SANS NewsBites - Volume: XVI, Issue: 9

*************************************************************************
SANS NewsBites                     January 31, 2014                    Volume: XVI, Issue: 9
*************************************************************************
TOP OF THE NEWS

  Target Breach Used Stolen Vendor Access Credentials
  Yahoo Resetting Passwords After Compromise Attempts

THE REST OF THE WEEK'S NEWS

  Securities and Exchange Commission to Examine Asset Managers' Security Practices
  US Justice Department is Investigating Target Breach
  ChewBacca Malware Targets Point-of-Sale Systems
  Twitter Account Lost to Extortionist
  Terrorism Defendant Challenging FISA Amendments Act
  NSA Appoints Internal Civil Liberties and Privacy Officer
  Cross-Platform Java Malware
  Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA
  Dutch Court Lifts Ban on The Pirate Bay
  SpyEye Author Enters Guilty Plea

STORM CENTER TECH CORNER

  STORM CENTER TECH CORNER


************************ Sponsored By Bit9 *****************************
When it comes to endpoint security, organizations find themselves in a difficult situation. Most enterprises have host-based security software (i.e., antivirus software) installed on almost every PC and server, yet their IT assets are constantly attacked and compromised by sophisticated malware and targeted attacks. Download this whitepaper to learn more. http://www.sans.org/info/150335
***************************************************************************
TRAINING UPDATE

- -- SANS Cyber Threat Intelligence Summit Arlington, VA Feb. 4-11, 2014 This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at

http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Target Breach Used Stolen Vendor Access Credentials (January 30, 2014)
A Target spokesperson said that the breach that compromised payment card details and personal information of millions of the retailer's customers came about through credentials stolen from a vendor. A preliminary look at the malware used in the breach suggested that the attackers may have exploited a vulnerable feature in IT management software on the company's internal network.
-http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452
-http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapp
ed-vendor-credentials/d/d-id/1113641

-http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-
7000025780/

-http://www.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendo
r_credentials?taxonomyId=17

-http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdo
or-in-widely-used-server-software/

-http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
[Editor's Note (Pescatore): That just means that (1) Target was allowing 3rd parties to access its network without strong authentication; and (2) Target wasn't monitoring what those weakly authenticated 3rd parties were doing once they got on Target's internal network.
(Murray): This report is very late in coming but no surprise. The failure to report this on a timely basis has invited an incredible amount of hardly credible but misleading speculation. The Verizon Data Breach Incident Report shows that perhaps a third of the breaches in their (admittedly biased) dataset involve misuse of privileged vendor access. Often the victims are not even aware of this access. ]


Yahoo Resetting Passwords After Compromise Attempts (January 30, 2014)
Yahoo has reset passwords for Yahoo Mail accounts that appear to have been compromised. Yahoo said that the attackers had likely stolen usernames and passwords from a third-party database and attempted to use the information to log into Yahoo Mail accounts. Users whose accounts were affected received messages from Yahoo notifying them of "unusual activity on the network." Internet Storm Center:
-https://isc.sans.edu/forums/diary/Attack+on+Yahoo+mail+accounts/17543
-http://money.cnn.com/2014/01/30/technology/security/yahoo-hack/
-http://www.computerworld.com/s/article/9245908/Yahoo_resets_passwords_after_emai
l_hack?taxonomyId=17

-http://www.theregister.co.uk/2014/01/31/yahoo_mail_users_change_your_password_no
w/

-http://arstechnica.com/security/2014/01/mass-hack-attack-on-yahoo-mail-accounts-
prompts-password-reset/

[Editor's Note (Pescatore): Yahoo seems to have moved quickly on this attack, a good thing. Yahoo also passes the "security sniff test" - www.yahoo.com/security is actually a useful site.
(Ullrich): Yet another case of shared passwords leading to compromise. Use different passwords for different accounts, or your password is only as secure as the security of the weakest site you use it with. A compromised e-mail account can also easily lead to more targeted attacks (remember HB Gary?). ]



************************** Sponsored Links: ******************************
1) Advanced threats require modern security. Find out the 10 must-haves for your next security solution. Download your buyer's guide now! http://www.sans.org/info/150340

2) Tune in for a SANS "Special Webcast" sponsored by IBM, "Continuous Monitoring & Mitigation: Responding to Emerging Threats". http://www.sans.org/info/150345

3) Join SANS' Dr. Eric Cole and BeyondTrust's, Mike Yaffe in a live webinar where they will discuss and focus on the 8 Critical Security Controls specifically designed to address user and asset-based risks. http://www.sans.org/info/150350
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Securities and Exchange Commission to Examine Asset Managers' Security Practices (January 30, 2014)
The US Securities and Exchange Commission (SEC) plans to find out whether asset managers have established policies to prevent, detect, and respond to cyber attacks against their systems. Part of the examination will focus on whether the managers are taking adequate precautions to protect their systems from the dangers that could arise from vendors having access to those systems. The security policy scrutiny will be incorporated into the SEC's regular examination of investment advisers and companies.
-http://www.baltimoresun.com/business/sns-rt-us-sec-cyber-assetmanagers-20140130,
0,6544544.story

[Editor's Note (Pescatore): Honestly, I would rather the SEC examiners devote all their time to finding financial scandals and misconduct earlier in their audit processes. Having SEC examiners evaluate asset managers' security policies is going to be about as effective as security experts reviewing asset managers financial policies. ]


US Justice Department is Investigating Target Breach (January 29, 2014)
US Attorney General Eric Holder says that the Department of Justice (DOJ) is investigating the Target data breach. The DOJ hopes to find the people responsible for the attack as well as people who use the stolen information. DOJ does not normally publicize its involvement in investigations. The Secret Service is also investigating the breach.
-http://www.computerworld.com/s/article/9245873/U.S._is_investigating_Target_data
_breach_AG_Holder_says?taxonomyId=17http://www.govinfosecurity.com/feds-investig
ating-target-breach-a-6450

-http://news.cnet.com/8301-1009_3-57617999-83/justice-department-looking-into-tar
get-data-breach/

-http://www.scmagazine.com//doj-gets-involved-in-target-breach-investigation/arti
cle/331671/



ChewBacca Malware Targets Point-of-Sale Systems (January 30, 2014)
A strain of malware known as ChewBacca has infected numerous retailers' point-of-sale (POS) systems and uses keylogging and memory scraping features to steal customers' personal information, including payment card details. Over the past three months, ChewBacca appears to have infected nearly 120 POS terminals at 45 different retailers, compromising more than 50,000 payment cards. Affected retailers have not been named, but there does not appear to be a connection between ChewBacca and the breaches of systems at Target, Neiman Marcus, and Michaels.
-http://www.darkreading.com/attacks-breaches/point-of-sale-system-attack-campaign
-hit/240165813

-http://www.computerworld.com/s/article/9245905/Tor_enabled_malware_stole_credit_
card_data_from_dozens_of_retailers?taxonomyId=17

[Editor's Note (Murray): The use of the unique software relates the attack to one or a few attackers. Similar attacks account for a significant portion of those in the Verizon Data Breach Incident Report. This report is likely not being read by small merchants nor by the application vendors that serve them. ]


Twitter Account Lost to Extortionist (January 29 & 30, 2014)
A California man claims to have lost his Twitter account to an extortionist who was allegedly holding the man's other online accounts and services hostage. Naoki Hiroshima has been using the @N Twitter account since 2007 and says that there have been numerous other attempts to steal it. The extortionist managed to gain control of Hiroshima's domain name and through that, was able to control Hiroshima's email. Hiroshima surrendered the Twitter handle to regain control of the domain names, and was also able to get the hacker to tell him how he managed to gain control of the domain names in the first place.
-http://www.theregister.co.uk/2014/01/30/rare_twitter_account_stolen/
-http://arstechnica.com/security/2014/01/how-i-lost-my-50000-twitter-username/
-http://www.eweek.com/blogs/security-watch/saving-n-how-social-engineering-stole-
a-user-identity.html

[Editor's Note (Ullrich): This isn't the first time the last four digits of a credit card lead to further compromise. About 1 1/2 years ago, a journalist's iCloud account was compromised after using the last four digits of a credit card to reset his password. Do not rely on "public" information for authentication, and make sure your password reset process isn't the weak link in your authentication procedure.
(Honan): This story, and that of Mat Honan from last year, make interesting reading on how social engineering attacks are utilising pieces of information that we leave at different providers around the Internet. They highlight why we should employ two factor authentication on all the services that provide it. In particular, as more and more companies move to engage with various cloud service providers they should ensure that the systems to access those accounts are as protected as they can be. ]


Terrorism Defendant Challenging FISA Amendments Act (January 29, 2014)
A man who was charged based on evidence gathered by the NSA's warrantless surveillance programs has filed a lawsuit challenging the constitutionality of that program. Jamshid Muhtorov is a political refugee and permanent US resident from Uzbekistan now living in Colorado. Last year, the Supreme Court ruled against a suit challenging the same law because the plaintiffs in that case could not prove that their communications had been intercepted.
-http://www.washingtonpost.com/world/national-security/terrorism-suspect-challeng
es-warrantless-surveillance/2014/01/29/fb9cc2ae-88f1-11e3-a5bd-844629433ba3_stor
y.html

-http://www.wired.com/threatlevel/2014/01/electronic-surveillance-challenge/
-http://arstechnica.com/tech-policy/2014/01/in-rare-move-terrorism-suspect-challe
nges-core-of-warrentless-snooping-law/

-http://www.computerworld.com/s/article/9245874/Man_charged_with_aiding_terrorist
_group_challenges_use_of_NSA_collected_data?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57618053-83/nsas-warrantless-surveillance-gets-
a-constitutional-challenge/

Motion to Suppress:
-http://apps.washingtonpost.com/g/documents/world/defendant-challenges-nsas-warra
ntless-surveillance-program/765/



NSA Appoints Internal Civil Liberties and Privacy Officer (January 29, 2014)
The US National Security Agency (NSA) has appointed its first civil liberties and privacy officer. Rebecca Richards has served as a deputy privacy official at the US Department of Homeland Security (DHS). When she begins her new responsibilities next month, Richards will "serve as the primary advisor to the Director of NSA for ensuring that privacy is protected and civil liberties are maintained by all of NSA's missions, programs, policies, and technologies."
-http://www.nextgov.com/cybersecurity/2014/01/nsa-finally-names-its-internal-priv
acy-advocate/77774/?oref=ng-channeltopstory

-http://www.scmagazine.com//nsa-hires-first-ever-privacy-and-civil-liberties-offi
cer/article/331656/

-http://www.computerworld.com/s/article/9245840/NSA_gets_its_first_civil_libertie
s_and_privacy_officer?taxonomyId=17

[Editor's Note (Honan): As a non-US citizen I, and many others outside the US, hope that this role also considers the civil liberties and privacy rights of non-US citizens. ]


Cross-Platform Java Malware (January 29, 2014)
Researchers have found Java-based malware that is capable of infecting Windows, Mac OS X, and Linux systems. The malware exploits a known flaw in Java 7 u21 and earlier for which Oracle released a patch in June 2013. The malware communicates with an Internet relay chat channel that serves as a command-and-control server. The network of computers compromised by this malware is used to launch distributed denial-of-service (DDoS) attacks.
-http://arstechnica.com/security/2014/01/java-based-malware-driving-ddos-botnet-i
nfects-windows-mac-linux-devices/

-http://www.zdnet.com/cross-platform-java-bot-found-7000025736/
[Editor's Note (Ullrich): Not only does this malware run on different operating systems, but it is also smart enough to add itself as an auto-start program on each operating system. ]


Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA (January 29, 2014)
The US District Court for the Northern District of California has dismissed a lawsuit against Keith Freedman, who was accused of accessing and copying information from his former employee's servers. The suit alleged that Freedman had violated provisions of the Computer Fraud and Abuse Act (CFAA). Freedman used valid credentials to access the information, according to the court, which does not constitute a violation of the CFAA. Freedman was accused of accessing his former employer's data while using access credentials issued to one of the firm's customers while Freedman was doing work for both companies. US Magistrate Judge Paul Grewal wrote, "CFAA regulates access to data, not its use by those entitled to access it."
-http://www.computerworld.com/s/article/9245867/Misuse_of_proprietary_data_alone_
doesn_t_violate_CFAA_judge_rules?taxonomyId=17

-http://www.courthousenews.com/2014/01/29/64921.htm


Dutch Court Lifts Ban on The Pirate Bay (January 28 & 29, 2014)
A Dutch court has lifted a ban on The Pirate Bay, allowing Internet service providers to permit users to access the torrent site. The Dutch Court of Appeals in The Hague determined that a ban on The Pirate Bay had proven to be ineffective at stopping piracy. The court found that while the block order reduced traffic to The Pirate Bay, torrent levels did not decline. Users determined to obtain copyrighted material illegally were finding ways of obtaining the content. The ruling also means that the anti-piracy group that brought the original case must now pay ISPs 400,000 euros (US $542,000) in legal costs. That group, Brein, is considering taking the case to the country's Supreme Court.
-http://www.bbc.co.uk/news/technology-25943716
-http://www.scmagazine.com//dutch-court-lifts-ban-on-torrent-website-due-to-ineff
ectiveness/article/331451/s



SpyEye Author Enters Guilty Plea (January 28 & 29, 2014)
Aleksandr Andreevitch Panin has pleaded guilty to charges of conspiracy to commit wire and bank fraud in connection with creating the SpyEye malware. At its peak, SpyEye infected more than 1.4 million computers around the world. It was used to steal financial account access information, which was then used to conduct fraudulent transactions. Panin sold SpyEye for between US $1,000 and US $8,000, customizing the toolkit for different customers. Panin was arrested in the US last July. His sentencing is scheduled for late April.
-http://www.scmagazine.com//spyeyes-primary-developer-and-distributor-pleads-guil
ty-in-us/article/331667/

-http://www.darkreading.com/attacks-breaches/spyeye-creator-got-sloppy-then-got-n
abbe/240165783

-http://www.wired.com/threatlevel/2014/01/spy-eye-author-guilty-plea/
-http://news.cnet.com/8301-1009_3-57617964-83/spyeye-malware-inventor-pleads-guil
ty-to-bank-fraud/

[Editor's Note (Honan): Well done to all the parties involved in this case. It is a good example of how information sharing and cooperation between law enforcement agencies and private sector companies can result in criminals being jailed. This case involved law enforcement agencies in the US, UK, Thailand, Australia, The Netherlands, The Dominican Republic, and Bulgaria. Private sector companies included Trend Micro, Microsoft, Dell Secureworks, Mandiant, and a Norwegian security research team. Details of the case, and of those involved are available on the US Department of Justice's website
-http://www.justice.gov/opa/pr/2014/January/14-crm-091.html]



STORM CENTER TECH CORNER

How to Debug DKIM Deployments
-http://dkim.org


Exploit for Oracle Reports Vulnerability Now Public
-http://www.exploit-db.com/exploits/31253


MediaWiki Security Patch
-http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html


How to Send Mass E-Mail the Right Way
-https://isc.sans.edu/forums/diary/How+to+send+mass+e-mail+the+right+way/17495


Android IMSI Catcher Detector
-https://github.com/SecUpwN/Android-IMSI-Catcher-Detector


New gTLD Names
-https://isc.sans.edu/diary.html?storyid=17540


Linux 3.4 Kernel Priv. Escalation Vulnerability
-http://www.openwall.com/lists/oss-security/2014/01/31/2


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/