
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #50

June 24, 2016


US Federal Reserve Considers Strengthening Security Measures
Apple Blocks Older Versions of Flash Plug-in in Safari
GAO Audit: Agencies View Foreign Governments as Most Severe Cyberthreat


Swagger Code Generator Vulnerability
Carbonite Passwords Reset After Suspected Reuse Attack
Libarchive Vulnerabilities
iOS 10 Beta Kernel Not Encrypted
Supreme Court Decision May Support Microsoft's Position in Ireland Server Data Case
InMobi to Pay FTC Fine of Nearly US $1 Million for Unauthorized Tracking
Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant
US Naval Academy Cybersecurity Major
Apple Fixes Flaw in AirPort Routers









US Federal Reserve Considers Strengthening Security Measures (June 22, 2016)

US Federal Reserve (Fed) chair Janet Yellen told legislators that the Fed may implement "enhanced monitoring" for certain transactions after thieves stole US $81 million from the Bangladesh central bank. During the House Financial Services Committee meeting, Yellen noted that the Fed's systems were not compromised.

[Editor Comments ]
(Pescatore): The OIG at the Federal Reserve said earlier that they would be auditing the Fed's performance in overseeing cybersecurity at financial institutions, with a report to be published in 4Q16. Since lack of basic security hygiene was the root cause for the Bangladeshi bank theft, it would be good for the OIG to focus on those practices. In June of 2015, the FFIEC released a Cybersecurity Assessment Tool for banks that essentially allowed them to gauge the maturity of their cybersecurity programs. I'd like to see a comparison of those claiming mature programs but lacking basic security hygiene - all too often that is the case.
(Murray): Most transactions are part of a continuing relationship; computers are very good at identifying these. Fraudulent transactions look different. The Chase has a record of being able to identify them without slowing down the routine transactions. This "enhancement" may simply be changing the rules of controls already in place.
Read more in:
The Hill: Fed weighs enhanced scrutiny on transfers after $81M cyberheist

Apple Blocks Older Versions of Flash Plug-in in Safari (June 21, 2016)

Apple has said that it will block outdated versions of Adobe's Flash Player plug-in. Safari users running older versions of Flash will see a message warning them that the plug-in is outdated. They will have the option of downloading the most recent version. Other major browsers are taking steps to limit Flash as well.

[Editor Comments ]
(Northcutt): This is very sensible and there is no evidence of this being corporate sparring. I do wish Apple would fine-tune their messaging to the end user. Apple's support site says, "If you're using an out-of-date version of the Adobe Flash Player plug-in, you may see the message "Blocked plug-in," "Flash Security Alert," or "Flash out-of-date" when attempting to view Flash content in Safari." It would be far better to have only one well-written message; may I suggest, "Security Alert, Flash is out-of-date".
Read more in:
CNET: Apple blocks outdated versions of Adobe Flash
Softpedia: Apple Disables Old Flash Player Versions Due to Security Vulnerabilities

Apple: Adobe Flash Player updates available for OS X on June 20, 2016

GAO Audit: Agencies View Foreign Governments as Most Severe Cyberthreat (June 21, 2016)

According to information gathered by the Government Accountability Office (GAO), the most frequent and most serious attacks against agency systems come from nation states.

[Editor Comments ]

Read more in:
Nextgov: Foreign Government Hackers are the Gravest and Most Common Threat, Agencies Say

GAO: INFORMATION SECURITY: Agencies Need to Improve Controls over Selected High-Impact Systems



Swagger Code Generator Vulnerability (June 23, 2016)

A severe flaw in a code generator for the Swagger OpenAPI specification could be exploited to execute code remotely. The issue is known to affect the NodeJS, PHP, Ruby, and Java programming languages. Until maintainers patch the code generators, users are being urged to "carefully inspect Swagger documents for language-specific escape sequences."

[Editor Comments ]
(Williams): These articles make the vulnerability sound more widespread than it is. Only applications *actively using* the Swagger library appear to be at risk. That's the good news. The bad news is that for those vulnerable applications the result is code execution on the vulnerable server - a much more serious vulnerability class than the XSS and SQL injection we usually see.
Read more in:
SC Magazine: Code generator for Swagger spec vulnerable to remote code execution

ZDNet: Severe Swagger vulnerability compromises NodeJS, PHP, Java

Rapid7 Blog: R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
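The advice above is to inspect Swagger documents for language-specific escape sequences before feeding them to a generator. The following linter is an added example written for this page, not Rapid7's or the Swagger project's code: it walks a constructed Swagger document and reports every key or string value containing a sequence that would end a comment or string literal in generated NodeJS, PHP, Ruby or Java source. The pattern list is an illustrative assumption, not an exhaustive one.

```python
"""Scan a Swagger/OpenAPI document for escape sequences that could end a
comment or string literal once a code generator pastes the text into
NodeJS, PHP, Ruby or Java sources. Added example; the pattern list below is
an illustrative assumption, not the advisory's definitive list."""
import json
import re

# Sequences that close a comment or string context in the target languages.
SUSPICIOUS = {
    "comment_close": re.compile(r"\*/"),        # ends /* ... */ (Java, JS, PHP)
    "string_quote": re.compile(r"""["']"""),    # ends a quoted string literal
    "backslash": re.compile(r"\\"),             # starts an escape such as \n or \u
    "newline": re.compile(r"[\r\n]"),           # ends a // or # line comment
    "interpolation": re.compile(r"#\{|\$\{"),   # Ruby/PHP-style interpolation
}

def walk(node, path=""):
    """Yield (json_path, text) for every key and string value in the document,
    since both end up in generated identifiers, comments and literals."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}/{key}", key
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_suspicious(doc):
    """Return [(json_path, pattern_name)] for fields that need manual review."""
    return [(path, name) for path, text in walk(doc)
            for name, pat in SUSPICIOUS.items() if pat.search(text)]

# Constructed sample document: one description carries a comment terminator.
SAMPLE_DOC = json.loads("""{
  "swagger": "2.0",
  "info": {"title": "Pet Store", "description": "Plain description."},
  "paths": {"/pets": {"get": {
    "description": "Lists pets */ text after the terminator needs review",
    "parameters": [{"name": "limit", "in": "query", "description": "Max items"}]
  }}}
}""")

if __name__ == "__main__":
    for path, name in find_suspicious(SAMPLE_DOC):
        print(f"review {path}: contains {name}")
```

Run it against a real document with `json.load(open(path))` in place of SAMPLE_DOC; every reported path should be read by a human before the generator output is built or deployed.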

Carbonite Passwords Reset After Suspected Reuse Attack (June 22 and 23, 2016)

Backup service provider Carbonite has reset all user passwords after detecting what is likely another password reuse attack: password and username combinations stolen elsewhere are being used to access accounts. Other companies, including GitHub, GoToMyPC, and LogMeIn, have recently reported similar attacks.

[Editor Comments ]

Read more in:
SecurityWeek: Online Backup Firm Carbonite Hit by Password Reuse Attack

SC Magazine: Carbonite resets passwords after attackers target user accounts
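A password reuse attack looks different from brute force in the logs: one source tries many distinct accounts roughly once each, and succeeds on those where the stolen password was reused. The detector below is an added example over constructed log lines, not Carbonite's or any vendor's detection logic; the log format and the threshold of five distinct accounts are assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs: one source
spraying stolen username/password pairs across many accounts, with a few
successes where the reused password matched. Added example with constructed
log lines; the format and thresholds are assumptions for illustration."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_ok|login_failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 tries six accounts once each and gets into
# two of them; 198.51.100.7 is one user mistyping their own password.
SAMPLE_LOG = """\
2016-06-22T10:00:01Z auth login_failed user=alice src=203.0.113.5
2016-06-22T10:00:02Z auth login_failed user=bob src=203.0.113.5
2016-06-22T10:00:03Z auth login_ok user=carol src=203.0.113.5
2016-06-22T10:00:04Z auth login_failed user=dave src=203.0.113.5
2016-06-22T10:00:05Z auth login_ok user=erin src=203.0.113.5
2016-06-22T10:00:06Z auth login_failed user=frank src=203.0.113.5
2016-06-22T10:01:00Z auth login_failed user=grace src=198.51.100.7
2016-06-22T10:01:05Z auth login_failed user=grace src=198.51.100.7
2016-06-22T10:01:10Z auth login_ok user=grace src=198.51.100.7
"""

def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect_stuffing(events, min_distinct_users=5):
    """Return {src: {"attempted": n, "successes": [users]}} for every source
    that touched at least min_distinct_users accounts. Repeated failures on
    a single account (198.51.100.7 above) do not trip this rule."""
    users_by_src = defaultdict(set)
    ok_by_src = defaultdict(list)
    for e in events:
        users_by_src[e["src"]].add(e["user"])
        if e["event"] == "login_ok":
            ok_by_src[e["src"]].append(e["user"])
    findings = {}
    for src, users in users_by_src.items():
        if len(users) >= min_distinct_users:
            findings[src] = {"attempted": len(users), "successes": ok_by_src[src]}
    return findings

if __name__ == "__main__":
    for src, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['attempted']} accounts tried; "
              f"reset and review {info['successes']}")
```

The accounts listed under "successes" are the ones to force a reset on and review, which is the blanket version of what Carbonite did for all users.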

Libarchive Vulnerabilities (June 21, 22 and 23, 2016)

Researchers at Cisco Talos have found three input validation security issues in the way the libarchive open-source compression library handles 7zip files, mtree files, and Rar files. Libarchive was initially created for FreeBSD, but has since been ported to all major operating systems. The libarchive maintainers have released patches, but it may take a while for the fixes to be applied to all affected projects.

[Editor Comments ]
(Williams): Of the three vulnerabilities, the 7-zip vulnerability is by far the most serious while the other two should be mitigated on any modern OS by stack canaries and safe unlinking. Even when libarchive is patched on affected systems, many applications have libarchive compiled in as a static library and will continue to be vulnerable. Organizations should consider limiting the processing of 7-zip files in applications that have not been patched.
(Liston): Poorly coded input validation rears its ugly head once again. The bad thing about flaws in libraries is the "collateral damage" - all the applications that use the library become vulnerable. This one is particularly bad because it's used by SO many different things.
Read more in:
The Register: Libarchive needs patching again
Computerworld: Severe flaws in widely used archive library put many projects at risk

SC Magazine: Severe flaws detected in popular compression library

Talos Blog: The Poisoned Archives

iOS 10 Beta Kernel Not Encrypted (June 21 & 23, 2016)

Apple recently released the beta version of iOS 10 in which the kernel is not encrypted. Despite speculation that the decision not to encrypt the kernel was made to encourage people to find and report bugs, Apple said that the decision was made to improve performance.

[Editor Comments ]
(Williams): Even if this is for performance reasons, the net result is positive for security researchers. Making the kernel easier to inspect has the side effect of making it easier for researchers to locate any backdoor code that might be included in iOS to comply with a secret court ruling. Some researchers have listed this as a very real concern after the recent legal battles between Apple and the IC.
Read more in:
Ars Technica: iOS 10 beta still encrypts user data, but not the kernel

ZDNet: Apple deliberately left iOS 10 kernel unencrypted
MIT Technology Review: Apple Opens Up iPhone Code in What Could Be Savvy Strategy or Security Screwup

MIT Technology Review: Apple Now Says It Meant to Open Up iPhone Code

Supreme Court Decision May Support Microsoft's Position in Ireland Server Data Case (June 22, 2016)

In a decision released earlier this week, the US Supreme Court wrote, "absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application." The ruling was made in a RICO (Racketeer Influenced and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft's position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to "reach private emails stored on provider's computers in foreign countries."

[Editor Comments ]
(Murray): In the event of conflicting laws, security professionals should prefer those of the local jurisdiction. This common guidance, though not legal opinion, recognizes the kind of dilemma confronting Microsoft in particular and International companies in general. Some companies, IBM for example, have done business through wholly owned but locally chartered and managed subsidiaries. However, this strategy is stressed by Internet enabled business models that blur where the business occurs.
Read more in:
Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case

InMobi to Pay FTC Fine of Nearly US $1 Million for Unauthorized Tracking (June 22, 2016)

The US Federal Trade Commission (FTC) has fined mobile advertisement company InMobi US $950,000 for ignoring users' privacy settings on their phones and tracking their locations to serve targeted advertisements. InMobi also tracked children's locations without parents' permission, a violation of the US Children's Online Privacy Protection Act. InMobi has agreed to the fine. The terms of the settlement also call for InMobi to delete all data collected from children and to implement a privacy program that will be audited by a third party every two years for the next 20 years.

[Editor Comments ]
(Pescatore): Usual kudos to the FTC for using existing legislation to drive companies to enforce their stated privacy and security practices. I'd like to hear Apple App Store and Google Play update their testing procedures to detect when apps are not obeying user selected privacy settings - seems like the WiFi State and Captive Network calls in Android and iOS should have been pretty easy for tools to detect.
Read more in:
Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users

Computerworld: Mobile advertiser tracked users' locations without their consent, FTC alleges

FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers' Locations Without Permission

Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant (June 22, 2016)

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searches of people's browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it.
Read more in:
CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories

ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories

Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order

US Naval Academy Cybersecurity Major (June 21, 2016)

The US Naval Academy's class of 2015 was the first graduating class with the opportunity to select a cybersecurity major. Twenty-seven students graduated in the cybersecurity major last year, and those graduates represent "every community in the service, from Navy SEALs to submariners to Marines." The first two years of the major involve technical classes; the later years focus on cybersecurity, policy, and legal and ethical issues. The class of 2015 was also the first in which every Naval Academy student was required to take two cybersecurity classes.
Read more in:
Federal News Radio: Naval Academy grads spread cyber awareness servicewide

Apple Fixes Flaw in AirPort Routers (June 21, 2016)

Apple has released a firmware update for certain AirPort routers to address a DNS parsing flaw. Details of the flaw are vague: Apple said only that attackers could potentially cause arbitrary code execution due to a memory corruption issue. The firmware upgrade affects 802.11n AirPort Express, Extreme, and Time Capsule base stations, and 802.11ac AirPort Extreme and Time Capsule.

[Editor Comments ]
(Pescatore): In this day and age, I'd much rather just see all browsers auto-update every plug-in. But if that can't happen, having insecure plugins cause the "CHECK ENGINE" light to glow, or act as the "You can't shift into DRIVE until you put your foot on the brake" equivalent is appropriate.
Read more in:
The Register: AirPort owners: Apple's patched a mystery vuln

Apple: APPLE-SA-2016-06-20-1 AirPort Base Station Firmware Update 7.6.7 and 7.7.7



The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit