Inside Security - December 9th, 2019


OS flaw could lead to VPN hijack / Forum finds Windows 7 ESU bypass / Panels back cyber command center


1. University of New Mexico researchers have disclosed a vulnerability in Linux, macOS, and other Unix-like operating systems that could allow an attacker on the same local network (a rogue Wi-Fi access point, for example) to hijack virtual private network (VPN) sessions. The flaw lets the attacker determine that a user is connected to a VPN, spy on the session, and inject data into its active TCP connections, potentially tampering with a web page and compromising the browser. Because the weakness lies in how the operating systems' network stacks handle routing rather than in the VPN protocols themselves, it affects established protocols such as OpenVPN and IKEv2/IPsec and newer ones such as WireGuard alike. Linux maintainers are preparing a patch, and the researchers are withholding a full description of the vulnerability until it ships. -- NAKED SECURITY

2. An online tech forum has found a way to install Windows 7 Extended Security Updates (ESU) without paying for them. When Microsoft ends support for Windows 7 on Jan. 14, 2020, it will continue to supply security updates only to businesses and educational institutions that buy ESU, priced between $25 and $200 per device, through January 2023. Last month Microsoft released a test ESU package so that IT administrators could confirm their systems were eligible to receive the paid updates. In response, the My Digital Life forum community developed a tool that bypasses Microsoft's eligibility check and installs the test update. Microsoft is likely to change the check to stop the tool from working, but the company has historically struggled to keep such Windows licensing bypasses from working. -- ZDNET

3. The president's National Infrastructure Advisory Council is recommending the creation of a command center to improve sharing and processing of public and private cybersecurity data concerning critical infrastructure (CI) threats. In addition, the council backs the establishment of a Federal Cybersecurity Commission "to mitigate catastrophic cyber risks to critical infrastructure that have potential national security impacts." It also recommends measures designed to secure the supply chain of critical cyber components for privately run CI facilities. -- CISA

4. Facebook is suing Hong Kong-based ILikeAd Media International Company and two Chinese nationals, Chen Xiaocong and Huang Tao, for allegedly hijacking hundreds of thousands of Facebook accounts to run bogus ads for counterfeit goods. Beginning in 2016, the defendants created and distributed malware designed to extract ad-related information about victims. Facebook said they used images of celebrities in ads for their counterfeit products and a cloaking technique to disguise an ad's true destination link. Facebook is seeking an injunction to stop the defendants from continuing the scheme, as well as damages and court costs. -- TECHNODE

5. Hackers have carried out a ransomware attack on a Colorado IT company that provides services to dental offices, disrupting operations at more than 100 dental practices, according to security researcher Brian Krebs. Complete Technology Solutions (CTS) was infected by the Sodinokibi (also known as REvil) ransomware, the same family that hit Wisconsin dental IT provider PerCSoft in August. Krebs reported that CTS declined to pay the $700,000 ransom demanded to unlock infected systems at customer sites. The dental practices use CTS for network security, data backup, and voice-over-IP phone services. There was no indication that patient data was compromised. -- KREBS ON SECURITY

6. Amazon Web Services has released AWS IAM Access Analyzer, a feature of Identity and Access Management that helps users find and fix leaky Amazon S3 buckets. It generates a finding whenever a resource policy grants access to a principal outside the account (the analyzer's "zone of trust"), for example a bucket configured for public access or shared with another AWS account. Administrators can then review each finding and either restrict the policy before sensitive data is exposed or archive the finding if the access is intended. The analyzer also evaluates the policies of AWS KMS keys, Amazon SQS queues, IAM roles (their trust policies), and AWS Lambda functions. -- BITDEFENDER
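To make the kind of check Access Analyzer performs concrete, here is an added Python example (not AWS code and not the service's actual evaluation engine) that scans an S3 bucket policy for Allow statements whose principal is public or belongs to another account. The bucket name, account ids, and the three sample policies are constructed for illustration; the real analyzer additionally evaluates Conditions and organization-wide trust, which this toy ignores.

```python
"""Illustrative re-implementation of the core IAM Access Analyzer check:
flag Allow statements whose Principal lies outside the trusted account.
Added example, not AWS code; Conditions and org-level trust are ignored."""
import json
import re

# Accounts appear in IAM/STS ARNs as the 12-digit field after the second "::".
_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _aws_principals(principal):
    """Flatten Principal ("*", {"AWS": ...}, {"AWS": [...]}, {"Service": ...})
    into a list of strings. Only the "AWS" key can name an external account;
    service principals such as cloudtrail.amazonaws.com are not accounts."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def _account_of(principal):
    """12-digit account behind a principal, "*" for anyone, None if unknown."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):  # bare account id is valid shorthand
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def analyze_policy(policy_json, trusted_account):
    """Return findings for Allow statements granting access outside
    trusted_account: dicts with the Sid, the principal and a kind of
    "public" or "cross-account". Deny and same-account statements yield none."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt.get("Principal", {})):
            account = _account_of(principal)
            if account == "*":
                kind = "public"
            elif account is not None and account != trusted_account:
                kind = "cross-account"
            else:
                continue
            findings.append({"sid": stmt.get("Sid", ""),
                             "principal": principal, "kind": kind})
    return findings


# Constructed sample policies for a bucket owned by account 111111111111.
TRUSTED_ACCOUNT = "111111111111"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]})

CROSS_ACCOUNT_WRITE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]})

# Same-account role, a service principal, and a "deny insecure transport"
# statement: none of these should produce a finding.
INTERNAL_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployRoleRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Deploy"]},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    {"Sid": "CloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/AWSLogs/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for name, policy in [("PUBLIC_READ", PUBLIC_READ),
                         ("CROSS_ACCOUNT_WRITE", CROSS_ACCOUNT_WRITE),
                         ("INTERNAL_ONLY", INTERNAL_ONLY)]:
        print(name, analyze_policy(policy, TRUSTED_ACCOUNT))
```

In a real account the equivalent is `aws accessanalyzer create-analyzer --analyzer-name <name> --type ACCOUNT` followed by `aws accessanalyzer list-findings --analyzer-arn <arn>`; each finding reports the resource, the external principal, and an `isPublic` flag. Because the service evaluates Conditions, a statement scoped with `aws:PrincipalOrgID` or a VPC endpoint condition is not necessarily reported, whereas the toy above would flag it; treat the toy as a first-pass lint, not a replacement for the analyzer.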

7. A U.S. federal judge has sentenced two Romanian nationals to prison for developing and operating a fraud scheme built on the Bayrob malware, the Department of Justice announced. Bogdan Nicolescu was sentenced to 20 years in prison and Radu Miclaus to 18 years; both were convicted in April. Their scheme relied on a botnet of more than 400,000 infected computers, which they used to steal credit card numbers that netted them more than $4.5 million on the dark web. -- SECURITY WEEK

8. The U.S. Department of Defense is working with smaller vendors to help them meet defense contractor cybersecurity mandates, a department spokeswoman said. The department is concerned about the cybersecurity of small companies that are subcontractors to the larger prime contractors. DoD is working with the prime contractors and industry associations to improve cybersecurity compliance of the smaller subcontractors. The DoD will provide training and resources to help small companies achieve Cybersecurity Maturity Model Certification (CMMC) for vendor security. "We understand the challenge to small companies ... We will find innovative ways to help make them cyber secure with the help of our large primes as well," said Ellen Lord, undersecretary of defense for acquisition and sustainment. -- DOD

9. The U.K.'s Information Commissioner's Office has published updated guidance on processing special category data, which requires additional protection under the European Union's General Data Protection Regulation (GDPR). Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic and biometric data; and data concerning health, sex life, or sexual orientation. The guidance gives examples of what counts as special category data and explains how organizations can comply with GDPR while processing it. -- DLA PIPER

10. NSW Ambulance, the ambulance service of the Australian state of New South Wales, is expected to settle a class action lawsuit over sensitive health and personal data that a contractor accessed and sold. The suit was brought by Centennial Lawyers on behalf of the 130 employees and contractors affected by the breach. The contractor was subsequently convicted of unlawfully selling those staff members' workers' compensation files to a group of personal injury lawyers. The files contained sensitive information, including mental health details about paramedics. -- CIO

Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.

Copyright © 2020, All rights reserved.

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
