SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #50

June 24, 2016

TOP OF THE NEWS

US Federal Reserve Considers Strengthening Security Measures
Apple Blocks Older Versions of Flash Plug-in in Safari
GAO Audit: Agencies View Foreign Governments as Most Severe Cyberthreat

THE REST OF THE WEEK'S NEWS

Swagger Code Generator Vulnerability
Carbonite Passwords Reset After Suspected Reuse Attack
Libarchive Vulnerabilities
iOS 10 Beta Kernel Not Encrypted
Supreme Court Decision May Support Microsoft's Position in Ireland Server Data Case
InMobi to Pay FTC Fine of Nearly US $1 Million for Unauthorized Tracking
Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant
US Naval Academy Cybersecurity Major
Apple Fixes Flaw in AirPort Routers

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

****************** Sponsored by Trend Micro Inc. *************************

Business Email Compromise or CEO Fraud costs an average of $130,000 in fraudulent payments, learn more about this major threat from Trend Micro threat researchers:
http://blog.trendmicro.com/trendlabs-security-intelligence/company-cfos-targeted
-bec-schemes/?cm_mmc=Newsletter-_-Sans-_-Blog+Post-_-Targeted+Attacks

***************************************************************************

TRAINING UPDATE

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | https://www.sans.org/event/salt-lake-city-2016

--MGT 433 at SANS London Summer 2016| London, UK | July 7-8 | https://www.sans.org/event/mgt433-at-sans-london-summer-2016

--SANS London Summer 2016| London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016

--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016

--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | August 22-27, 2016 | Anchorage, AK | https://www.sans.org/event/alaska-2016

***************************************************************************

---

TOP OF THE NEWS

US Federal Reserve Considers Strengthening Security Measures (June 22, 2016)

US Federal Reserve (Fed) chair Janet Yellen told legislators that the Fed may implement "enhanced monitoring" for certain transactions after thieves stole US $81 million from the Bangladesh central bank. During the House Financial Services Committee meeting, Yellen noted that the Fed's systems were not compromised.

[Editor Comments ]
(Pescatore): The OIG at the Federal Reserve said earlier that they would be auditing the Fed's performance in overseeing cybersecurity at financial institutions, with a report to be published in 4Q16. Since lack of basic security hygiene was the root cause for the Bangladeshi bank theft, it would be good for the OIG to focus on those practices. In June of 2015, the FFIEC released a Cybersecurity Assessment Tool for banks that essentially allowed them to gauge the maturity of their cybersecurity programs. I'd like to see a comparison of those claiming mature programs but lacking basic security hygiene - all too often that is the case.
(Murray): Most transactions are part of a continuing relationship; computers are very good at identifying these. Fraudulent transactions look different. The Chase has a record of being able to identify them without slowing down the routine transactions. This "enhancement" may simply be changing the rules of controls already in place.
Read more in:
The Hill: Fed weighs enhanced scrutiny on transfers after $81M cyberheist
-http://thehill.com/business-a-lobbying/284505-fed-weighs-enhanced-scrutiny-on-tr
ansfers-after-81m-cyberheist

Apple Blocks Older Versions of Flash Plug-in in Safari (June 21, 2016)

Apple has said that it will block outdated versions of Adobe's Flash Player plug-in. Safari users running older versions of Flash will see a message warning them that the plug-in is outdated. They will have the option of downloading the most recent version. Other major browsers are taking steps to limit Flash as well.

[Editor Comments ]
(Northcutt): This is very sensible and there is no evidence of this being corporate sparring. I do wish Apple would fine-tune their messaging to the end user. Apple's support site says, "f you're using an out-of-date version of the Adobe Flash Player plug-in, you may see the message "Blocked plug-in," "Flash Security Alert," or "Flash out-of-date" when attempting to view Flash content in Safari." It would be far better to have only one well written message, may I suggest, "Security Alert, Flash is out-of-date".
Read more in:
CNET: Apple blocks outdated versions of Adobe Flash
-http://www.cnet.com/news/apple-blocks-outdated-versions-of-adobe-flash/
Softpedia: Apple Disables Old Flash Player Versions Due to Security Vulnerabilities
-http://news.softpedia.com/news/apple-disables-old-flash-player-versions-due-to-s
ecurity-vulnerabilities-505476.shtml
Apple: Adobe Flash Player updates available for OS X on June 20, 2016
-https://support.apple.com/en-us/HT202681

GAO Audit: Agencies View Foreign Governments as Most Severe Cyberthreat (June 21, 2016)

According to information gathered by the Government Accountability Office (GAO), the most frequent and most serious attacks against agency systems come from nation states.

