SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #101

December 23, 2014

TOP OF THE NEWS

Attack on German Steel Factory System Caused "Massive Damage"
South Korean Nuclear Operator to Conduct Security Drill in Response to Threats
Russian Group Stole Millions from Banks

THE REST OF THE WEEK'S NEWS

Network Time Protocol (NTP) Flaws
Sony Breach Was Cyber Vandalism, Not an Act of War
North Korea Experiencing Internet Connectivity Issues
JPMorgan Chase Breach Likely Made Through Inadequately Secured Server
Tor Exit Nodes Offline
Obama Wants Congress to Introduce Information Sharing Legislation
Patch Available for Git Vulnerability
Staples Breach
ICANN Says IANA Unaffected by Breach

FIRST LOOK: AUSTRALIANS RELEASE STANDARDS FOR CLOUD SECURITY

FIRST LOOK: Australians Release Standards for Cloud Security

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************* Sponsored By McAfee, a Division of Intel Security **********
In case you missed it: Analyst Webcast: Advanced Network Protection with McAfee Next Generation Firewall. SANS had the opportunity to review McAfee NGFW in a test environment, exploring a number of capabilities: clustering and redundancy, numerous varieties of VPN access, policy options and features such as end-user identification and advanced anti-evasion tools.
http://www.sans.org/info/173352
***************************************************************************

TRAINING UPDATE


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- --10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- - - --Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Attack on German Steel Factory System Caused "Massive Damage" (December 22, 2014)

Attackers breached security of a German steel mill's network and caused considerable damage by manipulating the controls of a blast furnace. The attackers gained initial foothold in the network through a phishing email, and from there were able to make their way into the plant's production network. The attack was disclosed in the annual report of the German Federal Office for Information Security.
-http://www.bbc.com/news/technology-30575104
-http://www.theregister.co.uk/2014/12/22/hackers_pop_german_steel_mill_wreck_furn
ace/
-http://www.computerworld.com/article/2861531/cyberwarfare-digital-weapons-causin
g-physical-damage.html
-http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-cause
s-massive-damage.html
[Editor's Note (Pescatore): Another bad example of weak reusable passwords used for very sensitive access. Many other security failures here, but the root cause of so many breaches traces back to the use of reusable passwords and the ease of compromise, whether via phishing or eavesdropping or keystroke capture malware.
(Weatherford): This is a classic example of the air-gap mythology that endures in industrial control system environments. Most companies in these historically non-technology based critical infrastructure industries continue to operate as if they don't need to be concerned about cybersecurity when in fact they should be more concerned than the companies whose greatest fear is simply losing data. And - they need to re-evaluate their architecture to ensure physical separation of IT and OT. ]

South Korean Nuclear Operator to Conduct Security Drill in Response to Threats (December 22, 2014)

Following a recent breach of its networks, the Korea Hydro and Nuclear Power Company (KHNP) has planned drills to test its response and resilience to attacks. Unknown intruders posted plant equipment designs and manuals to the Internet earlier this month. The post was accompanied by a vague threat of physical damage if the company did not close three reactors by Christmas.
-http://www.bbc.com/news/world-asia-30572575

Russian Group Stole Millions from Banks (December 22, 2014)

A cyber crime group has been targeting banks, payment systems, and retail companies in Russia and countries that were once part of the Soviet Union. Known as Anunak, the group stole funds, credit card data, and intellectual property. They stole from cash machine networks, which means the finds are being stolen from the banks and not customers' accounts. In all, the group has stolen more than US $25 million.
-http://www.computerworld.com/article/2861449/cybercrime-group-steals-millions-fr
om-russian-banks-targets-us-and-european-retailers.html
-http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/
-http://www.theregister.co.uk/2014/12/22/russian_cyber_heist_gang_rakes_in_15m/
-http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: XP End-of-Life Upgrade Handbook - Healthcare Edition. http://www.sans.org/info/173357

2) Analyst Webcast: Securing Oracle Databases Made Easy Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan http://www.sans.org/info/173362

