SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #102
December 27, 2013
TOP OF THE NEWS
Is This Man Selling The Stolen Target Data?
Concerns About PIN Data in Target Breach
THE REST OF THE WEEK'S NEWS
DHS Getting Cybersecurity in Focus
Japanese Government Warns Ministries to Stop Using Certain Language Input Software
Dogecoin Online Wallet Service Compromised
If NSA Can't Store Phone Data, Who Will?
Snapchat API and Exploits Published
FBI Warns Media Members Receiving Phishing eMails
Vulnerability in Samsung Galaxy S4 Smartphones
Mariposa Botnet Mastermind Gets Five-Year Prison Sentence
**************************** Sponsored By Bit9 ***************************
Do you know what's on your computer and do you trust it? Download this free tool and learn what is installed and running on your computer, what files or processes exist that exhibit behaviors common to advanced threats and the overall trust rating for your computer. http://www.sans.org/info/146865
***************************************************************************
TRAINING UPDATE
- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014
- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014
- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 The nation's largest conference and training program on security of power, oil & gas and other industrial control systems. Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014
- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Is This Man Selling The Stolen Target Data? (December 24, 2013)
Brian Krebs had an exclusive post Tuesday providing an inside look at a person who may be a key distributor of the information stolen from Target.
-http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/
Concerns About PIN Data in Target Breach (December 26, 2013)
In the week since the massive data breach of Target's in-store card payment system was disclosed, few additional details have emerged, but there has been plenty of speculation. A Target spokesperson has said that the company has "no reason to believe that PIN data, whether encrypted or unencrypted, was compromised." But others are concerned that the issue was even raised, because it suggests that Target stores PIN data along with debit card data, or that the attackers managed to compromise the company's point-of-sale system directly.
-http://www.darkreading.com/attacks-breaches/targets-christmas-data-breach/240165020
[Editor's Note (Murray): Handling breaches is difficult. Is it better to be early or accurate and complete? While one grants that Target may not know, to the extent that this disclosure has been timely, it has been short on the necessary information for efficient reaction. ]
************************** Sponsored Links: ******************************
1) Is the Perimeter Dead (or just Redefined)? Take the SANS Survey on End Point Intelligence and enter to win an iPad! http://www.sans.org/info/146870
2) Analyst Webcast: Smart buildings, Cars and Other Devices: New SANS Survey Reveals How Internet of Things Impacts IT Risk Management, Wednesday, January 15 at 1 PM EDT. http://www.sans.org/info/146875
3) Complete the 2014 SANS DDoS Survey and register for a chance to win an iPad. http://www.sans.org/info/146880
*****************************************************************************
THE REST OF THE WEEK'S NEWS
DHS Getting Cybersecurity in Focus (December 23, 2013)
John Gilligan, who has served as CIO of the US Air Force; CIO of the Department of Energy (DOE); and program executive officer for the Air Force's Battle Management/Command and Control, points out ways in which the US Department of Homeland Security (DHS) has made progress in its cybersecurity mission. Since the agency's inception, people have been skeptical of "the wisdom of trying to grow a new capability in DHS" instead of placing it in the hands of "the well-resourced and better-skilled NSA." While Gilligan says that "in discussions with current and former government executives, I have found no one who believes that DHS is doing a very good job in cybersecurity, much less an outstanding one," he notes his "appreciation of the enormous difficulty of DHS's role," remarking on US-CERT's "day-to-day role of alerting organizations to potential or actual cyber attacks," and the National Cybersecurity and Communications Integration Center's (NCCIC's) "progress in effectively sharing realtime cyber threat information across critical infrastructure sectors."
-http://www.federaltimes.com/article/20131223/IT01/312230001/Is-DHS-growing-into-cyber-mission-
[Editor's Note (Murray): On quantity of "resource," DHS dwarfs NSA. On the other hand, quantity may not translate into capability. ]
Japanese Government Warns Ministries to Stop Using Certain Language Input Software (December 26, 2013)
The Japanese government is warning ministries there not to use certain language input software because the products send copies of created documents to servers in other countries. The programs named in the warnings from Japan's National Information Security Center include Baidu's IME (input method editor) for Windows, which sends every character typed to Baidu servers without user consent. The programs allow users to write Japanese characters with English language keyboards by spelling the words phonetically.
-http://www.bloomberg.com/news/2013-12-26/japan-warns-of-security-risk-in-software-used-for-language-input.html
-http://www.japantimes.co.jp/news/2013/12/26/national/chinese-made-computer-input-system-banned-in-government-agencies/#.UrynUUKinjA
-http://the-japan-news.com/news/article/0000898793
Dogecoin Online Wallet Service Compromised (December 26, 2013)
An online wallet service for a virtual currency known as Dogecoin says hackers managed to compromise the service and steal millions of Dogecoins. The attackers appear to have made alterations to the Dogewallet website so that the proceeds from all transactions were credited to their own address. The currency's value is nowhere near Bitcoin's - currently, one US dollar is worth 1,668 Dogecoins. In all, the losses were an estimated US $18,000. Dogewallet is now urging users to use offline wallets.
