Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #59

July 28, 2017

TOP OF THE NEWS


In Black Hat Keynote, Facebook CSO Calls for Empathy
NIST: Criticality Analysis Process Model
Adobe Will End Support for Flash in 2020

THE REST OF THE WEEK'S NEWS


Man Arrested in Connection with DDoS Attacks Against Businesses in Australia and North America
Dutch Police Now Targeting Hansa Market Vendors
Lipizzan Spyware Infects Android Devices
GAO: IRS Information Security Still Needs Work
Arrest in Mt. Gox Bitcoin Theft Case
Italy's UniCredit Bank Reports Data Breaches
Open Source Toolkit Helps Fix SS7 Holes
3G and 4G LTE Network Vulnerability
FBI Cyber Division Chief Talks About Avalanche Takedown

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By RecordedFuture *******************************

Each day, exponentially more data and computing power becomes available. We're able to task machines to learn and understand more than ever before and, when combined with human analysis, this process can dramatically reduce laborious tasks. However, even with this surge in applicability, machine learning is still often considered a technology of the future. Learn More: http://www.sans.org/info/196980

***************************************************************************

TRAINING UPDATE

-- SANS OnDemand and vLive Training | One Week Only - 12.9" iPadPro, or $550 Off With OnDemand or vLive Training - ends August 2. 30+ courses with books, labs, mp3, & SME support. https://www.sans.org/online-security-training/specials/

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Boston 2017 | August 7-12 | https://www.sans.org/event/boston-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

--In Black Hat Keynote, Facebook CSO Calls for Empathy (July 26 & 27, 2017)

In the opening keynote address at the Black Hat conference, Facebook CSO Alex Stamos said that the cyber security industry has "perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery." Rather than pursue impressive hacks, "we have to focus on defense," Stamos said, "and broaden our scope of what we consider our responsibility." Stamos also called out the information security community for its insularity: "The security community has the tendency to punish those who implement imperfect solutions in an imperfect world," Stamos said. "We have no empathy. We don't have the ability to put ourselves in the shoes of people we are trying to protect."

[Editor Comments]
[Pescatore] Stamos reinforces my comment about root causes in the IRTS/GAO story in this issue: "We've perfected the art of finding problems over and over without addressing root issues." There is a lot of money being wasted on security consulting engagements and security products because security programs and managers aren't able to drive change in IT operations, procurement, etc. The Critical Security Controls have pointed this out for years - the top 5 controls are all about improving IT processes.

Read more in:

Technology Review: Facebook Security Chief: Cybersecurity Pros Need More Empathy to Protect Us
https://www.technologyreview.com/s/608351/facebook-security-chief-cybersecurity-pros-need-more-empathy-to-protect-us/
Threatpost: Facebook Security Boss: Empathy, Inclusion Must Come to Security
https://threatpost.com/facebook-security-boss-empathy-inclusion-must-come-to-security/127038/
BBC: Facebook calls for a more people-centric security industry http://www.bbc.com/news/technology-40671089

--NIST: Criticality Analysis Process Model (July 24, 2017)

The US National Institute of Standards and Technology has published draft guidance for agencies to help them figure out the best way to allocate their information security budgets by providing "a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals."

[Editor Comments]
[Murray] The government is already in analysis paralysis. Focus on the Top Twenty.
[Paller] Or the new Australian Top 8. The folks at NIST do NOT know as much about how attacks work as the Australian Signals Directorate who have to deal with the actual attacks. https://www.asd.gov.au/publications/protect/Essential_Eight_Maturity_Model.pdf

Read more in:

GCN: NIST's how-to for prioritizing risk
https://gcn.com/blogs/cybereye/2017/07/nist-risk-prioritization.aspx?admgarea=TC_SecCybersSec NIST: Criticality Analysis Process Model (PDF)
http://csrc.nist.gov/publications/drafts/nistir-8179/nistir-8179-draft.pdf

--Adobe Will End Support for Flash in 2020 (July 25 & 26, 2017)

Adobe has announced that it will end support for Flash Player by the end of 2020. The media player is unlikely to be missed by security professionals. As MobileIron Lead Solutions Architect James Plouffe noted, Flash "has achieved legendary status within the security community for the number and severity of its vulnerabilities."

