One Week Left to Get an 11" iPad Pro, a Surface Go 2, or $300 Off with OnDemand Training

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #16

February 25, 2020

Coronavirus Affecting Conferences; Median Dwell Time Falling; U.S. DoD DISA Breach Affects 200,000; Wyden Pushing for Release of Voting System Audit



****************************************************************************

SANS NewsBites               February 25, 2020             Vol. 22, Num. 016

****************************************************************************

TOP OF THE NEWS  

  Coronavirus: More Companies Backing Out of Conferences

  Median Dwell Time for Breaches is Falling Worldwide

  U.S. Defense of Department DISA Breach Exposed PII of 200,000 People

  Wyden Pushing for Release of ShiftState Voatz Audit Results



REST OF THE WEEK'S NEWS

  Car Thieves Disabling OnStar, Replacing Vehicle Computers

  Man Arrested in Connection with Political Website DDoS Attacks

  ISS World Recovering from Malware Attack

  NRC Health Ransomware Attack

  Toll Group Working to Recover from Ransomware Attack

  The Most Important Open Source Components and Associated Security Issues

  Samsung Discloses Data Security Incident

  FBI Touts Passphrases Over Passwords

  Zyxel Provides Fix for Zero-day Vulnerability in NAS Devices


INTERNET STORM CENTER TECH CORNER


*************************  Sponsored By Splunk  *****************************


The Fundamental Guide to Building a Better Security Operation Center (SOC). Outdated security solutions struggle to stay ahead of advanced cyberthreats, making it hard to detect unknown or hidden threats. So what are companies who rely on dinosaur technology to do? They need to start building the next generation, modern SOC today. Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/215630


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020


-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- Rocky Mountain Hackfest Summit & Training | Denver,CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020


-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*****************************************************************************

TOP OF THE NEWS   

 

--Coronavirus: More Companies Backing Out of Conferences

(February 21, 2020)

AT&T Cybersecurity and Verizon have decided not to attend the RSA Conference in San Francisco this week, citing concerns about the coronavirus. IBM announced its decision not to attend RSA on February 15. The conference is taking place this week as scheduled. Sony and Facebook's Oculus have pulled out of the Game Developer Conference scheduled for March 16-20 in San Francisco. Coronavirus worries have already caused the cancellation of the World Mobile Congress that was to have taken place in in Barcelona February 24-27. Black Hat Asia 2020 has been postponed to fall 2020, and Cisco has cancelled its Cisco Live! Conference that was scheduled to be held in Melbourne, Australia early next month.


[Editor Comments]


[Murray and Neely] The best advice comes from the WHO and CDC regarding the Coronavirus ad should be incorporated in making a decision relating to attending or hosting an event.


[Honan] The increasing spread of the Coronavirus is a great opportunity for companies to revise their Business Continuity Plans (BCPs). Too often BCPs focus on the IT aspect of an interruption to business and not on the human element. Getting senior management to understand the impact of large numbers of staff being quarantined or out of work sick can help get the buy-in required for the non-IT element of BCPs. The Irish government has published an excellent guide for companies to deal with an influenza outbreak which can be adapted for use with the Coronavirus https://www.gov.ie/en/publication/2f5d5f-business-continuity-planning-checklist-of-preparatory-actions-in-res/: Business Continuity Planning - Checklist of Preparatory Actions in Responding to an Influenza Outbreak

 

Read more in:

SC Magazine: AT&T, Verizon join RSA exodus over Coronavirus fears

https://www.scmagazine.com/home/security-news/att-joins-rsa-exodus-black-hat-asia-rescheduled-over-coronavirus-fears/

CNET: Coronavirus prompts Verizon to pull out of RSA sponsorship

https://www.cnet.com/news/coronavirus-prompts-verizon-to-pull-out-of-rsa-sponsorship/

Axios: Coronavirus forces more companies to skip tech conferences

https://www.axios.com/coronavirus-tech-conference-cancellations-91ba53ec-0618-4fb5-8335-d6672e38aecc.html

 
 

--Median Dwell Time for Breaches is Falling Worldwide

(February 20, 2020)

According to the M-Trends 2020 Report, the global median "dwell time" - the time from initial breach to detection - fell from 78 days to 56 days in just one year. The report also found that while breaches are being detected more quickly, they are more often discovered by third parties rather than internally.


