
Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #57

July 21, 2017


Dark Web Market Sites Taken Down
CyberStart Program Helps Identify Cybersecurity Aptitude
Devil's Ivy Exploits IoT Flaw in Millions of Devices


Tor Bug Bounty
FCC Lacks Documentation of Alleged DDoS Attack
Apple Updates
Prison Sentence for Citadel Developer Vartanyan
US State Dept. Folding Cyber Office into Another Bureau
Oracle's Critical Patch Update
Cisco Fixes WebEx Flaw




--Dark Web Market Sites Taken Down (July 20, 2017)

Law enforcement authorities around the world worked together to take down two criminal online marketplaces, AlphaBay and Hansa Market, which sold narcotics, firearms, and other illegal products. AlphaBay was taken offline on July 5; Hansa has been under the control of Dutch law enforcement authorities since June 20. At least two people have been arrested in connection with the sites and millions of dollars' worth of assets have been frozen.

[Editor Comments]

[Shawn Henry] Law Enforcement must disrupt adversary infrastructure in order to have a more significant impact on their operations. Making things more difficult and more costly for them decreases adversary revenue, requires more adversary effort, and begins to have a deterrent effect on the adversary over the long term. These organized crime adversary groups are businesses, in reality, and disruption of business operations will result in better outcomes for the private sector.
Read more in:

BBC: AlphaBay and Hansa dark web markets shut down
CNET: Largest dark web market closed in massive government takedown
KrebsOnSecurity: Exclusive: Dutch Cops on AlphaBay 'Refugees'
CyberScoop: Justice Department announces shutdown of AlphaBay, Hansa dark markets
WSJ: Global Crackdown Closes Two Large Illegal-Goods Websites

--CyberStart Program Helps Identify Cybersecurity Aptitude (July 18, 2017)

Seven US states will join SANS this summer to host a free online cybersecurity training game called CyberStart. The program teaches the foundations of cybersecurity and helps identify those with the natural talent and problem-solving skills well suited to the challenges that cybersecurity professionals face. CyberStart qualifying rounds run through July 28; the game itself runs August 1-28. The program is open to people aged 16 and older. The top 100 players will receive full scholarships to the 2018 CyberStart essentials cyber skills development program. The very top performers will be eligible to apply for grants and scholarships for advanced cybersecurity training.

[Editor Comments]

[Neely] I wish I had this option when I was young, allowing me to focus hacking efforts on a positive goal. Identification of skills leveraging gamification is huge, and providing direction towards cyber careers will help fill the deficit of cyber security talent in the workplace.

Read more in:

GovTech: 7 States Partner with SANS Institute to Offer Free Training, Grow Cybersecurity Workforce
SANS: What is CyberStart?

--Devil's Ivy Exploits IoT Flaw in Millions of Devices (July 18, 19, & 20, 2017)

A zero-day exploit known as Devil's Ivy affects millions of Internet of Things (IoT) devices, including security cameras and access card readers. The flaw lies in the gSOAP open source code library, and it can be exploited remotely. Genivia, the company responsible for gSOAP, has released a fix for the issue.

[Editor Comments]

[Paller] This is open source code embedded by developers, and most of those developers probably forgot they used it. Even if manufacturers correct the flaw in future products, the odds are very low that consumers of IOT devices will actively manage existing devices by installing the Genivia patch.
[Williams] This is the sort of software supply chain issue that many companies are just now waking up to. The discovery of a vulnerability in a widely used library can expose a whole range of devices, many of which may never receive patches. Even though gSOAP has been patched, now downstream vendors must rebuild their code bases with the patched library and make the patches available to their customers. Even then, we know most simply won't patch. I suspect we'll hear of issues with this for years to come, much like when vendors failed to patch some end of life VPN appliances for HeartBleed. Talk to your vendors about how they'll manage patching support in cases like this, especially for those devices that are end of life.

Read more in:

CNET: Millions of IoT devices are vulnerable to widespread bug
Wired: Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices
ZDNet: Millions of IoT devices hit by 'Devil's Ivy' bug in open source code library
Motherboard: Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers


--Tor Bug Bounty (July 20, 2017)

Tor has launched a bug bounty program to detect vulnerabilities in its anonymizing network. There are bounty schedules for both the Tor network daemon and the Tor browser.

[Editor Comments]

[Pescatore] Well-managed bug bounty programs (emphasis on "well" and "managed") have proven very effective. Last year, SANS gave the Office of the Secretary of Defense a SANS Difference Makers' Award for the "Hack the Pentagon" program that has since been expanded. Interesting to see Tor using the same vendor (HackerOne) as the Pentagon!

