SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #21

March 14, 2014

Target Breach Underlying Cause Uncovered In today's cover story in Business Week and our top story, investigative reporter Mike Riley provides the backstory on why the Target breach was not stopped in time, despite adequate, specific alerts being delivered to the Target security team. Precisely the same causal error is happening every day in agencies and companies where CIOs have made compliance a higher priority than security, and where security teams focus on monthly reporting and not threat analysis, prevention, and rapid incident response. Dangerous mismanagement - verging on negligence; the CIO at Target has already resigned. Other CIOs and CISOs should use the Target and Nieman Marcus breaches as catastrophic events to drive change in their own approach to security - or risk resigning in disgrace after yet another breach event discloses similar negligence in actually protecting customers. http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hac
k-of-credit-card-data

The new 2014 CyberSecurity Salary Survey is out. SANS hadn't done one since 2008 because we felt that we would be more supportive of our students if we published them when the salaries had risen and the survey could help educate management about the growing value of cyber skills. Preliminary results show salaries are rising sharply once again, especially for certain skills. We will publish final results in a few weeks. You can get a free copy of the important details (for your industry, region, experience, etc.) ONLY by being one of the first 2,000 people to accurately complete the survey or by completing it by next Wednesday (about 670 are in now). Otherwise the details will be in a $250 report. Complete the survey at https://www.surveymonkey.com/s/2014SANSSalarySurvey

Alan

---

TOP OF THE NEWS

More Details on Why The Target Breach Happened
Retailers Say Migrating to EMV Alone Will Not Provide Adequate Security

THE REST OF THE WEEK'S NEWS

Samsung Devices May Have Backdoor
EU Legislators Approve New Cybersecurity Law
Adobe Patches Critical Shockwave Flaw
Google Encrypting Searches by Default, Even in China
Six-Year-Old Worm May Have Inspired Current Malware
Microsoft Security Updates Include Fix for Critical IE Flaw
WordPress "Pingback" Feature Exploited to Amplify DDoS Attack
Retailers Considering Forming Own Information Sharing and Analysis Center
Judge Freezes Mt. Gox Bitcoin's US Assets
Old School "Hacking" Fed Innovation

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Bit9 ******************************
As a result of the recent data breaches at high-profile retailers compromising credit and debit card and other personally identifiable information for hundreds of millions of consumer's, data security has become priority No. 1 - Read more on how to protect your company. http://www.sans.org/info/155050
**************************************************************************
TRAINING UPDATE


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

More Details on Why The Target Breach Happened (March 13, 2014)

This article offers new details of the attack on Target's point-of-sale system. Among the key points: Target did not respond to alerts from specialists monitoring system activity. In Congressional testimony, Target said it became aware of the breach only after being notified by the Justice Department. While reviewing the logs, it became clear that had the alerts been heeded, the data theft could possibly have been prevented. Target was using a FireEye product that essentially provides a sandbox environment that allows the attacker's tools to perform their functions in an observable environment so suspicious activity can be detected. Target had turned off a feature in the FireEye product that would have deleted malware when it is detected.
-http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hac
k-of-credit-card-data
[Editor's Note (Pescatore): The Neiman Marcus breach investigation also showed lots of alerts but lack of action. Many organizations are using SIEM and other products to collect logs but aren't developing the capabilities to prioritize the alerts based on vulnerability and threat status - compliance reporting is satisfied but security is neglected.
(Murray): The lesson from these latest revelations is that before dismissing alerts as false positives, one still needs to know what caused them.
(Paller): John Pescatore and Bill Murray's comments help explain why the salaries for policy people have stagnated and the number of policy/compliance jobs in cybersecurity is falling, while demand and compensation for people who have deep technical cyber skills is rising sharply. Get the salary survey at
-https://www.surveymonkey.com/s/2014SANSSalarySurvey]

Retailers Say Migrating to EMV Alone Will Not Provide Adequate Security (March 13, 2014)

