
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #23

March 21, 2014


Cybersecurity is changing in the face of forces ranging from cloud and mobile to Snowden. An impressive group of CISOs are meeting in Boston at the end of April with John Pescatore and other experts to sort out key security trends. Probably the most useful executive-level cybersecurity meeting in the country. http://www.sans.org/info/154465

TOP OF THE NEWS

Target May Face Federal Charges Over Breach
Many Companies Still Not Disclosing Breaches or Sharing Attack Information
Univ. of Maryland Discloses Another Data Breach

THE REST OF THE WEEK'S NEWS

Network Time Protocol Reflection Attacks Prompt Patching of Vulnerable Servers
Darlloz Worm Now Mines Cryptocurrencies
Malicious Tor App in Apple iOS App Store
Full Disclosure eMail List Shuts Down
Compromised Gaming Site Server Used to Steal Apple ID and Other Sensitive Info
PHP Hijacking Vulnerability Still Being Exploited
Man Arrested in Thailand Will be Extradited to Switzerland to Face Cybercrime Charges
Mozilla Releases Firefox 28
Operation Windigo Used Unix Servers to Infect Computers with Malware
UK Cyber Security Challenge Winner Named
Judge Says Government's Warrant Request is "Overly Broad"

STORM CENTER TECH CORNER


************************ Sponsored By Bit9 *******************************
Data security has become the No. 1 priority for many retailers in 2014. Want to learn how your company can implement strategies to protect against costly data breaches? Find out 10 ways you can achieve this goal while maintaining required PCI compliance. Download this check list today! http://www.sans.org/info/155305
***************************************************************************
TRAINING UPDATE


- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Target May Face Federal Charges Over Breach (March 19, 2014)

Target has been communicating with the US Federal Trade Commission (FTC), but it is not yet known if the retailer will face federal charges related to a massive data breach that compromised payment card information of millions of customers late last year.
-http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver

[Editor's Note (Pescatore): I've been a big fan of FTC enforcement actions in the past that have happened *before* shoddy practices resulted in actual impact to consumers. I don't see much value in the FTC piling on here, but Target would be wise to commit to continuing voluntary third party (beyond PCI) assessments for the next 10 years.
(Murray): The American people expect, and media demands, that government provide blood sacrifice whenever something goes wrong. If government is unable to identify and punish the criminal, then it is well advised to further punish the victim. Regulatory agencies work better than law enforcement for this purpose; it is simply too difficult to prove "criminal" negligence. ]

Many Companies Still Not Disclosing Breaches or Sharing Attack Information (March 18, 2014)

According to a report from Arbor Networks and The Economist Intelligence Unit, many companies still do not publicly acknowledge data security breaches. While 77 percent of organizations responding to the survey said they had experienced a breach in the past year, 57 percent said they do not voluntarily disclose breaches that are not required to be disclosed by laws. Just over one-third of respondents said they share breach information with others in their industry.
-http://www.darkreading.com/attacks-breaches/many-organizations-dont-go-public-with-d/240166693

[Editor's Note (Pescatore): The 43% that *are* making non-required disclosures need to explain to their shareholders why they are doing so. There are many, many things that go wrong at every business every day that are not required to be disclosed publicly and therefore are not. Imagine if every retail company disclosed every shoplifting or employee theft event!
(Assante): There are no surprises here as companies are struggling with the benefits of sharing attack information past trusted circles. The lack of discussion and facts related to both attacker moves and actions and target weaknesses/struggles/breakthroughs hurts our collective understanding and advancement of practices. While at NERC, I was hopeful and had a vision that we could do as good a job of detailing cyber incidents as we did analyzing bulk power system outages and events. NERC has accomplished transparency on how regulated entities are struggling with compliance, but there are few organizations or regulatory programs that provide timely and 'responsible' transparency around reported cyber incidents.
(Paller): The key to breaking through on sharing is the British Information Exchange model - trusted groups of companies in tightly controlled disclosure groups. In the US, federal involvement in these has been counterproductive because they were mostly trying to force or coerce disclosure. However, data is emerging that DHS's NCICC has developed a new model, closer to the British model, that seems to be gaining corporate participation. P.S. The key to the British model is that the government gives useful (often sensitive/classified) data for a long time (generally 12 months) before the companies feel enough confidence to start sharing back.
(Honan): Another worrying finding from this report is that 1 in 3 businesses have no incident response plan. ]

Univ. of Maryland Discloses Another Data Breach (March 20, 2014)

The University of Maryland College Park (UMCP) has disclosed another security breach, the second in as many months. UMCP cybersecurity task force chair Ann G. Wylie said that in the latest breach, the personal information of "one senior university official" was compromised. The earlier breach affected hundreds of thousands of current and former students, faculty, and staff.
-http://www.baltimoresun.com/news/maryland/education/blog/bs-md-umd-another-cyberattack-20140320,0,798878.story

[Editor's Note (Paller): This story illuminates a key opportunity to improve cybersecurity around the world. Colleges need to teach hands-on cybersecurity as part of their core programming classes, not as electives. The web sites (which now UMCP officers say are being reviewed) were developed by people who rarely learned secure coding or about vulnerabilities in web application development systems like ColdFusion which are today the most commonly exploited access method for malicious actors attacking state and local governments and universities. Stopping errors from getting into the applications in the first place is the most promising proactive cyber defense action, but unless UMCP President Mote and his counterparts at other schools force their faculty to first learn and then teach secure, defensive programming as part of the core curriculum, they will continue to be a major part of the cybersecurity problem. ]


************************** Sponsored Links: ******************************
1) Custom cyber attacks evade traditional defenses There are no "signatures" for advanced targeted cyber attacks, because each attack is unique. Cyber criminals custom create them to penetrate your network and steal your data, so traditional cyber defenses can fall short and leave you unprotected. Watch the video: http://www.sans.org/info/155310

2) Webcast: IP Theft: Collecting Artifact Evidence from the Cloud and Mobile. Tuesday, March 25 at 1:00 PM EDT Heather Mahalik, Jad Saliba and Jamie McQuaid. http://www.sans.org/info/155250

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Network Time Protocol Reflection Attacks Prompt Patching of Vulnerable Servers (March 20, 2014)

A recent uptick in Network Time Protocol (NTP) reflection attacks has prompted the patching of vulnerable devices. Approximately 93 percent of the 1.6 million vulnerable NTP servers have now been patched.
-http://www.bbc.com/news/technology-26662051

Darlloz Worm Now Mines Cryptocurrencies (March 20, 2014)

The Darlloz Linux worm, which has been targeting home routers and security cameras, has now been modified to infect computers. The malware has also been updated to mine cryptocurrencies like Dogecoins and MinCoins. Once it has ensconced itself on a computer, Darlloz blocks other malware from infecting the machine and prevents attackers from accessing the machine through previously established backdoors.
-http://www.net-security.org/malware_news.php?id=2740
-http://www.computerworld.com/s/article/9247077/The_Darlloz_Linux_worm_diversifies_to_mine_cryptocurrencies?taxonomyId=17

-http://www.scmagazine.com/darlloz-variant-infects-intel-systems-to-mine-dogecoins-mincoins/article/338971/

[Editor's Note (Pescatore): I don't think we should call these things "crypto-currencies," as the term "currency" implies a whole lot of criteria that none of these *.coin offerings meet, like broad use and some kind of guarantee of value. Cyber-scrip would be better but probably cyber-tulip would be best. ]

Malicious Tor App in Apple iOS App Store (March 19 & 20, 2014)

A phony Tor app has been available in the Apple Store since November, according to the Tor Project, which has been unsuccessful in its attempts to get Apple to remove the possibly malicious app. The questionable Tor Browser app is bundled with adware and spyware, according to Tor developers.
-http://www.computerworld.com/s/article/9247090/Fake_Tor_app_has_been_sitting_in_Apple_39_s_App_Store_for_months_Tor_Project_says?taxonomyId=17

