SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #53

July 05, 2013

TOP OF THE NEWS

Chinese CERT Reports Increases in Mobile Malware - 80% on Android
Critical Android Flaw Lets Attackers Insert Code Into Signed Apps
South Korean Defense Ministry to Prohibit Certain Smartphone Functionality

THE REST OF THE WEEK'S NEWS

Visa and Mastercard Blocking Payments to Some VPN Providers
CTO Tests Company Employee's Phishing Smarts
European Parliament Adopts Draft Cybercrime Penalties Directive
NIST Issues Draft of Preliminary Framework to reduce Cyber Risks to Critical Infrastructure
IPMI Vulnerabilities Give Hackers Broad Access to Servers
Auernheimer Appealing Conviction in iPad User Data Exposure Case
Remote Access Trojan Targets Organizations in the Middle East
Ubisoft Customers Are Urged to Change Passwords Following Breach

---

*************************** SPONSORED BY SANS ****************************
Digital Forensics Survey Results released during a July 18 webcast at 1 PM EDT. Register for the webcast and automatically sign up for a copy of the associated report. http://www.sans.org/info/134327
***************************************************************************
TRAINING UPDATE
-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Chinese CERT Reports Increases in Mobile Malware - 80% on Android (July 4, 2013)

According to data from the National Computer Network Emergency Response Team/Coordination Center of China (CNCERT/CC), China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80 percent of the malware samples targeted Android devices. Forty percent of the malware was designed to launch fee-based services on the mobile devices. CNCERT/CC also reported that in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country.
-http://www.computerworld.com/s/article/9240574/China_sees_increase_in_Trojan_and
_botnet_attacks_from_other_countries?taxonomyId=17
-http://www.zdnet.com/cn/mobile-malware-rises-more-than-25-times-in-china-7000017
678/s
-http://www.pcworld.com/article/2043663/china-sees-increase-in-trojan-and-botnet-
attacks-from-other-countries.html
[Editor's Note (Skoudis): Wow! Predicted for years, the age of mobile malware is finally upon us as the bad guys have perfected reliable ways to make good money by attacking mobile devices. Just as enterprises, a decade ago, needed to split resources from protecting primarily their servers to protecting workstations as well, they now need to shift resources to spread the security blanket over mobile devices in their midst. ]

Critical Android Flaw Lets Attackers Insert Code Into Signed Apps (July 2, 3 & 4, 2013)

A critical vulnerability that affects every version of the Android operating system since 2009 can be exploited to allow attackers complete access to Android devices. Hackers could steal data from the phones, use them to send spam, or eavesdrop on communications. The flaw allows attackers to alter the code of an app without invalidating the apps original cryptographic signature, which allows malicious code to evade the operating system's mechanism that checks cryptographic signatures to make sure they are trusted.
-http://www.h-online.com/security/news/item/Android-s-code-signing-can-be-bypasse
d-1911409.html
-http://www.bbc.co.uk/news/technology-23179522
-http://arstechnica.com/security/2013/07/android-flaw-allows-hackers-to-surreptit
iously-modify-apps/
-http://www.v3.co.uk/v3-uk/news/2279495/android-master-key-leaves-99-percent-of-g
oogle-smartphone-and-tablet-users-open-to-attack
[Editor's Note (Skoudis): This feels rather like someone saying, "There is a GIANT security flaw in your device, but I can't share any details and there isn't anything you can do to defend yourself." Yeah...we figured that. Thanks. There just isn't enough information for enterprises or consumers to take informed action.]

South Korean Defense Ministry to Prohibit Certain Smartphone Functionality (July 3, 2013)

Starting July 15, South Korean defense ministry employees must install an app on their smartphones that disables certain functions, such as Internet connectivity and camera, while inside ministry buildings. The step is being taken to prevent data leaks. Most employees will be permitted to receive and make phone calls and use text messaging while inside the building, but iPhone users will be limited to receiving calls and messages. Visitors may not carry mobile phones into the building at all. This is a test run, and the plan will be revised if necessary. Other South Korean military facilities may adopt the plan if it is found to be effective.
-http://www.zdnet.com/s-korea-defense-bans-internal-smartphone-usage-7000017613/
[Editor's note (Skoudis): Given the location-aware features of mobile devices, it makes sense to disable certain risky functions when in specific areas. I do this manually when I go to hacker conferences, shutting off Bluetooth and Wifi, among other things while at the conference. It makes sense to have devices automatically do this kind of thing, essentially applying a new security profile dynamically when in more hostile settings. ]