The National Retail Federation (NRF) has expressed its dissatisfaction with MasterCard and Visa's plan to accelerate adoption of EMV chip technology. A statement from the organization urged the adoption of chip-and-PIN technology to better protect the security of payment card transactions. Chip-and-PIN is widely used in countries around the world, but the US has not yet adopted that technology.
-http://www.scmagazine.com/mastercard-visa-to-push-emv-nfr-calls-for-use-of-pins/
article/338019/
National Retail Federation Statement:
-http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=1781
[Editor's Note (Murray): Chips" (e.g. EMV) protect against disclosure of credit card numbers in normal use. PINs protect against the fraudulent use of lost or stolen cards. The EMV standard includes a number of different ways to use PINs, depending upon the application. For example, the application might permit as many as ten small offline transactions before requiring an online transaction with a PIN. The use of PINs is far safer with an EMV card than with a mag-stripe card, where both the card number and the PIN might be leaked in the same use. ]

---

************************** Sponsored Links: ******************************
1) State of Security Maturity Report As the incidence and cost of cyber crime have escalated, organizations have responded by establishing security operations centers (SOCs) to detect and counter cyber attack and to assure compliance with industry guidelines. http://www.sans.org/info/155065

2) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465

3) Webcast: Power of Lossless Packet Capture (1G-100G) & Real-time Netflow. Monday, March 24 at 1:00 PM EDT Sonny Singh and Boni Bruno. http://www.sans.org/info/155060
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Samsung Devices May Have Backdoor (March 13, 2014)

Certain Samsung Galaxy devices may contain a backdoor that allows remote access to user data. The vulnerability could also be exploited to activate built-in microphones and cameras. The issue lies in the devices' radio modems, which execute remote file system (RFS) commands. Internet Storm Center:
-http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor
-http://www.informationweek.com/security/mobile-security/samsung-galaxy-security-
alert-android-backdoor-discovered/d/d-id/1127675
-http://news.cnet.com/8301-1009_3-57620281-83/samsung-galaxy-devices-may-have-bac
kdoor-to-user-data-developer-says/
-http://www.theregister.co.uk/2014/03/13/samsung_remote_file_backdoor/
[Editor's Note (Pescatore): The original blog post on the Free Software Foundation site (or any of the articles cited) does not say that the Replicant developers who found this bug actually notified Samsung and followed accepted "responsible reporting" norms for giving the vendor time to respond before publicizing vulnerabilities. That's important, especially when the bugs are reported by competing products, whether free or not. That said, the issue of poor security in the baseband processors of all devices with cellular radios in them is a very big deal. ]

EU Legislators Approve New Cybersecurity Law (March 13, 2014)

Members of European Parliament have approved the Network and Information Security directive by a significant majority. The original draft of the legislation called for the major Internet companies like Google and Amazon to report breaches, but the revised law requires reporting from only companies that own, operate, or provide technology to critical infrastructure. Member states will be able to decide on their own how to incorporate the directive into their laws.
-http://www.networkworld.com/news/2014/031314-new-eu-cybersecurity-law-avoids-279
681.html
[Editor's Note (Pescatore): This bill is very narrowly focused on critical infrastructure technology providers reporting to government. That always tends to lead to more government databases but not much more transparency, or to be blunt CEO/board-level embarrassment, which is what drives change. ]

Adobe Patches Critical Shockwave Flaw (March 13, 2014)

Adobe has released a security update for a critical flaw in Shockwave Player. The memory corruption issue could allow arbitrary code execution. Users are urged to update to version 12.1.0.150 for Windows and Mac.
-http://www.computerworld.com/s/article/9246930/Adobe_patches_a_critical_flaw_in_
Shockwave_Player?taxonomyId=17

Google Encrypting Searches by Default, Even in China (March 12, 2014)

In an effort to strengthen privacy technology to help prevent surveillance by governments, law enforcement, and attackers, Google now encrypts web searches by default. The practice makes it more difficult for authorities in China and other countries known for snooping on people's activity to conduct online surveillance.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/12/google-is-encryptin
g-search-worldwide-thats-bad-for-the-nsa-and-china/

Six-Year-Old Worm May Have Inspired Current Malware (March 12, 2014)

Agent.btz, a worm that infiltrated US military computer systems in 2008, may be a precursor to more recently detected malware, such as Turla and Flame/Gauss. Agent.btz was introduced to the network of the US Central Command in the Middle East through a USB drive. The infection led to the establishment of the US Cyber Command.
-http://www.theregister.co.uk/2014/03/12/cyber_espionage_daddy

Microsoft Security Updates Include Fix for Critical IE Flaw (March 11, 2014)

Microsoft's security update for March 2014 includes five bulletins addressing a total of 23 vulnerabilities. The affected products include Windows, Internet Explorer (IE), and Silverlight. Eighteen of the 23 flaws are in a cumulative update for IE; one of the flaws is being actively exploited. This is the penultimate security update for Windows XP; after April 8, 2014, Microsoft will not be issuing fixes for vulnerabilities in that operating system.
-http://www.zdnet.com/microsoft-patches-23-windows-ie-and-silverlight-vulnerabili
ties-7000027207/
-http://www.computerworld.com/s/article/9246895/Microsoft_Patch_Tuesday_rounds_up
_IE_flaws?taxonomyId=17
[Editor's Note (Pescatore): I'll repeat earlier warning about the biggest XP end-of-support issue being embedded systems, which often do not show up in anyone's Configuration Management Database, since they quite often weren't procured or managed by the IT organization. ]

WordPress "Pingback" Feature Exploited to Amplify DDoS Attack (March 11 & 13, 2014)

Attackers exploited the pingback feature in more than 162,000 WordPress websites to help launch a distributed denial-of-service (DDoS) attack against another website. The feature lets sites know when other sites have linked to their content. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801
-http://www.v3.co.uk/v3-uk/news/2333460/hackers-turn-162-000-wordpress-sites-into
-ddos-attack-tools
-http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-a
bused-in-powerful-ddos-attack/
-http://www.theregister.co.uk/2014/03/12/wordpress_vuln_creates_botnet_army/
-http://krebsonsecurity.com/2014/03/blogs-of-war-dont-be-cannon-fodder/

Retailers Considering Forming Own Information Sharing and Analysis Center (March 11, 2014)

Officials in the retail industry are considering forming of a Merchant and Retail Industry Information Sharing and Analysis Center (MRI-ISAC) to help them defend their systems from attacks. The recent breaches at Target and other major retailers have underscored the need for retailers to share threat information in an organized fashion.
-http://www.darkreading.com/attacks-breaches/retail-industry-mulls-forming-its-ow
n-is/240166552
[Editor's Note (Pescatore): Industry-led ISACs like the Financial ISAC have good track records while the ones that are lead or pushed by the government have almost invariably failed. The retail industry should lead an effort to increase information sharing across retail CISOs as well as increase merchant's ability to influence the PCI compliance regime to focus more on protecting consumers and less on protecting card brands and banks. ]

Judge Freezes Mt. Gox Bitcoin's US Assets (March 11, 2014)

A US federal judge has frozen the American assets of Mt. Gox, Tibanne KK, and Mark Karpeles, allowing a class-action lawsuit filed against the bitcoin exchange and its CEO to proceed. The lawsuit alleges fraud, negligence, breach of fiduciary duty, and breach of contract. Mt. Gox recently filed for bankruptcy in the US with the hope of halting the case.
-http://arstechnica.com/tech-policy/2014/03/judge-freezes-all-of-mtgoxs-us-assets
-lets-class-action-suit-continue/

Old School "Hacking" Fed Innovation (March 13, 2014)

Some successful technology innovators started out as hackers when the word did not carry the negative connotation that it does today. The activity was fueled by a relentless curiosity rather than a desire to do harm. Electronic Frontier Foundation (EFF) attorney Hanni Fakhoury cautions that overzealous application of the Computer Fraud and Abuse Act (CFAA) poses a threat to innovation.
-http://www.forbes.com/sites/andygreenberg/2014/03/13/the-worlds-richest-ex-hacke
rs/?google_editors_picks=true

---

STORM CENTER TECH CORNER

Odd Web Logs
-https://isc.sans.edu/forums/diary/Web+server+logs+containing+RS+/17803

Joomla SQL Injection Fix
-http://threatpost.com/joomla-fixes-critical-sql-injection-vulnerability/104717
-http://www.exploit-db.com/exploits/31459/

Pwn2Own / Pwn4Fun
-http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one/

New Comodo/Entrust Intermediate Certificate
-https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downlo
aditemid=94

iOS Random Number Generator
-http://threatpost.com/weak-random-number-generator-threatens-ios-7-kernel-exploi
t-mitigations/104757

Identification and Fraud Detection Difficulties
-https://isc.sans.edu/forums/diary/Identification+and+authentication+are+hard+fin
ding+out+intention+is+even+harder/17805

Unused Certificate Authorities
-https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf

Mandiant Redline
-https://isc.sans.edu/forums/diary/Introduction+to+Memory+Analysis+with+Mandiant+
Redline/17797

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/