4 Days left to get an iPad Pro, Surface Pro, or $400 Off with Online Training!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #57

July 21, 2017

TOP OF THE NEWS


Dark Web Market Sites Taken Down
CyberStart Program Helps Identify Cybersecurity Aptitude
Devil's Ivy Exploits IoT Flaw in Millions of Devices

THE REST OF THE WEEK'S NEWS


Tor Bug Bounty
FCC Lacks Documentation of Alleged DDoS Attack
Apple Updates
Prison Sentence for Citadel Developer Vartanyan
US State Dept. Folding Cyber Office into Another Bureau
Oracle's Critical Patch Update
Cisco Fixes WebEx Flaw

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Palo Alto Networks *******************************

Don't Miss: "Win The Cyberwar With Zero Trust" This session will demonstrate how Zero Trust will not only transform network security but function as a business enabler, by focusing on the businesses grand strategic objectives. Register: http://www.sans.org/info/196745

*************************************************************************** TRAINING UPDATE

-- SANS OnDemand and vLive Training | Special MacBook Air Offer! Get a MacBook Air, HP ProBook 450 G4 or take $450 off your course until July 26. 30+ courses with books, labs, mp3, & SME support. https://www.sans.org/online-security-training/specials/

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 | https://www.sans.org/event/security-awareness-summit-2017

-- SANS Boston 2017 | August 7-12 | https://www.sans.org/event/boston-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

--Dark Web Market Sites Taken Down (July 20, 2017)

Law enforcement authorities around the world worked together to take down two criminal online marketplaces, AlphaBay and Hansa Market, which sold narcotics, firearms, and other illegal products. AlphaBay was taken offline on July 5; Hansa has been under the control of Dutch law enforcement authorities since June 20. At least two people have been arrested in connection with the sites and millions of dollars' worth of assets have been frozen.

[Editor Comments]

[Shawn Henry] Law Enforcement must disrupt adversary infrastructure in order to have a more significant impact on their operations. Making things more difficult and more costly for them decreases adversary revenue, requires more adversary effort, and begins to have a deterrent effect on the adversary over the long term. These organized crime adversary groups are businesses, in reality, and disruption of business operations will result in better outcomes for the private sector.
Read more in:

BBC: AlphaBay and Hansa dark web markets shut down
http://www.bbc.com/news/technology-40670010
CNET: Largest dark web market closed in massive government takedown
https://www.cnet.com/news/alphabay-hansa-shutdown-closed-dark-web-market-silk-road/

KrebsOnSecurity: Exclusive: Dutch Cops on AlphaBay 'Refugees'
https://krebsonsecurity.com/2017/07/exclusive-dutch-cops-on-alphabay-refugees/
CyberScoop: Justice Department announces shutdown of AlphaBay, Hansa dark markets
https://www.cyberscoop.com/alphabay-shut-down-hansa-jeff-sessions-europol/?category_news=technology
WSJ: Global Crackdown Closes Two Large Illegal-Goods Websites
https://www.wsj.com/articles/authorities-close-two-large-illegal-goods-websites-1500568971

--CyberStart Program Helps Identify Cybersecurity Aptitude (July 18, 2017)

Seven US states will join SANS this summer to host a free online cybersecurity training game called CyberStart. The program teaches the foundations of cybersecurity and helps identify those with the natural talent and problem solving skills well-suited to the challenges that cybersecurity professionals face. CyberStart qualifying rounds run through July 28; the game itself runs August 1-28. The program is open to people aged 16 and older. The top 100 players will receive full scholarships to the 2018 CyberStart essentials cyber skills development program. The very top performers will be eligible to apply for grants and scholarships for advanced cybersecurity training.

[Editor Comments]

[Neely] I wish I had this option when I was young, allowing me to focus hacking efforts on a positive goal. Identification of skills leveraging gamification is huge, and providing direction towards cyber careers will help fill the deficit of cyber security talent in the workplace.

Read more in:

GovTech: 7 States Partner with SANS Institute to Offer Free Training, Grow Cybersecurity Workforce
http://www.govtech.com/security/7-States-Partner-with-SANS-Institute-to-Offer-Free-Training-Grow-Cybersecurity-Workforce.html
SANS: What is CyberStart?
https://www.sans.org/CyberStartUS

--Devil's Ivy Exploits IoT Flaw in Millions of Devices (July 18, 19, & 20, 2017)

A zero-day exploit known as Devil's Ivy affects millions of Internet of Things (IoT) devices, including security cameras and access card readers. The flaw lies in gSOAP open source code library, and it can be exploited remotely. Genivia, the company responsible for gSOAP, has released a fix for the issue.

