SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #22

March 18, 2014


The 2014 CyberSecurity Salary Survey: Four More Days. Preliminary results, based on the first 2,400 entries, show salaries are rising sharply once again, especially for certain skills. We will publish final results in early May. You can get a free copy of the important details (by industry, region, experience, etc.) ONLY by completing the survey by this Friday (about 2,410 are in now). Otherwise the details will be in a $250 report. Complete the survey at https://www.surveymonkey.com/s/2014SANSSalarySurvey

Alan

TOP OF THE NEWS

Critical Flaws in Industrial Control Systems Used at Thousands of Facilities
DDoS Attacks Hit NATO Websites
DOD Changes Security Policy

THE REST OF THE WEEK'S NEWS

NY Waitress Arrested in Connection with Card Skimming Scheme
US Federal Judge Approves Unusual Class Action Settlement in Breach Case
ColdFusion Botnet Claims More Victims
Sally Beauty Acknowledges Payment Card Data Were Taken in Breach
Indictments in Online Bank Account Theft Scheme
IBM Says it Provided No Data to NSA
Employee Arrested in UK Grocery Store Payroll Data Theft
Apple's iOS7 PRNG Weaker Than Previous Version
US Cedes Control of DNS Root Zone
California Police Departments Have Been Secretly Using StingRay Devices

STORM CENTER TECH CORNER


************************ Sponsored By Symantec **************************
Taking the Leap To Virtualization: Learn how virtualization offers dramatic benefits for midsize companies, including efficiency, cost savings, and increased reliability and performance. Read this white paper to find out the best way to implement a virtualization solution to allow you to do more with less and free up IT staff to focus on strategic projects that help your company grow.
http://www.sans.org/info/155160
***************************************************************************
TRAINING UPDATE


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Critical Flaws in Industrial Control Systems Used at Thousands of Facilities (March 13 & 14, 2014)

Critical flaws in Yokogawa Electric Corporation's Centum CS 3000 R3 control system leave those systems vulnerable to malware like Stuxnet. The Windows-based system is used by more than 7,600 power and chemical plants worldwide. The flaws could allow information leaks and could also be exploited by attackers to compromise the human interface station (HIS). Once attackers have taken control of an HIS, they can control the devices managed from that system, such as power turbines and factory equipment. Yokogawa is releasing patches to address the flaws.
-http://www.v3.co.uk/v3-uk/news/2334217/critical-stuxnet-level-vulnerabilities-discovered-in-uk-power-plants
-http://www.infosecurity-magazine.com/view/37441/ics-flaws-discovered-that-could-affect-thousands-of-plantmonitoring-systems/

DDoS Attacks Hit NATO Websites (March 16 & 17, 2014)

A distributed denial-of-service (DDoS) attack launched against NATO websites over the weekend is likely to have been a Domain Name Server (DNS) amplification attack or a Network Time Protocol (NTP) reflection attack, according to an expert. These variants of DDoS attacks are becoming more prevalent. The attacks did not affect NATO operations.
-http://www.scmagazine.com/ddos-attacks-against-nato-likely-dns-amplification-or-ntp-reflection-expert-suggests/article/338524/
-http://www.cnn.com/2014/03/15/world/europe/nato-computers-cyberattack/
-http://www.zdnet.com/nato-websites-targeted-in-online-attack-7000027362/
[Editor's Note (Murray): While DDoS attacks and (DNS) reflection attacks are often used and seen in combination, they are different and require different mitigation. ]

DOD Changes Security Policy (March 14, 2014)

The US Defense Department (DOD) has made a change to its security policy, trading its DOD Information Assurance Certification and Accreditation Process (DIACAP) for a risk-based model developed by the National Institute of Standards and Technology (NIST). The change brings DOD standards in line with those used by civilian agencies.
-http://www.informationweek.com/government/cybersecurity/defense-department-adopts-nist-security-standards/d/d-id/1127706



************************** Sponsored Links: ******************************
1) HP TippingPoint named a leader in the Gartner Magic Quadrant for Next-Generation Intrusion Prevention, 9 years in a row. The 2013 Gartner Magic Quadrant for Next-Generation Intrusion Prevention System (NGIPS) has been published and HP TippingPoint is in the Leaders Quadrant for the ninth consecutive year. Read the report: http://www.sans.org/info/155165

2) Webcast: Power of Lossless Packet Capture (1G-100G) & Real-time Netflow. Monday, March 24 at 1:00 PM EDT Sonny Singh and Boni Bruno. http://www.sans.org/info/155180

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

THE REST OF THE WEEK'S NEWS

NY Waitress Arrested in Connection with Card Skimming Scheme (March 18, 2014)

A waitress at a Long Island Dave & Busters restaurant has been arrested for allegedly using a skimming device to steal customers' payment card data. The waitress allegedly provided the stolen information to three accomplices who used it to make purchases at a mall.
-http://www.nbcnewyork.com/news/local/Dave-Busters-Waitress-Arrested-Skimming-Customers-Credit-Card-250705311.html

ColdFusion Botnet Claims More Victims (March 17, 2014)

Attackers are exploiting unsecured installations of Adobe's ColdFusion web server platform to install data-stealing malware on vulnerable websites. Among the malware's victims are the Smucker's website and the SecurePay website. In addition, two lighting products companies and the car manufacturer Citroen found that their sites had been compromised.
-http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
-http://www.theguardian.com/technology/2014/mar/17/citroen-adobe-coldfusion-hacked-backdoor
-http://arstechnica.com/security/2014/03/new-victims-inducted-into-botnet-preying-on-websites-running-coldfusion/

Sally Beauty Acknowledges Payment Card Data Were Taken in Breach (March 17, 2014)

US retailer Sally Beauty has now confirmed that its networks were breached and that the intruders took payment card data. The company had earlier confirmed a breach but at that time said no payment card data were stolen. The company is conducting an internal investigation and is working with the US Secret Service on its investigation of the breach. The breach appears to affect "card present" data, which is the information stored on the cards' magnetic strips.
-http://krebsonsecurity.com/2014/03/sally-beauty-confirms-card-data-breach/

US Federal Judge Approves Unusual Class Action Settlement in Breach Case (March 14 & 17, 2014)

While US courts have usually dismissed class action data breach lawsuits in which there are no demonstrable financial damages, a federal judge in Florida has approved a US $3 million settlement that includes compensation for people whose data were on stolen laptops, even if they did not experience identity fraud as a result. The incident involves the December 2009 theft of two laptops from Florida health insurer AvMed. The US $3 million includes compensation for people whose data were on the laptop as well as a reserve fund for people who suffer identity fraud as a result of the breach, and attorneys' fees of US $750,000.
-http://www.computerworld.com/s/article/9247017/Court_approves_first_of_its_kind_data_breach_settlement?taxonomyId=17
-http://www.natlawreview.com/article/potentially-ground-breaking-class-settlement-data-breach-relief

[Editor's Note (Honan): This case may send a wakeup call to companies that security breaches have a real impact on peoples' lives, not just monetary impact. The judge is saying that people entrusted with protecting customer information need to take that responsibility seriously.
(Northcutt): The reserve fund is a great idea and it seems to be the way the legal system is slowly heading:
-http://files.consumerfinance.gov/f/201304_cfpb_proposed-rule_civil-penalty-fund.pdf
]

Indictments in Online Bank Account Theft Scheme (March 17, 2014)

A federal grand jury in New Jersey has indicted three men in connection with an attempt to steal US $15 million by breaking into accounts at US financial institutions and the Department of Defense's payroll service. Two men from Ukraine and one from Brooklyn were indicted on charges of conspiracy to commit wire fraud, conspiracy to commit access device fraud and identity theft, and aggravated identity theft. Five other alleged conspirators were named in a federal complaint last June.
-http://www.nbcnews.com/tech/tech-news/men-ukraine-new-york-charged-international-cybercrime-scheme-n55171
-http://www.nj.com/news/index.ssf/2014/03/three_men_indicted_in_international_hacking_scheme_us_customers_targeted_authorities_say.html
-http://www.justice.gov/usao/nj/Press/files/Sharapka,%20Oleksiy%20et%20al.%20Indictment%20News%20Release.html

IBM Says it Provided No Data to NSA (March 16 & 17, 2014)

IBM says it is not involved with National Security Agency (NSA) surveillance programs and that it has not provided customer data to government entities, or to any other third parties. In a blog post, IBM Senior Vice President of Legal and Regulatory Affairs Robert C. Weber noted that if the government requested information, IBM would refer the government directly to that client. According to the post, IBM has not provided any information to the US government under a FISA order or a National Security Letter. If the company were to receive such an order accompanied by a gag order, it expects it would challenge that order.
-http://www.zdnet.com/ibm-denies-assisting-nsa-in-customer-spying-7000027380/
-http://www.computerworld.com/s/article/9246996/IBM_denies_links_to_NSA_spy_program?taxonomyId=17
-http://www.theregister.co.uk/2014/03/16/we_didnt_hand_over_data_to_prism_says_ibm/

Weber's Letter:
-http://asmarterplanet.com/blog/2014/03/open-letter-data.html

Employee Arrested in UK Grocery Store Payroll Data Theft (March 14 & 17, 2014)

Police in West Yorkshire, UK have arrested a man in connection with the theft of employee payroll data from the UK supermarket chain Morrisons. The suspect is a Morrisons employee, and is believed to have stolen names, addresses, and bank account information. Morrisons became aware of the theft when the stolen data appeared online.
-http://www.v3.co.uk/v3-uk/news/2334287/morrisons-loses-100-000-employees-payroll-details-during-cyber-heist
-http://www.theguardian.com/business/2014/mar/17/morrisons-employee-arrested-salary-leak-investigation
-http://www.theregister.co.uk/2014/03/14/morrisons_payroll_data_robbery_100k_details_leaked/

Apple's iOS7 PRNG Weaker Than Previous Version (March 14 & 16, 2014)

Apple changed its internal pseudorandom number generator (PRNG) in iOS 7, and researchers say the new generator is weaker than the previous version. The weakness could make it easier for attackers to exploit vulnerabilities in the operating system's kernel.
-http://www.theregister.co.uk/2014/03/16/ios_7_has_weak_random_number_generator/
-http://www.scmagazine.com/researcher-finds-easier-way-to-exploit-ios-7-kernel-vulnerabilities/article/338390/

[Editor's Note (Murray): "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." --John von Neumann. There are an infinite number of such methods, most of them flawed. ]

US to Cede Control of DNS Root Zone (March 14, 2014)

The US government says it will relinquish control of the Internet Corporation for Assigned Names and Numbers (ICANN) to a new, global oversight body. The decision was made amid growing concern from countries around the world about the US's control over the Internet and reports of the NSA spying on foreign governments.
-http://arstechnica.com/tech-policy/2014/03/in-sudden-announcement-us-to-give-up-control-of-dns-root-zone/
-http://thehill.com/blogs/hillicon-valley/technology/200889-us-to-relinquish-internet-control
-http://www.bbc.com/news/technology-26033686
-http://www.latimes.com/business/technology/la-fi-tn-us-policy-web-icann-20140314,0,5402676.story#axzz2wEY7Yg00
-http://www.theregister.co.uk/2014/03/15/us_to_hand_dns_stewardship_over_to_icann/

California Police Departments Have Been Secretly Using StingRay Devices (March 13, 2014)

Police departments in California have secretly been using cellphone interception technology that tricks devices into connecting to it instead of to the actual phone towers. The practice has been going on for at least six years according to a Sacramento news outlet, which obtained documents indicating that police were spending hundreds of thousands of dollars on cellphone tracking technology. The reason the technology has been used so long in secret is that the police departments signed non-disclosure agreements with the device manufacturer. A staff attorney with the American Civil Liberties Union (ACLU) of Northern California said that the "working law doctrine" requires government entities to be transparent about regular operating procedures, and that non-disclosure agreements should not be made if they prevent such disclosure. Twenty-five other police departments across the country are reportedly using the StingRay technology.
-http://www.nbcnews.com/tech/security/stingray-records-show-secret-cellphone-surveillance-calif-cops-n52181


STORM CENTER TECH CORNER

Apache Update
-https://isc.sans.edu/forums/diary/New+Apache+web+server+release/17819

FCKEditor File Manager Scans
-https://isc.sans.edu/forums/diary/Scans+for+FCKEditor+File+Manager/17821

Google Drive used to host fake Google login pages
-http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam

Pwn2own Competition
-http://www.pwn2own.com/2014/03/

Update on Samsung Backdoor
-https://twitter.com/djrbliss/status/444116904568164352
-http://arstechnica.com/security/2014/03/virtually-no-evidence-for-claim-of-remote-backdoor-in-samsung-galaxy-phones/

vBulletin PHP Object Injection
-http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html
-https://www.owasp.org/index.php/PHP_Object_Injection

Target received warnings of intrusion
-http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

NTIA announces transition of root name server control
-http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/