
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #50

June 26, 2018

****************************************************************************

SANS NewsBites               June 26, 2018                Vol. 20, Num. 050

****************************************************************************


TOP OF THE NEWS

 

Supreme Court Says Law Enforcement Need Warrant to Access Cell Site Location Data

 

California Data Privacy Bill Would Give Residents More Control Over Their Personal Information

 

Android Battery Saving App Also Loads Click Bot Malware


REST OF THE WEEK'S NEWS

 

Indian Banks Must Migrate ATMs from Windows XP

 

DISA Developing Continuous Evaluation Security Clearance Technology

 

Treasury Inspector General for Tax Administration Audit Found IRS Actions Did Not Adequately Protect Taxpayer Data

 

2018 Cyber X-Games Focused on Critical Infrastructure

 

Known Drupal Flaw is Being Exploited to Mine Cryptocurrency

 

Mobile Service Providers Will Stop Selling Location Data

 

PDQ Restaurant Chain Acknowledges Point-of-Sale System Breach


INTERNET STORM CENTER TECH CORNER



***************************  Sponsored By InfoBlox  ************************


5 security experts say "Hack, No!" to DNS Threats.  Join the live panel discussion June 28. http://www.sans.org/info/204990


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a new iPad, Samsung Galaxy Tab A, or take $250 Off with Any OnDemand or vLive Course, Offer Ends June 27.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


--

Supreme Court Says Law Enforcement Need Warrant to Access Cell Site Location Data

(June 22, 2018)

The US Supreme Court has ruled that law enforcement must obtain a warrant to collect a suspect's cell site location information (CSLI). In a 5-4 decision, Chief Justice John Roberts wrote in the majority opinion that "when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone's user." The ruling does not overturn the "third-party doctrine," a legal precedent that found that people have no "reasonable expectation of privacy" regarding information collected by a third party, nor does it cover real-time tracking.


[Editor Comments]


[Pescatore] Establishing that individuals do "own" their personal location data, even if held by third parties, is a sweeping modernization of the boundaries of privacy. For law enforcement, getting a warrant is not really a major impediment, and the ruling validates that warrant-less access would still be allowed in emergency situations, such as "bomb threats, active shootings, and child abductions." But other commercial applications collecting individual location data (personally worn IoT devices, smart cars, etc.) don't seem to be specifically addressed - yet.

 

[Murray] The Fourth Amendment does not speak to the "expectations" of the citizen but to whether or not the searches and seizures of the state are "reasonable," per se. The "reasonable expectation of privacy" test is used to justify some abuse. Carpenter contains the usual emergency (e.g., kidnapping, terrorism) exception to the warrant requirement but not to the Probable Cause test for the admissibility of evidence collected under the emergency exception.  

 

Read more in:

Supreme Court: Carpenter V. United States: Certiorari to the United States Court of Appeals for the Sixth Circuit (PDF)

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

Wired: The Supreme Court Just Greatly Strengthened Digital Privacy

https://www.wired.com/story/carpenter-v-united-states-supreme-court-digital-privacy/

SC Magazine: Supreme Court rules government generally needs warrant for long-term surveillance using location data

https://www.scmagazine.com/supreme-court-rules-government-generally-needs-warrant-for-long-term-surveillance-using-location-data/article/775440/

ZDNet: Supreme Court says police need a warrant for historical cell location records

https://www.zdnet.com/article/supreme-court-search-warrant-cell-location-records/

Ars Technica: Supreme Court rules: Yes, gov't needs warrant to get cellphone location data

https://arstechnica.com/tech-policy/2018/06/supreme-court-rules-yes-govt-needs-warrant-to-get-cellphone-location-data/



--

California Data Privacy Bill Would Give Residents More Control Over Their Personal Information

(June 22, 2018)

A bill introduced in the California state legislature could give residents more control over their personal data. The California Consumer Privacy Act of 2018 would allow California residents to find out what personal information data brokers and other businesses are collecting, where the companies obtain those data, and how those data are shared. Californians would be able to ask that the companies delete their personal information and demand that it not be sold. Businesses would be barred from denying services to people who make these demands.   


