SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #1
January 4, 2019US HHS Cybersecurity Guidance for Health Care; CenturyLink 911 Emergency Service Cyber Outage
****************************************************************************
SANS NewsBites Jan. 4, 2019 Vol. 21, Num. 001
****************************************************************************
TOP OF THE NEWS
US Dept. of Health and Human Services Releases Cybersecurity Guidance
CenturyLink Data Center Outage Affected 911 Emergency Service
REST OF THE WEEKS NEWS
SANS Holiday Hack Challenge
Adobe Updates for Reader and Acrobat
Chrome for Android Flaw Partially Patched
CleanMyMacX Privilege Elevation Flaws
Ransomware Infects Cloud Hosting Providers Systems
Australian Government Worker Data Compromised
Ransomware Attack Hinders Newspaper Production
North Korean Defector Data Stolen
Charges Filed in Petroleum Company Trade Secret Theft
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Cylance ************************************
Don't Miss: "Using Data Science to Secure Cloud Workloads." In this session, you will learn how and where data science is being applied in the security industry as well as Cylance's Threat Predictive Advantage, which is one of the many benefits of applying data science to Next-Gen AV products. http://www.sans.org/info/209525
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019
-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive Training. Offer Ends January 9.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--US Dept. of Health and Human Services Releases Cybersecurity Guidance
(January 2, 2019)
The US Department of Health and Human Services (HHS) has released cybersecurity guidance for healthcare organizations. The documents were developed to meet a requirement in the 2015 Cybersecurity Act to provide healthcare organizations with consistent cybersecurity practices to protect patient data. The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It includes a main document, two volumes of technical information, and a resources and templates section. The guidelines are voluntary.
[Editor Comments]
[Murray] This guidance represents a break with the past. It it good practice based rather than risk based. Many health care enterprises lack the necessary knowledge, skill, ability, and experience to assess risk but we know what practices are effective and efficient. That said, good practice for 2019 will be very different from 2018, much less 2015. Least privilege access control, strong authentication, end-to-end application layer encryption, improved, not to say novel, backup and recovery strategies, and early attack and breach detection are necessary to address the more organized and hostile threat profile for 2019.
[Neely] This guidance is intended to leverage the CSF to help healthcare organizations adopt a better security posture based on current risks. It provides an excellent primer on current threats, impacts and mitigations as well as suggested controls for small, medium and large organizations. What is missing are the mandatory controls the regulators will be auditing them against.
[Pescatore] Like many of these efforts mandated by legislation, there is a lot of documentation just summarizing long existing guidance. Small health care organizations, however, may find the Technical Volume and Resources/Template sections useful to focus on justifying needed improvements to address the most common threats against health care systems.
Read more in:
FCW: HHS releases cyber guides for healthcare orgs
https://fcw.com/articles/2019/01/02/hhs-cyber-johnson.aspx
PHE: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf
--CenturyLink Data Center Outage Affected 911 Emergency Service
(December 28, 2018)
An outage affecting 15 CenturyLink data centers in the US and Europe caused 911 emergency services in several US states and in some areas of Canada to be unavailable. The problem started around noon ET on December 27; the issue was fully resolved as of December 29. The outage also affected Internet, phone and TV service availability. A CenturyLink spokesperson said, the outage was caused by a faulty network management card from a third-party equipment vendor that caused invalid traffic replication. The US Federal Communications Commission (FCC) is investigating the outage.
[Editor Comments]
[Northcutt] I attended church with the guy in charge of the national suicide hot line. His nightmare was calling the hotline and getting a busy signal. CenturyLink executives appear to yawn in this case. If they are not subjected to crushing fines that show the FCC cares about human life, then 911 has no value.
[Neely] Critical services, such as 911, should have verified/tested backup service options, and assessed the time to fail-over versus their service availability requirements. For example, in the Boise area, local libraries had both primary internet connections as well as backup cellular hotspots to provide internet access to impacted residents during the service outage.
[Shpantzer] Positive feedback loops are the best loops. Imagine this started at your org. What kind of telemetry are you able to work with to get a root cause analysis in a reasonable amount of time? How would you know if this was a fault or malice?
Read more in:
The Verge: FCC investigating major CenturyLink outage and 911 disruptions
https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating
ZDNet: CenturyLink outage takes down several 911 emergency services across the US
https://www.zdnet.com/article/centurylink-outage-takes-down-several-911-emergency-services-across-the-us/
MeriTalk: FCC Chairman Pai Investigates CenturyLink Outage
https://www.meritalk.com/articles/fcc-chairman-pai-investigates-centurylink-outage/
*****************************************************************************
1) SANS Instructor, Matt Bromiley talks on "Enterprise Security with a Fluid Perimeter" Sponsored by Aruba. Register: http://www.sans.org/info/209530
2) Infoblox Webcast: "Remediating Threats by Bridging Islands of Security" with John Pescatore. Register: http://www.sans.org/info/209535
3) 12 cloud security and compliance exercises that are critical for keeping your organizations data and systems secure in Amazon Web Services (AWS). Learn More: http://www.sans.org/info/209540
*****************************************************************************
REST OF THE WEEKS NEWS
-SANS Holiday Hack Challenge Open Now through January 14, 2019
The FREE annual SANS Holiday Hack Challenge is underway right now! This year, Santa is hosting KringleCon, a virtual conference at the North Pole, where you walk through Santas virtual castle and watch 22 top-notch recorded 12-18 minute talks with directly applicable technical skills. And, within your browser, you can also walk around Santas castle solving cyber defense, DFIR, and pen test challenges as an entertaining and surprising holiday plot unfolds. Youll get to match wits with a holiday super villain while listening to a custom album of holiday tunes. Its fun for all ages, and it is SANS gift to the cyber security community. Over 16,500 people have played so far! Get it all for free at https://holidayhackchallenge.com.
