Information and Cyber Security News Headline Updated on 18 December 2019

The headline on 18 December 2019

Facebook Tracks Users’ Purchases in the Physical World. A recent report highlights that a partnership between Facebook and several retailers enables the retailers to transfer the purchase history of their customers to Facebook. Facebook in turn uses that data to target those customers with advertisements relating to their purchases when they access the Facebook social media platform.

Note:

  • I am less worried about Facebook’s capability for targeting than I am about who they allow to use the targeting capabilities, and what policies Facebook applies to the content and transparency of the “ads” that are put in front of targeted users. The prime example is Facebook’s policy to allow any content from political advertisers, with minimal or no differentiation when Custom or Lookalike Audience targeting is used. This allows blatant lies and misinformation to be put in front of targeted audiences that would never be allowed by other advertising channels, both traditional and modern social media, like Twitter and Google.
  • Facebook’s business practices are such that it is unlikely that users can understand the risk of doing business with them. Better to just avoid doing business with them altogether.

New Jersey Hospital System Victim of Ransomware Attack. Hackensack Meridian Health, the largest hospital system in New Jersey, was the victim of a ransomware attack and ultimately paid the ransom to restore its systems. The attack forced hospitals that are clients of Hackensack Meridian Health to postpone non-emergency operations and left medical staff unable to access electronic records. Hackensack Meridian Health said its primary clinical system is now back online and that it is working on restoring other affected systems. The company is working with the FBI and cybersecurity experts. Hackensack Meridian Health runs 17 acute care and specialty hospitals, nursing homes, outpatient centers, and the psychiatric facility Carrier Clinic.

Read more in: New Jersey 101.5 > NJ hospital system forced to pay ransom in cyber attack

Personal Data of Facebook Employees Exposed on Stolen Unencrypted Hard Drives. Personal data of 29,000 US-based Facebook employees, including banking data, was lost when unencrypted hard drives were stolen from a payroll worker’s car. Police are investigating the theft. It is unclear why the employee stored the unencrypted hard drives in their car and why the drives were being transported in this way. A spokesperson for Facebook stated that the company has taken appropriate disciplinary action with the payroll employee involved.

Note: Obviously several policy failures here. This can be a good news item to use to drive a check on current policies around encrypting storage as a default and providing secure mechanisms for data transport that should eliminate any reason to carry hard drives around in cars!

Google Hands Feds 1,500 Phone Locations In Unprecedented ‘Geofence’ Search. Forbes has discovered that Google has complied with so-called geofence warrants that have resulted in an “unprecedented” data haul for law enforcement: one in which Google combed through its SensorVault to find 1,494 device identifiers for phones in the vicinity of the fires and then handed them over to the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).

Note: Recent court decisions and FCC investigations into “who owns location data” have tended to focus on telecoms carriers and to some extent mobile phone manufacturers. This points out that location-based metadata is collected and stored by many different companies. Courts and legislators are moving slower than ever; we need the technology companies to be proactive about adopting secure defaults for protecting location data and high transparency about when it is collected and sold or given to third parties.

Internet of Things Gear is Generating Easy-to-Crack Keys. A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won’t be an easy one to solve. This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should be, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.

Note:

  • There used to be a talking Barbie doll that would say “Math is hard!” which was certainly sexist, but still a very, very true statement. Crypto is math, and crypto is hard – 25 years ago the US government issued the FIPS-140 standard because of crappy crypto coming out in commercial software. Similar action is needed for the IoT generation of claims of use of cryptography to secure device use.
  • IoT device manufacturers continue to prioritize time-to-market over security. Until that situation improves, leverage segmentation and restrict network access to only services they need, if any.
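The repeated-factor problem the Keyfactor team found can be audited on your own certificate inventory with a shared-factor (GCD) check. The script below is an added example, not Keyfactor’s code; its moduli are constructed from known Mersenne primes and the certificate ids are placeholders.

```python
"""Shared-factor audit of an RSA certificate inventory.

Added example, not Keyfactor's code. The weakness behind the report is that
two RSA moduli generated from a poor entropy source can share one prime:
if n1 = p*q and n2 = p*r, then gcd(n1, n2) = p and both keys are factored.
The inventory below is constructed from known Mersenne primes and is not
real key material; it only illustrates the audit a defender can run over
their own certificate store.
"""
from itertools import combinations
from math import gcd

# Constructed demo primes: 2^61-1, 2^89-1, 2^107-1, 2^127-1 and 2^31-1 are all prime.
P_SHARED = (1 << 61) - 1
Q = (1 << 89) - 1
R = (1 << 107) - 1
S = (1 << 127) - 1
T = (1 << 31) - 1

# Constructed "certificate inventory": certificate id -> RSA modulus n.
INVENTORY = {
    "iot-cam-0001": P_SHARED * Q,   # shares P_SHARED with iot-cam-0002
    "iot-cam-0002": P_SHARED * R,
    "gateway-0007": S * T,          # independent primes; must not be flagged
}


def find_shared_factors(moduli):
    """Return {cert_id: {"p": p, "q": q}} for every modulus that shares a
    prime with some other modulus in `moduli`.

    Pairwise gcd is O(n^2) in the number of keys; over tens of millions of
    certificates a product-tree batch GCD is used instead, but the
    principle and the result are the same.
    """
    weak = {}
    for (id_a, n_a), (id_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g in (1, n_a, n_b):
            continue  # no common prime, or an outright duplicate modulus
        for cert_id, n in ((id_a, n_a), (id_b, n_b)):
            weak[cert_id] = {"p": g, "q": n // g}
    return weak


def find_duplicate_moduli(moduli):
    """Group certificate ids that carry the identical modulus (the other
    pattern the report describes: the same key shipped in many devices)."""
    by_modulus = {}
    for cert_id, n in moduli.items():
        by_modulus.setdefault(n, []).append(cert_id)
    return sorted(sorted(ids) for ids in by_modulus.values() if len(ids) > 1)


def verify_factorization(n, factors):
    """Sanity check that the recovered primes really reproduce n."""
    return factors["p"] * factors["q"] == n


if __name__ == "__main__":
    for cert_id, f in find_shared_factors(INVENTORY).items():
        print(f"{cert_id}: modulus factored, shared prime has {f['p'].bit_length()} bits")
    print("duplicate moduli:", find_duplicate_moduli(INVENTORY))
```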

New Orleans Mayor Declares State of Emergency After City Cyberattack. New Orleans Mayor LaToya Cantrell declared a state of emergency Friday after the city was hit by a cyberattack. Phishing attempts and suspicious activity were detected on the city’s network around 5 a.m., and by 11 a.m., technician investigators detected “a cybersecurity incident” causing the city’s information technology department to begin powering down servers and city computers as a precaution.

Blue Cross Blue Shield of Minnesota Scrambling to Improve Cybersecurity. An internal whistleblower raised concerns that Minnesota’s largest health insurer has neglected thousands of important updates to its computer systems. The company’s top cybersecurity executive says the insurer has been working diligently in recent weeks to reduce its vulnerability to a cyber attack. Internal documents show that BCBS of Minnesota has allowed 200,000 vulnerabilities deemed “critical” or “severe” to linger for years on its computer systems, despite warnings to executives.

Read more in: KSTP > Blue Cross Blue Shield scrambling to improve cybersecurity

Many Phishing Sites Spotted in Global Government-Focused Campaign. Security vendor Anomali discovered over 62 domains and 122 phishing sites targeting government users. Unlike other phishing campaigns, which could be detected through spelling and grammar errors, these are well-crafted, multi-language campaigns, so the primary indicators are that the messages come from unknown senders and carry unexpected attachments.

FTC Advice on Checking Internet-Connected Toys Before Buying. Internet-connected toys are in high demand this year, and the FTC is making recommendations for parents to consider prior to purchase and upon receipt. The advice includes checking for microphones and cameras and verifying that you can determine when they are active. Another recommendation: don’t rely on the Children’s Online Privacy Protection Act (COPPA). Checklists like this are beneficial, but remember that regardless of the security reputation of the manufacturer and regulatory oversight, you must verify which features are enabled and that they are configured properly.

Relaunched Toys R Us Uses Technology to Monitor Customers. The relaunched Toys R Us stores now include sensors to monitor customer activity. Installed by business partner B8ta in support of the new business model, which leases areas of the store to toy providers, the sensors will monitor how customers move around the store and determine which areas get the most activity. There has been some social media uproar relating to confusion over the term “monitoring shopper cadence,” which refers to capturing shopper movement patterns, not conversation or voice capture; additionally, there are concerns about whether the system actually ignores people under four feet tall in order not to run afoul of COPPA requirements for parental consent prior to data capture for children under 13.

Note: The data collected will be used to influence the costs of the leased spaces, particularly those with high success rates. The question of not capturing patrons under four feet tall versus the claim that the information is being captured in public places, and not bound by COPPA, needs to be resolved quickly, especially as Toys R Us is catering to children.

Plundervolt Voltage Attack Steals Data from Intel Chips. The newly discovered “Plundervolt” vulnerability (CVE-2019-11157) uses CPU voltage manipulation to target and expose data in Intel’s Software Guard Extensions (SGX). Intel has released a microcode update to address the issue; alternatively, the SGX functionality can be disabled. Recovered data can include keys needed for cryptographic operations, and the exploit can also be used to corrupt program memory. To use the protections offered by SGX, it must be both enabled in the BIOS and incorporated into application code. Exploitation requires local privileged access.

Note: Because the likelihood of exploitation is low, due to local privileged access requirements, Intel released a microcode fix that addresses this. The promise of SGX is encrypted enclaves to protect sensitive code, even from code running at higher privilege levels, and is intended to bring added security to cloud based computing.

Some Hardware-Based Password Managers Store Passwords in Plaintext. Investigation of the ecZone Password Safe, passwordsFAST, and Royal Vault Password Keeper devices by security researcher Phil Eveleigh found that while a passcode is used to protect access to the stored passwords, direct access to the chip yields the plaintext passwords as well as the master PIN. Further, he found that even after a full reset the passwords were not cleared on some devices. Note that while the Royal Vault Password Keeper encrypts the data, decryption is possible by discovering the master PIN within the stored dataset. No responses have been received from the device manufacturers regarding the issues discovered.

Note: Retrieving the clear-text passwords required chip access to the device, which makes the risk of exploit low; even so, unless the wipe operation can be verified, choose physical destruction rather than wipe and reissue. Also, be sure to use strong master passwords to limit unauthorized access to passwords through the normal mechanisms.

Last Patches for Windows 10 Mobile Released. The last round of security patches for Microsoft’s Windows 10 Mobile has been released, marking the end of Microsoft’s attempt at a mobile operating system. Windows 10 Mobile officially reached end of support on June 11, 2019. Many Microsoft execs carry Android devices rather than ones powered by Windows Mobile. Bill Gates feels that had he not been distracted by copyright and related lawsuits, and released Windows Mobile three months earlier, the market niche now held by Android would have been Microsoft’s.

Note:

  • In 2010, at a session at a Gartner conference, I asked then Microsoft CEO Steve Ballmer how Microsoft was going to succeed in the mobile phone market and his answer was “Windows, baby!” Also, six years earlier Bill Gates said Microsoft would rid the world of spam by 2006. I don’t think copyright issues and lawsuits are really to blame for the failure of those two predictions. But owners of large installed bases do tend to invest too much in fighting off threats to the profitability of that base vs. innovating to meet users’ changing needs. As many of the stories in this issue point out, we are nearing one of those tipping points around protecting user data vs. profiting from it.
  • Windows Mobile was a nice operating system, and Microsoft wanted to be “the” mobile device OS provider, but success wasn’t solely dependent on the timing of the release or lawsuits; I recall the market was looking for an open solution, which is where Android fit in.

Read more in: ZDNet > Windows 10 Mobile is over, prepare for final patches as support ends

London Metropolitan Police Trained to Fight Cybercrime. A Freedom of Information request submitted to the London Metropolitan Police has highlighted that thousands of officers on that force have received some level of training in fighting cybercrime. The training has been provided using online training solutions: approximately 4,500 officers took the “Cyber Crime and Digital Policing – First Responder” course, while another 4,500 completed the “Cyber Crime and Digital Policing – Introduction” course.

Note: The average citizen is not going to have the background on how to select help during an incident, so providing them the option to call the police when they have a cyber incident, and get a responder who has been properly trained raises the bar on proper actions being taken and increases the likelihood of a successful outcome.

Read more in: Infosecurity Magazine > Thousands of Met Police Get Cyber Training

The headline on 15 December 2019

WordPress 5.3.1 Security & Maintenance release to resolve the following issues:

  • Unprivileged users could make a post sticky via the REST API.
  • Cross-Site Scripting vulnerability can be stored in links.
  • Stored Cross-Site Scripting vulnerability using block editor content.

Source: WordPress.org > WordPress 5.3.1 Security and Maintenance Release

The headline on 11 December 2019

44 Million Compromised Credentials Used on Microsoft Accounts. Microsoft engineers recently analyzed over three billion credentials known to be compromised by criminals. Using sources from law enforcement and public databases of breached accounts, the Microsoft team identified 44 million user accounts on Microsoft services that were reusing known compromised credentials. These accounts ranged from Microsoft’s consumer services to credentials used by companies for Microsoft Azure.

Note:

  • Credential reuse, and/or poor password choices by users, necessitate the use of multi-factor authentication. IDPs can be configured for location and device awareness to raise the bar, or completely block authentication for unknown devices or untrusted environments. Disable, or highly restrict, the use of legacy protocols that cannot be configured for MFA.
  • Reused passwords and fraudulent password reuse are known problems, but they are the result of the bind in which many users find themselves. Users should employ password managers and strong authentication, such as is offered by Microsoft and its peers. Enterprises should avoid overly complex password rules that make choosing a password difficult and should offer strong authentication options to their users.

China Reportedly Orders State Offices to Remove Foreign Tech, Which Could Hit US Firms Like Microsoft. China’s Communist Party has ordered all state offices to remove foreign hardware and software within three years. Systems and software are to be replaced with Chinese-provided equivalents. The replacement encompasses 20-30 million pieces of equipment and commences in 2020. Organizations are required to meet milestones of 30%, 50% and 20% in 2020, 2021 and 2022 respectively. China began building a Windows and iOS replacement in 2013, with the help of British company Canonical. This move affects US providers including HP, Dell, and Microsoft. China’s latest policy may be seen as one of the most direct moves against U.S. technology firms during the trade war.

Note:

  • Unfortunately, the longer these types of trade war escalations continue, the more the likelihood of impact on buying and selling of security products and services continues to increase. Huawei and Kaspersky have seen the impact of US directives against buying their security products; large US security vendors could see similar impacts from large foreign markets. From an enterprise perspective, this dictates the need for backup planning in case your existing vendors are caught in the crossfire.
  • [Neely] This is motivated by trade wars and threats of economic sanctions rather than increased security or locally produced products. Even Chinese vendors such as Lenovo or Huawei are heavily impacted by these sanctions. Businesses need to consider location when developing lists of alternate suppliers, particularly when suppliers are overseas and can be impacted by such actions.

New Zealand Releases Cybersecurity Governance Resource. New Zealand’s Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has produced a resource for boards to help improve cybersecurity governance. The NCSC study interviewed cybersecurity professionals from 250 of New Zealand’s nationally significant organizations. The governance resource called Charting Your Course: Cyber Security Governance sets out six areas that will help focus engagement between an organization’s governance and its security practitioners.

Note: This initial publication is a good deal too buzzword-laden for me – anytime I see “resilient”, “security culture” and “holistic” on one page my eyes glaze over. Hopefully, the follow-on drill-down documents will focus more on bridging the realities of corporate governance and operations to the realities of effective cybersecurity as a critical and integral factor in the success of the corporation.

Google Releases Open Source Tool for Finding File Access Vulnerabilities. On Monday, Google released the source code of a tool designed to help developers identify vulnerabilities related to file access. The tool, named PathAuditor, has been useful to Google and the company has now decided to release it as open source. The tech giant is still actively working on PathAuditor and pointed out that it is not an officially supported Google product.

Note: Many vulnerability assessment/management tools will find similar vulnerabilities; check with your existing vendor. Google often throws spaghetti on the wall and then moves on – unless this gets broad support, better to see existing products incorporate such capabilities.

New Phishing Campaign Uses Self-Contained Webpage to Steal Credentials. Researchers have spotted a new phishing campaign that attempts to steal credentials. However, this campaign is different from the commonly observed ones. The phishing attack does not redirect victims to another site for login like a lot of phishing campaigns usually do. Instead, it bundles the scam’s landing page in the HTML attachment, likely in an attempt to bypass security filters and analytics on web proxies.

Note: Scanners don’t typically inspect the attached HTML content sufficiently to discover malicious content embedded in these attachments. While we coach users to use caution with attachments, the prevalence of applications that attach content in HTML attachments encourages the opposite behavior. In addition to focusing on updated user awareness, consider endpoint protection strategies that include blocking access to non-categorized and known bad sites.
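A mail-gateway check that inspects HTML attachments for credential-harvesting forms, the control the note says most scanners lack. This is an added example, not the researchers’ tooling; the messages, file names and hostnames are constructed placeholders.

```python
"""Scanner for credential-harvesting forms inside HTML e-mail attachments.

Added example, not the researchers' tooling. A self-contained phishing page
needs no redirect, so URL reputation never sees it; the tell is the
attachment itself: an HTML file carrying a form with a password field, often
posting to a host unrelated to the sender. The sample messages are
constructed here and every hostname is a placeholder.
"""
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

SENDER_DOMAIN = "constructed.example"

# Constructed attachments: one minimal login form, one harmless HTML report.
CREDENTIAL_FORM_HTML = """<html><body><p>Sign in to view the shared file.</p>
<form method="post" action="https://forms.not-the-sender.example/submit">
<input type="email" name="u"><input type="password" name="p">
<button type="submit">Sign in</button></form></body></html>"""
BENIGN_REPORT_HTML = "<html><body><h1>Monthly report</h1><table><tr><td>ok</td></tr></table></body></html>"


def build_sample_message(attachment_html, filename="SharedDocument.html"):
    """Build a constructed multipart message carrying the HTML as an attachment."""
    msg = EmailMessage()
    msg["From"] = f"notifications@{SENDER_DOMAIN}"
    msg["To"] = f"user@{SENDER_DOMAIN}"
    msg["Subject"] = "Constructed sample: document shared with you"
    msg.set_content("Please open the attached document to review.")
    msg.add_attachment(attachment_html.encode("utf-8"), maintype="text",
                       subtype="html", filename=filename)
    return msg.as_bytes()


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether it carries a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _same_org(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def scan_message(raw_bytes, sender_domain=SENDER_DOMAIN):
    """Return one finding per HTML attachment that contains a password form."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or not part.get_filename():
            continue  # inline HTML bodies are out of scope for this check
        html = part.get_payload(decode=True).decode("utf-8", errors="replace")
        scanner = _FormScanner()
        scanner.feed(html)
        cred_forms = [f for f in scanner.forms if f["has_password"]]
        if not cred_forms:
            continue
        hosts = sorted({urlparse(f["action"]).hostname or "(same document)" for f in cred_forms})
        findings.append({
            "filename": part.get_filename(),
            "form_hosts": hosts,
            # A credential form posting outside the sender's domain is the strongest signal.
            "external_post": any(h != "(same document)" and not _same_org(h, sender_domain)
                                 for h in hosts),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message(CREDENTIAL_FORM_HTML)):
        print("ALERT: credential form in HTML attachment:", finding)
```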

US Government Website For Federal Rules Input Inaccessible Due To Expired SSL Certificate. Regulations.gov, the US Government’s portal for industry and the public to make comments in response to proposed regulations, suffered a self-inflicted denial of service when the digital certificate enabling HTTPS expired. The website returned to service on Monday night after being out for much of the day. At least one government agency had to extend the deadline on public comment.

Note: [Neely] Current browser versions do a really good job of blocking access to sites with certificate problems, whether expired, untrusted issuer, name-mismatch, etc., raising the bar on the IT team to keep certificates updated. Consider using certificate issuers that support automated updates. Alternately, a script to scan and alert on certificates that are due to expire is not difficult to create; make sure the alerts trigger ITSM tickets so they won’t be missed.
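The expiry scan suggested in the note, as an added example rather than anything from Regulations.gov or its operators. It assumes the openssl command-line tool is on PATH and generates its own throwaway test certificates.

```python
"""Certificate-expiry scanner (added example, not Regulations.gov tooling).

Reads the notAfter date of each PEM certificate with the openssl CLI and
returns the ones that expire inside a warning window, so the alert can be
turned into an ITSM ticket before the site goes dark. Assumes the `openssl`
binary is on PATH; the certificates used here are generated locally and are
not real site certificates.
"""
import os
import ssl
import subprocess
import tempfile
import time


def make_test_cert(path, days):
    """Generate a constructed self-signed certificate valid for `days` days."""
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", path + ".key", "-out", path, "-days", str(days),
         "-subj", "/CN=constructed.example"],
        check=True, capture_output=True)
    return path


def cert_not_after(path):
    """Return the certificate's notAfter time as seconds since the Epoch."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True).stdout
    # openssl prints e.g. "notAfter=Jan 17 12:00:00 2020 GMT"
    _, _, value = out.strip().partition("=")
    return ssl.cert_time_to_seconds(value)


def days_until_expiry(path, now=None):
    """Days left on the certificate; negative once it has already expired."""
    now = time.time() if now is None else now
    return (cert_not_after(path) - now) / 86400


def expiring_certs(paths, warn_days=30, now=None):
    """Return {path: days_left} for every certificate at or inside the window."""
    flagged = {}
    for path in paths:
        left = days_until_expiry(path, now)
        if left <= warn_days:
            flagged[path] = left
    return flagged


def make_demo_inventory():
    """Two constructed certificates: one inside a 30-day window, one outside."""
    workdir = tempfile.mkdtemp(prefix="certscan-")
    return {
        "soon": make_test_cert(os.path.join(workdir, "soon.pem"), 5),
        "later": make_test_cert(os.path.join(workdir, "later.pem"), 60),
    }


if __name__ == "__main__":
    inventory = make_demo_inventory()
    for path, left in expiring_certs(inventory.values(), warn_days=30).items():
        # In production this line would open a ticket rather than print.
        print(f"ALERT: {path} expires in {left:.1f} days")
```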

New Jersey Shakespeare Theater Hit By Ransomware. The Shakespeare Theatre of New Jersey was forced to cancel a performance of “A Christmas Carol” after its reservation and ticketing system was hit by ransomware. They are currently selling tickets, but are not able to perform seat assignments until patrons arrive at the venue. Other businesses in their area were reportedly also affected at the same time.

Note: This underscores the value of reaching out to customers during an incident, being transparent about the incident and asking for their support. Patrons continue to make reservations and bear with the theater as they work to restore normal operations. Make sure your DR/Incident response plan includes customer notification and support.

China Fires “Great Cannon” Cyber-Weapon at the Hong Kong Pro-Democracy Movement. China’s “Great Cannon” – a massive DDoS tool, used sparingly because of the negative publicity each use attracts – captures traffic at the country perimeter and redirects it by means of JavaScript injection. The tool has been resurrected in response to the pro-democracy movement in Hong Kong.

Apple Explains iPhone 11 Location Requests. Apple’s iPhone 11 uses Ultra-Wideband (UWB) radio for short-range, high-bandwidth file exchange. UWB uses location services to find other UWB devices. These requests happen even when applications and services are set not to request location data. This is disabled in airplane mode. The location checks also verify that the device is in a country where UWB is permitted.

Note: Future versions of iOS are supposed to contain a setting explicitly for toggling UWB. The wide spectrum, multi-channel use by UWB permits data transfer at up to 1.6Gbps for a few meters. UWB is currently used to improve the performance of Airdrop.

US-CERT AA19-339A: Dridex Malware. A recent collaboration between the Department of Treasury’s FinCEN and CIG groups, in response to Dridex malware’s continued use in the financial sector, provides a consolidated reference on Dridex including an overview, related activities, IOCs, mitigations, and recommendations.

T-Mobile Launches 600MHz 5G. T-Mobile has pushed out 5G service across the US, but using its 600MHz spectrum, which behaves much like LTE. This service doesn’t operate at full 5G speeds. The fastest 5G requires millimeter wave (mmWave) spectrum, which is easily obstructed and doesn’t travel far.

Note: Mobile Operators are rolling out 5G in stages, leveraging their existing LTE resources and spectrum. Your device may report a 5G (or 5Ge) connection without delivering the increased speed promised by 5G. mmWave deployments, needed for those increased speeds, require a very dense deployment of radios and supporting fiber infrastructure, which some communities are challenging.

Car Makers BMW and Hyundai Victims of Cyber Attack. The carmakers BMW and Hyundai are reported to have been hacked by a criminal group known as Ocean Lotus, also known as APT32. The alleged compromise is reported to have happened in the spring of 2019, when BMW’s security team discovered an instance of a commercial hacking tool, Cobalt Strike, installed on a workstation. The reports also state that Hyundai was a victim of the same group. The Ocean Lotus group is alleged to be behind attacks against other car manufacturers such as Toyota Japan, Toyota Australia, and Toyota Vietnam.

Amazon Buckets Leak over 750,000 Applicants’ Data for US Birth Certificates. A company that provides a service allowing customers to apply for copies of birth certificates from US states has allegedly exposed the personal details of those applicants. A UK-based security research company identified the unsecured Amazon S3 bucket, which contained the personal details of 750,000 people. The data includes their name, date of birth, email address, and home address, amongst other details.

Read more in:

TechCrunch > Over 750,000 applications for US birth certificate copies exposed online

MashableAsia > Nearly 800,000 applications for birth certificate copies exposed online for anyone to access

The headline on 07 December 2019

Data Center Ransomware Infection. Data center provider CyrusOne has confirmed that it suffered a ransomware attack earlier this week. The company says that the incident has caused “availability issues” for six of its managed services customers.

Note:

  • This attack appears to be caused by a version of the REvil (Sodinokibi) ransomware, which also impacted 23 local governments across Texas earlier this year. Consider the impact/risks if one of your providers, such as your colocation service or your MSP, is impacted, and doesn’t plan to pay the ransom, as is indicated in this case; are you prepared with alternatives to continue operations for the duration of the incident?
  • The six customers are called “collateral damage.” The drug company, Merck, was such collateral damage when one of its service providers was compromised. It has caused them to re-think and restructure their relationship with the thousands of providers in their “supply chain.”

Read more in: ZDNet > Ransomware attack hits major US data center provider

Illinois School District Hit with Ransomware. The Sycamore Community School District 427 in Illinois has been hit with ransomware. The attack appears to be limited to the district’s “internal technology servers;” many other district systems, including email, phones, and student information systems are reportedly not infected.

Read more in: edscoop > Yet another school district hit by ransomware, this time in Illinois

Evil Corp. Hacking Group Indictments. US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly “led one of the most sophisticated transnational cybercrime syndicates in the world,” according to a US Department of Justice press release.

Man-in-the-Middle Attack Used to Steal Venture Capital Investment. Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.

Note: Verify the log retention period and access requirements for your email and related systems before an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient.

Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters’ Online Forum. A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China’s Great Cannon was first described by Citizen Lab in April 2015.

ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in the Middle East. IBM has detected new malware, dubbed ZeroCleare, that has been used to wipe data at energy and industrial sector organizations in the Middle East. The targeted attacks were likely the work of Iranian state-sponsored hackers.

Note: We must move away from the default access control rule of “read/write,” convenient but risky, to “read-only” for data and “execute only” for programs, marginally less convenient but you will get over it.

US Senators Get Classified Ransomware Briefing. US legislators received a classified briefing about the threat of ransomware on Wednesday, December 5. Christopher Krebs, director of the US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) spoke to the Senate Cybersecurity Caucus.

Note:

  • Briefings like this are needed to ensure continued support of initiatives and resources to help state and local governments which may not have access to the needed tools and information to implement needed protections in the current threat environment. That said, with the current active exploitation environment, waiting for external help is ill-advised.
  • Ransomware is now the preferred way to monetize compromised systems and enterprises. We know that the vectors for attacks are e-mail and browsers, but we fail to isolate these from mission-critical data, applications, and systems. We know that the vulnerability includes the capability for the system user to modify it on the fly, but we fail to lock them down by denying the user admin privileges and by restricting “write” access. This is not mere negligence but borders on recklessness.

Rich Communication Services Implementations Found to be Insecure. Researchers have found that telecommunications carriers are implementing a new messaging standard in ways that could allow communications to be intercepted, modified, or spoofed. The Rich Communication Services (RCS) standard is fairly new and has a broader range of features than SMS.

Note:

  • What’s being called into question are implementation flaws, rather than flaws in the protocol itself. RCS shows promise to provide a more secure alternative to SMS and avoid the pitfalls in SS7. RCS is one to keep an eye on, especially when a verified secure implementation is available.
  • It looks as if messaging may be going the route of the browsers: adding features until the product is porous, not to say broken.

Siemens Provides Workaround for PLC Flaw. Siemens has released workarounds to address a vulnerability in its S7-1200 programmable logic controllers (PLCs) while it develops a fix for the problem. The issue lies in “an undocumented hardware-based special access feature,” and could be exploited to take control of vulnerable devices.

NIST Draft Guidance on Hardware Supply Chain Security. The US National Institute of Standards and Technology (NIST) has published draft guidance on hardware supply chain security, Validating the Integrity of Servers and Client Devices. NIST will accept comments on the document through January 6, 2020.

Note: This is about building standards to support supply chain security, which has been a challenge of late. The document is a short, easy read, encapsulating information from some other NIST and external documents on OEM supply chain security. Despite the short timeline and the holiday season, it’s worth reading and contributing to.

The headline on 04 December 2019

Great Plains Health Recovering From Ransomware. Great Plains Health (GPHealth) medical center is recovering from a ransomware attack. The attack occurred on Monday, November 25. The next day, GPHealth canceled a large number of non-emergency appointments and procedures. GPHealth is based in North Platte, Nebraska.

Note: Speaking of HHS notifications, in the Sentara Hospitals story below, the regulators want you to tell them all about your ransomware problems, even if you think it’s just an integrity issue and not confidentiality. HHS put out specific ransomware guidance a few years ago. Yes, it’s a breach: www.hhs.gov: FACT SHEET: Ransomware and HIPAA

Common Weakness Enumeration List Updated. The MITRE Corp. has updated the Common Weakness Enumeration (CWE) list. According to MITRE, the CWE Top 25 is “a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.” Topping the revised list is “Improper Restriction of Operations within the Bounds of a Memory Buffer.” Cross-site scripting errors are listed second. SQL injection vulnerabilities, which topped the previous version of the list, are now in sixth place. MITRE Corp. operates the Department of Homeland Security’s (DHS’s) Systems Engineering and Development Institute.

Note: Sadly, we can enumerate our errors but not fix them. Part of the problem here is the von Neumann Architecture, part of the languages we use, part that the programmer does not, or cannot, know the environment in which his program will run, and only a small part that it is a hard problem. However, a good craftsman does not blame his tools. If we insist upon using flawed tools for hard problems, we must train to compensate for them. Our tolerance for shoddy continues to be an embarrassment.

Read more in:

Google Warns Users of Nation-State Email Hacking. In three months earlier this year, Google notified more than 12,000 users that their accounts were being targeted in phishing attacks conducted by government-backed hackers. The majority of alerts were sent to users in South Korea, Pakistan, Vietnam, and the US.

Note: SANS instructor Heather Mahalik did a great talk at the SANS keynote threat panel at the RSA conference on how much information many users expose to cloud-based email providers such as Gmail, and common ways attackers use social media paths to trick users into exposing password reset info. Heather gave great advice to give to executives. You can see a summary with links in the white paper at www.sans.org: SANS Top New Attacks and Threat Report (PDF)

Read more in:

Sentara Hospitals Fined for Failing to Properly Report Breach to HHS. Virginia-based Sentara Hospitals has agreed to a $2.2 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) over violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR launched its investigation after learning that Sentara had mailed nearly 600 patients’ personal health information to the wrong addresses. Sentara has also agreed to “a corrective action plan.”

Note: The fine works out to about $3,600 per record exposed, a really scary number that will be good ammunition for getting senior management attention. In 2019, HHS has issued 7 fines averaging just under $2M each – the size of the fines is more related to large process deficiencies than to the size of the breach. The average profit margin in healthcare is in the 5% range, meaning that a $2M fine essentially cancels out $40M in revenue! That is a better number to use when trying to justify the spending needed to reach basic security hygiene levels.

Read more in:

Piracy Sites Shut Down. Europol, working with law enforcement teams from 18 countries, has shut down more than 30,000 Internet domain names for trafficking in pirated digital content and counterfeit products and pharmaceuticals. Officials have also seized physical property, frozen at least €150,000 (US $165,000) in several bank accounts, and arrested three individuals in connection with the investigation.

Read more in:

Imminent Monitor RAT Operation Shut Down. Law enforcement officials from multiple countries cooperated to take down the infrastructure supporting a malware operation known as Imminent Monitor, a remote access Trojan (RAT) that has been sold online since 2013. The investigation was led by the Australian Federal Police and aided by authorities in Belgium, New Zealand, the UK, the US, and other countries.

Note: Well done to all involved in this takedown. A timely reminder that international cooperation is key to tackling the scourge of online crime. It is also a good time to highlight again the No More Ransom website supported by Europol which distributes the known decryption keys for ransomware strains. You can access it for free at www.nomoreransom.org

Read more in:

CISA Wants US Government Agencies to Establish Vulnerability Disclosure Programs. The US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has issued a draft binding operational directive (BOD 20-01) that would require civilian agencies to establish vulnerability disclosure programs, as well as a plan for managing security issues that are reported. CISA is accepting comments on the draft document through December 27, 2019.

Note:

  • Large technology companies in private industry went through this over a decade ago, and the results were overwhelmingly positive. It would be good to see CISA provide a strawman vulnerability disclosure policy as a starting point for all the departments and agencies.
  • The guidance on the BOD 20-01 web site includes all the aspects needed as well as timelines; providing a sample policy would help agencies meet the deliverables, as well as avoiding “wrong-rock” iterations. The directive includes additional FISMA reporting requirements associated with the disclosure program starting in FY21. While well-intended, not every agency has the resources or process maturity to meet the tracking, verification, response and reporting requirements.

Read more in:

Facebook and Twitter Warn of Malicious SDKs. Twitter and Facebook have warned of certain malicious software development kits (SDKs) that could be used to steal users’ personal information. The SDKs in question are maintained by MobiBurn and oneAudience.

Note: These SDKs are being leveraged by data aggregators and have been seen on Android vs iOS. Use caution with granting excess permissions on Android applications.

Read more in:

California DMV Makes Millions Selling Drivers’ Personally Identifiable Information. According to documents obtained through a public records act request, the California Department of Motor Vehicles (DMV) has been making millions of dollars a year selling drivers’ personal information. Customers paying for the information include data brokers, credit reporting agencies, and private investigators. The data include names, addresses, and car registration information, all of which drivers must provide to get a license. The practice of DMVs selling driver data is not unique to California.

Note: No, it is not unique to California but is usually governed by law. Where it is not, it is because the legislature chooses to look the other way.

Read more in: The California DMV Is Making $50M a Year Selling Drivers’ Personal Information

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.