SANS NewsBites

GAO: DoD Failing On Cyber Hygiene; Texas Judge Approves Mail-in Voting for Anyone Who Requests It; Air Force Bounty Program Found 460 Bugs

April 17, 2020 | Volume XXII – Issue #31

Top of the News


2020-04-14

GAO Report: Department of Defense Needs to Renew Focus on Cyber Hygiene

A report from the US Government Accountability Office (GAO) says that the Department of Defense (DoD) has either abandoned or stopped keeping track of many of the cyber hygiene goals the agency set for itself in 2015. GAO makes seven recommendations for DoD, several of which focus on assigning responsibility for implementation of cyber hygiene tasks.

Editor's Note

One line in this 54-page report captures the glaring problem: "The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques." Importantly, DoD CIOs stated they did not know they were responsible for implementing and monitoring the key Cybersecurity Culture and Compliance Initiatives (DC3I). One reason for this: the report notes that in December 2016, the DoD moved responsibility for DC3I implementation and oversight from the US Cyber Command to the DoD CIO office as part of implementing the November 2014 DOD Directive 5144.02 that said the DoD CIO office had overall cybersecurity responsibility. While I think there has been a lot of progress at the DoD working levels, it looks like over the transition of Presidential administrations, the transition of responsibility for DoD cybersecurity at the top didn't happen.

John Pescatore

2020-04-16

Texas Judge Approves Mail-in Voting for Anyone Who Requests It

Despite the Texas Attorney General's insistence that concerns about the COVID-19 pandemic would not qualify as a reason to request a mail-in ballot in that state, a Texas District Judge said he will issue a temporary injunction that will allow registered voters in that state to request mail-in ballots. In Texas, absentee ballots are limited to individuals with a disability that prevents them from voting in person.

Editor's Note

So called "computer scientists" (you know who you are) are projecting security requirements onto online voting that are very difficult to meet. They have made the perfect the enemy of the good. Some of these requirements will have to be relaxed to meet the emerging requirement for "travel and date free" voting. We cannot achieve risk free online voting but we can achieve "good enough," perhaps equal to what we now do with mail, signatures, rubber stamps, and double envelopes. The good enough systems will be diverse and multi-step, to include registration, distribution of ballots, recording of votes, return of ballots, early tabulating and reporting, and late auditing and certifying of the results. It is time to stop carping and to begin designing and implementing.

William Hugh Murray

2021-01-27

Air Force Bug Bounty Program Found More Than 460 Vulnerabilities

A US Air Force bug bounty program that ran last fall turned up more than 460 security issues in the Air Force Virtual Data Center. The remote challenge ran from October 23 to November 20, 2019; there was a one-day live element on November 7, 2019.

The Rest of the Week's News


2020-04-15

Linksys Forces Password Reset

Linksys locked all SmartWiFi user accounts on April 2, 2020, after discovering that hackers were breaking into Linksys and D-Link routers and changing their DNS settings to redirect them to malicious sites. The attackers accessed the routers using credential-stuffing attacks. Users need to reset their passwords to regain access to their accounts.

Editor's Note

When users reset their Linksys accounts, it triggers a check of all their associated Linksys devices and alerts the users if any of their DNS settings were compromised. Of note, there was some confusion about the account reset notification sent. The legitimate email comes from subscribermangement@linksys-email.com rather than a linksys.com email address.

Lee Neely
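As an added illustration of the kind of check an account reset could trigger (example code, not Linksys's own), this script flags routers whose configured resolvers are neither on an assumed allowlist nor on the local network; the inventory format, the allowlist and the sample addresses are constructed for the example:

```python
"""Flag routers whose configured DNS resolvers are not on a known-good list.

Added example, not Linksys code. The inventory export format, the trusted
resolver allowlist and the sample addresses are assumptions built for it.
"""
import ipaddress
import json

# Assumed allowlist: resolvers the operator expects to see (constructed).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Resolvers on the LAN itself (the router forwarding to a local box) are
# treated as benign; only RFC 1918 space and loopback count as local here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample export: one record per managed router. 198.51.100.23 is
# a documentation-range address standing in for an unexpected resolver.
SAMPLE_INVENTORY = json.dumps([
    {"device": "home-router-1", "dns": ["1.1.1.1", "1.0.0.1"]},
    {"device": "home-router-2", "dns": ["192.168.1.1"]},
    {"device": "home-router-3", "dns": ["8.8.8.8", "198.51.100.23"]},
    {"device": "home-router-4", "dns": []},
])


def classify_resolver(addr: str) -> str:
    """Return 'trusted', 'private' (local network) or 'unknown'."""
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # not a parsable address at all: treat as suspect
    if any(ip in net for net in LOCAL_NETS):
        return "private"
    return "unknown"


def find_suspect_devices(inventory_json: str) -> dict:
    """Map device name -> resolvers that are neither trusted nor local.
    A device with no resolver configured (ISP via DHCP) is not flagged."""
    suspects = {}
    for record in json.loads(inventory_json):
        bad = [a for a in record["dns"] if classify_resolver(a) == "unknown"]
        if bad:
            suspects[record["device"]] = bad
    return suspects


if __name__ == "__main__":
    for dev, resolvers in find_suspect_devices(SAMPLE_INVENTORY).items():
        print(f"ALERT {dev}: unexpected DNS resolver(s) {resolvers}")
```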

2020-04-15

Google Removes Malicious Chrome Extensions From Web Store

Google has pulled nearly 50 malicious extensions from the Chrome Web Store. These bad apps were pretending to be legitimate cryptocurrency wallet apps, but actually stole cryptowallet keys and other sensitive information.

Editor's Note

A key element of the world recovering from the COVID-19 virus is testing, and a critical part of making widespread testing work will be cellphone apps used for demonstrating an individual's testing status and tracing possible contacts if someone is found to be infected. Google and Apple need to really step up the security of apps and extensions that make it through their testing. Longer times for most apps and extensions to come out of the process are worth it now to significantly elevate the trust/safety level of phones for this coming critical use. Google and Apple are already working together on the tracing side of the problem. A joint effort on radically reducing "badware" that gets through their testing regimes should be a key part of that.

John Pescatore

2020-04-14

Patch Tuesday

On Tuesday, April 14, Microsoft released fixes for more than 100 security issues in Windows and related software. Nineteen of the flaws are rated critical, which means they can be remotely exploited to gain control of vulnerable machines with no user interaction. Three of the vulnerabilities addressed in the update are being actively exploited: two remote code execution flaws in Adobe Font Manager Library, and a remote code execution flaw in Internet Explorer. Adobe released fixes for vulnerabilities in ColdFusion, After Effects, and Digital Editions.


2020-04-16

Zoom Brings in Help to Address Security Issues

Zoom is calling in experts to help it address security and privacy concerns. With millions of people working at home during the COVID-19 epidemic, Zoom's popularity has ballooned. It has also been subjected to greater scrutiny by both hackers and security experts, who have unearthed a number of security and privacy issues. The company has hired numerous security consultants, many of whom are former privacy and security experts from other high-profile tech companies. (Please note that the WSJ story is behind a paywall.)

Editor's Note

Zoom's CEO publicly apologized for "falling short" on security and privacy and Zoom has taken a lot of important steps to improve. But, they aren't the only video conferencing approach in use and we know attackers are going after them all. SANS is doing a series of webinars on the key elements to making sure all remote work is done as securely as possible that you can access at https://www.sans.org/webcasts/

John Pescatore

There is a lot of FUD around Zoom, and rather than drop it like a hot potato, consideration needs to be given to implementing it securely and applying fixes as they come out. Before jumping to another solution, careful analysis of the security, user experience, and transition costs needs to be performed.

Lee Neely

2020-04-16

Czech Republic Cybersecurity Body Warns of Attacks in Healthcare Sector

The Czech Republic's central government cybersecurity body has issued a warning that cyberattackers may be targeting healthcare organizations in that country. The Czech health ministry said it had detected and stopped cyberattacks against hospitals. In a separate story, an FBI official said that hackers who appear to be working with the backing of foreign governments are breaking into systems that belong to companies working on COVID-19 research.


2020-04-16

European Energy Company Faces Ransomware Demand


Editor's Note

It is very late to be seeing so many successful extortions based on weak cyber security. Raise the cost of attack against your systems and improve your resilience. The bad news is that you need to raise the cost of attack about ten-fold to be effective. The good news is that you are on the flat part of the security cost curve where you can get a big bang for your bucks. Lack of budget is not an excuse; there is always money for that which must be done. Ask for it over and over until you get it. That is called "your job."

William Hugh Murray

2020-04-16

Immunity Passports

Several countries have begun floating the idea of an "immunity passport," which would certify that someone is immune to COVID-19. Not only does the idea raise a number of security and privacy issues, but there are still unknowns about immunity to this particular virus.

Editor's Note

I carry an immunization record with me when traveling internationally, typically a paper form, as well as a digital backup, to be surrendered for examination by border control based on the risk of your origin point, or verification that you meet local mandatory immunization requirements. While COVID-19 changes those factors, the bigger issue is having an internationally recognized indicator of immunity to COVID-19.

Lee Neely

2020-04-16

PoetRAT Targeting Organizations in Azerbaijan

A new remote access Trojan (RAT) that is being called PoetRAT is targeting organizations in Azerbaijan. According to Cisco Talos, "the malware was distributed using URLs that mimic some Azerbaijan government domains." Once they gained access to a system, PoetRAT operators used additional tools, including keystroke loggers, password stealers, and "a tool used to monitor the hard disk and exfiltrate data automatically."


2020-04-16

Microsoft Will Extend Support for Windows 10 1809

Microsoft is extending support for Windows 10 1809 and Windows Server 1809. The original end-of-service date, May 12, 2020, has been pushed back to November 10, 2020. Microsoft has recently extended end-of-service dates for several other products, including Windows 10 1709, Configuration Manager 1810, SharePoint Server 2010, SharePoint Foundation 2010, and Project Server 2010. Microsoft made the decision to extend support "to help people and organizations focus their attention on retaining business continuity."

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/


Adobe Security Bulletins

https://helpx.adobe.com/security.html


Microsoft Extending EOL For Windows 10 1709/1809

https://support.microsoft.com/en-us/help/4557164/lifecycle-changes-to-end-of-support-and-servicing-dates


Dell Safe BIOS

https://blog.dellemc.com/en-us/dell-technologies-bolsters-pc-security-todays-remote-workers/


Hunting Without IOCs

https://isc.sans.edu/forums/diary/No+IOCs+No+Problem+Getting+a+Start+Hunting+for+Malicious+Office+Files/26026/


Cloudflare/Online Banking Outages

https://twitter.com/eastdakota/status/1250520852354854912


Crypto Currency Stealing Browser Extensions

https://medium.com/mycrypto/discovering-fake-browser-extensions-that-target-users-of-ledger-trezor-mew-metamask-and-more-e281a2b80ff9


Applocker vs. Living off the Land Attacks

https://isc.sans.edu/forums/diary/Using+AppLocker+to+Prevent+Living+off+the+Land+Attacks/26032/


Windows Security Crashing After Definition Update

https://www.askwoody.com/2020/reports-of-windows-security-nee-microsoft-security-essentials-crashing-after-installing-this-mornings-definition-updates/


700 Malicious Ruby Gems Found

https://thehackernews.com/2020/04/rubygem-typosquatting-malware.html


vCenter Exploit for CVE-2020-3952

https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/