SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #7
January 24, 2020
Microsoft's Misconfiguration Discloses Millions of Customer Records; The Fight Against Election Meddling; Seattle Testing Web-Based Voting
****************************************************************************
SANS NewsBites January 24, 2020 Vol. 22, Num. 007
****************************************************************************
TOP OF THE NEWS
Microsoft Customer Service Records Exposed via Misconfigured Servers
Report Calls for International Efforts to Fight Election Meddling
Seattle-area Conservation District Testing Web-Based Voting In Two Weeks
REST OF THE WEEK'S NEWS
Call to Reform UK's Computer Misuse Act
Citrix Releases Fixes for SD-WAN WANOP
ProtonVPN Apps Now Open Source
Safari's Information Tracking Prevention Poses Privacy Concerns
Swatters Targeting Tech Executives
DHS's CISA Warns of Increased Emotet Attacks
US Treasury Wants to Hear Financial Sector Cybersecurity Concerns
Correction
INTERNET STORM CENTER TECH CORNER
******************* Sponsored By AWS Marketplace *************************
Enhance Security Ops, Visibility and Detection/Response in AWS. Learn how to leverage SIEM, SOAR and continuous monitoring in the AWS cloud to improve visibility and accuracy for security ops, detection and response. This webcast features Dave Shackleford, SANS GIAC technical director, and Vinay Sukumar, security intelligence category principal at AWS. Thursday, January 30, 2:00 PM ET. http://www.sans.org/info/215355
****************************************************************************
Cybersecurity Training Update
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an HP Chromebook 14 G5, or Take $300 Off through February 5 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Microsoft Customer Service Records Exposed via Misconfigured Servers
(January 22 & 23, 2020)
Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29, and had fixed the problem by December 31. All five servers stored the same information.
[Editor Comments]
[Paller] One aspect of the story here is that if a company as skilled as Microsoft is making catastrophic configuration errors in setting up cloud and open source applications, how badly configured are those applications when used by less sophisticated organizations?
[Murray] If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so. We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision.
[Pescatore] OWASP A6 "Security Misconfigurations" is really getting a lot of action with admin misconfigurations of cloud services and open source software in particular. The telling quote in the Microsoft Response Center blog post: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database." Why not, and where else has this happened are the key questions: were the controls simply policy statements (This should be done) vs. gates (Database does not go to production unless this has been done.)?
[Neely] Security misconfiguration of cloud services has become a recurring theme. While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed. Rapid deployment of solutions needs to include independent verification of the security settings prior to production release. When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.
Read more in:
MSRC Blog: Access Misconfiguration for Customer Support Database
https://msrc-blog.microsoft.com/2020/01/22/access-misconfiguration-for-customer-support-database/
Comparitech: Report: 250 million Microsoft customer service and support records exposed on the web
https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/
SC Magazine: Microsoft database misconfiguration exposes 250M customer support records
The Register: WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet
https://www.theregister.co.uk/2020/01/22/microsoft_support_database_leak/
ZDNet: Microsoft discloses security breach of customer support database
https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
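One way to turn the "gate, not policy statement" point and the call for independent verification of security settings before production release into something a deployment pipeline can run. This is an added example, not code from the newsletter, Microsoft or Elastic; it assumes the flat "key: value" layout of elasticsearch.yml, uses the real `network.host` and `xpack.security.enabled` settings, and the two sample configs are constructed.

```python
"""Pre-production gate for Elasticsearch node settings (added example).

Reads the flat "key: value" form of elasticsearch.yml (nested YAML is out
of scope, so no YAML library is needed) and refuses to pass a node that is
reachable from outside localhost while authentication is disabled.
  network.host            - real setting: address(es) the node binds to
  xpack.security.enabled  - real setting: whether auth/security is on
A missing xpack.security.enabled is treated as disabled (conservative:
the gate wants it set explicitly)."""

# Values of network.host that keep the node on the local machine only.
LOCAL_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict; ignores comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def bind_addresses(settings):
    """network.host may be one address or a [a, b] list; normalise to a list."""
    value = settings.get("network.host", "_local_").strip("[]")
    return [v.strip().strip('"').strip("'") for v in value.split(",") if v.strip()]


def exposed_without_auth(settings):
    """True when the node listens on a non-local address and security is off."""
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    non_local = [h for h in bind_addresses(settings) if h not in LOCAL_HOSTS]
    return bool(non_local) and not security_on


def gate(config_text):
    """Return (ok, findings); ok=False means do not promote to production."""
    settings = parse_flat_yaml(config_text)
    findings = []
    if exposed_without_auth(settings):
        findings.append("network.host=%s is not local but xpack.security.enabled "
                        "is not true" % ",".join(bind_addresses(settings)))
    return (not findings, findings)


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONFIG = """
cluster.name: support-search
network.host: 0.0.0.0        # reachable from anywhere, no auth configured
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: support-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, findings = gate(cfg)
        print(name, "PASS" if ok else "BLOCKED", findings)
```

Wire `gate()` into the deployment job so a failing result stops the rollout rather than only logging a warning; that is the difference between a policy statement and a gate.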
--Report Calls for International Efforts to Fight Election Meddling
(January 22, 2020)
A report from the Kofi Annan Commission on Elections and Democracy in the Digital Age notes that "disinformation has been weaponized to discredit democratic institutions, sow societal distrust, and attack political candidates." The report offers proposals for countering the challenge to the integrity of elections worldwide; the proposals include the formation of an international coalition to address election meddling, including phony social media campaigns.
[Editor Comments]
[Pescatore] We've seen in cybersecurity that big long lists of what needs to be done generally result in very few meaningful steps forward - lots of talk, very little action. The big issue of social media companies like Facebook knowingly allowing false and dangerous "information" to be passed on the networks is pretty similar to ISPs knowingly allowing phishing attacks and malware to be carried out over their networks. Putting that part of the problem aside, actually increasing the security of election systems and *not* allowing untested systems and software to be used without making sure that basic security hygiene is included is a more manageable problem. I think we have seen that aircraft flight control software that isn't sufficiently tested can lead to disastrous results - election systems should be viewed with that same lens.
Read more in:
Wired: Elections Globally Are Under Threat. Here's How to Protect Them
https://www.wired.com/story/un-warns-global-threat-election-integrity/
NYT: Fringe Groups Undermine Democracy via Social Media: Kofi Annan Think-Tank
https://www.nytimes.com/reuters/2020/01/22/world/europe/22reuters-davos-meeting-socialmedia.html
--Seattle-area Conservation District Testing Web-Based Voting In Two Weeks
(January 22, 2020)
The King Conservation District in Seattle, Washington, plans to test a web-site voting option in a February 10 election. Voters who choose to may use the site, built by Democracy Live, and access their ballots with their names and birthdates. The district, which encompasses Seattle and some suburbs, has about 1.2 million voters.
[Editor Comments]
[Pescatore] This is a small test in a local election for a conservation board member seat, with a lot of manual checking proposed. It is underwritten by Tusk Philanthropies, which has an admirable goal of increasing voting participation while also increasing the security of election systems. If Tusk is seriously focusing on the security, we need efforts like this to help drive things forward. If the slant is too much towards "Let's use the latest technology for elections!" then it is just a big step backwards. I hope they produce a detailed after-action assessment.
[Neely] Votes collected through the LiveBallot application will be signed on the device screen. The submitted ballot is then printed and compared with on-file signatures. Washington state's mail-in ballots are verified with a signature matching process. Using digital signatures with appropriate issuing processes could reduce the variability of creating on-screen signatures and can be digitally verified.
Read more in:
Statescoop: Mobile voting arrives for 1.2 million Seattle-area voters
https://statescoop.com/mobile-voting-arrives-seattle-washington/
**************************** SPONSORED LINKS ******************************
1) Webcast January 29th at 10:30 AM ET: Elevate Your Endpoint Security with Microsoft Defender ATP. Register: http://www.sans.org/info/215360
2) Don't miss the results of the SANS 2020 Cybersecurity Spending Survey on January 29th at 1 PM ET! Sign up: http://www.sans.org/info/215365
3) Live Simulcast | SANS Chris Crowley and industry experts to present the SANS Automation and Orchestration Solutions Forum. Register: http://www.sans.org/info/215370
*****************************************************************************
REST OF THE NEWS
--Call to Reform UK's Computer Misuse Act
(January 22, 2020)
The CLRNN has published a report calling for the UK government to update the Computer Misuse Act (CMA), which was enacted in 1990. CLRNN says that the law's vague definition of "unauthorized access" does not go far enough to protect the activity of legitimate security researchers. Furthermore, the law's definition of "computer" does not take into account the growth of the Internet of Things and mobile devices. CLRNN has also proposed changes that would bring the law up to date.
[Editor Comments]
[Neely] The CMA was enacted to fill gaps in existing legislation rather than be a comprehensive computer crime law and was based on relevant issues from 1990. While computer crime legislation and supporting policy, such as the CMA, are designed to be technology-independent for long-term relevance and applicability, they need to include a plan for review and update as technology, risks and tactics evolve.
[Murray] We have both of these problems in our own Computer Fraud and Abuse Act. Both laws were passed when most computer systems were private and most "authorized" use was by insiders. We have known about these problems in these laws for a decade. While drafting the necessary changes is difficult, it is, nonetheless, about time.
Read more in:
The Register: Academics call for UK's Computer Misuse Act 1990 to be reformed
https://www.theregister.co.uk/2020/01/22/clrnn_computer_misuse_act_reform_call/
Portswigger: The UK's Computer Misuse Act is 'crying out for reform'
https://portswigger.net/daily-swig/the-uks-computer-misuse-act-is-crying-out-for-reform
Reg Media: Reforming the Computer Misuse Act 1990: CLRNN Report (PDF)
https://regmedia.co.uk/2020/01/22/clrnn_cma_reform_report.pdf
--Citrix Releases Fixes for SD-WAN WANOP
(January 23, 2020)
Citrix has released patches for versions of its SD-WAN WANOP products that are vulnerable to a critical flaw that was disclosed in December. Citrix released patches for some vulnerable versions of its Application Delivery Controller (ADC) and Gateway products earlier this week. Fixes for the rest of the vulnerable versions are scheduled to be released on Friday, January 24.
Read more in:
Citrix: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP
ZDNet: Citrix: These are new patches for your vulnerable servers
https://www.zdnet.com/article/citrix-these-are-new-patches-for-your-vulnerable-servers/
--ProtonVPN Apps Now Open Source
(January 21 & 22, 2020)
Code for all ProtonVPN apps on all platforms has been open sourced and has undergone a third-party security audit. The ProtonVPN code for Android, iOS, macOS, and Windows is available on GitHub.
[Editor Comments]
[Neely] ProtonVPN published the reports from the audits by SEC Consult, which identified issues such as hard-coded credentials and lack of certificate pinning, which have been resolved.
Read more in:
ProtonVPN: All ProtonVPN apps are now open source and audited
https://protonvpn.com/blog/open-source/
ZDNet: ProtonVPN apps handed to open source community in transparency push
Bleeping Computer: ProtonVPN Apps Open Sourced for Added Transparency and Security
--Safari's Information Tracking Prevention Poses Privacy Concerns
(January 22 & 23, 2020)
The Intelligent Tracking Prevention system in Apple's Safari browser has been found to pose privacy risks for users. Google's Information Security Engineering team found several security issues in ITP, "including the disclosure of the user's web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks." Apple has addressed some of the issues in recent updates.
Read more in:
arXiv: Information Leaks via Safari's Intelligent Tracking Prevention (PDF)
https://arxiv.org/pdf/2001.07421.pdf
Ars Technica: Google researchers find serious privacy risks in Safari's anti-tracking protections
The Register: Safari's Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler
https://www.theregister.co.uk/2020/01/22/apple_intelligent_tracking_protection/
ZDNet: Google to Apple: Safari's privacy feature actually opens iPhone users to tracking
Threatpost: Google: Flaws in Apple's Private-Browsing Technology Allow for Third-Party Tracking
--Swatters Targeting Tech Executives
(January 23, 2020)
Swatters are targeting tech company executives, causing armed SWAT teams to arrive at their homes under false pretenses. Swatters can find information about the executives on online forums. Some believe people in these industries are being targeted because they have taken down accounts. The city of Seattle, Washington, has established a voluntary registry for people who believe they may be targeted by swatters.
Read more in:
NYT: People Are Calling SWAT Teams to Tech Executives' Homes
https://www.nytimes.com/2020/01/23/technology/fake-swat-calls-swatting.html
--DHS's CISA Warns of Increased Emotet Attacks
(January 22 & 23, 2020)
The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that it has detected an increase in cyberattacks using the Emotet Trojan. Many of the attacks have targeted US military and government systems. Emotet can be used as a malware downloader or malware dropper. CISA's recommendations include blocking email attachments that are associated with malware and those that cannot be scanned by antivirus products; segmenting and segregating networks and functions; and adopting a least-privilege approach.
Read more in:
US-CERT: Increased Emotet Malware Activity
https://www.us-cert.gov/ncas/current-activity/2020/01/22/increased-emotet-malware-activity
Duo: Emotet Sets Sights on Military and Government Targets
https://duo.com/decipher/emotet-sets-sights-on-military-and-government-targets
Infosecurity Magazine: US Cybersecurity Agency Issues Emotet Warning
https://www.infosecurity-magazine.com/news/us-cybersecurity-issues-emotet/
--US Treasury Wants to Hear Financial Sector Cybersecurity Concerns
(January 22 & 23, 2020)
According to a notice in the Federal Register, the US Treasury Department's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) wants input from banks and other financial sector organizations "to better understand the cybersecurity risk to U.S. financial services sector and financial services critical infrastructure." A recent report from the Federal Reserve Bank of New York found that a major cyberattack targeting a large US bank could have serious reverberations throughout the country's financial system.
[Editor Comments]
[Murray] The failure of the banks to address legitimate concerns of their customers (e.g., the persistence of the infamous magnetic stripe on credit and debit cards, the continued acceptance of credit card numbers from merchants ("card not present" fraud), failure to resist "account takeovers" and other unauthorized transactions, social engineering of support desks) should be of interest to the Treasury. The banks are part of the problem. While bank security is dramatically better than it was fifty years ago, the increase in the use of and reliance on banking still leaves us with a deficit.
Read more in:
GovInfosecurity: Treasury Wants to Collect More Cyber Risk Details From Banks
https://www.govinfosecurity.com/treasury-wants-to-collect-more-cyber-risk-details-from-banks-a-13642
Fifth Domain: Treasury wants more info on financial sector cybersecurity risks
New York Fed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis (abstract)
https://www.newyorkfed.org/research/staff_reports/sr909
Federal Register: Agency Information Collection Activities; Proposed Collection; Comment Request; Financial Sector Critical Infrastructure Cybersecurity Survey
--Correction
The name of a guest editor whose comment appeared in Tuesday's NewsBites was misspelled. The guest editor is Russ McRee, not McGee.
******************************************************************************
INTERNET STORM CENTER TECH CORNER
DeepBlueCLI
https://isc.sans.edu/forums/diary/DeepBlueCLI+Powershell+Threat+Hunting/25730/
https://github.com/sans-blue-team/DeepBlueCLI
German Malspam Pushing Ursnif
https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/
Simple vs. Complex Obfuscation
https://isc.sans.edu/forums/diary/Complex+Obfuscation+VS+Simple+Trick/25738/
EFS Ransomware
https://safebreach.com/Post/EFS-Ransomware
Fake Leak Compensation
https://www.kaspersky.com/blog/data-leak-compensation-scam/32057/
Tracking Users Using Safari's Intelligent Tracking Prevention
https://arxiv.org/pdf/2001.07421.pdf
Cisco Firepower Management Center LDAP Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth
Criminals Use Fake Job Sites to Defraud Victims
https://www.ic3.gov/media/2020/200121.aspx
Muhstik Botnet Targeting Tomato Routers
RD Gateway PoC Exploit Release
https://github.com/ollypwn/BlueGate
Citrix ADC Compromise Scanner
https://github.com/citrix/ioc-scanner-CVE-2019-19781/
LastPass Accidentally Removes Extension from Chrome Web Store
https://twitter.com/LastPassStatus/status/1220122561989640192
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create