
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #89

November 12, 2019

After Breach Capital One CISO Reassigned; SIM Swapping



****************************************************************************

SANS NewsBites                Nov. 12, 2019                Vol. 21, Num. 089

****************************************************************************

TOP OF THE NEWS

 

  Capital One CISO Reassigned After Breach

  SIM Swapping



REST OF THE WEEK'S NEWS


  Ransomware Hits SmarterASP.NET Hosting Provider

  New Mexico School District Ransomware Update

  Pemex Ransomware Attack

  Provider Explains Delayed Text Messages

  Texas Health and Human Services Commission Fined for HIPAA Violations

  U.S. Senator Wyden Seeks Mobile Voting App Audit

  US Election Cyberthreat Disclosure Framework

  DOJ Alleges Company Sold Vulnerable, Illegally Imported Surveillance Equipment


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS OnDemand and vLive Training

Get an 11" iPad Pro with Smart Keyboard, an HP ProBook, or Take $350 Off through November 13 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*********************  Sponsored By AWS Marketplace *************************


Live Webcast: Proactive Threat Hunting in AWS. David Aiken, AWS solutions architect, and Shaun McCullough, SANS instructor, SEC545 Cloud Security Architecture and Operations, share real-life examples of proactive threat hunting. These experts also advise on how to build a threat hunting program for the AWS environment, including tools and techniques for discovery and analysis. November 21, 2 PM ET. http://www.sans.org/info/214725


*****************************************************************************

TOP OF THE NEWS

 

--Capital One CISO Reassigned After Breach

(November 7 & 8, 2019)

Capital One has reassigned its chief information security officer (CISO) in the wake of a data breach. The attack compromised personal data related to more than 100 million card holders and card account applicants. Capital One disclosed the breach in July after the company was notified by an outside source; the initial intrusion had occurred at least four months prior. The individual who allegedly accessed the information exploited a misconfigured firewall. In the months following the disclosure, more than a dozen cybersecurity employees reportedly left Capital One because of frustration with security issues remaining inadequately addressed. The former CISO Michael Johnson will now serve as senior vice president and cybersecurity advisor. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] We've seen fewer reflexive "off with their heads" firings of CIOs and CISOs after breaches. Most boards are more sophisticated about cybersecurity these days, despite many of the myths out there. If the board wasn't warned of the risks or potential of incidents, different story - any position with Chief in the title is expected to keep the board aware of risks in their areas, and demonstrate strategy to mitigate the risk levels. Surprises are still bad!


Read more in:

WSJ: Capital One Senior Security Officer Being Moved to New Role (paywall)

https://www.wsj.com/articles/capital-one-senior-security-officer-being-moved-to-new-role-11573144068

Bank Infosecurity: Following Massive Breach, Capital One Replacing CISO: Report

https://www.bankinfosecurity.com/following-massive-breach-capital-one-replacing-ciso-report-a-13385

SC Magazine: Report: Recently breached Capital One reassigns its CISO

https://www.scmagazine.com/home/security-news/data-breach/report-recently-breached-capital-one-reassigns-its-ciso/


 

--SIM Swapping

(November 8 & 10, 2019)

Once SIM swappers have taken control of a targeted phone number, they often move quickly to lock rightful users out of their accounts, plunder data, and steal funds. A man in Toronto, Ontario, found his phone number had been ported by a thief, who made a purchase with his credit card and accessed his files, ultimately blackmailing him with videos that were stored in his cloud account. A man in Las Vegas, Nevada, lost US$24 million in Bitcoin to the thief who ported his number. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] In the US, telecom carriers continue to be barriers to making progress against attacks like malware, phishing and SIM swapping. In contrast, carriers in other countries routinely block known malicious executables and websites, and enable banks to check on recent SIM change actions before allowing an online transaction. In the US, the carriers just point to ongoing studies and the FCC takes no action. It is pretty much up to individuals to contact their carrier to see what additional measures (like additional levels of PIN or 2FA) are available to raise the bar against SIM swapping.


