SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #97
December 13, 2019
****************************************************************************
SANS NewsBites December 13, 2019 Vol. 21, Num. 097
****************************************************************************
Top of The News
GDPR Breach: German privacy regulator fines 1&1 Telecom
FBI assesses Russian apps may be counterintelligence threat
Google Releases Chrome 79 With Improved Password Compromise Alerts and Real Time Phishing Warnings
The Rest of the Week's News
iPR Software exposed thousands via unprotected Amazon S3 Bucket
Mobile Devices Blur Work and Personal Privacy Increasing Cyber Risks
Adobe Releases Patches for 'Likely Exploitable' Critical Vulnerabilities
Apple iOS 13.3 Update Includes Support For FIDO2-Compliant Authentication Tokens
Facebook Tells US Attorney General It Will Continue to Incorporate Strong Encryption
Waco Alerts Water Customers of Possible Online Breach
More Senior Cybersecurity Government Officials Leave
Internet Storm Center Tech Corner
Cybersecurity Training Update
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get a Free GIAC Certification Attempt or Take $350 Off through December 25 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************************************
Free technical content sponsored by ZeroNorth
This is How Rapid AppSec Fills the Security Gap. Gaps in your application security program may exist--and filling these gaps takes time. With the ZeroNorth Solution for Rapid AppSec, open source security scanning tools are embedded within the ZeroNorth platform. You can quickly fill gaps while a longer-term strategy--likely centered on commercial scanning tools--moves forward. Learn more or request a demo. https://www.sans.org/info/215010
********************************************
Top of the News
GDPR Breach: German privacy regulator fines 1&1 Telecom
(December 10, 2019)
1&1 Telecom has been hit with one of the largest GDPR fines issued so far. The German privacy regulator says 1&1 Telecom did not put sufficient protections in place for customer data: it was aware that callers could obtain extensive information about other customers by providing only a customer's name and date of birth. 1&1 says the existing security requirements were met when tested and that it has since added protections to meet current requirements. 1&1 Telecom is appealing the fine.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
1&1 was apparently allowing callers to its call center to authenticate by just giving name and date of birth. This is kind of ironic, as when I went to their web site to see what they do, the opening splash says (English translation): "Your privacy is very important to us! The protection of your personal data has top priority for 1&1." 1&1 has apparently cooperated very quickly to correct the problems, so perhaps this is after-the-fact damage control marketing.
Read more in:
- https://www.databreachtoday.com/gdpr-breach-german-privacy-regulator-fines-11-telecom-a-13482 : GDPR Violation: German Privacy Regulator Fines 1&1 Telecom
- https://www.complianceweek.com/data-privacy/1-and-1-telecom-fined-106m-for-gdpr-violations-company-fights-back/28171.article : 1 & 1 Telecom fined $10.6M for GDPR violations; company fights back
- https://securityboulevard.com/2019/12/11-telecom-gmbh-hit-by-almost-10-million-gdpr-fine-over-poor-security-at-call-centre/ : Web-hosting firm 1&1 hit by almost €10 million GDPR fine over poor security at call centre
FBI assesses Russian apps may be counterintelligence threat
(December 2, 2019)
The FBI is treating any mobile app that comes out of Russia as a "potential counterintelligence threat," partly because the legal regime in Russia permits the government to access device and user data. Coupled with the new Russian law requiring that devices be sold with Russian software pre-loaded (see NewsBites Volume XXI - Issue #92: https://www.sans.org/newsletters/newsbites/xxi/92), this raises concerns about surveillance and loss of privacy.
