Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #9

January 31, 2014


Target Breach Used Stolen Vendor Access Credentials
Yahoo Resetting Passwords After Compromise Attempts


Securities and Exchange Commission to Examine Asset Managers' Security Practices
US Justice Department is Investigating Target Breach
ChewBacca Malware Targets Point-of-Sale Systems
Twitter Account Lost to Extortionist
Terrorism Defendant Challenging FISA Amendments Act
NSA Appoints Internal Civil Liberties and Privacy Officer
Cross-Platform Java Malware
Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA
Dutch Court Lifts Ban on The Pirate Bay
SpyEye Author Enters Guilty Plea



************************ Sponsored By Bit9 *****************************
When it comes to endpoint security, organizations find themselves in a difficult situation. Most enterprises have host-based security software (i.e., antivirus software) installed on almost every PC and server, yet their IT assets are constantly attacked and compromised by sophisticated malware and targeted attacks. Download this whitepaper to learn more.

- -- SANS Cyber Threat Intelligence Summit Arlington, VA Feb. 4-11, 2014 This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.

- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.

- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.

- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.

- -- SANS Northern Virginia Reston, VAMarch 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.

- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.

- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.

- --Can't travel? SANS offers LIVE online instruction. Day ( and Evening courses ( available!

- --Multi-week Live SANS training

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.

For a list of all upcoming events, on-line and live:



Target Breach Used Stolen Vendor Access Credentials (January 30, 2014)

A Target spokesperson said that the breach that compromised payment card details and personal information of millions of the retailer's customers came about through credentials stolen from a vendor. A preliminary look at the malware used in the breach suggested that the attackers may have exploited a vulnerable feature in IT management software on the company's internal network.




[Editor's Note (Pescatore): That just means that (1) Target was allowing 3rd parties to access its network without strong authentication; and (2) Target wasn't monitoring what those weakly authenticated 3rd parties were doing once they got on Target's internal network.
(Murray): This report is very late in coming but no surprise. The failure to report this on a timely basis has invited an incredible amount of hardly credible but misleading speculation. The Verizon Data Breach Incident Report shows that perhaps a third of the breaches in their (admittedly biased) dataset involve misuse of privileged vendor access. Often the victims are not even aware of this access. ]

Yahoo Resetting Passwords After Compromise Attempts (January 30, 2014)

Yahoo has reset passwords for Yahoo Mail accounts that appear to have been compromised. Yahoo said that the attackers had likely stolen usernames and passwords from a third-party database and attempted to use the information to log into Yahoo Mail accounts. Users whose accounts were affected received messages from Yahoo notifying them of "unusual activity on the network." Internet Storm Center:



[Editor's Note (Pescatore): Yahoo seems to have moved quickly on this attack, a good thing. Yahoo also passes the "security sniff test" - is actually a useful site.
(Ullrich): Yet another case of shared passwords leading to compromise. Use different passwords for different accounts, or your password is only as secure as the security of the weakest site you use it with. A compromised e-mail account can also easily lead to more targeted attacks (remember HB Gary?). ]

************************** Sponsored Links: ******************************
1) Advanced threats require modern security. Find out the 10 must-haves for your next security solution. Download your buyer's guide now!

2) Tune in for a SANS "Special Webcast" sponsored by IBM, "Continuous Monitoring & Mitigation: Responding to Emerging Threats".

3) Join SANS' Dr. Eric Cole and BeyondTrust's, Mike Yaffe in a live webinar where they will discuss and focus on the 8 Critical Security Controls specifically designed to address user and asset-based risks.


Securities and Exchange Commission to Examine Asset Managers' Security Practices (January 30, 2014)

The US Securities and Exchange Commission (SEC) plans to find out whether asset managers have established policies to prevent, detect, and respond to cyber attacks against their systems. Part of the examination will focus on whether the managers are taking adequate precautions to protect their systems from the dangers that could arise from vendors having access to those systems. The security policy scrutiny will be incorporated into the SEC's regular examination of investment advisers and companies.

[Editor's Note (Pescatore): Honestly, I would rather the SEC examiners devote all their time to finding financial scandals and misconduct earlier in their audit processes. Having SEC examiners evaluate asset managers' security policies is going to be about as effective as security experts reviewing asset managers financial policies. ]

US Justice Department is Investigating Target Breach (January 29, 2014)

US Attorney General Eric Holder says that the Department of Justice (DOJ) is investigating the Target data breach. The DOJ hopes to find the people responsible for the attack as well as people who use the stolen information. DOJ does not normally publicize its involvement in investigations. The Secret Service is also investigating the breach.



ChewBacca Malware Targets Point-of-Sale Systems (January 30, 2014)

A strain of malware known as ChewBacca has infected numerous retailers' point-of-sale (POS) systems and uses keylogging and memory scraping features to steal customers' personal information, including payment card details. Over the past three months, ChewBacca appears to have infected nearly 120 POS terminals at 45 different retailers, compromising more than 50,000 payment cards. Affected retailers have not been named, but there does not appear to be a connection between ChewBacca and the breaches of systems at Target, Neiman Marcus, and Michaels.


[Editor's Note (Murray): The use of the unique software relates the attack to one or a few attackers. Similar attacks account for a significant portion of those in the Verizon Data Breach Incident Report. This report is likely not being read by small merchants nor by the application vendors that serve them. ]

Twitter Account Lost to Extortionist (January 29 & 30, 2014)

A California man claims to have lost his Twitter account to an extortionist who was allegedly holding the man's other online accounts and services hostage. Naoki Hiroshima has been using the @N Twitter account since 2007 and says that there have been numerous other attempts to steal it. The extortionist managed to gain control of Hiroshima's domain name and through that, was able to control Hiroshima's email. Hiroshima surrendered the Twitter handle to regain control of the domain names, and was also able to get the hacker to tell him how he managed to gain control of the domain names in the first place.

[Editor's Note (Ullrich): This isn't the first time the last four digits of a credit card lead to further compromise. About 1 1/2 years ago, a journalist's iCloud account was compromised after using the last four digits of a credit card to reset his password. Do not rely on "public" information for authentication, and make sure your password reset process isn't the weak link in your authentication procedure.
(Honan): This story, and that of Mat Honan from last year, make interesting reading on how social engineering attacks are utilising pieces of information that we leave at different providers around the Internet. They highlight why we should employ two factor authentication on all the services that provide it. In particular, as more and more companies move to engage with various cloud service providers they should ensure that the systems to access those accounts are as protected as they can be. ]

Terrorism Defendant Challenging FISA Amendments Act (January 29, 2014)

A man who was charged based on evidence gathered by the NSA's warrantless surveillance programs has filed a lawsuit challenging the constitutionality of that program. Jamshid Muhtorov is a political refugee and permanent US resident from Uzbekistan now living in Colorado. Last year, the Supreme Court ruled against a suit challenging the same law because the plaintiffs in that case could not prove that their communications had been intercepted.




Motion to Suppress:

NSA Appoints Internal Civil Liberties and Privacy Officer (January 29, 2014)

The US National Security Agency (NSA) has appointed its first civil liberties and privacy officer. Rebecca Richards has served as a deputy privacy official at the US Department of Homeland Security (DHS). When she begins her new responsibilities next month, Richards will "serve as the primary advisor to the Director of NSA for ensuring that privacy is protected and civil liberties are maintained by all of NSA's missions, programs, policies, and technologies."



[Editor's Note (Honan): As a non-US citizen I, and many others outside the US, hope that this role also considers the civil liberties and privacy rights of non-US citizens. ]

Cross-Platform Java Malware (January 29, 2014)

Researchers have found Java-based malware that is capable of infecting Windows, Mac OS X, and Linux systems. The malware exploits a known flaw in Java 7 u21 and earlier for which Oracle released a patch in June 2013. The malware communicates with an Internet relay chat channel that serves as a command-and-control server. The network of computers compromised by this malware is used to launch distributed denial-of-service (DDoS) attacks.

[Editor's Note (Ullrich): Not only does this malware run on different operating systems, but it is also smart enough to add itself as an auto-start program on each operating system. ]

Accessing Proprietary Data With Valid Credentials Not a Violation of CFAA (January 29, 2014)

The US District Court for the Northern District of California has dismissed a lawsuit against Keith Freedman, who was accused of accessing and copying information from his former employee's servers. The suit alleged that Freedman had violated provisions of the Computer Fraud and Abuse Act (CFAA). Freedman used valid credentials to access the information, according to the court, which does not constitute a violation of the CFAA. Freedman was accused of accessing his former employer's data while using access credentials issued to one of the firm's customers while Freedman was doing work for both companies. US Magistrate Judge Paul Grewal wrote, "CFAA regulates access to data, not its use by those entitled to access it."


Dutch Court Lifts Ban on The Pirate Bay (January 28 & 29, 2014)

A Dutch court has lifted a ban on The Pirate Bay, allowing Internet service providers to permit users to access the torrent site. The Dutch Court of Appeals in The Hague determined that a ban on The Pirate Bay had proven to be ineffective at stopping piracy. The court found that while the block order reduced traffic to The Pirate Bay, torrent levels did not decline. Users determined to obtain copyrighted material illegally were finding ways of obtaining the content. The ruling also means that the anti-piracy group that brought the original case must now pay ISPs 400,000 euros (US $542,000) in legal costs. That group, Brein, is considering taking the case to the country's Supreme Court.

SpyEye Author Enters Guilty Plea (January 28 & 29, 2014)

Aleksandr Andreevitch Panin has pleaded guilty to charges of conspiracy to commit wire and bank fraud in connection with creating the SpyEye malware. At its peak, SpyEye infected more than 1.4 million computers around the world. It was used to steal financial account access information, which was then used to conduct fraudulent transactions. Panin sold SpyEye for between US $1,000 and US $8,000, customizing the toolkit for different customers. Panin was arrested in the US last July. His sentencing is scheduled for late April.



[Editor's Note (Honan): Well done to all the parties involved in this case. It is a good example of how information sharing and cooperation between law enforcement agencies and private sector companies can result in criminals being jailed. This case involved law enforcement agencies in the US, UK, Thailand, Australia, The Netherlands, The Dominican Republic, and Bulgaria. Private sector companies included Trend Micro, Microsoft, Dell Secureworks, Mandiant, and a Norwegian security research team. Details of the case, and of those involved are available on the US Department of Justice's website


How to Debug DKIM Deployments

Exploit for Oracle Reports Vulnerability Now Public

MediaWiki Security Patch

How to Send Mass E-Mail the Right Way

Android IMSI Catcher Detector

New gTLD Names

Linux 3.4 Kernel Priv. Escalation Vulnerability

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit