SANS NewsBites

Microsoft's Misconfiguration Discloses Millions of Customer Records; The Fight Against Election Meddling; Seattle Testing Web-Based Voting

January 24, 2020  |  Volume XXII - Issue #7

Top of the News


2020-01-23

Microsoft Customer Service Records Exposed via Misconfigured Servers

Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29, and had fixed the problem by December 31. All five servers stored the same information.

Editor's Note

One aspect of the story here is that if a company as skilled as Microsoft is making catastrophic configuration errors in setting up cloud and open source applications, how badly configured are those applications when used by less sophisticated organizations?

Alan Paller

If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so. We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision.

William Hugh Murray

OWASP A6 "Security Misconfigurations" is really getting a lot of action with admin misconfigurations of cloud services and open source software in particular. The telling quote in the Microsoft Response Center blog post: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database." Why not, and where else has this happened, are the key questions: were the controls simply policy statements ("This should be done") vs. gates ("Database does not go to production unless this has been done")?

John Pescatore

Security misconfiguration of cloud services has become a recurring theme. While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed. Rapid deployment of solutions needs to include independent verification of the security settings prior to production release. When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.

Lee Neely
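As an added illustration of the "gate, not policy statement" point raised above (example code written for this issue, not Microsoft's or Elastic's own tooling): a pre-production check over an elasticsearch.yml that refuses to promote a node when security is not explicitly enabled and the node binds beyond loopback. The two config snippets are constructed, and treating an absent xpack.security.enabled as disabled (rather than trusting a version default) is this check's assumption.

```python
import ipaddress

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed sample configs (not from the incident): the exposed shape and a hardened one.
EXPOSED_CONFIG = """
cluster.name: support-logs
network.host: 0.0.0.0          # reachable from any interface
xpack.security.enabled: false  # no authentication on the REST API
"""
HARDENED_CONFIG = """
cluster.name: support-logs
network.host: 10.0.0.5
xpack.security.enabled: true
"""

def parse_flat_yaml(text):
    """Read the flat 'key: value' lines elasticsearch.yml uses; no nesting, no YAML library."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_loopback(host):
    """True only for loopback; hostnames and special values (_site_, _global_) count as exposed."""
    if host in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def gate(config_text):
    """Return (passed, findings). Assumption: security must be explicitly 'true' to count as on."""
    s = parse_flat_yaml(config_text)
    security_on = s.get("xpack.security.enabled", "").lower() == "true"
    host = s.get("network.host", "_local_")  # single-value form only (assumption)
    findings = []
    if not security_on:
        findings.append("xpack.security.enabled is not true: REST API accepts unauthenticated requests")
    if not is_loopback(host):
        findings.append(f"network.host={host}: node listens beyond loopback")
    if not security_on and not is_loopback(host):
        findings.append("BLOCK: unauthenticated node reachable from the network; do not promote")
    return not any(f.startswith("BLOCK") for f in findings), findings
```

Run gate() against each node's config in the deployment pipeline and fail the job on a BLOCK finding; the non-blocking findings are the audit trail for why a node passed.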

2020-01-22

Report Calls for International Efforts to Fight Election Meddling

A report from the Kofi Annan Commission on Elections and Democracy in the Digital Age notes that "disinformation has been weaponized to discredit democratic institutions, sow societal distrust, and attack political candidates." The report offers proposals for countering the challenge to the integrity of elections worldwide; the proposals include the formation of an international coalition to address election meddling, including phony social media campaigns.

Editor's Note

We've seen in cybersecurity that big long lists of what needs to be done generally result in very few meaningful steps forward - lots of talk, very little action. The big issue of social media companies like Facebook knowingly allowing false and dangerous "information" to be passed on the networks is pretty similar to ISPs knowingly allowing phishing attacks and malware to be carried out over their networks. Putting that part of the problem aside, actually increasing the security of election systems and *not* allowing untested systems and software to be used without making sure that basic security hygiene is included is a more manageable problem. I think we have seen that aircraft flight control software that isn't sufficiently tested can lead to disastrous results - election systems should be viewed with that same lens.

John Pescatore

2020-01-22

Seattle-area Conservation District Testing Web-Based Voting In Two Weeks

The King Conservation District in Seattle, Washington, plans to test a website voting option in a February 10 election. Voters who choose to may use the site, built by Democracy Live, and access their ballots with their names and birthdates. The district, which encompasses Seattle and some suburbs, has about 1.2 million voters.

Editor's Note

This is a small test in a local election for a conservation board member seat, with a lot of manual checking proposed. It is underwritten by Tusk Philanthropies, which has an admirable goal of increasing voting participation while also increasing the security of election systems. If Tusk is seriously focusing on the security, we need efforts like this to help drive things forward. If the slant is too much towards "Let's use the latest technology for elections!" then it is just a big step backwards. I hope they produce a detailed after-action assessment.

John Pescatore

Votes collected through the LiveBallot application will be signed on the device screen. The submitted ballot is then printed and compared with on-file signatures. Washington state's mail-in ballots are verified with a signature matching process. Using digital signatures with appropriate issuing processes could reduce the variability of creating on-screen signatures, and the signatures could be verified digitally.

Lee Neely

The Rest of the Week's News


2020-01-22

Call to Reform UK's Computer Misuse Act

The CLRNN has published a report calling for the UK government to update the Computer Misuse Act (CMA) which was enacted in 1990. CLRNN says that the law's vague definition of "unauthorized access" does not go far enough to protect the activity of legitimate security researchers. Furthermore, the law's definition of "computer" does not take into account the growth of the Internet of Things and mobile devices. CLRNN has also proposed changes that would bring the law up to date.

Editor's Note

The CMA was enacted to fill gaps in existing legislation rather than to be a comprehensive computer crime law, and was based on relevant issues from 1990. While computer crime legislation and supporting policy, such as the CMA, are designed to be technology-independent for long-term relevance and applicability, they need to include a plan for review and update as technology, risks and tactics evolve.

Lee Neely

We have both of these problems in our own Computer Fraud and Abuse Act. Both laws were passed when most computer systems were private and most "authorized" use was by insiders. We have known about these problems in these laws for a decade. While drafting the necessary changes is difficult, it is, nonetheless, about time.

William Hugh Murray

2020-01-23

Citrix Releases Fixes for SD-WAN WANOP

Citrix has released patches for versions of its SD-WAN WANOP products that are vulnerable to a critical flaw that was disclosed in December. Citrix released patches for some vulnerable versions of its Application Delivery Controller (ADC) and Gateway products earlier this week. Fixes for the rest of the vulnerable versions are scheduled to be released on Friday, January 24.


2020-01-22

ProtonVPN Apps Now Open Source

Code for all ProtonVPN apps on all platforms has been open sourced and has undergone a third-party security audit. The ProtonVPN code for Android, iOS, macOS, and Windows is available on GitHub.

Editor's Note

ProtonVPN published the reports from the audits by SEC Consult, which identified issues such as hard-coded credentials and a lack of certificate pinning, which have been resolved.

Lee Neely

2020-01-23

Safari's Information Tracking Prevention Poses Privacy Concerns

The Intelligent Tracking Prevention system in Apple's Safari browser has been found to pose privacy risks for users. Google's Information Security Engineering team found several security issues in ITP, "including the disclosure of the user's web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks." Apple has addressed some of the issues in recent updates.


2020-01-23

Swatters Targeting Tech Executives

Swatters are targeting tech company executives, causing armed SWAT teams to arrive at their homes under false pretenses. Swatters can find information about the executives on online forums. Some believe people in these industries are being targeted because they have taken down accounts. The city of Seattle, Washington, has established a voluntary registry for people who believe they may be targeted by swatters.


2020-01-23

DHS's CISA Warns of Increased Emotet Attacks

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that it has detected an increase in cyberattacks using the Emotet Trojan. Many of the attacks have targeted US military and government systems. Emotet can be used as a malware downloader or malware dropper. CISA's recommendations include blocking email attachments that are associated with malware and those that cannot be scanned by antivirus products; segmenting and segregating networks and functions; and adopting a least-privilege approach.


2020-01-23

US Treasury Wants to Hear Financial Sector Cybersecurity Concerns

According to a notice in the Federal Register, the US Treasury Department's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) wants input from banks and other financial sector organizations "to better understand the cybersecurity risk to U.S. financial services sector and financial services critical infrastructure." A recent report from the Federal Reserve Bank of New York found that a major cyberattack targeting a large US bank could have serious reverberations throughout the country's financial system.

Editor's Note

The failure of the banks to address legitimate concerns of their customers (e.g., the persistence of the infamous magnetic stripe on credit and debit cards, the continued acceptance of credit card numbers from merchants ("card not present" fraud), failure to resist "account takeovers" and other unauthorized transactions, social engineering of support desks) should be of interest to the Treasury. The banks are part of the problem. While bank security is dramatically better than it was fifty years ago, the increase in the use of and reliance on banking still leaves us with a deficit.

William Hugh Murray

Internet Storm Center Tech Corner

DeepBlueCLI

https://isc.sans.edu/forums/diary/DeepBlueCLI+Powershell+Threat+Hunting/25730/

https://github.com/sans-blue-team/DeepBlueCLI


German Malspam Pushing Ursnif

https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/


Simple vs. Complex Obfuscation

https://isc.sans.edu/forums/diary/Complex+Obfuscation+VS+Simple+Trick/25738/


EFS Ransomware

https://safebreach.com/Post/EFS-Ransomware


Fake Leak Compensation

https://www.kaspersky.com/blog/data-leak-compensation-scam/32057/


Tracking Users Using Safari's Intelligent Tracking Prevention

https://arxiv.org/pdf/2001.07421.pdf


Cisco Firepower Management Center LDAP Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth


Criminals Use Fake Job Sites to Defraud Victims

https://www.ic3.gov/media/2020/200121.aspx


Muhstik Botnet Targeting Tomato Routers

https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/


RD Gateway PoC Exploit Release

https://github.com/ollypwn/BlueGate


Citrix ADC Compromise Scanner

https://github.com/citrix/ioc-scanner-CVE-2019-19781/


LastPass Accidentally Removes Extension from Chrome Web Store

https://twitter.com/LastPassStatus/status/1220122561989640192