
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #49

June 20, 2014

TOP OF THE NEWS

PF Chang's Breach Persisted for Nine Months
APT Campaign Targeted 75 US Airports
UK Government Can Intercept Social Media Posts Without Warrant

THE REST OF THE WEEK'S NEWS

Do You Remember Where You Put Your Keys?
Code Spaces Hit with Multi-Pronged Attack, Shuts Down
Bill Would Amend ECPA, Require Warrant to Search eMail
Chinese-Made Cell Phone Star N9500 Ships with Malware Pre-Installed
FBI Arrests Alleged NullCrew Member
Fake Google Play App Steals Online Banking Credentials
Network Attached Storage Devices Compromised to Mine Dogecoin
Girls Who Code Summer Program Expands
Google's Hard Line on Chrome Extensions Gets Some Grumbles
Ten Ideas for Improving Cyber Security

STORM CENTER TECH CORNER


***************************** Sponsored By SANS **************************
Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - - PART II. August 1, 2014 in Washington, DC. This SANS CDM event provides government security managers the opportunity to get the latest status on the DHS Continuous Diagnostics and Mitigation program and to learn how the early adopters in government are using CDM to increase security. http://www.sans.org/info/159487
***************************************************************************
TRAINING UPDATE


- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

PF Chang's Breach Persisted for Nine Months (June 18, 2014)

It appears that the security breach at PF Chang's began in September 2013 and was still active until June 11, 2014. The breach compromised continental US customers' payment card data. A PF Chang's spokesperson did not comment on the timing of the attack, but noted that it does not appear to have affected the company's Pei Wei Asian Diner restaurants.
-http://krebsonsecurity.com/2014/06/p-f-changs-breach-likely-began-in-sept-2013/

APT Campaign Targeted 75 US Airports (June 19, 2014)

According to the Center for Internet Security's (CIS) 2013 Annual Report, a campaign to gain a foothold in aviation systems at US airports was detected in 2013. The government notified CIS of evidence suggesting advanced persistent threats on systems at four US airports. CIS notified those airports and requested their network logs for analysis. CIS was then notified that eight more airports had been targeted. The organization was able to identify a public document as a likely source the attackers used when sending phishing messages. CIS contacted all the airports in the list and learned that 75 had been targeted; most had not opened the messages. The attackers managed to compromise two systems, which have both been cleaned with help from CIS.
-http://www.nextgov.com/cybersecurity/2014/06/nation-state-sponsored-attackers-hacked-two-airports-report-says/86812/?oref=ng-HPtopstory

CIS Report (the section on the APT campaign targeting airports is on page 25):
-http://www.cisecurity.org/about/documents/2013AnnualReportspreads.pdf

UK Government Can Intercept Social Media Posts Without Warrant (June 17, 2014)

The British government can collect posts from social media sites like Google, Twitter, and Facebook without a warrant because the content is considered "external communications." This revelation comes from court testimony from the Director General of the UK's Office for Security and Counterterrorism published ahead of a hearing scheduled for mid-July. The distinction between the types of communications is made in sections 8(1) and 8(4) of the UK's Regulation of Investigatory Powers Act (RIPA).
-http://arstechnica.com/tech-policy/2014/06/uk-official-reveals-secret-justification-for-govt-social-media-spying/

-http://www.bbc.com/news/technology-27887639
-http://www.computerworld.com/s/article/9249158/U.K._allows_British_spies_to_intercept_Google_and_Facebook_traffic?taxonomyId=17

Testimony:
-https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/witness_st_of_charles_blandford_farr.pdf



************************** Sponsored Links: ******************************
1) Provide input to the Critical Security Controls Survey and enter to win iPad! Tell us your wins, misses and wish lists with the CSCs here: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9: http://www.sans.org/info/162000

2) Webcast: Insider Threat Kill Chain: Detecting Human Indicators of Compromise Thursday, June 26 at 12:30 PM EDT (16:30:00 UTC). Bryce Schroeder, Director of Systems Engineers, Tripwire. http://www.sans.org/info/162177

3) Using a SOC as a Security Force Multiplier - Wednesday, June 25 at 1:00 PM EDT (17:00:00 UTC) Eric Cole, Henri Van Goethem, John Pescatore. http://www.sans.org/info/162182
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Do You Remember Where You Put Your Keys? (June 19, 2014)

Researchers at Columbia University have found that many Android app developers embed secret authentication keys in their apps' code. The keys could be used to access private cloud accounts or social media profiles.
-http://arstechnica.com/security/2014/06/secret-keys-stashed-in-google-play-apps-pose-risk-to-android-users-developers/

-http://www.darkreading.com/mobile/google-play-apps-expose-users-to-attack/d/d-id/1278716?
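The kind of check that catches this before an app ships, shown here as an added example that is not from the Columbia study or either article: a small Python scanner over source text that flags credential-like string literals. It combines a structural rule for the AWS access key ID format (which begins with "AKIA" followed by 16 upper-case alphanumerics) with a Shannon-entropy rule for opaque secrets assigned to identifiers containing secret, key, token or password. The Java snippet it scans is constructed; the two AWS values in it are the placeholder credentials AWS uses in its own documentation, and the 4.0 bits-per-character entropy threshold is an assumption chosen so that random-looking secrets score above it and English-like placeholders below it.

```python
"""Scan source text for credentials committed into application code.

Added example, not code from the study or the linked articles. Two
complementary checks: a pattern rule for a credential format with a known
structure (the AWS access key ID) and a Shannon-entropy rule for opaque
secrets assigned to suspiciously named variables.
"""
import math
import re

# Constructed Java/Android snippet. The AWS values are the placeholder
# credentials used throughout AWS documentation, not live keys.
SAMPLE_SOURCE = '''
public class CloudClient {
    private static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String TWITTER_CONSUMER_SECRET = "aB3dEfGhIjKlMnOpQrStUvWxYz0123456789abcdefgh";
    private static final String API_KEY_PLACEHOLDER = "replace_me_with_real_key";
    private static final String APP_NAME = "ExampleApp";
    private static final String API_KEY = BuildConfig.API_KEY;  // injected at build time
}
'''

# A quoted literal of 16+ characters assigned to a credential-like identifier.
SECRET_ASSIGNMENT = re.compile(
    r'\b(\w*(?:secret|key|token|passw(?:or)?d)\w*)\s*=\s*"([^"\n]{16,})"',
    re.IGNORECASE,
)
# AWS access key IDs have a fixed, recognisable shape: "AKIA" + 16 [0-9A-Z].
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Assumed threshold in bits per character: random base64/alphanumeric secrets
# score well above it, English-like placeholders such as
# "replace_me_with_real_key" (about 3.5) stay below it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset within text."""
    return text.count("\n", 0, offset) + 1


def scan_source(text: str) -> list:
    """Return findings as dicts with keys line, name, value, reasons."""
    findings = []
    seen_values = set()
    for m in SECRET_ASSIGNMENT.finditer(text):
        name, value = m.group(1), m.group(2)
        reasons = []
        if AWS_ACCESS_KEY_ID.search(value):
            reasons.append("aws-access-key-id")
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy")
        if reasons:
            findings.append({"line": _line_of(text, m.start()), "name": name,
                             "value": value, "reasons": reasons})
            seen_values.add(value)
    # Second pass: key IDs embedded anywhere else (URLs, comments, concatenations).
    for m in AWS_ACCESS_KEY_ID.finditer(text):
        if m.group(0) not in seen_values:
            findings.append({"line": _line_of(text, m.start()), "name": None,
                             "value": m.group(0), "reasons": ["aws-access-key-id"]})
            seen_values.add(m.group(0))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name'] or '<literal>'} -> {', '.join(f['reasons'])}")
```

Run as a script it prints one line per finding (three for the constructed sample; the placeholder and the build-time-injected key are left alone). In practice the same scan would run over decompiled APK sources or as a pre-commit hook, and a hit should trigger rotation of the key rather than just its removal from the code, since every shipped build has already published it.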

Code Spaces Hit with Multi-Pronged Attack, Shuts Down (June 18 & 19, 2014)

Code hosting company Codespaces.com has indefinitely ceased operations after an attacker accessed the company's Amazon Elastic Compute Cloud (EC2) control panel and deleted customer data. The company also lost most of its backups. The attack began with a distributed denial-of-service (DDoS) attack and a demand for payment to make that attack stop. The cloud services the company was using claimed to have "a full recovery plan that has been proven to work and is, in fact, practiced."
-http://www.scmagazine.com/code-spaces-shuts-down-following-ddos-extortion-deletion-of-sensitive-data/article/356774/

-http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/

-http://www.computerworld.com/s/article/9249232/Hacker_puts_39_full_redundancy_39_code_hosting_firm_out_of_business?taxonomyId=17

-http://www.theregister.co.uk/2014/06/18/code_spaces_destroyed/
-http://www.codespaces.com
-http://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761

[Editor's Note (Honan): One thing to learn from this incident is to confirm the claims of third party providers. In this case, the cloud provider company's claim of "a full recovery plan that has been proven to work and is, in fact, practiced" looks not to have been the case. Trust but verify! ]

Bill Would Amend ECPA, Require Warrant to Search eMail (June 18 & 19, 2014)

A bill that would require the government to obtain a warrant before searching people's email and other stored communications now has majority support in the US House of Representatives. The Email Privacy Act would amend 1986's outdated Electronic Communications Privacy Act (ECPA). The proposed legislation would bar third-party service providers from disclosing customers' communications to law enforcement unless they have a warrant.
-http://www.computerworld.com/s/article/9249216/Bill_to_require_warrant_for_email_searches_gains_ground_in_House?taxonomyId=17

-http://www.cnet.com/news/google-cheers-growing-support-for-ecpa-reform/
Text of Bill:
-https://beta.congress.gov/113/bills/hr1852/BILLS-113hr1852ih.pdf

Chinese-Made Cell Phone Star N9500 Ships with Malware Pre-Installed (June 19, 2014)

Certain smartphones made in China ship with malware already installed. The device is known as the Star N9500; the pre-loaded malware could be used to steal data, make calls, and activate the device's camera and microphone remotely. The phone is sold over the Internet; the manufacturer is currently unknown.
-http://www.darkreading.com/spyware-found-on-chinese-made-smartphone/d/d-id/1278699?

FBI Arrests Alleged NullCrew Member (June 17, 18 & 19, 2014)

Federal authorities in the US have arrested a man in connection with attacks on computer systems at universities and private companies. Timothy French is allegedly a member of the NullCrew group, which is responsible for stealing usernames and passwords and posting them to the Internet.
-http://www.zdnet.com/fbi-arrests-alleged-nullcrew-hacktivist-7000030714/
-http://www.theregister.co.uk/2014/06/17/fbi_arrests_claims_nullcrew_hacker_in_tennessee_takedown/

Fake Google Play App Steals Online Banking Credentials (June 18, 2014)

A malicious app that claims to be Google Play actually steals online banking information. The malware targets people who speak Korean; about 200 devices have been infected so far. The malware's icon looks like Google Play's icon, so users could be tricked into clicking on it. Once activated, the app steals text messages, signature certificates, and bank account passwords. The app, which goes by the name of "Google Play Stoy," has been removed from the Google Play Store.
-http://www.darkreading.com/mobile/malicious-google-play-clone-steals-banking-credentials/d/d-id/1278692?

-http://www.scmagazine.com/google-yanks-malicious-app-from-play-store/article/356748/

Network Attached Storage Devices Compromised to Mine Dogecoin (June 17 & 18, 2014)

An attacker or attackers took control of Synology Network Attached Storage (NAS) devices and used their computing resources to mine more than US $620,000 in Dogecoin over a two-month period. The attack exploited vulnerabilities for which Synology had issued patches last fall. Earlier this year, Synology NAS owners had begun to complain online that their devices were running slowly and that CPU usage was unexpectedly high. The scheme was uncovered by Dell SecureWorks, whose report can be read here:
-http://www.secureworks.com/resources/blog/hacker-hijacks-synology-nas-boxes-for-dogecoin-mining-operation-reaping-half-million-dollars-in-two-months/

-http://www.computerworld.com/s/article/9249169/Hacker_mines_620K_in_cryptocurrency_under_victims_noses?taxonomyId=17

-http://www.wired.com/2014/06/hacker-hijacks-storage-devices-mines-620000-in-dogecoin/

-http://arstechnica.com/security/2014/06/hacker-infects-synology-storage-devices-makes-off-with-620000-in-dogecoin/

-http://www.zdnet.com/nas-device-botnet-mined-600000-in-dogecoin-over-two-months-7000030662/

Girls Who Code Summer Program Expands (June 17, 2014)

The Girls Who Code organization aims to "inspire, educate, and equip girls with the computing skills to pursue 21st century opportunities." The program started in 2012 in New York City. This year's 2014 Summer Immersion Program aims to involve 380 young women in five cities. The program is seven weeks long and offers the high-school aged girls classes in robotics, web design, and mobile development, and mentorship from female executives, entrepreneurs, and engineers.
-http://www.scmagazine.com/girls-who-code-kicks-off-summer-immersion-program/article/356016/

-http://girlswhocode.com/programs/
[Editor's Note (Honan): This is a very welcome initiative. It is similar to the CoderDojo www.codedojo.com movement which started in Ireland and is now in over 45 countries. It is aimed at encouraging young people from 7 to 17 years old to get involved in coding. The more initiatives we have in encouraging young people to get involved in coding and computers at an early age the better. ]

Google's Hard Line on Chrome Extensions Gets Some Grumbles (June 16, 2014)

Google has drawn a hard line regarding extensions for its Chrome browser; extensions that are not hosted by the Chrome Web Store are no longer supported. Some companies and their customers have expressed frustration and anger with the new policy. The decision was announced last year and is intended to stop "bad actors" from putting malicious extensions on Windows machines. Google gave developers a six-month heads-up to give them time to migrate their extensions to the Chrome store.
-http://www.cnet.com/news/outrage-grows-as-google-axes-some-chrome-extensions/
[Editor's Note (Pescatore): There should be *more*, not less, of this type of grumbling - the big platform players (Google, Microsoft, Apple, Facebook, Amazon, etc) *should* be driving app developers to higher levels of security than they would go to *without* grumbling. When the auto industry finally got serious about quality, all of the suppliers grumbled - but the cars got more reliable. The days of platforms winning in the market because they have the most ISVs and apps is over - the winners will have the best apps on their platforms and a big part of "best" is "doesn't steal your data or blow up in your face." ]

Ten Ideas for Improving Cyber Security (June 30, Forbes)

Ten cyber experts' best ideas for thwarting digital security threats include changing the way we think about security and being proactive about protecting sensitive data; encouraging transparency from cloud services about data handling; making better use of encryption; developing systems that present smaller attack surfaces; developing a new secure network for critical infrastructure; and establishing privacy and data security regulation and enforcement for companies. Most acknowledged that there are no easy and quick fixes.
-http://www.forbes.com/sites/kashmirhill/2014/06/18/10-ways-to-fix-cybersecurity/
[Editor's Note (Northcutt): This was a fun read and a very diverse set of people. I found Mr. Krebs' opening sentence particularly sobering: "Being safe and secure online fundamentally requires a mindset shift." I am sure many of the NewsBites readers remember the attacks he has put up with:
-http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
-http://arstechnica.com/security/2013/03/security-reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/

-http://krebsonsecurity.com/tag/swatting/
-https://www.schneier.com/blog/archives/2014/02/brian_krebs.html]

STORM CENTER TECH CORNER

Critical Supermicro IPMI Vulnerability Leaks Passwords
-http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

Pineapple Script Published to Impersonate XFinity Access Points
-http://blog.logrhythm.com/security/xfinity-pineapple/

iOS 7 Activation Block Significantly Lowers iPhone Thefts. MSFT/Google to follow
-http://www.ag.ny.gov/press-release/ag-schneiderman-and-da-gascón-announce-google-and-microsoft-will-include-smartphone

Users Will Run Malware if Paid as Little as $0.01
-https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf

More Javascript Crypto Libraries: Microsoft
-http://research.microsoft.com/en-us/downloads/29f9385d-da4c-479a-b2ea-2a7bb335d727/default.aspx

Elcomsoft Releases Tool that Allows Download of iCloud Backups with Tokens Retrieved from Device
-http://blog.crackpassword.com/2014/06/breaking-into-icloud-no-password-required/

Microsoft Patches DoS Issue in Malware Protection Engine
-https://technet.microsoft.com/library/security/2974294

Canadian Anti-Spam Legislation could lead to Phishing E-Mails
-https://isc.sans.edu/forums/diary/Canada+s+Anti-Spam+Legislation+CASL+2014/18267

Microsoft Stops Referer Header Leakage from OneDrive
-https://blog.onedrive.com/update-for-shared-links/
(Old diary discussing this problem and solutions:
-https://isc.sans.edu/diary/When+does+your+browser+send+a+%22Referer%22+header+(or+not)%3F/16433)

Android Devices Vulnerable to Recent Linux Kernel Privilege Escalation Flaw
-http://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/