SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #48

June 16, 2014

A couple of interesting debates in this issue - where should the CIO report (the Target story) and the value of the release of intelligence/attribution versus vulnerability reduction (the Chinese Espionage story at the end).

More than 4,000 newly identified security people (winners of the CyberAces statewide competitions in 7 states) as well as experienced pros are participating in tomorrow's virtual career fair. 18 cool employers ranging from JPMorgan and Citi, NBC/Comcast and CBS, to KPMG, Accenture, E&Y, Solutionary and other service providers, along with INSCOM and NSA. nationalcybersecuritycareerfair.com

Alan

---

TOP OF THE NEWS

Chinese Spies Stockpiling Critical Infrastructure Vulnerabilities
PF Chang's Acknowledges Breach; Company Now Using Carbon Copy Payment
Appeals Court Upholds Decision in Favor of Bank in Fraudulent Wire Transfer Case
Windows 7 Users Must Install April Update to Receive IE 11 Patches

THE REST OF THE WEEK'S NEWS

Turning Private WiFi Routers into Public Hotspots
Canadian Supreme Court Says Warrant Required to Obtain Customer Data From ISPs
Target's Decision to Hire CISO Lauded, But Position in Chain of Command Questioned
Three Month Sentence for Former Microsoft Employee Who Leaked Information to Blogger
Judge Says DOJ May Have Improperly Withheld Documents, Orders 66 Pages for Review
Canadian Teen Arrested in Connection with Bell Canada Customer Data Breach
Report of Second Chinese Military Cyber Espionage Unit Questioned

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Sophos Inc. ***********************
Organizations today need to keep data safe without affecting user productivity. Encryption solutions need to be simple to manage and protect corporate information wherever it goes. Download this Encryption Buyers Guide to help you choose the right solution for your organization. Learn More:
http://www.sans.org/info/161905
***************************************************************************
TRAINING UPDATE

- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Chinese Spies Stockpiling Critical Infrastructure Vulnerabilities (June 13, 2014)

A man in China using the online handle UglyGorilla appears to have gained access to the network of a Northeastern US utility company. The intruder copied schematics and security guard memos, sought out systems that regulate natural gas flow. The man, who is one of five people indicted last month by the US Justice Department (DOJ), appears to have been on a scouting mission to prepare for possible cyber warfare. The group that he is part of has allegedly been focused on SCADA systems, looking for flaws that could be exploited to manipulate availability of utilities and mapping physical infrastructure. The strategy is compared to the stockpiling of nuclear weapons during the Cold War.
-http://www.bloomberg.com/news/2014-06-13/uglygorilla-hack-of-u-s-utility-exposes
-cyberwar-threat.html
[Editor's Note (Assante): What is not being emphasized enough here is that our current defenses are stopping virtually none of these actors from gaining footholds, we are rarely seeing them from inside the target, and we have little confidence that we can remove them. The ironic tragedy is that the ICS network is far more defendable, than connected enterprise networks, as it is designed with specific purpose and functionality. We fail to take advantage of this attribute as most have little or no security visibility on the inside and lack a baseline of normal communications. ICS end-users need to re-think maintaining credentials and leveraging services on the less trusted and more accessible enterprise network. The only way to maintain a secure and therefore reliable and predictable ICS is to rely on secure architecture & practices, deploy real-time monitoring tools, and equip your engineers and security staff with the knowledge and methods to manage the integrity of your operational technology.
(Murray): My assumption has always been that most such target identification activity is quiet, subtle, and beneath the target's level of notice. We probably should be more vigilant. ]

PF Chang's Acknowledges Breach; Company Now Using Carbon Copy Payment (June 13, 2014)

Arizona-based restaurant chain PF Chang's has confirmed that a breach of its computer systems compromised customers' payment card information. The US Secret Service notified the company of the breach on June 10. It has not yet been officially determined how the system was breached. As a security precaution, PF Chang's is now using manual credit card imprinting until the company can be more certain that the electronic payment system is secure. While the company has restaurants in Canada, Mexico and countries in South American and the Middle East, the breach appears to affect only cards from the continental US.
-https://isc.sans.edu/forums/diary/A+welcomed+response+PF+Chang+s/18259
-http://pfchangs.com/security/
-http://www.scmagazine.com/pf-changs-investigates-breach-shifts-to-manual-payment
-card-imprinting/article/355753/
[Editor's Note (Murray): Agh! Well, this way, P.F. Chang may not leak as many credit card numbers. On the other hand, they will not be able to recognize lost or stolen cards that are presented to them. Do you suppose Visa and MasterCard will return to publishing the big books of canceled card numbers, the ones we had to use before we had online point of sale systems. Security is harder than it looks and intuition does not serve very well.
(Honan): The interesting part of this story is how PF Chang used a workaround, using carbon copies, while they investigation the breach and ensure their systems are secure. Let it be a lesson to all in incident response to have alternative solutions to keep the business running to give you time to investigate a breach more thoroughly. ]

