SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #18

March 03, 2014

Sears joins Neiman Marcus and Target in the public breach spotlight. More retailers will be joining their club soon.

For people who work with industrial control systems (ICS), general security awareness programs don't work very well. A group of major power companies and other ICS users worked together to customize the most widely used security awareness program (Securing the Human with 3.4 million users) so it works in the challenging ICS environment. They did a great job. The new ICS security awareness program meets compliance requirements through continued training and standard reporting, but goes further and actually changes human behavior and reduces risk.
http://www.securingthehuman.org/info/153247

---

TOP OF THE NEWS

Illinois Bank Urges People to Stop Using Credit Cards in Cabs in Chicago
Secret Service and Sears Investigating Possible Breach of Corporate Network
Sands Casino Says Breach Did Compromise Some Customer and Employee Data

THE REST OF THE WEEK'S NEWS

DHS's Phyllis Schneck Talks About Continuous Diagnostics and Mitigation Initiative
Mt. Gox Files for Bankruptcy Protection
Mt. Gox Backend Code Posted to Internet
Catching the Bitcoin Thieves?
Thousands of Wireless Routers Hijacked
Microsoft Will Offer Free Migration Tool to Encourage XP Users to Upgrade
Florida Police Did Not Tell Judges About Their Use of Cell Phone Tracking Technology
Meetup Targeted by DDoS Attacks After Ignoring Extortionists' Demands
Zbot Using Photos to Update Malware

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec ***************************
Demystifying Point of Sale Malware and Attacks - Symantec Security Response Blog
Credit and debit card data theft is one of the earliest forms of cybercrime and persists today. Cybercrime gangs organize sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. There are multiple ways to steal this data. One route criminals use is to target the point at which a retailer first acquires that card data - the Point of Sale (POS) system. Read more in the Symantec Security Response blog and white paper on just how these attacks are happening and how to prevent them.
http://www.sans.org/info/153957
***************************************************************************
TRAINING UPDATE


--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


-- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Illinois Bank Urges People to Stop Using Credit Cards in Cabs in Chicago (March 3 & 4, 2014)

First American Bank in Illinois is urging cab riders in Chicago to avoid paying with credit or debit cards, warning of an ongoing data breach that seems to be connected with card processing systems used by a large number of taxis in Chicago. First American became aware of the situation in early February when several customers complained about fraudulent charges on their accounts. The commonality among the cards was having been used in Chicago taxis. The bank has begun cancelling the cards of customers who charge taxi fare and issuing them new ones. The bank has reported the issue to MasterCard.
-http://krebsonsecurity.com/2014/03/illinois-bank-use-cash-for-chicago-taxis/
-http://www.scmagazine.com/bank-reports-payment-cards-used-in-chicago-cabs-being-
compromised/article/336550/
-http://arstechnica.com/security/2014/03/beware-of-credit-card-hack-affecting-chi
cago-taxis-bank-tells-customers/
-http://www.theregister.co.uk/2014/03/04/bank_tells_chicago_cab_fares_to_pay_cash
_only/
[Editor's Comment (Murray): The retail payment system, based upon mag-stripes and credit card numbers, is fundamentally broken. Warning people not to use it in specified places is the same as saying it is not safe to use. While issuers push the cost of fraud onto the merchants, the cost is systemic; we are all paying it. Only the card issuers can fix it.
(Northcutt): In the US the customer is largely protected if the 16 digit Primary Account Number (PAN) is compromised. However, when my card gets exposed because some retailer failed to protect my PAN, I may not lose money, but I lose time. I have to fix it with my auto insurance, my water utility, Amazon and who knows how many other providers. I have been through this three times in the past two years. The best solution would be multi-factor authentication. If you have followed the last few issues of NewsBites you can probably guess I am doing research to update my course on multi factor. I envision a USB key with an embedded chip that keeps my PAN from being intercepted by a keystroke logger, or a Man in the Middle attack from my browser and EVEN from my hapless retail vendor. Instead, it would go directly to the payment gateway and my vendor would receive a "transaction approved" record. I know about the iron key solution, if you know about others I would love to hear from you, (stephen@sans.edu). I know about chip and pin: it is part of the solution. I think we need to employ it in the U.S. to catch up with the rest of the world, but it is not THE complete solution:
-http://creditcardforum.com/blog/chip-and-pin-credit-cards-usa/
-http://www.sans.org/course/security-leadership-essentials-managers-knowledge-com
pression]

