SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #31

April 19, 2013

SANSFIRE in June is Washington DC's largest cybersecurity training
program with 30+ full-week immersion courses with Internet Storm
Center's exclusive evening briefings on the newest attack techniques and
what to do about them. 12 days left to get the biggest discounts.
http://www.sans.org/event/sansfire-2013

---

TOP OF THE NEWS

Microsoft to Begin Offering Two-Factor Authentication
US House Passes CISPA, But White House Has Said It Will Veto the Bill
ACLU Files Complaint With FTC Over Android Security Updates

THE REST OF THE WEEK'S NEWS

Study Says Home Routers Vulnerable to Attacks
Microsoft: Web Based Threats More Prevalent Than Network Threats
Malware Targets Online Stock Trading Programs
Apple Updates Safari and Java
Oracle Issues Quarterly Patch Update and Java Update
Java 8 May be Delayed While Oracle Works Out Java 7 Security Issues
Sony Pictures Entertainment Hacker Gets One Year Prison Sentence
"Magic" Malware Spreading in the UK
VPS Host Linode Attacked Through ColdFusion Vulnerability
Pirate Bay Co-Founder Indicted on Hacking Charges

---

*************************** SPONSORED BY Symantec *************************
Gangs, Watering Holes, and Other Threats To combat cyber gangs, avoid the wrong watering holes, and escape other threats, you need Symantec's annual Internet Security Threat Report (ISTR). Join us for a live video webcast with a panel of IT security experts for an in-depth discussion of key findings from 2012. http://www.sans.org/info/129365
****************************************************************************
TRAINING UPDATE

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware. http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act. http://www.sans.org/event/rocky-mountain-2013


- -- SANS Secure Europe 2013 Amsterdam, Netherlands April 15-April 27, 2013 10 courses. http://www.sans.org/event/secure-europe-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole. http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors. http://www.sans.org/event/pentest-berlin-2013


- -- Looking for training in your own community? http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Johannesburg, Malaysia, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Microsoft: Web Based Threats More Prevalent Than Network Threats (April 17 & 18, 2013)

According to Microsoft's Security Intelligence Report, web-based threats pose a greater risk to enterprise networks than do worms that spread through the network. This is the first time in four years that Conficker has not topped the list of threats to enterprise networks. That position is now occupied by IframeRef malware.
-http://www.scmagazine.com/threats-from-the-web-becoming-more-prevalent-than-netw
ork-worms/article/289470/
-http://www.darkreading.com/vulnerability/microsoft-worms-and-rogue-av-dying-web-
t/240153128
[Editor's Note (Pescatore): It is not the quantity of threats that are important, it is the quality. Years later, Slammer and Blaster were still topping the quantity charts because of automated mass attempts even when there were very few Windows machines missing those patches. Today's targeted attacks do not make the top of any quantity report, yet they are by far the most damaging. By volume, drizzle tops the list in weather attacks.
(Shpantzer): Getting off of XP to Win 7/8, patching browsers/Java/Adobe and using EMET seems to be a really good way to drastically reduce malware on Windows machines. EMET v4 is out in Beta, 3.5 is stable.
-http://www.microsoft.com/en-us/download/details.aspx?id=38761
(Murray): Open source intelligence from Verizon, Mandiant, Kroll, Sophos, IBM, McAfee, Symantec, Microsoft, Google, Trustwave, Trusteer, SANS, and others almost too numerous to mention, has proved to be far more valuable than that promised, but grudgingly given, from the government. That said, we may be reaching the limits of our bandwidth; my desktop is littered with reports that I have not found time to read. ]

US House Passes CISPA, But White House Has Said It Will Veto the Bill (April 16 & 18, 2013)

In a 288-127 vote on Thursday, April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The bill would allow email and Internet providers to share information with the government. CISPA now goes to the Senate, where its fate is questionable given the White House's position that it will veto CISPA as-is. One of the administration's concerns is that CISPA does not require private entities to strip irrelevant personal data from information shared with government agencies or other private sector entities. Legislators tried, unsuccessfully, to add an amendment to CISPA which would have ensured that companies' terms of use and privacy policies would continue to be valid and enforceable. Critics of CISPA say it "poses a major threat to Fourth Amendment rights."
-http://news.cnet.com/8301-13578_3-57580275-38/house-approves-cispa-but-outlook-i
n-senate-is-unclear/
-http://www.zdnet.com/in-passing-cispa-u-s-house-sanctions-death-of-the-fourth-am
endment-7000014205/
-http://www.computerworld.com/s/article/9238493/House_approves_CISPA_despite_priv
acy_objections?taxonomyId=17
-http://www.scmagazine.com/white-house-threatens-cispa-veto-again/article/289132/
Administration's Statement on CISPA:
-http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/113/saphr624r_
20130416.pdf
[Editor's Note (Murray): The House followed the money and ignored the popular opposition to this bill. CISPA offers sweeping immunity to business, far beyond what is necessary to accomplish its objectives. It invites abuse. ]

ACLU Files Complaint With FTC Over Android Security Updates (April 17, 2013)

