SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #31
April 18, 2014
BREACHES ACKNOWLEDGED THIS WEEK
Michaels Stores Says Breach Compromised Three Million Payment Cards
UK Cosmetic Surgery Firm Notifies Patients of Data Theft
Hard Drive Maker LaCie Admits Yearlong Breach
THE REST OF THE WEEK'S NEWS
SEC Document Describes Cyber Security Inspections
Communications Satellite Terminals Vulnerable to Attacks
DDoS Attacks Shifting Away from Botnets, Toward Amplification and Reflection
Appeals Court Upholds Lavabit Contempt Ruling
Lavabit Case Supports NSA's Assertion That They Did Not Have Heartbleed
German Space Research Center Finds Malware on Multiple Machines
Microsoft Cuts Price of Windows XP Extended Support
Microsoft Extends Windows 8.1 Update Installation Deadline for Companies
Oracle's Critical Patch Update Addresses 104 Flaws, 37 in Java
Canadian Man Arrested for Allegedly Stealing Taxpayer Data Through Heartbleed Bug
STORM CENTER TECH CORNER
**************************** Sponsored By Bit9 ***************************
XP End of Life is here - there are NO MORE security updates and your systems are no longer receiving critical patches. How will you protect your organization? Keep your XP systems compliant and secure - without upgrading or paying for out-of-band support! Positive security is the best compensating control. Download the eBook: http://www.sans.org/info/157515
**************************************************************************
TRAINING UPDATE
- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465
- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
BREACHES ACKNOWLEDGED THIS WEEK
Michaels Stores Says Breach Compromised Three Million Payment Cards (April 17, 2014)
Michaels Stores, a chain of retail craft stores, has acknowledged that as many as three million payment cards were exposed when point-of-sale systems at its stores and those of a subsidiary, Aaron Brothers, were compromised. The incident affected approximately 2.6 million payment cards during the Michaels breach between May 8, 2013 and January 27, 2014, and an additional 400,000 payment cards during the Aaron Brothers breach between June 26, 2013 and February 27, 2014.
-http://www.scmagazine.com/pos-malware-risks-millions-of-payment-cards-for-michaels-aaron-brothers-shoppers/article/343180/
-http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/
-http://www.zdnet.com/michaels-stores-confirms-data-breach-3-million-cards-affected-7000028563/
[Editor's Note (Murray): The decision of the credit card brands and issuers to delay deployment of EMV in the US looks more expensive by the minute. (I have cut up all my MC and Visa cards.) I continue to use AmEx only because they send me intraday alerts for all activity on my account. This is an efficient compensating control for the fundamental vulnerability of credit card numbers to fraudulent reuse. It addresses both card counterfeiting and "card not present" fraud. It helps to restore user confidence. ]
UK Cosmetic Surgery Firm Notifies Patients of Data Theft (April 16, 2014)
The Harley Medical Group, a private cosmetic surgery firm in the UK, has warned its customers that attackers accessed the company's computers and stole customer data in an extortion attempt. The breach affects 480,000 patients. The stolen data include names, addresses, email addresses, and procedures patients inquired about, but financial and medical records were not taken. The Harley Medical Group has 21 clinics in the UK.
-http://www.v3.co.uk/v3-uk/news/2340171/hackers-hit-harley-medical-group-in-customer-data-extortion-attempt
-http://www.telegraph.co.uk/technology/internet-security/10770922/Hackers-steal-500k-patient-records-from-Harley-Medical-Group.html
[Editor's note (Honan): Extortion demands are increasingly becoming part of online criminals' arsenals. Make sure to include this scenario as part of your incident response plans. ]
Hard Drive Maker LaCie Admits Yearlong Breach (April 15 & 16, 2014)
LaCie, the French hard-drive manufacturer, has disclosed that its online store was breached, exposing customer payment card and contact information. The FBI notified the company that attackers might have harvested customer data entered in the LaCie online store. The breach is believed to have been active for nearly a year, starting in late March 2013 and ending on March 10 of this year. The breach affects anyone who shopped on the LaCie site during that time period. Experts are surprised that LaCie did not detect the breach internally. The attackers are believed to have exploited flaws in Adobe ColdFusion. (LaCie became a subsidiary of Seagate in 2012, but still markets products under its own name.)
-http://www.bbc.com/news/technology-27046971
-http://www.theregister.co.uk/2014/04/16/lacie_breach/
-http://www.cnet.com/news/lacie-admits-to-year-long-credit-card-breach/
-http://www.zdnet.com/lacie-admits-year-long-malware-security-breach-customer-data-at-risk-7000028479/
-http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-long-credit-card-breach/
THE REST OF THE WEEK'S NEWS
SEC Document Describes Cyber Security Inspections (April 16, 2014)
The US Securities and Exchange Commission (SEC) has released a document describing how it will determine financial companies' preparedness to detect and prevent cyber attacks. The companies are likely to be asked for comprehensive lists of when they found malware on their systems; when they were the targets of a denial-of-service attack; and when they discovered network breaches.
-http://news.yahoo.com/u-sec-releases-cyber-security-examination-blueprint-210636467--sector.html
Office of Compliance Inspections and Examinations' Cybersecurity Initiative:
-http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
[Editor's Note (Pescatore): The SEC "Identification of Risks/Cybersecurity Governance" sample questions start out promising, by largely asking about the Critical Security Controls. However, the SEC doesn't stop there - it is a very long list of questions covering most areas in NIST 800-53 and ISO 27001 and then some. Many trees will be killed providing answers, much reporting software will be updated and sold to the financial industry to reduce the time spent producing the reports that kill the trees to feed the auditors. The expense to do so will more likely divert resources from increasing security.
(Murray): Compliance is an expensive way to achieve security, even in the rare cases in which it works at all. ]
Communications Satellite Terminals Vulnerable to Attacks (April 17, 2014)
A white paper from IOActive describes critical vulnerabilities in the firmware of satellite communications (SATCOM) terminals from at least 10 manufacturers that put military, aeronautical, and maritime communications in danger of interception, tampering, and blocking. The issues include backdoors, hardcoded credentials, and weak encryption. The vulnerabilities could be exploited to disrupt communications, to send false information such as incorrect ship locations or phony emergencies, and to locate other devices. According to the paper, "If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk."
-http://www.darkreading.com/vulnerabilities---threats/satellite-communications-wide-open-to-hackers/d/d-id/1204539?
-http://arstechnica.com/security/2014/04/mission-critical-satellite-communications-wide-open-to-malicious-hacking/
-http://www.scmagazine.com/researchers-uncover-critical-flaws-impacting-satellite-communications/article/343149/
White Paper:
-http://www.ioactive.com/pdfs/IOActive_SATCOM_Security_WhitePaper.pdf
[Editor's Note (Pescatore): At last year's SANS "Securing the Internet of Things" Summit, Jon Clay of Trend Micro demonstrated glaring vulnerabilities in a satellite navigation system. The OpenSSL Heartbleed vulnerability is an example of the "well intended feature implemented without any thought of misuse" problem - the Internet of Things has no shortage of those. Take advantage of the Heartbleed publicity to also take a deep look at SATCOM, SCADA/ICS, medical equipment, etc. "Things" that need be mitigated or shielded.
(Assante): SATCOM has traditionally been treated as secure by proxy of being tied to the defense industry. Threats were discussed and analyzed in classified settings or told as story lines in Clancy novels. The more we realize the underlying parts include firmware-based terminals connected to common computing infrastructure with all the same challenges the better. We teach students in our ICS courses to consider and address the attack surfaces associated with VSAT use for field SCADA applications.
(Northcutt): For a number of communication disaster recovery options this is the last line of defense. It is highly advisable to perform a risk analysis in which you ask, "What if this does not work".]
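Of the three issue classes named above, hardcoded credentials are the one a practitioner can check for without vendor cooperation: pull the printable strings out of the firmware image and look for passwd-style entries, embedded private keys, and password assignments. The following is an added example written for this item; it is not IOActive's tooling and does not come from the white paper. The firmware image is constructed (a fake ELF header, binary filler, and a few planted artefacts), and the rule set is an assumption, not a list from the paper.

```python
"""Pull printable strings out of a firmware image and flag credential material.

Added example, not from the IOActive paper. The image below is constructed:
a fake ELF header, binary filler, and a handful of planted artefacts.
"""
import re

MIN_LEN = 6   # same default as `strings -n 6`
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Each rule is tried against one extracted string; the first hit wins.
RULES = {
    # passwd/shadow entry with a modular-crypt hash ($1$ md5crypt, $5$, $6$, ...)
    "unix_passwd_hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]+:"),
    # passwd/shadow entry with a 13-character traditional DES crypt hash
    "des_crypt_passwd": re.compile(rb"^[a-z_][a-z0-9_-]*:[./0-9A-Za-z]{13}:"),
    # PEM private key embedded in the image
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    # shell/config style password assignment
    "password_assignment": re.compile(rb"(?i)(?:passw(?:or)?d|pwd)\s*[=:]\s*\S+"),
}

# Constructed image (assumption, not a real vendor firmware).
FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + bytes(9) + b"\x02\x00\x3e\x00"        # fake ELF header
    + b"\x00\x11\x12" * 5                                           # binary filler
    + b"root:$1$saltsalt$N9wOlXAVbXZnzKkgBDsvj0:0:0:root:/:/bin/sh\x00"
    + b"\xde\xad\xbe\xef" * 3
    + b"admin:ab3kP9dL2sQwE:100:100::/:/bin/sh\x00"
    + b"\x00\xff" * 4
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow\x00"
    + b"\x90" * 6
    + b"SERIAL_CONSOLE_PASSWD=letmein\x00"
    + b"Welcome to the terminal management interface\x00"           # benign string
    + bytes(8)
)


def extract_strings(blob, min_len=MIN_LEN):
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    rx = STRING_RE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in rx.finditer(blob)]


def scan_firmware(blob):
    """Return [(rule_name, string), ...] for every extracted string a rule matches."""
    findings = []
    for s in extract_strings(blob):
        for name, rx in RULES.items():
            if rx.search(s):
                findings.append((name, s.decode("ascii")))
                break
    return findings


if __name__ == "__main__":
    for name, s in scan_firmware(FIRMWARE):
        print(f"{name:20s} {s}")
```

On a real image the strings pass should be run over each filesystem and compressed section after unpacking, not only over the raw blob, and a DES or md5crypt hit is the point where a cracking attempt (or a vendor conversation) starts.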
DDoS Attacks Shifting Away from Botnets, Toward Amplification and Reflection (April 17, 2014)
A global distributed denial-of-service (DDoS) report from Akamai shows that in the first quarter of 2014, DDoS attacks appeared to be moving away from traditional botnet infections and toward reflection and amplification methods. Rather than infecting individual machines and harnessing their power to launch the attacks, the attackers are exploiting Internet protocols, including Character Generator (CHARGEN), Network Time Protocol (NTP), and Domain Name System (DNS).
-http://www.net-security.org/secworld.php?id=16707
[Editor's Note (Pescatore): I think it is more a case of DDoS attackers adding weapons to their arsenal rather than shifting weapons. The recent SANS DDoS survey showed that the majority of serious DDoS attacks use multiple techniques that shift over the course of an attack. The most effective mitigation approach has been some local DDoS mitigation capability on-premise at high value sites combined with DDoS mitigation services from ISPs or cloud-based providers. ]
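Reflection shows up at the victim as UDP traffic arriving from a reflector's service port (CHARGEN 19, DNS 53, NTP 123) that no internal host ever requested, because the attacker spoofed the victim's address on the query. The following is an added example, not from the Akamai report or the SANS survey; it runs that "reply with no request" check over constructed unidirectional flow records. The record format and the 198.51.100.0/24 monitored network are assumptions (documentation address ranges), and the records are made up, not captured.

```python
"""Spot reflection/amplification DDoS traffic in unidirectional UDP flow records.

Added example; the flow-record format and the 198.51.100.0/24 monitored
network are assumptions, and the records below are constructed, not captured.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Services named in the Akamai report as reflectors: CHARGEN, DNS, NTP.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp"}
INTERNAL_PREFIX = "198.51.100."   # hypothetical monitored network


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


# "proto src:port > dst:port packets bytes", one unidirectional flow per line
FLOW_RE = re.compile(r"^(\w+)\s+([\d.]+):(\d+)\s*>\s*([\d.]+):(\d+)\s+(\d+)\s+(\d+)$")

# Constructed records: one legitimate DNS query and its reply, one stray
# unsolicited DNS packet, and a multi-protocol reflection flood at .20.
SAMPLE_FLOWS = """
udp 198.51.100.10:51234 > 203.0.113.5:53 1 70
udp 203.0.113.5:53 > 198.51.100.10:51234 1 180
udp 203.0.113.9:53 > 198.51.100.10:51234 1 512
udp 192.0.2.11:123 > 198.51.100.20:80 40 19360
udp 192.0.2.12:123 > 198.51.100.20:80 38 18392
udp 192.0.2.13:19 > 198.51.100.20:80 50 51200
udp 192.0.2.14:53 > 198.51.100.20:80 22 70000
tcp 198.51.100.20:443 > 192.0.2.50:40001 10 8000
"""


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        proto, sip, sport, dip, dport, pkts, nbytes = m.groups()
        flows.append(Flow(proto.lower(), sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows


def find_reflection(flows, internal_prefix=INTERNAL_PREFIX, min_reflectors=3):
    """Return {victim_ip: summary} for internal hosts that receive unsolicited
    UDP from reflector service ports on at least `min_reflectors` distinct hosts."""
    # 1. Requests internal hosts actually sent; replies to these are solicited.
    requested = set()
    for f in flows:
        if f.proto == "udp" and f.src_ip.startswith(internal_prefix) and f.dst_port in REFLECTOR_PORTS:
            requested.add((f.src_ip, f.dst_ip, f.dst_port))
    # 2. Inbound "replies" from reflector ports that match no request: the
    #    reflector answered a spoofed query that carried the victim's address.
    victims = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set(), "services": set()})
    for f in flows:
        if f.proto != "udp" or not f.dst_ip.startswith(internal_prefix):
            continue
        if f.src_port not in REFLECTOR_PORTS or (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue
        v = victims[f.dst_ip]
        v["bytes"] += f.nbytes
        v["packets"] += f.packets
        v["reflectors"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
    # Requiring several distinct reflectors keeps one stray packet from alerting.
    return {ip: v for ip, v in victims.items() if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for ip, v in find_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {v['bytes']} bytes from {len(v['reflectors'])} reflectors via {sorted(v['services'])}")
```

The `min_reflectors` threshold is what separates a flood from a stray late DNS answer; lowering it to 1 in the sample also flags host .10, which received a single unsolicited packet. The same "no request seen" logic is what a reflector operator can run in reverse: queries arriving from addresses that never appear as request sources elsewhere in their own traffic are the spoofed ones.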
Appeals Court Upholds Lavabit Contempt Ruling (April 16 & 17, 2014)
Ladar Levison, owner of the erstwhile secure email provider Lavabit, has lost his bid to have contempt charges against himself and his company overturned. A federal appeals court in Virginia upheld a lower court's ruling finding Lavabit in contempt of court for hindering an investigation. In mid-2013, Lavabit was served with a pen register order, which seeks metadata on an account. It is widely believed that the account targeted in the investigation was that of Edward Snowden. Levison refused to comply with the order, which required that he surrender the master encryption keys that protected the privacy of all Lavabit users. He finally relented and then promptly shuttered his business. The appeals court made its ruling because Levison was introducing new issues that should have been raised at an earlier point in the legal process.
-http://www.bbc.com/news/technology-27063369
-http://www.wired.com/2014/04/lavabit-ruling/
-http://www.cnet.com/news/lavabit-loses-appeal-on-technicality/
-http://arstechnica.com/tech-policy/2014/04/lavabit-held-in-contempt-of-court-for-printing-crypto-key-in-tiny-font/
-http://www.computerworld.com/s/article/9247723/Court_rejects_Lavabit_appeal_cites_improper_procedural_handling?taxonomyId=17
Appeals Court Ruling:
-http://pdfserver.amlaw.com/nlj/lavabit-usca4-op.pdf
Lavabit Case Supports NSA's Assertion That They Did Not Have Heartbleed (April 16, 2014)
Larry Seltzer observes that the Lavabit case supports the NSA's assertion that it did not know of or exploit the Heartbleed bug. If the NSA had been able to exploit that vulnerability, it would have had no need to seek the information it did from Lavabit. In an August 2013 interview, Levison stated that he used the OpenSSL cryptographic library for Lavabit.
-http://www.zdnet.com/lavabit-case-undermines-claims-nsa-had-heartbleed-early-7000028517/
August 2013 Interview:
-http://arstechnica.com/tech-policy/2013/08/how-might-the-feds-have-snooped-on-lavabit/
German Space Research Center Finds Malware on Multiple Machines (April 16, 2014)
According to a report in the German news publication Der Spiegel, computers at a space research center in Cologne were breached in what is being called a state-sponsored attack. The German Aerospace Center found malware on machines used by researchers and systems administrators. Some of the malware was designed to self-destruct; other malware remained dormant for months before it was activated. The attack was described as "coordinated and systematic," suggesting it may be the action of a nation-state, but identifying the source of the attack is proving difficult.
-http://www.theregister.co.uk/2014/04/16/lacie_breach/
-http://www.lacie.com/uk/more/?id=10156
Microsoft Cuts Price of Windows XP Extended Support (April 16, 2014)
Microsoft has reduced the price of custom extended support for Windows XP. The price of custom support packages is negotiated on a company-by-company basis. One company reportedly turned down a US $2 million custom support contract with Microsoft, but several days later was presented with a contract for US $250,000. The cap for custom support is now US $250,000; a baseline price of US $200 per device still stands, as does a 750-PC minimum. Companies seeking support must be enrolled in Microsoft's Premier Support plan. Although Microsoft has not said why it decided to change the prices, some believe the company was concerned that the number of systems still running the 13-year-old operating system means there could be serious repercussions in the event of a security breach.
-http://www.computerworld.com/s/article/9247708/Microsoft_slashes_Windows_XP_custom_support_prices_just_days_before_axing_public_patches?taxonomyId=17
Microsoft Extends Windows 8.1 Update Installation Deadline for Companies (April 16 & 17, 2014)
Microsoft has extended the deadline for companies to install Windows 8.1 Update. Last week, Microsoft announced that users who had not installed the update would be unable to receive updates in the future; at that time, Microsoft gave all users a 30-day window to install the update. The date has now been changed to August 12 for companies, although consumers must still install Windows 8.1 Update by May 13 if they wish to continue receiving support for the operating system.
-http://www.darkreading.com/microsoft-delays-enterprise-windows-81-support-doomsday/d/d-id/1204522?
-http://www.zdnet.com/microsoft-gives-business-users-more-time-to-install-windows-8-1-update-7000028513/
-http://blogs.technet.com/b/gladiatormsft/archive/2014/04/12/information-regarding-the-latest-update-for-windows-8-1.aspx
Oracle's Critical Patch Update Addresses 104 Flaws, 37 in Java (April 16, 2014)
Oracle has released fixes for 104 vulnerabilities in a range of the company's products, as well as fixes for products vulnerable to Heartbleed. Oracle's update for Java accounts for 37 of the flaws. At least four of the flaws fixed by the update have been given the most critical rating by the Common Vulnerability Scoring System (CVSS). The most current versions are now Java 7 Update 55 and Java 8 Update 5.
-http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/
-http://www.theregister.co.uk/2014/04/16/burnt_out_on_deploying_patches_this_month_oracles_got_104_more_fixes_for_you/
-http://www.scmagazine.com/oracle-fixes-104-flaws-in-quarterly-update-addresses-heartbleed-bug/article/342942/
-http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
[Editor's Note (Pescatore): Adding insult to injury, the Oracle Java update still tries to sneak in a toolbar add-on to your browser. This is like General Motors saying "When we fix your ignition switch, unless you tell us not to, your radio will now play a commercial for a GM business partner every time you start your car." ]
Canadian Man Arrested for Allegedly Stealing Taxpayer Data Through Heartbleed Bug (April 16 & 17, 2014)
A 19-year-old Canadian man has been arrested in London, Ontario, and charged with unauthorized use of a computer and mischief in relation to data for allegedly exploiting the Heartbleed vulnerability to steal information from Canada's tax agency. The Canada Revenue Agency said that approximately 900 social insurance numbers were stolen and other data may have been taken as well.
-http://www.timescolonist.com/opinion/blogs/police-charge-man-19-in-heartbleed-breach-at-canada-revenue-agency-1.965736
-http://www.scmagazine.com/arrested-canadian-hacker-believed-to-have-exploited-heartbleed-bug/article/343166/
-http://www.nbcnews.com/tech/security/man-charged-heartbleed-attack-canada-tax-agency-n82391
-http://www.nextgov.com/cybersecurity/2014/04/teen-arrrested-exploiting-heartbleed-hack-canadian-tax-agency/82702/?oref=ng-channelriver
-http://money.cnn.com/2014/04/16/technology/security/canada-heartbleed/index.html
[Editor's Note (Murray): There may be limited evidence on the target system that an attack exploited the Heartbleed vulnerability but there will be plenty on the source system. ]
STORM CENTER TECH CORNER
GlobalSign CRL Rapidly Increases in Size Due to Heartbleed
-https://isc.sans.edu/forums/diary/Heartbleed+CRL+Activity+Spike+Found/17977
Impact of Heartbleed on CRL Growth and the Internet
-http://www.wired.com/2014/04/cost-of-heartbleed
-http://www.zdnet.com/internet-slowed-by-heartbleed-identity-crisis-7000028506/
Live Certificate Revocation List (CRL) Monitoring Resource
-https://isc.sans.edu/crls.html
DNP3 Secure Authentication Version 5 in SCADA Networks
-https://isc.sans.edu/diary/Looking+for+malicious+traffic+in+electrical+SCADA+networks+-+part+1/17967
-https://isc.sans.edu/forums/diary/Looking+for+malicious+traffic+in+electrical+SCADA+networks+-+part+2+-+solving+problems+with+DNP3+Secure+Authentication+Version+5/17981
Bugs in Heartbleed Test Scripts
-http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbleed-detection-scripts-
Tor Blacklisting Heartbleed-Vulnerable Exit Nodes
-http://www.mulliner.org/blog/blosxom.cgi/security/torbleed.html
Galaxy S5 Fingerprint Scanner Vulnerable to Fake Finger Molds
-http://threatpost.com/like-apples-touchid-galaxy-s5-vulnerable-to-fingerprint-hack/105527
Heartbleed Exploit for OpenVPN Released
-https://news.ycombinator.com/item?id=7598616
SC Forefront Endpoint Protection Crashes Windows XP / Windows 2003
-https://isc.sans.edu/forums/diary/WinXP+and+or+Win2003+hanged+systems+because+of+SC+Forefront+Endpoint+Protection+faulty+update/17975
-http://msmvps.com/blogs/kenlin/archive/2014/04/16/winxp-and-or-win2003-with-sc-forefront-endpoint-protection-installed-msmpeng-exe-crashes-after-definition-update.aspx
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/