Ending Soon! Online Training Special Offer: Get iPad Pro w/ Smart Keyboard, HP ProBook, or $350 Off through July 24!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #33

April 26, 2019

Washington Data Breach Legislation; Applications Open 2nd US Cyber Reskilling Academy; Digital Moat for Pentagon; Microsoft: Forced Password Resets Do Not Help Security


 

****************************************************************************

SANS NewsBites               April 26, 2019                Vol. 21, Num. 033

****************************************************************************


TOP OF THE NEWS

 

  Washington State Passes Data Breach Legislation

  Applications Open for Cyber Reskilling Academy Second Cohort

  Digital Moat for Pentagon

  Microsoft: Forced Password Resets Do Not Help Security


REST OF THE WEEK'S NEWS

 

  Supply Chain Hackers Target Video Game Development Software

  US Legislators Ask Google for More Information About Sensorvault Geolocation Database

  Two Indicted in Connection with Economic Espionage and Theft of Trade Secrets

  Report Offers "Snapshot" of Current State Chief Privacy Officer Role

  WordPress Social Warfare Plug-in Vulnerabilities Are Being Actively Exploited

  Palo Alto Networks and GoDaddy Take Down Scamming Subdomains

  Cleveland Airport Ransomware Infection


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off your OnDemand or vLive course. Offer ends May 1.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


**************************  Sponsored By  SANS  ****************************


Attend SANS Enterprise Defense Summit in Redondo Beach, CA, June 3-4 Explore attack emulation strategies, incident response techniques, and available tools that can be deployed at scale. Through in-depth presentations and panel discussions, top experts will present tools, tactics, and procedures that provide real value and can be deployed within enterprise environments.: http://www.sans.org/info/212380


*****************************************************************************

TOP OF THE NEWS

 

--Washington State Passes Data Breach Legislation

(April 23 & 25, 2019)

Legislators in the US state of Washington have passed a bill that expands the requirements for notifying consumers of data breaches. The bill shortens the time period entities have to notify consumers and the state attorney general from 45 to 30 days. The bill also expands the types of personally identifiable information that if compromised require consumer notification. Previously, organizations had to notify consumers if their names were compromised along with "Social Security numbers, driver's license numbers, state ID numbers or financial account information." That list has been expanded to include "full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, or biometric data."


[Editor Comments]


[Neely] The added data types better matches the types of privacy data that are current targets and of concern to consumers. While as a consumer I appreciate a short notification window, it still needs to be long enough to allow for accurate forensic analysis to determine the scope of a breach. In addition to broadening the types of data that require customer notification, Washington was attempting to pass broad privacy legislation, akin to the GDPR, which was killed in the legislature for not being strong enough. Expect this to resurface in their 2020 legislative session.


[Williams] As with any state privacy laws, this isn't just a Washington state problem. Most e-commerce retailers do business in Washington, so this will apply to them as well. Most organizations we work with today struggle to report relevant information within 45 days. Decreasing the reporting time will increase difficulty significantly.



Read more in:

SC Magazine: Washington state legislature passes data breach law, but punts on privacy law

https://www.scmagazine.com/home/government/washington-state-legislature-passes-data-breach-law-but-punts-on-privacy-law/

Tripwire: Washington State Legislature Passes New Data Breach Law

https://www.tripwire.com/state-of-security/government/washington-state-legislature-passes-new-data-breach-law/

ATG: AG Ferguson Bill Strengthening Data Breach Laws Passes Legislature

https://www.atg.wa.gov/news/news-releases/ag-ferguson-bill-strengthening-data-breach-laws-passes-legislature


 

--Applications Open for Cyber Reskilling Academy Second Cohort

(April 23, 2019)

The US Federal Cyber Reskilling Academy is now accepting applications for its second cohort. The first cohort was open to federal employees who do not currently work in IT. The second cohort is open to all executive breach federal employees. More than 1,500 people applied to the first cohort; 30 were selected and began their three-month training on April 15. Applications for the second cohort will be accepted through May 15. Applicants will be required to take two online assessments by May 22, and the members of the new cohort will be notified starting June 10, 2019.


Read more in:

Fedscoop: Applications open for second Federal Cyber Reskilling Academy cohort

https://www.fedscoop.com/applications-open-second-federal-cyber-reskilling-academy-cohort/

Nextgov: Federal Cyber Reskilling Academy Announces Second Class

https://www.nextgov.com/cybersecurity/2019/04/federal-cyber-reskilling-academy-announces-second-class/156486/

CIO.gov: Federal Cyber Reskilling Academy

https://www.cio.gov/reskilling/


 

--Digital Moat for Pentagon

(April 25, 2019)

The US Defense Information Systems Agency (DISA) has awarded a pair of contracts to develop a cloud-based digital "moat" to isolate the Pentagon's internal networks from the rest of the Internet, while still allowing Pentagon employees to access the Internet.


[Editor Comments]


[Murray] End-to-end application layer security is preferable.


Read more in:

Nextgov: DISA Awards Two Contracts to Build a Moat Around the Pentagon's Internet

https://www.nextgov.com/cybersecurity/2019/04/disa-awards-two-contracts-build-moat-around-pentagons-internet/156540/

 
 

--Microsoft: Forced Password Resets Do Not Help Security

(April 25, 2019)

Microsoft has acknowledged that the practice of forcing passwords to expire and requiring users to come up with new ones is not a help to security. In a blog post, Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903, Microsoft's Aaron Margosis writes that one of the baseline changes will be "dropping the password-expiration policies that require periodic password changes." He goes on to say that while recent research indicates that enforcement of banned password lists and multi-factor authentication are better alternatives, "they cannot be expressed or enforced with our recommended security configuration baselines."


[Editor Comments]


[Neely] This is intended to allow an organization to implement a policy that is aligned with their risk tolerance. Where still deploying reusable passwords, long pass phrases that are only changed upon compromise, as indicated by NIST SP 800-63-3, is better than forced changes. Even better, move to multi-factor authentication, reducing reusable passwords to a "break-glass" use case.


[Murray] While one hates being asked to change a password that one has only used once or twice in ninety days, one cannot look at this requirement in isolation. The intent is to limit fraudulent reuse of compromised passwords. However, in the absence of evidence of password compromise, this may be overkill. The use of mobile computers for strong authentication has so lowered the cost of one-time passwords that this should be the preferred measure for preventing fraudulent reuse.


Read more in:

CNET: Microsoft admits expiring-password rules are useless

https://www.cnet.com/news/microsoft-admits-expiring-password-rules-are-useless/

Blogs.technet: Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903

https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/


****************************  SPONSORED LINKS  ******************************


1) Don't Miss "Gaining a Decisive Advantage Through Terrain Based Cyber Defense" with Craig Harber and Rami Mizrahi.  Register:  http://www.sans.org/info/212385


2) How is your organizations responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/212390


3) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/212395

 

*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--Supply Chain Hackers Target Video Game Development Software

(April 23 & 24, 2019)

Researchers from two separate companies say that the same group of hackers that used the Asus software update mechanism to infect machines with malware have launched a similar supply chain attack against video game developers. The hackers managed to slip malware into the Microsoft Video Studio development tool which was then used by three separate video game companies.  


Read more in:

Wired: Supply Chain Hackers Snuck Malware Into Videogames

https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/

Threatpost: Point Blank Gamers Targeted with Backdoor Malware

https://threatpost.com/gamers-pointblank-backdoor-malware/144088/

 
 

--US Legislators Ask Google for More Information About Sensorvault Geolocation Database

(April 24 & 25, 2019)

The US House Energy and Commerce Committee has sent a letter to Google CEO Sundar Pichai asking detailed questions about the company's Sensorvault database, which contains geolocation data gathered from Android devices. Earlier this month, the New York Times reported that US law enforcement agencies have access to the data through search warrants. Legislators want to know what data Sensorvault stores how are these data used; which Google affiliates and subsidiaries have access to the data or derived analytics; whether Google has other similar databases; who can access Sensorvault; and whether Google sells, licenses or otherwise discloses the data to third parties besides law enforcement.


Read more in:

ZDNet: Congress sends letter to Google for details on Sensorvault location tracking database

https://www.zdnet.com/article/congress-sends-letter-to-google-for-details-on-sensorvault-location-tracking-database/

MeriTalk: House E&C Asks Google for Details on 'Sensorvault' Data

https://www.meritalk.com/articles/house-ec-asks-google-for-details-on-sensorvault-data/

Energy Commerce: Letter to Google CEO Sundar Pichai Regarding Sensorvault Database

https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Google.2019.4.23.%20Letter%20to%20Google%20re%20Sensorvault.CPC_.pdf

NYT: Tracking Phones, Google Is a Dragnet for the Police (from April 13)

https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html

 
 

--Two Indicted in Connection with Economic Espionage and Theft of Trade Secrets

(April 23 & 24, 2019)

An indictment unsealed earlier this week charges two men with economic espionage and conspiracy to steal trade secrets from General Electric (GE). The indictment alleges that Xiaoqing Zheng stole electronic files containing proprietary information from GE Power & Water while he was employed there. It further alleges that Zheng sent the information to Zhaoxi Zhang, a business partner in China. The pair allegedly intended to use the stolen trade secrets to benefit the People's Republic of China.


[Editor Comments]


[Williams] Another week, another espionage case fueled by an insider. If you haven't reviewed your insider threat program recently, use this story as a tool to justify that review. Insiders are particularly difficult to catch. You can't put the cat back in the bag after trade secrets walk out the door. Remember that for some organizations, losing trade secrets to a foreign competitor can represent an existential threat.


Read more in:

Dark Reading: Two Charged with Economic Espionage, GE Trade Secret Theft

https://www.darkreading.com/risk/two-charged-with-economic-espionage-ge-trade-secret-theft/d/d-id/1334519

Justice: Former GE Engineer and Chinese Businessman Charged with Economic Espionage and Theft of GE's Trade Secrets

https://www.justice.gov/opa/pr/former-ge-engineer-and-chinese-businessman-charged-economic-espionage-and-theft-ge-s-trade

 
 

--Report Offers "Snapshot" of Current State Chief Privacy Officer Role

(March 27 & April 22, 2019)

A report from the National Association of State Chief Information Officers (NASCIO) looks at the growing role of state Chief Privacy Officers (CPOs). Twelve states currently have a CPO or an equivalent. The report "provides a snapshot of the state chief privacy officer position, the background of CPOs, what they do in their roles, how the role is administratively structured and their advice for states interested in creating the position."  


[Editor Comments]


[Neely] Federal agencies have had a requirement for a privacy officer since 2005. Given current concerns over properly protecting privacy information, and ever increasing requirements around breach notification (see Washington State article above) having a state level CPO has moved from a nice-to-have, or and-also job, to a necessary position with the appropriate knowledge and authority and budget to implement required protections with monitoring. The report gives a good advice on what's necessary for a CPO to be successful.


Read more in:

GCN: States giving privacy officers a seat at the table

https://gcn.com/articles/2019/04/22/nascio-chief-privacy-officers.aspx

NASCIO: Perspectives on Privacy: A Survey and Snapshot of the Growing State Chief Privacy Officer Role

https://www.nascio.org/PDAA/ArtMID/640/ArticleID/778/Perspectives-on-Privacy-A-Survey-and-Snapshot-of-the-Growing-State-Chief-Privacy-Officer-Role

NASCIO: Perspectives on Privacy: A Survey and Snapshot of the Growing State Chief Privacy Officer Role

https://www.nascio.org/Portals/0/Publications/Documents/2019/

NASCIO_PerspectivesOnPrivacy.pdf

 
 

--WordPress Social Warfare Plug-in Vulnerabilities Are Being Actively Exploited

(April 23, 2019)

There are now multiple active exploits for a pair of vulnerabilities in the Social Warfare WordPress plug-in. The flaws can be used to allow cross-site scripting and remote code execution attacks. Once a website has been compromised, attackers can use it to mine for cryptocurrency, launch drive-by malware attacks, host phishing pages, or add the website to a botnet. The plug-in lets websites add social media sharing buttons to their websites. The vulnerabilities exist in all versions of the plug-in prior to 3.5.3, which was released on March 21, 2019. When the flaws were first disclosed, downloads of the plug-in were disabled until the update was released. However, many websites have not updated the plug-in.     


