SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #96
December 7, 2018Court: Employer's Legal Obligation to Protect Employee Data; House IoT Bill-Agencies to Focus on Security Over Price; Tools Used in Marriott Breach Used in Other Attacks
****************************************************************************
SANS NewsBites Dec. 7, 2018 Vol. 20, Num. 96
****************************************************************************
TOP OF THE NEWS
PA Supreme Court: Employer Has an Obligation to Secure Employee Data
House IoT Bill Would Encourage Agencies to Focus on Security Over Price
Tools Used in Marriott Breach Were Used in Other Attacks
REST OF THE WEEKS NEWS
Australian Parliamentary Committee Report Recommends Against eVoting
Australian Encryption Bill Passes
Huawei CFO Arrested in Canada at US Governments Request
Apple Updates Multiple Products
Adobe Releases Fix for Zero-Day Flash Flaw
Citrix Clarifies Reason for Forced Password Resets
NIST Report on First Responder Wireless Tech Security
December Android Updates
Quora Breach Affects 100 Million Users
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 10.5 iPad Pro with Smart Keyboard, or a Microsoft Surface Go, or take $350 Off with SANS Online Training. Offer ends December 12.
https://www.sans.org/online-security-training/specials/
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By VMRay ****************************
Doing static malware analysis? Learn how the VMRay Analyzer IDA Pro
Plugin seamlessly integrates the leading static analysis tool with our
best-of-breed sandbox.
http://www.sans.org/info/209070
*****************************************************************************
TOP OF THE NEWS
--PA Supreme Court: Employer Has an Obligation to Secure Employee Data
(November 27, 2018)
A decision from Pennsylvanias Supreme Court says that the University of Pittsburgh Medical Center (UPMC) has a common law duty to protect its employees personal data that are stored on a computer that can be accessed from the Internet. The plaintiffs alleged that they provided the data, which included Social Security numbers, tax information, and bank account information, to UPMC as a condition of their employment.
Read more in:
National Law Review: Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees' Personal Data
PA Courts: Opinion
--House IoT Bill Would Encourage Agencies to Focus on Security Over Price
(December 6, 2018)
A bill to be introduced in the US House of Representatives next week would require that Internet-connected devices purchased by the government meet certain security standards. The basic security requirements include functionality to accept security updates/patches, and allowing users to change the default passwords. Vendors would also be required to notify agencies when vulnerabilities are detected and must release timely updates to address the flaws. The bill also explicitly directs the OMB director and GSA administrator to guide agencies in limiting the use of lowest price technically acceptable criteria for purchases. The bill is a companion bill to the Senates Internet of Things Cybersecurity Improvement Act.
[Editor Comments]
[Pescatore] This is a baby step forward for Federal procurement focusing on driving security levels higher, but it takes a step in a very important direction.
[Neely] Even so, internet-connected IoT should have constrained network access to protect them and other network devices. It is important to note that the bill also includes provisions for non-compliant devices, including micro-segmentation, intelligent gateways, isolation and other external factors needed to provide comprehensive protection.
[Murray] While it seems to many to be necessary, not all appliances should include the functionality to accept security updates/patches. This functionality dramatically increases the attack surface of the device. It is this functionality that is used to incorporate the device into botnets. Many cheaper devices should simply be discarded if they prove to be insecure. Similarly, we should be discouraging the use of passwords for any such functionality that we do include. We should encourage a system using asymmetric key encryption such as Apple uses.
Read more in:
Nextgov: Upcoming Bill Would Lock Down Agencies' Internet-Connected Devices
Nextgov: Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018
https://www.nextgov.com/media/gbc/docs/pdfs_edit/120618jc1ng.pdf
--Tools Used in Marriott Breach Were Used in Other Attacks
(December 5, 2018)
Investigators looking into the Marriott Starwood breach say that some of the tools and techniques used in the attack were used in other attacks that have been attributed to Chinese hackers. The tools have been posted online, which means that other groups could have obtained them as well. Investigators also say that it is possible that multiple hacking groups had a presence in the system. The breach began in 2014, shortly after the massive breach of systems at the US Office of Personnel Management (OPM). The four-year dwell time prior to the breachs detection suggests that those responsible are working on behalf of a nation-state, according to Gartner analyst and VP Avivah Litan.
[Editor Comments]
[Ullrich] A four year dwell time does not necessarily suggest a nation state actor. Missed detection is due either to a sophisticated attacker, or to not-sufficiently-sophisticated security monitoring. The attribution to Chinese hackers appears to be weak so far, in particular connecting them to nation state interests. This just appears to follow the classic post-breach PR playbook of playing up the skills of the attacker to appear less negligent in allowing the breach to persist for four years. The same article also mentions that several hacking groups likely had access to the data. I doubt they were all highly sophisticated nation state actors.
Read more in:
Reuters: Exclusive: Clues in Marriott hack implicate China - sources
Dark Reading: Starwood Breach Reaction Focuses on 4-Year Dwell
************************** SPONSORED LINKS ********************************
1) 12 Days of Thycotic is here! Sign up now for free cyber security
giveaways.
Get loads of cyber security gifts and resources this holiday season with
12 Days of Thycotic! Sign up now. http://www.sans.org/info/209065
2) "WhatWorks in Application Security: How to Detect and Remediate
Application Vulnerabilities and Block Attacks with Contrast Security"
Register: http://www.sans.org/info/209075
3) Learn how VMRay Analyzers IDA Pro Plugin enriches static analysis
with behavior-based results. http://www.sans.org/info/209085
*****************************************************************************
REST OF THE WEEKS NEWS
--Australian Parliamentary Committee Report Recommends Against eVoting
(December 6, 2018)
An Australian parliamentary committee has concluded that current technology is not sufficiently mature for an election to be conducted through a full scale electronic voting process, and recommends sticking with paper ballots. The Joint Standing Committee on Electoral Matters report on Australias 2016 federal election voiced concerns about the cost, security and verification of results associated with electronic voting.
[Editor Comments]
[Pescatore] Electronic voting is kind of like digital watches, or keypad entry on house doors vs. physical keys: yes, the technology can do it and it sounds kind of neat. But reliability goes down, costs goes up and security can go down. It doesnt have to go down, but it does if the focus is simply on new technology vs. better technology.
Read more in:
The Register: Pencil manufacturers rejoice: Oz government doesn't like e-voting
https://www.theregister.co.uk/2018/12/06/evoting_off_australias_agenda/
APH: Report on the conduct of the 2016 federal election and matters related thereto
--Australian Encryption Bill Passes
(December 6 & 7, 2018)
After much contentious parliamentary debate, Australias controversial encryption bill has passed. Critics of the legislation say it will weaken encryption by capitulating to the demands of law enforcement and the government. The law requires that technology companies provide a means of accessing encrypted communications and information if served with a warrant.
Read more in:
News.com: Terrorists dont knock off at 5pm on a Thursday: Opposition leader Bill Shorten lashes the government
ZDNet: Shorten defends process of passing encryption laws and reviewing later
ZDNet: Australia now has encryption-busting laws as Labor capitulates
https://www.zdnet.com/article/australia-now-has-encryption-busting-laws-as-labor-capitulates/
The Register: Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time
https://www.theregister.co.uk/2018/12/07/australias_crypto_legislation/
Ars Technica: Australia passes new law to thwart strong encryption
https://arstechnica.com/tech-policy/2018/12/australia-passes-new-law-to-thwart-strong-encryption/
--Huawei CFO Arrested in Canada at US Governments Request
(December 5 & 6, 2018)
Canadian authorities have detained Huawei chief finance officer (CFO) Wanzhou Meng at the request of the US government, which is seeking extradition. Specifics have not been released as a Canadian court has approved Wanzhous request for a ban on publishing details. However, it is known that DOJ has been investigating possible violations of sanctions against Iran by Huawei. Wanzhous arrest in Vancouver, BC, on December 1, coincides with Australias, New Zealands, and the USs decisions to ban the use of Huawei products in 5G network infrastructure. The UK has not blocked the use of Huawei products, but UK telecom BT Group has said it will remove Huawei products from its 3G and 4G core networks within the next two years, and will not include Huawei in the vendor selection for its 5G core network.
