

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #59

July 28, 2017


In Black Hat Keynote, Facebook CSO Calls for Empathy
NIST: Criticality Analysis Process Model
Adobe Will End Support for Flash in 2020


Man Arrested in Connection with DDoS Attacks Against Businesses in Australia and North America
Dutch Police Now Targeting Hansa Market Vendors
Lipizzan Spyware Infects Android Devices
GAO: IRS Information Security Still Needs Work
Arrest in Mt. Gox Bitcoin Theft Case
Italy's UniCredit Bank Reports Data Breaches
Open Source Toolkit Helps Fix SS7 Holes
3G and 4G LTE Network Vulnerability
FBI Cyber Division Chief Talks About Avalanche Takedown





--In Black Hat Keynote, Facebook CSO Calls for Empathy (July 26 & 27, 2017)

In the opening keynote address at the Black Hat conference, Facebook CSO Alex Stamos said that the cyber security industry has "perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery." Rather than pursue impressive hacks, "we have to focus on defense," Stamos said, "and broaden our scope of what we consider our responsibility." Stamos also called out the information security community for its insularity: "The security community has the tendency to punish those who implement imperfect solutions in an imperfect world," Stamos said. "We have no empathy. We don't have the ability to put ourselves in the shoes of people we are trying to protect."

[Editor Comments]
[Pescatore] Stamos reinforces my comment about root causes in the IRS/GAO story in this issue: "We've perfected the art of finding problems over and over without addressing root issues." There is a lot of money being wasted on security consulting engagements and security products because security programs and managers aren't able to drive change in IT operations, procurement, etc. The Critical Security Controls have pointed this out for years - the top 5 controls are all about improving IT processes.

Read more in:

Technology Review: Facebook Security Chief: Cybersecurity Pros Need More Empathy to Protect Us
Threatpost: Facebook Security Boss: Empathy, Inclusion Must Come to Security
BBC: Facebook calls for a more people-centric security industry http://www.bbc.com/news/technology-40671089

--NIST: Criticality Analysis Process Model (July 24, 2017)

The US National Institute of Standards and Technology has published draft guidance for agencies to help them figure out the best way to allocate their information security budgets by providing "a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals."

[Editor Comments]
[Murray] The government is already in analysis paralysis. Focus on the Top Twenty.
[Paller] Or the new Australian Top 8. The folks at NIST do NOT know as much about how attacks work as the Australian Signals Directorate who have to deal with the actual attacks. https://www.asd.gov.au/publications/protect/Essential_Eight_Maturity_Model.pdf

Read more in:

GCN: NIST's how-to for prioritizing risk https://gcn.com/blogs/cybereye/2017/07/nist-risk-prioritization.aspx?admgarea=TC_SecCybersSec
NIST: Criticality Analysis Process Model (PDF)

--Adobe Will End Support for Flash in 2020 (July 25 & 26, 2017)

Adobe has announced that it will end support for Flash Player by the end of 2020. The media player is unlikely to be missed by security professionals. As MobileIron Lead Solutions Architect James Plouffe noted, Flash "has achieved legendary status within the security community for the number and severity of its vulnerabilities."

[Editor Comments]
[Murray] 2020? Come on, guys! I am 82 years old already! Give an old man a break!
[Williams] It's easy to celebrate the security benefits of killing Flash, but this announcement means that Flash will simply no longer receive support. Flash will likely continue to be a part of a number of workflows, particularly with small to medium enterprises, for a number of years after 2020. The only difference is that users won't be receiving patches.

Read more in:

Dark Reading: Adobe's Move to Kill Flash Is Good for Security
The Register: Adobe will kill Flash by 2020: No more updates, support, tears, pain...
SC Magazine: A Eulogy for Flash, dead at last, dead at last
Ars Technica: Adobe ending Flash support at the end of 2020 https://arstechnica.com/information-technology/2017/07/with-html5-webgl-javascript-ascendant-adobe-to-cease-flash-dev-at-end-of-2020/
Adobe: Flash & The Future of Interactive Content


--Man Arrested in Connection with DDoS Attacks Against Businesses in Australia and North America (July 28, 2017)

A man arrested in Seattle, Washington is suspected of having a role in cyber attacks against businesses in Australia and North America. The arrest follows an investigation of more than two years involving authorities in Australia, the US, and Canada. The suspect was allegedly involved in launching distributed denial-of-service (DDoS) attacks against businesses in those countries.

Read more in:

ZDNet: US male arrested for string of DDoS attacks against Australia, North America
CIO: US man arrested over Aussie DDoS attacks

--Dutch Police Now Targeting Hansa Market Vendors (July 27, 2017)

Earlier this summer, Dutch police took control of the underground bazaar Hansa Market. The police are now using information obtained from the takeover to pursue vendors who sold their goods on the underground marketplace. If the vendors used the same username and password combination for Hansa as they did for the Dream Market, police have been able to take over those accounts as long as the vendors did not activate two-factor authentication. Police are also using locktime files to track down the vendors.

[Editor Comments]
[Stephen Northcutt] The Law Enforcement, (LE), use of locktime files, (originally text files), used to facilitate crypto currency transactions. Another surprise for me was the extensive use of Reddit by the Hansa community. The URL of one of the more innocuous posts is below, guess I need to get an account and start browsing; always something.

