Final Week to Get an iPad Mini, Chromebook Flip, or $250 Off with OnDemand and vLive Training!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #14

February 19, 2019

Maryland, Texas, Indiana Take the Lead in Cyber Talent Competition; China and Iran Stepping Up US Attacks; Israels Hacking Hotline; Brokerages Targeted By Phishing Scheme


Texas, Indiana, Maryland, Iowa, Delaware, Georgia and New Jersey are off to a fast start in the national competition to determine which states can identify and develop world class cyber talent among their high school and college students most quickly and effectively. Here are their governors announcements (Note: their high school programs start with young women, but their college programs are open to all students who register in time):


* Texas Governor Abbott: https://gov.texas.gov/news/post/texas-to-partner-with-sans-institute-to-promote-cybersecurity-career-track-for-high-school-girls-and-all-college-students

* Indiana Governor Holcomb: https://calendar.in.gov/site/gov/event/nationwide-girls-go-cyberstart-competition-includes-indiana/

* Maryland Governor Hogan: http://www.dllr.state.md.us/whatsnews/girlsgocyberstart.shtml

* Iowa Governor Reynolds: https://governor.iowa.gov/2019/02/governor-reynolds-encourages-iowa-high-school-and-college-students-to-join-innovative

* Delaware Governor Carney: https://news.delaware.gov/2019/02/18/delawares-launches-girls-go-cyberstart-challenge/

* Georgia Governor Kemp: https://gov.georgia.gov/press-releases/2019-02-18/gov-kemp-announces-partnership-sans-institute-cyber-workforce-development

* New Jersey Governor Murphy: https://www.njhomelandsecurity.gov/media/governor-murphy-encourages-new-jersey-high-school-and-college-students-to-join-innovative-cybersecurity-competitions


****************************************************************************

SANS NewsBites                Feb. 19, 2018                Vol. 21, Num. 014

****************************************************************************


TOP OF THE NEWS


  China and Iran Stepping Up Attacks Against US Institutions

  Israels Hacking Hotline

  FINRA Warns Brokerages of Phishing Scheme


REST OF THE WEEKS NEWS


  NATO Researchers Catfish Soldiers on Facebook

  Google Earth Update Exposes Taiwan Military Bases

  GAO to Congress: Its Time for Data Privacy Legislation

  Chrome Will Alter FileSystem API to Prevent Sites From Blocking Incognito Browsing

  Equifax Datas Absence From Dark Web Suggests the Breach Was the Work of a Nation-State 

  Firefox Project Fission: Site Isolation

  Software Pirates Exploiting Apple Enterprise Developer Certificates to Spread Illegitimate Apps


INTERNET STORM CENTER TECH CORNER


****************  Sponsored By Amazon Web Services, Inc.  ******************


AWS Educational Series: Learn the relationship between compliance and risk management and how to automate these functions for cloud workloads in a webcast featuring Matt Bromiley. Register for the webcast here. http://www.sans.org/info/210445


*****************************************************************************


TOP OF THE NEWS


 

--China and Iran Stepping Up Attacks Against US Institutions

(February 15 & 18, 2019)

Hackers working on behalf of Iran and China have been targeting US companies and government agencies. Experts believe that the uptick in these attacks is related to recent US foreign policy decisions including the withdrawal from the Iran nuclear agreement and trade issues with China. Attacks that NSA analysts and experts from FireEye says came from Iran prompted the Department of Homeland Security (DHS) to issue an emergency order to implement protections against a DNS hijacking campaign in January. DHS officials now say that there is no evidence that the hackers hijacked any US federal government domains. 


[Editor Comments]


[Henry] The recent reporting on targeted attacks by China, Iran, and other nation-states is important. Geopolitical issues often drive targeting and can raise risks to the organization. Critical intelligence on who is targeting their organizations, how, and why enables CISOs to augment detection and protection.


Read more in:

NYT: Chinese and Iranian Hackers Renew Their Attacks on U.S. Companies

https://www.nytimes.com/2019/02/18/technology/hackers-chinese-iran-usa.html

FCW: DHS official: no evidence federal domains hijacked in global DNS campaign

https://fcw.com/articles/2019/02/15/dns-hijack-dhs-response.aspx

KrebsOnSecurity: A Deep Dive on the Recent Widespread DNS Hijacking Attacks

https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/


 

--Israels Hacking Hotline

(February 18, 2019)

Israel has established a hotline for individuals and businesses both to call and receive help with suspected hacking and cyber threats. The center is staffed by people who have served in Israeli military computing units. It was launched several weeks ago and currently receives about 100 calls a day.


