SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #10

February 04, 2014

In this morning's Washington Post:
Documented failure of U.S. Federal agency cybersecurity programs Two basic causes: lack of both accountability and consequences, and federal workers without the requisite technical skills to protect the systems.
http://www.washingtonpost.com/business/technology/senate-cybersecurity-report-fi
nds-agencies-often-fail-to-take-basic-preventive-measures/2014/02/03/493390c2-8a
b6-11e3-833c-33098f9e5267_story.html

Just 8 more days for early registration discounts for the largest cybersecurity training conference: SANS 2014 with 40 courses and a huge evening bonus program on hottest topics. It is coming soon in balmy Orlando.
http://www.sans.org/event/sans-2014

Alan

---

TOP OF THE NEWS

US Legislators Introduce Data Privacy and Breach Notification Bill
PCI Security Standards Council Says Standards Do Not Need to be Amended
LabMD Shuts its Doors Amid FTC's Data Breach Investigation
Coding Error Redirects British National Health Service Site Visitors to Malicious Pages

THE REST OF THE WEEK'S NEWS

Tech Companies Publish Foreign Intelligence Surveillance Court Data Requests
New Delivery Method for ZeuS
US Legislators Introduce Bill to Reinstate Net Neutrality Rules
Orange User Data Compromised
Hotel Management Company Investigating Data Breach
Google Makes Resetting Hijacked Browser Settings Easier
California High School Students Expelled for Using Keystroke Logger
Android App Notifies Users When Other Apps Request Location Data

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec *************************
Gartner 2014 Magic Quadrant for Endpoint Protection Platforms - Complementary Copy Symantec Endpoint Protection 12.1 was, once again, positioned as a Leader in Gartner's Magic Quadrant and rated highest in the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. http://www.sans.org/info/150825
***************************************************************************
TRAINING UPDATE

- -- SANS Cyber Threat Intelligence Summit Arlington, VA Feb. 4-11, 2014 This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

US Legislators Introduce Data Privacy and Breach Notification Bill (February 3, 2014)

Members of the US Senate Commerce, Science, and Transportation Committee have introduced a bill that would establish a federal standard for consumer data protection and data breach notification. The legislation calls for the Federal Trade Commission (FTC) to issue security standards for companies that retain consumers' personal and financial data. In the event of a breach, the bill would require companies to notify affected customers within 30 days in most cases.
-http://www.govinfosecurity.com/yet-another-data-breach-bill-introduced-a-6466
[Editor's Note (Pescatore): There is a lot of wording in this proposal beyond national requirements for breach reporting. Having the FTC define national privacy-related breach reporting standards would be a good thing but adding more security "standards" and more layers of reporting requirements, and "encouraging" the use of specific technologies will divert resources away from security to just more compliance reporting.
(Henry): There have been almost identical bills circulating on Capitol Hill for more than five years. I and many others have spoken to Congressional members and their staffs for years about this issue, yet there's not been a substantive bill passed on cybersecurity for more than ten years. It appears reporting surrounding recent retail breaches has gotten their attention. One specific issue contained herein, standards in breach reporting, would be very helpful to those global companies that now have to navigate scores of state laws. It's a complex issue, but designing and implementing a better, common way to share threat intelligence will go a long way in enabling better defenses and identifying adversaries, helping to mitigate the consequences of data breach. Let's hope there's something valuable that comes from this. ]

PCI Security Standards Council Says Standards Do Not Need to be Amended (February 3, 2014)