[Editor Comments]

[Paller] This is open source code embedded by developers, and most of those developers probably forgot they used it. Even if manufacturers correct the flaw in future products, the odds are very low that consumers of IOT devices will actively manage existing devices by installing the Genivia patch.
[Williams] This is the sort of software supply chain issue that many companies are just now waking up to. The discovery of a vulnerability in a widely used library can expose a whole range of devices, many of which may never receive patches. Even though gSOAP has been patched, now downstream vendors must rebuild their code bases with the patched library and make the patches available to their customers. Even then, we know most simply won't patch. I suspect we'll hear of issues with this for years to come, much like when vendors failed to patch some end of life VPN appliances for HeartBleed. Talk to your vendors about how they'll manage patching support in cases like this, especially for those devices that are end of life.

Read more in:

CNET: Millions of IoT devices are vulnerable to widespread bug
https://www.cnet.com/news/iot-devices-hack-bug-vulnerability-devil-ivy-exploit/
Wired: Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices
https://www.wired.com/story/devils-ivy-iot-vulnerability/
ZDNet: Millions of IoT devices hit by 'Devil's Ivy' bug in open source code library
http://www.zdnet.com/article/millions-of-iot-devices-hit-by-devils-ivy-bug-in-open-source-code-library/
Motherboard: Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers
https://motherboard.vice.com/en_us/article/gybm4b/internet-of-things-camera-axis-bug
*************************** SPONSORED LINKS ********************************
1) "Machine Learning: Practical Applications for Cyber Security" with Ismael Valenzuela and Chris Pace: Register: http://www.sans.org/info/196750
2) Learn how a micro-segmentation security strategy can help you modernize your ICS deployment without compromising security and privacy. http://www.sans.org/info/196755
3) See how your efforts to keep the cloud secure for business compare. | Take the SANS Cloud Security Survey | Remain anonymous or enter your name to win a $400 gift certificate. http://www.sans.org/info/196760
******************************************************************************

THE REST OF THE WEEK'S NEWS

--Tor Bug Bounty (July 20, 2017)

Tor has launched a bug bounty program to detect vulnerabilities in its anonymizing network. There are bounty schedules for both the Tor network daemon and the Tor browser.

[Editor Comments]

[Pescatore] Well-managed bug bounty programs (emphasis on "well" and "managed") have proven very effective. Last year, SANS gave the Office of the Secretary of Defense a SANS Difference Makers' Award for the "Hack the Pentagon" program that has since been expanded. Interesting to see Tor using the same vendor (HackerOne) as the Pentagon!

Read more in:

ZDNet: Tor network will pay you to hack it through new bug bounty program
http://www.zdnet.com/article/tor-network-wants-you-to-hack-it/
HackerOne: Tor
https://hackerone.com/torproject

--FCC Lacks Documentation of Alleged DDoS Attack (July 20, 2017)

In a response to a Freedom on Information Act (FOIA) request, the US Federal Communications Commission said it would not provide several hundred pages of documents related to an alleged distributed denial-of-service (DDoS) attack that crashed the agency's website. The FCC said that there is no written documentation because "the analysis stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation." While there are logs associated with the incident, the FCC maintains it cannot release those logs due to privacy concerns.

Read more in:

The Hill: FCC says it has no documentation of cyberattack that it claims happened
http://thehill.com/policy/technology/342971-fcc-says-it-has-no-documentation-of-cyberattack-that-it-claims-happened
The Register: So, FCC, how about that massive DDoS? Hello? Hello...? You still there?
http://www.theregister.co.uk/2017/07/20/fcc_cant_prove_ddos_attack/
Ars Technica: FCC has no documentation of DDoS attack that hit net neutrality comments
https://arstechnica.com/information-technology/2017/07/fcc-has-no-documentation-of-ddos-attack-that-hit-net-neutrality-comments/
RegMedia: FCC Response to FOIA Request
https://regmedia.co.uk/2017/07/20/fccgizmodofoia.pdf

--Apple Updates (July 19 & 20, 2017)

Apple has released updates to address vulnerabilities in a variety of its products, including iOS, macOS, Safari and iTunes and iCloud for Windows. The update for iOS, version 10.3.3, fixes a flaw known as BroadPwn. That vulnerability exists in Broadcom chipsets used in Apple and Android devices.

[Editor Comments]

[Neely] This is likely the last version of iOS 10 prior to the release of iOS 11 in September. The BroadPwn flaw is also fixed in the 3.2.3 watchOS update released at the same time. iOS 10.3.3 also resolves an issue where Exchange calendars synchronized with the iOS Calendar app results in phantom meeting updates/invites.
Apple's Security Updates page for details on these patches: https://support.apple.com/en-us/HT201222
[Northcutt] I first heard about the pile of updates needed here:
http://bgr.com/2017/07/20/ios-10-3-3-update-fixes-iphone-broadpwn-malware/
Did some checking, seemed valid, an update for my iPhone was available so it was first. All phone functions seem fine post update. I will do my Macs after sending this, (and finishing one last backup) and the rest of the fleet tomorrow.

