Online Training Special Offer - Get an iPad Mini 4, Samsung Galaxy Tab A, or $250 Off OnDemand and vLive - Ends 9/27!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #67

August 25, 2017

TOP OF THE NEWS


National Infrastructure Advisory Council Report - A Pre 9-11 Moment
AccuWeather Updates App to Fix Data Privacy Problem (Maybe)

THE REST OF THE WEEK'S NEWS


FBI Files Charges Against Alleged Malware Distributor
Microsoft Settles with German Consumer Rights Group Over OS Downloads
Baratov Pleads Not Guilty in Yahoo! Breach Case
ROPEMAKER Attack Lets Attackers Alter eMail Content After Delivery
Fuze Fixes Security Problems
Second Ukraine Accounting Company May Have Been Hacked
Google Removes Hundreds of Android Apps from Google Play Store Over Spyware Concerns
Google's Titan Security Chip

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By WireX Systems *******************************

WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Register for this webcast to learn more: http://www.sans.org/info/197750

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS OnDemand and vLive Training | Get an iPad Pro (10.5") with Smart Keyboard, an HP Chromebook 13 G1 or take $350 Off OnDemand or vLive Training when you register by August 30! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--National Infrastructure Advisory Council Report - A Pre 9-11 Moment (August 22 & 23, 2017)

"There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack, [for the nation] to organize effectively and take bold action," said the US National Infrastructure Advisory Council report. The report lists 11 recommendations, including "establish separate, secure communications networks specifically designated for the most critical cyber networks; ... identify best-in-class scanning tools and assessment practices; ... [and] establish clear protocols to rapidly declassify cyber threat information."

[Editor Comments]
[Assante] The experience and foresight of the industry leaders comprising the council warrants policy makers and peers to pay close attention. Their statement regarding the pace of cyber threats and corresponding urgency to get our house in order should serve as a final warning. The time for action is now, as we race forward into a more digital and connected world.
[Paller] As Mike Assante notes, the NIAC members accurately describe the problem. Many of the solutions they offer, however, may not be the right ones as John Pescatore notes below.
[Pescatore] Out of the 11 top level recommendations, most are standard committee output (more industry/govt. sharing, more task forces, senior government meetings), and most of the others are standard security goodness (reach basic security hygiene, faster above the line/below the line declassifying of govt threat data, etc.) The "separate, secure communications network" is the most attention getting but makes no sense as proposed as the primary method for Critical Infrastructure communications (the report says have an RF-based backup.) It makes real sense as a backup approach, but pretending that systems that haven't been made secure will magically be secure if they don't seem to have direct Internet connectivity is what got power systems, ATM machines, voting machines etc. in trouble in the first place.

Read more in:
Cyberscoop: Trump advisers: key industries need separate systems in wake of cataclysmic event
https://www.cyberscoop.com/niac-cyber-electricity-grid-telecoms-finance/
FCW: White House advisory group warns of '9/11-level cyber attack'
https://fcw.com/articles/2017/08/22/white-house-cyber-advice-rockwell.aspx
FNR: Federal panel urges 11 steps to avert a cyber 9/11
https://federalnewsradio.com/cybersecurity/2017/08/federal-panel-urges-11-steps-to-avert-a-cyber-911/
The Hill: White House advisory group raises cybersecurity concerns
http://thehill.com/policy/cybersecurity/347566-white-house-advisors-feds-have-tools-to-protect-infrastructure-cyber-but
The Hill: Members resign from White House council on infrastructure security
http://thehill.com/policy/cybersecurity/347563-members-resign-from-white-house-council-on-infrastructure-security
Nextgov: Time's Running Out to Prevent a Massive Cyberattack on Critical Infrastructure, Advisory Group Says
http://www.nextgov.com/cybersecurity/2017/08/times-running-out-prevent-massive-cyberattack-critical-infrastructure-advisory-group-says/140417/?oref=ng-channelriver
Fifth Domain: Report: Critical infrastructure under risk of '9/11-level cyber attack'
https://www.fifthdomain.com/critical-infrastructure/2017/08/23/report-critical-infrastructure-under-risk-of-911-level-cyber-attack/
DHS (NIAC Study): Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF)
https://www.dhs.gov/sites/default/files/publications/niac-cyber-study-draft-report-08-15-17-508.pdf

--AccuWeather Updates App to Fix Data Privacy Problem (Maybe) (August 23, 2017)

AccuWeather has updated its app to address an issue that collected location data even when users had not granted the app permission. Prior to the update, AccuWeather shared all users' router names and basic service set identifiers with Reveal Mobile, an AccuWeather tech partner.

