SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #98

December 17, 2019

****************************************************************************

SANS NewsBites Dec. 17, 2019 Vol. 21, Num. 098

****************************************************************************

Top of The News

Facebook Tracks Users' Purchases in the Physical World

New Jersey Hospital System Victim of Ransomware Attack

SANS Awards 2019 Cybersecurity Difference Maker's Awards

The Rest of the Week's News

Introducing SANS Holiday Hack Challenge 2019

Personal Data of Facebook Employees Exposed on Stolen Unencrypted Hard Drives

Google Hands Feds 1,500 Phone Locations In Unprecedented 'Geofence' Search

Internet of Things Gear is Generating Easy-to-Crack Keys

New Orleans Mayor Declares State of Emergency After City Cyberattack

Blue Cross Blue Shield of Minnesota Scrambling to Improve Cybersecurity

Many phishing sites spotted in global government focused campaign

FTC advice on checking Internet-connected toys before buying

Relaunched Toys R Us uses technology to monitor customersArticle

Plundervolt Voltage Attack Steals Data from Intel Chips

Some Hardware based password managers store passwords in plaintext

Last patches for Windows 10 Mobile released

London Metropolitan Police Trained to Fight Cybercrime

Internet Storm Center Tech Corner

****************************************************************************

Cybersecurity Training Update

SANS NewsBites Default Training Update for Tuesday, December 17, 2019 (NB 21.098)

-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020

-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020

-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020

-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- SANS OnDemand and vLive Training

Get a Free GIAC Certification Attempt or Take $350 Off through December 25 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

****************************************************************************

Free technical content sponsored by Mimecast

Protecting the User: A Review of Mimecast's Web Security Service. Unsuspecting employees remain in the firing line despite security awareness training and increasingly intelligent security controls. SANS instructor David Szili will discuss his perspectives on best practices for securing the web in general and his experience using the Mimecast Web Security cloud service in particular. http://www.sans.org/info/215030

http://www.sans.org/info/215030

****************************************************************************

Top of the News

Facebook Tracks Users' Purchases in the Physical World

(December 15, 2019)

A recent report highlights that a partnership between FaceBook and several retailers enables the retailers to transfer the purchase history of their customers to FaceBook. FaceBook in turn uses that data to target those customers with advertisements relating to their purchases when they access the FaceBook social media platform.

Editor's Note

[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

I am less worried about Facebook's capability for targeting than I am about who they allow to use the targeting capabilities, and what policies Facebook applies to the content and transparency of the "ads" that are put in front of targeted users. The prime example is Facebook policy to allow any content from political advertisers, with minimal or no differentiation when Custom or Lookalike Audience targeting is used. This allows blatant lies and misinformation to be put in front of targeted audiences that would never be allowed by other advertising channels, both traditional and modern social media, like Twitter and Google.

[Murray] https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray

Facebook's business practices are such that it is unlikely that users can understand the risk of doing business with them. Better to just avoid doing business with them altogether.

Read more in:

- https://6abc.com/technology/report-facebook-tracks-in-store-purchases-targets-users-with-ads/5757232/ : Facebook tracks in-store purchases, targets users with ads

- https://www.businessinsider.com/facebook-learns-what-you-buy-at-physical-stores-ads-explained-2019-12?r=US&IR=T : This is how Facebook learns what you buy at physical stores in order to show you relevant ads -- and how to opt out

New Jersey Hospital System Victim of Ransomware Attack

(December 14, 2019)

The largest provider of a hospital system, Hackensack Meridian Health, in New Jersey were victims of a ransomware attack and ultimately paid the ransom to restore their systems. The ransomware attack forced hospitals who are clients of Hackensack Meridian Health to postpone non-emergency operations and resulted in medical staff not being able to access electronic records. Hackensack Meridian Health said their primary clinical system is now back online and are working on restoring other affected systems. The company is working with the FBI and cybersecurity experts. Hackensack Meridian Health runs 17 acute care and specialty hospitals, nursing homes, outpatient centers, and the psychiatric facility Carrier Clinic

Read more in:

- https://nj1015.com/nj-largest-hospital-system-forced-to-pay-ransom-in-cyber-attack : NJ hospital system forced to pay ransom in cyber attack

SANS Awards 2019 Cybersecurity Difference Maker's Awards

(December 16, 2019)

SANS Institute honored the winners of the SANS 2019 Difference Makers Awards during an awards luncheon on Monday, December 16, at the SANS Cyber Defense Initiative(R) 2019 training event in Washington D.C. This annual awards program honors individuals, teams and groups from within the SANS community who have made a difference in security. The diverse Difference Makers range from a CEO to a high school teacher. The progress includes increasing diversity in the cyber security workforce, fighting fake account creation and implementing many areas of the Critical Security Controls, to name just a few.

Editor's Note

[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

The two most fun things I get to do at SANS are the What Works and Difference Makers programs. News headlines always focus on the failures, while thousands of security teams are out there protecting their businesses and their customers without much fanfare. Actual security progress is made by learning from successes, not by pointing at failures.

Read more in:

- https://www.sans.org/cyber-innovation-awards/ : SANS Presents: People Who Made a Difference in Security in 2019

- https://www.prnewswire.com/news-releases/sans-announces-2019-difference-makers-award-winners-300974068.html : SANS Announces 2019 Difference Makers Award Winners

****************************************************************************

Read more in:

- https://www.theverge.com/2019/12/13/21020736/facebook-theft-unencrypted-drives-employee-payroll-security : A thief stole unencrypted hard drives filled with 29,000 Facebook employees' information

- https://www.bloomberg.com/news/articles/2019-12-13/thief-stole-payroll-data-for-thousands-of-facebook-employees : Thief Stole Payroll Data for Thousands of Facebook Employees

- https://www.theregister.co.uk/2019/12/13/facebook_data_loss/ : Valuable personal info leaks from Facebook - not Zuck selling it, unencrypted hard drives of staff data stolen

Google Hands Feds 1,500 Phone Locations In Unprecedented 'Geofence' Search

(December 16, 2019)

Forbes has discovered that Google has complied with so-called geofence warrants that have resulted in an "unprecedented" data haul for law enforcement: one in which Google combed through its SensorVault to find 1,494 device identifiers for phones in the vicinity of the fires and then handed them over to the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).

Editor's Note

[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Recent court decisions and FCC investigations into "who owns location data" have tended to focus on telecoms carriers and to some extent mobile phone manufacturers. This points out that location-based metadata is collected and stored by many different companies. Courts and legislators are moving slower than ever, we need the technology companies to be proactive about adopting secure defaults for protecting location data and high transparency about when it is collected and sold or given to third parties.

Read more in:

- https://nakedsecurity.sophos.com/2019/12/16/police-get-unprecedented-data-haul-from-google-with-geofence-warrants/ : Police get "unprecedented" data haul from Google with geofence warrants

- https://www.forbes.com/sites/thomasbrewster/2019/12/11/google-gives-feds-1500-leads-to-arsonist-smartphones-in-unprecedented-geofence-search : Google Hands Feds 1,500 Phone Locations In Unprecedented 'Geofence' Search

Internet of Things Gear is Generating Easy-to-Crack Keys

(December 16, 2019)

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.

Editor's Note

[Pescatore]https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

There used to be a talking Barbie doll that would say "Math is hard!" which was certainly sexist, but still a very, very true statement. Crypto is math, and crypto is hard - 25 years ago the US government issued the FIPS-140 standard because of crappy crypto coming out in commercial software. Similar action is needed for the IoT generation of claims of use of cryptography to secure device use.

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

IoT device manufacturers continue to prioritize time-to-market over security. Until that situation improves, leverage segmentation and restrict network access to only services they need, if any.

Read more in:

- https://info.keyfactor.com/factoring-rsa-keys-in-the-iot-era : Factoring RSA Keys in the IoT Era

- https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/ : Internet of crap (encryption): IoT gear is generating easy-to-crack keys

New Orleans Mayor Declares State of Emergency After City Cyberattack

(December 13, 2019)

New Orleans Mayor LaToya Cantrell declared a state of emergency Friday after the city was hit by a cyberattack. Phishing attempts and suspicious activity were detected on the city's network around 5 a.m., and by 11 a.m., technician investigators detected "a cybersecurity incident" causing the city's information technology department to begin powering down servers and city computers as a precaution.

Read more in:

- https://www.securitymagazine.com/articles/91435-new-orleans-hit-by-cyberattack-declares-state-of-emergency : New Orleans Hit by Cyberattack; Declares State of Emergency

- https://www.cnn.com/2019/12/13/us/new-orleans-cyberattack-state-of-emergency/index.html : New Orleans mayor declares state of emergency in wake of city cyberattack

Blue Cross Blue Shield of Minnesota Scrambling to Improve Cybersecurity

(December 16, 2019)

An internal whistleblower raised concerns that the Minnesota's largest health insurer has neglected thousands of important updates to its computer system. The company's top cybersecurity executive says the insurer has been working diligently in recent weeks to reduce its vulnerability for a cyber attack. Internal documents show the BCBS of Minnesota has allowed 200,000 vulnerabilities deemed "critical" or "severe" to linger for years on its computer systems, despite warnings to executives.