---

*************************** Sponsored Links: ******************************
1) Another New Paper in the SANS reading room: SANS survey on Mobile Application Security: http://www.sans.org/info/134332

2) NEW paper in the SANS Reading Room: Results of the SANS Critical Security Controls Survey, featuring John Pescatore. http://www.sans.org/info/134337

3) NEW paper in the SANS Reading Room: "Implementing Hardware Roots of Trust," includes real case studies, best practices and standards on how to implement hardware security that is ubiquitous in most of today's organizations. http://www.sans.org/info/134342
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Visa and Mastercard Blocking Payments to Some VPN Providers (July 3 & 4, 2013)

Swedish online payment service provider PaySon says that Mastercard and Visa have ordered the company to stop allowing payments to some virtual private network (VPN) providers and anonymization services. The new focus on VPNs and anonymization services appears to be directed at five companies that have been linked to P2P piracy. In a related story, WikiLeaks says that its Icelandic payment processor, Valitor, is once again accepting donations from credit cards for the organization. In 2010, Mastercard and Visa ordered payment processors not to process payments to WikiLeaks. An Icelandic court ruled recently that Valitor must resume processing payments to WikiLeaks.
-http://news.techeye.net/business/vpn-providers-under-attack
-http://www.theregister.co.uk/2013/07/04/payment_block_swedish_vpns/
-http://www.techdirt.com/articles/20130703/13150923710/visa-mastercard-ban-anonym
izing-vpns-just-as-they-allow-wikileaks.shtml
-http://arstechnica.com/tech-policy/2013/07/you-can-now-donate-to-wikileaks-with-
your-credit-card-via-iceland/
-http://www.reuters.com/article/2013/07/03/us-iceland-wikileaks-idUSBRE9620QI2013
0703
[Editor's note (Skoudis): These flaws in most IPMI deployments are pretty profound. Dan Farmer's papers on this topic released earlier this year (titled "IPMI: Freight Train to Hell") are must-reads for technically minded people, as IPMI gives attackers a built-in backdoor to completely control an enterprise's computing devices. ]

CTO Tests Company Employee's Phishing Smarts (July 3, 2013)

Several weeks ago, the chief technology officer at Atlantic Media sent out a phony phishing email to all 450 company employees. The message appeared to come from Google Apps and asked recipients to click on a link to confirm their account information. When the employees clicked on the link, they were taken to a website that revealed the security test. About 120 employees clicked on the link. Another 120 opened the message but did not click on the link. CTO Tom Cochran noted, "Telling someone that something is bad can happen is not as good as demonstrating it." The remaining employees either called or messaged Cochran about the suspicious message, and some flagged it in their inboxes. While Cochran believes in the value of security education for employees, Bruce Schneier says they are a waste of companies' time and money, because "you're only as strong as your worst offender." Schneier noted that a better choice would be "investment in systems that take user mistakes out of the loop."
-http://www.scmagazine.com/cto-of-media-company-faked-out-employees-with-phishing
-emails/article/301603/
[Editor's Note (Honan): Security awareness on its own is not effective. However, saying "you're only as strong as your worst offender." is like saying "you're only as safe on the road as the worst driver". Proper security awareness training combined with technology, policing and enforcement can prove to be very effective in securing your environment. ]

European Parliament Adopts Draft Cybercrime Penalties Directive (July 4, 2013)

The European Parliament has adopted a draft directive that would impose more stringent penalties on people convicted of cybercrimes. Under the directive, those convicted of operating botnets would face at least three years in prison. The directive also requires member states to respond to urgent requests for help from other states within eight hours. After the directive is formally adopted, member states will have two years to adopt the directive into their own body of laws.
-http://www.bbc.co.uk/news/technology-23187470
-http://www.europarl.europa.eu/news/en/pressroom/content/20130701IPR14763/html/Cy
ber-attacks-Parliament-adopts-stricter-EU-wide-penalties

NIST Issues Draft of Preliminary Framework to reduce Cyber Risks to Critical Infrastructure (July 3, 2013)