[Editor Comments]


[Neely] One report showed 42,000 sites were still running the buggy plug-in. If you're still using the Social Warefare plug-in, make sure that it is updated; if you're not using it, uninstall it. Consider adding a plug-in for your WordPress site that will either notify or auto-update plug-ins where needed.


Read more in:

Unit 42: Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978

https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-wordpress-social-warfare-plugin-cve-2019-9978/

Threatpost: Exploits for Social Warfare WordPress Plugin Reach Critical Mass

https://threatpost.com/exploits-social-warfare-wordpress/144051/

SC Magazine: WordPress Social Warfare plugin vulnerabilities abused in the wild

https://www.scmagazine.com/home/security-news/vulnerabilities/wordpress-social-warfare-plugin-vulnerabilities-abused-in-the-wild/

 
 

--Palo Alto Networks and GoDaddy Take Down Scamming Subdomains

(April 25, 2019)

Palo Alto Networks and GoDaddy worked together to take down more than 15,000 subdomains that were being used in spam operations to sell purported weight loss drugs, brain enhancing supplements and other dodgy pharmaceutical products. The spammers compromised GoDaddy customer accounts and created subdomains that they used to send the spam.


Read more in:

Wired: GoDaddy Takes Down 15,000 Spammy 'Snake Oil' Subdomains

https://www.wired.com/story/godaddy-spam-takedown-subdomains-snake-oil/

eWeek: GoDaddy Removes 15,000 Subdomains That Were Scamming Users

https://www.eweek.com/security/godaddy-removes-15-000-subdomains-that-were-scamming-users

ZDNet: GoDaddy takes down 15,000 subdomains used for online scams

https://www.zdnet.com/article/godaddy-takes-down-15000-subdomains-used-for-online-scams/

 
 

--Cleveland Airport Ransomware Infection

(April 25, 2019)

Ransomware infected computers at Cleveland (Ohio) Hopkins International Airport causing outages of email, payroll, and record keeping systems, as well as flight and baggage information monitors. The problems began on Monday, April 22, and on Thursday, April 25, airport staff were still helping travelers find their flights and their luggage. The FBI is investigating.   


Read more in:

SC Magazine: Ransomware disables Cleveland airport's email systems, information screens

https://www.scmagazine.com/home/security-news/ransomware-disables-cleveland-airports-email-systems-information-screens/

Cleveland: Info screens still off at Cleveland Hopkins International Airport; city still mum on cause, potential foul play

https://www.cleveland.com/cityhall/2019/04/info-screens-still-off-at-cleveland-hopkins-international-airport-city-still-mum-on-cause-potential-foul-play.html

 

INTERNET STORM CENTER TECH CORNER


Decoding Malicious VBA Office Document Without Source Code

https://isc.sans.edu/forums/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870/


Rooting Out Unwanted Domain Admins With Powershell

https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Rooting+out+Unwanted+Domain+Administrators/24874/


More Updates on "ShadowHammer" Supply Chain Attack

https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/


A Malicious Sight in Google Sites

https://www.netskope.com/blog/malicious-google-sites


Mac OS X-Protect Now Covering Windows Malware

https://twitter.com/patrickwardle/status/1120771284286103552


Unpatched Vulnerability in WebLogic Exploited

https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+Alert+WebLogic+Zero+Day/24880/


Collecting Windows Service Accounts

https://isc.sans.edu/forums/diary/Service+Accounts+Redux+Collecting+Service+Accounts+with+PowerShell/24882/


Wifi Finder Leaks Hotspot Passwords

https://techcrunch.com/2019/04/22/hotspot-password-leak/


Github Hosting Phishing Pages

https://www.proofpoint.com/us/threat-insight/post/threat-actors-abuse-github-service-host-variety-phishing-kits


Confluence Vulnerability Exploited by GandGrab

https://blog.alertlogic.com/active-exploitation-of-confluence-vulnerability-cve-2019-3396-dropping-gandcrab-ransomware/


New Microsoft Security Baseline for Windows 10 / Windows Server

https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create