
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #93

November 22, 2013

TOP OF THE NEWS

GitHub User Accounts Hijacked
Audit Finds Brisbane, Australia Traffic Control Systems Inadequately Protected
Suspicious Internet Route Hijacking Raises Concerns

THE REST OF THE WEEK'S NEWS

Cupid Media Data Breach Affects Millions of Accounts
Coin Addresses Some Critics' Concerns
LG Investigating Reports of Smart TV Data Snooping
Alleged Credit Card Scammer Being Tried on Racketeering Charges
Radio Free Europe/Radio Liberty Targeted in DDoS Attacks
US Defense Dept. Contractors Now Required to Implement Security Standards
Google Beats SSL Upgrade Deadline
Mozilla Issues Interim Firefox Security Update

STORM CENTER TECH CORNER


********************* Sponsored By Trend Micro Inc. ***********************
Trend Micro Forward-Looking Threat Researchers recently published information about the vulnerabilities found within Automated Identification Systems (AIS), which are used for tracking vessels on water. Read about this new research and watch a few videos that show what is possible in this environment, from ship spoofing to triggering false SOS signals.
http://www.sans.org/info/144352

***************************************************************************
TRAINING UPDATE

- --SANS Cyber Defense Initiative, Washington, DC, December 12-19, 2013. 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Security East 2014, New Orleans, LA, January 20-25, 2014. 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014, Scottsdale, AZ, February 17-22, 2014. 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS London 2013, London, UK, November 16-25, 2013. 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Asia Pacific ICS Security Summit, Singapore, December 2-8, 2013. 3 courses. Bonus evening presentations include First Things First: The Top 4 Security Mitigation Strategies.
http://www.sans.org/event/asia-pacific-ics-security-summit-training


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

GitHub User Accounts Hijacked (November 20, 2013)

Software development site GitHub has noted a significant uptick in user account hijackings. Automated login attempts appear to be emanating from 40,000 unique Internet addresses. GitHub has reset passwords for affected accounts and is enforcing a strong passcode requirement.
-http://arstechnica.com/security/2013/11/github-resets-user-passwords-following-rash-of-account-hijack-attacks/

[Editor's Note (Murray): Sounds like an application for Peter Capek's "inductor" which resists brute force attacks by slowing down the logon prompt after a failure or two.
(Shpantzer): Github added two-factor authentication in September:
-https://help.github.com/articles/about-two-factor-authentication]
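As an added illustration (not from the article, GitHub or the editors): detection logic, run over constructed log lines, that flags accounts receiving failed logins from many distinct addresses, the pattern of the 40,000-address campaign described above, together with an escalating per-account delay of the kind Murray's note proposes. The log format, user names and IP addresses are constructed for the example.

```python
"""Detect distributed password guessing against user accounts and compute
an escalating login delay. Log lines and their layout (timestamp, result,
user, source IP) are CONSTRUCTED for this example, not GitHub's format."""
from collections import defaultdict

SAMPLE_LOG = """\
2013-11-20T10:00:01Z FAIL user=alice ip=198.51.100.7
2013-11-20T10:00:02Z FAIL user=alice ip=203.0.113.9
2013-11-20T10:00:02Z FAIL user=alice ip=192.0.2.44
2013-11-20T10:00:03Z FAIL user=alice ip=198.51.100.8
2013-11-20T10:00:04Z FAIL user=alice ip=203.0.113.10
2013-11-20T10:00:05Z OK   user=alice ip=203.0.113.10
2013-11-20T10:01:00Z FAIL user=bob ip=192.0.2.1
2013-11-20T10:01:30Z FAIL user=bob ip=192.0.2.1
2013-11-20T10:02:00Z OK   user=bob ip=192.0.2.1
2013-11-20T10:03:00Z OK   user=carol ip=192.0.2.2
"""


def parse_line(line):
    """Return (result, user, ip) from one constructed log line."""
    _ts, result, user, ip = line.split()
    return result, user.split("=", 1)[1], ip.split("=", 1)[1]


def distributed_guessing(log_text, min_ips=3):
    """Map each account to the sorted list of distinct source IPs that failed
    to log in, keeping only accounts hit from at least `min_ips` addresses.
    Many addresses per account is the signature of a distributed guessing
    campaign; a user mistyping a password comes from one or two."""
    failed_ips = defaultdict(set)
    for line in log_text.splitlines():
        result, user, ip = parse_line(line)
        if result == "FAIL":
            failed_ips[user].add(ip)
    return {u: sorted(ips) for u, ips in failed_ips.items() if len(ips) >= min_ips}


def success_after_spray(log_text, suspects):
    """Accounts in `suspects` that later logged in successfully: the strongest
    sign a password was actually guessed, so these are reset first."""
    hits = set()
    for line in log_text.splitlines():
        result, user, _ip = parse_line(line)
        if result == "OK" and user in suspects:
            hits.add(user)
    return sorted(hits)


def login_delay(failures, free=2, base=1.0, cap=60.0):
    """Seconds to stall the next prompt for an account. The first `free`
    failures cost nothing; each further failure doubles the delay up to
    `cap`, which slows automated guessing without locking out the owner."""
    if failures <= free:
        return 0.0
    return min(cap, base * 2 ** (failures - free - 1))
```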

Audit Finds Brisbane, Australia Traffic Control Systems Inadequately Protected (November 20 & 21, 2013)

According to a report from the Queensland (Australia) Audit Office (QAO), traffic management systems in the state capital, Brisbane, are vulnerable to cyberattacks. QAO performed penetration tests in preparation for the G20 Summit scheduled to be held there next year. The testers gained unauthorized access to the systems, circumventing both technical and physical controls.
-http://www.zdnet.com/au/hackers-could-control-brisbane-traffic-controls-report-7000023405/

-http://www.itnews.com.au/News/364790,qld-traffic-systems-vulnerable-to-g20-attack.aspx

-http://www.theregister.co.uk/2013/11/21/scada_flaws_put_world_leaders_at_risk_of_terrible_traffic_jam/

QAO Report:
-http://www.qao.qld.gov.au/files/file/Reports%20and%20publications/Reports%20to%20Parliament%202013-14/RTP5Trafficmanagementsystems.pdf

Suspicious Internet Route Hijacking Raises Concerns (November 20, 2013)

Earlier this year, researchers began noticing suspicious activity called route hijacking, a type of man-in-the-middle attack on Internet traffic. The technique routes traffic through countries around the world where it could be inspected and possibly altered before being sent on to its final destination. Internet traffic does not necessarily follow the most direct path, but the recent attacks indicate that the traffic is deliberately being routed in certain ways. In some cases, large chunks of traffic from financial institutions, government agencies, and service providers in several countries have been routed through servers in Iceland and Belarus.
-http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/

-http://www.nbcnews.com/technology/wheres-your-data-going-hacks-redirect-traffic-through-distant-lands-2D11624570
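As an added example (not from the articles or the researchers cited): a small check that compares observed BGP announcements against a table of expected origin AS numbers and expected transit providers, flagging a prefix originated by a stranger, a more-specific announcement, and a path that transits an AS the owner never uses. All prefixes, AS numbers and announcements are constructed; a real deployment would take the expected-origin table from RPKI ROAs or IRR records and the observations from a route collector feed.

```python
"""Flag BGP announcements that match the route-hijacking pattern described
above. EXPECTED and OBSERVED are CONSTRUCTED; documentation prefixes and
private AS numbers are used so nothing here refers to a real network."""
import ipaddress

# Constructed "who legitimately originates what" table (ROA-like): the
# owning origin AS, the longest prefix length the owner announces, and
# the transit providers the owner actually buys from.
EXPECTED = {
    "192.0.2.0/24":    {"origin": 64500, "max_len": 24, "transit": {64510, 64520}},
    "198.51.100.0/22": {"origin": 64501, "max_len": 24, "transit": {64510}},
}

# Constructed observations: (prefix, AS path as seen from a collector).
# The origin AS is the last element of the path.
OBSERVED = [
    ("192.0.2.0/24",    [64510, 64500]),   # normal announcement
    ("192.0.2.0/25",    [64530, 64599]),   # more-specific from a stranger
    ("198.51.100.0/24", [64510, 64501]),   # allowed: within max_len
    ("198.51.100.0/22", [64540, 64501]),   # right origin, unexpected transit
    ("203.0.113.0/24",  [64510, 64600]),   # not covered by the table
]


def covering_entry(prefix):
    """Return (expected prefix, rule) whose network contains `prefix`."""
    net = ipaddress.ip_network(prefix)
    for exp_prefix, rule in EXPECTED.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version == exp_net.version and net.subnet_of(exp_net):
            return exp_prefix, rule
    return None, None


def classify(prefix, as_path):
    """Label one announcement: 'ok', 'unknown', 'origin-hijack',
    'too-specific' or 'unexpected-transit'."""
    _exp_prefix, rule = covering_entry(prefix)
    if rule is None:
        return "unknown"
    if as_path[-1] != rule["origin"]:
        return "origin-hijack"
    if ipaddress.ip_network(prefix).prefixlen > rule["max_len"]:
        return "too-specific"
    # Every AS between the collector and the origin should be a transit the
    # owner uses; any other AS on the path is where diverted traffic could
    # be inspected or altered before being forwarded on.
    strangers = set(as_path[:-1]) - rule["transit"]
    if strangers:
        return "unexpected-transit"
    return "ok"


def audit(observed=OBSERVED):
    """Return {prefix: label} for every observation that is not 'ok'."""
    labelled = {p: classify(p, path) for p, path in observed}
    return {p: label for p, label in labelled.items() if label != "ok"}
```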



************************** Sponsored Links: ******************************
1) App Developers and Managers! Share Your Expertise by Taking SANS' 2nd AppSec Survey and Enter to Win an iPad! http://www.sans.org/info/144357

2) Webcast: Prowling Peer-to-Peer Botnets Monday, December 02 at 1:00 PM EST George Kurtz and Tillmann Werner, co-founders, Crowdstrike. In this live webcast, attendees will learn how to use prowler to reconnoiter and track peer-to-peer botnets. http://www.sans.org/info/144362

3) Ask The Expert Webcast: Safety in Numbers: The Value of Crowd-Sourced Threat Intelligence. Wednesday, December 04 at 11:00 AM EST with Dave Shackleford and Jaime Blasco. http://www.sans.org/info/144367
****************************************************************************

THE REST OF THE WEEK'S NEWS

Cupid Media Data Breach Affects Millions of Accounts (November 20, 2013)

A data security breach at online dating network Cupid Media has exposed personal information from 42 million accounts. The compromised data include email addresses and unencrypted passwords. The theft was discovered because the stolen data were stored on the same server where attackers had stored data stolen from Adobe, PR Newswire, and several other organizations. The Cupid Media breach apparently occurred in January 2013, and users were notified. The Australia-based company operates more than 30 specialized dating websites.
-http://www.computerworld.com/s/article/9244202/Hackers_reportedly_steal_42M_customer_records_from_online_dating_network_Cupid_Media?taxonomyId=17

Coin Addresses Some Critics' Concerns (November 20, 2013)

When Coin released information about its all-in-one digital credit card last week, some critics voiced concern about the technology's security and reliability issues. For example, some wondered how securely the credit card information is stored and whether the device could be used as a card skimmer. Others expressed concern that the device would not work if the associated phone is out of power, and wondered whether or not merchants would be willing to accept Coin for payments. Coin has announced some changes, including a method for reactivating the device even if users' phones are out of battery. Coin will also lock onto the payment method users have chosen to avoid accidentally switching to other payment methods stored in the device. The company says that the stored card information is encrypted.
-http://money.cnn.com/2013/11/20/technology/innovation/coin-card-startup/index.html

[Editor's Note (Murray): It seems clear that these folks had not thought through all of the implications of this application. That said, the power of the Internet and the mobile computer may be able to overcome some of the problems. For example, the skimming/replication problem might be overcome, in part, by designing the app so that it used the Internet to validate ownership of a credit card number before pushing it from the mobile to the COIN; e.g., the waiter's app would not replicate the customer's card. Since possession of an un-repudiated card is normally sufficient for its use, there is no service already in the Internet for validating the bind between a card and its owner. Moreover, such a scheme assumes that the app is trusted and not hacked. How long before a hacked app will be available for download?]

LG Investigating Reports of Smart TV Data Snooping (November 19, 20, & 21, 2013)

LG is looking into reports that some of its Smart TVs are gathering information about customer viewing habits and sending the data back to the manufacturer. The activity reportedly occurs even when customers have turned on certain privacy settings. A recent blog post (linked from the BBC story) said that the TVs gather data about which channels customers watch and what devices are connected to the television. The blogger found that an option allowing collection of viewing data was on by default, but even after he switched it off, the information was still being sent, although a flag in the data indicated that he had changed that preference. A second blogger says that LG Smart TVs share not only that information but also the names of files shared on home and office networks.
-http://www.bbc.co.uk/news/technology-25018225

-http://arstechnica.com/security/2013/11/smart-tv-from-lg-phones-home-with-users-viewing-habits-usb-file-names/

-http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-home-networks-second-blogger-says/

[Editor's Note (Pescatore): At the recent SANS "Securing the Internet of Things" Summit, many presentations pointed out this is a common problem in much new Internet-connected consumer gear. Earlier this week I spoke on a panel with FTC commissioners Julie Brill and Maureen Ohlhausen - the FTC had a workshop the next day to kick off public comment on the privacy issues around the "Internet of Things." I also did a session with the National Security Telecommunications Advisory Council (NSTAC), which has started an "Industrial Internet" working group to look at what policy guidance needs to be developed around these emerging issues.]

Alleged Credit Card Scammer Being Tried on Racketeering Charges (November 20, 2013)

David Ray Camez is the first person in the US to be tried on racketeering charges for his alleged involvement with cybercrime. Prosecutors will need to make the case that the Carder.su website is an organized crime operation, on par with the Mafia or a street gang. Camez is facing charges of conspiracy to violate RICO and violating RICO. RICO is the acronym for the US Racketeer Influenced and Corrupt Organizations Act, which allows federal prosecutors to hold every member of such an organization responsible for the actions of the entire organization. Camez is not alleged to have been the site's operator, but he allegedly did business through the site. The US Department of Justice (DOJ) has sent an attorney from its Washington Organized Crime and Gang division to help with the case.
-http://www.wired.com/threatlevel/2013/11/open-market-trial-begins/

Radio Free Europe/Radio Liberty Targeted in DDoS Attacks (November 19 & 21, 2013)

Prague-based Radio Free Europe/Radio Liberty says its servers have been targeted by distributed denial-of-service (DDoS) attacks. The intermittent attacks began last week. The attacks disrupted the organization's news and information services, hindering the ability to upload new stories, pictures, and videos.
-http://www.rferl.org/content/radio-free-europe-internet-attack/25171864.html
-http://www.bellinghamherald.com/2013/11/19/3324882/us-funded-radio-says-it-faces.html

US Defense Dept. Contractors Now Required to Implement Security Standards (November 19 & 20, 2013)

The US Department of Defense (DOD) will now require contractors to implement "established information security standards" on all classified and unclassified networks. Companies contracted to make weapons for DOD will be required to report all network security breaches "that result in the loss of unclassified controlled technical information." The requirements will be built into contracts.
-http://thehill.com/blogs/defcon-hill/policy-strategy/190805-pentagon-ramps-up-cybersecurity-measures-for-defense

-http://news.yahoo.com/pentagon-tightens-cybersecurity-rules-defense-contractors-213454971--finance.html

-http://www.nextgov.com/defense/2013/11/new-defense-contracts-will-protect-vendor-trade-secrets-hackers/74156/?oref=ng-HPtopstory

Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information:
-http://www.regulations.gov/#!documentDetail;D=DARS_FRDOC_0001-0658

[Editor's Note (Murray): Much of the security behavior that government wants from industry could be obtained through contract.
(Henry): I'm very glad to see this implemented after several years of debate, though there are still issues to resolve. Determining actual standards and monitoring compliance will be difficult; I imagine it will primarily be used to hold companies accountable only after a breach occurs, at least initially. Of note: During this regulation's "comment period", a number of respondents were concerned that if the DoD did not provide threat information to companies then they would be unable to determine adequate security for the controlled information. The government response? "There is a voluntary framework for eligible companies to exchange cyber threat information with the Government. Threat information is not needed to determine adequate security." I have serious concerns about that on two fronts. First, it sounds like a lot more of the same. You can share with us through an "exchange", but you don't need threat information back. Secondly, it's fundamentally untrue. Understanding the rapidly developing capabilities and tools of your adversaries is absolutely necessary to determine and implement adequate security. Nevertheless, I'm glad DOD is taking these steps, and am cautiously optimistic.]

Google Beats SSL Upgrade Deadline (November 19, 2013)

Google has fulfilled its commitment to retire 1,024-bit encryption keys ahead of the scheduled target of the end of this year. Google has now replaced all certificates for its online services with new, 2,048-bit SSL certificates. The company is also taking steps to encrypt traffic between its data centers.
-http://news.cnet.com/8301-1009_3-57612905-83/google-finishes-2048-bit-security-upgrade-for-web-privacy/

Mozilla Issues Interim Firefox Security Update (November 19, 2013)

Mozilla is releasing a security update for Firefox outside of its regular schedule to address five vulnerabilities. Since 2011, Mozilla has used a release cycle that pushes out a new version of Firefox every six to eight weeks; in most cases, Mozilla has not felt the need to issue interim security updates. Mozilla said that it is not aware of any active exploits of the flaws that are patched in Firefox 25.0.1, but "the safest choice was to update our users swiftly." The vulnerabilities all concern the Network Security Services (NSS) library.
-http://www.eweek.com/security/mozilla-fixes-security-flaws-in-firefox-25-as-interface-updates-debut.html

[Editor's Note (Murray): Latest Firefox updates block my password manager and offer another. Switching to Chrome.]

STORM CENTER TECH CORNER

Brisbane Traffic Systems found to be vulnerable to attack
-http://www.qao.qld.gov.au/files/file/Reports%20and%20publications/Reports%20to%20Parliament%202013-14/RTP5Trafficmanagementsystems.pdf

Massachusetts Police Department Pays Cryptolocker Ransom
-http://www.heraldnews.com/news/x2132756948/Swansea-police-pay-750-ransom-after-computer-virus-strikes

nginx vulnerability
-http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html

Simple Password Brute Forcing Tomcat Worm
-http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

e-sports Settlement
-http://nj.gov/oag/newsreleases13/pr20131119a.html

LG Smart TVs Phoning Home
-http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

Renesys Discovers Widespread Route Redirects
-http://www.renesys.com/2013/11/mitm-internet-hijacking/

WinpMem
-https://isc.sans.edu/diary/Winpmem+-+Mild+mannered+memory+aquisition+tool%3F%3F/17054

vBulletin Update: No evidence of 0-day
-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4007719-regarding-claims-of-new-0-day-exploits-in-vbulletin

JBoss Vulnerability Actively Exploited
-http://www.exploit-db.com/exploits/28713/
-http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/