--Adobe Updates for Reader and Acrobat
(January 3, 2019)
Adobe has released updates for two critical flaws in Reader and Acrobat. A use-after-free vulnerability could allow arbitrary code execution; a security bypass vulnerability could be exploited to obtain elevated privileges.
[Editor Comments]
[Shpantzer] Periodic reminder to patch/isolate/harden-the-configuration-of Reader, and that the only thing worse than a fake Adobe Reader download is a genuine Adobe Reader download.
Read more in:
The Register: Hope you're over that New Year's hangoverthere's an Adobe PDF app patch to install
https://www.theregister.co.uk/2019/01/03/acrobat_reader_flaw/
Bleeping Computer: Adobe Acrobat and Reader Security Updates Released for Critical Bugs
https://www.bleepingcomputer.com/news/security/adobe-acrobat-and-reader-security-updates-released-for-critical-bugs/
Adobe: Security Bulletin for Adobe Acrobat and Reader | APSB19-02
https://helpx.adobe.com/security/products/acrobat/apsb19-02.html
--Chrome for Android Flaw Partially Patched
(January 3, 2019)
Google has patched a flaw in Chrome for Android that was first reported in May 2015. The vulnerability leaks information in User-Agent strings about smartphones models and firmware. Given that information, it is possible to determine the degree to which a device is up to date with security patches. Chrome for Android v. 70, which was shipped in October 2018, removed the build number from the User-Agent string.
Read more in:
ZDNet: Google Chrome flaw patched three years after initial report
https://www.zdnet.com/article/google-chrome-flaw-patched-three-years-after-initial-report/
--CleanMyMacX Privilege Elevation Flaws
(January 3, 2019)
More than a dozen privilege elevation vulnerabilities affect MacPaws CleanMyMacX software, a product that scans for and deletes unneeded files to free up space on computers. The flaws could be exploited to gain root access to a machine running the application. The flaws were detected by researchers at Cisco Talos. Updates for CleanMyMacX are available from MacPaw.
[Editor Comments]
[Shpantzer] Thou shalt not install random utilities on thine operating systems and expect no downsides.
Read more in:
Threatpost: A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
https://threatpost.com/flaws-mac-clean-up-root/140551/
SC Magazine: Multiple privilege escalation vulnerabilities in CleanMyMacX
https://www.scmagazine.com/home/security-news/several-privilege-escalation-vulnerabilities-were-found-in-macpaws-cleanmymac-x-software-all-of-which-will-allow-an-attacker-to-modify-the-file-system-as-root/
Talos: Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X
https://blog.talosintelligence.com/2019/01/vulnerability-spotlight-CleanMyMac-X.html
--Ransomware Infects Cloud Hosting Providers Systems
(January 2, 2019)
DataResolution.net, a cloud hosting provider was hit with a ransomware attack on December 24. DataResolution provides services for more than 30,000 companies worldwide. The company has not released a public statement about the situation. The ransomware strain is believed to be Ryuk, the same one that was used in the attack that disrupted the production of some editions of certain US newspapers.
Read more in:
KrebsOnSecurity: Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack
https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/
--Australian Government Worker Data Compromised
(January 2, 2019)
Data about 30,000 employees of the Victoria, Australia government were exposed when an unauthorized user accessed and downloaded a local directory. The compromised information includes work email addresses, job titles, and some mobile phone numbers. The data could be used to launch phishing attacks and influence campaigns.
Read more in:
SC Magazine: Australian government worker info hacked
https://www.scmagazine.com/home/security-news/australian-government-worker-info-hacked/
Infosecurity Magazine: Third Party Accessed Victorian Government Directory
https://www.infosecurity-magazine.com/news/third-party-accessed-victorian/
--Ransomware Attack Hinders Newspaper Production
(December 29, 30, & 31, 2018 & January 2, 2019)
A ransomware attack that hit the Tribune Company in late December disrupted printing operations and prevented some editions of several newspapers from being delivered on time. Affected publications include the New York Times, the Wall Street Journal, the Los Angeles Times, and the San Diego Union-Tribune. The ransomware used in the attack has been identified as Ryuk. While it bears similarities to other malware that has been associated with a certain hacking group, experts say it is too soon to attribute the attack to a specific group.
[Editor Comments]
[Neely] The interconnected nature of these systems allowed the ransomware to impact the systems at both Tribune Publishing as well as their former affiliates the Los Angeles Times and San Diego Union Tribune. While the affiliates had been sold in February, the systems had not implemented sufficient controls to prevent the spread of ransomware underscoring the need to implement controlled interfaces between business partners and minimize the duration of trust relationships when businesses are separated.
[Murray] Recovery is no longer about recovering one file, or even a few. In the face of ransomware and state sponsored sabotage, the requirement may be to recover all mission-critical capabilities within hours to days. Does your strategy meet this requirement?
[Shpantzer] Ryuk also hit the hosting provider, DataResolution.
Read more in:
Cyberscoop: Too soon to attribute cyberattack that disrupted U.S. newspapers, researchers say
https://www.cyberscoop.com/newspaper-cyberattack-ryuk-ransomware-tribune-company/
CNET: Malware suspected of hobbling several newspapers' production
https://www.cnet.com/news/malware-suspected-of-hobbling-newspapers-production/
SC Magazine: Stop the presses: cyberattack disrupts distribution of major newspapers
https://www.scmagazine.com/home/security-news/stop-the-presses-cyberattack-disrupts-distribution-of-major-newspapers/
ZDNet: Ransomware suspected in cyberattack that crippled major US newspapers
https://www.zdnet.com/article/ransomware-suspected-in-cyberattack-that-crippled-major-us-newspapers/
Dark Reading: Cyberattack Halts Publication for US Newspapers
https://www.darkreading.com/perimeter/cyberattack-halts-publication-for-us-newspapers/d/d-id/1333575
--North Korean Defector Data Stolen
(December 28, 2018)
South Koreas Unification Ministry says that hackers accessed a database which has compromised personal information of North Korean defectors. The data include names, birthdates, and addresses of nearly 1,000 people. The information was stolen from one of the 25 support centers that the Unification Ministry operates to help North Korean defectors with jobs, healthcare, and legal support as they resettle in South Korea.
Read more in:
NYT: North Korean Defectors Personal Data Was Stolen by Hackers, South Says
https://www.nytimes.com/2018/12/28/world/asia/north-korea-defectors-hack.html
ZDNet: Hackers steal personal info of 1,000 North Korean defectors
https://www.zdnet.com/article/hackers-steal-personal-info-of-1000-north-korean-defectors/
--Charges Filed in Petroleum Company Trade Secret Theft
(December 21, 2018 & January 2, 2019)
US law enforcement agents have arrested a man for allegedly stealing trade secrets from the petroleum company where he worked. Hongjin Tan, who is from China, is a legal permanent US resident. Tan allegedly stole the information to use at a competing company in China where he had been offered a job. Phillips 66 has confirmed that it is cooperating with the FBI in an investigation related to a former employee; the company was not named in court documents.
[Editor Comments]
[Shpantzer] Have you discussed the concept of trade secrets with your legal counsel? Trade secrets are only legally protected if you secure them in a certain manner, above and beyond normal confidential data. https://www.justice.gov/criminal-ccips/file/891011/download#page3
Read more in:
Justice: Chinese National Charged with Committing Theft of Trade Secrets
https://www.justice.gov/opa/pr/chinese-national-charged-committing-theft-trade-secrets
Security InfoWatch: Former Phillips 66 employee charged with trade secret theft
https://www.securityinfowatch.com/security-executives/news/21039172/trade-secret-theft-charge-filed
INTERNET STORM CENTER TECH CORNER
Malware Leaks Victim Data via FTP
https://isc.sans.edu/forums/diary/Malicious+Script+Leaking+Data+via+FTP/24484/
Hijacking Dormant Twitter Accounts
https://techcrunch.com/2019/01/02/hackers-islamic-state-propaganda-twitter/
Android Authentication Bypass via Skype
https://www.youtube.com/watch?v=EiEcwOfTFqI
Critical Adobe Updates
https://helpx.adobe.com/security/products/acrobat/apsb19-02.html
FilesLocker Ransomware Master Key Published
https://www.bleepingcomputer.com/news/security/master-decryption-key-released-for-fileslocker-ransomware/
WiFi Chipset Exploit (PDF)
https://2018.zeronights.ru/wp-content/uploads/materials/19-Researching-Marvell-Avastar-Wi-Fi.pdf?fbclid=IwAR07FmZGKLKdJAKI4g0o-Wm-dLGwclV8Hhi-L4_HRlklldY8UC6WY72AdAw
Gift Card Scams
https://isc.sans.edu/forums/diary/Gift+Card+Scams+on+the+rise/24482/
Bypassing Vein Scanner Authentication (in German)
https://media.ccc.de/v/35c3-9545-venenerkennung_hacken
Hacking Smart Lightbulbs and Firmware Exploits
https://media.ccc.de/v/35c3-9723-smart_home_-_smart_hack
European Union Offers Bug Bounty for Open Source Software
https://juliareda.eu/fossa/
Bypassing Google ReCaptcha
https://github.com/ecthros/uncaptcha2
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
