SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #28
April 9, 2019
Healthcare Cybersecurity; GAO: ID Theft Services Inadequate; UK University Penetration Tests Find Weak Defenses
Do you know a college student who is interested in Cybersecurity? Check out Cyber FastTrack-
Who is Cyber FastTrack for?
. College students aged 18 and above who want to land a dream job in cybersecurity and earn further scholarships
What's it all about?
. A free online learning program to help college students quickly learn the skills they need to fast track their way to a cybersecurity career
. As well as hours of free learning, students can earn scholarships for further study with SANS, or $500 towards college tuition
When is it open? April 5 to May 10
www.cyber-fasttrack.org
****************************************************************************
SANS NewsBites April 9, 2019 Vol. 21, Num. 028
****************************************************************************
TOP OF THE NEWS
Improving Cybersecurity in the Healthcare Sector
GAO: Current ID Theft Services Do Not Adequately Address Breach Risks
University Penetration Tests Find Weak Defenses
REST OF THE WEEK'S NEWS
Suspicious Equipment Found in Hotel Room of Alleged Mar-a-Lago Intruder
OPM Issues Final Rule on Direct Hiring Authority
DOJ Inspector General: FBI Needs to Improve Breach Notification Practices
Malicious Version of Bootstrap Sass Added to Repository
DHS Secretary Nielsen Resigns
Motel 6 Will Pay $12 Million for Sharing Guest Data with Immigration
Exodus Spyware Found in iOS Apps
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk *************************
One Phish, Two Phish, Three Phish, Fraud Phish. In this Seuss-inspired children's book, readers are taken on a colorful journey, discovering the many surprising ways fraud touches our everyday lives, including credit card scams, payroll fraud, financial aid swindles, healthcare deception, and wire transfer fraud, as well as phishing attacks, account takeovers, and more. http://www.sans.org/info/211710
***************************************************************************************
TOP OF THE NEWS
--Improving Cybersecurity in the Healthcare Sector
(April 3, 2019)
Healthcare organizations have responded to a request from US Senator Mark Warner (D-Virginia) to suggest ways to improve healthcare sector cybersecurity. Warner's office has not released the responses it received, but some of the entities that responded have released their ideas. The Health Information Sharing and Analysis Center (H-ISAC), along with the Cyber Working Group of the Health Sector Coordinating Council, met with Warner's staff. They encouraged the government to adopt cybersecurity best practices for the healthcare sector, including multifactor authentication, full disk encryption, least privilege access, network segmentation, and regular patching. The American Hospital Association wrote back suggesting an increased focus on medical device security.
[Editor Comments]
[Pescatore] In vendor marketing, I always look for null value words (like "holistic" and "heuristic") and substitute the real meaning ("non-existent" and "undocumented"). In government press releases, the word "encourage" generally means "issue more letters and reports." The only meaningful ways government can "encourage" higher levels of security is to require security as a heavily weighted factor in all procurements, or to enforce existing regulations around cybersecurity. Only after doing that, should looking at new regulations be on the table, let alone just more "encouragement."
[Murray] "HIPAA is in the ditch." While well intended, not only has it not delivered the security intended, it has had the unintended and perverse effect of resisting the use of digital technology in health care and the "portability" of those records. Trying to avoid "prescription," it has asked health care institutions to make and use risk assessments that most do not have the necessary knowledge, skill, abilities, and experience to make. In the meantime, the environment has become far more hostile than might have been expected when the HIPAA security guidelines were published. Health Care institutions should first comply with essential practices, known to be effective and efficient, and use "risk management" for making exceptional decisions and justifying expensive measures. Regulators should reform the HIPAA privacy rules.
Read more in:
GovInfoSecurity: Groups Offer Ideas for Improving Healthcare Cybersecurity
https://www.govinfosecurity.com/groups-offer-ideas-for-improving-healthcare-cybersecurity-a-12336
--GAO: Current ID Theft Services Do Not Adequately Address Breach Risks
(April 1, 2019)
The US Government Accountability Office (GAO) has reiterated its position that Congress "should consider permitting agencies to determine the appropriate coverage level for" identity theft insurance. GAO found that breaches pose a broad range of risks and that identity theft services do not adequately address the risks faced by people whose information has been compromised. GAO also noted that identity theft services are sometimes offered more to reduce the liability of the breached entity than to protect consumers.
[Editor Comments]
[Pescatore] The GAO numbers indicate how useless these services are. Of the 22M people affected by the OPM breach, 3M have used the identity theft insurance coverage and 61 have received a total of $110K in compensation. OPM obligated a total of $421M for the coverage, which is just under $20/victim. That means they spent at least $60M to provide $110K in compensation - an enormous waste of money.
[Neely] Despite the low numbers of people using the services, having monitoring to watch for disclosure of your personal information as well as freezing your credit reports are important mitigations as today's attacks become increasingly sophisticated. By providing protection better aligned with the disclosure risks, agencies can avoid the OPM dilemma of a large reserved but unspent budget hit for unnecessary services.
Read more in:
GAO: Range of Consumer Risks Highlights Limitations of Identity Theft Services (PDF)
https://www.gao.gov/assets/700/697985.pdf
Nextgov: Identity Theft Services Inefficient at Addressing Data Breach Risks, Watchdog Says
--University Penetration Tests Find Weak Defenses
(April 4, 2019)
A series of penetration tests against more than 50 UK universities was successful in every case, and in each case within two hours. The pen testers were able to access staff and student information, financial systems, and research databases. The most effective approach was spear phishing.
[Editor Comments]
[Murray] However, US colleges and universities are dramatically more secure than they were a generation ago, when the Clinton administration found that seventy-five percent of the attack traffic in the Internet could be traced to, but not beyond, a(n) (open) college or university.
Read more in:
BBC: Hackers beat university cyber-defences in two hours
https://www.bbc.com/news/education-47805451
Hepi: How safe is your data? Cyber-security in higher education (PDF)
**************************** SPONSORED LINKS ******************************
1) Threat Hunting using DNS: A MasterClass with Dr. Paul Vixie and Ben April in Reston, VA Go to: http://www.sans.org/info/211715
2) ICYMI SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended. http://www.sans.org/info/211720
3) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211725
*****************************************************************************
REST OF THE WEEK'S NEWS
--Suspicious Equipment Found in Hotel Room of Alleged Mar-a-Lago Intruder
(April 8, 2019)
In the hotel room of alleged Mar-a-Lago intruder Yujing Zhang, law enforcement agents found multiple SIM cards and USB drives, a signal detector of the kind used to sweep rooms for hidden cameras, and more than $7,500 in US currency. Zhang was arrested last week when she allegedly attempted to gain entry to the private Mar-a-Lago club in Florida. At the time, she was allegedly carrying multiple cellphones, a laptop, and a USB drive that has since been found to begin installing files on a computer as soon as it is plugged in. The additional details were revealed at a bond hearing on Monday, April 8.
[Editor Comments]
[Ullrich] It is a bit disconcerting that the Secret Service agent plugged the USB drive into his computer essentially to "see what happens." He may have destroyed evidence and infected his computer while also leaking documents from it if it was network-connected at the time.
[Williams] It is extremely difficult to protect networks against physical access attacks. Organizations with areas open to the public (hotels, retailers, etc.) face special challenges with restricting physical access since identifying a physical access threat isn't just a binary "are they one of us or not?" If your organization allows untrusted visitors within reach of your IT systems, use this event as a catalyst to re-evaluate how you will detect if your network has been compromised by a physical access threat.
Read more in:
Ars Technica: Thumb drive carried by Mar-a-Lago intruder immediately installed files on a PC
--OPM Issues Final Rule on Direct Hiring Authority
(April 3, 2019)
The US Office of Personnel Management (OPM) has issued its final rule giving agencies the ability to fast-track hiring for IT and cyber positions. The rule is effective May 3, 2019, and applies in cases where agency heads determine that they are facing a "severe shortage" of employees in these areas. Under the rule, agency heads may hire people for a period of up to four years and may extend the appointment for an additional four years. People hired under the rule may not be transferred to non-IT positions.
Read more in:
FCW: OPM issues final rule on direct-hire for cyber
https://fcw.com/articles/2019/04/03/opm-direct-hire-authority.aspx
Govinfo: Office of Personnel Management Final Rule (PDF)
https://www.govinfo.gov/content/pkg/FR-2019-04-03/pdf/2019-06396.pdf
--DOJ Inspector General: FBI Needs to Improve Breach Notification Practices
(April 1 & 5, 2019)
A report from the US Department of Justice Office of the Inspector General (DOJ OIG) says that the Federal Bureau of Investigation (FBI) needs to improve the way it notifies victims of cybersecurity breaches. According to the report, notifications are often delivered too late or do not contain sufficient information for victims to take action to protect themselves. The FBI is not using its Cyber Guardian system as it was designed to be used. The report says breach notification could be improved if the FBI cooperated with other agencies and allowed them to enter data in Cyber Guardian as well.
[Editor Comments]
[Ullrich] Breach notifications are a thankless and labor-intensive undertaking. It is often difficult to identify the victim, find correct contact information and provide sufficient detail for the victim to verify the breach. Cooperating may certainly help as suggested in the article, but ultimately this is a manpower problem. Also, the large number of fake breach reports and scammers impersonating agencies in phone calls suggesting breaches makes the process even more difficult.
[Murray] Security professionals should act on FBI warnings but should not rely upon them as the sole, or even primary, source of intelligence. The time to discovery of breaches reported in the Verizon Data Breach Incident report indicates that relying upon external sources contributes to late discovery.
Read more in:
ZDNet: FBI criticized for delaying breach notifications, including insufficient details
Cyberscoop: Inspector general finds deficiencies in how FBI tells companies they've been breached
https://www.cyberscoop.com/fbi-inspector-general-breach-notification-report/
OIG.justice: Audit of the Federal Bureau of Investigation's Cyber Victim Notification Process (PDF)
https://oig.justice.gov/reports/2019/a1923.pdf
--Malicious Version of Bootstrap Sass Added to Repository
(April 4 & 5, 2019)
A backdoored release of bootstrap-sass, the Ruby gem that packages the Bootstrap front-end framework for Sass users, was published to the RubyGems repository. The malicious release, version 3.2.0.3, contains a backdoor; developers have been alerted to check their dependencies and update. The issue has been addressed in version 3.4.0.2.
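The practical question for a Rails shop after this item is whether the bad release is resolved anywhere in its lockfiles. The following is an added example, not code from the news item or from the bootstrap-sass project: it parses a Bundler Gemfile.lock and flags the backdoored release named above. The version numbers come from the item; the sample lockfile is constructed for illustration, and the only assumption about Bundler is its documented lockfile layout (resolved gems under "specs:" at four spaces of indentation, their dependencies at six).

```ruby
# Added example (not from the news item or the bootstrap-sass project):
# audit a Bundler Gemfile.lock for the backdoored bootstrap-sass release.
require 'rubygems' # Gem::Version gives correct multi-segment version comparison

BACKDOORED_BOOTSTRAP_SASS = Gem::Version.new('3.2.0.3') # malicious release named in the item
FIXED_BOOTSTRAP_SASS      = Gem::Version.new('3.4.0.2') # release the item says addresses it

# Constructed Gemfile.lock in the layout Bundler writes: resolved gems sit under
# "specs:" at four spaces of indentation, their dependency lines at six.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      rails (5.2.3)
      sassc (2.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2)
    rails (~> 5.2)

  BUNDLED WITH
     2.0.1
LOCK

# Return { gem_name => version_string } for every gem resolved in the lockfile.
# Only the "specs:" blocks are read, so the looser constraints under
# DEPENDENCIES (e.g. "~> 3.2") are never mistaken for resolved versions.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true                     # entering a GEM/PATH/GIT specs block
    elsif line =~ /\A\S/
      in_specs = false                    # any unindented line starts a new section
    elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs[$1] = $2                      # exactly four spaces: a resolved gem, not a dependency
    end
  end
  specs
end

# Return human-readable findings about bootstrap-sass; empty means nothing to do.
def audit_lockfile(lock_text)
  findings = []
  raw = parse_lockfile_specs(lock_text)['bootstrap-sass']
  return findings unless raw
  version = Gem::Version.new(raw)
  if version == BACKDOORED_BOOTSTRAP_SASS
    findings << "bootstrap-sass #{raw}: backdoored release; upgrade to #{FIXED_BOOTSTRAP_SASS} or later"
  elsif version < FIXED_BOOTSTRAP_SASS
    findings << "bootstrap-sass #{raw}: predates the fixed release #{FIXED_BOOTSTRAP_SASS}; review and upgrade"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_lockfile.rb [path/to/Gemfile.lock]; without a path the constructed sample is used.
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  findings = audit_lockfile(text)
  puts(findings.empty? ? 'OK: no known-bad bootstrap-sass release resolved' : findings)
end
```

Run it against every Gemfile.lock in your repositories (including those in vendored or archived branches), not just the one on the current deploy branch; a lockfile that still resolves 3.2.0.3 will pull the backdoored gem back in on the next bundle install.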
Read more in:
Cyberscoop: Backdoor vulnerability in open source tool exposes thousands of apps to remote code execution
https://www.cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/
ZDNet: Backdoor code found in popular Bootstrap-Sass Ruby library
https://www.zdnet.com/article/backdoor-code-found-in-popular-bootstrap-sass-ruby-library/
--DHS Secretary Nielsen Resigns
(April 7 & 8, 2019)
Kirstjen Nielsen has resigned her position as Secretary of the Department of Homeland Security (DHS). Nielsen's appointment as secretary in December 2017 was notable due to her background in cybersecurity. Nielsen's resignation has an effective departure date of April 10; after that date, Kevin McAleenan will become acting DHS Secretary. McAleenan is currently the US Customs and Border Protection Commissioner.
Read more in:
SC Magazine: DHS Secretary Nielsen resigns
https://www.scmagazine.com/home/government/dhs-secretary-nielsen-resigns/
MeriTalk: DHS Losing Cyber-Forward Leader as Kirstjen Nielsen Resigns
https://www.meritalk.com/articles/dhs-losing-cyber-forward-leader-as-kirstjen-nielsen-resigns/
--Motel 6 Will Pay $12 Million for Sharing Guest Data with Immigration
(April 5, 2019)
Motel 6 has been ordered to pay the US State of Washington US $12 million for sharing guest information with Immigration and Customs Enforcement (ICE) without first receiving a warrant. While the lawsuit was filed in Washington state, the practice occurred across the country. Most of the money will be shared among the 80,000 people whose privacy was violated. Motel 6 has signed a legally binding agreement stating that it will not share guest information without a warrant, a subpoena, or a credible reason to believe an individual is in danger.
[Editor Comments]
[Neely] The claim is that the decision to share information with ICE was a local one. Regardless of where the decision is made, caution should be used to share information only after following due process to avoid liability for inappropriate disclosure.
[Williams] This is a serious breach of confidentiality. While fourth amendment protections prevent warrantless searches by law enforcement, commercial organizations can search their own data without a warrant. The information obtained from a commercial organization can then be sent to law enforcement, bypassing constitutional protections. These concerns extend to organizations trying to de-anonymize data as well. When data from multiple organizations is aggregated, a fuller picture of an individual may result than the data owner believed was possible. This is one of the reasons that GDPR protections are so important: it is impossible to anticipate how data may be used after it is collected. It is highly unlikely that any of Motel 6's guests considered the possibility that their data would be turned over to ICE.
Read more in:
Seattle Times: Motel 6 to pay Washington $12M for giving information on 80,000 guests to ICE
SC Magazine: Motel 6 to pay $12M for sharing guest info with ICE
https://www.scmagazine.com/home/security-news/motel-6-to-pay-12m-for-sharing-guest-info-with-ice/
AGPortal: State of Washington, Plaintiff, v. Motel 6 Operating L.P. And G6 Hospitality LLC: Consent Decree (PDF)
--Exodus Spyware Found in iOS Apps
(April 8, 2019)
A version of the Android spyware found in about 25 apps in the Google Play store several weeks ago has now been detected in apps for iOS devices. None of the apps is in the Apple App Store. The spyware, called Exodus, is made by an Italian company that sells surveillance tools to law enforcement authorities. The iOS version is less sophisticated than the Android version.
[Editor Comments]
[Ullrich] Without being served from the App Store, it will be difficult for victims to get infected with this malware. Only jailbroken devices should be susceptible to this malware.
[Neely] Apps delivered outside the official app stores haven't had the same vetting nor do they have the protections from the Apple App Store or Google Play Protect that will uninstall apps that are discovered to contain malware. In short, install from the official app stores.
Read more in:
Ars Technica: Well-funded surveillance operation infected both iOS and Android devices
Threatpost: SAS 2019: Exodus Spyware Found Targeting Apple iOS Users
https://threatpost.com/exodus-spyware-apple-ios/143544/
ZDNet: Security researchers discover iOS version of Exodus Android spyware
https://www.zdnet.com/article/security-researchers-discover-ios-version-of-exodus-android-spyware/
INTERNET STORM CENTER TECH CORNER
Fake Office 365 Invoices Spread Ransomware
https://isc.sans.edu/forums/diary/Fake+Office+365+Payment+Information+Update/24818/
Malware Hiding in Well-Known Directory
https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites
Altering CT Images to Manipulate Diagnosis
https://arxiv.org/pdf/1901.03597.pdf
QT Framework RCE Vulnerability
TrendMicro Patch
https://success.trendmicro.com/solution/1122250
Ghidra vs. IDA
Dovecot Patch
https://dovecot.org/list/dovecot-news/2019-March/000403.html
Apache CVE-2019-0211 Exploit
https://github.com/cfreal/exploits/tree/master/CVE-2019-0211-apache
Using JavaScript in Exploits
https://www.youtube.com/watch?v=HfpnloZM61I
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create