
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #7

January 24, 2020

Microsoft's Misconfiguration Discloses Millions of Customer Records; The Fight Against Election Meddling; Seattle Testing Web-Based Voting




****************************************************************************

SANS NewsBites               January 24, 2020              Vol. 22, Num. 007

****************************************************************************


TOP OF THE NEWS  


  Microsoft Customer Service Records Exposed via Misconfigured Servers

  Report Calls for International Efforts to Fight Election Meddling

  Seattle-area Conservation District Testing Web-Based Voting In Two Weeks




REST OF THE WEEK'S NEWS


  Call to Reform UK's Computer Misuse Act

  Citrix Releases Fixes for SD-WAN WANOP

  ProtonVPN Apps Now Open Source

  Safari's Information Tracking Prevention Poses Privacy Concerns

  Swatters Targeting Tech Executives

  DHS's CISA Warns of Increased Emotet Attacks

  US Treasury Wants to Hear Financial Sector Cybersecurity Concerns

  Correction

 

INTERNET STORM CENTER TECH CORNER


*******************  Sponsored By AWS Marketplace  *************************


Enhance Security Ops, Visibility and Detection/Response in AWS. Learn how to leverage SIEM, SOAR and continuous monitoring in the AWS cloud to improve visibility and accuracy for security ops, detection and response. This webcast features Dave Shackleford, SANS GIAC technical director, and Vinay Sukumar, security intelligence category principal at AWS. Thursday, January 30, 2:00 PM ET. http://www.sans.org/info/215355


****************************************************************************

Cybersecurity Training Update

 

-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020


-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020


-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020


-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS OnDemand and vLive Training

Get an iPad Mini, an HP Chromebook 14 G5, or Take $300 Off through February 5 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

****************************************************************************

TOP OF THE NEWS   

--Microsoft Customer Service Records Exposed via Misconfigured Servers

(January 22 & 23, 2020)

Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29, and had fixed the problem by December 31. All five servers stored the same information.   


[Editor Comments]


[Paller] One aspect of the story here is that if a company as skilled as Microsoft is making catastrophic configuration errors in setting up cloud and open source applications, how badly configured are those applications when used by less sophisticated organizations?


[Murray] If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so. We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision.  


[Pescatore] OWASP A6 "Security Misconfigurations" is really getting a lot of action with admin misconfigurations of cloud services and open source software in particular. The telling quote in the Microsoft Response Center blog post: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database." Why not, and where else has this happened, are the key questions: were the controls simply policy statements ("This should be done") vs. gates ("Database does not go to production unless this has been done")?


[Neely] Security misconfiguration of cloud services has become a recurring theme. While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed. Rapid deployment of solutions needs to include independent verification of the security settings prior to production release. When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.


Read more in:

MSRC Blog: Access Misconfiguration for Customer Support Database

https://msrc-blog.microsoft.com/2020/01/22/access-misconfiguration-for-customer-support-database/

Comparitech: Report: 250 million Microsoft customer service and support records exposed on the web

https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/

SC Magazine: Microsoft database misconfiguration exposes 250M customer support records

https://www.scmagazine.com/home/security-news/database-security/microsoft-database-misconfiguration-exposes-250m-customer-support-records/

The Register: WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet

https://www.theregister.co.uk/2020/01/22/microsoft_support_database_leak/

ZDNet: Microsoft discloses security breach of customer support database

https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
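The editor comments above draw the line between a policy statement and a gate. The following is an added example (not code from the newsletter, from Microsoft or from Elasticsearch) of such a gate for an Elasticsearch node: it evaluates a flattened elasticsearch.yml settings map against an assumed security baseline and fails the release on any blocking finding. The setting names are real Elasticsearch keys; the required values and the two sample configurations are assumptions constructed for the example.

```python
"""Pre-production gate for Elasticsearch security settings (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    key: str
    observed: object
    required: str
    severity: str  # "block" fails the gate


# Assumed baseline: the keys are real elasticsearch.yml settings; the values an
# organisation insists on are a policy decision and are assumed here.
BASELINE = {
    "xpack.security.enabled": True,
    "xpack.security.http.ssl.enabled": True,
    "xpack.security.transport.ssl.enabled": True,
}

# network.host values that bind the node to every interface or to public ones.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(settings: dict) -> list:
    """Compare a flattened settings dict against the baseline; return findings."""
    findings = []
    for key, required in BASELINE.items():
        observed = settings.get(key)
        if observed is not required:
            findings.append(Finding(key, observed, str(required).lower(), "block"))

    # Binding to every interface is acceptable only once authentication is on;
    # an unauthenticated node reachable from outside is the exposure scenario.
    hosts = set(_as_list(settings.get("network.host", "_local_")))
    if hosts & PUBLIC_BINDINGS and settings.get("xpack.security.enabled") is not True:
        findings.append(Finding("network.host", sorted(hosts),
                                "loopback/private address until security is enabled", "block"))

    # Anonymous access granted any role makes the data readable without a login.
    anon = _as_list(settings.get("xpack.security.authc.anonymous.roles", []))
    if anon:
        findings.append(Finding("xpack.security.authc.anonymous.roles", anon, "unset", "block"))
    return findings


def gate_passes(settings: dict) -> bool:
    """The release gate: True only when no blocking finding remains."""
    return not any(f.severity == "block" for f in evaluate(settings))


# Constructed sample: a node bound to every interface with security switched off.
WEAK = {"cluster.name": "support-records", "network.host": "0.0.0.0",
        "xpack.security.enabled": False}

# Constructed sample: the same node after the baseline has been applied.
HARDENED = {"cluster.name": "support-records", "network.host": "0.0.0.0",
            "xpack.security.enabled": True, "xpack.security.http.ssl.enabled": True,
            "xpack.security.transport.ssl.enabled": True}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "PASS" if gate_passes(cfg) else "FAIL")
        for f in evaluate(cfg):
            print(f"  [{f.severity}] {f.key}={f.observed!r}; required: {f.required}")
```

Wiring `gate_passes` into the deployment pipeline, rather than into a checklist, is what turns the baseline from a policy into a gate.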


 

--Report Calls for International Efforts to Fight Election Meddling

(January 22, 2020)

A report from the Kofi Annan Commission on Elections and Democracy in the Digital Age notes that "disinformation has been weaponized to discredit democratic institutions, sow societal distrust, and attack political candidates." The report offers proposals for countering the challenge to the integrity of elections worldwide; the proposals include the formation of an international coalition to address election meddling, including phony social media campaigns.


[Editor Comments]


[Pescatore] We've seen in cybersecurity that big long lists of what needs to be done generally result in very few meaningful steps forward - lots of talk, very little action. The big issue of social media companies like Facebook knowingly allowing false and dangerous "information" to be passed on the networks is pretty similar to ISPs knowingly allowing phishing attacks and malware to be carried out over their networks. Putting that part of the problem aside, actually increasing the security of election systems and *not* allowing untested systems and software to be used without making sure that basic security hygiene is included is a more manageable problem. I think we have seen that aircraft flight control software that isn't sufficiently tested can lead to disastrous results - election systems should be viewed with that same lens.


Read more in:

Wired: Elections Globally Are Under Threat. Here's How to Protect Them

https://www.wired.com/story/un-warns-global-threat-election-integrity/

NYT: Fringe Groups Undermine Democracy via Social Media: Kofi Annan Think-Tank

https://www.nytimes.com/reuters/2020/01/22/world/europe/22reuters-davos-meeting-socialmedia.html


 

--Seattle-area Conservation District Testing Web-Based Voting In Two Weeks


(January 22, 2020)

The King Conservation District in Seattle, Washington, plans to test a web-site voting option in a February 10 election. Voters who choose to may use the site, built by Democracy Live, and access their ballots with their names and birthdates. The district, which encompasses Seattle and some suburbs, has about 1.2 million voters.


[Editor Comments]


[Pescatore] This is a small test in a local election for a conservation board member seat, with a lot of manual checking proposed. It is underwritten by the Tusk Philanthropies, which has an admirable goal of increasing voting participation while also increasing the security of election systems. If Tusk is seriously focusing on the security, we need efforts like this to help drive things forward. If the slant is too much towards "Let's use the latest technology for elections!" then it is just a big step backwards. I hope they produce a detailed after-action assessment.


[Neely] Votes collected through the LiveBallot application will be signed on the device screen. The submitted ballot is then printed and compared with on-file signatures. Washington state's mail-in ballots are verified with a signature matching process. Using digital signatures with appropriate issuing processes could reduce the variability of creating on-screen signatures and can be digitally verified.


Read more in:

Statescoop: Mobile voting arrives for 1.2 million Seattle-area voters

https://statescoop.com/mobile-voting-arrives-seattle-washington/


****************************  SPONSORED LINKS  ******************************


1) Webcast January 29th at 10:30 AM ET: Elevate Your Endpoint Security with Microsoft Defender ATP. Register: http://www.sans.org/info/215360


2) Don't miss the results of the SANS 2020 Cybersecurity Spending Survey on January 29th at 1 PM ET! Sign up: http://www.sans.org/info/215365


3) Live Simulcast | SANS Chris Crowley and industry experts to present the SANS Automation and Orchestration Solutions Forum. Register: http://www.sans.org/info/215370


*****************************************************************************


REST OF THE NEWS

 

--Call to Reform UK's Computer Misuse Act

(January 22, 2020)

The CLRNN has published a report calling for the UK government to update the Computer Misuse Act (CMA), which was enacted in 1990. CLRNN says that the law's vague definition of "unauthorized access" does not go far enough to protect the activity of legitimate security researchers. Furthermore, the law's definition of "computer" does not take into account the growth of the Internet of Things and mobile devices. CLRNN has also proposed changes that would bring the law up to date.


[Editor Comments]


[Neely] The CMA was enacted to fill gaps in existing legislation rather than be a comprehensive computer crime law and was based on relevant issues from 1990. While the computer crime legislation and supporting policy, such as the CMA, are designed to be technology-independent for long term relevance and applicability, they need to include a plan for review and update as technology, risks and tactics evolve.


[Murray] We have both of these problems in our own Computer Fraud and Abuse Act. Both laws were passed when most computer systems were private and most "authorized" use was by insiders. We have known about these problems in these laws for a decade. While drafting the necessary changes is difficult, it is, nonetheless, about time.  


Read more in:

The Register: Academics call for UK's Computer Misuse Act 1990 to be reformed

https://www.theregister.co.uk/2020/01/22/clrnn_computer_misuse_act_reform_call/

Portswigger: The UK's Computer Misuse Act is 'crying out for reform'

https://portswigger.net/daily-swig/the-uks-computer-misuse-act-is-crying-out-for-reform

Reg Media: Reforming the Computer Misuse Act 1990: CLRNN Report (PDF)

https://regmedia.co.uk/2020/01/22/clrnn_cma_reform_report.pdf

 
 

--Citrix Releases Fixes for SD-WAN WANOP

(January 23, 2020)

Citrix has released patches for versions of its SD-WAN WANOP products that are vulnerable to a critical flaw that was disclosed in December. Citrix released patches for some vulnerable versions of its Application Delivery Controller (ADC) and Gateway products earlier this week. Fixes for the rest of the vulnerable versions are scheduled to be released on Friday, January 24.


Read more in:

Citrix: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP

https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/

ZDNet: Citrix: These are new patches for your vulnerable servers

https://www.zdnet.com/article/citrix-these-are-new-patches-for-your-vulnerable-servers/

 
 

--ProtonVPN Apps Now Open Source

(January 21 & 22, 2020)

Code for all ProtonVPN apps on all platforms has been open sourced and has undergone a third-party security audit. The ProtonVPN code for Android, iOS, macOS, and Windows is available on GitHub.


[Editor Comments]


[Neely] ProtonVPN published the reports from the audits by SEC Consult, which identified issues such as hard-coded credentials and a lack of certificate pinning; these have been resolved.


Read more in:

ProtonVPN: All ProtonVPN apps are now open source and audited

https://protonvpn.com/blog/open-source/

ZDNet: ProtonVPN apps handed to open source community in transparency push

https://www.zdnet.com/article/protonvpn-apps-handed-to-open-source-community-in-transparency-security-push/

Bleeping Computer: ProtonVPN Apps Open Sourced for Added Transparency and Security

https://www.bleepingcomputer.com/news/security/protonvpn-apps-open-sourced-for-added-transparency-and-security/

 
 

--Safari's Information Tracking Prevention Poses Privacy Concerns

(January 22 & 23, 2020)

The Intelligent Tracking Prevention system in Apple's Safari browser has been found to pose privacy risks for users. Google's Information Security Engineering team found several security issues in ITP, "including the disclosure of the user's web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks." Apple has addressed some of the issues in recent updates.


Read more in:

arXiv: Information Leaks via Safari's Intelligent Tracking Prevention (PDF)

https://arxiv.org/pdf/2001.07421.pdf

Ars Technica: Google researchers find serious privacy risks in Safari's anti-tracking protections

https://arstechnica.com/information-technology/2020/01/safaris-anti-tracking-protections-can-leak-browsing-and-search-histories/

The Register: Safari's Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler

https://www.theregister.co.uk/2020/01/22/apple_intelligent_tracking_protection/

ZDNet: Google to Apple: Safari's privacy feature actually opens iPhone users to tracking

https://www.zdnet.com/article/google-to-apple-safaris-privacy-feature-actually-opens-iphone-users-to-tracking/

Threatpost: Google: Flaws in Apple's Private-Browsing Technology Allow for Third-Party Tracking

https://threatpost.com/google-flaws-in-apples-private-browsing-technology-allow-for-third-party-tracking/152128/

 
 

--Swatters Targeting Tech Executives

(January 23, 2020)

Swatters are targeting tech company executives, causing armed SWAT teams to arrive at their homes under false pretenses. Swatters can find information about the executives on online forums. Some believe people in these industries are being targeted because they have taken down accounts. The city of Seattle, Washington, has established a voluntary registry for people who believe they may be targeted by swatters.   


Read more in:

NYT: People Are Calling SWAT Teams to Tech Executives' Homes

https://www.nytimes.com/2020/01/23/technology/fake-swat-calls-swatting.html

 
 

--DHS's CISA Warns of Increased Emotet Attacks

(January 22 & 23, 2020)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that it has detected an increase in cyberattacks using the Emotet Trojan. Many of the attacks have targeted US military and government systems. Emotet can be used as a malware downloader or malware dropper. CISA's recommendations include blocking email attachments that are associated with malware and those that cannot be scanned by antivirus products; segmenting and segregating networks and functions; and adopting a least-privilege approach.


Read more in:

US-CERT: Increased Emotet Malware Activity

https://www.us-cert.gov/ncas/current-activity/2020/01/22/increased-emotet-malware-activity

Duo: Emotet Sets Sights on Military and Government Targets

https://duo.com/decipher/emotet-sets-sights-on-military-and-government-targets

Infosecurity Magazine: US Cybersecurity Agency Issues Emotet Warning

https://www.infosecurity-magazine.com/news/us-cybersecurity-issues-emotet/
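CISA's recommendations above include blocking attachments associated with malware and those that cannot be scanned. The following added example (not code from the newsletter or from CISA) is a mail-gateway attachment policy in that spirit: it refuses file types on an assumed block list, anything the scanner flagged or could not scan, and ZIP archives that are malformed, password-protected (the encrypted bit in the ZIP headers) or carry a blocked type inside. The scanner verdict vocabulary and every sample attachment are constructed for the example.

```python
"""Attachment policy: block malware-associated types and unscannable archives."""
import io
import os
import zipfile
from dataclasses import dataclass

# Assumed policy: extensions refused regardless of the scanner's verdict.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".docm", ".xlsm"}

ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP specification


@dataclass
class Attachment:
    filename: str
    data: bytes
    av_verdict: str  # assumed scanner vocabulary: "clean", "malicious", "unscannable"


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def decide(att: Attachment) -> tuple:
    """Return ("block", reason) or ("allow", "") for one attachment."""
    if _ext(att.filename) in BLOCKED_EXTENSIONS:
        return "block", "file type associated with malware delivery"
    if att.av_verdict == "malicious":
        return "block", "antivirus verdict: malicious"
    if att.av_verdict != "clean":
        return "block", "antivirus could not scan the attachment"
    if _ext(att.filename) == ".zip":
        try:
            members = zipfile.ZipFile(io.BytesIO(att.data)).infolist()
        except zipfile.BadZipFile:
            return "block", "archive is malformed, so its contents cannot be scanned"
        # A password-protected member cannot be inspected by the scanner.
        if any(m.flag_bits & ZIP_ENCRYPTED_FLAG for m in members):
            return "block", "password-protected archive cannot be scanned"
        if any(_ext(m.filename) in BLOCKED_EXTENSIONS for m in members):
            return "block", "archive contains a blocked file type"
    return "allow", ""


def _zip_with(name: str, payload: bytes) -> bytes:
    """Build a small ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted bit in every local (offset 6) and central directory
    (offset 8) header so a constructed ZIP looks password-protected."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


# Constructed samples, one per policy branch.
SAMPLES = [
    Attachment("report.pdf", b"%PDF-1.4 ...", "clean"),
    Attachment("invoice.pdf.exe", b"MZ...", "clean"),
    Attachment("docs.zip", _zip_with("readme.txt", b"hello"), "clean"),
    Attachment("secure.zip", _mark_encrypted(_zip_with("invoice.doc", b"x")), "clean"),
    Attachment("tools.zip", _zip_with("update.js", b"x"), "clean"),
    Attachment("broken.zip", b"PK\x03\x04 not really a zip", "clean"),
    Attachment("scan.doc", b"\xd0\xcf\x11\xe0", "unscannable"),
]

if __name__ == "__main__":
    for att in SAMPLES:
        verdict, reason = decide(att)
        print(f"{att.filename:16} {verdict:5} {reason}")
```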

 
 

--US Treasury Wants to Hear Financial Sector Cybersecurity Concerns

(January 22 & 23, 2020)

According to a notice in the Federal Register, the US Treasury Department's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) wants input from banks and other financial sector organizations "to better understand the cybersecurity risk to U.S. financial services sector and financial services critical infrastructure." A recent report from the Federal Reserve Bank of New York found that a major cyberattack targeting a large US bank could have serious reverberations throughout the country's financial system.


[Editor Comments]


[Murray] The failure of the banks to address legitimate concerns of their customers (e.g., the persistence of the infamous magnetic stripe on credit and debit cards, the continued acceptance of credit card numbers from merchants ("card not present" fraud), failure to resist "account takeovers" and other unauthorized transactions, social engineering of support desks) should be of interest to the Treasury. The banks are part of the problem. While bank security is dramatically better than it was fifty years ago, the increase in the use of and reliance on banking still leaves us with a deficit.


Read more in:

GovInfosecurity: Treasury Wants to Collect More Cyber Risk Details From Banks

https://www.govinfosecurity.com/treasury-wants-to-collect-more-cyber-risk-details-from-banks-a-13642

Fifth Domain: Treasury wants more info on financial sector cybersecurity risks

https://www.fifthdomain.com/civilian/2020/01/22/treasury-wants-more-info-on-financial-sector-cybersecurity-risks/

New York Fed: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis (abstract)

https://www.newyorkfed.org/research/staff_reports/sr909

Federal Register: Agency Information Collection Activities; Proposed Collection; Comment Request; Financial Sector Critical Infrastructure Cybersecurity Survey

https://www.federalregister.gov/documents/2020/01/22/2020-00898/agency-information-collection-activities-proposed-collection-comment-request-financial-sector

 
 

--Correction

The name of a guest editor whose comment appeared in Tuesday's NewsBites was misspelled. The guest editor is Russ McRee, not McGee.

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


DeepBlueCLI

https://isc.sans.edu/forums/diary/DeepBlueCLI+Powershell+Threat+Hunting/25730/

https://github.com/sans-blue-team/DeepBlueCLI


German Malspam Pushing Ursnif

https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/


Simple vs. Complex Obfuscation

https://isc.sans.edu/forums/diary/Complex+Obfuscation+VS+Simple+Trick/25738/


EFS Ransomware

https://safebreach.com/Post/EFS-Ransomware


Fake Leak Compensation

https://www.kaspersky.com/blog/data-leak-compensation-scam/32057/


Tracking Users Using Safari's Intelligent Tracking Prevention

https://arxiv.org/pdf/2001.07421.pdf


Cisco Firepower Management Center LDAP Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth


Criminals Use Fake Job Sites to Defraud Victims

https://www.ic3.gov/media/2020/200121.aspx


Muhstik Botnet Targeting Tomato Routers

https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/


RD Gateway PoC Exploit Release

https://github.com/ollypwn/BlueGate


Citrix ADC Compromise Scanner

https://github.com/citrix/ioc-scanner-CVE-2019-19781/


LastPass Accidentally Removes Extension from Chrome Web Store

https://twitter.com/LastPassStatus/status/1220122561989640192


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create