were sent to a command center to be cross-referenced against a database of known stalkers. It is not known if concertgoers were aware that the technology was in use. Use of facial recognition technology in public places at large events is gaining traction; organizers of the 2020 Summer Olympics in Tokyo plan to use the technology for staff and athlete security checks.

Read more in:

The Register: Taylor's gonna spy, spy, spy, spy, spy... fans can't shake cam off, shake cam off

CNET: Taylor Swift reportedly used facial recognition tech to identify stalkers

Rolling Stone: Why Taylor Swift Is Using Facial Recognition at Concerts


--CrowdStrike's Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network

(December 14, 2018)

According to CrowdStrike's Cyber Intrusion Services Casebook 2018, a single laptop used at a coffee shop was infiltrated and used to gain access to an unnamed company's entire corporate network. The laptop user visited the website of a partner organization through a link in a phishing email. In this particular case, the hackers exploited a misconfiguration in the company's Active Directory implementation that granted unnecessary privileges. The security software that the affected company used detected threats only when the device was being used within the organization's network.

Read more in:

ZDNet: How one hacked laptop led to an entire network being compromised


--Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients

(December 14, 2018)

A Huffington Post report alleges that Cloudflare is providing cybersecurity services to seven groups that are under sanctions from the US Treasury Department; of those, six are identified as foreign terrorist groups by the US State Department.

[Editor Comments]

[Pescatore] All service providers have to deal with the "know your customer" issue and all the various sanctions that home country law places on doing business with blacklisted nations and countries. At any given time, many large service providers have compliance issues; the key is how quickly they deal with known or reported violations.

Read more in:

Huffington Post: U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups

CNET: Cloudflare customers reportedly include foreign terrorist groups under US sanctions

Gizmodo: Cloudflare Under Fire for Allegedly Providing DDoS Protection for Terrorist Websites


--Facebook Photos Exposed to App Developers

(December 14, 2018)

On Friday, December 14, Facebook acknowledged yet another data privacy mistake: for a two-week period in September 2018, more than 850 third-party app developers had access to photos belonging to 6.8 million Facebook users, regardless of the permissions users had granted. Facebook says the data leak problem was fixed on September 25.

[Editor Comments]

[Northcutt] I do not believe there ever was, or ever will be, such a thing as a private photo posted to social media, no matter what the platform.

Read more in:

Wired: Facebook Exposed 6.8 Million Users' Photos to Cap Off a Terrible 2018

The Register: Stop us if you've heard this one: Facebook apologizes for bug leaking private photos

ZDNet: Facebook bug exposed private photos of 6.8 million users

Ars Technica: "We're sorry," Facebook says, again: new photo bug affects millions

Cyberscoop: Facebook bug gave developers access to private photos of 6.8 million users


--Facebook Privacy Pop-Up Kiosk

(December 12 & 13, 2018)

Last week, at the end of a year filled with data privacy troubles, Facebook set up a kiosk at a holiday market in New York City that was staffed with employees ready to answer people's questions about privacy, advertisements, and the company's data collection practices. Facebook is making a concerted effort to be clear that they are not in the business of selling users' personal data. A New York Times Op-Ed piece says that assertion is "semantic skullduggery," observing that Facebook's practice of making sure advertisers' ads are shown to their desired target audience is tantamount to selling user data.

[Editor Comments]

[Neely] Privacy controls can be confusing. Kudos to Facebook for spreading understanding; users need to remember the slippery slope of expecting online information to remain private.

[Murray] There are two kinds of Facebook users: the knowledgeable and the naive. Neither expects privacy from Facebook.

Read more in:

Wired: At a New York Privacy Pop-Up, Facebook Sells Itself

New York Times: Congress May Have Fallen for Facebook's Trap, but You Don't Have To



Magellan SQLite Vulnerability

Logitech Options Vulnerability

Intel NUC BIOS Protection Flaw

HiddenTear Ransomware Decrypter

Password Protected ZIP with Maldoc

Memes Used as Covert Command and Control Channel

Shamoon Disk Wiper Malware is Back



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit