
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #3

January 11, 2019

Insurance Company Refuses $100 Million Claim As "Hostile Nation State Related"; Ten-Year Prison Sentence for DDoS Attack on Boston Children's Hospital




****************************************************************************

SANS NewsBites                Jan. 11, 2018                Vol. 21, Num. 003

****************************************************************************


TOP OF THE NEWS


  Mondelez Sues Insurance Company for Not Paying $100 Million NotPetya Claim

  Ten-Year Prison Sentence for DDoS Attack on Boston Children's Hospital


REST OF THE WEEK'S NEWS


  FireEye: DNS Attacks That Targeted Organizations Around the World for Two Years May Have Ties to Iran

  Cisco Releases Fixes for eMail Security Appliance Flaws

  Patch Tuesday; Some Updates Causing Problems for Windows 7 Devices

  Chrome Ad Blocker to be Expanded Worldwide

  Kaspersky Provided Information That Led to Arrest of NSA Contractor

  Australia Real Estate Company Job Applicant Data Leaked

  Fiat-Chrysler Entertainment System Vulnerability Case to Proceed

  DARPA Seeking Air Gap Security Solution


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad, ASUS Chromebook, or Take $250 Off with OnDemand or vLive. Offer Ends January 23.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


***************************  Sponsored By  Cylance  ************************************


Don't Miss: "Using Data Science to Secure Cloud Workloads." In this session, you will learn how and where data science is being applied in the security industry as well as Cylance's Threat Predictive Advantage, which is one of the many benefits of applying data science to Next-Gen AV products.  http://www.sans.org/info/209810


*****************************************************************************

TOP OF THE NEWS

 

--Mondelez Sues Insurance Company for Not Paying $100 Million NotPetya Claim

(January 10, 2019)

US food company Mondelez is suing insurance company Zurich, which refused to pay a $100 million claim for damages caused by the NotPetya malware. Court documents show that Mondelez systems were hit with NotPetya twice, and that the malware rendered 1,700 servers and 24,000 laptops unusable. The systems were permanently disabled, creating high costs for Mondelez, but Zurich refused to pay, citing a liability exclusion for a hostile or warlike action by a government or sovereign power or people acting for them.


[Editor Comments]


[Pescatore] Cybersecurity insurance claims being denied because of pre-existing conditions (like missing patches that pre-date coverage initiation) or acts of war are not unusual. In fact, from what I've seen, cybersecurity insurance having a positive ROI is unusual when you take into account premiums and deductibles vs. actual payouts. The fact that cybersecurity insurance only reduces risk by some fixed amount vs. actually transferring risk means that self-insurance is often going to be less expensive and one key point: the cost of avoiding the majority of breaches is usually less than a few years of cyberinsurance costs and the deductible for one incident.


[Murray] There are three things that we can do with risk. We can mitigate it, assume it, or assign it to others through insurance. For foreseeable and probable risk like attacks, mitigation is usually the most efficient. Insurance is usually reserved for residual risk after other measures, things with low rates but consequences so high as to represent a threat to the health of the business. Insurance is a means of spreading risk across time and others. However, insurance companies make money. Therefore, for most things it is not nearly as efficient as mitigation.


Read more in:

Irish Times: Mondelez sues Zurich over $100m cyberhack insurance claim

https://www.irishtimes.com/business/technology/mondelez-sues-zurich-over-100m-cyberhack-insurance-claim-1.3753475

 
 

--Ten-Year Prison Sentence for DDoS Attack on Boston Children's Hospital

(January 10, 2019)

A US District Judge in Boston has sentenced Martin Gottesfeld to 10 years and one month in prison for launching distributed denial-of-service (DDoS) attacks against healthcare facilities, including Boston Children's Hospital, in 2014. In August 2018, a federal jury found Gottesfeld guilty of conspiracy to damage protected computers and of damaging protected computers.


Read more in:

Reuters: Massachusetts man gets 10 years in prison for hospital cyberattack

https://www.reuters.com/article/us-massachusetts-cyber/massachusetts-man-gets-10-years-in-prison-for-hospital-cyberattack-idUSKCN1P42J8

Justice: Jury Convicts Man Who Hacked Boston Children's Hospital And Wayside Youth & Family Support Network (August 1, 2018)

https://www.justice.gov/usao-ma/pr/jury-convicts-man-who-hacked-boston-childrens-hospital-and-wayside-youth-family-support



**************************  SPONSORED LINKS  ********************************


1) "Malicious or Negligent? How to Understand User Intent to Stop Data Exfiltration" with John Pescatore.  Register:  http://www.sans.org/info/209815


2) Don't Miss "Game Changing Defensive Strategies for 2019" with Alissa Torres.  Register:  http://www.sans.org/info/209820


3) What obstacles are you facing with your vulnerability management program? Take the SANS 2019 Vulnerability Management Survey for a chance to win a $400 Amazon gift card | http://www.sans.org/info/209825


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--FireEye: DNS Attacks That Targeted Organizations Around the World for Two Years May Have Ties to Iran

(January 9 & 10, 2019)

Researchers at FireEye say they have uncovered a series of DNS hijacking attacks that may be linked to Iran. The attacks occurred over the past two years and targeted mostly governments, telecommunications companies, and Internet infrastructure companies in North America, Europe, North Africa, and the Middle East.


Read more in:

FireEye: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Threatpost: Unprecedented DNS Hijacking Attacks Linked to Iran

https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/

The Hill: Security firm says worldwide cyber campaign targeting dozens of domains linked to Iran

https://thehill.com/policy/cybersecurity/424714-security-firm-says-cyber-campaign-targeting-dozens-of-domains-across

ZDNet: Iranian hackers suspected in worldwide DNS hijacking campaign

https://www.zdnet.com/article/iranian-hackers-suspected-in-worldwide-dns-hijacking-campaign/

 
 

--Cisco Releases Fixes for eMail Security Appliance Flaws

(January 9 & 10, 2019)

Cisco has made fixes available for two flaws in its AsyncOS email security appliance tool. Both vulnerabilities could be exploited to create denial-of-service conditions. Cisco released 16 additional fixes for other security issues in its products. 


Read more in:

Threatpost: Critical Flaw in Cisco's Email Security Appliance Enables Permanent DoS

https://threatpost.com/cisco-critical-vulnerability-patch/140726/

ZDNet: Cisco warns: Patch now or risk your security appliance choking on single rogue email

https://www.zdnet.com/article/cisco-warns-patch-now-or-risk-your-security-appliance-choking-on-single-rogue-email/

 
 

--Patch Tuesday; Some Updates Causing Problems for Windows 7 Devices

(January 8 & 10, 2019)

On Tuesday, January 8, Microsoft released fixes for nearly 50 security issues, including seven rated as critical. The critical flaws could be exploited to execute code remotely. Affected products include Microsoft Edge, Windows 10, and Server and Chakra Core. In a related story, some of the updates included in Tuesday's release have reportedly bricked devices running Windows 7.


[Editor Comments]


[Neely] Those pushing this update to Windows 7 systems in environments using Microsoft Key Management Service (KMS) need to check for negative interaction with the April 2018 KB971033 update resulting in Windows 7 installations no longer being reported as genuine. KB971033 should not be installed in this environment. Backing it out and deleting the KMS/activation data will allow reactivation to succeed.


[Murray] The risk associated with the continued use of Windows 7 will continue to increase with time. Use should be restricted to only those applications that cannot be efficiently migrated to current systems. Compensating controls, including isolation from other sensitive systems and apps, may be indicated.  


Read more in:

ISC: Microsoft January 2019 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+January+2019+Patch+Tuesday/24504/

MSRC: Release Notes: January 2019 Security Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/b4384b95-e6d2-e811-a983-000d3a33c573

SC Magazine: January Patch Tuesday: Microsoft patches 7 critical vulnerabilities

https://www.scmagazine.com/home/security-news/vulnerabilities/january-patch-tuesday-microsoft-patches-7-critical-vulnerabilities/

The Register: Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

https://www.theregister.co.uk/2019/01/08/patch_tuesday_january/

ZDNet: Microsoft January 2019 Patch Tuesday fixes 50 vulnerabilities

https://www.zdnet.com/article/microsoft-january-2019-patch-tuesday-fixes-50-vulnerabilities/

KrebsOnSecurity: Patch Tuesday, January 2019 Edition

https://krebsonsecurity.com/2019/01/patch-tuesday-january-2019-edition/

Bleeping Computer: Microsoft Patches Remote Code Execution Vulnerability in Exchange Server

https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-remote-code-execution-vulnerability-in-exchange-server/

SC Magazine: Microsoft updates brick Windows 7 devices

https://www.scmagazine.com/home/network-security/microsoft-updates-brick-windows-7-devices/

 
 

--Chrome Ad Blocker to be Expanded Worldwide

(January 9, 2019)

Starting July 9, 2019, Google's Chrome browser will expand its practice of filtering advertisements from sites that have displayed abusive ads. The standard is currently in effect in North America and Europe. This summer, the practice will take effect worldwide. Users will still have the final say about whether or not they want to see the ads on a given site.