The general manager of the Payment Card Industry (PCI) Security Standards Council says that despite recent news of data breaches of retailers, the organization's standards are solid and do not need to be changed. Bob Russo said, "Incidents like these ... highlight the need for businesses to build security into their day-to-day practices."
-http://www.computerworld.com/s/article/9245984/Despite_Target_data_breach_PCI_se
curity_standard_remains_solid_chief_says?taxonomyId=17
-http://www.govinfosecurity.com/interviews/pci-council-responds-to-critics-i-2175
[Editor's Note (Pescatore): I agree with Bob Russo, general manager of the PCI SSC: "As the most recent industry forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics - poor implementation, poor maintenance of controls." Those breakdown in basics should be caught by the PCI assessment process - that is what needs to be fixed, not some magical new requirements. Which is pretty much the reason why the Critical Security Controls effort has resonated.
(Murray): The PCI Council is certainly correct, at least to the extent that tougher rules or sanctions on merchants will not fix this broken system. It cannot significantly reduce the fraudulent reuse of credit card numbers to an acceptable level. While I am all in favor of responsible merchant behavior, PCI DSS was never intended to be more than a Band-Aid on what has now become a sucking chest wound. We now need a merchants' council to demand fundamental fixes from the brands and issuers before this house of "cards" comes tumbling down about our ears. ]

LabMD Shuts its Doors Amid FTC's Data Breach Investigation (January 31, 2014)

The CEO of LabMD, an Atlanta-based medical laboratory, said the company has ceased operations due to the US Federal Trace Commission's (FTC's) aggressive pursuit of its investigation of LabMD for alleged data security issues stemming from a breach. Michael Daugherty says that the FTC has overreached its authority in the course of the investigation. The case started in 2010 when a peer-to-peer (P2P) network monitoring service found a 1,700-page LabMD billing document on one of the networks it was monitoring. The data affected 9,000 patients and included Social Security numbers (SSNs) and treatment codes. LabMD has challenged the FTC's authority in court, claiming that the Commission cannot use a section of the FTC act that prohibits unfair and deceptive practices to impose penalties on companies for data breaches.
-http://www.computerworld.com/s/article/9245911/Medical_lab_says_FTC_breach_probe
_forced_it_to_close?taxonomyId=17
[Editor's Note (Pescatore): This is like a vermin-infested restaurant closing its doors because the health department fined it for unsanitary conditions. Other than notifying affected patients and actually fixing the deficiencies that lead to them exposing patient information, LabMD would have had to undergo 10 external audits over the next 20 years - annoying, but hardly financially onerous.
(Murray): This strikes close to home because we have praised the activity of the FTC on security. ]

Coding Error Redirects British National Health Service Site Visitors to Malicious Pages (February 3, 2014)

Numerous National Health Service-related URLs were found to contain coding errors that redirected visitors to sites that contain advertising or malware. In a statement, NHS said that the issue was not caused by an attack and that it had been addressed. The issue was caused by a typo in NHS website source code; it became a serious problem when someone detected the typo and registered the incorrectly spelled address to take advantage of the situation. NHS has taken steps to fix the problem.
-http://www.bbc.co.uk/news/technology-26016802
-http://www.v3.co.uk/v3-uk/news/2326540/coding-error-on-hundreds-of-nhs-sites-red
irects-users-to-dodgy-pages
[Editor's Note (Ullrich): Interesting breach and a new take on "typo squatting". One reason to prevent errors like this is monitoring of error logs. But relying on external references is always tricky and should be avoided if possible. ]

---

************************** Sponsored Links: ******************************
1) Are you an IT professional working in the financial services community? Complete the SANS Financial Services Survey and enter to win a new iPad: http://www.sans.org/info/150830

2) Special discount for Government Employees (e.g., federal, state, local, DoD) to attend The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA. Use "CTISummit" for a $1000 discount on the summit alone or "CTICourse" for free summit attendance in conjunction with a full-priced course. http://www.sans.org/info/149440

3) Advanced threats require modern security. Find out the 10 must-haves for your next security solution. Download your buyer's guide now! http://www.sans.org/info/150340
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Tech Companies Publish Foreign Intelligence Surveillance Court Data Requests (February 3, 2014)

Google, Facebook, Microsoft, and other tech companies have taken advantage of new rules allowing them to disclose, within broad ranges, the number of requests for user data they have received through US Foreign Intelligence Surveillance Court orders. The companies have published the number of user accounts affected by the requests, because some requests are for multiple user accounts.
-http://arstechnica.com/tech-policy/2014/02/google-yahoo-microsoft-reveal-how-man
y-accounts-are-snooped-by-govt/
-http://news.cnet.com/8301-1009_3-57618266-83/tech-firms-reveal-even-more-about-f
isa-requests/

New Delivery Method for ZeuS (February 3 & 4, 2014)

A new ZeuS variant, known as Gameover, uses encryption to make its way onto computers. Spam messages contain a .zip file that downloads encrypted versions of ZeuS from the Internet. Older versions of ZeuS have .exe extensions, which are detected by up-to-date security programs, but the encrypted files has an .enc extension, which does not currently set off any alarms. The .zip file decrypts the .enc file once it has been downloaded to the infected machine.
-http://www.theregister.co.uk/2014/02/04/gameover_zeus_adds_nasty_trick/
-http://www.computerworld.com/s/article/9245970/Hackers_use_.enc_trick_to_deliver
_Zeus_banking_malware?taxonomyId=17
[Editor's Note (Henry): IT Security can't continue to focus on blocking adversaries based solely on signatures; there are just too many, adversaries continue to use surreptitious delivery methods, and it is an untenable situation. Rather, we need to focus on the specific actions of the adversaries to identify malicious activity. We already do this in law enforcement in the physical world. We don't look for a person merely because they fit a certain profile. Instead, we look for people who are committing bad acts. For example, if someone walks into a flight school and says "I want to learn how to fly planes, but I don't need to learn how to land them," that's suspicious behavior. I don't care about their "signature"....their race, sex, nationality, or the clothes they're wearing...only that they're taking actions that indicate they want to cause harm. Apply those same concepts to cybersecurity...focus on the effects the code is trying to achieve rather than merely what it looks like...and we're headed in the right direction. ]

US Legislators Introduce Bill to Reinstate Net Neutrality Rules (February 3, 2014)

Just weeks after a federal appeals court struck down portions of the US Federal Communication Commission's (FCC's) net neutrality rules, two members of the House of Representatives have introduced legislation to reinstate those rules. The court noted that its decision resulted from the Commission's failure to implement the rules properly, which would have required reclassifying Internet service providers (ISPs) as common carriers. The Open Internet Preservation Act would reinstate the rules until the FCC "adopts replacement rules." A companion bill is expected to be introduced in the Senate.
-http://arstechnica.com/tech-policy/2014/02/democrats-try-to-reinstate-net-neutra
lity-laws-struck-down-by-court/
-http://www.nextgov.com/emerging-tech/2014/02/long-shot-net-neutrality-bill-intro
duced/78101/?oref=ng-channelriver

Orange User Data Compromised (February 3, 2014)

Attackers accessed the "My Account" portal of Orange.fr, exposing personal data of roughly 800,000 people who use the French version of the mobile operator. The attack affected approximately three percent of Orange users in France. While passwords appear not to have been accessed, sufficient information was available to allow the attackers to use it to conduct phishing attacks. The breach occurred in mid-January.
-http://www.zdnet.com/hackers-access-800000-orange-customers-data-7000025880/
-http://www.scmagazineuk.com/orange-france-confirms-hackers-stole-800000-customer
-records/article/332217/

Hotel Management Company Investigating Data Breach (January 31 & February 3, 2014)

A company that manages several well-known hotel chains, including Hilton, Marriott, Sheraton, and Westin has acknowledged that there is an active investigation into a possible data breach. White Lodging Services manages 168 hotels in 21 states. The breach appears to have affected payment cards used at hotel restaurants, gift shops, and other businesses within the hotels, but not those used at the check-in desk. Information shared within the banking community indicated a pattern of fraud on payment cards that had been used at the hotels between late March and December 2013.
-http://krebsonsecurity.com/2014/01/hotel-franchise-firm-white-lodging-investigat
es-breach/
-http://www.bbc.co.uk/news/technology-26015428
-http://www.darkreading.com/attacks-breaches/hotel-company-investigates-data-brea
ch-c/240165902
-http://www.nextgov.com/cybersecurity/2014/02/hotels-appear-be-latest-victims-cre
dit-card-data-breach/78026/?oref=ng-HPriver
[Editor's Note (Murray): The Verizon Data Breach Incident Report (DBIR) suggests that the hospitality industry is a target, because there are credit card numbers there, and vulnerable, in part because of their heavy reliance on third parties to provide and operate their payment systems. ]

Google Makes Resetting Hijacked Browser Settings Easier (January 31 & February 3, 2014)

Google is now making it easier for users to reset settings in the Chrome browser. The top complaint among Chrome users is having their browser settings hijacked. In October 2013, Google introduced a "reset browser settings" option on Chrome's settings page. Now Chrome will use pop-up messages to ask users if they would like to reset their browser settings if the Chrome detects that they may have been changed without the user's permission. Selecting the option will disable all extensions, themes, and apps, but users may reactivate them manually.
-http://arstechnica.com/security/2014/02/new-google-chrome-feature-warns-users-wh
en-browser-has-been-hijacked/
-http://news.cnet.com/8301-1009_3-57618189-83/chrome-fights-back-against-settings
-hijackers/
-http://chrome.blogspot.de/2014/01/clean-up-your-hijacked-settings.html
[Editor's Note (Murray): One supposes that it would be futile to ask why Chrome does not require user permission to change the settings in the first place. We always need new features in browsers to compensate for the security problems associated with features in browsers. ]

California High School Students Expelled for Using Keystroke Logger (January 30 & 31, 2014)

Eleven Corona del Mar High School students have been expelled for placing keystroke loggers on teachers' computers and using the credentials obtained from the loggers to change grades and access exams. No charges have been filed at this point, although police have obtained search warrants, which suggests they may pursue felony counts against the students. A private tutor has also been implicated in the case.
-http://touch.latimes.com/#section/-1/article/p2p-79094718/
-http://www.scmagazine.com//calif-high-schoolers-expelled-after-using-keylogger-d
octoring-grades/article/332113/
-http://news.cnet.com/8301-1009_3-57618144-83/teens-expelled-in-keylogging-of-sch
ool-computers/s

Android App Notifies Users When Other Apps Request Location Data (January 30, 2014)

Researchers at Rutgers University have created an Android app that lets users know when other apps are tracking their location. Android devices display a flashing GPS icon when apps are requesting location data, but some users may not notice the alert and others may not understand what it is trying to tell them. The app, which is currently being called the RutgersPrivacyApp, will make it clearer to users when apps are requesting their location information. It is not yet available for the Play Store.
-http://www.computerworld.com/s/article/9245910/Researchers_create_Android_app_th
at_shows_when_other_apps_track_you?taxonomyId=17
[Editor's note (Northcutt): This is fairly clever and may stimulate some new ideas. Personally, I would like to see the GPS on a removable card. Software can always be defeated, but if the phone is in my right pocket and the chip in the left, I'm starting to get that airgap feeling. ]

---

STORM CENTER TECH CORNER

Syrian Electronic Army Hijacked UK Website for Paypal and eBay
-http://grahamcluley.com/2014/02/syrian-electronic-army-paypal/

UK Healthcare Website Distributes Malware
-http://www.reddit.com/r/unitedkingdom/comments/1wv91h/nhsuk_compromised_many_pag
es_are_serving_malware/

Encrypted Zeus Variant Evading Defenses
-http://garwarner.blogspot.com.au/2014/02/gameover-zeus-now-uses-encryption-to.ht
ml

Odd Traffic from Anti-DDoS Services
-https://isc.sans.edu/forums/diary/Looking+for+packets+from+three+particular+subn
ets/17552

USB Modem CSRF Attack to Send SMS Messages
-https://3vildata.com/?p=837

Beating WRT120N Firmware Obfuscation
-http://www.devttys0.com/2014/02/reversing-the-wrt120n-firmware-obfuscation/

Sysinternals Process Explorer Now with Virustotal Integration
-http://technet.microsoft.com/en-us/sysinternals/bb896653

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/