[Editor Comments]
[Murray] 2020? Come on, guys! I am 82 years old already! Give an old man a break!
[Williams] It's easy to celebrate the security benefits of killing Flash, but this announcement means that Flash will simply no longer receive support. Flash will likely continue to be a part of a number of workflows, particularly with small to medium enterprises, for a number of years after 2020. The only difference is that users won't be receiving patches.

Read more in:

Dark Reading: Adobe's Move to Kill Flash Is Good for Security
http://www.darkreading.com/vulnerabilities---threats/adobes-move-to-kill-flash-is-good-for-security/d/d-id/1329472
The Register: Adobe will kill Flash by 2020: No more updates, support, tears, pain...
http://www.theregister.co.uk/2017/07/25/flash_nahuh_internets_screen_door_gone_for_good_by_2020/
SC Magazine: A Eulogy for Flash, dead at last, dead at last
https://www.scmagazine.com/flash-ends-two-decade-run-phasing-out-in-2020/article/677760/
Ars Technica: Adobe ending Flash support at the end of 2020
https://arstechnica.com/information-technology/2017/07/with-html5-webgl-javascript-ascendant-adobe-to-cease-flash-dev-at-end-of-2020/ Adobe: Flash & The Future of Interactive Content
https://blogs.adobe.com/conversations/2017/07/adobe-flash-update.html
*************************** SPONSORED LINKS ********************************
1) Register to learn how a micro-segmentation security strategy can help you modernize your ICS deployment without compromising security and privacy. http://www.sans.org/info/196985
2) Don't Miss: "Dissecting various real-world DGA variants" Register: http://www.sans.org/info/196990
3) See how your efforts to keep the cloud secure for business compare. | Take the SANS Cloud Security Survey | Remain anonymous or enter your name to win a $400 gift certificate. http://www.sans.org/info/196995
******************************************************************************

THE REST OF THE WEEK'S NEWS

--Man Arrested in Connection with DDoS Attacks Against Businesses in Australia and North America (July 28, 2017)

A man arrested in Seattle, Washington is suspected of having a role in cyber attacks against businesses in Australia and North America. The arrest follows an investigation of more than two years involving authorities in Australia, the US, and Canada. The suspect was allegedly involved in launching distributed denial-of-service (DDoS) attacks against businesses in those countries.

Read more in:

ZDNet: US male arrested for string of DDoS attacks against Australia, North America
http://www.zdnet.com/article/us-male-arrested-for-string-of-ddos-attacks-against-australia-north-america/
CIO: US man arrested over Aussie DDoS attacks
https://www.cio.com.au/article/625385/us-man-arrested-over-2015-ddos-attack-australia/?fp=4&fpid=51241

--Dutch Police Now Targeting Hansa Market Vendors (July 27, 2017)

Earlier this summer, Dutch police took control of the underground bazaar Hansa Market. The police are now using information obtained from the takeover to pursue vendors who sold their goods on on the underground marketplace. If the vendors used the same username and passwords combination for Hansa as they did for the Dream Market, police have been able to take over those accounts as long as the vendors did not activate two-factor authentication. Police are also using locktime files to track down the vendors.

[Editor Comments]
[Stephen Northcutt] The Law Enforcement, (LE), use of locktime files, (originally text files), used to facilitate crypto currency transactions. Another surprise for me was the extensive use of Reddit by the Hansa community. The URL of one of the more innocuous posts is below, guess I need to get an account and start browsing; always something.
https://www.reddit.com/r/DarkNetMarkets/comments/6ok7ym/hansa_locktimes_a_guide_for_vendors/

Read more in:

Bleeping Computer: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts
https://www.bleepingcomputer.com/news/security/crooks-reused-passwords-on-the-dark-web-so-dutch-police-hijacked-their-accounts/

--Lipizzan Spyware Infects Android Devices (July 26 & 27, 2017)

Spyware known as Lipizzan has been used in targeted attacks against Android devices. Once a device has been infected, Lipizzan can be used to monitor communications and location, and send data back to attackers. While Lipizzan has been found on fewer than 100 devices, its functionality and small range of infection suggest it was being used to target specific individuals. Google has blocked all developers and apps that have been associated with Lipizzan from the Android ecosystem. In addition, a new security tool, Google Play Protect, has notified affected devices and removed Lipizzan from those devices.

[Editor Comments]
[Neely] Take notice of Google Play Protect, released last week, this is Google's tool to combat malware, and will be on the front line for detection, intervention and uninstalling detected Android malware. Base Android malware protection measures should now be: opt in to Google Play Protect, only install apps from the Google Play Store, keep your device updated, and don't enable unknown app sources.

Read more in:

ZDNet: This Android spyware can record calls, take screenshots and video, targets Gmail, LinkedIn, Snapchat data
http://www.zdnet.com/article/this-android-spyware-can-record-calls-take-screenshots-and-video-targets-gmail-linkedin-snapchat/
Wired: Google Finds and Blocks Spyware Linked to Cyberarms Group
https://www.wired.com/story/lipizzan-android-malware-nation-state/
Android Developers Blog: From Chrysaor to Lipizzan: Blocking a new targeted spyware family
https://android-developers.googleblog.com/2017/07/from-chrysaor-to-lipizzan-blocking-new.html

--GAO: IRS Information Security Still Needs Work (July 27, 2017)

According to a recently released Government Accountability Office (GAO) audit, the US Internal Revenue Service (IRS) has failed to fix numerous information security issues. As a result, says the report, the IRS limited in its ability to adequately protect taxpayer data.

[Editor Comments]
[Pescatore] This kind of audit result is very common. Basically, a lot of good security effort being applied but not being able to close security holes as fast as new ones are discovered. This almost always results from not addressing root cause problems - it is like bailing out a boat with a bucket vs. finding and plugging the leak. Most of the findings result from weaknesses in privilege and access management - the root cause is usually in IT operations processes and there will never be enough security buckets to keep up.
[Murray] That said, the IRS has made progress toward reducing tax refund fraud.

Read more in:

The Hill: IRS fails to resolve dozens of information security deficiencies, GAO says
http://thehill.com/policy/cybersecurity/344127-irs-fails-to-resolve-dozens-of-information-security-deficiencies-gao
GAO: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data
http://www.gao.gov/assets/690/686111.pdf

--Arrest in Mt. Gox Bitcoin Theft Case (July 26 & 27, 2017)

Authorities in Greece have arrested a man believed to be involved in the laundering of stolen Bitcoin. Alexander Vinnik is the owner of the BTC-e Bitcoin trading platform, which has allegedly been used to launder stolen cryptocurrency, including 375 million USD worth of Bitcoin stolen from Mt Gox in 2014. Vinnik has been indicted by a grand jury in California; US authorities plan to start extradition proceedings.

[Editor Comments]

[Williams] If nothing else, this story highlights the power of blockchain analysis. Large crypto currency thefts are hard to convert to fiat currency. Bitcoin mixing services are useful for laundering small amounts, but larger amounts remain problematic. This is likely why we haven't seen WannaCry attackers cash out their BitCoin.

Read more in:

The Register: Greek police arrest chap accused of laundering $4bn of Bitcoin
http://www.theregister.co.uk/2017/07/27/greek_police_arrest_alleged_russian_bitcoin_launderer/
ZDNet: Russian Bitcoin exchange chief arrested in connection to Mt. Gox 'hack'
http://www.zdnet.com/article/russian-bitcoin-exchange-chief-arrested-in-connection-to-mt-gox-hack/
BleepingComputer: BTC-e Owner Arrested for Laundering Stolen Bitcoin, Ransomware Payments
https://www.bleepingcomputer.com/news/security/btc-e-owner-arrested-for-laundering-stolen-bitcoin-ransomware-payments/
DoJ: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox
https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged

--Italy's UniCredit Bank Reports Data Breaches (July 26 & 27, 2017)

A pair of data security breaches at Italy's UniCredit bank has compromised 400,000 loan customers' account information. UniCredit says that the breach occurred through the systems of an unnamed third-party provider. The first of the two breaches took place in September and October 2016; the second occurred in June and July 2017.