Appeals Court Upholds Decision in Favor of Bank in Fraudulent Wire Transfer Case (June 16, 2014)

The 8th Circuit Court of Appeals has upheld a lower court ruling, which found a Mississippi-based bank not liable for a company's losses due to a fraudulent wire transfer. In this case the company, Choice Escrow and Land Title LLC, had explicitly chosen not to use dual controls - requiring two employees to approve transactions - which the bank offered as another layer of security. Choice Escrow had sought to recover the nearly US $450,000 that was stolen in a single wire transfer in 2010.
-http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/
-http://krebsonsecurity.com/wp-content/uploads/2014/06/choice-appeal-decision.pdf

Windows 7 Users Must Install April Update to Receive IE 11 Patches (June 15 & 16, 2014)

Last week, Microsoft did not serve patches for Internet Explorer 11 (IE 11) to Windows 7 users who had not yet installed an April 2014 update for the browser. Users are urged to apply fixes found in Microsoft bulletin MS14-018,
-http://www.computerworld.com/s/article/9249125/Microsoft_strips_some_Windows_7_u
sers_of_IE11_patch_privileges?taxonomyId=17
-http://www.theregister.co.uk/2014/06/16/ie_11_apply_april_fix_or_be_hacker_fodde
r/

---

************************** Sponsored Links: ******************************
1) Webcast: Reaping the Benefits of Continuous Monitoring and Mitigation At Pioneer Investments. Wednesday, June 18 at 3:00 PM EDT (19:00:00 UTC) John Pescatore and Ken Pfeil. http://www.sans.org/info/161910

2) Kill Malware with Intelligent sensors, a review of SANS network security survey, featuring Rob Vandenbrink Thursday, June 19, Special Time of 3 PM EDT http://www.sans.org/info/161915

3) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II to learn how the early adopters in government are using CDM to increase security. August 1, 2014 in Washington, DC. http://www.sans.org/info/159487
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Turning Private WiFi Routers into Public Hotspots (June 16, 2014)

Over the past year, Comcast started exchanging customers' home wi-fi routers for models that allow them to be used as public hotspots. The arrangement does not allow passers-by access to password-protected home networks, but is instead intended to allow users with registered Xfinity accounts access wi-fi connections while visiting friends or in public places. The routers do not have a stronger signal, meaning people driving past homes are not likely to piggyback on strangers' networks. The change means that users do not have to provide visitors with the password to their home network. People who use the Xfinity public network will also be required to sign in with their Comcast customer access credentials. One concern is that vulnerabilities in routers could be exploited to tamper with the devices.
-http://money.cnn.com/2014/06/16/technology/security/comcast-wifi-hotspot/

Canadian Supreme Court Says Warrant Required to Obtain Customer Data From ISPs (June 16, 2014)

Canada's Supreme Court has ruled that law enforcement agencies must obtain a warrant to request customer information, such as names, addresses, and phone numbers, from Internet service providers (ISPs). The court ruled that individuals are entitled to a reasonable expectation of privacy, but did not overturn the conviction of the man whose case brought the issue before it because the police had been acting in good faith.
-http://www.theregister.co.uk/2014/06/16/canada_supreme_court_privacy_isp_warrant
/

Target's Decision to Hire CISO Lauded, But Position in Chain of Command Questioned (June 16, 2014)

Experts are questioning Target's decision to have its newly hired chief information security officer (CISO) report to the company's CIO rather than directly to the CEO. If the CISO is not seen as having equal footing with the CIO, security issues may not get the attention they require. Target hired its first CISO in the wake of a massive data breach that compromised data of 40 million payment cards.
-http://www.computerworld.com/s/article/9249129/Target_top_security_officer_repor
ting_to_CIO_seen_as_a_mistake?taxonomyId=17
[Editor's Note (Pescatore): The argument that the CISO shouldn't report to the CIO because the CIO just wants to "deliver on projects and quite often security controls and measures slow things down" makes no sense at all. Is there some other place for the CISO to report that *doesn't* want to deliver on projects - and would security actually improve if the CISO did report to such a place?? Security considered early the system development life cycle can actually speed time to market - is there somewhere outside the IT organization to make that happen faster? There has been absolutely no data that showed that the CISO position outside of the IT side of things results in better security.
(Henry): I responded to this very issue in an article last week. Having a CISO report to the CIO is the digital equivalent of having the auditor report to the CFO. The CIO in a corporation is responsible for delivering capabilities throughout the organization in an effective and efficient way, and I believe this reporting structure presents an inherent conflict which could impact security. I would much rather see the CISO in a company report to the CSO or the CRO, who have a very different mission and perspective.
(Northcutt): I agree with my colleague's assessment in most cases, however there is a potential conflict of interest. If the CIO has a bonus tied to a rollout date the security person may be quietly told to hush. Sad commentary on human nature, but have seen it happen. This debate has been going on since the beginning of time. I think Charles Cresson Woods did a pretty good job with who should report to who in his security roles and responsibilities book:
-http://www.informationshield.com/israr_main.htm
(Pescatore's response): This argument assumes such a conflict wouldn't happen if CISO reported to legal, to CEO, to COO, to CFO, etc. The conflict isn't really conflict - it is a difference in risk estimation - - the CISO says, "this risk is more important than the risk of business disruption" - and the CIO is rarely, if ever, the only CXO that disagrees with the CISO estimate of the risk.
Plenty of CISOs have reported outside of the CIO, and there is zero real-world correlation that security goes up - or down. I've looked at organizations that have gone from one way to the other, some that have gone back to putting the CISO under the CIO, etc. Just as many felt being under CFO or COO hurt their ability to influence IT as felt it allowed them to go around the CIO's objections. The one correlation: the lower the CISO reported (ie, not directly to the CXO) the more security problems. However, reporting as a peer to the CIO has never worked well - not enough data for that, but anecdotally usually more security problems.
The reality is that the businesses with the best security track records are where the CISO works well with his/her boss - regardless of whether their boss is the CFO or CIO or even CEO. I translate that to this: CISO's that work well with their bosses are good communicators and influencers. They have networks to audit, IT, finance, etc - and no matter where they report they do a better job than the not so good communicators/influencers! I saw this at Gartner CISO clients a lot. At an event before the RSA conference, I had a chat on this topic with the former CEO of a Fortune 100 company after he spoke on how CISOs should communicate to Boards of Directors when they got the chance - he said the same thing "It matters less who you report to than how you communicate/negotiate/manage." ]

Three Month Sentence for Former Microsoft Employee Who Leaked Information to Blogger (June 13 & 14, 2014)

A former Microsoft employee has been sentenced to three months in prison for leaking sensitive information. Alex Kibkalo worked for Microsoft in Russia and Lebanon. He provided a French blogger with several updates prior to their release dates; he leaked the information because he was unhappy with having received an unsatisfactory performance review. Kibkalo has been in custody since his March 19 arrest, so the majority of his sentence has already been served. When Kibkalo is released, he will be deported to Russia.
-http://www.csmonitor.com/Innovation/Horizons/2014/0613/Former-Microsoft-employee
-sentenced-to-prison-after-leaking-company-secrets
-http://arstechnica.com/tech-policy/2014/06/former-microsoft-employee-gets-3-mont
hs-in-jail-for-leaking-windows-8-secrets/
-http://www.theregister.co.uk/2014/06/11/kibkalo_sentencing/
[Editor's Note (Henry): The threat from the trusted insider is a significant risk in every organization. In my experience, insiders who leak information are often dismissed rather than prosecuted, and the issue is quietly "swept under the carpet." A public sentencing demonstrates clear sanctions for illegal actions, and may help to deter others inclined to engage in this activity. ]

Judge Says DOJ May Have Improperly Withheld Documents, Orders 66 Pages for Review (June 13, 2014)

A federal judge in California has ordered the US Justice Department (DOJ) turn over nearly 70 pages of documents for review, so she can decide whether the information was improperly withheld from the public. The documents include one opinion and four orders from the Foreign Intelligence Surveillance Court. Judge Yvonne Gonzalez Rogers's order says that there is evidence that DOJ withheld entire documents when only portions would have been required for disclosure.
-http://www.computerworld.com/s/article/9249111/Judge_orders_DOJ_to_turn_over_FIS
A_surveillance_documents?taxonomyId=17

Canadian Teen Arrested in Connection with Bell Canada Customer Data Breach (June 13, 2014)

Authorities in Canada have arrested a teenager in connection with a breach of a Bell Canada third-party IT supplier. The young man allegedly accessed customer data and posted them online.
-http://www.scmagazine.com/teen-arrested-and-charged-for-bell-canada-hack/article
/355752/
-http://www.cbc.ca/news/canada/montreal/quebec-youth-charged-with-bell-hack-and-o
nline-info-leak-1.2674803

