Register by Tomorrow to Save $300 on 4-6 Day Courses at SANS Cyber Defense Initiative® in Washington, DC!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #59

July 30, 2019

Capital One Breach; Senate Intelligence Committee Election Interference Report



****************************************************************************

SANS NewsBites                July 30, 2019                Vol. 21, Num. 059

****************************************************************************

TOP OF THE NEWS

 

  Capital One Breach

  Senate Intelligence Committee Report on Election Interference


REST OF THE WEEK'S NEWS       

 

  Ransomware Hits Medical Center and Hospital in Puerto Rico

  Georgia (US) Department of Public Safety Ransomware Infection

  Deutsche Bank Email Access Blunder Allowed Former Employees to Access Work Accounts

  Multiple Vulnerabilities in VxWorks Operating System

  LAPD Data Breach

  GitHub Blocking Developers in Countries Under US Trade Sanctions

  No Prison for Marcus Hutchins


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************* Sponsored By VMWare, Inc ***************************


Evolving Micro-Segmentation for Preventive Security. Read this primer from Dave Shackleford, analyst at SANS Institute, on the evolution of micro-segmentation to the next generation of fully software-defined internal firewalls. Firewalls can combine Layer 7 network traffic analysis with workload protection to understand expected behavior of applications - so you can shrink the attack surface and radically lower your internal threat risk. http://www.sans.org/info/213775


*****************************************************************************


TOP OF THE NEWS

 

 --Capital One Breach

(July 29, 2019)

Credit card company Capital One has acknowledged that a data breach has compromised personal information of 100 million US customers and 6 million Canadian customers. The affected data include information collected from customers at the time they applied for credit cards between 2006 and 2019 as well as credit scores, credit limits and balances, and contact information. The FBI has arrested a suspect in the case.    


[Editor Comments]


[Neely] If the suspect had not reached out on social media it is unlikely she'd have been apprehended. While waiting for a perpetrator to make a mistake is an investigative option, it is better to ensure your active defense and detection mechanisms are performing. Regularly verify you can not only detect unauthorized accesses, often referred to as purple team exercises, but also that your boundary protection settings are as intended.


Read more in:

Capital One: Capital One Announces Data Security Incident

http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043

ZDNet: 100 million Americans and 6 million Canadians caught up in Capital One breach

https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/

Ars Technica: Hacker ID'd as former Amazon employee steals data of 106 million people from Capital One

https://arstechnica.com/information-technology/2019/07/feds-former-cloud-worker-hacks-into-capital-one-and-takes-data-for-106-million-people/

 
 

 --Senate Intelligence Committee Report on Election Interference

(July 25, 2019)

A report from the Senate Intelligence Committee says that Russian hackers interfered with election systems in all 50 US states leading up to the 2016 election. The report warns that US election systems remain vulnerable to attacks, posing a threat to the integrity of the 2020 election. The report describes a failure of intelligence including inadequate warnings to states and underestimating the scope of the attacks. It also says that while Russian hackers had access to systems that could have allowed them to alter voter registration data, they did not meddle in that way. The report is heavily redacted, blocking out some recommendations for protections that could be put in place for the 2020 election. Visible recommendations include requiring a paper trail for voters, and paper backups for election registration systems.


[Editor Comments]


[Pescatore] While the US Senate is ignoring the facts around the need to improve election security, there are solid efforts in a number of states to raise the bar. However, in national elections the results from all the states get added to together and the integrity of the results drops to the lowest common denominator.


[Neely] Recommendations of a paper trail or backups align with the concept of immutable audit records. As with audit logs, anomaly detection requires active monitoring. The question is when and how do you verify them?


[Murray] The security of our election system rests in its diversity and distributed authority. It is much more resilient than some would have you believe. The success of the Russian attacks was more in manipulating voters than systems: "social engineering" on a grand scale.