[Editor Comments ]

Read more in:
Nextgov: Foreign Government Hackers are the Gravest and Most Common Threat, Agencies Say
-http://www.nextgov.com/cybersecurity/2016/06/foreign-government-hackers-are-grav
est-and-most-common-threat-agencies-say/129280/?oref=ng-channelriver
GAO: INFORMATION SECURITY: Agencies Need to Improve Controls over Selected High-Impact Systems
-http://www.gao.gov/products/GAO-16-501

---

*************************** SPONSORED LINKS *****************************
1) JUST RELEASED: The State of Bug Bounty Report 2016. Get your copy: https://pages.bugcrowd.com/2016-state-of-bug-bounty-report?utm_campaign=20160608
%20-%20State%20of%20Bug%20Bounty%202016&utm_content=Newsletter&utm_mediu
m=demandgen&utm_source=SANS

2) Watch this webinar and learn how to achieve a new level of security for your Office 365 deployment. https://www.brighttalk.com/webcast/13361/201387?cid=70138000000eMqdAAE&mc=19
9237&ot=wc&tt=tp

3) Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! www.surveymonkey.com/r/2016SANSCloudSecuritySurvey
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Swagger Code Generator Vulnerability (June 23, 2016)

A severe flaw in a code generator for the Swagger OpenAPI specification could be exploited to execute code remotely. The issue is known to affect the NodeJS, PHP, Ruby, and Java programming languages. Until maintainers patch the code generators, users are being urged to "carefully inspect Swagger documents for language-specific escape sequences."

[Editor Comments ]
(Williams): These articles make the vulnerability sound more widespread than it is. Only applications *actively using* the Swagger library appear to be at risk. That's the good news. The bad news is that for those vulnerable applications the result is code execution on the vulnerable server - a much more serious vulnerability class than the XSS and SQL injection we usually see.
Read more in:
SC Magazine: Code generator for Swagger spec vulnerable to remote code execution
-http://www.scmagazine.com/code-generator-for-swagger-spec-vulnerable-to-remote-c
ode-execution/article/505216/
ZDNet: Severe Swagger vulnerability compromises NodeJS, PHP, Java
-http://www.zdnet.com/article/severe-swagger-vulnerability-compromises-nodejs-php
-java/
Rapid7 Blog: R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote
-code-execution-via-swagger-parameter-injection-cve-2016-5641

Carbonite Passwords Reset After Suspected Reuse Attack (June 22 and 23, 2016)

Backup service provider Carbonite has reset all user passwords after detecting what is likely another password reuse attack: password and username combinations stolen elsewhere are being used to access accounts. Other companies, including GitHub, GoToMyPC, and LogMeIn, have recently reported similar attacks.

[Editor Comments ]

Read more in:
SecurityWeek: Online Backup Firm Carbonite Hit by Password Reuse Attack
-http://www.securityweek.com/online-backup-firm-carbonite-hit-password-reuse-atta
ck
SC Magazine: Carbonite resets passwords after attackers target user accounts
-http://www.scmagazine.com/carbonite-resets-passwords-after-attackers-target-user
-accounts/article/505241/

Libarchive Vulnerabilities (June 21, 22 and 23, 2016)

Researchers at Cisco Talos have found three input validation security issues in the way Libarchive open-source compression library handles 7zip files, mtree files, and Rar files. Libarchive was initially created for FreeBSD, but has since been ported to all major operating systems. The libarchive maintainers have released patches, but it may take awhile for the fixes to be applied to all affected projects.

