SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #8
January 28, 2014
The CNN and Microsoft hacking stories lead this issue of NewsBites because they illustrate the challenges that even the largest and most careful organizations have in attempting to protect their perimeters when under attack by highly motivated and targeted attackers - especially those funded by nation states and top criminal syndicates. They illuminate the critical need for incident response people who have the advanced technical skills to find the attackers fast and eliminate their electronic foothold. We also highlight the story about Admiral Rogers being given both the NSA and Cyber Command posts because it reinforces President Obama's public statements that NSA's cyber programs are central to the protection of the United States. More than 125 nations are building advanced cybersecurity teams and cyber capability centers. Those efforts were aided substantially by the data Snowden released. In fact the net effect of Snowden may be an acceleration in the international cyber arms race and an even more spirited competition in each country for the small number of people who have developed the advanced skills needed to defend information systems in the face of increasingly sophisticated attacks.
TOP OF THE NEWS
CNN Blogs and Social Media Accounts Hijacked
Microsoft Says Attackers May Have Accessed Law Enforcement Inquiry Documents
Vice Admiral Michael S. Rogers Nominated as Director of NSA and US Cyber Command
THE REST OF THE WEEK'S NEWS
DOJ Relaxes Gag Order on Government Data Requests
Eleven People Arrested in eMail Hacking-for-Hire Schemes
FBI Has its Own TorMail Data Stash
Microsoft to Maintain Software Removal Tool for XP Through July 2015
US Court Website Outage Causes Uncertain
Michaels Stores Confirms Security Breach
The Internet of Things: Foscam Software Flaw Allows Remote Access to Video
Visa Issued Alerts Last Year About Type of Attack Used Against Target and Neiman Marcus
Laptops Stolen From Coca-Cola Contained Unencrypted Employee Data
Stolen Laptop Contains Health Data of 620,000 Alberta, Canada Residents
Federal Guidance on Breach Notification Would Ease Way for Businesses
PESCATORE'S FIRST LOOK AT VMWARE'S PURCHASE OF AIRWATCH
STORM CENTER TECH CORNER
************************* Sponsored By Symantec *************************
Gartner 2014 Magic Quadrant for Endpoint Protection Platforms - Complimentary Copy. Symantec Endpoint Protection 12.1 was, once again, positioned as a Leader in Gartner's Magic Quadrant and rated highest in the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned.
- -- SANS Cyber Threat Intelligence Summit Arlington, VA Feb. 4-11, 2014 This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
CNN Blogs and Social Media Accounts Hijacked (January 24 & 27, 2014)
Members of the Syrian Electronic Army (SEA) used phished passwords to gain access to CNN employees' social media accounts. The phishing messages were well written and appeared to come from other CNN employees. The compromised accounts were used to post propaganda; the unauthorized posts were removed minutes after they appeared.
Microsoft Says Attackers May Have Accessed Law Enforcement Inquiry Documents (January 27, 2014)
Microsoft says that attackers who successfully phished access to some employee email accounts may have accessed documents associated with law enforcement inquiries. Several weeks ago, Microsoft acknowledged the attack and said that no customer information was exposed. Now that it appears as though law enforcement-related documents were compromised, Microsoft "will take appropriate action" if it is determined that personal information was compromised.
Vice Admiral Michael S. Rogers Nominated as Director of NSA and US Cyber Command (January 25, 2014)
President Obama has reportedly signed off on the nomination of Vice Admiral Michael S. Rogers to take on the dual helms of the National Security Agency (NSA) and the Pentagon's US Cyber Command. Rogers is a Navy cryptologist with a background in intelligence and has been commander of US Fleet Cyber Command since September 2011. As the nominee, Rogers will be questioned by the Senate Armed Services Committee. President Obama decided in December to maintain the current arrangement of naming one individual to lead both organizations, despite pressure from administration officials, including Director of National Intelligence James Clapper, to split the duties into two separate roles.
************************** Sponsored Links: ******************************
1) Windows XP will be going end of life in a few short months. Are you ready? This new eBook explains how you can keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support. Download today http://www.sans.org/info/149815
2) Advanced threats require modern security. Find out the 10 must-haves for your next security solution. Download your buyer's guide now! http://www.sans.org/info/149820
3) Special discount for Government Employees (e.g., federal, state, local, DoD) to attend The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA. Use "CTISummit" for a $1000 discount on the summit alone or "CTICourse" for free summit attendance in conjunction with a full-priced course. http://www.sans.org/info/149440
THE REST OF THE WEEK'S NEWS
DOJ Relaxes Gag Order on Government Data Requests (January 27, 2014)
In response to legal challenges from tech companies, the US Justice Department (DOJ) has agreed to relax the gag orders that accompany certain government requests for data. Companies are now permitted to release information about the numbers of National Security Letters (NSLs) and Foreign Intelligence Surveillance Court (FISC) requests they receive; those numbers must be reported within ranges of 1,000. The companies may also release information, again in the broad ranges, of the number of customer accounts affected by the requests. If the companies choose to combine the data for NSL and FISC requests, they may publish within ranges of 250. The data may be published every six months with a six-month delay. The DOJ has also imposed a two-year delay on reporting statistics from the date "the first order ... is served on a company for a platform, product, or service ... for which the company has not previously received such an order."
FISA Court Notice:
Eleven People Arrested in eMail Hacking-for-Hire Schemes (January 27, 2014)
Eleven people have been arrested in four countries in connection with several websites that offered to gain access to email account passwords. In the US, five people have been arrested. Two have been charged with operating websites that advertised the services, and the three others have been charged for using similar services offered on websites hosted outside the US. Four people were arrested in Romania, and one person each in India and China.
FBI Has its Own TorMail Data Stash (January 27, 2014)
In the course of an investigation last year, the FBI seized the anonymous webmail service TorMail's entire email database. Now reports indicate that the FBI is plumbing those data in connection with an unrelated investigation. The situation came to light in a case in Florida in which a man was indicted for allegedly selling counterfeit credit cards. In the course of that investigation, a search warrant served on a Gmail account revealed that orders for the cards had been sent to a TorMail account. The FBI obtained a warrant for that account and then accessed the account from its own copy.
Microsoft to Maintain Software Removal Tool for XP Through July 2015 (January 26, 2014)
Although Microsoft will cease providing support for Windows XP after April 8, 2014, the company will still be able to access machines running the operating system to remove malware if necessary. The Microsoft Software Removal Tool (MSRT), which is a cleaning utility, will be updated through July 2015. According to one estimate, Windows XP was running on 29 percent of PCs as of December 2013; that figure is expected to be 20 percent by the end of 2014.
[Editor's Note (Pescatore): Microsoft previously extended Microsoft Security Essentials support for Windows XP to July 2015, so this is consistent. ]
US Court Website Outage Causes Uncertain (January 25 & 27, 2014)
The FBI is reassessing its initial analysis of an outage that caused US court websites to be unavailable for several hours on the afternoon of Friday, January 24. Initially, the outage, which affected federal court websites and a site known as PACER, which provides access to court documents, was blamed on a distributed denial-of-service (DDoS) attack. The FBI then said that the outage was the result of technical problems, not an attack. On Saturday, a spokesperson for the Administrative Office of the US Courts said an attack is believed to have caused the outage. The FBI is reassessing its analysis.
[Editor's Note (Northcutt): Whether it was an attack or human error is unknown. However, it is wise not to be too quick to blame cyberattacks for every system failure. Human error caused the Virginia State Government to lose access to IT services. Hurricane Sandy was a reminder not to put the backup power generator in the basement when you are by the ocean. The great Northeast blackout of 2003 may or may not have been caused by Blaster, I will never know, but the human frailty factor had to be a contributing factor:
Michaels Stores Confirms Security Breach (January 25 & 27, 2014)
Michaels Stores has acknowledged that a security breach has compromised payment cards used at its stores. The breach was detected after several financial institutions noticed a pattern of fraud on payment cards that had recently been used at the chain of US craft stores. The US Secret Service is investigating.
Statement from Michaels:
The Internet of Things: Foscam Software Flaw Allows Remote Access to Video (January 23 & 24, 2014)
A security weakness in software used in Foscam webcams, IP surveillance cameras, and baby monitors could be exploited to remotely view live and recorded video. All the attackers would need to know is the targeted device's Internet address; in many cases, attackers could bypass the authentication prompt by clicking "OK". Foscam planned to issue a firmware security update by January 25.
Visa Issued Alerts Last Year About Type of Attack Used Against Target and Neiman Marcus (January 24, 2014)
Data breaches at major retailers Target and Neiman Marcus have made headlines recently, but Visa issued warnings months ago about just the sort of point-of-sale system attacks that were launched against these two companies. Two Visa Data Security Alerts - issued in April and August 2013 - describe the type of memory-scraping malware used in the recently disclosed attacks. Earlier this month, US-CERT issued an alert about malware targeting POS systems that included six areas for POS administrators to pay attention to. The article's author notes that "From a penetration tester's perspective, it is all too common to find merchants considered compliant as not necessarily secure."
[Editor's Note (Murray): I do not understand the focus on the functionality of the malware rather than on how it gets itself installed. A compromised system is a compromised system and credit card numbers are easily monetized. What am I missing? ]
Laptops Stolen From Coca-Cola Contained Unencrypted Employee Data (January 27, 2014)
The theft of unencrypted laptops from the Coca-Cola Company has compromised personal information of about 74,000 current and former employees. The data on the computers include names, Social Security numbers (SSNs) and driver's license numbers. A former employee who had been responsible for maintaining and decommissioning equipment took the computers; they have since been recovered.
[Editor's Note (Pescatore): First off, Coca Cola should have been thinking that laptops without encryption are like soda bottles without bottle caps. But, this also raises the question: does the person in charge of decommissioning/surplussing PCs have admin access to laptop encryption keys anyway?
(Honan): Encryption is not just to prevent access from unauthorized external users, it also protects sensitive data from the insider threat. Given the availability and ease of use of modern encryption solutions there really is no excuse for not encrypting laptops. ]
Stolen Laptop Contains Health Data of 620,000 Alberta, Canada Residents (January 23, 2014)
A laptop stolen from an IT consultant contains unencrypted health data of 620,000 residents of Alberta, Canada. The data include names, birth dates, provincial health card numbers, and diagnostic codes. The Medicentres Family Health Care Clinics notified Edmonton police and the Alberta Information Privacy Commissioner about the incident on October 1, 2013, but Alberta's health minister was informed just last week.
[Editor's Note (Pescatore): In the spirit of the similar Coca Cola item, Alberta should have been thinking that allowing consultants to have unencrypted privacy data is like allowing a hockey goalie to use a balsa wood hockey stick.
(Honan): Many may point the finger of blame at the IT consultant who stored such sensitive data onto an unencrypted laptop, however the Medicentres Family Health Care Clinics are the ones ultimately responsible for the data and should insist on their providers implementing proper security measures. You can outsource the task but not the responsibility. ]
Federal Guidance on Breach Notification Would Ease Way for Businesses (January 23, 2014)
Although many businesses balk at the idea of government regulation, some now appear to want the government to establish federal standards for data breach notification policies. Currently, companies must navigate a jumble of rules in 46 states and the District of Columbia regarding breach notification, which is a compliance nightmare. Legislators opposed to regulation may be hard to convince that the move would benefit businesses. Others are concerned that a national standard would weaken laws in states that have more stringent requirements in place.
[Editor's Note (Pescatore): The down side of a federal breach bill is if it introduces loopholes and languages that actually reduce breach reporting effectiveness. Previous draft versions of such federal bills have done just that. ]
PESCATORE'S FIRST LOOK AT VMWARE'S PURCHASE OF AIRWATCH
Summary: VMware Buys Mobile Security Firm for $1.54 Billion. VMware said on Wednesday that it had agreed to buy AirWatch, a start-up based in Atlanta that makes mobile management and security software for businesses. VMware is paying about $1.18 billion in cash and $365 million in installment payments and assumed unvested equity.
Pescatore's First Look: This acquisition is a reach for VMware, mostly about diversifying VMware beyond virtualization and into the high growth Mobile Device Management area. MDM has been proving to be a better match for businesses needing to balance mobility and security than have client-side virtualization solutions like VMware's Horizon Mobile Secure Workspace and others. VMware's previous acquisitions in the security space have been technology buys that got integrated into VMware's data center virtualization products and not maintained as stand-alone products. AirWatch users should look out for possible integration with Horizon Mobile as well as changes in support when considering renewing AirWatch usage.
STORM CENTER TECH CORNER
New ShodanHQ Host Identified
Quick Introduction to Mandiant Highlighter
Toymaker Hasbro's Website Serving Java Exploit
Oracle Reports Vulnerabilities
Fake LinkedIn Profile Used for Social Engineering / Data Collection
Cisco Security Report
More Point of Sales Malware
"Technical Issues", not DoS responsible for USCourt.gov Outage
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/