SANS NewsBites

Dept. of Interior Grounds Drones; Hunting Down Ransomware Crooks and More Victims; US National Cybersecurity High School Talent Search

January 31, 2020  |  Volume XXII - Issue #9

Top of the News


2020-01-30

US Dept. of Interior Grounds Drones

The US Secretary of the Interior has issued an order grounding its entire fleet of drones except in the event of an emergency, such as fighting wildfires, search-and-rescue missions, and natural disasters. The decision to ground the unmanned aircraft was made to "ensure the cybersecurity and supply of American technology of unmanned aircraft systems."

Editor's Note

A general worry about the security of drones, and all IT devices/systems, is a good thing, but country-specific worry creates a giant blind spot. We know in security that in a global business environment simple geo-blocking is rarely an effective solution. However, cybersecurity teams often have to react to management directives (whether business, government, or political/legislative mandates), as DoI in this case had to react to Presidential Determination 2019-13, which has the stated aim of favoring US-based drone manufacturers. The best security team actions use the mandate as a justification to actually increase security. In this case, how about DoI saying "We will require all drones to demonstrate that their software and systems have been tested for vulnerabilities and hidden capabilities as part of the procurement and/or deployment processes" and US-based drone manufacturers taking the lead in meeting that requirement?

John Pescatore

A requirement to buy American is common for US Government agencies. Even so, at the time of selection, the best-of-class drones were likely the DJI-provided units. Rather than focus on a single threat, having security guidance and standards for purchases independent of origin would allow the most flexibility for use of products independent of source and manufacturing location.

Lee Neely

2020-01-30

Hunting Down Ransomware Crooks

A Canadian insurance company was hit with a ransomware attack in October 2019. The company had purchased cyber insurance from a UK company, which paid US $950,000 in Bitcoin to regain access to its data. Once the company had the decryption key, it still took more than a week to fully recover the data. The UK insurance company hired an investigation company specializing in blockchain to track down the perpetrators and get its money back.

Editor's Note

Ransomware attacks are proving to be lucrative and low-risk. They will continue until something changes. Historically extortion has been addressed by "following the money." So far digital currency has made that ineffective.

William Hugh Murray

2020-01-29

Government Contractor Hit with Ransomware

Systems at US Government contractor Electronic Warfare Associates (EWA) were hit with Ryuk ransomware last week. EWA took the compromised servers offline following the infection. While EWA has not made a public statement about the incident, evidence of the infection - including encrypted files and ransom notes - is visible online.


2020-01-30

Regis University Ransomware

Regis University in Denver, Colorado, was hit with a ransomware attack in August 2019. The school paid the ransom, but the recovery still took months. The attack occurred as the fall 2019 semester began. Regis held a summit on Tuesday, January 29 to share what it learned from the incident.

The Rest of the Week's News


2020-01-30

UN European IT Systems Hacked Through SharePoint Vulnerability

In the summer of 2019, officials at the United Nations discovered that hackers had broken into IT systems at the organization's headquarters in Vienna, Austria and Geneva, Switzerland. The incident was not disclosed until earlier this week. The attackers were able to access the systems through a known vulnerability in Microsoft SharePoint; a fix for the flaw had been available for months prior to the breach.

Editor's Note

The UN is exempt from the disclosure requirements of legislation such as the GDPR. Attempts to keep the incident under wraps, versus disclosing it, have resulted in inconsistent claims of impact and severity. The accessed systems included domain controllers, and actions included clearing the logs of their actions, so the full scope will likely not be known. What is known is the attack used an unpatched system. Whether production or development, comprehensive maintenance of the security posture, including patching with validation, has to be the norm. The cycle of discoverable weakness to exploitation is too rapid to assume otherwise.

Lee Neely

2020-01-28

Zoom Fixes Video Conferencing Vulnerability

Zoom has fixed a flaw in its video conferencing tool's URL scheme that could have been exploited to eavesdrop on meetings. Prior to the fix, Zoom meetings did not require passwords by default, which meant that anyone who guessed the meeting ID number could join. Zoom learned of the issue in July 2019 and fixed it: passwords are now required by default for all scheduled meetings. Zoom made other security enhancements as well.

