Become more effective at your job with hands-on cyber security training in Reston. Save $200 thru 8/28.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #4

January 15, 2019

Government Shutdown Means Agency Security Deteriorating; Russian Hackers Targeted US Utilities Through Contractor and Subcontractor Systems; Mozilla: Bye-bye Flash, Bye-bye NPAPI


****************************************************************************

SANS NewsBites                Jan. 15, 2018                Vol. 21, Num. 004

****************************************************************************


TOP OF THE NEWS

  Government Shutdown Means Some Agency TLS Certificates Have Not Been Renewed

  Russian Hackers Targeted US Utilities Through Contractor and Subcontractor Systems

  Mozilla: Bye-bye Flash, Bye-bye NPAPI


REST OF THE WEEKS NEWS

  GoDaddy Turns Off JavaScript User Metrics Function

  Proposed Legislation: Preventing Future Government Shutdowns, Grid Security

  Security Issues Affect Card-Based Building Access System

  Huawei Fires Employee Arrested in Poland on Espionage Charges

  Man Behind Liberian Internet Attack Sentenced

  Commission Makes Recommendations for Updating Voting Systems in Georgia (US)

  Group Aims to Fight SIM Swapping


INTERNET STORM CENTER TECH CORNER

 

****************************************************************************

-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- ICS Security Summit & Training | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad, ASUS Chromebook, or Take $250 Off with OnDemand or vLive. Offer Ends January 23.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*********************** Sponsored By Amazon Web Services, Inc. ***************************


AWS Monthly Series! Advance Your Security in the Cloud Using the NIST CSF.  SANS Director John Pescatore, along with the AWS team, explains how to employ automated, innovative and secure solutions to strengthen your cybersecurity posture with tools available in the AWS Marketplace on January 31, at a special time of 2 PM ET. Register here: http://www.sans.org/info/209805


*****************************************************************************

TOP OF THE NEWS

 

--Government Shutdown Means Some Agency TLS Certificates Have Not Been Renewed

(January 12, 2019)

One effect of the US government shutdown is the fact that some TLS certificates for some government websites have expired, which means they will be identified as unsafe by and inaccessible from some browsers. At least 80 certificates have not been renewed as a result of the shutdown, including websites at NASA and the US Department of Justice.


[Editor Comments]


[Williams] While there's been a lot of media attention to expired certificates on government websites, the real story is what we aren't seeing. If this most basic cybersecurity practice has been neglected in government networks, imagine all the other patching and maintenance not being addressed during the shutdown. It is also telling that in 2019, so many government websites still depend on manual intervention to renew a certificate. This process should be automated at this point.  Finally, in Chrome it is possible to bypass HSTS and still view a website by typing the letters "thisisunsafe" when presented with the certificate error.


[Neely] After all the effort done to support BOD 18-01, this underscores the need for staff to maintain the upgraded security posture. While a number of agencies have replaced their web sites with a page indicating that they are offline until the shutdown has been resolved, accepting the expired certificate doesnt add much value, and the updated security no longer allows for non-TLS site access.


Read more in:

Dark Reading: Government Shutdown Brings Certificate Lapse Woes

https://www.darkreading.com/vulnerabilities-and-threats/government-shutdown-brings-certificate-lapse-woes/d/d-id/1333641

CNET: Shutdown: Government sites with lapsed security certificates pose risk

https://www.cnet.com/news/shutdown-government-sites-with-lapsed-security-certificates-pose-risk/

FCW: Dot-gov site security erodes during shutdown

https://fcw.com/articles/2019/01/11/dotgov-certificates-expire-rockwell.aspx

Threatpost: U.S. Government Shutdown Leaves Dozens of .Gov Websites Vulnerable

https://threatpost.com/u-s-government-shutdown-leaves-dozens-of-gov-websites-vulnerable/140782/


 

--Russian Hackers Targeted US Utilities Through Contractor and Subcontractor Systems

(January 10, 2019)

This article offers a detailed account of how Russian hackers attempted to infiltrate systems associated with the US power grid through small companies. Rather than strike the utilities head on, the hackers went after the systems unprotected underbellyhundreds of contractors and subcontractorswho had no reason to be on high alert against foreign agents. The hackers used watering hole and phishing attacks in their attempts to obtain access to their targets. (Please note that this WSJ story is behind a paywall.)


Read more in:

WSJ: Americas Electric Grid Has a Vulnerable Back Doorand Russia Walked Through It (paywall)

https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

 
 

--Mozilla: Bye-bye Flash, Bye-bye NPAPI

(January 13 & 14, 2019)

When Mozilla releases Firefox 69 later this year, the browser will no longer support the Adobe Flash plug-in by default. Flash is the only NPAPI plug-in still supported in Firefox. More than a year ago, Adobe announced that it would end support for Flash Player by the end of 2020. The stable version of Firefox 69 is expected to be released in September 2019.


[Editor Comments]


[Neely] This change will also be reflected in Firefox ESR 60.9.0. Enterprises that need NPAPI or Flash plugin support past September may need to deploy a hosted or virtual browser capability that has these functions with restricted application access to limit exposure.


Read more in:

Mozilla: Plugin Roadmap for Firefox

https://developer.mozilla.org/en-US/docs/Plugins/Roadmap

ZDNet: Mozilla: Firefox 69 will disable Adobe Flash plugin by default

https://www.zdnet.com/article/mozilla-firefox-69-will-disable-adobe-flash-plugin-by-default/

Softpedia: Mozilla to Disable Flash in Firefox 69

https://news.softpedia.com/news/mozilla-to-disable-flash-in-firefox-69-524528.shtml

Bleeping Computer: Mozilla to Disable Flash Plugin by Default in Firefox 69

https://www.bleepingcomputer.com/news/software/mozilla-to-disable-flash-plugin-by-default-in-firefox-69/

Threatpost: Mozilla Kills Default Support for Adobe Flash in Firefox 69

https://threatpost.com/flash-default-mozilla-firefox-69/140814/


****************************  SPONSORED LINKS  *******************************


1) "Malicious or Negligent? How to Understand User Intent to Stop Data Exfiltration" with John Pescatore.  Register:  http://www.sans.org/info/209830


2) Don't Miss "Game Changing Defensive Strategies for 2019" with Alissa Torres.  Register:  http://www.sans.org/info/209835


3) Join Thomas Pernicario, Solutions Engineer at Cylance for an informative discussion on data science and cloud security. http://www.sans.org/info/209840


*****************************************************************************

REST OF THE WEEKS NEWS     

 

--GoDaddy Turns Off JavaScript User Metrics Function

(January 14, 2019)

Web hosting company GoDaddy has turned off a function that was injecting JavaScript into customers websites. The feature was intended to run GoDaddys Real User Metrics (RUM) system, a snippet of JavaScript code [that] allows [GoDaddy] to measure and track the performance of [users] website, and collects information such as connection time and page load time. GoDaddy has acknowledged that the JavaScript may have a negative impact on website performance, and plans to reintroduce it in the future as an opt-in feature.


[Editor Comments]


[Honan] Interesting European GDPR angle to this is that the website owners need to be aware of what personal data of residents in the EU and the EEA are being gathered by third parties and to allow those individuals to opt-in to have their data collected. Website owners should ensure they are aware of all third party code that is on their sites and what personal data that code is gathering and for what purposes.


Read more in:

ZDNet: GoDaddy removes JavaScript injection which tracks website performance, but might break it too

https://www.zdnet.com/article/godaddy-javascript-injection-tracks-website-performance-but-might-break-it-too/

 
 

--Proposed Legislation: Preventing Future Government Shutdowns, Grid Security

(January 14, 2019)

Legislation proposed by US congress members includes a bill that would guarantee furloughed federal employees retroactive pay when the government shutdown ends and another that would prevent future government shutdowns. Two pieces of proposed legislation would have the government work more closely with private sector organizations to ensure the security of the countrys power grid.


[Editor Comments]


[Neely] The proposed energy legislation calls attention to the need to assure the security of components used in the bulk energy system as well as measure the impact/criticality of interruptions to that system. The challenge will be getting utilities to participate without an identified funding source, particularly those that are dealing with liability and bankruptcy issues like PG&E in California.


Read more in:

Nextgov: Lawmakers Propose Bills to Avoid Future Shutdowns, Secure the Power Grid

https://www.nextgov.com/cio-briefing/2019/01/lawmakers-propose-bills-avoid-future-shutdowns-secure-power-grid/154126/


 

--Security Issues Affect Card-Based Building Access System

(January 14, 2019)

Flaws in a card-based building access program could be exploited to take control of vulnerable systems. Researchers at Tenable and the US Computer Emergency Response Team (US-CERT) have both notified the company, PremiSys, about the issues. The vulnerabilities include an admin account with a hard-coded password that users cannot change; user credentials and other data stored with weak encryption; backups stored in a ZIP file protected by a hard-coded password; and a default database username and password that are arduous to change.


[Editor Comments]


[Murray] While issues have been identified with this application, almost any application or service that runs peer to others on physical network may represent a similar risk. Such applications should be isolated from others physically, network segmentation, or logically, virtual local area networks (VLANS). Since applications employing end-to-end application layer encryption would be protected from such weak applications or services, most, not to say all, sensitive applications should be so protected.  


Read more in:

ZDNet: Details published about vulnerabilities in popular building access system

https://www.zdnet.com/article/details-published-about-vulnerabilities-in-popular-building-access-system/

Tenable: Multiple Zero-Days in PremiSys IDenticard Access Control System

https://www.tenable.com/blog/multiple-zero-days-in-premisys-identicard-access-control-system

 
 

--Huawei Fires Employee Arrested in Poland on Espionage Charges

(January 11, 12, & 14, 2019)

Authorities in Poland have arrested two people for allegedly spying for the Chinese government. One of the two, Wang Weijing, is a Chinese employee of Huawei who is a sales director in Poland. Huawei has fired Wang. The second individual is a former Polish security official.


Read more in:

ZDNet: Huawei sacks employee arrested in Poland as Warsaw mulls EU ban

https://www.zdnet.com/article/huawei-sacks-employee-arrested-in-poland-as-warsaw-mulls-eu-ban/

The Register: Poland may consider Huawei ban amid 'spy' arrestsreports

https://www.theregister.co.uk/2019/01/14/poland_huawei_ban_mooted/

NYT: Poland Arrests 2, Including Huawei Employee, Accused of Spying for China

https://www.nytimes.com/2019/01/11/world/europe/poland-china-huawei-spy.html

Ars Technica: Huawei employee arrested, accused of high-level espionage for China

https://arstechnica.com/tech-policy/2019/01/huawei-employee-accused-of-spying-for-china-was-arrested-in-poland/

NYT: Huawei Fires Employee Arrested in Poland on Spying Charges

https://www.nytimes.com/2019/01/12/world/asia/huawei-wang-weijing-poland.html

 
 

--Man Behind Liberian Internet Attack Sentenced

(January 11 & 14, 2019)

A British man who admitted to launching a distributed denial-of-service (DDoS) attack against a Liberian Internet service provider (ISP) has been sentenced to 30 months in jail. Daniel Kaye said he accepted payment from one Liberian ISP to launch the attack against a rival company; the attack was so strong that it knocked out service for most of the country.


Read more in:

ZDNet: Hacker 'BestBuy' sentenced to prison for operating Mirai DDoS botnet

https://www.zdnet.com/article/hacker-bestbuy-sentenced-to-prison-for-operating-mirai-ddos-botnet/

ZDNet: Liberian ISP sues rival for hiring hacker to attack its network

https://www.zdnet.com/article/liberian-isp-sues-rival-for-hiring-hacker-to-attack-its-network/

The Register: Brit hacker hired by Liberian telco to nobble rival now behind bars

https://www.theregister.co.uk/2019/01/14/liberian_hackerforhire_case/

BBC: Briton who knocked Liberia offline with cyber attack jailed

https://www.bbc.com/news/uk-46840461

 
 

--Commission Makes Recommendations for Updating Voting Systems in Georgia (US)

(January 10, 2019)

A panel given the task of recommending a replacement for the voting system currently used by the US state of Georgia has recommend that the state adopt voting machines that record voted and print hardcopies of ballots. The commission opted for the machine marked ballots over paper ballots marked by voters and then read by machines, which is what cybersecurity experts recommended. The Secure, Accessible and Fair Elections, or SAFE, Commission voted 13-3 to send the recommendation to state legislators, who will ultimately decide what to do in the upcoming legislative session. Since 2002, Georgia has been using paperless touchscreen voting machines that do not create a paper trail. The dissenting members of the panel plan to release a minority report with their own recommendations. The cost differential is significant, with implementation of a system for hand marked ballots coming in at US $50 million, roughly one third the cost of machine marked ballots. The commission also recommends that the new system be in place in time for the 2020 election.


Read more in:

NYT: Commission Recommends Machine-Marked Ballots for Georgia

https://www.nytimes.com/aponline/2019/01/10/us/ap-us-voting-machines-georgia.html

 
 

--Group Aims to Fight SIM Swapping

(January 8, 2019)

A group created by people who have been victims of SIM swapping crimes has launched an initiative to raise awareness about the fast growing problem of SIM crimes, be a resource for victims, and effect change through legal efforts. SIM swapping involves thieves convincing mobile carrier representatives to switch the SIM number of a targets account to match the SIM card number on the thiefs mobile device. Once the switch has been made, attackers can take over accounts.


[Editor Comments]


[Neely] While there are mitigations, such as adding passwords to your mobile carrier account to stop unauthorized changes, the StopSIMCrime site is intended as a clearing house of both additional preventative measures and resources for remediation once fully flushed out.


Read more in:

Motherboard: SIM Swapping Victims Who Lost Millions Are Pressuring Telcos to Protect Their Customers

https://motherboard.vice.com/en_us/article/vbawv8/sim-swapping-hacking-victims-want-telephone-companies-protect-customers-edited

StopSIMCrime: Stop SIM Crime

http://stopsimcrime.org/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Government Website TLS Certificates Expire due to Partial Shutdown

https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html


Firefox EOL Plan for Flash

https://bugzilla.mozilla.org/show_bug.cgi?id=1519434


Fake Movie File Malware

https://www.bleepingcomputer.com/news/security/fake-movie-file-infects-pc-to-steal-cryptocurrency-poison-google-results/


Microsoft Windows Patch Breaks Access 97

https://borncity.com/win/2019/01/11/windows-january-2019-updates-breaks-access-to-access-dbs/


Snorpy Assists in Snort Rule Writing

https://isc.sans.edu/forums/diary/Snorpy+a+Web+Base+Tool+to+Build+SnortSuricata+Rules/24522/


Packet Challenge

https://xn--suuo-5ob60ete7h.com/packet7.txt

       

Microsoft LAPS - Blue Team / Red Team

https://isc.sans.edu/forums/diary/Microsoft+LAPS+Blue+Team+Red+Team/24528/


Intel SGX Platform Update

https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00203.html


Godaddy Injecting JavaScript

https://www.igorkromin.net/index.php/2019/01/13/godaddy-is-sneakily-injecting-javascript-into-your-website-and-how-to-stop-it/


Play with Docker Vulnerability

https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create