SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #7
January 24, 2014
Save $400 on SANS' highest-rated courses and teachers by registering for SANS2014 (Orlando) by February 12.
TOP OF THE NEWS
More Details on Neiman Marcus Data Breach
Bulk of China's Internet Traffic Temporarily Redirected to US-Based Addresses
THE REST OF THE WEEK'S NEWS
Judge Who Ruled NSLs Unconstitutional Enforces New Orders
Study Says France's Three-Strike Policy Has Not Curbed Piracy
Verizon Releases Transparency Report
Google Downplays Eavesdropping Possibility in Chrome Speech Recognition Feature
Cross-Platform Malware Targeting Android Devices
Android Malware Intercepts Incoming Communications
Patch NTP Servers to Prevent Their Abuse in Amplification Attacks
Tor Spy Nodes Detected
Thirteen People Indicted in Gas Pump Bluetooth Skimming Scheme
DHS Warns Contractors of Data Breach
Heads of Credit Card Companies Affected by South Korean Data Breach Apologize
STORM CENTER TECH CORNER
************************* Sponsored By Bit9 ****************************
Windows XP will be going end of life in a few short months. Are you ready? This new eBook explains how you can keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support. Download today http://www.sans.org/info/149435
***************************************************************************
TRAINING UPDATE
--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014
--SANS Cyber Threat Intelligence Summit Feb. 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit
--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
--ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
--Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Dubai, Tokyo, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
More Details on Neiman Marcus Data Breach (January 23, 2014)
In a statement on its website, retailer Neiman Marcus says that a recently acknowledged data breach of point-of-sale systems at its stores affected 1.1 million payment card accounts. The data were stolen between July 16 and October 30, 2013. Although the FAQ portion of Neiman Marcus's breach notice says that the company has "no knowledge of any connection to" the Target breach, the same malware appears to have been used in both breaches.
-http://www.zdnet.com/neiman-marcus-1-1-million-cards-compromised-7000025513/
-http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html
-http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114
[Editor's Note (Murray): Both Target and N-M continue to use the term "point-of-sale" in their PR even as such little other information as they have disclosed makes it unlikely that the Windows based malware could possibly have run at the point-of-sale. While it is possible that they even think of these servers as part of their point-of-sale system, use of this term is at best confusing, in some cases obviously misleading. The likely point of compromise is credentials of privileged users of payment system servers. The methods of attack are those well documented by the Verizon Data Breach Incident Report. The appropriate responses include Strong Authentication for privileged users and two-step or two-person controls for any change to software on these systems.
(Paller): Actually it appears the attack did exploit Windows-based point of sale systems, though the original entry point was likely separate (wireless or SQL injection are possibilities). The solutions Bill Murray points out are useful as an interim fix, but a much better fix is to move to chip and pin credit cards as Europe has done. Sadly, the credit card companies earn profits on fraudulent transactions - only the retailers lose money. Unless the retailers stand up, as one, to demand chip and pin, the credit card companies probably won't make the needed investment. ]
Bulk of China's Internet Traffic Temporarily Redirected to US-Based Addresses (January 22, 2014)
Earlier this week, DNS lookups for a large share of China's Internet traffic resolved to a single IP address belonging to a company in the US, so users were sent to a blank page instead of the sites they requested. Chinese Internet users found they were unable to reach websites, whether hosted in China or overseas, under top-level domains such as .com, .net, and .org; sites under .cn were unaffected. The misdirection itself lasted only a few hours, but its effects lingered well after it was corrected because the bogus answers remained in DNS caches until their time-to-live expired. While Chinese authorities said the incident was the result of an attack, a more likely explanation is a misconfiguration in the way the country's DNS-based censorship system was being managed. The company that operates the address to which traffic was redirected runs services designed to circumvent China's stringent Internet censorship program.
-http://www.zdnet.com/cn/china-websites-suffer-breach-in-suspected-attack-7000025431/
-http://arstechnica.com/security/2014/01/hack-most-likely-not-the-reason-chinese-traffic-bombarded-us-addresses/
-http://www.nextgov.com/cybersecurity/2014/01/chinese-censors-may-have-accidentally-hacked-themselves-and-caused-major-internet-outage/77297/?oref=ng-channeltopstory
-http://www.computerworld.com/s/article/9245626/China_blames_Internet_outage_on_hacking_attack?taxonomyId=17
-http://bits.blogs.nytimes.com/2014/01/22/big-web-crash-in-china-experts-suspect-great-firewall/
[Editor's Note (Pescatore): This ranks right up there as one of the largest Denial of Service events ever. The Chinese Internet NIC has pointed out that China really needs to invest in more stable and secure DNS services. They probably also need to avoid mucking around with DNS as part of national "Great NetNanny of China" efforts. ]
************************** Sponsored Links: ******************************
1) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/148550
2) 2nd SCADA ICS survey: control systems security experts, give us your thoughts on the issues that keep you up at night! We want your opinions on the threats and challenges facing our infrastructure today. Take our survey now and you might win a free iPad. http://www.sans.org/info/148540
3) Special discount for Government Employees (e.g., federal, state, local, DoD) to attend The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA. Use "CTISummit" for a $1000 discount on the summit alone or "CTICourse" for free summit attendance in conjunction with a full-priced course. http://www.sans.org/info/149440
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Judge Who Ruled NSLs Unconstitutional Enforces New Orders (January 23, 2014)
US District Judge Susan Illston, who last year ruled that the government's use of National Security Letters (NSLs) is unconstitutional, has since enforced several of those same orders. In March 2013, Judge Illston ordered the government to stop using NSLs because they unconstitutionally impinge on free speech. She also ordered the government to stop enforcing the gag orders attached to NSLs that had already been issued. Judge Illston's reasoning is that because the Ninth Circuit will be hearing the appeal of her ruling, it is best to maintain the status quo until that court issues its decision.
-http://www.wired.com/threatlevel/2014/01/judge-nsl/
Study Says France's Three-Strike Policy Has Not Curbed Piracy (January 23, 2014)
A study of French Internet users found that the country's "three-strikes" anti-piracy policy has had little to no effect on users obtaining pirated content. The policy "has not deterred individuals from engaging in digital piracy [nor has it lessened] illegal activity of those who did engage in piracy," according to the report's authors, researchers at the University of Delaware and the University of Rennes. The report does mention another study that found a 20-25 percent increase in sales of French music on iTunes shortly before the law took effect, but the authors attribute that increase to "public education efforts" rather than to the law itself.
-http://arstechnica.com/tech-policy/2014/01/study-of-french-three-strikes-piracy-law-finds-no-deterrent-effect/
-http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2380522
[Editor's Note (Honan): In other news for the music industry, "water is wet." It is high time the music industry stopped criminalizing its customers and engaged in business models which reflect today's way that people consume content. ]
Verizon Releases Transparency Report (January 22, 2014)
Verizon has released its transparency report for 2013, which shows that the US government made more than 321,000 requests for user data in that calendar year. Verizon is the first telecommunications company to publish a transparency report. Of those 321,000 requests, at least 6,000 were court orders for real-time metadata.
-http://arstechnica.com/tech-policy/2014/01/verizon-says-it-received-over-321000-legal-orders-for-user-data-in-2013/
-http://www.nextgov.com/emerging-tech/2014/01/feds-seek-verizons-data-far-more-often-googles-report-reveals/77309/?oref=ng-HPtopstory
-http://news.cnet.com/8301-1009_3-57617614-83/verizon-transparency-report-reveals-164000-subpoenas-1500-wiretaps/
Google Downplays Eavesdropping Possibility in Chrome Speech Recognition Feature (January 22 & 23, 2014)
Google is downplaying reports that the speech recognition feature in its Chrome browser could be used to eavesdrop on users. A web developer demonstrated that a site which has been granted microphone access can keep listening after the user believes they have left it: the site opens a second window underneath the original (a pop-under), and the speech recognition session running in that hidden window keeps the microphone open. Google says the issue is not a threat because of the way the feature is designed: users must grant speech recognition access to each site that requests it, and while the microphone is in use Chrome shows a blinking red indicator in the browser tab and a camera icon in the address bar.
-http://www.computerworld.com/s/article/9245650/Google_dismisses_eavesdropping_threat_in_Chrome?taxonomyId=17
-http://www.theregister.co.uk/2014/01/23/chrome_speech_spying_vulnerability/
-http://arstechnica.com/security/2014/01/speech-recognition-hack-turns-google-chrome-into-advanced-bugging-device/
-http://www.nbcnews.com/technology/google-chrome-can-listen-your-conversations-2D11975178
-http://www.bbc.co.uk/news/technology-25859360
[Editor's Note (Ullrich): Exploiting this bug requires that the user first give permission to the site to use the microphone. Due to the bug, it is not clear to the user when the use of the microphone ends. The easiest workaround is to not give sites permission to use the microphone, or if you do, exit the browser after you are done.
(Pescatore): This reminds me of back in 1999 when US intelligence agencies banned Furby dolls from classified facilities, due to fears of recognition and recording capabilities (which really didn't exist.) Two things to think about: (1) Why would people bring plushie electronic toys to work with them at intelligence agencies?? And (2) Given the performance of ad hoc, speaker independent, untrained speech recognition, should we really worry about this, even if red lights *weren't* blinking?? ]
Cross-Platform Malware Targeting Android Devices (January 23, 2014)
Researchers have detected malware that can jump from Windows PCs to Android handsets over a USB connection. The malware, known as the Fakebank Trojan, uses the Android Debug Bridge (ADB) developer tool to push itself from the infected PC onto an attached Android device; this only works when USB debugging is enabled on the handset. Once on the device, it looks for certain Korean banking applications. If one is found, the user is prompted to install an "update," which is a malicious version of the app. Fakebank also monitors SMS messages.
-http://www.v3.co.uk/v3-uk/news/2324750/windows-banking-trojan-jumps-to-target-android
[Editor's Note (Shpantzer): Monitoring SMS can help intercept two-factor authentication SMS messages from the bank, then proceed to work with the banking app on the phone, post-authentication, to send money out. See also "Android Malware Intercepts Incoming Communications" story in this edition. ]
Android Malware Intercepts Incoming Communications (January 22, 2014)
Android malware called HeHe pretends to be a security app but actually intercepts incoming calls and messages on infected phones. The malware appears to be targeting Korean users. It also collects phone ID data and disconnects some incoming calls.
-http://www.scmagazine.com/new-android-malware-disconnects-calls-intercepts-texts-of-victims/article/330572/
Patch NTP Servers to Prevent Their Abuse in Amplification Attacks (January 21 & 22, 2014)
A recent spate of attacks on online gaming services used Network Time Protocol (NTP) servers as reflectors to amplify distributed denial-of-service (DDoS) attacks: a small query with a spoofed source address, sent to a server that still answers the legacy "monlist" monitoring command, produces a reply many times larger that is delivered to the victim. Since the technique made headlines, researchers have compiled a list of vulnerable systems and are urging administrators to patch or reconfigure their NTP servers so they cannot be used in amplification attacks.
Internet Storm Center:
-https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
-http://www.darkreading.com/vulnerability/no-easy-solution-to-stop-amplification-a/240165528
-http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project/
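As an added example (not code from the NewsBites item or from the linked ISC diary), the following Python script shows what the reflection consists of and how to check a server you administer. It builds the 8-byte NTP mode-7 "monlist" request that reflection attacks spoof, decodes the mode-7 reply header to tell whether a server still hands out monitor records, and computes the payload-level amplification from the reply fragments. The request bytes, the 72-byte record size and the ntp.conf directives come from ntpd's mode-7 protocol and configuration syntax, not from the article; make_reply fabricates reply packets so the parsing can be exercised offline, and the host given to probe is a placeholder you supply. Run it only against servers you are authorized to test.

```python
"""NTP mode-7 'monlist' probe, reply decoder and amplification estimate.
Added example for the NewsBites NTP reflection item; packet layout and
ntp.conf directives are from ntpd, not from the article."""
import socket
import struct

# Mode-7 request header: flags 0x17 = response 0, more 0, version 2, mode 7
# (private); auth/sequence 0; implementation 3 (IMPL_XNTPD); request code 42
# (REQ_MON_GETLIST_1); error/count and mbz/size fields zero. 8 bytes total.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

MONLIST_ENTRY_SIZE = 72  # one MON_GETLIST_1 record as ntpd packs it


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode-7 header shared by requests and replies."""
    if len(pkt) < 8:
        raise ValueError("mode-7 header needs at least 8 bytes")
    flags, _auth_seq, impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(flags & 0x80),   # set on replies
        "more": bool(flags & 0x40),       # more fragments follow
        "version": (flags >> 3) & 0x07,
        "mode": flags & 0x07,             # 7 = private/control
        "implementation": impl,
        "request_code": req,
        "error": err_count >> 12,         # 4-bit error code, 0 = success
        "items": err_count & 0x0FFF,      # 12-bit record count
        "item_size": mbz_size & 0x0FFF,   # 12-bit record size
    }


def monlist_enabled(reply: bytes) -> bool:
    """True when the packet is a successful mode-7 monlist reply carrying at
    least one record, i.e. the server can still be used as a reflector."""
    try:
        h = parse_mode7_header(reply)
    except ValueError:
        return False
    return (h["response"] and h["mode"] == 7 and h["request_code"] == 42
            and h["error"] == 0 and h["items"] > 0)


def amplification_factor(request: bytes, replies: list) -> float:
    """UDP payload bytes returned per payload byte sent (IP/UDP headers not
    included, so on-the-wire ratios differ somewhat)."""
    return sum(len(r) for r in replies) / len(request)


def make_reply(items: int, more: bool = False, error: int = 0) -> bytes:
    """Constructed test data, not a capture: a mode-7 monlist reply with
    `items` zero-filled 72-byte records."""
    flags = 0x80 | (0x40 if more else 0x00) | (2 << 3) | 7
    header = struct.pack("!BBBBHH", flags, 0, 3, 42,
                         (error << 12) | items, MONLIST_ENTRY_SIZE)
    return header + b"\x00" * (items * MONLIST_ENTRY_SIZE)


def probe(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send one monlist request and collect reply fragments until the socket
    times out. Needs network access; use only on hosts you own."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(1024)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# ntp.conf lines that close the hole on ntpd releases older than 4.2.7p26
# (which still ship monlist): stop the monitor list and refuse mode 6/7
# queries from anyone but localhost.
HARDENED_NTP_CONF = """\
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder
    frags = probe(host)
    if frags and monlist_enabled(frags[0]):
        print(f"{host}: monlist ENABLED, {len(frags)} fragments, "
              f"{amplification_factor(MONLIST_REQUEST, frags):.0f}x payload amplification")
    else:
        print(f"{host}: no monlist data (patched, noquery, or unreachable)")
```

A server that no longer answers, or answers with a non-zero error code in the header, either has disable monitor or a noquery restriction in effect or runs ntpd 4.2.7p26 or later, where monlist was removed. A full monlist response is up to 100 fragments of 440 bytes each, which is what makes an 8-byte spoofed request worth sending.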
Tor Spy Nodes Detected (January 21 & 22, 2014)
Computer scientists at Karlstad University in Sweden have detected at least 20 exit relays on the Tor anonymity network that appear to be conducting man-in-the-middle attacks on the traffic passing through them. (The network currently has roughly 1,000 exit relays.) Traffic is encrypted between Tor relays, but the exit relay strips the Tor encryption before forwarding traffic to its destination, so anything the client sent without its own end-to-end protection is visible, and modifiable, to the exit operator. Users are advised to use HTTPS, and to treat a certificate warning while using Tor as a sign of interception rather than clicking through it, since the observed attacks targeted encrypted connections. The suspect relays appear to be run by someone in Russia who intercepts traffic destined for specific sites, including Facebook.
-http://www.computerworld.com/s/article/9245628/Tor_exit_nodes_attempt_to_spy_on_encrypted_traffic_researchers_find?taxonomyId=17
-http://www.wired.com/threatlevel/2014/01/russia-tor-attack/
-http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-trying-to-sabotage-tor-privacy-network/
-http://www.cs.kau.se/philwint/spoiled_onions/
Thirteen People Indicted in Gas Pump Bluetooth Skimming Scheme (January 21, 22, & 23, 2014)
Thirteen people have been indicted in connection with a gas pump card-skimming scheme. Bluetooth-enabled skimming devices were installed inside gas pumps at stores in several southern US states, allowing the gang to collect captured card data wirelessly without having to reopen the pumps; those behind the scheme allegedly used the data to make more than US $2 million in fraudulent ATM withdrawals.
-http://www.theregister.co.uk/2014/01/23/us_card_scammers_pull_2m_petrol_heist/
-http://news.cnet.com/8301-1009_3-57617638-83/13-indicted-in-$2m-gas-station-card-skimming-scheme/
-http://www.wired.com/threatlevel/2014/01/gas-station-skimming-scheme/
-http://krebsonsecurity.com/2014/01/gang-rigged-pumps-with-bluetooth-skimmers/
DHS Warns Contractors of Data Breach (January 21 & 22, 2014)
The US Department of Homeland Security (DHS) has notified contractors that sensitive data belonging to their companies, including private documents and bank account information, were compromised in a security breach. The incident affects at least 114 companies that bid on a DHS Science and Technology Division contract last year.
-http://www.darkreading.com/attacks-breaches/dhs-warns-contractors-about-breach-of-it/240165533
-http://krebsonsecurity.com/2014/01/dhs-alerts-contractors-to-bank-data-theft/
Heads of Credit Card Companies Affected by South Korean Data Breach Apologize (January 21 & 22, 2014)
Following a breach of credit card data allegedly carried out by an employee at a South Korean credit bureau, the chiefs of the three affected credit card companies have apologized for the incident and one has resigned. The breach occurred when an employee of the Korea Credit Bureau allegedly copied consumer information, including names, social security numbers, and credit card data, onto a USB stick and sold it to a marketing company. The stolen data were not encrypted.
-http://news.yahoo.com/south-korea-u-reacted-much-differently-credit-card-214036383.html
STORM CENTER TECH CORNER
Securing and Auditing Citrix Deployments
-https://isc.sans.edu/forums/diary/Taking+care+when+publishing+Citrix+services+inside+the+corporate+network+or+to+the+Internet/17471
Microsoft Office Blog Compromised
-http://www.theregister.co.uk/2014/01/21/syrian_electronic_army_successfully_hacks_microsoft_blogs_yet_again/
Chinese Domain Names Affected by Large Attack/Outage
-http://blogs.wsj.com/digits/2014/01/21/chinas-sina-baidu-and-other-big-websites-are-hit-with-disruptions
Sniffing Bluetooth Using Cheap Software Defined Radios
-http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html
Learning from Breaches: Dept. of Energy Report
-http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf
More about Point of Sale Malware
-http://blog.bitsighttech.com/target-and-neiman-marcus-are-not-alone-malware-abounds-in-the-retail-sector
Would Chip-and-Pin have prevented the Target breach?
-http://blog.easysol.net/2014/01/22/emv-technology-alone-is-not-enough-to-stop-fraud/
13 Individuals Indicted in Skimmer Scam
-http://threatpost.com/13-indicted-in-2m-bluetooth-skimmer-scam/103810
WebRTC Feature in Chrome/Firefox can be used to determine browser local IP
-http://jsfiddle.net/wzh2C/
RSA's Report about Adobe Breach
-http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
Chrome Allows Persistent Microphone Access
-http://talater.com/chrome-is-listening/
UK Porn Filter May Have Blocked Patch
-http://www.reddit.com/r/leagueoflegends/comments/1vitn8/attention_uk_summoners_the_new_antisex_law_may_be/
Survey of Tor Exit Nodes Reveals Man in the Middle Attacks
-http://threatpost.com/small-number-of-malicious-tor-exit-relays-snooping-on-traffic/103771
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/