SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #32

April 23, 2013

TOP OF THE NEWS

Verizon Report shows China As Source of Most Cyber Attacks
Former Hosting Provider Admin Allegedly Placed backdoors on 2,700 Servers
Bank Sues Fraud Victim to Recover US $336,600

THE REST OF THE WEEK'S NEWS

US Air Force Academy Team Wins Cyber Defense Competition
Yet Another Java Vulnerability Surfaces
Hacking Trial Illustrates Over-Broad Interpretation of Computer Fraud and Abuse Act
Reuters Fires Man Who Allegedly Helped Anonymous Hack LA Times Story
Reports Suggest Payment Card Breach at Teavana Stores
Erroneous DMCA Takedown Notices Problematic
Google Fined a Pittance for Street View Data Collection In Germany
Japan's National Police Agency Wants ISPs to Block Tor for Those Who "Abuse" It
BadNews Malware Snuck Into Google Play Apps
Siri Retains Query Data for Two Years

---

*************************** SPONSORED BY SANS ****************************
At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD. Organizations who have developed successful programs will share how they developed and gained management support for their plans, and provide lessons learned and pitfalls to avoid. http://www.sans.org/info/129480
****************************************************************************
TRAINING UPDATE

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS Secure Europe 2013 Amsterdam, Netherlands April 15-April 27, 2013 10 courses.
http://www.sans.org/event/secure-europe-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Bangalore, Johannesburg, Malaysia, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Verizon Report shows China As Source of Most Cyber Attacks (April 23, 2013)

Hackers whose identity could be tightly linked to the Chinese government were the most active cyberspies last year, according to the annual Verizon Data Breach Report released today. Verizon worked with 18 partners in producing the report, including agencies of the U.S. and other governments. New and importantly this year, the Verizon analysts included the 20 Critical Security Controls (previously known as the SANS Top 20) and showed how each of the 10 principal "threat actions" (attack methods) could be mitigated with a combination of those 20 controls. Best summary in the press:
-http://www.zdnet.com/verizon-data-breach-report-state-sponsored-attacks-surge-70
00014286/
-http://www.upi.com/Science_News/2013/04/22/China-tops-list-of-sources-of-cyber-e
spionage-attacks-in-2012/UPI-23131366682218/
Download the report at
-http://www.verizonenterprise.com/DBIR/2013/

Former Hosting Provider Admin Allegedly Placed backdoors on 2,700 Servers (April 19, 2013)

A man who was once employed by hosting provider Hostgator has been arrested and charged with breach of computer security. Eric Gunnar Gisse worked as an administrator at Hostgator from September 2011 through February 15, 2012. He allegedly installed backdoors on more than 2,700 company servers. The day after Gisse was dismissed from his position, officials at Hostgator detected the backdoor application that he had installed. The backdoor was disguised to look like a Unix administration tool.
-http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-ro
oting-2700-hostgator-servers/
[Editor's Note (Pescatore): This is the nightmare scenario for all outsourcing, including the use of the cloud. A lot of the transparency needed from cloud service providers falls in this area: separation of duties, privilege management, change control etc. the FedRAMP continuous monitoring guidelines (which map quite well to the Critical Security Controls) capture this very well.
(Paller): The practice of leaving back doors is more widespread than is commonly known. Programmers do it in writing code so they can more easily maintain the code if the owner of the software changes the access methods. And "trusted" security practitioners sometimes do it. I still have the audio tape of one of the best-known speakers in the security field, currently president of an organization of information security practitioners, saying that he left back doors on his penetration testing clients' computers. He gave a reason that made me think that if they ever did anything he didn't like he would consider using the back door. Hubris. ]

Bank Sues Fraud Victim to Recover US $336,600 (April 19, 2013)

A North Carolina bank is suing one of its customers for funds the bank maintains were provided as a short-term loan to cover a US $336,600 fraudulent transaction. Wallace & Pittman PLLC, a company that specializes in real estate legal services, is refusing to repay the funds, claiming it was not a loan. Park Sterling Bank says it provided the funds as a short-term loan so that the company would not overdraw its trust account, and to allow the company to try to recover the stolen money. Wallace & Pittman has an online ledger transaction that calls the funds classified as "reverse previous wire entry." The company also alleges that the bank did not employ adequate security; Wallace & Pittman maintains that Park Sterling Bank should have noticed that the IP address used to initiate the transfer was one that had never before been associated with the company and that the destination of the transfer - Russia - should have raised suspicions because the company had never before made a wire transfer to a bank outside the US.
-http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/
Park Sterling's Complaint:
-http://krebsonsecurity.com/wp-content/uploads/2013/04/Park-Sterling-Bank-Complai
nt.pdf
Wallace & Pittman's Response:
-http://krebsonsecurity.com/wp-content/uploads/2013/04/Answer-Wallace-Pittman.pdf
[Editor's Note (Pescatore): The FFIEC is pretty clear about the need for "risk-based authentication" and this type of electronic funds transfer system is an obvious candidate for something stronger than reusable passwords. However, the bank doesn't seem to have offered that. With most free consumer email services offering two-factor authentication, businesses ought to demand the same from their commercial banking services - and those services probably ought to refrain from suing their customers unless they are offering secure alternatives.
(Shpantzer): Lame authentication of the end user AND lame verification of the legitimacy of the transaction. You really should pick just one, if you must pick. The bank's complaint, however, says that the customer declined to use the 'dual control' method of two representatives' authorization in order to trigger a transaction, a claim that the customer denies in the answer to the laws.
(Northcutt): As I understand it personal accounts have more protection (probability of being reimbursed) and business accounts have less, but there have been cases where the business has won in court. In the mean time, repeat after me, if you use a computer to do online banking for your business, do not use that computer for anything else:
-http://normantranscript.com/x1301512034/Who-pays-when-your-bank-account-is-hacke
d]

---

*************************** Sponsored Links: ******************************
1) AlienVault USM delivers complete security visibility in minutes. Download the Free 30-Day Trial. http://www.sans.org/info/129485

2) "Data Center Virtualization from a Security Perspective," featuring Dave Shackleford and Deepak Thakkar, Wednesday, May 1, at 1 PM EDT http://www.sans.org/info/129490

3) New Analyst paper in the SANS reading room: "Implementing the Critical Security Controls," by Jim D. Hietala http://www.sans.org/info/129495 To see a listing of all Analyst program papers visit http://www.sans.org/info/129500
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Air Force Academy Team Wins Cyber Defense Competition (April 23, 2013)

A team from the US Air Force Academy has taken top honors in the National Security Agency's (NSA's) 13th annual Cyber Defense Exercise (CDX). Teams from US military academies as well as the Royal Military College of Canada participated in the competition, which required them to design and build their own networks. NSA Red Team members then launched attacks against those networks for 84 straight hours. CDX not only provides a chance for the teams to develop their defensive strategies, but also allows NSA's Red Team the opportunity to practice offensive hacking. The competition required that the teams log all their activity and explain their decisions to examiners.
-http://www.theregister.co.uk/2013/04/23/us_airforce_hacking_competition/
[Editor's Note (Skoudis): The CDX competition is very impressive, and really does a great job in helping cadets learn how to defend their networks from very determined attackers. The scale, complexity, and quality of CDX are unparalleled in cyber challenge competitions. Congrats to the US Air Force Academy on their victory!
(Paller): Since more than half the 250,000 NewsBites subscribers are SANS alumni, I wanted to share a note from the computer science professor at the Air Force Academy who built the program that enables winning teams year after year: "I just wanted to write and thank SANS again for its tremendous support of cadet cyber education and training at the Air Force Academy. SANS has really been a force multiplier in what we've been able to do to prepare officers who will excel in cyber, and we're really grateful." The Air Force Academy is one of the recipients of SANS' academic grants program through which we provide training support where it can make a major difference in national security. ]

Yet Another Java Vulnerability Surfaces (April 22 & 23, 2013)

A reflection API vulnerability in the most recently patched version of Java could be exploited to bypass the sandbox feature. The attack would require that users click "yes" to allow an application to execute on their computers. Oracle has been notified. The flaw affects all versions of Java SE 7 as well as the java Runtime Environment (JRE) Plugin software, the Java Development Kit (JDK), and Server JRE. Oracle released a security update for Java (Java 7, Update 21) just last week.
-http://www.theregister.co.uk/2013/04/23/java_reflection_api_an_insecure_mess/
-http://www.informationweek.com/security/vulnerabilities/oracle-bug-hunter-spots-
java-7-server-fl/240153337

Hacking Trial Illustrates Over-Broad Interpretation of Computer Fraud and Abuse Act (April 22, 2013)

Jury deliberations have begun in a case involving David Nosal, a California man who is accused of violating the Computer Fraud and Abuse Act (CFAA). Nosan allegedly accessed a proprietary database at a company where he had previously worked using access credentials provided by two former colleagues. Authorities say Nosal used the information in the database to build a competing business. Nosal's legal team tried unsuccessfully to convince the judge to throw out the charges because the CFAA does not apply in this case.
-http://www.wired.com/threatlevel/2013/04/hacking-trial-sans-hacking/
[Editor's Note (Murray): While some fraud and abuse may take the form of hacking, the law is not about hacking per se. "Hacking" is not a necessary predicate for the application of the act. ]

Reuters Fires Man Who Allegedly Helped Anonymous Hack LA Times Story (April 22, 2013)

Reuters has fired Matthew Keys following his indictment on charges he conspired with members of the Anonymous hacking group to help them gain access to a Tribune Co. website and alter a story on the Los Angeles Times website. Keys was Reuters' deputy social media editor. The incident that prompted the charges occurred in December 2010. Keys had been employed at a Tribune television station through October 2010. He allegedly supplied the login credentials to Anonymous members after leaving that job.
-http://www.latimes.com/local/lanow/la-me-ln-matthew-keys-fired-20130422,0,507046
2.story

Reports Suggest Payment Card Breach at Teavana Stores (April 22, 2013)

Brian Krebs writes that multiple sources have warned of a breach involving payment cards at Teavana, a US retail chain that sells tea and related items. Starbucks acquired the company last year, and has so far not confirmed a breach, but did say that it is responding to inquiries from card-issuing banks and payment card companies. One card issuing institution said that in March 2013, its fraud team noticed a spike in purchased of gift cards using counterfeit payment cards. The majority of the counterfeit cards were clones of cards used legitimately at Teavana stores.
-http://krebsonsecurity.com/2013/04/sources-tea-leaves-say-breach-at-teavana/

Erroneous DMCA Takedown Notices Problematic (April 22, 2013)

The Fox broadcasting company has sent Digital Millennium Copyright Act (DMCA) takedown notices regarding URLs linking to a novel, written by Cory Doctorow, called "Homeland." Fox produces a television show with the same name; the two are in no way related. Further complicating matters is the fact that Doctorow published his novel under a Creative Commons license, which means its availability on BitTorrent is completely legal, so Fox's takedown notices are causing legitimate content to be removed from the Internet. There is little recourse in situations like this. The DMCA requires that the takedown notices be issued in good faith, but it is easy enough to blame the erroneous notices on carelessness. In any case, the party whose content was wrongly taken down can recover only costs and attorney's fees.
-http://arstechnica.com/tech-policy/2013/04/not-that-homeland-fox-sends-bogus-tak
edowns-for-copyright-reformers-book/
[Editor's Note (Shpantzer): DMCA robo-notices have been problematic for some time. For a hilarious (and terrifying) account of copyright shenanigans and DMCA notices, see here:
-http://dmca.cs.washington.edu/]

Google Fined a Pittance for Street View Data Collection In Germany (April 22, 2013)

Johannes Caspar, Commissioner for Data Protection and Freedom of Information in Hamburg, Germany, has imposed a fined 145,000 euros (US $189,000) fine on Google for collecting unencrypted Wi-Fi data packets while gathering images for its Street View feature. It is the highest allowable fine for the offense under German law. Caspar has acknowledged that the fine is far too small to act as a deterrent to Google.
-http://news.cnet.com/8301-1009_3-57580705-83/germany-fines-google-$189k-for-stre
et-view-wi-fi-data-breach/
-http://www.bbc.co.uk/news/technology-22252506
-http://www.computerworld.com/s/article/9238576/Germans_fine_Google_for_gathering
_personal_data_with_Street_View_cars?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2263170/google-fined-gbp124-000-for-street-view-s
lurping-german-wifi-data

Japan's National Police Agency Wants ISPs to Block Tor for Those Who "Abuse" It (April 21 & 22, 2013)

Japan's National Police Agency (NPA) may begin asking Internet service providers (ISPs) there to block Tor, a network that helps people anonymize their online activity. (Tor stands for The Onion Router). The ISPs would be asked to block people's use of Tor if those people had been found to be abusing the network. Japanese police were thwarted in their efforts to nab a cybercriminal because he used Tor. The NPA's plan comes in response to a recommendation from a panel brought together to help decide how to fight crime that is committed with the help of Tor.
-http://arstechnica.com/tech-policy/2013/04/japanese-police-ask-isps-to-start-blo
cking-tor/
-http://www.bbc.co.uk/news/technology-22248692
-http://www.theregister.co.uk/2013/04/22/tor_japan_police_ban/
[Editor's Note (Murray): This is a troubling and confusing report. Use of anonymizers should not "be read as a presumption of guilt." Resort to anonymizers is rare, mostly legitimate, and sometimes even necessary. On the other hand, such use in the furtherance of a crime should be treated as aggravating. "To block people's use of Tor if those people had been found (presumably by a court) to be abusing the network" seems appropriate. However, it should take something more than a mere assertion on the part of the police. ]

BadNews Malware Snuck Into Google Play Apps (April 20 & 22, 2013)

Malware known as BadNews has been downloaded from Google Play at least two million times. BadNews was found to have been hidden in at least 32 separate apps from four different developers. The malware was added to the apps after they had been submitted to Google Play. Infected Android devices connect to remote servers every four hours to send harvested data, including device phone numbers and unique serial numbers. The remote servers also instruct infected devices to install a Trojan horse program called AlphaSMS that sends text messages to numbers that incur charges. Google has removed the infected apps.
-http://www.theregister.co.uk/2013/04/22/android_malware_badnews/
-http://arstechnica.com/security/2013/04/family-of-badnews-malware-in-google-play
-downloaded-up-to-9-million-times/
-http://www.scmagazine.com/badnews-infections-in-google-play-spread-premium-rate-
sms-trojan/article/289951/

Siri Retains Query Data for Two Years (April 19, 2013)

Apple has revealed that it retains information about questions users ask Siri for as long as two years, although the company does try to anonymize the data. Siri queries are sent to Apple's servers, where they are assigned an identifier - not an AppleID or email address - that links the voice files to the device from which they were sent. After six months, the identifier is removed, but the query data are retained to help Apple with product testing and improvement. The disclosure of Apple's data retention practices comes in response to pressure from American Civil Liberties Union (ACLU) lawyer Nicole Ozer, who said that that Apple does not do enough to let customers know their privacy rights.
-http://www.wired.com/wiredenterprise/2013/04/siri-two-years/
-http://arstechnica.com/apple/2013/04/apple-remembers-where-you-wanted-to-get-dru
nk-for-up-to-2-years/
-http://www.zdnet.com/apple-stores-your-voice-data-for-two-years-7000014216/
[Editor's Note (Pescatore): Change cell phone services and if you wait longer than about 10 days you lose all your voicemail messages, which are usually pretty valuable. Yet every time you chat with Siri Apple manages to save that for up to two years? Hard to see this making the top 10 list of privacy concerns, but another area where it should really be opt in.
(Northcutt): This is confusing to me. I thought Apple devices had a Unique Identifier (UDID). And if you use an Apple service like iTunes or the App Store then Apple would be able to link the UDID to the AppleID. It might be more straightforward for Apple to adopt the hulu/Netflix/Amazon line that they use the information they store about me to give me the best possible service:
-http://www.innerfence.com/howto/find-iphone-unique-device-identifier-udid
-http://developer.apple.com/library/ios/#documentation/uikit/reference/UIDevice_C
lass/Reference/UIDevice.html
-https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/