Don't Miss the Best Specials of the Year with Online Training! Learn More!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #77

September 29, 2017


Sonic Restaurant Payment System Breach
Deloitte Beach May Be Broader Than First Stated
Whole Foods Investigating Reports of Data Breach


Linux Kernel Vulnerability
Keychain Vulnerability Affects High Sierra and Earlier Versions of macOS
Cisco Patches Flaws in IOS and IOS XE
Internet Explorer Address Bar Information Leak
ICANN Postpones New Key Signing Key Rollout
Monero Mining Schemes
MIT Code Porting Tool


*************************** Sponsored By CloudFlare *******************************

To combat the rising exposure and heightened business impacts of Distributed Denial-of-Service (DDoS) attacks, companies need to address specific tactical problems while finding an advantage over bad actors in an ever-evolving threat landscape. Learn how to protect your applications from DDoS attacks, bots, and data compromise through layered defense.



-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 |

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 |

-- SANS Brussels Autumn 2017 | October 16-21 |

-- SANS Tokyo Autumn 2017 | October 16-28 |

-- SANS San Diego 2017 | October 30-November 4 |

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 |

-- SANS Sydney 2017 | November 13-25 |

-- SANS San Francisco Winter 2017 | November 27-December 2 |

-- SANS London November 2017 | November 27-December 2 |

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive -

-- Anywhere, Anytime access for 4 months with OnDemand format -

-- Single Course Training
SANS Mentor
Community SANS
View the full SANS course catalog



--Sonic Restaurant Payment System Breach (September 26, 2017)

The Sonic Drive-In fast food restaurant chain has acknowledged that payment systems at an unspecified number of its stores were breached. Financial institutions noticed fraudulent activity on payment card accounts that had been used at Sonic. Batches of the stolen payment card data have recently been found for sale on underground carder forums.

[Editor Comments]
[Murray] The magnetic stripe remains a fundamental vulnerability in our retail payment system. It is way past time for the brands to put forward a plan for eliminating it.

Read more in:
KrebsOnSecurity: Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards

--Deloitte Beach May Be Broader Than First Stated (September 25, 2017)

When Deloitte first acknowledged a breach of its email system, the company said that the incident affected a small number of its customers. A source now says that the breach affected Deloitte's entire internal email system, and that it began in the fall of 2016 or even earlier.

[Editor Comments]
[Neely] In October 2015 retailers were supposed to be supporting chip based cards, and the liability for fraud shifted from the issuer to the merchant when a chip based card was read by the mag-stripe reader. Gas Stations were given until 2017 to complete the transition. Even so, issuers are not finished updating card holders to chip based cards, and merchants have not fully implemented readers. Re-issue costs and software updates are the key factors slowing the conversion.

Read more in:
KrebsOnSecurity: Source: Deloitte Breach Affected All Company Email, Admin Accounts

--Whole Foods Investigating Reports of Data Breach (September 28, 2017)

Whole Foods is investigating reports that certain point-of-sale systems at some of its stores were compromised, exposing customers' payment card information. The compromised system is used at some Whole Foods taprooms and full table-service restaurants; it is not the same system as is used at regular checkout counters.

[Editor Comments]
[Williams] In the wake of the announced breach, insiders are leaking data about previous issues to the press. Several lessons to be learned here: (1) DLP will help detect those who communicate with the press using corporate email (this is surprisingly common). (2) When employees express issues, listen to them. They are the most likely to leak data. (3) Examine your external exposure before you announce a breach. Having SMB exposed to the Internet on a domain controller looks amateurish, especially in the post WannaCry and Petya era..
[Murray] Consumers can protect themselves by using EMV and mobile payment systems in place of magnetic stripe. While EMV is slower than mag-stripe, mobile is faster and both are safer.

Read more in:
Reuters: Whole Foods says taprooms, restaurants hacked
Cyberscoop: Whole Foods investigating breach tied to point-of-sale systems
Whole Foods: Whole Foods Market Payment Card Investigation Notification

*************************** SPONSORED LINKS ********************************

1) Don't Miss: "Accurate behavior analysis enables detection and of malicious insiders, outsiders and IoT device" Register:

2) Join John Pescatore for "Shrinking Attack Dwell Times - A Phishing Case Study Demo" Register:

3) "The ROI of AppSec: Getting your Money's Worth from Your AppSec Program" Learn More:



--Linux Kernel Vulnerability (September 28, 2017)

A vulnerability in the way the Linux kernel loads ELF files could lead to memory corruption and local privilege elevation. The flaw dates back to 2015, but was only recently classified as a vulnerability.

