
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #59

July 25, 2014


At the August 1st SANS CDM Workshop in Washington DC, hear from John Streufert, Kim Watson and George Moore of DHS, and Bob Brese, CIO of DoE on implementation and plans for Continuous Diagnostics and Monitoring in federal, state and local government networks. Free in-person and simulcast for government employees, register at http://www.sans.org/event/continuous-monitoring-workshop-2014

TOP OF THE NEWS

European Central Bank Breach
Six Charged in Connection with StubHub Fraud

THE REST OF THE WEEK'S NEWS

Is the Internet of Things Getting Too Big?
Wisconsin Supreme Court Allows Stingray Use in Murder Case
UK Travel Agency Fined for Violating Data Protection Act
WordPress MailPoet Plug-in Flaw is Being Actively Exploited
Mozilla Releases Firefox 31
Microsoft to "Unify" Windows Development
Wall Street Journal Acknowledges Breach
Swiss Bank Accounts Targeted in DNS and Malware Attacks
US-CERT Warns of Flaw in Huawei Routers
Possible Breach of Goodwill Systems

STORM CENTER TECH CORNER


********************* Sponsored By Bit9 + Carbon Black *******************
Have your antivirus technologies become less effective at stopping attacks? Forrester Research recommends considering third-party AV alternatives like application whitelisting, endpoint execution isolation and endpoint visibility & control. Download the free Forrester report today.
http://www.sans.org/info/164817
***************************************************************************
TRAINING UPDATE


--SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


--SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You Patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


--Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


--Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

European Central Bank Breach (July 24, 2014)

An attacker broke into the network of the European Central Bank (ECB) and took personal information belonging to people who had registered for conferences and visits; the data was then held for ransom. Police in Germany are investigating.
-http://www.bbc.com/news/business-28458323
-http://www.zdnet.com/european-central-bank-suffers-security-breach-personal-data-stolen-7000031958/

[Editor's Note (Honan): It appears the breach was the result of an SQL Injection attack
-http://www.scmagazineuk.com/european-central-bank-loses-personal-records-after-data-breach/article/362538/

Something which could have been addressed, had the developers of the site referred to the SANS Top 25 Most Dangerous Software Errors
-http://www.sans.org/top25-software-errors/]

Six Charged in Connection with StubHub Fraud (July 23 & 24, 2014)

US authorities have charged six people in connection with a fraud scheme that targeted eBay's StubHub ticket reselling service. The group reportedly stole more than US $10 million worth of tickets. People connected with the theft were arrested in the UK, Canada, and Spain; they are from Russia and the US. The StubHub accounts were breached using access credentials stolen in other breaches; StubHub itself was not breached.
-http://www.computerweekly.com/news/2240225359/Six-cyber-criminals-charged-in-1m-Stubhub-fraud
-http://krebsonsecurity.com/2014/07/feds-hackers-ran-concert-ticket-racket/
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/07/24/stubhub-wasnt-hacked-but-its-users-were/

[Editor's Note (Pescatore): StubHub seemed to notice this one very quickly and react well. But, it is another example of where even a simple strong authentication approach like text messaging challenge/response would have defeated this attack - but not very complex attacks, like the Swiss Bank one.
(Murray): eBay is an Internet company; it must be held to a higher security standard than others. Instead of setting an example of good security for others, it is ignoring the good examples set by its peers, e.g., Google, Dropbox, Twitter, but also that of its subsidiary, PayPal. eBay does not understand "strong authentication." This is the second report in as many months of successful attacks, one against eBay insiders, one against its customers, involving fraudulent reuse of eBay credentials. I do not "understand" eBay; I have closed my account and sold my stock. ]


**************************** SPONSORED LINKS ******************************
1) Compromises Happen: Learn How to Prepare in Aug 20 Webcast! Register: http://www.sans.org/info/164827

2) New SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win an iPad. Results Webcast on 10/29. http://www.sans.org/info/164507

3) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. This SANS CDM event provides government security managers the opportunity to get the latest status on the DHS Continuous Diagnostic and Mitigation program and to learn how the early adopters in government are using CDM to increase security. http://www.sans.org/info/159487
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Is the Internet of Things Getting Too Big? (July 24, 2014)

US presidential policy advisers are concerned that the Internet of Things is simply too large. Companies that are making some of the items, such as refrigerators, "are not information companies, and the effect is that we are much more vulnerable," according to Defense Policy Board and President's Intelligence Advisory Board member Richard Danzig. A report from Danzig's Center for a New American Security suggests that security can be improved by paring down systems to their essentials, so that they may be able to do less, but also will present fewer opportunities for security problems.
-http://www.nextgov.com/cybersecurity/2014/07/some-things-should-be-banned-internet-things/89636/?oref=ng-channeltopstory

[Editor's Note (Pescatore): There are some good thoughts in this report but if we really pared things down to their essentials to be more secure, cars would not have radios or cup holders and PCs would not include network interfaces. Trying to force technology changes to match old approaches to security is not a real world option.
(Honan): If I am reading this report correctly, this is a classic example of why we should not rely solely on our policy makers to make us more secure. If we were to take the fallacy of their argument into the physical world, we would be looking to reduce the human population, as the more humans there are the more criminals there will be. Instead of stopping innovation, policy makers should focus on how to make sure manufacturers develop technologies in a secure way.
(Murray): The issue is that gratuitous functionality, such as a general purpose operating system, included in an appliance, will inevitably be co-opted and used for malicious purposes.
(Northcutt): For the past 20 years the battle has been features vs. safety and features always wins. We use 5% or less of the capability of Adobe Flash or Microsoft Word, yet how many threats have been delivered via both platforms? For the life of me I do not think there is any reason my refrigerator needs to whistle Dixie, but like every other consumer, that is the one I am going to choose in the showroom. ]

Wisconsin Supreme Court Allows Stingray Use in Murder Case (July 24, 2014)

In a narrow decision, the Supreme Court of Wisconsin upheld a lower court decision permitting the warrantless use of devices known as stingrays, which can track cell phone locations. In this particular case, the court found that while Milwaukee police had not obtained a warrant to use the stingray to determine a murder suspect's location, a related judicial order served the same purpose.
-http://arstechnica.com/tech-policy/2014/07/court-allows-use-of-stingray-cell-tracking-device-in-murder-case/
-https://www.documentcloud.org/documents/1234903-wisconsin-stingray-20140724.html

UK Travel Agency Fined for Violating Data Protection Act (July 24, 2014)

The UK Information Commissioner's Office (ICO) has fined a travel company GBP 150,000 (US $255,000) for failing to adequately protect customer data. By exploiting a coding error on the company's website, attackers were able to steal customers' credit card details dating back to 2006. Payment card data had never been deleted from the system and the system had never been tested. The company, Think W3 Limited, was found to have violated the Data Protection Act.
-http://www.v3.co.uk/v3-uk/news/2357033/ico-fines-travel-firm-gbp150-000-after-hacker-steals-over-a-million-card-details
-http://www.theregister.co.uk/2014/07/24/travel_agent_data_breach/

[Editor's Note (Honan): It is important to remember that this company is not being fined for being hacked; it is being fined because it did not take adequate security measures to protect the data, which resulted in the hack happening. ]

WordPress MailPoet Plug-in Flaw is Being Actively Exploited (July 23 & 24, 2014)

Attackers have been exploiting a known vulnerability in a WordPress plug-in to compromise websites. Approximately 50,000 sites have been affected. Version 2.6.7 of the MailPoet Newsletters plug-in, which was released on July 1, addresses the flaw, and users are urged to apply the update as soon as possible. Unpatched versions of the plug-in allow attackers to upload arbitrary PHP files. MailPoet has been downloaded more than 1.7 million times.
-http://www.computerworld.com/s/article/9249949/Thousands_of_sites_compromised_by_WordPress_plug_in_flaw?taxonomyId=17
-http://arstechnica.com/security/2014/07/mass-exploit-of-wordpress-plugin-backdoors-sites-running-joomla-magento-too/

Mozilla Releases Firefox 31 (July 24, 2014)

Mozilla has released an update for Firefox to version 31. Three of the 11 issues addressed in the upgrade are deemed critical. Mozilla has also released an updated version of Thunderbird.
-http://www.theregister.co.uk/2014/07/24/mozilla_patches_security_bugs_in_firefox/

Microsoft to "Unify" Windows Development (July 23, 2014)

Microsoft CEO Satya Nadella says the company is working on unifying portions of different Windows operating systems. Microsoft plans to "streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes." The three systems are the one used on phones, the one used on tablets and PCs, and the one used on Xbox systems. This does not mean that Microsoft will move to a single OS, but instead that the links between the various OSes will be deepened.
-http://www.bbc.com/news/technology-28440288
-http://money.cnn.com/2014/07/23/technology/enterprise/microsoft-windows-rt/index.html

[Editor's Note (Pescatore): From a security perspective, this raises the specter of vulnerabilities in Xbox showing up in a Windows phone and a Windows PC. It also sounds kinda déjà vu all over again from circa 2000 when the "same OS on your desktops and your servers" was deemed a competitive "feature" by Microsoft. ]

Wall Street Journal Acknowledges Breach (July 23, 2014)

The Wall Street Journal has acknowledged that someone was able to access at least one of the newspaper's databases by exploiting a vulnerability in a web-based graphics system using an SQL injection attack. The affected system was taken offline.
-http://www.theregister.co.uk/2014/07/22/wsj_vice_hack_claims_w0rm_punts_stolen_data/
-http://www.computerworld.com/s/article/9249915/SQL_injection_flaw_opens_door_for_Wall_Street_Journal_database_hack?taxonomyId=17
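Both the ECB story above and this Wall Street Journal item attribute the intrusion to SQL injection, and the editor's note on the ECB breach points at the CWE/SANS Top 25, where this defect is CWE-89. The Python example below is added here and is not code from the newsletter or from either organisation; it builds a constructed in-memory SQLite table (the table name, column names and sample e-mail addresses are all invented) and shows the defect beside its fix: the same lookup once with the value spliced into the SQL string, and once with the value bound as a parameter.

```python
import sqlite3

# Constructed sample data, not from any of the breached sites: a small
# conference-registration table of the kind the ECB story describes.
SAMPLE_ROWS = [
    ("alice@example.org", "conference-2014"),
    ("bob@example.org", "site-visit"),
    ("carol@example.org", "conference-2014"),
    ("o'brien@example.org", "site-visit"),  # a legitimate apostrophe
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrations (id INTEGER PRIMARY KEY, email TEXT, event TEXT)"
    )
    conn.executemany(
        "INSERT INTO registrations (email, event) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately weak: the caller's value is spliced into the SQL text.

    Because the input is parsed as part of the statement, it can change the
    query's structure (CWE-89).  A legitimate apostrophe breaks the query,
    and a crafted value rewrites its WHERE clause.
    """
    sql = "SELECT email, event FROM registrations WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the value is bound as a parameter and never parsed as SQL.

    The statement's structure is fixed by the code; whatever characters the
    input contains, it is only ever compared against the email column.
    """
    sql = "SELECT email, event FROM registrations WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(conn, email):
    """Run both lookups on the same input and return what each produced.

    Returns (vulnerable_result, parameterized_result); a vulnerable_result
    of None means the spliced statement was rejected by the SQL parser.
    """
    try:
        weak = lookup_vulnerable(conn, email)
    except sqlite3.OperationalError:
        weak = None
    return weak, lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = build_db()
    # A normal lookup, a legitimate value containing a quote, and a
    # constructed tautology probe of the kind vulnerability scanners send
    # at web forms.
    for probe in ("alice@example.org", "o'brien@example.org", "x' OR '1'='1"):
        weak, safe = compare(db, probe)
        print("%-22s spliced=%s  parameterized=%s" % (probe, weak, safe))
```

Running it shows the two failure modes of the spliced query side by side: a legitimate apostrophe produces a parser error (a functional bug that usually surfaces first, in error logs), and the tautology probe returns every registration row, which is the data-exposure path the two news items describe. The parameterized form returns exactly the matching row in the first case and nothing in the other two. Parameter binding is the fix; input validation and least-privilege database accounts are defence in depth, not substitutes.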

Swiss Bank Accounts Targeted in DNS and Malware Attacks (July 22 & 23, 2014)

Attackers have been targeting Swiss bank accounts by intercepting SMS tokens and changing domain name system (DNS) settings. Systems were infected when users received phishing email messages and were prompted to install an Android app that claimed to secure their online banking transactions. The malware reconfigures the users' computers, then deletes itself. Targeted users are redirected to pages that appear to be those of the bank they were using. Trend Micro has dubbed the attack Operation Emmental.
-http://www.theregister.co.uk/2014/07/23/ruskie_vxers_change_dns_nuke_malware_in_swiss_bank_raids/
-http://www.scmagazine.com/op-emmental-spoofs-bank-sites-uses-android-malware-to-maintain-account-access/article/362215/

Trend Micro Report:
-http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

[Editor's Note (Pescatore): This was a very complex, targeted, multi-step attack but a good example of a high value application where just adding text messaging challenge response *isn't* enough. But, silly to point to this one as a reason not to use this approach for the vast majority of apps and threats where it does raise the bar with minimal business impact.
(Honan): What is interesting about this attack is how criminals targeted the two-factor authentication system to bypass the bank's security. As we develop more effective security controls, criminals will develop more effective ways to bypass those controls.
(Murray): Strong Authentication is necessary, but not sufficient for secure online banking. Also indicated are real-time transaction confirmations, anomalous transaction controls, and, for enterprise accounts, multi-party controls. None of these are a substitute for vigilance and prudence. However, this attack also illustrates the danger of using the same device or connection for both banking and authentication. ]

US-CERT Warns of Flaw in Huawei Routers (July 22, 2014)

According to a warning from the US Computer Emergency Response Team (US-CERT), a vulnerability in the Huawei E355 wireless broadband modem could be exploited to launch cross-site scripting attacks. Huawei is aware of the problem and issued an advisory last month indicating that it is working on a fix.
-http://www.v3.co.uk/v3-uk/news/2356560/us-warns-of-huawei-wifi-modem-xss-security-threat

US-CERT Vulnerability Note:
-http://www.kb.cert.org/vuls/id/688812

Possible Breach of Goodwill Systems (July 21 & 23, 2014)

Financial institutions in the US have noticed activity suggesting that Goodwill Industries' network was breached and customers' payment cards compromised. Goodwill and the US Secret Service are investigating. Goodwill says it first learned of a possible breach on July 18.
-http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/
-http://www.forbes.com/sites/katevinton/2014/07/23/potential-breach-at-goodwill-highlights-that-not-even-charities-are-safe-from-cybercrime/


STORM CENTER TECH CORNER

Windows "Previous Version" Feature
-https://isc.sans.edu/forums/diary/Windows+Previous+Versions+against+ransomware/18439

Fake "Google Bots" used for attacks
-http://www.incapsula.com/blog/googlebot-study-mr-hack.html
-https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/

Firefox Improving Malware Protection
-https://blog.mozilla.org/security/2014/07/23/improving-malware-detection-in-firefox/

New ISC Feature: SSH Passwords
-https://isc.sans.edu/forums/diary/New+Feature+Live+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433

Apple Documents "Mystery" Services
-http://support.apple.com/kb/HT6331?viewlocale=en_US&locale=en_US

Malware Stores Itself in Registry Value
-http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
-http://techhelplist.com/index.php/spam-list/483-scheduled-package-delivery-failed-date-multi-malware

Tor Vulnerabilities
-http://www.robgjansen.com/publications/sniper-ndss2014.pdf

Tails Vulnerabilities
-http://blog.exodusintel.com/2014/07/23/silverbullets_and_fairytails/

Host Names with many Labels Used for Magnitude Exploit Kit
-https://isc.sans.edu/forums/diary/Ivan+s+Order+of+Magnitude/18419

FoxIt Mobile Beacons Back to Advertiser
-https://isc.sans.edu/forums/diary/App+telemetry+/18425

Password Brute Forcing Against WordPress Uses XMLRPC Functions
-https://isc.sans.edu/forums/diary/+WordPress+brute+force+attack+via+wp+getUsersBlogs/18427

Android Voice Commands Can be Used to Escalate Privileges
-http://arxiv.org/abs/1407.4923


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org