[Editor Comments]
[Murray] Outsiders attack deposit accounts. Insiders attack loan accounts.

Read more in:

V3: Italy's biggest bank, UniCredit, suffers major cyber breach
https://www.v3.co.uk/v3-uk/news/3014648/major-italian-bank-suffers-major-cyber-incident
BBC: Hack on Italy's largest bank affects 400,000 customers
http://www.bbc.com/news/technology-40728447
Bloomberg: Hackers Breach 400,000 UniCredit Bank Accounts for Data
https://www.bloomberg.com/news/articles/2017-07-26/unicredit-says-400-000-clients-affected-by-security-breach

--Open Source Toolkit Helps Fix SS7 Holes (July 26, 2017)

Researchers have developed an open source toolkit that can be used to help fix vulnerabilities in Signaling System 7 (SS7). Flaws in the SS7 standard, which was created to allow interoperability between mobile carrier systems, have been used to steal money from bank accounts.

Read more in:

Wired: An Open-Source Toolkit to Help Patch Cell Networks' Critical Flaw
https://www.wired.com/story/ss7-flaw-open-source-toolkit/

--3G and 4G LTE Network Vulnerability (July 26, 2017)

A flaw in a cryptographic protocol used in 3G and 4G LTE mobile networks could be exploited to conduct surveillance and location tracking. The vulnerability does not allow attackers to intercept calls or messages.

Read more in:

ZDNet: Security flaw in 3G, 4G LTE networks lets hackers track phone locations
http://www.zdnet.com/article/stingray-security-flaw-cell-networks-phone-tracking-surveillance/
WCCFtech: 2G Was Too Weak? Turns Out 3G & 4G Networks Are Also Prone to Stingray Surveillance Attacks
http://wccftech.com/3g-4g-lte-stingray-surveillance/

--FBI Cyber Division Chief Talks About Avalanche Takedown (July 26, 2017)

At the Black Hat conference in Las Vegas, FBI cyber division unit chief Tom Grasso described the Avalanche takedown, which occurred in December 2016. More than half a million systems were affected by Avalanche, which enabled botnets. The takedown operation was a cooperative effort involving the FBI, foreign governments, international organizations, and private companies.

Read more in:

DarkReading: FBI Talks Avalanche Botnet Takedown
http://www.darkreading.com/attacks-breaches/fbi-talks-avalanche-botnet-takedown/d/d-id/1329473?

INTERNET STORM CENTER TECH CORNER

Adobe Announces End of Flash for 2020

https://blogs.adobe.com/conversations/2017/07/adobe-flash-update.html

JA3 Hash To Fingerprint SSL/TLS Connections

https://github.com/salesforce/ja3
https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41

New Wave of Apple iCloud Ransom Attacks

https://www.heise.de/mac-and-i/meldung/Erneut-iCloud-Erpressungswelle-ueber-Meinen-Mac-suchen-und-Mein-iPhone-suchen-3782075.html

Malspam Pushing Emotet Malware

https://isc.sans.edu/forums/diary/Malspam+pushing+Emotet+malware/22650/

Broadpwn Released

http://blog.exodusintel.com/2017/07/26/broadpwn/

Microsoft Announces Windows 10 Bug Bounty

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

Custom Map Vulnerability in Valve Games

https://oneupsecurity.com/research/remote-code-execution-in-source-games

Targeting HTTP's Hidden Attack-Surface

http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html

Petya/Goldeneye Decryptor

https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/

TinyPot, My Small Honeypot

https://isc.sans.edu/forums/diary/TinyPot+My+Small+Honeypot/22654/

Shaun McCullough

https://www.sans.org/reading-room/whitepapers/testing/docker-create-multi-container-environments-research-sharing-lateral-movement-37855


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create