SANS NewsBites

Volume XVI - Issue #16

February 25, 2014

John Pescatore (the nation's most respected cyber analyst) is hosting a meeting of security managers in the financial industries on March 7 in New York City, focusing on the top issues they face and sharing lessons learned by experienced CISOs who have found effective solutions. The fee is waived for SANS alumni, NewsBites readers, and their co-workers. Details at

Early registration discount ($250 on any 4-6 day course) for SANS 2014 at Disney in early April, if you register by Wednesday Feb 26.



Neiman Marcus Hackers Set Off 60,000 Alarms Missed By Defenders Because of Misguided Automation
Researchers Develop Exploit That Bypasses Microsoft's EMET
Apple Issues Fix for Critical iOS Flaw
Apple Will Fix Encryption Flaw in OS X "Very Soon"


US Attorney General Pushes for Federal Breach Notification Law
Pony Botnet Steals Digital Wallets and Account Access Credentials
Neiman Marcus Says Fewer Cards Affected by Breach Than Originally Stated
Harvard University Researcher Allegedly Used Supercomputing Cluster to Mine Digital Currency
South Korea Plans to Develop Cyberweapons to Use Against North Korean Nuclear Facilities
Source Code for Android iBanking Malware Leaked
Malicious Apps in Google Play Store
Namecheap Hit by 100 Gbps DDoS Attack


READERS RESPOND TO Two-Factor Authentication for Online Banking



************************ Sponsored By Symantec ***************************
Webcast: Recent Retail Breaches in the News - What Can You Learn? March 4, 10:00AM Pacific. Join Symantec CTO Steve Trilling and SVP Fran Rosch (who recently testified about privacy and cybercrime on Capitol Hill) in a discussion of the latest targeted attacks to hit US retailers. Gain insights from Symantec on how targeted attacks are being perpetrated and how a properly configured endpoint can block even the most determined attackers.

- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.

- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.

- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.

- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.

- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?

- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.

- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.

- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!

- --Multi-week Live SANS training
Contact mentor@sans.org

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org



Neiman Marcus Hackers Set Off 60,000 Alarms Missed By Defenders Because of Misguided Automation (February 21, 2014)

Hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company's security systems about 60,000 times, but went unnoticed for more than eight months. The reason: the security system's automation deleted the card-stealing software each day, and the attackers simply reloaded it the next day. Card data were taken from July through October.

Researchers Develop Exploit That Bypasses Microsoft's EMET (February 23 & 24, 2014)

Researchers have developed a proof-of-concept exploit that bypasses protections in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). The toolkit was created to help reduce the risk of attacks that exploit zero-day vulnerabilities. One of the researchers who developed the exploit noted, "The question really is not can EMET be bypassed? Rather, does EMET sufficiently raise the cost of exploitation?"



Apple Issues Fix for Critical iOS Flaw (February 22, 23, & 24, 2014)

Apple has released an update for iOS, its mobile operating system, to fix a critical SSL connection vulnerability. The updated version for iOS 7.x is 7.0.6, and for iOS 6.x, it is 6.1.6. The problem appears to stem from a simple coding error that entirely bypassed the security mechanism. The flaw could be exploited to intercept traffic containing sensitive information, such as bank account access credentials and payment card data.
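The "simple coding error" behind this SSL fix was a duplicated, unconditional `goto fail;` that jumped past the signature check on the server's key exchange, so the handshake succeeded with a still-zero status. The following constructed C example (added here; not Apple's code, with toy stand-ins for the hashing and signature routines) shows that shape beside a corrected form, and applies equally to the OS X instance of the same flaw:

```c
/* Constructed illustration of the bug class behind the iOS 7.0.6 / 6.1.6
 * SSL fix. hash_update() and verify_sig() are toy stand-ins, not real
 * crypto; the point is the control flow around them. */
#include <string.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -9809, errSSLBadHash = -9845 };

/* Toy hash-update step: fails only when handed a NULL buffer. */
static OSStatus hash_update(const char *buf) {
    return buf ? errSecSuccess : errSSLCrypto;
}

/* Toy signature check: only the literal "sig-ok" is accepted. */
static OSStatus verify_sig(const char *sig) {
    return strcmp(sig, "sig-ok") == 0 ? errSecSuccess : errSSLBadHash;
}

/* Vulnerable shape: the second 'goto fail' is not guarded by the if, so it
 * always executes. verify_sig() is never reached and err is still 0 from
 * the successful hash step, so a forged signature "verifies". */
OSStatus verify_server_key_exchange_buggy(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;               /* stray line: unconditional jump, err == 0 */
    if ((err = verify_sig(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: braces make each jump's condition explicit, so the
 * signature result always lands in err before the function returns. */
OSStatus verify_server_key_exchange_fixed(const char *params, const char *sig) {
    OSStatus err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = verify_sig(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}
```

Compiling with unreachable-code and misleading-indentation warnings enabled flags the stray jump in the buggy version; a unit test that feeds a bad signature and expects failure catches it outright.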


Apple Will Fix Encryption Flaw in OS X "Very Soon" (February 22 & 23, 2014)

The SSL encryption vulnerability in iOS also exists in OS X, leaving users vulnerable to man-in-the-middle attacks. Apple says it will release a fix for the flaw in OS X "very soon."



A German security company has made available an unauthorized fix for the vulnerability in OS X Mavericks.

[Editor's Note (Hoelzer): Up until this point Apple has had a fairly decent record of being responsive to discovered security issues. In fact, their response to the iOS version of this flaw was commendable. However, having something that is so easy to fix and so easy to exploit -- but waiting?!?? They will deserve the abuse that the security community heaps on them for this! ]

************************** Sponsored Links: ******************************
1) Can you keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support? http://www.sans.org/info/153272

2) Free Financial Cyber Security Brief in NYC! SANS presents: The SANS Financial Cybersecurity Trends and Challenges briefing. Join John Pescatore, Tony Sager and Alan Paller for this important event for the Financial Community. Set in the heart of the NY Financial District, this FREE breakfast briefing provides critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. http://www.sans.org/info/153277

3) Prevent APTs and Malware in Real Time! Join SANS for a webcast to look at keeping these threats at bay and the Damballa FailSafe solution. Get a look at automating defenses and getting detailed incident info for actionable response in this in-depth SANS product review. http://www.sans.org/info/153282


US Attorney General Pushes for Federal Breach Notification Law (February 24, 2014)

US Attorney General Eric Holder is urging legislators to enact a law that would establish a national breach notification standard, noting that such legislation would better allow people to protect themselves from identity theft and would aid law enforcement investigations. The law would also hold entities that fail to adequately protect sensitive data accountable. While banks and hospitals are subject to federal data breach laws, other companies, such as retailers, have no such standard. Forty-six US states and the District of Columbia each have their own versions of breach notification laws. In a letter to Congress last month, the National Retail Federation reiterated its support for a national breach notification standard.


[Editor's Note (Pescatore): No one has ever been against the idea of national breach notification standards in general. But every time any draft language gets written it is usually lowering the bar, not raising the bar - and rightly gets rejected. However, attempts to raise the bar attract lobbyists like antibodies to germs and those attempts usually die even sooner. Maybe some brave group of representatives will sneak strong language into the nooks and crannies of some popular bill... ]

Pony Botnet Steals Digital Wallets and Account Access Credentials (February 24, 2014)

Botnet malware known as Pony steals digital wallets from computers it infects. In all, the thieves have stolen about US $220,000 worth of virtual currency. Eighty-five digital wallets were pilfered between September 2013 and January 2014. The affected currencies include Bitcoins, Litecoins, Primecoins, and Feathercoins. The malware also stole access credentials for 725,000 website, FTP, secure shell, remote desktop, and email accounts.



Neiman Marcus Says Fewer Cards Affected by Breach Than Originally Stated (February 23, 2014)

Neiman Marcus has adjusted the number of payment cards it believes were affected by the recently disclosed security breach of its payment system. Initially, the number of affected cards was reported to be 1.1 million, but an investigation determined that the figure is closer to 350,000. Of those, 9,200 have been used in fraudulent transactions. The investigation also found that the attackers generated nearly 60,000 alerts on network security systems, which may have been believed to be false positives as the malware was given a name similar to that of the company's payment software. Although the system could have been configured to automatically block suspicious activity, that feature was turned off because it would have interfered with system maintenance.

[Editor's Note (Pescatore): Some common patterns to this one: (1) A vulnerable server with access across security zones was a large factor. (2) As the old parable "The boy who cried wolf" pointed out a few years ago, false positives are kryptonite to security. But, there are lots of processes and products to aid in bubbling important alerts to the top of the list. ]

Harvard University Researcher Allegedly Used Supercomputing Cluster to Mine Digital Currency (February 21 & 22, 2014)

A Harvard University researcher who had been using the school's supercomputing cluster to mine a virtual currency known as Dogecoin has been permanently barred from using the school's research computing facilities. An internal email from Harvard University's Assistant Dean for Research Computing reads, in part, "... any activities using our shared resources for any scientific purpose that results or does not actually result in personal gain are ... clearly and explicitly denied."




South Korea Plans to Develop Cyberweapons to Use Against North Korean Nuclear Facilities (February 21, 2014)

South Korea's defense ministry says that it plans to develop Stuxnet-like cyberweapons to use against North Korea's nuclear facilities. The defense ministry told the government of its plan earlier this month. At least one expert has warned that using cyberweapons against critical infrastructure could have unforeseen consequences. Stuxnet spread beyond its intended target.

Source Code for Android iBanking Malware Leaked (February 21, 2014)

Source code for malware that disguises itself as an Android security app has been leaked, which means more variants of the Trojan are likely to appear. Known as iBanking, the malware had been selling for US $5,000 on underground websites. It targets the SMS messages used by banks to add a layer of authentication to transactions initiated over the Internet. It has the capability to redirect phone calls to another number. iBanking can also record audio from the device's immediate location and access the phone's call history log and contact list.


Malicious Apps in Google Play Store (February 21, 2014)

Between 2011 and 2013, the percentage of malicious apps in the Google Play store increased nearly fourfold, from 2.7 percent in 2011 to 12 percent in 2013. Over the same period, the proportion of malicious apps that Google removed dropped from 60 percent to 23 percent. The decline in removals could be explained by malware purveyors using infection methods that elude traditional detection tools.

[Editor's Note (Pescatore): I'd like Apple, Google, Microsoft and any other major app stores to all agree to fund a common "App Security Evaluation" service that would use the same methodology across all and make the results publicly available. It would be very, very nice to see competition on the security of software. ]

Namecheap Hit by 100 Gbps DDoS Attack (February 20, 2014)

Webhosting company Namecheap says it was targeted by a huge distributed denial-of-service (DDoS) attack late last week. While the company fends off attacks constantly, last week's attack proved too large to be handled with the methods Namecheap has used in the past. Namecheap said the attack bombarded its DNS servers with traffic measured at up to 100 Gbps.



Readers Respond: Two-Factor Authentication for Online Banking

In SANS NewsBites Vol. 16 No. 015, we asked if people would mention banks other than HSBC USA that have two-factor authentication. Several readers contributed (thanks!) and we have summarized the information we received:
[Editor's Note (Pescatore): Not that long a list but you can add Google, Microsoft, and many others to those offering it. However, while they all *offer* it, almost none of them *evangelize* for it, let alone *require* it. All these firms spend billions on marketing to convince customers to give them money or give them data to be sold to advertisers - could they all spend at least some money on a series of Public Service Announcements convincing people to "Just Say NO to Reusable Passwords"? ]


Fake SPF Headers in UPS Malware Spam

"Trusted Proxy" IETF Draft

YouTube Ads Spread Banking Malware

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/