
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #54

July 10, 2018


SANS NewsBites                July 10, 2018                Vol. 20, Num. 054




PCI Auditor Trustwave Sued By Insurance Companies for Heartland Breach


Major Breaches in the First Six Months of 2018



Polar Flow Fitness App Reveals Location of Users in Military and Intelligence Agencies


Apple Launches iPhone USB Restricted Mode


D-Link, CIT Certificates Stolen


Domain Factory Hosting Provider Breach Exposed Customer Data


Timehop Breach Exposed User Data


Australian University Working to Contain Systems Breach


Chrome 68, Expected in Less Than Two Weeks, Will Mark HTTP Sites "Not Secure"


Suspended Sentence in Coinhive Case


Google Releases Android Update for July


***************************  Sponsored By Splunk  ***************************

Gartner Names Splunk a SIEM Magic Quadrant Leader for the Fifth Year Running!  Gartner recently published its 2017 Magic Quadrant (MQ) for Security Information and Event Management where Splunk was named a leader in the security information and event management (SIEM) market. Read the report to learn why Splunk is part of the select few that can replace outdated SIEM deployments and deliver the security analytics solution of tomorrow. http://www.sans.org/info/205265


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course, Offer Ends July 18.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






PCI Auditor Trustwave Sued By Insurance Companies for Heartland Breach

(July 6 & 9, 2018)

Two insurance companies are suing security firm Trustwave to recover payments they made to Heartland Payment Systems after a breach that occurred more than a decade ago. Heartland disclosed the breach in January 2009; attackers had stolen information on more than 100 million payment cards. Lexington Insurance Company paid out $20 million USD; Beazley Insurance Company paid out $10 million USD. The insurance companies maintain that Trustwave, which was contracted by Heartland to certify its Payment Card Industry Data Security Standard (PCI DSS) compliance, failed to detect an SQL injection attack on Heartland's systems in July 2007 and malware on Heartland servers in May 2008. The lawsuit also says that a Visa review of Heartland servers "found that Trustwave had incorrectly certified Heartland as PCI DSS compliant" in 2007 and 2008.

[Editor Comments]

[Paller] It is not uncommon for companies to shop for "less rigorous" PCI auditors. If such auditors still exist, their executives and owners may not be sleeping as well as they did.

[Murray] This case will likely turn on the agreement between Heartland and Trustwave, rather than PCI DSS, and will likely be defended by Trustwave's insurers.

[Neely] It is generally a good idea to change your internal auditing company, or at least the members of the team, every 3-5 years to discover overlooked issues. Additionally, security assessments need to go beyond compliance requirements, assessing the entire corporate environment to ensure overall cyber hygiene is appropriate.

[Honan] The effect insurance companies will have on the cybersecurity industry will be far reaching and this is just one of the initial forays we will see in this area. Insurance companies have decades of experience in quantifying and managing risk; that experience will be brought to bear on the cybersecurity industry which will hopefully lead to more robust risk management models for us and also weed out companies that are not proficient in providing cybersecurity services.

Read more in:

Cook County Record: Lawsuit: Data security firm Trustwave owes $30M for 2009 data breach at Heartland Payment Systems


Dark Reading: Insurers Sue Trustwave for $30M Over '08 Heartland Data Breach


Bleeping Computer: Security Firm Sued for Failing to Detect Malware That Caused a 2009 Breach




Major Breaches in the First Six Months of 2018

(July 9, 2018)

The most serious breaches of the first half of 2018 include the US government acknowledging that Russian hackers have managed access to a power utility's control systems; hackers using phishing attacks to gain access to university systems, private companies, and government agencies around the world and stealing many terabytes of intellectual property; and many instances of organizations misconfiguring data storage mechanisms, exposing stored information.

Read more in:

Wired: The Worst Cybersecurity Breaches of 2018 So Far


**************************  SPONSORED LINKS  ********************************

1) Don't Miss: "Hiding in plain sight: the menace of Business Email Compromise And Why undertaking a regular compromise assessment is key" Register: http://www.sans.org/info/205270

2) Organizations are finding their network perimeters, and thus their attack surfaces, are changing daily. Learn More: http://www.sans.org/info/205275

3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205280 and enter to win a $400 Amazon gift card!




Polar Flow Fitness App Reveals Location of Users in Military and Intelligence Agencies

(July 9, 2018)

The Polar Flow fitness app exposes sensitive information about its users, which include US intelligence employees, and military personnel. The Polar Flow Explore function could be used to obtain not only a user's geolocation data, but also their name and home address. Polar has temporarily suspended the Explore API. Polar is not the first fitness app to expose user data; several months ago, the Strava app was found to be exposing soldiers' locations and routes.

[Editor Comments]

[Murray] While one can blame the app designers, this is an edge use case. The agencies that elected to use the app in such a sensitive application and environment certainly bear part of the blame.

[Neely] The big difference between this exposure and the prior Strava location disclosure is that Polar Flow exposed usernames, which could then be traced back to real identities using OSINT techniques. While Polar claims disclosure of the username was an opt-in feature, the allure of "social-fitness" sharing of workout information makes opting in very attractive, particularly as more employers roll out wellness programs that include fitness tracking devices. Pausing to weigh the possible OPSEC consequences of sharing that information is counter-intuitive for many and needs to be explicitly included in user awareness training.


[Honan] In the rush to get products and features to market, many organisations are failing to consider the impact their product could have on the privacy and the real lives of those who use their products. The introduction of the General Data Protection Regulation (GDPR) has Privacy by Design as one of its key cornerstones and we should hopefully see improvements in this area moving forward.

Read more in:

Threatpost: Polar Fitness App Exposes Location of 'Spies' and Military Personnel


Bleeping Computer: Polar App Disables Feature That Allowed Journalists to Identify Intelligence Personnel


Fifth Domain: Polar fitness app broadcasted sensitive details of intelligence and service members


The Register: Fitness app Polar even better at revealing secrets than Strava




Apple Launches iPhone USB Restricted Mode

(July 9, 2018)

With the release of Apple's iOS 11.4.1, USB Restricted Mode for iPhone makes its debut. The feature prevents access to the phone's contents through its Lightning port. An hour after the device has been locked, data access through the Lightning port is disabled and is only allowed again after the correct passcode has been entered. Users will still be able to charge their phones. Prior to the introduction of USB Restricted Mode, data access through the Lightning port was disabled only after the device had been locked for a week. The feature is on by default in iOS 11.4.1.

[Editor Comments]

[Neely] The USB Accessories setting, found under Touch ID (or Face ID) & Passcode in the Settings app, may appear backwards at first, as turning the option to allow USB accessories without a timeout turns off the protection. In the general use case, where the device has been locked for an hour, USB access, forensic or otherwise, will require the user to allow the access by unlocking the device, which adds peace of mind for the lost/stolen scenario. For corporate devices with this protection enabled, this means you'll either need the existing passcode or to reset it to perform forensic analysis on a device which has been locked for more than an hour.

Read more in:

Engadget: iOS update adds security-focused USB restricted mode (updated)


Threatpost: Apple OS Update Lifts Curtain on iPhone USB Restricted Mode




D-Link, CIT Certificates Stolen

(July 9 & 10, 2018)

Code signing certificates from D-Link and Changing Information Technology (CIT) appear to have been stolen and used to sign and spread malware known as Plead. Both of the purloined certificates have been revoked.

[Editor Comments]

[Murray] What is being compromised here is not "certificates" but the ability to create them, including the private key.

Read more in:

The Register: Malware scum copied D-Link's code-signing certificates


SC Magazine: Stolen legitimate security certificates used to push Plead backdoor




Domain Factory Hosting Provider Breach Exposed Customer Data

(July 9, 2018)

A breach of systems at German hosting provider Domain Factory has exposed customer information. The breach occurred in late January 2018, but the company did not learn of the incident until July 3. The compromised data include names, email addresses, birth dates, account passwords, and bank account information. Domain Factory customers are being urged to change their passwords.

[Editor Comments]

[Honan] As Domain Factory only discovered the breach on July 3rd, it will be interesting to keep an eye on how this breach develops with regards to GDPR. Under GDPR, organisations must notify their Supervisory Authority within 72 hours of detecting a breach. How this pans out will be of great interest to those who fall under the GDPR regulations (which is anyone who processes and/or stores personal data on individuals living within the EU).

Read more in:

The Register: 'Domain Factory' confirms January 2018 data breach


ZDNet: User data exposed in Domain Factory hosting security breach


Domain Factory: First-hand information - in German with translate option


Heise: Data leak at Domainfactory: Hackers crack systems, let customer data go along (in German with translate option)




Timehop Breach Exposed User Data

(July 9, 2018)

On July 4, 2018, a breach of the Timehop app's back-end cloud-based computing environment exposed the personal information of as many as 21 million people. Timehop, which digs up old posts from users' social media profiles, became aware of the breach and managed to interrupt it while in progress. The compromised data include contact information and the access tokens used to gather the old posts. The access tokens have been de-authorized. In a statement on its website, Timehop noted that it "has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web."

[Editor Comments]

[Murray] Timehop management admits to the compromise of administrative credentials and the absence of strong authentication for the administrator. We continue to permit practices for privileged users that we condemn otherwise. The Israelis and their competitors provide software that provides for control, transparency, and accountability of privileged users. It is reckless not to use it.

[Honan] The Dark Web is part of the Internet and its overuse as a phrase in articles, media, press releases, and marketing material is making the Dark Web appear to be this mysterious and scary place that is separate from the Internet. This will lead people into a false sense of security regarding the Internet and believing bad things only happen on the Dark Web. Vendors need to stop FUD tactics and the overuse of the phrase of the Dark Web.

Read more in:

Threatpost: Timehop Breach Impacts Personal Data of 21 Million Users


ZDNet: Timehop breach hits 21 million users due to a lack of 2FA on cloud services


The Register: Nostalgic social network 'Timehop' loses data from 21 million users


Motherboard: Timehop Just Leaked Your Phone Number, Here's What You Need to Do


Timehop: Timehop Security Incident, July 4th, 2018




Australian University Working to Contain Systems Breach

(July 6 & 9, 2018)

The Australian National University in Canberra has been working to contain a systems breach believed to be the work of Chinese hackers, according to authorities there. The university includes a number of defense research units. The Australian government is helping the university "to minimize the impact of [the] threat."

Read more in:

Sydney Morning Herald: Chinese hackers breach ANU, putting national security at risk


Cyberscoop: Chinese-linked hackers breached top Australian defense university, report says


Reuters: Top-ranked Australian university hit by Chinese hackers: media


Bloomberg: Australian University Combats Hack of Computers Blamed on China




Chrome 68, Expected in Less Than Two Weeks, Will Mark HTTP Sites "Not Secure"

(July 6, 2018)

Chrome 68 is slated to be moved to the stable channel later this month, which means that all HTTP sites will be marked as "not secure" when viewed in the Chrome browser. While some major news sites, like BBC, The New York Times, and The Guardian, have already moved to HTTPS by default, others have moved part but not all of their site to HTTPS.
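Chrome's "not secure" label applies to any page served over http://, but the "part but not all" migrations described above usually show up in two other ways: an https:// page that still loads scripts or images over http:// (mixed content), or an https:// page that links back to http:// pages on the same site. The following is an added example, not code from the article, from Google or from SANS: an offline audit of a page's HTML that classifies it into those cases. The page URL and the HTML are constructed sample input; the hostnames are placeholders.

```python
"""Audit a page's HTML for what keeps a site from being fully HTTPS.

Added example (not from the newsletter). Uses only the standard library so it
runs offline on constructed input; point it at fetched HTML to use it for real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser *load* a resource. An http:// URL
# here on an https:// page is mixed content. Plain <a href> links are handled
# separately, since they navigate rather than load.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("video", "src"),
    ("video", "poster"), ("audio", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"), ("link", "href"),
}


class _RefCollector(HTMLParser):
    """Collect raw URL attribute values from start tags."""

    def __init__(self):
        super().__init__()
        self.subresources = []  # (tag, attribute, raw value)
        self.links = []         # raw <a href> values

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.subresources.append((tag, name, value))
            elif tag == "a" and name == "href":
                self.links.append(value)


def audit_https(page_url, html):
    """Return a report of http:// subresources and same-site http:// links.

    Relative and protocol-relative ("//host/x") references are resolved
    against page_url first, so "//cdn/x" on an https page counts as https.
    """
    collector = _RefCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    report = {"page_scheme": page.scheme, "mixed_content": [], "http_links_same_site": []}

    for tag, attr, value in collector.subresources:
        absolute = urljoin(page_url, value)
        if urlsplit(absolute).scheme == "http":
            report["mixed_content"].append(f"<{tag} {attr}={absolute}>")

    for value in collector.links:
        absolute = urljoin(page_url, value)
        target = urlsplit(absolute)
        # Only links to our own host indicate an incomplete migration;
        # links to third parties are their problem, not ours.
        if target.scheme == "http" and target.hostname == page.hostname:
            report["http_links_same_site"].append(absolute)
    return report


def verdict(report):
    """Reduce a report to the label a site operator cares about."""
    if report["page_scheme"] != "https":
        return "not secure"  # what Chrome 68 shows for any http:// page
    if report["mixed_content"]:
        return "mixed content"
    if report["http_links_same_site"]:
        return "https, but links back to http pages"
    return "https"


# Constructed sample: an https page that still loads two http resources and
# links to one http page on its own site. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://www.example.com/news/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/lib.js"></script>
<script src="//cdn.example.com/analytics.js"></script>
</head><body>
<img src="http://img.example.com/logo.png" alt="">
<a href="http://www.example.com/sports/">Sports</a>
<a href="https://www.example.com/world/">World</a>
<a href="http://other.example.org/">Partner</a>
</body></html>
"""

if __name__ == "__main__":
    result = audit_https(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print(verdict(result))
    for finding in result["mixed_content"] + result["http_links_same_site"]:
        print("  ", finding)
```

On the sample, the stylesheet and the protocol-relative analytics script resolve to https:// and are fine; the two absolute http:// subresources are mixed content, and only the same-host sports link is reported, not the third-party one.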

[Editor Comments]

[Neely] While regression testing is important, the time of tools, plug-ins and browsers not being able to operate with HTTPS is behind us. More and more hosting services are offering free HTTPS options such as Let's Encrypt, and other options such as Symantec Encryption Everywhere, and Cloudflare can be leveraged for locally hosted sites.


[Northcutt] When the browser supplier with 61% market share speaks, people will have to listen. However, I think dealing with redirects in cross-origin frames is just as important to surfing safety. https://blog.chromium.org/2018/06/chrome-68-beta-add-to-home-screen.html

Read more in:

Ars Technica: Despite Chrome's pending "mark of shame," 3 major news sites aren't HTTPS


Heise: Transport encryption: Chrome 68 does not like HTTP anymore (in German with translate option)




Suspended Sentence in Coinhive Case

(July 6, 2018)

A judge in Japan has given a man a suspended sentence for cryptojacking. Masato Yasuda hid a Coinhive cryptominer in a game-cheat tool, which was downloaded 90 times. The surreptitious cryptomining software earned Yasuda approximately 5,000 Japanese yen ($45 USD). Yasuda will receive a one-year jail sentence if he commits another offense within the next three years.

Read more in:

The Register: Japanese cryptominer slapped with suspended sentence




Google Releases Android Update for July

(July 2 & 6, 2018)

Google's Android security bulletin for July addresses 44 vulnerabilities, including 11 flaws of critical severity. The most severe, according to Google, is a flaw in the Android Media framework that could be exploited "to execute arbitrary code within the context of a privileged process."

Read more in:

Threatpost: Google Patches Critical Remote Code Execution Bugs in Android OS


Android: Android Security Bulletin--July 2018




Trivial Exploit For HP iLO 4 (patched last August) (PDF)


Flexible Miner/Ransomware


Hacker Steals Gas From Gas Station



Reverse Shell via Weblogic Flaw


Apple Patches Everything Again


Microsoft Offers Better Azure AD Password Protection




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create