3) The Few, The Proud, The Privileged: Controlling the Use of Administrator Passwords to Achieve Critical Security Control #12. Monday, January 26 at 1:00 PM EST (18:00:00 UTC) with G.Mark Hardy, Scott Lang. http://www.sans.org/info/173367
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Network Time Protocol (NTP) Flaws (December 22, 2014)

A quartet of critical vulnerabilities in the network time protocol (NTP) could be exploited to gain root access on servers. NTP daemons running version 4.2.8 and older need to be updated. The US Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has issued an advisory.
-http://www.eweek.com/security/four-flaws-expose-critical-network-time-keeping-se
rvers-to-attack.html
-http://www.theregister.co.uk/2014/12/22/dangerous_ntp_hole_ruins_your_chrissy_lu
nch/
-http://www.computerworld.com/article/2862138/exploits-for-dangerous-network-time
-protocol-vulnerabilities-can-compromise-systems.html
Apple has released a security update to address the vulnerability in OS X.
-http://www.zdnet.com/article/apple-releases-security-update-for-critical-ntp-vul
nerability-in-os-x/

Sony Breach Was Cyber Vandalism, Not an Act of War (December 21 & 22, 2014)

President Obama told a television interviewer that he does not view the recent attack on Sony Pictures computer network as an act of war. Obama called it "cyber vandalism that was very costly," and noted that it would be taken seriously.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/22/obama-called-the-so
ny-hack-an-act-of-cyber-vandalism-hes-right/
-http://www.computerworld.com/article/2862112/sony-hack-was-cyber-vandalism-not-a
ct-of-war-says-obama.html
-https://isc.sans.edu/forums/diary/Which+NTP+Servers+do+You+Need+to+Patch/19095/
-https://isc.sans.edu/forums/diary/Critical+NTP+Vulnerability+in+ntpd+prior+to+42
8/19093/
-http://support.apple.com/en-us/HT6601
[Editor's Note (Weatherford): While I think there has been too much hyper-ventilating by those who are calling this cyber-terrorism, I also think that calling it cyber-vandalism seriously minimizes the gravity of the incident. ]

North Korea Experiencing Internet Connectivity Issues (December 22, 2014)

Internet service in North Korea has reportedly become increasing unreliable over the past several days. The instability became noticeable shortly after President Obama said that the US would respond "proportionately" to the Sony Pictures attack, which US authorities say was perpetrated by North Korea. Network outages are common in North Korea, and systems in that country have reportedly been under sporadic attack for several weeks.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/22/north-koreas-intern
et-is-going-suspiciously-haywire/
-http://www.scmagazine.com/slowdown-makes-access-undependable/article/389485/
-http://arstechnica.com/information-technology/2014/12/north-korea-drops-off-the-
internet-in-suspected-ddos-attack/
-http://www.arbornetworks.com/asert/2014/12/north-korea-goes-offline/

JPMorgan Chase Breach Likely Made Through Inadequately Secured Server (December 22, 2014)

Investigations have revealed how attackers likely gained purchase in the JPMorgan Chase system earlier this year: one of the company's network servers had not been upgraded to require two-factor authentication.
-http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-id
entified/
[Editor's Note (Pescatore): Like the German steel plant and many others - - weak authentication as root cause for breach.
(Murray): Every year the Verizon Data Breach Incident Report points out that Orphan Servers are a cause of data leakage. If trusted, they also compromise the network. Reduce the level of mutual trust in your network. ]

Tor Exit Nodes Offline (December 22, 2014)

A cluster of Tor exit nodes was taken offline over the weekend of December 20-21. Last week, the Tor project warned users that the network's directory authority servers could be seized, but did not say who was responsible.
-http://www.theregister.co.uk/2014/12/22/stay_away_popular_tor_exit_relays_look_r
aided/
-http://arstechnica.com/security/2014/12/cluster-of-tor-servers-taken-down-in-une
xplained-outage/

Obama Wants Congress to Introduce Information Sharing Legislation (December 22, 2014)

