SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #4

January 14, 2014

TOP OF THE NEWS

US Supreme Court Lets Stand Border Gadget Search Case
Oracle's Quarterly Update Will Include Nearly 150 Fixes
Cisco Warns of Vulnerability in Several Devices

THE REST OF THE WEEK'S NEWS

Samsung Responds to Report of Flaw in Knox Security Platform
Healthcare Industry to Hold Cyber Attack Simulation
Target Says Malware Found of Point-of-Sale Terminals
Study Finds NSA Phone Metadata Collection Not An Effective Tool Against Terrorism
Neiman Marcus Investigating Payment Card Data Breach
US Air Force Academy Cyber Team Wins National Competition
US Supreme Court to Hear Aereo Case
House Passes HealthCare.gov Security Bill
Data Protection and Breach Notification Legislation Reintroduced in US Senate

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec ************************
Layered Security: Why It Works - SANS Analyst White Paper
Attackers are leaving no stone unturned, prying into web applications, operating systems and even deeper in the hardware. They're taking advantage of conventional endpoints and mobile devices, slipping past and through network security, and even taking advantage of the human element operating the devices. The layered model is more relevant than ever.
http://www.sans.org/info/148535
***************************************************************************
TRAINING UPDATE


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- -- SANS Cyber Threat Intelligence Summit Feb. 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

US Supreme Court Lets Stand Border Gadget Search Case (January 13, 2014)

The US Supreme Court has let stand an appellate court ruling that says border agents may search electronic gadgets without reason for suspicion. However, the lower court ruling also found that for the border agents to conduct in-depth forensic analysis of the devices, they must have reasonable suspicion of criminal activity. The case involves a California man whose laptops and cameras were seized and searched upon his return to the US from Mexico. The agents found evidence of child pornography on the devices. The appellate court ruled that the agents did have reasonable suspicion to search Howard Cotterman's devices because his name was on a watch list as he is a convicted sex offender and travels frequently to places known for sex tourism.
-http://www.wired.com/threatlevel/2014/01/scotus-border-gadget-searches/
-http://www.computerworld.com/s/article/9245368/Justices_let_stand_appeals_court_
decision_on_border_searches_of_laptops?taxonomyId=17

Oracle's Quarterly Update Will Include Nearly 150 Fixes (January 10, 2014)

Oracle's quarterly security update will address 147 issues in a variety of products. Thirty-six of the fixes are for Java SE, the majority of which can be exploited remotely without user names or passwords.
-http://www.computerworld.com/s/article/9245341/Oracle_preps_147_security_patches
_including_36_for_Java?taxonomyId=17
-http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
[Editor's Note (Pescatore): How many times will the Oracle patches try to trick us into installing toolbars and other unwanted/unrelated software?
(Ullrich): Time for the regular reminder: Uninstall Java or at least use modern browser's ability to restrict it! ]

Cisco Warns of Vulnerability in Several Devices (January 10,13 & 14, 2014)

Cisco has issued a security advisory warning of a vulnerability in some of its small business devices. The flaw could be exploited to gain root access to WAP4410N Wireless-N Access Points, WRVS4400N Wireless-N Gigabit Security Routers, and RVS4000 4-port Gigabit Security Routers. There are presently no workarounds for the issue, but Cisco says it will release updates to fix the problem by the end of the month. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Cisco+Small+Business+Devices+backdoor+fix/1739
9/
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
140110-sbd
-http://www.theregister.co.uk/2014/01/14/cisco_small_business_router_flaw/
-http://www.computerworld.com/s/article/9245354/Cisco_says_it_will_fix_backdoor_f
ound_in_routers?taxonomyId=17
[Editor's Note (Ullrich): Cisco calls it an "undocumented test interface". "Backdoor" is probably a better description of the functionality provided by this test interface. We set up a simple tool to scan home routers from the "outside" at
-https://isc.sans.edu/quickscan.html
(login required). The tool will not just scan for this latest backdoor but also for commonly exposed admin interfaces. Also note that Cisco isn't the only vendor affected here. It appears that affected routers, regardless the label found on the router, were manufactured by SerComm and that SerComm added the backdoor, something supported by the fact that the string to activate the backdoor is "ScMM". Network equipment manufacturers still don't take these supply chain issues serious enough. It is also disappointing that a simple open listening port shipped with millions of devices remained undiscovered for such a long time. Does nobody scan their network proactively anymore? Or are we all used to "random listening ports"?
(Northcutt): When I first heard the term "Internet of Things", I thought it was pretty dumb. Now every week I realize who was dumb; me. I wish I had attended the Internet of things conference and if they repeat it will try to get there:
-http://www.sans.org/event/internet-of-things-summit
-https://isc.sans.edu/forums/news/SANS+Announces+Results+of+its+2013+Securing+the
+Internet+of+Things+Survey/785978/]

