SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #6
January 22, 2019Google Fined 50 Million Over GDPR Privacy Violations
****************************************************************************
SANS NewsBites Jan. 22, 2018 Vol. 21, Num. 006
****************************************************************************
TOP OF THE NEWS
Google Fined 50 Million Over GDPR Violations
REST OF THE WEEKS NEWS
US Senators Concerned About Potential Cyber Risks of New DC Metro Rail Cars
WordPress Plug-in Website Restored After Breach and Defacement
DNC Says Russian Hackers Targeted It Again in November 2018
Microsoft Partner Portal Data Leak Exposes Support Ticket Titles
Canadas Health Sciences North Puts Systems on Downtime to Protect Them From Computer Virus
ThreadX WiFi Firmware Flaw
Critical Flaw in Cisco Small Business Switch Software
Baltimore Mayor Orders Security Review After Suspicious Materials Found on Employees Computer
Third-Party Temporary Patch for Windows Error Reporting Vulnerability
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad, ASUS Chromebook, or Take $250 Off with OnDemand or vLive. Offer Ends January 23.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
**************** Sponsored By Amazon Web Services, Inc. ********************
AWS and John Pescatore Present Best Practices for Cloud Security January 31 (special time 2 PM ET). Learn how to use the NIST Cyber Security Framework to identify gaps and prioritize efforts and technologies used in protecting cloud workloads and data in this first installment of the SANS AWS monthly series. Register here: http://www.sans.org/info/209910
*****************************************************************************
TOP OF THE NEWS
--Google Fined 50 Million Over GDPR Violations
(January 21, 2019)
French data regulator CNIL has fined Google 50 million (US$ 57 million) for violations of the General Data Protection Regulation (GDPR). CNIL says that Google failed to make its data collection policies easily accessible and that it did not obtain sufficient, specific, consent for ad personalization across its services.
[Editor Comments]
[Pescatore] The ruling against Google focuses on making it hard for users to understand what data is being collected and sold, as well as the basic opt-out, if you can figure out how philosophy that causes users to automatically give away their data when enrolling in a service and is prohibited by GDPR. Users and not just regulators are giving real pushback against abuse of their privacy. While the GDPR fine represents less than 3 hours of Google revenue, Googles updated Code of Conduct commits the company to beingmeasured against the highest possible standards of ethical business conduct. They came up short here and should change their conduct.
[Honan] While the 50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Googles approach to gathering peoples personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use peoples personal data in line with the GDPR.
[Neely] This and future GDPR decisions could lead to two things. First, changes to privacy policies and settings from providers such as Google and Facebook to demystify their use of this data and second, a chance find out if the expert advice we followed to meet GDPR is accurate.
[Shpantzer] The Googles and Facebooks of the world will be fine, and they can afford to take on EU regulators. Its the blue team defenders Im worried about, having to justify their every move to keep their own networks safe, having nothing to do with a business model that sells data about their users to third parties. Based on the denials and delays of legitimate security work due to privacy shops citing GDPR, either GDPR authors failed to make it clear that security logs for protecting the enterprise are good for privacy (breach = zero privacy after all), and/or the privacy community isnt getting that message. Cybersecurity folks cannot protect their networks and fix GDPR and the privacy communitys (mis)understanding of GDPR.
Read more in:
CNIL: The CNILs restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC
BBC: Google hit with 44m GDPR fine over ads
https://www.bbc.com/news/technology-46944696
Ars Technica: Google must pay 50 million for GDPR violations, France says
ZDNet: GDPR: Google hit with 50 million fine by French data protection watchdog
**************************** SPONSORED LINKS ******************************
1) Don't Miss "Game Changing Defensive Strategies for 2019" with Alissa Torres. Register: http://www.sans.org/info/209915
2) SANS Automation & Integration Security Briefing: SOARing to New Heights - Using Orchestration & Automation Tools in the Way They're Intended. Learn More: http://www.sans.org/info/209920
3) The 14th Annual ICS Security Summit: Orlando, Florida - Mar 18-19. http://www.sans.org/info/209925
*****************************************************************************
REST OF THE WEEKS NEWS
--US Senators Concerned About Potential Cyber Risks of New DC Metro Rail Cars
(January 21, 2019)
Four US Senators have written to the Washington Metropolitan Area Transit Authority (WMATA) to express their concerns about foreign bidding on a DC Metro contract for new railcars. Specific concerns include the possibility that surveillance cameras and automated components of the cars could pose a cyber risk. WMATA has said it plans to amend an earlier request for proposals to include cybersecurity protocols; the letter also asks for specifics.