[Editor Comments]


[Neely] More rapid discovery of breaches is moving the bar in the right direction. That external parties are discovering them first is an indication that partnering with an external service can help cover gaps in internal services and could be used with an accompanying build or buy decision for the long-term strategy.

 

[Honan] It is good to see a downward trend in this statistic, however it is still way too high. The fact that breaches are being discovered by third parties rather than the victims is still a worrisome trend. Preventive controls are essential in cybersecurity, but equally important is having appropriate detection controls in place and effective incident response.

 

Read more in:

FireEye: M-Trends 2020 (PDF)

https://content.fireeye.com/m-trends/rpt-m-trends-2020

ZDNet: Cybersecurity: Hacking victims are uncovering cyberattacks faster - and GDPR is the reason why

https://www.zdnet.com/article/cybersecurity-hacking-victims-are-uncovering-cyber-attacks-faster-and-gdpr-is-the-reason-why/

Dark Reading: Firms Improve Threat Detection but Face Increasingly Disruptive Attacks

https://www.darkreading.com/attacks-breaches/firms-improve-threat-detection-but-face-increasingly-disruptive-attacks/d/d-id/1337097

 
 

--U.S. Defense of Department DISA Breach Exposed PII of 200,000 People

(February 20 & 24, 2020)

The US Department of Defense's (DoD's) Defense Information Systems Agency (DISA) has acknowledged a network breach that compromised the personal information of at least 200,000 individuals. On February 11, 2020, DISA sent letters to the people whose data were compromised, telling them that the breach occurred between May and June 2019. DISA secures and manages White House communications.


Read more in:

Threatpost: Data Breach Occurs at Agency in Charge of Secure White House Communications

https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/

SC Magazine: DISA breach likely exposed personal data on at least 200K

https://www.scmagazine.com/home/security-news/disa-breach-likely-exposed-personal-data-on-at-least-200k/

Cyberscoop: Pentagon's tech agency reveals potential breach involving personal data

https://www.cyberscoop.com/disa-breach-pii/

FNN: DISA exposes personal data of 200,000 people

https://federalnewsnetwork.com/disa/2020/02/disa-exposes-personal-data-of-200000-defense-employees/

 
 

 --Wyden Pushing for Release of ShiftState Voatz Audit Results

(February 24, 2020)

US Senator Ron Wyden (D-Oregon) is asking a company that conducted an audit on the Voatz mobile voting app to disclose the results. While ShiftState's audit gave Voatz "high marks," researchers at MIT recently published a paper enumerating security concerns present in Voatz. Specifically, Wyden wants to know how many "ShiftState personnel that audited Voatz [have] experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security;" whether ShiftState detected the same flaws the MIT researchers found; and whether the company agrees or disagrees with the MIT findings and why.


[Editor Comments]


[Pescatore] Something as critical as voting software should have more public security testing references than just a small company that has been in existence for under two years. Voatz has started up a managed bug bounty program, talking about many of the right things security-wise but anything connected to elections needs to have the talk verified to see if the right actions match the talk.


[Neely] The challenge will be finding a repeatable methodology that adequately tests the security of voting apps irrespective of who performs that assessment. Given the stakes, reconciliation of assessments from multiple sources is appropriate to ensure election integrity.

 

Read more in:

MeriTalk: Sen. Wyden Questions ShiftState on Voatz Audit

https://www.meritalk.com/articles/sen-wyden-questions-shiftstate-on-voatz-audit/

 

****************************  SPONSORED LINKS  ******************************


1) Webcast March 12th at 1 PM ET: Innovative Application Security Testing Techniques for Modern Software Development. Register: http://www.sans.org/info/215635


2) Survey | How do you currently measure your threat hunting efforts? Take this survey: http://www.sans.org/info/215640


3) Don't miss this upcoming webcast: Secure Branch Connectivity With SD-WAN. Register: http://www.sans.org/info/215650


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Car Thieves Disabling OnStar, Replacing Vehicle Computers

(February 11, 2020)

In "a recent string of stolen Chevrolet Silverado pickups," thieves disabled the OnStar anti-theft technology almost immediately, reducing the likelihood of the vehicles' recovery. Surveillance video has shown how fast the thieves operate - pop the lock, open the hood, change the computer, and disable OnStar tracking.