---

************************** Sponsored Links: ******************************
1) 2nd SCADA ICS survey: control systems security experts, give us your thoughts on the issues that keep you up at night! We want your opinions on the threats and challenges facing our infrastructure today. Take our survey now and you might win a free iPad. http://www.sans.org/info/148540

2) The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA will bring together practitioners and experts to give you the knowledge you need to deal with the next wave of threats. http://www.sans.org/info/148545

3) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/148550
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Samsung Responds to Report of Flaw in Knox Security Platform (January 13, 2014)

Samsung and Google have issued a joint advisory explaining that a security issue thought to be particular to Samsung devices is actually the result of using "legitimate Android network functions in an unintended way." Late last year, there were reports that a flaw in the implementation of the Knox security platform could expose sensitive data. The issue was thought to be specific to Samsung Galaxy S4 phones. The advisory notes that the "research did not identify a flaw or bug in Samsung KNOX or Android
[but instead ]
demonstrated a classic man-in-the-middle attack."
-http://www.theregister.co.uk/2014/01/13/knox_vuln_is_android_not_us_says_samsung
/
-http://www.zdnet.com/samsung-denies-data-leakage-flaw-in-knox-7000025074/
Joint Statement:
-https://www.samsungknox.com/en/blog/samsungs-official-response-recent-article-kn
ox-vulnerability

Healthcare Industry to Hold Cyber Attack Simulation (January 13, 2014)

In March, the Health Information Trust Alliance (HITRUST) will coordinate Cyber RX, a cyber attack simulation for hospitals, pharmaceutical manufacturers, insurers, the Department of Health and Human Services (HHS) and other organizations in the sector. It is the first such drill for the health sector. It is not clear if the exercise will include the HealthCare.gov website.
-http://www.nextgov.com/cybersecurity/2014/01/health-care-sector-test-reflexes-cy
ber-attack/76676/?oref=ng-HPtopstory
-http://www.darkreading.com/government-vertical/healthcare-organizations-plan-fir
st-indu/240165337

Target Says Malware Found of Point-of-Sale Terminals (January 12 & 13, 2014)

Target is now acknowledging that there was malware on its point-of-sale terminals. In addition, the breach, already one of the largest known breaches of payment card data to date, affected as many as 110 million Target customers, nearly three times the initial estimate. Target CEO Gregg Steinhafel says the company is planning "significant changes" in response to the breach, but did not elaborate.
-http://www.scmagazine.com//target-ceo-confirms-malware-on-pos-machines-talks-chi
p-cards/article/329166/
-http://news.cnet.com/8301-1009_3-57617106-83/target-confirms-malware-used-on-poi
nt-of-sale-terminals/
-http://krebsonsecurity.com/2014/01/target-names-emails-phone-numbers-on-up-to-70
-million-customers-stolen/
-http://www.computerworld.com/s/article/9245330/Update_Breach_exposes_data_on_110
_million_customers_Target_now_says?taxonomyId=17
-http://ca.news.yahoo.com/target-planning-quot-significant-changes-quot-data-brea
ch-043426651--sector.html
[Editor's Note (Murray): This is simply not a coherent report. "CCVs," and "names and addresses" do not appear at the "point-of-sale" while "PINs" are in the clear at the point-of-sale. Moreover contaminating enough point-of-sale devices to compromise more than a 100 million cards in two weeks would seem a daunting task. It seems far more likely that the payment card processing system was compromised but six weeks after the event, we are left with as many questions as answers. Steinhafel may be the right executive to assure us of Target's good intentions but not the one to enlighten us as to what happened. ]

Study Finds NSA Phone Metadata Collection Not An Effective Tool Against Terrorism (January 12 & 13, 2014)

A study from the New America Foundation finds that the NSA's bulk collection of phone metadata "has had no discernible impact on preventing acts of terrorism." The NAF analyzed the cases of "225 individuals ... charged in the United States with an act of terrorism since 9/11." In the majority of instances, conventional investigative methods provided the impetus to open the case. The study found that just one case had been initiated due to information obtained through the wholesale data collection.
-http://www.washingtonpost.com/world/national-security/nsa-phone-record-collectio
n-does-little-to-prevent-terrorist-attacks-group-says/2014/01/12/8aa860aa-77dd-1
1e3-8963-b4b654bcc9b2_story.html
-http://arstechnica.com/tech-policy/2014/01/report-nsa-bulk-metadata-collection-h
as-no-discernible-impact/
Study:
-http://www.newamerica.net/sites/newamerica.net/files/policydocs/Bergen_NAF_NSA%2
0Surveillance_1.pdf
[Editor's Note (Pescatore): Of course, after the next terrorist attack there will be equal and opposite studies from numerous foundations about the failure to collect the right information to have detected the attack in its preparation phase. ]

