
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #50

June 26, 2018


SANS NewsBites               June 26, 2018                Vol. 20, Num. 050




Supreme Court Says Law Enforcement Need Warrant to Access Cell Site Location Data

California Data Privacy Bill Would Give Residents More Control Over Their Personal Information

Android Battery Saving App Also Loads Click Bot Malware

Indian Banks Must Migrate ATMs from Windows XP

DISA Developing Continuous Evaluation Security Clearance Technology

Treasury Inspector General for Tax Administration Audit Found IRS Actions Did Not Adequately Protect Taxpayer Data

2018 Cyber X-Games Focused on Critical Infrastructure

Known Drupal Flaw is Being Exploited to Mine Cryptocurrency

Mobile Service Providers Will Stop Selling Location Data

PDQ Restaurant Chain Acknowledges Point-of-Sale System Breach


***************************  Sponsored By InfoBlox  ************************

5 security experts say "Hack, No!" to DNS Threats.  Join the live panel discussion June 28. http://www.sans.org/info/204990


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a new iPad, Samsung Galaxy Tab A, or take $250 Off with Any OnDemand or vLive Course, Offer Ends June 27.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






Supreme Court Says Law Enforcement Need Warrant to Access Cell Site Location Data

(June 22, 2018)

The US Supreme Court has ruled that law enforcement must obtain a warrant to collect a suspect's cell site location information (CSLI). In a 5-4 decision, Chief Justice John Roberts wrote in the majority opinion that "when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone's user." The ruling does not overturn the "third-party doctrine," a legal precedent that found that people have no "reasonable expectation of privacy" regarding information collected by a third party, nor does it cover real-time tracking.

[Editor Comments]

[Pescatore] Establishing that individuals do "own" their personal location data, even if held by third parties, is a sweeping modernization of the boundaries of privacy. For law enforcement, getting a warrant is not really a major impediment, and the ruling validates that warrantless access would still be allowed in emergency situations, such as "bomb threats, active shootings, and child abductions." But other commercial applications collecting individual location data (personally worn IoT devices, smart cars, etc.) don't seem to be specifically addressed - yet.


[Murray] The Fourth Amendment does not speak to the "expectations" of the citizen but to whether or not the searches and seizures of the state are "reasonable," per se. The "reasonable expectation of privacy" test is used to justify some abuse. Carpenter contains the usual emergency (e.g., kidnapping, terrorism) exception to the warrant requirement but not to the Probable Cause test for the admissibility of evidence collected under the emergency exception.  


Read more in:

Supreme Court: Carpenter V. United States: Certiorari to the United States Court of Appeals for the Sixth Circuit (PDF)


Wired: The Supreme Court Just Greatly Strengthened Digital Privacy


SC Magazine: Supreme Court rules government generally needs warrant for long-term surveillance using location data


ZDNet: Supreme Court says police need a warrant for historical cell location records


Ars Technica: Supreme Court rules: Yes, gov't needs warrant to get cellphone location data



California Data Privacy Bill Would Give Residents More Control Over Their Personal Information

(June 22, 2018)

A bill introduced in the California state legislature could give residents more control over their personal data. The California Consumer Privacy Act of 2018 would allow California residents to find out what personal information data brokers and other businesses are collecting, where the companies obtain those data, and how those data are shared. Californians would be able to ask that the companies delete their personal information and demand that it not be sold. Businesses would be barred from denying services to people who make these demands.   

[Editor Comments]

[Murray, Pescatore, Neely, Northcutt]

In security, as goes California, so goes the nation. "Breach Notification" began with California law; they tend to be early. Enterprises tend to comply with California law, whether or not they are domiciled there, while other states tend to follow their example. The California legislature seems to be good at the difficult job of drafting.


Read more in:

Wired: Bill Could Give Californians Unprecedented Control Over Data


LegInfo: The California Consumer Privacy Act of 2018



Android Battery Saving App Also Loads Click Bot Malware

(June 22, 2018)

A malicious Android app that infects devices with click bot malware is also capable of stealing text messages and log data. The app has infected at least 60,000 Android devices. Users are led to the app through a pop-up ad telling them that there is a problem with their device's battery. The app does actually monitor battery levels and shuts down processes that are using too much power when the battery is low.  

[Editor Comments]

[Neely] Note that this application was delivered through the legitimate Google Play store. Users need to be diligent about permissions granted to an application. For example, this battery saving application requests SMS and Bluetooth pairing capabilities, as well as the ability to modify system settings, which should be red flags.

Read more in:

SC Magazine: 60,000 Android devices hit with ad-clicking bot malware


Threatpost: Malicious App Infects 60,000 Android Devices - But Still Saves Their Batteries
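The permission red flags Neely describes above (a battery-saver app requesting SMS, Bluetooth pairing and system-settings rights) can be checked mechanically before an app is approved for a managed fleet. The script below is an added example, not code from the original newsletter or from any vendor: it parses a constructed AndroidManifest.xml fragment with the standard library and reports every requested permission that appears on an assumed red-flag list for an app of this stated purpose. The manifest content, the package name and the red-flag list are all illustrative assumptions.

```python
"""Triage an Android manifest's requested permissions against the app's stated purpose.

Added example: the manifest below is constructed for illustration and the
red-flag list is an assumption; a real review would use the organisation's
own policy and the manifest dumped from the APK.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace (android:name etc.).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed red-flag list: permission families a battery-saver app has no
# legitimate reason to request, with the capability each one grants.
RED_FLAGS = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.BLUETOOTH_ADMIN": "initiate Bluetooth pairing",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.READ_LOGS": "read system log data",
}

# Constructed manifest fragment (not the real app's manifest): a plausible
# battery-saver that also asks for SMS, Bluetooth, settings and log access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
    <uses-permission android:name="android.permission.BATTERY_STATS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <application android:label="Battery Saver"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission named in a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def triage(manifest_xml, red_flags=RED_FLAGS):
    """Map each requested red-flag permission to the capability it grants."""
    return {p: red_flags[p] for p in requested_permissions(manifest_xml) if p in red_flags}


if __name__ == "__main__":
    findings = triage(SAMPLE_MANIFEST)
    for perm, capability in findings.items():
        print("RED FLAG: %s lets the app %s" % (perm, capability))
    print("%d of %d requested permissions flagged"
          % (len(findings), len(requested_permissions(SAMPLE_MANIFEST))))
```

Inside a real APK the manifest is stored as binary XML, so it must first be dumped to text (for example with `aapt dump xmltree` or `aapt dump permissions` from the Android SDK build tools) before being fed to `triage`. The value of the check is the mismatch between declared purpose and requested capability, which is exactly the signal Neely points to: the permissions are not malicious in themselves, but none of the flagged ones is needed to monitor a battery.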


**************************  SPONSORED LINKS  ********************************

1) Don't Miss:  "All Your Network Traffic Are Belong to Us -- VPNFilter Malware and Implications for ICS"  Register: http://www.sans.org/info/204995

2) Fortinet Webcast "Diffuse Cryptojacking & Ransomware Attacks with a Sandbox" with Dave Shackleford.  Register: http://www.sans.org/info/205000

3) Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205005 and enter to win a $400 Amazon gift card!




Indian Banks Must Migrate ATMs from Windows XP

(June 25, 2018)

India's banks have until June 2019 to stop using Windows XP in ATMs. (For reference, Microsoft ended support for Windows XP in April 2014.) The Reserve Bank of India sent financial institutions a notice setting out a timeline for migration; at least 50 percent of the machines must be migrated by the end of this calendar year; they must implement anti-skimming and application whitelisting technologies by March 2019; and they must be completely migrated a year from now. The banks must file compliance plans by the end of July 2018.    

[Editor Comments]

[Neely] ATMs are viewed more as appliances than computers, where security updates and changes must be well tested before deployment, and, not unlike SCADA systems, they are expected to last a very long time to achieve the expected ROI. The update to newer operating systems typically drives replacing the entire ATM to add newer functionality, such as check imaging and EMV support, as well as increased security. While standalone ATMs are relatively inexpensive, in-wall units are expensive, which will lead to maximal timeline use.

Read more in:

The Register: India tells its banks to get Windows XP off ATMs - in 2019!


Reserve Bank of India: Control measures for ATMs - Timeline for compliance




DISA Developing Continuous Evaluation Security Clearance Technology

(June 22, 2018)

The Defense Information Systems Agency (DISA) is developing a security clearance investigation system that will employ continuous evaluation capability, eliminating the need to reinvestigate workers who already hold security clearances and reducing the backlog of security clearance investigations. The National Background Investigation System (NBIS) "is designed to replace and modernize the existing systems that were being operated by OPM," according to DISA services development executive and acting executive officer for NBIS Terry Carpenter. DISA was given the task of developing and managing security clearance technology following the massive data breach at the Office of Personnel Management (OPM) in 2015.

[Editor Comments]

[Neely] Process and automation improvements will improve the overall clearance process, hopefully eliminating the bi-annual OPM tiger team working their backlogs. The focus for the new system must be on security first.


Read more in:

FCW: DISA takes the lead in continuous monitoring clearance tech




Treasury Inspector General for Tax Administration Audit Found IRS Actions Did Not Adequately Protect Taxpayer Data

(June 21 & 25, 2018)

According to an audit report from the Treasury Inspector General for Tax Administration, the US Internal Revenue Service (IRS) was in such a hurry to fix one security issue that it neglected to take precautions to protect taxpayer data. The IRS rushed to fix weaknesses in the "Get Transcript" feature that were being exploited by criminals to file fraudulent tax returns and steal refunds. The IRS shut down the feature and moved the associated logs to a data warehouse for analysts to examine for fraud. The IRS neglected to inform the officials in charge of the warehouse that the data were being moved there. While the IRS did ensure that the facility had appropriate physical security, no steps were taken to monitor what employees did once they had access to the system.

[Editor Comments]

[Honan] A reminder that when responding to an incident that requires you to use alternative systems, it is essential to ensure the alternatives being used have the same levels of security as the primary systems.


Read more in:

Treasury.gov: The Cybersecurity Data Warehouse Needs Improved Security Controls (PDF)


Nextgov: IRS' Rush to Secure Exposed Taxpayer Data Left It Vulnerable Again




2018 Cyber X-Games Focused on Critical Infrastructure

(June 19 & 22, 2018)

Earlier this month, the Army Reserve Cyber Operations Group held the Cyber X-Games, which brought together 72 participants (Army and Air Force soldiers, ROTC cadets, and military contractors) in an exercise geared toward practicing the defense of critical infrastructure networks in finance, public utilities, and healthcare from cyberattacks. Prior to the exercise, the participants spent four days learning about the tools and protocols they would be using.

Read more in:

Army: Cyber X-Games 2018 focuses on critical infrastructure


Fifth Domain: How the Army is virtually prepping for real cyberattacks




Known Drupal Flaw is Being Exploited to Mine Cryptocurrency

(June 21 & 22, 2018)

A remote code execution flaw in versions 7 and 8 of the Drupal content management framework is being exploited to use infected machines' processing power to mine Monero cryptocurrency. For the time being, it appears that cryptocurrency mining is all the flaw is being used for, but it could be used as a means of conducting more malicious activity. A fix for the vulnerability has been available since April 25, 2018, but many users have not yet updated.   

[Editor Comments]

[Henry] We've seen another similar vulnerability in Drupal as well. Both vulnerabilities allow for remote code execution and have been patched. However, given the outstanding number of unpatched and un-updated sites, the vulnerabilities are likely to continue to be ripe for mineware campaigns. The exploitations are creating significant costs to victim companies as their resources are being exploited by criminals.

Read more in:

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004


Trend Micro: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware


Dark Reading: New Drupal Exploit Mines Monero for Attackers




Mobile Service Providers Will Stop Selling Location Data

(June 19, 2018)

After being publicly criticized by US Senator Ron Wyden (D-Oregon), Verizon pledged in a June 15, 2018 letter to Wyden to end the practice of sharing information with location aggregators. Sprint, AT&T, and T-Mobile have said that they will follow Verizon's example and no longer sell customers' real-time cell location data to third parties. Wyden sent letters to the carriers after learning of information being shared with a company that used the data in ways that violated carrier policy.

[Editor Comments]

[Murray] The company to whom the carriers were selling the data existed for the purpose of reselling to those to whom the carriers did not want to be seen as selling directly. Kudos to Senator Wyden for holding them accountable for this abuse.  

Read more in:

Wyden: Following Wyden's Investigation, Verizon Pledges to End Contracts With Companies that Sell Americans' Location


Wyden: Verizon Letter (PDF)


ZDNet: Verizon, Sprint, AT&T and T-Mobile stop sharing real-time cell phone location data




PDQ Restaurant Chain Acknowledges Point-of-Sale System Breach

(June 25, 2018)

The PDQ fast food restaurant chain has disclosed that a point-of-sale system breach compromised customer payment card data. The malware was on the PDQ system between April 20 and May 19, 2018. Some of the information has been used to conduct fraudulent transactions. The breach affects nearly all of PDQ's 70 locations.  

[Editor Comments]

[Murray] The hospitality industry, and the service providers on which it relies, continue to be a major source of the compromise of payment card data. However, the fundamental vulnerability remains the continued use of the account number in the clear on the magnetic stripe. Years after the introduction and acceptance of the EMV chip, the industry has still not announced a plan, much less a schedule, for eliminating this egregious vulnerability. This may be in part because the merchants bear much of the risk and want the magnetic stripe for backward compatibility.


Read more in:

SC Magazine: Hackers get into PDQ's hen house, swipe credit card data






XPS Documents Used for Spam

Deprecating TLSv1.0 and TLSv1.1

Leaky Firebase Installs

Guilty By Association

Filezilla and Adware

iOS Pin Brute Forcing Confusion

Azure Baseline Security Policy

Phone Battery Usage as Keystroke Logger

New Exploit Kit Trends




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create