SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #93
November 26, 2019
****************************************************************************
SANS NewsBites Nov. 26, 2019 Vol. 21, Num. 093
****************************************************************************
TOP OF THE NEWS
NYPD Fingerprint Database Computers Infected with Ransomware
Livingston, NJ Schools Ransomware
Ransomware Attack Affects More than 100 Nursing Homes
REST OF THE WEEK'S NEWS
US Dept. of Energy Audit Finds Security Weaknesses
Alleged Jack Dorsey Hacker Arrested
Twitter Lets Users Enroll in 2FA Without a Phone Number
FBI Warns of Cyberattacks Targeting Auto Industry
Obstruction Lighting Control Panels Found Unprotected on Internet
Target is Suing its Insurance Company Over Costs Associated with 2013 Data Breach
Updated FISMA Guidance
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By SANS ********************************
Attend SANS Cyber Threat Intelligence Summit | Arlington, VA | Jan 20-21
Hear from the experts and bring order to the chaos by learning how to properly create and maintain threat intelligence in your organization. http://www.sans.org/info/214865
*****************************************************************************
TOP OF THE NEWS
--NYPD Fingerprint Database Computers Infected with Ransomware
(November 25, 2019)
A contractor installing a digital display at the New York City Police Department inadvertently infected computers connected to the department's LiveScan fingerprint tracking system. The malware was introduced when the contractor plugged an infected NUC mini-PC into the network. Although the malware did not execute, NYPD decided to take LiveScan down and reinstall software on 200 department computers around the city.
[Editor Comments]
[Neely] The need for procedures when connecting third-party components to the corporate network is critical to ensure that no collateral damage happens. Even so, segmentation of components is a key further mitigation to contain damage when malware is introduced despite controls.
[Murray] The common practice of allowing third parties to install servers or other devices on flat networks is proving to be very dangerous; think Target. "Zero trust," not flat or even "structured," networks are no longer optional. "Process-to-process isolation" is a fundamental principle of security.
Read more in:
SC Magazine: NYPD fingerprint database touched by ransomware
Threatpost: NYPD Fingerprint Database Taken Offline to Thwart Ransomware
https://threatpost.com/nypd-fingerprint-database-ransomware/150592/
--Livingston, NJ Schools Ransomware
(November 24, 2019)
The Livingston (New Jersey) Public Schools experienced a ransomware attack on November 21. The incident caused the district to delay the start time for schools by two hours on Monday, November 25. According to the Superintendent, some district services are back online, but the phone system and Parent Access Portal were not accessible as of the weekend.
Read more in:
Bleeping Computer: Livingston School District in New Jersey Hit With Ransomware
Patch: Virus Infects Livingston School CPU Servers; Delayed Opening
https://patch.com/new-jersey/livingston/virus-infects-livingston-school-cpu-servers-delayed-opening
--Ransomware Attack Affects More than 100 Nursing Homes
(November 23 & 25, 2019)
A ransomware attack affected access to patient data at more than 100 nursing homes in the US. The November 17 attack hit Wisconsin-based Virtual Care Provider Inc. (VCPI), which provides data hosting, security, and access management for nursing homes and acute care facilities. The attack poses a threat to patient health at some facilities because medication orders cannot be processed. The attackers are demanding $14 million in Bitcoin.
[Editor Comments]
[Murray] This is not the first case we have seen, or even the first in healthcare, where all the customers of an application service provider have been injured by a successful extortion attack against the service provider. Before relying upon a service for a mission critical application, ensure (think contract provision) that the service is isolated from the other applications and systems, particularly e-mail and browsing, of the provider.
Read more in:
KrebsOnSecurity: 110 Nursing Homes Cut Off from Health Records in Ransomware Attack
SC Magazine: Ransomware attack on nursing homes' services provider threatens lives
GovInfosecurity: Attackers Demand $14 Million Ransom From IT Services Firm
https://www.govinfosecurity.com/attackers-demand-14-million-ransom-from-services-firm-a-13444
**************************** SPONSORED LINKS ******************************
1) ICYMI Webcast: Hear how software supply chains are evolving: http://www.sans.org/info/214870
2) Webcast December 5th at 10:30 AM ET: OUTMANEUVER the Adversary - Alter Your Cyber Terrain by Making Attacks More Difficult: http://www.sans.org/info/214875
3) How is your organization detecting threats at the network level? Take this survey: http://www.sans.org/info/214880
*****************************************************************************
REST OF THE WEEK'S NEWS
--US Dept. of Energy Audit Finds Security Weaknesses
(November 25, 2019)
A US Department of Energy (DoE) Office of Inspector General (OIG) audit of 28 DoE locations found numerous security weaknesses, including configuration management issues, web application system integrity weaknesses, and deficiencies in security control testing and continuous monitoring. Of the 1,848 DoE-owned workstations tested in the course of the audit, more than half were missing patches and updates that had been available at least a month before the audit was conducted.
