SANS NewsBites

FBI Warning On Zoom Security Issues and More Zoom Info; Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances

April 3, 2020  |  Volume XXII - Issue #27

Top of the News


2020-03-31

FBI Issues Warning About Zoom Security Issues

The FBI has issued a warning that Zoom and other teleconferencing apps may be vulnerable to hijacking. The FBI advises users not to make meetings or classrooms public, to restrict screen-sharing capability, and to use meeting passwords. Zoom has a "waiting room" feature that allows the host to control who is admitted.

Editor's Note

Today The Citizen Lab released the results of their examination of the security and privacy features in Zoom (https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/: Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings). Their findings back up the warnings from the FBI and raised several concerns over how encryption is enabled within the application. However, we need to remember that companies are using Zoom, and other conferencing platforms, to enable them to survive through the COVID-19 pandemic, and companies need to do a risk assessment that suits them. For many companies the warnings from the FBI and The Citizen Lab will be an acceptable risk, while for others who may be discussing sensitive data it may not.

Brian Honan

The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months. Security vendor Checkpoint recently put out good safe-use guidelines for using Zoom at (https://blog.checkpoint.com/2020/03/26/whos-zooming-who-guidelines-on-how-to-use-zoom-safely/: Who's Zooming Who? Guidelines on How to Use Zoom Safely), and SANS has released a secure work-at-home awareness kit at (https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit: SANS Security Awareness Work-from-Home Deployment Kit). Zoom (see item below) has also pledged to make security job one over the next few months - much needed.

John Pescatore

2020-04-02

Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems

Fixes are available for two zero-day vulnerabilities in Zoom for macOS; Zoom is working on a fix for a vulnerability that lets attackers steal Windows credentials; and an automated Zoom meeting discovery tool found that many meetings are not password protected.

Editor's Note

Disclosing vulnerabilities should be done responsibly, and directly to the affected provider prior to a public blog posting to give them time to respond. Zoom has been working to accelerate addressing security issues discovered. Of late, the patches are released as quickly as 24 hours after issue discovery. These discovered issues have been resolved.

Lee Neely

For reasons of audience convenience, few Zoom meetings employ passwords. However, they are essential for many business applications. Be particularly careful about privileges granted to meeting participants.

William Hugh Murray

2020-04-02

Zoom Founder Says Company Will Focus on Security and Privacy

Due to the number of people currently working and learning from home, use of the Zoom videoconferencing app has risen sharply from 10 million users in December 2019 to more than 200 million in March 2020. The company has faced complaints about myriad security and privacy issues, including meetings disrupted by intruders, user data being shared with Facebook, and the fact that the app's end-to-end encryption feature does not actually function as end-to-end encryption. The company has taken steps to remedy some of the issues. Zoom's founder Eric Yuan says that the company will spend the next three months working on addressing security issues.

Editor's Note

Zoom's founder came from Cisco where security is the top priority. He should have made security a top requirement from the start. I hope Zoom's Board of Directors is hearing the message - you can help by giving Zoom feedback about how important security is. Their feedback form is at https://zoom.us/feed

John Pescatore

Credit is due to Zoom for how quickly they responded to the issues raised and how openly they have communicated to their users. There are many lessons here for companies to learn on how they can improve their vulnerability management processes.

Brian Honan

2020-04-02

Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances

Microsoft has directly warned hospitals that their virtual private network (VPN) and gateway appliances contain security flaws that are being exploited by attackers behind the REvil/Sodinokibi ransomware. In a blog post, the Microsoft Threat Protection Intelligence Team writes, "Through Microsoft's vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

Editor's Note

Johannes Ullrich of the SANS Internet Storm Center highlighted these vulnerabilities in his part of the SANS "Five Most Dangerous Attack Techniques and How to Prevent Them" keynote panel at the 2020 RSA Conference - you can see it at (https://www.sans.org/the-five-most-dangerous-new-attack-techniques: The Five Most Dangerous New Attack Techniques). SANS will present the 2020 Threat Trends report, which includes those 5 areas and more, on an April 28th webinar - info at (https://www.sans.org/webcasts/top-attacks-threat-report-112665: SANS Top New Attacks and Threat Report).

John Pescatore

Terminate VPNs on the application, not on the perimeter and not on the operating system. The additional design, setup, and administration will be more than offset by the reduction in risk.

William Hugh Murray

The Rest of the Week's News


2020-04-01

FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol

The US Federal Communications Commission (FCC) has unanimously approved an anti-robocall order, which "requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021." This action from the FCC was required as a part of the TRACED Act, which passed Congress and became law in December 2019.

Editor's Note

While some carriers, including AT&T, Verizon, Sprint and T-Mobile, have voluntarily implemented STIR/SHAKEN, sometimes a regulatory requirement is needed to get resources and commitment to implement security measures. Once implemented, carriers need to verify their solution works with other networks. The last step: users need devices which display the "Caller Verified" notification and have the notification enabled for their account.

Lee Neely

STIR/SHAKEN is the first critical step, providing call authentication - raising the bar against spoofing of the calling number. Congress finally acted on that, a good thing. The next step is another chance for the carriers to raise the bar through rapid voluntary action - the addition of better call analytics to detect malicious calls, even if they are coming from an authenticated calling number. Then apply those same major bar raisers to data traffic.

John Pescatore

2020-03-31

Marriott Discloses Second Data Breach in 16 Months

Marriott International has disclosed a data breach that exposed information belonging to 5.2 million customers. The information was compromised through the use of access credentials belonging to "two employees at a franchise property." In November 2018, Marriott disclosed a breach of the Starwood hotel reservation database that affected nearly 400 million people. Both breaches illustrate the need for organizations to ensure the security not only of their own systems, but also of those of their partners.

Editor's Note

Judicious use of multi-factor authentication reduces the value of captured credentials. Make sure that all entry points that accept those credentials have the same authentication requirements.

Lee Neely

The lodging industry is obviously hard hit by the travel restrictions to fight the pandemic. This would be a good time for lodging IT operations to upgrade the security of their IT systems, just as they will be upgrading sanitary protections at the facilities.

John Pescatore

2020-04-01

Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers

Microsoft will delay disabling TLS 1.0 and 1.1 in its browsers. The change, originally scheduled for the first half of 2020, will be pushed back to the second half of the year. TLS 1.0 and 1.1 will now be disabled by default "no sooner than Microsoft Edge version 84," scheduled for release in July 2020. The protocols will be disabled by default in Internet Explorer 11 and Microsoft Edge Legacy as of September 8, 2020. Microsoft made the decision to postpone the changes "in light of current global circumstances."

Editor's Note

Continue to queue up efforts to update services to support TLS 1.2 & 1.3 as, regardless of when the support is deprecated, the perception will be a problem with your service rather than their browser.

Lee Neely
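A practical check to go with the TLS deprecation item above, added here as an example and not part of the newsletter or Microsoft's own guidance: before browsers stop offering TLS 1.0 and 1.1, you want an inventory of which of your services still negotiate those versions. The parser below reads a captured TLS ServerHello record (the message where the server announces the version it chose) and reports the negotiated version, treating the TLS 1.3 supported_versions extension as authoritative because a TLS 1.3 server still writes 0x0303 in the legacy version field. The three sample records are constructed inline for the demonstration; the helper names, `negotiated_tls_version`, `is_deprecated` and `build_server_hello`, are this example's own.

```python
"""Report the TLS version negotiated in a captured ServerHello record.
Added example for inventorying legacy-TLS services; sample records
below are constructed, not captured from any real host."""
import struct

TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B          # RFC 8446 extension type
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}


def negotiated_tls_version(record: bytes) -> str:
    """Return the version name a server selected in a ServerHello record.

    A TLS 1.3 server keeps legacy_version = 0x0303 in the ServerHello body
    and signals the real selection in supported_versions (RFC 8446 4.1.3),
    so that extension overrides the legacy field when present."""
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:          # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # server_version + random
    pos += 1 + hello[pos]                          # session_id (length-prefixed)
    pos += 2                                       # cipher_suite
    pos += 1                                       # compression_method
    selected = legacy_version
    if pos + 2 <= len(hello):                      # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                selected = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_len
    return TLS_VERSIONS.get(selected, f"unknown (0x{selected:04x})")


def is_deprecated(record: bytes) -> bool:
    """True when the server settled on a version browsers are retiring."""
    return negotiated_tls_version(record) in DEPRECATED


def build_server_hello(version: int, supported_versions: int = 0) -> bytes:
    """Construct a minimal ServerHello record for testing (sample data)."""
    random_bytes = b"\x11" * 32
    cipher_suite = b"\xc0\x2f"                     # ECDHE-RSA-AES128-GCM-SHA256
    exts = b""
    if supported_versions:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_versions)
    hello = (struct.pack("!H", version) + random_bytes + b"\x00"  # empty session_id
             + cipher_suite + b"\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples: a legacy TLS 1.0 server, a TLS 1.2 server, and a
# TLS 1.3 server (legacy field 0x0303, real choice in supported_versions).
SAMPLES = {
    "legacy-host": build_server_hello(0x0301),
    "tls12-host": build_server_hello(0x0303),
    "tls13-host": build_server_hello(0x0303, 0x0304),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        flag = "  <-- still on a deprecated version" if is_deprecated(rec) else ""
        print(f"{name}: {negotiated_tls_version(rec)}{flag}")
```

In practice the record bytes come from a packet capture or from the first handshake message returned by a probe connection; feeding each service's ServerHello through `is_deprecated` gives a list of hosts to prioritise before the browser change lands.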

2020-04-02

COVID-19 Malware Overwrites Master Boot Record

Researchers have identified several strains of coronavirus-themed malware that wipe files or overwrite master boot records on infected computers.


2020-03-31

GoDaddy Phishing Attack

A spear phishing attack that targeted employees of domain name registrar GoDaddy managed to obtain access credentials that allowed the attacker to alter domain settings for at least six GoDaddy customers.

Editor's Note

Dealing with entities that are trolling domain registries and sending users messages designed to modify their registration is common; attackers are trying to target less savvy associates for success. Additionally, make sure that your registrar accounts use two-factor authentication, your domains are locked, and DNSSEC is enabled. GoDaddy support will help you analyze any unexpected messages if you cannot verify they are genuine on your own.

Lee Neely

2020-04-01

Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin

A critical vulnerability in the WordPress Rank Math search engine optimization (SEO) plugin could be exploited to gain elevated privileges. A second, high-severity vulnerability in the same plugin could be exploited to install redirects on a vulnerable website. Users are urged to update to Rank Math version 1.0.41.1.

Editor's Note

Plug-ins are a major source of vulnerability in WordPress use and come with few indicators of quality. They may even put other applications at risk. Minimize and maintain those that you use; consider focused penetration testing of them.

William Hugh Murray

2020-04-02

Biotech Company Doing COVID-19 Research Hit With Ransomware

According to information provided in a financial disclosure filing to the US Securities and Exchange Commission (SEC), biotech company 10x Genomics experienced a ransomware attack in March 2020 in which some company data were stolen. 10x Genomics writes that it has "isolated the source of the attack and restored normal operations with no material day-to-day impact to the Company or the Company's ability to access its data." 10x Genomics, along with other companies around the world, is sequencing cells from people who have recovered from COVID-19 to look for antibodies.


2020-04-01

NERC Releases Report on November 2019 Power Grid Security Exercise

The North American Electric Reliability Corporation (NERC) has released its report on the results of the November 2019 GridEx grid security and emergency response exercise. In all, over 7,000 people at more than 500 organizations participated in the exercise, which simulated a malware attack against utilities' industrial control systems. The report includes recommendations from NERC on how to improve grid resilience.

Editor's Note

It should not come as too big a surprise that the conclusions and recommendations of the exercise report focus on communications among the organizations rather than on the security and resilience of those organizations.

William Hugh Murray

2021-01-27

Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts

Hackers with alleged ties to Iran's government have been trying to break into staff members' email accounts at the World Health Organization (WHO) since early March. It is not known whether the phishing attacks succeeded.

Internet Storm Center Tech Corner

Kwampirs Update

https://isc.sans.edu/forums/diary/Kwampirs+Targeted+Attacks+Involving+Healthcare+Sector/25968/


Qakbot Malspam Sent From an Infected Windows Host

https://isc.sans.edu/forums/diary/Qakbot+malspam+sent+from+an+infected+Windows+host/25972/


TPOT Cowrie to ISC Logs

https://isc.sans.edu/forums/diary/TPOTs+Cowrie+to+ISC+Logs/25976/


Exposed RDP

https://blog.shodan.io/trends-in-internet-exposure/


D-Link DSL-2640B Vulnerability

https://raelize.com/posts/d-link-dsl-2640b-security-advisories/


SMB 3.1.1 (CVE-2020-0796) Local Privilege Escalation Exploit

https://github.com/danigargu/CVE-2020-0796


SSH Issues After macOS Update

https://feed.tyler.io/so-uh-i-think-catalina-10154-broke-ssh/


Cloudflare DNS For Families

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/


Zoom Leaks Windows Password Hashes via UNC Links

https://twitter.com/hackerfantastic/status/1245133371262619654


More Zoom Vulnerabilities

https://objective-see.com/blog/blog_0x56.html


Twitter Cache Bug in Firefox

https://privacy.twitter.com/en/blog/2020/data-cache-firefox


MS-SQL Server Attack

https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/


Covid-19 Economic Impact Payments Scams

https://www.justice.gov/usao-edky/press-release/file/1265371/download


Safari Camera Access Bug

https://www.ryanpickren.com/webcam-hacking-overview