SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #102
December 30, 2014
All of us at SANS hope that the coming year brings you health and happiness.
Alan
IDEAS FOR 2015
Sony's Wake Up Call for Cybersecurity
CyberSkills Mastery and Degrees
Defense Lessons From the Pipeline Attack
THE REST OF THE WEEK'S NEWS
US Justice Dept. Establishes New Cyber Security Office
Xbox Live, PlayStation Network Target of DDoS Attacks
Gmail Blocked in China
Internet Systems Consortium Site Infected with Malware
WordPress Offers Automatic Updates with Newest Version of Jetpack
NSA Releases 12 Years' Worth of Internal Reports
Ireland Chimes in on Microsoft Data Privacy Case
US Secret Service Has Not Submitted Digital Cyber Defense Reports, Says Auditor
BackOff Attack Tactic
Apple Issues First Automatic Update
STORM CENTER TECH CORNER
************************* Sponsored By Sophos ****************************
Why do so many businesses leave data unencrypted? Organizations today need to keep data safe without affecting productivity. Many are forgoing encryption because it's complicated to manage and a pain for end users. Fortunately, encryption solutions aren't all the same, and you have better options. Download this Encryption Buyer's Guide to learn more:
http://www.sans.org/info/173407
***************************************************************************
TRAINING UPDATE
- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015
- --Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, the renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and who also broke the story on the Target breach, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015
- --10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and the paths (options) around which to build your program. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015
- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Brussels, Dubai, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
IDEAS FOR 2015
Sony's Wake Up Call for Cybersecurity
How corporate executives may respond to the Sony hack.
-http://fortune.com/2014/12/29/is-the-sony-hack-corporate-americas-cybersecurity-wakeup-call/
CyberSkills Mastery and Degrees
Given the shift to more damaging attacks and the growing demand for people with advanced skills, more people are looking for ways to complete multiple SANS courses quickly and so accelerate their mastery of key advanced defense techniques. A promising 2015 option is the graduate certificate programs at
-http://www.sans.edu/academics/certificates
Those who complete one of the three targeted graduate certificates are also more than halfway to a Master of Science degree in Cybersecurity Engineering.
Defense Lessons From the Pipeline Attack
An Industrial Control Systems (ICS) Defense Use Case paper from SANS examines what is known about the 2009 attack on a pipeline in Turkey. While not all details in the recent report have been confirmed, the story as reported provides valuable insights regarding cyber defense. Organizations can look at their systems from the perspective of an adversary, then turn that knowledge into useful defense actions.
-https://ics.sans.org/media/Media-report-of-the-BTC-pipeline-Cyber-Attack.pdf
**************************** SPONSORED LINKS ******************************
1) Analyst Webcast: Securing Oracle Databases Made Easy. Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan. http://www.sans.org/info/173412
2) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats. http://www.sans.org/info/173397
3) Analyst Webcast: Simplifying Compliance and Forensic Requirements with HP ArcSight Logger. Tuesday, January 27 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford. http://www.sans.org/info/173417
***************************************************************************
THE REST OF THE WEEK'S NEWS
US Justice Dept. Establishes New Cyber Security Office (December 29, 2014)
A new unit operating under the US Department of Justice's (DoJ's) Computer Crime and Intellectual Property division will provide legal advice for cyber crime investigations worldwide. The unit will concentrate on proactive considerations to help reduce the likelihood of attacks.
-http://www.federalnewsradio.com/489/3769859/DoJs-new-cybersecurity-office-to-aid-in-worldwide-investigations
Xbox Live, PlayStation Network Target of DDoS Attacks (December 25, 28, & 29 2014)
Last week, users found they were unable to log into the PlayStation Network and Xbox Live; Sony says the problems were caused by distributed denial-of-service (DDoS) attacks. The trouble began on the evening of December 24. As of Sunday, December 28, the PlayStation Network is back online. The FBI is reportedly investigating the attacks.
-http://www.computerworld.com/article/2863446/sony-says-playstation-network-is-back-online-now-really.html
-http://www.theregister.co.uk/2014/12/28/sony_blames_playstation_outage_on_ddos_attack/
-http://arstechnica.com/security/2014/12/grinches-steal-christmas-for-xbox-live-playstation-network-users/
-http://arstechnica.com/security/2014/12/fbi-claimed-to-be-investigating-xbox-live-playstation-network-ddos-perps/
[Editor's Note (Murray): International criminal hacking continues to be seen as such a low-risk crime that it is an attractive career choice for teenagers. ]
Gmail Blocked in China (December 29, 2014)
China is reportedly blocking access to Gmail inside the country. China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third-party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs).
-http://www.csmonitor.com/Innovation/2014/1229/Gmail-gets-burned-by-China-s-Great-Firewall
-http://www.zdnet.com/article/gmail-reportedly-booted-out-by-chinas-great-firewall/
-http://arstechnica.com/tech-policy/2014/12/the-great-firewall-keeps-growing-as-china-blocks-all-gmail-access/
-http://www.nytimes.com/2014/12/30/technology/gmail-is-blocked-in-china-after-months-of-disruption.html?ref=technology
-https://zh.greatfire.org/blog/2014/dec/gmail-completely-blocked-china
Internet Systems Consortium Site Infected with Malware (December 28 & 29, 2014)
The website of the Internet Systems Consortium has been taken offline because a malware infection was redirecting users to the Angler Exploit Kit. The Internet Systems Consortium manages the Berkeley Internet Name Domain (BIND) program, which is widely used DNS software. The site, which runs on WordPress, was likely compromised through a vulnerable plugin.
