
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #53

July 9, 2019

British Airways GDPR Fine 10% of Profits; Baltimore's Ransomware; CyberCom Warns of Outlook Attacks




In Memoriam: Michael Joseph Assante - the best man we ever knew. Rest in peace.

 

Mike died on Friday July 5th. Here are his last words to the community:

 

"As a good navy man, I relinquish the watch to your capable hands. Watch over each other and care for one another. The world is beautiful and worth fighting for the right principles and values. Know I am smiling right now!"

 

****************************************************************************

SANS NewsBites                 July 9, 2019                Vol. 21, Num. 053

****************************************************************************


TOP OF THE NEWS


   UK's Information Commissioner's Office to Fine British Airways for GDPR Violations

   Baltimore's Ransomware Recovery Progress

   US CyberCom Warns of Attacks On Outlook


REST OF THE WEEK'S NEWS       

 

   Apple Fixes iMessage Flaw

   Canonical GitHub Account Hacked

   Eurofins Scientific Paid Ransomware Demand

   PGP Flood Attacks

   Border Surveillance Firm Suspended After Breach

   D-Link Agrees to FTC Settlement


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*************************  Sponsored By Splunk   *****************************


5 Key Ways CISOs Can Accelerate the Business. In a new report conducted by Forrester, CISOs are encouraged to align security with the enterprise, as well as juggle key innovations and manage the skills gap. Download your copy of 5 Key Ways CISOs Can Accelerate the Business and discover how to embed security into your business strategy. http://www.sans.org/info/213590


*****************************************************************************



TOP OF THE NEWS  

 

-- UK's Information Commissioner's Office to Fine British Airways for GDPR Violations

(July 8, 2019)

The UK Information Commissioner's Office (ICO) has announced that it will fine British Airways (BA) £183.39M (€204.68 million/US $229.45 million) for violations of the General Data Protection Regulation (GDPR). The 2018 data breach exposed personal information of 500,000 customers.


[Editor Comments]


[Pescatore] Another good source of data to use in briefing CEOs and Boards: Using typical numbers, that US $229.45 million fine is about 6% of BA's 2018 profit. It represents about $40 per record exposed, while the typical hard costs (dealing with the problem, communicating with impacted customers, providing credit check services, dealing with lawsuits, etc.) are typically $50-75 per record, or another $250M. So, the total cost of this one incident is about $500M or over 10% of BA's 2018 profit. The cost of making sure the web software didn't have easily exploited vulnerabilities before it was allowed on the website would have been less than 1% of that eventual cost.


[Honan] This announcement is an intent by the ICO to fine British Airways. British Airways will contest this, and the final penalty may be different from the one announced here. Also, the proposed fine is not for the breach itself but, according to the ICO's statement, due to "poor security arrangements at the company". The proposed fine amounts to 1.5% of British Airways' revenue, so this should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously.


Read more in:

ICO: Intention to fine British Airways £183.39m under GDPR for data breach

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

BBC: British Airways faces record £183m fine for data breach

https://www.bbc.com/news/business-48905907

The Register: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt

https://www.theregister.co.uk/2019/07/08/ico_threatens_ba_with_huge_fine_for_huge_data_loss/

ZDNet: GDPR: Record British Airways fine shows how data protection legislation is beginning to bite

https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/

ZDNet: GDPR: British Airways faces record £183m fine for customer data breach

https://www.zdnet.com/article/gdpr-british-airways-faces-record-183m-fine-for-customer-data-breach/

Cyberscoop: British Airways fined $229 million under GDPR for data breach tied to Magecart

https://www.cyberscoop.com/british-airways-gdpr-fine-magecart/

Threatpost: Post-Data Breach, British Airways Slapped With Record $230M Fine

https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/


-- Baltimore's Ransomware Recovery Progress

(July 3, 2019)

The city of Baltimore, Maryland, is making gradual progress in restoring its systems in the wake of a May 7 ransomware attack. The city is now able to accept payments for parking tickets and property tax bills online. As of July 3, the Baltimore water billing system was still offline.


Read more in:

Baltimore Sun: Baltimore restores online payment systems for speeding and parking tickets and property taxes

https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-online-payments-20190703-story.html

 
 

-- US CyberCom Warns of Attacks On Outlook

(July 2 & 3, 2019)

US Cyber Command has issued an alert warning that hackers with links to the Iranian government have been exploiting a known sandbox escape vulnerability in Microsoft Outlook to install malware on unpatched servers. Cyber Command has uploaded malware samples to VirusTotal. Microsoft released a fix for the vulnerability in October 2017.


[Editor Comments]


[Neely] Irrespective of the focus of the attack, make sure that your Office installations are up-to-date with current patches. Patches are available for Outlook 2010, 2013 and 2016.


[Murray] While application escape mechanisms may add some flexibility and function to application software, they continue to plague security. Even where rarely used, they are often, for "convenience," enabled by default.


Read more in:

Twitter: USCYBERCOM has discovered active malicious use of CVE-2017-11774...

https://twitter.com/CNMF_VirusAlert/status/1146130046127681536

The Register: US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw

https://www.theregister.co.uk/2019/07/03/outlook_flaw_iran/

SC Magazine: Cyber Command warns hackers exploiting Outlook vulnerability to attack gov't agencies

https://www.scmagazine.com/home/security-news/apts-cyberespionage/cyber-command-warns-outlook-vulnerability-exploited-to-attack-govt-agencies/

Bleeping Computer: Outlook Flaw Exploited by Iranian APT33, US CyberCom Issues Alert

https://www.bleepingcomputer.com/news/security/outlook-flaw-exploited-by-iranian-apt33-us-cybercom-issues-alert/

Duo: US Cyber Command Warns of Targeted Attacks on Old Outlook Flaw

https://duo.com/decipher/us-cyber-commands-warns-of-targeted-attacks-on-old-outlook-flaw


****************************  SPONSORED LINKS  ******************************


1) Simplify your OT security journey when deploying and operating OT networks. Register for Radiflow's upcoming webcast: http://www.sans.org/info/213575


2) Take the SANS 2019 Threat Hunting Survey and enter to win a $400 Amazon gift card! Survey closes July 10th: http://www.sans.org/info/213580


3) Sign up for the webcast "Backstory + VirusTotal: How to Get the Most Out of Your Security Data" with Chronicle and SANS expert Matt Bromiley: http://www.sans.org/info/213585


*****************************************************************************

REST OF THE WEEK'S NEWS       

-- Apple Fixes iMessage Flaw

(July 8, 2019)

Apple fixed a high-severity vulnerability in iMessage that could be used to create denial-of-service conditions on devices running versions of iOS that are not current. The DoS condition can be resolved by resetting the device to factory settings. The flaw was initially detected by Google's Project Zero, which notified Apple about it several months ago. Apple fixed the problem with iOS 12.3, which was released on May 13, 2019. According to one estimate, 47 percent of iOS devices are running vulnerable versions of the operating system. The flaw can be exploited by simply sending a target a maliciously-crafted iMessage; no user interaction is required.


[Editor Comments]


[Neely] iOS 12.3 can be applied to iPhone 5S or later, iPad Mini 2 or later and 6th generation iPod touch or later. While iOS 12 includes an automatic update setting, the updates are applied at a random interval during the seven days after the update is released and the device has to be both connected to power and on a wireless network for that to work.


Read more in:

Threatpost: Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software

https://threatpost.com/apple-patches-imessage-bug/146277/

Duo: iMessage Flaw Can Brick iPhones

https://duo.com/decipher/imessage-flaw-can-brick-iphones

 
 

-- Canonical GitHub Account Hacked

(July 8, 2019)

On Saturday, July 6, hackers compromised a GitHub account that belongs to Canonical, the company that produces and supports the Ubuntu Linux distribution. It does not appear that Ubuntu source code has been affected.


Read more in:

ZDNet: Canonical GitHub account hacked, Ubuntu source code safe

https://www.zdnet.com/article/canonical-github-account-hacked-ubuntu-source-code-safe/

BankInfoSecurity: Canonical Investigating Hack of Its GitHub Page

https://www.bankinfosecurity.com/canonical-investigating-hack-its-github-page-a-12749

 
 

-- Eurofins Scientific Paid Ransomware Demand

(July 5, 2019)

Forensic services company Eurofins Scientific reportedly paid an undisclosed sum demanded in a ransomware attack. The attack occurred on June 2, and prompted UK police to suspend working with Eurofins. Some court proceedings were reportedly delayed because results of Eurofins analysis were not available.  


Read more in:

Infosecurity Magazine: UK's Eurofins Scientific Reportedly Pays Ransom

https://www.infosecurity-magazine.com/news/uks-eurofins-scientific-reportedly/

ZDNet: UK's largest police forensics lab paid ransom demand to recover locked data

https://www.zdnet.com/article/uks-largest-police-forensics-lab-paid-ransom-demand-to-recover-locked-data/

BBC: Eurofins Scientific: Forensic services firm paid ransom after cyber-attack

https://www.bbc.com/news/uk-48881959

 
 

-- PGP Flood Attacks

(July 1, 2, 3, & 5, 2019)

Attackers have poisoned at least two PGP certificates by adding tens of thousands of signatures. OpenPGP does not limit the number of signatures that can be added to a PGP certificate, and GnuPG does not manage certificates with large numbers of signatures well.  
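The two sentences above describe the failure mode but not what a flooded certificate looks like on disk. As an added example that is not from this newsletter or from any of the linked write-ups, the Python below parses only the packet headers of a binary OpenPGP key export and reports keys whose signature count exceeds a threshold, so an operator can refuse to import a poisoned certificate before GnuPG has to cope with it; the `gpg --export` usage, the cut-off value and the sample packet stream are assumptions or constructed.

```python
# Added example (not from the page or any project it links): walk a binary
# OpenPGP key export, e.g. the output of `gpg --export <keyid>`, and count the
# signature packets attached to each public key, so a flooded certificate can
# be flagged before it is imported. Only packet headers (RFC 4880, section 4.2)
# are parsed; bodies are skipped, so no crypto library is needed.

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13

def iter_packets(data):
    """Yield (tag, body) for every packet in an OpenPGP binary stream."""
    i, n = 0, len(data)
    while i < n:
        first = data[i]
        if not first & 0x80:
            raise ValueError("bad OpenPGP packet header at offset %d" % i)
        i += 1
        if first & 0x40:                       # new-format header, tag in low 6 bits
            tag, body = first & 0x3F, bytearray()
            while True:                        # loop handles partial body lengths
                o1 = data[i]; i += 1
                if o1 < 192:
                    length = o1
                elif o1 < 224:
                    length = ((o1 - 192) << 8) + data[i] + 192; i += 1
                elif o1 == 255:
                    length = int.from_bytes(data[i:i + 4], "big"); i += 4
                else:                          # 224..254: partial chunk, more follow
                    length = 1 << (o1 & 0x1F)
                body += data[i:i + length]; i += length
                if not 224 <= o1 < 255:
                    break
            yield tag, bytes(body)
        else:                                  # old-format header, tag in bits 2..5
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                     # indeterminate: runs to end of input
                yield tag, bytes(data[i:]); return
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + width], "big"); i += width
            yield tag, bytes(data[i:i + length]); i += length

def signature_counts(data):
    """Return one (key_index, user_ids, signature_count) tuple per public key."""
    keys = []
    for tag, body in iter_packets(data):
        if tag == TAG_PUBLIC_KEY:
            keys.append([len(keys), [], 0])
        elif keys and tag == TAG_USER_ID:
            keys[-1][1].append(body.decode("utf-8", "replace"))
        elif keys and tag == TAG_SIGNATURE:    # self-sigs, certifications, bindings
            keys[-1][2] += 1
    return [tuple(k) for k in keys]

def flooded_keys(data, threshold=1000):        # threshold is a constructed cut-off
    return [k for k in signature_counts(data) if k[2] > threshold]

# Constructed sample: valid packet headers around dummy bodies (not real keys).
def new_fmt(tag, body):                        # new-format header, body < 8384 bytes
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

def old_fmt(tag, body):                        # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

SAMPLE = (new_fmt(TAG_PUBLIC_KEY, b"K" * 300)            # exercises 2-octet length
          + new_fmt(TAG_USER_ID, b"Alice <alice@example.org>")
          + new_fmt(TAG_SIGNATURE, b"S" * 40) * 1500     # flooded certificate
          + old_fmt(TAG_PUBLIC_KEY, b"k" * 100)
          + old_fmt(TAG_USER_ID, b"Bob <bob@example.org>")
          + old_fmt(TAG_SIGNATURE, b"s" * 40) * 2)       # ordinary certificate
```

Running `flooded_keys` over a real export before `gpg --import` gives a cheap pre-import check; the threshold should be tuned to the largest legitimate key you expect to handle.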


Read more in:

GitHub: SKS Keyserver Network Under Attack

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Threatpost: PGP Ecosystem Targeted in 'Poisoning' Attacks

https://threatpost.com/pgp-ecosystem-targeted-in-poisoning-attacks/146240/

Vice: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem

Bleeping Computer: Public Certificate Poisoning Can Break Some OpenPGP Implementations

https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/

Duo: OpenPGP Certificate Attack Worries Experts

https://duo.com/decipher/openpgp-certificate-attack-worries-experts

 
 

-- Border Surveillance Firm Suspended After Breach

(July 3, 2019)

Customs and Border Protection (CBP) has suspended a subcontractor that stored sensitive data on its own private network, where the data was then breached. The company, Perceptics, allegedly transferred some of the images onto its private network in violation of CBP rules.


[Editor Comments]


[Honan] Simply contracting a company not to do something or ensuring they have a relevant policy is not enough; you need to ensure you have the ability, and the capability, to audit and verify they meet your security requirements.


Read more in:

SC Magazine: Border-surveillance subcontractor suspended after cyberattack

https://www.scmagazine.com/home/government/border-surveillance-subcontractor-perceptics-was-suspended-after-a-cyberattack-against-the-firm-revealed-sensitive-monitoring-details/

 
 

-- D-Link Agrees to FTC Settlement

(July 2 & 3, 2019)

D-Link Systems has agreed to a settlement with the US Federal Trade Commission (FTC) over allegations that the company misrepresented efforts to secure its wireless routers and Internet-connected cameras. The proposed settlement imposes a number of requirements, including calling for D-Link to establish a comprehensive software security program, undergo third-party security assessments, and submit compliance reports to the FTC.


[Editor Comments]


[Pescatore] While the FTC is the most active enforcer of privacy rules the US government has, the severity of the punishment is like a gnat bite to GDPR's shark bite.


Read more in:

FTC: [Proposed] Stipulated Order for Injunction and Judgment

https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf

FTC: D-Link Agrees to Make Security Enhancements to Settle FTC Litigation

https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation

FTC: FTC Charges D-Link Put Consumers' Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (2017 Complaint)

https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate

The Register: D-Link must suffer indignity of security audits to settle with the Federal Trade Commission

https://www.theregister.co.uk/2019/07/03/dlink_to_suffer_the_indignity_of_security_audits_to_settle_with_the_ftc/

SC Magazine: D-Link agrees to overhaul security in FTC settlement

https://www.scmagazine.com/home/security-news/iot/d-link-agrees-to-overhaul-security-in-ftc-settlement/


*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Powershell Kill Switch Commands

https://isc.sans.edu/forums/diary/Using+Powershell+in+Basic+Incident+Response+A+Domain+Wide+KillSwitch/25088/


Malicious XSL Files

https://isc.sans.edu/forums/diary/Malicious+XSL+Files/25098/


Canonical Github Hack

https://news.ycombinator.com/item?id=20373009


Blocking DNS over HTTPS

https://github.com/bambenek/block-doh


Magento RCE Exploit

https://blog.ripstech.com/2019/magento-rce-via-xss/


Does "Godlua" Use DNS over HTTPS or Not?

https://www.golem.de/news/verschluesseltes-dns-falschmeldung-in-propagandaschlacht-um-dns-ueber-https-1907-142358.html

https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/


New Wave of Magecart Attacks

https://gist.github.com/gwillem/5d936f5a84837d5c1dcb488ce256294a


Exploit for Cisco Authentication Bypass and RCE

https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-dcnm-rce.txt


Zipato SmartHub Vulnerabilities

https://blackmarble.sh/zipato-smart-hub/


Cloudflare Outage

https://www.cloudflarestatus.com/incidents/tx4pgxs6zxdr


Android Update

https://source.android.com/security/bulletin/2019-07-01


Facebook's Libra Crypto Currency Already Impersonated

https://www.digitalshadows.com/blog-and-research/facebooks-libra-cryptocurrency-cybercriminals-tipping-the-scales-in-their-favor/


 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create