SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #42

May 27, 2014

TOP OF THE NEWS

eBay Facing Investigations Over Breach
Bill Would Eliminate Requirement for NIST to Consult with NSA on Encryption Standards Development
London Police Report Rise in Electronically-Enabled Car Break-ins

THE REST OF THE WEEK'S NEWS

Zberp Trojan Targets 450 Financial Institutions
WordPress Sends Browser Cookie in Plaintext
New Zealand Supercomputer Intrusion
Federal Prosecutors Seek Light Sentence for LulzSec Member Turned Informant
Proposed Legislation Aims to Punish Those Who Benefit from Economic Cyber Espionage
Shockwave Player Contains Outdated Version of Flash
Apple Issues Safari Updates
Nemanja Malware Botnet
Microsoft Technically Won the Battle, but FBI Got the Information Anyway
Cyber Security Requirements and US Government Procurement

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec **************************
Webcast: 2013 Year of the Mega Breach - Fight Back with a Layered Defense May 29, 10:00am PT - From spam to Heartbleed and everything in between - protecting your business is well past just antivirus. Whether you are a large or small business there are bad guys looking to exploit any vulnerability they can find in your systems. Today smart business protection calls for a layered defense strategy. Join us to find out how you can protect your business. http://www.sans.org/info/160357
***************************************************************************
TRAINING UPDATE


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http:/www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

eBay Facing Investigations Over Breach (May 23, 2014)

Attorneys general in three US states are launching a joint investigation into the eBay breach. The UK's Information Commissioner is considering a formal probe of the incident that compromised personal information of 145 million account holders.
-http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/
-http://www.scmagazine.com/states-probe-ebay-after-breach-affects-all-its-users/a
rticle/348422/
-http://www.bbc.com/news/technology-27539799
-http://www.theregister.co.uk/2014/05/23/ebay_security_breach_investigations/
[Editor's Note (Pesactore): The CEO "walk of shame" on national TV is common after big oil spills, business failures, auto safety fiascoes, etc. It is good to see it becoming common for big breaches, too - even though eBay has had a pretty good track record overall. Security folks need to be prepared to tell their CEO, "Here's why it won't happen to you up there" or "Here's what I've been saying we have to do, or else it *will* be you."
(Murray): This is far and away the most damaging breach in the history of the Internet. eBay has been successful in keeping the public focused on passwords, the one piece of data that was encrypted. While eBay is a victim and I generally oppose "piling on" victims, this case is an exception to my rule. eBay is not simply a "bricks and mortar" merchant with a web site. It is one of the two big Internet merchants that owe their business model to the Internet. An investigation is likely to show that their security did not include strong authentication for privileged users, effective encryption for sensitive customer data, and isolation of that data from the public networks. They must be held to a higher standard than that. ]

Bill Would Eliminate Requirement for NIST to Consult with NSA on Encryption Standards Development (May 26, 2014)

US legislators have passed a bill that would remove the requirement that the National Institution of Standards and Technology (NIST) consult with the National Security Agency on the development of encryption standards. NIST has denied weakening standards at the NSA's request after information released by Edward Snowden suggested otherwise.
-http://www.theregister.co.uk/2014/05/26/congress_divorces_nist_from_nsa/
[Editor's Note (Pescatore): Even if there were no legislative requirement for NIST to consult with NSA on crypto standards, common sense says they *should* consult with the largest group of crypto experts in the US, as well as NSA's counterparts in other countries. I hope the "Committee of Visitors" reviewing NIST's crypto standards development process recommends a high-transparency approach for doing so. ]

London Police Report Rise in Electronically-Enabled Car Break-ins (May 20, 2014)

According to London's Metropolitan Police, nearly half of the 89,000 car break-ins reported last year were facilitated with electronic devices. One of the devices that thieves are using to break into cars' computers allows them to gain access to a car's integrated diagnostic unit; the information gleaned from that system could be used to manufacture a duplicate electronic key.
-http://www.forbes.com/sites/williampentland/2014/05/20/car-hacking-goes-viral-in
-london/

---

************************** Sponsored Links: ******************************
1) Download the free eBook: Endpoint Threat Detection, Response and Prevention for Dummies! http://www.sans.org/info/160362

2) Analyst Webcast: Kill Malware in its Tracks with Intelligent Sensors, featuring Rob Vandenbrink and Elissa Lippencort, thursday, June 19 at 3 PM EDT http://www.sans.org/info/160367

3) Government IT Pros! Tell us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/160372. Also Enter to Win an iPad!
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Zberp Trojan Targets 450 Financial Institutions (May 26, 2014)

A newly detected Trojan horse program appears to combine the strengths of ZeuS and Carberp to target online banking accounts. Zberp targets 450 financial institutions worldwide. It can harvest IP addresses and other information about infected computers; take screen shots and send them to a remote server; steal FTP and POP3 credentials, SSL certificates, and data that users enter into web forms; hijack browser sessions; and establish remote desktop connections. Zberp also uses steganography to send configuration updates.
-http://www.computerworld.com/s/article/9248567/New_banking_Trojan_Zberp_offers_t
he_worst_of_Zeus_and_Carberp
[Editor's Comment (Northcutt): I do not understand something here. Carberp was being sold to people to do nefarious deeds and Zberp, an advanced variant is being given away. For people with a technical interest, securityintelligence has a nice write up:
-http://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/]

