SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #6

January 21, 2014

TOP OF THE NEWS

Target Malware and Possible Suspects Identified
Six Other Retailers Targeted by Data Thieves
Two People Arrested; Carrying Fraudulent Payment Cards
US State Department Inspector General Finds Security Issues Remain Unaddressed

THE REST OF THE WEEK'S NEWS

Second-Hand Chrome Extensions Are Being Turned into Adware
Cisco Urges Users to Apply Patch for Critical Flaws
South Korean Credit Bureau Employee Arrested For Allegedly Selling Personal Data to Telemarketers; Executives Resign
Refrigerator Botnet Report Sparks Skepticism
ICS-CERT Warns of Buffer Overflow Flaw in Ecava IntegraXor SCADA System
House Bill Would Amend Affordable Care Act, Require Weekly Report of Site's Tech Issues
Several Legislative Committees Want to Hold Hearings About Target Breach
Study Says US Government Workers Do Not Practice Good Mobile Device Security

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec ***************************
Layered Security: Why It Works - SANS Analyst White Paper: Attackers are leaving no stone unturned, prying into web applications, operating systems and even deeper in the hardware. They're taking advantage of conventional endpoints and mobile devices, slipping past and through network security, and even taking advantage of the human element operating the devices. The layered model is more relevant than ever.
http://www.sans.org/info/149080
***************************************************************************
TRAINING UPDATE


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- -- SANS Cyber Threat Intelligence Summit Feb. 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Target Malware and Possible Suspects Identified (January 17 & 20, 2014)

More information is starting to emerge about the malware used in the Target data breach and about those suspected of being involved in the attack. Two people in Russia have been identified by a security company in California as having allegedly participated in coding the malware used in the attack. The malware, known as Kaptoxa, is a modified version of a known hacking tool called BlackPOS. The same type of malware is also believed to have been used in the attack on Neiman Marcus payment systems.
-http://www.computerworld.com/s/article/9245568/Two_coders_closely_tied_to_Target
_related_malware?taxonomyId=17
-http://investigations.nbcnews.com/_news/2014/01/17/22341717-thieves-tweaked-off-
the-shelf-malware-for-target-data-heist-security-firm-says
-http://www.wired.com/threatlevel/2014/01/target-malware-identified/
-http://www.scmagazine.com//report-indicates-kaptoxa-operation-led-to-massive-ret
ailer-breaches/article/329945/
[Editor's Note (Murray): We are still left to infer that the method of attack was to compromise manager credentials (by the usual means documented in the Verizon DBIR), and that the target was enterprise payment processing servers (not "point-of-sale," not store controllers) running Windows. The most interesting thing about the malware is that it exploited system code, not application specific code, to access application traffic.
(Honan): I see a worrying trend where security companies are looking to security breaches as a marketing vehicle for their research. I hope that before publishing such research that those companies are cooperating fully with law enforcement agencies to ensure they are not compromising any active and ongoing investigations. Catching criminals should be a higher priority than media coverage. ]

Six Other Retailers Targeted by Data Thieves (January 17, 2014)

Reports of additional retailers suffering data breaches suggest that the attacks on Target and Neiman Marcus are part of a larger effort involving at least half a dozen stores. The same malware appears to have been used in all of the attacks. The other affected businesses have not been named.
-http://www.govinfosecurity.com/6-more-retailers-breached-a-6407
-http://news.cnet.com/8301-1009_3-57617447-83/targets-data-breach-yes-it-gets-wor
se/
-http://www.computerworld.com/s/article/9245531/Six_more_U.S._retailers_hit_by_Ta
rget_like_hacks?taxonomyId=17

Two People Arrested; Carrying Fraudulent Payment Cards (January 20, 2014)

Two people arrested in Texas were found to have 90 fraudulent payment cards in their possession. The cards appear to have been fabricated using information that was stolen in the Target data breach.
-http://www.computerworld.com/s/article/9245557/Officials_Two_people_used_fake_cr
edit_cards_linked_to_Target_data_breach?taxonomyId=17
-http://www.seattlepi.com/news/texas/article/2-nabbed-at-Texas-border-in-credit-c
ard-fraud-case-5160888.php
-http://www.latimes.com/business/la-fi-target-arrests-20140121,0,728960.story#axz
z2r1DhIHVv
[Editor's Note (Murray): While Target will be pilloried for this breach, the fundamental vulnerability, that of credit card numbers and PINs to replay, is not their fault. This is an industry problem for which the card brands and issuers, not the merchants, bear the major responsibility. These compromises are the inevitable result of the failure of the industry to implement a replay resistant technology (e.g., EMV) on a timely basis. ]

US State Department Inspector General Finds Security Issues Remain Unaddressed (January 16, 2014)

According to an audit report from the Office of Inspector General (OIG), there are "significant and recurring weaknesses in the Department of State information system security program." The IG was critical of the department's failure to address security problems found in previous audits.
-http://www.govinfosecurity.com/ig-state-department-security-program-weak-a-6405
-http://oig.state.gov/documents/organization/220066.pdf
[Editor's Note (Murray): Auditors begin every audit with the findings of previous audits. Auditors are often poorly qualified to assess the contribution of "compliance" to security.
(Paller): For nearly a decade, State Department auditors (and the outside security firms they hired to do independent audits) have repeatedly focused on the wrong things - leaving the organization extremely vulnerable. It is primarily a skills problem. They appear to have little of the critical technical mastery to understand how the attacks work, so they have no way of determining whether defenses are adequate. If auditors were held responsible for the breaches their audits failed to help prevent, they might up their game. ]

---

************************** Sponsored Links: ******************************
1) The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA will give you the inside knowledge needed to deal with the next wave of threats. http://www.sans.org/info/149075

2) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/148550

3) 2nd SCADA ICS survey: control systems security experts, give us your thoughts on the issues that keep you up at night! We want your opinions on the threats and challenges facing our infrastructure today. Take our survey now and you might win a free iPad. http://www.sans.org/info/148540
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Second-Hand Chrome Extensions Are Being Turned into Adware (January 20, 2014)

At least two Chrome browser extensions that were sold have been used by their new owners to launch aggressive advertising campaigns. A developer reported last week that after he sold his extension, it was turned into adware. That extension had more than 30,000 users before it was sold. Another developer reported a similar incident. Chrome extensions are updated in the background without user interaction unless the extension's permissions are changed. The adware, which works in the background to inject specific ads into the sites users visit, violates the Chrome Web Store developer program policies. Google has banned the two now-questionable extensions from the Chrome Store. It is possible that second-hand extensions could be used for more malicious purposes.
-http://www.computerworld.com/s/article/9245551/Spammers_buy_Chrome_extensions_an
d_turn_them_into_adware?taxonomyId=17
-http://www.zdnet.com/firms-buy-popular-chrome-extensions-to-inject-malware-ads-7
000025342/
-http://www.latimes.com/business/technology/la-fi-tn-google-chrome-extensions-mal
ware-20140120,0,2201554.story#axzz2r0WPWUau
[Editor's Note (Pescatore): This is not specific to Chrome, really. All browser extensions and all apps have this same issue: if the original publisher sells the company, the new owner can use auto-updating to completely change the functions delivered. The various apps stores that Apple, Google, Microsoft, Firefox have or will have can remove them but that doesn't impact already installed extensions or apps. White list approaches that simply rely on publisher certificates won't catch this, either, or at least not quickly - need to have more traditional blacklisting to identify and then remove.
(Honan): Browser vendors should provide users with the ability to remove extensions or apps from their browsers rather than simply disabling them. ]

Cisco Urges Users to Apply Patch for Critical Flaws (January 20, 2014)

Cisco has issued a patch to address three security problems with the RMI implementation in its Secure Access Control System 5.5 and earlier. Users are urged to apply the patch as soon as possible. The three vulnerabilities are a privilege elevation flaw; an unauthenticated user access flaw; and an operating system command injection flaw.
-http://www.theregister.co.uk/2014/01/20/java_bug_burns_borg/

South Korean Credit Bureau Employee Arrested For Allegedly Selling Personal Data to Telemarketers; Executives Resign (January 20, 2014)

An employee of South Korea's Korea Credit Bureau has been arrested for allegedly selling personal information he had access to while working at the company. The breach appears to have affected as many as 20 million people. The compromised information includes names, credit card numbers, and expiration dates. The temporary employee allegedly stole information from the servers of KB Kookmin Card, Lotte Card, and NH Nonghyup Card, and sold the data to phone marketing companies. Managers of the phone marketing companies have been arrested as well.
-http://www.theregister.co.uk/2014/01/20/korea_personal_details_card_breach_20_mi
llion/
-http://www.zdnet.com/bank-data-of-20-million-customers-leaked-in-south-korea-700
0025332/
[Editor's Note (Honan): The top managers of affected credit card companies apologized for the breach and resigned en masse,
-http://www.koreaherald.com/view.php?ud=20140120001002
Now that is the way to get attention for security to the C-Suite. ]

Refrigerator Botnet Report Sparks Skepticism (January 17, 2014)

