SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #13
February 14, 2014
If you are wondering what was wrong with the new Framework announced by the U.S. President, look at Mike Assante's comment after the second story in "Top of the News."
Alan
TOP OF THE NEWS
Microsoft Expands Multi-Factor Authentication to All Office 365 Subscribers
Cybersecurity Framework Released
Target Attackers Phished for HVAC Company Network Access Credentials
THE REST OF THE WEEK'S NEWS
CloudFlare Mitigated Huge DDoS Attack on French Site
Time to Update Linksys Router Firmware
Attack Infecting IE10 Users Through Drive-by Download
Study: Attack Detection is Time Consuming
Nevada Gaming Control Board Says Casino Attack Did Not Compromise Customer Data
Bitcoin Exchanges Under "Transaction Malleability" Attack
Sophisticated Careto Malware Targets Government, Energy Companies, Financial Firms
Microsoft and Adobe Release Security Updates
STORM CENTER TECH CORNER
*********************** Sponsored By Bit9 ****************************
Can you keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support?
http://www.sans.org/info/151765
***************************************************************************
TRAINING UPDATE
--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
-- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014
-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014
--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
--Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Microsoft Expands Multi-Factor Authentication to All Office 365 Subscribers (February 10 & 11, 2014)
All subscribers to Microsoft's Office 365 suite now have multifactor authentication. Microsoft expanded the feature, previously available only to subscribers with administrative roles, to strengthen "the security of user logins for cloud services." There is no additional cost for the authentication feature.
-http://www.zdnet.com/microsoft-expands-multi-factor-authentication-for-office-365-7000026203/
-http://www.govtech.com/products/Use-Microsoft-Office-365-for-Business-Well-Get-Your-Free-Key-Fob.html
-http://news.cnet.com/8301-1009_3-57618687-83/multifactor-authentication-extended-to-all-office-365-users/
-http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/
[Editor's Note (Pescatore): This could be huge if Microsoft, Google, Twitter, Facebook, etc. all really actively nudge consumer users to start using the text messaging second factor. Many of those consumers are also employees who hated hardware tokens for authentication at work, but have been feeling the personal pain of compromised passwords at home. Text messaging as a second factor is by no means bullet-proof, but using that approach in place of reusable passwords is the equivalent of at least taking the keys out of the ignition to reduce car theft. (Murray): C'mon, guys, stop whining! It's just not that bad. It's only a one-time password passed out-of-band, voice or text, land-line or cell-phone. It's OPT-IN; if you do not like it, you do not have to use it. (Of course, if you are compromised because you were not using it, well then....) I wish that Amazon and American Express used it, but at least they give me real-time confirmations of significant activity. ]
Cybersecurity Framework Released (February 12 & 13, 2014)
The White House has released the first version of the Cybersecurity Framework, a collaborative effort between the National Institute of Standards and Technology (NIST) and companies in the private sector. The guidelines in the framework are voluntary measures that organizations supporting elements of the country's critical infrastructure can use to develop their information security programs. However, because the program offers no financial incentives to help companies reduce the costs of implementing the guidelines, companies may opt not to participate. While the guidelines are voluntary for private industry, it is likely that they will be required for government contractors.
-http://www.theregister.co.uk/2014/02/13/obama_cybersecurity_framework/
-http://www.govinfosecurity.com/nist-releases-cybersecurity-framework-a-6497
-http://www.informationweek.com/government/cybersecurity/feds-launch-cyber-security-guidelines-for-us-infrastructure-providers/d/d-id/1113816
-http://www.computerworld.com/s/article/9246266/White_House_pushes_cybersecurity_framework_for_critical_infrastructure?taxonomyId=17
-http://www.nextgov.com/cybersecurity/2014/02/what-obamas-new-cyber-standards-mean-federal-contractors/78713/?oref=ng-HPtopstory
-http://www.bloomberg.com/news/2014-02-11/obama-cybersecurity-plan-seen-lacking-perks-for-business.html
Cybersecurity Framework:
-https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[Editor's Note (Assante): {Note to readers: Mike Assante was CSO of both American Electric Power and NERC and oversaw the Idaho National Labs work on vulnerabilities in power systems; his comments on the Framework, summarized here, are authoritative and have begun changing the thinking at senior levels in Congress and the White House.} I applauded the President's action and prioritization of the series of problems we identify with cyber threats, and I appreciate that NIST called out the need to address operational technology (specifically automation and ICS) alongside traditional information technology. At this stage we should have taken the opportunity to explain the real "what" (nature of cyber threats) and the practical "how" to enhance our collective cybersecurity posture. I believe "how" in this context is composed of two major dimensions - what actually works (for the threats that the Executive Order is addressing - those that are directed and structured) and what can be implemented in a prioritized fashion with reasonable effort (achievable competencies and capabilities). There are good elements and concepts in the framework, but we are missing an opportunity to explain, prioritize, and define. ]
Target Attackers Phished for HVAC Company Network Access Credentials (February 12 & 13, 2014)
The Target data breach appears to have gained a toehold through a phishing attack that tricked an employee of an HVAC company that works for Target into opening an email that contained malware. The attackers breached Target's system with network access credentials that were issued to Fazio Mechanical. Fazio's cyber defenses were unsophisticated.
-http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
-http://arstechnica.com/security/2014/02/epic-target-hack-reportedly-began-with-malware-based-phishing-e-mail/
-http://www.nextgov.com/cybersecurity/2014/02/heres-how-hackers-stole-110-million-americans-data-target/78740/?oref=ng-channeltopstory
-http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
[Editor's Note (Murray): Strong authentication! All the best people are doing it. Even Microsoft is doing it. Not fool-proof but it really does raise the cost of attack. ]
************************** Sponsored Links: ******************************
1) Live from New York! SANS presents: The SANS Financial Cybersecurity Trends and Challenges briefing. Join John Pescatore, Tony Sager and Alan Paller for this important event for the Financial Community. Set in the heart of the NY Financial District, this FREE breakfast briefing provides critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. Join us! http://www.sans.org/info/151470
2) Prevent APTs and Malware in Real Time! Join SANS for a webcast to look at keeping these threats at bay and the Damballa FailSafe solution. Get a look at automating defenses and getting detailed incident info for actionable response in this in-depth SANS product review. http://www.sans.org/info/151770
3) NEW Analyst Paper in the SANS Reading Room: Application Security Survey - Programs on the Rise, Skills Lacking: A SANS Survey http://www.sans.org/info/151775 And in Case You Missed it, please join the associated Webcast to learn results, featuring SANS Instructor Frank Kim. http://www.sans.org/info/151780
*****************************************************************************
THE REST OF THE WEEK'S NEWS
CloudFlare Mitigated Huge DDoS Attack on French Site (February 11 & 13, 2014)
French content delivery and security provider CloudFlare has reported that it helped stem a distributed denial-of-service (DDoS) attack against a French website, the magnitude of which was greater than any other DDoS attack ever reported - nearly 400 Gigabits per second. The attack took advantage of vulnerable Network Time Protocol (NTP) servers to magnify the intensity of the attack.
-http://www.scmagazine.com/cloudflare-fights-off-massive-ntp-reflection-ddos-attack/article/333585/
-http://www.zdnet.com/worst-ddos-attack-of-all-time-hits-french-site-7000026330/
-http://www.computerworld.com/s/article/9246230/Attackers_use_NTP_reflection_in_huge_DDoS_attack?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57618762-83/record-breaking-ddos-attack-in-europe-hits-400gbps/
[Editor's Note (Pescatore): When I hear "largest DDoS attack ever" it makes me think of "World's Hottest Coffee." After a certain point, the scale is really only an issue to all the ISPs who allowed that traffic to be carried over their networks and consume their bandwidth. ]
Time to Update Linksys Router Firmware (February 13, 2014)
People who own Linksys routers are being urged to update the firmware for their devices due to reports of active attacks that exploit a vulnerability that is present on at least two router models. Reports say that some networks have been compromised via the vulnerable routers.