[Editor Comments]
[Northcutt] Once you understand the problem reading the AccuWeather blog post is instructive. Three examples:
1) no GPS coordinates are collected or passed without further opt-in permission from the user. = = Right, the SSID of the router is passed and the location of most WiFi routers is known.
2) Accordingly, at no point was the data used by AccuWeather for any purpose. = = Correct, as we best understand, that is why AccuWeather has a business relationship with Reveal Mobile. If that is not correct, what is the reason AccuWeather is hooked up with Reveal Mobile?
3) the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. = = That could be, but when you look Reveal Mobile up on Google, their tag line is "Turn Location Data into Meaningful Mobile Revenue"
Bottom line: To have collected the data after users opted out and then issuing a misleading blog indicates using an alternate weather forecast source such as weather.com might be sensible. A note to other companies caught doing inappropriate things: history is starting to show saying you are sorry and promising never to do it again often plays better. Just mean it when you say it.
https://www.accuweather.com/en/press/69041756

Read more in:
The Register: AccuWeather: Our app slurped your phone's location via Wi-Fi but we like totally didn't use it
http://www.theregister.co.uk/2017/08/23/accuweather_says_ignorance_of_location_data_precludes_misuse/
BBC: AccuWeather app shared users' location data
http://www.bbc.com/news/technology-41037081

*************************** SPONSORED LINKS ********************************

1) "The latest 2017 NSS Labs NGFW test results reveals many NGFWs may be vulnerable to evasions. Does your current firewall or IPS protect against AETs?" Register: http://www.sans.org/info/197755

2) Do organizations know where their sensitive data is? And if they do, how are they assessing and protecting that data? Learn More: http://www.sans.org/info/197760

3) Don't Miss: "Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools" http://www.sans.org/info/197765

******************************************************************************

THE REST OF THE WEEK'S NEWS

--FBI Files Charges Against Alleged Malware Distributor (August 24 & 25, 2017)

The FBI has filed charges against a Chinese man for allegedly distributing malware that was used in attacks targeting systems at several US companies. Yu Pingan was arrested in Los Angeles on Monday, August 21. According to the indictment, Yu Pingan distributed malware that may have been used in attacks against systems belonging to the US Office of Personnel Management (OPM) and the Anthem health insurance company.

Read more in:
ZDNet: FBI charges Chinese national with distributing malware used in OPM hack
http://www.zdnet.com/article/fbi-charges-chinese-national-with-distributing-sakula-malware/
The Register: Chinese chap collared, charged over massive US Office of Personnel Management hack
https://www.theregister.co.uk/2017/08/25/fbi_charge_chinese_suspect_us_office_of_personnel_mgmt_hack/
Politico: Complaint (PDF)
http://www.politico.com/f/?id=0000015e-161b-df04-a5df-963f36840001

--Microsoft Settles with German Consumer Rights Group Over OS Downloads (August 24, 2017)

Concluding an 18-month legal wrangle with a German consumer rights organization, Microsoft has agreed to stop forcibly downloading upgrades for Windows operating systems onto computers in Germany. The company admitted wrongdoing in downloading more than 6GB of data onto users' devices in 2015. Microsoft will not download any operating systems updates without the user's express permission, and will pay penalties if it breaks the agreement.

[Editor Comments]
[Murray] Some consumers are unlikely to authorize patching and are more likely to attach vulnerable systems to the Internet. While this agreement may avoid some inconvenience to a small number of consumers, it will weaken the infrastructure.

Read more in:
Bleeping Computer: Germany: Microsoft Agrees to Stop Forcibly Downloading Windows Upgrades
https://www.bleepingcomputer.com/news/microsoft/germany-microsoft-agrees-to-stop-forcibly-downloading-windows-upgrades/

--Baratov Pleads Not Guilty in Yahoo! Breach Case (August 23 & 24, 2017)

Karim Baratov has pleaded not guilty to 47 charges related to the compromise of hundreds of millions of Yahoo! accounts. Baratov was recently extradited from Canada. Court documents say that Baratov and Alexey Belan were hired by two Russian FSB officers, Dmitry Dokuchaev and Igor Suschin, to break into Yahoo!'s systems in 2014.

