SANS NewsBites

US Supreme Court to Determine Limits on Computer Fraud And Abuse Act; DDoS is Back: European ISPs and Student Attacks Online School Platform

September 4, 2020  |  Volume XXII - Issue #70

Top of the News


2020-09-04

US Supreme Court to Hear CFAA Case

The US Supreme Court will hear a case that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief on behalf of the plaintiff, a police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has submitted an amicus brief on behalf of the US government in the case, arguing that researchers who do not have permission to examine code for vulnerabilities should not be exempt from prosecution under the CFAA.

Editor's Note

The tricky part is connecting the two halves of this story. The officer was convicted after tracing a phony license plate in exchange for money, under the CFAA, rather than other laws he is alleged to have violated. As such, the subject of authorized use is being scrutinized, as it is not currently defined in the CFAA. The risk is that the current interpretation would make it a crime to violate any web site's terms of service, allowing the service owner to decide who goes to prison for what offense, which is control Voatz wishes to maintain. The downside of that approach is that security researchers could also run afoul of the law. Irrespective of how this comes down, make sure you have verified authorization to research the security of any given service before doing so.

Lee Neely

"Examining code" is research; attacking live systems is rogue hacking. If accessing law enforcement databases for third parties is found not to be a crime, then it is one more example of why the CFAA needs to be re-written. The CFAA was written long before so many systems were attached to the public networks and most abuse was by otherwise "authorized" personnel.

William Hugh Murray

2020-09-03

European ISPs Hit by DDoS Attacks

Multiple European Internet service providers (ISPs) were hit with distributed denial-of-service (DDoS) attacks last week. The attacks affected ISPs in France, Belgium, and the Netherlands. Some experts have suggested that last week's CenturyLink outage in the US may have been triggered by a DDoS attack; two separate analysis reports say that the CenturyLink outage was due to a problem with a tool commonly used while mitigating DDoS attacks.


2020-09-03

Student Admits Launching DDoS Attacks Against Online School Platform

A Florida high school student has been arrested for orchestrating distributed denial-of-service (DDoS) attacks against the Miami-Dade schools' online learning platform. The attacks disrupted teachers' and students' access to virtual classrooms. The 16-year-old has been charged with felony computer use in an attempt to defraud and misdemeanor interference with an educational institution.

Editor's Note

The student attacked the My School Online platform. While Comcast added DDoS protections, they were not able to fully stop the attacks. Teachers were able to pivot to alternate options such as Zoom and MS Teams. Services such as Zoom and Teams have anti-DDoS protections; it would be prudent for educators to ensure their e-learning platform is similarly protected, as well as having a verified contingency plan for their system being off-line or otherwise unavailable.

Lee Neely

The Rest of the Week's News


2020-09-02

Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin

Two vulnerabilities in the Magento Mass Import (MAGMI) plugin could be exploited to allow remote code execution. An authentication bypass vulnerability exists because MAGMI versions 0.7.23 and older allow default ... credentials to be used in the event a database connection fails. The issue has been fixed in MAGMI v.0.7.24. A cross-site request forgery (CSRF) vulnerability exists because of a lack of CSRF tokens. There is not yet a fix for this issue. The flaws were detected by researchers at Tenable.


2020-09-03

MIT CSAIL Researchers Develop Cyber Risk Platform

Researchers at MIT's Computer Science and Artificial Intelligence Lab (CSAIL) have developed a [cryptographic] platform for securely measuring cyber risk. Dubbed SCRAM (Secure Cyber Risk Aggregation and Measurement), the platform allows organizations to assess their risk without exposing sensitive data.

Editor's Note

For 16 years I have been hearing how important it is to share data and I agree. But the idea of a cryptographic front end to ensure there are no OPSEC leaks is misguided. Five or six pieces of information would be enough to identify most corporations. What is truly needed is a trustworthy information broker.

Stephen Northcutt

2020-09-03

Cisco Updates for Jabber Flaw Available

Cisco has released fixes for a critical vulnerability affecting Jabber for Windows. The flaw, which is due to improper validation of message contents, affects multiple versions of the desktop collaboration application. The vulnerability can be exploited with no user interaction to remotely execute code with privileges of the targeted user. The issue does not affect Jabber for macOS or for mobile platforms.


2020-09-03

WordPress File Manager Plugin Flaw is Being Actively Exploited

Developers of the File Manager plugin for WordPress have released an updated version to address a vulnerability that affects File Manager versions 6.0 through 6.8. Users are urged to update to version 6.9. The flaw could be exploited to allow unauthenticated users to execute commands and upload malicious files on a target site. File Manager has been installed more than 700,000 times.

Editor's Note

Now that you're running WordPress 5.5, enable auto-updates for your plugins. To validate the fix is in place, make sure lib/php/connector.minimal.php is no longer present. Consider uninstalling utility plugins, like File Manager, when not in use, to remove possible exploit paths. The Wordfence article below includes IOCs and an explanation of the vulnerability.

Lee Neely

2020-09-01

Cyberattack on Norway's Parliament Affected eMail Accounts

Authorities in Norway are investigating a significant cyberattack that compromised the email accounts of several members and employees of Stortinget, the country's parliament. Stortinget administrator Marianne Andreassen said the attackers downloaded data.

Editor's Note

It has to become standard operating procedure to enable multi-factor authentication for internet facing services. Also consider using email message encryption options, such as OME, S/MIME or PGP to encrypt sensitive information to protect it even if downloaded. Check your email provider for records retention capabilities to preserve information, creating a long-term archive, irrespective of malicious actions, such as deleting the mailbox.

Lee Neely

2020-09-02

CISA: Agencies Must Have Vulnerability Disclosure Policies

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) that requires federal government agencies to establish vulnerability disclosure policies. The Office of Management and Budget (OMB) has issued a memorandum supporting the BOD and establishing deadlines for implementation.

Editor's Note

Having a defined place to report discovered vulnerabilities, with clear definition of remuneration, scoped systems, and how to remain within authorized testing scope is excellent. The intent is for agency policies to align with the DOJ Vulnerability Disclosure Framework (https://www.justice.gov/criminal-ccips/page/file/983996/download), which also provides guidance on implementation and administration of a policy. While allowing anyone to conduct testing without constraint feels like open-season on internet-facing systems, our adversaries don't get permission before finding and exploiting vulnerabilities. To support increased testing activities, agencies will need to ensure they have visibility to all internet-facing service logs and alerts, including cloud-based services. Those data must feed to centralized logging, SIEM and/or SOAR platforms to support automated detection, correlation and response of activities.

Lee Neely

2020-09-03

National Guard Cyber Exercise Will be Entirely Virtual

The US National Guard's annual cyber exercise, Cyber Shield, will be entirely online this year. The event will take place over a two-week period later this month. Cyber Shield exercise director George Battistelli says this year's exercise will focus on information operations.

Editor's Note

This has been a year of learning how to work closely together while physically separated. Learning is more difficult as ad-hoc teamwork and coaching, such as looking over a teammate's shoulder to help, require advance planning and technology configuration. The lessons learned from these activities should be leveraged to help teams be better prepared for remote collaboration and assistance scenarios as well as greater self-reliance and sufficiency.

Lee Neely

2020-09-01

Five Eyes Countries Issue Joint Cybersecurity Advisory

A joint advisory from cybersecurity authorities in Australia, Canada, New Zealand, the UK, and the US highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of [the] report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.

Internet Storm Center Tech Corner

Exposed Domain Controllers Used in DDoS Attacks

https://isc.sans.edu/forums/diary/Exposed+Windows+Domain+Controllers+Used+in+CLDAP+DDoS+Attacks/26526/


Python and Risky Windows API Calls

https://isc.sans.edu/forums/diary/Python+and+Risky+Windows+API+Calls/26530/


Sandbox Evasion Using NTP

https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534/


Microsoft Reviving SHA-1

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-85/ba-p/1618585


Trend Micro Updating Anti Malware Products

https://success.trendmicro.com/solution/000263632


QNAP Updates

https://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825

https://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


iOS 13.7 Update

https://support.apple.com/en-us/HT201222


Cisco Jabber Update

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg


Cisco Jabber Vulnerability Followup

https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/


MoFi Router Vulnerabilities

https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/


Android DNS over HTTPS

https://blog.chromium.org/2020/09/a-safer-and-more-private-browsing.html


Public Voter Data Sold as "Breach"

https://www.cyberscoop.com/russia-hack-michigan-voter-data-kommersant/