[Editor Comments]
[Neely] The DoE IG has 54 findings for the agency; the full management report is due in December. Even so, sites have been provided draft versions of the findings to allow remediation efforts to commence. Several of the issues, such as not having secure configurations or unaddressed vulnerabilities, will become far more visible as the department rolls out CDM, as the monitoring is across all sites and connected systems rather than only items selected for audit. Having a real-time view across the enterprise can help an organization not only identify issues more rapidly, but also identify areas that need augmentation or other assistance that would otherwise go unnoticed.
[Murray] For practical purposes, all audits can be expected to find and report control weaknesses. That is part of the reason that we do them. We had a British colleague whose reports all read in part, "I found 'em, they fixed 'em."
Read more in:
MeriTalk: DoE Audit Flags Numerous Cyber Issues, 54 Fix Recommendations
https://www.meritalk.com/articles/doe-audit-flags-numerous-cyber-issues-54-fix-recommendations/
Nextgov: Auditors Uncover Tens of Thousands of Critical Security Gaps At Energy Facilities
Energy: The Department of Energy's Unclassified Cybersecurity Program - 2019
https://www.energy.gov/ig/downloads/evaluation-report-doe-oig-20-12
Energy: Evaluation Report
https://www.energy.gov/sites/prod/files/2019/11/f68/DOE-OIG-20-12.pdf
--Alleged Jack Dorsey Hacker Arrested
(November 23 & 25, 2019)
Law enforcement authorities have arrested an individual who is believed to be part of a group that hacked Twitter CEO Jack Dorsey's Twitter account in late August. The hackers were able to take over the account using a SIM-swapping attack.
[Editor Comments]
[Murray] This attack illustrates a limitation of the use of SMS for authentication, i.e., it relies upon the phone service provider to resist fraudulent changes of association between the phone number and the device. NIST pointed out this limitation more than a year ago. Unfortunately, they encouraged the use of one-time-password generators without pointing out that these rely upon the service provider to resist fraudulent changes in the association between the user account and the generator. See https://whmurray.blogspot.com/2018/08/limitations-of-one-time-passwords.html
Read more in:
Vice: Authorities Arrest Alleged Member of Group That Hacked Jack Dorsey
https://www.vice.com/en_us/article/gyzawx/authorities-arrest-suspected-jack-dorsey-hacker
CNET: Member of group behind Jack Dorsey's Twitter account hack reportedly arrested
https://www.cnet.com/news/jack-dorsey-twitter-account-hacking-cops-reportedly-make-arrest/
--Twitter Lets Users Enroll in 2FA Without a Phone Number
(November 21 & 23, 2019)
On Thursday, November 21, Twitter announced that it would allow users to disable SMS two-factor authentication (2FA) and instead use a physical security key or a one-time code authenticator app. Until now, Twitter users who wanted to use 2FA were required to provide a phone number and enable SMS 2FA.
[Editor Comments]
[Pescatore] Always good to see more services support more forms of strong authentication, but: it is important to note that every form of strong authentication always has a scenario where backup forms of weaker authentication will be needed. If you switch to using a security token on your Twitter account and you want to log in from a device that doesn't support it, or you lost the token or just forgot to bring it, in some cases (Windows primarily) you will need to generate a temporary password, which will require an SMS message (if you have registered a phone) or going to twitter.com and generating a one-hour password. So, there is still a path for attackers - there always will be in the real world. The use of a separate token (just like having to use a separate ATM card to get money out of an ATM machine) is still a huge leap forward compared to reusable passwords.
[Neely] Having a separate 2FA device or application raises the bar considerably over SMS based mechanisms. Even so, SMS account recovery mechanisms are being exploited (see the Jack Dorsey story) so also configure account recovery such that it doesn't depend on SMS or your mobile phone.
[Murray] As a general rule, the choice of where to get a one-time password should be left to the user. However, the significance of this announcement rests not in the fact that Twitter is offering a new alternative but that they were caught using the telephone number that the user had supplied for strong authentication for other purposes.
Read more in:
Twitter: How to use two-factor authentication
https://help.twitter.com/en/managing-your-account/two-factor-authentication
Twitter: Twitter Safety
https://twitter.com/TwitterSafety/status/1197621020229804054
ZDNet: Twitter will finally let users disable SMS as default 2FA method
https://www.zdnet.com/article/twitter-will-finally-let-users-disable-sms-as-default-2fa-method/
--FBI Warns of Cyberattacks Targeting Auto Industry
(November 22 & 23, 2019)
On November 19, the US Federal Bureau of Investigation (FBI) sent a Private Industry Notification to automotive industry organizations, warning of a recent uptick in cyberattacks targeting the automotive industry. The document notes an increase in "cyberattacks to obtain sensitive customer data, network account passwords, and internal enterprise network details," from organizations in the automotive industry. It goes on to list several specific examples of recent attacks and to offer recommendations for defending against cyberattacks.
