SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #27

April 04, 2014

You'll find a powerful concept in John Pescatore's note following the Windows XP Final Fixes story (2nd story in "Rest of the Week's News"). I have seen his approach work extremely well, and you won't have another chance to exploit the opportunity for 7-10 years.

Check out the STI Graduate Certificate programs in penetration testing, incident response, and core security engineering. These certificates were designed to identify the collection and level of capabilities necessary for a security professional to demonstrate mastery of an area of cybersecurity and employers will increasingly seek them in hiring and promotion. They elegantly solve the problem employers complain about of the person who takes a single course, passes a certification and immediately claims to be a "certified hacker." Best of all they can be funded with tuition reimbursement rather than your department's training funds and if you have already completed one of the included courses you are well on your way. Also, if you ultimately want to earn a masters degree, they are 100% included in the degree requirements. If you want data on them and are coming to SANS in Orlando next week, attend the briefing Monday evening at 6. If you are not coming to Orlando, check out the Certificate Programs at http://www.sans.edu/academics/certificates

Alan

---

TOP OF THE NEWS

Who Do You Want To Staff and Run Your Security Operations Center?
DHS Cyberthreat Information Sharing Program
FFIEC Warns Financial Institutions of ATM Cash Out Fraud and DDoS Threats

THE REST OF THE WEEK'S NEWS

Ransomware Stores Decryption Key on Infected Machines
Microsoft Advance Notification for Windows XP and Office 2003 Final Fixes
State Attorneys General Investigating Data Breach of Experian Subsidiary
Japanese Banking Group Completes Migration to Windows 8
Target Breach Illustrates Value of Limiting Exfiltration
Android Botnet Targets Banks in Middle East
Apple Updates Safari to Fix 27 Vulnerabilities
Bitcoin Mining Malware Found on Surveillance Camera DVRs
Google is Asking Supreme Court to Rule on Unprotected Wi-Fi Sniffing
Researchers Find RSA Has More Encryption Ties to NSA

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Bromium **************************
Isolation: A Revolutionary, New Security Architecture
Traditional layers of anti-malware haven't been enough to protect endpoints at even the best-resourced enterprises. Are they actually protecting yours? Learn how Bromium is redefining endpoint security by isolating every threat with micro-virtualization - instead of depending on unreliable detection - effectively eliminating compromises on the endpoint, false positives and costly remediation.
http://www.sans.org/info/156105
*************************************************************************
TRAINING UPDATE


-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Who Do You Want To Staff and Run Your Security Operations Center? (April 2, 2014)

One of the most seasoned chief security officer shares the lessons he has learned about who to hire if you want to have an effective Security Operations Center (SOC). The best people for the job have acquired context through experience in various areas, including IT help desks, data center server management, and security stack management. While certifications alone are not a good indicator of who will do the best job in an SOC position, the best people for the job know how to use security tools effectively and how to interpret the information they generate in meaningful ways. Finally, the best employees have great communication skills; they can explain what they do to a variety of audiences.
-http://www.darkreading.com/operations/careers-and-people/the-right-stuff-staffin
g-your-corporate-soc/d/d-id/1127873

DHS Cyberthreat Information Sharing Program (April 2, 2014)

The Department of Homeland Security's (DHS's) Cybersecurity Information Sharing and Collaboration Program allows private companies and government agencies to share information about cyberthreats. The program creates bulletins in machine-readable format so protections can be put in place, and also creates recommendations in plain text.
-http://www.nextgov.com/cybersecurity/2014/04/dhs-delivers-hacker-footprints-indu
stry-secret/81784/?oref=ng-channeltopstory
[Editor's Note (Paller): As much as this sounds like "business as usual," early data from participants say it is a refreshingly useful information sharing program. They give data and don't demand anything in return, but greatly appreciate what does come. That fosters actual sharing. If you had considered "government information sharing" to be an oxymoron, maybe it's time to give them another chance. ]

FFIEC Warns Financial Institutions of ATM Cash Out Fraud and DDoS Threats (April 2 & 3, 2014)