At his end-of-year press conference, President Obama indicated that he would like to see the reintroduction of an intelligence-sharing bill in this legislative session. In the wake of the Sony Pictures breach, Obama said that he has a team working on seeing what can be done to prevent such attacks in the future, and that he would like to see Congress focus on "stronger cyber security laws that allow for information sharing across private sector platforms as well as the public sector."
-http://www.zdnet.com/article/white-house-wants-congress-to-revisit-controversial
-cispa-style-cybersecurity-laws-after-sony-attack/
[Editor's Note (Pescatore): These information sharing bills are largely ceremonial, sort of like legislation naming the magpie as the official bird of cybersecurity. ]

Patch Available for Git Vulnerability (December 19 & 20, 2014)

There is a patch available for a flaw in the Git open-source development tool. The vulnerability affects Git implementations clients running on Windows and Mac OS X.
-http://www.eweek.com/security/git-vulnerability-exposed-patch-now-or-be-hacked-l
ater.html
-http://www.scmagazine.com/github-for-windows-and-mac-vulnerable-to-bug/article/3
89352/
-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

Staples Breach (December 19, 2014)

US office supply chain Staples has acknowledged a breach that exposed the payment card data of 1.16 million customers. The issue - compromised point-of-sale terminals - affected 115 stores across the country between July 20 and September 16, 2014.
-http://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/
-http://www.theregister.co.uk/2014/12/19/staples_hackers_took_million_customer_ca
rds/
-http://www.computerworld.com/article/2861856/staples-says-hack-may-have-compromi
sed-1-million-plus-payment-cards.html
[Editor's Note (Murray): Christmas is a good time to remind consumers to reconcile their credit card accounts at least weekly (if on line, otherwise on receipt of paper statement), to prefer Apple Pay to cards, prefer credit cards to debit cards, "Chip" (EMV) cards to magnetic stripes, and new cards to old. They might even go so far as to use checks or even currency. ]

ICANN Says IANA Unaffected by Breach (December 19, 2014)

ICANN says that a recent phishing attack that targeted the organization did not affect the IANA, which allocates IP addresses and manages global DNS. The accounts compromised in the phishing attack belonged to individuals who do not have access to the IANA systems.
-http://www.theregister.co.uk/2014/12/19/icann_stresses_critical_internet_systems
_not_hacked/

---

FIRST LOOK: AUSTRALIANS RELEASE STANDARDS FOR CLOUD SECURITY

PESCATORE FIRST LOOK at Australian Signals Directorate Cloud Computing Security for Tenants guidelines:
-http://www.asd.gov.au/infosec/cloudsecurity.htm

In general, the Australian Cyber Security Center has put together a "Critical Security Controls"-like look at the most important security processes to examine when considering a cloud service provider. There are several recommendations that are meaningful/doable and rightly prioritized (like "choose a CSP that has been assessed, yearly test incident response, protection authentication credentials, tokenize data, etc.). There is a sensible differentiation between what security issues are most relevant to Software as a Service vs. Infrastructure as a Service, etc. The CSP version is pretty much just the Tenant document with the syntax changed such that an auditor looks to see that the Tenant recommendations were followed.

On the negative side, several are just high level mandates that are either way too generic (Implement security governance) or easy to say/hard to do (encrypt data at rest, obtain and promptly analyze detailed logs/real time alerts). These are all good things to do but in the real world the business/mission is requiring cloud services now and well thought out phases strategies are required that do the high value/easy to implement security controls first and over time incrementally address the "long poles in the tent."

Overall, these documents are much more useful for actual implementations than NIST SP 800-144 or 500-291 that are huge thought pieces, totally unusable by anybody trying to actually make a cloud service as secure as possible for business use. I think the Australian one is definitely in the spirit of the Critical Controls in picking the most important, keeping it short, etc., and there is a direct mapping from the Critical Controls to the major elements of the Australian list. Those who have adopted the Critical Controls will find the Australian documents useful for assessing cloud services.
-http://www.asd.gov.au/infosec/cloudsecurity.htm

---

STORM CENTER TECH CORNER

US-Cert Technical Analysis of SONY Compromise
-https://www.us-cert.gov/ncas/alerts/TA14-353A

Thunderbolt EFI Firmware Security Vulnerability
-https://trmm.net/EFI

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.