Read more in:
The Register: Patch alert! Easy-to-exploit flaw in Linux kernel rated 'high risk'
Bleeping Computer: Linux Kernel Bug Reclassified as Security Issue After Two Years

--Keychain Vulnerability Affects High Sierra and Earlier Versions of macOS (September 25 & 27, 2017)

A flaw in macOS can be exploited to exfiltrate passwords from a user's Mac keychain. The vulnerability affects macOS High Sierra, released on September 25, and earlier versions of the operating system.

Read more in:
SC Magazine: MacOS can be exploited to reveal keychain passwords, researcher warns
Ars Technica: Password-theft 0-day imperils users of High Sierra and earlier macOS versions
Nextgov: Major Security Vulnerability Discovered in New Mac OS

--Cisco Patches Flaws in IOS and IOS XE (September 28, 2017)

Cisco has released updates to address several flaws in Cisco IOS and IOS XE. Three of the vulnerabilities, including one that could be exploited to allow remote code execution and one that could be exploited to create denial-of-service conditions, affect both products. In addition, there are five updates for flaws that affect just IOS, and six that affect just IOS XE.

Read more in:
SC Magazine: Cisco patches remote code execution flaws in IOS and IOS XE
US-CERT: Cisco Releases Security Updates

--Internet Explorer Address Bar Information Leak (September 27, 2017)

A flaw in the most recent version of Microsoft's Internet Explorer (IE) leaks anything typed into the browser's address bar. When a user visits a website, that site can "see" everything typed into the browser bar once the user hits enter.

[Editor Comments]
[Northcutt] This is not a crisis, proof of concept attack and Internet Explorer is only used for 15.5% of browsing and dropping. If you are still using it, this may be an opportunity to ask yourself why:

Read more in:
Ars Technica: Internet Explorer bug leaks whatever you type in the address bar
Broken Browser: Revealing the content of the address bar (IE)

--ICANN Postpones New Key Signing Key Rollout (September 28, 2017)

ICANN (the Internet Corporation for Assigned Names and Numbers) has delayed the rollout of a new key signing key days before its scheduled release after learning that the key's deployment could force millions of people offline. The rollover was scheduled for October 11, 2017, but ICANN decided to push the date back because a significant number of resolvers used by Internet service providers (ISPs) and Network Operators are not ready.

[Editor Comments]
[Northcutt] This is important; we are talking about the root of cyber trust. There isn't that much most of us can do about it, but if called into the office upstairs, we need to be prepared to explain what is going on. Here is an updated link, consider pouring a cup of hot caffeine and getting up to speed:

Read more in:
The Register: Internet-wide security update put on hold over fears 60 million people would be kicked offline
ICANN: KSK Rollover Postponed

--Monero Mining Schemes (September 28, 2017)

Hackers have surreptitiously placed Monero cryptocurrency mining software on hundreds of Windows servers. The software has been operating since at least May 2017 and has generated $63,000 USD. A separate Monero mining scheme was detected on several websites that belong to the Showtime cable television channel.

[Editor Comments]
[Murray] Cryptography is not the security issue in digital currency.

Read more in:
CyberScoop: Hackers find unpatched servers to secretly mine $17,000 in Monero per month
Nextgov: Someone Made Over $60,000 Hijacking People's Computers to Mine Cryptocurrency

--MIT Code Porting Tool (September 28, 2017)

Massachusetts Institute of Technology (MIT) scientists have developed a tool that can be used to port code between projects. While not yet publicly available, the tool, CodeCarbonCopy (CCC), has been used in tests to port code between six different open-source image-processing programs. CCC can "detect and map variables from one codebase to another," and "also map out how the two programs represent data internally, adjusting the ported code."

[Editor Comments]
[Neely] Developers I work with download code more frequently than they create new code. The resulting assembly can be described as more of a software pile than a stack, which can be both fragile and have unintended operations that can be exploited. What is needed is tools that add visibility and understanding to the downloaded and assembled parts. The MIT tool helps knit disparate parts together, smoothing the integration needed when assembling them, reducing some of the risks. The developers still need to understand what the parts can and cannot do.
[Murray] Code re-use is what makes modern computing efficient. Re-using code whose properties one does not fully understand is making it risky.

Read more in:
Bleeping Computer: MIT Tool Lets Programmers Port Source Code Between Incompatible Projects
CSAIL MIT: CodeCarbonCopy (PDF)


XPCTRA Steals Banking/Cryptocurrency Info

Vulnerable Mobile Investment Applications

iOS WiFi Exploit PoC Code Published

Android Malware Exploiting "Dirty Cow"

Linux 4.14 Memory Encryption

Linux PIE/Stack Corruption

Everything You Ever Wanted To Know About JPEGs (and more)

CLKSCREW: Exposing Secure Enclaves via Energy Management (PDF)

Dealing With Massive Packet Captures

Illusion Gap Anti-Virus Bypass

DNSSEC KSK Update Delayed

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit