SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #72

September 10, 2014

TOP OF THE NEWS

Home Depot Confirms Payment System Breach
Home Depot Breach Launched With Same Malware Used in Target Breach
Dyre Malware Targeting Salesforce Users

THE REST OF THE WEEK'S NEWS

OpenSSL Project Announces Vulnerability Management Policy
China Snooping on Scholars' Google Searches
FBI Says Silk Road Server Located Through Data Generated by Misconfigured Login Window
Mozilla Retires 1,024-bit Certificates; 100,000+ Websites Now "Untrusted"
New Zealand ISP Outage Blamed on Poorly-Configured Modems and DDoS
Windows Cyber Espionage Malware Ported to Mac
NIST Seeks to Determine Awareness and Effectiveness of Cyber Security Framework

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec ***************************
Symantec Webcast: The Internet of Things (IOT) today is in its infancy. There are no standards overall and there are industry nuances that further complicate security. Join our webcast to learn what the IoT means today, what devices have been hacked and what have not and best practices for dealing with the security issues that IoT creates.
http://www.sans.org/info/166877
***************************************************************************

TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 16 courses.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Home Depot Confirms Payment System Breach (September 8, 2014)

Home Depot has confirmed that its payment system was breached, compromising customer payment card data. The attack appears to affect transactions in USA and Canadian stores since April 2014; stores in Mexico and online transactions appear not to have been affected. Home Depot plans to implement chip-and-PIN security by the end of this calendar year.
-http://arstechnica.com/security/2014/09/home-depot-confirms-breach-but-stays-mum
-as-to-size/
-http://www.nbcnews.com/tech/security/home-depot-confirms-credit-card-data-breach
-n198621
[Editor's Note (Murray): Home Depot's commitment to join other retail chains in Implementing EMV is welcome. It must be met by the large credit card issuers issuing EMV cards. However, even this is only a small step in addressing the leakage of credit card numbers from mag-stripes and the ease with which credit card numbers can be fraudulently used. (This afternoon we expect Apple to announce that the iPhone 6 will include an NFC radio for use in retail payments. At one extreme NFC can be used to emulate RFID credit cards that pass the credit card number in the clear. While no more secure than mag-stripe, such an implementation would have the advantage of being compatible with many existing systems. At the other extreme, NFC could be used to pass a one-time token value in place of the credit card number. This implementation would be very secure but would not be compatible with existing systems. Between these two extremes there are many possibilities. One hopes that Apple, as it has done so often in the past, uses its clout and creativity to change the game.) ]

Home Depot Breach Launched With Same Malware Used in Target Breach (September 7 & 8, 2014)

The malware used to steal customers' payment card data from point-of-sale systems at Home Depot is a variant of that used in last year's Target breach. The new version of the BlackPOS malware has been dubbed KAPTOXA. Brian Krebs also notes that cards stolen from Home Depot were appearing on the same underground forum where cards stolen from Target's systems had appeared.
-http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
-http://www.scmagazine.com/blackpos-malware-that-struck-target-also-linked-to-hom
e-depot-breach-report-says/article/370362/
[Editor's Note (Murray): Yes, and it likely got in the same way. If you operate remote access, you MUST use strong authentication. If you operate point of sale systems, you MUST resist and monitor arbitrary changes to the program content of such systems; "restrictive access control policy," "lock-down," "application white-listing," "TripWire," etc. Questions? ]

Dyre Malware Targeting Salesforce Users (September 8, 2014)

Salesforce is warning that malware known as Dyre or Dyreza is being used to target its customers. Dyre was first noticed in June 2014; criminals were using it to steal online banking account access credentials. Now they could be using it to target Salesforce credentials, which would allow them to steal databases or spread the malware more widely.
-http://www.theregister.co.uk/2014/09/08/salesforcecom_warns_users_they_are_the_t
arget_for_new_rat_dyre/
-http://www.scmagazine.com/salesforce-warns-of-dyre-malware-possibly-targeting-us
ers/article/370366/
-https://help.salesforce.com/apex/HTViewSolution?urlname=Security-Alert-Dyre-Malw
are&language=en_US
[Editor's Note (Murray): The source of the warning, the target, and the malware are not the important issues here. This is simply one more example of permanent and significant escalation in the threat environment. While Salesforce users might want to implement the recommended "work-around," we all must implement systemic changes to our security strategies and architectures. ]

---

**************************** SPONSORED LINKS ******************************
1) Revelations about recent European infrastructure compromises involving ICS-capable malware is grabbing headlines. Cut through the speculation and take a deep look why our exposure is growing. Learn from leading researchers and practitioners how to safeguard your control systems from targeted attacks. Don't miss out on the SANS ICS Summit Amsterdam. http://www.sans.org/info/166882

2) Security for the People: End-User Authentication Security on the Internet Tuesday, September 23 at 3:00 PM EDT (19:00:00 UTC) with Mark Stanislav and Paul Robert. http://www.sans.org/info/166887

3) Database Encryption - Defining the Root of Trust - Friday, September 19 at 1:00 PM EDT (17:00:00 UTC) Andreas Philipp and Greg Porter. http://www.sans.org/info/166892
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

OpenSSL Project Announces Vulnerability Management Policy (September 8, 2014)

The OpenSSL Project has released its vulnerability management policy. Security issues will be classified as high, moderate, or low severity. High severity issues will remain private to OpenSSL's development team with the exception of notification of certain Linux and BSD distributions so they can create fixes to release. The OpenSSL Project cautions those vendors against using vulnerabilities disclosures to their competitive advantage. Organizations that receive pre-notification will be dropped from that program if they leak information or do not add value by providing feedback and test results.
-http://www.zdnet.com/openssl-to-prenotify-distros-of-severe-security-fixes-70000
33409/
-http://www.pcworld.com/article/2604440/openssl-warns-vendors-against-using-vulne
rability-info-for-marketing.html
[Editor's Note (Pescatore): The policy is a departure from older open source practices of making all bugs (including security vulnerabilities) known immediately, but is pretty much in line with well-established and well-understood responsible vulnerability reporting norms. Third parties will add CVSS scores, but it would be good to see OpenSSL do that to show that their high/moderate/low ratings are repeatable. ]

China Snooping on Scholars' Google Searches (September 5 & 8, 2014)

People conducting research in China are being watched by authorities when they conduct Google searches. Public Internet users in China are not able to use Google at all, but scholars at research institutions are able to use the search engine through the CERNET education network. Authorities in China were able to see what those scholars were researching until Google began encrypting searches. Now China uses a man-in-the-middle attack to keep an eye on CERNET users' searches.
-http://www.infosecurity-magazine.com/news/china-man-in-the-middle-attack/
-http://www.nextgov.com/cybersecurity/2014/09/china-intercepting-researchers-goog
le-searches/93326/?oref=ng-channelriver
-http://www.netresec.com/?page=Blog&month=2014-09&post=Analysis-of-Chines
e-MITM-on-Google
In a related story, a Chinese man is suing state telecommunications company China Unicom for blocking his access to Google.
-http://www.pcworld.com/article/2603240/chinese-man-sues-state-telecom-firm-for-b
locking-google.html

FBI Says Silk Road Server Located Through Data Generated by Misconfigured Login Window (September 6 & 8, 2014)

The FBI says it was able to exploit a leaky CAPTCHA tool to detect the location of Silk Road servers and ultimately arrest the online black marketplace's founder Ross William Ulbricht. The server was in a facility in Iceland and was hidden through the Tor network. Ulbricht's defense team had accused the US government of using illegal tactics to locate the servers and demanded an explanation of their methods. The FBI says that the location of the server was not discovered by illegal means, but by exploiting a misconfigured login window for the site that leaked its IP address.
-http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk
-roads-server/
-http://www.v3.co.uk/v3-uk/news/2363958/fbi-used-leaky-captcha-to-catch-silk-road
s-hidden-web-servers
-http://arstechnica.com/tech-policy/2014/09/feds-say-nsa-bogeyman-did-not-find-si
lk-roads-servers/
-http://www.scribd.com/doc/238844570/FBI-Explanation-of-Silk-Road-vulnerability

