Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #7

January 24, 2017


Hack the Army Bug Bounty Program Turns Up 118 Vulnerabilities
China Will Shut Down Most VPNs in Clean-up Effort
GSA Single Sign-on
Chrome WebEx Plugin Flaw Fixed


Symantec Revokes Unvalidated TLS Certificates
State of (US) Federal Information Technology Report
Lloyds Bank Was Likely the Target of a DDoS Attack
Apple Updates iOS, macOS, and Safari
United Airlines IT Problem Grounded Flights on Sunday
NY State Stingray Legislation Proposed
Lavabit Relaunch
GE Patches Flaw Affecting Industrial Control Systems
Neverquest Malware Suspect Lisov Arrested in Spain


Symantec Revokes Unvalidated TLS Certificates
State of (US) Federal Information Technology Report
Lloyds Bank Was Likely the Target of a DDoS Attack
Apple Updates iOS, macOS, and Safari
United Airlines IT Problem Grounded Flights on Sunday
NY State Stingray Legislation Proposed
Lavabit Relaunch
GE Patches Flaw Affecting Industrial Control Systems
Neverquest Malware Suspect Lisov Arrested in Spain

*************************** Sponsored By Malwarebytes ********************

Party with Malwarebytes at RSA Conference 2017! Visit us in Booth #2319 in the South Hall to get the latest on advanced-threat detection and incident response. And don't miss the Malwarebytes Crush Party. Mingle with your security peers at the SFMOMA on Tuesday, February 14. RSVP today! http://www.sans.org/info/191657



--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/



Hack the Army Bug Bounty Program Turns Up 118 Vulnerabilities (January 19 & 23, 2017)

The U.S. Army's bug bounty program, which ran during the first three weeks of December 2016, resulted in 118 valid vulnerability reports. In all, 371 people participated and 416 bug reports were submitted. The first vulnerability report was submitted within the first five minutes of the program.

[Editor Comments ]

[Pescatore ]
SANS gave a 2016 Difference Makers award to the Pentagon team that started up the "Hack the Pentagon" managed bug bounty effort. It is good to see it spreading to other areas in DoD. Well managed bug bounty programs continue to show high value in both quantity, and more importantly, quality of vulnerabilities discovered per dollar.

Read more in:

SC Magazine: Hack the Army bug bounty programs finds 118 vulnerabilities

HackerOne: Hack The Army Results Are In

China Will Shut Down Most VPNs in Clean-up Effort (January 23, 2017)

China's Ministry of Industry and Information Technology has announced a plan to eliminate "unauthorized internet connections." Over the next 14 months, virtual private networks (VPNs), which people in China have been using to circumvent the government's blocking of certain websites and search results, will be shut down unless they have government approval. Internet service providers, content distribution networks, and data centers operating within the country must all be licensed by the Chinese government.

[Editor Comments ]

[Murray ]
The underlying assumption seems to be that Internet connections are to be "authorized" by the state.

[Pescatore ]
If you are responsible for keeping traveling executives secure, this is important to keep in mind over the next few years - and not just in China. Changes around the politics of global trade have proven, over the years, to have definite impact on the level of industrial espionage done by governments. Good idea to review your travelling executive policies and procedures, certainly about secure connectivity while on the road if VPNs get blocked, but also about carrying "clean" devices when on overseas travel, etc.

[Ullrich ]
While traveling in China, using your US data plan may be a solution, or obtaining a SIM card from a Hong Kong provider. During a recent visit, it was possible to connect to sites like Facebook from within China as long as a US or HK SIM was used, so it appears different filtering policies apply for these connections. Up to now, this was a rather expensive alternative, but some US carriers have recently begun some affordable international data plans that may help if you are visiting for a few days and don't want to go through the trouble of finding a cheaper HK SIM card.

Read more in:

Ars Technica: China announces mass shutdown of VPNs that bypass Great Firewall

CNET: China's new 'cleanup' campaign shores up Great Firewall

BBC: China to crack down on censor-busting services

GSA Single Sign-on (January 20, 2017)

The U.S. General Services Administration (GSA) plans to launch its single sign on platform, Login.gov, late next month. The platform would allow individuals to use one sign-on for access to multiple government services. The accounts will have two levels of authentication security based on the government services a user is accessing.

[Editor Comments ]

[Pescatore ]
The two levels are both still completely based on "what you know" and neither level uses of a second factor from "what you have" or "what you are" even though 25% of consumers are already using two factor on at least one commercial service. So, this approach is still vulnerable to simple phishing attacks. The login.gov plan does include integrating to back-end services to reduce fraud but we really need to government to be accelerating movement away from dependence on reusable passwords.

[Ullrich ]
Great plan. Now let's all pray, sacrifice chickens or do whatever it takes to make a complex project like this work. I hope the project will be open as it will likely become the most attacked single sign on service in the world, and we will all be able to learn a great deal from a service like this.

Read more in:

CGN: GSA readies single sign-on platform

Chrome WebEx Plugin Flaw Fixed (January 23, 2017)

The WebEx browser extension for Chrome has been updated to fix a flaw that could be exploited through drive-by attacks to execute arbitrary code. The plugin is installed on an estimated 20 million machines. The patch was released two days after Google's Project Zero notified Cisco of the problem.

[Editor Comments ]

[Ullrich ]
Note that the latest version, 1.0.3 released on Sunday is still vulnerable, per Google. The vulnerability is easy to exploit. If possible, do not use this plugin until further notice. You may still use other browsers to participate in WebEx sessions, but I wouldn't be surprised if other browsers are affected by similar flaws. Get ready for a set of WebEx vulnerability disclosures as researchers zoom in on its messaging protocol.

[Williams ]
When you dig into the internals of this vulnerability, it appears that the code was released without a skilled security assessor ever looking at it. The extension allows developers to call exports from DLLs using JavaScript. The developers did use security through obscurity, obfuscating strings in the JavaScript (possible to avoid these vulnerabilities from being discovered). Obviously you should patch if you use WebEx. Organizations can use this as a case study promoting the need for security auditing of code prior to release.

Read more in:

Ars Technica: Widely used WebEx plugin for Chrome will execute attack code

The Register: Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'

Project Zero: Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution

*************************** SPONSORED LINKS ********************************

1) Email spoofing attacks increase; SANS reviews Mimecast service designed to stop sophisticated phishing efforts. Learn More: http://www.sans.org/info/191662

2) Don't Miss: "Stop Threats in their Tracks- An Introduction to Advanced Malware Protection" Register: http://www.sans.org/info/191667

3) SANS 2017 Threat Hunting Survey - Is threat hunting proactive, reactive or both? Tell us in this SANS survey and enter to win a $400 Amazon Gift Card: http://www.sans.org/info/191672



Symantec Revokes Unvalidated TLS Certificates (January 23, 2017)

Symantec has revoked more than 100 improperly issued transport layer security (TLS) certificates. Some of the certificates could be used to spoof HTTPS websites. The certificates were issued by three certificate authorities owned by Symantec.

[Editor Comments ]

[Pescatore ]
The certificate business Symantec got into after buying Verisign in 2010 is a poor fit with the rest of their "keep the bad guy out" product lines, as their continuing problems show.

[Ullrich ]
While organizations around the world try to update their certificates from SHA1 to SHA2, Certificate Authorities still don't know how to control their signing keys and pose a much larger threat to the TLS infrastructure then any issue recently discovered with algorithms used by TLS.

[Williams ]
As hard as it is for organizations impacted by this issue to deal with, Symantec did the right thing here. Leaving the certificates in the wild represented a widespread risk if they were misused. This problem highlights the challenges of building a large-scale certificate trust. One bad actor can ruin things for everyone.

Read more in:

The Register: Symantec carpeted over dodgy certificates, again

Ars Technica: Already on probation, Symantec issues more illegit HTTPS certificates

ZDNet: Symantec revokes faulty security certificates

State of (US) Federal Information Technology Report (January 23, 2017)

The U.S. CIO Council released the State of Federal Information Technology Report on Thursday, January 19, 2017. The publication provides an overview of the government's path to the current state of information technology as well as 11 recommendations for the future of government information technology.

[Editor Comments ]

[Murray ]
Interesting reading. By and for government CIOs. Management is difficult. Recaps (mostly failed) IT management initiatives. Recommendations are buried; not action or role oriented. Security gets its own section. There appears to be an underlying assumption that the management of IT is separate from the management of government. This is an assumption that would have seemed very strange in the pre-computer world. It is a holdover from the era in which computer technology was expensive and where efficiency improved with scale. Many of the problems observed are rooted in this assumption.

Read more in:

FederalNewsRadio: 12 stats that tell you about the state of federal IT

CIO Council: State of Federal Information Technology (PDF)

Lloyds Bank Was Likely the Target of a DDoS Attack (January 23, 2017)

Millions of Lloyds Bank customers were unable to access the UK Bank's online services for two days earlier this month. The incident was likely due to a distributed denial-of-service (DDoS) attack. The attack occurred on January 11 and 12. According to a report in The Financial Times, the attack was launched from overseas.

