SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #53
July 9, 2019
British Airways GDPR Fine 10% of Profits; Baltimore's Ransomware; CyberCom Warns of Outlook Attacks
In Memoriam: Michael Joseph Assante - the best man we ever knew. Rest in peace.
Mike died on Friday July 5th. Here are his last words to the community:
"As a good navy man, I relinquish the watch to your capable hands. Watch over each other and care for one other. The world is beautiful and worth fighting for the right principles and values. Know I am smiling right now!"
****************************************************************************
SANS NewsBites July 9, 2019 Vol. 21, Num. 053
****************************************************************************
TOP OF THE NEWS
UK's Information Commissioner's Office to Fine British Airways for GDPR Violations
Baltimore's Ransomware Recovery Progress
US CyberCom Warns of Attacks On Outlook
REST OF THE WEEK'S NEWS
Apple Fixes iMessage Flaw
Canonical GitHub Account Hacked
Eurofins Scientific Paid Ransomware Demand
PGP Flood Attacks
Border Surveillance Firm Suspended After Breach
D-Link Agrees to FTC Settlement
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************* Sponsored By Splunk *****************************
5 Key Ways CISOs Can Accelerate the Business. In a new report conducted by Forrester, CISOs are encouraged to align security with the enterprise, as well as juggle key innovations and manage the skills gap. Download your copy of 5 Key Ways CISOs Can Accelerate the Business and discover how to embed security into your business strategy. http://www.sans.org/info/213590
*****************************************************************************
TOP OF THE NEWS
-- UK's Information Commissioner's Office to Fine British Airways for GDPR Violations
(July 8, 2019)
The UK Information Commissioner's Office (ICO) has announced that it intends to fine British Airways (BA) £183.39M (€204.68 million/US $229.45 million) for violations of the General Data Protection Regulation (GDPR). The 2018 data breach exposed personal information of approximately 500,000 customers.
[Editor Comments]
[Pescatore] Another good source of data to use in briefing CEOs and Boards: Using typical numbers, that US $229.45 million fine is about 6% of BA's 2018 profit. It represents about $40 per record exposed, while the typical hard costs (dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc.) are typically $50-75 per record, or another $250M. So, the total cost of this one incident is about $500M or over 10% of BA's 2018 profit. The cost of making sure the web software didn't have easily exploited vulnerabilities before it was allowed on the website would have been less than 1% of that eventual cost.
[Honan] This announcement is a notice of intent by the ICO to fine British Airways. British Airways will contest this, and the final penalty may be different from the one announced here. Also, the proposed fine is not for the breach itself but, according to the ICO's statement, due to "poor security arrangements at the company". The proposed fine amounts to 1.5% of British Airways' revenue, so this should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously.
Read more in:
ICO: Intention to fine British Airways £183.39m under GDPR for data breach
BBC: British Airways faces record £183m fine for data breach
https://www.bbc.com/news/business-48905907
The Register: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt
https://www.theregister.co.uk/2019/07/08/ico_threatens_ba_with_huge_fine_for_huge_data_loss/
ZDNet: GDPR: Record British Airways fine shows how data protection legislation is beginning to bite
ZDNet: GDPR: British Airways faces record £183m fine for customer data breach
https://www.zdnet.com/article/gdpr-british-airways-faces-record-183m-fine-for-customer-data-breach/
Cyberscoop: British Airways fined $229 million under GDPR for data breach tied to Magecart
https://www.cyberscoop.com/british-airways-gdpr-fine-magecart/
Threatpost: Post-Data Breach, British Airways Slapped With Record $230M Fine
https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/
-- Baltimore's Ransomware Recovery Progress
(July 3, 2019)
The city of Baltimore, Maryland, is making gradual progress in restoring its systems in the wake of a May 7 ransomware attack. The city is now able to accept payments for parking tickets and property tax bills online. As of July 3, the Baltimore water billing system was still offline.
Read more in:
Baltimore Sun: Baltimore restores online payment systems for speeding and parking tickets and property taxes
https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-online-payments-20190703-story.html
-- US CyberCom Warns of Attacks On Outlook
(July 2 & 3, 2019)
US Cyber Command has issued an alert warning that hackers with links to the Iranian government have been exploiting a known sandbox escape vulnerability in Microsoft Outlook (CVE-2017-11774) to install malware on unpatched systems. Cyber Command has uploaded malware samples to VirusTotal. Microsoft released a fix for the vulnerability in October 2017.
[Editor Comments]
[Neely] Irrespective of the focus of the attack, make sure that your Office installations are up-to-date with current patches. Patches are available for Outlook 2010, 2013 and 2016.
[Murray] While application escape mechanisms may add some flexibility and function to application software, they continue to plague security. Even where rarely used, they are often, for "convenience," enabled by default.
Read more in:
Twitter: USCYBERCOM has discovered active malicious use of CVE-2017-11774...
https://twitter.com/CNMF_VirusAlert/status/1146130046127681536
The Register: US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw
https://www.theregister.co.uk/2019/07/03/outlook_flaw_iran/
SC Magazine: Cyber Command warns hackers exploiting Outlook vulnerability to attack gov't agencies
Bleeping Computer: Outlook Flaw Exploited by Iranian APT33, US CyberCom Issues Alert
Duo: US Cyber Command Warns of Targeted Attacks on Old Outlook Flaw
https://duo.com/decipher/us-cyber-commands-warns-of-targeted-attacks-on-old-outlook-flaw
**************************** SPONSORED LINKS ******************************
1) Simplify your OT security journey when deploying and operating OT networks. Register for Radiflow's upcoming webcast: http://www.sans.org/info/213575
2) Take the SANS 2019 Threat Hunting Survey and enter to win a $400 Amazon gift card! Survey closes July 10th: http://www.sans.org/info/213580
3) Sign up for the webcast "Backstory + VirusTotal: How to Get the Most Out of Your Security Data" with Chronicle and SANS expert Matt Bromiley: http://www.sans.org/info/213585
*****************************************************************************
REST OF THE WEEK'S NEWS
-- Apple Fixes iMessage Flaw
(July 8, 2019)
Apple fixed a high-severity vulnerability in iMessage that can be used to create a persistent denial-of-service condition on devices running versions of iOS older than 12.3. Once triggered, the DoS condition can be resolved only by resetting the device to factory settings. The flaw was initially detected by Google's Project Zero, which notified Apple about it several months ago. Apple fixed the problem with iOS 12.3, which was released on May 13, 2019, but according to one estimate 47 percent of iOS devices are still running vulnerable versions of the operating system. The flaw can be exploited by simply sending a target a maliciously crafted iMessage; no user interaction is required.
[Editor Comments]
[Neely] iOS 12.3 can be applied to iPhone 5S or later, iPad Mini 2 or later and 6th generation iPod touch or later. While iOS 12 includes an automatic update setting, the updates are applied at a random interval during the seven days after the update is released and the device has to be both connected to power and on a wireless network for that to work.
Read more in:
Threatpost: Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software
https://threatpost.com/apple-patches-imessage-bug/146277/
Duo: iMessage Flaw Can Brick iPhones
https://duo.com/decipher/imessage-flaw-can-brick-iphones
-- Canonical GitHub Account Hacked
(July 8, 2019)
On Saturday, July 6, hackers compromised a GitHub account that belongs to Canonical, the company that produces and supports the Ubuntu Linux distribution. It does not appear that Ubuntu source code has been affected.
Read more in:
ZDNet: Canonical GitHub account hacked, Ubuntu source code safe
https://www.zdnet.com/article/canonical-github-account-hacked-ubuntu-source-code-safe/
BankInfoSecurity: Canonical Investigating Hack of Its GitHub Page
https://www.bankinfosecurity.com/canonical-investigating-hack-its-github-page-a-12749
-- Eurofins Scientific Paid Ransomware Demand
(July 5, 2019)
Forensic services company Eurofins Scientific reportedly paid an undisclosed sum demanded in a ransomware attack. The attack occurred on June 2, and prompted UK police to suspend working with Eurofins. Some court proceedings were reportedly delayed because results of Eurofins analysis were not available.
Read more in:
Infosecurity Magazine: UK's Eurofins Scientific Reportedly Pays Ransom
https://www.infosecurity-magazine.com/news/uks-eurofins-scientific-reportedly/
ZDNet: UK's largest police forensics lab paid ransom demand to recover locked data
BBC: Eurofins Scientific: Forensic services firm paid ransom after cyber-attack
https://www.bbc.com/news/uk-48881959
-- PGP Flood Attacks
(July 1, 2, 3, & 5, 2019)
Attackers have poisoned at least two OpenPGP certificates by attaching tens of thousands of signatures to them. OpenPGP does not limit the number of signatures a certificate may carry, and GnuPG handles certificates with very large numbers of signatures poorly; importing or refreshing a poisoned certificate from the SKS keyserver network can leave a GnuPG installation unable to operate.
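One defensive check a practitioner can run before handing a downloaded certificate to GnuPG is to count its signature packets first. The following is an added example written for this newsletter summary; it is not code from the SKS operators, GnuPG, or the linked write-ups. It parses the OpenPGP binary packet stream (RFC 4880 section 4.2, old- and new-format headers), counts packets by tag, and rejects a certificate whose signature count exceeds a threshold. The limit of 1000 signatures is an assumed operational value, not something the specification or the articles define, and the sample certificates are constructed from synthetic packet bodies rather than real key material.

```python
"""Pre-import triage for signature-flooded OpenPGP certificates (binary, not ASCII-armored)."""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
MAX_SIGNATURES = 1000  # assumed operational limit, not from RFC 4880


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; supports old- and new-format headers (RFC 4880 4.2)."""
    i, n = 0, len(data)
    while i < n:
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError(f"bad packet header at offset {i - 1}")
        if first & 0x40:  # new-format header: tag in low 6 bits, variable-length octet count
            tag = first & 0x3F
            l1 = data[i]
            i += 1
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length = ((l1 - 192) << 8) + data[i] + 192
                i += 1
            elif l1 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        if i + length > n:
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def count_tags(cert: bytes) -> dict:
    """Return a mapping of packet tag -> number of packets with that tag."""
    counts = {}
    for tag, _ in iter_packets(cert):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def is_flooded(cert: bytes, max_signatures: int = MAX_SIGNATURES) -> bool:
    """True if the certificate carries more signature packets than we are willing to import."""
    return count_tags(cert).get(TAG_SIGNATURE, 0) > max_signatures


# --- constructed sample certificates: synthetic packet bodies, not real keys or signatures ---

def _new_packet(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def _old_packet(tag: int, body: bytes) -> bytes:
    # old format with a one-octet length (length type 0); bodies must be under 256 bytes
    return bytes([0x80 | (tag << 2), len(body)]) + body


def build_cert(num_sigs: int) -> bytes:
    key = _old_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)           # stand-in key packet
    uid = _new_packet(TAG_USER_ID, b"Example User <user@example.invalid>")
    sig = _new_packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 250)      # 252-byte body, two-octet length
    return key + uid + sig * num_sigs


if __name__ == "__main__":
    for label, sigs in (("normal", 3), ("flooded", 20000)):
        cert = build_cert(sigs)
        print(label, count_tags(cert), "REJECT" if is_flooded(cert) else "ok")
```

Run this over a certificate fetched with `gpg --export` or downloaded from a keyserver before importing it; anything flagged should be fetched from the key owner directly or via a keyserver that strips third-party signatures rather than refreshed from SKS.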
Read more in:
GitHub: SKS Keyserver Network Under Attack
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Threatpost: PGP Ecosystem Targeted in 'Poisoning' Attacks
https://threatpost.com/pgp-ecosystem-targeted-in-poisoning-attacks/146240/
Vice: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem
Bleeping Computer: Public Certificate Poisoning Can Break Some OpenPGP Implementations
Duo: OpenPGP Certificate Attack Worries Experts
https://duo.com/decipher/openpgp-certificate-attack-worries-experts
-- Border Surveillance Firm Suspended After Breach
(July 3, 2019)
US Customs and Border Protection (CBP) has suspended a subcontractor that stored sensitive data on its own corporate network, which was then breached. The company, Perceptics, allegedly copied images collected for CBP onto that network in violation of CBP rules.
[Editor Comments]
[Honan] Simply contracting a company not to do something or ensuring they have a relevant policy is not enough; you need to ensure you have the ability, and the capability, to audit and verify they meet your security requirements.
Read more in:
SC Magazine: Border-surveillance subcontractor suspended after cyberattack
-- D-Link Agrees to FTC Settlement
(July 2 & 3, 2019)
D-Link Systems has agreed to a settlement with the US Federal Trade Commission (FTC) over allegations that the company misrepresented efforts to secure its wireless routers and Internet-connected cameras. The proposed settlement imposes a number of requirements, including calling for D-Link to establish a comprehensive software security program, undergo third-party security assessments, and submit compliance reports to the FTC.
[Editor Comments]
[Pescatore] While the FTC is the most active enforcer of privacy rules the US government has, the severity of the punishment is like a gnat bite to GDPR's shark bite.
Read more in:
FTC: [Proposed] Stipulated Order for Injunction and Judgment
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
FTC: D-Link Agrees to Make Security Enhancements to Settle FTC Litigation
FTC: FTC Charges D-Link Put Consumers' Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (2017 Complaint)
The Register: D-Link must suffer indignity of security audits to settle with the Federal Trade Commission
SC Magazine: D-Link agrees to overhaul security in FTC settlement
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Powershell Kill Switch Commands
Malicious XSL Files
https://isc.sans.edu/forums/diary/Malicious+XSL+Files/25098/
Canonical Github Hack
https://news.ycombinator.com/item?id=20373009
Blocking DNS over HTTPS
https://github.com/bambenek/block-doh
Magento RCE Exploit
https://blog.ripstech.com/2019/magento-rce-via-xss/
Does "Godlua" Use DNS over HTTPS or Not?
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/
New Wave of Magecart Attacks
https://gist.github.com/gwillem/5d936f5a84837d5c1dcb488ce256294a
Exploit for Cisco Authentication Bypass and RCE
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-dcnm-rce.txt
Zipato SmartHub Vulnerabilities
https://blackmarble.sh/zipato-smart-hub/
Cloudflare Outage
https://www.cloudflarestatus.com/incidents/tx4pgxs6zxdr
Android Update
https://source.android.com/security/bulletin/2019-07-01
Facebook's Libra Crypto Currency Already Impersonated
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create