****************************** ****************************** **************
SANS NewsBites December 19, 2014 Vol. 16, Num. 100
****************************** ****************************** **************
TOP OF THE NEWS
FBI Accuses North Korea of Sony Pictures Attack
US Points Finger at North Korea in Sony Pictures Attack
Breach Attribution is No Easy Task
Sony Hack Code Not Sophisticated
THE REST OF THE WEEK'S NEWS
US Government Personnel Data May Have Been Compromised in Breach
New York Financial Institutions Will be Evaluated on Cyber Security
Misfortune Cookie Affects Millions of Routers
Backdoor in Coolpad Android Devices
ICANN Accounts Hijacked Through Phishing Attack
Google Tightens Security for Gmail Extensions
Google Plans to Warn Chrome Users on All HTTP Connections
Indications of Breach at Park-n-Fly
Dutch Privacy Watchdog Hounds Google and Facebook
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec ****************************
Report Highlights: Over 41 percent of email-borne malware contained a
link to a malicious or compromised website. Kelihos and Gamut are the
top two most active botnets in November. Crypto-ransomware made up 38
percent of all ransomware seen in the month of November.
http://www.sans.org/info/173292
***************************************************************************
TRAINING UPDATE
--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 |
30 courses. Bonus evening presentations include Gone in 60 Minutes: Have
You Patched Your System Today?; A Night of Crypto; and NetWars Tournament
of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014
--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015
11 courses. Bonus evening sessions include Stop Giving the Offense an
Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015
--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 |
Brian Krebs, the renowned data breach and cybersecurity journalist who
first reported on the malware that later became known as Stuxnet and who
also broke the story on the Target breach, will keynote the CTI Summit.
Adversaries leverage more knowledge about your organization than you
have; learn how to flip those odds at the CTI Summit, combined with 4
intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015
--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 |
At the ICS Summit you will learn the nature of ICS-focused threats and
the implications of targeted attacks, what is not working, and which
paths (options) you can build your program around. In addition, Kim
Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the
World's First Digital Weapon, will keynote. Come prepared to learn about
the recent onset of ICS-focused attacks and how you need to hone your
skills to defend our critical infrastructure systems. Plus 6 top-rated
ICS courses.
http://www.sans.org/event/ics-security-summit-2015
--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015
6 courses.
http://www.sans.org/event/munich-2015
--Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Brussels, Dubai, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************
TOP OF THE NEWS
--FBI Accuses North Korea of Sony Pictures Attack
(December 19, 2014)
Citing "similarities in specific lines of code, encryption algorithms,
data deletion methods, and compromised networks" as well as classified
pieces of evidence, the FBI today issued a statement saying that it "now
has enough information to conclude that the North Korean government is
responsible for" the attack.
http://www.washingtonpost.com/world/national-security/us-attributes-sony-attack-to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html
http://www.nytimes.com/2014/12/20/world/fbi-accuses-north-korean-government-in-cyberattack-on-sony-pictures.html?hp&action=click&pgtype=Homepage&module=first-column-region&region=top-news&WT.nav=top-news
--US Points Finger at North Korea in Sony Pictures Attack
(December 17, 2014)
US officials say that law enforcement and intelligence agencies have
gathered sufficient evidence to indicate that North Korea is behind the
attack on Sony Pictures. The officials are not providing details, as
doing so might reveal how the US was able to penetrate North Korean
networks to find the source of the attack. Sony has cancelled the
release of the movie that the attackers have been protesting after the
group claiming responsibility for the attack threatened violence at
theaters if the film was released.
http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html
http://www.bloomberg.com/news/2014-12-18/u-s-is-said-set-to-blame-north-korea-for-sony-hack.html
[Editor's Note (Murray): Whether or not North Korea conducted or simply
paid for this attack, they have scored a huge victory. They have
humiliated both the World's remaining "superpower" and Japan, their
ancient enemy and recent occupier. They have won what may be the first
and only battle in this "cyberwar." They have demonstrated not only
that Sony's security was weak but that Sony had documented the weakness
without a budget or schedule for mitigation. They have reinforced the
fear that our national infrastructure is vulnerable to crippling attack
from the Internet. They have demonstrated that they need only whisper
the magic words "nine one one" to get the risk averse, not to say
fearful and feckless, American people to compromise the First Amendment
and betray all those who have sacrificed life and limb to defend it.
Not bad for a starving country that numbers its Internet users in the
low thousands.]
--Breach Attribution is No Easy Task
(December 17 & 18, 2014)
Not everyone agrees that the Sony Pictures attack emanated from North
Korea. Attribution for cyber attacks is difficult. Attackers can use
proxies and phony IP addresses, and they can plant false clues inside
the code of their malware. The initial attack on Sony Pictures appears
to have been financially motivated. The film was not mentioned until
later in the chain of events.
http://www.csmonitor.com/World/Passcode/2014/1218/Did-North-Korea-really-hack-Sony-Cybersecurity-pros-at-odds-video
http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/
--Sony Hack Code Not Sophisticated
(December 17, 2014)
The malware used in the attack that erased data from hard drives at Sony
Pictures was unsophisticated and riddled with bugs. Even so, it did what
it was supposed to do; the malware's purpose did not require complex
code. Its construction, however, indicates a familiarity with the Sony
Pictures network.
http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-malware-bomb-used-slapdash-code/
[Editor's Note (Pescatore): The mainstream press tends to focus on
giving the attackers "superpowers," which leads to the "don't blame me,
it was an APT" syndrome and failure to address basic cybersecurity
weaknesses that enable the attacks. It seems popular to say "don't blame
the victims" and it is true that if I leave the keys in my car's
ignition with the doors unlocked and my wallet on the front seat,
someone stealing my car or wallet is committing a crime. But, it does
*not* mean that my insurance company has to pay off, since I did
*not* live up to basic security hygiene.]
**************************** SPONSORED LINKS ******************************
1) In case you missed it: Analyst Webcast: Advanced Network Protection
with McAfee Next Generation Firewall with Dave Shackleford and Steve
Smith. http://www.sans.org/info/173297
2) Another chance to win $400 Amazon Card - Take New Survey on Insider
Threats: http://www.sans.org/info/173302
3) In case you missed it: 'Tis the Season for Data Breaches and Stolen
Identity with Chester Wisniewski: http://www.sans.org/info/173307
***************************************************************************
THE REST OF THE WEEK'S NEWS
--US Government Personnel Data May Have Been Compromised in Breach
(December 18, 2014)
A breach at KeyPoint Government Solutions may have left personally
identifiable information about nearly 50,000 US government employees
exposed to possible theft. KeyPoint conducts federal employee background
checks for security clearances. The Office of Personnel Management has
notified people whose information may have been compromised. This is not
the first time that a company providing background checks for government
employees has suffered a breach. Earlier this year, a breach at USIS
exposed personally identifiable information of 25,000 people.
http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-check-breach/101622/?oref=ng-HPtopstory
[Editor's Note (Murray): One would expect the remedy for the victims
here to be a class action suit. However, in similar breaches in the
past, it has been difficult to link the damage to the breach. The
courts have accepted the defense argument that the plaintiffs do not
have standing to sue. The government needs to write the contracts in
such a way as to give the victims just compensation and the contractors
sufficient motivation.]
--New York Financial Institutions Will be Evaluated on Cyber Security
(December 18, 2014)
The Superintendent of New York's Department of Financial Services has
asked member organizations to consider cyber security "an integral
aspect of their overall risk management strategy" instead of an issue
for just information technology. Banks and other financial institutions
in New York will be evaluated on their cyber security, including their
use of multi-factor authentication and identity and access management.
The requirements affect all financial institutions operating with a New
York state charter or license.
http://www.zdnet.com/article/ny-bank-regulators-cybersecurity-plan-includes-strong-authentication-identity/
[Editor's Note (Pescatore): Saying "just information technology" to most
businesses today is like saying "just oxygen" to most Earth-based life
forms. Honestly, I really do *not* want cybersecurity assessment blended
into the financial industry "risk management" programs that seem to give
us constant streams of failed investments, financial meltdowns, insider
trading, etc. That said, NY State put together a pretty sensible list
of questions - I'd like to see reduction in use of reusable passwords
move up in priority.
(Murray): New York State only regulates banks that operate with state,
rather than national, charters, i.e., many small institutions rather
than the few "too big to fail" institutions that dominate its market.
The state regulators have indicated that they will expect "multi-factor
authentication," a requirement which federal regulators, under the
"Guidance" of the FFIEC, have artfully avoided.]
--Misfortune Cookie Affects Millions of Routers
(December 18, 2014)
A critical flaw in more than 200 models of residential gateway devices
and small office/home office routers could be exploited to gain
administrative privileges. The issue lies in an embedded web server that
the routers use. Attackers could potentially sniff traffic and launch
attacks against other systems. The vulnerability has been called
Misfortune Cookie because the flaw lies in the embedded web server's
HTTP cookie management mechanism.
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
http://www.computerworld.com/article/2860843/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html
http://www.scmagazine.com/crucial-vulnerability-could-compromise-at-least-200-router-models/article/389149/
--Backdoor in Coolpad Android Devices
(December 18, 2014)
A backdoor in certain Android devices made by Chinese smartphone
manufacturer Coolpad could be exploited to download, install, and
activate applications without user interaction; disable other
applications; remove data from the device; and receive updates that
install applications. Known as CoolReaper, the backdoor appears to be
deliberately installed on the devices by the manufacturer.
http://www.siliconrepublic.com/digital-life/item/39925-chinese-coolpad-devices/
http://www.theregister.co.uk/2014/12/18/coolreaper_android_backdoor/
--ICANN Accounts Hijacked Through Phishing Attack
(December 17 & 18, 2014)
ICANN was the target of a data breach following a phishing campaign.
The organization's root zone administration system was compromised. The
attack occurred late last month and was detected a week later. The
compromised data include personal information of people who do business
with the organization.
http://www.bbc.com/news/technology-30497392
http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
http://www.computerworld.com/article/2860408/icann-data-compromised-in-spearphishing-attack.html
http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
--Google Tightens Security for Gmail Extensions
(December 16 & 17, 2014)
Google has implemented the W3C's Content Security Policy (CSP) standard
for Gmail extensions. CSP provides a layer of protection against
cross-site scripting attacks. Those extensions that do not comply with
the standard will no longer be functional.
http://www.theregister.co.uk/2014/12/17/google_bakes_w3c_malwarebuster_into_gmail/
http://gmailblog.blogspot.com/2014/12/reject-unexpected-content-security.html
--Google Plans to Warn Chrome Users on All HTTP Connections
(December 16, 2014)
Google plans to flag all HTTP traffic as insecure in its Chrome browser.
Chrome users will see alerts when they attempt to visit HTTP sites.
Google plans to implement the change in 2015.
http://www.theregister.co.uk/2014/12/16/chrome_devs_hatch_plan_to_mark_all_http_traffic_insecure/
http://www.bbc.com/news/technology-30505970
http://www.eweek.com/cloud/google-chrome-browser-to-warn-users-of-sites-that-dont-use-https.html
[Editor's Note (Pescatore): I think Google is actually trying to kick
off a debate about how to warn browser users of good/questionable/lack
of SSL connections. However, today all browsers already give
red/yellow/green indications when SSL is in use but the browser/CA
industry has never made any investment in educating users/consumers what
it means! More colors and beeps and popups without such education is a
waste of time. The "questionable use of SSL" is critical for education,
just pushing "SSL in use will make everything secure" philosophy just
sends us back to the eyewash days of "as long as you see the little
solid key, no worries".]
--Indications of Breach at Park-n-Fly
(December 16, 2014)
Financial institutions are noting a pattern of fraud suggesting that
Park-n-Fly, a company that operates parking lots near airports,
experienced a security breach exposing customers' payment card data,
according to KrebsOnSecurity. The company said it has engaged third-party
security companies to investigate the claims of a breach. The breach may
also involve the company's online payment card processing chain.
http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/
--Dutch Privacy Watchdog Hounds Google and Facebook
(December 16 & 17, 2014)
The Dutch data protection authority College Bescherming Persoonsgegevens
(CBP) has ordered Google to abide by that country's privacy rules or be
subject to penalties of as much as 15 million euros (US $18.4 million).
Google has been using user data to offer targeted advertising. The
watchdog group has also turned its attention to Facebook, launching an
investigation into that company's new privacy policy, which is scheduled
to take effect on January 1, 2015.
http://touch.latimes.com/#section/618/article/p2p-82306693/
http://www.zdnet.com/article/facebook-to-dutch-regulators-whats-the-privacy-problem-nothings-changed/
http://www.theguardian.com/technology/2014/dec/16/google-15m-fines-privacy-breaches-netherlands
[Editor's Note (Murray): Google and Facebook users have struck a bargain
with the devil. Nation states will find that undoing that bargain will
be somewhere between very difficult and impossible.]
STORM CENTER TECH CORNER
Evolution of the Nuclear Exploit Kit
https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pack/19081
phpBB Compromised
https://www.phpbb.com/community/viewtopic.php?f=14&t=2278081
Check Point Misfortune Cookie
http://mis.fortunecook.ie
Git Vulnerability
https://github.com/blog/1938-git-client-vulnerability-announced
Microsoft Releases Fixed IE Patch
http://support.microsoft.com/kb/3025390
Coolpad Adds ROM Backdoor to Smartphones
https://www.paloaltonetworks.com/threat-research.html
Delta Mobile Boarding Pass Hackable
https://medium.com/@thedanigrant/need-a-last-minute-flight-45af88ec8df3
Linux x86_64 Kernel Priv. Escalation Vulnerabilities
http://seclists.org/oss-sec/2014/q4/1052
Ettercap Vulnerabilities
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
Memory Forensics with "Forensic Suite" and Volatility
https://isc.sans.edu/forums/diary/Some+Memory+Forensic+with+Forensic+Suite+Volatility+plugins+/19071
"Grinch" Polkit Vulnerability
https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He leads SANS' efforts to raise the bar in
cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager
and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
SANS NewsBites December 19, 2014 Vol. 16, Num. 100
******************************
TOP OF THE NEWS
FBI Accuses North Korea of Sony Pictures Attack
US Points Finger at North Korea in Sony Pictures Attack
Breach Attribution is No Easy Task
Sony Hack Code Not Sophisticated
THE REST OF THE WEEK'S NEWS
US Government Personnel Data May Have Been Compromised in Breach
New York Financial Institutions Will be Evaluated on Cyber Security
Misfortune Cookie Affects Millions of Routers
Backdoor in Coolpad Android Devices
ICANN Accounts Hijacked Through Phishing Attack
Google Tightens Security for Gmail Extensions
Google Plans to Warn Chrome Users on All HTTP Connections
Indications of Breach at Park-n-Fly
Dutch Privacy Watchdog Hounds Google and Facebook
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec ****************************
Report Highlights: Over 41 percent of email-borne malware contained a
link to a malicious or compromised website. Kelihos and Gamut are the
top two most active botnets in November. Crypto- ransomware made up 38
percent of all ransomware seen in the month of November.
http://www.sans.org/info/173292
***************************************************************************
TRAINING UPDATE
--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 |
30 courses. Bonus evening presentations include Gone in 60 Minutes: Have
You Patched Your System Today? A Night of Crypto; and NetWars Tournament
of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014
--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015
11 courses. Bonus evening sessions include Stop Giving the Offense an
Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015
--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 |
Brian Krebs, renowned Data Breach and Cybersecurity journalist who first
reported on the malware that later become known as Stuxnet and also
broke the story on the Target and will keynote the CTI Summit.
Adversaries leverage more knowledge about your organization than you
have, learn how to flip those odds at the CTI Summit combined with 4
intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015
--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 |
At the ICS summit you will learn what is the nature of ICS-focused
threats & implications of targeted attacks, what is not working and what
are the paths (options) to build your program around. In addition Kim
Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the
World's First Digital Weapon, to keynote. Come prepared to learn about
the recent onset of ICS-focused attacks and how you need to hone your
skills to defend our critical infrastructure systems. Plus 6 top-rated
ICS courses.
http://www.sans.org/event/ics-security-summit-2015
--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015
6 courses.
http://www.sans.org/event/munich-2015
--Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
- - --Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Brussels, Dubai, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************
TOP OF THE NEWS
--FBI Accuses North Korea of Sony Pictures Attack
(December 19, 2014)
Citing "similarities in specific lines of code, encryption algorithms,
data deletion methods, and compromised networks" as well as classified
pieces of evidence, the FBI today issued a statement saying that it "now
has enough information to conclude that the North Korean government is
responsible for" the attack.
http://www.washingtonpost.com/world/national-security/us-attributes-sony-attack-to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html
http://www.nytimes.com/2014/12/20/world/fbi-accuses-north-korean-government-in-cyberattack-on-sony-pictures.html?hp&action=click&pgtype=Homepage&module=first-column-region®ion=top-news&WT.nav=top-news
--US Points Finger at North Korea in Sony Pictures Attack
(December 17, 2014)
US officials say that law enforcement and intelligence agencies have
gathered sufficient evidence to indicate that North Korea is behind the
attack on Sony Pictures. The officials are not providing details, as
doing so might reveal how the US was able to penetrate North Korean
networks to find the source of the attack. Sony has cancelled the
release of the movie that the attackers have been protesting after the
group claiming responsibility for the attack threatened violence at
theaters if the film was released.
http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html
http://www.bloomberg.com/news/2014-12-18/u-s-is-said-set-to-blame-north-korea-for-sony-hack.html
[Editor's Note (Murray): Whether or not North Korea conducted or simply
paid for this attack, they have scored a huge victory. They have
humiliated both the World's remaining "superpower" and Japan, their
ancient enemy and recent occupier. They have won what may be the first
and only battle in this "cyberwar." They have demonstrated not only
that Sony's security was weak but that Sony had documented the weakness
without a budget or schedule for mitigation. They have reinforced the
fear that our national infrastructure is vulnerable to crippling attack
from the Internet. They have demonstrated that they need only whisper
the magic words "nine one one" to get the risk averse, not to say
fearful and feckless, American people to compromise the First Amendment
and betray all those who have sacrificed life and limb to defend it.
Not bad for a starving country that numbers its Internet users in the
low thousands.]
--Breach Attribution is No Easy Task
(December 17 & 18, 2014)
Not everyone agrees that the Sony Pictures attack emanated from North
Korea. Attribution for cyber attacks is difficult. Attackers can use
proxies and phony IP addresses, and they can plant false clues inside
the code of their malware. The initial attack on Sony Pictures appears
to have been financially motivated. The film was not mentioned until
later in the chain of events.
http://www.csmonitor.com/World/Passcode/2014/1218/Did-North-Korea-really-hack-Sony-Cybersecurity-pros-at-odds-video
http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/
--Sony Hack Code Not Sophisticated
(December 17, 2014)
The malware used in the attack that erased data from hard drives at Sony
Pictures was unsophisticated and riddled with bugs. However, it did what
it was supposed to do; the malware's purpose did not require complex
code. However, the malware's construction indicates a familiarity with
the Sony Pictures network.
http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-malware-bomb-used-slapdash-code/
[Editor's Note (Pescatore): The mainstream press tends to focus on
giving the attackers "superpowers," which leads to the "don't blame me,
it was an APT" syndrome and failure to address basic cybersecurity
weaknesses that enable the attacks. It seems popular to say "don't blame
the victims" and it is true that if I leave the keys in my car's
ignitions with the doors unlocked and my wallet on the front seat,
someone stealing my car or wallet is committing a crime. But, it does
*not* mean that my insurance company has to pay off, since I did
*not* live up to basic security hygiene.]
**************************** SPONSORED LINKS ******************************
1) In Case you missed it: Analyst Webcast: Advanced Network Protection
with McAfee Next Generation Firewall with Dave Shackleford and Steve
Smith. http://www.sans.org/info/173297
2) Another chance to win $400 Amazon Card - Take New Survey on Insider
Threats: http://www.sans.org/info/173302
3) In case you missed it: Tis the Season for Data Breaches and Stolen
Identity with Chester Wisniewski: http://www.sans.org/info/173307
***************************************************************************
THE REST OF THE WEEK'S NEWS
--US Government Personnel Data May Have Been Compromised in Breach
(December 18, 2014)
A breach at KeyPoint Government Solutions may have left personally
identifiable information about nearly 50,000 US government employees
exposed to possible theft. KeyPoint conducts federal employee background
checks for security clearances. The Office of Personnel Management has
notified people whose information may have been compromised. This is not
the first time that a company providing background checks for government
employees has suffered a breach. Earlier this year, a breach at USIS
exposed personally identifiable information of 25,000 people.
http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-check-breach/101622/?oref=ng-HPtopstory
[Editor's Note (Murray): One would expect the remedy for the victims
here to be a class action suit. However, in similar breaches in the
past, it has been difficult to link the damage to the breach. The
courts have accepted the defense argument that the plaintiffs do not
have standing to sue. The government needs to write the contracts in
such a way as to give the victims just compensation and the contractors
sufficient motivation.]
--New York Financial Institutions Will be Evaluated on Cyber Security
(December 18, 2014)
The Superintendent of New York's Department of Financial Services has
asked member organizations to consider cyber security "an integral
aspect of their overall risk management strategy" instead of an issue
for just information technology. Banks and other financial institutions
in New York will be evaluated on their cyber security, including their
use of multi-factor authentication and identity and access management.
The requirements affect all financial institutions operating with a New
York state charter or license.
http://www.zdnet.com/article/ny-bank-regulators-cybersecurity-plan-includes-strong-authentication-identity/
[Editor's Note (Pescatore): Saying "just information technology" to most
businesses today is like saying "just oxygen" to most Earth-based life
forms. Honestly, I really do *not* want cybersecurity assessment blended
into the financial industry "risk management" programs that seem to give
us constant streams of failed investments, financial meltdowns, insider
trading, etc. That said, NY State put together a pretty sensible list
of questions - I'd like to see reduction in use of reusable passwords
move up in priority.
(Murray): New York State only regulates banks that operate with state,
rather than national, charters, i.e., many small institutions rather
than the few "too big to fail" institutions that dominate its market.
The state regulators have indicated that they will expect "multi-factor
authentication," a requirement which federal regulators, under the
"Guidance" of the FFIEC, have artfully avoided.]
--Misfortune Cookie Affects Millions of Routers
(December 18, 2014)
A critical flaw in more than 200 models of residential gateway devices
and small office/home office routers could be exploited to gain
administrative privileges. The issue lies in an embedded web server that
the routers use. Attackers could potentially sniff traffic and launch
attacks against other systems. The vulnerability has been named
Misfortune Cookie because the flaw lies in the web server's HTTP cookie
handling mechanism.
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
http://www.computerworld.com/article/2860843/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html
http://www.scmagazine.com/crucial-vulnerability-could-compromise-at-least-200-router-models/article/389149/
--Backdoor in Coolpad Android Devices
(December 18, 2014)
A backdoor in certain Android devices made by Chinese smartphone
manufacturer Coolpad could be exploited to download, install, and
activate applications without user interaction; disable other
applications; remove data from the device; and receive updates that
install applications. Known as CoolReaper, the backdoor appears to be
deliberately installed on the devices by the manufacturer.
http://www.siliconrepublic.com/digital-life/item/39925-chinese-coolpad-devices/
http://www.theregister.co.uk/2014/12/18/coolreaper_android_backdoor/
--ICANN Accounts Hijacked Through Phishing Attack
(December 17 & 18, 2014)
ICANN was the target of a data breach following a phishing campaign.
The organization's root zone administration system was compromised. The
attack occurred late last month and was detected a week later. The
compromised data include personal information of people who do business
with the organization.
http://www.bbc.com/news/technology-30497392
http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
http://www.computerworld.com/article/2860408/icann-data-compromised-in-spearphishing-attack.html
http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-breached-in-spearphishing-attack/
--Google Tightens Security for Gmail Extensions
(December 16 & 17, 2014)
Google has implemented the W3C's Content Security Policy (CSP) standard
for Gmail extensions. CSP provides a layer of protection against
cross-site scripting attacks. Those extensions that do not comply with
the standard will no longer be functional.
http://www.theregister.co.uk/2014/12/17/google_bakes_w3c_malwarebuster_into_gmail/
http://gmailblog.blogspot.com/2014/12/reject-unexpected-content-security.html
--Google Plans to Warn Chrome Users on All HTTP Connections
(December 16, 2014)
Google plans to flag all HTTP traffic as insecure in its Chrome browser.
Chrome users will see alerts when they attempt to visit HTTP sites.
Google plans to implement the change in 2015.
http://www.theregister.co.uk/2014/12/16/chrome_devs_hatch_plan_to_mark_all_http_traffic_insecure/
http://www.bbc.com/news/technology-30505970
http://www.eweek.com/cloud/google-chrome-browser-to-warn-users-of-sites-that-dont-use-https.html
[Editor's Note (Pescatore): I think Google is actually trying to kick
off a debate about how to warn browser users of good/questionable/lack
of SSL connections. However, today all browsers already give
red/yellow/green indications when SSL is in use but the browser/CA
industry has never made any investment in educating users/consumers what
it means! More colors and beeps and popups without such education is a
waste of time. The "questionable use of SSL" is critical for education,
just pushing "SSL in use will make everything secure" philosophy just
sends us back to the eyewash days of "as long as you see the little
solid key, no worries".]
--Indications of Breach at Park-n-Fly
(December 16, 2014)
Financial institutions are noting a pattern of fraud suggesting that
Park-n-Fly, a company that operates parking lots near airports,
experienced a security breach exposing customers' payment card data,
according to KrebsOnSecurity. The company said it has engaged third-party
security companies to investigate the reports of a breach. The breach
may also lie somewhere in the chain of the company's online payment card
processing system.
http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/
--Dutch Privacy Watchdog Hounds Google and Facebook
(December 16 & 17, 2014)
The Dutch data protection authority College Bescherming Persoonsgegevens
(CBP) has ordered Google to abide by that country's privacy rules or be
subject to penalties of as much as 15 million euros (US $18.4 million).
Google has been using user data to offer targeted advertising. The
watchdog group has also turned its attention to Facebook, launching an
investigation into that company's new privacy policy, which is scheduled
to take effect on January 1, 2015.
http://touch.latimes.com/#section/618/article/p2p-82306693/
http://www.zdnet.com/article/facebook-to-dutch-regulators-whats-the-privacy-problem-nothings-changed/
http://www.theguardian.com/technology/2014/dec/16/google-15m-fines-privacy-breaches-netherlands
[Editor's Note (Murray): Google and Facebook users have struck a bargain
with the devil. Nation states will find that undoing that bargain will
be somewhere between very difficult and impossible.]
STORM CENTER TECH CORNER
Evolution of the Nuclear Exploit Kit
https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pack/19081
phpBB Compromised
https://www.phpbb.com/community/viewtopic.php?f=14&t=2278081
Checkpoint Misfortune Cookie
http://mis.fortunecook.ie
Git Vulnerability
https://github.com/blog/1938-git-client-vulnerability-announced
Microsoft Releases Fixed IE Patch
http://support.microsoft.com/kb/3025390
Coolpad Adds ROM Backdoor to Smartphones
https://www.paloaltonetworks.com/threat-research.html
Delta Mobile Boarding Pass Hackable
https://medium.com/@thedanigrant/need-a-last-minute-flight-45af88ec8df3
Linux x86_64 Kernel Priv. Escalation Vulnerabilities
http://seclists.org/oss-sec/2014/q4/1052
Ettercap Vulnerabilities
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
Memory Forensics with "Forensic Suite" and Volatility
https://isc.sans.edu/forums/diary/Some+Memory+Forensic+with+Forensic+Suite+Volatility+plugins+/19071
"Grinch" Polkit Vulnerability
https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He leads SANS' efforts to raise the bar in
cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager
and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
http://portal.sans.org/