-http://arstechnica.com/security/2014/03/fake-tor-browser-for-ios-laced-with-adware-spyware-members-warn/

Full Disclosure eMail List Shuts Down (March 19 & 20, 2014)

The Full Disclosure mailing list has suspended operations "indefinitely." Administrator John Cartwright said the decision was the result of pressure from a researcher to remove huge amounts of content from the list archives. The list was created in July 2002. ISC:
-https://isc.sans.edu/diary/Full+Disclosure+list+shuts+down/17831
-http://www.zdnet.com/full-disclosure-security-mailing-list-shuts-down-7000027503/

-http://www.computerworld.com/s/article/9247068/Full_Disclosure_mailing_list_shuts_down_indefinitely?taxonomyId=17

-http://www.net-security.org/secworld.php?id=16548
-http://www.theregister.co.uk/2014/03/19/full_disclosure_closes/
[Editor's Note (Murray): It is difficult to argue against transparency. However, it seems clear that the publication of special knowledge on this list has lowered the cost of attack for criminal hackers. No other "security" community in history has ever freely shared its esoterica with amateurs. Perhaps this move will make security research as satisfying as vulnerability research. ]

Compromised Gaming Site Server Used to Steal Apple ID and Other Sensitive Info (March 19 & 20, 2014)

An online gaming server was being used to host a phishing-related site that tried to steal Apple IDs, payment card data, and personal information. The attackers appear to have infiltrated the server through flaws in old calendar software. The server, which belongs to Electronic Arts, has been fixed.
-http://www.theregister.co.uk/2014/03/20/ea_games_server_hosts_phishing_site/
-http://news.cnet.com/8301-1009_3-57620607-83/hackers-transform-ea-web-page-into-apple-id-phishing-scheme/

-http://www.bbc.com/news/technology-13846031
-http://www.scmagazine.com/hacked-ea-games-server-puts-apple-ids-and-card-data-at-risk/article/338984/

PHP Hijacking Vulnerability Still Being Exploited (March 19, 2014)

A PHP vulnerability first disclosed nearly two years ago is still going unpatched, despite a report last fall about an easier way to exploit the flaw. More than 80 percent of websites are written in PHP; of those, about 16 percent are vulnerable to the exploit, which allows attackers to execute arbitrary commands. A patch for the flaw was released in May 2012.
-http://www.v3.co.uk/v3-uk/news/2335062/hackers-besiege-php-sites-with-30-000-attacks-hitting-patched-exploit

-http://arstechnica.com/security/2014/03/php-bug-allowing-site-hijacking-still-menaces-internet-22-months-on/

-http://www.scmagazine.com/unpatched-servers-still-enabling-exploitation-of-two-year-old-php-vulnerability/article/338973/

Man Arrested in Thailand Will be Extradited to Switzerland to Face Cybercrime Charges (March 19, 2014)

Authorities in Thailand have arrested a man wanted in Switzerland for allegedly breaking into computer systems at banks in that country causing US $4 billion in damage. Farid Essebar has previously served prison time for other cyber crimes. He will likely be extradited within the next 90 days.
-http://www.scmagazine.com/authorities-arrest-infamous-hacker-diabl0-in-bangkok/article/338982/

-http://www.theregister.co.uk/2014/03/19/diabl0_hacker_arrested_bangkok/
-http://www.networkworld.com/news/2014/031914-hacker-diabl0-arrested-in-thailand-279863.html

Mozilla Releases Firefox 28 (March 18 & 19, 2014)

Mozilla has released Firefox 28. The newest version of the browser addresses 20 vulnerabilities, five of which were found at the Pwn2Own contest last week. The next version of the browser, Firefox 29, is scheduled for release on April 29.
-http://www.computerworld.com/s/article/9247062/Mozilla_patches_20_Firefox_flaws_plugs_Pwn2Own_holes?taxonomyId=17

-http://news.cnet.com/8301-1001_3-57620482-92/firefox-28-aims-for-easier-media-playback/

Operation Windigo Used Unix Servers to Infect Computers with Malware (March 18 & 19, 2014)