The Federal Financial Institutions Examination Council (FFIEC) has warned of an increase in attacks on small- to medium-sized financial institutions in which thieves attempt to gain access to ATM control panels, which set withdrawal and geographic limits on ATM transactions. FFIEC asks that the institutions examine their controls over the systems. FFIEC issued a second notice to member institutions about distributed denial-of-service (DDoS) attacks and risk mitigation.
-http://www.computerworld.co.nz/article/542008/smaller_banks_warned_hackers_raisi
ng_atm_withdrawal_limits/
-http://www.bankinfosecurity.com/ffiec-addresses-fraud-ddos-a-6705
ATM and Card Authorization Notice:
-http://docs.ismgcorp.com/files/external/FFIEC_ATM_Cash_Out_Statement.pdf
DDoS Notice:
-http://docs.ismgcorp.com/files/external/FFIEC_DDoS_Joint_Statement.pdf
[Editor's Note (Pescatore): The DHS and NCUA DDoS guidance documents the FFIEC referenced are pretty weak on mitigation. A recent SANS DDoS survey showed that about 75% of respondents used dedicated DDoS mitigation products and services, with 23% using a mix of on-premise equipment and ISP or cloud service DDoS mitigation services. This hybrid approach has been proving to be the most effective and cost effective approach.
(Murray): The message here is for the examiners, not the banks. The news, if any, for the banks is that the examiners are now aware and can be expected to be looking for mitigation. ]

---

************************** Sponsored Links: ******************************
1) According to the Ponemon Institute's 2013 Cost of Cyber Crime study, the average cost to businesses of cyber crime is more than $7M per year-a 30% increase over last year. And the average number of attacks per company grew 20% to 73 successful attacks annually. With the incidence and cost of cyber crime rising sharply, this study of 234 companies in six countries details the types of cyber attacks found to be most common and the losses resulting from each type of attack. http://www.sans.org/info/156110

2) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465

3) Announcing NEW Analyst Papers in the SANS Reading room: - Loss and Security Spending in the Financial Sector: A SANS Survey by Gmark Hardy - - DDoS Attacks Advancing and Enduring: A SANS Survey by John Pescatore - - Finding Advanced Threats Before They Strike: A Review of Damballa Failsafe Advanced Threat Protection and Containment by Jerry Shenk. To access this exciting new content go to: http://www.sans.org/info/156120
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Ransomware Stores Decryption Key on Infected Machines (April 1 & 3, 2014)

Ransomware known as CryptoDefense encrypts users' files with a 2048-bit key, then demands a US $500 ransom to decrypt infected machines. If users do not pay within four days, the ransom doubles. However, the authors made an error by storing the unencrypted decryption key on the infected machine's hard disk.
-http://www.theregister.co.uk/2014/04/03/cryptodefense_rsa_private_key_on_disk/
-http://www.computerworld.com/s/article/9247348/CryptoDefense_ransomware_leaves_d
ecryption_key_accessible
-http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-
over-34000-one-month
[Editor's Note (Skoudis): This story is a classic, one that should be long-remembered about the importance of careful analysis and review of crypto solutions and code.
(Murray): A fundamental design principle is to store application state (e.g., keys) on the guest system; the alternative does not scale well. On the other hand, one of the most efficient attacks against cryptography is to find a copy of the key.
(Pescatore): Strong crypto is hard, for both bad guys and good guys. ]

Microsoft Advance Notification for Windows XP and Office 2003 Final Fixes (April 3, 2014)

