SANS NewsBites

US Legislators Draft Nationwide Data Privacy Act; Acuity Confirms Their GitHub Repositories Were Breached; D-Link NAS Vulnerability Affects End-of-Life Devices; Help Us Improve NewsBites

April 9, 2024  |  Volume XXVI - Issue #28

Top of the News


2024-04-08

US Legislators Draft Nationwide Data Privacy Act

Two US legislators have drafted the American Privacy Rights Act, which eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals. The legislation would restrict the types of data companies can collect, retain, and use to only what is necessary to provide products and services. It would also hold companies accountable for their data security obligations.

Editor's Note

One of the great things about the US is how our 50 states (plus territories!) serve as petri dishes of democracy. Many have created and tested their own privacy laws. Here's hoping the federal government manages to adopt the best aspects of each.

Christopher Elgee

Having a single privacy law in the U.S. would simplify implementation for all involved. The draft legislation parallels the existing goals of CCPA, GDPR and other privacy acts. The question is how it will be transformed as it works its way through Congress and if states will be willing to accept what remains or continue to enact their own rules.

Lee Neely

A US Data Privacy Act is long overdue. At first blush it appears to be modeled on the European General Data Protection Regulation (GDPR), giving citizens rights over their personal data. Its bipartisan sponsorship strengthens the likelihood that it will be fully considered by the House and Senate.

Curtis Dukes

2024-04-05

Acuity Confirms Their GitHub Repositories Were Breached

The US Department of State is investigating a potential cyber incident after information that was purportedly taken from national security agencies was leaked online. Tech consulting firm Acuity, which is a US government contractor, has confirmed that intruders breached their GitHub repositories and stole documents.

Editor's Note

Maybe the headline should read "Acuity confirms it stored national security data on GitHub", not that the GitHub repo was breached. But it probably sounded better in the press release to call this a GitHub repo breach.

Johannes Ullrich

Not so sure storing national security information on GitHub is a wise choice without a lot of due diligence to ensure it's protected. The takeaway is to really understand the (external) environment you're storing sensitive data in and verify the protection (and detection) mechanisms meet or exceed your requirements, then ensure they continue to do so.

Lee Neely

2024-04-07

D-Link NAS Vulnerability Affects End-of-Life Devices

A vulnerability affecting more than 92,000 D-Link network-attached storage (NAS) devices is being actively exploited. The issue was discovered by a researcher known online as netsecfish, who writes, "The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter." The vulnerable devices are no longer supported and thus will not be patched.
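As an added example (not from the newsletter or the researcher's write-up), a small log-triage helper for defenders: it flags web-server requests to the nas_sharing.cgi endpoint that carry a `system` parameter and notes whether the client address lies outside RFC 1918 private space, which speaks to the editors' point about NAS devices being reachable from public networks. The access-log lines are constructed, and the /cgi-bin/ path prefix is an assumption.

```python
"""Flag access-log requests to nas_sharing.cgi that carry a `system` query parameter
and record whether the client is outside RFC 1918 private address space."""
import re
from ipaddress import ip_address, ip_network

from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; this is not real traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [07/Apr/2024:09:58:01 +0000] "GET /cgi-bin/nas_sharing.cgi?cmd=15 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Apr/2024:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?cmd=15&system=id HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.23 - - [07/Apr/2024:10:01:13 +0000] "POST /cgi-bin/nas_sharing.cgi?system=id HTTP/1.1" 200 498 "-" "curl/8.0"
192.168.1.44 - - [07/Apr/2024:10:03:40 +0000] "GET /web/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the client address is not in an RFC 1918 private range."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def find_nas_sharing_hits(log_text: str) -> list[dict]:
    """Return one finding per request to nas_sharing.cgi whose query has a `system` key."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m["target"])
        if not url.path.endswith("/nas_sharing.cgi"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "system" not in params:
            continue  # ordinary use of the endpoint, not the injection vector
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "system": params["system"][0],
            "external_source": is_external(m["ip"]),
        })
    return findings


if __name__ == "__main__":
    for hit in find_nas_sharing_hits(SAMPLE_LOG):
        print(hit)
```

Run against exported NAS or reverse-proxy access logs; any finding with external_source set is a device that is reachable from the internet and should be taken offline or replaced, since no patch will arrive.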

Editor's Note

Whenever you purchase a device, you need to track its "lifetime" based on the vendor's end-of-support rules. Vendors that are not open about how long to expect support should be avoided. But at some point, the only option will be to replace the device, which needs to be budgeted for.

Johannes Ullrich

We need to be as conscious of lifecycle with home devices as we are in the workplace. Yeah, they are not broken, as they keep working. But they are not getting updates either. Also, it's easy to forget about them - like that time you allowed a connection from the internet to help some friends and never shut it down? Now the really hard part is to get rid of the old one so you're not tempted to put it back online.

Lee Neely

The count makes one suspicious that these devices are visible to the public networks. Network attached storage should not be visible to the public networks.

William Hugh Murray

2024-04-09

Help Us Improve NewsBites

Please take 3 minutes to give us your suggestions.

The Rest of the Week's News


2024-04-05

Optical Product Manufacturer Discloses Cybersecurity Incident

Hoya Corporation has disclosed a cybersecurity incident that the company says has affected some production facilities and some product ordering systems. Hoya says that on March 30, they discovered a discrepancy in system behavior that revealed a system failure, and were advised by third-party experts that it was likely due to unauthorized access. Hoya is a Tokyo-based manufacturer of optical products, including eyeglasses, contact lenses, endoscopy products, and glass substrates used in hard disk drives.

Editor's Note

Although Hoya has yet to confirm a ransomware attack, it bears all the hallmarks of one. Hoya's revenue last year was just over $5.6B, so it's safe to assume they have a reasonable cybersecurity budget. Hopefully, they will be forthcoming about what happened and what defenses were in place at the time of attack.

Curtis Dukes

2024-04-08

German State Switches from Microsoft Windows to Linux

The German state of Schleswig-Holstein says it plans to move from Microsoft Windows to Linux. Schleswig-Holstein digitalization minister Dirk Schrödter noted that the use of open-source software also brings improved IT security, cost-effectiveness, data protection, and seamless collaboration between different systems. He also cited digital sovereignty as a reason for the move. The switch to open source is not a surprise: several years ago, the state announced its intention to switch from Microsoft Office to LibreOffice, with a goal of migrating 25,000 computers by 2026.

Editor's Note

If you're evaluating a similar move, make sure you consider the impact on your support and security services. The total cost of ownership may be higher than you think. Make sure you understand what infrastructure you're going to need to provide and how you'll achieve equivalent security and user experience. You may need a lot of training as so much experience is based on how Windows does things.

Lee Neely

2024-04-08

Home Depot Data Breach Impacts Employees

Home Depot has acknowledged a recent cybersecurity incident that exposed employee data. Home Depot told Bleeping Computer that "A third-party Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of Home Depot associates' names, work email addresses and User IDs during testing of their systems." The number of affected employees is not specified.

Editor's Note

Testing with mocked-up or dummy data takes a bit longer, since usable data has to be generated, but is really important for testing. With outsourced or cloud services you need data which doesn't matter while you make sure systems are properly secured before going live.

Lee Neely

Test data is part of the specification. It should be written before the code. It includes both the inputs and the associated expected outputs. Live data does not contain the expected outputs and is not adequate for testing. Moreover, proper separation of functions should deny developers and testers access to live data.

William Hugh Murray

2024-04-08

HHS Alert Warns of Healthcare Sector IT Help Desk Social Engineering Schemes

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has published a sector alert warning of an increase in social engineering attacks targeting IT help desks in the healthcare sector. The calls in the recent campaigns come from phone numbers spoofed to appear local to the organization; the callers have managed to convince help desk staffers to enroll new devices for MFA authentication.


2024-04-08

Google V8 Sandbox Aims to Prevent Memory Corruption Vulnerabilities from Spreading

Google is adding a V8 sandbox to their Chrome browser with the goal of preventing memory corruption in V8 from spreading within the host process. Memory corruption vulnerabilities in V8 are usually not garden variety memory corruption issues: most cannot be addressed by switching to memory-safe programming languages or using hardware memory safety features.

Editor's Note

This is designed to protect the host system from the browser.

Lee Neely

Browsers leak. This announcement says that the JavaScript V8 engine, a component of many browsers, leaks so badly that the solution is to encapsulate it so as to contain the leakage. The objectives of the V8 engine, and of most browsers, were speed and features. Speed, features, and integrity: pick two.

William Hugh Murray

2024-04-05

NYC Payroll Website Not Available Outside of City Intranet

Due to a phishing campaign aimed at obtaining city employee account credentials, the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) is not currently publicly available. According to Recorded Future, New York City's Office of Technology and Innovation said that employees were receiving smishing (phishing via SMS) messages. While the website is not accessible to the general public, it is still accessible to employees through NYC's secure internal network (intranet). The smishing messages, which asked employees to set up MFA, appear to be a scam based out of Lithuania.

Editor's Note

Sounds like a sensible precaution. Reducing your attack surface, by not exposing some applications to the internet, can substantially reduce the risk. Maybe this application should never have been exposed in the first place?

Johannes Ullrich

2024-04-08

US DoJ Data Exposed in Third-Party Breach

A data security incident at a US Department of Justice (DoJ) third-party contractor has resulted in the exposure of DoJ-related information belonging to more than 340,000 people. The Greylock McKinnon Associates consulting firm said the incident occurred in May 2023. The compromised data include Medicare information and Social Security numbers.

Editor's Note

It took the third party until February this year to confirm the incident. While they subsequently deleted the DoJ data, the data were already exposed. This highlights the need to understand the capabilities of your third-party providers as well as make sure their response actions are consistent with your requirements. Propose a joint tabletop to make sure you're on the same page.

Lee Neely

Law firms and consultant organizations often maintain sensitive information on behalf of their clients. They are perhaps the weak link in the cybersecurity chain. What's disappointing, though, is the timing of victim notification, almost a year after the data breach.

Curtis Dukes

Internet Storm Center Tech Corner

A Use Case for Adding Threat Hunting to Your Security Operations Team.

https://isc.sans.edu/diary/30816

Notepad++ Parasite Site

https://notepad-plus-plus.org/news/help-to-take-down-parasite-site/

Hugging Face Pickle File Vulnerabilities

https://huggingface.co/blog/hugging-face-wiz-security-blog

Heartbleed 10th Anniversary

https://heartbleed.com/

Possible Libarchive Backdoor Vulnerability

https://github.com/libarchive/libarchive/pull/1609

Google Considers V8 Sandbox no longer experimental

https://v8.dev/blog/sandbox

Magento XML Backdoor

https://sansec.io/research/magento-xml-backdoor

Google Public DNS's approach to fight against cache poisoning attacks

https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html

Remote code execution (RCE) vulnerability in Brocade Fabric OS (CVE-2023-3454)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23215