SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #34

April 30, 2013

TOP OF THE NEWS

The Guardian's Twitter Accounts Hijacked
Twitter Warns News Companies to Improve Security
Apache Web Server Attack is Sophisticated and Stealthy

THE REST OF THE WEEK'S NEWS

Researchers Find Open IP Ports on Ships' Automatic Identification Systems
Supreme Court Says States Can Limit FOIA Requests to Residents Only
Flaw in Adobe Reader Tracks Documents
Bringing Wiretap Laws Into the Digital Age
Dutch Man Arrested in Spain on Charges Related to Spamhaus DDoS Attacks
US Mulls Responses to Cyberattacks
Google Play Store Changes Content Policy
LivingSocial Hacked, User Passwords Reset
Travnet Trojan Steals Data


*************************** SPONSORED BY Bit9 ****************************
eBook: Detecting and Stopping Advanced Attacks. Today's cyber threat has changed in sophistication, in focus, and in its potential impact on your business. This eBook will tell you how today's advanced attacks require automatic detection and incident response. You will learn how you can most effectively protect your business. Download Today http://www.sans.org/info/129860
****************************************************************************
TRAINING UPDATE

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


-- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses.
http://www.sans.org/event/london-summer-2013


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Johannesburg, Malaysia, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

The Guardian's Twitter Accounts Hijacked (April 29, 2013)

The same group that hijacked the Associated Press's Twitter feed last week is now claiming responsibility for taking over Twitter accounts belonging to the UK newspaper The Guardian. The Syrian Electronic Army claims to have taken control of 11 Twitter feeds at the Guardian. The attack occurred over the weekend; as of Monday, Twitter had suspended most of the hijacked Guardian accounts. Following last week's AP incident, which resulted in a phony tweet claiming that there had been an attack on the White House, Twitter announced that it is conducting internal testing of two-factor authentication.
-http://www.zdnet.com/guardian-twitter-accounts-compromised-sea-takes-credit-7000014650/

-http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800

Twitter Warns News Companies to Improve Security (April 30, 2013)

Twitter has contacted major news organizations around the world, warning them that attacks like those against the Associated Press and The Guardian are likely to continue, and advising them to examine their internal policies for using social media. Twitter made suggestions, such as increasing the strength of account passwords and designating just one computer to use for Twitter.
-http://www.bbc.co.uk/news/technology-22351987
-http://www.zdnet.com/twitter-warns-of-more-hacks-threats-to-come-issues-media-memo-7000014690/

Apache Web Server Attack is Sophisticated and Stealthy (April 29, 2013)

Websites running the Apache web server have been under attack for roughly a month. The attacks are becoming increasingly sophisticated, powerful, and stealthy; they are virtually invisible without the use of specialized forensics. The attack replaces the httpd binary with a version containing a backdoor, dubbed Linux/Cdorked.A. The backdoor keeps its configuration and state in a shared memory segment rather than in files, so the modified binary is the only artifact on disk and scanning the web root for dropped files finds nothing.
-http://arstechnica.com/security/2013/04/admin-beware-attack-hitting-apache-websites-is-invisible-to-the-naked-eye/

-http://www.v3.co.uk/v3-uk/news/2264874/hackers-hit-thousands-of-websites-with-apache-backdoor-attack

-http://www.h-online.com/security/news/item/Compromised-Apache-binaries-load-malicious-code-1851442.html

[Editor's Comment (Northcutt): The second chart in the link below is illuminating. Apache deployments appear equally balanced between enterprise and smaller organizations. The enterprise folks are probably deploying countermeasures; smaller business organizations are probably running at risk:
-http://w3techs.com/technologies/details/ws-apache/all/all ]
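A set of checks an administrator could run on an Apache host after this report, added here as an example; it is not ESET's tool and not code from any of the articles above. It assumes a Linux host (it reads /proc/PID/comm, /proc/PID/exe and /proc/sysvipc/shm), a SHA-256 you recorded from a clean httpd binary or the vendor package, and the uid the web server runs as; the 1 MB size threshold and the uid 48 in the usage section are illustrative filters, not Cdorked indicators.

```python
import glob
import hashlib
import hmac
import os

# Added example, not ESET's tool and not code from the articles above.
# Assumes a Linux host (reads /proc) and a SHA-256 you recorded from a
# clean httpd binary or the vendor package; the uid and size threshold
# below are illustrative, not Cdorked indicators.

def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_binary(path: str, expected_sha256: str) -> bool:
    """True if the on-disk binary matches the recorded clean hash."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.lower())

def running_httpd_binaries(proc: str = "/proc") -> list:
    """Paths of the binaries actually loaded by running httpd/apache2 processes,
    resolved through /proc/PID/exe, so a trojaned binary at an unexpected path
    is not missed by checking only `which httpd`. Empty on non-Linux hosts."""
    found = set()
    for comm_path in glob.glob(os.path.join(proc, "[0-9]*", "comm")):
        pid_dir = os.path.dirname(comm_path)
        try:
            with open(comm_path) as f:
                name = f.read().strip()
            if name in ("httpd", "apache2"):
                found.add(os.readlink(os.path.join(pid_dir, "exe")))
        except OSError:          # process exited, or not ours to read
            continue
    return sorted(found)

def parse_shm_table(text: str) -> list:
    """Parse /proc/sysvipc/shm. Column order: key shmid perms size cpid lpid
    nattch uid gid cuid cgid atime dtime ctime rss swap (header on line 1)."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        rows.append({
            "shmid": int(cols[1]), "perms": cols[2], "bytes": int(cols[3]),
            "nattch": int(cols[6]), "uid": int(cols[7]),
        })
    return rows

def suspicious_shm(owner_uid: int, shm_table: str = "/proc/sysvipc/shm",
                   min_bytes: int = 1 << 20) -> list:
    """Segments owned by the web-server uid of at least min_bytes. Cdorked kept
    its state in shared memory rather than on disk, so a large segment owned by
    the httpd account that no legitimate module accounts for deserves a dump
    (ipcs -m shows the same table) and a look at which processes attached."""
    with open(shm_table) as f:
        rows = parse_shm_table(f.read())
    return [r for r in rows if r["uid"] == owner_uid and r["bytes"] >= min_bytes]

if __name__ == "__main__":
    # assumption: a hash list you built from a clean install or vendor package
    KNOWN_GOOD = {"/usr/sbin/httpd": "<sha256 recorded from a clean install>"}
    for exe in running_httpd_binaries():
        expected = KNOWN_GOOD.get(exe)
        status = "no reference hash" if expected is None else (
            "OK" if verify_binary(exe, expected) else "MODIFIED")
        print(f"{status:18s} {exe}")
    for seg in suspicious_shm(owner_uid=48):   # 48 = apache on RHEL-family hosts; assumption
        print("shm", seg)
```

Where the distribution package manager owns the binary, rpm -V httpd or debsums gives the same answer faster; Apache built from source or installed by a control panel is not covered by either, which is why the recorded hash is the fallback here. A clean hash result on a host whose httpd was reinstalled from the same compromised channel proves nothing, so record the reference hash from media you trust.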


*************************** Sponsored Links: ******************************
1) Tune in to this week's Wednesday Webcast: Understanding Control System Cyber Security. Includes a live cybersecurity demo using the CYBATI hands-on control system training environment. Wednesday, May 1 at 11:30am EDT Register at: http://www.sans.org/info/129635

2) SANS webcast with Dave Shackleford! Virtualization and Data Centers: A Security Perspective, Wednesday, May 1, at 1:00 PM EDT http://www.sans.org/info/129870
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Researchers Find Open IP Ports on Ships' Automatic Identification Systems (April 29, 2013)

Researchers sifting through data collected in "an unprecedented census of nearly the entire Internet" were surprised to find that Internet connected Automatic Identification System (AIS) receivers on ships responded to port scans. The AIS receivers on ships and navigation markers provided data that allowed the researchers to track the locations of ships at sea. The ships included military and law enforcement vessels. The devices are used to help prevent collisions at sea and to allow for the tracking of international shipping.
-http://arstechnica.com/security/2013/04/good-morning-captain-open-ip-ports-let-anyone-track-ships-on-internet/

-http://www.technologyreview.com/news/514066/what-happened-when-one-man-pinged-the-whole-internet/

Supreme Court Says States Can Limit FOIA Requests to Residents Only (April 29, 2013)

The US Supreme Court has ruled that states may limit requests under their own freedom-of-information (FOIA) laws to citizens of that state; the case concerned Virginia's FOIA. The decision will make it more difficult for journalists and researchers to obtain records from public agencies in states where they do not live.
-http://arstechnica.com/tech-policy/2013/04/supreme-court-rules-states-can-limit-foia-requests-to-their-own-citizens/

-http://www.supremecourt.gov/opinions/12pdf/12-17_d1o2.pdf

Flaw in Adobe Reader Tracks Documents (April 28 & 29, 2013)

A vulnerability in Adobe Reader could be exploited to track PDF files' movements. The flaw discloses when and where PDF files are opened and affects all versions of Adobe Reader, including the most recent update (Reader XI 11.0.2). McAfee Labs discovered the flaw and has not provided details because Adobe has not yet released a fix. McAfee also noted that it has detected in-the-wild attacks that exploit the flaw.
-http://www.computerworld.com/s/article/9238752/McAfee_spots_Adobe_Reader_PDF_tracking_flaw?taxonomyId=17

-http://www.v3.co.uk/v3-uk/news/2264811/pdftracking-flaw-found-in-adobe-reader
-http://www.scmagazine.com/researchers-investigate-adobe-vulnerability-that-enables-a-pdf-to-be-tracked/article/291076/

[Editor's Note (Pescatore): I hope this was really an unintentional flaw and not a feature. Just because I'm paranoid doesn't mean the model of the revenue coming from selling the server side of software like Adobe *isn't* really going away in favor of advertising revenue that requires tracking the user and selling the user's information to the advertisers... ]

Bringing Wiretap Laws Into the Digital Age (April 28, 2013)

A US government task force is pushing for real-time interception of communications from companies like Facebook and Google. The proposed legislation would impose fines on the companies for failing to comply with wiretap orders. Many newer communications technologies like social media and chat services are not subject to 1994's Communications Assistance for Law Enforcement Act (CALEA). The proposal for legislative change would clarify that CALEA in fact does apply to Internet phone calls. Officials want "to make sure their existing authorities can be applied across the full range of communications technologies." Rather than amend CALEA, the panel is looking to add enforcement in the form of fines to the 1968 Wiretap Act. Some of the companies that have been asked to intercept communications have replied that they do not have the means to conduct the wiretap. Critics warn that creating ways to wiretap increases the likelihood of a company's servers being hacked.
-http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html

[Editor's Note (Pescatore): Messaging over social media and services like Snapchat are to CALEA what digital PBXs were to the Wiretap Act. CALEA should be updated and remember: CALEA finally got through by adding financial support for the carriers adding the necessary technology for lawful intercept (LI) done right. This approach seems to be trying to go in the opposite direction -- towards fines, which is a bad idea - likely would lead to vulnerable LI capabilities being added slapdash into systems. ]

Dutch Man Arrested in Spain on Charges Related to Spamhaus DDoS Attacks (April 26 & 29, 2013)

Spanish authorities arrested a Dutch man in connection with a series of distributed denial of service (DDoS) attacks against anti-spam organization Spamhaus. The suspect is believed to have launched the DDoS attacks after Spamhaus placed servers maintained by web hosting company Cyberbunker on its blacklist. Cyberbunker claims to offer secure web hosting for all content except child pornography and terrorism. The suspect is likely to be extradited to the Netherlands. The investigation involved police from the Netherlands, Germany, the UK, and the US. Spain's interior minister said the suspect had put together a mobile cyberattack center in a van.
-http://www.bbc.co.uk/news/technology-22337404
-http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/
-http://www.informationweek.com/security/attacks/spamhaus-ddos-suspect-arrested/240153788

US Mulls Responses to Cyberattacks (April 27, 2013)

While US intelligence officials believe that the Iranian government is responsible for a series of distributed denial of service (DDoS) attacks on US online banking websites over the past eight months, the government is reluctant to issue a formal warning for fear of escalating hostilities between the US and Iran. Officials have also noted that the attacks thus far have not been so disruptive as to justify retaliation. The administration also said that establishing a threshold for responding to cyberattacks is tricky because each situation is different and "the risk of misattribution and escalation is real."
-http://www.washingtonpost.com/world/national-security/us-response-to-bank-cyberattacks-reflects-diplomatic-caution-vexes-bank-industry/2013/04/27/4a71efe2-aea2-11e2-98ef-d1072ed3cc27_story.html

Google Play Store Changes Content Policy (April 26 & 29, 2013)

The Google Play Store has changed its Content Policy to require that developers not update apps outside of the store. Specifically, "an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." Apps that do not abide by the new requirement will be labeled "dangerous products" and may be removed from the store. The policy change may have been prompted by Facebook's introduction last month of a silent update feature for Facebook for Android.
-http://news.cnet.com/8301-1009_3-57581691-83/google-no-app-makers-you-cant-skip-the-play-store/

-http://arstechnica.com/information-technology/2013/04/google-bans-self-updating-android-apps-possibly-including-facebooks/

-http://www.zdnet.com/google-outlaws-android-app-updates-that-dont-come-from-its-play-store-7000014574/

-http://www.h-online.com/security/news/item/Google-locks-down-updating-on-Play-store-1851695.html

[Editor's Note (Pescatore): Over time Google Play has become a lot more like the Apple App Store, which is a good thing. I think Google found that trying to compete with the iPhone and iPad with a "Droid Does" campaign didn't work - the world doesn't need that one-thousand-and-first poker app, it is fine with 1,000 poker apps, none of which steal users' credit card numbers or cover their screens with scamware. To the majority of consumers, their computing devices are appliances that ought to just work, not science fair projects that explode if you don't constantly tinker with them.
(Murray): While this change might move Google in the direction of Apple's more secure model, Google does not even pretend that this change is about security. ]

LivingSocial Hacked, User Passwords Reset (April 26, 2013)

Hackers have compromised a database belonging to the LivingSocial daily deals website; the breach affects more than 50 million users. The cyberthieves managed to steal names, email addresses, birthdates and encrypted passwords. Affected users are being urged to change their passwords. Fortunately, customers' financial information is stored separately and did not fall prey to the attackers. LivingSocial has not provided details about what sort of attack was used to access the data.
-http://news.cnet.com/8301-1009_3-57581718-83/livingsocial-hacked-50-million-affected/

-http://www.theregister.co.uk/2013/04/26/livingsocial_hacking_attack/
-http://www.computerworld.com/s/article/9238732/After_hack_LivingSocial_tells_50M_users_to_reset_passwords?taxonomyId=17

[Editor's Note (Honan): While LivingSocial has the password database salted and hashed, unlike other breaches such as LinkedIn, it was not with a particularly strong cryptographic algorithm (SHA-1). This should serve as a good reminder that all security controls, including cryptographic algorithms, need to be reviewed and updated regularly to deal with the latest threats.
(Murray): If the attacker has one's "...names, email addresses," and "birthdates..." then the compromise of "encrypted passwords" is the least of one's worries. Big Data Business (BDB) storing PII in the clear with weak authentication; where is the plaintiffs' bar when we really need them? ]
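To make the point about upgrading algorithms concrete, here is an added example (not LivingSocial's code) showing a legacy salted-SHA-1 record of the kind Honan describes beside a PBKDF2-HMAC-SHA256 record, with a login routine that re-hashes outdated records transparently the next time the user authenticates. The record format, the 100,000-iteration count and the sample user are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Added example, not LivingSocial's code. The record format, the iteration
# count and the sample user below are assumptions for illustration.

PBKDF2_ITERATIONS = 100_000   # assumption: tune so one verify costs ~100 ms on your servers

def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-1, the scheme Honan describes: one fast hash per guess, so a
    leaked table can be attacked at GPU speed even though it is salted."""
    return hashlib.sha1(salt + password.encode()).digest()

def legacy_record(password: str, salt: bytes) -> str:
    return "sha1$" + salt.hex() + "$" + legacy_hash(password, salt).hex()

def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt and an iterated KDF; the iteration count is stored
    with the record so it can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(record: str, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, *fields = record.split("$")
    if scheme == "sha1":
        salt, digest = fields
        return hmac.compare_digest(legacy_hash(password, bytes.fromhex(salt)),
                                   bytes.fromhex(digest))
    if scheme == "pbkdf2_sha256":
        iterations, salt, digest = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(digest))
    raise ValueError(f"unknown password scheme: {scheme}")

def needs_upgrade(record: str) -> bool:
    """Legacy scheme, or PBKDF2 with fewer iterations than current policy."""
    scheme, *fields = record.split("$")
    return scheme == "sha1" or (scheme == "pbkdf2_sha256"
                                and int(fields[0]) < PBKDF2_ITERATIONS)

def login(user: dict, password: str) -> bool:
    """Authenticate and, while the plaintext is in hand, replace an outdated
    record. The table migrates user by user as people log in; anyone who never
    returns keeps a weak record, so pair this with a deadline after which
    un-migrated accounts get a forced reset."""
    if not verify(user["pw"], password):
        return False
    if needs_upgrade(user["pw"]):
        user["pw"] = pbkdf2_record(password)
    return True

def guesses_per_second(record: str, seconds: float = 0.2) -> float:
    """Single-core guess rate against one record, to show the cost difference."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verify(record, f"guess{n}")
        n += 1
    return n / seconds

if __name__ == "__main__":
    user = {"email": "user@example.com",                        # constructed sample
            "pw": legacy_record("correct horse", os.urandom(8))}
    print(f"salted SHA-1: {guesses_per_second(user['pw']):,.0f} guesses/s")
    assert login(user, "correct horse")
    print(f"after login, record scheme: {user['pw'].split('$')[0]}")
    print(f"PBKDF2:       {guesses_per_second(user['pw']):,.0f} guesses/s")
```

The gap the two guess rates print is roughly the factor an attacker loses per candidate after migration; an attacker with a GPU rig sees the same ratio. Storing the scheme and iteration count inside each record is what lets the policy be raised again later, which is the "reviewed and updated regularly" part of the note.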

Travnet Trojan Steals Data (April 26, 2013)

The Travnet Trojan horse program compresses stolen files and uploads them to remote servers. Travnet is being used in targeted attacks. It collects information about the computers it infects, including IP addresses, IP configuration data, and running processes. It is capable of stealing a variety of document types. Travnet has been infecting computers through email and exploiting known and patched flaws in Microsoft Office.
-http://www.scmagazine.com/travnet-trojan-compresses-files-to-send-more-info-to-data-thieves/article/290486/

[Editor's Note (Pescatore): Seems almost quaint to see malware going after Office flaws. I think there have been two vulnerabilities requiring patches in Office so far in 2013, but Travnet exploits 2009/2010 vulnerabilities using malformed RTF. Sort of like someone today getting scurvy because they haven't eaten fruit in three or four years. ]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/