<div dir="ltr"><span><font size="3">News from SANS with information about: <br>The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure. Worth checking out. <br><br><br></font></span><div><div>
--<br></div><div><img src="http://i49.tinypic.com/13ygdw2.png" style="font-family: verdana,sans-serif; font-size: x-small;" height="96" width="96"><br>
</div><div><font size="1"><span style="font-family:courier new,monospace">- Kembolle Amilkar de Oliveira, Esp. <br>| T.A.D.S | G.P.N.T.I. |  G.T. I. | Seg. Info. |  <br></span></font></div><div><font size="1"><span style="font-family:courier new,monospace">Contact: <a rel="nofollow" href="http://www.kembolle.com.br" target="_blank">Homepage</a> | <a rel="nofollow" href="mailto:contato@kembolle.com.br" target="_blank">Gtalk</a> | <a rel="nofollow" href="mailto:contato@kembolle.com.br" target="_blank">MSN</a> | <a rel="nofollow" href="mailto:contato@kembolle.com.br" target="_blank">XMMP</a> | SkypeID:Oliverkall</span></font><br>

</div><font><div style="font-size:x-small;font-family:verdana,sans-serif"></div></font></div>
<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">The SANS Institute</b> <span dir="ltr">&lt;<a href="mailto:NewsBites@sans.org" target="_blank">NewsBites@sans.org</a>&gt;</span><br>

Date: 2014-02-07 18:25 GMT-03:00<br>Subject: SANS NewsBites Vol. 16 Num. 011 : The White House is about to step in cyber doo doo; Target testifies; PCI Discussed at Senate Banking Committee Hearing; US Defense Contractors Take Steps to Prevent Data Leaks; FBI Issues Solicitation for Malware<br>

