SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #25
March 28, 2014
The first story highlights an important refocusing of responsibility in cyber security. The first person known to be fired in the aftermath of a cyber attack was the chief auditor of a major New York bank. That was 1995. In the intervening years, businesses have moved away from holding auditors responsible and blamed CIOs. As the cost of attacks rise, however, it is more critical than ever to place the responsibility where it belongs. In the PCI compliance world, too many companies look for cheap auditors who will give them a (false) "clean bill of health." Banks are right to hold the auditors responsible. In addition, corporate audit and risk committees should lay the blame for breach-related stock price reductions against the security compliance people who gamed the PCI auditing system. Holding the auditor responsible for unfixed flaws is especially important in the federal government where IGs and auditing contractors follow NIST guidance. Once agency chiefs start holding their auditors responsible for ensuring that security flaws are fixed, NIST guidance will need to be improved or discarded.
TOP OF THE NEWSBanks Suing Target and Company That Certified its PCI Compliance
White House Calls on Lawmakers to End NSA Bulk Metadata Collection
Liability for Companies Sharing Threat Information is Significant Legislative Obstacle
THE REST OF THE WEEK'S NEWSAndroid Apps in Google Play Store Secretly Mine Cryotocurrencies
Senate Committee Questions Target CFO and Univ. Of Maryland President About Breaches
Cisco Patches Six DoS Flaws in IOS Software
Full Disclosure 2.0
Devices with Embedded XP Pose Risk for Government Agencies
Law Enforcement Agencies Being Secretive About Stingray Use
ATM Malware Variant Uses Text Messages to Dispense Cash
IRS Says That for Tax Purposes Bitcoin is Property
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
**************************** Sponsored By Bit9 ***************************
Data security has become the No. 1 priority for many retailers in 2014. Want to learn how your company can implement strategies to protect against costly data breaches? Find out 10 ways you can achieve this goal while maintaining required PCI compliance.
Download This Check List Today! http://www.sans.org/info/155935
- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
- --SANS Pen Test BerlinBerlin, GermanyJune 15-21, 2014 6 courses.
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Munich, Austin, Malaysia, and London all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Banks Suing Target and Company That Certified its PCI Compliance (March 25 & 26, 2014)Two banks have filed a lawsuit against Target and Trustwave Holdings, the company that certified Target as being compliant with Payment Card Industry (PCI) security standards. The lawsuit, filed by Trustmark National Bank and Green Bank NA, alleges that Trustwave failed to detect and address security problems on Target's network and that both Trustwave and Target did not take adequate measures to protect customer data.
White House Calls on Lawmakers to End NSA Bulk Metadata Collection (March 24, 26 & 27, 2014)The White House is urging Congress to pass legislation that would put an end to the NSA's wholesale collection of phone metadata. The administration plans to reauthorize the program for another 90 days. While the President did not specify a time frame in which to pass the legislation, an administration official's exhortation to "act swiftly" implies that the White House expects Congress to pass a bill within the next three months.
Liability for Companies Sharing Threat Information is Significant Legislative Obstacle (March 27, 2014)The biggest hurdle facing US comprehensive cybersecurity legislation is disagreements over the level of liability protection granted to organizations that share cyberthreat information. Those opposed to broad liability coverage for companies fear that it could be used as a cover for collusion. Opponents of more narrowly defined liability say that companies would be less inclined to share information if they could still face legal repercussions.
[Editor's Note (Pescatore): The FTC and DoJ have long had "Competitor Collaboration" guidelines out, and there are no real legal obstacles to businesses sharing threat information with each other. This has routinely been done for many years in the physical crime and fraud realms, anyway, since doing so has enabled businesses to reduce the impact of crime and fraud. The bigger concern is sharing that information with the government - which has little to no benefit to industry and opens up potential paths for exposure and liability that aren't covered under existing guidelines.
(Shpantzer): Collusion is real, no need for information-sharing orgs to be involved, though...
Seems to me that there are too many JDs involved to be able to think straight. ]
************************** Sponsored Links: ******************************
1) 10 Ways to Protect Your Company from a Data Breach - Download the Check List! http://www.sans.org/info/155940
2) Higher Ed IT Pros! What's On Your Security Wish List? Tell us here: http://www.sans.org/info/155945
3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
THE REST OF THE WEEK'S NEWS
Android Apps in Google Play Store Secretly Mine Cryotocurrencies (March 26 & 27, 2014)Two Android apps available in the Google Play store surreptitiously mine for cryptocurrencies like Bitcoin once they are downloaded. One of the identified apps has been downloaded more than one million times and is still available. The other app, which was downloaded more than 10,000 times, has been removed from the Google Play store. Other similarly infected apps have been found in unofficial app stores. The apps will quickly deplete the batteries on the devices to which they have been downloaded.
Senate Committee Questions Target CFO and Univ. Of Maryland President About Breaches (March 27, 2014)Target CFO John Mulligan answered questions from members of the Senate Commerce, Science, and Transportation Committee about action the company could have taken to prevent the massive data breach late last year. The committee also heard testimony from University of Maryland President Wallace Loh, who told US legislators that the attackers who breached a school database used a Trojan horse program to steal login credentials, which allowed them to access the university database.
Cisco Patches Six DoS Flaws in IOS Software (March 27, 2014)Cisco has issued patches for a half-dozen flaws that could be exploited to create denial-of-service (DoS) conditions on vulnerable systems. The flaws affect Cisco's Internetwork Operating System (IOS) software.
Full Disclosure 2.0 (March 26 & 27, 2014)The Full Disclosure vulnerability mailing list, which last week announced its "indefinite" suspension, has reemerged under new management. Full Disclosure was created by John Cartwright and Len Rose in 2002 and was maintained by Cartwright, who made the decision to suspend the list after a researcher made a content removal request. The new list, which will be maintained by Gordon Lyon, also known as Fyodor, who created the NMap scanning tool in the 1990s. It will have the same name, but members will be required to resubscribe.
About the New List:
Devices with Embedded XP Pose Risk for Government Agencies (March 25, 2014)Microsoft will issue its last security update for the aging operating system on Tuesday, April 8. Some agencies are sticking with XP-based devices because the systems on which they run are not Internet connected, or because they are running proprietary software created to work specifically on XP. However, some agencies may be unaware that their equipment is running on Windows XP. Internet connected devices like printer servers and copy machines may have embedded versions of XP.
Law Enforcement Agencies Being Secretive About Stingray Use (March 25, 2014)Law enforcement agencies in US cities are being less than forthcoming about their use of international mobile subscriber identity (IMSI) catchers, or technology that mimics cell phone towers, to intercept communications. One such trademarked product goes by the name of Stingray, which has come to be used as the generic term name for the technology. The company that manufactures Stingray, Harris Corporation, requires law enforcement customers to sign non-disclosure agreements. In an effort to better understand the technology's legality and use, the American Civil Liberties Union (ACLU) has requested documents and information related to the technology's use in about 30 Florida law enforcement municipalities.
[Editor's Note (Shpantzer): For a clue about Stingray's use of IMSI catcher technology, see Chris Paget's talk about homemade IMSI catchers at DefCon in 2010:
Paget created this system with $1,500 of components. Something tells me that the Harris version is significantly more expensive. ]
ATM Malware Variant Uses Text Messages to Dispense Cash (March 25, 2014)Symantec says that a group of thieves has figured out a way to get ATMs to dispense cash by sending the machines text messages. The malware, which has been dubbed Ploutus, was first detected in Mexico. Because the attack requires physical access to the machine, the attackers have targeted standalone ATMs.
IRS Says That for Tax Purposes Bitcoin is Property (March 25, 2014)The US Internal Revenue Service (IRS) has issued guidelines describing its classification of Bitcoin and other cryptocurrencies as property and not as currency. For tax purposes, the IRS will treat Bitcoin like stocks or bonds, which means transactions would be subject to capital gains tax when the Bitcoins are sold. People who receive Bitcoins as payment for goods or services must include the fair market value of the currency on the day it was received in their gross income computations, and people mining bitcoins must include the amount as income.
[Editor's note (Northcutt): On the one hand this is a very sensible set of guidelines. On the other hand this is a huge day in the Bitcoin (and every other successful virtual currency) universe, because it demonstrates legitimacy. The IRS can say it is not a currency, but if you buy and sell things with viral currency over time and people speculate on the rise and fall of various virtual currencies, I suspect the rules governing currency trading.
STORM CENTER TECH CORNERWar of the Bots: When DVRs attack NASs
Sophisticated Phishing Attacks Using Plausible Domain Names
Mass XSSodus in PHP
Triggering USB Vulnerabilities Remotely
Synology Honeypot Improvements
PIN to lock Passports
A few updates on "The Moon" worm
MH 370 Video Used in Targeted Malware Attack
WordPress Websites Host Large Percentage of Malicious Sites
Secret AWS Keys Found On GitHub
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/