Microsoft has issued its advance notification for the April security update, which includes the final security updates for Windows XP and Office 2003. Microsoft plans to release four bulletins on Tuesday, April 8, two of which are rated critical. One of the flaws that will be fixed is a RTF (rich text format) file handling issue in Word that is being exploited in limited, targeted attacks.
-http://www.zdnet.com/final-windows-xp-office-2003-patch-tuesday-a-light-one-7000
028037/
-http://www.computerworld.com/s/article/9247427/Microsoft_sketches_out_final_Wind
ows_XP_security_updates_for_next_week?taxonomyId=17
-http://technet.microsoft.com/en-us/security/bulletin/ms14-apr
[Editor's note (Pescatore): if you are using the end of XP to make a major migration to Windows 7 or Windows 8, take advantage of the transition to upgrade some security capabilities. Look at whitelisting, admin privilege management, auto-update, tighter browser safety settings, etc - and have info on those features included in all employee training on the upgrade, not as separate "security will now do this to you" communication.
(Northcutt): As much as things have changed, it is hard to believe XP had a 12 year run. Wonder if the focus of attacks will shift to Windows 8.1? If you still have an XP at home, or your parents, neighbors, siblings do, might make sense to run Upgrade Assistant:
-http://go.microsoft.com/fwlink/p/?LinkId=321548
-http://windows.microsoft.com/en-us/windows/end-support-help
-http://windows.microsoft.com/en-us/windows-8/upgrade-from-windows-vista-xp-tutor
ial]

[Editor's Note (Skoudis): It's the end of an era, as Windows 2002 (better known as XP) officially walks off the stage. However, I'm sure we'll see numerous organizations continue to struggle with left-over Windows XP boxes in their networks. And, with virtualization, XP may live forever in some organizations. Thus, the market for exploits against it will remain robust for the foreseeable future. Make sure you keep those network-based IPS solutions tuned to blocking exploits, even against older Windows boxes. ]

State Attorneys General Investigating Data Breach of Experian Subsidiary (April 3, 2014)

Attorneys General in at least two US states are investigating a data breach at a subsidiary of US credit bureau Experian that compromised 200 million Social Security numbers (SSNs). The investigations were prompted by an October 2013 story reported by Bran Krebs. A Vietnamese national, Hieu Minh Ngo, allegedly tricked an Ohio company called US Info Search into giving him access to the information. He has pleaded guilty to operating an identity fraud service.
-http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/
-http://www.nbcnews.com/tech/security/states-investigating-data-breach-experian-r
eport-n71246

Japanese Banking Group Completes Migration to Windows 8 (April 2, 2014)

In February, weeks ahead of Microsoft's end of support for Windows XP, a Japanese banking group completed its migration of 30,000 XP-based terminals to Windows 8. Resona Holdings began the move two years ago.
-http://www.zdnet.com/japanese-bank-beats-xp-deadline-moves-30000-terminals-to-wi
ndows-8-7000027964/

Target Breach Illustrates Value of Limiting Exfiltration (April 2, 2014)

Because Target had blocked outbound paths from its point-of-sale (POS) system, the attackers needed to set up a control center within the network and move the stolen information out later. Limiting the machines that can access the POS system could have helped, as could "build
[ing ]
a better maze" by making exfiltration difficult.
-http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-
id/1171947?

Android Botnet Targets Banks in Middle East (April 2, 2014)

A recently detected botnet targets Android users who do business at banks in the Middle East. More than 2,700 Android phones have been infected, and more than 28,000 text messages intercepted.
-http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/

Apple Updates Safari to Fix 27 Vulnerabilities (April 2, 2014)

Apple has updated its Safari browser to address 27 security issues, all but one of which are remotely exploitable. The most current versions of Safari are now 7.0.3 and 6.1.3. Apple did not issue an update for Safari 5.x.
-http://www.theregister.co.uk/2014/04/02/apple_patches_safari_bugs_thanks_to_goog
le/
-http://www.computerworld.com/s/article/9247381/Apple_patches_Safari_s_Pwn2Own_vu
lnerability_two_dozen_other_critical_bugs?taxonomyId=17
-http://support.apple.com/kb/HT6181
[Editor's Note (Murray): This illustrates that writing secure code for open systems with popular tools is difficult, and that "browsers" are particularly difficult to write because they are so open and feature rich. ]

Bitcoin Mining Malware Found on Surveillance Camera DVRs (April 1 & 2, 2014)

