SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #19
March 10, 2014
A moment of opportunity: Whenever a CIO is fired or resigns after a major breach (as happened this week at Target) other CIOs get much more interested in security and much more receptive to change - but the window lasts 3-6 months at best. Use the publicity around this to make some advances in privilege management, strong authentication for remote and third party access and faster detection and shielding/mitigation of vulnerabilities.
Also this week: Smuckers joins the club that includes Sears, Neiman Marcus, and Target.
Alan
TOP OF THE NEWS
Target CIO Leaves Job in Wake of Breach
Ukraine/Russia Conflict Has Cyber Component
Smucker's Acknowledges Data Security Breach
Fake Netflix App Found Pre-Installed on Some New Android Devices
THE REST OF THE WEEK'S NEWS
Microsoft's March Security Update to Include Fix for Actively Exploited Flaw in IE
Anomaly Detection Tool Identifies and Contains Malicious Apps
Flexcoin Shuts Doors, Citing Theft of US $600,000 Worth of Bitcoins
Poloniex Bitcoin Exchange Reports Theft
CIA IG Launches Inquiry Over Allegations that the Agency Spied on Senate Intelligence Committee Staffers
DOJ Dropping Most Charges Against Barrett Brown
Sally Beauty Payment System May Have Been Breached
Vulnerability in GnuTLS Library
Governments' Cyber Espionage Tools Will Weaken Internet Security
TWO-FACTOR BANKING FILE UPDATE
Two-Factor Banking File Update
STORM CENTER TECH CORNER
Storm Center Tech Corner
*************************** Sponsored By Bit9 ****************************
10 Ways to Protect Your Company from a Data Breach As a result of the recent data breaches at high-profile retailers compromising credit and debit card and other personally identifiable information for hundreds of millions of consumers, data security has become priority No. 1 - Read more on how to protect your company.
http://www.sans.org/info/154450
***************************************************************************
TRAINING UPDATE
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
-- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014
-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014
-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/specials
Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Target CIO Leaves Job in Wake of Breach (March 5 & 6, 2014)
Target CIO Beth Jacob has resigned. The company plans to overhaul its approach to security and compliance by hiring a new CIO and creating the positions of chief information security officer (CISO) and chief compliance officer.
-http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451?cid=NL_DR_Weekly_240166451&elq=ba4b21883039429595bc1c6decd0aeed
-http://www.computerworld.com/s/article/9246773/Target_CIO_resigns_following_breach?taxonomyId=17
Ukraine/Russia Conflict Has Cyber Component (March 4, 5, & 6, 2014)
Disruptive cyber activity is escalating in the Ukraine/Russia conflict. Both sides have launched attacks on government agency and news websites, and a Ukrainian phone company says its network in Crimea was damaged when unknown people took control of communication centers. There are also reports that Internet service has been severed between Crimea and the rest of Ukraine. In the 2008 conflict between Russia and Georgia, Russia allegedly used distributed denial-of-service (DDoS) attacks, although the Kremlin denied involvement.
-http://www.bbc.com/news/technology-26447200
-http://www.theregister.co.uk/2014/03/04/ukraine_cyber_conflict/
-http://www.bloomberg.com/news/2014-03-05/russia-ukraine-standoff-going-online-as-hackers-attack.html
[Editor's Note (Assante): Media reporting is most certainly lagging real world events here. There is a mixture of messaging and active protest occurring alongside activities to support military deployments and a campaign to justify the deployment of Russian troops. Cyber force is being used on the bet that it can contribute to undermining confidence in the new government of Ukraine. Information control is an expected tactic for forces trying to sow confusion, suppress voices, and fabricate their own reality on the ground. ]
Smucker's Acknowledges Data Security Breach (March 4, 2014)
Smucker's has temporarily closed its online store after a security breach compromised customer credit card information. The breach appears to be part of a larger operation that targeted several companies. Smucker's has published an FAQ about the incident that describes the method the attackers used.
-http://krebsonsecurity.com/2014/03/thieves-jam-up-smuckers-card-processor/
Smucker's Breach FAQ:
-https://onlinestore.smucker.com/datafaq.cfm
Fake Netflix App Found Pre-Installed on Some New Android Devices (March 5, 2014)
There are reports that some new Android devices are pre-loaded with malicious apps. What appears to be a Netflix app is not authentic; it harvests sensitive data and sends it to Russia. The applications most likely reached the devices in a software bundle installed by someone in the supply chain.
-http://www.net-security.org/malware_news.php?id=2724
-http://www.computerworld.com/s/article/9246764/Pre_installed_malware_found_on_new_Android_phones?taxonomyId=17&pageNumber=2
[Editor's Note (Henry): We've seen compromised hardware and software, often exploited while processed through the supply chain, for several years. Fraudulent applications are a logical attack vector, and carriers and manufacturers will have to ensure adequate vetting is conducted. ]
************************** Sponsored Links: ******************************
1) The latest HP Cyber Risk Report presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat landscape. It provides information you need to effectively plan your cyber security strategy and deploy your defenses. Download it today. http://www.sans.org/info/154455
2) Leverage the Power of Advanced Threat Protection for Endpoints and Servers Take a 5-day Free Trial Today! http://www.sans.org/info/154460
3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft's March Security Update to Include Fix for Actively Exploited Flaw in IE (March 6, 2014)
Microsoft's scheduled security updates for March will include five bulletins to address vulnerabilities in Windows, Internet Explorer (IE), and Microsoft Silverlight 5. One of the IE vulnerabilities that will be fixed is a flaw that is being actively exploited.
-http://www.zdnet.com/microsoft-to-issue-windows-ie-and-silverlight-patches-7000027068/
-http://www.computerworld.com/s/article/9246809/Microsoft_plans_to_patch_critical_under_attack_IE_bug_next_week?taxonomyId=17
-http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
Anomaly Detection Tool Identifies and Contains Malicious Apps (March 5 & 6, 2014)
Researchers at North Carolina State University have developed a tool that uses anomaly detection to determine whether an Android app is actually a root exploit. If Practical Root Exploit Containment (PREC) decides that an app is malicious, it contains the offending code to prevent it from executing. PREC monitors only the app's native C code, the language in which most Android root exploits are written, rather than its Java code; restricting the monitoring this way is intended to reduce the number of false positives.
-http://www.darkreading.com/vulnerability/new-technique-targets-c-code-to-spot-con/240166476
-http://www.scmagazine.com/tool-uses-anomaly-detection-to-discern-real-android-apps-from-root-exploit-malware/article/337004/
[Editor's Note (Murray): Interesting but hardly a fix for this fundamentally flawed system. ]
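The item above says only that PREC applies anomaly detection to an app's native code. The following is an added example, not PREC's code, of the simplest form such a detector takes: a profile of system-call n-grams observed while exercising the app normally, and a runtime check that flags a trace whose n-grams were mostly never seen, reporting the first unseen n-gram as the point at which a monitor would contain the native thread. The traces, the bigram size, the 0.3 threshold and the syscall names are all constructed for the demo and are not taken from any real app or exploit.

```python
from collections import Counter

# Constructed traces: system-call names attributed to an app's native (C) code
# while the app is exercised normally. Not real traces from PREC or any app.
BENIGN_TRACES = [
    ["mmap", "open", "read", "read", "close", "munmap"],
    ["open", "read", "close", "mmap", "write", "munmap"],
    ["mmap", "mprotect", "open", "read", "close", "munmap"],
    ["open", "ioctl", "read", "close"],
]
N = 2  # bigram model; larger n is stricter but needs more training traces


def ngrams(trace, n=N):
    """Sliding window of n consecutive syscalls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=N):
    """Profile of normal native-code behaviour: every syscall n-gram seen
    during training, with how often it occurred."""
    model = Counter()
    for trace in traces:
        model.update(ngrams(trace, n))
    return model


def score(model, trace, n=N):
    """Fraction of the trace's n-grams that never appeared in training.
    0.0 means nothing new; 1.0 means nothing in the trace was ever seen."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in model)
    return unseen / len(grams)


def classify(model, trace, threshold=0.3, n=N):
    """Return (is_anomalous, score, first_unseen_ngram_or_None).

    The first unseen n-gram is where a runtime monitor would stop the native
    thread (containment), leaving the app's Java code running. The threshold
    is a constructed value; in practice it is tuned against benign traces so
    that ordinary variation in app behaviour stays below it."""
    grams = ngrams(trace, n)
    s = score(model, trace, n)
    first_unseen = next((g for g in grams if g not in model), None)
    return s >= threshold, s, first_unseen


if __name__ == "__main__":
    profile = train(BENIGN_TRACES)
    # A new but ordinary trace: every bigram was seen in training.
    print(classify(profile, ["open", "read", "close", "mmap", "write", "munmap"]))
    # A constructed trace with syscalls this app's native code never issued.
    print(classify(profile, ["mmap", "mprotect", "mprotect", "ptrace", "execve", "write"]))
```

The model flags the second trace at ("mprotect", "mprotect"), the first bigram never seen in training, which is the point at which a containment step would act. The weakness of the approach is visible in the training set: any legitimate code path not exercised during profiling shows up as an anomaly, which is why the item stresses that PREC limits monitoring to native code, where benign apps have far less behavioural variety than in their Java code.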
Flexcoin Shuts Doors, Citing Theft of US $600,000 Worth of Bitcoins (March 5, 2014)
Canadian Bitcoin bank Flexcoin has ceased operations after attackers stole nearly US $600,000 worth of the digital currency by exploiting "a flaw in the [front-end] code which allows transfers between Flexcoin users."
-http://news.cnet.com/8301-1009_3-57619967-83/bitcoin-bank-flexcoin-shuts-down-after-hack/
-http://www.informationweek.com/security/attacks-and-breaches/bitcoin-heists-cause-more-trouble/d/d-id/1114142?page_number=2
-http://flexcoin.com
Poloniex Bitcoin Exchange Reports Theft (March 6, 2014)
Bitcoin exchange Poloniex is reporting that attackers stole just under US $50,000 in Bitcoins. The theft amounts to 12.3 percent of Poloniex's bitcoins. Poloniex's owner said the thief exploited a flaw in the site's withdrawal processing code.
-http://arstechnica.com/security/2014/03/yet-another-exchange-hacked-poloniex-loses-around-50000-in-bitcoin/
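The Flexcoin statement and the Poloniex item both attribute the loss to a bug in transfer or withdrawal code and say nothing more about it. The classic way such code fails is a check-then-act race: several simultaneous requests each pass the balance check before any debit is committed, so an account is emptied several times over. The following is an added example, not Flexcoin's or Poloniex's code and not a claim about their specific bug, that reproduces the race deterministically with threads and shows the fix. The Ledger class, the barrier that forces the interleaving, the account name and the amounts are constructed for the demo.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constructed in-memory stand-in for an exchange's account table."""
    balances: dict
    withdrawals: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)


def withdraw_racy(ledger, account, amount, barrier):
    """VULNERABLE: the balance check runs outside the lock, so N concurrent
    requests can all observe the same pre-debit balance and all be approved.
    The debit itself is locked, which is exactly the kind of 'we do have
    locking' that does not help: the check and the act are two separate steps.
    The barrier is a demo device that holds every request between its check
    and its debit, the interleaving a burst of simultaneous requests can
    produce on a real server."""
    approved = ledger.balances[account] >= amount          # check (unlocked)
    barrier.wait()
    if approved:
        with ledger.lock:                                   # act (locked, too late)
            ledger.balances[account] -= amount
            ledger.withdrawals.append((account, amount))
    return approved


def withdraw_safe(ledger, account, amount, barrier):
    """FIXED: check and debit form one critical section. The barrier is
    crossed first so the timing is identical to the racy version; only the
    lock scope differs."""
    barrier.wait()
    with ledger.lock:
        if ledger.balances[account] < amount:
            return False
        ledger.balances[account] -= amount
        ledger.withdrawals.append((account, amount))
        return True


def run_burst(handler, opening_balance, amounts, account="victim"):
    """Fire one thread per withdrawal request against a fresh ledger and
    return (closing balance, number of approved withdrawals)."""
    ledger = Ledger(balances={account: opening_balance})
    barrier = threading.Barrier(len(amounts))
    results = [False] * len(amounts)

    def worker(i, amt):
        results[i] = handler(ledger, account, amt, barrier)

    threads = [threading.Thread(target=worker, args=(i, a))
               for i, a in enumerate(amounts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balances[account], sum(results)


if __name__ == "__main__":
    # Four simultaneous requests, each for the account's entire balance.
    print("racy:", run_burst(withdraw_racy, 10, [10, 10, 10, 10]))  # (-30, 4): overdrawn
    print("safe:", run_burst(withdraw_safe, 10, [10, 10, 10, 10]))  # (0, 1)
```

In a database-backed service the equivalent of withdraw_safe is a single conditional statement such as UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt, accepting the withdrawal only when exactly one row changed (or a SELECT ... FOR UPDATE inside the same transaction). A read followed by a separate write, as in withdraw_racy, leaves the window open no matter how each statement is locked, and the same applies to the outgoing on-chain transaction: it must be created only after the conditional debit has committed.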
CIA IG Launches Inquiry Over Allegations that the Agency Spied on Senate Intelligence Committee Staffers (March 4 & 5, 2014)
The CIA office of inspector general (IG) is examining whether the CIA spied on the Senate Intelligence Committee. The IG is trying to determine whether the agency gained unauthorized access to Senate Intelligence Committee staffers' computers seeking information about a report the staffers were working on. The report described problems with the CIA's detention and interrogation program, which is no longer in operation. The alleged intrusions were prompted by concerns that those creating the report had obtained an internal CIA review of the now-defunct program. The IG's office has asked the Justice Department to investigate.
-http://www.nytimes.com/2014/03/05/us/new-inquiry-into-cia-employees-amid-clashes-over-interrogation-program.html?hp
-http://www.washingtonpost.com/world/national-security/cia-draws-scrutiny-over-searching-senate-panels-computers-for-interrogation-data/2014/03/05/5d93ac66-a4a4-11e3-a5fa-55f0c77bf39c_story.html
-http://www.nextgov.com/cybersecurity/2014/03/cia-accused-hacking-senate-staffer-computers/79963/?oref=ng-HPriver
-http://www.theregister.co.uk/2014/03/05/cia_senate_watchdog_spying_row/
DOJ Dropping Most Charges Against Barrett Brown (March 5, 2014)
US federal prosecutors have filed a motion to dismiss all but one of the dozen charges against Barrett Brown, a Texas man with alleged ties to the group known as Anonymous. The motion was filed the day after Brown's defense team filed a motion to dismiss the case, which centered on Brown having allegedly posted a link in a chat room that pointed to data stolen from Stratfor. Brown will still face one charge of possession of stolen credit card data with intent to defraud and a separate indictment in connection with allegedly threatening an FBI agent. No reason was given for the decision to drop the other charges.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/05/the-government-is-dropping-the-hyperlink-charges-against-barrett-brown/
-http://www.scmagazine.com/feds-move-to-dismiss-11-charges-against-barrett-brown/article/337195/
-http://www.wired.com/threatlevel/2014/03/barrett-brown-motion-to-dismiss/
Government's Motion to Dismiss:
-http://www.scribd.com/doc/210801336/17717995604
Brown's Motion to Dismiss:
-http://www.wired.com/images_blogs/threatlevel/2014/03/Barrett-Brown-Motion-to-Dismiss.pdf
Sally Beauty Payment System May Have Been Breached (March 5, 2014)
The in-store payment system at Sally Beauty appears to have been breached. Several banks bought back from an underground carder forum data for some of the cards they had issued to customers and ran a "common point of purchase" analysis on them. They determined that 15 of the cards had been used at Sally Beauty stores within the past 10 days. A Sally Beauty spokesperson said that the company's intrusion detection system had alerted it to anomalous activity, but that the company found no evidence that card data had been stolen from its systems. The company also brought in an outside forensics firm, which came to the same conclusion.
-http://krebsonsecurity.com/2014/03/sally-beauty-hit-by-credit-card-breach/
-http://www.scmagazine.com/sally-beauty-investigates-breach-no-evidence-of-stolen-payment-cards/article/336991/
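The "common point of purchase" analysis the banks ran is simple in principle: take the cards known to be compromised, look at where each was used in a window before the fraud, and find the merchant they have in common that ordinary cards do not. The following is an added example of that analysis, not the banks' or Krebs's code; the card tokens, the control cards, the transaction dates and every merchant name other than the one in the article are constructed for the demo. It goes one step beyond the item by comparing against a set of clean control cards, which is what separates a genuine breach point from a merchant that simply everyone visits.

```python
from datetime import date, timedelta

# Constructed sample data (not real card or transaction records).
WINDOW_END = date(2014, 3, 5)
COMPROMISED = {"C1", "C2", "C3", "C4", "C5", "C6"}   # cards bought back from the forum
CLEAN = {"K1", "K2", "K3", "K4", "K5"}               # control cards with no fraud reports


def tx(card, merchant, days_before_window_end):
    return (card, merchant, WINDOW_END - timedelta(days=days_before_window_end))


TRANSACTIONS = (
    [tx(c, "Sally Beauty", 3) for c in ("C1", "C2", "C3", "C4", "C5")]
    + [tx("C6", "Sally Beauty", 40)]                 # outside the 10-day window: must not count
    + [tx("K1", "Sally Beauty", 5)]                  # one control card also shopped there
    + [tx(c, "BigGrocer", 2) for c in ("C1", "C2", "C3", "C4")]
    + [tx(k, "BigGrocer", 4) for k in sorted(CLEAN)]  # everyone shops here: not the CPP
    + [tx("C2", "Corner Cafe", 1), tx("K3", "Corner Cafe", 8)]
)


def common_point_of_purchase(transactions, compromised, clean, window_end,
                             window_days=10, min_hits=2):
    """Rank merchants as candidate breach points.

    For each merchant seen in the window, count how many compromised cards
    and how many control cards transacted there. 'lift' is the compromised
    hit rate divided by the control hit rate: a merchant most compromised
    cards visited but few control cards did stands out, while a merchant
    everyone visits does not. Merchants with fewer than min_hits compromised
    cards are dropped as noise. Returns rows
    (merchant, compromised_hits, control_hits, lift), best candidate first."""
    start = window_end - timedelta(days=window_days)
    cards_by_merchant = {}
    for card, merchant, when in transactions:
        if start <= when <= window_end:
            cards_by_merchant.setdefault(merchant, set()).add(card)

    rows = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & compromised)
        if hits < min_hits:
            continue
        controls = len(cards & clean)
        hit_rate = hits / len(compromised)
        # max(controls, 1) keeps the ratio finite: a merchant no control card
        # visited is scored as if exactly one had.
        control_rate = max(controls, 1) / len(clean)
        rows.append((merchant, hits, controls, hit_rate / control_rate))
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for merchant, hits, controls, lift in common_point_of_purchase(
            TRANSACTIONS, COMPROMISED, CLEAN, WINDOW_END):
        print(f"{merchant:14} compromised={hits} control={controls} lift={lift:.2f}")
```

On the constructed data the article's merchant ranks first with five of six compromised cards and one control card, while the grocer that four compromised cards and all five control cards visited scores a lift below 1 and sorts last. Two things the example makes concrete that the item does not: the window matters (the sixth compromised card's visit 40 days earlier is correctly ignored), and the answer is a ranked candidate, not proof; the merchant's own forensics, as the item notes, may still find nothing.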
Vulnerability in GnuTLS Library (March 4 & 5, 2014)
A serious security flaw in the GnuTLS security library puts 200 or more operating systems and applications at risk. The vulnerability could be exploited to trick GnuTLS into accepting as valid a certificate that was not issued by a trusted certificate authority. GnuTLS is used in many open source distributions and applications, including Red Hat Enterprise Linux, Ubuntu, and Debian.
-http://www.theregister.co.uk/2014/03/05/gnu_security_library_gnutls_fails_on_cert_checks_patch_now/
-http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
[Editor's Note (Hoelzer): When you're asked about this in your company, make sure you've done your research and know the difference between OpenSSL and GnuTLS. Make sure you know which tools and systems are using which libraries!]
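The item does not say how a certificate check can end up accepting an untrusted certificate. The Red Hat advisory linked in the Tech Corner below describes the bug as errors during X.509 verification being reported as a successful verification; the pattern behind that is a C function that returns 1 for true, 0 for false and a negative error code on failure, tested by callers with a plain if (result). The following is an added example, not GnuTLS's code, that models the pattern in Python (which, like C, treats a negative integer as true) with constructed certificate dicts in place of parsed X.509 objects; the error code value, the field names and the certificate names are all made up for the demo.

```python
# Constructed stand-ins for parsed X.509 certificates. "signed_data" is None
# for a certificate whose DER the parser could not decode, which is the
# condition that makes the helpers below return an error code.
def cert(name, key, issuer, sig_key, ca, signed_data=b"tbs"):
    return {"name": name, "key": key, "issuer": issuer, "sig_key": sig_key,
            "ca": ca, "signed_data": signed_data}


TRUSTED_ROOT = cert("Root CA", "root-key", "Root CA", "root-key", ca=True)
GOOD_INTERMEDIATE = cert("Issuing CA", "int-key", "Root CA", "root-key", ca=True)
GOOD_LEAF = cert("www.example.test", "leaf-key", "Issuing CA", "int-key", ca=False)

# Attacker-controlled: an undecodable "intermediate" that only claims to chain
# to the root, and a leaf the attacker signed with it.
ROGUE_INTERMEDIATE = cert("Evil CA", "evil-key", "Root CA", "evil-key", ca=False,
                          signed_data=None)
ROGUE_LEAF = cert("www.example.test", "mitm-key", "Evil CA", "evil-key", ca=False)

ERR_DER = -67   # illustrative negative error code, not the real constant


def check_if_ca(issuer):
    """1 if the cert is a CA, 0 if not, negative error code if undecodable."""
    if issuer["signed_data"] is None:
        return ERR_DER
    return 1 if issuer["ca"] else 0


def verify_signature(subject, issuer):
    """1 if subject's signature was made with issuer's key, 0 if not,
    negative error code if subject's signed data cannot be extracted.
    (Name/key equality stands in for a real signature check.)"""
    if subject["signed_data"] is None:
        return ERR_DER
    ok = subject["issuer"] == issuer["name"] and subject["sig_key"] == issuer["key"]
    return 1 if ok else 0


def verify_chain_buggy(chain, trusted_root):
    """chain = [leaf, intermediate, ...]; walk each cert to its issuer, ending at
    the trusted root. VULNERABLE: 'if not result' on a three-valued return, so
    ERR_DER (truthy) passes both checks and an undecodable cert is accepted."""
    issuers = chain[1:] + [trusted_root]
    for subject, issuer in zip(chain, issuers):
        if not check_if_ca(issuer):
            return False
        if not verify_signature(subject, issuer):
            return False
    return True


def verify_chain_fixed(chain, trusted_root):
    """FIXED: only the explicit success value counts as success; an error is
    treated as a failed verification, never as a pass."""
    issuers = chain[1:] + [trusted_root]
    for subject, issuer in zip(chain, issuers):
        if check_if_ca(issuer) != 1:
            return False
        if verify_signature(subject, issuer) != 1:
            return False
    return True


if __name__ == "__main__":
    print("good chain, buggy:", verify_chain_buggy([GOOD_LEAF, GOOD_INTERMEDIATE], TRUSTED_ROOT))
    print("good chain, fixed:", verify_chain_fixed([GOOD_LEAF, GOOD_INTERMEDIATE], TRUSTED_ROOT))
    print("rogue chain, buggy:", verify_chain_buggy([ROGUE_LEAF, ROGUE_INTERMEDIATE], TRUSTED_ROOT))
    print("rogue chain, fixed:", verify_chain_fixed([ROGUE_LEAF, ROGUE_INTERMEDIATE], TRUSTED_ROOT))
```

Both verifiers accept the legitimate chain, but only the buggy one accepts the rogue chain: the undecodable intermediate makes check_if_ca return an error that reads as "is a CA", and the same error from verify_signature reads as "signature verified", so the attacker's leaf is accepted without ever chaining to the root. The durable fix is the one in verify_chain_fixed, comparing against the one success value rather than against zero; it is also why, as the editor's note says, an inventory of which binaries link GnuTLS rather than OpenSSL matters, because the check lives in the library and every program that calls it inherited the flaw.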
Governments' Cyber Espionage Tools Will Weaken Internet Security (March 3, 2014)
Experts are concerned that the US government's development and use of cyber espionage tools and its purchases of zero-day vulnerabilities will ultimately weaken Internet security. Secret tools and information often make their way into the possession of criminals.
-http://www.reuters.com/article/2014/03/03/us-cybersecurity-governments-idUSBREA2228K20140303
[Editor's Note (Murray): This report is worth the read. ]
TWO-FACTOR BANKING FILE UPDATE
As you keep sending information, we have updated the file where we have collected your responses on banks that support multi-factor authentication and also some of the technologies that some of you are using or are looking into:
-http://www.sans.edu/research/security-laboratory/article/2factor-banks
STORM CENTER TECH CORNER
Attempts to Prevent Gas Station Skimmers
-https://isc.sans.edu/forums/diary/Mitigation+Fail+for+Gas+Pump+Skimmers/17761
Uptick in Scans for TCP/5000 (UPnP?)
-https://isc.sans.edu/forums/diary/TCP+5000+-+The+OTHER+UPNP+Port/17763
Search Engines Directing Users to Fake iTunes
-http://whitenoise.gizmodo.com/this-is-why-my-coworkers-keep-getting-malware-lately-1502285729/1502922309/@barrett
New Mobile App Scanner App-Ray
-http://www.app-ray.de
TLS Renegotiation Weakness
-https://secure-resumption.com
GnuTLS Bug
-https://rhn.redhat.com/errata/RHSA-2014-0247.html
Microsoft Not Extending Support for Chinese Version of Windows XP
-http://www.zdnet.com/no-xp-support-extension-for-china-7000026947/
Windows XP EOL
-https://isc.sans.edu/forums/diary/XPired/17753
Port 5000 Update
-http://seclists.org/bugtraq/2013/Sep/42
Attacking HTTPS with Traffic Analysis
-http://arxiv.org/abs/1403.0297
Hacktivist defaces Fake Bank Website
-http://www.p0ison.com/ybs-bank-got-hacked-by-team-anonghost/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/