SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #11

February 07, 2014

Ooops. The White House is about to step in cyber doo doo. Rather than allowing the impotent and irrelevant "Cyber Framework" to quietly fade away, Michael Daniel, the White House Cyber Coordinator, plans to highlight it as an illustration of Obama Administration leadership. The Framework is the kind of non-effective guidance that led to the Administration's cyber leadership failures documented by Senator Coburn earlier this week. The Coburn report is posted at http://www.hsgac.senate.gov/download/?id=8BC15BCD-4B90-4691-BDBA-C1F0584CA66A Coburn's accompanying comment: "Congress needs to hold the White House and its agencies accountable."

Just 5 more days to beat the early registration deadline for the largest cybersecurity training conference: SANS 2014 with 40 courses and a huge evening bonus program on hottest topics. It is coming soon in balmy Orlando. http://www.sans.org/event/sans-2014

Alan

---

TOP OF THE NEWS

Target and Neiman Marcus Executives Testify at Senate Committee Hearing
Payment Card Security Discussed at Senate Banking Committee Hearing
US Defense Contractors Take Steps to Prevent Data Leaks
FBI Issues Solicitation for Malware

THE REST OF THE WEEK'S NEWS

Microsoft's February Patch Tuesday Will Include Five Bulletins
Wireless Devices Attacked at Sochi
Critical Infrastructure Cybersec Bill Heads to House Floor
UK Financial Institutions Cyberattack Exercise
UK Government to Hold Cybersecurity Exercises for Critical Infrastructure Sectors
Oldboot Android Trojan
Facebook Redirect Attempt Unsuccessful Due to Registrar Locks
Target Systems Accessed with HVAC Contractor's Credentials
Adobe Patches Critical Flash Vulnerability
Microsoft Calls for Collaborative Effort to Eradicate Malware Families
Application Security Survey

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Bit9 ****************************
Are you unable to upgrade your XP systems to Windows 7 or 8? If so, are you still deciding how to keep your XP systems secure and compliant after XP end of life on April 8, 2014? Download this XP End-of-Life Handbook for the Upgrade Latecomer.
http://www.sans.org/info/151290
***************************************************************************
TRAINING UPDATE

- -- SANS Cyber Threat Intelligence Summit Arlington, VA Feb. 4-11, 2014 This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Target and Neiman Marcus Executives Testify at Senate Committee Hearing (February 4 & 5, 2014)

At a US Senate Judiciary Committee hearing, executives from Target and Neiman Marcus voiced differing opinions about the value of implementing chip-and-PIN technology in payment cards. A Target executive said that the company plans to implement the technology by early next year, while a Neiman Marcus executive voiced concerns about shifting to the new technology so quickly. Both executives provided lawmakers with additional details of the breaches. The executives also appeared before the House Energy and Commerce Committee's commerce subcommittee.
-http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472
-http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-cre
dit-card-data-hack-n22131
-http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-p
ush-chip-cards/article/332868/
-http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_de
fend_security_practices?taxonomyId=17
[Editor's Note (Honan): As a European I find it difficult to understand why the US does not implement Chip & Pin technology. It has already been working in Europe successfully for a number of years. It is important to note that while Chip & Pin technology reduces card present fraud, it does nothing to help reduce card not present fraud.
(Paller): The photos of Target CIO and CFO responding to Senate questioning
[halfway down the page at
-http://www.nydailynews.com/news/national/target-executive-apologies-retailer-act
ion-security-article-1.160173380]

could serve as a great motivator for executives who need a little push to focus more resources on security. ]

Payment Card Security Discussed at Senate Banking Committee Hearing (February 3, 2014)

Payment systems experts told the Senate Banking Committee's Subcommittee on National Security and International Trade and Finance that adopting chip and PIN technology would go a long way in helping to protect American consumers from payment card fraud resulting from data breaches, but cautioned that no "single technology is a silver-bullet solution."
-http://www.govinfosecurity.com/finger-pointing-at-breach-hearing-a-6468

US Defense Contractors Take Steps to Prevent Data Leaks (February 5, 2014)

According to a recent study of 100 US federal defense contractors, three-quarters have taken steps to improve data security within their organizations following the Snowden leaks. The majority of changes involved increasing employee training and being on "high alert" for anomalous behavior. Forty-four percent are restricting user access, and 34 percent are restricting administrator privileges.
-http://www.darkreading.com/attacks-breaches/nsa-document-leaks-prompt-security-c
hang/240165931
-http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adj
usted-security-after-snowden-leaks/78302/?oref=ng-HPtopstory