Read more in:
BBC: Huawei finance chief Meng Wanzhou arrested in Canada
https://www.bbc.com/news/business-46462858
ZDNet: Huawei CFO reportedly arrested in Canada for breaking US-Iran trade sanctions
ZDNet: BT avoids Huawei for 5G after stripping tech from EE mobile network
https://www.zdnet.com/article/bt-avoids-huawei-for-5g-after-stripping-tech-from-ee-mobile-network/
CNET: BT to strip Huawei equipment from 4G network by 2021, won't use it in 5G core
--Apple Updates Multiple Products
(December 5 & 6, 2018)
Apple has released security updates to address issues in macOS, iOS, Safari, iCloud, iTunes for Windows, and tvOS. The most recent versions of Apple products include iOS 12.1.1, macOS Mojave 10.14.2, tvOS 12.1.1, Safari 12.0.1, iTunes 12.9.2 for Windows, and iCloud for Windows 7.9.
[Editor Comments]
[Neely] This update includes fixes to Webkit and Safari, which are included in OS X, iOS, TV OS and Watch OS resulting in a larger set of updates. The iOS 12.1.1 update includes the fix for the FaceTime contacts access/lock screen bypass.
Read more in:
Dark Reading: Apple Issues Security Fixes Across Mac, iOS
https://www.darkreading.com/endpoint/apple-issues-13-security-fixes/d/d-id/1333423
Ars Technica: Apple releases iOS 12.1.1, macOS Mojave 10.14.2, and tvOS 12.1.1
eWeek: Apple Fixes Passcode, Remote Code Execution Flaws in iOS and macOS
http://www.eweek.com/security/apple-fixes-passcode-remote-code-execution-flaws-in-ios-and-macos
US-CERT: Apple Releases Multiple Security Updates
https://www.us-cert.gov/ncas/current-activity/2018/12/05/Apple-Releases-Multiple-Security-Updates
--Adobe Releases Fix for Zero-Day Flash Flaw
(December 5, 2018)
Adobe has released a patch for a vulnerability in its Flash Player outside of its regularly scheduled security updates. The use after free flaw could be exploited to allow arbitrary code execution. The flaw is being actively exploited in a phishing campaign with the help of a maliciously-crafted Word document.
[Editor Comments]
[Ullrich] A proof-of-concept exploit has been made public for this vulnerability. Sadly, some browsers (e.g. Chrome and Edge) include Flash as a built-in component. Dont forget to update affected browsers. For everybody else: remove Flash.
[Neely] Given that significant vulnerabilities in Flash continue to be discovered, and Adobe is unlikely to release fixes after it goes EOL in 2020, it is critical to make sure your project to eliminate its use is on-track to complete well before 12/31/2020.
[Northcutt] The major browsers dropped Flash in 2016. When I was taking the Washington State food worker safety course, I had to use a virtual browser, (Silo by Authentic8), to view the material.
Read more in:
Cyberscoop: Report: Adobe zero-day exploit similar to HackingTeam tool
https://www.cyberscoop.com/gigamon-atr-flash-zero-day/
Threatpost: Adobe Flash Zero-Day Leveraged Via Office Docs in Campaign
https://threatpost.com/adobe-flash-zero-day-leveraged-via-office-docs-in-campaign/139635/
The Register: Adobe Flash zero-day exploit... leveraging ActiveX embedded in Office Doc... BINGO!
https://www.theregister.co.uk/2018/12/05/flash_zeroday_adobe/
SC Magazine: Adobe fixes zero-day Flash bug after attackers target Russian clinic with exploit
ZDNet: Adobe releases out-of-band security update for newly discovered Flash zero-day
Adobe: Security updates available for Flash Player | APSB18-42
https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
--Citrix Clarifies Reason for Forced Password Resets
(December 4, 2018)
In a December 4 blog post, Citrix explains that it made the decision to force users to reset their ShareFile passwords because it detected a credential stuffing attack against ShareFile users. Credential stuffing involves trying username and passwords combinations stolen from one site on other sites in the hope that some users reuse their access credentials on multiple accounts. Citrix pointed out that there have been a record number of breaches compromising this type of information in 2018, and that the suspicious activity it detected occurred shortly after several high-profile breaches were disclosed. In response to questions from Brian Krebs, Citrix wrote that they did not enforce a password reset on accounts that are using more stringent authentication controls.
