SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #15
February 21, 2014
SANS Orlando 2014: Early registration discount ($250 on any 4-6 day course) if you register by Wednesday Feb 26.
http://www.sans.org/event/sans-2014
TOP OF THE NEWS
ICS-CERT Report Says Many Attacks on Critical Infrastructure Go Undetected
HSBC Bank USA Requiring Two-Factor Authentication for Some Transactions
Windows Crash Report Analysis Reveals New Advanced Persistent Threat and Point-of-Sale Attacks
THE REST OF THE WEEK'S NEWS
Microsoft Provides Stopgap Security Measure for IE Vulnerability
Adobe Issues Emergency Patch for Flash Vulnerabilities
NIST Releases Draft Proposal for Revising Cryptographic Standard Development
Online Gaming Site Offers Cash Reward for Attackers' Conviction
University of Maryland Database Breach Affects More Than 300,000 Students and Staff
How Forbes Responded to the Recent Attack
French Defense Contractor Network Breached
Target Breach Has Cost Banks and Credit Unions More than US $200 Million
Routers and Home Automation Tool Vulnerabilities
STORM CENTER TECH CORNER
*************************** Sponsored By Bit9 ****************************
Are Your POS and Store Systems Secure? Now is the time to Lock-Down Point of Sale and Fixed-Function Devices! If you can't block advanced malware in real-time, control change and protect your customers from real-world threats - then you should take a Free POS Security Assessment today!
http://www.sans.org/info/152612
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014
- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014
- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014
- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
ICS-CERT Report Says Many Attacks on Critical Infrastructure Go Undetected (February 19, 2014)
A report from the Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that many attacks against the networks of organizations that operate elements of the US's critical infrastructure remain undetected because of insufficient detection and logging. ICS-CERT recommends that organizations improve their incident detection, monitoring, and response capabilities and that they report incidents to develop a broader understanding of attacks. Some of the most common methods of initiating breaches were watering-hole attacks (planting malware on a site that targeted users are likely to visit), spear phishing, and SQL injection.
-http://www.govinfosecurity.com/report-cyberthreat-detection-lacking-a-6516
-https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2013.pdf
[Editor's Note (Assante): Lack of a clear security view into ICS networks and on devices results in unbounded attacker free time. ICS networks are special-purpose networks that can be understood and managed well enough to determine predictability. Being able to detect unnecessary communications and attempts to exploit weaknesses in protocols and software should be a priority along with outbound filtering and monitoring. Simply creating a fence around these systems is insufficient; as we all must accept, a prevention-only defense is not an adequate protection strategy.
(Paller): The boards of directors of most large power companies understand the risk. The challenge they now face is that their control systems were engineered decades ago and can neither be fully protected nor separated from corporate networks. An innovative few power companies are following Mike Assante's recommendation by establishing small teams of full-time watchers to find intrusions quickly and eliminate them. A practical approach to a difficult problem. ]
HSBC Bank USA Requiring Two-Factor Authentication for Some Transactions (February 20, 2014)
HSBC Bank USA now requires retail customers to use two-factor authentication for certain online transactions. Retail customers will be required to use the additional technology for money transfers, wire transfers, and account beneficiary changes. Customers may choose between a hardware token or a mobile application to generate the additional security code. The bank will supply the technology at no extra charge.
-http://www.bankinfosecurity.com/interviews/hsbc-requires-dual-authentication-i-2189
[Editor's Note (Murray): The report describes this action as "ground breaking." Not. Many banks have been requiring strong authentication of commercial customers for years and offering it as an option to retail customers. However, what may be novel is that HSBC is REQUIRING this strong authentication for at least some sensitive retail transactions.
(Honan): Nice to see HSBC Bank USA take security seriously and introduce two-factor authentication for their US clients, something they have been offering for UK clients since 2006.
-http://www.finextra.com/news/fullstory.aspx?newsitemid=15169
(Northcutt): This is not magic, modern malware waits till you are authenticated and then executes transactions, but it is a HUGE step in the right direction. I will look into closing a bank account that does not have two factor and opening one with HSBC. eTrade and Schwab also have banks that offer two factor authentication. If readers know of others please drop me a note: (stephen@sans.edu), thank you! ]
Windows Crash Report Analysis Reveals New Advanced Persistent Threat and Point-of-Sale Attacks (February 19, 2014)
Websense's analysis of Microsoft Windows crash reports has turned up evidence of a new advanced persistent threat attack and a new point-of-sale (POS) attack. Websense recently revealed that Windows crash reports could be abused by attackers because the system reports log data in cleartext. Websense has now released free source code that allows companies to analyze crash reports to detect breaches.
-http://www.darkreading.com/attacks-breaches/microsoft-windows-crash-reports-reveal-n/240166207
-http://www.infosecurity-magazine.com/view/37010/using-windows-error-reports-to-detect-unknown-breaches/
[Editor's Note (Ullrich): Great step forward by Websense to provide this tool. Crash reports have too long been overlooked. In particular for an enterprise scenario, crash reports can be a very efficient and automated way to learn about new malware. ]
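To make concrete what "analyze crash reports to detect breaches" can look like in an enterprise, here is an added example that is not Websense's released code and not from the article. It assumes crash reports are collected centrally as Report.wer-style key=value text (EventType, Sig[n].Name / Sig[n].Value) with a Host= line added by the collector, a format assumed here, and the five sample reports are constructed for the demo. It applies three defender-side heuristics: an access violation in a browser-like process (a failed exploit attempt often looks exactly like this), a crash in a binary outside the known-application baseline (an unexpected process on a POS terminal), and the same crash signature hitting several hosts in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample reports in an assumed Report.wer-style layout; hosts,
# times, module names and exception codes are invented for this demo.
SAMPLE_REPORTS = [
    "Host=WS-0017\nEventType=APPCRASH\nEventTime=2014-02-18T09:12:04\n"
    "Sig[0].Name=Application Name\nSig[0].Value=iexplore.exe\n"
    "Sig[3].Name=Fault Module Name\nSig[3].Value=Flash32_12_0_0_44.ocx\n"
    "Sig[6].Name=Exception Code\nSig[6].Value=c0000005\n",
    "Host=WS-0023\nEventType=APPCRASH\nEventTime=2014-02-18T09:14:40\n"
    "Sig[0].Name=Application Name\nSig[0].Value=iexplore.exe\n"
    "Sig[3].Name=Fault Module Name\nSig[3].Value=Flash32_12_0_0_44.ocx\n"
    "Sig[6].Name=Exception Code\nSig[6].Value=c0000005\n",
    "Host=WS-0031\nEventType=APPCRASH\nEventTime=2014-02-18T09:31:17\n"
    "Sig[0].Name=Application Name\nSig[0].Value=iexplore.exe\n"
    "Sig[3].Name=Fault Module Name\nSig[3].Value=Flash32_12_0_0_44.ocx\n"
    "Sig[6].Name=Exception Code\nSig[6].Value=c0000005\n",
    # Benign heap-corruption crash in a baseline application.
    "Host=WS-0040\nEventType=APPCRASH\nEventTime=2014-02-18T11:02:55\n"
    "Sig[0].Name=Application Name\nSig[0].Value=explorer.exe\n"
    "Sig[3].Name=Fault Module Name\nSig[3].Value=ntdll.dll\n"
    "Sig[6].Name=Exception Code\nSig[6].Value=c0000374\n",
    # A binary nobody approved, crashing on a register at night.
    "Host=POS-REG-03\nEventType=APPCRASH\nEventTime=2014-02-18T22:47:09\n"
    "Sig[0].Name=Application Name\nSig[0].Value=updhelper.exe\n"
    "Sig[3].Name=Fault Module Name\nSig[3].Value=ntdll.dll\n"
    "Sig[6].Name=Exception Code\nSig[6].Value=c0000005\n",
]

# Assumed baseline of applications expected on the fleet; build it from your
# software inventory in practice.
BASELINE_APPS = {"iexplore.exe", "explorer.exe", "outlook.exe"}
# Processes where an access violation is a common sign of an exploit attempt.
BROWSER_LIKE = {"iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe"}
ACCESS_VIOLATION = "c0000005"
SIG_NAME = re.compile(r"^Sig\[(\d+)\]\.Name$")


def parse_report(text: str) -> dict:
    """Flatten one Report.wer-style blob into host/time/app/module/exception."""
    raw = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            raw[key.strip()] = value.strip()
    sig = {}
    for key, name in raw.items():
        match = SIG_NAME.match(key)
        if match:
            sig[name] = raw.get("Sig[%s].Value" % match.group(1), "")
    return {
        "host": raw.get("Host", "?"),
        "time": datetime.fromisoformat(raw["EventTime"]),
        "app": sig.get("Application Name", "").lower(),
        "module": sig.get("Fault Module Name", "").lower(),
        "exception": sig.get("Exception Code", "").lower(),
    }


def triage(reports, baseline_apps, window_minutes=60, min_hosts=3):
    """Return (kind, host(s), app, module) findings for the three heuristics."""
    findings = []
    by_signature = defaultdict(list)
    for r in reports:
        if r["exception"] == ACCESS_VIOLATION and r["app"] in BROWSER_LIKE:
            findings.append(("possible-exploit-attempt", r["host"], r["app"], r["module"]))
        if r["app"] not in baseline_apps:
            findings.append(("unknown-binary-crash", r["host"], r["app"], r["module"]))
        by_signature[(r["app"], r["module"], r["exception"])].append(r)
    # Same signature on several hosts within the window: campaign, not a fluke.
    for (app, module, _exc), group in by_signature.items():
        hosts = sorted({r["host"] for r in group})
        times = sorted(r["time"] for r in group)
        span_minutes = (times[-1] - times[0]).total_seconds() / 60
        if len(hosts) >= min_hosts and span_minutes <= window_minutes:
            findings.append(("crash-cluster", tuple(hosts), app, module))
    return findings


def run_demo():
    return triage([parse_report(t) for t in SAMPLE_REPORTS], BASELINE_APPS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Because WER data leaves the host in cleartext, the same records an attacker could read on the wire are also available to the defender at no extra instrumentation cost; the point of the heuristics is to turn a stream that is normally ignored into a low-volume queue of hosts worth a look.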
************************** Sponsored Links: ******************************
1) Free Financial Cyber Security Brief in NYC! SANS presents: The SANS Financial Cybersecurity Trends and Challenges briefing. Join John Pescatore, Tony Sager and Alan Paller for this important event for the Financial Community. Set in the heart of the NY Financial District, this FREE breakfast briefing provides critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. http://www.sans.org/info/152927
2) Prevent APTs and Malware in Real Time! Join SANS for a webcast to look at keeping these threats at bay and the Damballa FailSafe solution. Get a look at automating defenses and getting detailed incident info for actionable response in this in-depth SANS product review. http://www.sans.org/info/152617
3) NEW Analyst Paper in the SANS Reading Room: Application Security Survey - Programs on the Rise, Skills Lacking: A SANS Survey http://www.sans.org/info/152622 And in Case You Missed it, please join the associated Webcast to learn results, featuring SANS Instructor Frank Kim http://www.sans.org/info/152627
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft Provides Stopgap Security Measure for IE Vulnerability (February 20, 2014)
Microsoft has released a temporary "Fixit" for a vulnerability in Internet Explorer (IE) that is being actively exploited. The flaw affects IE9 and IE10. Microsoft is working on a patch for the issue, but has not said when it will be available. The temporary fix instructs affected services to go into a restricted mode that blocks the current attacks.
-http://www.v3.co.uk/v3-uk/news/2329967/microsoft-combats-snowman-hackers-with-rush-fix-for-internet-explorer
-http://www.computerworld.com/s/article/9246461/Microsoft_delivers_stopgap_defense_against_active_IE10_attacks?taxonomyId=17
-http://www.scmagazine.com//microsoft-issues-temporary-fix-for-ie-zero-day-targeting-service-members/article/334929/
-http://technet.microsoft.com/en-us/security/advisory/2934088
Adobe Issues Emergency Patch for Flash Vulnerabilities (February 20, 2014)
Adobe has released an emergency fix for three critical vulnerabilities in Flash Player. One of the flaws is being exploited in active drive-by attacks on three non-profit websites. This is the second time in less than a month that Adobe has patched Flash outside of its regular update cycle.
-http://www.theregister.co.uk/2014/02/20/flash_adobe_posts_emergency_fix/
-http://arstechnica.com/security/2014/02/adobe-releases-emergency-flash-update-amid-new-zero-day-drive-by-attacks/
-http://www.computerworld.com/s/article/9246475/Adobe_Flash_exploit_targets_security_public_policy_sites?taxonomyId=17
-http://www.scmagazine.com//adobe-releases-another-zero-day-fix-for-flash/article/334974/
-http://krebsonsecurity.com/2014/02/adobe-microsoft-push-fixes-for-0-day-threats/
NIST Releases Draft Proposal for Revising Cryptographic Standard Development (February 20, 2014)
The National Institute of Standards and Technology (NIST) has released a draft of a proposal to revise the way it develops cryptographic standards. The proposal is a response to concern that the NSA had a hand in the development of earlier standards; NIST is committed to making the standard development process transparent, open, and impartial.
-http://www.govinfosecurity.com/nist-unveils-crypto-standards-proposal-a-6519
-http://www.fiercegovernmentit.com/story/nist-proposes-encryption-standard-development-process-internal-guidance/2014-02-20
-http://csrc.nist.gov/publications/drafts/nistir-7977/nistir_7977_draft.pdf
Online Gaming Site Offers Cash Reward for Attackers' Conviction (February 19 & 20, 2014)
Online role-playing game website Wurm is offering a 10,000 euro (US $13,700) reward for information that leads to the conviction of those responsible for knocking the site offline earlier this week. Wurm was rendered unreachable by a distributed denial-of-service (DDoS) attack that was launched just after Wurm updated to version 1.2. Wurm's web hosting company took the site offline because the attack was affecting other customers. Wurm is now back online on new servers with a new web host.
-http://www.zdnet.com/cyberattack-victim-gaming-website-offers-13000-to-bring-hackers-to-justice-7000026553/
-http://arstechnica.com/security/2014/02/knocked-offline-by-ddos-game-site-promises-13000-for-perps-conviction/
-http://www.slashgear.com/wurm-mmorpg-provider-offers-bounty-for-ddosers-conviction-19317479/
University of Maryland Database Breach Affects More Than 300,000 Students and Staff (February 19, 2014)
University of Maryland President Wallace D. Loh has disclosed a breach of a university database that compromised personal information of more than 300,000 students and staff members. The incident affects anyone who was associated with the university's College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data. Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.
-http://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
-http://www.computerworld.com/s/article/9246460/Database_attack_exposes_personal_data_at_University_of_Maryland?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57619169-83/data-breach-at-university-of-maryland-exposes-300k-records/
-http://www.slashgear.com/university-of-maryland-hacker-nabs-ss-trove-19317520/
Letter from President Loh:
-http://www.umd.edu/datasecurity/
[Editor's Note (Murray): Resign! Resign! Resign! We have tried transparency without accountability and it is not working. It is time for stronger measures.]
How Forbes Responded to the Recent Attack (February 18, 2014)
Forbes Media Chief Product Officer Lewis DVorkin describes in detail how Forbes.com responded to a recent attack against its publishing system that compromised user login credentials and hindered contributors' ability to publish stories. The attack began on February 13 and persisted through the next day. The attacker or attackers provided information to Forbes making clear that they had gained access to the company's publishing platform. Forbes locked down the publishing platform while making adjustments to security and twice attempted to reopen the system, only to discover that the attack was still ongoing. The company decided to shut down the publishing process for the weekend. Forbes.com was still available to the public the whole time, but was not able to post new content. The company mapped computers in the New York office to a "safe haven" server and established a special mailbox where contributors could submit posts. Forbes used social media to let readers know about the attack and is contacting users, urging them to change their passwords.
-http://www.forbes.com/sites/lewisdvorkin/2014/02/18/inside-forbes-after-a-digital-attack-a-story-of-recovery-and-what-it-means/
[Editor's Note (Honan): This is an excellent read for incident handlers and offers lessons that can be applied in your own organization. ]
French Defense Contractor Network Breached (February 18, 2014)
Attackers breached the network of French aerospace engine manufacturer Snecma. The intruders exploited a vulnerability in Internet Explorer to gain access to the network. The attack on Snecma reportedly used different malware than was recently used to exploit the same vulnerability in the VFW site.
-http://news.yahoo.com/exclusive-france-39-snecma-targeted-hackers-researcher-202729022--sector.html
-http://www.computerworld.com/s/article/9246426/Researcher_claims_two_hacker_gangs_exploiting_unpatched_IE_bug
Target Breach Has Cost Banks and Credit Unions More than US $200 Million (February 18, 2014)
The Target breach that affected more than 40 million payment cards has cost financial institutions more than US $200 million so far. That figure comes from information released by the Consumer Bankers Association and the Credit Union National Association. There are doubtless additional costs incurred by financial institutions that are not members of either association. The costs are those associated with issuing replacement cards for customers affected by the breach. The Target breach exposed personal information of as many as 110 customers.
-http://www.nextgov.com/cybersecurity/2014/02/target-data-hack-cost-banks-more-200-million/78965/?oref=ng-channeltopstory
-http://news.cnet.com/8301-1009_3-57619083-83/target-hack-strips-banks-and-credit-unions-of-$200m/
[Editor's Note (Murray): I have little sympathy for the banks here. For reasons of cost, they have chosen to accept fraud losses rather than move to a payment system (e.g., EMV for POS, out-of-band authentication for on-line commerce) more resistant to replay. Merchant breaches are inevitable. Fraudulent reuse of credit card numbers is not. ]
Routers and Home Automation Tool Vulnerabilities (February 18 & 20, 2013)
Recently, two families of routers have been found to be vulnerable to attacks. Nearly 1,000 Linksys routers have been infected with malware dubbed TheMoon. The routers are vulnerable if the Remote Management Access feature is enabled; Linksys ships the devices with that feature switched off by default. Some ASUS routers along with storage devices connected directly to them may be open to anyone online; again, the issue exists when users have enabled the remote access features. ASUS has released firmware to address the problem. Similar issues have also been found in Belkin WeMo Home Automation tools. The flaws in these devices allow anyone on the Internet to remotely take control of the devices. Belkin has issued updates to address the issues.
-http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/
-http://www.theregister.co.uk/2014/02/20/belkin_on_wemo_bug_get_the_patch/
[Editor's Note (Ullrich): Turn off remote access to devices. We have been talking about this for too long, time to take action. Over the last month, every major router/device vendor had to deal with major security flaws in widely deployed devices, and for many, a patch will never be released. ]
STORM CENTER TECH CORNER
Cisco Unified SIP Phone 3905 root access
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-phone
Cisco UCS Default SSH admin account credentials
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140219-ucsd
Metasploit Module added for Android WebView Vulnerability
-http://threatpost.com/70-percent-of-android-devices-exposed-for-93-weeks-to-simple-attack/104359
More Details About "TheMoon" Linksys Worm
-https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
Belkin Wemo Vulnerabilities
-http://www.kb.cert.org/vuls/id/656302
WordPress Two Factor Authentication Vulnerability
-https://www.duosecurity.com/blog/wordpress-multisite-vulnerability-in-two-factor-authentication
Adobe Zero Day Used in Waterhole Attack (and Patch Available)
-http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html
Linksys WRT120N Buffer Overflow
-http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/
Namecheap DDoS Attack
-http://status.namecheap.com/?p=14846
Chrome Update
-http://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
Bitcrypt Malware Encryption Broken
-http://blog.cassidiancybersecurity.com/post/2014/02/Bitcrypt-broken
Zeus Trojan Using Images for Covert Communication
-http://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/