Read more in:

The Register: Apple hurls out patches for dozens of security holes in iOS, macOS
http://www.theregister.co.uk/2017/07/19/apple_patches_ios_os_x_flaws/
Threatpost: Apple Patches Broadpwn Bug in IOS 10.3.3
https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/ US-CERT: Apple Releases Security Updates
https://www.us-cert.gov/ncas/current-activity/2017/07/19/Apple-Releases-Security-Updates

--Prison Sentence for Citadel Developer Vartanyan (July 19 & 20, 2017)

Mark Vartanyan has been sentenced to five years in prison for his role in developing and maintaining the Citadel malware toolkit. Citadel, a variant of ZeuS, was used to steal more than 500 million USD from bank accounts around the world. Vartanyan pleaded guilty to computer fraud in March 2017.

Read more in:

The Register: Remember that Citadel bank-slurping malware? Its main man was just jailed for five years
http://www.theregister.co.uk/2017/07/20/citadel_malware_dev_gets_5yrs/
ZDNet: Russian man who helped build Citadel malware sentenced to 5 years
http://www.zdnet.com/article/russian-helped-build-notorious-citadel-malware-prison-sentence/
Ars Technica: Russian man who helped create notorious malware sentenced to 5 years
https://arstechnica.com/tech-policy/2017/07/russian-man-who-helped-create-notorious-malware-sentenced-to-5-years/
DoJ: Russian Citizen who Helped Develop the "Citadel" Malware Toolkit is Sentenced
https://www.justice.gov/usao-ndga/pr/russian-citizen-who-helped-develop-citadel-malware-toolkit-sentenced-0t

--US State Dept. Folding Cyber Office into Another Bureau (July 19, 2017)

The US State Department plans to close the Office of the Coordinator for Cyber Issues, which was established in 2011. Its mission was to coordinate with other countries on cyber security issues. The office will merge with the State Department's Bureau of Economic and Business Affairs.

Read more in:

The Hill: State Dept. to eliminate cyber office: report
http://thehill.com/policy/cybersecurity/342698-state-dept-to-eliminate-cyber-office-report
SC Magazine: State Department reorganization to shutter cyber office, lower priority
https://www.scmagazine.com/state-department-reorganization-to-shutter-cyber-office-lower-priority/article/676176/

--Oracle's Critical Patch Update (July 19, 2017)

Oracle's critical patch update for July 2017 includes fixes for more than 300 security issues, making it the largest critical patch update Oracle has released. The update fixes flaws in more than 90 products. Of the 308 vulnerabilities addressed, 165 are remotely exploitable.

Read more in:

ZDNet: Oracle just released its biggest set of critical security updates
http://www.zdnet.com/article/oracle-just-released-its-biggest-set-of-critical-security-updates/
Threatpost: Oracle Releases Biggest Update Ever: 308 Vulnerabilities Patched
https://threatpost.com/oracle-releases-biggest-update-ever-308-vulnerabilities-patched/126910/
Oracle: Oracle Critical Patch Update Advisory - July 2017
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

--Cisco Fixes WebEx Flaw (July 17 & 18, 2017

Cisco has patched a critical vulnerability in its WebEx conferencing browser extensions for Chrome and Firefox. The flaw could be exploited to allow an unauthenticated, remote user to execute code. The issue does not affect Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, or Cisco WebEx on Microsoft Edge or Internet Explorer.

Read more in:

FCW: CERT warns of Cisco WebEx vulnerability
https://fcw.com/articles/2017/07/18/webex-bugfix-rockwell.aspx
Cisco: Cisco WebEx Browser Extension Remote Code Execution Vulnerability
http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html

Cisco WebEx Plugin Update

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex
https://bugs.chromium.org/p/project-zero/issues/detail?id=1324&desc=2

Node.JS DoS Vulnerability

https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

Bitdefender Remote Stack Buffer Overflow

https://landave.io/2017/07/bitdefender-remote-stack-buffer-overflow-via-7z-ppmd/

Coindash Hack

https://twitter.com/coindashio/status/886936799695818752
https://www.coindash.io

DowJones Leaks Customer Data via S3 Buckets

https://www.upguard.com/breaches/cloud-leak-dow-jones

Bots Searching for Keys and Config Files

https://isc.sans.edu/forums/diary/Bots+Searching+for+Keys+Config+Files/22630/

Apple Updates Everything

https://support.apple.com/en-us/HT201222

Trend Micro Sees SambaCry Exploits

http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry/

Google Increases Developer Scrutiny

https://developers.googleblog.com/2017/05/updating-developer-identity-guidelines.html

Symantec Sloppy Key Verification Leads To Revocation of Certificates

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Gnome Thumbnailer Executes Code

http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create