Read more in:

Reuters: Israeli cyber-hotline offers help for the hacked

https://www.reuters.com/article/us-cyber-israel-hotline/israeli-cyber-hotline-offers-help-for-the-hacked-idUSKCN1Q70K1

YNET: Israeli cyber-hotline offers help for the hacked

https://www.ynetnews.com/articles/0,7340,L-5465513,00.html

 
 

--FINRA Warns Brokerages of Phishing Scheme

(February 15, 2019)

The US Financial Industry Regulatory Authority (FINRA) has notified brokerage firms of a phishing scheme that has been targeting brokerage companies. The deceptive email messages appear to come from an actual credit union and falsely warns that one of the brokerages customers is suspected of being involved in money laundering scheme. The email arrives with an attachment that likely contains a malicious virus or malware designed to obtain unauthorized access to the recipients computer network.


Read more in:

Bleeping Computer: Brokerage Firms Warned by FINRA Regulator of New Phishing Attack

https://www.bleepingcomputer.com/news/security/brokerage-firms-warned-by-finra-regulator-of-new-phishing-attack/

FINRA: FINRA Warns of Fraudulent Phishing Emails Targeting Member Firms

http://www.finra.org/industry/information-notice-021319


****************************  SPONSORED LINKS  ******************************


1) Key considerations when choosing a Security Operations Center (SOC) model. Read the report now. http://www.sans.org/info/210525


2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210530


3) What does it take to establish a successful security operations program? Tell us your experience. Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card! http://www.sans.org/info/210535


*****************************************************************************

REST OF THE WEEKS NEWS  

  

--NATO Researchers Catfish Soldiers on Facebook

(February 18, 2019)

A NATO research group, the Strategic Communications Center of Excellence (StratCom), conducted a catfishing operation to see how much information they could tease out of US military personnel. The researchers set up phony Facebook pages and invited military personnel to join closed Facebook groups. The resultssuggest that in the current digital arena an adversary would be able to collect enough personal data on soldiers to create targeted messages with precision, successfully influencing their chosen target audience to carry out desired behaviours.


[Editor Comments]


[Neely] In addition to social engineering, this study looked at fraudulent page, profile and group detection and removal by Facebook. The bottom line: you cannot solely rely on social media fraud detection mechanisms; training must be augmented so users understand how participation translates into genuine OPSEC (operational security) issues.


Read more in:

Wired: NATO Group Catfished Soldiers to Prove a Point About Privacy

https://www.wired.com/story/nato-stratcom-catfished-soldiers-social-media/

StratComCOE: Responding to Cognitive Security Challenges

https://www.stratcomcoe.org/responding-cognitive-security-challenges

 
 

--Google Earth Update Exposes Taiwan Military Bases

(February 18, 2019)

An update to Google Earths 3-D Maps inadvertently exposed the locations of Taiwanese military bases. The images are not blurred, allowing anyone view the detailed layout of the base. The problem also reportedly exposed Taiwans National Security Bureau and Military Intelligence Bureau.


[Editor Comments]


[Neely] Google used to blur out Department of Energy and Defense national laboratories as well. Now you can even find building/facility numbers as well as the street names within a facility. Organizations need to focus on controlling the information released regarding the actions and personnel at those facilities to maintain their needed operational obscurity.


Read more in:

ZDNet: Google Earth accidentally reveals secret military sites

https://www.zdnet.com/article/google-maps-update-accidentally-reveals-secret-military-sites/

SCMP: Taiwans darkest military secrets revealed by Google Maps

https://www.scmp.com/news/china/military/article/2186351/taiwans-darkest-military-secrets-revealed-google-maps

 
 

--GAO to Congress: Its Time for Data Privacy Legislation

(February 15 & 16, 2019)

A report from the US Government Accountability Office (GAO) recommends that Congress develop data privacy protection legislation much like the European Unions General Data Protection regulation (GDPR). Among the incidents referenced in the report is the Cambridge Analytica scandal, in which Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of [its] users with a political consulting firm. The report is the result of a request from the House Energy and Commerce Committee two years ago.    


[Editor Comments]


[Pescatore] We actually dont need Congress to *develop* privacy legislation; they have developed many drafts of privacy legislation in the past. We need Congress to *pass* privacy legislation. The traditional problem in the US is that federal policy drafts that represent needed increases in protection for consumer data either die because they are opposed by business interests, or they get so watered down that they die because they are then opposed by privacy interests. Hard to be optimistic that this will change anytime soon at the federal levelI think all progress in the US will come from state level laws.


[Murray] In 1974 Congress Passed the U.S. Privacy Act, the first and last Federal legislation on the subject. The seven year process from the book to the act was an object lesson in how difficult it is to draft technology-agnostic legislation to implement an abstract value. The Act was well intended, a compromise, was limited to the Federal Government, and had far less impact on privacy than the Freedom of Information Act. In a process lobbied by a huge industry that deals in personal information, the task may be even more difficult and time consuming. Then as now, the Europeans, having lived under totalitarian regimes of the left and right, led the way.  