Read more in:
KrebsOnSecurity: A Breach, or Just a Forced Password Reset?
https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/
Citrix: Citrix forces password reset to protect against credential stuffing
--NIST Report on First Responder Wireless Tech Security
(December 4, 2018)
The National Institute of Standards and Technology (NIST) has released a draft report titled Security Analysis of First Responder Mobile and Wearable Devices, which aims to to identify security objectives for these devices, enabling jurisdictions to more easily select and purchase secure devices and industry to design and build more secure public safety devices. NIST is taking comments on the document through January 7, 2019.
Read more in:
GCN: Securing wireless tech for responders
https://gcn.com/articles/2018/12/04/nist-responder-tech-cybersecurity.aspx
NIST: Draft NISTIR 8196: Security Analysis of First Responder Mobile and Wearable Devices
https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8196-draft.pdf
--December Android Updates
(December 4, 2018)
In its December update for Android, Google has fixed 53 different vulnerabilities, including 11 that are rated critical. Of those, six could be exploited to remotely execute code in the Android Media Framework and System components. Google handsets will receive over-the-air updates. Update delivery for other devices will vary by manufacturer and carrier.
[Editor Comments]
[Neely] While these fixes address flaws in Android 7.0 through 9, check your hardware providers lifecycle support information to determine if and when you will see the update for your particular device. Measure the time from when your device was released, not purchased. Android 7 was released in August 2016. For manufacturers that provide updates, by year three only security fixes are distributed and sometimes less frequently.
Read more in:
Threatpost: Google Patches 11 Critical RCE Android Vulnerabilities
https://threatpost.com/google-patches-11-critical-rce-android-vulnerabilities/139612/
Android: Android Security BulletinDecember 2018
https://source.android.com/security/bulletin/2018-12-01
--Quora Breach Affects 100 Million Users
(December 3 & 4, 2018)
Question and answer site Quora has disclosed a breach it detected on Friday, November 30. In a blog post that outlines what is currently known about the breach, Quora chief executive Adam DAngelo wrote that the incident is being investigated and that the company want[s] to be as transparent as possible without compromising our security systems or the steps we're taking. Quora has logged affected users out of the service and has invalidated their passwords.
[Editor Comments]
[Murray] It remains to be seen what Quoras contribution to the breach was. However, they got the disclosure right, both timing and transparency.
Read more in:
NYT: Quora, the Q. and A. Site, Says Data Breach Affected 100 Million Users
https://www.nytimes.com/2018/12/04/technology/quora-hack-data-breach.html
The Register: Yet another mega-leak: 100 million Quora accounts compromised by system invaders
https://www.theregister.co.uk/2018/12/04/100_million_quora_passwords/
Ars Technica: Hackers breach Quora.com and steal password data for 100 million users
Quora: Quora Security Update
https://blog.quora.com/Quora-Security-Update
INTERNET STORM CENTER TECH CORNER
Latest Lokibot Malspam
https://isc.sans.edu/forums/diary/Malspam+pushing+Lokibot+malware/24372/
Fake Ransomware Decryption Service
https://www.theregister.co.uk/2018/12/04/ransomware_helper_was_middleman_dr_shifro/
Chrome 71 Released
Adobe Releases Emergency Flash Patch
https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
Adobe Vulnerability PoC Released
https://isc.sans.edu/forums/diary/Is+it+Time+to+Uninstall+Flash+If+you+havent+already/24382/
PoC Exploit for Kubernetes Vulnerability
https://github.com/evict/poc_CVE-2018-1002105
Data Exfiltration During Pentests
https://isc.sans.edu/forums/diary/Data+Exfiltration+in+Penetration+Tests/24354/
Apple Updates Everything (but not WatchOS)
https://support.apple.com/en-us/HT201222
WatchOS Update
https://support.apple.com/en-us/HT209343
New Privacy Issues Affecting 3G-5G protocols
https://eprint.iacr.org/2018/1175
Preston Ackerman: Marketing 2FA
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