Read more in:
The Register: Accused! Yahoo! hacker! pleads! not! guilty! in! US! court!
http://www.theregister.co.uk/2017/08/24/accused_yahoo_hacker_pleads_not_guilty/
Daily Beast: Russian Spies' Hacker-for-Hire Pleads Not Guilty to Cracking Yahoo
http://www.thedailybeast.com/russian-spies-hacker-for-hire-pleads-not-guilty-to-cracking-yahoo
Reuters: Canadian accused in Yahoo hack pleads not guilty in U.S. court
http://www.reuters.com/article/us-yahoo-cyber-trial-idUSKCN1B32KV

--ROPEMAKER Attack Lets Attackers Alter eMail Content After Delivery (August 22 & 23, 2017)

An attack known as Ropemaker, for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky, lets attackers change the content of email once it has been delivered to a user's inbox. The attack works by remotely altering cascading style sheets (CSS) in HTML emails.

[Editor Comments]
[Neely] This attack is not been seen in the wild. It applies only to desktop email clients; it fails on browser-based email clients as they strip out header tags required by this exploit. Modern email content delivery depends on HTML rendering to deliver a rich user experience, so users are disinclined to turn off support for HTML in email. Beyond disabling HTML email, a network filter could be added blocking remote CSS download by email clients.

Read more in:
Dark Reading: ROPEMAKER Attack Turns Benign Emails Hostile Post-Delivery
https://www.darkreading.com/attacks-breaches/ropemaker-attack-turns-benign-emails-hostile-post-delivery/d/d-id/1329696
Threatpost: Ropemaker Exploit Allows for Changing of Email Post-Delivery
https://threatpost.com/ropemaker-exploit-allows-for-changing-of-email-post-delivery/127600/
The Register: Did ROPEMAKER just unravel email security? Nah, it's likely a feature
http://www.theregister.co.uk/2017/08/23/ropemaker_exploit/
SC Magazine UK: Money for old rope? Ropemaker changes your emails AFTER delivery
https://www.scmagazineuk.com/money-for-old-rope-ropemaker-changes-your-emails-after-delivery/article/683376/
eWeek: Ropemaker Email Exploit Exposes Desktop Clients to Security Risks
http://www.eweek.com/security/ropemaker-email-exploit-exposes-desktop-clients-to-security-risks
Bleeping Computer: ROPEMAKER Lets Attackers Change Your Emails After Delivery
https://www.bleepingcomputer.com/news/security/ropemaker-lets-attackers-change-your-emails-after-delivery/

--Fuze Fixes Security Problems (August 22 & 23, 2017)

Fuze has fixed three vulnerabilities in its voice messaging and collaboration platform that could be exploited to expose user account information and allow unauthorized access. Rapid7 notified Fuze of the security issues in mid-April. Fuze released fixes for the flaws by May 6, but the issues were only publicly disclosed earlier this week.

Read more in:
ZDNet: Data leak vulnerabilities patched in Fuze TPN portal
http://www.zdnet.com/article/data-leak-vulnerabilities-patched-in-fuze/
The Register: VoIP bods Fuze defuse triple whammy of portal security vulnerabilities
http://www.theregister.co.uk/2017/08/23/fuze_plugs_security_flaws/
Threatpost: Fuze Patches TPN Handset Vulnerabilities
https://threatpost.com/fuze-patches-tpn-handset-vulnerabilities/127555/
Rapid7: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
https://community.rapid7.com/community/infosec/blog/2017/08/22/r7-2017-07-multiple-fuze-tpn-handset-portal-vulnerabilities-fixed

--Second Ukraine Accounting Company May Have Been Hacked (August 22 & 23, 2017)

A Ukrainian cyber security firm says it believes it has detected another instance in which computers at an accounting software company were compromised and are being used to spread malware. The scenario bears many similarities to the Petya/NotPetya malware infections that spread earlier this summer.