[Editor Comments]


[Murray, Pescatore, Neely, Northcutt]

In security, as goes California, so goes the nation. "Breach Notification" began with California law; they tend to be early. Enterprises tend to comply with California law, whether or not they are domiciled there, while other states tend to follow their example. The California legislature seems to be good at the difficult job of drafting.

 

Read more in:

Wired: Bill Could Give Californians Unprecedented Control Over Data

https://www.wired.com/story/new-privacy-bill-could-give-californians-unprecedented-control-over-data/

LegInfo: The California Consumer Privacy Act of 2018

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375



--

Android Battery Saving App Also Loads Click Bot Malware

(June 22, 2018)

A malicious Android app that infects devices with click bot malware is also capable of stealing text messages and log data. The app has infected at least 60,000 Android devices. Users are led to the app through a pop-up ad telling them that there is a problem with their device's battery. The app does actually monitor battery levels and shuts down processes that are using too much power when the battery is low.  


[Editor Comments]


[Neely] Note that this application was delivered through the legitimate Google Play store. Users need to be diligent about permissions granted to an application. For example, this battery saving application requests SMS and Bluetooth pairing capabilities, as well as the ability to modify system settings, which should be red flags.


Read more in:

SC Magazine: 60,000 Android devices hit with ad-clicking bot malware

https://www.scmagazine.com/60000-android-devices-hit-with-ad-clicking-bot-malware/article/775634/

Threatpost: Malicious App Infects 60,000 Android Devices - But Still Saves Their Batteries

https://threatpost.com/malicious-app-infects-60000-android-devices-but-still-saves-their-batteries/133023/


**************************  SPONSORED LINKS  ********************************


1) Don't Miss:  "All Your Network Traffic Are Belong to Us -- VPNFilter Malware and Implications for ICS"  Register: http://www.sans.org/info/204995


2) Fortinet Webcast "Diffuse Cryptojacking & Ransomware Attacks with a Sandbox" with Dave Shackleford.  Register: http://www.sans.org/info/205000


3) Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205005 and enter to win a $400 Amazon gift card!


*****************************************************************************


THE REST OF THE WEEK'S NEWS


--

Indian Banks Must Migrate ATMs from Windows XP

(June 25, 2018)

India's banks have until June 2019 to stop using Windows XP in ATMs. (For reference, Microsoft ended support for Windows XP in April 2014.) The Reserve Bank of India sent financial institutions a notice setting out a timeline for migration; at least 50 percent of the machines must be migrated by the end of this calendar year; they must implement anti-skimming and application whitelisting technologies by March 2019; and they must be completely migrated a year from now. The banks must file compliance plans by the end of July 2018.    


[Editor Comments]


[Neely] ATMs are viewed more as appliances than computers, where security updates and changes must be well tested before deployment, and, not unlike SCADA systems, they are expected to last a very long time to achieve the expected ROI. The update to newer operating systems typically drives replacing the entire ATM to add newer functionality, such as check imaging and EMV support, as well as increased security. While standalone ATMs are relatively inexpensive, in-wall units are expensive, which will lead to maximal timeline use.


Read more in:

The Register: India tells its banks to get Windows XP off ATMs - in 2019!

http://www.theregister.co.uk/2018/06/25/indian_banks_on_notice_windows_xp_must_die/

Reserve Bank of India: Control measures for ATMs - Timeline for compliance

https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11311&Mode=0

 

--

DISA Developing Continuous Evaluation Security Clearance Technology

(June 22, 2018)

The Defense Information Systems Agency (DISA) is developing a security clearance investigation system that will employ continuous evaluation capability, eliminating the need to reinvestigate workers who already hold security clearances and reducing the backlog of security clearance investigations. The National Background Investigation System (NBIS) "is designed to replace and modernize the existing systems that were being operated by OPM," according to DISA services development executive and acting executive officer for NBIS Terry Carpenter. DISA was given the task of developing and managing security clearance technology following the massive data breach at the Office of Personnel Management (OPM) in 2015.


