SANS Miami 2020 | Eight Cyber Security Courses | Simulcast | Cyber Defense NetWars

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #66

August 23, 2019

Ransomware Outbreak; Young Women Report Bias, Discrimination, and Harassment in Coding Internship Interviews




****************************************************************************

SANS NewsBites                Aug. 23, 2019                Vol. 21, Num. 066

****************************************************************************

TOP OF THE NEWS

  Ransomware Outbreak in the US

  Young Women Report Bias, Discrimination, and Harassment in Coding Internship Interview Process


REST OF THE WEEK'S NEWS       


  US Public Libraries Need Improved Cybersecurity for Census

  Ukrainian Nuclear Plant Network Connected to Internet for Cryptomining

  NSA Security Project Will Help Protect Machines from Firmware Attacks

  Browsers Implement "Technical Solutions" to Prevent HTTPS Traffic Interception in Kazakhstan

  Webmin Backdoor was the Work of a Malicious Actor

  Apple Update Re-Opens Earlier Vulnerability

  Unpatchable Flaw in Xilinx SoC Board


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019


-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019


-- SANS OnDemand and vLive Training

Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*******************  Sponsored By AWS Marketplace   *************************


JumpStart Guide for Security Information and Event Management (SIEM) in AWS. Security information and event management plays an important role in collecting data on network assets and traffic. This webcast will provide guidance on the key issues to consider when choosing SIEM or SOAR products for integration on the AWS platform and suggests a process for making such important decisions. http://www.sans.org/info/214000


*****************************************************************************

TOP OF THE NEWS  

 --Ransomware Outbreak in the US

(August 21 & 22, 2019)

The past several months have seen a wave of ransomware attacks hit local government organizations in states across the US. Most recently, 22 municipalities in Texas were hit with ransomware in an attack believed to be launched by "a single threat actor," according to Texas state officials. Lubbock County managed to detect and deal with the infection right away. Other municipalities are working to recover from the attacks. When private companies are hit with ransomware attacks, they are often able to keep the incident quiet. People notice when a municipality's online presence disappears.  


[Editor Comments]


[Paller] The NY Times article is the best I have read on ransomware. It is comprehensive, detailed, and extremely well written. The key actionable words in the article were, in my view, "[The FBI had] urged them to update their software -- something Baltimore had failed to do." Moving forward, a simple measure of a CISO's effectiveness will be whether they have actually ensured their systems are patched and updated (and segmented if patching is not feasible). By the way, the wave of attacks against organizations in the same state - that rely on the same first responders - is a 'tip of the iceberg' example of a cyber pandemic that burns out the first responders forcing most victims to capitulate.


[Murray] While many of these attacks may fail, they are still narrowly targeted. If one is vulnerable and part of the target population, one will fall over. Note that the targets are chosen in such a way as to exhaust the resources that might be called upon for remediation. Last week it was Louisiana, this week Texas.


Read more in:

NYT: Ransomware Attacks Are Testing Resolve of Cities Across America

https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

Ars Technica: While one Texas county shook off ransomware, small cities took full punch

https://arstechnica.com/information-technology/2019/08/while-one-texas-county-shook-off-ransomware-small-cities-took-full-punch/

Dark Reading: Texas Towns Recover, but Local Governments Have Little Hope for Respite from Ransomware

https://www.darkreading.com/attacks-breaches/texas-towns-recover-but-local-governments-have-little-hope-for-respite-from-ransomware/d/d-id/1335606


 

--Young Women Report Bias, Discrimination, and Harassment in Coding Internship Interview Process

(August 22, 2019)

While the tech industry gives lip service to a commitment to diversity, the actual make-up of the companies and the overt gender bias and discrimination in the internship interviewing process reveal that the companies have a long way to go to meet this commitment. The low percentage of women in coding may be due only partly to a pipeline problem, but also to a pervasive atmosphere of institutionalized gender bias at some organizations that devalues women's abilities. A survey of 152 third- and fourth-year female college students studying computer science or a related field found that nearly half had negative experiences during the internship application process. The experiences include a notable lack of diversity, being dismissed or demeaned because of gender, bias and discriminatory comments, and harassing comments and behavior.  


[Editor Comments]


[Pescatore] The 2019 RSA Conference had a number of good sessions, put on by women already in cybersecurity, trying to give women interested in cybersecurity some tools to deal with many of these issues. Ideally, those issues would go away faster but experience and studies like this one show they just don't. The rate at which institutionalized gender bias goes away will be driven by more from the outside overcoming the bias and then working from the inside to eliminate it.

https://www.rsaconference.com/industry-topics/presentation/women-in-cybersecurity-finding-attracting-


[Paller] An insightful study on promising approaches to overcoming gender bias in cybersecurity was published last year by NBC News:

https://www.nbcnews.com/news/us-news/jobs-cybersecurity-are-exploding-why-aren-t-women-picture-n865206


[Murray] One takeaway from this study is the need to train interviewing managers to project the environment that the enterprise intends to create. Another is that the so-called "Bro" culture is an artifact of the "team," not to say "locker-room," culture. Since most development work is team work, those who aspire to careers in the field should consider bringing to the table "team" experience, e.g. team sports, band, chorus, drama.


Read more in:


Girls Who Code: Applying for Internships as a Woman in Tech | Findings from a Survey of GWC-Affiliated Women

http://girlswhocode.com/wp-content/uploads/2019/08/GWC_Advocacy_InternshipApplicationExperiences_PDF_z6.pdf

Wired: For Young Female Coders, Internship Interviews Can be Toxic

https://www.wired.com/story/for-young-female-coders-internship-interviews-can-be-toxic/


****************************  SPONSORED LINKS  ******************************


1) August 29 at 3:30 PM ET: Don't Open These - The Five Most Dangerous File Types. Register: http://www.sans.org/info/214005


2) What challenges do you face with implementing endpoint security in your organization? Take this survey: http://www.sans.org/info/214010


3) Webcast: Learn how to identify hidden & destructive objects in your environment in this upcoming webcast: http://www.sans.org/info/214015


*****************************************************************************

REST OF THE WEEK'S NEWS       

 --US Public Libraries Need Improved Cybersecurity for Census

(August 22, 2019)

The US Census Bureau will be encouraging many people to respond to the 2020 census online. While digitized data are easier to manage, they also introduce security concerns. Some people will likely be entering their census information via computers at public libraries. While the Census bureau is using multiple layers of security, including two-factor authentication, encryption, the Department of Homeland Security's (DHS's) EINSTEIN 3 system, and help from Microsoft, libraries need additional funding to improve their IT security.

 

[Editor Comments]


[Pescatore] This is very similar to the voting machine problem - another national-level function that requires states, counties and other local agencies to reach basic security hygiene levels.


[Murray] Almost any user of a kiosk computer can contaminate it. Consider re-initializing these computers from a "gold" image after a specified period (e.g. an hour) of idleness. (I learned this control from Stan Gatewood at USC.edu, now at the State of Georgia.) That said, all the libraries in the country constitutes a huge attack surface with a high cost of biasing the results.  


Read more in:

Wired: Shh! No Hacking the Census in the Library

https://www.wired.com/story/shh-no-hacking-the-census-in-the-library


 

--Ukrainian Nuclear Plant Network Connected to Internet for Cryptomining

(August 22, 2019)

Employees at a nuclear power plant in Ukraine reportedly connected portions of the plant's internal network to the Internet so they could mine for cryptocurrency. The Ukrainian Secret Service is investigating whether the mining rigs were used as entry points for attackers to gain access to the nuclear plant's network.



Read more in:

ZDNet: Employees connect nuclear plant to the internet so they can mine cryptocurrency

https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/


 

--NSA Security Project Will Help Protect Machines from Firmware Attacks

(August 22, 2019)

A NSA research project aims to help protect machines from firmware attacks by isolating the firmware in a container. The agency plans to make the tool, which is described as "an enhanced SMI transfer monitor (STM) to provide protected execution services on the x86 platform," available to the public.

[Editor Comments]


Read more in:

Cyberscoop: How an NSA researcher plans to allow everyone to guard against firmware attacks

https://www.cyberscoop.com/nsa-firmware-open-source-coreboot-stm-pe-eugene-myers/

Platform Security: Using the Intel STM for Protected Execution (PDF)

https://www.platformsecuritysummit.com/2018/speaker/myers/STMPE2Intelv84a.pdf


 

--Browsers Implement "Technical Solutions" to Prevent HTTPS Traffic Interception in Kazakhstan

(August 21, 2019)

Makers of major browsers have banned a root certificate that the Kazakh government has been using to intercept HTTPS traffic. Firefox, Chrome, and Safari now display error messages if HTTPS traffic is encrypted with the Kazakh government's certificates. Earlier this summer, Internet users in Kazakhstan were forced to install the certificate by their ISPs. The Kazakh government intercepted and decrypted HTTPS traffic for several weeks, then stopped the practice earlier this month.