Read more in:

CNET: US needs an internet data privacy law, GAO tells Congress

https://www.cnet.com/news/us-needs-an-internet-data-privacy-law-gao-tells-congress/

ZDNet: GAO gives Congress go-ahead for a GDPR-like privacy legislation

https://www.zdnet.com/article/gao-gives-congress-go-ahead-for-a-gdpr-like-privacy-legislation/

GAO: INTERNET PRIVACY: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (PDF)

https://www.gao.gov/assets/700/696437.pdf

 
 

--Chrome Will Alter FileSystem API to Prevent Sites From Blocking Incognito Browsing

(February 15, 2019)

Google is planning to make changes to the FileSystem API for Chrome so that websites cannot check to see if users are browsing in a regular session or in Incognito Mode. Some websites deny users access to content if they are browsing in Incognito Mode. The FileSystem API is not currently available when users are browsing in Incognito Mode because it leaves behind files that pose a possible privacy risk. A website can attempt to invoke the FileSystem API; if it is unable to use the API, then it knows the user is in Incognito Mode. Google will make changes to the API so that websites will no longer be able to tell whether a user is browsing incognito or not.


Read more in:

Engadget: Chrome will make it harder to block incognito browsing

https://www.engadget.com/2019/02/18/google-chrome-incognito-mode-blocking/

Bleeping Computer: Google Fixing Chrome API to Prevent Incognito Mode Detection

https://www.bleepingcomputer.com/news/google/google-fixing-chrome-api-to-prevent-incognito-mode-detection/

 
 

--Equifax Datas Absence From Dark Web Suggests the Breach Was the Work of a Nation-State 

(February 13 & 15, 2019)

The Equifax breach, in which personal information belonging to nearly 150 million people was compromised, occurred more than a year-and-a-half ago, but the pilfered data have not turned up on the DarkWeb. This suggests that the attack was conducted by a nation-state rather than by criminals looking to make money.


Read more in:

Threatpost: Wheres the Equifax Data? Does It Matter?

https://threatpost.com/equifax-data-nation-state/141929/

CNBC: The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme

https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html

 
 

--Firefox Project Fission: Site Isolation

(February 4, 6, & 14, 2019)

Mozilla is planning to introduce a site isolation feature to Firefox. Project Fission, as the project is known, will allow Firefox to create a separate process for each website that is being accessed. If the site includes an iframe, it will have its own process as well. Users can follow the progress of Project Fission on the project tech leads GitHub site (see below).


[Editor Comments]


[Murray] This effort may resist cross site scripting attacks but will not address Internet attacks on the environment that the browser runs in. The browser will remain the Achilles Heel of the desktop and the desktop of the enterprise.


Read more in:

Computerworld: Mozilla to harden Firefox defenses with site isolation, a la Chrome

https://www.computerworld.com/article/3340371/web-browsers/mozilla-to-harden-firefox-defenses-with-site-isolation-a-la-chrome.html

ZDNet: Firefox to get a 'site isolation' feature, similar to Chrome

https://www.zdnet.com/article/firefox-to-get-a-site-isolation-feature-similar-to-chrome/

Mystor: Fission Engineering Newsletter #1

https://mystor.github.io/fission-news-1.html

 

 --Software Pirates Exploiting Apple Enterprise Developer Certificates to Spread Illegitimate Apps

(February 13, 2019)

Companies distributing pirated software are taking advantage of enterprise developer certificates, which allow organizations to distribute apps internally without having to go through the Apple App Store, to spread altered apps. An Apple spokesperson said Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely.


[Editor Comments]


[Neely] Those certificates are intended to allow developed applications to be distributed within an enterprise without sending them to the Apple App store. Upon discovery of misuse, Apple will revoke those certificates, after which any applications signed with those certificates no longer function. Even so, those applications work until that happens. Users need to be sure they are only install applications from the official Apple App store or their official Enterprise App store.


Read more in:

Reuters: Software pirates use Apple tech to put hacked apps on iPhones

https://www.reuters.com/article/us-apple-piracy/software-pirates-use-apple-tech-to-put-hacked-apps-on-iphones-idUSKCN1Q3097

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Finding Property Values in Office Documents

https://isc.sans.edu/forums/diary/Finding+Property+Values+in+Office+Documents/24652/


Snap Patches Available

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing


Bro-Sysmon

https://engineering.salesforce.com/test-out-bro-sysmon-a6fad1c8bb88


VMWare Releases Update To Address runc Vulnerability

https://www.vmware.com/security/advisories/VMSA-2019-0001.html


Know What You Are Logging

https://isc.sans.edu/forums/diary/Know+What+You+Are+Logging/24656/


Cryptojacking Apps in Microsoft App Store

https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store


Spectre Software Mitigation Insufficient (PDF)

https://arxiv.org/pdf/1902.05178.pdf


Swedish Healthcare Breach Leaks Phone call Recordings

https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create