The American Civil Liberties Union (ACLU) has filed a complaint with the US Federal Trade Commission (FTC) asking that the agency investigate major wireless phone service carriers for failing to deliver updates for known security issues in the Android operating system. The complaint alleges unfair and deceptive business practices for failing to distribute the patches and failing to inform customers that their devices are vulnerable to attacks. While Google has issued updates for the flaws, the carriers have not pushed them out in a timely manner. Apple issues its own updates for its phones, but individual carriers bear the responsibility of pushing out Android fixes.
-http://www.wired.com/threatlevel/2013/04/aclu-android-security-issue/
-http://www.h-online.com/security/news/item/ACLU-calls-for-FTC-investigation-into
-carrier-Android-1844175.html
-http://arstechnica.com/security/2013/04/wireless-carriers-deceptive-and-unfair/
-http://www.washingtonpost.com/business/technology/2013/04/16/1d7364fc-a6c9-11e2-
a8e2-5b98cb59187f_story.html
Text of Complaint:
-http://www.aclu.org/files/assets/aclu_-_android_ftc_complaint_-_final.pdf
[Editor's Note (Pescatore): I think "Politics makes for strange bedfellows" comes from Shakespeare, but it sure applies here: the ACLU filing complaints about security issues? But I like their angle: if the carriers don't push out security patches to the phones, they are not honoring their side of the contracts they lock people into and thus the contracts should be invalidated. Nice incentive for the carriers to more regularly update Android phones. But this also points out the security advantages of the Apple and Blackberry model, where the hardware and software come from one vendor who does push out updates regularly, vs. the Android (and Windows PC) model where the user is on their own.
(Northcutt): Kudos to our story collector, Kathy Bradford! This is a big story and everyone dealing with BYOD and MDM (Bring your own device and mobile device management) has skin in the game. (Shpantzer): Google could learn from Apple's closed ecosystem and enforce discipline in the Android Telco/OEM ranks. Fragmentation is theoretically good for security against mass malware (not a monoculture, hard to test on infinite number of hw/sw permutations), but old and terminally vulnerable versions of Android persist for months or even years, whereas new Apple iOS versions have 90% penetration in a matter of days or weeks. ]

---

*************************** Sponsored Links: ******************************
1) Attend the Mobile Device Security Summit where experts and practitioners will detail proven approaches to securing BYOD. http://www.sans.org/info/129370

2) "Data Center Virtualization from a Security Perspective," featuring Dave Shackleford and Deepak Thakkar, Wednesday, May 1, at 1 PM EDT http://www.sans.org/info/129375

3) There's not much time left to take the SANS survey on the Critical Security Controls and enter to win a new iPad! http://www.sans.org/info/129380
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Study Says Home Routers Vulnerable to Attacks (April 17 & 18, 2013)

Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the box default configurations.
-http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says
-study/
-http://www.computerworld.com/s/article/9238474/Popular_home_routers_contain_crit
ical_security_vulnerabilities?taxonomyId=17
[Editor's Note (Murray): May well be true. However, we are far better off with these routers than we would have been without them. SOHO routers have raised the cost of attack and have dramatically reduced the size of bot-nets that we would have had without them. ]

Malware Targets Online Stock Trading Programs (April 18, 2013)

Researchers have detected malware that steals login credentials from QUIK and FOCUS IVonline trading software. The software can be used to make trades on the Moscow Exchange, the St. Petersburg Exchange, the Ukrainian Exchange, and others. The malware has been used in attacks since November 2012.
-http://www.computerworld.com/s/article/9238496/Researchers_find_malware_targetin
g_online_stock_trading_software?taxonomyId=17
-http://www.theregister.co.uk/2013/04/18/online_broker_malware/

Apple Updates Safari and Java (April 17 & 18, 2013)

Apple's most recent update for Safari includes functionality that allows users to decide whether to enable the Java plug-in on a site-by-site basis. The new feature is available in the latest versions of Safari 5 and 6. Apple has also released an update for the Java browser plug-in that addresses 21 vulnerabilities. The updates address remote code execution vulnerabilities in the browser and in Java.
-http://www.zdnet.com/apples-latest-safari-updates-add-site-by-site-java-plugin-c
ontrols-7000014207/
-http://www.v3.co.uk/v3-uk/news/2261946/apple-releases-security-updates-for-safar
i-and-java

Oracle Issues Quarterly Patch Update and Java Update (April 16 & 18, 2013)

On Tuesday, April 16, Oracle released its quarterly Critical Patch Update to address 128 vulnerabilities in a variety of the company's products. The company also issued a critical security update for Java that addresses 42 vulnerabilities, the majority of which are remotely exploitable. Nineteen of the 42 flaws have been given the highest severity rating.
-http://www.h-online.com/security/news/item/Oracle-closes-128-holes-across-its-pr
oduct-range-1844692.html
-http://news.cnet.com/8301-1009_3-57579845-83/oracle-preps-128-security-patches-j
ava-gets-42/
-http://www.theregister.co.uk/2013/04/17/oracle_java_security_update/
-http://www.theregister.co.uk/2013/04/16/oracle_critical_patch_april/
[Editor's Note (Pescatore): Why do Oracle's Java patches try to trick me into loading Google Chrome or McAfee scanning tools?? I assume Oracle is getting revenue from those vendors for this schlocky practice - it makes all three of them look minor-league. ]

Java 8 May be Delayed While Oracle Works Out Java 7 Security Issues (April 18, 2013)

In a blog post, Mark Reinhold, chief architect of the Java Platform Group at Oracle, says that the release date for Java 8 may be delayed because of the need to focus on security for Java 7.x. Oracle recently issued a security update for the Java browser plug-in. Reinhold said that the group's increased attention to security has resulted in an "upgrade
[in ]
our development processes to increase the level of scrutiny applied to new code." He also suggested that the group's focus be on releasing a stable, polished version of Java 8.
-http://www.informationweek.com/security/application-security/oracle-delays-java-
8-to-improve-java-7-s/240153185
-http://mreinhold.org/blog/secure-the-train
[Editor's Note (Pescatore): The obvious response is "Please do!" but I also have a very strong "deja vu all over again" feeling, as Microsoft said the same thing back in 2004 as it delayed the beta release of Vista to focus on a security "push" after the worms of 2003 ravaged Windows PCs and Servers. Turned out to be a good decision in the long run for the security of Microsoft but not so much for Vista - though I don't think the security push was a factor in Vista's problems in the marketplace. ]

Sony Pictures Entertainment Hacker Gets One Year Prison Sentence (April 18, 2013)

A judge in California has sentenced Cody Kretsinger to a year and a day in federal prison, followed by a year of home detention. In April 2012, Kretsinger pleaded guilty to conspiracy and unauthorized impairment of a protected computer in connection with an SQL hack on the Sony Pictures Entertainment website. The judge also ordered Kretsinger to perform 1,000 hours of community service and pay restitution of more than US $600,000. Kretsinger stole the registration data of thousands of people who used the site and gave the information to LulzSec to post to the Internet.
-http://arstechnica.com/tech-policy/2013/04/lulzsec-hacker-gets-a-year-in-jail-fo
r-sony-breach/

"Magic" Malware Spreading in the UK (April 17 & 18, 2013)

Malware known as Magic communicates with an as-yet unknown custom protocol. Thousands of computers in the UK have been infected across a variety of sectors, including finance, education, and telecommunications. While Magic's purpose is not clear, it is likely to have been designed for espionage, as it has been active on computers for nearly a year. It can establish a backdoor on infected machines, steal data, and inject HTML into browsers. Researchers who have examined Magic say that the malware has additional capabilities that it has not yet used, suggesting that those behind the operation may be conducting reconnaissance for a larger attack.
-http://www.theregister.co.uk/2013/04/18/magic_malware_menaces_uk/
-http://www.scmagazine.com/trojan-uses-magic-code-to-infect-organizations-around-
globe/article/289290/
-http://www.v3.co.uk/v3-uk/news/2262412/magic-malware-infects-thousands-of-uk-fir
ms-with-network-infiltration-tricks

Microsoft to Begin Offering Two-Factor Authentication (April 17, 2013)

Microsoft will start offering two-factor authentication to Microsoft Account users on an optional basis. The scheme will be much like those used by Google, Apple, and Facebook in which accounts are protected with both a password and a one-time passcode sent to users in a text message or generated by an authentication app. Users will have the opportunity to designate certain devices as trusted on which they do not need to use two-factor authentication.
-http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-
two-factor-authentication/
-http://www.computerworld.com/s/article/9238465/Microsoft_moves_to_optional_two_f
actor_authentication?taxonomyId=17
[Editor's Note (Pescatore): If you think about it, it wasn't really until the late 1990s before most people routinely even entered passwords into their computers for logging in. If we can get the incoming generation of new computer users routinely doing two-factor authentication via text messaging, a big step forward. Of course, two issues: (1) attacks will move forward, too; and (2) when people are using their smartphone as their primary Internet access device, text messaging to that device does not provide a second factor. But, making the basic move away from reusable passwords is as important as moving away from Baby Oil as suntan lotion. ]

VPS Host Linode Attacked Through ColdFusion Vulnerability (April 16, 2013)

Linode, a Virtual Private Server (VPS) hosting company, has reset passwords for all user accounts after becoming aware of and blocking suspicious activity that appeared to be a "coordinated attempt to access one of
[its ]
customers." The company recommends that all customers change their shell passwords and regenerate Linode API keys. The attack appears to have been launched through a vulnerability in Adobe's ColdFusion web server platform.
-http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-pr
oviders-customer-data/
-http://www.zdnet.com/vps-host-linode-issues-customer-wide-password-reset-7000014
057/

Pirate Bay Co-Founder Indicted on Hacking Charges (April 16, 2013)

The Pirate Bay co-founder Gottfrid Svartholm was indicted in Sweden for allegedly hacking into a bank's computer system to withdraw funds as well as hacking into systems of a number of Swedish companies and Sweden's federal tax agency. Svartholm is accused of stealing "a large amount of data from companies and agencies." Three other people have been indicted in connection with the intrusions; Svartholm is believed to have masterminded the attacks.
-http://www.wired.com/threatlevel/2013/04/pirate-bay-co-founder-indicted/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/