-http://www.scmagazine.com/isc-website-compromised-possibly-due-to-vulnerable-wordpress-plugin/article/390192/
-http://www.zdnet.com/article/internet-systems-consortium-site-hacked/
-http://www.cyphort.com/isc-org-infected/
WordPress Offers Automatic Updates with Newest Version of Jetpack (December 29, 2014)
WordPress has introduced automatic updating for plugins in its content management system. The WordPress Jetpack plugin offers users a suite of services. The newest release of Jetpack, version 3.3, includes an option to enable automatic updates for plugins.
-http://www.eweek.com/security/wordpress-makes-fix-to-end-all-manual-updates.html
NSA Releases 12 Years' Worth of Internal Reports (December 26 & 27, 2014)
On December 24, the US National Security Agency (NSA) made public 12 years' worth of internal reports for the President's Intelligence Oversight Board. The reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports, which are heavily redacted, were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the American Civil Liberties Union (ACLU).
-http://arstechnica.com/tech-policy/2014/12/on-christmas-eve-nsa-quietly-releases-12-years-worth-of-internal-reports/
-http://www.theregister.co.uk/2014/12/26/nsa_doc_dump_shows_staff_routinely_spying_where_they_shouldnt_for_12_years/
Ireland Chimes in on Microsoft Data Privacy Case (December 24, 2014)
Ireland has filed a friend-of-the-court brief in support of Microsoft's refusal to provide the US government with customer email held on a server in Ireland. The document asks the US to respect Ireland's sovereignty. Microsoft maintains that the stored communications provisions of the US Electronic Communications Privacy Act (ECPA) are not applicable outside US borders. The data pertain to a criminal case in the US.
-http://www.cnet.com/news/ireland-says-it-might-help-us-recover-e-mails-from-microsoft/
[Editor's Note (Murray): This really is a question of sovereignty and should be dealt with state to state. It is rare for states to put protecting their sovereignty ahead of cooperating in criminal investigations. However, they do not want to be "hacked." Microsoft is in a dilemma, trying to abide by the laws of all the jurisdictions in which it does business. Resolving such issues is an essential part of creating a global market. ]
US Secret Service Has Not Submitted Digital Cyber Defense Reports, Says Auditor (December 24, 2014)
According to a report from an internal auditor, the US Secret Service does not use two-factor authentication for network access and does not abide by established rules for government agencies regarding network security monitoring. The report from the DHS inspector general says that the Secret Service has not made digital reports about its cyber defenses. The USSS CIO was concerned about the "operational security" of the data feeds.
-http://www.nextgov.com/cybersecurity/2014/12/secret-service-misses-bar-cybersecurity/101979/?oref=ng-channeltopstory
-http://www.oig.dhs.gov/assets/Mgmt/2015/OIG_15-16_Dec14.pdf
BackOff Attack Tactic (December 23 & 24, 2014)
Criminal groups using BackOff point-of-sale malware use poorly protected IP cameras to confirm that the businesses they aim to infect are worthwhile targets. Earlier this year, US-CERT issued an alert saying that machines were being infected with BackOff through brute-force attacks against remote desktop applications.
-http://www.darkreading.com/attacks-breaches/backoff-malware-validates-targets-through-infected-ip-cameras/d/d-id/1318377
-http://www.theregister.co.uk/2014/12/24/opendaylight_vulnerability/
-https://www.us-cert.gov/ncas/alerts/TA14-212A
[Editor's Note (Murray): This report suggests that our broken retail payment system provides a choice of targets rather than targets of choice. There is no simple fix to this problem; we will need both tools (e.g., The Twenty Critical Controls, strong authentication, automatic monitoring) and diligence. Every merchant must remove itself from the target of opportunity population. ]
Apple Issues First Automatic Update (December 23, 2014)
Apple has pushed out its first automated update. The fix addresses flaws in the network time protocol (NTP) component of Mac OS X, which the operating system uses to keep its clock synchronized. Apple has had the capability to push out fixes for several years, but this is the first time it has actually used the service.
-http://www.v3.co.uk/v3-uk/news/2388048/apple-issues-first-automatic-os-x-security-update
-http://www.scmagazine.com/apple-premiers-automatic-update-for-security-flaw/article/389804/
STORM CENTER TECH CORNER
Will 2015 be the year we finally do something about DDoS?
-https://isc.sans.edu/forums/diary/Will+2015+be+the+year+we+finally+do+something+about+DDoS/19127/
"The Interview" Android Banking Trojan
-http://grahamcluley.com/2014/12/the-interview-android-app-malware/
Leaked e-mail shows inner workings of "50 Cent" party
-http://qz.com/311832/hacked-emails-reveal-chinas-elaborate-and-absurd-internet-propaganda-machine/
More Details About "misfortune cookie"
-http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
"Rocket Kitten" Off The Shelf APT Solutions
-https://isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123/
Reconstructing Fingerprints from Photographs
-http://www.ccc.de/en/updates/2014/ursel
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.