SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #39

May 17, 2016

TOP OF THE NEWS

Vietnamese Bank Stopped Fraudulent SWIFT Transfer
SWIFT Tells Users They're Responsible for Cybersecurity
Chrome to Replace Flash with HMTL5 for Default Media Player by End of Year

THE REST OF THE WEEK'S NEWS

Windows Defender Advanced Threat Protection (ATP)
Guilty Plea in Press Release Theft/Insider Trading Scheme
US Government Survey: Privacy Concerns Limiting Internet Financial Use
iOS Update
Japanese Teen Charged in School Website DDoS Case
GSA's 18F Tech Team Says Slack Configuration was Not a Breach
Nulled.io Breach
Number of Companies With Unpatched SAP Flaw Likely Higher than Initial Estimate

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************** Sponsored By Lancope **************************

Accelerate Incident Response with NetFlow Analysis - FREE DUMMIES eBOOK! Download our latest eBook to learn best practices for building an effective incident response team, process, and toolkit. In addition, learn how NetFlow analysis can accelerate incident response by delivering complete network visibility to discover, investigate, and counteract a wide variety of cyberattacks!
http://www.sans.org/info/185925

***************************************************************************

TRAINING UPDATE

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

- --SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

- --SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

- --SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

- --SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

- --Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Vietnamese Bank Stopped Fraudulent SWIFT Transfer (May 13 and 16, 2016)

A Vietnamese bank managed to stop a fraudulent transaction conducted through the SWIFT messaging system totaling more than US $1 million. Portions of the code used in the attacks on Tien Phong Bank and the Bangladesh Central Bank bears similarities to the code used in the attack against Sony Pictures in 2014.
-http://thehill.com/policy/cybersecurity/279999-vietnam-bank-thwarts-11m-cyberhei
st-using-swift-software
-http://www.scmagazine.com/vietnamese-bank-thwarts-hack-made-through-swift-messag
ing-system/article/496584/
-http://arstechnica.com/information-technology/2016/05/1b-bangladesh-hackers-impl
icated-in-attack-on-vietnamese-bank-sony-hack/
-http://www.computerworld.com/article/3070375/security/malware-attacks-on-two-ban
ks-have-links-with-2014-sony-pictures-hack.html
[Editor's Note (Murray): While most commercial banks, even community banks, will initiate "wire transfers" for their customers, most are not direct customers of SWIFT. Rather they work through correspondents who have more activity. Note that many of the "account takeovers" that we have seen have involved transactions that began on the domestic ACH network and then have gone through correspondents onto the international SWIFT network. At least some fraudulent transactions have been detected and stopped by these correspondent banks, including, notably, JPMorgan-Chase. ]

SWIFT Tells Users They're Responsible for Cybersecurity (May 12, 2016)

SWIFT has rejected allegations that it was responsible for the theft of US $81 million from the Bangladesh Bank. Officials at that bank maintained that SWIFT technicians created vulnerabilities when they connected the SWIFT messaging system to a real-time gross settlement system. In a May 3 letter, SWIFT told its users that they that they are responsible for the security of their own computers, noting "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks."
-http://www.reuters.com/article/us-bangladesh-heist-swift-idUSKCN0Y320K
-http://www.nbcnews.com/tech/security/financial-messaging-service-swift-says-bank
s-responsible-own-cybersecurity-n572631
[Editor's Note (Liston): Swift gives users encryption tools and certs for signing messages. If they get properly signed messages, they pass them along. If an organization loses control of their authentication process, SWIFT can't be responsible. (Murray): This should not come as a surprise to any SWIFT customer bank. SWIFT is not like the Federal Reserve System. SWIFT is a messaging system, not a bank. SWIFT's customers do not have funds on deposit with SWIFT; it is not a fiduciary. SWIFT is not a party to transactions or transfers. However, control of the bank's access to SWIFT enables one to send messages, transactions, to others in the bank's name; those transactions are routinely executed immediately and without any further authentication. The bank must limit the use of that access to authorized and intended purposes. SWIFT cannot do that. Nor can it undo transactions sent: that is between parties to the transactions. ]

Chrome to Replace Flash with HMTL5 for Default Media Player by End of Year (May 16, 2016)