[Editor Comments ]
(Williams): Of the three vulnerabilities, the 7-zip vulnerability is by far the most serious while the other two should be mitigated on any modern OS by stack canaries and safe unlinking. Even when libarchive is patched on affected systems, many applications have libarchive compiled in as a static library and will continue to be vulnerable. Organizations should consider limiting the processing of 7-zip files in applications that have not been patched.
(Liston) : Poorly coded input validation rears it's ugly head once again. The bad thing about flaws in libraries is the "collateral damage" - all the applications that use the library become vulnerable. This one is particularly bad because it's used by SO many different things.
Read more in:
The Register: Libarchive needs patching again
-http://www.theregister.co.uk/2016/06/23/libarchive_needs_patching_again/
Computerworld: Severe flaws in widely used archive library put many projects at risk
-http://www.computerworld.com/article/3087351/security/severe-flaws-in-widely-use
d-archive-library-put-many-projects-at-risk.html
SC Magazine: Severe flaws detected in popular compression library
-http://www.scmagazine.com/severe-flaws-detected-in-popular-compression-library/a
rticle/505066/
Talos Blog: The Poisoned Archives
-http://blog.talosintel.com/2016/06/the-poisoned-archives.html

iOS 10 Beta Kernel Not Encrypted (June 21 & 23, 2016)

Apple recently released the beta version of iOS 10 in which the kernel is not encrypted. Despite speculation that the decision not to encrypt the kernel was made to encourage people to find and report bugs, Apple said that the decision was made to improve performance.

[Editor Comments ]
(Williams): Even if this for performance reasons, the net result is positive for security researchers. Making the kernel easier to inspect has the side effect of making it easier for researchers to locate any backdoor code that might be included in iOS to comply with a secret court ruling. Some researchers have listed this as a very real concern after the recent legal battles between Apple and the IC.
Read more in:
Ars Technica: iOS 10 beta still encrypts user data, but not the kernel
-http://arstechnica.com/apple/2016/06/ios-10-beta-still-encrypts-user-data-but-no
t-the-kernel/
ZDNet: Apple deliberately left iOS 10 kernel unencrypted
-http://www.zdnet.com/article/apple-deliberately-left-ios-10-kernel-unencrypted/
MIT Technology Review: Apple Opens Up iPhone Code in What Could Be Savvy Strategy or Security Screwup
-https://www.technologyreview.com/s/601748/apple-opens-up-iphone-code-in-what-cou
ld-be-savvy-strategy-or-security-screwup/
MIT Technology Review: Apple Now Says It Meant to Open Up iPhone Code
-https://www.technologyreview.com/s/601762/apple-now-says-it-meant-to-open-up-iph
one-code/

Supreme Court Decision May Support Microsoft's Position in Ireland Server Data Case (June 22, 2016)

In a decision released earlier this week, the US Supreme Court wrote, "absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application." The ruling was made in a RICO (Racketeer Influences and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft's position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to "reach private emails stored on provider's computers in foreign countries."

[Editor Comments ]
(Murray): In the event of conflicting laws, security professionals should prefer those of the local jurisdiction. This common guidance, though not legal opinion, recognizes the kind of dilemma confronting Microsoft in particular and International companies in general. Some companies, IBM for example, have done business through wholly owned but locally chartered and managed subsidiaries. However, this strategy is stressed by Internet enabled business models that blur where the business occurs.
Read more in: Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case
-http://www.computerworld.com/article/3086839/security/microsoft-invokes-supreme-
court-opinion-in-ireland-email-case.html

InMobi to Pay FTC Fine of Nearly US $1 Million for Unauthorized Tracking (June 22, 2016)

The US Federal Trade Commission (FTC) has fined mobile advertisement company InMobi US $950,000 for ignoring users' privacy settings on their phones and tracking their locations to serve targeted advertisements. InMobi also tracked children's locations without parents' permission, a violation of the US Children's Online Privacy Protection Act. InMobi has agreed to the fine. The terms of the settlement also call for InMobi to delete all data collected from children and to implement a privacy program that will be audited by a third party every two years for the next 20 years.

[Editor Comments ]
(Pescatore): Usual kudos to the FTC for using existing legislation to drive companies to enforce their stated privacy and security practices. I'd like to hear Apple App Store and Google Play update their testing procedures to detect when apps are not obeying user selected privacy settings - seems like the WiFi State and Captive Network calls in Android and iOS should have been pretty easy for tools to detect.
Read more in:
Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users
-http://arstechnica.com/tech-policy/2016/06/advertiser-that-tracked-100-million-p
hone-users-without-consent-pays-950000/
Computerworld: Mobile advertiser tracked users' locations without their consent, FTC alleges
-http://www.computerworld.com/article/3087495/security/mobile-advertiser-tracked-
users-locations-without-their-consent-ftc-alleges.html
FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers' Locations Without Permission
-https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-networ
k-inmobi-settles-ftc-charges-it-tracked

Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant (June 22, 2016)

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searchers of people's browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it.
Read more in:
CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories
-http://www.cnet.com/news/senate-nixes-plan-for-warrantless-fbi-searches-of-inter
net-browsing-histories/
ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories
-http://www.zdnet.com/article/senate-rejects-fbi-bid-for-warrantless-access-to-in
ternet-browsing-histories/
Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order
-https://www.washingtonpost.com/news/powerpost/wp/2016/06/22/after-orlando-senate
-bill-seeks-to-allow-fbi-web-searches-without-court-order/

US Naval Academy Cybersecurity Major (June 21, 2016)

The US Naval Academy's class of 2015 was the first graduating class with the opportunity to select a cybersecurity major. Twenty-seven students graduated in the cybersecurity major last year, and those graduates represent "every community in the service, from Navy SEALs to submariners to Marines." The first two years of the major involve technical classes; the later years focus on cybersecurity, policy, and legal and ethical issues. The class of 2015 was also the first in which every Naval Academy student was required to take two cybersecurity classes.
Read more in:
Federal News Radio: Naval Academy grads spread cyber awareness servicewide
-http://federalnewsradio.com/cyber-skills-training-month/2016/06/naval-academy-gr
ads-spread-cyber-awareness-servicewide/

Apple Fixes Flaw in AirPort Routers (June 21, 2016)

Apple has released a firmware update for certain AirPort routers to address a DNS parsing flaw. Details of the flaw are vague: Apple said only that attackers could potentially cause arbitrary code execution due to a memory corruption issue. The firmware upgrade affects 802.11n Airport Express, Extreme, and Time Capsule base stations; and 802.11ac AirPort Extreme and Time Capsule.

[Editor Comments ]
Pescatore - In this day and age, I'd much rather just see all browsers auto-update every plug-in. But if that can't happen, having insecure plugins cause the "CHECK ENGINE" light to glow, or act as the "You can't shift into DRIVE until you put your foot on the brake" equivalent is appropriate.
Read more in:
The Register: AirPort owners: Apple's patched a mystery vuln
-http://www.theregister.co.uk/2016/06/21/airport_owners_apples_patched_a_mystery_
vuln/
Apple: APPLE-SA-2016-06-20-1 AirPort Base Station Firmware Update 7.6.7 and 7.7.7
-http://prod.lists.apple.com/archives/security-announce/2016/Jun/msg00000.html

---

INTERNET STORM CENTER TECH CORNER

BitCoin Phishing With Typo Squatting Domains
-http://blog.cyren.com/articles/2016-Q2_bitcoin-phishing-via-google-adwords.html

Google Attempting to Simplify 2 Factor Authentication
-http://googleappsupdates.blogspot.co.uk/2016/06/new-settings-for-2-step-verifica
tion.html

Deobfuscating Java Code
-https://isc.sans.edu/forums/diary/Security+through+obscurity+never+works/21187/

Microsoft Updates SEAL
-http://research.microsoft.com/en-us/people/kilai/v2.0-beta.pdf

Cisco Releases Pidgin Vulnerabilities
-http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create