
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #70

September 02, 2016

TOP OF THE NEWS

SWIFT Warns Member Banks of More Attacks
Dropbox Breach May Affect 68 Million Accounts
Fifty-two Month Sentence for Account Breaches

THE REST OF THE WEEK'S NEWS

Kimpton Hotels Acknowledges Breach
With Chrome 53, Google Blocks Flash Analytics
Apple Patches Flaws in OS X and Safari Against Pegasus Spyware
New York DMV Uses Facial Recognition Software to Thwart Identity Fraud
Adobe Releases Hotfixes for Critical ColdFusion Flaw
Microsoft Warns of JavaScript Malware that Alters Browser Proxy Server Settings
FTC: Rental Cars Could Leak Personal Data
NIST Digital Authentication Guidance Revised Draft

INTERNET STORM CENTER TECH CORNER


************************ Sponsored By SANS *****************************

Register today for the SANS Security Leadership Summit & Training, September 27-October 4, in Dallas, TX. Attend two days of talks and discussions focused on effectively leading a team responsible for protecting your organization from ever-evolving threats. Following the Summit, take a world-class SANS course taught by real-world practitioners and leading information security experts.
http://www.sans.org/info/188427

***************************************************************************

TRAINING UPDATE

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 |
https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 |
https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016

***************************************************************************

TOP OF THE NEWS

SWIFT Warns Member Banks of More Attacks (August 31, 2016)

In February 2016, attackers stole US $81 million from Bangladesh Bank. In a letter to its clients earlier this week, global financial messaging system SWIFT disclosed that there have been more attacks, some successful, against member banks and urged them to adopt strong security measures.

Read more in: Reuters: Exclusive: SWIFT discloses more cyber thefts, pressures banks on security
-http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C
The Register: More banks plundered through SWIFT attacks
-http://www.theregister.co.uk/2016/08/31/swift_reuters/
Computerworld: SWIFT: More banks hacked; persistent, sophisticated threat is here to stay
-http://www.computerworld.com/article/3114337/security/swift-more-banks-hacked-persistent-sophisticated-threat-is-here-to-stay.html

The Hill: Report: More SWIFT banks robbed
-http://thehill.com/business-a-lobbying/293931-report-more-swift-banks-robbed
SC Magazine: SWIFT warns of new attacks, pushes for security upgrades
-http://www.scmagazine.com/swift-warns-of-new-attacks-pushes-for-security-upgrades/article/519774/

Dropbox Breach May Affect 68 Million Accounts (August 31, 2016)

Dropbox has urged users whose accounts date back before the middle of 2012 to change their passwords. The issue dates back to a 2012 breach; at that time, it was believed that just email addresses were accessed. Now it appears that passwords were compromised as well.

Read more in: Ars Technica: Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts
-http://arstechnica.com/security/2016/08/dropbox-hackers-stole-email-addresses-hashed-passwords-68m-accounts/

CNET: Dropbox hack leaks more than 60 million usernames and passwords
-http://www.cnet.com/news/dropbox-hack-leaks-more-than-60-million-usernames-and-passwords/

Wired: Hack Brief: 4-year-old Dropbox hack exposed 68 million people's data
-https://www.wired.com/2016/08/hack-brief-four-year-old-dropbox-hack-exposed-68-million-peoples-data/

Fifty-two Month Sentence for Account Breaches (September 1, 2016)

Marcel Lehel Lazar has been sentenced to 52 months in prison for breaking into Internet accounts of US citizens, including those of some government officials. Lazar was extradited from Romania to the US in March 2016 and in May pleaded guilty to charges of unauthorized access to a protected computer and aggravated identity theft. Prior to his extradition, Lazar was serving a seven-year sentence for similar offenses in Romania.

Read more in: Computerworld: Romanian hacker Guccifer gets 52 months in prison
-http://www.computerworld.com/article/3115264/security/romanian-hacker-guccifer-gets-52-months-in-prison.html

BBC: Hacker 'Guccifer' jailed for four years
-http://www.bbc.com/news/world-us-canada-37250907
Dept. of Justice: May 25, 2016: Romanian Hacker Pleads Guilty to Computer Hacking Crimes
-https://www.justice.gov/usao-edva/pr/romanian-hacker-guccifer-pleads-guilty-computer-hacking-crimes



*************************** SPONSORED LINKS *****************************
1) Attend the SANS Security Leadership Summit & Training, September 27 - October 4, in Dallas! http://www.sans.org/info/188432

2) Hardening Microservices Security: Building a Layered Defense Strategy Wednesday, September 21st, 2016 at 1:00 PM. Register: http://www.sans.org/info/188437

3) Security practitioners are hearing more about threat intelligence (TI). But what exactly is it, and how can TI be effectively deployed? Register: http://www.sans.org/info/188442
***************************************************************************

THE REST OF THE WEEK'S NEWS

Kimpton Hotels Acknowledges Breach (August 31 and September 1, 2016)

Kimpton Hotels has posted a notice to its website acknowledging a security breach that affected payment terminals at some of its properties. Attackers appear to have had access to the payment systems between February 16, 2016 and July 7, 2016. Customers who used payment cards at certain Kimpton front desks and restaurants may be affected by the breach. Kimpton has provided a list of properties where terminals were compromised.

Read more in: KrebsonSecurity: Kimpton Hotels Acknowledges Data Breach
-http://krebsonsecurity.com/2016/09/kimpton-hotels-acknowledges-data-breach/
Kimpton: Payment Card Notification
-https://www.kimptonhotels.com/promos/payment-card-notification

With Chrome 53, Google Blocks Flash Analytics (September 1, 2016)

Google has released version 53 of its Chrome browser to address 33 security issues. The browser continues its move away from Flash and toward HTML5-based technology. While Chrome still ships with the Flash Player plugin for the time being, it does not allow Flash to run in the background for page analytics. Google says users can expect faster page loads for most websites and improved battery life as a result. Chrome 53 is available for Linux, Mac, and Windows.

Read more in: ZDNet: Google Chrome starts blocking Flash tracking for better battery life and performance
-http://www.zdnet.com/article/google-chrome-starts-blocking-flash-tracking-for-better-battery-life-and-performance/

Apple Patches Flaws in OS X and Safari Against Pegasus Spyware (September 1, 2016)

Apple has released a critical security update for OS X and Safari to fix vulnerabilities that were initially detected and patched in devices running iOS. The flaws have since been found in Apple's desktop products as well. They could be exploited by Pegasus spyware to monitor activity on affected devices.

[Editor Comments]
(Ullrich) No surprise that OS X and Safari are vulnerable as well, given the substantial overlap between iOS and OS X, in particular with WebKit, the "engine" behind Safari. With the exploit already written for iOS, it is likely that one is available for OS X as well.

Read more in: The Register: Patch now: Apple emits fix for Pegasus spyware bugs in OS X, Safari
-http://www.theregister.co.uk/2016/09/02/macos_safari_security_update/
CNET: Apple Releases OS X patch for spyware exploit
-http://www.cnet.com/news/apple-releases-os-x-patch-for-spyware-exploit/
Ars Technica: New OS X security updates patch same zero-days as iOS 9.3.5
-http://arstechnica.com/apple/2016/09/new-os-x-security-updates-patch-same-zero-days-as-ios-9-3-5/

Apple: About the security content of Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
-https://support.apple.com/en-ca/HT207130

New York DMV Uses Facial Recognition Software to Thwart Identity Fraud (August 31, 2016)

New York's Department of Motor Vehicles has been using facial recognition technology since 2008. It has helped authorities catch people who were using false information to obtain driver's licenses, in some cases attempting to assume someone else's identity. When the program was piloted, it measured 32 points on people's faces. The most recent upgrade, launched in January 2016, measures 128 points and has led to 100 arrests and 900 open cases.

Read more in: GCN: Facial recognition tech nabs ID fraudsters
-https://gcn.com/articles/2016/08/31/ny-dmv-facial-recognition.aspx?admgarea=TC_SecCybersSec

Adobe Releases Hotfixes for Critical ColdFusion Flaw (August 31, 2016)

Adobe has released hotfixes to address a critical information disclosure flaw in its ColdFusion application server. The issue affects ColdFusion versions 10 and 11, but not the ColdFusion 2016 release. Administrators should upgrade to version 10 update 21 or version 11 update 10. The flaw lies in the parsing of crafted XML entities.

Read more in: Computerworld: Adobe patches critical vulnerability in ColdFusion application server
-http://www.computerworld.com/article/3114193/security/adobe-patches-critical-vulnerability-in-coldfusion-application-server.html

SC Magazine: Adobe issued hotfix for critical information disclosure vulnerability in ColdFusion
-http://www.scmagazine.com/adobe-issued-hotfix-for-critical-information-disclosure-vulnerability-in-coldfusion/article/519428/

Adobe Advisory: Hotfixes available for ColdFusion
-https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html

Microsoft Warns of JavaScript Malware that Alters Browser Proxy Server Settings (August 30 and 31, 2016)

In a Technet blog post, Microsoft warns of malicious JavaScript code that arrives embedded as an object in a .doc attachment. If users click on the embedded object, the JavaScript code executes and in turn drops and executes PowerShell scripts. These scripts deploy a root certificate that allows attackers to monitor HTTPS traffic, and install a client that connects the computer to the Tor network, over which a file that reconfigures the browser's proxy settings is served.

Read more in: V3: Microsoft warns about new wave of Word macro viruses
-http://www.v3.co.uk/v3-uk/news/2469361/microsoft-warns-about-new-wave-of-word-macro-viruses

Computerworld: Attackers use rogue proxies to hijack HTTPS traffic
-http://www.computerworld.com/article/3113693/security/attackers-use-rogue-proxies-to-hijack-https-traffic.html

Microsoft Technet: Double-click me not: Malicious proxy settings in Embedded Script
-https://blogs.technet.microsoft.com/mmpc/2016/08/29/double-click-me-not-malicious-proxy-settings-in-ole-embedded-script/
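
The item above describes three host artifacts a defender can look for after the fact: altered per-user proxy settings, an attacker-deployed root certificate, and a locally installed relay (the Tor client). The following PowerShell script is an added example written for this summary; it is not code from the NewsBites item or from Microsoft's post. It assumes a Windows 8 / Server 2012 or later host (for Get-NetTCPConnection) and treats "root CA present in the CurrentUser store but absent from LocalMachine" as the anomaly baseline, which is an assumption that fits a centrally managed workstation but should be adjusted to your own environment.

```powershell
# Added defender-side triage check (example code, not from the NewsBites item or Microsoft's post).
# Looks for the three artifacts the item describes on a Windows host:
#   1. altered per-user proxy settings (static proxy or PAC URL),
#   2. a root CA that exists only in the CurrentUser store (assumed anomaly baseline),
#   3. processes listening on loopback, where a freshly installed local relay would appear.
# Review the output against a known-good baseline; legitimate loopback listeners are common.

$findings = @()

# 1. Per-user proxy configuration read by Internet Explorer / WinINet-based clients.
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy    = Get-ItemProperty -Path $proxyKey

if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer) {
    $findings += "Static proxy enabled: $($proxy.ProxyServer)"
    if ($proxy.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += 'Proxy points at the local host; check which process accepts those connections'
    }
}
if ($proxy.AutoConfigURL) {
    $findings += "Proxy auto-config (PAC) URL set: $($proxy.AutoConfigURL)"
}

# 2. Root CAs present only for the current user. Assumption: on a managed host,
#    legitimate roots are also in LocalMachine, so a user-only root deserves a look.
$machineRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Root) {
    if ($machineRoots -notcontains $cert.Thumbprint) {
        $findings += "User-only root CA: Subject='$($cert.Subject)' Thumbprint=$($cert.Thumbprint) NotBefore=$($cert.NotBefore)"
    }
}

# 3. Loopback listeners and their owning processes. A local proxy or Tor-style relay
#    installed by the dropped scripts would show up here; compare to a baseline.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -eq '127.0.0.1' -or $_.LocalAddress -eq '::1' }
foreach ($conn in $listeners) {
    $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Loopback listener $($conn.LocalAddress):$($conn.LocalPort) owned by $($owner.ProcessName) (PID $($conn.OwningProcess))"
}

if ($findings.Count -eq 0) {
    'No proxy, root-certificate or loopback-listener findings'
} else {
    $findings
}
```

Run it in the context of the affected user, since both the proxy values and the root store checked here are per-user (HKCU and Cert:\CurrentUser). A hit on the PAC URL or a user-only root CA is the strongest signal; the listener list is noisy on its own and is most useful when a proxy entry already points at the local host.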

FTC: Rental Cars Could Leak Personal Data (August 30 and 31, 2016)

In a consumer information blog post, the US Federal Trade Commission (FTC) warns that rental cars could leak personal information. While rental cars may offer attractive connected features, they can also retain data entered into GPS systems or information from smartphones if they are connected to the car's system. The post recommends taking steps to ensure that personal data are protected, including using a cigarette lighter adapter to charge phones instead of connecting directly to the system through a USB port; being careful about permissions if devices are connected to the car's system; and deleting data when you return the car.

Read more in: FCW: Rental cars can be data thieves, warns FTC
-https://fcw.com/articles/2016/08/31/ftc-cert-rockwell.aspx
FTC: What is your phone telling your rental car?
-https://www.consumer.ftc.gov/blog/what-your-phone-telling-your-rental-car

NIST Digital Authentication Guidance Revised Draft (August 30, 2016)

The US National Institute of Standards and Technology (NIST) has published a revised draft of its guidance for digital authentication. This version comprises four documents: digital authentication guidelines; enrollment and identity proofing; authentication and lifecycle management; and federation and assertions.

Read more in: Federal News Radio: NIST publishes major revisions to digital authentication guidance
-http://federalnewsradio.com/technology/2016/08/nist-publishes-major-revisions-digital-authentication-guidance/

NIST: Draft NIST Special Publication 800-63-3: Digital Authentication Guideline
-https://pages.nist.gov/800-63-3/sp800-63-3.html

INTERNET STORM CENTER TECH CORNER

Today's Locky Variant Arrives as a Windows Script File
-https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/

OneLogin Breached and Secure Notes Lost
-https://www.onelogin.com/blog/august-2016-incident

USB Memory Stick Can Be Used to Exfiltrate Data Wirelessly
-http://cyber.bgu.ac.il/t/USBee.pdf

Jail Break App in Apple's App Store
-https://www.reddit.com/r/jailbreak/comments/506eyp/release_ppjailbreak_on_the_appstore/

Adobe ColdFusion Update
-https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html

OS X Bittorrent Client Transmission Backdoored
-http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/

Arrested Lurk Hacking Group Likely Developed Angler Exploit Kit
-https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/

Vulnerable REDIS Instances Used by Fake Ransomware
-https://duo.com/blog/over-18-000-redis-instances-targeted-by-fake-ransomware

Malware Using Maxmind For Geolocation
-https://isc.sans.edu/forums/diary/Maxmindcom+Abused+As+AntiAnalysis+Technique/21435/

Content Security Policy of Limited Use in Real World
-https://research.google.com/pubs/pub45542.html

CryptWare Bitlocker Enhancement Vulnerability
-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160831-0_CryptWare_CryptoPro_Manipulation_of_pre-boot_authentication_v10.txt

Google Releases Chrome 53
-http://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create