
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #68

August 26, 2016


Red Cross Asks Disaster-Area Residents to Unlock WiFi Networks
Apple Updates iOS to Fix Trident Vulnerabilities
French Submarine Builder DCNS Designs Leaked


Cisco Patching ASA Flaw Against Leaked Exploit
Google to Tweak Search Result Algorithm to Favor Sites that Make Content Readily Accessible
Decryption Key Available for Wildfire Ransomware
Swiss Authorities Indict Three in Phishing Case
Congressman Pushing for Cell Phone System Vulnerability Investigation
FBI Investigating Attempted Cyberattack Against NYT's Moscow Bureau
GozNym Trojan Targets Banks in Germany
Russian Banks Face Stronger Security Rules


********************** Sponsored By CloudFlare *************************

Microservices architecture is forcing developers to not only rethink how they design and develop applications, but also common security assumptions and practices. With the decomposition of traditional applications, each microservice instance represents a unique network endpoint, creating a distributed attack surface that is no longer limited to a few isolated servers or IP addresses. Learn more: http://www.sans.org/info/188252



--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 |

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 |

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 |

--SANS London Autumn 2016 | London, UK | September 19-24 |

--Security Leadership Summit and Training | Dallas, TX | September 27 - October 4, 2016 |

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |

--Pen Test HackFest Summit and Training | November 2-9, 2016 | Crystal City, VA |


Red Cross Asks Disaster-Area Residents to Unlock WiFi Networks (August 25, 2016)

Rescue workers at the earthquake site in Italy have asked local residents to disable passwords from their wi-fi networks to help rescuers and aid workers communicate.

[Editor Comments ]

[Assante ]
The desire to help should be complemented with taking precautions. Opening your wifi for use by aid organizations should be preceded by disabling wifi on all of your devices. Desperate times bring out the best and worst in people, and some small number will be out for opportunity.

[Pescatore ]
Seems harsh to say, but I think it is pretty clear that the long term negatives of this would outweigh the short term positives. I'm a ham radio operator (K3TN); there are already emergency communications frequencies reserved for supporting the disaster recovery effort in Italy and hams have proven ways of bringing in temporary communications capabilities for recovery and relief workers that don't require compromises in security.

[Ullrich ]
Nice use of an existing infrastructure. Sure, many will never re-enable the password, and leave their networks exposed. But security is also about availability and in this case, it is possible that these wifi networks will help rescuers better communicate and save lives.

[Northcutt ]
In a disaster, the biggest problem is always communication. The bridge collapse in Minneapolis is a textbook case of wireless helping rescue and recovery operations: https://en.wikipedia.org/wiki/Minneapolis_wireless_internet_network But wireless home networks do more than that, they give location information. In the past 20 years with GPS and mapping of SSID locations, paper maps are becoming pretty scarce:
Read more in:
Silicon Republic: Red Cross asks people to unlock Wi-Fi passwords following Italy earthquake
BBC: Italy quake rescuers ask locals to unlock their wi-fi

Apple Updates iOS to Fix Trident Vulnerabilities (August 25, 2016)

Apple has updated its iOS mobile operating system to version 9.3.5 to address three critical vulnerabilities that could be exploited to install spyware and steal private information from apps. The exploit, known as Trident, remotely jailbreaks vulnerable devices without the user's knowledge. It then installs the spyware, known as Pegasus, which can harvest a plethora of personal data, including messages, emails, social media posts, and wi-fi passwords. The issue was detected when it was used against a device belonging to a human rights activist.

[Editor Comments ]

[Williams ]
These vulnerabilities are serious and those with MDM should force an update before allowing iOS devices to connect to their networks. However, these vulnerabilities are at least being patched - which is more than we can say for most Android handsets when vulnerabilities are announced.

[Ullrich ]
While Apple does not pre-announce patches, this is as close as Apple has gotten to a "surprise" patch for iOS. It also shows, yet again, how each time such an exploit is used, there is a risk of it being discovered by the target. In this case, luckily, the target shared it with others (and in the end Apple) to help fix the problem. But as soon as an exploit like this becomes known, it will be used against lower value targets, as well. "Collateral Damage" no longer requires physical proximity to the target, and can extend in time well beyond the original attack.

[Murray ]
"If you see something, say something." This attack and the exploited vulnerabilities were discovered because a target was suspicious of a bait message.
Read more in:
Ars Technica: Actively exploited iOS flaws that hijack iPhones patched by Apple
Ars Technica: Apple releases iOS 9.3.5 to fix 3 zero-day vulnerabilities [Updated]
The Register: Update your iPhones, iPads right now - govt spy tools exploit vulns
New York Times: IPhone Users Urged to Update Software After Security Flaws are Found
Computerworld: Apple patches iOS security flaws found in spyware targeting activist
ZDNet: Apple releases 'important security update' for iPhone after spyware discovery
Reports from Citizen Lab and Lookout



French Submarine Builder DCNS Designs Leaked (August 24, 2016)

Documents leaked from French manufacturer DCNS contain information about Scorpene-class submarines, which are used by India's military. India has launched an investigation. The vessels are also used by Malaysia and Chile. Australia, which also has vessels built by DCNS, says that the leaked information does not pertain to their submarines.

[Editor Comments ]

[Assante ]
I hope no one believed that only US weapon programs lost sensitive information at the hands of cyber spies? The importance and performance of modern submarines makes undersea warfare a highly competitive enterprise.

[Williams ]
Earlier this year, I blogged about Australia making the decision to hand carry their submarine plans to suppliers after making a risk assessment. Presumably they determined that there were no effective compensating controls to keep the plans safe given the sensitivity of the data. Today, I expect that the Australian officials involved in this decision are content in their decision.
Read more in:
Ars Technica: Military submarine maker springs leak after "hack" - India, Oz hit dive alarm
The Register: French submarine builder DCNS springs leak: India investigates
ZDNet: Federal government claims DCNS data leak has 'no bearing' on Australia


*************************** SPONSORED LINKS *****************************
1) What types of threats are driving the IT community into taking action, particularly in Europe? What actions are they are taking? Find out: http://www.sans.org/info/188257
2) Security practitioners are hearing more and more about threat intelligence (TI). But what exactly is it, and how can TI be effectively deployed? Register: http://www.sans.org/info/188262
3) What are your vulnerabilities? Do you even know? Take SANS survey and enter to win a $400 Amazon Gift Card. Take the survey HERE: http://www.sans.org/info/187750


Cisco Patching ASA Flaw Against Leaked Exploit (August 25, 2016)

Cisco has released patches for a vulnerability in its Adaptive Security Appliance (ASA) firewalls that is used by an exploit in the trove of leaked tools linked to the NSA. The exploit, known as ExtraBacon, takes advantage of a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) implementation in Cisco's ASA software.

[Editor Comments ]

[Williams ]
In order for the EXTRABACON vulnerability to be successful, the attacker must be able to talk to a port that has SNMP enabled. Those following best practices have disabled SNMP on external interfaces and control SNMP access via ACLs and are largely protected from exploitation. Infosec researchers have ported the EXTRABACON vulnerability to later versions of the Cisco IOS than were originally supported (including 9.2(4)) (

[Pescatore ]
I'd also like to hear details of Cisco, Juniper and Fortinet "patching" their SDLC processes that allowed such vulnerabilities in their products to exist for so long. If they did run software vulnerability assessment tools but those products didn't find things like buffer overflows in SNMP code, I'd also like to hear those tool vendors announce fixes to their products.
Read more in: Computerworld: Cisco starts patching firewall devices against NSA-linked exploit
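Williams' point is a configuration one: ExtraBacon only matters where SNMP on the ASA is reachable from an untrusted network. As an added illustration, not code from the newsletter or from Cisco, the following Python audit reads an ASA running-config and flags snmp-server host entries bound to security-level 0 interfaces, default community strings, and v1/v2c polling; the sample config, interface names and addresses are constructed.

```python
"""Audit a Cisco ASA running-config for SNMP exposure (added example).
Assumed input: ASA config text with 'interface' blocks carrying 'nameif'
and 'security-level', plus 'snmp-server host <nameif> <ip> ...' lines.
SAMPLE_CONFIG below is constructed for this illustration only."""
import re

# Constructed sample: one host polled over 'outside' with the default community.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
snmp-server host outside 198.51.100.50 poll community public version 2c
snmp-server host management 10.0.0.20 poll community s3cr3t-comm version 2c
snmp-server host management 10.0.0.21 version 3 nmsuser
snmp-server enable
"""

# Community strings that are vendor defaults or trivially guessable.
WEAK_COMMUNITIES = {"public", "private", "cisco"}

def parse_interfaces(config):
    """Map each nameif to its security-level (0 = untrusted/outside)."""
    levels, name, level = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = level = None            # new block: reset state
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
        if name is not None and level is not None:
            levels[name] = level
    return levels

def audit_snmp(config):
    """Return (host, issue) findings for every snmp-server host line."""
    levels = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"^snmp-server host (\S+) (\S+)(.*)$", line)
        if not m:
            continue
        ifname, host, rest = m.groups()
        level = levels.get(ifname)
        if level is None or level == 0:
            # SNMP reachable on an untrusted (or unnamed) interface.
            findings.append((host, f"bound to external/unknown interface '{ifname}'"))
        comm = re.search(r"\bcommunity (\S+)", rest)
        if comm and comm.group(1).lower() in WEAK_COMMUNITIES:
            findings.append((host, f"weak community string '{comm.group(1)}'"))
        if "version 3" not in rest:
            # v1/v2c: the community string is the only access control.
            findings.append((host, "SNMP v1/v2c without authentication"))
    return findings
```

Run it against `show running-config` output saved to a file; an empty findings list means every SNMP peer is on a trusted interface, uses v3, and avoids default community strings.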

Google to Tweak Search Result Algorithm to Favor Sites that Make Content Readily Accessible (August 24, 2016)

Google plans to alter its search result ranking algorithms so sites that have pop-up advertisements or interstitial pages that interfere with users' ability to view content are less favored. Google cites examples of techniques that interfere with viewing content: pop-ups that cover portions of the main content; interstitial pages that must be closed before being able to view content; and advertisements that fill web browsers' screens so users must scroll down to access content. Exceptions will include pop-ups that tell users about the use of cookies, and pages that require login information.

[Editor Comments ]

[Pescatore ]
OK, I think everyone hates pop-up ads (they actually sound even more ominous and creepy when called "intrusive interstitials"...) and especially on our smart phones. Still, I get this queasy feeling when the dominant advertising supported search engine says "we will punish web sites that don't do advertising the way Google says it should be done." From a security point of view, I worry about forcing advertising to be more integrated into legitimate content, which is where this is heading. That is great for click through rates, which means more revenue for advertising networks like Google, but also increases the risks of malvertising.
Read more in: BBC: Google punishes sites with pop-up adverts
Google Blog: Helping users easily access content on mobile

Decryption Key Available for Wildfire Ransomware (August 24, 2016)

Researchers have developed and made available a tool to decrypt files that have been locked by Wildfire ransomware. The attackers using the ransomware demand payment of 1.5 bitcoin to decrypt the files. Wildfire has targeted users mainly in the Netherlands and Belgium by pretending to be missed package delivery notifications. The free decryption tool was released through the No More Ransom initiative, a collaborative effort of Europol, the Dutch National Police, Intel Security, and Kaspersky Lab. The initiative offers keys for other strains of ransomware as well.

[Editor Comments ]

[Henry ]
The efforts by government and private firms to assist victims in these types of cases is laudable and absolutely appreciated. Nevertheless, being provided the "antidote" after being poisoned is not a long-term solution. Using these same collaborative actions between public and private organizations to identify and stop the perpetrators, as well as raising awareness so people better protect their networks, can enhance this effort.
Read more in: ZDNet: Wildfire ransomware code cracked: Victims can now unlock encrypted files for free

SC Magazine: Researchers quell Wildfire ransomware with decryption key

Swiss Authorities Indict Three in Phishing Case (August 23 and 24, 2016)

Authorities in Switzerland have indicted three people in connection with a phishing scheme. The people allegedly stole payment card information from more than 130,000 people between October 2009 and their arrests in 2014 and 2015. The suspects were arrested in Bangkok and extradited to Switzerland. The case marks the country's first indictment in a global phishing case.
Read more in: SC Magazine: Three indicted in Switzerland for phishing scam

Swiss Info: First Swiss indictment for worldwide 'phishing'

Congressman Pushing for Cell Phone System Vulnerability Investigation (August 24, 2016)

US Representative Ted Lieu (D-California) is urging the Federal Communications Commission (FCC) to expedite its investigation of the vulnerability in the Signaling System Number 7 (SS7) protocol used in mobile phone networks. Lieu wrote, "In light of the recent cyber hack at the DCCC that" exposed cell phone numbers of Democratic members of Congress, "the SS7 problem is no longer a theoretical threat."
Read more in: The Hill: Citing DCCC hack, Lieu wants speed in FCC hacking probe

House: Rep. Lieu's Letter to FCC (PDF)

FBI Investigating Attempted Cyberattack Against NYT's Moscow Bureau (August 23 and 24, 2016)

New York Times spokesperson Eileen Murphy says that the newspaper's Moscow bureau was the target of an attempted cyberattack earlier this month. Murphy said that the Times has "seen no evidence that any of our internal systems ... have been breached or compromised." The FBI is investigating.
Read more in: New York Times: New York Times's Moscow Bureau Was Targeted by Hackers

Computerworld: NY Times says Moscow bureau was targeted by cyberattack

BBC: Russian hackers 'targeted New York Times'
CNET: Russian hackers suspected in hack of New York Times, others

GozNym Trojan Targets Banks in Germany (August 23 and 24, 2016)

The GozNym Trojan horse program is targeting more than a dozen German banks. The malware redirects infected customers who are doing their banking over the Internet to websites where the attackers steal account access credentials. GozNym has previously been used in similar attacks in the US and Poland.
Read more in: ZDNet: GozNym Trojan spreads to attack German banks
SC Magazine: GozNym malware is proficient in German, new malicious campaign proves

Russian Banks Face Stronger Security Rules (August 22, 2016)

The Russian Central Bank has established mandatory cybersecurity rules for domestic Russian banks. The banks will be required to report breaches to FinCERT, and to constantly monitor computers that transfer payments to the Central Bank. Banks that are not compliant with the rules by the end of June 2017 could face penalties, including fines and being disconnected from the electronic payments system.

[Editor Comments ]

[Murray ]
They are requiring the completion of sensitive transactions or the exercise of special privileges to rely upon actions of multiple independent parties. This is a test that all central banks and other regulators should apply.
Read more in: SC Magazine UK: Russia's Central Bank introduces new mandatory cyber-security regulations


Voicemail Message Notification Delivers Ransomware

Updates Microsoft Word Bulletin

Multiple BTS Software Vulnerabilities

Popular HTTP Proxies Vulnerable to Cache Poisoning

Juniper/Cisco Updates Regarding #NSA Exploits

Wildfire Ransomware Takedown and Key Recovery

"Sandscout" tool to exploit iOS Sandbox Vulnerabilities (sorry, only in German)

Sweet32 Birthday Attack against 3DES and Blowfish (https/openvpn)

Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities

Malicious E-Mail Installs Proxy File to Redirect Requests to santander.com.br

Nginx DNS Resolver Issue (Windows Only)

Wifi Signals Can Be Used for Keystroke Sniffing

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil and gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research and principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create