FBI Issues Solicitation for Malware (February 4 & 6, 2014)

The FBI is calling for cybersecurity experts to send them all the samples of malware they have to be used for research. The FBI will pay for the malware samples. The request comes from the FBI Investigative Analysis Unit of the Operational Technology Division, and notes that "the collection of malware from multiple industries, law enforcement, and research sources is critical to the success of the IAU's mission to obtain global awareness of the malware threat."
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-mal
ware/78218/?oref=ng-channelriver
-http://www.zdnet.com/uncle-sam-i-want-you-to-sell-me-malware-7000026058/
-http://www.nbcnews.com/tech/security/fbi-request-give-us-your-malware-your-worms
-n22266
-https://www.fbo.gov/index?s=opportunity&mode=form&id=5b4b8745e39bae3510f
0ed820a08c8e2&tab=core&_cview=0

---

************************** Sponsored Links: ******************************
1) Join Scott Simkin, Senior Cyber Analyst for Palo Alto Networks, for a webcast and demo where he will present our latest threat research, and lead a discussion on how to optimize the cyberattack kill-chain to prevent known and unknown threats. Register Now: http://www.sans.org/info/151305
2) Join us March 7 in NYC at a morning briefing to discuss Financial Services Cybersecurity Trends And Challenges. http://www.sans.org/info/151350 Don't live in the area? Event will be simulcast as well. Register at: http://www.sans.org/info/151355
3) The Critical Security Controls Draft Version 5.0 is available at http://www.sans.org/info/151295. All feedback can be communicated by sending emails to CriticalControls@CouncilOnCyberSecurity.org. The finalized 5.0 version will then be formally announced at the RSA Conference in late February 2014.
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft's February Patch Tuesday Will Include Five Bulletins (February 6, 2014)

On Tuesday, February 11, Microsoft plans to release five security bulletins to address security issues in all supported versions of Windows as well as in Microsoft Forefront Protection 2010 for Exchange Server.
-http://www.zdnet.com/microsoft-to-patch-windows-forefront-this-month-7000026061/
-http://www.networkworld.com/news/2014/020614-patch-tuesday-278528.html
-https://technet.microsoft.com/en-us/security/bulletin/ms14-feb
[Editor's Note (Ullrich): Also note that MD5 signed certificates will no longer be recognized as valid in Windows as of next Tuesday. ]

Wireless Devices Attacked at Sochi (February 6, 2014)

Proving correct predictions that wireless devices will be targeted by cyber criminals at the Sochi Olympics, NBC foreign correspondent Richard Engel found that two laptops and his smartphone were quickly compromised with malware that enabled attackers to use the devices to eavesdrop and access data on the devices. The laptops were probed within minutes of connecting to the Internet, and soon after, Engel received a phishing message. A researcher who accompanied Engel has acknowledged that the laptops were fresh out of the box with no updates and no security software, and that the phone was compromised after the user agreed to install an .apk from a Sochi website. Even so, visitors to Sochi are likely to face a barrage of attempted cyber attacks.
-http://www.nbcnews.com/storyline/sochi-olympics/richard-engel-sochi-open-hunting
-season-hackers-n22346
-http://www.scmagazine.com//sochi-hackers-compromise-reporters-laptops-smartphone
/article/333073/
-http://www.theregister.co.uk/2014/02/05/forget_skijumping_russian_hackers_settin
g_records_in_sochi_visitor_hacking/
[Editor's Note (Ullrich): This story is an example of very sensationalized reporting. It would be better if they would have spent the time giving some actionable advice to users. In general, the internet in Sochi (or Moscow where the story was actually recorded) is probably about as safe as in any hotel or coffee shop in he US.
(Honan): Actually the reporter was not in Sochi, but in Moscow. He also visited websites relating to the Olympics so the compromises could happen anywhere in the world where people connect to those sites. Overall a lot of sensationalism in this report which is already being debunked online, see
-http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html#.UvTCI_l_sR
o]

Critical Infrastructure Cybersec Bill Heads to House Floor (February 6, 2014)

The National Cybersecurity and Critical Infrastructure Protection Act unanimously passed the House Homeland Security Committee and now heads to the full House of Representatives. The bill would require the Department of Homeland Security to codify cybersecurity standards for government and critical infrastructure systems.
-http://www.govinfosecurity.com/cybersecurity-bill-heads-to-house-floor-a-6480
-http://thehill.com/blogs/hillicon-valley/technology/197539-house-panel-approves-
cybersecurity-bill
[Editor's Note (Murray): Read it. This is one more attempt to grant private enterprise immunity from liability to its customers for disclosing their PII to government agencies. All the rest is "window dressing" to disguise this. This provision has been included in every proposal for legislation in this space, draws the opposition of privacy advocates, and kills the bill. They keep hoping to sneak it through. ]

