NMCIWG CYBER SHIELD
UNCLASSIFIED
6 September 2018

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
* SA Jeanette Greene, Albuquerque FBI
* CI Agent Scott Daughtry, NMCIWG Member

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product’s distribution list. The FBI will not send NMCIWG products to a non-United States employer-provided email account.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the New Mexico Counterintelligence Working Group (NMCIWG).

NMCIWG Members
Our membership includes representatives from these agencies: 902nd MI, AFOSI, Air Force Research Labs, DOE, DSS, DTRA, FBI, HSI, Los Alamos Labs, MDA, NAG, NCIS, NGA, NRO, Sandia National Labs and the US Attorney’s Office.

Distribution
You may forward this product to U.S. person co-workers or other U.S. agency / U.S. company email accounts. Your company may archive NMCIWG products on its internal network (accessible only to employees). This product may NOT be altered in any way or copied / pasted into a database system or Internet forum.

This Issue’s News Articles:
* Mobile spyware maker leaks 2 million records
* Twitter is keeping 500,000 bots from logging in every day
* Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock
* Homeland Security awards massive cyber contract to ManTech
* House passes measure to identify, sanction hackers assisting in cyberattacks against US
* Social Security numbers exposed on US government transparency site
* Chrome: Flash is almost, almost, almost dead
* How a data request turned into a data breach
* House passes CDM bill
* Protecting the power grid from GPS spoofing
* Remotely exploitable flaw in Schneider Electric PLCs is a danger to OT networks
* Chinese hacker group targets tech supply chain, report says

Mobile spyware maker leaks 2 million records
Tech Crunch, 5 Sep 2018: mSpy, a commercial spyware solution designed to help you spy on kids and partners, has leaked over 2 million records including software purchases and iCloud usernames and authentication tokens of devices running mSpy. The data appears to have come from an unsecured database that allowed security researchers to pull out millions of records. “Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months,” wrote security researcher Brian Krebs. mSpy is a platform that allows parents to see what their children are doing online and, presumably, allows partners to keep tabs on each other. The app allows you to monitor “WhatsApp, Snapchat, Facebook, and other messaging apps” and tracks calls, SMS, and GPS data. mSpy has leaked data before; Krebs reported a hack in 2015 that the company denied for a full week. This latest leak is less a hack than an oversight in database control: an open database with millions of users’ records, including passwords and Facebook, WhatsApp and iCloud messages, was found on their server.

Twitter is keeping 500,000 bots from logging in every day
Engadget, 5 Sep 2018: It’s also challenging up to 10 million suspicious accounts per week. Twitter CEO Jack Dorsey is currently testifying before the House Energy and Commerce Committee and, in response to questions from Representatives Kathy Castor (D-FL) and Gene Green (D-TX) about bots, Dorsey said that the platform is keeping around 500,000 bot accounts from logging in every day. He also reiterated that every week, Twitter's systems are challenging between eight and ten million accounts that are suspected of misusing automation or disseminating spam. Dorsey said that Twitter's systems are now catching more than three times as many suspicious accounts and thwarting twice as many suspicious logins as they were a year ago.

Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock
TheRegister, 6 Sep 2018: Researchers based in Germany have discovered how to spoof certificates they don't
own – even if the certs are protected by the PKI-based domain validation. Though the group withheld the
names of certificate authorities whose certs could be spoofed, Dr Haya Shulman, of the Fraunhofer Institute
for Secure Information Technology, told The Register a "weak off-path attacker" can – using nothing more
than a laptop – steal credentials, eavesdrop, or distribute malware using the method. All the while, Dr
Shulman told us, the user would think their connections were secure because that's what their browser would
report. Dr Shulman's team wrote: "The attack exploits DNS Cache Poisoning and tricks the CA into issuing
fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the
attacker's public key to a victim domain." The group has asked The Register not to republish the paper
because it names affected Certificate Authorities. We have, however, seen a demo of a live attack by
Fraunhofer's team. "The attack is initiated with a DNS request," the paper explained. "To succeed in the
attack, the attacker has to craft a correct DNS response before the authentic response from the real
nameserver arrives." By successfully mapping their spoofed DNS record to hosts controlled by the attacker,
domain validation checks run by the CA are performed not by the record owner, but against the attacker's
hosts. The attack depends on getting DNS responses broken into fragments, achieved by sending the
nameserver an "ICMP fragment needed" packet. This tricks the server into thinking the victim's system is
configured to only process small packets. The second trick is on the victim: in processing the first fragment,
the victim's machine has completed the DNS challenge-response fields. In other words, Fragment A contains
the validation the victim expects for a domain, but then the attacker injects Fragment B with spoofed
information that the victim accepts.

Homeland Security awards massive cyber contract to ManTech


TheHill, 6 Sep 2018: The Department of Homeland Security (DHS) has awarded another massive contract to
carry out and support a key cybersecurity program. ManTech announced Wednesday that it had been
awarded the $668 million contract, one day after the House passed a bill to codify the Continuous Diagnostics
and Mitigation (CDM) program. The program aims to protect the federal government networks from
cyberattacks. The firm will provide support to several government agencies on the CDM program as part of
the contract, including the departments of Education and Housing and Urban Development as well as the
Environmental Protection Agency (EPA), the Nuclear Regulatory Commission and the SEC. DHS has awarded
other major contracts for the CDM program over the past few months. Booz Allen Hamilton landed a $621
million, six-year contract earlier this year, and CGI Federal was granted a $530 million contract in July, partially
focused on cloud protections.

House passes measure to identify, sanction hackers assisting in cyberattacks against US


TheHill, 5 Sep 2018: The House on Wednesday passed a bill to implement government-wide rules to name and
sanction actors who assist with nation-state-sponsored cyberattacks against the U.S. The legislation, which
passed by a voice vote, would direct President Trump to implement sanctions against those who assist in
carrying out cyberattacks on the U.S. The measure would allow him to skip out on the sanctions if doing so is
in the country’s best interest. According to the legislation, the president would be required to label foreign
individuals or entities who have “knowingly materially assisted, sponsored, or provided financial, material, or
technological support” in cyberattacks targeting the U.S. as critical cyber threat actors. President Trump would
be directed to publish the threat actors in the federal register, with the exception of those determined to
remain secret for national security or law enforcement purposes. The names would still be shared with
Congress. The president would also be required to slap sanctions on those threat actors under the new
legislation, which features a list of possible economic penalties that could be imposed.

Social Security numbers exposed on US government transparency site


Sophos, 6 Sep 2018: The US government exposed dozens of people’s personal details, including social security
numbers, due to an online mishap on a public transparency portal, it emerged this week. FOIA.gov, a site that
centrally administers freedom of information act requests, had been serving up the information for weeks,
CNN reported on Monday. People use the site, operated by the Environmental Protection Agency, as a single
go-to source for requesting information from the government. They can submit requests concerning
everything from data about criminal cases through to government expenses through the portal. The site then
routes information requests through to the appropriate agencies and delivers the results. Those requesting
information may enter sensitive personal data and are even encouraged to do so by government agencies to
help service their requests – information such as status on an immigration application or information about
criminal cases. The problem stemmed from a software bug in the site’s search facility. This allows people to
search existing FOIA requests and find out who has requested information about what. These records include
personal details that the site normally withholds until the originating agency gives permission to reveal it. That
masking stopped working. Instead, the site began displaying all of the information by default, including
sensitive data, effectively rendering it publicly available. The software glitch meant that sensitive information
about individuals, including birthdates, immigrant identification numbers, addresses and contact details were
available online. CNN identified at least 80 full or partial Social Security numbers during its research. According
to the news site, the masking feature had been working properly until 9 July, when the website upgraded from
version 2.0 to version 3.0.

Chrome: Flash is almost, almost, almost dead


Sophos, 3 Sep 2018: If you use Google’s Chrome browser after 4 September the latest update will make it
even harder to use in-browser Adobe Flash. Starting with Chrome update 69, the browser will require users to
explicitly enable Flash every single time they want to use it. Chrome will no longer remember this preference
between sessions, so every time a user hits a site that uses Flash, they’ll have to say “yes, I really want to
enable this extension.” If it sounds annoying, it absolutely is, and that’s by design. This is just another step on
the timeline that Chrome and many other browsers have set upon to slowly, slowly wean the public off Flash
in anticipation of Adobe’s official plan to end support for the plugin by 2020. The next step in Chrome’s
timeline – summer 2019 – is to completely disable Flash by default, requiring users to go into their settings to
enable the plugin every time they want it to run. After that, in 2020, it’s game over for Flash entirely.

How a data request turned into a data breach


Engadget, 6 Sep 2018: The process was smooth enough, with the right safeguards apparently in place. I
emailed the dating app Coffee Meets Bagel to request personal data. Within 24 hours the company asked for a
selfie of me holding an ID card and a piece of paper with the words "Coffee Meets Bagel" scrawled on it.
Exactly one month later I received an email from Stephen Brandon, the company's data protection officer. The
response form clearly spelled out where it got my data from and laid out my rights to correct or erase my
personal information. The seven attached spreadsheets were clearly labelled -- "criteria," "messages,"
"profile" -- and contained a comprehensive amount of data, even if all the values weren't fully explained. The
only problem: This was not my data. Instead, it belonged to Jon, a man from one of New York's outer
boroughs who declined to be identified by his full name. I inadvertently learned a lot about him. I know Jon's
birthday, personal email address, alma mater, ethnicity, height and occupation. I know that he's Catholic and
likes vodka. I can infer his home address from the GPS coordinates of where the app was opened. In short, this
was a lens into some of a stranger's most personal and identifiable information. It was a data breach, caused,
ironically, by an attempt at data transparency. It took less than five minutes for me to pinpoint his online
social media profiles and reach out. "I think it's a major invasion of privacy, but I can see how these mistakes
happen," said Jon. "Coffee Meets Bagel should be held accountable, but ultimately it's up to me to be more
selective with where I share my data voluntarily." Arum Kang, Coffee Meets Bagel's co-founder and CEO, said
that the mix-up came from basic human error. An employee mistyped my internal user ID number into the
automated tool for pulling data and failed to double-check that the system spat out the right person's
information. In the wrong hands the kind of information Coffee Meets Bagel sent to me could easily be used
for identity theft or to infer passwords and security questions to other accounts. Combining spoof email
addresses and basic personal details could facilitate requesting even more data from other online services,
depending on their ID-verification methods, which we found varied widely across organizations. For users, the
lesson is to secure your data once you get it from a company. A hacker might not need to scale Facebook's
security apparatus if they can find the same data on an unencrypted hard disk.
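Two controls that would have caught the mistyped-ID error the article describes, as an added Python example rather than Coffee Meets Bagel's own tooling: a Luhn check digit on internal user IDs, so a single mistyped digit is rejected before any lookup, and a release gate that refuses to send a bundle whose subject e-mail differs from the address verified in the selfie-with-ID step. The user directory, IDs and e-mail addresses are constructed.

```python
"""Release gate for a data-subject-access-request (DSAR) export.

Added illustration, not Coffee Meets Bagel's tooling: an employee mistyped
an internal user ID and nobody checked that the exported bundle belonged
to the requester.  Two cheap controls catch that: a check digit on IDs and
a release gate that cross-checks the bundle's subject against the requester.
"""
from __future__ import annotations
from dataclasses import dataclass


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a numeric ID body (same scheme as card numbers)."""
    total = 0
    for pos, ch in enumerate(reversed(body)):
        d = int(ch)
        if pos % 2 == 0:          # double every other digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def valid_user_id(user_id: str) -> bool:
    """An internal ID is <digits><check digit>; a single mistyped digit fails here."""
    if not user_id.isdigit() or len(user_id) < 2:
        return False
    return luhn_check_digit(user_id[:-1]) == user_id[-1]


@dataclass(frozen=True)
class ExportBundle:
    user_id: str
    subject_email: str
    files: tuple[str, ...]       # e.g. ("criteria", "messages", "profile")


# Constructed user directory standing in for the production database.
USERS = {
    "1000009": "requester@example.com",   # the requester (Luhn-valid ID)
    "1000017": "jon@example.net",         # a different user (Luhn-valid ID)
}


def export_for(user_id: str) -> ExportBundle:
    """Pull the bundle the automated export tool would produce for user_id."""
    return ExportBundle(user_id, USERS[user_id], ("criteria", "messages", "profile"))


def release(typed_user_id: str, verified_requester_email: str) -> ExportBundle | None:
    """Return the bundle only if the ID validates and the bundle's subject is the
    person whose identity was actually verified; otherwise release nothing."""
    if not valid_user_id(typed_user_id) or typed_user_id not in USERS:
        return None                             # typo caught before any lookup
    bundle = export_for(typed_user_id)
    if bundle.subject_email.lower() != verified_requester_email.lower():
        return None                             # plausible ID, wrong person
    return bundle
```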

House passes CDM bill


FCW, 5 Sep 2018: A bill to codify Continuous Diagnostics and Mitigation, a government-wide cybersecurity
program run out of the Department of Homeland Security, passed the House Sept. 4. The bill would add CDM
to the Homeland Security Act, require federal agencies to develop reporting metrics for systemic cybersecurity
risks and build in expectations that agencies will continually update and deploy new technologies to support
the program. It also requires the secretary of Homeland Security to develop a strategic plan for the program
six months after passage. If enacted into law, it would represent the first attempt by Congress to bolster the
program through legislation. Ratcliffe and other members of Congress have expressed confidence in DHS and
the foundation of CDM; they have also expressed concern over slower than expected progress from many
federal agencies. The bill now moves to the Senate, where another DHS cyber reform bill, the Cybersecurity
and Infrastructure Security Agency Act, has thus far become mired in jurisdictional turf wars between differing
committees since being passed last year. Ratcliffe urged the Senate to swiftly consider and pass its own
version of his CDM legislation. The House also passed another significant piece of cyber-related legislation on
Sept. 5. The Cyber Deterrence and Response Act lays out a formal process for the president to enact
diplomatic, economic and criminal sanctions against nation-states found to be engaging in malicious cyber
activity.

Protecting the power grid from GPS spoofing


GCN, 4 Sep 2018: It’s relatively simple for bad actors to bring down a power grid by spoofing the GPS signals
the grid uses to time stamp sensor measurements, according to researchers at the University of Texas at San
Antonio. The sensors -- phasor measurement units -- are installed in fixed locations throughout the grid and
transmit 30 measurements per second to the control center, where operators monitor grid performance and
increase or decrease the supply of electricity depending on the readings. That data is time stamped with the
signals received by the sensors’ on-board GPS receivers. A spoofed GPS signal, according to Nikolaos Gatsis,
assistant professor of electrical and computer engineering, would result in those time stamps being incorrect.
“They would make the control center think that the measurements they are getting happened at a different
time,” Gatsis said. That, he said, could cause operators to take actions they shouldn’t be taking and that could
lead to blackouts. The algorithm compares previously recorded information about GPS signal timing to
incoming signals. When an anomaly in the timing is detected operators are alerted. And the algorithm does
more than just detect anomalies. “The algorithm can also provide protection,” Gatsis said. “It provides the
corrected timing” by noting the timing of signals before the attack began and projecting them forward. The
team is also exploring using the algorithm to protect against time-synchronization attacks against financial
institutions, which use the GPS timing data to time stamp financial transactions.
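The timing-anomaly detector the article describes, as an added Python illustration and not the UTSA team's algorithm: it projects the expected PMU timestamp forward from pre-attack samples, flags readings whose GPS-derived timestamp departs from the projection, and returns the projected timestamp as the corrected value. The 30 Hz reporting rate is from the article; the 1 ms tolerance, the 50 ms spoof offset and the sample stream are constructed.

```python
"""Detect and correct GPS-timing anomalies in a PMU measurement stream.

Added illustration (not the UTSA researchers' code).  A PMU reports 30
measurements per second, each stamped with GPS time.  A spoofed GPS signal
shifts those stamps; the detector compares each stamp with a projection from
trusted pre-attack samples and supplies the projection as corrected timing.
"""
from __future__ import annotations
from dataclasses import dataclass

PMU_RATE_HZ = 30                 # reporting rate given in the article
PERIOD_S = 1.0 / PMU_RATE_HZ
TOLERANCE_S = 1e-3               # constructed: 1 ms of jitter is treated as normal


@dataclass
class Verdict:
    index: int
    reported_ts: float
    expected_ts: float
    spoofed: bool
    corrected_ts: float          # projected timing, used when spoofed is True


def project_expected(baseline: list[float], n_ahead: int) -> float:
    """Project the trusted baseline forward by n_ahead sample periods.
    The mean observed period is used rather than the nominal one, so a slightly
    fast or slow local clock is not reported as an attack."""
    if len(baseline) < 2:
        raise ValueError("need at least two trusted samples")
    period = (baseline[-1] - baseline[0]) / (len(baseline) - 1)
    return baseline[-1] + n_ahead * period


def check_stream(timestamps: list[float], baseline_len: int = 30) -> list[Verdict]:
    """Treat the first baseline_len samples as trusted; judge the remainder.
    Only samples that pass are appended to the baseline, so a spoof cannot
    gradually drag the projection along with it."""
    baseline = list(timestamps[:baseline_len])
    verdicts: list[Verdict] = []
    n_ahead = 1
    for i in range(baseline_len, len(timestamps)):
        expected = project_expected(baseline, n_ahead)
        reported = timestamps[i]
        spoofed = abs(reported - expected) > TOLERANCE_S
        verdicts.append(Verdict(i, reported, expected, spoofed, expected))
        if spoofed:
            n_ahead += 1          # keep projecting from the last trusted sample
        else:
            baseline.append(reported)
            n_ahead = 1
    return verdicts


def constructed_stream(spoof_start: int, offset_s: float, total: int = 90) -> list[float]:
    """Constructed data: a clean 30 Hz stream with a timestamp offset injected
    from sample spoof_start onward, as a timing spoof would cause."""
    return [i * PERIOD_S + (offset_s if i >= spoof_start else 0.0) for i in range(total)]


if __name__ == "__main__":
    for v in check_stream(constructed_stream(spoof_start=60, offset_s=0.050)):
        if v.spoofed:
            print(f"sample {v.index}: reported {v.reported_ts:.4f}s, "
                  f"corrected {v.corrected_ts:.4f}s  ALERT")
```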

Remotely exploitable flaw in Schneider Electric PLCs is a danger to OT networks


HelpNet Security, 6 Sep 2018: A vulnerability in the Schneider Electric Modicon M221, a programmable logic
controller (PLC) deployed in commercial industrial facilities worldwide, can be exploited to remotely
disconnect the device from communicating in the ICS network. “An unauthorized user could have easily
exploited this vulnerability to execute a synchronized attack and cause a number of these controllers to stop
communicating. This type of unauthorized action would allow a cyber-attacker to massively disconnect the
affected PLCs from the HMI, leaving the operator with no way to view and control the physical processes on
the OT network, while instantly harming the safety and reliability of the ICS systems,” Radiflow researchers
have noted. Uncovered by Radiflow CTO Yehonatan Kfir and responsibly disclosed to Schneider Electric over
two months ago, the vulnerability affects all versions of Modicon M221 firmware prior to v1.6.2.0 and can be
triggered with specially crafted programming protocol frames. “This CVE could have resulted in the controller
getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the
HMI certainly has more than just a low impact on the availability of an OT network. To recover from such a problem,
an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability
seems much higher than reflected in the scoring.” For those industrial operators that can’t implement the new
firmware immediately, the company has pointed out temporary mitigation steps: set up a firewall blocking all
remote/external access to port 502 and disable all unused protocols.

Chinese hacker group targets tech supply chain, report says


FCW, 3 Sep 2018: Over the past two years, a mysterious group calling itself "Intrusion Truth" has been
releasing blog posts providing detailed information about Chinese-linked hacking groups. Their latest findings
purport to show that two Chinese nationals and a contracting firm associated with an Advanced Persistent
Threat group named Stone Panda are actively working for or with the Chinese government. In particular, the
group provides photo evidence, satellite imagery and even Uber receipts that show two individuals associated
with Stone Panda regularly traveling to a Ministry of State Security compound in Tianjin, China. They also
provided separate evidence purporting to show how the group uses contracting firms to recruit hackers on
behalf of the Chinese government. Crowdstrike, a U.S.-based cybersecurity and threat intelligence firm, said it
has corroborated "several key pieces of information" and believes the findings are both credible and could
significantly impact Chinese hacking efforts going forward. "The exposure of Stone Panda as an [Ministry of
Security Services] contractor would be another blow to China's current cyber operations given Stone Panda's
prolific targeting of a variety of sectors, and may prompt an additional U.S. investigation at a tenuous time for
Sino-U.S. relations during an ongoing trade war," analysts for the firm wrote on August 30. Adam Meyers, vice
president of intelligence at Crowdstrike, told FCW that while little is known about the identities or motivations
behind Intrusion Truth, the group appears to have access to more than open source intelligence, and its
previous work exposing the operations of another Chinese APT, Gothic Panda, has been largely borne out as
accurate. In fact, their work in 2017 helped lay the groundwork for a series of indictments in 2017 by the
Department of Justice against another Chinese hacking group, dubbed Gothic Panda, and Chinese internet
security firm Boyusec. Meyers believes a similar fate could await the individuals and entities identified in the
group's latest disclosure. Stone Panda is one of several Chinese APT groups charged with targeting supply
chain vulnerabilities in the software, shared services and telecommunications industries. Meyers said the
findings provide another example demonstrating how China has slowly ramped back up its cyber economic
espionage in recent years despite a 2015 bilateral agreement between the U.S. and China to mutually curb
such activities. He said it also indicates the extent to which China is relying on third-party security contracting
companies to carry out their espionage work. After Intrusion Truth posted its findings online, Crowdstrike
noticed that several of the named individuals began scrubbing and deleting their social media accounts and
other aspects of their online footprint. Meyers believes now that the group is exposed, it will likely go
underground and dormant, at least temporarily, while members rebuild their operational security and
anonymity.