Report of Second Chinese Military Cyber Espionage Unit Questioned (June 10, 2014)

Some experts are questioning the relevance of a recent report detailing the activity of a second group of Chinese cyber criminals intent on stealing information from military contractors and aerospace and satellite companies in the US and Europe. Identifying individuals behind attacks is usually not relevant outside of law enforcement or intelligence agencies. As John Pescatore observes, if you could jump back in time to the day before the breach, would it be better to know the identity of the attacker or the vulnerability that is being exploited? The direct link between the attacks and the Chinese group is also being called into question.
-http://www.govinfosecurity.com/china-hacking-report-questioned-a-6936
[Editor's Note (Henry): Disclaimer: I work for CrowdStrike, the company that released the report questioned here. John Pescatore, a fellow editor with me on the board at NewsBites, is one of the experts cited throughout this article. John has been involved in this field for many years, and is typically a solid voice on computer security. This is one area where he and I have a different perspective, and I disagree with a number of statements for which he is quoted.
John questions the value of the release of intelligence/attribution versus vulnerability reduction, as if the two are mutually exclusive. I believe the reduction of vulnerabilities is essential for security; eliminating vulnerabilities altogether would be ideal, if we lived in a perfect world. We don?t. The reality is we will never completely eliminate every vulnerability, so trying to identify and stop those that are exploiting the vulnerabilities (the "Threat") is an important component of all security plans. John says "Here's a simple thought experiment I always use: If I could send you back in time to the day before a breach, and arm you with one piece of knowledge - who will launch the attack, or what vulnerability are they going to exploit? - which would you choose?"
If this is completely static...in other words, the attacker will launch only one exploit against one vulnerability, and if you defend against it you're completely safe from that attacker forever...perhaps "vulnerability" is the answer. In real life this line of reasoning doesn't work, because the targeted attacker will continue to come back until they meet their objective (or until they are disrupted or deterred.) Let me pose a similar question, applied in the physical world. If I told you a trained assassin was coming to your house tonight, would you want to know who it was or would you want to know which window they planned to climb through? Boarding up one window might slow them down until they find the next window. Knowing "who" would allow you to collect better intelligence on their capabilities, know why they were coming so you could take evasive actions, contact and share intelligence with law enforcement or the intelligence community so they could take actions to mitigate the threat from the known person, etc.
John says this type of report "is value-free for corporate security managers, even the ones who might be targeted by this same
[group ]
." I can't imagine how increased intelligence about who is targeting you is "value-free." If I told you virus XYZ was going to exploit an IE browser vulnerability on 100 computers on your network, that's good intelligence and you could update your software to prevent that exploitation. That is John's "vulnerability reduction" model. What if, in addition to knowing the vulnerability, you also knew that exploit was created by a specific group funded and supported by the Russian government, that they had previously targeted four of your competitors looking for R & D related to your oil exploration capabilities, and that they typically used very specific tactics and tools (which you now knew) and very specific IP addresses as part of their Command and Control infrastructure (which you also now knew.) Would you be in a better position to proactively hunt on and defend your network, and also to share actionable intelligence with others that could help to deter the adversary? Of course...that's great value...and none of this suggests because you're collecting intelligence against your attackers that you shouldn't simultaneously "patch your vulnerabilities." Intelligence is additive and complimentary...though a necessary step in today's world of determined adversaries and targeted attacks.
John's argument that "the report may also be meant to curry favor with U.S. government officials in the wake of Edward Snowden's leaks at the National Security Agency," is cynical and has absolutely no merit. I followed this philosophy of intelligence-led investigation and adversary threat deterrence during more than two decades in the FBI, and CrowdStrike's intelligence program has been in place for more than two and a half years. The release of this information is intended to raise the public's awareness of the threat, and help organization better protect themselves from foreign government aggression. In this extensive 50+ page report, John may have missed the more than 6 pages of "mitigation and remediation" information...the very actionable intelligence that will allow companies to conduct the vulnerability reduction John rightfully advocates for. ]

---

STORM CENTER TECH CORNER

Domino's Attacker asking for Ransom in order to not leak stolen data.
-http://www.tomsguide.com/us/dominos-pizza-data-breach,news-18996.html

Verizon Stratfor Report
-https://pdf.yt/d/yGrhyxVVK5yKmbcq

RSA Observes New Trojan
-https://blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-varian
ts/

Paypal Business Logic Problem could be used to steal money
-https://cybersmartdefence.com/docs/Paypal-Safely-Double-your-Money.csd

Chinese Android Phone With Pre-Installed Malware
-http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-in
stalled-93764

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/