Mozilla Retires 1,024-bit Certificates; 100,000+ Websites Now "Untrusted" (September 8, 2014)

Because Mozilla allowed its 1,024-bit certificates to expire, more than 100,000 websites are now considered untrusted by that company's browsers. Chrome has not allowed its 1,024-bit certificates to expire due to just those concerns.
-http://www.theregister.co.uk/2014/09/08/107000_dodgy_sites_struck_by_mozilla_unt
rusted_torpedo/
[Editor's Note (Pescatore): The Certificate Authority and Browser industries have invested very little in educating the public about the meaning of the color of URLs in the browser based on certificate status or on the best way to deal with popups with warnings. So, the vast majority of users will just click through, anyway. On the issue of should Mozilla wait longer before allowing 1024 bit certs to expire: if there are 5 million servers running public SSL certificates, 100K is only 2% - 98% won't have a problem.
(Northcutt): I applaud Mozilla. They were a bit slow in retiring MD5 signed certs, but are a leader here. Certificates are a key part of ecommerce. We need to continue to establish a practice of due care.]

New Zealand ISP Outage Blamed on Poorly-Configured Modems and DDoS (September 7, 2014)

New Zealand Internet service provider (ISP) Spark says that service outages over the weekend were the result of poorly-configured home modems that had been hijacked. The network was then used to launch a distributed denial-of-service (DDoS) attack against addresses in Eastern Europe.
-http://www.smh.com.au/it-pro/security-it/spark-still-probing-new-zealand-interne
t-outage-20140908-10dtwi.html
[Editor's Note (Honan): A timely reminder of the challenges we face in securing the so called Internet of Things. If consumers cannot manage to secure their DSL modems, we should not expect them to be able to secure other devices in their homes. This makes it even more essential that vendors look at ways to make managing, patching, and securing their devices by the average consumer simple and easy. Of course simple, easy, and secure is itself a big challenge. ]

Windows Cyber Espionage Malware Ported to Mac (September 5, 2014)

A variant of backdoor malware used to infect systems with advanced persistent threats (APTs) on Windows systems has now been found targeting Mac systems. The malware, known as XSLCmd, "was created and is used by a cyber espionage group that has been operating since at least 2009."
-http://www.scmagazine.com/apt-group-adapts-windows-backdoor-to-target-mac-comput
ers/article/370036/
-http://www.csoonline.com/article/2602956/security/cyberespionage-group-starts-us
ing-new-mac-os-x-backdoor-program.html

NIST Seeks to Determine Awareness and Effectiveness of Cyber Security Framework (August 26 & September 8, 2014)

The National Institute of Standards and Technology (NIST) has released a request for information (RFI) regarding the level of awareness about the cyber security framework among companies that operate elements of the country's critical infrastructure, NIST also wants to know what effect the framework is having on their security postures. Comments will be accepted through October 10, 2014.
-https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-t
he-framework-for-improving-critical-infrastructure-cybersecurity#h-9
">https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-t
he-framework-for-improving-critical-infrastructure-cybersecurity#h-9
-https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-t
he-framework-for-improving-critical-infrastructure-cybersecurity#h-9
">https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-t
he-framework-for-improving-critical-infrastructure-cybersecurity#h-9
[Editor's Note (Paller): What a self-serving, scientifically-flawed undertaking! The only people who will answer are those who have heard about the NIST framework and want to spend time to reinforcing it. Having no other data, NIST will report, "The vast majority of Americans (or respondents) know about the Framework and report that is an important element in their xx yy and zz." Wow! ]

---

STORM CENTER TECH CORNER

Brute Forcing Passwords for Spam?
-https://isc.sans.edu/forums/diary/Odd+Persistent+Password+Bruteforcing/18621

Microsoft Patch Tuesday
-http://technet.microsoft.com/library/security/ms14-sep

Adobe Patch Tuesday
-http://helpx.adobe.com/security/products/reader/apsb14-20.html

Fireeye Discovers XSLCmd backdoor being ported from Windows to OS X
-http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-x
slcmd-backdoor-now-on-os-x.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/