Volume XXI - Issue #53

July 9, 2019

British Airways GDPR Fine 10% of Profits; Baltimore's Ransomware; CyberCom Warns of Outlook Attacks

In Memoriam: Michael Joseph Assante - the best man we ever knew. Rest in peace.


Mike died on Friday July 5th. Here are his last words to the community:


"As a good navy man, I relinquish the watch to your capable hands. Watch over each other and care for one another. The world is beautiful and worth fighting for the right principles and values. Know I am smiling right now!"



SANS NewsBites                 July 9, 2019                Vol. 21, Num. 053



   UK's Information Commissioner's Office to Fine British Airways for GDPR Violations

   Baltimore's Ransomware Recovery Progress

   US CyberCom Warns of Attacks On Outlook



   Apple Fixes iMessage Flaw

   Canonical GitHub Account Hacked

   Eurofins Scientific Paid Ransomware Demand

   PGP Flood Attacks

   Border Surveillance Firm Suspended After Breach

   D-Link Agrees to FTC Settlement




-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019

-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019

-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019

-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019

-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019

-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



*************************  Sponsored By Splunk   *****************************

5 Key Ways CISOs Can Accelerate the Business. In a new report conducted by Forrester, CISOs are encouraged to align security with the enterprise, as well as juggle key innovations and manage the skills gap. Download your copy of 5 Key Ways CISOs Can Accelerate the Business and discover how to embed security into your business strategy. http://www.sans.org/info/213590




-- UK's Information Commissioner's Office to Fine British Airways for GDPR Violations

(July 8, 2019)

The UK Information Commissioner's Office (ICO) has announced that it will fine British Airways (BA) £183.39M (€204.68 million/US $229.45 million) for violations of the General Data Protection Regulation (GDPR). The 2018 data breach exposed personal information of 500,000 customers.

[Editor Comments]

[Pescatore] Another good source of data to use in briefing CEOs and Boards: Using typical numbers, that US $229.45 million fine is about 6% of BA's 2018 profit. It represents about $40 per record exposed, while the typical hard costs (dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc.) are typically $50-75 per record, or another $250M. So, the total cost of this one incident is about $500M or over 10% of BA's 2018 profit. The cost of making sure the web software didn't have easily exploited vulnerabilities before it was allowed on the website would have been less than 1% of that eventual cost.

[Honan] This announcement is an intent by the ICO to fine British Airways. British Airways will contest this, and the final penalty may be different from the one announced here. Also, the proposed fine is not for the breach itself but according to the ICO's statement due to "poor security arrangements at the company". The proposed fine amounts to 1.5% of British Airways revenue so this should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously.

Read more in:

ICO: Intention to fine British Airways £183.39m under GDPR for data breach


BBC: British Airways faces record £183m fine for data breach


The Register: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt


ZDNet: GDPR: Record British Airways fine shows how data protection legislation is beginning to bite


ZDNet: GDPR: British Airways faces record £183m fine for customer data breach


Cyberscoop: British Airways fined $229 million under GDPR for data breach tied to Magecart


Threatpost: Post-Data Breach, British Airways Slapped With Record $230M Fine


-- Baltimore's Ransomware Recovery Progress

(July 3, 2019)

The city of Baltimore, Maryland, is making gradual progress in restoring its systems in the wake of a May 7 ransomware attack. The city is now able to accept payments for parking tickets and property tax bills online. As of July 3, the Baltimore water billing system was still offline.

Read more in:

Baltimore Sun: Baltimore restores online payment systems for speeding and parking tickets and property taxes



-- US CyberCom Warns of Attacks On Outlook

(July 2 & 3, 2019)

US Cyber Command has issued an alert warning that hackers with links to the Iranian government have been exploiting a known sandbox escape vulnerability in Microsoft Outlook to install malware on unpatched servers. Cyber Command has uploaded malware samples to VirusTotal. Microsoft released a fix for the vulnerability in October 2017.

[Editor Comments]

[Neely] Irrespective of the focus of the attack, make sure that your Office installations are up-to-date with current patches. Patches are available for Outlook 2010, 2013 and 2016.

[Murray] While application escape mechanisms may add some flexibility and function to application software, they continue to plague security. Even where rarely used, they are often, for "convenience," enabled by default.

Read more in:

Twitter: USCYBERCOM has discovered active malicious use of CVE-2017-11774...


The Register: US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw


SC Magazine: Cyber Command warns hackers exploiting Outlook vulnerability to attack gov't agencies


Bleeping Computer: Outlook Flaw Exploited by Iranian APT33, US CyberCom Issues Alert


Duo: US Cyber Command Warns of Targeted Attacks on Old Outlook Flaw


****************************  SPONSORED LINKS  ******************************

1) Simplify your OT security journey when deploying and operating OT networks. Register for Radiflow's upcoming webcast: http://www.sans.org/info/213575

2) Take the SANS 2019 Threat Hunting Survey and enter to win a $400 Amazon gift card! Survey closes July 10th: http://www.sans.org/info/213580

3) Sign up for the webcast "Backstory + VirusTotal: How to Get the Most Out of Your Security Data" with Chronicle and SANS expert Matt Bromiley: http://www.sans.org/info/213585



-- Apple Fixes iMessage Flaw

(July 8, 2019)

Apple fixed a high-severity vulnerability in iMessage that could be used to create denial-of-service conditions on devices running versions of iOS that are not current. The DoS condition can be resolved by resetting the device to factory settings. The flaw was initially detected by Google's Project Zero, which notified Apple about it several months ago. Apple fixed the problem with iOS 12.3, which was released on May 13, 2019. According to one estimate, 47 percent of iOS devices are running vulnerable versions of the operating system. The flaw can be exploited by simply sending a target a maliciously-crafted iMessage; no user interaction is required.

[Editor Comments]

[Neely] iOS 12.3 can be applied to iPhone 5S or later, iPad Mini 2 or later and 6th generation iPod touch or later. While iOS 12 includes an automatic update setting, the updates are applied at a random interval during the seven days after the update is released and the device has to be both connected to power and on a wireless network for that to work.

Read more in:

Threatpost: Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software


Duo: iMessage Flaw Can Brick iPhones



-- Canonical GitHub Account Hacked

(July 8, 2019)

On Saturday, July 6, hackers compromised a GitHub account that belongs to Canonical, the company that produces and supports the Ubuntu Linux distribution. It does not appear that Ubuntu source code has been affected.

Read more in:

ZDNet: Canonical GitHub account hacked, Ubuntu source code safe


BankInfoSecurity: Canonical Investigating Hack of Its GitHub Page



-- Eurofins Scientific Paid Ransomware Demand

(July 5, 2019)

Forensic services company Eurofins Scientific reportedly paid an undisclosed sum demanded in a ransomware attack. The attack occurred on June 2 and prompted UK police to suspend working with Eurofins. Some court proceedings were reportedly delayed because results of Eurofins analysis were not available.

Read more in:

Infosecurity Magazine: UK's Eurofins Scientific Reportedly Pays Ransom


ZDNet: UK's largest police forensics lab paid ransom demand to recover locked data


BBC: Eurofins Scientific: Forensic services firm paid ransom after cyber-attack



-- PGP Flood Attacks

(July 1, 2, 3, & 5, 2019)

Attackers have poisoned at least two PGP certificates by adding tens of thousands of signatures. OpenPGP does not limit the number of signatures that can be added to a PGP certificate, and GnuPG does not manage certificates with large numbers of signatures well.
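An added defensive check, not code from SANS, GnuPG or the keyserver project: a small OpenPGP packet walker that counts signature packets on a binary (unarmored) certificate so a flooded key can be refused by policy before it is imported into a keyring that copes badly with it. The two sample certificates are constructed with dummy packet bodies, the signature threshold is an assumed policy value, and partial-body lengths are rejected because exported certificates do not use them.

```python
SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13   # RFC 4880 packet tags


def count_packets(blob: bytes) -> dict[int, int]:
    """Return {packet tag: count} for a binary (non-armored) OpenPGP blob."""
    counts: dict[int, int] = {}
    i = 0
    while i < len(blob):
        b = blob[i]
        if not b & 0x80:
            raise ValueError(f"bad packet header byte at offset {i}")
        if b & 0x40:                                  # new-format header
            tag, first = b & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:                                     # partial body length
                raise ValueError("partial body lengths are not supported")
        else:                                         # old-format header
            tag, ltype = (b >> 2) & 0x0F, b & 0x03
            if ltype == 3:                            # indeterminate length
                length, hdr = len(blob) - i - 1, 1
            else:
                n = (1, 2, 4)[ltype]
                length, hdr = int.from_bytes(blob[i + 1:i + 1 + n], "big"), 1 + n
        i += hdr + length
        if i > len(blob):
            raise ValueError("truncated packet")
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def is_flooded(blob: bytes, max_signatures: int = 1000) -> bool:
    """True when the certificate carries more signatures than the (assumed) policy allows."""
    return count_packets(blob).get(SIGNATURE, 0) > max_signatures


def _packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet (body under 8384 bytes); builds the samples only."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body


# Constructed sample certificates with dummy packet bodies (no real key material).
_HEAD = _packet(PUBLIC_KEY, b"\x04" + b"\x00" * 300) + _packet(USER_ID, b"alice@example")
_SIG = _packet(SIGNATURE, b"\x04\x13" + b"\x00" * 100)
NORMAL_CERT = _HEAD + _SIG * 3          # self-signature plus two third-party signatures
FLOODED_CERT = _HEAD + _SIG * 50_000    # tens of thousands of signatures, as in the attack
```

Run `gpg --export <keyid>` (without `--armor`) and pass the bytes to `is_flooded` to apply the same check to a real certificate before importing it.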

Read more in:

GitHub: SKS Keyserver Network Under Attack


Threatpost: PGP Ecosystem Targeted in 'Poisoning' Attacks


Vice: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem


Bleeping Computer: Public Certificate Poisoning Can Break Some OpenPGP Implementations


Duo: OpenPGP Certificate Attack Worries Experts



-- Border Surveillance Firm Suspended After Breach

(July 3, 2019)

Customs and Border Protection has suspended a subcontractor that stored sensitive data on its private network, which was then breached. The company, Perceptics, allegedly transferred some of the images onto its private network in violation of CBP rules.

[Editor Comments]

[Honan] Simply contracting a company not to do something or ensuring they have a relevant policy is not enough; you need to ensure you have the ability, and the capability, to audit and verify they meet your security requirements.

Read more in:

SC Magazine: Border-surveillance subcontractor suspended after cyberattack



-- D-Link Agrees to FTC Settlement

(July 2 & 3, 2019)

D-Link Systems has agreed to a settlement with the US Federal Trade Commission (FTC) over allegations that the company misrepresented efforts to secure its wireless routers and Internet-connected cameras. The proposed settlement imposes a number of requirements, including calling for D-Link to establish a comprehensive software security program, undergo third-party security assessments, and submit compliance reports to the FTC.

[Editor Comments]

[Pescatore] While the FTC is the most active enforcer of privacy rules the US government has, the severity of the punishment is like a gnat bite to GDPR's shark bite.

Read more in:

FTC: [Proposed] Stipulated Order for Injunction and Judgment


FTC: D-Link Agrees to Make Security Enhancements to Settle FTC Litigation


FTC: FTC Charges D-Link Put Consumers' Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (2017 Complaint)


The Register: D-Link must suffer indignity of security audits to settle with the Federal Trade Commission


SC Magazine: D-Link agrees to overhaul security in FTC settlement




Powershell Kill Switch Commands


Malicious XSL Files


Canonical Github Hack


Blocking DNS over HTTPS


Magento RCE Exploit


Does "Godlua" Use DNS over HTTPS or Not?



New Wave of Magecart Attacks


Exploit for Cisco Authentication Bypass and RCE


Zipato SmartHub Vulnerabilities


Cloudflare Outage


Android Update


Facebook's Libra Crypto Currency Already Impersonated




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create