Read more in:

ZDNet: Lloyds Bank services bit by denial-of-service attack

The Register: Lloyds Bank outage: DDoS is prime suspect

Apple Updates iOS, macOS, and Safari (January 23, 2017)

Users are being encouraged to upgrade to iOS version 10.2.1 as soon as possible. The newest version of Apple's mobile operating system includes fixes for more than a dozen security issues. Two of the vulnerabilities could be exploited to execute code with kernel privileges. Apple has also released security updates for macOS (to version 10.12.4) and Safari (to version 10.0.3).

[Editor Comments ]

[Northcutt ]
I have done my updates and everything still appears to be working. The Wired magazine listed below seems to be the best source, but here is a bit of additional information including Apple's own fairly vague information:



Read more in:

Wired: The New iOS Update Fixes Big Security Holes, So Get It Now

United Airlines IT Problem Grounded Flights on Sunday (January 22 & 23, 2017)

An unspecified IT problem caused United Airlines to ground all domestic US flights on Sunday evening, January 21. The problem, which has been called a glitch but not yet otherwise specified, was resolved within a matter of hours. A report from CNN cited sources that said the issue was caused by a problem with the Aircraft Communications Addressing and Reporting System (ACARS).

Read more in:

ZDNet: United Airlines flights suspended after technical glitch

New York Times: United Airlines Flights Are Delayed By Computer Problem

Christian Science Monitor: United Airlines Computer Glitch Creates Cascade of Delays

CNN: United Airlines resumes flights after temporary ground order

NY State Stingray Legislation Proposed (January 23, 2017)

State legislators in New York are considering a bill that would limit law enforcement's use of cell site simulator surveillance technology, often referred to as stingray. If passed, the law would require law enforcement agents to obtain a warrant prior to using the technology. They would also be required to be specific about the technology they plan to use. Exceptions would be made in cases involving life threatening situations, but a warrant would still be required to be obtained within three days or the gathered evidence could be destroyed.

Read more in:

ZDNet: New York bill aims to limit police use of "stingray" phone surveillance

Lavabit Relaunch (January 22 & 23, 2017)

In 2013, Ladar Levison shuttered his Lavabit encrypted email service rather than provide the government with SSLs keys which would have compromised his customers' privacy. Levison has announced that he is relaunching Lavabit, which is built with the Dark Internet Mail Environment (DIME) open source, end-to-end encrypted email standard. Levison is also releasing source code release for DIME will be available on Github. DIME offers three levels of security: Trustful, Cautious, and Paranoid. Former Lavabit users may access their accounts in Trustful mode; new users may pre-register for the next release, which will offer all three security modes.

Read more in:

Computerworld: Lavabit developer has a new encrypted, end-to-end email protocol

ZDNet: Lavabit relaunches secure email service, encrypted mail goes open-source

The Register: Go dark with the flow: Lavabit lives again

CNET: Snowden's email service of choice, Lavabit, lives again

Lavabit: Lavabit Relaunch

GE Patches Flaw Affecting Industrial Control Systems (January 20, 2017)

General Electric (GE) has released updates for its industrial control systems (ICS) to fix an issue that could be exploited to steal passwords for SCADA (supervisory control and data acquisition) systems. A GE spokesperson said that the flaw could not be remotely exploited. Affected products include Proficy HMI/SCADA iFix Version 5.8 SIM 13 and earlier; Proficy HMI/SCADA CIMPLICITY Version 9.0 and earlier; and Proficy Historian Version 6.0 and earlier.

Read more in:

The Register: General Electrics plays down industrial control plant vulnerabilities

ICS-CERT: Advisory: GE Proficy HMI/SCADA iFix, Proficy HMI / SCADA CIMPLICITY, and Proficy Historian Vulnerability

Neverquest Malware Suspect Lisov Arrested in Spain (January 19 & 20, 2017)

Police in Spain have arrested Stanislav Lisov, an individual wanted by the U.S. for his alleged role in developing and using banking malware known as Neverquest, which has been found to be targeting online banking customers of between 100 and 200 financial institutions. Lisov is being held in Catalonia until Spain's High Court decides whether he will be extradited to the U.S.

Read more in:

Reuters: Spain arrests Russian bank-account hacker wanted by FBI

Computerworld: Spanish police nab suspect behind Neverquest banking malware

Washington Post: Spain arrest Russian wanted by US for alleged hacking


Sage 2.0 Ransomware

Starwars Twitter Botnet

Symantec Messes Up SSL Certificates Again

Github CSP Experiences

Experimenting with IPv6 Fragments

Apple Updates Everything

WebEx Secret Install URL

Vulnerability in Symantec Norton Download Manager

Exploit for Microsoft RDC Client on Mac

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board