
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #96

December 06, 2013

TOP OF THE NEWS

NSA Gathering Huge Quantities of Mobile Phone Location Data
Internet Traffic Deliberately Re-routed by Manipulating Border Gateway Protocol
Data Thieves Stole Millions of Account Login Credentials

THE REST OF THE WEEK'S NEWS

ZeroAccess Botnet Disrupted
Proof-of-Concept Malware Jumps Air Gap
Microsoft's December Patch Tuesday Will Address Flaws in Windows, IE, and Exchange
Chinese Banks Forbidden From Handling Bitcoin Transactions
Arrests in Germany and China Related to Bitcoin
US Lawmaker Seeks Answers From Car Makers About Cybersecurity and Privacy
JPMorgan Chase Breach Exposed Pre-Paid Cash Card Customer Data

STORM CENTER TECH CORNER


************************** Sponsored By Bit9 ****************************
Do you think you're safe from the Advanced Persistent Threat? Take this short assessment to learn how safe you really are. When you're done we'll create a customized action plan with steps you can take to better protect your organization. http://www.sans.org/info/145595
***************************************************************************
TRAINING UPDATE


- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

NSA Gathering Huge Quantities of Mobile Phone Location Data (December 5, 2013)

According to documents leaked to the Washington Post, the NSA logs nearly five billion mobile phone location records every day. This particular collection program "allows the NSA to track individuals and map relationships 'in ways that would have been previously unimaginable.'" According to a May 2012 internal briefing, the volume of collected data is "outpacing [the NSA's] ability to ingest, process, and store."
-http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html

-http://arstechnica.com/tech-policy/2013/12/nsa-collects-nearly-5-billion-cellphone-location-records-per-day/

-http://www.theregister.co.uk/2013/12/05/nsa_collects_up_to_five_billion_mobile_phone_locations_daily/

Internet Traffic Deliberately Re-routed by Manipulating Border Gateway Protocol (December 3 & 5, 2013)

Earlier this year, researchers noticed that Internet traffic was being deliberately rerouted through Belarus and Iceland. The attack, a form of man-in-the-middle, works by injecting routes through the Border Gateway Protocol (BGP) so that other networks forward the targeted traffic through the attacker's network; the attacker then passes it on to its intended destination, so the diversion is not apparent to either end. BGP route manipulation has legitimate uses, for example diverting traffic so it can be filtered during a DDoS attack, and there have been incidents in which configuration errors caused traffic to be rerouted. These recent events, however, bear characteristics indicating that they are the result of deliberate effort rather than error. The targeted traffic appeared to be handpicked, focusing on government agencies and businesses around the world.
-http://www.csmonitor.com/World/Security-Watch/2013/1203/Cyber-security-puzzle-Who-is-sending-Internet-traffic-on-long-strange-trips

-http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/
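How a network operator would catch the pattern described above, as an added example (it is not from the articles cited, and not a SANS or Internet Storm Center tool): a prefix-origin monitor run over BGP announcements. It raises three kinds of alert: a foreign origin for one of our exact prefixes, a more-specific of our space announced by a foreign origin (the more-specific wins longest-prefix match everywhere, which is what pulls the traffic), and an announcement that carries our own origin ASN but arrives via a provider we do not connect to, which is how a forged path looks. The expected-origin table, the upstream table, the collector names and the sample updates are all constructed for this example using documentation prefixes and private-use ASNs; in practice the tables come from RPKI ROAs or your IRR route objects and the updates from a route-collector feed.

```python
"""Prefix-origin and upstream monitoring over BGP announcements (example code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ground truth for the address space being watched. In production this comes
# from RPKI ROAs or your own IRR route objects; here it is CONSTRUCTED for the
# example using documentation prefixes and private-use ASNs.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500},
    "192.0.2.0/24": {64501},
}

# Transit providers each origin actually connects to (also constructed).
KNOWN_UPSTREAMS: Dict[int, Set[int]] = {
    64500: {64510, 64511},
    64501: {64511},
}


@dataclass(frozen=True)
class Announcement:
    prefix: str               # e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]  # as seen by the collector: first hop ... origin
    collector: str            # where the route was observed


def squash_prepends(path: Tuple[int, ...]) -> Tuple[int, ...]:
    """Collapse runs of one ASN (legitimate path prepending) so that the
    neighbour check sees the real adjacency."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def check_announcement(ann: Announcement,
                       expected: Dict[str, Set[int]] = EXPECTED_ORIGINS,
                       upstreams: Dict[int, Set[int]] = KNOWN_UPSTREAMS
                       ) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs for one announcement; [] means it
    either matches what we expect for our prefixes or does not concern them."""
    alerts: List[Tuple[str, str]] = []
    path = squash_prepends(ann.as_path)
    if not path:
        return [("EMPTY-PATH", ann.prefix)]
    origin = path[-1]
    net = ipaddress.ip_network(ann.prefix, strict=False)

    for known, origins in expected.items():
        known_net = ipaddress.ip_network(known)
        if known_net.version != net.version:
            continue
        if net == known_net:
            if origin not in origins:
                alerts.append(("ORIGIN-MISMATCH",
                               f"{ann.prefix} originated by AS{origin}, expected "
                               f"{sorted(origins)} (seen at {ann.collector})"))
        elif net.subnet_of(known_net):
            # A more-specific wins longest-prefix match in every router, so a
            # foreign origin here pulls that block's traffic toward the attacker.
            if origin not in origins:
                alerts.append(("MORE-SPECIFIC-HIJACK",
                               f"{ann.prefix} inside {known} originated by AS{origin} "
                               f"(seen at {ann.collector})"))
        else:
            continue
        # Exact or more-specific of our space with our own origin ASN: the origin
        # can be forged by appending it to a bogus path, so also check that the
        # ASN claiming adjacency to it is a provider we really connect to.
        if origin in origins and len(path) >= 2 and path[-2] not in upstreams.get(origin, set()):
            alerts.append(("UNEXPECTED-UPSTREAM",
                           f"{ann.prefix}: AS{path[-2]} claims to be adjacent to "
                           f"AS{origin} (seen at {ann.collector})"))
    return alerts


# Constructed sample feed: what a route collector might show over a few minutes.
SAMPLE_UPDATES = [
    Announcement("203.0.113.0/24", (64600, 64510, 64500), "rrc00"),                # normal
    Announcement("203.0.113.0/24", (64600, 64510, 64500, 64500, 64500), "rrc00"),  # prepended, normal
    Announcement("203.0.113.128/25", (64600, 64520, 64999), "rrc01"),              # more-specific, foreign origin
    Announcement("192.0.2.0/24", (64600, 64520, 64999), "rrc01"),                  # same prefix, wrong origin
    Announcement("198.51.100.128/25", (64600, 64520, 64500), "rrc02"),             # forged origin via unknown upstream
    Announcement("2001:db8::/32", (64600, 64777), "rrc00"),                         # not our space
]


def scan(updates: List[Announcement]) -> List[List[Tuple[str, str]]]:
    """Run every announcement through the checks, preserving feed order."""
    return [check_announcement(a) for a in updates]


if __name__ == "__main__":
    for ann, alerts in zip(SAMPLE_UPDATES, scan(SAMPLE_UPDATES)):
        status = "ok" if not alerts else "; ".join(f"{k}: {d}" for k, d in alerts)
        print(f"{ann.prefix:20} {ann.as_path} -> {status}")
```

The third check is the one that matters for a deliberate attacker: origin validation alone (ROAs, or the first two checks) is defeated by appending the victim's ASN to the forged path, while the adjacency check compares the claimed upstream with the providers the origin actually has. Run the scan against a real collector feed (RIPE RIS or RouteViews) at whatever interval your change-control tolerates, and treat any more-specific of your space that you did not announce yourself as an incident until proven otherwise.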

Data Thieves Stole Millions of Account Login Credentials (December 4, 2013)

Researchers found a server containing login credentials for at least two million user accounts. The stolen credentials include Facebook, Google, Twitter, and other website accounts, as well as email accounts, FTP accounts, remote desktop logins, and secure shell (SSH) logins. The data come from more than 100 countries. At first glance the majority of the compromised accounts appear to have been taken from computers in the Netherlands, but closer examination reveals that most of them arrived through a single IP address that "functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which [is] in the Netherlands as well."
-http://arstechnica.com/security/2013/12/found-hacker-server-storing-two-million-pilfered-paswords/

-http://news.cnet.com/8301-1009_3-57614479-83/researchers-discover-database-with-2m-stolen-login-credentials/

-http://www.bbc.co.uk/news/technology-25213846
-http://www.computerworld.com/s/article/9244513/Logins_stolen_from_Facebook_Google_ADP_payroll_processor?taxonomyId=17

[Editor's Comment (Northcutt): As these millions of accounts keep getting exposed, the databases of how people choose passwords get better and better. The 8-character password is unlikely to be secure in 2013:
-http://deloitte.wsj.com/riskandcompliance/2013/07/19/the-8-character-password-is-no-longer-secure/ ]


************************** Sponsored Links: ******************************
1) Protect Your Healthcare Data: Revisiting Results of SANS Healthcare Cyber Security Survey featuring SANS healthcare expert Barbara Filkins Wednesday, January 18, 1 PM EDT http://www.sans.org/info/145600

2) Today's Hybrid Data Center: Why Scanning May Not Work, featuring SANS Instructor, Dave Shackleford http://www.sans.org/info/145605

3) SANS is conducting this survey to investigate the use of endpoint protections and improvements in managing/securing them and to identify additional areas that must be addressed to reduce risk and improve protection and compliance practices. Have your voice heard. Complete the survey: http://www.sans.org/info/145610
***************************************************************************

THE REST OF THE WEEK'S NEWS

ZeroAccess Botnet Disrupted (December 5, 2013)

Microsoft, along with other technology industry leaders and European and US law enforcement agencies, has disrupted yet another botnet. The ZeroAccess botnet hijacks search results to redirect users to sites designed to steal personal information. It generates phony clicks on advertisements to receive payments from advertisers. Microsoft has been authorized to "block incoming and outgoing communications between computers located in the US and the 18 identified IP addresses" the botnet uses.
-http://krebsonsecurity.com/2013/12/zeroaccess-botnet-down-but-not-out/
-http://www.bbc.co.uk/news/technology-25227592
-http://www.microsoft.com/en-us/news/press/2013/dec13/12-05zeroaccessbotnetpr.aspx

Proof-of-Concept Malware Jumps Air Gap (December 5, 2013)

Computer scientists in Germany have developed proof-of-concept malware that can communicate with computers that are not connected to any network by using audio signals that are inaudible to humans. The attack uses the built-in microphones and speakers of standard computers to establish "communications that have not been considered in the design of the computing system." Several weeks ago, a different security researcher said that three years earlier his computers had become infected with malware that used high-frequency audio transmissions to jump the air gap.
-http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/

-http://news.cnet.com/8301-1009_3-57614442-83/malware-jumps-air-gap-between-non-networked-devices/

-http://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/
Researchers' Paper:
-http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600

[Editor's Note (Pescatore): There are a few scenarios where this attack might make a top ten risk list, such as when a single user has to use multiple PCs at one desktop, each connected to a network at a different security level. So, it is a good idea to default to microphones off. But, this is much more likely to remain an academic attack - and much more likely that insecure Bluetooth or USB ports will be used to jump that air gap.
(Murray): Like every other security mechanism, "air gaps" must be evaluated in the context of the application and environment. Similarly, attacks must be evaluated in terms of their cost, including work, access required, indifference to detection, special knowledge, and time to detection and remediation. That said, communication requires a listener as well as a transmitter. In this case the "receiver" is "malware;" if one can install it, one does not need the channel to install more malware. ]
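To make the mechanism concrete, here is an added example (not the German researchers' code and not taken from the paper linked above) of the kind of modem such malware needs on both sides of the gap: binary frequency-shift keying with one tone per bit at 18.5 kHz and 19.5 kHz, 10 ms per bit, decoded with a Goertzel filter that measures energy at just those two frequencies. The carrier frequencies, bit rate, amplitude and noise level are assumptions chosen for the example, not the parameters the researchers used, and the signal is generated and decoded in memory rather than played through a speaker and captured by a microphone.

```python
"""Near-ultrasonic binary-FSK modem: the kind of channel air-gap-jumping
malware needs (example code; carrier frequencies and bit rate are assumed)."""
import math
import random

SAMPLE_RATE = 44100     # Hz; a rate every consumer sound card supports
F_ZERO = 18500          # Hz carrying bit 0 (assumed; above most adults' hearing)
F_ONE = 19500           # Hz carrying bit 1 (assumed)
SYMBOL_SAMPLES = 441    # 10 ms per bit = 100 bit/s. 441 samples give 100 Hz bins,
                        # so both tones sit exactly on a bin and do not leak into each other


def modulate(data: bytes, amplitude: float = 0.5):
    """Turn bytes (MSB first) into a list of PCM samples, one tone per bit."""
    samples = []
    n = 0
    for byte in data:
        for i in range(7, -1, -1):
            freq = F_ONE if (byte >> i) & 1 else F_ZERO
            for _ in range(SYMBOL_SAMPLES):
                samples.append(amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
                n += 1
    return samples


def goertzel_power(block, freq: float) -> float:
    """Energy of `block` at one frequency (Goertzel: a single DFT bin, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> bytes:
    """Decide each 10 ms symbol by comparing energy at the two tones, then pack bits."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        block = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop any trailing partial byte
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def add_noise(samples, level: float, seed: int = 1):
    """Stand-in for room noise and a cheap microphone: uniform noise in [-level, level]."""
    rng = random.Random(seed)
    return [x + rng.uniform(-level, level) for x in samples]


def roundtrip(data: bytes, noise: float = 0.3) -> bytes:
    """Modulate, degrade the simulated acoustic path, demodulate."""
    return demodulate(add_noise(modulate(data), noise))


if __name__ == "__main__":
    msg = b"air gap"
    print(roundtrip(msg) == msg, len(modulate(msg)) / SAMPLE_RATE, "seconds on air")
```

Two things a defender should take from it. The tones are above the hearing range of most adults but well below the 22.05 kHz Nyquist limit of ordinary 44.1 kHz audio, so no exotic hardware is needed on either end; and at 100 bit/s the channel is slow, which is plenty for commands or a key but not for bulk exfiltration. Muting or removing the microphone, as Pescatore suggests, removes the receiver entirely; short of that, sustained narrowband energy above 18 kHz on a microphone input is an anomaly worth alerting on.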

Microsoft's December Patch Tuesday Will Address Flaws in Windows, IE, and Exchange (December 5, 2013)

Microsoft plans to issue 11 security bulletins next week to address security issues in Windows, Internet Explorer, and Exchange. Five of the bulletins slated for release on December 10 are rated critical. One of the fixes will likely address a vulnerability that is being actively exploited.
-http://www.computerworld.com/s/article/9244569/Microsoft_lines_up_critical_Windows_Office_and_IE_fixes_for_next_week?taxonomyId=17

-http://www.zdnet.com/microsoft-likely-to-patch-zero-day-next-week-7000023999/
-http://www.theregister.co.uk/2013/12/06/five_critical_fixes_on_the_way_for_patch_tuesday/

-http://technet.microsoft.com/en-us/security/bulletin/ms13-dec

Chinese Banks Forbidden From Handling Bitcoin Transactions (December 5, 2013)

The People's Bank of China has forbidden banks in that country from handling transactions involving Bitcoin. The institution says the decision was made because the virtual currency is not backed by any central authority and because of its association with illegal activity. The bank said that it would not prevent individuals from conducting Bitcoin transactions, but that they need to be aware of the risks involved with using the currency.
-http://www.zdnet.com/cn/china-forbids-banks-to-transact-in-bitcoin-7000023967/
-http://www.bbc.co.uk/news/technology-25233224

Arrests in Germany and China Related to Bitcoin (December 4 & 5, 2013)

Police in Germany arrested two people for allegedly breaking into computers and using the machines' processing capabilities to generate more than US $950,000 in Bitcoin. The infected machines were also used to steal "digital identities." Germany allows people to use Bitcoin for private transactions, but the Federal Financial Supervisory Authority must approve its use for commercial transactions. In an unrelated case in China, authorities detained three people after the GBL Bitcoin trading platform shut down abruptly, leaving people without access to their funds. GBL began operating in May 2013; on October 26, the company shut down the website and provided a phony street address for contact information.
-http://www.computerworld.com/s/article/9244551/Two_charged_with_hacking_computers_to_generate_bitcoins?taxonomyId=17

-http://www.bbc.co.uk/news/technology-25217386

US Lawmaker Seeks Answers From Car Makers About Cybersecurity and Privacy (December 5, 2013)

US Senator Ed Markey (D-Massachusetts) has written to 20 automobile manufacturers, asking them how they plan to secure the wireless computer systems in their cars and how they plan to protect customers' privacy. Markey asks that the companies respond to 18 questions about security and privacy.
-http://www.tomsguide.com/us/markey-auto-security,news-17945.html
Text of Markey's letter:
-http://www.markey.senate.gov/documents/2013-12-2_GM.pdf
[Editor's Note (Pescatore): I'm not a big fan of "Senator to CEO" questionnaires, like this one or the one Senator Rockefeller sent to CEOs in 2012 asking about cybersecurity. They tend to lead to just more noise rather than actual progress. However, I was on an "Internet of Things" security panel with two FTC Commissioners a few weeks ago, and when asked where I thought the first real examples of Internet of Things security incidents would occur, I said in automobiles. The automobile industry sees a lot of increased revenue and cost reduction coming from in-vehicle connectivity - it would be really smart for them to be proactive about security. ]

JPMorgan Chase Breach Exposed Pre-Paid Cash Card Customer Data (December 5, 2013)

JPMorgan Chase has acknowledged that a security breach of its network compromised account information of 465,000 pre-paid cash card customers. The data were stored in plaintext. The attack occurred in July, but JPMorgan Chase did not learn of the incident until September. The vulnerability that the attackers exploited was addressed, and the incident was reported to the FBI and the Secret Service. The cards were issued on behalf of employers and the government to pay employees and issue benefits.
-http://www.zdnet.com/jpmorgan-chase-admits-network-hack-465000-card-users-data-stolen-7000023974/

-http://www.scmagazine.com/hackers-access-plain-text-info-on-nearly-500k-jpmorgan-chase-cardholders/article/324285/

-http://arstechnica.com/security/2013/12/hack-on-jpmorgan-website-exposes-data-for-465000-card-holders/


STORM CENTER TECH CORNER

VMware Security Patch
-http://blogs.vmware.com/security/2013/12/new-vmware-security-advisory-vmsa-2013-0014.html

Pony Botnet Controller found with 2 Million Leaked Passwords
-http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html

Android Lock Screen Bypass Vulnerability
-https://cureblog.de/2013/11/cve-2013-6271-remove-device-locks-from-android-phone/

Android Support vs. iOS
-http://www.fidlee.com/android-support-vs-ios-support/

pytacle decrypting GSM A5/1 encryption
-http://www.insinuator.net/2013/10/pytacle-alpha2/

Discovering Infected Systems While Monitoring Firewall Logs
-https://isc.sans.edu/forums/diary/Even+in+the+Quietest+Moments+/17141

RBS Outage Prevents Credit Card Authorizations on "Cyber Monday"
-http://www.theregister.co.uk/2013/12/03/rbs_it_outage/

"YourFreeProxy" VPN Software Includes BitCoin Miner
-http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/

Simple "Skyjack" Kit Released to Hijack WiFi Drones
-http://threatpost.com/how-to-skyjack-drones-in-an-hour-for-less-than-400/103086

Bitcointalk DNS Breach and MitM Attack
-http://www.networkworld.com/news/2013/120213-bitcointalkorg-warns-passwords-in-danger-276469.html

Fake Customer Support Call
-https://isc.sans.edu/forums/diary/Windows+Support+calls/17165
-https://isc.sans.edu/reportfakecall.html

Microsoft Patch Tuesday Advance Notification
-http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-service-for-december-2013-security-bulletin-release.aspx

FTC Reaches Settlement with Android Flashlight App Over Location Tracking
-http://www.theregister.co.uk/2013/12/06/ftc_torches_android_flashlight_app_for_spying_on_users/

Boxcryptor Integrates Client Side Encryption with Cloud Services Like Dropbox
-https://www.boxcryptor.com


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS IT operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/