Read more in:

Bleeping Computer: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

--Lipizzan Spyware Infects Android Devices (July 26 & 27, 2017)

Spyware known as Lipizzan has been used in targeted attacks against Android devices. Once a device has been infected, Lipizzan can be used to monitor communications and location, and send data back to attackers. While Lipizzan has been found on fewer than 100 devices, its functionality and small range of infection suggest it was being used to target specific individuals. Google has blocked all developers and apps that have been associated with Lipizzan from the Android ecosystem. In addition, a new security tool, Google Play Protect, has notified affected devices and removed Lipizzan from those devices.

[Editor Comments]
[Neely] Take notice of Google Play Protect, released last week, this is Google's tool to combat malware, and will be on the front line for detection, intervention and uninstalling detected Android malware. Base Android malware protection measures should now be: opt in to Google Play Protect, only install apps from the Google Play Store, keep your device updated, and don't enable unknown app sources.

Read more in:

ZDNet: This Android spyware can record calls, take screenshots and video, targets Gmail, LinkedIn, Snapchat data
Wired: Google Finds and Blocks Spyware Linked to Cyberarms Group
Android Developers Blog: From Chrysaor to Lipizzan: Blocking a new targeted spyware family

--GAO: IRS Information Security Still Needs Work (July 27, 2017)

According to a recently released Government Accountability Office (GAO) audit, the US Internal Revenue Service (IRS) has failed to fix numerous information security issues. As a result, says the report, the IRS is limited in its ability to adequately protect taxpayer data.

[Editor Comments]
[Pescatore] This kind of audit result is very common. Basically, a lot of good security effort being applied but not being able to close security holes as fast as new ones are discovered. This almost always results from not addressing root cause problems - it is like bailing out a boat with a bucket vs. finding and plugging the leak. Most of the findings result from weaknesses in privilege and access management - the root cause is usually in IT operations processes and there will never be enough security buckets to keep up.
[Murray] That said, the IRS has made progress toward reducing tax refund fraud.

Read more in:

The Hill: IRS fails to resolve dozens of information security deficiencies, GAO says
GAO: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data

--Arrest in Mt. Gox Bitcoin Theft Case (July 26 & 27, 2017)

Authorities in Greece have arrested a man believed to be involved in the laundering of stolen Bitcoin. Alexander Vinnik is the owner of the BTC-e Bitcoin trading platform, which has allegedly been used to launder stolen cryptocurrency, including 375 million USD worth of Bitcoin stolen from Mt Gox in 2014. Vinnik has been indicted by a grand jury in California; US authorities plan to start extradition proceedings.

[Editor Comments]

[Williams] If nothing else, this story highlights the power of blockchain analysis. Large crypto currency thefts are hard to convert to fiat currency. Bitcoin mixing services are useful for laundering small amounts, but larger amounts remain problematic. This is likely why we haven't seen WannaCry attackers cash out their BitCoin.

Read more in:

The Register: Greek police arrest chap accused of laundering $4bn of Bitcoin
ZDNet: Russian Bitcoin exchange chief arrested in connection to Mt. Gox 'hack'
BleepingComputer: BTC-e Owner Arrested for Laundering Stolen Bitcoin, Ransomware Payments
DoJ: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox

--Italy's UniCredit Bank Reports Data Breaches (July 26 & 27, 2017)

A pair of data security breaches at Italy's UniCredit bank has compromised 400,000 loan customers' account information. UniCredit says that the breach occurred through the systems of an unnamed third-party provider. The first of the two breaches took place in September and October 2016; the second occurred in June and July 2017.

[Editor Comments]
[Murray] Outsiders attack deposit accounts. Insiders attack loan accounts.

Read more in:

V3: Italy's biggest bank, UniCredit, suffers major cyber breach
BBC: Hack on Italy's largest bank affects 400,000 customers
Bloomberg: Hackers Breach 400,000 UniCredit Bank Accounts for Data

--Open Source Toolkit Helps Fix SS7 Holes (July 26, 2017)

Researchers have developed an open source toolkit that can be used to help fix vulnerabilities in Signaling System 7 (SS7). Flaws in the SS7 standard, which was created to allow interoperability between mobile carrier systems, have been used to steal money from bank accounts.

Read more in:

Wired: An Open-Source Toolkit to Help Patch Cell Networks' Critical Flaw

--3G and 4G LTE Network Vulnerability (July 26, 2017)

A flaw in a cryptographic protocol used in 3G and 4G LTE mobile networks could be exploited to conduct surveillance and location tracking. The vulnerability does not allow attackers to intercept calls or messages.

Read more in:

ZDNet: Security flaw in 3G, 4G LTE networks lets hackers track phone locations
WCCFtech: 2G Was Too Weak? Turns Out 3G & 4G Networks Are Also Prone to Stingray Surveillance Attacks

--FBI Cyber Division Chief Talks About Avalanche Takedown (July 26, 2017)

At the Black Hat conference in Las Vegas, FBI cyber division unit chief Tom Grasso described the Avalanche takedown, which occurred in December 2016. More than half a million systems were affected by Avalanche, which enabled botnets. The takedown operation was a cooperative effort involving the FBI, foreign governments, international organizations, and private companies.

Read more in:

DarkReading: FBI Talks Avalanche Botnet Takedown


Adobe Announces End of Flash for 2020


JA3 Hash To Fingerprint SSL/TLS Connections


New Wave of Apple iCloud Ransom Attacks


Malspam Pushing Emotet Malware


Broadpwn Released


Microsoft Announces Windows 10 Bug Bounty


Custom Map Vulnerability in Valve Games


Targeting HTTP's Hidden Attack-Surface


Petya/Goldeneye Decryptor


TinyPot, My Small Honeypot


Shaun McCullough


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create