Read more in:
- https://www.cyberscoop.com/fbi-russian-apps-counterintelligence-faceapp-schumer/ : FBI assesses Russian apps may be counterintelligence threat
- https://www.nydailynews.com/news/politics/ny-fbi-faceapp-counterintelligence-threat-russia-elections-20191202-t2kyyceuuzgzbhjoo5njx5vxnm-story.html : FBI labels FaceApp a 'potential counterintelligence threat,' will assess whether Russia has used it to attack U.S. elections
- https://fortune.com/2019/12/02/fbi-russia-apps-faceapp-counterintelligence-threat/ : Russian Apps Are 'a Potential Counterintelligence Threat,' FBI Warns
Google Releases Chrome 79 With Improved Password Compromise Alerts and Real Time Phishing Warnings
(December 11, 2019)
Google released a stable build of Chrome 79, which includes new password-protection and phishing-protection features. As the user enters credentials into a website, the Chrome browser checks whether those credentials have previously been compromised. The database of compromised websites that the Chrome browser checks against will now be updated every 30 minutes.
Read more in:
- https://blog.google/products/chrome/better-password-protections : Better password protections in Chrome
- https://www.techspot.com/news/83142-chrome-79-has-better-password-protection-real-time.html : Chrome 79 has better password protection and real-time phishing warnings
********************************************
Sponsored Links
Webcast December 17 at 1PM ET: Accuracy Before Automation: How to Implement SOAR. Register: https://www.sans.org/info/215015
ICYMI Webcast | Protecting the User: A Review of Mimecast's Web Security Service. https://www.sans.org/info/215020
In the Austin area? Join Chris Crowley for the Automation & Orchestration Solutions Forum January 30: https://www.sans.org/info/215025
********************************************
The Rest of the Week's News
iPR Software exposed thousands via unprotected Amazon S3 Bucket
(December 19, 2019)
Marketing firm iPR Software exposed thousands of customer records through an unprotected 1TB Amazon S3 storage bucket for at least a month. Organizations affected include General Electric, Dunkin Donuts, CenturyLink, Xerox, Nasdaq, California Courts and Mercury Public Affairs. UpGuard researchers discovered the bucket on Oct. 15, 2019, determined its owner on Oct. 24, 2019, and immediately notified iPR, which ultimately secured the bucket on Nov. 26, 2019.
Read more in:
- https://www.technadu.com/ipr-software-exposed-thousands-via-corporate-data-leak/87161/ : iPR Software Exposed Thousands via a Humongous Corporate Data Leak
- https://www.securityweek.com/thousands-ipr-software-users-exposed-amazon-s3-bucket : Thousands of iPR Software Users Exposed on Amazon S3 Bucket
Mobile Devices Blur Work and Personal Privacy Increasing Cyber Risks
(December 6, 2019)
The Queensland University of Technology released a study concluding that organizations aren't moving quickly enough on the cyber security threats linked to the drive toward using personal mobile devices in the workplace. The increased use of Bring Your Own Device (BYOD), combined with the pace of electronic device adoption, is introducing unmitigated data loss prevention (DLP) risks as well as OPSEC concerns due to the continuous transmission of location data.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
The reality is that BYOD has been the norm for many companies for a decade now and the percentage of data breaches that come from the use of personally owned devices is near zero. In fact, the more that work is done on iOS or Android mobile devices, which implement software white lists, sandboxing, etc., the less likely businesses are to see impact from malware compared to the same workers using Windows laptops! The biggest risk of BYOD is when the personal devices are disposed of, which happens frequently. IT organizations providing support for workers transitioning to new personal devices can go a long way to both dealing with the disposal issue and helping assure proper setup of a new device.
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
BYOD can be a huge enabler for worker productivity. One cannot assume these are single user devices and business applications have to be implemented with access controls commensurate with the data they are processing/storing. Many options exist to sandbox application specific data as well as require additional authentication and permit removal of corporate data without impacting the rest of the device. By implementing application level versus device level controls, the overall usability of the device is less impacted and the struggle to manage a device that is not corporate property eased.
[Murray] https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray
A decade ago similar authorities were telling us that the SOHO use of WiFi would bring down the sky. In practice, in part because the access points resisted attacks from the wire-side where most of the attacks were coming from, the opposite proved to be true. The use of iOS and Android devices with purpose-built apps has proven to be far safer than personal computers and browsers for the same applications. That said, enterprises should keep sensitive data on services and applications that resist storing of such data on any edge devices, however owned and managed.