To: <a href="mailto:contato@kembolle.com.br" target="_blank">contato@kembolle.com.br</a><br><br><br>
<br>
Ooops. The White House is about to step in cyber doo doo. Rather than<br>
allowing the impotent and irrelevant "Cyber Framework" to quietly fade<br>
away, Michael Daniel, the White House Cyber Coordinator, plans to<br>
highlight it as an illustration of Obama Administration leadership.  The<br>
Framework is the kind of non-effective guidance that led to the<br>
Administration's cyber leadership failures documented by Senator Coburn<br>
earlier this week. The Coburn report is posted at<br>
<a href="http://www.hsgac.senate.gov/download/?id=8BC15BCD-4B90-4691-BDBA-C1F0584CA66A" target="_blank">http://www.hsgac.senate.gov/download/?id=8BC15BCD-4B90-4691-BDBA-C1F0584CA66A</a><br>
Coburn's accompanying comment: "Congress needs to hold the White House<br>
and its agencies accountable."<br>
<br>
Just 5 more days to beat the early registration deadline for the largest<br>
cybersecurity training conference: SANS 2014 with 40 courses and a huge<br>
evening bonus program on hottest topics. It is coming soon in balmy<br>
Orlando.  <a href="http://www.sans.org/event/sans-2014" target="_blank">http://www.sans.org/event/sans-2014</a><br>
<br>
                                Alan<br>
**************************************************************************<br>
SANS NewsBites               February 7, 2013            Vol. 16, Num. 011<br>
**************************************************************************<br>
TOP OF THE NEWS<br>
  Target and Neiman Marcus Executives Testify at Senate Committee Hearing<br>
  Payment Card Security Discussed at Senate Banking Committee Hearing<br>
  US Defense Contractors Take Steps to Prevent Data Leaks<br>
  FBI Issues Solicitation for Malware<br>
THE REST OF THE WEEK'S NEWS<br>
    Microsoft's February Patch Tuesday Will Include Five Bulletins<br>
    Wireless Devices Attacked at Sochi<br>
    Critical Infrastructure Cybersec Bill Heads to House Floor<br>
    UK Financial Institutions Cyberattack Exercise<br>
    UK Government to Hold Cybersecurity Exercises for Critical<br>
      Infrastructure Sectors<br>
    Oldboot Android Trojan<br>
    Facebook Redirect Attempt Unsuccessful Due to Registrar Locks<br>
    Target Systems Accessed with HVAC Contractor's Credentials<br>
    Adobe Patches Critical Flash Vulnerability<br>
    Microsoft Calls for Collaborative Effort to Eradicate Malware Families<br>
    Application Security Survey<br>
STORM CENTER TECH CORNER<br>
<br>
***********************  Sponsored By Bit9  ****************************<br>
<br>
Are you unable to upgrade your XP systems to Windows 7 or 8? If so, are<br>
you still deciding how to keep your XP systems secure and compliant<br>
after XP end of life on April 8, 2014?  Download this XP End-of-Life<br>
Handbook for the Upgrade Latecomer.<br>
<br>
<a href="http://www.sans.org/info/151290" target="_blank">http://www.sans.org/info/151290</a><br>
<br>
***************************************************************************<br>
<br>
TRAINING UPDATE<br>
-- SANS Cyber Threat Intelligence Summit Arlington, VA   Feb. 4-11, 2014<br>
This summit will focus on the tools, techniques, and analytics that<br>
enterprises need to collect and analyze threat data and turn it into<br>
action to mitigate risks and elevate security.<br>
<a href="http://www.sans.org/event/sans-cyber-threat-intelligence-summit" target="_blank">http://www.sans.org/event/sans-cyber-threat-intelligence-summit</a><br>
--SANS Scottsdale 2014    Scottsdale, AZ       February 17-22, 2014<br>
6 courses. Bonus evening presentations include Offensive Digital<br>
Forensics; and Cloud IR and Forensics.<br>
<a href="http://www.sans.org/event/sans-scottsdale-2014" target="_blank">http://www.sans.org/event/sans-scottsdale-2014</a><br>
--SANS Cyber Guardian 2014     Baltimore, MD   March 3-8, 2014<br>
7 courses. Bonus evening presentations include Continuous Ownage: Why<br>
You Need Continuous Monitoring; Code Injection; and How the West was<br>
Pwned.<br>
<a href="http://www.sans.org/event/cyber-guardian-2014" target="_blank">http://www.sans.org/event/cyber-guardian-2014</a><br>
-- ICS Summit Orlando          Lake Buena Vista, FL      March 12-18, 2014<br>
Come join us at the ICS/SCADA Security Orlando Summit where we will take<br>
a deep look at embedded system attack surfaces, discover what you can<br>
do to improve their security, and take away new tools that you can put<br>
to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7<br>
courses.<br>
<a href="http://www.sans.org/event/north-american-ics-scada-summit-2014" target="_blank">http://www.sans.org/event/north-american-ics-scada-summit-2014</a><br>
-- SANS Northern Virginia           Reston, VA                March 17-22, 2014<br>
11 courses. Bonus evening presentations include Windows Exploratory<br>
Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous<br>
Monitoring; and Real-World Risk - What Incident Responders Can Leverage<br>
from IT Operations.<br>
<a href="http://www.sans.org/event/northern-virginia-2014" target="_blank">http://www.sans.org/event/northern-virginia-2014</a><br>
--SANS Brussels 2014   Brussels, Belgium       February 17-22, 2014<br>
4 courses.<br>
<a href="http://www.sans.org/event/belgium-2014" target="_blank">http://www.sans.org/event/belgium-2014</a><br>
--SANS Secure Singapore 2014   Singapore, Singapore    March 10-26, 2014<br>
7 courses. Bonus evening presentations include Incident Response and<br>
Forensics in the Cloud.<br>
<a href="http://www.sans.org/event/singapore-2014" target="_blank">http://www.sans.org/event/singapore-2014</a><br>
--Can't travel?  SANS offers LIVE online instruction.<br>
Day (<a href="http://www.sans.org/simulcast" target="_blank">www.sans.org/simulcast</a>) and Evening courses (<a href="http://www.sans.org/vlive" target="_blank">www.sans.org/vlive</a>) available!<br>
--Multi-week Live SANS training<br>
<a href="http://www.sans.org/mentor/about" target="_blank">http://www.sans.org/mentor/about</a><br>
Contact <a href="mailto:mentor@sans.org" target="_blank">mentor@sans.org</a><br>
--Looking for training in your own community?<br>
<a href="http://www.sans.org/community/" target="_blank">http://www.sans.org/community/</a><br>
--Save on On-Demand training (30 full courses) - See samples at<br>
<a href="http://www.sans.org/ondemand/discounts.php#current" target="_blank">http://www.sans.org/ondemand/discounts.php#current</a><br>
Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.<br>
For a list of all upcoming events, on-line and live: <a href="http://www.sans.org" target="_blank">www.sans.org</a><br>
*****************************************************************************<br>
<br>
TOP OF THE NEWS<br>
 --Target and Neiman Marcus Executives Testify at Senate Committee Hearing<br>
(February 4 & 5, 2014)<br>
At a US Senate Judiciary Committee hearing, executives from Target and<br>
Neiman Marcus voiced differing opinions about the value of implementing<br>
chip-and-PIN technology in payment cards. A Target executive said that<br>
the company plans to implement the technology by early next year, while<br>
a Neiman Marcus executive voiced concerns about shifting to the new<br>
technology so quickly. Both executives provided lawmakers with<br>
additional details of the breaches. The executives also appeared before<br>
the House Energy and Commerce Committee's commerce subcommittee.<br>
<a href="http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472" target="_blank">http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472</a><br>
<a href="http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131" target="_blank">http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131</a><br>


<a href="http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/" target="_blank">http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/</a><br>


<a href="http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17" target="_blank">http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17</a><br>


[Editor's Note  (Honan): As a European I find it difficult to understand<br>
why the US does not implement Chip & Pin technology. It has already been<br>
working in Europe successfully for a number of years. It is important<br>
to note that while Chip & Pin technology reduces card present fraud, it<br>
does nothing to help reduce card not present fraud.<br>
(Paller): The photos of Target CIO and CFO responding to Senate<br>
questioning [halfway down the page at<br>
<a href="http://www.nydailynews.com/news/national/target-executive-apologies-retailer-action-security-article-1.160173380" target="_blank">http://www.nydailynews.com/news/national/target-executive-apologies-retailer-action-security-article-1.160173380</a>]<br>


could serve as a great motivator for executives who need a little push<br>
to focus more resources on security.]<br>
<br>
 --Payment Card Security Discussed at Senate Banking Committee Hearing<br>
(February 3, 2014)<br>
Payment systems experts told the Senate Banking Committee's Subcommittee<br>
on National Security and International Trade and Finance that adopting<br>
chip and PIN technology would go a long way in helping to protect<br>
American consumers from payment card fraud resulting from data breaches,<br>
but cautioned that no "single technology is a silver-bullet solution."<br>
<a href="http://www.govinfosecurity.com/finger-pointing-at-breach-hearing-a-6468" target="_blank">http://www.govinfosecurity.com/finger-pointing-at-breach-hearing-a-6468</a><br>
<br>
 --US Defense Contractors Take Steps to Prevent Data Leaks<br>
(February 5, 2014)<br>
According to a recent study of 100 US federal defense contractors,<br>
three-quarters have taken steps to improve data security within their<br>
organizations following the Snowden leaks. The majority of changes<br>
involved increasing employee training and being on "high alert" for<br>
anomalous behavior. Forty-four percent are restricting user access, and<br>
34 percent are restricting administrator privileges.<br>
<a href="http://www.darkreading.com/attacks-breaches/nsa-document-leaks-prompt-security-chang/240165931" target="_blank">http://www.darkreading.com/attacks-breaches/nsa-document-leaks-prompt-security-chang/240165931</a><br>


<a href="http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adjusted-security-after-snowden-leaks/78302/?oref=ng-HPtopstory" target="_blank">http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adjusted-security-after-snowden-leaks/78302/?oref=ng-HPtopstory</a><br>


<br>
 --FBI Issues Solicitation for Malware<br>
(February 4 & 6, 2014)<br>
The FBI is calling for cybersecurity experts to send them all the<br>
samples of malware they have to be used for research. The FBI will pay<br>
for the malware samples. The request comes from the FBI Investigative<br>
Analysis Unit of the Operational Technology Division, and notes that<br>
"the collection of malware from multiple industries, law enforcement,<br>
and research sources is critical to the success of the IAU's mission to<br>
obtain global awareness of the malware threat."<br>
<a href="http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/?oref=ng-channelriver" target="_blank">http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/?oref=ng-channelriver</a><br>


<a href="http://www.zdnet.com/uncle-sam-i-want-you-to-sell-me-malware-7000026058/" target="_blank">http://www.zdnet.com/uncle-sam-i-want-you-to-sell-me-malware-7000026058/</a><br>
<a href="http://www.nbcnews.com/tech/security/fbi-request-give-us-your-malware-your-worms-n22266" target="_blank">http://www.nbcnews.com/tech/security/fbi-request-give-us-your-malware-your-worms-n22266</a><br>
<a href="https://www.fbo.gov/index?s=opportunity&mode=form&id=5b4b8745e39bae3510f0ed820a08c8e2&tab=core&_cview=0" target="_blank">https://www.fbo.gov/index?s=opportunity&mode=form&id=5b4b8745e39bae3510f0ed820a08c8e2&tab=core&_cview=0</a><br>


<br>
**************************  Sponsored Links:  ******************************<br>
<br>
1) Join Scott Simkin, Senior Cyber Analyst for Palo Alto Networks, for<br>
a webcast and demo where he will present our latest threat research, and<br>
lead a discussion on how to optimize the cyberattack kill-chain to<br>
prevent known and unknown threats.  Register Now:<br>
<a href="http://www.sans.org/info/151305" target="_blank">http://www.sans.org/info/151305</a><br>
<br>
2) Join us March 7 in NYC at a morning briefing to discuss Financial<br>
Services Cybersecurity Trends And Challenges.<br>
<a href="http://www.sans.org/info/151350" target="_blank">http://www.sans.org/info/151350</a><br>
Don't live in the area? Event will be simulcast as well. Register at:<br>
<a href="http://www.sans.org/info/151355" target="_blank">http://www.sans.org/info/151355</a><br>
<br>
3) The Critical Security Controls Draft Version 5.0 is available at<br>
<a href="http://www.sans.org/info/151295" target="_blank">http://www.sans.org/info/151295</a>. All feedback can be communicated by<br>
sending emails to CriticalControls@CouncilOnCyberSecurity.org.  The<br>
finalized 5.0 version will then be formally announced at the RSA<br>
Conference in late February 2014.<br>
<br>
*****************************************************************************<br>
<br>
THE REST OF THE WEEK'S NEWS<br>
 --Microsoft's February Patch Tuesday Will Include Five Bulletins<br>
(February 6, 2014)<br>
On Tuesday, February 11, Microsoft plans to release five security<br>
bulletins to address security issues in all supported versions of<br>
Windows as well as in Microsoft Forefront Protection 2010 for Exchange<br>
Server.<br>
<a href="http://www.zdnet.com/microsoft-to-patch-windows-forefront-this-month-7000026061/" target="_blank">http://www.zdnet.com/microsoft-to-patch-windows-forefront-this-month-7000026061/</a><br>
<a href="http://www.networkworld.com/news/2014/020614-patch-tuesday-278528.html" target="_blank">http://www.networkworld.com/news/2014/020614-patch-tuesday-278528.html</a><br>
<a href="https://technet.microsoft.com/en-us/security/bulletin/ms14-feb" target="_blank">https://technet.microsoft.com/en-us/security/bulletin/ms14-feb</a><br>
[Editor's Note (Ullrich): Also note that MD5 signed certificates will<br>
no longer be recognized as valid in Windows as of next Tuesday.]<br>
<br>
 --Wireless Devices Attacked at Sochi<br>
(February 6, 2014)<br>
Proving correct predictions that wireless devices will be targeted by<br>
cyber criminals at the Sochi Olympics, NBC foreign correspondent Richard<br>
Engel found that two laptops and his smartphone were quickly compromised<br>
with malware that enabled attackers to use the devices to eavesdrop and<br>
access data on the devices. The laptops were probed within minutes of<br>
connecting to the Internet, and soon after, Engel received a phishing<br>
message. A researcher who accompanied Engel has acknowledged that the<br>
laptops were fresh out of the box with no updates and no security<br>
software, and that the phone was compromised after the user agreed to<br>
install an .apk from a Sochi website. Even so, visitors to Sochi are<br>
likely to face a barrage of attempted cyber attacks.<br>
<a href="http://www.nbcnews.com/storyline/sochi-olympics/richard-engel-sochi-open-hunting-season-hackers-n22346" target="_blank">http://www.nbcnews.com/storyline/sochi-olympics/richard-engel-sochi-open-hunting-season-hackers-n22346</a><br>


<a href="http://www.scmagazine.com//sochi-hackers-compromise-reporters-laptops-smartphone/article/333073/" target="_blank">http://www.scmagazine.com//sochi-hackers-compromise-reporters-laptops-smartphone/article/333073/</a><br>


<a href="http://www.theregister.co.uk/2014/02/05/forget_skijumping_russian_hackers_setting_records_in_sochi_visitor_hacking/" target="_blank">http://www.theregister.co.uk/2014/02/05/forget_skijumping_russian_hackers_setting_records_in_sochi_visitor_hacking/</a><br>


[Editor's Note (Ullrich): This story is an example of very<br>
sensationalized reporting. It would be better if they had spent<br>
the time giving some actionable advice to users. In general, the<br>
internet in Sochi (or Moscow where the story was actually recorded) is<br>
probably about as safe as in any hotel or coffee shop in the US.<br>
(Honan): Actually the reporter was not in Sochi, but in Moscow. He also<br>
visited websites relating to the Olympics so the compromises could<br>
happen anywhere in the world where people connect to those sites.<br>
Overall a lot of sensationalism in this report which is already being<br>
debunked online, see<br>
<a href="http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html#.UvTCI_l_sRo" target="_blank">http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html#.UvTCI_l_sRo</a>]<br>
<br>
 --Critical Infrastructure Cybersec Bill Heads to House Floor<br>
(February 6, 2014)<br>
The National Cybersecurity and Critical Infrastructure Protection Act<br>
unanimously passed the House Homeland Security Committee and now heads<br>
to the full House of Representatives. The bill would require the<br>
Department of Homeland Security to codify cybersecurity standards for<br>
government and critical infrastructure systems.<br>
<a href="http://www.govinfosecurity.com/cybersecurity-bill-heads-to-house-floor-a-6480" target="_blank">http://www.govinfosecurity.com/cybersecurity-bill-heads-to-house-floor-a-6480</a><br>
<a href="http://thehill.com/blogs/hillicon-valley/technology/197539-house-panel-approves-cybersecurity-bill" target="_blank">http://thehill.com/blogs/hillicon-valley/technology/197539-house-panel-approves-cybersecurity-bill</a><br>


[Editor's Note (Murray): Read it. This is one more attempt to grant<br>
private enterprise immunity from liability to its customers for<br>
disclosing their PII to government agencies.  All the rest is "window<br>
dressing" to disguise this.  This provision has been included in every<br>
proposal for legislation in this space, draws the opposition of privacy<br>
advocates, and kills the bill.  They keep hoping to sneak it through.]<br>
<br>
 --UK Financial Institutions Cyberattack Exercise<br>
(February 5 & 6, 2014)<br>
The Bank of England has released the results of a November 2013<br>
cyberattack simulation exercise for UK financial institutions.  While<br>
the exercise, known as Waking Shark II, "successfully demonstrated cross<br>
sector communications and coordination," it also notes that the UK's<br>
financial sector is vulnerable to attacks. One recommendation that arose<br>
from analysis of the exercise is that there needs to be a single entity<br>
responsible for managing communications between institutions within the<br>
financial sector. Organizations also need to report attacks to<br>
regulators and law enforcement.<br>
<a href="http://www.zdnet.com/wargames-test-uk-banks-resolve-against-massive-cyber-attack-7000025997/" target="_blank">http://www.zdnet.com/wargames-test-uk-banks-resolve-against-massive-cyber-attack-7000025997/</a><br>
<a href="http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/" target="_blank">http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/</a><br>
<a href="http://www.v3.co.uk/v3-uk/news/2327303/bank-of-england-warns-uk-financial-sector-unprepared-for-cyber-attacks" target="_blank">http://www.v3.co.uk/v3-uk/news/2327303/bank-of-england-warns-uk-financial-sector-unprepared-for-cyber-attacks</a><br>


Bank of England Report on UK Financial Sector Cyberattack Exercise:<br>
<a href="http://www.bankofengland.co.uk/financialstability/fsc/Documents/wakingshark2report.pdf" target="_blank">http://www.bankofengland.co.uk/financialstability/fsc/Documents/wakingshark2report.pdf</a><br>
[Editor's Note (Honan): The only time a cyber-attack exercise fails is<br>
when we do not apply the lessons learnt from them. I recommend that we<br>
all review the report from this exercise to see what lessons can be<br>
applied to our own environments.]<br>
<br>
 --UK Government to Hold Cybersecurity Exercises for Critical<br>
    Infrastructure Sectors<br>
(February 5, 2014)<br>
The UK government plans to hold cyberattack exercises much like Waking<br>
Shark for public sector elements of critical infrastructure. The<br>
exercises are part of government reforms aimed at protecting the country<br>
from cyberattacks.<br>
<a href="http://www.v3.co.uk/v3-uk/news/2327115/government-plans-cyber-attack-tests-for-uk-critical-industries" target="_blank">http://www.v3.co.uk/v3-uk/news/2327115/government-plans-cyber-attack-tests-for-uk-critical-industries</a><br>


[Editor's Note (Honan): When asked "How do you get to Carnegie Hall?" the<br>
violinist Mischa Elman is supposed to have said "Practice". Likewise the<br>
only way to ensure your incident response plans work is to practice. The<br>
European Network and Information Security Agency (ENISA) has an<br>
excellent repository of exercise material for CERTs available for free<br>
at <a href="http://www.enisa.europa.eu/activities/cert/support/exercise" target="_blank">http://www.enisa.europa.eu/activities/cert/support/exercise</a>]<br>
<br>
 --Oldboot Android Trojan<br>
(February 5, 2014)<br>
An Android Trojan known as Oldboot has infected 350,000 devices. The<br>
malware is difficult to delete because some of its components are loaded<br>
into the Android file system's boot partition. Oldboot may be spreading<br>
through firmware that has been seeded with the malware. The majority of<br>
infected devices are in China.<br>
<a href="http://www.theregister.co.uk/2014/02/05/china_targeted_by_new_android_trojan/" target="_blank">http://www.theregister.co.uk/2014/02/05/china_targeted_by_new_android_trojan/</a><br>
[Editor's Note (Murray): Unfortunately, this is not an "Android"<br>
problem; the problem is that there is no "Android."  Rather there are<br>
dozens of androids from so many sources that it is nigh impossible for<br>
a user to know what he has or what its vulnerabilities may be.<br>
(Northcutt): And we thought boot sector malware was yesterday's news.<br>
Honestly, I think the best hope for mobile devices is OS on the chip.]<br>
<br>
 --Facebook Redirect Attempt Unsuccessful Due to Registrar Locks<br>
(February 5 & 6, 2014)<br>
The Syrian Electronic Army launched an unsuccessful attempt to hijack<br>
Facebook's domain. The attack was not on Facebook itself but on the<br>
company responsible for maintaining Facebook's domain registration.<br>
While the attackers managed to change Facebook's domain registration<br>
information, the attack was ultimately unsuccessful because Facebook had<br>
established registrar locks that require manual checking with live human<br>
beings before making any changes.<br>
<a href="http://www.v3.co.uk/v3-uk/news/2327344/syrian-electronic-army-hackers-target-facebook" target="_blank">http://www.v3.co.uk/v3-uk/news/2327344/syrian-electronic-army-hackers-target-facebook</a><br>
<a href="http://www.computerworld.com/s/article/9246083/Hackers_try_to_hijack_Facebook_other_high_profile_domains_through_registrar?taxonomyId=17" target="_blank">http://www.computerworld.com/s/article/9246083/Hackers_try_to_hijack_Facebook_other_high_profile_domains_through_registrar?taxonomyId=17</a><br>


<a href="http://recode.net/2014/02/05/syrian-hackers-mess-with-facebooks-domain-nothing-happens/" target="_blank">http://recode.net/2014/02/05/syrian-hackers-mess-with-facebooks-domain-nothing-happens/</a><br>
Example: <a href="https://twitter.com/Official_SEA16/status/431208035050991616" target="_blank">https://twitter.com/Official_SEA16/status/431208035050991616</a><br>
[Editor's Note (Honan): Great to see security controls work as planned.<br>
If you have not enabled registrar locks on your domains, you should do<br>
so ASAP.]<br>
<br>
 --Target Systems Accessed with HVAC Contractor's Credentials<br>
(February 5 & 6, 2014)<br>
More details are emerging about the way attackers infiltrated Target's<br>
systems to steal payment card data. It now appears that the attackers<br>
gained a foothold in Target's systems by using the access credentials<br>
of a refrigeration and HVAC company that had worked at several Target<br>
locations. The president of Fazio Mechanical Services acknowledged that<br>
the US Secret Service had visited company offices in Pennsylvania, and<br>
noted that his company's "connection with Target was exclusively for<br>
electronic billing, contract submission, and project management,"<br>
suggesting that there may have been a network segmentation error.<br>
<a href="http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/" target="_blank">http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/</a><br>
<a href="http://news.cnet.com/8301-1009_3-57618439-83/heating-vents-may-have-given-target-hackers-their-opening/" target="_blank">http://news.cnet.com/8301-1009_3-57618439-83/heating-vents-may-have-given-target-hackers-their-opening/</a><br>


<a href="http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html" target="_blank">http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html</a><br>
<a href="http://www.scmagazine.com//target-vendor-fazio-mechanical-confirms-being-victim-of-attack/article/333051/" target="_blank">http://www.scmagazine.com//target-vendor-fazio-mechanical-confirms-being-victim-of-attack/article/333051/</a><br>


<a href="http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error?taxonomyId=17" target="_blank">http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error?taxonomyId=17</a><br>


The HVAC company's statement on the issue is on their website at<br>
<a href="http://faziomechanical.com/Target-Breach-Statement.pdf" target="_blank">http://faziomechanical.com/Target-Breach-Statement.pdf</a><br>
[Editor's Note (Murray): I agree that this report illustrates the<br>
importance of network layering and segmentation.  However, it also<br>
demonstrates that any vulnerability exposes the entire payment system.<br>
Taken across all merchants and networks, breaches of the payment system<br>
are inevitable.  What is not inevitable is that those breaches must<br>
result in the fraudulent reuse of credit card numbers.  It is both<br>
obvious and urgent that the brands and banks must implement measures,<br>
e.g., EMV, out-of-band one-time-passwords, to resist replay.  We cannot<br>
rely upon a system that requires all merchants to get it right all the<br>
time.<br>
(Honan): This story reinforces the importance of restricting access to<br>
key network resources for those connecting to your network from remote<br>
locations, be they partners, suppliers, or staff working remotely.]<br>
<br>
 --Adobe Patches Critical Flash Vulnerability<br>
(February 4 & 5, 2014)<br>
Adobe has released an out-of-cycle patch for a critical remote code<br>
execution vulnerability in Flash Player. The flaw affects versions of<br>
Flash for Windows, Mac, and Linux systems and could be exploited to take<br>
control of vulnerable systems. Windows and Mac users are urged to<br>
upgrade to Flash version 12.0.0.44 and Linux users to Flash version<br>
11.2.202.336. For Windows and Mac users unable to upgrade to version 12,<br>
Adobe has also released Flash version 11.7.700.261. Flash in Google<br>
Chrome and Internet Explorer 10 and 11 will be automatically updated.<br>
The flaw is being actively exploited to steal online services login<br>
credentials.<br>
<a href="http://www.scmagazine.com//adobe-releases-patch-for-flash-zero-day/article/332873/" target="_blank">http://www.scmagazine.com//adobe-releases-patch-for-flash-zero-day/article/332873/</a><br>
<a href="http://www.zdnet.com/adobe-issues-critical-flash-player-update-7000025953/" target="_blank">http://www.zdnet.com/adobe-issues-critical-flash-player-update-7000025953/</a><br>
<a href="http://news.cnet.com/8301-1009_3-57618367-83/adobe-issues-emergency-flash-update-for-windows-and-mac/" target="_blank">http://news.cnet.com/8301-1009_3-57618367-83/adobe-issues-emergency-flash-update-for-windows-and-mac/</a><br>