WordPress Sends Browser Cookie in Plaintext (May 26, 2014)

If users log in to a blog hosted by WordPress from public Wi-Fi or other unsecured connections, the site could be hijacked even if two-factor authentication is in place. The WordPress servers send an unencrypted cookie in plaintext that, if grabbed by someone else, could be used to bypass login requirements and give whoever has the cookie access to the account holder's information with the account holder's privileges. WordPress sites self-hosted on servers with full HTTPS support are not vulnerable to the attack.
-http://arstechnica.com/security/2014/05/unsafe-cookies-leave-wordpress-accounts-
open-to-hijacking-2-factor-bypass/
[Editor's Note (Murray): Privileged state must always be hidden, preferably by strong encryption. One expects that those developing widely used infrastructure application code to know that. ]

New Zealand Supercomputer Intrusion (May 26, 2014)

A supercomputer at New Zealand's National institute of Water and Atmospheric Research (NIWA) is back online after an intrusion. NIWA took the supercomputer offline last week after becoming aware that unauthorized users were attempting to access it. The computer is used to run scientific models. NIWA says that it holds no personal information.
-http://www.computerworld.co.nz/article/546034/niwa_supercomputer_back_online_/
-http://www.theregister.co.uk/2014/05/26/kiwis_unplug_niwa_super_after_intrusion_
spotted/
-http://www.stuff.co.nz/technology/60075949/niwa-supercomputer-hacked

Federal Prosecutors Seek Light Sentence for LulzSec Member Turned Informant (May 24 & 25, 2014)

US federal prosecutors are pushing for a light sentence for a member of the LulzSec group who turned informant and helped the FBI thwart more than 300 attacks against private companies, military systems, Congress and other entities. Hector Xavier Monsegur, known online as Sabu, participated in attacks against HBGary and other companies before his June 2011 arrest. He began cooperating with federal authorities immediately thereafter. Monsegur reportedly helped with the case against Jeremy Hammond, who is now serving a 10-year prison sentence for his role in the Stratfor attack. Although Monsegur could face up to 26 years in prison, the government is asking that his sentence be limited to time served because of his cooperation and help. Monsegur is set to be sentenced on Tuesday, May 27
-http://arstechnica.com/tech-policy/2014/05/prosecutors-ex-lulzsec-hacker-sabu-he
lped-authorities-stop-300-cyberattacks/
-http://money.cnn.com/2014/05/25/technology/security/hacker-sabu-fbi/index.html
-http://www.cnet.com/news/feds-recommend-lenience-for-lulzsec-hacker-sabu/
-http://www.computerworld.com/s/article/9248566/U.S._wants_leniency_for_Sabu_the_
Lulzsec_leader_turned_snitch?taxonomyId=17
-http://www.wired.com/2014/05/sabu-time-served-sentence/
Editor's Note (Northcutt): The CNN.COM has an interesting statement about Monsegur AKA Sabu, "He hacked thousands of computers, at first in a bid to build a legitimate computer security company and then to steal and pay his bills, prosecutors said." Hmmm, that is an interesting approach to create a legitimate security company. ]

Proposed Legislation Aims to Punish Those Who Benefit from Economic Cyber Espionage (May 22 & 23, 2014)

The same week that the US Justice Department (DOJ) indicted five members of China's people's Liberation Army (PLA) for alleged economic espionage, US legislators have introduced a bill that would impose penalties on people who gain from such activity. The Deter Cyber Theft Act is actually a revision of a bill proposed last year. It would give the President the authority to instruct the Treasury Department to freeze assets belonging to foreign individuals and entities that have been found "to have benefitted from theft of US technology or proprietary information stolen from the Internet."
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/23/lawmakers-want-to-s
anction-people-who-profit-from-economic-cyberspying/
-http://thehill.com/policy/technology/207007-senators-take-on-cyber-spying
-http://www.levin.senate.gov/newsroom/speeches/speech/senate-floor-statement-of-s
en-carl-levin-on-the-introduction-of-the-deter-cyber-theft-act/?section=alltypes
[Editor's Note (Pescatore): Birds gotta fly, legislators gotta legislate. But taking economic sanction against entities that do a slightly different "flavor" of cyber-espionage than US does seems very likely to have a boomerang effect if ever actually enacted and enforced.
(Honan): China is taking a number of retaliatory steps: banning the use of US based consulting firms, prohibiting Windows 8 on Chinese government machines, requesting Chinese banks to remove IBM hardware, and accusing Cisco of cooperating with the NSA in spying,
-http://arstechnica.com/tech-policy/2014/05/china-cites-us-for-unscrupulous-spyin
g-wants-ibm-out-of-banks/]

Shockwave Player Contains Outdated Version of Flash (May 21 & 23, 2014)