Read more in:
- https://www.sciencedaily.com/releases/2019/12/191205141759.htm : Mobile devices blur work and personal privacy raising cyber risks
Adobe Releases Patches for 'Likely Exploitable' Critical Vulnerabilities
(December 10, 2019)
For the last Patch Tuesday of 2019, Adobe released updates for Acrobat Reader, Photoshop CC, ColdFusion and Brackets to patch 25 vulnerabilities, 17 of which are rated critical. The most common type of flaw is remote code execution. While there is no evidence that these are being exploited in the wild, Adobe recommends prioritizing these fixes.
Read more in:
- https://thehackernews.com/2019/12/adobe-software-update.html : Adobe Releases Patches for 'Likely Exploitable' Critical Vulnerabilities
- https://www.bleepingcomputer.com/news/security/adobe-releases-their-december-2019-security-updates/ : Adobe Releases Their December 2019 Security Updates
- https://helpx.adobe.com/security.html : Adobe Security Bulletins and Advisories
Apple iOS 13.3 Update Includes Support For FIDO2-Compliant Authentication Tokens
(December 12, 2019)
Apple released iOS 13.3, iPadOS 13.3, tvOS 13.3, and watchOS 6.1.1 to the public. The update adds Safari browser support for FIDO2-compliant security keys used as two-factor authentication tokens over near-field communication (NFC), USB, and Lightning.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Apple's lack of support for these devices was a major friction point in broader 2FA adoption, especially by upper management and board directors. Organizations should testbed supporting these tokens with interested users or IT/security staff - there are still pitfalls, but every time a reusable password is replaced with stronger authentication the security bar gets raised.
[Ullrich] https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
Apple's inclusion of NFC support for FIDO2 in iOS is closing the last major gap in FIDO2 support. FIDO2 is currently the most promising solution to move away from passwords for web-authentication. If you are responsible for a web application, take a look and try to support it in the near future. Android and Windows (via Windows Hello) have been supporting FIDO2 for a while now.
Read more in:
- https://support.apple.com/en-us/HT210393 : About iOS 13 Updates
- https://nakedsecurity.sophos.com/2019/12/12/apple-ios-13-3-is-here-bringing-support-for-keyfobby-authentication/ : Apple iOS 13.3 is here, bringing support for keyfobby authentication
Facebook Tells US Attorney General It Will Continue to Incorporate Strong Encryption
(December 10, 2019)
The heads of Facebook-owned WhatsApp and Messenger services told US Attorney General William Barr and his U.K. and Australian counterparts that Facebook is moving forward with plans to enable end-to-end encryption on all of its messaging services. WhatsApp already uses end-to-end encryption. Facebook plans to extend that protection to Messenger and Instagram Direct without weakening security by building in back doors for covert law enforcement access.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
In October 2017, DHS Binding Operational Directive 18-01 required all federal agencies to move to use of HTTPS with Strict Transport Security to assure the confidentiality and security of government communications and systems. This was following private industry's lead in doing so - never a good thing to see "We are doing as you said but we don't want you to do as we do" when it comes to making advances in security.
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
On the one hand, law enforcement wants to be able to decrypt secure communications, and on the other regulators require strong encryption standards that cannot be compromised or broken easily. Implement strong verified encryption and look to other mechanisms for forensic investigation and discovery.
Read more in:
- https://www.usatoday.com/story/tech/2019/12/10/facebook-william-barr-encryption-coming-messenger-instagram/4391220002/ : Facebook rebuffs Attorney General William Barr on encrypted messages
- https://www.nytimes.com/2019/12/10/technology/whatsapp-barr-encryption.html : Facebook and Barr Escalate Standoff Over Encrypted Messages
Waco Alerts Water Customers of Possible Online Breach
(December 11, 2019)
Customer credit card information could have been stolen from the city of Waco, TX water department's Click2Gov online payment portal earlier this year. Investigators hired by the city found payment information entered between Aug. 30 and Oct. 14, including names, addresses, credit card numbers, expiration dates and card verification value numbers, could have been stolen by malicious code.