Neiman Marcus Investigating Payment Card Data Breach (January 10, 2014)

Neiman Marcus says that it was also targeted in a data breach over the past few months. The retailer says its database was infiltrated in December. As in the Target breach, the attack affects people who shopped in physical stores but not online shoppers. Neiman Marcus is working with the Secret Service to investigate the breach.
-http://news.cnet.com/8301-1009_3-57617075-83/credit-card-hackers-hit-neiman-marc
us/
-http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/

US Air Force Academy Cyber Team Wins National Competition (January 12, 2014)

The US Air Force Academy's Cyber Team is ranked fifth in the world and first in the US. The team has 16 members who train four days a week and participate in simulated attack competitions against teams around the world. The team is preparing for the NSA's annual competition in April, which it has won for the last two years.
-http://www.stripes.com/news/air-force/air-force-academy-s-cyber-team-reaches-rar
e-heights-1.261732

US Supreme Court to Hear Aereo Case (January 10, 2014)

The US Supreme Court will hear a case brought by television and film studios against Aereo, a startup company that lets users stream content. The plaintiffs maintain that Aereo's business model redistributes, without a license, content they broadcast and that the activity constitutes copyright infringement. The companies want Aereo to pay them for the right to redistribute their content.
-http://www.wired.com/threatlevel/2014/01/supreme-court-decide-online-broadcast-t
vs-future/
-http://money.cnn.com/2014/01/10/technology/aereo-supreme-court/index.html
-http://arstechnica.com/tech-policy/2014/01/supreme-court-to-finally-settle-case-
between-broadcasters-aereo/
[Editor's Note (Murray): It should be noted that the lower courts have sided with Aereo and that Aereo "consented" to the appeal to the SCOTUS. ]

House Passes HealthCare.gov Security Bill (January 10, 2014)

The US House of Representatives has passed a bill that would impose strict new security requirements on the HealthCare.gov website. The legislation would require the Department of Health and Human Services (HHS) to notify people within two days if their personal information is compromised. HHS officials say that the website meets the government's information security standards and that no personal information has been compromised. The bill is unlikely to pass in the Senate.
-http://www.nextgov.com/health/2014/01/house-passes-new-security-requirements-hea
lthcaregov/76619/?oref=ng-HPtopstory
-http://politicalticker.blogs.cnn.com/2014/01/10/house-passes-obamacare-website-s
ecurity-bill/
[Editor's Note (Pescatore): Glad to hear it won't pass. Legislation mandating specific security requirements onto specific government websites is obviously not aimed at increasing security. ]

Data Protection and Breach Notification Legislation Reintroduced in US Senate (January 10, 2014)

US Senator Patrick Leahy (D-Vermont) has reintroduced legislation aimed at protecting people's privacy. This time, the bill includes provisions calling for the establishment of a federal standard for data breach disclosure, and data protection standards for businesses retaining sensitive information. The bill would also impose criminal penalties for people convicted of attempted computer hacking and conspiracy to commit computer hacking.
-http://www.lohud.com/usatoday/article/4397409
-http://rt.com/usa/leahy-data-privacy-cfaa-330/

---

STORM CENTER TECH CORNER

External Entity Attacks
-https://isc.sans.edu/forums/diary/Is+XXE+the+new+SQLi+/17375

Massive PHP RFI Scans
-https://isc.sans.edu/forums/diary/Massive+PHP+RFI+scans/17387

Microsoft Advance Notification for January Patch Tuesday
-http://technet.microsoft.com/en-us/security/bulletin/ms14-jan

Oracle Critical Patch Update Advance Notification
-http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Avast False Positives
-http://www.youtube.com/watch?v=0WBXOHqAbj0&feature=player_embedded

Yahoo Webmail HTTPS Enabled, But Not Up to Current Standards
-http://threatpost.com/critics-cut-deep-on-yahoo-mail-encryption-rollout/103534

Cisco Publishes Firmware Update For Small Business Routers
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
140110-sbd

LinkedIn Trying to Identify Screen-Scrapers via Court Order
-http://www.theregister.co.uk/2014/01/09/data_scrapers_used_amazon_cloud_linkedin
/

Microsoft Blog and Social Media Accounts Breached
-http://news.cnet.com/8301-17852_3-57617085-71/microsofts-twitter-account-dont-us
e-our-e-mail/

Does your Firewall Block IPv6?
-https://isc.sans.edu/forums/diary/Got+an+IPv6+Firewall+/17417

Antivirus Support for Windows XP
-http://www.heise.de/ct/artikel/Support-ins-Ungewisse-2077373.html?view=zoom;zoom
=2

Dropbox Outage Caused by Misconfiguration, not DDoS
-https://blog.dropbox.com/2014/01/back-up-and-running/

FFMPeg and a Thousand Fixes
-http://j00ru.vexillium.org/?p=2211

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/