[Editor Comments]

[Neely] Process and automation improvements will improve the overall clearance process, hopefully eliminating the bi-annual OPM tiger team working their backlogs; the focus for the new system must be on security first.

 

Read more in:

FCW: DISA takes the lead in continuous monitoring clearance tech

https://fcw.com/articles/2018/06/22/disa-clearance-nbis-tech.aspx

 

--

Treasury Inspector General for Tax Administration Audit Found IRS Actions Did Not Adequately Protect Taxpayer Data

(June 21 & 25, 2018)

According to an audit report from the Treasury Inspector General for Tax Administration, the US Internal Revenue Service (IRS) was in such a hurry to fix one security issue that it neglected to take precautions to protect taxpayer data. The IRS rushed to fix weaknesses in the "Get Transcript" feature that were being exploited by criminals to file fraudulent tax returns and steal refunds. The IRS shut down the feature and moved the associated logs to a data warehouse for analysts to examine for fraud. The IRS neglected to inform the officials in charge of the warehouse that the data were being moved there. While the IRS did ensure that the facility had appropriate physical security, no steps were taken to monitor what employees did once they had access to the system.


[Editor Comments]


[Honan] A reminder that when responding to an incident and it requires you to use alternative systems, it is essential to ensure the alternatives being used have the same levels of security as in the primary systems.

 

Read more in:

Treasury.gov: The Cybersecurity Data Warehouse Needs Improved Security Controls (PDF)

https://www.treasury.gov/tigta/auditreports/2018reports/201820030fr.pdf

Nextgov: IRS' Rush to Secure Exposed Taxpayer Data Left It Vulnerable Again

https://www.nextgov.com/cybersecurity/2018/06/irs-rush-secure-exposed-taxpayer-data-left-it-vulnerable-again/149268/

 

--

2018 Cyber X-Games Focused on Critical Infrastructure

(June 19 & 22, 2018)

Earlier this month, the Army Reserve Cyber Operations Group held the Cyber X-Games, which brought together 72 participants (Army and Air Force soldiers, ROTC cadets, and military contractors) in an exercise geared toward practicing defending critical infrastructure networks in finance, public utilities, and healthcare from cyberattacks. Prior to the exercise, the participants spent four days learning about the tools and protocols they would be using.


Read more in:

Army: Cyber X-Games 2018 focuses on critical infrastructure

https://www.army.mil/article/207319/cyber_x_games_2018_focuses_on_critical_infrastructure

Fifth Domain: How the Army is virtually prepping for real cyberattacks

https://www.fifthdomain.com/dod/army/2018/06/22/how-the-army-is-virtually-prepping-for-real-cyberattacks/

 

--

Known Drupal Flaw is Being Exploited to Mine Cryptocurrency

(June 21 & 22, 2018)

A remote code execution flaw in versions 7 and 8 of the Drupal content management framework is being exploited to use infected machines' processing power to mine Monero cryptocurrency. For the time being, it appears that cryptocurrency mining is all the flaw is being used for, but it could be used as a means of conducting more malicious activity. A fix for the vulnerability has been available since April 25, 2018, but many users have not yet updated.   


[Editor Comments]


[Henry] We've seen another similar vulnerability in Drupal as well. Both vulnerabilities allow for remote code execution and have been patched. However, given the outstanding number of unpatched and un-updated sites, the vulnerabilities are likely to continue to be ripe for mineware campaigns. The exploitations are creating significant costs to victim companies as their resources are being exploited by criminals.