Editor's Note

Zoom also has a setting to lock a meeting in progress so that others cannot join, which could be useful when having sensitive conversations.

Lee Neely

2020-01-29

Apple Updates

Apple has released fixes for vulnerabilities in multiple products, including iOS, macOS, and Safari. The most current version of iOS, 13.3.1, addresses 23 security issues. The macOS updates address 35 issues, and the Safari update (v.13.0.5) addresses two issues.

Editor's Note

Apple's move towards a monthly patch cycle, coupled with code reuse across platforms, drives a need to update all things Apple on a more regular cadence. Apple makes information on published updates available through their security updates page (https://support.apple.com/en-us/HT201222) and their security-announce mailing list.

Lee Neely

Apple's policy is to not release information about vulnerabilities until after a fix has been made available. This is the same policy followed by IBM for decades but different from that followed by most of the industry. While Microsoft customers express a preference for knowing about vulnerabilities, few actually implement workarounds in advance of fixes.

William Hugh Murray

2020-01-29

Stolen Wawa Data for Sale Online

Payment card information stolen from the Wawa convenience store chain has been posted for sale on the Internet. The attackers may have stolen details for as many as 30 million payment cards. Wawa's systems were compromised in March 2019; the company detected the issue and notified customers in December.

Editor's Note

The Wawa data has been spotted on the Joker's Stash darkweb carding fraud forum under the name BIGBADABOOM-III. Claims are that using EMV (chip-enabled) card readers reduces fraud by as much as 40%, and gas stations have been slow to migrate to chip readers at the pump, predominantly due to perceived costs. The deadline to support EMV sits at October 1st 2020; in October 2019, it was estimated there were 800,000 pumps in the US that still needed to migrate.

Lee Neely

2020-01-31

Updates Available to Address DMA Vulnerabilities in Dell and HP Laptops

Dell and HP have issued BIOS updates to fix flaws in laptops' Direct Memory Access (DMA) capability. The issues could be exploited to gain kernel privileges on vulnerable laptops.


2020-01-30

Russia Blocks ProtonMail and ProtonVPN

Russia has blocked ProtonMail and ProtonVPN. Russia's telecommunications watchdog, Roskomnadzor, says the decision to block was made because Proton Technologies did not register its services with Russian authorities and did not provide Russian authorities with information about the owners of mailboxes that were used to send threats.


2020-01-29

WordPress Code Snippets Plug-in Flaw

A high-severity vulnerability in the Code Snippets WordPress plug-in could be exploited to take over websites running unpatched versions of the plug-in. Code Snippets is running on approximately 200,000 websites.


2020-01-30

NYC Medical Center Issues Notice of Data Privacy Incident

According to a notice from Village Care Rehabilitation and Nursing (VCRN) Center in New York City, an employee was tricked by a spoofed email into sharing patient information with a threat actor. The disclosed data include names, birthdates, and medical insurance information. VCRN learned of the incident on December 30, 2019.

Internet Storm Center Tech Corner

Recent Emotet Infection Installs Trickbot

https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/


Apple Updates

https://support.apple.com/en-us/HT201222


Zoom Fixes Video Conferencing Brute Forcing Vulnerability

https://www.theregister.co.uk/2020/01/28/zoom_eavesdrop_hack/


Intel Fixes Yet Another Information Leakage Flaw

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html

https://cacheoutattack.com/


Magento Update

https://helpx.adobe.com/security/products/magento/apsb20-02.html


Malware Using Text from Impeachment News Coverage

https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/


Avast Antivirus Selling Users' Browsing Data

https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation


Avast Apology

https://blog.avast.com/a-message-from-ceo-ondrej-vlcek


Coronavirus Themed Malware Targets Japan with Emotet

https://twitter.com/Cryptolaemus1/status/1222388971428294656

https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b


abuse.ch Offers New "I Got Phished" Service

https://igotphished.abuse.ch/


OpenSMTPD RCE Vulnerability

https://www.openwall.com/lists/oss-security/2020/01/28/3


Chrome Same-Site Cookie Change

https://www.chromestatus.com/feature/5088147346030592

https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications

https://caniuse.com/#feat=same-site-cookie-attribute