Secret Service and Sears Investigating Possible Breach of Corporate Network (February 28 & March 1, 2014)

Despite reports that the US Secret Service is investigating a possible attack on the network of Sears Holding Corp., the company says it has found no indication of a breach of its systems. Sears is "actively reviewing
[its ]
systems to determine if
[it has ]
been a victim of a breach." It is possible that the suspicion of a breach was raised by a false alarm in banks' anti-fraud systems. Common Point of Purchase analysis conducted in the wake of another breach could fail to account for overlapping purchase patterns and set off a false alarm.
-http://www.theregister.co.uk/2014/03/01/sears_tied_to_secret_service_attack_inve
stigation/
-http://arstechnica.com/security/2014/02/report-secret-service-investigates-possi
ble-network-breach-of-sears/
-http://krebsonsecurity.com/2014/02/breach-rumor-mill-puts-retailers-on-defensive
/
[Editor's Note (Pescatore): Haven't seen much mention of the Secret Service in breach investigations in a while. It would be good to see the US government go back to focusing on cyber-attacks as crime vs. a threat to national defense. ]

Sands Casino Says Breach Did Compromise Some Customer and Employee Data (February 28, 2014)

The Las Vegas Sands Casino now says that attackers who breached company websites in February did compromise customer and employee data, including Social Security numbers (SSNs) and driver's license numbers. Initially, the casino said that customer data were unaffected. The breach affected customers at the casino's Bethlehem, Pennsylvania location. The Sands is trying to determine if other locations were affected as well. The breach affects less than one percent of the Pennsylvania casino's customers since its 2009 opening, but a number was not provided. The intruders also accessed a mailing database.
-http://www.scmagazine.com//las-vegas-sands-confirms-attackers-accessed-sensitive
-employee-customer-info/article/336569/
-http://www.nbcnews.com/tech/security/sands-casino-website-hacking-some-customers
-data-was-stolen-n41601

---

************************** Sponsored Links: ******************************
1) Bad things happen in blind spots. Learn how to take uncertainty out of your network security. http://www.sans.org/info/153962

2) Join Us for the Largest Gathering of Enterprise Security Experts in the World. March 31-April 2, 2014 at the Cosmopolitan, Las Vegas: http://www.sans.org/info/153967

3) Join SANS in NYC at the SANS Financial Cybersecurity Trends and Challenges breakfast briefing on March 7. John Pescatore, Tony Sager and Alan Paller head this important event for the Financial Community providing critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. Earn 4 CPE/CMU credit hours. Fees waived for SANS alumni, NewsBites readers, and their co-workers. http://www.sans.org/info/153647 Not in the NYC area - attend via simulcast: http://www.sans.org/info/153672
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

DHS's Phyllis Schneck Talks About Continuous Diagnostics and Mitigation Initiative (March 4, 2014)

US Department of Homeland Security (DHS) deputy undersecretary for cybersecurity Phyllis Schneck talks about the agency's continuous diagnostics and mitigation initiative, which it is helping other agencies to implement. If agencies can demonstrate security improvements via the CDM approach, the continuous monitoring model can replace the annual FISMA compliance model that provided a snapshot of IT systems at a single point in time and generated thousands of pages of reports.
-http://www.govinfosecurity.com/interviews/continuous-diagnostics-game-changer-i-
2222
[Editor's Note (Pescatore): There is a lot of fluff in federal spending around cybersecurity but the CDM program is aimed squarely at the key security areas where federal, state and local agencies can make meaningful improvements in cybersecurity. I'm not a big fan of the "Diagnostics" term but given the sensitivity around "government monitoring." ]

Mt. Gox Files for Bankruptcy Protection (February 28, March 2 & 3, 2014)

Tokyo-based Bitcoin exchange Mt. Gox has filed for bankruptcy, citing debts of US $63.6 million. Mt. Gox CEO Mark Karpeles said that the company had lost 850,000 bitcoins, worth US $474 million. Karpeles said that attackers stole the bitcoins by exploiting "a bug in the bitcoin system." Some have suggested that the situation is not a result of the transaction malleability attacks that hit several Bitcoin exchanges last month, but of possible malfeasance. Mt. Gox has established a call center for customers to get their questions answered.
-http://www.computerworld.com/s/article/9246659/Bitcoin_exchange_Mt._Gox_files_fo
r_bankruptcy_with_debts_of_63.6M?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57619708-83/bitcoin-losses-spur-mt-gox-to-bankr
uptcy-filing/
-http://www.bbc.com/news/technology-26420932
-http://arstechnica.com/business/2014/03/mtgox-sets-up-call-center-in-japan-for-q
ueries-from-worried-bitcoiners/
-http://www.theregister.co.uk/2014/03/03/mtgox_to_customers_your_call_is_importan
t_to_us_not/
[Editor's Note (Honan): Another Bitcoin exchange, Flexcoin, is also shutting down after being subject to an online attack
-http://flexcoin.com/index.html]

Mt. Gox Backend Code Posted to Internet (March 3, 2014)

PHP code that may be part of the backend of the Mt. Gox Bitcoin exchange has been posted to the Internet, lending credence to Karpeles's assertion that attackers broke into the system.
-http://arstechnica.com/business/2014/03/mtgox-code-posted-by-hackers-as-company-
files-for-bankruptcy-protection/

Catching the Bitcoin Thieves? (March 3, 2014)

University of California, San Diego computer scientist Sarah Meiklejohn describes how data in the blockchain, the shared ledger in which all Bitcoin transactions are stored, could be used to determine the identities of the people who allegedly stole hundreds of thousands of bitcoins from Mt. Gox.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/28/hackers-allegedly-s
tole-400-million-in-bitcoins-heres-how-to-catch-them/

Thousands of Wireless Routers Hijacked (March 3 & 4, 2014)

More than 300,000 wireless routers used in homes and in small office settings have been compromised. The attack reconfigured the DNS settings on D-Link, Micronet, Tenda, TP-Link, and other devices. So far, the compromised routers have not been used for any malicious purpose, but they could be used to redirect users to sites that try to steal financial account access information. Most of the compromised routers are in Eastern Europe, Vietnam, and Europe.
-http://www.theregister.co.uk/2014/03/04/team_cymru_ids_300000_compromised_soho_g
ateways/
-http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-rout
ers-make-malicious-changes/
-http://www.bbc.com/news/technology-26417441
[Editor's Note (Honan): This attack is a forerunner of the challenges we will see in how to protect the Internet of Things. Given the difficulties many consumers have in keeping their PCs updated with patches and anti-virus software, keeping routers and other devices secured will be beyond many of them. Vendors really need to include security into their products from the very start and look at ways to support users of their products when there is a security issue. ]

Microsoft Will Offer Free Migration Tool to Encourage XP Users to Upgrade (March 3, 2014)

Microsoft will offer a free migration tool to help XP users ease their transition to a newer, more secure version of Windows. The tool, which normally costs US $30, will be available for free download. Users will be able to migrate three applications to the new OS. A more comprehensive version of the tool that allows unlimited application migration will be discounted from US $60 to US $24. Microsoft is ending support for its popular operating system on April 8; after that date, there will be no more security updates, leaving users vulnerable to flaws. Starting March 8, XP users will see pop-ups reminding them of the impending deadline.
-http://www.computerworld.com/s/article/9246719/Microsoft_reacts_to_XP_upgrade_cr
itics_with_free_file_transfer_tool?taxonomyId=17
-http://www.zdnet.com/microsoft-to-start-nagging-windows-xp-users-about-april-8-e
nd-of-support-date-7000026932/
Microsoft Blog:
-http://blogs.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-wind
ows-xp-data-transfer-tool-and-end-of-support-notifications.aspx
Internet Storm Center:
-https://isc.sans.edu/diary/XPired!/17753
[Editor's Note (Pescatore): The bigger XP upgrade issue is embedded systems/machinery/appliances that are based on XP and can't or won't be upgraded. Hopefully, those pop-ups won't be showing up on MRI machines, ATMs, etc. ]