UK Financial Institutions Cyberattack Exercise (February 5 & 6, 2014)

The Bank of England has released the results of a November 2013 cyberattack simulation exercise for UK financial institutions. While the exercise, known as Waking Shark II, "successfully demonstrated cross sector communications and coordination," it also notes that the UK's financial sector is vulnerable to attacks. One recommendation that arose from analysis of the exercise is that there needs to be a single entity responsible for managing communications between institutions within the financial sector. Organizations also need to report attacks to regulators and law enforcement.
-http://www.zdnet.com/wargames-test-uk-banks-resolve-against-massive-cyber-attack
-7000025997/
-http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/
-http://www.v3.co.uk/v3-uk/news/2327303/bank-of-england-warns-uk-financial-sector
-unprepared-for-cyber-attacks
Bank of England Report on UK Financial Sector Cyberattack Exercise:
-http://www.bankofengland.co.uk/financialstability/fsc/Documents/wakingshark2repo
rt.pdf
[Editor's Note (Honan): The only times a cyber-attack exercise fails is when we do not apply the lessons learnt from them. I recommend that we all review the report from this exercise to see what lessons can be applied to our own environments. ]

UK Government to Hold Cybersecurity Exercises for Critical Infrastructure Sectors (February 5, 2014)

The UK government plans to hold cyberattack exercises much like Waking Shark for public sector elements of critical infrastructure. The exercises are part of government reforms aimed at protecting the country from cyberattacks.
-http://www.v3.co.uk/v3-uk/news/2327115/government-plans-cyber-attack-tests-for-u
k-critical-industries
[Editor's Note (Honan): When asked "How do you get to Carnegie Hall?" the violinist Mischa Elman is supposed to have said "Practice". Likewise the only way ensure your incident response plans work is to practice. The European Network and Information Security Agency (ENISA) has an excellent repository of exercise material for CERTs available for free at
-http://www.enisa.europa.eu/activities/cert/support/exercise]

Oldboot Android Trojan (February 5, 2014)

An Android Trojan known as Oldboot has infected 350,000 devices. The malware is difficult to delete because some of its components are loaded into the Android file system's boot partition. Oldboot may be spreading through firmware that has been seeded with the malware. The majority of infected devices are in China.
-http://www.theregister.co.uk/2014/02/05/china_targeted_by_new_android_trojan/
[Editor's Note (Murray): Unfortunately, this is not an "Android" problem; the problem is that there is no "Android." Rather there are dozens of androids from so many sources that it is nigh impossible for a user to know what he has or what its vulnerabilities may be.
(Northcutt): And we thought boot sector malware was yesterday's news. Honestly, I think the best hope for mobile devices is OS on the chip. ]

Facebook Redirect Attempt Unsuccessful Due to Registrar Locks (February 5 & 6, 2014)

The Syrian Electronic Army launched an unsuccessful attempt to hijack Facebook's domain. The attack was not on Facebook itself but on the company responsible for maintaining Facebook's domain registration. While the attackers managed to change Facebook's domain registration information, the attack was ultimately unsuccessful because Facebook had established registrar locks that require manual checking with live human beings before making any changes.
-http://www.v3.co.uk/v3-uk/news/2327344/syrian-electronic-army-hackers-target-fac
ebook
-http://www.computerworld.com/s/article/9246083/Hackers_try_to_hijack_Facebook_ot
her_high_profile_domains_through_registrar?taxonomyId=17
-http://recode.net/2014/02/05/syrian-hackers-mess-with-facebooks-domain-nothing-h
appens/
Example:
-https://twitter.com/Official_SEA16/status/431208035050991616
[Editor's Note (Honan): Great to see security controls work as planned. If you have not enabled registrar locks on your domains, you should do so ASAP. ]

Target Systems Accessed with HVAC Contractor's Credentials (February 5 & 6, 2014)

More details are emerging about the way attackers infiltrated Target's systems to steal payment card data. It now appears that the attackers gained a foothold in Target's systems by using the access credentials of a refrigeration and HVAC company that had worked at several Target locations. The president of Fazio Mechanical Services acknowledged that the US Secret Service had visited company offices in Pennsylvania, and noted that his company's "connection with Target was exclusively for electronic billing, contract submission, and project management," suggesting that there may have been a network segmentation error.
-http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
-http://news.cnet.com/8301-1009_3-57618439-83/heating-vents-may-have-given-target
-hackers-their-opening/
-http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.htm
l
-http://www.scmagazine.com//target-vendor-fazio-mechanical-confirms-being-victim-
of-attack/article/333051/
-http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of
_a_basic_network_segmentation_error?taxonomyId=17
The HVAC company's statement on the issue is on their website at
-http://faziomechanical.com/Target-Breach-Statement.pdf
[Editor's Note (Murray): I agree that this report illustrates the importance of network layering and segmentation. However, it also demonstrates that, any vulnerability exposes the entire payment system. Taken across all merchants and networks, breaches of the payment system are inevitable. What is not inevitable is that those breaches must result in the fraudulent reuse of credit card numbers. It is both obvious and urgent that the brands and banks must implement measures, e.g., EMV, out-of-band one-time-passwords, to resist replay. We cannot rely upon a system that requires all merchants to get it right all the time.
(Honan): This story reinforces the importance of restricting access to key network resources for those connecting to your network from remote locations, be they partners, suppliers, or staff working remotely. ]

Adobe Patches Critical Flash Vulnerability (February 4 & 5, 2014)

Adobe has released an out-of-cycle patch for a critical remote code execution vulnerability in Flash Player. The flaw affects versions of Flash for Windows, Mac, and Linux systems and could be exploited to take control of vulnerable systems. Windows and Mac users are urged to upgrade to Flash version 12.0.0.44 and Linux users to Flash version 11.2.202.336. For Windows and Mac users unable to upgrade to version 12, Adobe has also released Flash version 11.7.700.261. Flash in Google Chrome and Internet Explorer 10 and 11 will be automatically updated. The flaw is being actively exploited to steal online services login credentials.
-http://www.scmagazine.com//adobe-releases-patch-for-flash-zero-day/article/33287
3/
-http://www.zdnet.com/adobe-issues-critical-flash-player-update-7000025953/
-http://news.cnet.com/8301-1009_3-57618367-83/adobe-issues-emergency-flash-update
-for-windows-and-mac/
-http://krebsonsecurity.com/2014/02/adobe-pushes-fix-for-flash-zero-day-attack/
-http://www.computerworld.com/s/article/9246026/Adobe_releases_critical_emergency
_update_for_Flash_Player
-http://www.computerworld.com/s/article/9246065/Flash_exploit_distributes_credent
ial_stealing_malware?taxonomyId=17
-http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
-http://blogs.adobe.com/psirt/?p=1047

Microsoft Calls for Collaborative Effort to Eradicate Malware Families (February 3, 2014)

Microsoft's Partner Program Manager for Microsoft Malware Protection Center Dennis Batchelder is calling for security companies, ISPs, law enforcement agencies, CERTs, and other organizations to work together to wipe out entire families of malware. Currently, organizations leverage their strengths to disrupt malware, but "the goal of coordinated malware eradication is to bring industry partners who have specific strengths" to work together to more thoroughly rid the Internet of malware families.
-http://www.darkreading.com/vulnerability/microsoft-calls-for-industry-collaborat
i/240165888?cid=NL_DR_Daily_240165888&elq=c650908616f44834b03a03da5191a291

Application Security Survey (February 3, 2014)

The SANS 2014 Application Security Programs and Practices survey found that there is a shortage of skills in application security, which hinders implementation of effective Appsec programs. The percentage of organizations that have established Appsec programs increased from 66 percent last year to 83 percent this year.
-http://www.darkreading.com/applications/sans-institute-application-security-surv
/240165885

---

STORM CENTER TECH CORNER

SplashID Server Failure Leeds to Data Loss
-http://www.heise.de/security/meldung/Daten-Safe-SplashID-schreddert-Passwort-Con
tainer-2107289.html
(German only)

Security Risks Overstated by News Program
-https://isc.sans.edu/forums/diary/To+Merrillville+or+Sochi+How+Dangerous+is+it+t
o+travel+/17579
-http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf

Monthly Ouch Newsletter: Malware
-http://www.securingthehuman.org/ouch

Comcast Mail Servers Breached
-http://www.databreaches.net/nullcrew-claims-hack-of-comcast-mail-servers

ASUS Routers Enumerated Internet Wide
-http://nullfluid.com/asusgate.txt

Odd "ping" Packet (NVidia related?)
-https://isc.sans.edu/forums/diary/Odd+ICMP+Echo+Request+Payload/17570

PNG IFrame Injection
-http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata
.html

Firefox Update
-http://www.mozilla.org/en-US/mobile/27.0/releasenotes/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/