Read more in:

GMAuthority: Chevrolet Silverado Thieves Disable OnStar Tracking

https://gmauthority.com/blog/2020/02/chevrolet-silverado-thieves-disable-onstar-tracking/

NBCDFW: Thieves Target Chevrolet Silverados, Disable OnStar Tracking

https://www.nbcdfw.com/news/local/thieves-target-chevrolet-silverados-disable-onstar-tracking/2309420/

 
 

--Man Arrested in Connection with Political Website DDoS Attacks

(February 21 & 24, 2020)

The FBI has arrested a California man for allegedly launching distributed denial-of-service (DDoS) attacks against the website of a political candidate. The suspect's wife worked as a campaign staffer for one of the victim's political opponents.


Read more in:

The Intercept: FBI Arrests Hacker Linked to Former Rep. Katie Hill's Campaign

https://theintercept.com/2020/02/21/fbi-arrests-hacker-linked-to-katie-hill-campaign/

Ars Technica: California man arrested on charges his DDoSes took down candidate's website

https://arstechnica.com/information-technology/2020/02/california-man-arrested-on-charges-his-ddoses-took-down-candidates-website/

Cyberscoop: Feds charge California man for 2018 DDoS attacks on congressional campaign

https://www.cyberscoop.com/arthur-dam-katie-hill-ddos-election-security/

The Hill: FBI arrests man accused of launching cyberattacks against former Rep. Katie Hill's rival

https://thehill.com/homenews/house/484122-fbi-arrests-hacker-linked-to-former-rep-katie-hills-2018-campaign

SC Magazine: Campaign staffer's husband arrested for DDoSing former Rep. Katie Hill's opponent

https://www.scmagazine.com/home/security-news/cyberattack/campaign-staffers-husband-arrested-for-ddosing-former-rep-katie-hills-opponent/

 
 

--ISS World Recovering from Malware Attack

(February 21, 2020)

Copenhagen-based ISS World says it is recovering from a malware attack that hit its network last week. The facilities management has more than half a million employees around the world. ISS says it has determined the "root cause" of the problem, but has not said if the malware is ransomware.  


Read more in:

GovInfosecurity: Facilities Maintenance Firm Recovering from Malware Attack

https://www.govinfosecurity.com/facilities-maintenance-firm-recovering-from-malware-attack-a-13747

 
 

--NRC Health Ransomware Attack

(February 20 & 21, 2020)

NRC Health, a company that administers patient satisfaction surveys for hospitals across the US, has acknowledged that its systems were hit with a ransomware attack on February 11. The company shut down its "entire environment" to limit the damage. Hospitals have expressed concern about the security of patient data.


Read more in:

FierceHealthcare: NRC Health recovering from ransomware attack

https://www.fiercehealthcare.com/tech/vendor-nrc-health-working-to-restore-it-systems-after-ransomware-attack

CNBC: Cyberattack on NRC Health sparks privacy concerns about private patient records stored by US hospitals

https://www.cnbc.com/2020/02/20/nrc-health-cyberattack-sparks-privacy-concerns-about-patient-records-in-us.html

 
 

--Toll Group Working to Recover from Ransomware Attack

(February 18, 2020)

Australian freight delivery provider Toll Group is still recovering from a ransomware attack that hit its network in late January. The company has not and does not plan to pay the ransom demand. Toll customers have expressed frustration with delays that resulted from network downtime.  


Read more in:

CISOMag: Toll Faces Customer Fallout After Cyberattack

https://www.cisomag.com/toll-faces-customer-fallout-after-cyberattack/

 
 

--The Most Important Open Source Components and Associated Security Issues

(February 18 & 20, 2020)

The Census Program II "identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities." The report is the work of the Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH).


[Editor Comments]


[Ullrich] The security of software components continues to be a problem. This report focuses in particular on JavaScript Node Package Manager (npm) packages. Over the last year, a number of npm packages has been compromised. If you are using npm (and at this point, there are hardly any organizations that do not), you need to come up with a way to inventory and audit the packages you use. This isn't easy, and will take time, but is essential just like your hardware inventory.


[Neely] The challenge of open source is determination of how well it has been assessed. A report like this provides an extra data point to accompany your own assessment and validation processes.