Google's Chrome browser will default to HTML5 instead of Flash to play video and animation by the end of this calendar year. The change will affect all websites except for a whitelist of 10 popular sites, including Facebook, Amazon, YouTube, and Yahoo. Chrome will still ship with Flash; on sites where HTML5 is not available, users will be asked if they want to use Flash. Google has already said that Google Display Network and DoubleClick Digital Marketing will be exclusively HTML5 as of June 30, 2016.
-http://www.informationweek.com/software/enterprise-applications/google-ending-au
tomatic-chrome-support-for-flash/d/d-id/1325533
-http://www.computerworld.com/article/3070495/security/google-to-block-flash-by-d
efault-on-most-sites-for-chrome-users.html
-http://www.bbc.com/news/technology-36301904
-http://www.v3.co.uk/v3-uk/news/2458341/google-chrome-will-switch-off-flash-conte
nt-by-default
-https://docs.google.com/presentation/d/106_KLNJfwb9L-1hVVa4i29aw1YXUy9qFX-Ye4kvJ
j-4/edit#slide=id.p

---

************************** SPONSORED LINKS ********************************
1) Threat Advisor: Stop Ransomware Before It Starts - Download Now: http://www.sans.org/info/185930

2) Don't let a security breach harm customer trust. Learn how to protect your relationships with LifeLock. http://www.sans.org/info/185935

3) SECURITY WEBCAST: Thurs, 5/19 @ 2pm ET. Make Threat Monitoring More Effective to Lower Attacks. http://www.sans.org/info/185945
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Windows Defender Advanced Threat Protection (ATP) (May 16, 2016)

Microsoft has made the preview of its Windows Defender Advanced Threat Protection (ATP) available to all enterprise professionals. Until now, ATP has been tested by a group of companies by invitation only.
-http://www.computerworld.com/article/3071013/microsoft-windows/microsoft-expands
-preview-of-windows-10s-new-advanced-threat-service.html
[Editor's Note (Murray): Windows Defender is a welcome addition to our tool-box. However, it is a detective mechanism that operates late. One might prefer to resist APT-like attacks early, for example by (using Windows Active Directory) locking down desktops, keeping all enterprise data and sensitive applications on servers, and using end-to-end encryption even on internal networks. However, enterprises continue to resist this use preferring the convenience of open desktops and flat networks. While Windows Defender should certainly be considered in these more vulnerable environments, reliance on late detection assumes some tolerance for compromise and loss. ]

Guilty Plea in Press Release Theft/Insider Trading Scheme (May 16, 2016)

Vadym Iermolovych has pleaded guilty to charges of conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft for his role in a stock trading scheme that made more than US $30 million. In all, 32 people have been charged in connection with the scheme. Iermolovych admitted that he broke into newswire agencies and took press releases that had not yet been published; the group used the information to make stock trades.
-http://www.bbc.com/news/world-us-canada-36307306
-http://www.reuters.com/article/trading-cyber-plea-idUSL2N18D1GY
-http://www.theregister.co.uk/2016/05/17/insider_trading_hacker_pleads_guilty_in_
the_us/
-https://www.justice.gov/usao-nj/pr/ukrainian-hacker-admits-role-largest-known-co
mputer-hacking-and-securities-fraud-scheme
[Editor's Note (Williams): This is an interesting attack vector - organizations should consider what they are putting in their press releases and whether early release could impact company valuation. Most marketing and public relations department have never considered the impact that a hacking incident may have on their product, but this case highlights the threat. Infosec professionals should use this example to educate their stakeholders. ]

US Government Survey: Privacy Concerns Limiting Internet Financial Use (May 16, 2016)

Online privacy or security concerns have stopped millions of people in the United States from using the internet to pay bills, shop or post on social media, according to a large government survey. The data from the National Telecommunications and Information Administration (NTIA) found that 29 percent of homes surveyed had not conducted financial transactions online because of privacy or security concerns.
-https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-
deter-economic-and-other-online-activities
-http://thehill.com/policy/technology/280019-survey-security-concerns-keeping-som
e-from-engaging-online
[Editor's Note (Pescatore): This is actually a GOOD thing, showing consumers have a healthy fear of using the Internet for sensitive transactions. Companies making profit off of people using the Internet need to invest in making Internet use safer for consumers. Making it easier for consumers to use strong authentication, pressuring the browser/CA industry to make SSL and certificates provide meaningful site authentication and pressuring their ISPs to start raising the bar on malware and phishing are three areas on the top of my list. If the e-commerce industry does NOT make those kinds of investments, consumers should and will be careful in how much they do on the Internet. ]

iOS Update (May 16, 2016)

