SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #20
March 12, 2019Marriott/Equifax CEOs at Senate Hearing on Their Breaches; Dutch Say Cookie Walls Violate GDPR; IoT Security Standards Bill; Ten Best Cyber Journalists
****************************************************************************
SANS NewsBites March 12, 2019 Vol. 21, Num. 020
****************************************************************************
TOP OF THE NEWS
Marriott CEO Appears Before Senate Panel to Talk About Breach (Equifax, too)
Cookie Walls Violate GDPR, Says Dutch Privacy Watchdog
IoT Security Standards Bill Introduced in Both Houses
Ten Best Cyber Journalists Announced
REST OF THE WEEKS NEWS
Facebook Sues Two People for Allegedly Stealing User Data
Some Organizations Are Paying Ransom to Regain Files
Citrix is Investigating Internal Network Intrusion
Researchers Find Security Flaws in High-end Car Alarms
Call for Coordinated Vulnerability Disclosure
College Application Database Breached
Germany Publishes Telecom Network Supplier Security Requirements
RSA: Researchers Say Easily Compromised Ultrasound Machine Reflects Hospital Cybersecurity Issues
San Francisco FBI Warns of SIM Swapping
CORRECTION
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook C223NA or Take $250 Off with OnDemand or vLive training. Offer ends March 20.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Uptycs ***************************
Join SANS Instructor, Dave Shackleford, and Milan Shah, Uptycs Co-Founder and CTO, as he explores how the open source, universal agent, osquery, is providing a single view of the truth with a comprehensive data set inclusive of 100s of system attributes across operating systems, containers and cloud workloads. Register: https://www.sans.org/info/211065
*****************************************************************************
TOP OF THE NEWS
--Marriott CEO Appears Before Senate Panel to Talk About Breach
(March 8, 2019)
In testimony before a US Senate subcommittee last week, Marriott Internationals CEO provided details about the companys customer data breach that had not been disclosed before. Marriott first learned of the breach in September 2018 when it was notified by the IT company that managed the Starwood reservation database; Marriott acquired Starwood in 2016 but had not migrated the Starwood reservation system to its own. An investigation found a remote access Trojan and the Mimikatz pen-testing tool on the Starwood IT system. They also found that the attackers had been present in the Starwood system since 2014. In November 2018, investigators found that data, including guest passport numbers and other information had been exfiltrated from the system.
[Editor Comments]
[Murray] The committee also heard from the Equifax CEO and CISO. The legislators were surprised by the massive management failures and not much reassured by the changes. As in the Target breach, the Equifax breach resulted in a purge of management. One is reminded of Courtneys Third Law: There are no technical solutions to management problems, but there are management solutions to technical problems.
Read more in:
ZDNet: Marriott CEO shares post-mortem on last year's hack
https://www.zdnet.com/article/marriott-ceo-shares-post-mortem-on-last-years-hack/
--Cookie Walls Violate GDPR, Says Dutch Privacy Watchdog
(March 8 & 11, 2019)
Dutch Data Protection Authority Autoriteit Persoonsgegevens (AP) has issued a statement explaining that cookie wallsthe practice of websites making visitors agree to accept cookies to view the contentviolate the European Unions General Data Protection Regulation (GDPR). AP chairperson Aleid Wolfsen said that if users cannot access a site without agreeing to be tracked, they are being forced to share their data.
[Editor Comments]
[Pescatore] One of the issues with GDPR is that each country has a Data Protection Authority and they are making different interpretations of the language in the initial rollout of GDPR. The Dutch are taking a stance that other DPAs dont seem to be taking. Weve seen this confusion in other areas, too. Brian Honan, Gal Shpantzer, Mark Weatherford and I did a SANS webinar a few weeks ago on Dispelling GDPR Myths: Avoid the Compliance Trap, Make Real Security/Privacy Gains that had a lively debate around thisyou can see it at https://www.sans.org/webcasts/dispelling-gdpr-myths-avoid-compliance-trap-real-security-privacy-gains-110215
[Murray] The most noticeable impact of GDPR on this side of the pond has been that one must consent to cookies. The privacy issue is not with cookies per se but with third party cookies. One needs to know the source and use of the cookies in order to be able to give informed consent. Failing to make this necessary distinction, GDPR may be making things worse rather than better.
[Honan] The key point under GDPR is that consent must be freely given; if a visitor to a website cannot gain access to the site without first agreeing/consenting to receive cookies then this is against the GDPR.
