
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #36

May 06, 2014


The prospects for finding employees with strong cyber talent seem to have brightened. With a partial focus on returning veterans, nearly 2,000 job seekers (43% with security certifications, 24% with security clearances) have registered for the National Cybersecurity Career Fair in June, which will connect them with employers. Employers such as JP Morgan Chase, KPMG, PricewaterhouseCoopers, CBS and Solutionary are participating. If your organization is looking for talent, email Max Shuftan (mshuftan@cyberaces.org). The deadline is June 1. Participants get to use a special SANS talent and skills assessment to demonstrate their skills to prospective employers. Info: nationalcybersecuritycareerfair.com.

TOP OF THE NEWS

Target CEO Resigns
Attackers Targeting Critical Infrastructure Systems Running XP and IE8
Gartner: The Internet of Things Will Drive Security Convergence

THE REST OF THE WEEK'S NEWS

Massachusetts Cyber Aces State Championship
Legislative Cyber Security Emergency Simulation
Florida High School Student Allegedly Broke Into Computer and Changed Grades
White House Big Data Report Focuses on Privacy, Government, Economy
FTC Can be Compelled to Reveal Standards Used in Deciding When to File Breach Complaints
Covert Redirect Vulnerability in OAuth and OpenID
Attack Targets Facebook Users in India
National Collegiate Cyber Defense Competition
Missile Launch Control System Uses Eight-Inch Floppy Disks

STORM CENTER TECH CORNER


************************** Sponsored By Sophos Inc. *********************
Whitepaper: Simple Security is Better Security
Did you know that small and mid-sized businesses were the victims in 40% of all data breaches last year? Security vendors seem to ignore the needs of small businesses when designing their products. But hackers are targeting this big market. Download this whitepaper to learn about cloud-based endpoint security.
http://www.sans.org/info/158607
***************************************************************************

TRAINING UPDATE


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Target CEO Resigns (May 5, 2014)

A statement from Target notes that "the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target." Steinhafel has been with Target for 35 years and has served as CEO since 2008. He will stay on as an advisor during the company's executive transition. Last year's data breach affected as many as 110 million customers. In March, Target reported a 46 percent fall-off in profits. The company faces nearly a dozen lawsuits, all seeking class action status.
-http://www.cnet.com/news/target-ceo-gregg-steinhafel-resigns-after-data-breach-fallout/

-http://www.bbc.com/news/business-27283872
-http://www.forbes.com/sites/clareoconnor/2014/05/05/target-ceo-gregg-steinhafel-resigns-in-wake-of-data-breach-fallout/

[Editor's Note (Murray): Given that reports have suggested that the initial penetration of the Target network involved fraudulent reuse of credentials, I was disappointed that the list of remedial measures that Target plans does not include strong authentication.
(Northcutt): I don't know how much stock I would put into the CEO stand down; 35 years with Target (or any company) is a lot of service. However, this is destined to be a business/security case study. So many companies have suffered data breaches; they had a minimal impact on stock price and profits. Target's stock is down 15% in a year and profits are off more than 40%. The thing to watch is their roll out of Mastercard's Chip and Pin. It is tough asking consumers to make a change. Chip and Pin will happen, but there is an ancient saying that pioneers are the folks with arrows in their backs. This transition to the new Redcard is going to need to be managed carefully. On the plus side, their customers are the youngest of any of the major retailers, so maybe they are less set in their ways.
-https://www.google.com/finance?q=tgt&ei=heNnU_CPNMSciQK9hQE
-http://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/

-http://www.cnbc.com/id/101624275
-http://pressroom.target.com/backgrounders/target-guests]

Attackers Targeting Critical Infrastructure Systems Running XP and IE 8 (May 2, 2014)

Attackers are exploiting a critical flaw in Internet Explorer (IE) for which Microsoft issued an emergency fix late last week. The flaw affects all versions of IE. The attack, which has been named Operation Clandestine Fox, is specifically targeting computers responsible for supporting US and European critical infrastructure that are still running Windows XP and IE 8. The security company that detected the attack believes it is state-sponsored.
-http://money.cnn.com/2014/05/02/technology/security/internet-explorer-hack/index.html

-http://www.v3.co.uk/v3-uk/news/2342998/hackers-target-windows-xp-users-with-internet-explorer-attacks

-http://www.theregister.co.uk/2014/05/02/cyberspies_throw_ie_0day_against_win_xp/

Gartner: The Internet of Things Will Drive Security Convergence (May 2, 2014)

Gartner predicts that by 2020 there will be 26 billion Internet-connected devices. While many of these devices will not pose large threats to security, others will be used to control environments, monitor equipment, and track assets. A report from Gartner says that the sheer volume of Internet-connected devices will likely bring IT, physical, and industrial control security practices together.
-http://www.computerworld.com/s/article/9248069/The_Internet_of_Things_likely_to_drive_an_upheaval_for_security?taxonomyId=17

[Editor's Note (Murray): Experience to date is not nearly so hopeful. It suggests that much of this software will be written by novices who will focus on function while unnecessarily and unwittingly leaving exposed a huge target surface.]


************************** Sponsored Links: ******************************
1) Webcast: Closing the Book on Heartbleed - and Avoiding Future Sad Stories: John Pescatore will moderate a panel of vendor experts in a discussion around lessons learned from dealing with Heartbleed and best practices for mitigating or shielding the risks due to vulnerabilities in open source and other third-party software. Tuesday, May 06 at 1:00 PM EDT. http://www.sans.org/info/158090

2) Webcast: Effective Anti-malware in Virtualized Environments. Thursday, May 15 at 1:00 PM EDT, with John Pescatore, Maxim Weinstein, and Jeremiah Cornelius. http://www.sans.org/info/158612

3) Government IT Pros! Tell Us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/158617
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Massachusetts Cyber Aces State Championship (May 4, 2014)

About 60 people were invited to participate in the Massachusetts Cyber Aces State Championship competition in Boston on Saturday, May 3. The competitors were the top performers in a pool of more than 1,000 in the state who participated in the competition's online courses. The state championship pitted competitors against each other in the SANS NetWars simulation program, which the US military uses to train its officers. The three top finishers received scholarships and additional training opportunities. Other contestants who did well will have the opportunity to participate in an online job fair with government agencies and private businesses.
-http://www.bostonglobe.com/metro/2014/05/03/hackers-hone-their-skills-cybersecurity-competition-umass-boston/Jcbnuv3D1Tdc09MYJITs8J/story.html

Legislative Cyber Security Emergency Simulation (May 4, 2014)

Three hundred fifty members of the Truman National Security Project participated in a simulation designed to test whether lawmakers would be able to pass emergency legislation following a catastrophic cyber attack. Matt Rhoades, who directs the Project's cyberspace and security program, has "felt for a long time ... that it's unlikely that we will get much policy movement in the cyber area without a crisis." The simulation was designed to explore two questions: First, what is the threshold for a crisis that would spur legislation? And second, are decisions made in the face of a crisis better or worse than those made in a less frenetic atmosphere? Simulation participants were able to squeak out a bill that included mandatory cyber security requirements for industry.
-http://www.defenseone.com/technology/2014/05/were-saved-experts-show-how-fix-us-cybersecurity/83734/?oref=ng-channelriver

Florida High School Student Allegedly Broke Into Computer and Changed Grades (May 4 & 5, 2014)

A Florida high school student has been arrested for allegedly breaking into his school's computer system and changing grades for himself and at least four other students. The 18-year-old faces eight felony counts, including offenses against intellectual property and offenses against computer users.
-http://arstechnica.com/security/2014/05/high-school-senior-charged-with-hacking-report-card-system/

-http://digitaljournal.com/news/crime/miami-student-accused-of-hacking-into-database-changing-grades/article/382862

-http://miami.cbslocal.com/2014/05/02/student-accused-of-changing-grades-arrested/

White House Big Data Report Focuses on Privacy, Government, Economy (May 2, 2014)

A White House report on Big Data observes that the expanding Internet of Things could pose privacy concerns. Sensors and smart meters could give attackers a view into what's happening inside homes and offices - whether or not the space is occupied, how people are moving within the space, and even what kind of activity is taking place there. The report also calls for Congress to establish a national data breach-reporting standard and to amend the Electronic Communications Privacy Act (ECPA) to protect email content stored in the cloud. Current law allows authorities warrantless access to data that has been stored on third-party servers for more than 180 days. President Obama requested the Big Data review in January.
-http://www.scmagazine.com/in-big-data-report-white-house-calls-for-national-breach-reporting-standard/article/345390/

-http://www.computerworld.com/s/article/9248086/The_Internet_of_Things_could_encroach_on_personal_privacy?taxonomyId=17

-http://arstechnica.com/tech-policy/2014/05/obama-panel-supports-warrant-requirement-for-e-mail-cloud-content/

Report:
-http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf

[Editor's Note (Murray): The purpose of this report is to justify legislation that the bureaucracy wants in any case. It will also be used in an attempt to convince citizens that they should fear business more than government.]

FTC Can be Compelled to Reveal Standards Used in Deciding When to File Breach Complaints (May 2, 2014)

The US Federal Trade Commission's (FTC's) chief administrative law judge has ruled that the agency can be compelled to disclose the standards it uses to determine whether or not a company has implemented adequate security controls. The decision comes in response to a motion filed by LabMD. The company faced FTC-imposed penalties for unfair trade practices after suffering a breach and has since gone out of business, citing expenses associated with fighting the FTC complaint. LabMD maintained that the FTC was holding the company to unofficial standards. LabMD is not alone in challenging the FTC's purview; Wyndham Hotels also maintains that the FTC overreached its authority in a complaint against that company.
-http://www.computerworld.com/s/article/9248085/FTC_told_to_disclose_the_data_security_standards_it_uses_for_breach_enforcement?taxonomyId=17

Covert Redirect Vulnerability in OAuth and OpenID (May 2 & 4, 2014)

A vulnerability known as Covert Redirect in the OAuth 2.0 and OpenID open-source login systems could be exploited to steal access credentials and other data. The systems are used by popular sites such as Facebook, Google, and LinkedIn. The flaw lies not in the login systems themselves but in individual websites' implementations of them, which allow open redirects.
-http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062?

-http://www.zdnet.com/covert-redirect-mostly-hype-and-certainly-no-heartbleed-7000029039/

-http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

-http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

[Editor's Note (Murray): The good news is that this vulnerability is limited to a known set of systems. The bad news is that we do not know which members of the set.]
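As an added example (not code from this NewsBites item or from any of the sites it names), the two implementation checks that decide whether a Covert Redirect is possible: the authorization server's validation of redirect_uri, and the relying party's own "send the user here next" handler that the open redirect lives in. The client id, hostnames and URIs are constructed for illustration.

```python
"""Added example: exact-match redirect_uri validation versus a host-only check,
plus a same-origin check for a site's own post-login redirect parameter.
All client ids, hosts and URIs are constructed, not taken from any real site."""
from urllib.parse import urlsplit

# Constructed client registry: client_id -> exact redirect URIs registered.
REGISTERED = {
    "demo-client": ["https://app.example.com/oauth/callback"],
}


def weak_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any URI on the registered host passes.
    A site-local open redirector (e.g. /go?u=...) on that host then passes
    too, which is the implementation flaw the article describes."""
    if client_id not in REGISTERED:
        return False
    registered_host = urlsplit(REGISTERED[client_id][0]).netloc
    return urlsplit(redirect_uri).netloc == registered_host


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the whole URI (scheme, host, port, path, query) must
    equal a registered value. No prefix, wildcard or host-only matching."""
    return redirect_uri in REGISTERED.get(client_id, [])


def authorize(client_id: str, redirect_uri: str, check=strict_redirect_ok):
    """Authorization-endpoint decision. When redirect_uri is not registered
    the server must not redirect at all (RFC 6749, section 4.1.2.1); even an
    error redirect would deliver the user to the open redirector.
    Returns ('redirect', uri) or ('error', message)."""
    if not check(client_id, redirect_uri):
        return ("error", "invalid redirect_uri; show an error page, do not redirect")
    return ("redirect", redirect_uri)


def safe_local_target(target: str) -> bool:
    """Relying-party side: a 'where to go after login' parameter may only
    name a relative path on this origin. Rejects absolute URLs,
    scheme-relative //host forms, backslash variants some browsers treat as
    slashes, and whitespace/control characters that browsers strip."""
    if any(ord(c) < 0x21 for c in target):
        return False
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    open_redirector = "https://app.example.com/go?u=https://evil.example/"
    print("host-only check:", authorize("demo-client", open_redirector, weak_redirect_ok))
    print("exact match    :", authorize("demo-client", open_redirector))
    for t in ["/dashboard", "//evil.example/", "https://evil.example/", "/\\evil.example"]:
        print(f"{t!r:26} same-origin={safe_local_target(t)}")
```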

Attack Targets Facebook Users in India (May 1 & 2, 2014)

An attack targeting Facebook users in India tries to lure people in with the offer of a tool that will supposedly allow them to break into other people's accounts. The attack directs users to a Google Drive document that contains JavaScript code. Users are instructed to cut and paste the code into their browser's console window. Instead of being able to break into other people's accounts, the users' own Facebook accounts are hijacked. The attack is called self cross-site scripting because the users are induced to run the attack code themselves. While the attack has clear signs that it is a scam, it has reportedly still racked up 50,000 to 100,000 likes for various pages.
-http://www.theregister.co.uk/2014/05/02/india_facebook_self_cross_site_scripting_scam/

-http://www.pcworld.com/article/2150360/bogus-facebook-hacking-tool-dupes-users.html

National Collegiate Cyber Defense Competition (April 29, 2014)

The eleventh annual National Collegiate Cyber Defense Competition (NCCDC) was held in San Antonio, Texas late last month. Students from the 10 universities that won regional championships were invited to participate in the three-day event. Each team is responsible for a fictional tech company with seven to 10 servers and 50 or more users. The teams must keep their servers running, address customer concerns, and balance business and security. Of course, a Red Team aims to make things difficult. A member of last year's winning team said, "A lot of material you learn in school is very watered down. The great thing about security competitions is that they give you pretty much every challenge you could see in a very short amount of time." In 2006, 24 universities participated in the competitions. In 2014, that number was 180. The University of Central Florida won this year's competition.
-http://www.csmonitor.com/Innovation/2014/0429/Next-generation-of-cyber-defenders-prepare-for-expanding-battlefield-video

Missile Launch Control System Uses Eight-Inch Floppy Disks (April 27 & 28, 2014)

The April 27 edition of US television news magazine 60 Minutes included a story about the guardians of the country's land-based nuclear weapons. The story revealed that the computer system used to control the launch of nuclear missiles is so old that it still uses eight-inch floppy disks. Many of the systems in the facility featured in the story date back forty or fifty years. The system is not connected to the Internet.
-http://arstechnica.com/information-technology/2014/04/60-minutes-shocked-to-find-8-inch-floppies-drive-nuclear-deterrent/

-http://www.cbsnews.com/news/whos-minding-the-nuclear-weapons/

STORM CENTER TECH CORNER

More About Coin Mining DVRs
-https://isc.sans.edu/forums/diary/Coin+Mining+DVRs+A+compromise+from+start+to+finish+/18071

New Chrome UI Supposed to prevent phishing
-http://www.theregister.co.uk/2014/05/05/chrome_origin_chip_ui_controversy/

Smart Phone Accelerometers Can Identify Individual Phone
-http://www.technologyreview.com/news/527031/now-your-phones-tilt-sensor-can-identify-you/

EFF Foundation: Privacy Badger
-https://www.eff.org/privacybadger

Recent security relevant changes to Browsers and HTML/HTTP Standards
-https://isc.sans.edu/forums/diary/And+the+Web+it+keeps+Changing+Recent+security+relevant+changes+to+Browsers+and+HTML+HTTP+Standards/18075



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/