SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
April 23, 2019
150 Best US Colleges for Cyber Talent; Russian Hackers Infiltrated Florida Computers Before 2016 Election; DOE Developing Technology “Blacklist” for Utilities; Industry Choosing IT Cybersecurity Experts for OT Security
The 150 “Top Tier” US colleges for discovering and developing cybersecurity talent are listed at the end of this issue, sorted by state. If your organization recruits from any of these colleges, you now have the option to ask candidates for their “CyberStart scores.” Performance on CyberStart was proven to be a reliable indicator of “elite” cyber talent in a national program in the UK. See www.cyber-fasttrack.org for details on the program. Twenty-five state governors announced the program and encouraged students in their states to “just try it” to discover their natural talent. More than 400 new students are engaging every day, so the Top Tier colleges will change over the remaining three weeks of student eligibility for 2019. George Mason demonstrated they could boost their college’s rank more than 50 positions in just 2 days by sending a single email to their students to tell them about the program (and the $2.5 million in available scholarships). With over 7,400 college students already participating, the program shows preliminary promise of scaling to fill the nation’s need for elite cyber talent within the next 3 years.
*********************** Sponsored By Splunk ******************************
One Phish, Two Phish, Three Phish, Fraud Phish. In this Seuss-inspired children’s book, readers are taken on a colorful journey, discovering the many surprising ways fraud touches our everyday lives, including credit card scams, payroll fraud, financial aid swindles, healthcare deception, and wire transfer fraud, as well as phishing attacks, account takeovers, and more. http://www.sans.org/info/211883
–Russian Hackers Infiltrated Florida Computers Before 2016 Election
Mueller’s report on the investigation into Russian interference in the 2016 US presidential election says that “the Russian government interfered in the 2016 presidential election in sweeping and systematic fashion.” According to the report, Russian hackers infiltrated the computer systems of at least one Florida county government and planted malware on the network of a voting technology vendor. The report did not offer evidence that either incident compromised election results.
[Pescatore] The US Election Assistance Commission has a list that shows 9 different organizations have active efforts focused on improving election system security that have started since January 2017, when election systems were finally defined as critical infrastructure. Most of those efforts are essentially defining best practices or identifying gaps against well-known best practices. This is kind of like studying best practices for avoiding potholes in roads (critical infrastructure) and identifying known potholes – without any emergency activity to at least fill those potholes!
[Murray] The strength of our election system rests more upon its diversity than on any technology. That said, we should prefer technology that is transparent, vetted before use, and audited after. It is salutary that more than half of us vote on paper ballots. Note that alternative means of recording votes were motivated by the desire for easy tabulation and early reporting, and that fraud has more often been in the counting and reporting processes than in the recording processes.
Read more in:
Politico: Collusion aside, Mueller found abundant evidence of Russian election plot
–DOE Developing Unclassified Technology “Blacklist” for Electric Utilities
(April 18, 2019)
The US Department of Energy (DOE) and the National Counterintelligence and Security Center are looking at ways to be more transparent about technology that poses security risks. DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) is developing an unclassified “don’t buy” list of foreign-supplied equipment and technology, backed by intelligence reporting, for the country’s electric utilities.
[Pescatore] More transparency is definitely needed, as all too often the products that are put on the government’s “Don’t Buy” list get there solely because of the country of origin, vs. any evidence or testing that showed malicious capabilities. Meanwhile, many products that governments routinely buy for Critical Infrastructure and deploy from domestic suppliers (see election machines) are riddled with vulnerabilities that are easily exploited by foreign powers. If all products for Critical Infrastructure were routinely tested before procurement, transparency in the results would not require any “redacting” or declassification.
[Neely] These lists are driven by counterintelligence, not cyber security, which means they are based on an assessment of the company and those that control their production of products more than actual deficiencies. They are answering the question “Should we do business with this company?” This also means that full disclosure of the research/evidence behind the negative decision may not be possible due to classification and need-to-know restrictions. Ideally there should also be supporting identified product deficiencies to enable a more rounded choice and support the blacklist decision.
Read more in:
E&E News: How hacking threats spurred secret U.S. blacklist
–Industry Choosing IT Cybersecurity Experts for OT Security
According to a 2018 Gartner report, just 35 percent of large industrial companies have put the CISO or their equivalent in charge of the networks that manage physical processes, also known as Operational Technology (OT). One of the reasons the figure is low is that manufacturers were concerned that the cybersecurity experts would interfere with manufacturing processes. The figure is expected to double by 2021; a central driver of the trend is believed to be the NotPetya and WannaCry attacks of 2017, which caused serious problems at major manufacturers.
[Pescatore] The 35% estimate from early 2018 seems high to me, and probably a better question is “What percentage of security programs have the staff, skills and architecture to successfully secure OT systems?” Changing the Visio organization chart to show new functions under boxes is easy, but even security organizations that are mature in monitoring and securing PCs, servers and routers aren’t necessarily able to effectively secure OT systems, let alone integrate them into existing processes.
[Neely] Understanding how to secure components that can’t be patched and have multi-decade lifecycles is going to be a challenge for many cyber security professionals. While OT is not general purpose IT, bringing cyber expertise to bear can ensure adequate and verified perimeter protections are in place for those devices and their presence and purpose incorporated into the overall cyber strategy, resulting in more secure integration and access to and with IT systems. Even so, cooperation between the system owners and cyber teams will be critical to minimize operational impacts.
Facebook has acknowledged that it stored millions of Instagram passwords in internal server logs in plaintext. The news follows the revelation last month that Facebook employees had access to hundreds of millions of Facebook user passwords stored in plaintext, and less than a day after Facebook acknowledged that it had inadvertently saved contact lists of 1.5 million new Facebook users.
[Williams] While I’ve seen many downplay this report, saying “there’s no evidence of anyone inappropriately accessing the passwords,” logging them breaks the fundamental principle of non-repudiation. While Instagram timelines don’t regularly appear as critical evidence in my cases, this should serve as a warning for some smaller shops that do have non-repudiation issues – if it can happen to Facebook, it can happen to you. Logging HTTP POST variables is particularly dangerous for e-commerce where credit card data can be logged and put in the SIEM.
[Neely] This would be an excellent time to update your password as well as enable two-factor authentication on Facebook and Instagram accounts. Select the authenticator app rather than SMS code option. You can elect to have the service remember known devices so you only get prompted for the second factor when a new device authenticates.
[Northcutt] FB has also acknowledged lifting as many as 1.5M email addresses without customer consent.
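Added example (an editor’s illustration, not code from the article or from Facebook): the request-logging pattern that leaks credentials, the same logger with redaction applied before the line is formatted, and a small scan that flags log lines already carrying a cleartext password or a Luhn-valid card number, which is the e-commerce case raised above. The field names, patterns and log lines are constructed for the example.

```python
import json
import re

# Form fields whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "token", "card_number", "cvv"}

def log_post_unsafe(path, form):
    """The leaking pattern: every POST variable is written into the log line."""
    return f"POST {path} {json.dumps(form, sort_keys=True)}"

def redact(form):
    """Copy of the form with sensitive values masked; keys stay so the log still
    shows which fields were submitted, just not what they contained."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in form.items()}

def log_post_safe(path, form):
    """Hardened variant: redact before the line is formatted, never after."""
    return f"POST {path} {json.dumps(redact(form), sort_keys=True)}"

# Detection side: find lines already in a log that carry a credential or a card number.
KEY_PATTERN = re.compile(r'"?(password|passwd|pwd|token|cvv)"?\s*[:=]\s*"?([^",&\s]+)', re.I)
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_log(lines):
    """Return (line_number, reason) for every line that leaks a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = KEY_PATTERN.search(line)
        if m and m.group(2) != "[REDACTED]":
            findings.append((n, f"cleartext {m.group(1).lower()}"))
            continue
        for candidate in PAN_PATTERN.findall(line):
            if luhn_ok(re.sub(r"[ -]", "", candidate)):
                findings.append((n, "possible card number (Luhn-valid)"))
                break
    return findings

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    log_post_unsafe("/login", {"username": "alice", "password": "hunter2"}),
    log_post_safe("/login", {"username": "alice", "password": "hunter2"}),
    "POST /checkout card=4111-1111-1111-1111&exp=1225",
    "GET /health 200 0.012s",
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {SAMPLE_LOG[n - 1]}")
```

Run against the constructed lines, the scan flags line 1 (cleartext password) and line 3 (card number) and passes the redacted line 2. The point of redacting at format time is that the raw body never exists in the logging path, so a later change to log shipping or SIEM forwarding cannot reintroduce the leak.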
–Hutchins Pleads Guilty to Charges Related to Malware Creation
(April 19 & 22, 2019)
Marcus Hutchins, the UK man who discovered a way to stop WannaCry from spreading, has pleaded guilty to conspiracy and to distributing malware. In 2014, Hutchins created the Kronos Trojan, which has been used to steal online bank account access credentials. Hutchins was arrested as he was preparing to fly home after attending a conference in Las Vegas, Nevada in 2017.
Computer systems in four municipalities across the US have been affected by ransomware in the past week and a half. Systems in Greenville, North Carolina, became infected on April 10. Systems in Imperial County, California and in Stuart, Florida became infected on April 13, and systems in Augusta, Maine were infected on April 18.
[Shpantzer] Let’s see here… If ransomware/nukeware shuts down hospital systems, municipal networks with transportation and other OT, manufacturing plants, and other critical infrastructure (and all of those have happened), what are the international norms at play? If I walked into a hospital and took a hammer to a rack in the datacenter and shut the place down for a while, what would I be charged with? Why is ransomware not treated as an entirely different category than say stealing credit card numbers and creating banking Trojans to steal money from financial services or even stealing IP? Some counties in the US have populations bigger than some countries. I can help people mitigate the impact of ransomware but I can’t deter bad actors from doing this because I don’t arrest people. This seems like a job for better financial intelligence and manhunts for organized crime and those who enable this kind of disruption, at the international level.
Read more in:
SC Magazine: Ransomware ravages municipalities nationwide this week
–Microsoft Patch Causing Problems for Users of Certain A-V Products
(April 19, 2019)
A component of the April 9 Windows security update is causing problems for users of several different anti-virus products. Users running anti-virus software from Avast, Avira, ArcaBit, McAfee and Sophos have been reporting that the update has caused their computers to become slow and even unresponsive. Avast and ArcaBit have released updates to fix the problem, and McAfee is in the process of developing a fix. Microsoft is blocking users running Avira and Sophos products from downloading the updates until fixes are developed. The problems affect users running Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2.
[Williams] Antivirus companies aren’t using undocumented interfaces because they want to or because “it looks cool.” They’re doing it because Microsoft isn’t providing the interfaces the AV companies need to protect users. If Microsoft isn’t careful, they’ll find themselves under the gun of another antitrust lawsuit from AV companies.
Read more in:
Ars Technica: McAfee joins Sophos, Avira, Avast–the latest Windows update breaks them all
–CIA Reportedly Told Foreign Intelligence Officials That Huawei Receives Funding from China’s Military
(April 21, 2019)
According to a report in The Times, the CIA told intelligence officials in Canada, the UK, New Zealand, and Australia that Huawei receives funding from Chinese government organizations. The Times reported that Huawei has received funding from “the People’s Liberation Army, China’s National Security Commission and a third branch of the Chinese state intelligence network.”
[Williams] There are lots of reasons not to use Huawei networking equipment, the biggest of which is the total lack of an SDLC (secure development lifecycle). Using a weak argument like Huawei taking money from the PLA hurts the argument itself.
Read more in:
CNET: CIA reportedly says Huawei funded by Chinese state security
The US National Institute of Standards and Technology (NIST) has released NIST Special Publication (SP) 800-163 Revision 1, Vetting the Security of Mobile Applications. The original version of the document was released in January 2015. The updated version “expands on the original document by exploring resources that can be used to inform an organization’s requirements for mobile app security;” provides greater detail about the steps of the vetting process; and offers a deeper “exploration of the current threat landscape facing mobile apps.”
[Neely] Keeping guidance on assessing mobile applications updated is key for success. Use this guide to develop processes for vetting key applications, and use your EMM to enforce decisions. Some of the risks associated with non-vetted applications can be mitigated by requiring installation from the official Apple and Google Play stores. Additionally, require Play Protect on Android devices, which can uninstall apps that have been identified as malicious. This is built into the iTunes store.
Read more in:
MeriTalk: NIST Updates Guidance on Mobile App Security Vetting
–GPS Rollover Issue Crashes New York City Wireless Network
(April 10, 12, & 22, 2019)
The GPS week-number rollover on April 6 caused New York City’s private wireless network, NYCWiN, to crash; it remained down for 10 days. The rollover happens roughly every 20 years because the legacy GPS navigation message carries the week number in a 10-bit field, which wraps back to zero after 1,024 weeks; receivers whose firmware does not account for the wrap report dates about 19.6 years in the past. The NYCWiN outage affected “some of the New York Police Department’s license-plate readers, the Department of Transportation traffic-light programming, and communications at remote work sites for the sanitation and parks departments.” An investigation is expected to be completed next week.
[Murray] Y2K should have taught us the folly of allocating storage, or even address space, as though it is a scarce resource. This is an example of false economy resulting from trying to drive by looking in the rear view mirror.
Read more in:
Statescoop: NYC works to reboot wireless network after GPS update crashed it
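Added example (an editor’s illustration, not code from the article or from any GPS vendor) of the mechanism behind the outage: the satellites broadcast only the low 10 bits of the week count, so a receiver must decide which 1,024-week epoch it is in. The block contrasts firmware that hard-codes the number of rollovers with the pivot-date approach, using Python’s date arithmetic to check the dates the text gives. The pivot date and the “one rollover assumed” firmware are hypothetical.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)             # start of GPS week 0
LEGACY_WEEK_BITS = 10                    # week field in the legacy navigation message
ROLLOVER_WEEKS = 1 << LEGACY_WEEK_BITS   # 1024 weeks, about 19.6 years

def full_week_to_date(week):
    """Sunday that starts the given (unwrapped) GPS week."""
    return GPS_EPOCH + timedelta(weeks=week)

def broadcast_week(full_week):
    """What the satellite actually transmits: only the low 10 bits of the week count."""
    return full_week % ROLLOVER_WEEKS

def fixed_offset_decode(week10, rollovers_assumed):
    """Hypothetical receiver firmware that hard-codes how many rollovers have happened.
    A unit built after the 1999 rollover that assumes exactly one is correct until
    6 April 2019; after that every date it reports is 1024 weeks in the past."""
    return full_week_to_date(rollovers_assumed * ROLLOVER_WEEKS + week10)

def pivot_decode(week10, pivot):
    """Resolve the ambiguity with a pivot date (typically the firmware build date):
    take the first week on or after the pivot whose low 10 bits match.
    Correct for 1024 weeks after the pivot, after which it fails the same way."""
    pivot_week = (pivot - GPS_EPOCH).days // 7
    candidate = pivot_week - pivot_week % ROLLOVER_WEEKS + week10
    if candidate < pivot_week:
        candidate += ROLLOVER_WEEKS
    return full_week_to_date(candidate)

if __name__ == "__main__":
    true_week = 2048                      # first week after the April 2019 rollover
    wn = broadcast_week(true_week)        # the satellites send 0
    print("true date        :", full_week_to_date(true_week))
    print("one-rollover fw  :", fixed_offset_decode(wn, 1))
    print("pivot-2018 fw    :", pivot_decode(wn, date(2018, 6, 1)))
```

The check a practitioner wants from this is the second line of output: a receiver that assumed a single rollover jumped back to 22 August 1999 on 7 April 2019, which is what breaks certificate validation, log timestamps and time-synchronised radio schedules downstream. The pivot approach only postpones the problem by 1,024 weeks from the pivot date, so the firmware date of every GPS-disciplined device in the inventory is the value to track.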
In August 2014, the global IPv4 BGP routing table, which holds every known routable IPv4 prefix (CIDR block), grew past 512,000 entries, the default forwarding-table allocation on a number of older routers, and those routers could no longer store the full table. The event, referred to as 512k Day, caused ISP outages around the world. At the time, legacy routers got emergency fixes (on many platforms a reallocation of forwarding memory) that let admins allocate more memory to the IPv4 BGP routing table; the new upper limit was, in general, set at 768k. Entities tracking the size of the global BGP routing table say that 768k Day could occur within the next month.
[Ullrich] A similar “512k Day” caused some limited outages a few years ago. Sadly, the solution for older routers is to allocate memory for IPv4 that could be used for IPv6 instead. One reason IPv4 space is becoming more fragmented is the lack of IPv4 addresses and the need to use them more and more efficiently.
[Neely] The two primary mitigations to this risk are replacing older equipment such as Cisco 6500/7600 series products and not accepting /24 routes, instead letting upstream transit providers handle that routing.
Read more in:
ZDNet: Some internet outages predicted for the coming month as ‘768k Day’ approaches
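Added example (an editor’s illustration, not code from the article or from Cisco): a small parser over a constructed `show ip bgp` excerpt that counts only best paths, since those are what get installed and consume forwarding memory, builds a prefix-length histogram, reports headroom against the 768k ceiling named above, and simulates the “reject /24s” policy suggested in the comments. The table excerpt, the limit constant and the warning threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Ceiling after the 2014 reallocation on the affected platforms, per the item above
# (treated here as the configured IPv4 forwarding-table limit; adjust for your hardware).
IPV4_FIB_LIMIT = 768_000

# Constructed 'show ip bgp' excerpt for this example (not a real table dump).
SHOW_IP_BGP = """\
     Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       203.0.113.1              0             0 64500 i
*  1.0.0.0/24       198.51.100.1             0             0 64501 64500 i
*> 1.0.4.0/22       203.0.113.1              0             0 64502 i
*> 3.0.0.0          203.0.113.1              0             0 64503 i
*>i8.8.8.0/24       10.0.0.2                 0    100      0 64504 i
*> 100.64.0.0/10    203.0.113.1              0             0 64505 i
*> 192.0.2.0/24     198.51.100.1             0             0 64501 i
"""

# Status flags, optional whitespace, dotted quad, optional /len.
LINE_RE = re.compile(r"^([*sdhr>i ]{1,3}?)\s*(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?")

def classful_len(addr):
    """Cisco prints classful networks without a mask; recover the implied length."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24

def parse_show_ip_bgp(text):
    """Yield (network, is_best_path) for every path line in the output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status, addr, plen = m.groups()
        plen = int(plen) if plen else classful_len(addr)
        yield ipaddress.ip_network(f"{addr}/{plen}", strict=False), ">" in status

def fib_routes(text):
    """Only best paths are installed; they, not RIB paths, consume forwarding memory."""
    return {net for net, best in parse_show_ip_bgp(text) if best}

def prefix_histogram(routes):
    return Counter(net.prefixlen for net in routes)

def capacity(n_routes, limit=IPV4_FIB_LIMIT, warn_pct=90):
    """Return (state, remaining entries); warn_pct is an assumed alerting threshold."""
    pct = 100.0 * n_routes / limit
    state = "FULL" if n_routes >= limit else "WARN" if pct >= warn_pct else "OK"
    return state, limit - n_routes

def apply_max_prefixlen(routes, max_len):
    """Simulate an inbound policy that drops prefixes longer than max_len and
    relies on the upstream's default or aggregate route instead."""
    return {net for net in routes if net.prefixlen <= max_len}

if __name__ == "__main__":
    routes = fib_routes(SHOW_IP_BGP)
    print("FIB routes:", len(routes), "by length:", dict(sorted(prefix_histogram(routes).items())))
    print("capacity:", capacity(len(routes)))
    print("after rejecting longer than /22:", len(apply_max_prefixlen(routes, 22)))
```

Two details matter when running this against a real dump: count best paths rather than lines, because a multi-homed router holds several paths per prefix but installs one, and handle the mask-less classful lines, which a naive split on “/” silently drops. On a full table the histogram shows how much of the load is /24s, which is what makes the filtering mitigation effective, and the capacity function is the alert to wire into monitoring before the ceiling is hit.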
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI’s critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation’s top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power’s CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute’s top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute’s Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS’ efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.