Read more in:
Bleeping Computer: FBI Warns of Cyber Attacks Targeting US Automotive Industry
SC Magazine: Cyberattackers taking auto industry for a ride, FBI reportedly warns
--Obstruction Lighting Control Panels Found Unprotected on Internet
(November 22, 2019)
Control panels for obstruction lighting systems were found exposed on the Internet. The systems operate the lights on top of tall structures that warn aircraft of their presence. The researcher who detected the issue found at least 46 separate panels that were reachable without authentication and could be used to change the intensity of the lights and to switch them on and off. The researcher alerted both the US Federal Aviation Administration (FAA) and the company that makes the exposed systems. The FAA contacted the company, which is working with customers to fix the problem. The company has also begun requiring security credentials on new products.
[Editor Comments]
[Neely] ICS security can be challenging, and adding security to the system may not be an option, such as is being done in this case. In the event that the vendor cannot provide a solution, and remote access and control is needed, consider installing security devices to restrict and monitor remote access to only allow authorized individuals and/or devices.
Read more in:
Vice: Lights That Warn Planes of Obstacles Were Exposed to Open Internet
https://www.vice.com/en_us/article/7x5nkg/airplane-warning-lights-hacked
--Target is Suing its Insurance Company Over Costs Associated with 2013 Data Breach
(November 21 & 22, 2019)
Target has filed a lawsuit against ACE American Insurance Co., alleging that the insurer owes Target $74 million to cover costs incurred replacing payment cards after a 2013 data breach. Target maintains that the costs should be covered under its general liability policy.
[Editor Comments]
[Pescatore] I've been a nattering nabob of negativism on the ROI of cybersecurity policies, but this strategy (our general liability policy covers cybersecurity related damage) almost never works. Those policies often offer riders for additional cost that offer "digital data protection," but that is only for physical events that cause loss of digital data, like an employee damaging a disk drive or something like that. Target's angle is that the credit cards they had to replace are physical items. A new slant, so who knows? But, overall, positive ROI on spending to reach basic security hygiene is much more likely than from spending on lawsuits 6 years after your lack of basic security hygiene was exploited.
Read more in:
SC Magazine: Target files $74 million suit against Chubb over breach coverage
GovInfosecurity: Target Sues Insurer Over 2013 Data Breach Costs
https://www.govinfosecurity.com/target-sues-insurer-over-2013-data-breach-costs-a-13435
Business Insurance: Target sues Chubb in connection with 2013 data breach
--Updated FISMA Guidance
(November 19, 20, & 22, 2019)
The US Office of Management and Budget (OMB) has released updated guidance for federal civilian agencies to help with Federal Information Security Management Act (FISMA) compliance.
[Editor Comments]
[Pescatore] It is nearly Thanksgiving Day, so I'm trying to be more positive with my comments. So: the new stuff in this guidance seems to be: (1) making sure agencies enable DISA to do vulnerability scans on all internet-connected governments and (2) more reporting on privacy and incidents and those reports going to more committees and agencies. (1) is a proactive move, if those vulnerabilities end up being closed faster. I'm having problems putting a positive spin on (2). The best I can do: more agency reports stored on government servers and sent over networks to multiple committees and agencies may act as steganography and make it harder for attackers to find sensitive government and personally identifiable information?
[Neely] Adding reduced reporting intervals to incentivize use of CDM may be the leverage needed to increase implementation. A key concern is transitioning from continuous monitoring to timely remediation, which may require not only more staff but also considerable research and regression testing to ensure security changes don't negatively impact the mission. Management support requires a commitment to continue to meet objectives while security is improved.
Read more in:
MeriTalk: OMB Updates FISMA Guidance for FY2020
https://www.meritalk.com/articles/omb-updates-fisma-guidance-for-fy2020/
FCW: Updated FISMA guidance puts new reporting mandates on agencies
https://fcw.com/articles/2019/11/20/fisma-updates-johnson.aspx
Whitehouse: Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements
https://www.whitehouse.gov/wp-content/uploads/2019/11/M-20-04.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Web Filter Misconfiguration Abused for Reconnaissance
https://isc.sans.edu/forums/diary/Abusing+Web+Filters+Misconfiguration+for+Reconnaissance/25538/
Local Malware Analysis with Malice
https://isc.sans.edu/forums/diary/Local+Malware+Analysis+with+Malice/25544/
DNS over HTTPS (DoH) in SOHO Networks
https://isc.sans.edu/forums/diary/My+Little+DoH+Setup/25548/
Multiple Vulnerabilities in VNC
https://www.kaspersky.com/blog/vnc-vulnerabilities/31462/
Fortinet Weak Crypto
Tracking Web Users via DNS
https://github.com/uBlockOrigin/uBlock-issues/issues/780
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create