Read more in:

- https://kstp.com/medical/blue-cross-blue-shield-scrambling-to-improve-cybersecurity/5580976/ : Blue Cross Blue Shield scrambling to improve cybersecurity

Many phishing sites spotted in global government focused campaign

(December 13, 2019)

Over 62 domains and 122 phishing sites targeting Government users were discovered by security vendor Anomali. Unlike other phishing campaigns which enabled detection through spelling and grammar errors, these are well crafted multi-language campaigns such that the primary indications are that the messages are from unknown users and have unexpected attachments.

Read more in:

- https://www.infosecurity-magazine.com/news/100-phishing-sites-spotted-global/ : Over 100 Phishing Sites Spotted in Global Government Campaign

- https://www.informationsecuritybuzz.com/expert-comments/new-phishing-campaign-targeting-govt-departments-around-the-world-commentary-from-email-security-expert/ : New Phishing Campaign Targeting Gov't Departments Around The World - Commentary From Email Security Expert

FTC advice on checking Internet-connected toys before buying

(December 10, 2019)

Internet-connected toys are in high-demand this year, and the FTC is making recommendations for parents to consider prior to purchase and upon receipt. The advice includes checking for microphones and cameras and verify that you can determine when they are active. Other recommendations: Don't rely on the Children's Online Privacy Protection Act (COPPA). Checklists like this are beneficial, remember that regardless of the security reputation of the manufacturer and regulatory oversight, you must verify which features are enabled and that they are configured properly.

Read more in:

- https://www.bleepingcomputer.com/news/security/ftc-advises-checking-smart-toy-features-before-buying/ : FTC Advises Checking Smart Toy Features Before Buying

- https://www.consumer.ftc.gov/blog/2018/12/buying-internet-connected-smart-toy-read : Buying an internet-connect smart toy? Read this

- https://us.norton.com/internetsecurity-kids-safety-is-your-childs-connected-teddy-bear-too-smart.html : 8 ways to help protect your kids' privacy against smart toy vulnerabilities

Relaunched Toys R Us uses technology to monitor customers

(December 10, 2019)

The relaunched Toys R Us stores are now including sensors to monitor customer activities. In support of their new business model, which leases areas of the store to toy providers, are Installed by business partner B8ta, the sensors will monitor how customers move around the store and determine which areas get the most activity. There has been some social media uproar relating to confusion over the term monitoring shopper cadence, which is meant to capture shopper movement patterns, not conversation/voice capture; additionally there are concerns about whether the system actually ignores people under four feet tall to not run afoul of COPPA requirements regarding parental consent prior to data capture for children under 13.

Editor's Note

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

The data collected will be used to influence the costs of the leased spaces, particularly those with high success rates. The question of not capturing patrons under four feet tall versus the claim that the information is being captured in public places, and not bound by COPPA needs to be resolved quickly; especially as Toys R Us is catering to children.

Read more in:

- https://www.syracuse.com/business/2019/12/geoffreys-watching-sensors-at-new-toys-r-us-stores-track-shoppers.html : Geoffrey's watching: Sensors at new Toys R Us stores track shoppers

- https://www.fierceelectronics.com/sensors/revived-toys-r-us-wired-up-to-monitor-customers : Revived Toys R Us wired up to monitor customers

- https://www.wired.com/story/toys-r-us-surveillance/ : Toys "R" Us is back - Now With More Surveillance!

Plundervolt Voltage Attack Steals Data from Intel Chips

(December 11, 2019)

Newly discovered "Plundervolt" vulnerability (CVD-2019-11157) uses CPU voltage modification to target and expose data in Intel's Software Guard Extensions (SGX). Intel has released a microcode update to address the issue, or disable the SGX functionality. Data recovered can include keys needed for cryptographic operations and the exploit can be used to corrupt program memory. To use the protections offered by SGX, it must be both enabled in BIOS as well as incorporated into application code. Exploitation requires local privileged access.

Editor's Note

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Because the likelihood of exploitation is low, due to local privileged access requirements, Intel released a microcode fix that addresses this. The promise of SGX is encrypted enclaves to protect sensitive code, even from code running at higher privilege levels, and is intended to bring added security to cloud based computing.