[Editor Comments]


[Pescatore] The reality is that the fact that the Internet is free to use enables many forms of attack, like phishing and malvertising. High penetration of ad blocking driving more services requiring paid subscriptions could be a big jump forward for security and privacy - and consumers do seem to be willing to pay for more of both.


[Neely] This only filters items that don't meet the Better Ads Standards regarding abusive ad experiences. The filter can be toggled in chrome://settings/content/ads - greyed out means the blocking is enabled. The expansion is co-timed with the Better Ads Standards being expanded to worldwide scope.


Read more in:

Bleeping Computer: Google Chrome Ad Blocker Expands Worldwide Starting July 9th

https://www.bleepingcomputer.com/news/google/google-chrome-ad-blocker-expands-worldwide-starting-july-9th/

 
 

--Kaspersky Provided Information That Led to Arrest of NSA Contractor

(January 9, 2019)

Kaspersky Lab appears to have provided the National Security Agency (NSA) with information that helped lead to the arrest of former NSA security contractor Harold T. Martin III. Martin was arrested in 2016 and charged with the theft of a large amount of classified data.


[Editor Comments]


[Pescatore] There has still been no hard evidence released by the US Government against Kaspersky, but unfortunately, the act of contacting NSA with concerns about Martin does not in any way clear things up. We are still where we were - no evidence Kaspersky Lab takes orders from Russian intelligence, but no real way to prove they don't. Of course, outside the US you can substitute any US firm for Kaspersky and NSA for Russian intelligence and the same sentence holds.


[Neely] Martin was clever enough to extract terabytes of data from the NSA, but not clever enough to protect his identity when reaching out for disposition of the data. Kaspersky was able to track his Twitter handle back to his real identity by way of his dating and LinkedIn profiles. While this is a great example of Kaspersky reaching out to the NSA for the greater good, it is unlikely this will change their standing with the U.S. government as a whole.


Read more in:

Politico: Exclusive: How a Russian firm helped catch an alleged NSA data thief

https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131

 
 

--Australia Real Estate Company Job Applicant Data Leaked

(January 8, 2019)

Australia's First National Real Estate group has acknowledged that a data security incident compromised information of some job applicants. The leak, which affected roughly 2,000 individuals, exposed CV and cover letter information. The incident appears to be related to a third-party online tool.


[Editor Comments]


[Neely] Not only do applicants need to use caution with what they include in their application submission, but employers need to verify the security practices of third-party services used to screen applicants, particularly those relating to background and medical screening.


[Murray] Employment applications contain the most sensitive personal data and are collected under conditions of asymmetric power. Applicants who do not provide any and all information requested are at a distinct disadvantage. Prospective employers owe a special duty to collect only that information essential to the hiring decision, to protect it as they would their own most sensitive data, and to destroy it after a decision has been made.  


[Honan] For readers who are responsible for compliance with the EU General Data Protection Regulation (GDPR), this is a stark reminder that you need to ensure you have got assurances from any third party providers on how they protect data entrusted to you by your customers.


Read more in:

IT News: First National Real Estate has job applicant data exposed online

https://www.itnews.com.au/news/first-national-real-estate-has-job-applicant-data-exposed-online-517597

ZDNet: First National 'dealing with authorities' after reported information leak

https://www.zdnet.com/article/first-national-dealing-with-authorities-after-reported-information-leak/

Twitter: Gareth

https://twitter.com/NetworkString/status/1081241426690785280

 
 

--Fiat-Chrysler Entertainment System Vulnerability Case to Proceed

(January 8, 2019)

The US Supreme Court has declined to hear Fiat-Chrysler's appeal of a class action lawsuit that was filed after researchers demonstrated that weak coding practices in a Jeep's entertainment software allowed hackers to take control of the vehicle. The plaintiffs in the case maintain that Fiat-Chrysler had known about the security issue for three years without fixing it and are seeking damages of US $50,000 per affected vehicle. Fiat-Chrysler maintains that the plaintiffs do not have grounds to sue as they were not directly affected by the vulnerability.


[Editor Comments]


[Murray] Courts have been slow to award damages unless the plaintiffs can show direct damage. Any damage here might be proportional to a loss in re-sale value but that would likely be measured in hundreds of dollars rather than tens of thousands.  


Read more in:

The Register: Jeep hacking lawsuit shifts into gear for trial after US Supremes refuse to hit the brakes

https://www.theregister.co.uk/2019/01/08/jeep_hacking_supreme_court/

SC Magazine: U.S. Supreme Court declines to hear Fiat Chrysler appeal in car hacking case

https://www.scmagazine.com/home/security-news/the-u-s-supreme-court-monday-declined-to-hear-fiat-chryslers-appeal-in-a-class-action-lawsuit-claiming-the-automaker-knew-its-vehicles-were-vulnerable-to-cyberattacks-as-early-as-2011/

 

--DARPA Seeking Air Gap Security Solution

(January 8, 2019)

The US Defense Advanced Research Projects Agency (DARPA) is seeking proposals for systems that would protect data as they are being moved from air-gapped systems to connected systems. The solicitation seeks technology with physically provable guarantees to isolate high risk transactions.


[Editor Comments]


[Neely] Physical separation is one of the key mitigations for keeping classified data contained. The consequences of error, such as a data breach, can be extreme, so any solution will need significant vetting, verification, and testing, and understanding will be necessary before the risks will be accepted, and likely only for specific classifications and levels of data. Today, One Way Links (aka diodes) exist for automated transfer to unclassified systems, but they are expensive, are geared towards specific file and data types/sizes, have limited throughput, and take a long time to be approved due to the sensitive nature of these operations. While processing classified data on a non-isolated system has its appeals, it also presents a significant concentration of risk.


[Pescatore] Air gaps/data diodes have been around and in use in narrow use cases for many years now. The major barrier DARPA cites for their use is the long time it takes the Government to certify them for use - which of course isn't addressed in a research program! Hard to see that applying the terribly flawed government product certification process to custom semiconductor designs for gaps will remove any barriers.


[Northcutt] This is an ancient idea. You can't connect a classified network to an unclassified. But wait, all we want to do is suck data up from the less critical network to feed our models in the high value network. A common term for the device is guard. The key word to focus on is guaranteed. https://www.sans.org/reading-room/whitepapers/casestudies/connecting-classified-network-internet-case-study-694: Connecting a Classified Network to the Internet. A case study.


Read more in:

Fedscoop: DARPA wants to move beyond the air gap

https://www.fedscoop.com/darpa-wants-move-beyond-air-gap/

GCN: Solving the air-gap dilemma

https://gcn.com/articles/2019/01/08/darpa-air-gap.aspx

FBO: Guaranteed Architecture for Physical Security (GAPS)

https://www.fbo.gov/index?s=opportunity&mode=form&id=6a27d503720b0375f1f4596e32b0211a&tab=core&_cview=0


 

INTERNET STORM CENTER TECH CORNER


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+January+2019+Patch+Tuesday/24504/

https://patchtuesdaydashboard.com/


Adobe Updates

https://helpx.adobe.com/security.html


Google Play Store Adware

https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/


Ethereum Classic 51% Attack

https://blog.coinbase.com/ethereum-classic-etc-is-currently-being-51-attacked-33be13ce32de       


Simple Mechanism for Creating Certificates

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/


Review of Smartphone Face Recognition (in Dutch)

https://www.consumentenbond.nl/veilig-internetten/gezichtsherkenning-te-hacken


Google Public DNS Now Supports DNS-over-TLS

https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html


Malwarebytes Freezes Windows 7

https://forums.malwarebytes.com/topic/241223-malwarebytes-for-windows-and-windows-7-freezelock-up/


German Police Looking for MAC Address (in German)

https://polizei.brandenburg.de/pressemeldung/f8-e0-79-af-57-eb-cyber-fahndung-nach-ma/1310909       


Old Tricks still work: I love you Malspam

https://isc.sans.edu/forums/diary/Heartbreaking+Emails+Love+You+Malspam/24512/


Juniper Updates Released

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10916&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10918&cat=SIRT_1&actp=LIST


New Systemd/Journald Exploit Release

https://www.qualys.com/2019/01/09/system-down/system-down.txt


Global DNS Hijacking

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html


 


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create