-https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
-https://isc.sans.edu/forums/diary/Suspected+Mass+Exploit+Against+Linksys+E1000+E1200+Routers/17621
-http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/
-http://www.theregister.co.uk/2014/02/13/have_a_linksys_router_nows_a_good_time_to_update_that_firmware/
[Editor's Note (Pescatore): Linksys fails the /security sniff test - going to www.linksys.com/security gets you error 404. For home users that are familiar with the web management interface on their routers, not that hard to update (for the routers that are still supported, anyway). But not easy to get info on security issues for these products, by any means. ]
Attack Infecting IE10 Users Through Drive-by Download (February 13, 2014)
Microsoft has confirmed reports that an unpatched vulnerability in Internet Explorer 10 (IE10) is being exploited in active drive-by download attacks. The attack exploits a "use after free" vulnerability to circumvent ASLR (address space layout randomization). The attack also appears to affect IE9.
-http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
-http://www.computerworld.com/s/article/9246328/IE10_under_attack_as_hackers_exploit_zero_day_bug?taxonomyId=17
-http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html
Study: Attack Detection is Time Consuming (February 13, 2014)
A Ponemon Institute study found that most companies believe that detecting cyberattacks takes too long. Eighty-five percent of the more than 1,000 CISOs and security technicians who responded also said that they did not have a way to prioritize security incidents. More than 60 percent said that they received too many alerts from a variety of security products, many of which do not work well with other products.
-http://www.scmagazine.com/study-finds-attack-detection-takes-too-long/article/333988/
[Editor's Note (Honan): This is an issue I see time and time again when dealing with incidents with clients. Many only put in security devices to satisfy an audit or compliance requirement. Therefore no thought or planning goes into what exactly is required and how to configure these tools to be most effective. CSOs need to realise that no matter how good their defences are, there will be a breach at some stage. To effectively deal with that requires planning, preparation and ongoing testing of the effectiveness of those plans. ]
Nevada Gaming Control Board Says Casino Attack Did Not Compromise Customer Data (February 13, 2014)
The Las Vegas Sands casino was the target of a cyberattack that took down its websites. The chairman of the Nevada Gaming Control Board said that the Sands' customer credit card database is secure and that the integrity of the casino's gambling systems was not breached. The Sands said in an email that it has "been able to confirm that certain core operating systems were not impacted." As of Monday, the sites were not fully operational. The attackers displayed what appeared to be a scrolling list of Sands employee names, email addresses, Social Security numbers (SSNs) and other personal data.
-http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/
-http://abcnews.go.com/US/wireStory/regulator-sands-hackers-steal-credit-cards-22502539
-http://www.bloomberg.com/news/2014-02-13/las-vegas-sands-cites-progress-on-websites-after-attack-1-.html
Bitcoin Exchanges Under "Transaction Malleability" Attack (February 11, 12 & 13, 2014)
A form of distributed denial-of-service (DDoS) attack on Bitcoin exchanges underscores some of the risks associated with using the virtual currency. Several of the exchanges have frozen withdrawals while the problems are being addressed. Because of the attacks and the shutdowns, Bitcoin is not as liquid as it has been advertised to be, and the value of Bitcoins has dropped. The attacks exploit a weakness known as "transaction malleability." The affected exchanges include Bitstamp, Mt. Gox, and BTC-e. The exchanges are assuring customers that their Bitcoins are safe.
-http://in.reuters.com/article/2014/02/12/usa-bitcoin-security-idINDEEA1B0J820140212
-http://www.bbc.co.uk/news/technology-26155157
-http://www.zdnet.com/bitcoin-under-mutated-transaction-dos-attacks-but-funds-safe-7000026237/
-http://arstechnica.com/security/2014/02/bitcoin-exchanges-buckle-under-strain-of-phantom-transactions/
-http://www.theregister.co.uk/2014/02/11/mtgox_fallout_bogs_down_bitcoin_traders_as_malleability_issue_goes_mainstream/
-http://www.theregister.co.uk/2014/02/11/mtgox_takes_heat_as_bitcoin_transactions_remain_on_hold/
The new Silk Road says that it has been the target of a "transaction malleability" attack that managed to steal US $2.6 million worth of Bitcoins.