Reports that a botnet made up of Internet-connected devices including refrigerators, smart TVs, and home-networking routers prompted skepticism among knowledgeable tech journalists. The initial report from Proofpoint said that the botnet had been responsible for sending out three-quarters of a million malicious messages over a two-week period, and that the attackers exploited default passwords and old Linux flaws. While such a scenario is "feasible," according to Ars Technica, "There's a significant lack of technical detail for a report with such an extraordinary finding." The researchers did not monitor command-and-control servers, nor did they provide a malware sample.
-http://arstechnica.com/security/2014/01/is-your-refrigerator-really-part-of-a-ma
ssive-spam-sending-botnet/
-http://www.theregister.co.uk/2014/01/20/spam_spotted_leaving_the_fridge/
-http://www.cnn.com/2014/01/17/tech/gaming-gadgets/attack-appliances-fridge/index
.html
[Editor's Note (Ullrich): Malware infected devices are nothing new. Usually, the device is just infected like any other computer that runs the operating system installed on the device. They sometimes are easier to exploit as they are less likely to be patched. ]

ICS-CERT Warns of Buffer Overflow Flaw in Ecava IntegraXor SCADA System (January 17, 2014)

The US Department of Homeland Security's (DHS's) ICS-CERT (Industrial Control System Cyber Emergency Readiness Team) has warned of a buffer overflow vulnerability in the Ecava IntegraXor SCADA system. The flaw could be exploited to knock vulnerable systems offline or inject malware that could remotely monitor and control the systems. The vulnerable product is widely used in 38 countries. A proof-of-concept exploit has been found. The vendor has issued a customer notification that includes mitigation guidance.
-http://www.infosecurity-magazine.com/view/36514/critical-infrastructure-targeted
-by-nightmare-global-threat
-http://ics-cert.us-cert.gov/advisories/ICSA-14-016-01
-http://www.integraxor.com/blog/buffer-overflow-vulnerability-note/

House Bill Would Amend Affordable Care Act, Require Weekly Report of Site's Tech Issues (January 16, 2014)

US legislators have passed a second bill imposing requirements on the HealthCare.gov website aimed at bolstering the site's security. The bill would amend the Affordable Care Act to bring more transparency to the health care exchanges. The bill also calls for Congress to receive weekly reports about technical issues the site experiences, including privacy and security issues. Legislation passed the week before would require the healthcare website to notify people affected by breaches within two days of their discovery.
-http://www.govinfosecurity.com/house-passes-2nd-healthcaregov-bill-a-6402

Several Legislative Committees Want to Hold Hearings About Target Breach (January 14 & 15, 2014)

A Target representative will testify about the company's massive data breach before a House Commerce subcommittee in early February. The Senate Commerce Committee, Judiciary Committee, and Banking Committees are also seeking information from Target about the breach.
-http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-
data-breach-next-month
-http://www.politico.com/story/2014/01/congress-target-data-breach-security-senat
e-commerce-judiciary-banking-102179.html
-http://energycommerce.house.gov/press-release/target-law-enforcement-officials-t
estify-february-subcommittee-hearing-data-breach

Study Says US Government Workers Do Not Practice Good Mobile Device Security (January 14, 2014)

According to a study from the Mobile Work Exchange, many US federal government employees are not taking appropriate measures to secure their mobile devices, despite established security policies. The report, commissioned by Cisco Systems, focused on tablets, smartphones, and laptops. While physical security seems to be more entrenched - 86 percent of the workers lock their computers while away from their desks - - more than 40 percent of the 155 government workers surveyed use their mobile devices in ways that put their agencies and the devices at risk for a breach. Issues include using public wireless networks, failure to employ multi-factor authentication or encryption, and 25 percent do not use passwords for their devices. Also, downloading personal apps and opening messages from senders they do not know.
-http://www.darkreading.com/end-user/feds-failing-to-secure-their-mobile-devi/240
165345
-http://www.mobileworkexchange.com/hotzone/report

---

STORM CENTER TECH CORNER

Fake Utility Bills Used as Malware Lure
-https://isc.sans.edu/forums/diary/Anatomy+of+a+Malware+distribution+campaign/174
59

RFI Scans Linked to Vega Vulnerability Scanner
-https://isc.sans.edu/diary.html?storyid=17450

EncFS Audit Finds Significant Weaknesses
-https://defuse.ca/audits/encfs.htm

95% of ATMs Use Windows XP
-http://www.businessweek.com/articles/2014-01-16/atms-face-deadline-to-upgrade-fr
om-windows-xp

Port Scans Probing Commonly Used Alernative Ports
-https://isc.sans.edu/forums/diary/You+Can+Run+but+You+Can+t+Hide+SSH+and+other+o
pen+services+/17465

Google Chrome Extensions Taken Over by Spammers
-http://www.labnol.org/internet/sold-chrome-extension/28377/

Refrigerator Used to Send Spam
-http://www.marketwatch.com/story/proofpoint-uncovers-internet-of-things-iot-cybe
rattack-2014-01-16?reflink=MW_news_stmp

Fix for Starbucks iOS app released
-http://seclists.org/fulldisclosure/2014/Jan/64

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/