The most recent version of Adobe Shockwave Player contains 18 known vulnerabilities. The version of Flash Player included in the most recent version of Shockwave has not been updated since January 2013. Adobe plans to fix the problems in the next Shockwave update, but did not say when that update would be coming. The best way to protect vulnerable systems is to uninstall Shockwave until the fixed version is released.
-http://www.theregister.co.uk/2014/05/23/shockwave_shocker_movie_box_riddled_with
_0day_archive_of_antiquity/
-http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/
-http://www.kb.cert.org/vuls/id/323161

Apple Issues Safari Updates (May 22 & 23, 2014)

Apple has released updates for Safari to address 21 vulnerabilities in the browser, several of them critical. The newest versions of Safari are 6.1.4 and 7.0.4.
-http://www.v3.co.uk/v3-uk/news/2346481/apple-plugs-critical-safari-browser-vulne
rabilities
-http://www.eweek.com/blogs/security-watch/apple-fixes-safari-7.0.4-for-old-flaws
.html
[Editor's Note (Murray): Browsers continue to be the Achilles Heel of personal computers and the Internet. Too open, too many "features." ]

Nemanja Malware Botnet (May 22 & 23, 2014)

Malware known as Nemanja is believed to have infected nearly 1,500 point-of-sale machines, accounting systems, and other back-office systems around the world. Nemanja has been used to compromise an estimated 500,000 payment cards. The malware has keystroke-logging capabilities, which allow it to collect credentials used to gain access to other systems.
-http://www.scmagazine.com/nemanja-pos-malware-compromises-1500-devices-half-a-mi
llion-payment-cards-worldwide/article/348183/
-http://www.computerworld.com/s/article/9248541/Researchers_find_a_global_botnet_
of_infected_PoS_systems?taxonomyId=17
[Editor's Note (Murray): EMV and strong authentication will not fix our broken payment system all by themselves but they are nonetheless essential to resisting these attacks. ]

Microsoft Technically Won the Battle, but FBI Got the Information Anyway (May 22, 2014)

A story last week reported that Microsoft successfully challenged an FBI National Security Letter (NSL) requesting information about an account belonging to one of the company's enterprise customers. The accompanying non-disclosure requirement of the NSL forbade Microsoft from telling the company about the FBI's request, and it was this portion that Microsoft successfully challenged in court. The story reported that the FBI withdrew the NSL upon Microsoft's challenge, but in fact, the FBI obtained the information it was seeking directly from the enterprise customer.
-http://www.computerworld.com/s/article/9248534/Microsoft_claims_win_over_FBI_but
_agency_still_got_info_it_wanted?taxonomyId=17
[Editor's Note (Honan): One of the big challenges law enforcement agencies have is obtaining digital evidence in a timely manner from other jurisdictions. Current MLAT (Mutual Legal Assistance Treaty) requests under which such information is sought are time consuming and cumbersome. While I commend Microsoft for challenging this NSL we still need to develop better ways for law enforcement agencies to work more effectively, but without undermining the rights of individuals or the sovereignty of other nations and their judicial processes. ]

Cyber Security Requirements and US Government Procurement (May 22, 2014)

Acquisitions experts speaking at a Coalition for Government Procurement panel last week said that while some initiatives have helped industry and government develop cyber security requirements, the government still "isn't speaking with one voice" regarding cyber security requirements and acquisition; there are still many different sources of guidance on the subject, and they do not all agree. Richard Blake, business management specialist with the Government Services Administration's (GSA's) Federal Acquisition Service Enterprise GWAC Center, says the GSA is seeking help from the private sector regarding about coordinating government contract cyber security requirements and the supply chain.
-http://fcw.com/articles/2014/05/22/cyber-aquisition.aspx
[Editor's Note (Pescatore): This discussion suffers from two fatal flaws: (1) it talks about "cyber-security sensitive" vs. making sure security is considered in all technology acquisitions; and (2) it talks about procurement regulations needing to change as threats change, vs. a focus on removing vulnerabilities in the products and services, which are what the multiple of threats exploit and don't change anywhere near as often. The DoD Defense Industrial Base effort seems to be doing some good work in this area. ]

---

STORM CENTER TECH CORNER

Extend Windows XP Update to 2019 (on your own risk!)
-http://www.networkworld.com/community/blog/registry-hack-enables-free-windows-xp
-security-updates-until-2019

Virustotal Now Supports Mac Malware
-https://www.virustotal.com/en/documentation/desktop-applications/mac-osx-uploade
r

Apple Forgets to Update Certificate
-http://www.macrumors.com/2014/05/25/apple-software-update-invalid/

Additional EBay Vulnerabilities
-http://www.heise.de/security/meldung/Cookie-Klau-durch-zwei-Monate-alte-eBay-Lue
cke-2196557.html
-http://www.ehackingnews.com/2014/05/researcher-finds-vulnerability-in-ebay.html

E-Bay Leaks For Sale Likely Fake
-https://twitter.com/kennwhite/status/469513812727451649

Facebook Leaking Skype E-Mail Addresses
-http://blog.internot.info/2014/05/facebook-skype-to-email-leak-3000-bounty.html

Destroyed Hardware Devices
-http://www.theregister.co.uk/2014/05/23/grauniad_peripherals_trashed_in_gchq_sno
wden_raid

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/