-http://arstechnica.com/security/2014/02/new-silk-road-hit-with-2-6-million-heist-due-to-known-bitcoin-flaw/
[Editor's Note (Honan): This comes as no major surprise. Wherever there is money or valuable goods the criminals will follow. Even Dilbert managed to foresee this happening: http://www.dilbert.com/blog/entry/who_didnt_see_this_coming/ ]
Sophisticated Careto Malware Targets Government, Energy Companies, Financial Firms (February 10 & 11, 2014)
Sophisticated malware called Careto, also known as The Mask, has been used in international espionage operations since at least 2007, according to Kaspersky Lab. Careto is a suite of tools that can be used to compromise machines and steal information. Initial infection occurs when users receive a spear phishing email. If the recipients click on the provided link, they are sent to a website that scans their computers for vulnerabilities and attempts to infect them. There are versions of the malware tailored for Windows, Mac OS X, and Linux, and there may be versions for iOS and Android, according to Kaspersky. The malware has been used to target specific organizations in government, energy, finance, and research.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/10/this-malware-is-frighteningly-sophisticated-and-we-dont-know-who-created-it/
-http://www.net-security.org/malware_news.php?id=2703
-http://www.scmagazine.com/seven-year-long-apt-campaign-identified-possibly-state-sponsored/article/333427/
-http://arstechnica.com/security/2014/02/meet-mask-possibly-the-most-sophisticated-malware-campaign-ever-seen/
-http://www.zdnet.com/slides-from-kasperskys-the-mask-malware-presentation-7000026291/
Microsoft and Adobe Release Security Updates (February 11, 2014)
Microsoft's security update for February addresses a total of 31 vulnerabilities with seven security bulletins, two more than the company's Advance Notification indicated last week. Four of the bulletins are rated critical and the other three are rated important. One of the critical bulletins is a cumulative update for Internet Explorer (IE) that addresses 24 flaws. Adobe also released security updates on Tuesday. The company released a patch for Shockwave Player to address two vulnerabilities. The newest version of Shockwave Player for Windows and Mac is 12.0.9.149.
Microsoft:
-http://www.computerworld.com/s/article/9246231/Microsoft_addresses_critical_IE_vulnerabilities_for_Patch_Tuesday?taxonomyId=17
-http://www.scmagazine.com/microsoft-addresses-31-bugs-on-patch-tuesday-adds-last-minute-fixes/article/333600/
-http://www.zdnet.com/microsoft-issues-multiple-critical-windows-patches-7000026212/
-https://technet.microsoft.com/en-us/security/bulletin/ms14-feb
Adobe:
-http://www.computerworld.com/s/article/9246253/Adobe_patches_two_critical_vulnerabilities_in_Shockwave_Player?taxonomyId=17
-http://www.scmagazine.com/adobe-patches-critical-shockwave-flaws-allowing-remote-control-of-system/article/333608/
-http://helpx.adobe.com/security/products/shockwave/apsb14-06.html
Both:
-http://krebsonsecurity.com/2014/02/security-updates-for-shockwave-windows/
-http://www.theregister.co.uk/2014/02/12/patch_tuesday_brings_seven_microsoft_fixes_and_adobe_shockwave_update/
STORM CENTER TECH CORNER
Fake SSL Certificates
-http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html
Numerous unprotected rsync shares found
-http://blog.steve.org.uk/secure_your_rsync_shares__please_.html
New Spamassassin now with IPv6 Support
-http://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.0.txt
Apple Bootcamp Update
-http://support.apple.com/kb/HT6126
Facebook Fixes Instagram Vulnerability
-http://insertco.in/2014/02/10/how-i-hacked-instagram/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/