Read more in:

NYT: Russia Targeted Election Systems in All 50 States, Report Finds

https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html

SC Magazine: Report: Russian-sponsored hackers could have modified U.S. voter data, but didn't

https://www.scmagazine.com/home/security-news/report-russian-sponsored-hackers-could-have-modified-u-s-voter-data-but-didnt/


****************************  SPONSORED LINKS  ******************************


1) Webcast This Friday - Integrated Incident Response: A Panel Discussion about the SANS 2019 IR Survey. Register: http://www.sans.org/info/213785


2) What issues do you face with security effectiveness testing? Share your thoughts in our quick poll: http://www.sans.org/info/213780


3) Webcast August 7 at 1PM ET: The Age of Autonomous Breach Protection: Prepare, Confront and Respond to Cyberthreats Across the Entire Environment. http://www.sans.org/info/213790


*****************************************************************************


REST OF THE WEEK'S NEWS   

    

--Ransomware Hits Medical Center and Hospital in Puerto Rico

(July 19 & 29, 2019)

Ransomware has infected systems at a medical center and hospital in Puerto Rico. The

Bayamon Medical Center and Puerto Rico Women and Children's Hospital are part of the same organization. The incident affected information of more than 500,000 people. In a July 19 press release, the organization says that it "hired an outside consultant to" help with decryption and recovery.   


Read more in:

GovInfosecurity: Ransomware Attack Impacts 522,000 Patients in Puerto Rico

https://www.govinfosecurity.com/ransomware-attack-impacts-522000-patients-in-puerto-rico-a-12848


Bayamon-Medical: Press Release

http://www.bayamon-medical.com/prwch/docs/comunicado_de_prensa.jpg

 
 

--Georgia (US) Department of Public Safety Ransomware Infection

(July 29, 2019)

Georgia's Department of Public Safety became the victim of a ransomware attack on Friday, July 26. The incident affected the Georgia state patrol, the Georgia Capitol Police and the Georgia Motor Carrier Compliance Division. Laptops in police cars were unable to connect to the Internet and could not access law enforcement data. Officers are using work phones and radios to request information.


[Editor Comments]


[Neely] This and the LAPD story below show the growing trend for ransomware to target law enforcement groups, an easy step from current activities targeting city and state governments. The Georgia officers ability to work around the offline services is driven from experience having to deal with past outages, underscoring the importance of testing these alternative processes to get the job done.


Read more in:

CNET: Georgia police hit with ransomware infection

https://www.cnet.com/news/georgia-police-hit-with-ransomware-infection/

ZDNet: Ransomware infection takes some police car laptops offline in Georgia

https://www.zdnet.com/article/ransomware-infection-takes-some-police-car-laptops-offline-in-georgia/

 
 

--Deutsche Bank Control System Blunder Allowed Former Employees to Access Work eMail Accounts

(July 29, 2019)

Some former Deutsche Bank employees were able to access their work email accounts for weeks after they lost their jobs when the bank's equities trading division was eliminated. The employees' access to financial systems was cut off as soon as they were let go. Deutsche Bank has a history of problems with controls and computer systems.  


[Editor Comments]


[Pescatore] A vulnerability like that one is kind of like seeing one carpenter ant in your house - you know you have a lot more if you see one. Not having the processes in place to remove user accounts from Active Directory and/or email when employees (and often contractors) are terminated usually indicates bigger problems around both overall access control and any auditing that has been done.


[Neely] When staff separates, terminates or otherwise ceases to work for you, the termination process needs to include active disablement of all accounts, followed by deletion of those accounts in a timely fashion. It is easy to overlook accounts in legacy or standalone systems as well as an IDP used for cloud services. Running a scan for active accounts of separated employees is an excellent self-assessment. The results should not see dead people.


Read more in:

Bloomberg: Some Deutsche Bank Employees Kept Email Access After Being Fired

https://www.bloomberg.com/news/articles/2019-07-29/some-deutsche-bank-employees-kept-email-access-after-being-fired

Dark Reading: Deutsche Bank Email Vulnerability Left Ex-Employees with Access

https://www.darkreading.com/vulnerabilities---threats/deutsche-bank-email-vulnerability-left-ex-employees-with-access/d/d-id/1335375

 
 

--Multiple Vulnerabilities in VxWorks Operating System

(July 29, 2019)

Security researchers have identified 11 vulnerabilities that affect the VxWorks real-time operating system, which is embedded in two billion Internet connected devices around the world, including SCADA equipment, medical devices, and elevator controllers. The group of flaws has been dubbed Urgent11. Six of the vulnerabilities are remote code execution flaws. The issues do not affect the most recent version of VxWorks.

 

[Editor Comments]


[Neely] These are IoT, embedded controllers and critical systems, which makes updates tricky. Look to segment them, including removal of unneeded Internet access. Even if Internet access is needed, should the device be externally reachable or discoverable?