-http://www.theregister.co.uk/2013/12/26/dogecoin_christmas_heist/
-http://www.forbes.com/sites/timworstall/2013/12/26/dogecoin-seems-all-grown-up-now-theyve-just-had-their-first-mass-theft/
[Editor's Note (Northcutt): If you are going to run a treasury you have to guard both the reserve currency and the printing presses. This is true for both real and virtual currencies. ]
If NSA Can't Store Phone Data, Who Will? (December 25, 2013)
Following the revelation that the NSA has been storing vast quantities of phone call metadata and a federal judge's opinion that the practice is "almost certainly" unconstitutional, the government is considering alternatives to the agency holding the data. Some have suggested requiring the phone companies themselves to retain the data and requiring that the NSA meet strict guidelines when requesting to look at them, but that involves expense and puts the telecoms in the position of being the target of data breaches. Furthermore, unless the data retention arrangement was clearly specified to be for counterterrorism purposes only, the companies could find themselves receiving data requests from federal agents as well as state and local governments. A proposal that would establish a third-party entity to retain the data poses similar problems; as one unnamed senior Senate aide observed, "You'd have to demonstrate why that organization having those records provides any less privacy concern than giving it to the NSA, which operates under very strict privacy guidelines."
-http://www.washingtonpost.com/world/national-security/if-not-the-nsa-who-should-store-the-phone-data/2013/12/25/df00c99c-6ca9-11e3-b405-7e360f7e9fd2_story.html
[Editor's Note (Honan): As the recent opinion from the European Court of Justice highlights, the question democratic governments should be asking is whether they should be storing such metadata in the first place rather than who should be storing it.
(Murray): The mere existence of such data invites abuse and misuse. However, collating the data across carriers makes it significantly more sensitive; all of one's associations are in one database. Moreover, having the data in the hands of the state [may (Ed.)] violate the social contract in which the state gets the exclusive right to use force and the citizen is protected from "unreasonable searches and seizures" and guaranteed "freedom of association." The Fourth and First Amendments to the Constitution tremble under the weight of this program. ]
Snapchat API and Exploits Published (December 25 & 26, 2013)
Hackers have published Snapchat's API (application programming interface) and exploit code for a pair of vulnerabilities that could be used to match phone numbers with usernames and create phony Snapchat accounts. The hackers say they released the information because Snapchat developers ignored their notifications about the vulnerabilities.
-http://arstechnica.com/business/2013/12/snapchat-exploit-may-let-hackers-connect-names-and-phone-numbers-in-bulk/
-http://www.forbes.com/sites/timworstall/2013/12/26/snapchats-api-is-hacked-and-exploits-allowing-phone-number-collection-and-bogus-account-creation-published/
-http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/
FBI Warns Media Members Receiving Phishing eMails (December 24 & 26, 2013)
Earlier this week, the FBI warned that the hacking group known as the Syrian Electronic Army (SEA) was sending phishing emails trying to get people to divulge their usernames and passwords. The emails were reportedly sent to members of the media, including some New York Times employees. The link provided claimed to be a CNN story about the conflict in Syria. The link actually directed people who clicked on it to phony Google login pages. The SEA has denied responsibility for the deceptive messages.
-http://www.scmagazine.com//sea-denies-reported-fbi-claim-that-hacktivists-were-phishing/article/327062/
-http://bits.blogs.nytimes.com/2013/12/24/the-syrian-electronic-army-is-at-it-again/?_r=0
Vulnerability in Samsung Galaxy S4 Smartphones (December 24, 2013)
A vulnerability in Samsung's Galaxy S4 smartphone could be exploited to steal data despite the implementation of a new security platform. The flaw reportedly allows attackers to track email and record data communications even with the device's implementation of the Knox security platform. Samsung is looking into reports of the flaw; the company has indicated that it does not believe that the problem is as serious as those who disclosed it make it out to be.
-http://news.cnet.com/8301-1009_3-57616275-83/researchers-report-security-flaw-in-samsungs-galaxy-s4/
-http://www.nbcnews.com/technology/samsung-galaxy-s4-phones-have-big-security-hole-israeli-researchers-2D11794870
Mariposa Botnet Mastermind Gets Five-Year Prison Sentence (December 24, 2013)
A court in Slovenia has sentenced Matjaz Skorjanc to five years in prison for creating and distributing malware known as ButterFly Flooder that was used to create the Mariposa botnet. Authorities arrested Skorjanc in 2010 following a two-year investigation. He has also been ordered to pay a 4,000 euro (US $5,500) fine and surrender a car and apartment. The Mariposa malware is believed to have infected 12.7 million computers worldwide.
-http://www.bbc.co.uk/news/technology-25506016
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/