An attack known as Operation Windigo has infected 25,000 Unix and Linux web servers which are being used to infect website visitors with a variety of malware. When Windows users visit compromised sites, Windigo redirects them to exploit pages. Mac users are redirected to dating site advertisements, and iPhone users are redirected to pornography advertisements. The compromised servers are also used to send spam.
-http://www.zdnet.com/botnet-of-thousands-of-linux-servers-pumps-windows-desktop-malware-onto-web-7000027472/

-http://www.v3.co.uk/v3-uk/news/2334789/hackers-hit-unix-servers-to-send-35-million-spam-messages-a-day

-http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/

-http://www.scmagazine.com/windigo-op-infected-25000-servers-to-bolster-spam-malware-campaign/article/338769/

-http://www.theregister.co.uk/2014/03/18/windigo_unix_botnet/
[Editor's Note (Honan): Dealing with Windigo will be a major headache for system administrators as it requires the wiping of the server and re-installation of all software, resetting all passwords and re-issuing fresh SSH keys. This is a good example as to why you should integrate your security incident response with your business continuity plans to enable the business to continue to operate while you deal with the incident. ]

UK Cyber Security Challenge Winner Named (March 17 & 18, 2014)

A 19-year-old student has been named the winner of the UK's Cyber Security Challenge. The pool of 3,000 entrants was winnowed down to 42 finalists over the 12 months of competitions. William Shackleton outplayed 41 competitors in the Masterclass Final portion of the competition, which involved defending the city of London from a simulated cyberattack. Shackleton has an internship at Facebook for this summer. He will also choose from several prizes, including industry training, university classes, and information security industry events.
-http://www.v3.co.uk/v3-uk/news/2334762/student-wins-2014-cyber-security-challenge-as-uk-seeks-top-it-talent

-http://www.theregister.co.uk/2014/03/17/cyber_security_challenge_final_winner_cambridge_student/

Judge Says Government's Warrant Request is "Overly Broad" (March 18 & 19, 2014)

A federal magistrate in the District of Columbia has denied a government request for a warrant to search a certain email address saying the request was too broad. Magistrate Judge John Facciola wrote, "The government continues to submit overly broad warrants and makes no effort to balance the law enforcement interests against the obvious expectation of privacy email account holders have in their communications." He goes on to observe that it appears that the government is seeking a particular set of email messages but the warrant request seeks "all electronically stored information in email accounts."
-http://arstechnica.com/tech-policy/2014/03/judge-rebukes-feds-for-overbroad-search-warrant-applications-for-e-mail/

-http://www.nytimes.com/2014/03/20/us/judge-rebukes-officials-over-requests-for-broad-email-searches.html

[Editor's Note (Honan): It appears the desire to read emails is not isolated to the US Government; Microsoft has admitted to reading emails of one of its Hotmail customers while conducting an internal software leak investigation. Two timely reminders that email is not secure, and any sensitive data, commercial or otherwise, should be encrypted before sending by email. ]
-http://www.bbc.com/news/business-26677607

STORM CENTER TECH CORNER

Normalizing IP Addresses
-https://isc.sans.edu/forums/diary/Normalizing+IPv6+Addresses/17837

Cisco Updates
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140319-asyncos

Witty Worm 10 Year Anniversary
-http://blog.erratasec.com/2014/03/witty-10-years-later.html

Microsoft Internal Documents Published after Phishing Attack
-http://arstechnica.com/security/2014/03/taken-in-phishing-attack-microsofts-dirty-laundry-aired-by-hacktivists/

Google Now Encrypts Internal Traffic
-http://www.darkreading.com/privacy/google-now-encrypts-gmail-traffic-to-and/240166756

Java 8 Released
-http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html

Avast Safeprice Feature
-http://blog.check-and-secure.com/avast-safeprice-spies-us-shop/

Bypassing Web Application Firewalls using HTTP Proxy Headers
-http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366#.UyosA9w2LtB

WinSpy now includes Android component
-http://www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/