SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #100

December 20, 2014

TOP OF THE NEWS

FBI Accuses North Korea of Sony Pictures Attack
US Points Finger at North Korea in Sony Pictures Attack
Breach Attribution is No Easy Task
Sony Hack Code Not Sophisticated

THE REST OF THE WEEK'S NEWS

US Government Personnel Data May Have Been Compromised in Breach
New York Financial Institutions Will be Evaluated on Cyber Security
Misfortune Cookie Affects Millions of Routers
Backdoor in Coolpad Android Devices
ICANN Accounts Hijacked Through Phishing Attack
Google Tightens Security for Gmail Extensions
Google Plans to Warn Chrome Users on All HTTP Connections
Indications of Breach at Park-n-Fly
Dutch Privacy Watchdog Hounds Google and Facebook

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec ****************************
Report Highlights: Over 41 percent of email-borne malware contained a link to a malicious or compromised website. Kelihos and Gamut are the top two most active botnets in November. Crypto- ransomware made up 38 percent of all ransomware seen in the month of November.
http://www.sans.org/info/173292
***************************************************************************

TRAINING UPDATE


--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015

--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


- - --Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

FBI Accuses North Korea of Sony Pictures Attack (December 19, 2014)

Citing "similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks" as well as classified pieces of evidence, the FBI today issued a statement saying that it "now has enough information to conclude that the North Korean government is responsible for" the attack.
-http://www.washingtonpost.com/world/national-security/us-attributes-sony-attack-
to-north-korea/2014/12/19/fc3aec60-8790-11e4-a702-fa31ff4ae98e_story.html
-http://www.nytimes.com/2014/12/20/world/fbi-accuses-north-korean-government-in-c
yberattack-on-sony-pictures.html?hp&action=click&pgtype=Homepage&mod
ule=first-column-region®ion=top-news&WT.nav=top-news

US Points Finger at North Korea in Sony Pictures Attack (December 17, 2014)

US officials say that law enforcement and intelligence agencies have gathered sufficient evidence to indicate that North Korea is behind the attack on Sony Pictures. The officials are not providing details, as doing so might reveal how the US was able to penetrate North Korean networks to find the source of the attack. Sony has cancelled the release of the movie that the attackers have been protesting after the group claiming responsibility for the attack threatened violence at theaters if the film was released.
-http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hackin
g.html
-http://www.bloomberg.com/news/2014-12-18/u-s-is-said-set-to-blame-north-korea-fo
r-sony-hack.html
[Editor's Note (Murray): Whether or not North Korea conducted or simply paid for this attack, they have scored a huge victory. They have humiliated both the World's remaining "superpower" and Japan, their ancient enemy and recent occupier. They have won what may be the first and only battle in this "cyberwar." They have demonstrated not only that Sony's security was weak but that Sony had documented the weakness without a budget or schedule for mitigation. They have reinforced the fear that our national infrastructure is vulnerable to crippling attack from the Internet. They have demonstrated that they need only whisper the magic words "nine one one" to get the risk averse, not to say fearful and feckless, American people to compromise the First Amendment and betray all those who have sacrificed life and limb to defend it. Not bad for a starving country that numbers its Internet users in the low thousands. ]

Breach Attribution is No Easy Task (December 17 & 18, 2014)

Not everyone agrees that the Sony Pictures attack emanated from North Korea. Attribution for cyber attacks is difficult. Attackers can use proxies and phony IP addresses, and they can plant false clues inside the code of their malware. The initial attack on Sony Pictures appears to have been financially motivated. The film was not mentioned until later in the chain of events.
-http://www.csmonitor.com/World/Passcode/2014/1218/Did-North-Korea-really-hack-So
ny-Cybersecurity-pros-at-odds-video
-http://www.wired.com/2014/12/north-korea-did-not-hack-sony-probs/

Sony Hack Code Not Sophisticated (December 17, 2014)

The malware used in the attack that erased data from hard drives at Sony Pictures was unsophisticated and riddled with bugs. However, it did what it was supposed to do; the malware's purpose did not require complex code. However, the malware's construction indicates a familiarity with the Sony Pictures network.
-http://arstechnica.com/security/2014/12/state-sponsored-or-not-sony-pictures-mal
ware-bomb-used-slapdash-code/
[Editor's Note (Pescatore): The mainstream press tends to focus on giving the attackers "superpowers," which leads to the "don't blame me, it was an APT" syndrome and failure to address basic cybersecurity weaknesses that enable the attacks. It seems popular to say "don't blame the victims" and it is true that if I leave the keys in my car's ignitions with the doors unlocked and my wallet on the front seat, someone stealing my car or wallet is committing a crime. But, it does *not* mean that my insurance company has to pay off, since I did *not* live up to basic security hygiene. ]

---

**************************** SPONSORED LINKS ******************************
1) In Case you missed it: Analyst Webcast: Advanced Network Protection with McAfee Next Generation Firewall with Dave Shackleford and Steve Smith. http://www.sans.org/info/173297

2) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats: http://www.sans.org/info/173302

3) In case you missed it: Tis the Season for Data Breaches and Stolen Identity with Chester Wisniewski: http://www.sans.org/info/173307
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Government Personnel Data May Have Been Compromised in Breach (December 18, 2014)

A breach at KeyPoint Government Solutions may have left personally identifiable information about nearly 50,000 US government employees exposed to possible theft. KeyPoint conducts federal employee background checks for security clearances. The Office of Personnel Management has notified people whose information may have been compromised. This is not the first time that a company providing background checks for government employees has suffered a breach. Earlier this year, a breach at USIS exposed personally identifiable information of 25,000 people.
-http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds-second-background-c
heck-breach/101622/?oref=ng-HPtopstory
[Editor's Note (Murray): One would expect the remedy for the victims here to be a class action suit. However, in similar breaches in the past, it has been difficult to link the damage to the breach. The courts have accepted the defense argument that the plaintiffs do not have standing to sue. The government needs to write the contracts in such a way as to give the victims just compensation and the contractors sufficient motivation. ]

New York Financial Institutions Will be Evaluated on Cyber Security (December 18, 2014)

The Superintendent of New York's Department of Financial Services has asked member organizations to consider cyber security "an integral aspect of their overall risk management strategy" instead of an issue for just information technology. Banks and other financial institutions in New York will be evaluated on their cyber security, including their use of multi-factor authentication and identity and access management. The requirements affect all financial institutions operating with a New York state charter or license.
-http://www.zdnet.com/article/ny-bank-regulators-cybersecurity-plan-includes-stro
ng-authentication-identity/
[Editor's Note (Pescatore): Saying "just information technology" to most businesses today is like saying "just oxygen" to most Earth-based life forms. Honestly, I really do *not* want cybersecurity assessment blended into the financial industry "risk management" programs that seem to give us constant streams of failed investments, financial meltdowns, insider trading, etc. That said, NY State put together a pretty sensible list of questions - I'd like to see reduction in use of reusable passwords move up in priority.
(Murray): New York State only regulates banks that operate with state, rather than national, charters, i.e., many small institutions rather than the few "too big to fail" institutions that dominate its market. The state regulators have indicated that they will expect "multi-factor authentication," a requirement which federal regulators, under the "Guidance" of the FFIEC, have artfully avoided. ]

Misfortune Cookie Affects Millions of Routers (December 18, 2014)

A critical flaw in more than 200 models of residential gateway devices and small office home routers could be exploited to gain administrative privileges. The issue lies in an embedded web server that the routers use. Attackers could potentially sniff traffic and launch attacks against other systems. The vulnerability has been called Misfortune Cookie because it resides in a problem within the HTTP cookie management mechanism.
-http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vul
nerable-to-critical-hijacking-hack/
-http://www.computerworld.com/article/2860843/vulnerability-in-embedded-web-serve
r-exposes-millions-of-routers-to-hacking.html
-http://www.scmagazine.com/crucial-vulnerability-could-compromise-at-least-200-ro
uter-models/article/389149/

Backdoor in Coolpad Android Devices (December 18, 2014)

A backdoor in certain Android devices made by Chinese smartphone manufacturer Coolpad could be exploited to download, install, and activate applications without user interaction; disable other applications; remove data from the device; and receive updates that install applications. Known as CoolReaper, the backdoor appears to be deliberately installed on the devices by the manufacturer.
-http://www.siliconrepublic.com/digital-life/item/39925-chinese-coolpad-devices/
-http://www.theregister.co.uk/2014/12/18/coolreaper_android_backdoor/

ICANN Accounts Hijacked Through Phishing Attack (December 17 & 18, 2014)

The ICANN was the target of a data breach following a phishing campaign. The organization's root zone administration system was compromised. The attack occurred late last month and was detected a week later. The compromised data include personal information of people who do business with the organization.
-http://www.bbc.com/news/technology-30497392
-http://www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/
-http://www.computerworld.com/article/2860408/icann-data-compromised-in-spearphis
hing-attack.html
-http://arstechnica.com/security/2014/12/icann-e-mail-accounts-zone-database-brea
ched-in-spearphishing-attack/

Google Tightens Security for Gmail Extensions (December 16 & 17, 2014)

Google has implemented the W3C's Content Security Policy (CSP) standard for Gmail extensions. CSP provides a layer of protection against cross-site scripting attacks. Those extensions that do not comply with the standard will no longer be functional.
-http://www.theregister.co.uk/2014/12/17/google_bakes_w3c_malwarebuster_into_gmai
l/
-http://gmailblog.blogspot.com/2014/12/reject-unexpected-content-security.html

Google Plans to Warn Chrome Users on All HTTP Connections (December 16, 2014)

Google plans to flag all HTTP traffic as unsecure in its Chrome browser. Chrome users will see alerts when they attempt to visit HTTP sites. Google plans to implement the change in 2015.
-http://www.theregister.co.uk/2014/12/16/chrome_devs_hatch_plan_to_mark_all_http_
traffic_insecure/
-http://www.bbc.com/news/technology-30505970
-http://www.eweek.com/cloud/google-chrome-browser-to-warn-users-of-sites-that-don
t-use-https.html
[Editor's Note (Pescatore): I think Google is actually trying to kick off a debate about how to warn browser users of good/questionable/lack of SSL connections. However, today all browsers already give red/yellow/green indications when SSL is in use but the browser/CA industry has never made any investment in educating users/consumers what it means! More colors and beeps and popups without such education is a waste of time. The "questionable use of SSL" is critical for education, just pushing "SSL in use will make everything secure" philosophy just sends us back to the eyewash days of "as long as you see the little solid key, no worries". ]

Indications of Breach at Park-n-Fly (December 16, 2014)

Financial institutions are noting a pattern of fraud suggesting that Park-n-Fly, a company operates parking lots near airports, experienced a security breach, exposing customers' payment card data, according to KrebsOnSecurity. The company said it has employed third-party security companies to investigate claims of breaches. The breach could also be in the chain of the company's online payment card processing system.
-http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/

Dutch Privacy Watchdog Hounds Google and Facebook (December 16 & 17, 2014)

The Dutch data protection authority College Bescherming Persoonsgegevens (CBP) has ordered Google to abide by that country's privacy rules or be subject to penalties of as much as 15 million euros (US $18.4 million). Google has been using user data to offer targeted advertising. The watchdog group has also turned its attention to Facebook, launching an investigation into that company's new privacy policy, which is scheduled to take effect on January 1, 2015.
-http://touch.latimes.com/#section/618/article/p2p-82306693/
-http://www.zdnet.com/article/facebook-to-dutch-regulators-whats-the-privacy-prob
lem-nothings-changed/
-http://www.theguardian.com/technology/2014/dec/16/google-15m-fines-privacy-breac
hes-netherlands
[Editor's Note (Murray): Google and Facebook users have struck a bargain with the devil. Nation states will find that undoing that bargain will be somewhere between very difficult and impossible. ]

---

STORM CENTER TECH CORNER

Evolution of the Nuclear Exploit Kit
-https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pa
ck/19081

phpBB Compromised
-https://www.phpbb.com/community/viewtopic.php?f=14&t=2278081

Checkpoint Misfortune Cookie
-http://mis.fortunecook.ie

Git Vulnerability
-https://github.com/blog/1938-git-client-vulnerability-announced

Microsoft Releases Fixed IE Patch
-http://support.microsoft.com/kb/3025390

Coolpad Adds ROM Backdoor to Smartphones
-https://www.paloaltonetworks.com/threat-research.html

Delta Mobile Boarding Pass Hackable
-https://medium.com/@thedanigrant/need-a-last-minute-flight-45af88ec8df3

Linux x86_64 Kernel Priv. Escalation Vulnerabilities
-http://seclists.org/oss-sec/2014/q4/1052

Ettercap Vulnerabilities
-https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/

Memory Forensics with "Forensic Suite" and Volatility
-https://isc.sans.edu/forums/diary/Some+Memory+Forensic+with+Forensic+Suite+Volat
ility+plugins+/19071

"Grinch" Polkit Vulnerability
-https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.