Read more in:

Core Infrastructure: Census Program II - Download Preliminary Report

https://www.coreinfrastructure.org/programs/census-program-ii/

The Register: The great big open-source census: Most-used libraries revealed - plus 10 things developers should be doing to keep their code secure

https://www.theregister.co.uk/2020/02/20/linux_foundation_report/

ZDNet: The Linux Foundation identifies most important open-source software components and their problems

https://www.zdnet.com/article/the-linux-foundation-identifies-the-most-important-open-source-software-components-and-their-problems/

 
 

--Samsung Discloses Data Security Incident

(February 24, 2020)

Samsung said that a data security incident last week allowed some users to view other users' information. The company says the incident was not related to the mysterious "1/1" push notifications some users reported receiving. Those notifications came from the Find My Mobile app even if the users had it disabled.


Read more in:

Silicon Angle: Samsung suffers data breach as coronavirus spreads through South Korea

https://siliconangle.com/2020/02/24/samsung-suffers-data-breach-coronavirus-spreads-south-korea/

The Register: Samsung cops to data breach after unsolicited '1/1' Find my Mobile push notification

https://www.theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/

 
 

--FBI Touts Passphrases Over Passwords

(February 18, 21, & 22, 2020)

A Tech Report from the FBI's Portland, Oregon Field Office encourages people to use passphrases of at least 15 characters rather than passwords, because the longer passphrases are more difficult to crack. The passphrases do not need to contain numbers, special characters, or a combination of upper- and lower-case letters.


[Editor Comments]


[Neely] NIST 800-63-3 provides guidance which supports this choice. In addition to length, and lack of special characters, password systems need to prevent the use of single dictionary words and words related to the service or person creating the passphrase. Lastly, the ability to manage a banned-words list built from prior incidents and breaches should be considered.


Read more in:

FBI: Oregon FBI Tech Tuesday: Building a Digital Defense with Passwords

https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-with-passwords

ZDNet: FBI recommends passphrases over password complexity

https://www.zdnet.com/article/fbi-recommends-passphrases-over-password-complexity/

TechNadu: FBI Recommends Using Long Passphrases Over Strong Passwords

https://www.technadu.com/fbi-recommends-long-passphrases-over-strong-passwords/93502/

 
 

--Zyxel Provides Fix for Zero-day Vulnerability in NAS Devices

(February 24, 2020)

Zyxel, which makes networking devices, has released a fix for a remote code execution vulnerability affecting some of its Network Attached Storage (NAS) products. Zyxel learned of the issue nearly two weeks ago, when KrebsOnSecurity notified the company that directions for exploiting the flaw were being offered for sale online. Some of the products affected by the vulnerability are no longer supported.   


Read more in:

Zyxel: Zyxel security advisory for the remote code execution vulnerability of NAS products

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

KrebsOnSecurity: Zyxel Fixes 0day in Network Storage Devices

https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/

 

*****************************************************************************


INTERNET STORM CENTER TECH CORNER


Old Style Excel Macro Malware

https://isc.sans.edu/forums/diary/Maldoc+Excel+4+Macros+in+OOXML+Format/25830/


Simple But Efficient VBScript Obfuscation

https://isc.sans.edu/forums/diary/Simple+but+Efficient+VBScript+Obfuscation/25828/


Let's Encrypt Beefs Up Validation

https://letsencrypt.org/2020/02/19/multi-perspective-validation.html


ScrollToTextFragment Privacy Concerns in Google Chrome 80

https://github.com/WICG/ScrollToTextFragment/issues/76#issue-538137989

https://docs.google.com/document/d/1YHcl1-vE_ZnZ0kL2almeikAj2gkwCq8_5xwIae7PVik/edit#heading=h.uoiwg23pt0tx


Google Warns of Microsoft Edge (in German)

https://www.heise.de/security/meldung/l-f-Google-findet-den-neuen-Edge-Browser-doof-und-unsicher-4665634.html


Google Play Store Joker / Clicken Malware

https://research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/


Another OpenSMTPD Vulnerability

https://github.com/OpenSMTPD/OpenSMTPD/releases


WhatsApp Group Invite Links in Search Engines

https://twitter.com/JordanWildon/status/1230829082662842369


 


*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create