Read more in:

Wind River: Urgent/11 Further Boosts VxWorks Security

https://blogs.windriver.com/wind_river_blog/2019/07/urgent-11-further-boosts-vxworks-security.html

Wired: An Operating System Bug Exposes 200 Million Critical Devices

https://www.wired.com/story/vxworks-vulnerabilities-urgent11/

Ars Technica: 200 million devices--some mission-critical--vulnerable to remote takeover

https://arstechnica.com/information-technology/2019/07/200-million-devices-some-mission-critical-vulnerable-to-remote-takeover/

SC Magazine: Over 200M devices affected by critical flaws found in real-time operating system

https://www.scmagazine.com/home/security-news/vulnerabilities/over-2b-devices-affected-by-critical-flaws-found-in-real-time-operating-system/

Dark Reading: Series of Zero-Day Vulnerabilities Could Endanger 200 Million Devices

https://www.darkreading.com/endpoint/series-of-zero-day-vulnerabilities-could-endanger-200-million-devices/d/d-id/1335379

Threatpost: 'URGENT/11' Critical Infrastructure Bugs Threaten EternalBlue-Style Attacks

https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/

 
 

--LAPD Data Breach

(July 29, 2019)

A data breach has compromised personally identifiable information of 2,500 Los Angeles Police Department (LAPD) officers, as well as that of 17,500 people who applied to become LAPD officers.


Read more in:

Bleeping Computer: LAPD Data Breach Exposes Personal Info of Roughly 2.5K Officers

https://www.bleepingcomputer.com/news/security/lapd-data-breach-exposes-personal-info-of-roughly-25k-officers/

CNET: LAPD data breach exposes personal info of 2,500 officers, report says

https://www.cnet.com/news/lapd-data-breach-reveals-personal-info-of-2500-officers-report-says/

 
 

--GitHub Blocking Developers in Countries Under US Trade Sanctions

(July 26, 27, & 29 2019)

GitHub has confirmed that it has begun blocking developers in countries that are under US trade sanctions from accessing private repositories and GitHub Marketplace. Developers are finding that their access to their GitHub accounts has been "restricted." One developer in Crimea found that he was prevented from accessing his GitHub hosted site, existing private repositories and from creating new private repositories. GitHub is imposing the restrictions based on users' IP addresses and payment histories. Countries facing US trade sanctions include the Crimea region of Ukraine, Cuba, Iran, North Korea, and Syria.


Read more in:

Tech Crunch: GitHub confirms it has blocked developers in Iran, Syria and Crimea

https://techcrunch.com/2019/07/29/github-ban-sanctioned-countries/

ZDNet: GitHub starts blocking developers in countries facing US trade sanctions

https://www.zdnet.com/article/github-starts-blocking-developers-in-countries-facing-us-trade-sanctions/

Bleeping Computer: Microsoft-Owned GitHub Blocks Devs in US Sanctioned Countries

https://www.bleepingcomputer.com/news/security/microsoft-owned-github-blocks-devs-in-us-sanctioned-countries/

 
 

--No Prison for Marcus Hutchins

(July 26, 2019)

A US federal judge in Wisconsin sentenced Marcus Hutchins to time served and one year of supervised release for his role in creating the Kronos malware, which was used to steal bank account credentials. Hutchins initially made news in May 2017 for discovering a way to defang the WannaCry malware; he was arrested several months later in Las Vegas after attending a conference there.  


Read more in:

The Register: He's coming home, he's coming home ... Hutchins' coming home: British Wannacry killer held in US on malware dev rap set free by judge

https://www.theregister.co.uk/2019/07/26/hutchins_sentencing/

Cyberscoop: Marcus Hutchins, who stopped WannaCry's spread, avoids prison time

https://www.cyberscoop.com/marcus-hutchins-sentenced-kronos-wannacry/

Ars Technica: WannaCry slayer, malware author Marcus Hutchins won't go to prison

https://arstechnica.com/tech-policy/2019/07/wannacry-slayer-malware-author-marcus-hutchins-sentenced-to-time-served/

 
 

INTERNET STORM CENTER TECH CORNER


DVRIP Port 34567 Uptick

https://isc.sans.edu/forums/diary/DVRIP+Port+34567+Uptick/25174/


11 Flaws in VxWorks IPNet TCP/IP Stack

https://go.armis.com/urgent11


iOS iMessage File Disclosure Vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=1858


LibreOffice LibreLogo Macro Python Code Injection

https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/


Extracting Private Key From Amazon Music Application

https://koen.io/2019/07/26/underscoring-the-private-in-private-key/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create