BF-SIRT Newsletter 2013-48

Welcome back to the newsletter! This newsletter contains news from the last two weeks as the previous week was skipped.
There are plenty of interesting stories to check out now, ranging from how there is No Bail for Alleged Silk Road Mastermind and some very interesting information about how The Underground Hacking Economy is Alive and Well.
There is also a reminder from US-CERT about Holiday Season Phishing Scams and Malware Campaigns.
If you are interested in small and very basic security measures that should be implemented as a minimum, then you should also make sure you keep an eye on the Basefarm Secure Christmas Calendar 2013!

Top 5 Security links
A look into the MongoHQ breach
Stratfor hacker Jeremy Hammond given 10 year sentence
Six more arrested in breathtaking $45 million ATM theft
Cupid Media Hack Exposed 42M Passwords
No Bail for Alleged Silk Road Mastermind

Top 5 Business Intelligence links
Microsoft opens Cybercrime Center to tackle malware and cyber crime
Holiday Season Phishing Scams and Malware Campaigns
FBI sends memo to sysadmins: You’ve been hacked… for the past YEAR
The Underground Hacking Economy is Alive and Well
Old JBoss vuln in the wild, needs patching

Basefarm Secure Christmas Calendar 2013

Basefarm Christmas calendar 2013

Christmas is just around the corner, and whether you are travelling for the holidays or staying home, it’s important to secure your IT before Christmas. To help you out, we have created a Christmas calendar with basic security tips from our security team: 24 tips for a secure Christmas, with a new tip every day until Christmas. Remember that we celebrate Christmas Eve on December 24 in Europe, and make sure to follow these daily tips for a chance to win a Christmas gift! 🙂

Drupal core – Highly Critical Vulnerability

Drupal has sent out a notification about new highly critical issues with the Drupal core. This means that anyone running Drupal should update as soon as possible.

Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

More information:

BF-SIRT Newsletter 2013-46

This week, SIRT member Kian has written a write-up about the PCI-DSS meetup that he attended, which is definitely worth a read!
We also had Patch Tuesday this week, so make sure to patch your affected systems.
Some of our other recommended reads are how a popular site ended up serving malware to its visitors, and how CryptoLocker infections have surged since the author of BlackHole got caught.

Next week, the newsletter will take a break, but will return on week 48 as usual.

Top 5 Security links
Feds Charge Calif. Brothers in Cyberheists
Macrumors Forums Breach Exposes 860,000 Accounts
Yesterday on – Malware
Nation-State Likely Behind Attack on IE Zero-Day Flaw
Cryptolocker surge directly tied with Blackhole downfall

Top 5 Business Intelligence links
Dutch National Cyber Security Strategy and the Third Cyber Security Assessment
Simulated attacks give London banks a trial run in readiness
Compromised Adobe accounts include military and government users
GCHQ used fake LinkedIn, Slashdot pages to spy on Belgacom employees
Banking Malware Infections Rise to Highest Level Since 2002
Basefarm at 2013 European PCI Community Meeting – PCI DSS 3.0

The annual European PCI Community Meeting was held in Nice, France from October 29th to 31st. As a Participating Organization, Basefarm sent two representatives to the meeting. The big news here was of course the new 3.0 standard, available in draft version at the time. There is currently much focus on the entities that have a low level of PCI awareness, typically small merchants in brick-and-mortar shops. The catchphrase for PCI DSS 3.0 is “Business As Usual”, so widely used that it got its own TLA: “BAU”. Expect to see the term BAU being used whenever PCI DSS compliance is discussed. Compliance has to be built into the daily procedures, which the “Maintaining Compliance” Special Interest Group has also emphasized. In this blog post I will attempt to highlight the most significant changes from the perspective of Basefarm as a hosting provider and how they may affect our customers.

E-commerce requirements

To begin with, the big change discussed at the Community Meeting is how the new e-commerce requirements will actually be implemented. Basically, a lot of web shops managed to avoid the issue of PCI DSS compliance by simply redirecting their customers to the Payment Service Provider at the time of checkout. In 3.0, the definition of PCI DSS Scope (page 6 of the Draft) now defines web redirection servers as systems that may impact the security of the CDE. They are also included in requirement 10.6.1 as part of the system components you have to include in your daily log review. The document “Summary of Changes from PCI DSS Version 2.0 to 3.0 – Draft” does not explicitly mention these changes. Rumour has it that large e-commerce sites must expect to run ASV scans and be prepared to have the payment brands review these. We’ll see what happens; I expect the first reaction of the e-commerce software vendors will be to describe how they have somehow implemented their redirects in a way that leaves them out of scope.

The challenge for PCI DSS hosting providers

As a PCI DSS hosting provider, we have seen much focus on third parties during the last year. The “Third Party” Special Interest Group has looked at all kinds of third parties involved and created guidelines. Some of the issues that were discussed during the creation of the guidelines have instead been included in the PCI DSS 3.0 standard under 12.8.x. One item that will complicate matters for service providers is the new requirement 8.5.1, which says: “Service providers with access to customer environments must use a unique authentication credential (such as a password/phrase) for each customer environment.” The guidance further emphasizes that you cannot use “similar” authentication credentials, such as simply prefixing your password with the customer name. Service providers will have to come up with a solution before the extended deadline of June 30th, 2015.
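One way a service provider could audit its own credential inventory against 8.5.1 and the “no similar credentials” guidance is shown below. This is an added example written for this post; it is not Basefarm’s code and not anything published by the PCI Council. It assumes the audit can read the per-customer credentials in plaintext (for example, pulled from the provider’s password vault by an authorised job), that the `SAMPLE_INVENTORY` dict is constructed sample data, and that the finding categories (`identical`, `derived`, `similar`, `name-only`) and the `SIMILARITY_THRESHOLD` value are my own choices rather than values defined by the standard.

```python
"""Check a service provider's per-customer credentials against PCI DSS 3.0
requirement 8.5.1 (one unique credential per customer environment).

Added example for this post; not Basefarm's or the PCI Council's code.
Assumptions: credentials are readable in plaintext by the audit job, the
inventory below is constructed sample data, and the similarity threshold and
finding categories are the author's own, not values from the standard."""
import difflib
import itertools
import re
from typing import Dict, List, Optional, Tuple

# Ratio (0..1) at or above which two raw credentials count as "similar". Assumption.
SIMILARITY_THRESHOLD = 0.75

# Constructed sample: four customers share one base password, two are unique.
SAMPLE_INVENTORY: Dict[str, str] = {
    "acme": "acme-Winter2013!",       # base password with the customer name prefixed
    "globex": "globex-Winter2013!",   # same base, different prefix
    "initech": "Winter2013!",         # the bare base password
    "umbrella": "Winter2013!",        # exact reuse of initech's credential
    "hooli": "tK7#q9Lp$2vXwm4Zr",     # unique, randomly generated
    "vehement": "gH3!sRq8@nBc5Yx1P",  # unique, randomly generated
}

Finding = Tuple[str, str, str]  # (kind, customer_a, customer_b)


def strip_customer_name(customer: str, secret: str) -> str:
    """Remove the customer name (case-insensitive) and surrounding separators,
    so 'acme-Winter2013!' reduces to the shared base 'Winter2013!'."""
    bare = re.sub(re.escape(customer), "", secret, flags=re.IGNORECASE)
    return bare.strip("-_:./ ")


def classify_pair(cust_a: str, secret_a: str, cust_b: str, secret_b: str,
                  threshold: float = SIMILARITY_THRESHOLD) -> Optional[str]:
    """Return the finding kind for one pair, or None if they are distinct enough.

    Checked in order of severity: exact reuse, the same secret once the
    customer name is stripped (the prefixing trick the guidance rules out),
    then a generic edit-similarity check for other near-duplicates."""
    if secret_a == secret_b:
        return "identical"
    bare_a = strip_customer_name(cust_a, secret_a)
    bare_b = strip_customer_name(cust_b, secret_b)
    if bare_a and bare_a == bare_b:
        return "derived"
    if difflib.SequenceMatcher(None, secret_a, secret_b).ratio() >= threshold:
        return "similar"
    return None


def audit_credentials(inventory: Dict[str, str],
                      threshold: float = SIMILARITY_THRESHOLD) -> List[Finding]:
    """Compare every pair of customer environments and collect findings.
    Also flags a credential that consists of nothing but the customer name."""
    findings: List[Finding] = []
    entries = sorted(inventory.items())
    for cust, secret in entries:
        if not strip_customer_name(cust, secret):
            findings.append(("name-only", cust, cust))
    for (cust_a, secret_a), (cust_b, secret_b) in itertools.combinations(entries, 2):
        kind = classify_pair(cust_a, secret_a, cust_b, secret_b, threshold)
        if kind:
            findings.append((kind, cust_a, cust_b))
    return findings


def is_compliant(inventory: Dict[str, str],
                 threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """True when no pair of customer environments shares or nearly shares a credential."""
    return not audit_credentials(inventory, threshold)


if __name__ == "__main__":
    for kind, a, b in audit_credentials(SAMPLE_INVENTORY):
        print(f"{kind:10s} {a} <-> {b}")
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
```

Run against the sample, the four customers sharing `Winter2013!` produce one `identical` finding (initech and umbrella) and five `derived` findings, while the two randomly generated credentials produce none. The `derived` check is what catches the customer-name-prefix pattern the guidance explicitly disallows; the ratio check is a coarser net for other variations of one base password, and its threshold should be tuned against the provider’s real inventory.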

The service provider requirements are clarified with regards to two-factor authentication (8.3) and remote administration (8.1.5) – vendors must be 2FA authenticated and their accounts must be disabled when not in use. The Third Party SIG has also emphasized that the entity required to comply with PCI DSS will retain this responsibility, but all service providers must now be made aware that they are supporting a PCI DSS environment and ensure that they also comply with their relevant requirements (12.8.x). Hopefully, this will ensure that the service providers are professional and knowledgeable in PCI DSS.

In general, the document contains a lot of clarifications and some entirely new items. Here are a few other quick highlights from 3.0:

  • The PCI Council apparently agree with the rest of the world that passwords are dead. There are still specific requirements with regards to password policies and quality, but more importantly they use the more general term “credentials” instead of actual passwords.
  • For the larger merchants, there is a new requirement (9.9) to keep an inventory of POS terminals and inspect them for skimming. This of course has to be documented so it can be presented during audit. A necessary update to the standard, but still a time-consuming job. It is one of the requirements that are only best practice until they take effect July 1st 2015.
  • There is a new requirement 2.4 where an inventory of system components must be maintained. If you have cared about any other standards such as ITIL, Cobit, anything ISO or even the SANS Top 20 this is usually high on the list, but has been absent from the PCI requirements. This means it should already be in place for most companies that care about PCI DSS, but it is good to finally see it included in the standard. The PCI justification for the requirement centers around scoping, as asset management has perhaps not been considered an important part of security before. However, you can’t patch what you don’t know you have. Orphaned assets are a known problem in many organisations, where they are only discovered when they are infected with malware and causing network issues.
  • There are some more details on what exactly constitutes a pentest according to the PCI Council, but the main requirement is that you must base the methodology on industry-accepted standards (NIST SP800-115 is mentioned as an example). It is sufficient to demonstrate organizational independence of the tester; there are no approval programs for pentesters (yet). Given the focus on pentesting I have seen in previous SIG proposals, I expect this to mature further in future versions of the PCI standard.
  • In chapter 12, otherwise known as the paperwork requirements, the items that must be included in the security policy have now been relocated from the single 12.1 requirement into each separate requirement. Risk assessments now have to be done not only annually, but after “significant changes to the environment”. And 12.4.1 makes one specific type of separation of duties clearer – security must be handled by an independent role.

All in all, a very useful update to a standard that is maturing and being kept up to date. And of course, going to the community meetings creates opportunities to meet and chat informally with vendors, colleagues and competitors in a friendly manner, with the usual exchange of war stories about hackers and crazy audit findings.

Patch Tuesday November 2013

Another month, another Patch Tuesday. This month, Microsoft has released three critical and five important updates.
Adobe on the other hand has released security updates for Adobe Flash Player and ColdFusion to address multiple vulnerabilities.
These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

More information:

BF-SIRT Newsletter 2013-45

This week brought some very interesting stories, some of which could very well fit in spy novels. Read how a Fake femme fatale dupes IT guys at US government agency and Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps.
In other news, there are some articles going through how Iris ID Systems work. Krebs has also written some updates about CryptoLocker, the malware that encrypts your files once it has infected a machine and then demands a ransom in order to decrypt them.

Top 5 Security links
Fake femme fatale dupes IT guys at US government agency
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps
Cyber dragnet: Five new HACKERS join FBI’s ‘most wanted’ list
CryptoLocker Crew Ratchets Up the Ransom
Hackers Take Limo Service Firm for a Ride

Top 5 Business Intelligence links
Iris ID Systems Go Mainstream
Most organizations unafraid of phishing
Most visits to a login page are made by malicious tools
The Danger of Cybersecurity ‘Ghettos’
Biggest Risks in IPv6 Security Today

BF-SIRT Newsletter 2013-44

This week, we’ve had quite a few things happening! To start off, Obama had his Twitter account compromised by the SEA. MongoHQ also had a bad week due to being compromised and having their database leaked. More information about the Adobe Breach became known as well; and it doesn’t look good as this has impacted at least 38 million Adobe Online users, and it appears that the Photoshop source code, amongst other things, got stolen.
As for our own posts, we have added information about the latest Mozilla vulnerabilities, for which you should update your affected software.

Top 5 Security links
Syrian Electronic Army claims Obama social media hijacking
Hack of MongoHQ exposes passwords, user databases to intruders
Adobe Breach Impacted At Least 38 Million Users, Photoshop source code stolen
British Man Charged with Hacking NASA and US Military Computers
4 Dutch Men Arrested for Allegedly Using TorRAT to Plunder Bank Accounts

Top 5 Business Intelligence links
Visual investigations of botnet command and control behavior
Symantec to create cross-industry big data cloud hub to fight targeted attacks
When the phone call is more dangerous than malware
ATM Malware May Spread From Mexico to English-speaking World
Mozilla addresses teenager’s purported mobile Firefox OS malware

Mozilla Vulnerabilities