Read more in:

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

https://www.drupal.org/sa-core-2018-004

Trend Micro: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

https://blog.trendmicro.com/trendlabs-security-intelligence/drupal-vulnerability-cve-2018-7602-exploited-to-deliver-monero-mining-malware/

Dark Reading: New Drupal Exploit Mines Monero for Attackers

https://www.darkreading.com/operations/new-drupal-exploit-mines-monero-for-attackers/d/d-id/1332129

 

--

Mobile Service Providers Will Stop Selling Location Data

(June 19, 2018)

After being publicly criticized by US Senator Ron Wyden (D-Oregon), Verizon pledged in a June 15, 2018 letter to Wyden to end the practice of sharing information with location aggregators. Sprint, AT&T, and T-Mobile have said that they will follow Verizon's example and no longer sell customers' real-time cell location data to third parties. Wyden sent letters to the carriers after learning of information being shared with a company that used the data in ways that violated carrier policy.


[Editor Comments]


[Murray] The company to whom the carriers were selling the data existed for the purpose of reselling to those to whom the carriers did not want to be seen as selling directly. Kudos to Senator Wyden for holding them accountable for this abuse.  


Read more in:

Wyden: Following Wyden's Investigation, Verizon Pledges to End Contracts With Companies that Sell Americans' Location

https://www.wyden.senate.gov/news/press-releases/following-wydens-investigation-verizon-pledges-to-end-contracts-with-companies-that-sell-americans-location-

Wyden: Verizon Letter (PDF)

https://www.wyden.senate.gov/imo/media/doc/Verizon%20Response%20to%20Sen%20Wyden%2006_15_18.pdf

ZDNet: Verizon, Sprint, AT&T and T-Mobile stop sharing real-time cell phone location data

https://www.zdnet.com/article/senator-rebukes-carriers-sharing-real-time-location-data/

 

--

PDQ Restaurant Chain Acknowledges Point-of-Sale System Breach

(June 25, 2018)

The PDQ fast food restaurant chain has disclosed that a point-of-sale system breach compromised customer payment card data. The malware was on the PDQ system between April 20 and May 19, 2018. Some of the information has been used to conduct fraudulent transactions. The breach affects nearly all of PDQ's 70 locations.  


[Editor Comments]


[Murray] The hospitality industry, and the service providers on which it relies, continue to be a major source of the compromise of payment card data. However, the fundamental vulnerability remains the continued use of the account number in the clear on the magnetic stripe. Years after the introduction and acceptance of the EMV chip, the industry has still not announced a plan, much less a schedule, for eliminating this egregious vulnerability. This may be in part because the merchants bear much of the risk and want the magnetic stripe for backward compatibility.

 

Read more in:

SC Magazine: Hackers get into PDQ's hen house, swipe credit card data

https://www.scmagazine.com/hackers-get-into-pdqs-hen-house-swipe-credit-card-data/article/775798/


******************************************************************************

 

INTERNET STORM CENTER TECH CORNER


XPS Documents Used for Spam

https://isc.sans.edu/forums/diary/XPS+Attachment+Used+for+Phishing/23794/


Deprecating TLSv1.0 and TLSv1.1

https://datatracker.ietf.org/doc/draft-moriarty-tls-oldversions-diediedie/


Leaky Firebase Installs

http://info.appthority.com/-q2-2018-mtr-download-Firebase-vulnerability


Guilty By Association

https://isc.sans.edu/forums/diary/Guilty+by+association/23800/


Filezilla and Adware

https://forum.filezilla-project.org/viewtopic.php?t=48441


iOS Pin Brute Forcing Confusion

https://twitter.com/hackerfantastic/status/1010631766087032832

https://twitter.com/hackerfantastic/status/1010240042990596096


Azure Baseline Security Policy

https://cloudblogs.microsoft.com/enterprisemobility/2018/06/22/baseline-security-policy-for-azure-ad-admin-accounts-in-public-preview/


Phone Battery Usage as Keystroke Logger

https://sites.google.com/site/silbersteinmark/Home/popets18power.pdf?attredirects=1


New Exploit Kit Trends

https://researchcenter.paloaltonetworks.com/2018/06/unit42-the-old-and-new-current-trends-in-web-based-threats/

https://blog.malwarebytes.com/cybercrime/2018/06/exploit-kits-spring-2018-review/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create