
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #35

May 3, 2019

80 Million Households' Data Leaked On Azure; DHS Targets National Critical Functions; DHS Cuts Time for Critical Vulnerabilities by 50%; 1,100 Colleges Competing in National Cybersecurity Talent Competition



SANS NewsBites                 May 3, 2019                 Vol. 21, Num. 035




  Unsecured Azure Database Holds Data on 80 Million US Households

  DHS's List of National Critical Functions Offers New Lens for Understanding Risk

  DHS Binding Operational Directive: Fix Flaws Faster

  Down to the Wire: The Collegiate Cybersecurity Talent Leaderboard


  Huawei Backdoor Was Telnet Service

  Dell Offers Fix for Utility Vulnerability

  A2 Hosting Struggling to Recover from Ransomware Attack

  Google is Rolling Out Automatic Location and Browsing History Data Delete Option

  Senate Bill Would Let Cybersecurity Experts Work for Multiple Agencies

  Critical Vulnerability in Cisco Nexus 9000 Fabric Switches

  GAO on TSA Pipeline Security Oversight

  Data-driven Security








--Unsecured Azure Database Holds Data on 80 Million US Households

(April 29 & 30, 2019)

Researchers Noam Rotem and Ran Locar found an unsecured 24GB Azure-hosted database that holds information on approximately 80 million U.S. households. Microsoft has stated that they "have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured."

[Editor Comments]

[Neely] We need to watch for unsecured data in all cloud services and we should be monitoring externally stored data to ensure it is properly protected. Also, clear ownership and lines of responsibility need to be associated with any data store to aid incident response efforts.

Read more in:

Digital Trends: Data breach of unknown entity exposes private data of 80 million U.S. households


BankInfoSecurity: Mystery Database Exposed Info on 80 Million US Households


CNET: Cloud database removed after exposing details on 80 million US households


The Register: FYI: Someone left 24GB of personal info on 80m US households exposed to the public internet



--DHS's List of National Critical Functions Offers New Lens for Understanding Risk

(April 30, 2019)

The Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) have released a list of national critical functions. They are defined as "the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." The functions are organized into four areas: connect, distribute, manage, and supply. The functions provide a new approach to risk management that focuses on activities rather than separate critical infrastructure sectors.  

[Editor Comments]

[Pescatore] In many ways, the government focusing on critical functions, which usually cross vertical sectors, and industry focusing on verticals makes much more sense. Rather than yet another set of risk registers, I'd rather see the government focus on a small number of those functions that we already know are at high risk - with "Conduct Elections" at the top of the list.

[Murray] The significance of this work is that it moves infrastructure protection strategy from a "critical industry" based approach to a "function" based approach. This may be more focused, granular, inclusive, and effective.   

Read more in:

MeriTalk: DHS Sets List of National Critical Functions, Marking Shift from CI Sectors


DHS: National Critical Functions: An Evolved Lens for Critical Infrastructure Security and Resilience



--DHS Binding Operational Directive: Fix Flaws Faster

(April 29 & 30 & May 1, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has released a binding operational directive (BOD) that reduces the amount of time agencies have to fix critical flaws from 30 days to 15 days from their detection. Agencies will have 30 days to fix flaws designated as "high vulnerabilities." If an agency does not remediate the flaws within the given time frame, DHS will provide it with a partially completed remediation plan that it is expected to complete and return to DHS within three days. The response will list the constraints the agency is under that prevent the remediation, a remediation timetable, and the agency's plan for keeping systems secure in the interim. The agencies must also whitelist the IP addresses of the National Cybersecurity Assessments and Technical Services cyber hygiene scans.

[Editor Comments]

[Pescatore] Back in 2014, the slow pace of government agencies fixing the Heartbleed vulnerabilities resulted in DHS mandating 30-day patching in 2015. Moving to 15 days four years later is a move in the right direction - faster patching is actually easier today than it was four years ago.

[Neely] BOD 19-02 applies only to internet-accessible systems. Not only does it set a shortened timeline for remediation of flaws, it also requires agencies to permit vulnerability scans from DHS. DHS has been scanning public-facing agency services for a while; as new agencies and services are scanned, the challenge will be developing the process to identify and "resolve" false positives so staff can focus on true weaknesses. CDM efforts will address scanning and vulnerability management on agency internal networks. While both scenarios represent possibly added burden, the overall transparency will make vulnerable systems hard to overlook and provide opportunities for increased cyber hygiene government-wide.

Read more in:

FNN: DHS tells agencies to move faster to fix critical cyber vulnerabilities


Nextgov: CISA Cuts Deadline For Patching Critical Weaknesses In Half


Threatpost: DHS Shortens Deadline For Gov Agencies to Fix Critical Flaws


MeriTalk: New BOD Requires Agencies to Fix Critical Vulnerabilities in 15 Days


Cyber.dhs: Binding Operational Directive 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems



--Down to the Wire: The Collegiate Cybersecurity Talent Leaderboard

(May 1, 2019)

As of Wednesday morning, the national cyber talent search competition launched by 25 governors had been joined by 10,400 college students representing every state. Eight more days to go. Awards include $2.4 million in SANS scholarships plus 200 scholarships for study at other colleges.

The program: www.cyber-fasttrack.org

The state-by-state leaderboard: https://www.sans.org/cyber-fast-track/state-ranking

The national rankings are at https://www.sans.org/cyber-fast-track/nationally-ranked





--Huawei Backdoor Was Telnet Service

(April 30 & May 2, 2019)

The undocumented backdoor in Huawei equipment acknowledged by Vodafone turns out to be a Telnet remote debug interface. While it was hardcoded into the equipment and was not documented, it does not appear to have been a deliberate secret backdoor. Huawei addressed the concerns to Vodafone's satisfaction back in 2012.

[Editor Comments]

[Honan] Using a phrase like "backdoor" for a security bug can be very damaging for the vendors involved and indeed our industry. It also demonstrates why we need to have strong encryption at all levels so our data remains secure no matter what vendors' equipment it traverses.

Read more in:

The Register: Oh dear. Secret Huawei enterprise router snoop 'backdoor' was Telnet service, sighs Vodafone


Axios: The curious case of Bloomberg's Huawei scoop



--Dell Offers Fix for Utility Vulnerability

(May 1, 2019)

A vulnerability in the Dell SupportAssist utility, a tool that ships with most Dell laptops and desktops, could be exploited to execute code with administrative privileges. Dell has released a fix for the issue.

[Editor Comments]

[Neely] Many enterprises image systems with their own support tools, while end-users often leave them in place. Regardless, if you're not using the vendor provided tools, remove them. If you are using them, make sure they are part of your patch and vulnerability management solution.

Read more in:

ZDNet: Dell laptops and computers vulnerable to remote hijacks



--A2 Hosting Struggling to Recover from Ransomware Attack

(May 1, 2019)

A ransomware attack on web hosting provider A2 has affected all of the company's Windows-based servers. The infection occurred on April 23 and the company is slowly restoring data from backups. However, some A2 customers have said that the restored data are several months old. A2 acknowledged the infection in a blog post on May 1.

Read more in:

The Register: A2 Hosting finds 'restore' the hardest word as Windows outage slips into May


ZDNet: Windows Server hosting provider still down a week after ransomware attack


a2hosting: Windows Service Update



--Google is Rolling Out Automatic Location and Browsing History Data Delete Option

(May 1 & 2, 2019)

Google plans to let users automatically delete their location and web-browsing history. Currently, Google allows users to turn off location, web, and app history, and to manually delete data from searches and other functions. Google will roll out the new option over the next few weeks. Users will be able to choose to keep their data for three months, for 18 months, or indefinitely.

[Editor Comments]

[Neely] When rolled out you will be able to navigate to https://myactivity.google.com, Activity Controls, to manage Location or Web History settings. Make sure that you verify settings for all your Google accounts.

Read more in:

CNET: Google will now let you automatically delete location and activity history. Here's how


ZDNet: Google adds option to auto-delete search and location history data


Washington Post: Google will soon allow users to auto-delete location history and search data



--Senate Bill Would Let Cybersecurity Experts Work for Multiple Agencies

(May 1, 2019)

The US Senate's Federal Rotational Cyber Workforce Program Act of 2019 would allow cybersecurity experts to work in multiple government agencies. The rotational assignments would last between six months and a year with the option for a 60-day extension. Participating employees would be obligated to return to their original agency for the same length of time as their rotation.

[Editor Comments]

[Neely] Allowing experts to work across agencies will build their network and sphere of influence as well as keep them interested in the mission at hand. The requirement to return home is necessary as it assures the original agency they don't lose hard acquired talent to other agencies.

Read more in:

Fedscoop: Cybersecurity pros could work for multiple agencies under bill passed by Senate


Nextgov: Senate Passes Bill to Allow Cyber Talent to Rotate Through Agencies


Congress: S.406: Federal Rotational Cyber Workforce Program Act of 2019



--Critical Vulnerability in Cisco Nexus 9000 Fabric Switches

(May 2, 2019)

Cisco has released an advisory warning of a critical vulnerability in its Nexus 9000 fabric switches. The flaw could be exploited to connect remotely to devices with Secure Shell (SSH) and obtain root privileges. The issue lies in SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. Cisco has released updates to address the issue.

Read more in:

ZDNet: Cisco's warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches


The Register: Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are - oh no, wait, it's Cisco again


Cisco: Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Default SSH Key Vulnerability



--GAO on TSA Pipeline Security Oversight

(May 1 & 2, 2019)

The US Transportation Security Administration (TSA) is in charge of oversight for the physical security and cybersecurity of the country's 2.7 million miles of oil and gas pipelines. According to a report from the Government Accountability Office (GAO), the TSA has just six people working full time on pipeline security. While the pipelines are privately owned and there are private sector employees who focus on their cybersecurity, TSA establishes rules and enforces compliance. The GAO report noted that "the TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies - such as the required level of cybersecurity expertise - necessary to carry out its pipeline security responsibilities."

Read more in:

ZDNet: Only six TSA staffers are overseeing US oil & gas pipeline security


GAO: CRITICAL INFRASTRUCTURE PROTECTION: Actions Needed to Address Weaknesses in TSA's Pipeline Security Program Management



--Data-driven Security

(April 29, 2019)

Martin's Point Health Care information security officer Matthew Witten "has created a new framework to help create what the company calls a 'data-driven approach' to security."

[Editor Comments]

[Pescatore] SANS recognized Matthew Witten and his team with a SANS Difference Maker award last year for demonstrating how a small team can achieve large results in security operations, including a proactive level of threat hunting.

Read more in:

CSO Online: How a data-driven approach to security helps a small healthcare team embrace automation




Facebook Leaking Sellers Exact Locations


Revive Adserver Deserialization Vulnerability


AutoMacTC: Automating Mac Forensics Triage


Kroll Artifact Parser And Extractor (KAPE)


RCE Vulnerability in Dell Support Assist


Sodinokibi Ransomware Exploits WebLogic Server Vulnerability


Cisco Patches SSH Default Credential Vulnerability in Nexus 9000 Switches


New SAP Exploits Used to Target Exposed


Crestron Multiple Vulnerabilities


Current State of JavaScript Crypto Jacking


D-Link Camera Vulnerabilities


Securepairs Promotes "Right to Repair"


Polymorphic Skimmer Targeting 57 Different Payment Gateways


More Attacks Against S/Mime and PGP Signed Email



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create