<a href="http://krebsonsecurity.com/2014/02/adobe-pushes-fix-for-flash-zero-day-attack/" target="_blank">http://krebsonsecurity.com/2014/02/adobe-pushes-fix-for-flash-zero-day-attack/</a><br>
<a href="http://www.computerworld.com/s/article/9246026/Adobe_releases_critical_emergency_update_for_Flash_Player" target="_blank">http://www.computerworld.com/s/article/9246026/Adobe_releases_critical_emergency_update_for_Flash_Player</a><br>


<a href="http://www.computerworld.com/s/article/9246065/Flash_exploit_distributes_credential_stealing_malware?taxonomyId=17" target="_blank">http://www.computerworld.com/s/article/9246065/Flash_exploit_distributes_credential_stealing_malware?taxonomyId=17</a><br>


<a href="http://helpx.adobe.com/security/products/flash-player/apsb14-04.html" target="_blank">http://helpx.adobe.com/security/products/flash-player/apsb14-04.html</a><br>
<a href="http://blogs.adobe.com/psirt/?p=1047" target="_blank">http://blogs.adobe.com/psirt/?p=1047</a><br>
<br>
 --Microsoft Calls for Collaborative Effort to Eradicate Malware Families<br>
(February 3, 2014)<br>
Microsoft's Partner Program Manager for Microsoft Malware Protection<br>
Center Dennis Batchelder is calling for security companies, ISPs, law<br>
enforcement agencies, CERTs, and other organizations to work together<br>
to wipe out entire families of malware. Currently, organizations<br>
leverage their strengths to disrupt malware, but "the goal of<br>
coordinated malware eradication is to bring industry partners who have<br>
specific strengths" to work together to more thoroughly rid the Internet<br>
of malware families.<br>
<a href="http://www.darkreading.com/vulnerability/microsoft-calls-for-industry-collaborati/240165888?cid=NL_DR_Daily_240165888&elq=c650908616f44834b03a03da5191a291" target="_blank">http://www.darkreading.com/vulnerability/microsoft-calls-for-industry-collaborati/240165888?cid=NL_DR_Daily_240165888&elq=c650908616f44834b03a03da5191a291</a><br>


<br>
 --Application Security Survey<br>
(February 3, 2014)<br>
The SANS 2014 Application Security Programs and Practices survey found<br>
that there is a shortage of skills in application security, which<br>
hinders implementation of effective Appsec programs. The percentage of<br>
organizations that have established Appsec programs increased from 66<br>
percent last year to 83 percent this year.<br>
<a href="http://www.darkreading.com/applications/sans-institute-application-security-surv/240165885" target="_blank">http://www.darkreading.com/applications/sans-institute-application-security-surv/240165885</a><br>
<br>
***********************************************************************<br>
STORM CENTER TECH CORNER<br>
SplashID Server Failure Leads to Data Loss<br>
<a href="http://www.heise.de/security/meldung/Daten-Safe-SplashID-schreddert-Passwort-Container-2107289.html" target="_blank">http://www.heise.de/security/meldung/Daten-Safe-SplashID-schreddert-Passwort-Container-2107289.html</a> (German only)<br>


<br>
Security Risks Overstated by News Program<br>
<a href="https://isc.sans.edu/forums/diary/To+Merrillville+or+Sochi+How+Dangerous+is+it+to+travel+/17579" target="_blank">https://isc.sans.edu/forums/diary/To+Merrillville+or+Sochi+How+Dangerous+is+it+to+travel+/17579</a><br>


<a href="http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf" target="_blank">http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf</a><br>
<br>
Monthly Ouch Newsletter: Malware<br>
<a href="http://www.securingthehuman.org/ouch" target="_blank">http://www.securingthehuman.org/ouch</a><br>
<br>
Comcast Mail Servers Breached<br>
<a href="http://www.databreaches.net/nullcrew-claims-hack-of-comcast-mail-servers" target="_blank">http://www.databreaches.net/nullcrew-claims-hack-of-comcast-mail-servers</a><br>
<br>
ASUS Routers Enumerated Internet Wide<br>
<a href="http://nullfluid.com/asusgate.txt" target="_blank">http://nullfluid.com/asusgate.txt</a><br>
<br>
Odd "ping" Packet (NVidia related?)<br>
<a href="https://isc.sans.edu/forums/diary/Odd+ICMP+Echo+Request+Payload/17570" target="_blank">https://isc.sans.edu/forums/diary/Odd+ICMP+Echo+Request+Payload/17570</a><br>
<br>
PNG IFrame Injection<br>
<a href="http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata.html" target="_blank">http://blog.sucuri.net/2014/02/new-iframe-injections-leverage-png-image-metadata.html</a><br>
<br>
Firefox Update<br>
<a href="http://www.mozilla.org/en-US/mobile/27.0/releasenotes/" target="_blank">http://www.mozilla.org/en-US/mobile/27.0/releasenotes/</a><br>
<br>
***********************************************************************<br>
The Editorial Board of SANS NewsBites<br>
<br>
John Pescatore was Vice President at Gartner Inc. for fourteen years.<br>
He became a director of the SANS Institute in 2013. He has worked in<br>
computer and network security since 1978 including time at the NSA and<br>
the U.S. Secret Service.<br>
<br>
Shawn Henry recently retired as FBI Executive Assistant Director<br>
responsible for all criminal and cyber programs and investigations<br>
worldwide, as well as international operations and the FBI's critical<br>
incident response. He is now president of CrowdStrike Services.<br>
<br>
Stephen Northcutt teaches advanced courses in cyber security management;<br>
he founded the GIAC certification and was the founding President of STI,<br>
the premier skills-based cyber security graduate school, <a href="http://www.sans.edu" target="_blank">www.sans.edu</a>.<br>
<br>
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm<br>
Center and Dean of the Faculty of the graduate school at the SANS<br>
Technology Institute.<br>
<br>
Ed Skoudis is co-founder of CounterHack, the nation's top producer of<br>
cyber ranges, simulations, and competitive challenges, now used from<br>
high schools to the Air Force. He is also author and lead instructor of<br>
the SANS Hacker Exploits and Incident Handling course, and Penetration<br>
Testing course.<br>
<br>
Michael Assante was Vice President and Chief Security Officer at NERC,<br>
led a key control systems group at Idaho National Labs, and was American<br>
Electric Power's CSO.  He now leads the global cyber skills development<br>
program at SANS for power, oil & gas and other critical infrastructure<br>
industries.<br>
<br>
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy<br>
Under Secretary of Cybersecurity at the US Department of Homeland Security.<br>
<br>
William Hugh Murray is an executive consultant and trainer in<br>
Information Assurance and Associate Professor at the Naval Postgraduate<br>
School.<br>
<br>
Sean McBride is Director of Analysis and co-founder of Critical<br>
Intelligence, and, while at Idaho National Laboratory, he initiated the<br>
situational awareness effort that became the ICS-CERT.<br>
<br>
Rob Lee is the SANS Institute's top forensics instructor and director<br>
of the digital forensics and incident response research and education<br>
program at SANS (<a href="http://computer-forensics.sans.org" target="_blank">computer-forensics.sans.org</a>).<br>
<br>
Tom Liston is a Senior Security Consultant and Malware Analyst for<br>
InGuardians, a handler for the SANS Institute's Internet Storm Center,<br>
and co-author of the book Counter Hack Reloaded.<br>
<br>
Dr. Eric Cole is an instructor, author and fellow with The SANS<br>
Institute. He has written five books, including Insider Threat, and he<br>
is a founder with Secure Anchor Consulting.<br>
<br>
Mason Brown is one of a very small number of people in the information<br>
security field who have held a top management position in a Fortune 50<br>
company (Alcoa).  He leads SANS' efforts to raise the bar in<br>
cybersecurity education around the world.<br>
<br>
David Hoelzer is the director of research & principal examiner for<br>
Enclave Forensics and a senior fellow with the SANS Technology<br>
Institute.<br>
<br>
Gal Shpantzer is a trusted advisor to CSOs of large corporations,<br>
technology startups, Ivy League universities and non-profits<br>
specializing in critical infrastructure protection. Gal created the<br>
Security Outliers project in 2009, focusing on the role of culture in<br>
risk management outcomes and contributes to the Infosec Burnout project.<br>
<br>
Alan Paller is director of research at the SANS Institute.<br>
<br>
Brian Honan is an independent security consultant based in Dublin, Ireland.<br>
<br>
David Turley is SANS operations manager and serves as production<br>
manager and final editor on SANS NewsBites.<br>
<br>
Please feel free to share this with interested parties via email, but<br>
no posting is allowed on web sites. For a free subscription (and for<br>
free posters) or to update a current subscription, visit<br>
<a href="http://portal.sans.org/" target="_blank">http://portal.sans.org/</a><br>
<br>
<br>
</div><br></div>