

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #77

October 1, 2019

Baltimore Auditor After Ransomware: Ineffective Backup Policies; US Treasury Sanctions Seven Russians for Election Interference




****************************************************************************

SANS NewsBites                 Oct. 1, 2019                Vol. 21, Num. 077

****************************************************************************


TOP OF THE NEWS


  Baltimore City Auditor: IT Department Lacks Effective Backup Policies

  US Treasury Sanctions Seven Russians for Election Interference



REST OF THE WEEK'S NEWS        


  UK Police Auction Off Seized Cryptocurrency

  Senate Passes Bill to Create Cyber Incident Response Teams

  Prison for Disgruntled Former Admin Who Damaged Systems

  Linux Kernel Lockdown Feature

  NY State Sues Dunkin' for Failing to Disclose Data Breach

  FDIC Implemented DNS Security Measures

  Rheinmetall Facilities in Three Countries Experience Disruptions Due to Malware

  Microsoft Will Ban More Extensions in Outlook


INTERNET STORM CENTER TECH CORNER


****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Denver 2019 | October 14-19 | https://www.sans.org/event/denver-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through October 2 with your OnDemand or vLive course.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


**********************  Sponsored By ZeroNorth    **************************


Manage Vulnerabilities through the Software Lifecycle: How to Enable Secure DevOps. Learn best practices for managing vulnerabilities and risk throughout the SDLC, from code commit to build to deployment, across diverse technology environments in this upcoming webcast. Friday October 4th at 3:30 PM ET: http://www.sans.org/info/214355


****************************************************************************

TOP OF THE NEWS  

 

--Baltimore City Auditor: IT Department Lacks Effective Backup Policies

(September 27 & 30, 2019)

Baltimore's City Auditor reported the findings of a recent audit conducted regarding the city's IT department. When the city was hit with a ransomware attack in May of this year, crucial data were lost because employees were storing files on their computers' hard drives rather than in the cloud. As a result, the IT department was unable to provide the auditor with information that would help determine if the department was meeting performance goals.


[Editor Comments]


[Neely] This highlights the need not only to identify places where corporate data is stored but also to implement backup solutions that are appropriate for those locations. Mobile users may be better served by a cloud-based backup than one that operates only when their device is joined to the corporate network. Further, having file syncing and storage options that transparently move local files to and from enterprise storage, which reduce the risks of distributed corporate data, need to function irrespective of location.


[Murray] Backup is not easy. On the other hand, it is the security measure of last resort, the one that works when all else fails. "Ransomware" and other risks to the alteration of data put new requirements for safety and speed of recovery on the backup strategy. In this increasingly hostile environment, modernizing backup is urgent.  


Read more in:

Baltimore Sun: Baltimore IT department uses 'mind-boggling,' outdated data storage method, audit finds

https://www.baltimoresun.com/politics/bs-md-ci-audit-it-20190927-23hrwbtdyzcu7lmmwdqzbmzja4-story.html

Dark Reading: Baltimore Reportedly Had No Data Backup Process for Many Systems

https://www.darkreading.com/attacks-breaches/baltimore-reportedly-had-no-data-backup-process-for-many-systems/d/d-id/1335953

Statescoop: Before cyberattack, Baltimore saved data only on local hard drives

https://statescoop.com/baltimore-ransomware-saved-data-local-hard-drives/

Ars Technica: Councilman "mind-boggled" by Baltimore City IT department ineptitude

https://arstechnica.com/information-technology/2019/09/whats-a-backup-baltimore-city-it-kept-data-on-local-drives/


 

--US Treasury Sanctions Seven Russians for Election Interference

(September 30, 2019)

The US Treasury has officially sanctioned a Russian financier and six Russian operatives for interfering in the 2018 US elections. The six operatives are employees of the Internet Research Agency, a troll farm that used phony social media personas to spread disinformation prior to the elections. The Treasury is targeting the financier's businesses and physical assets, including private planes and a yacht.


Read more in:

Treasury: Treasury Targets Assets of Russian Financier who Attempted to Influence 2018 U.S. Elections

https://home.treasury.gov/news/press-releases/sm787

The Hill: US sanctions Russian individuals for interference in 2018 elections

https://thehill.com/policy/cybersecurity/463645-us-sanctions-russian-individuals-for-interference-in-2018-elections

Cyberscoop: U.S. Treasury sanctions Russian financier for 2018 election interference attempt

https://www.cyberscoop.com/treasury-sanctions-internet-research-agency-yevgeniy-prigozhin/


****************************  SPONSORED LINKS  ******************************


1) Webcast October 3rd at 3:30 PM ET: IT, OT, and IOT -- Oh, My! Learn to See and Secure It All. http://www.sans.org/info/214360


2) Calling all CISOs, security managers and others with detailed budgetary knowledge! Take this survey: http://www.sans.org/info/214365


3) ICYMI Webcast: Gain new insights into best practices for aligning and sharing data between NetOps and SecOps. http://www.sans.org/info/214370


*****************************************************************************

REST OF THE WEEK'S NEWS    

 

--UK Police Auction Off Seized Cryptocurrency

(September 30, 2019)

In a 24-hour auction, British police sold off cryptocurrency that had been seized from a convicted criminal who sold hacking services and stolen personal data. The police made £240,000 (US $296,000). The Eastern Region Special Operations Unit (ERSOU) checked out potential bidders prior to the auction to ensure the cryptocurrency was not being sold back to criminals. Police in the US and Australia have also sold off seized cryptocurrency over the past few years.


[Editor Comments]


[Pescatore] Seizure and auctioning of these digital currencies by law enforcement has been happening for 5 or 6 years - I thought by now more criminals would have learned to better protect their digital wallets and private keys, just the way they evolved numerous ways to hide criminally obtained physical assets and cash. Luckily, criminal minds aren't any better at basic security hygiene than the honest people...

 

Read more in:

The Register: Thanks crims: UK cops' first auction of ill-gotten Bitcoin nets them £240k

https://www.theregister.co.uk/2019/09/30/blightys_first_bitcoin_auction_on_behalf_of_the_cops_nets_240k/

BBC: TalkTalk hacker Elliott Gunton: Cryptocurrency auctioned by police

https://www.bbc.com/news/uk-england-norfolk-49880630


 

--Senate Passes Bill to Create Cyber Incident Response Teams

(September 30, 2019)

The US Senate has approved a bill that would have the Department of Homeland Security (DHS) establish "incident response teams" to help entities, especially schools and local governments, take precautions against and recover from cyber attacks. The teams would help both public and private sector organizations. The bill now heads to the House of Representatives for approval. Congress drafted the legislation in response to the epidemic of ransomware.


[Editor Comments]


[Pescatore] Whenever one of these draft cybersecurity bills pops up, I always read the last paragraph first, and this one (like pretty much every other one) includes the statement: "No additional funds are authorized to be appropriated to carry out the requirements of this Act and the amendments made by this Act." These unfunded mandates are kind of like thinking you can make more stew just by using a bigger pot and more water.


[Northcutt] I read the Senate Report, this sounds like a reasonable idea:

https://www.congress.gov/congressional-report/116th-congress/senate-report/27


Read more in:

Threatpost: Senate Passes Bill Aimed At Combating Ransomware Attacks

https://threatpost.com/senate-passes-bill-aimed-at-combating-ransomware-attacks/148779/

Congress: S.315 - DHS Cyber Hunt and Incident Response Teams Act of 2019

https://www.congress.gov/bill/116th-congress/senate-bill/315/text


 

--Prison for Disgruntled Former Admin Who Damaged Systems

(September 27 & 30, 2019)

A man who once worked as a system admin for a US Army contractor has been sentenced to two years in prison for damaging systems he had worked on when he learned he was going to lose his job. Barrence Anthony pleaded guilty to one count of accessing a protected computer without authorization.


Read more in:

The Register: Holy smokes! Ex-IT admin gets two years prison for trashing Army chaplains' servers

https://www.theregister.co.uk/2019/09/30/army_chaplain_admin_jailed/

Cyberscoop: Former U.S. Army contractor sentenced to prison for destroying IT system

https://www.cyberscoop.com/army-contractor-sentenced-federated-it/


 

--Linux Kernel Lockdown Feature

(September 29, 2019)

A new lockdown feature for the Linux kernel will do pretty much exactly what it sounds like. The Linux kernel lockdown module is slated to ship with the Linux kernel 5.4 branch. The feature will be off by default. When it is activated, it will prevent even root accounts from interacting with kernel code.


[Editor Comments]


[Neely] This provides an option to secure containers where the shared kernel is one of the emerging attack vectors. Some applications may need adjustment as they read kernel services with access restricted by this LSM.


[Murray] Perhaps we can rapidly move to the point where this is on by default. If not safe out of the box, it should at least be safe as installed, on at the end of the install process.

 

Read more in:

ZDNet: Linux to get kernel 'lockdown' feature

https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/


 

--NY State Sues Dunkin' for Failing to Disclose Data Breach

(September 27, 2019)

The State of New York has filed a lawsuit against Dunkin' for allegedly violating New York's data breach notification laws. The complaint alleged that Dunkin' did not disclose a 2015 breach affecting customer data in a timely fashion. The breach involved a credential stuffing attack and compromised loyalty account information belonging to more than 19,000 customers. Dunkin' notified users of the incident in 2018. The lawsuit also alleges that Dunkin' failed to take necessary precautions to protect customers, such as resetting passwords and freezing accounts.   


Read more in:

ag.ny.gov: Complaint: The People of the State of New York... Against Dunkin' Brands, Inc.

https://ag.ny.gov/sites/default/files/dunkin_complaint.pdf

Threatpost: Dunkin' Donuts Gets Hit with Lawsuit Over 2015 Attack

https://threatpost.com/dunkin-donuts-lawsuit/148750/


 

--FDIC Implemented DNS Security Measures

(September 27, 2019)

According to an audit report from the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General, the FDIC has taken all four actions required by the Department of Homeland Security's (DHS's) Emergency Directive 19-01, which aims to mitigate the risks of DNS infrastructure tampering. DHS issued the directive on January 22, 2019, in response to several DNS infrastructure tampering incidents that targeted US government agencies. The four actions are auditing DNS records, changing DNS account passwords, implementing multifactor authentication, and monitoring certificate transparency logs.


[Editor Comments]


[Neely] These actions are appropriate for all. Making sure that your DNS only contains authorized entries, and that only the intended people and processes can update it, is key to mitigating the risks of entries for either shadow services or updates that send users to replacement sites. The certificate transparency log audits help discover unauthorized issuance of certificates. If your DNS provider doesn't offer both DNS security options as well as multi-factor authentication, consider switching to one who does.


Read more in:

MeriTalk: FDIC Sees Success in Securing DNS

https://www.meritalk.com/articles/fdic-sees-success-in-securing-dns/

Oversight: The FDIC's Actions to Mitigate the Risk of Domain Name System Infrastructure Tampering

https://www.oversight.gov/sites/default/files/oig-reports/19-006AUD.pdf

DHS: Emergency Directive 19-01: Mitigate DNS Infrastructure Tampering (January 22, 2019)

https://cyber.dhs.gov/ed/19-01/
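The first and fourth of the directive's four actions (auditing DNS records and monitoring certificate transparency logs) as an added offline example; this is editor-written illustration code, not from the FDIC report or ED 19-01, and every zone record, domain name, IP address and issuer in it is constructed sample data.

```python
"""Offline audit in the spirit of ED 19-01 actions 1 and 4 (added example).

Compares a snapshot of the live zone against an approved baseline and flags
drift, then scans certificate-transparency entries for certificates that
name our domains but were issued by a CA we never approved.
"""

# Approved baseline: what the zone is supposed to contain (constructed).
BASELINE = {
    ("www.example.test", "A"): {"192.0.2.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("mail.example.test", "A"): {"192.0.2.25"},
}

# Snapshot pulled from the live zone (constructed). The www A record has
# changed and an extra name has appeared: the drift the directive targets.
SNAPSHOT = [
    ("www.example.test", "A", "198.51.100.7"),
    ("example.test", "MX", "10 mail.example.test."),
    ("mail.example.test", "A", "192.0.2.25"),
    ("vpn.example.test", "A", "198.51.100.9"),
]


def audit_records(baseline, snapshot):
    """Return (changed, unexpected, missing) for the zone snapshot."""
    seen = {}
    for name, rtype, value in snapshot:
        seen.setdefault((name, rtype), set()).add(value)
    changed, unexpected, missing = [], [], []
    for key, values in seen.items():
        if key not in baseline:
            unexpected.append((key, sorted(values)))
        elif values != baseline[key]:
            changed.append((key, sorted(baseline[key]), sorted(values)))
    for key in baseline:
        if key not in seen:
            missing.append(key)
    return changed, unexpected, missing


# Issuers we actually use and the zones we own (constructed).
APPROVED_ISSUERS = {"Example Approved CA"}
OUR_DOMAINS = ("example.test",)

# Constructed CT log entries in a crt.sh-like shape (issuer + SAN names).
CT_ENTRIES = [
    {"issuer": "Example Approved CA", "names": ["www.example.test"]},
    {"issuer": "Some Other CA", "names": ["mail.example.test", "vpn.example.test"]},
    {"issuer": "Some Other CA", "names": ["unrelated.invalid"]},
]


def covers_our_domain(name):
    """True for our apex, any subdomain, or a wildcard under our apex."""
    return any(name == d or name.endswith("." + d) for d in OUR_DOMAINS)


def suspicious_certs(entries):
    """Certificates naming our domains but issued by a non-approved CA."""
    return [e for e in entries
            if e["issuer"] not in APPROVED_ISSUERS
            and any(covers_our_domain(n) for n in e["names"])]


if __name__ == "__main__":
    changed, unexpected, missing = audit_records(BASELINE, SNAPSHOT)
    print("changed:", changed)        # www A record now points elsewhere
    print("unexpected:", unexpected)  # vpn.example.test never approved
    print("missing:", missing)
    print("suspicious certs:", suspicious_certs(CT_ENTRIES))
```

In practice the snapshot comes from a zone transfer or the registrar's API and the CT entries from a log monitor, but the comparison logic is the same.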


 

--Rheinmetall Facilities in Three Countries Experience Disruptions Due to Malware

(September 26 & 27, 2019)

German defense contractor Rheinmetall said that systems in three countries were infected with malware last week. Rheinmetall facilities in Brazil, Mexico, and the US are expected to experience "considerable disruption." In a press release, Rheinmetall said that it expected the disruption to last between two and four weeks.


Read more in:

Rheinmetall: Ad-hoc: Rheinmetall AG: Regional disruption of production due to malware at Rheinmetall Automotive

https://www.rheinmetall.com/en/rheinmetall_ag/press/news/latest_news/index_18496.php

ZDNet: Malware infection disrupts production at defence contractor plants in three countries

https://www.zdnet.com/article/malware-infection-disrupts-production-at-defence-contractor-plants-in-three-countries/

Cyberscoop: German manufacturer says malware has caused 'significant disruption' to plants in three countries

https://www.cyberscoop.com/rheinmetall-malware-disruption-manufacturing/


 

--Microsoft Will Ban More Extensions in Outlook

(September 25, 26 & 27, 2019)

Microsoft is expanding the list of file extensions that will be banned from Outlook. The list currently includes 104 file extensions; an additional 38 extensions will be added soon, according to a Microsoft Exchange team blog post. Users will be unable to download files from their Outlook inboxes with extensions that are on the list. Admins for Office 365, Exchange Online, and Exchange Server systems can whitelist blocked extensions. (See the Office support link below for a list of currently blocked file extensions.)


[Editor Comments]


[Pescatore] Depending on which statistics you believe, somewhere between 35% and 70% of emails (towards the lower end for business, towards the higher end for consumers) will be opened on mobile devices, not Windows machines. Other statistics: only somewhere between 2% and 10% of emails are opened in an Outlook client. So, while this is a good security move by Microsoft it really isn't going to have much impact. The biggest impact player (Google with Gmail, Android and Chrome) has been increasing blocking overall for several years. Businesses need to pressure their ISPs to add on-the-wire blocking of universally agreed upon bad files, a much better place to do this.

 

[Neely] Rather than whitelisting any of these extensions, consider providing users alternate means to legitimately share these files, such as a network file exchange, with appropriate access controls and security monitoring.

 

Read more in:

ZDNet: Microsoft bans 38 file extensions in Outlook for the Web

https://www.zdnet.com/article/microsoft-bans-38-file-extensions-in-outlook-for-the-web/

Threatpost: Microsoft Blacklists Dozens of New File Extensions in Outlook

https://threatpost.com/microsoft-blacklists-dozens-of-new-file-extensions-in-outlook/148737/

support.office: Blocked attachments in Outlook (current)

https://support.office.com/en-us/article/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519

Techcommunity.microsoft: Changes to File Types Blocked in Outlook on the web

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Changes-to-File-Types-Blocked-in-Outlook-on-the-web/ba-p/874451



****************************************************************************

INTERNET STORM CENTER TECH CORNER


Polycom Scans

https://isc.sans.edu/forums/diary/New+Scans+for+Polycom+Autoconfiguration+Files/25366/


Maldoc, PowerShell and BITS

https://isc.sans.edu/forums/diary/Maldoc+PowerShell+BITS/25372/


Apple Security Details

https://support.apple.com/en-us/HT201222


iOS Jailbreak

https://github.com/axi0mX/ipwndfu


Yet Another Critical Exim Flaw

https://nvd.nist.gov/vuln/detail/CVE-2019-16928


CISCO Introduces Semiannual Patch Day

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547


Windows Server 2019 to make it easier to disable legacy TLS Versions

https://www.microsoft.com/security/blog/2019/09/30/tls-version-enforcement-capabilities-now-available-certificate-binding-windows-server-2019



******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create