Read more in:

Wired: Firefox and Chrome Fight Back Against Kazakhstan's Spying

https://www.wired.com/story/chrome-firefox-kazakhstan-surveillance

ZDNet: Apple, Google, and Mozilla block Kazakhstan's HTTPS intercepting certificate

https://www.zdnet.com/article/apple-google-and-mozilla-block-kazakhstans-https-intercepting-certificate/

Ars Technica: Google, Apple, and Mozilla block Kazakhstan government's browser spying

https://arstechnica.com/tech-policy/2019/08/chrome-firefox-and-safari-updated-to-block-kazakhstan-government-spying/

Duo: Google and Mozilla Block Kazakhstan HTTPS Interception

https://duo.com/decipher/google-and-mozilla-block-kazakhstan-https-interception


 

--Webmin Backdoor was the Work of a Malicious Actor

(August 21, 2019)

The backdoor recently patched in the Webmin Unix admin tool was planted by a malicious actor who gained access to the development build server in April 2018. The flaw could be exploited to execute commands with root privileges. The tool's maintainers have released updated versions of Webmin (v1.930) and its associated Usermin (v1.780) tool.


Read more in:

Threatpost: Backdoor Found in Utility for Linux, Unix Servers

https://threatpost.com/backdoor-found-in-utility-for-linux/147581/


 

--Apple Update Re-Opens Earlier Vulnerability

(August 20, 2019)

Apple's most recent mobile operating system update, iOS 12.4, appears to have reopened an older issue that can be exploited to jailbreak iPhones. The original vulnerability was reported to Apple earlier this year, and was fixed in iOS 12.2, which was released in May. iOS 12.4 was released on July 22.


Read more in:

The Register: Breaker, breaker. Apple's iOS 12.4 update breaks jailbreak break, un-breaks the break. 10-4

https://www.theregister.co.uk/2019/08/20/apples_ios_update_jailbreak/

SC Magazine: iOS 12.4 update reintroduced old bug, enabling jailbreak for current devices

https://www.scmagazine.com/home/security-news/mobile-security/ios-12-4-update-reintroduced-old-bug-enabling-jailbreak-for-current-devices/


 

--Unpatchable Flaw in Xilinx SoC Board

(August 20, 2019)

Researchers have found two vulnerabilities in Xilinx system-on-chip (SoC) boards. Both vulnerabilities affect the SoC's Encrypt Only secure boot mode. One of the flaws is unpatchable; Xilinx did not patch the other one because attackers could get around that fix by exploiting the unpatchable vulnerability.  


Read more in:

ZDNet: Unpatchable security flaw found in popular SoC boards

https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/



*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Guildma Malware is Now Using Facebook and YouTube as Update Channel

https://isc.sans.edu/forums/diary/Guildma+malware+is+now+accessing+Facebook+andYouTube+to+keep+uptodate/25222/


KAPE vs. Commando VM: Red vs. Blue

https://isc.sans.edu/forums/diary/KAPE+Kroll+Artifact+Parser+and+Extractor/25258/


Supply Chain Issues: rest-client ruby gem backdoored

https://www.theregister.co.uk/2019/08/20/ruby_gem_hacked/


Phishers Customize Branded Outlook 365 Login Pages

https://www.bleepingcomputer.com/news/security/phishing-attacks-scrape-branded-microsoft-365-login-pages/


Attacks against Exposed Sphinx Servers

https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/Open-Sphinx-Server/open-Sphinx-server_node.html


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities


Newly Registered Domains Most Dangerous

https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/


Steam Zero Days and Bug Bounty Controversy

https://www.theregister.co.uk/2019/08/22/valve_bug_bounty_steam_u_turn/


bb-builder malicious npm Package

https://blog.reversinglabs.com/blog/the-npm-package-that-walked-away-with-all-your-passwords


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create