The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
CSIAC ANNOUNCEMENTS:
Today’s Predictions for Tomorrow’s Internet – National Cyber Security Awareness Month – Week 3: October 16-20 - CSIAC
Smart cities, connected devices, digitized records, as well as smart cars and homes have become a new reality. Week 3 will remind citizens that their sensitive, personal information is the fuel that makes smart devices work. While there are tremendous benefits of this technology, it is critical to understand how to use these cutting-edge innovations in safe and secure ways.
Free CSIAC Webinar – Thursday, October 26 @ 12:00 pm EDT – Applying the 20 Critical Controls for Risk Assessment - CSIAC
This webinar will introduce attendees to the Center for Internet Security (CIS) Top 20 Critical Security Controls. Tools and techniques to implement the controls will be discussed. With the uncertainty and risks associated with the Internet of Things (IoT), it is essential to understand how to assess a system or a business network and implement controls to eliminate, minimize, mitigate or manage risk. The "Top 20" is an industry accepted framework for cyber security managers to address all elements within and threats to a network. The incorporation of these controls provides learners with real world skills and experiences.
FEEDBACK FROM PREVIOUS DIGEST:
Cloud Computing:
Cut Cord: How Viacom’s Master Controls Were Left Exposed - UpGuard
The UpGuard Cyber Risk Team can now disclose that Viacom Inc, the Fortune 500 corporation that owns Paramount Pictures, as well as cable channels like MTV, Comedy Central, and Nickelodeon, exposed a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation's business operations.
RECENT HEADLINES:
Critical Infrastructure:
Cyber Risks Loom for Energy Sector - FCW
The potentially catastrophic cyber threat looming over U.S. critical infrastructure is potentially worse than a busy hurricane season, according to a key Department of Energy infrastructure security official.
Cyberwarfare:
Russia May Have Tested Cyber Warfare on Latvia, Western Officials Say - Reuters
Moscow was probably behind interruptions in Latvia's mobile communications network before Russia's war games last month, in an apparent test of its cyber attack tools, Baltic and NATO officials said, based on early intelligence of the drills.
DOD Tests and Deploys Upgraded JRSS - Defense Systems
The Navy is now assessing its implementation of its Joint Regional Security Stacks data consolidation and interoperability initiative by subjecting data networks to a wide range of attack scenarios, emerging threats and operational conditions.
North Korea Hackers Stole South Korea-U.S. Military Plans to Wipe Out North Korea Leadership: Lawmaker - Reuters
Democratic Party representative Rhee Cheol-hee said 235 gigabytes of military documents were taken from the Defense Integrated Data Center in September last year, citing information from unidentified South Korean defense officials.
Data Security:
Equifax Website Borked Again, This Time to Redirect to Fake Flash Update - Ars Technica
In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.
Heads Up: This Netflix Phish Targets Business Email, Not Just Home Accounts - PhishMe
A most-recent example shows a message that again spoofs Netflix but also collects credit card details.
Severe Flaw in WPA2 Protocol Leaves Wi-Fi Traffic Open to Eavesdropping - Ars Technica
An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points. The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks.
Spoofed SEC Emails Distribute Evolved DNSMessenger - Talos
Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server. We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain.
Attackers can Pull Data From Air-gapped Networks’ Surveillance Cameras - SC Magazine
Researchers have demonstrated a way for remote attackers to exfiltrate data from and send malicious commands to air-gapped networks, using infrared surveillance cameras that ironically are supposed to make the organizations using them more secure.
Blockchain and Digital Currency:
Russia Turns Cold on Crypto-Currencies - Reuters
President Vladimir Putin said on Tuesday crypto-currencies were risky and used for crime, as Russia’s central bank said it would block websites selling bitcoin and its rivals - a change of tone from a month-old promise to legalize the market.
Internet-of-Things:
Google Updates Home Mini to Address Major Privacy Bug - CNET
The smaller version of Google's Assistant-equipped smart speaker, unveiled earlier this month, apparently suffers from a bug that caused some units to record sounds at random times and transmit the audio to Google's servers. Google said Tuesday it issued a software update on Saturday to address the issue.
FEEDBACK FROM PREVIOUS DIGEST:
Machine Learning and Artificial Intelligence:
Google Reveals Android Robocop AI to Spot and Destroy Malware - The Register
In its ongoing quest to trap and kill Android malware, Google has, as usual, turned to machine learning - and is reporting some success.
RECENT HEADLINES:
Mobile Security:
iOS Privacy: steal.password – Easily get the user’s Apple ID password, just by asking - KrauseFX
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so.
John Kelly’s Personal Cellphone was Compromised, White House Believes - Politico
White House officials believe that chief of staff John Kelly's personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.
Network Security:
10Gbps Cable Internet Uploads and Downloads Coming in DOCSIS Update - Ars Technica
Cable Internet with download and upload speeds of 10Gbps may eventually come to American homes thanks to a new specification for higher-speed, symmetrical data transmissions.
New NIST and DHS Standards Get Ready to Tackle BGP Hijacks - Bleeping Computer
Two US government agencies have united forces to coordinate the creation of a new set of standards aimed at securing the routing of information between major Internet entities, such as Internet Service Providers, hosting providers, cloud providers, educational, research, and national networks.
The solution they developed is actually a collection of standards known collectively as Secure Inter-Domain Routing (SIDR).
A Bug Has No Name: Multiple Heap Buffer Overflows In the Windows DNS Client - Bishop Fox
CVE-2017-11779, fixed by Microsoft in October of 2017, covers multiple memory corruption vulnerabilities in the Windows DNS client. The issues affect computers running Windows 8/Server 2012 or later, and can be triggered by a malicious DNS response. An attacker can exploit this issue to gain arbitrary code execution in the context of the application that made the DNS request.
Public Sector:
How Israel Caught Russian Hackers Scouring the World for U.S. Secrets - NY Times
It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.
Software Security:
Apple Releases macOS High Sierra 10.13 Supplemental Update With Fix for APFS Disk Utility Bug and Keychain Vulnerability - Mac Rumors
Apple today released a supplemental update to macOS High Sierra 10.13, the first update to the macOS High Sierra operating system that was released to the public in late September. The macOS High Sierra 10.13 update comes just over one week after the release of macOS High Sierra.
CSIAC Supported Communities
CSIAC supports several communities of practice, such as the Cyber Community of Interest (COI) Group and research & development working groups.
Technical Resources, Policy and Guidance
This list of related sites provides additional sources to pursue the topic of Cybersecurity. The sites include Government organizations, including federal agencies, Department of Defense and military service agencies, commercial organizations, and academic institutions.
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.