
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #63

August 11, 2017

TOP OF THE NEWS


Hack the Air Force Bug Bounty Program Results
SAP Patches 19 Security Flaws
Microsoft Patch Tuesday
Adobe Patches for Acrobat, Reader, and Flash
Russian Espionage Group Targeted Western Travelers at European Hotels

THE REST OF THE WEEK'S NEWS


Bad Android Messaging Apps
Ukraine Postal Service Cyber Attack
Petya Arrest
Mozilla Releases Firefox 55
Microsoft to Distrust StartCom and WoSign Certificates
Salesforce Fires Two Security Engineers Over DEF CON Talk

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Forcepoint LLC *******************************

Forcepoint Achieves Highest Overall Security Effectiveness Out of 10 Vendors in 2017 NSS Labs' NGFW Test. In the test, Forcepoint NGFW blocked 99.95 percent of exploits and is the only vendor to block 100 percent of tested exploits from the NSS Labs static exploit library. Download the free report to view the full test results. http://www.sans.org/info/197375

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS OnDemand and vLive Training
Online Training Special: Get an iPad, Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training - ends August 16. Top-tier training without the travel. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Hack the Air Force Bug Bounty Program Results (August 10, 2017)

The US Air Force's (USAF's) first bug bounty program, held earlier this year, turned up 207 valid vulnerabilities in 13 USAF public-facing websites. The program was open to participants from the US, Canada, the UK, Australia, and New Zealand; in all, 272 people took part.

[Editor Comments]
[Pescatore] All of the military services have seen the value of well-managed bug bounty programs, so here is what the next milestone should be: run them against web code *before* allowing that code to be installed on production systems. Even better, if you have the skills and budget, make sure application vulnerability testing is a routine part of several stages of a secure development life cycle for all software - including the software you buy. There are many examples of short payback periods and faster (not slower) time to market when this approach is adopted.

Read more in:
Nextgov: 17-Year-Old Hacks the Air Force for the Biggest Bug Bounty
http://www.nextgov.com/cybersecurity/2017/08/17-year-old-hacks-air-force-biggest-bug-bounty/140153/?oref=ng-channelriver
Fifth Domain: Hackers discover hundreds of vulnerabilities in Air Force domains
https://www.fifthdomain.com/dod/air-force/2017/08/10/hackers-discover-hundreds-of-vulnerabilities-in-air-force-domains/
The Hill: 'Hack the Air Force' challenge most successful military bug bounty yet
http://thehill.com/policy/cybersecurity/346016-hack-the-air-force-challenge-most-successful-military-bug-bounty-yet

--SAP Patches 19 Security Flaws (August 8 & 9, 2017)

SAP has released fixes for 19 vulnerabilities in its business management software. Three of the flaws have been given a high severity rating.

Read more in:
Threatpost: SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity
https://threatpost.com/sap-patch-tuesday-update-resolves-19-flaws-three-high-severity/127357/
The Register: SAP cleans up more than a dozen troubling CRM security blunders
http://www.theregister.co.uk/2017/08/09/sap_crm_vuln/
SAP: SAP Security Patch Day - August 2017
https://blogs.sap.com/2017/08/08/sap-security-patch-day-august-2017

--Microsoft Patch Tuesday (August 8 & 9, 2017)

On Tuesday, August 8, Microsoft released fixes for 48 security issues across a variety of its products. Twenty-five of the flaws are rated critical. Two of the flaws affect all currently supported versions of Windows.

Read more in:
Threatpost: Microsoft Patches Critical Windows Search Vulnerability
https://threatpost.com/microsoft-patches-critical-windows-search-vulnerability/127303/
ZDNet: Microsoft fixes 'critical' security bugs affecting all versions of Windows
http://www.zdnet.com/article/critical-security-bugs-affect-all-windows-versions/
Dark Reading: Microsoft Fixes 27 Remote Code Execution Flaws
http://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-27-remote-code-execution-flaws/d/d-id/1329596?
Microsoft: Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance

--Adobe Patches for Acrobat, Reader, and Flash (August 9, 2017)

Adobe has released updates for Acrobat and Reader to address security issues that could be exploited to take control of vulnerable systems. The Acrobat and Reader updates are available for Windows and Mac. Adobe also released security updates for Flash Player, including a fix for a vulnerability that an earlier patch had only incompletely addressed. The Flash updates are available for Windows, Mac, Linux, and Chrome OS.

Read more in:
KrebsOnSecurity: Critical Security Fixes from Adobe, Microsoft
https://krebsonsecurity.com/2017/08/critical-security-fixes-from-adobe-microsoft-2/
ZDNet: Adobe patches security flaws in Acrobat and Reader
http://www.zdnet.com/article/adobe-patches-security-flaws-in-adobe-acrobat-and-reader/
Threatpost: Patched Flash Player Sandbox Escape Leaked Windows Credentials
https://threatpost.com/patched-flash-player-sandbox-escape-leaked-windows-credentials/127378/
Adobe: Security Update Available for Adobe Acrobat and Reader | APSB17-24
https://helpx.adobe.com/security/products/acrobat/apsb17-24.html
Adobe: Security updates available for Flash Player | APSB17-23
https://helpx.adobe.com/security/products/flash-player/apsb17-23.html

--Russian Espionage Group Targeted Western Travelers at European Hotels (August 11, 2017)

A Russian cyber-espionage group launched attacks against Wi-Fi networks in European hotels in an attempt to steal account credentials from business and government travelers. According to FireEye, which attributes the campaign to the APT28 espionage group, the attacks occurred in early July. The attackers used spear phishing to trick hotel guests into opening a malicious hotel reservation document.

[Editor Comments]
[Neely] Government travelers usually travel with burner or disposable laptops to potentially hostile environments, with mitigations for guest wireless such as cellular modems, and are given a current threat briefing before departure. The challenge is keeping only the information they need on the laptop and following appropriate sanitization processes for any data transferred back after the trip. Business travelers should follow suit. Have sufficient data about the risks at the destination, and travel only with a laptop designated for foreign travel that contains only the data you absolutely need. Sanitize the laptop between trips. Don't reconnect the laptop to the corporate network until it has been sanitized.

Read more in:
Reuters: Russia-linked hackers targeted hotel guests across Europe: security firm
https://www.reuters.com/article/us-cyber-hotels-idUSKBN1AR1IZ

*************************** SPONSORED LINKS ********************************
1) The cost of Business Email Compromise is impacting employees, business partners and customers of organizations around the world. Register: http://www.sans.org/info/197380
2) Register to learn how to put some power into your network security so that you can effectively detect, hunt and prevent advanced threats. http://www.sans.org/info/197385
3) Join this webinar to learn about the Infoblox's unique approach to detecting and preventing data exfiltration. http://www.sans.org/info/197390
******************************************************************************

THE REST OF THE WEEK'S NEWS

--Bad Android Messaging Apps (August 10, 2017)

Some apps available in Android app stores have been found to contain malware known as SonicSpy, which can record calls, take pictures, make calls, send text messages, and monitor call logs and Wi-Fi access point information. SonicSpy is bundled into messaging apps that work as advertised while surreptitiously monitoring users and stealing their information.

[Editor Comments]
[Williams] Just because it's in the legitimate app store doesn't mean it's good. There are many applications with malicious "extra features" in the legitimate app store today.

Read more in:
ZDNet: Android app stores flooded with 1,000 spyware apps
http://www.zdnet.com/article/android-app-stores-flooded-with-1000-spyware-apps/

--Ukraine Postal Service Cyber Attack (August 10, 2017)

The package-tracking system of Ukraine's national postal service has been the target of distributed denial-of-service (DDoS) attacks. The first attack began on Monday, August 7; IT staff were able to contain the incident and restore normal operation. A second attack began the following day.

Read more in:
BBC: Ukrainian postal service hit by 48-hour cyber-attack
http://www.bbc.com/news/technology-40886418

--Petya Arrest (August 10, 2017)

Police in Ukraine have arrested a person in connection with the Petya malware attacks that spread in late June, a month after the WannaCry outbreak. According to a police statement, the suspect told them he uploaded the malware to a file-sharing account and posted a link with instructions on his blog.

[Editor Comments]
[Williams] The suspect in this case isn't accused of deploying the original malware code. He posted a sample and instructions for executing the code in your environment to help people get extensions for filing taxes. Definitely a fraudster, definitely not a network exploitation mastermind.

Read more in:
ZDNet: Ukraine police make arrest in Petya ransomware case
http://www.zdnet.com/article/ukraine-police-arrest-suspect-behind-petya-ransomware-attack/
The Hill: Ukrainian police arrest suspect for spreading Petya malware
http://thehill.com/policy/cybersecurity/346109-ukraine-arrests-suspect-for-spreading-petya-malware-to-hide-evidence-of

--Mozilla Releases Firefox 55 (August 10, 2017)

Mozilla has updated Firefox to version 55. The newest version of the browser incorporates fixes for three critical flaws: one code execution vulnerability, and two use-after-free vulnerabilities. The update addresses 29 security issues in all. Firefox 55 is the first version of the browser to have click-to-activate for Flash turned on by default.

[Editor Comments]
[Northcutt] I will check again in the morning, but right now my MacOS Firefox says it is up to date with 54.0.1 from June 29, 2017. The Firefox release notes say it was available August 8, 2017:
https://www.mozilla.org/en-US/firefox/55.0/releasenotes/

Read more in:
SC Magazine: Mozilla Firefox patches 29 vulnerabilities
https://www.scmagazine.com/firefox-update-patches-29-vulnerabilities-5-critical/article/681165/
Threatpost: Mozilla Fixes 29 Vulnerabilities in Firefox, Makes Flash Click-to-Activate
https://threatpost.com/mozilla-fixes-29-vulnerabilities-in-firefox-makes-flash-click-to-activate/127338/

--Microsoft to Distrust StartCom and WoSign Certificates (August 8 & 10, 2017)

Microsoft has announced that its Internet Explorer and Edge browsers will start distrusting digital certificates from Chinese certificate authorities WoSign and StartCom in September. Microsoft joins Apple, Google, and Mozilla, which have all banned the certificates in their browsers.

[Editor Comments]
[Pescatore] The browser vendors bundle in automatic trust for dozens of root and intermediate certification authorities (CAs). Since the CA industry has shown no ability to police itself, the browser vendors need to continue to raise the bar on CA practices to earn that trust.

Read more in:
The Register: Microsoft bins unloved Chinese cert shops
http://www.theregister.co.uk/2017/08/10/microsoft_windows_10_will_not_recognise_chinese_cas_wosign_and_startcom/
ZDNet: Microsoft dumps notorious Chinese secure certificate vendor
http://www.zdnet.com/article/microsoft-dumps-notorious-chinese-secure-certificate-vendor/
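A check a practitioner would want after reading this item: which of our own TLS endpoints still chain to WoSign or StartCom, and will Windows keep accepting them after the change? The script below is an added example, not code from the newsletter, from Microsoft or from any browser vendor. It works on the text that `openssl x509 -noout -subject -issuer -dates` prints for each certificate in a served chain, so it runs offline with the standard library only. The cutoff day (the item says only "September"), the O= strings used to recognise the two CAs, and the sample chains are all assumptions made for the example.

```python
"""Flag TLS chains that depend on the distrusted WoSign and StartCom CAs.

Added example for this NewsBites item; not code from the newsletter,
Microsoft or any browser vendor. Input is the text printed by
`openssl x509 -noout -subject -issuer -dates` for each certificate.
"""
from datetime import datetime

# O= values of the distrusted CAs as they appear in the roots' subjects.
# Assumption: spellings as found in a typical trust store; add any rebranded
# or cross-signed variants you actually encounter.
DISTRUSTED_CA_ORGS = {"WoSign CA Limited", "StartCom Ltd."}

# Microsoft's announcement (linked in the Tech Corner) says Windows 10 will not
# trust new certificates from these CAs after September 2017; the exact day is
# an assumption and is kept as a parameter.
DEFAULT_CUTOFF = datetime(2017, 9, 30)

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Oct 12 00:00:00 2017 GMT"


def parse_dn(dn):
    """Turn 'C = CN, O = WoSign CA Limited, CN = ...' into a dict.

    openssl's default -nameopt separates attributes with ', '; a value that
    itself contains a comma is not handled (rare for CA names).
    """
    attrs = {}
    for part in dn.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_openssl_text(text):
    """Parse the subject=, issuer=, notBefore= and notAfter= lines of one cert."""
    cert = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("subject", "issuer"):
            cert[key] = parse_dn(value)
        elif key in ("notBefore", "notAfter"):
            cert[key] = datetime.strptime(value, OPENSSL_DATE)
    return cert


def audit_chain(chain_texts, cutoff=DEFAULT_CUTOFF):
    """Return findings for one chain given leaf first, or [] if unaffected.

    A chain is affected if any certificate in it is, or was issued by, one of
    the distrusted CAs. For an affected chain the leaf's notBefore decides
    whether Windows still accepts it (issued on or before the cutoff, trusted
    until expiry) or rejects it outright (issued after the cutoff).
    """
    chain = [parse_openssl_text(t) for t in chain_texts]
    findings = []
    for depth, cert in enumerate(chain):
        issuer_org = cert["issuer"].get("O", "")
        subject_org = cert["subject"].get("O", "")
        if issuer_org in DISTRUSTED_CA_ORGS or subject_org in DISTRUSTED_CA_ORGS:
            findings.append(
                f"depth {depth}: {cert['subject'].get('CN', '?')} "
                f"issued by {cert['issuer'].get('CN', '?')} (O={issuer_org})"
            )
    if not findings:
        return []
    leaf = chain[0]
    if leaf["notBefore"] > cutoff:
        findings.append("leaf issued after cutoff: not trusted by Windows 10, Edge or IE")
    else:
        findings.append(
            f"leaf issued before cutoff: Windows trusts it until "
            f"{leaf['notAfter']:%Y-%m-%d}; the other browsers already reject it, "
            "so replace it now"
        )
    return findings


# Constructed sample input (not real certificates; CA names are illustrative).
# openssl s_client usually omits the root, so each chain is leaf + intermediate.
WOSIGN_INTERMEDIATE = """\
subject=C = CN, O = WoSign CA Limited, CN = WoSign Example DV Server CA
issuer=C = CN, O = WoSign CA Limited, CN = Certification Authority of WoSign
notBefore=Aug 08 01:00:05 2014 GMT
notAfter=Aug 08 01:00:05 2029 GMT"""

WOSIGN_LEAF_NEW = """\
subject=C = CN, O = Example Shop Ltd, CN = shop.example.com
issuer=C = CN, O = WoSign CA Limited, CN = WoSign Example DV Server CA
notBefore=Oct 12 00:00:00 2017 GMT
notAfter=Oct 12 23:59:59 2018 GMT"""

WOSIGN_LEAF_OLD = (WOSIGN_LEAF_NEW
                   .replace("Oct 12 00:00:00 2017", "Mar 01 00:00:00 2017")
                   .replace("Oct 12 23:59:59 2018", "Mar 01 23:59:59 2018"))

CLEAN_CHAIN = ["""\
subject=C = US, O = Example Corp, CN = www.example.org
issuer=C = US, O = Example Trust Services, CN = Example Trust TLS CA
notBefore=Jan 15 00:00:00 2017 GMT
notAfter=Jan 15 23:59:59 2019 GMT""", """\
subject=C = US, O = Example Trust Services, CN = Example Trust TLS CA
issuer=C = US, O = Example Trust Services, CN = Example Trust Root CA
notBefore=Jan 01 00:00:00 2010 GMT
notAfter=Jan 01 00:00:00 2030 GMT"""]

if __name__ == "__main__":
    for name, chain in (("new WoSign leaf", [WOSIGN_LEAF_NEW, WOSIGN_INTERMEDIATE]),
                        ("old WoSign leaf", [WOSIGN_LEAF_OLD, WOSIGN_INTERMEDIATE]),
                        ("clean chain", CLEAN_CHAIN)):
        print(name, "->", audit_chain(chain) or "unaffected")
```

To feed it real data, capture a server's chain with `openssl s_client -connect host:443 -showcerts </dev/null`, split the output into its PEM blocks, and run each block through `openssl x509 -noout -subject -issuer -dates`; pass the resulting text blocks, leaf first, to `audit_chain`. The check matches on the organisation name only, so it will not catch a distrusted root that was re-keyed or re-labelled under another name; compare against the actual fingerprints your trust store removes when you need certainty.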

--Salesforce Fires Two Security Engineers Over DEF CON Talk (August 9, 2017)

Salesforce fired two senior "red team" security engineers after they gave a talk about an internal IT defense testing tool at DEF CON. Salesforce executives and the company's legal team had signed off on the talk earlier this year, but less than an hour before the talk, an executive sent the presenters a text telling them not to announce the public release of the tool's code.

[Editor Comments]
[Williams] The name of the tool released, while an anagram of metasploit, was also a potentially offensive slang term. Salesforce management likely didn't realize the slang meaning when they signed off and may have balked when they realized what the tool name meant. The episode is unfortunate in that the researchers were asked to pull a talk immediately before they were supposed to appear on stage. However, in infosec (as in most businesses), we represent the views of our employers. Salesforce reserved (and exercised) the right to pull the talk at the last minute, presumably because they wanted to avoid a PR fiasco. While they are now engaged in a new PR fiasco, this one is limited to the infosec community and probably won't cost them any business.
[Neely] An about face on presenting the topic less than an hour before a talk is not viable, particularly in a conference like DEF CON where your cell is safest in airplane mode due to spoofing or hacking risks. Fortunately, I'm hearing the engineers are not wanting for job offers.

Read more in:
Ars Technica: Salesforce "red team" members present tool at Defcon, get fired
https://arstechnica.com/gadgets/2017/08/salesforce-fires-two-security-team-members-for-presenting-at-defcon/
The Register: Salesforce sacks two top security engineers for their DEF CON talk
http://www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engineers_after_defcon_talk/
ZDNet: Salesforce fires red team staffers who gave Defcon talk
http://www.zdnet.com/article/salesforce-fires-red-team-staffers-who-gave-defcon-talk/

INTERNET STORM CENTER TECH CORNER

Microsoft Updates

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+August+2017/22694/

Adobe Updates

https://helpx.adobe.com/security.html

Android Patches

https://source.android.com/security/bulletin/2017-08-01

How Are People Fooled By This? Email To Sign a Contract Provides Malware

https://isc.sans.edu/forums/diary/How+are+people+fooled+by+this+Email+to+sign+a+contract+provides+malware+instead/22696/

DirectDefense Accuses Carbon Black of Data Leak

https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/
https://www.directdefense.com/harvesting-cb-response-data-leaks-fun-profit/

Vulnerabilities in Solar Generation

https://horusscenario.com

Hunting Malicious npm Packages

https://duo.com/blog/hunting-malicious-npm-packages

Maldoc Analysis With ViperMonkey

https://isc.sans.edu/forums/diary/Maldoc+Analysis+with+ViperMonkey/22702/

Microsoft Joins Google/Mozilla in Banishing WoSign and StartCom From Trusted CA List

https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

SMS Touch App Leaking Messages

https://www.zscaler.com/blogs/research/mobile-app-wall-shame-sms-touch

Mac Adware Mughthesec

https://objective-see.com/blog/blog_0x20.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create