Some digital video recorders (DVRs) used to record images from surveillance cameras have been infected with malware that harnesses the devices' computing powers to mine for bitcoins. "The compromise of the DVR likely happened via an exposed telnet port and a default root password." There are two pieces of malware on the devices - one that mines for bitcoin, and one that appears to scan for other vulnerable devices, but which also may be capable of downloading more tools.
-https://isc.sans.edu/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+
Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879
-http://www.scmagazine.com/cryptocurrency-mining-malware-discovered-on-surveillan
ce-dvrs/article/341059/
-http://threatpost.com/dvr-infected-with-bitcoin-mining-malware/105167
-http://www.theregister.co.uk/2014/04/02/dvr_botnet_mines_bitcoins/
[Editor's Note (Honan): A prime example of the challenges we face with the Internet of Things. If you do not have a plan to talk to other areas of your business, such as facilities management, on what devices they plan to implement you may not be aware of the devices that could be on your network and not properly secured. ]

(Skoudis): The SETI@home project showed we could use spare CPU cycles for an interesting science experiment. Bitcoin mining showed how to commercialize spare (and increasingly stolen) CPU cycles. ]

Google is Asking Supreme Court to Rule on Unprotected Wi-Fi Sniffing (April 1 & 2, 2014)

Google is asking the US Supreme Court to rule on the legality of sniffing unencrypted wireless network traffic. Google has filed for a writ of certiorari, which asks the court to review or reverse a lower court's ruling that the company may have violated the Wiretap Act when it collected packets while gathering information and images for its Street View feature.
-http://www.wired.com/2014/04/threatlevel_0401_streetview/
-http://www.scmagazine.com/google-wants-supreme-court-to-rule-on-street-view-priv
acy-case/article/341068/
-http://arstechnica.com/tech-policy/2014/04/google-tells-supreme-court-its-legal-
to-packet-sniff-open-wi-fi-networks/
[Editor's Note (Pescatore): Google didn't seem too happy when it found out that NSA was reading Google's unencrypted traffic but feels it is OK when Google does it? ]

Researchers Find RSA Has More Encryption Ties to NSA (March 31 & April 2, 2014)

According to academic researchers, RSA Security adopted two NSA-developed encryption tools, which gave the intelligence agency greater capability to eavesdrop on Internet communications. Reports at the end of last year said that the NSA paid RSA US $10 million to use Dual Elliptic Curve encryption as the default in many products. Now researchers are saying that a second tool, known as the Extended Random extension, also allowed the NSA to decrypt communications.
-http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY2
0140331
-http://www.govinfosecurity.com/nsa-rsa-ties-raise-new-concerns-a-6703
[Editor's Note (Murray): In the 90s, when we were fighting the crypto wars and RSA had a market value in the hundreds of thousands to low millions, I often wondered why NSA did not simply buy them. Perhaps they did. This is more evidence of the culture of "If we can, we must." We can expect more evidence every week. ]

---

STORM CENTER TECH CORNER

Testing your IDS/IPS: Who is watching the watchers
-https://isc.sans.edu/forums/diary/Watching+the+watchers/17895

Vulnerabilities in Oracle's Java Cloud Service
-http://www.security-explorations.com/en/SE-2013-01-press2.html

Amazon Proactively Scanning Apps from Google App Store for Secret AWS Keys
-http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-
play-and

Nominum DNS DDoS Report
-http://nominum.com/ddos-amplification-attacks/

"HackIN" Browser Plugin Removed After LinkedIn Threat of Lawsuit
-http://blog.sellhack.com/post/81423404173/the-last-24-hours

Fireeye vs. Rovio on Angry Bird Privacy
-http://www.fireeye.com/blog/technical/mobile-threats/2014/03/a-little-bird-told-
me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html
-http://www.theregister.co.uk/2014/04/01/angry_birds_privacy_flap/

E-Bay ProStores Horizontal Authentication Bypass Fixed
-http://www.securatary.com/Portals/0/Vulnerabilities/Ebay/Prostore%20Admin%20Acco
unt%20Hijacking.pdf

Prezi Vulnerabilities Explained
-http://gynvael.coldwind.pl/?id=533

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/