Read more in:

- https://nakedsecurity.sophos.com/2019/12/16/plundervolt-stealing-secrets-by-starving-your-computer-of-voltage/ : Plundervolt - stealing secrets by starving your computer of voltage

- https://www.securityweek.com/plundervolt-attack-uses-voltage-steal-data-intel-chips : Plundervolt Attack Uses Voltage to Steal Data from Intel Chips

- https://www.pcworld.com/article/3489538/plundervolt-attack-against-intel-core-cpus-prompts-fix-that-disables-cpu-voltage-settings.html : Protecting your Intel CPU from Plundervolt attacks can ruin your overclock, maybe

- https://plundervolt.com/ : Plundervolt

Some Hardware based password managers store passwords in plaintext

(December 09, 2019)

Investigation of ecZone Password Safe, passwordsFAST, and Royal Vault Password Keeper devices by security researcher Phil Eveleigh found that while a passcode is used to protect access to the stored passwords, direct access to the chip provides access to plain-text passwords as well as the master pin. Further, he found that even after full reset the passwords were not cleared in some devices. Note that while the Royal Vault Password keeper encrypts the data, decryption is possible by discovering the master PIN within the stored dataset. No responses have been received from the device manufacturers regarding the issues discovered.

Editor's Note

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Retrieving the clear-text passwords required chip access to the device, which makes the risk of exploit low, even so, unless the wipe operation can be verified, choose physical destruction rather than wipe and reissue. Also, be sure to use strong master passwords to limit unauthorized access to passwords through the normal mechanisms.

Read more in:

- https://www.securityweek.com/hardware-based-password-managers-store-credentials-plaintext : Hardware-based Password Managers Store Credentials in Plaintext

- https://www.bleepingcomputer.com/news/security/some-hardware-based-password-managers-have-poor-security/ : Some Hardware-based Password Managers have poor security

Last patches for Windows 10 Mobile released

(December 09, 2019)

The last round of security patches for Microsoft's Windows 10 Mobile were released, marking the end of Microsoft's attempt at a mobile operating system. Windows 10 Mobile was officially end of support on June 11, 2019. Many Microsoft execs carry Android devices rather than ones powered by Windows Mobile. Bill Gates feels that had he not been distracted by copyright and related lawsuits, and released Windows Mobile three months earlier, the market niche held by Android would have been Microsoft.

Editor's Note

[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

In 2010, at a session at a Gartner conference, I asked then Microsoft CEO Steve Ballmer how Microsoft was going to succeed in the mobile phone market and his answer was "Windows, baby!" Also, six years earlier Bill Gates said Microsoft would rid the world of spam by 2006. I don't think copyright issues and lawsuits are really to blame for the failure of those two predictions. But owners of large installed bases do tend invest too much in fighting off threats to the profitability of that base vs. innovating to meet users changing needs. As many of stories in this issue point out, we are nearing one of those tipping points around protecting user data vs. profiting from it.

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Windows Mobile was a nice operating system, and Microsoft wanted to be "the" mobile device OS provider, success wasn't solely dependent on timing of the release or lawsuits, I recall the market was looking for an open solution which is where Android fit in.

Read more in:

- https://www.zdnet.com/article/windows-10-mobile-is-over-prepare-for-final-security-patches-as-support-ends/ : Windows 10 Mobile is over, prepare for final patches as support ends

London Metropolitan Police Trained to Fight Cybercrime

(December 16, 2019)

A Freedom of Information request submitted to the London Metropolitan police has highlighted that thousands of police on that force have received some level of training in fighting cybercrime. The training has been provided using online training solutions and approximately 4,500 officers took the "Cyber Crime and Digital Policing - First Responder", while another 4,500 completed the "Cyber Crime and Digital Policing - Introduction course"

Editor's Note

[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

The average citizen is not going to have the background on how to select help during an incident, so providing them the option to call the police when they have a cyber incident, and get a responder who has been properly trained raises the bar on proper actions being taken and increases the likelihood of a successful outcome.

Read more in:

- https://www.infosecurity-magazine.com/news/thousands-of-met-police-get-cyber : Thousands of Met Police Get Cyber Training

****************************************************************************

Internet Storm Center Tech Corner

Slack "Unshare" Not Working As Expected

https://www.theregister.co.uk/2019/12/16/slack_filesharing_vulnerability_post_sharing/

Google Making OAUTH Mandatory for GSuite

https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html

TPLink Authentication Bypass

https://securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/

Factoring IoT RSA Keys

https://info.keyfactor.com/factoring-rsa-keys-in-the-iot-era