The US National Institute of Standards and Technology (NIST) has released a draft of voluntary cybersecurity framework for industries that are part of the country's critical infrastructure. NIST published the draft "for discussion purposes at upcoming workshops and to further encourage private sector input." Ed Skoudis said that the plan as currently presented "include(s) a lot of moving parts, but" that he thinks "the NIST framework will be helpful for critical infrastructure providers to sort out what their current capabilities are, and what they need to do to have a well-though-out approach to cybersecurity." A February 2013 executive order requires that NIST publish final guidelines for the companies by November of this year.
-http://www.nextgov.com/cybersecurity/2013/07/federal-standards-body-proposes-cyb
er-regulations-private-sector/66005/?oref=ng-channeltopstory
-http://www.nist.gov/itl/upload/draft_outline_preliminary_framework_standards.pdf

IPMI Vulnerabilities Give Hackers Broad Access to Servers (July 2, 2013)

Vulnerabilities in the Intelligent Platform Management Interface (IPMI) could be exploited to give hackers an "almost-physical level of access" to vulnerable servers. The IPMI protocol is used by Baseboard Management Controllers. It allows management controllers from different manufacturers to communicate and interact with servers from different manufacturers. Researcher HD Moore notes that IPMI users are "heavily cautioned by the vendors to never place a server's BMC on the Internet." Researchers say the flaws affect more than 100,000 Internet-connected servers.
-http://www.wired.com/threatlevel/2013/07/ipmi/
-http://www.darkreading.com/management/new-gaping-security-holes-found-exposing/2
40157724

Auernheimer Appealing Conviction in iPad User Data Exposure Case (July 2, 2013)

Andrew Auernheimer is appealing his hacking conviction. Last year, Auernheimer was found guilty of conspiracy to gain unauthorized access to computers and identity theft. In March 2013, he was sentenced to 41 months in prison. Auernheimer was prosecuted under the Computer Fraud and Abuse Act (CFAA), which has come under increased scrutiny for being outdated, overly-broad, and for often being abused. Auernheimer's legal team is arguing that he accessed a portion of AT&T's website that was not password protected and therefore his actions were not illegal.
-http://news.cnet.com/8301-1009_3-57592084-83/at-t-ipad-hacker-appeals-conviction
/
-http://www.theregister.co.uk/2013/07/02/auernheimer_ipad_hack_appeal/
-http://www.scmagazine.com/lawyers-ask-appeals-court-to-toss-conviction-of-resear
cher-who-exposed-att-ipad-customer-data/article/301569/
-http://www.wired.com/opinion/2013/07/dont-hate-the-crime-hate-the-person-how-wee
vs-appeal-affects-all-of-us/

Remote Access Trojan Targets Organizations in the Middle East (July 2, 2013)

A remote access Trojan (RAT) known as njRAT is targeting organizations in the Middle East. The malware can steal data from browsers, activate webcams, and log keystrokes. It has been used against government, telecommunications, and energy sector systems. njRAT arrives as an executable file attachment that pretends to be a Microsoft Word or PDF document. It can also spread through drive-by downloads and USB drives.
-http://www.scmagazine.com/remote-access-trojan-targets-middle-east-based-energy-
and-government-sectors/article/301544/

Ubisoft Customers Are Urged to Change Passwords Following Breach (July 3, 2013)

Video game developer and publisher Ubisoft has acknowledged a security breach that exposed the names, email addresses, and encrypted passwords of millions of the company's users. Ubisoft noted that it does not store payment card information. At the time of the attack, Ubisoft's user database contained information for 58 million accounts. Ubisoft is urging users to change their passwords. Users who purchase Ubisoft games are usually required to create an account with the company to ensure that they are running legitimate versions of the software.
-http://www.bbc.co.uk/news/technology-23159997
-http://www.washingtonpost.com/business/technology/ubisoft-reports-data-breach-as
ks-users-to-change-passwords/2013/07/02/6b79357a-e349-11e2-a11e-c2ea876a8f30_sto
ry.html
-http://www.h-online.com/security/news/item/Attackers-gain-access-to-Ubisoft-cust
omer-data-Update-1910357.html
-http://www.zdnet.com/ubisoft-breached-asks-customers-to-reset-passwords-70000176
05/
-http://www.computerworld.com/s/article/9240542/Ubisoft_warns_of_account_database
_breach_after_website_attack?taxonomyId=17

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/