Read more in:
Autoriteit Persoonsgegevens: Websites moeten toegankelijk blijven bij weigeren tracking cookies (Websites must remain accessible when refusing tracking cookies) (in Dutch)
SC Magazine: Dutch Data Protection Authority chips away at cookie walls, declaring they violate GDPR
The Register: Is this the way the cookie wall crumbles? Dutch data watchdog says nee to take-it-or-leave-it consent
https://www.theregister.co.uk/2019/03/08/gdpr_forced_consent_tracker_walls_still_a_thing/
--IoT Security Standards Bill Introduced in Both Houses
(March 11, 2019)
US legislators in both the House of Representatives and the Senate have introduced a bill that would establish security standards for Internet of Things (IoT) devices. The bill would require the National Institute of Standards and Technology (NIST) to develop recommendations for government IoT use and establish minimum security requirements. The Office of Management and Budget (OMB) would be required to develop guidelines for government IoT purchases and use.
[Editor Comments]
[Pescatore] Back in 2013 I briefed the National Security Telecommunications Advisory Committee (NSTAC) Industrial Internet/IoT working group. One of my key recommendations was to take a narrow scope definition of IoT, since a self-driving car, a baby monitor and a fitness watch have very different security issues. The language in this bill says The term covered device means a physical object that (i) is capable of connecting to and is in regular connection with the Internet; (ii) has computer processing capabilities that can collect, send, or receive data; and (iii) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. This is overly broad and open to lots of confusion: devices that have Bluetooth interfaces, but not WiFi, never actually connect to the Internetthey connect to those devices (like smart mobile communication devices) that arent covered!
[Henry] Seeing congress address this critically important and growing risk is laudable and appreciated. That said, Id like to see more details. Organizations need to understand that NIST recommendations are baseline, and compliance with those recommendations do not equal security. Additionally, the legislation calls for NIST to review their recommendations every five years. Thats a lifetime in technology, and their evaluation needs to be much more frequent and consistent in order to be effective and efficient, with any measure of success.
[Neely] Similar legislation was introduced in the 115th Congress and didnt advance. NIST is already releasing reports and guidance on IoT and Cyber-Physical Systems; all that is missing is the larger NIST guides for securing these devices. OMB restrictions on purchases would help raise the bar for new purchases in government. Support is also needed from private sector procurement organizations to make enough of a financial impact for manufacturers to implement these standards.
Read more in:
The Hill: Lawmakers introduce bipartisan bill for 'internet of things' security standards
--Ten Best Cyber Journalists Announced
(March 12, 2019)
Among professional awards, the most satisfying are those that are chosen by professional peers. The 2018 Bi-Annual Best Cybersecurity Journalist Awards are just that. The ten winners and three rising stars, nominated and chosen by cyber journalists from around the world, are listed at: https://www.sans.org/top-journalists/2018
**************************** SPONSORED LINKS ******************************
"Securing Your Endpoints with Carbon Black: A SANS Review of the CB Predictive Security Cloud Platform" with Dave Shackleford. Register: https://www.sans.org/info/211070
What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. https://www.sans.org/info/211075
Check out the Security Insights Blog here: https://www.sans.org/info/211080
*****************************************************************************
REST OF THE WEEKS NEWS
--Facebook Sues Two People for Allegedly Stealing User Data
(March 8, 10, & 11, 2019)
Facebook has filed a lawsuit against two people in Ukraine for allegedly creating and distributing malicious quiz apps that prompted users to install browser extensions that surreptitiously stole the users data from social networking sites, including Facebook. The stolen data were then allegedly used to inject advertisements into users news feeds. The scheme allegedly operated between 2016 and 2018, targeting Russian users. In all, roughly 63,000 browsers were affected. Facebook is suing Gleb Sluchevsky and Andrey Gorbachov for violations of state and federal anti-hacking laws, fraud, and breach of terms of service.
Read more in:
Cyberscoop: Facebook suit accuses two Ukrainians of distributing adware disguised as quizzes
https://www.cyberscoop.com/facebook-quizzes-malicious-lawsuit-ukrainians/
CNET: Facebook sues Ukrainians over quiz apps that stole your data
https://www.cnet.com/news/facebook-sues-ukrainians-over-quizzes-packed-with-adware-stealing-data/
ZDNet: Facebook sues Ukrainian browser extension makers for scraping user data
Daily Beast: Facebook Suit Reveals Ukrainian Hackers Used Quizzes to Take Data from 60,000 Users
--Some Organizations Are Paying Ransom to Regain Files
(March 8, 9, & 11, 2019)
A county in the US state of Georgia has paid $400,000 to attackers to regain access to files that were encrypted on March 6, 2019. Jackson County, Georgia paid the ransom over the weekend. The attack forced the majority of the countys IT systems offline, although the website remained functional as did emergency services. County officials said the amount of the ransom is likely less than it would cost to restore systems from backups. The countys email system was still down as of Monday afternoon. It is not clear how much of the systems have been satisfactorily restored. In a separate story, a surgical practice in Washington state paid $15,000 to attackers to regain access to its data in January.
[Editor Comments]
[Williams] Some in the community frown on payment, but at the end of the day, paying the ransom can be a good business decision. Some organizations paid when they believed they could restore from offline backups because it was the quickest way to restore operations. Stories of organizations that pay but don't recover files are generally overblown. Attackers weve seen paid have a 100% recovery rate (one even refunded money when some of the servers didn't decrypt properly). Prevention is still the best plan, but adopting a "never pay" policy is generally not optimal for continued operations.
[Neely] Far greater than the ransom is the cost to recover, create new baseline backups and clean system images, as well as taking steps to prevent recurrence and improve recovery capabilities in such an scenario. Threat reports show that ransomware use is still a concern. Walk through this scenario taking a hard look at your point in time recovery capabilities, and adjust now before you discover gaps during an incident.
Read more in:
MeriTalk: Georgia County Pays Cybercriminals $400K to Remove Ransomware
https://www.meritalk.com/articles/georgia-county-pays-cybercriminals-400k-to-remove-ransomware/
ZDNet: Georgia county pays a whopping $400,000 to get rid of a ransomware infection
Bleeping Computer: Ransomware Attack on Jackson County Gets Cybercriminals $400,000
SC Magazine: Columbia Surgical Specialists pay $15,000 ransom to unlock files
--Citrix is Investigating Internal Network Intrusion
(March 8, 2019)
Last week, the FBI notified Citrix that the companys internal network may have been breached by hackers from outside the US. Citrix has launched a forensic investigation, brought in a third-party firm to help, and are cooperating with the FBI. The company says that the intruders stole business documents.
[Editor Comments]
[Pescatore] The bad news is this is another example of a company not knowing it had been compromised until it received notice from the FBI. In many of those delayed-discovery cases, the extent of the compromise is larger than the first corporate press release suggests. I guess the good news is that it has been two years since Citrix sold off GoToMeeting to LogMeInit would be good to hear from LogMeIn that those services have been investigated to assure no compromises.
Read more in:
Citrix: Citrix investigating unauthorized access to internal network
The Register: Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, says cyber-biz
https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/
Cyberscoop: Citrix says FBI investigating network breach by 'international cyber criminals'
ZDNet: Citrix discloses security breach of internal network
https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/
Ars Technica: Citrix says its network was breached by international criminals
Threatpost: Citrix Falls Prey to Password-Spraying Attack
https://threatpost.com/citrix-password-spraying/142649/
--Researchers Find Security Flaws in High-end Car Alarms
(March 7 & 8, 2019)
Researchers at Pen Test partners found vulnerabilities in two pricey after-market car alarm unlock car doors, alter cruise control settings, systems. The flaws could be exploited to geolocate the car in real time, disable the alarm, and kill engines while the car is at speed. The examined alarms, Viper (known as Clifford in the UK) and Pandora Car Alarm System, are installed on an estimated 3 million cars. The researchers exploited weaknesses in the alarms APIs to take control of the associated accounts. The vendors were contacted and fixed the problems prior to the vulnerabilities disclosure.
[Editor Comments]
[Neely] The base attack exploits weaknesses in the password recovery portion of the application to take over the account for a given vehicle using another account on the alarm providers system. As the weakness was not in the alarm itself, fixes to the providers servers resolved these issues. These particular alarm systems were attractive targets because they were marketed as unhackable.
Read more in:
Pen Test Partners: BLOG: AUTOMOTIVE SECURITY Gone in six seconds? Exploiting car alarms
https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
The Register: No guns or lockpicks needed to nick modern cars if they're fitted with hackable 'smart' alarms
https://www.theregister.co.uk/2019/03/08/ptp_smart_car_alarm_research_pandora_viper_smart_start/
SC Magazine: Researchers hack cars via aftermarket alarm systems
ZDNet: Smart 'unhackable' car alarms open the doors of 3 million vehicles to hackers
https://www.zdnet.com/article/smart-car-alarms-opened-the-doors-of-3-million-vehicles-to-hackers/
BBC: Security holes found in big brand car alarms
https://www.bbc.com/news/technology-47485731
--Call for Coordinated Vulnerability Disclosure
(March 7, 2019)
The Cybersecurity Coalition has published a white paper calling for coordinated vulnerability disclosure frameworks for governments and organizations. The paper describes several general issues related to CVD, distinguishes broad characteristics and categories of CVD, provides recommendations on driving adoption in public and private sectors, urges support for government-funded programs focused on vulnerability disclosure and identification, and outlines international CVD standards [currently] in use.
[Editor Comments]
[Murray] Not all vulnerabilities are the same. This accounts, at least in part, for why we have had difficulty in reaching a consensus about the ethics of disclosure.
Read more in:
Cybersecurity Coalition: White Paper: "Policy Priorities for Coordinated Vulnerability Disclosure and Handling"
https://www.cybersecuritycoalition.org/policy-priorities
FCW: Cyber group calls for coordinated vulnerability disclosure policies
https://fcw.com/articles/2019/03/07/vulnerability-disclosure-coalition.aspx
--College Application Database Breached
(March 7 & 11, 2019)
An online system used by hundreds of colleges and universities to manage student applicant data has been breached. Slate is used by more than 900 schools, but the attack targeted applicants to just three colleges: Grinnell, Oberlin, and Hamilton. Applicants to the schools received email messages from the attackers offering access to confidential information such as teacher recommendations, admission officer interview notes, and tentative admission decisions in return for payment. The colleges have advised the prospective students to ignore the attackers messages; they are working with authorities. (Please note that the WSJ story is behind a paywall.)
Read more in:
Dark Reading: Hackers Break into System That Houses College Application Data
WSJ: Hackers Breach College-Applicant Databases, Seek Ransom (paywall)
https://www.wsj.com/articles/hackers-breach-college-applicant-databases-seek-ransom-11552003816
--Germany Publishes Telecom Network Supplier Security Requirements
(March 7 & 8, 2019)
Germanys Federal Network Agency, the Bundesnetzagentur (BNetzA), has published security guidelines for all telecommunications networks suppliers. The systems may only be sourced from trustworthy suppliers whose compliance with national security regulations and provisions for the secrecy of telecommunications and for data protection is assured. Security components will need to be certified by the Federal Office for Information Security, and network traffic must be constantly monitored for anomalies. Networks should use equipment from several manufacturers and should build in redundancy for key equipment.
[Editor Comments]
[Neely] Germany is working to legislate supply chain security by implementing standards that must be met and requiring monitoring for anomalous behavior detection rather than singling out suspect suppliers. Continued support beyond the development and deployment of 5G will be challenging.
Read more in:
ZDNet: Germany planning 'trustworthy' supplier requirement for all networks and 5G
Washington Post: Germany to require suppliers of 5G networks be trustworthy
--RSA: Researchers Say Easily Compromised Ultrasound Machine Reflects Hospital Cybersecurity Issues
(March 7, 2019)
At the RSA conference last week, researchers from Check Point Research described how they launched a proof-of-concept (POC) attack against an ultrasound machine at an Israeli hospital, with the hospitals permission. One of the researchers noted that because hospitals tend to have flat networks,it was trivial to locate a [connected] ultrasound machine. The ultrasound machine was running Windows 2000, which has been unsupported since July 2010. The researchers say the POC attack illustrates the cybersecurity problems prevalent at medical facilities.
Read more in:
Threatpost: RSA Conference 2019: Ultrasound Hacked in Two Clicks
https://threatpost.com/ultrasound-hacked/142601/
--San Francisco FBI Warns of SIM Swapping
(March 6, 2019)
The FBI in San Francisco has issued a public warning about an increase in the instance of SIM swapping. The FBI notes that many targets of SIM swappers are people who have significant investments in cryptocurrency.
[Editor Comments]
[Pescatore] A more complicated SIM swapping attack has been seen against corporate executives traveling outside their home country, especially to China and Russia. Cell phones and tablets with wireless data capabilities that are temporarily out of the executives possession (hotel rooms, meetings where cellphones are not allowed in the room, even at airport security checkpoints) had SIMs physically swapped, leading many companies to provide some corporate travelers to certain countries with clean burner phones.
Read more in:
FBI: FBI San Francisco Warns the Public of the Dangers of SIM Swapping
--CORRECTION
(March 12, 2019)
In Fridays NewsBites, we misspelled the last name of one of the SANS Immersion Academy graduates who presented at RSA. Carlota Bindner, not Binder, demonstrated common misconfiguration of U-Boot and strategies to harden embedded devices.
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Reversing HTA Files
https://isc.sans.edu/forums/diary/Quick+and+Dirty+Malicious+HTA+Analysis/24728/
Apache SOLR Patch
https://issues.apache.org/jira/browse/SOLR-13301
Windows 7 + Google Chrome Exploit in the Wild
https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
Vulnerable Car Alarms
https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
DevOps Tool StackStorm Vulnerability
https://quitten.github.io/StackStorm/
Gaming Industry Supply Chain Attack
https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/
Developers Will Not Code Secure By Default
https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
