InfoSec News

DoD

NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows

By

FORT MEADE, Md., June 4, 2019 —

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows. Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

CVE-2019-0708, dubbed “BlueKeep,” is a vulnerability in the Remote Desktop (RDP) protocol. It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.

This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches. Please refer to our advisory for additional information. This is critical not just for NSA’s protection of National Security Systems but for all networks. In order to increase resilience against this threat while large networks patch and upgrade, there are additional measures that can be taken:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Someone repeatedly compromised NASA servers

By

By William Knowles @c4i
Senior Editor
InfoSec News
December 19, 2018

 

This isn’t going to improve NASA’s FISMA scorecard rating for 2018.

On Tuesday, December 18, 2018. Bob Gibbs, Assistant Administrator, Office of the Chief Human Capital Officer sent an agency-wide message to the 17,000+ NASA employees, according to SpaceRef which posted the memo on their site.

On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.

Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.

NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.

NASA employees should be counting their lucky stars that this doesn’t happen more often, In 2016 NASA’s Office of Inspector General found that NASA lacks a mature cyber program, earning a score of 27 out of 100 under the Office of Management and Budget’s and DHS’ five-step maturity model.

In the 2017 Federal Information Security Modernization Act: Fiscal Year 2017 Evaluation of NASA came to the conclusion that…

Despite progress made to address previously identified weaknesses related to its cybersecurity program, we concluded that NASA, based on the results of our current review, has not implemented an effective information technology security program. Further, without implementing additional improvements to ensure that NIST requirements are implemented, the Agency may lose ground in its efforts to address the challenges in a rapidly evolving cybersecurity landscape. To strengthen its information security program, we believe the Agency should continue its initiatives in each of the seven IG FISMA domains.

  1. Risk Management. Strengthen the enterprise architecture risk management framework by closing the gap between mission systems and inventory, and complete the transition to RISCS.
  2. Configuration Management. Augment secure configuration settings, improve hardware and software asset management, and remediate configuration-related vulnerabilities including unsupported operating systems.
  3. Identity and Access Management. Increase the use of PIV authentication for unprivileged users.
  4. Security Training. Complete applicable role-based training for personnel with significant security responsibilities.
  5. Continuous Monitoring. Develop a comprehensive continuous monitoring strategy for automatic hardware and software inventory detection and data exfiltration defense capabilities.
  6. Incident Response. Bridge the gap between reactive and proactive intelligence gathering and analysis techniques.
  7. Contingency Planning.

Finally, we are concerned that many recommended corrective actions from prior FISMA and other IT-related reviews remain open after more than a year. We urge a renewed Agency commitment to addressing our previous recommendations given the constant and growing cybersecurity threats. Although this memorandum made no specific recommendations to NASA, management provided a brief response that is reproduced in Enclosure V. Technical comments provided by management have been incorporated, as appropriate.

Sadly, Its easier to blame this all on aliens.

The DoD Cybersecurity Policy Chart

By

By William Knowles @c4i
Senior Editor
InfoSec News
November 11, 2018
Updated January 8, 2019

The goal of the DoD Cybersecurity Policy Chart, developed by the Cyber Security and Information Systems Information Analysis Center (CSIAC) is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme. The use of color, fonts, and hyperlinks are all designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.

At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side of the Cybersecurity Policy Chart, there are boxes, which identify key legal authorities, federal/national level Cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can be found in the Chart.

Click on the image above to download an interactive copy of .pdf of the DoD Cybersecurity Policy Chart, The chart was last updated on January 7, 2019. View the changelog here.

Malware Scam Uses NSA/CSS Seal

By

 

National Security Agency Seal

By William Knowles @c4i
Senior Editor
InfoSec News
September 29, 2014

For an agency that for the longest time used to be known as No Such Agency, now thanks to Edward Snowden it’s on center stage for everyone including malware writers.

The NSA Public Affairs Office is alerting the public of a scam that uses the NSA/CSS seals and banner. Victims of this malware scam report that a pop-up or a locked Internet browser alerts them that they have violated the law and/or are being monitored. Depending on where they are in the world, the latter part is likely true.

The malware scammer may also request that victims pay a fine. This activity and the associated alerts have no affiliation to the federal government, NSA included, and no money should be paid to the scammers.

Victims should consult a computer professional on how to address the computer infection. Victims may also contact the Internet Crime and Complaint Center, a partnership between the FBI and the National White Collar Crime Center that accepts Internet-related criminal complaints.

The NSA recommends users looking for more information on malware to review the NIST Guide to Malware Incident Prevention and Handling.

 

DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS

By

CVC8

By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014

XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to a bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013.

According to XSSposed, the InfoSec Institute has not onetwothreefourfivesix, but SEVEN XSS vulnerabilities discovered this week.

This most recent XSS vulnerability to the EC-Council is to their portal page where their customers sign in. This is not the only XSS vulnerability to their site, The Hacker News reported one back in 2011 and Rafay Baloch and Deepanker Arora discovered another in 2013.

In a previous Web defacement statement, the “EC-Council takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers. licenses, government, and military Common Access Cards (CAC).

It seems neither organization is practicing what they preach for thousands of taxpayer’s dollars training the next generation of cyber warriors.

A (supposedly) expert team of information security instructors founded the InfoSec Institute in 1998. Their goal was to build a business by offering the best possible training experience for students.’ ‘InfoSec Institute deeply understands the needs of today’s IT professionals and is best positioned to offer world-class training.

The EC-Council is an Albuquerque New Mexico based organization that offers security professionals a reasonably inexpensive certificate among other security certificates to be compliant with Department of Defense standard 8570.

 

Photo by Richard Termine Photography