Read more in:

ZDNet: Tor network will pay you to hack it through new bug bounty program
HackerOne: Tor

--FCC Lacks Documentation of Alleged DDoS Attack (July 20, 2017)

In response to a Freedom of Information Act (FOIA) request, the US Federal Communications Commission said it would not provide several hundred pages of documents related to an alleged distributed denial-of-service (DDoS) attack that crashed the agency's website. The FCC said that there is no written documentation because "the analysis stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation." While there are logs associated with the incident, the FCC maintains it cannot release those logs due to privacy concerns.

Read more in:

The Hill: FCC says it has no documentation of cyberattack that it claims happened
The Register: So, FCC, how about that massive DDoS? Hello? Hello...? You still there?
Ars Technica: FCC has no documentation of DDoS attack that hit net neutrality comments
RegMedia: FCC Response to FOIA Request

--Apple Updates (July 19 & 20, 2017)

Apple has released updates to address vulnerabilities in a variety of its products, including iOS, macOS, Safari, and iTunes and iCloud for Windows. The update for iOS, version 10.3.3, fixes a flaw known as BroadPwn. That vulnerability exists in Broadcom chipsets used in Apple and Android devices.

[Editor Comments]

[Neely] This is likely the last version of iOS 10 prior to the release of iOS 11 in September. The BroadPwn flaw is also fixed in the 3.2.3 watchOS update released at the same time. iOS 10.3.3 also resolves an issue where Exchange calendars synchronized with the iOS Calendar app result in phantom meeting updates/invites.
Apple's Security Updates page for details on these patches:
[Northcutt] I first heard about the pile of updates needed here:
Did some checking, seemed valid, an update for my iPhone was available so it was first. All phone functions seem fine post update. I will do my Macs after sending this, (and finishing one last backup) and the rest of the fleet tomorrow.

Read more in:

The Register: Apple hurls out patches for dozens of security holes in iOS, macOS
Threatpost: Apple Patches Broadpwn Bug in IOS 10.3.3
US-CERT: Apple Releases Security Updates

--Prison Sentence for Citadel Developer Vartanyan (July 19 & 20, 2017)

Mark Vartanyan has been sentenced to five years in prison for his role in developing and maintaining the Citadel malware toolkit. Citadel, a variant of ZeuS, was used to steal more than 500 million USD from bank accounts around the world. Vartanyan pleaded guilty to computer fraud in March 2017.

Read more in:

The Register: Remember that Citadel bank-slurping malware? Its main man was just jailed for five years
ZDNet: Russian man who helped build Citadel malware sentenced to 5 years
Ars Technica: Russian man who helped create notorious malware sentenced to 5 years
DoJ: Russian Citizen who Helped Develop the "Citadel" Malware Toolkit is Sentenced

--US State Dept. Folding Cyber Office into Another Bureau (July 19, 2017)

The US State Department plans to close the Office of the Coordinator for Cyber Issues, which was established in 2011. Its mission was to coordinate with other countries on cyber security issues. The office will merge with the State Department's Bureau of Economic and Business Affairs.

Read more in:

The Hill: State Dept. to eliminate cyber office: report
SC Magazine: State Department reorganization to shutter cyber office, lower priority

--Oracle's Critical Patch Update (July 19, 2017)

Oracle's critical patch update for July 2017 includes fixes for more than 300 security issues, making it the largest critical patch update Oracle has released. The update fixes flaws in more than 90 products. Of the 308 vulnerabilities addressed, 165 are remotely exploitable.

Read more in:

ZDNet: Oracle just released its biggest set of critical security updates
Threatpost: Oracle Releases Biggest Update Ever: 308 Vulnerabilities Patched
Oracle: Oracle Critical Patch Update Advisory - July 2017

--Cisco Fixes WebEx Flaw (July 17 & 18, 2017)

Cisco has patched a critical vulnerability in its WebEx conferencing browser extensions for Chrome and Firefox. The flaw could be exploited to allow an unauthenticated, remote user to execute code. The issue does not affect Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, or Cisco WebEx on Microsoft Edge or Internet Explorer.

Read more in:

FCW: CERT warns of Cisco WebEx vulnerability
Cisco: Cisco WebEx Browser Extension Remote Code Execution Vulnerability

Cisco WebEx Plugin Update

Node.JS DoS Vulnerability

Bitdefender Remote Stack Buffer Overflow

Coindash Hack

DowJones Leaks Customer Data via S3 Buckets

Bots Searching for Keys and Config Files

Apple Updates Everything

Trend Micro Sees SambaCry Exploits

Google Increases Developer Scrutiny

Symantec Sloppy Key Verification Leads To Revocation of Certificates

Gnome Thumbnailer Executes Code