Florida Police Did Not Tell Judges About Their Use of Cell Phone Tracking Technology (March 3, 2014)

Florida police have been using cell phone tracking technology without obtaining warrants. The police say that they signed a non-disclosure agreement with the company that manufactures the technology. The tool, which is thought to be Harris Corporation's Stingray, works by masquerading as a cellphone tower, so targeted phones connect to it, giving authorities information about the device's location. Police in Tallahassee were found to have been using the device in a certain case, and then admitted to using it at least 200 other times since 2010 without seeking a warrant.
-http://www.wired.com/threatlevel/2014/03/stingray/
-http://arstechnica.com/tech-policy/2014/03/police-hid-use-of-cell-phone-tracking
-device-from-judge-because-of-nda/

Meetup Targeted by DDoS Attacks After Ignoring Extortionists' Demands (March 3, 2014)

Social networking site Meetup has been targeted by distributed denial-of-service (DDoS) attacks since last Thursday. Meetup CEO said the company received an email demanding payment of US $300 prior to the start of the attacks, but the company chose not to pay the demand.
-http://www.scmagazine.com//meetup-battles-prolonged-ddos-attack/article/336525/
-http://www.nbcnews.com/tech/security/meetup-com-still-offline-refuses-pay-300-ra
nsom-hackers-n43306
-http://www.theregister.co.uk/2014/03/03/meetup_ddos_extortion/
[Editor's Note (Pescatore): The Meetup CEO says "We spend millions of dollars every year keeping the Meetup website and apps secure, stable, and reliable," but they seem to have had significant downtime from this DDoS attack. A SANS survey on DDoS mitigation practices we'll be publishing soon shows that using a mix of local DDoS mitigation plus external services is the most effective approach to balancing expense and effectiveness. Also, testing DDoS mitigation capabilities/switchover regularly is key. ]

Zbot Using Photos to Update Malware (March 3, 2014)

Zbot is communicating with infected machines through information embedded in images of sunsets and cats. The hidden data update infected machines' lists of targeted sites to monitor. The malicious images target machines that are already infected with Zbot.
-http://www.v3.co.uk/v3-uk/news/2331885/hackers-spreading-zbot-malware-using-cat-
and-sunset-pictures
-http://blogs.csoonline.com/malwarecybercrime/3029/criminals-using-steganography-
tricks-manage-zbot-attacks
-http://blog.trendmicro.com/trendlabs-security-intelligence/sunsets-and-cats-can-
be-hazardous-to-your-online-bank-account/
[Editor's Note (Pescatore): I imagine some legislator will now try to make pictures of cats illegal, which would be one of the few proposed bills I would actually support. ]

---

STORM CENTER TECH CORNER

Microsoft will continue to support Chinese Windows XP installs
-http://www.networkworld.com/news/2014/030314-china39s-windows-xp-users-to-279325
.html

Symantec Threatcon
-https://isc.sans.edu/forums/diary/Symantec+goes+yellow/17743

Python Buffer Overflow
-https://isc.sans.edu/diary.html?storyid=17749

G-Data Analysis of Uroburos
-https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GDa
ta_Uroburos_RedPaper_EN_v1.pdf

QNAP File Sharing Service
-https://isc.sans.edu/forums/diary/Oversharing/17737

Fiesta Exploit Kit
-https://isc.sans.edu/forums/diary/Fiesta/17739

RSA Mobile Application
-https://isc.sans.edu/forums/diary/How+not+to+code+your+mobile+app/17741

Google Maps Exploit
-http://gizmodo.com/its-ridiculously-easy-to-troll-google-maps-with-fake-l-153164
6581/1532886453/+ericlimer

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/