Read more in:
Bleeping Computer: Ukraine Fears Second Ransomware Outbreak as Another Accounting Firm Got Hacked
https://www.bleepingcomputer.com/news/security/ukraine-fears-second-ransomware-outbreak-as-another-accounting-firm-got-hacked/
Reuters: Ukraine cyber security firm warns of possible new attacks
http://www.reuters.com/article/us-cyber-ukraine-attacks-idUSKCN1B222O

--Google Removes Hundreds of Android Apps from Google Play Store Over Spyware Concerns (August 21 & 23, 2017)

Google has pulled more than 500 Android apps from the Google Play Store after finding that they were infected with an adware software development kit (SDK) that could download malicious plug-ins. Apps containing the Igexin SDK have been downloaded more than 100 million times.

[Editor Comments]
[Neely] The affected applications included an advertising SDK that could download malicious plug-ins. Symantec issued warnings about the lgexin SDK back in 2015, but it wasn't until the SDK moved from potentially taking action to actively doing so that Google remove the applications. The best mitigation is to use devices with current Android releases so you have Google's most current protections from malicious behavior.

Read more in:
SC Magazine: 500+ Android apps found containing program that can download spyware plug-in
https://www.scmagazine.com/500-android-apps-found-containing-program-that-can-download-spyware-plug-in/article/683248/
Ars Technica: Spyware backdoor prompts Google to pull 500 apps with >100m downloads
https://arstechnica.com/information-technology/2017/08/500-google-play-apps-with-100-million-downloads-had-spyware-backdoor/
Dark Reading: Google Removes 500 Android Apps Following Spyware Scare
http://www.darkreading.com/threat-intelligence/google-removes-500-android-apps-following-spyware-scare/d/d-id/1329693?
Threatpost: Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps
https://threatpost.com/android-spyware-linked-to-chinese-sdk-forces-google-to-boot-500-apps/127585/

--Google's Titan Security Chip (August 22, 2017)

Google plans to disclose information about its Titan security chip this week. Titan was developed to help improve security for Google's cloud computing network. The chip has already been installed in the servers and network cards in Google's data centers. The Titan chip checks to see if hardware has been altered; if it detects an anomaly, it will shut down the hardware to prevent it from booting.

[Editor Comments]
[Pescatore] What Google has done is essentially design a custom Trusted Platform Module (TPM) chip for Google's hardware. Let's call it TPM+ because it actually does a few things better than the Trusted Computing Group standard TPM, which has been around for over 10 years and gets hardly any use at all. The TCG TPM suffered from a "try to make every vendor in TCG happy" approach. Google's Titan "TPM+" is a "let's solve a real security problem for our own customers" approach. In reality, most major steps forward in security happen this way - notice that in the mobile phone world, you didn't see Apple or Google using industry standard approaches to roll out App Stores, sandboxing, etc.

Read more in:
Silicon Angle: Report: Google to integrate Titan security chips with its cloud services
https://siliconangle.com/blog/2017/08/22/report-google-integrate-titan-security-chips-cloud-services/
Reuters: Google touts Titan security chip to market cloud services
https://www.reuters.com/article/us-alphabet-google-titan-idUSKCN1B22D6
Security Today: Google to Unveil New Titan Computer Chip
https://securitytoday.com/articles/2017/08/24/google-titan-chip.aspx

INTERNET STORM CENTER TECH CORNER

Elcomsoft Releases Ability to Retrieve Apple Keychain from iCloud

https://www.elcomsoft.com/eppb.html

Mapping Rooms with Smart Speakers

http://musicattacks.cs.washington.edu/activity-information-leakage.pdf

Netcraft Identifies .fish Domain Used For Phishing

https://news.netcraft.com/archives/2017/08/21/first-fishy-phishing-sites-sighted.html

Malware Loading Avast Safe Zone Browser

https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/

Ropemaker E-Mail Style Sheet Manipulation

https://www.mimecast.com/globalassets/documents/whitepapers/wp_the_ropemaker_email_exploit.pdf

Cloud Based Accounts Increasingly a Target

https://www.microsoft.com/en-us/security/intelligence-report

More Malware Found At Ukrainian Accounting Software Makers

https://issp.ua/issp_system_images/UPD_samples_analysis_eng.pdf

Critical HPE iLo Vulnerability

http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

Facebook Messenger Spam Leads to Malware

https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-messenger/81590/

iOS 10.3.1 Kernel Exploit Released

https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/

Samsung Bricks Smart TVs With Update

https://eu.community.samsung.com/t5/TV-Audio-Video/Samsung-MU-Series-2017-Smart-TV-s-will-do-nothing-after-Samsung/td-p/250277


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create