SANS NewsBites

RSA Keynote Preview: Most Dangerous New Attack Vectors; US Natural Gas Pipeline Operator Hit with Ransomware; Citrix Says Hackers Had Access to its Networks for Five Months

February 21, 2020  |  Volume XXII - Issue #15

Top of the News


2020-02-19

US Natural Gas Pipeline Operator Hit with Ransomware

According to an advisory from the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), networks at a natural gas compression facility were infected with ransomware. The incident is believed to be the same one reported by the US Coast Guard in December 2019. The initial vector of attack was a phishing email; the malware then made its way from an office computer through the IT network to the operational technology (OT) network.

Editor's Note

Network isolation often includes the need to interact with and transfer data to other non-isolated systems. Using a trusted gateway or one-way link reduces the risks, and data transfer processes still need active anti-malware protections.

Lee Neely

One should not pass up an opportunity to remind management that e-mail (and browsing) should be isolated from mission critical applications. We cannot tolerate a situation where the cost of compromise of the enterprise is equal to that of social engineering any one of many users. Consider a combination of strong authentication, restrictive (as opposed to promiscuous or permissive) access control policy, and end-to-end application-layer encryption.

William Hugh Murray

Read more in

US-CERT: Alert (AA20-049A) Ransomware Impacting Pipeline Operations

https://www.us-cert.gov/ncas/alerts/aa20-049a

Ars Technica: A US gas pipeline operator was infected by malware--your questions answered

https://arstechnica.com/information-technology/2020/02/a-us-gas-pipeline-operator-was-infected-by-malware-your-questions-answered/

The Register: When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

https://www.theregister.co.uk/2020/02/19/dhs_confirms_ransomware_attack/

SC Magazine: CISA issues warns critical infrastructure sectors after successful ransomware attack on pipeline operator

https://www.scmagazine.com/home/security-news/ransomware/cisa-issues-warns-critical-infrastructure-sectors-after-successful-ransomware-attack-on-pipeline-operator/

ZDNet: DHS says ransomware hit US gas pipeline operator

https://www.zdnet.com/article/dhs-says-ransomware-hit-us-gas-pipeline-operator/

Ars Technica: US natural gas operator shuts down for 2 days after being infected by ransomware

https://arstechnica.com/information-technology/2020/02/ransomware-infection-shuts-down-us-natural-gas-operator-for-2-days/

BBC: Ransomware-hit US gas pipeline shut for two days

https://www.bbc.com/news/technology-51564905

Threatpost: U.S. Pipeline Disrupted by Ransomware Attack

https://threatpost.com/pipeline-disrupted-ransomware-attack/153049/

Fifth Domain: Could this attack signal the future of ransomware?

https://www.fifthdomain.com/home/2020/02/19/could-this-attack-signal-the-future-of-ransomware/

The Hill: DHS warns of cyber threats to critical systems after attack on pipeline operator

https://thehill.com/policy/cybersecurity/483711-dhs-warns-of-cyber-threats-to-critical-systems-after-attack-on-pipeline

NextGov: CISA Shares Details About Ransomware that Shut Down Pipeline Operator

https://www.nextgov.com/cybersecurity/2020/02/cisa-shares-details-about-ransomware-shut-down-pipeline-operator/163209/


2020-02-19

Citrix Says Hackers Had Access to its Networks for Five Months

Hackers maintained an "intermittent" presence inside Citrix networks for five months, according to a February 10, 2020, letter the company sent to users affected by the breach. Between October 13, 2018 and March 8, 2019, the hackers stole data belonging to employees, contractors, interns, and job candidates. Citrix first learned of the breach in March 2019, when the FBI notified the company that hackers had likely accessed the company's internal network. The FBI told Citrix that the intruders may have used "password spraying" attacks to gain access.

Editor's Note

As Citrix is often deployed at the perimeter to provide a virtual desktop on the corporate network, like VPN servers, it is a prime target of attack, and warrants similar monitoring and security oversight. Be sure to apply Citrix's recently released patch for CVE-2019-19781.

Lee Neely

I guess whoever wrote the Citrix letter has never tried to sell a house where the real estate listing said "Termites had intermittent access to the structure..."

John Pescatore


The Rest of the Week's News


2020-02-19

Ring Now Requires 2FA

Ring now requires all users of its camera doorbell products to use two-factor authentication (2FA) when signing into their accounts. Previously, 2FA was optional. The decision follows reports of serious security issues, including not alerting users of failed login attempts and not limiting the number of login attempts.

Editor's Note

Good move by Ring (and maybe a bit overdue). It looks like the public pressure caused by several news items about compromised accounts got to them. Google recently implemented similar measures for its Nest devices.

Johannes Ullrich

All movement away from reliance on reusable passwords is good movement, though not security nirvana. But, millions of consumers are being nudged towards increased use of multi-factor authentication - a good reason to try to make the same progress on enterprise user logins as a key element in fighting phishing attacks.

Lee Neely

Consumers are not nearly as resistant to strong authentication as enterprises are, and as enterprise management seems to believe everyone is. The use of reusable passwords must be restricted to trivial applications (or applications where fraudulent use will be immediately obvious). "Convenience" is no longer sufficient justification. (In many applications and environments, one-time passwords are more convenient than mandated periodic changes.)

William Hugh Murray

2020-02-20

Cisco Security Updates Include Fix for Smart Software Manager Static Password Issue

Cisco has released patches to address 17 security issues in several products, including a critical static password flaw in Cisco Smart Software Manager On-Prem. The release also includes fixes for six high-severity vulnerabilities.

Editor's Note

This may not be the result of mere error. History suggests that programmers are reluctant to give total control of their product to users and may use static passwords as long-term back doors.

William Hugh Murray

2020-02-19

MGM Resorts Acknowledges 2019 Data Breach

MGM Resorts has disclosed that personal information belonging to more than 10.76 million people who stayed at MGM hotels has been posted to an online hacking forum. Attackers gained unauthorized access to a cloud server last summer.


2020-02-20

Swiss Government Says Ransomware Poses Threat to Small and Medium Enterprises

The Swiss Government's Reporting and Analysis Centre for Information Assurance (MELANI) says that "ransomware continues to pose a significant security risk to small and medium enterprises." MELANI "has dealt with more than a dozen ransomware cases" in the past few weeks alone. MELANI's analysis of the incidents concluded that most affected organizations did not have adequate IT security and did not adhere to best practices. The alert lists weaknesses that were used as "gateways" for attack: lack of anti-virus software or ignoring or not taking seriously anti-virus warnings; poorly protected remote access procedures; ignoring or not taking seriously notifications from authorities; not maintaining offline backups; ineffective patch and lifecycle management; lack of network segmentation; and excessive user privileges.

Editor's Note

I think this report pretty much sums up the current ransomware issue: Ransomware is an indicator of poor security controls and not implementing "best practices". Just as with other "commodity" malware like crypto coin miners, you should always be watching out for what else took advantage of these missing controls.

Johannes Ullrich

2020-02-20

US, UK, and Others Blame Russia's GRU for Republic of Georgia Cyberattacks

The US, the UK, Australia, and a number of EU countries have formally blamed Russia's military intelligence (GRU) for launching cyberattacks against targets in the Republic of Georgia in October 2019. Thousands of websites were defaced or taken down, and two television stations' broadcasts were disrupted.


2020-02-20

Adobe Issues Out-of-Cycle Fixes for Critical Flaws

Adobe has released two out-of-cycle fixes that could be exploited to allow remote code execution. The affected products are Adobe After Effects and Adobe Media Encoder. Both flaws are out-of-bounds write vulnerabilities.

Editor's Note

According to Adobe, these flaws are unlikely to be exploited, but they can lead to arbitrary remote code execution. I don't think these are "emergency" patches, but they were not released on Adobe's normal patch Tuesday.

Johannes Ullrich

2020-02-20

ISS World Suffers Ransomware Attack

Copenhagen-based ISS World has acknowledged that its internal network was hit with ransomware on Monday, February 17. A company spokesperson said ISS World "immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident." ISS World provides facilities management services, such as cleaning and catering; it has 500,000 employees worldwide.


2020-02-20

2,000 UK Government Mobile Devices Reported Missing in Span of One Year

Over the past year, more than 2,000 UK government mobile devices, including smartphones, laptops, and external storage devices, have been reported missing. More than 1,800 of the devices are believed to be encrypted, but even one unencrypted device in the hands of the wrong individual could expose sensitive data. At least eight UK government departments say they have never been audited by the Information Commissioner's Office (ICO); others reported that their last audit was several years ago.

Editor's Note

There are about 3M UK central government employees; let's just assume an average of 1 phone/laptop/storage device per employee, which is probably low. 2,000 lost out of 3M is under .1% - a very low number. I think typical average rates for mobile phone losses per year are in the 4% range. 90% of the lost devices having encryption turned on is strong progress from previous years where this same type of report came out in the UK. Enterprises: how do your loss rates and encrypted device percentages compare to the UK government?

John Pescatore

Current guidance for protecting mobile devices: Both iOS and Android (version 6+) support encryption of the device and can be managed by your MDM (mobile device management software). That will require a passcode to access the device; otherwise it is transparent to the user. Make sure the device passcode strength/option is commensurate with the data protected. Additionally, options exist to sandbox applications with further encryption, but investigate the trade-off between security and usability before rolling them out. Include sending a device wipe in your lost-device reporting processes, along with a good definition of what lost means, including duration.

Lee Neely



2020-02-18

Swatting Arrest

A 19-year-old has been arrested in connection with multiple swatting, cyberstalking, and hacking incidents. Tristan Rowe has been charged with cyberstalking and unauthorized access to a computer. Each charge carries a maximum penalty of five years in prison.


2020-02-18

Android Linux Kernel Code Changes Introduce New Vulnerabilities

A Google Project Zero researcher says that some smartphone makers are modifying the Android Linux kernel to protect devices from attacks, which can actually introduce new exploitable weaknesses. Jann Horn writes, "I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won't complicate updates to newer kernel releases."

Editor's Note

While this flaw is specific to the Samsung kernel extensions that support their Galaxy A50 devices, and relies on a race condition to exploit, device manufacturers often need to extend Android OS to support their specific hardware. As such, when purchasing a non-Google-provided device, make sure the vendor has a proven track record with security. Samsung has a record of providing security features back to the community, such as their FIPS certified encryption library, and will address this flaw rapidly.

Lee Neely

2020-02-20

Apple Will Shorten Duration of Certificate Trust in Safari

After September 1, 2020, Apple's Safari browser will no longer trust HTTPS certificates that have expiration dates more than 13 months, or 398 days, after they were created. Certificates issued before September 1 will be trusted for 27 months, or 825 days, from their creation dates. Apple announced the change at a Certification Authority Browser Forum meeting earlier this week.

Editor's Note

No issue if you are using automatic certificate renewals via Let's Encrypt. However, this is going to get messy for people who are using internal certificate authorities, or who have a lot of certificates to renew for devices that cannot use a simple scripted system to renew certificates. Now may be a good time to look into a good certificate management solution if you haven't done so.

Johannes Ullrich

Apple has not yet updated their guidance on certificate trust requirements (https://support.apple.com/en-us/HT210176). These changes are intended to raise the bar on trustworthiness of sites claiming to be secure. When issuing shorter-lived certificates, support that with automated processes to alert, if not auto renew, to avoid lapses in coverage.

Lee Neely
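The Safari rule in the Apple item above reduces to date arithmetic, so an inventory can be screened for it ahead of time. The following is an added example, not code from Apple, SANS or the editors: it reads validity dates in the form `openssl x509 -noout -dates` prints, applies the 398-day and 825-day caps, and flags certificates that are about to expire, which is the alerting step the editors' notes call for. The sample certificates are constructed, and treating certificates issued on 1 September 2020 itself under the new cap is an assumption.

```python
"""Check TLS certificate lifetimes against the Safari policy described above:
certificates issued on or after 1 September 2020 may be valid for at most 398
days, earlier ones for at most 825 days. Standard library only; sample data is constructed."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
POLICY_CUTOVER = datetime(2020, 9, 1, tzinfo=UTC)  # assumed: issued on/after -> new cap
MAX_DAYS_NEW, MAX_DAYS_OLD = 398, 825  # 13 months vs. 27 months, per the item
REPORT_DATE = datetime(2021, 1, 15, tzinfo=UTC)  # "today" used by the sample run
CertDates = namedtuple("CertDates", "subject not_before not_after")

def parse_openssl_dates(subject, text):
    """Build CertDates from the two lines printed by `openssl x509 -noout -dates`,
    e.g. 'notBefore=Sep  1 00:00:00 2020 GMT' (the day may be space-padded)."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    to_dt = lambda s: datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)
    return CertDates(subject, to_dt(fields["notBefore"]), to_dt(fields["notAfter"]))

def max_lifetime_days(not_before):
    """Cap that applies to a certificate, selected by its issue date."""
    return MAX_DAYS_NEW if not_before >= POLICY_CUTOVER else MAX_DAYS_OLD

def lifetime_days(cert):
    return (cert.not_after - cert.not_before).days

def safari_trusts(cert):
    """True if the validity period fits under the cap for its issue date."""
    return lifetime_days(cert) <= max_lifetime_days(cert.not_before)

def renewal_report(certs, today, warn_days=30):
    """Classify an inventory: 'untrusted' (cap exceeded), 'renew-soon', or 'ok'."""
    report = {}
    for c in certs:
        if not safari_trusts(c):
            report[c.subject] = "untrusted: %d-day lifetime exceeds %d-day cap" % (
                lifetime_days(c), max_lifetime_days(c.not_before))
        elif c.not_after - today <= timedelta(days=warn_days):
            report[c.subject] = "renew-soon"
        else:
            report[c.subject] = "ok"
    return report

SAMPLE_CERTS = [  # constructed inventory, not real certificates
    parse_openssl_dates("intranet (internal CA, 2-year, post-cutover)",
        "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct  1 00:00:00 2022 GMT"),
    parse_openssl_dates("legacy (2-year, pre-cutover)",
        "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Mar  1 00:00:00 2022 GMT"),
    parse_openssl_dates("www (90-day, automated renewal)",
        "notBefore=Nov  1 00:00:00 2020 GMT\nnotAfter=Jan 30 00:00:00 2021 GMT"),
]

if __name__ == "__main__":
    for subject, verdict in renewal_report(SAMPLE_CERTS, REPORT_DATE).items():
        print(subject, "->", verdict)
```

Pipe the output of `openssl x509 -noout -dates -in cert.pem` into `parse_openssl_dates` for each certificate in your inventory to run the same check against real data.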

Internet Storm Center Tech Corner

Discovering Contents of Folders Without Permission

https://isc.sans.edu/forums/diary/Discovering+contents+of+folders+in+Windows+without+permissions/25816/


Enumerating Who "Owns" a Workstation for IR

https://isc.sans.edu/forums/diary/Whodat+Enumerating+Who+owns+a+Workstation+for+IR/25822/


Ring Enforces 2FA

https://blog.ring.com/2020/02/18/extra-layers-of-security-and-control/


Iranians Finally Discover VPN Vulnerabilities

https://www.clearskysec.com/fox-kitten/


WordPress ThemeGrill Auth Bypass

https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/


SQL Server RCE Exploit

https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/


Ransomware in Switzerland

https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/sicherheitsrisiko-durch-ransomware.html


SonicWall Vulnerabilities

https://psirt.global.sonicwall.com/vuln-list

https://blog.scrt.ch/2020/02/11/sonicwall-sra-and-sma-vulnerabilties/


Peripheral Vulnerabilities in Windows and Linux

https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/


Cisco Updates

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-static-cred-sL8rDs8


Python ReDoS Bugs

https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/


Special Update for Adobe After Effects and Media Encoder

https://helpx.adobe.com/security/products/after_effects/apsb20-09.html

https://helpx.adobe.com/security/products/media-encoder/apsb20-10.html


Apple To No Longer Accept Certificates as Valid that Exceed a Lifetime of 13 months

https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/