[Neely] The prevalence of SIM swapping highlights the risks of using your mobile phone for password recovery, either via SMS or phone call. Where possible, use other mechanisms and make sure that notifications of use include email or another mechanism not associated with your phone. The primary mitigation for SIM swapping is to have account security enabled with your provider. Also make sure that any security verification questions associated with that account are not based on discoverable information such as schools attended and places lived, making it harder to impersonate you.


[Murray] While the use of SMS for one-time passwords is dramatically more secure than reusable passwords, it has limitations [https://whmurray.blogspot.com/2018/08/limitations-of-one-time-passwords.html] which should be noted. These limitations include the persistent failure of the carriers to resist fraudulent changes. Prefer tokens for sensitive applications. Even this has limitations, but the banks seem to be doing a little better than the carriers at resisting fraudulent changes and timely notification of changes.


Read more in:

CBC: Attempted sextortion leads to call for stricter phone porting rules

https://www.cbc.ca/news/technology/phone-porting-extortion-1.5352300

WSJ: He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers (paywall)

https://www.wsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600



****************************  SPONSORED LINKS  *****************************


1) Download The SIEM Buyer's Guide for 2020 to learn the ROI benefits of adopting a modern SIEM solution. http://www.sans.org/info/214730


2) Webcast November 13th at 1 PM ET: Learn how your SecOps team can ingest events, reports and alerts from any number of sources using SOAR. http://www.sans.org/info/214735


3) ICYMI Webcast: Data Governance: What Dark Secrets Lurk in Your Salesforce Instance? http://www.sans.org/info/214740


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Ransomware Hits SmarterASP.NET Hosting Provider

(November 10 & 11, 2019)

Web hosting provider SmarterASP.NET is recovering from a ransomware attack that occurred on Saturday, November 9. SmarterASP.NET has more than 440,000 customers. SmarterASP notified affected users that their hosting accounts were attacked and their data had been encrypted. The company also said it was working with experts to try to decrypt customer data. As of Monday afternoon, SmarterASP's Facebook page said that 98 percent of accounts had been fixed.


[Editor Comments]


[Honan] Backup. Backup. And Backup again. If there is anything the ransomware epidemic should teach us, it is to live by that mantra.


Read more in:

ZDNet: Major ASP.NET hosting provider infected by ransomware

https://www.zdnet.com/article/major-asp-net-hosting-provider-infected-by-ransomware/

Threatpost: Ransomware Attack Downs Hosting Service SmarterASP.NET

https://threatpost.com/ransomware-attack-downs-hosting-service-smarterasp-net/150072/

Infosecurity Magazine: Hoster SmarterASP.NET Taken Down by Ransomware

https://www.infosecurity-magazine.com/news/hoster-smarteraspnet-taken/

SC Magazine: Ransomware attack knocks SmarterASP.net customers knocked offline

https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-knocks-smarterasp-net-customers-knocked-offline/

 
 

--New Mexico School District Ransomware Update

(November 8 & 11, 2019)

A ransomware attack that infected computers at the Las Cruces, New Mexico school district has kept all the schools offline since October 29. District officials said that they plan to scrub and reformat 30,000 hard drives, and that they will upgrade security hardware prior to reconnecting to the Internet. Each school currently has two scrubbed computers so that nurses can access medical records and administrators can access parent contact information and print transcripts. The district's email system was not affected, as it uses a cloud provider rather than the district's own systems.


[Editor Comments]


[Neely] This highlights the need to assess your ability to rebuild a large number of systems due to an incident and how that aligns to your recovery time objective. In this case, incremental service recovery is being used to provide services until additional systems can be returned online with additional security measures in place to prevent recurrence.


Read more in:

Edscoop: Ransomware forces New Mexico school district to scrub 30,000 devices

https://edscoop.com/ransomware-forces-new-mexico-school-district-scrub-30000-devices/

GovTech: Las Cruces, N.M., School District to Scrub 30,000 Computers

https://www.govtech.com/security/Las-Cruces-NM-School-District-to-Scrub-30000-Computers.html

 
 

--Pemex Ransomware Attack

(November 11, 2019)

Mexico's state-owned oil company, Pemex, was hit with a ransomware attack on Sunday, November 10. In a statement released on Monday, Pemex said that the attacks were detected and neutralized and that less than five percent of its computers were affected. In an internal email seen by Reuters, Pemex told employees to disconnect their computers from the company's network and to back up critical data.


[Editor Comments]


[Murray, Neely] Having a system in place to back up data, critical or otherwise, needs to be SOP (before the attack).


Read more in:

Reuters: Ransomware attack at Mexico's Pemex halts work, threatens to cripple computers

https://www.reuters.com/article/us-mexico-pemex/ransomware-attack-at-mexicos-pemex-halts-work-threatens-to-cripple-computers-idUSKBN1XM041

Bloomberg: Pemex Works to Strengthen System After Cyber Attack Attempts

https://www.bloomberg.com/news/articles/2019-11-11/pemex-workers-barred-from-computers-after-unexpected-shutdown

 
 

--Provider Explains Delayed Text Messages

(November 8, 2019)

The text messages that arrived nearly nine months after they were sent were the result of a server failure at text messaging provider Syniverse, according to a statement from the company. The server failed on February 14, 2019 and was reactivated last week. Normally, if a message cannot be delivered immediately, Syniverse stores it for up to 72 hours, then deletes it. In this case, the messages that were in the queue in February were sent when the server was reactivated on November 7.


Read more in:

Ars Technica: Why more than 168,000 Valentine's day text messages arrived in November

https://arstechnica.com/information-technology/2019/11/why-168149-valentines-day-text-messages-arrived-in-november/

Syniverse: Syniverse Updated Statement Regarding Recent Person-to-Person Text Messaging Event

https://www.syniverse.com/insights/syniverse-statement-regarding-person-to-person-messaging-event

 
 

--Texas Health and Human Services Commission Fined for HIPAA Violations

(November 7 & 11, 2019)

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has fined the Texas Health and Human Services Commission US$1.6 million for violations of the Health Insurance Portability and Accountability Act (HIPAA). Between 2013 and 2017, the electronic protected health information of 6,617 people was exposed when an internal application was moved from a private server to a public server and a coding flaw allowed access to the information without authentication.


[Editor Comments]


[Murray] HIPAA continues to discourage the use of digital systems for health care records; the opposite of its intent. These fines, while well intended and even necessary, are contributing to the problem.


Read more in:

Infosecurity Magazine: Texas Health Agency Fined $1.6m for Data Breach

https://www.infosecurity-magazine.com/news/texas-health-agency-fined-for-data/

HHS: OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html

 
 

--U.S. Senator Wyden Seeks Mobile Voting App Audit

(November 7 & 8, 2019)

US Senator Ron Wyden (D-Oregon) has asked Defense Secretary Mark Esper and the head of the National Security Agency and US Cyber Command, Gen. Paul Nakasone, to conduct a cybersecurity audit of Voatz, a mobile voting app that allows residents living overseas to cast ballots. Wyden is concerned about the lack of transparency that Voatz developers have offered regarding the app. Wyden writes that Voatz claims to have had an independent audit of its servers and the app, but has not disclosed the results of the audit or even the identity of the third-party auditors. Wyden urges DoD and the NSA to conduct an audit and to make the results public.


[Editor Comments]


[Pescatore] If the same exact Voatz app had been written in China, there would have been a blizzard of politicians issuing press releases demanding transparency if not a full ban. All voting software should be exposed to full open testing as part of procurement agreements.


[Murray] Purchasers of election systems should expect a Type II Service Auditors Report (SAS 70). This is an audit report intended for use by the purchasers or users of a service or product and is signed by the auditors.


Read more in:

Statescoop: Senator wants Pentagon cybersecurity review of mobile voting app Voatz

https://statescoop.com/senator-wants-pentagon-cybersecurity-review-mobile-voting-app-voatz/

Washington Post: Sen. Ron Wyden (D-Ore.) Letter Regarding Voatz

https://www.washingtonpost.com/context/sen-ron-wyden-d-ore-letter-regarding-voatz/e9e6dd4f-1752-4c46-8e37-08a0f21dd042/

 
 

--US Election Cyberthreat Disclosure Framework

(November 8, 2019)

The White House has released a framework for notifying federal legislators, state and local officials, private sector organizations, and the general public about foreign interference in US elections. Current law requires the FBI and DHS to notify entities that are victims of cyberattacks. The new framework requires decisions about election interference notifications to be reviewed by intelligence officials.


Read more in:

Cyberscoop: U.S. officials release framework for notifying public of foreign interference in elections

https://www.cyberscoop.com/foreign-interference-2020-election-odni-framework/

Fifth Domain: Here's the new plan for election cyberthreat notifications

https://www.fifthdomain.com/congress/capitol-hill/2019/11/08/heres-the-new-plan-for-election-cyberthreat-notifications/

 
 

--DOJ Alleges Company Sold Vulnerable, Illegally Imported Surveillance Equipment

(November 8, 2019)

The US Justice Department (DoJ) has charged Long Island, New York-based Aventura Technologies, Inc. and seven of its employees with fraud, money laundering, and illegally importing equipment from China. Aventura allegedly knowingly sold Chinese-made surveillance equipment that contained vulnerabilities to the US government and to private customers while claiming it was made in the US.


Read more in:

GovInfosecurity: DOJ: Company Sold Gear With Security Flaws to US Military

https://www.govinfosecurity.com/doj-company-sold-gear-security-flaws-to-us-military-a-13384

ZDNet: Aventura charged for flogging Chinese spy equipment to US gov't with security vulnerabilities

https://www.zdnet.com/article/firm-charged-for-flogging-chinese-spy-equipment-to-us-govt-with-known-security-vulnerabilities/

Justice: Aventura Technologies, Inc. and its Senior Management Charged with Fraud, Money Laundering and Illegal Importation of Equipment Manufactured in China

https://www.justice.gov/usao-edny/pr/aventura-technologies-inc-and-its-senior-management-charged-fraud-money-laundering-and


*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Microsoft Applications Diverted from Their Main Use

https://isc.sans.edu/forums/diary/Microsoft+Apps+Diverted+from+Their+Main+Use/25502/


Did BlueKeep Malware Affect Patching?

https://isc.sans.edu/forums/diary/Did+the+recent+malicious+BlueKeep+campaign+have+any+positive+impact+when+it+comes+to+patching/25506/


Are We Going Back to TheMoon (and How is Liquor Involved?)

https://isc.sans.edu/forums/diary/Are+We+Going+Back+to+TheMoon+and+How+is+Liquor+Involved/25512/


New Update for Magento Shopping Cart

https://magento.com/security/patches/latest-magento-security-update-helps-protect-recently-reported-rce-vulnerability

https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update


DShield/ISC Honeypot Update

https://isc.sans.edu/honeypot.html


Pwn2Own Summary

https://www.zerodayinitiative.com/blog/2019/11/7/pwn2own-tokyo-2019-day-two-final-results


ZoneAlarm vBulletin Forum Breached

https://thehackernews.com/2019/11/zonealarm-forum-data-breach.html


CSS Injection in Slack to Log Keystrokes

https://fletchto99.dev/2019/november/slack-vulnerability/


State of Javascript Framework Security

https://snyk.io/wp-content/uploads/snyk-javascript_report_2019.pdf



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create