[Editor Comments]
[Pescatore] Good idea for all Requests for Proposals/Tenders to include cybersecurity requirements, including from all domestic suppliers. SANS gave Boeing procurement manager John Martin a Difference Makers award two years ago for doing just that across over 300 suppliers to Boeing.
[Weatherford] Classic use case for ensuring that the security folks are part of the contracting and procurement process. The timeline of events isnt clear, but heaven help us if it actually took a letter from Congress to get WMATA to amend the RFP and include a review of security requirements.
[Shpantzer] Its not like DC traffic cameras were ransomwared a couple of years ago (oh wait they were), so every system on the net is vulnerable, foreign bidding or otherwise.
Read more in:
Cyberscoop: Senators worry that new D.C. Metro railcars could carry cyber risk
https://www.cyberscoop.com/dc-metro-wmata-china-cars-cybersecurity-risk/
Scribd: Letter to WMATA
https://www.scribd.com/document/397856431/WMATA-Cyber-Concerns-8000-Series-Rail-Car-RFP
--WordPress Plug-in Website Restored After Breach and Defacement
(January 20 & 21, 2019)
A former employee hacked the website of WordPress plug-in WPML (WP MultiLingual), a popular translation plug-in. The former employee sent a mass email to all WPML customers claiming that there were vulnerabilities in the plug-in and providing links for them to follow. WPML says the incident was the work of a former employee who left a backdoor on the website. The attack occurred over the weekend and the site has been fully restored. WPML has more than 600,000 customers who pay for the service.
Read more in:
WPML: WPML.org Site Back to Normal After an Attack During the Weekend
https://wpml.org/2019/01/wpml-org-site-back-to-normal-after-an-attack-during-the-weekend/
ZDNet: Popular WordPress plugin hacked by angry former employee
https://www.zdnet.com/article/popular-wordpress-plugin-hacked-by-angry-former-employee/
Cyberscoop: Former WPML employee hacks plugin website to spam customers
https://www.cyberscoop.com/wordpress-wpml-website-hacked/
--DNC Says Russian Hackers Targeted It Again in November 2018
(January 18 & 19, 2019)
The US Democratic National Committee (DNC) says that Russian hackers attempted to infiltrate its computers just after the November 2018 elections. In a count filing that amended an earlier complaint, the DNC wrote that On November 14, 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although here is no evidence that the attack was successful.
Read more in:
The Register: US midterms barely over when Russians came knocking on our servers (again), Democrats claim
https://www.theregister.co.uk/2019/01/18/russia_hack_democrats/
ZDNet: DNC says Russia tried to hack its servers again in November 2018
https://www.zdnet.com/article/dnc-says-russia-tried-to-hack-its-servers-again-in-november-2018/
--Microsoft Partner Portal Data Leak Exposes Support Ticket Titles
(January 18, 2019)
A bug in the Microsoft Partner Portal allowed support partners to see the titles of all submitted support tickets worldwide. A Microsoft spokesperson told The Register, Weve addressed an issue that impacted a small subset of functions on our Partner Centre portal and were working to restore normal operation.
Read more in:
The Register: Microsoft partner portal 'exposes 'every' support request filed worldwide' today
https://www.theregister.co.uk/2019/01/18/microsoft_partner_portal_support_request_data_visible/
--Canadas Health Sciences North Puts Systems on Downtime to Protect Them From Computer Virus
(January 17 & 18, 2019)
A malware infection that hit an electronic health records system at Health Sciences North in Sudbury, Ontario, Canada has prompted the organization to put all of its systems on downtime to prevent the malware from spreading. The decision resulted in cancelled surgeries, postponed treatments, and other delays.
[Editor Comments]
[Williams] A reminder to have a "break glass in case of emergency" plan ready to execute. Security teams need to articulate which actions they can take to stem the spread of an infection, who can authorize those actions, and under what conditions they will do so. Any action that degrades the operation of the business should be planned for before an incident, especially for time critical actions.
Read more in:
CBC: Virus affecting IT system at Health Sciences North impacting health care across the region
https://www.cbc.ca/news/canada/sudbury/hsn-it-virus-update-1.4982267
Globe and Mail: Computer virus causes delays at dozens of Northern Ontario hospitals
SC Magazine: Cyberattack forces Health Sciences North to place systems on downtime at 24 hospitals
--ThreadX WiFi Firmware Flaw
(January 18, 2019)
A security flaw in widely used WiFi chip firmware could be exploited to execute arbitrary code with no user interaction. The issue exists in the ThreadX real-time operating system (RTOS), which is used in devices from gaming consoles to laptops to smartphones. The researcher who found this flaw also discovered three additional security issues affecting the firmware.
Read more in:
ZDNet: WiFi firmware bug affects laptops, smartphones, routers, gaming devices
https://www.zdnet.com/article/wifi-firmware-bug-affects-laptops-smartphones-routers-gaming-devices/
Bleeping Computer: Vulnerabilities Found in Highly Popular Firmware for WiFi Chips
--Critical Flaw in Cisco Small Business Switch Software
(January 18, 2019)
A critical flaw in Ciscos Small Business Switch software could be exploited to allow unauthenticated users gain full administrative privileges. The issue lies in a privileged user account in the devices default configuration. The account is used for initial login and cannot be removed. The admin can disable the account by configuring other user accounts to access privilege level 15. However, if all the level 15 accounts are removed, the default account is once again enabled and the admins are not notified. There are currently no patches for the vulnerability; Cisco has offered a workaround.
Read more in:
Cisco: Cisco Small Business Switches Privileged Access Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sbsw-privacc
Threatpost: Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
https://threatpost.com/critical-unpatched-cisco-flaw/141010/
--Baltimore Mayor Orders Security Review After Suspicious Materials Found on Employees Computer
(January 17, 2019)
Baltimore Mayor Catherine Pugh has ordered a security review after an employee was found to have given himself access to the computer of the director of the Department of Public Works. An investigation also found suspicious materials on the employees computer and he was fired. The individual, who worked at Baltimores water agency, was not identified in a recently released summary of the investigation, but a man who has identified himself as the subject of the investigation says that the findings are a misunderstanding of the situation.
[Editor Comments]
[Weatherford] Suspicious materials that include a guide to defeating electronic door locks, information on how to improvise lock picks and copies of The Anarchist Cookbook and activist Abbie Hoffmans Steal This Book. Ill bet many of us have these same suspicious materials on our computersAT HOME. Sounds like this guy was guilty of poor judgement rather than criminal activity but there is still no excuse for it, its unauthorized. One thing hasnt changed in the security business over the yearsthe difference between poor judgement and illegal behavior is often just . . . permission.
Read more in:
Baltimore Sun: Baltimore mayor orders security review after city employee found with hacking tools on his computer
--Third-Party Temporary Patch for Windows Error Reporting Vulnerability
(January 18 & 21, 2019)
A third party patch has been released for a vulnerability in Windows that Microsoft did not patch in its January security update. The temporary fix addresses a flaw in the Windows Error Reporting (WER) system that could be exploited to overwrite and replace files. The same organization says it is close to having a temporary patch ready for a second Windows flaw that was not addressed in the January update.
Read more in:
Bleeping Computer: Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch
ZDNet: Temporary fix available for one of the two Windows zero-days released in December
INTERNET STORM CENTER TECH CORNER
Suspicious GET Request: Do you know what it is?
https://isc.sans.edu/forums/diary/Suspicious+GET+Request+Do+You+Know+What+This+Is/24552/
Targeted Attack Uses Google Drive for Exfiltration
Drupal Patches
https://www.drupal.org/sa-core-2019-002 (PHP code execution)
https://www.drupal.org/sa-core-2019-001 (Third Party Libraries)
Packet Challenge Solution
https://johannes.homepc.org/packet8.txt
DNS Flag Day
WPML User Data Compromised and Used in EMail To Customers
https://wpml.org/2019/01/wpml-org-site-back-to-normal-after-an-attack-during-the-weekend/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