Apple has updated iOS to version 9.3.2. The newest version of the mobile operating system addresses dozens of vulnerabilities, including one that could be exploited through Siri to gain access to personal data on a device. The update also fixes several flaws that could be exploited to allow remote code execution.
-http://www.zdnet.com/article/apple-has-fixed-a-bug-that-let-hackers-bypass-iphon
e-lock-screen/
-http://arstechnica.com/apple/2016/05/ios-9-3-2-is-here-fixes-iphone-se-bluetooth
-problems-and-other-bugs/
-http://www.cnet.com/news/your-iphone-can-run-night-shift-and-low-power-mode-at-t
he-same-time-thanks-to-ios-9-3-2-update/
[Editor's Note (Williams): All who jailbreak, take note: there are several fixes for remotely exploitable vulnerabilities in this release. If you aren't updating, you remain vulnerable. For their part, Apple could discourage jailbreaks by allowing tethering apps - one of the main reasons people jailbreak. ]

Japanese Teen Charged in School Website DDoS Case (May 16, 2016)

A Japanese teenager has been charged for allegedly launching a distributed denial-of-service (DDoS) attack that rendered 444 school websites unavailable. For the alleged offenses, the teenager faces up to three years in prison and a fine of 500,000 yen (US $4,600).
-http://www.scmagazine.com/japanese-teen-launches-massive-ddos-attack-to-remind-t
eachers-they-are-incompetent/article/496756/
[Editor's Note (Liston): His goal was to prove that his teachers are "incompetent" and he chose a DDoS attack? That's like "proving" da Vinci was a lousy painter by spray painting over the Mona Lisa. ]

GSA's 18F Tech Team Says Slack Configuration was Not a Breach (May 13, 2016)

The US General Services Administration's (GSA's) 18F tech team has been called out by the agency's inspector general over its use of the Slack messaging app, saying that they way it was configured may have exposed GSA Google Drive accounts to unauthorized access. The inspector called the situation a data breach. 18F disagreed, saying the "integration was a mistake, but the consequences were not a data breach."
-http://federalnewsradio.com/agency-oversight/2016/05/gsas-18f-exposes-data-using
-popular-social-media-tool/
-https://fcw.com/articles/2016/05/13/slack-security-18f.aspx
-http://www.nextgov.com/cio-briefing/2016/05/18f-slack-incident-wasnt-data-breach
/128341/?oref=ng-HPtopstory

Nulled.io Breach (May 13 and 16, 2016)

Underground stolen data market Nulled.io was the victim of a data breach. The data thief took a 1.3 GB archive that held 9.45 GB of compressed data. The compromised information includes details of more than 500,000 user accounts; transaction information; and personal messages, purchase records, and invoices.
-http://www.scmagazine.com/hacker-doxes-nulled-cybercrime-forum-exposes-data-on-5
36000-user-accounts/article/496755/
-http://arstechnica.com/security/2016/05/breach-of-nulled-io-crime-forum-could-ca
use-a-world-of-pain-for-members/
-http://www.zdnet.com/article/nulled-oi-hacking-forum-data-breach-exposes-attacke
rs-in-the-shadows/

Number of Companies With Unpatched SAP Flaw Likely Higher than Initial Estimate (May 13, 2016)

The number of organizations with systems vulnerable to a SAP flaw that was patched in 2010 is likely to be considerably higher than the initial estimate of 36, according to the company that first detected the issue. Fixing the misconfiguration problem in the Invoker Servlet can be complicated.
-http://www.theregister.co.uk/2016/05/13/sap_six_year_unpatched_bug_analysis/

---

INTERNET STORM CENTER TECH CORNER

Python Malware
-https://isc.sans.edu/forums/diary/Python+Malware+Part+1/21057/

Ubiquity AirOS Worm
-http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/
td-p/1562940

Google Chrome Update
-http://www.theregister.co.uk/2016/05/13/google_crushes_five_vulns_with_patch_run
_and_20k_in_bug_bounties/

Microsoft Releases Windows 10 Security Auditing And Monitoring Reference
-https://www.microsoft.com/en-us/download/details.aspx?id=52630

419 Death Scams Still Going Around
-https://isc.sans.edu/forums/diary/An+oldie+but+a+goodie+419+Death+Scam/21061/

Flash Zero Day Details
-https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-da
y.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/