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
The risk of a stored or saved payment method is the vendor having access to the information needed to reuse it, and if compromised, so will others. If you must store a number with a merchant or service provider, remember to consider the impacts of having that stored credit card disclosed - enable fraud alerts, and know what is involved in obtaining a replacement card. Use a card that is only for cases where it must be stored so the transactions are identifiable, and you know exactly where you will need to take action in the event of an incident.
[Murray] https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray
Given the convenient alternative methods of payment, e.g., bill-pay, PayPal, one-time or one-merchant credit card token numbers (e.g. privacy.com), consumers should be discouraged from giving their credit card Primary Account Numbers to utilities or others for recurring payments. Experience suggests that some enterprises will leak the numbers.
Read more in:
- https://www.wacotrib.com/news/government/waco-alerts-water-customers-of-possible-online-security-breach/article_a89ab93b-c091-5c78-8988-c531bb62b662.html : Waco alerts water customers of possible online security breach
- https://securityboulevard.com/2019/12/waco-water-bill-attack-just-the-latest-in-a-wave-of-click2gov-breaches/ : Waco water bill attack just the latest in a wave of Click2Gov breaches
More Senior Cybersecurity Government Officials Leave
(December 11, 2019)
Two top government cybersecurity officials have announced they are stepping down this month. Amy Hess, the executive assistant director of the Criminal, Cyber, Response, and Services Branch of the Federal Bureau of Investigation will depart for a job as the chief of public services in Louisville, Ky. Jeanette Manfra, the most senior official dedicated exclusively to cybersecurity at the Department of Homeland Security, will leave her post at year's end for a job at Google.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
There is always brain drain from government to private industry, but the rate has been very high at a time when attacks against election systems and other critical infrastructure are also increasing. The upside is that many times the same brain working on the same problems can make more progress when they move to private industry - in cybersecurity, that is as big a motivating factor as increase in salary for many.
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
The most senior positions are often political appointees, and in an election year are replaced with the changes in power. This is further exacerbated as Cyber Security talent is in high demand and it is not uncommon for the private sector to recruit staff from public sector jobs, particularly highly visible positions with compensation packages not available from the government. Those packages often come with a work-life-balance price tag. The best mitigation is active succession planning, but with the shortfall in cyber talent, agencies are turning to programs to identify, train and promote talent from within to meet the needs.
Read more in:
- https://www.wsj.com/articles/top-u-s-cybersecurity-officials-to-depart-as-election-season-enters-full-swing-11575658194 : Top U.S. Cybersecurity Officials to Depart as Election Season Enters Full Swing
- https://www.cnet.com/news/homeland-securitys-former-top-cybersecurity-official-to-join-google/ : Google hires Homeland Security's former top cybersecurity official
********************************************
Internet Storm Center Tech Corner
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+December+2019+Patch+Tuesday/25592/
https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/
Adobe Patch Tuesday
https://helpx.adobe.com/security.html
Apple Security Updates
https://support.apple.com/en-us/HT201222
Intel Plundervolt Update
https://blogs.intel.com/technology/2019/12/ipas-security-advisories-for-december-2019/
German Malspam Installs Trickbot
https://isc.sans.edu/forums/diary/German+language+malspam+pushes+yet+another+wave+of+Trickbot/25594/
Vulnerable KeyWe Smart Lock
https://labs.f-secure.com/advisories/keywe-smart-lock-unauthorized-access-traffic-interception
Google Chrome Update
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html
iOS Spam Feature
https://support.apple.com/en-us/HT210756
https://kishanbagaria.com/airdos/
********************************************
The Editorial Board of SANS NewsBites
Alan Paller
https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan
https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer
https://www.sans.org/newsletters/newsbites/editorial-board#david-hoelzer
David Turley
https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis
https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer
https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams
https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich
https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore
https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Mark Weatherford
https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Rob Lee
https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride
https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry
https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt
https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot
https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston
https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston
William Hugh Murray
https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray