Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #87

October 31, 2014


Special SANS Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course.
Learn more at http://www.sans.org/info/170727

TOP OF THE NEWS

ICS-CERT Issues Alert About Ongoing BlackEnergy Malware Campaign
NIST Issues Information Sharing Guidelines for Public Comment

THE REST OF THE WEEK'S NEWS

European Security Agency Holds Cyber Security Exercise
Survey Shows Organizations Disable Firewall Security to Improve Network Performance
Malware on Popular Science Website
Danish Court Finds Pirate Bay Co-Founder Warg Guilty of Computer Intrusions
Drupal Team Warns Users to Assume Sites are Compromised
Deloitte & Touche Report Offers Guidance for Determining Veracity of Data Leak Claims
London Police Arrest Three In Connection with Theft of Millions from ATMs
White House Unclassified Network Breached
US Defense Department Starting to Roll Out Chip-and-PIN Cards for Travelers

STORM CENTER TECH CORNER


*************************** Sponsored By SANS ****************************
Did you miss the Data Center Server Security webcast? Find the archived webcast & whitepaper here:
http://www.sans.org/info/170647
***************************************************************************
TRAINING UPDATE


--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more
http://www.sans.org/online-security-training/specials


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

ICS-CERT Issues Alert About Ongoing BlackEnergy Malware Campaign (October 29, 2014)

Groups have been using malware known as BlackEnergy to target industrial control systems (ICS) since 2011, according to a security advisory released earlier this week by the US Department of Homeland Security's (DHS's) ICS-CERT. The malware affects human-machine interface (HMI) software from several different vendors. (The GE report is especially informative)
-http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/16000/KB16399/en_US/GEIP14-05_Cimplicity_Targeted_by_an_Advanced_Threat_Actor.pdf
-http://www.computerworld.com/article/2840164/attack-campaign-infects-industrial-control-systems-with-blackenergy-malware.html
-http://threatpost.com/blackenergy-malware-used-in-attacks-against-industrial-control-systems/109067
-https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A
[Editor's Note (Assante): This is another revelation of special-purpose ICS-targeted malware engineered to be modular and deliver a foothold onto an ICS component. The earlier reports focused on one ICS supplier's HMI implementation, but it was expected to see an exploit capability against additional targets. This delivery vehicle was designed to take advantage of poor architectures as the scope of the problem of ICS components being connected with direct Internet accessibility is increasing (see Project SHINE [SHINE meaning SHodan Intelligence Extraction] report by Bob Radvanovsky, of www.infracritical.com).
(McBride): ICS-CERT is emphasizing the "automated" nature of attacks against Internet-connected ICS (especially GE Cimplicity), but hasn't said much about how the attacks are "automated". At present, the attacks do not appear quite as advanced as what we saw with Havex/Yeti/Dragonfly -- which looks for ICS on the internal network. It is also interesting that GE's advisory on the issue mentions: 1) attacks against GE Cimplicity software connected to the business network; and, 2) phishing attacks trying to get users to load malicious CIMPLICITY software files. The ICS-CERT Alert has not mentioned those techniques. ]

NIST Issues Information Sharing Guidelines for Public Comment (October 30, 2014)

The US National Institute of Standards and Technology (NIST) has released a draft of its Guide to Cyber Threat Information Sharing for public comment. "The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices." NIST will be accepting comments through November 28.
-http://net-security.org/secworld.php?id=17554
-http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
[Editor's Note (Murray): All infrastructure enterprises should read and respond to this guidance. Response should begin with comparing the maturity of one's program to that implied by the guidance. However, it should be noted that these recommendations do not imply, suggest, or require the sharing of PII, IP, or business plans or programs. Compliance is good business and does not require the granting of any special legislative authority or immunity.
(Northcutt): The document is well worth reading. The concepts of security intelligence and information sharing are crucial. In fact they may be mandated by law:
-https://www.congress.gov/bill/113th-congress/senate-bill/2588]


**************************** SPONSORED LINKS ******************************
1) Build bridges between Security and Development. Register for this webinar on Secure Agile featuring Adrian Lane of Securosis and Chris Eng of Veracode. http://www.sans.org/info/170652

2) Continuous Diagnostics and Mitigation for Government Agencies: Is It Working? A SANS Survey Friday, November 07 at 1:00 PM EST (18:00:00 UTC) Tony Sager, Tim Woods, Wallace Sann, Joshua Stegall and Kenneth Durbin. http://www.sans.org/info/170657

3) The Evolution of IDS: Why Context is Key Wednesday, November 05 at 1:00 PM EST (18:00:00 UTC) Joe Schreiber, AlienVault and Dave Shackleford, SANS. http://www.sans.org/info/170662
***************************************************************************

THE REST OF THE WEEK'S NEWS

European Security Agency Holds Cyber Security Exercise (October 30, 2014)

On Thursday, October 30, the European Network and Information Security Agency (ENISA) held a cyber security exercise that drew the participation of more than 200 organizations and 400 cyber security professionals from 29 countries. The exercise simulated a real attack to gauge the responses of Computer Emergency Response Teams (CERTs), ministries, and companies in the communications, financial, and energy sectors.
-http://www.v3.co.uk/v3-uk/news/2378570/europe-hosts-its-biggest-ever-cyber-security-exercise
-http://www.theregister.co.uk/2014/10/30/the_threats_to_europes_cybersecurity_arent_what_you_think_they_are/

Survey Shows Organizations Disable Firewall Security to Improve Network Performance (October 30, 2014)

According to a report from McAfee, while 60 percent of 504 surveyed IT professionals say security is paramount in network design, about 30 percent of organizations responding to the survey said that firewall security features are often disabled to boost network performance. McAfee senior director of network security Jennifer Geisler noted that "the way most firewalls are designed, it forces the trade-off so this is not a negative reflection on the administrator."
-http://www.scmagazine.com/operators-disable-firewall-features-to-increase-network-performance-survey-finds/article/380341/

Malware on Popular Science Website (October 29 & 30, 2014)

The Popular Science website was reportedly hosting a malicious iFrame that redirects visitors to a third-party domain where an exploit kit attempts to infect their machines.
-http://threatpost.com/popular-science-website-infected-serving-malware/109089
-http://www.scmagazine.com/science-magazine-serves-malicious-code-on-website/article/380074/

Danish Court Finds Pirate Bay Co-Founder Warg Guilty of Computer Intrusions (October 30, 2014)

Gottfrid Svartholm Warg, co-founder of The Pirate Bay, has been found guilty of breaking into computers and downloading sensitive information, including police files and Danish social security and driver's license data. Warg could face up to six years in prison when he is sentenced on October 31.
-http://arstechnica.com/tech-policy/2014/10/pirate-bay-co-founder-convicted-in-denmarks-largest-hacking-case-ever/
-http://www.bbc.com/news/technology-29832318
-http://www.scmagazine.com/pirate-bay-co-founder-found-guilty-faces-up-to-five-years/article/380307/

Drupal Team Warns Users to Assume Sites are Compromised (October 29 & 30, 2014)

The Drupal security team says that users should assume that all Drupal 7 websites have been compromised unless they were patched within seven hours of the October 15, 11pm UTC announcement of a vulnerability that could be exploited through an SQL injection attack. Automated attacks were launched within hours of the flaw's disclosure. While updating to the most recent version, 7.32, does fix the vulnerability, websites that were compromised prior to the update will remain compromised. The team recommends that sites be restored with backups created before October 15.
-http://www.scmagazine.com/assume-drupal-7-sites-are-compromised-unless-patched-or-updated-to-732-within-hours/article/380303/
-http://www.computerworld.com/article/2841320/drupal-warns-unpatched-users-assume-your-site-was-hacked.html
-http://www.theregister.co.uk/2014/10/30/drupal_sites_considered_hosed_if_sqli_hole_unclosed/
-http://www.zdnet.com/drupal-warns-unless-you-patched-within-seven-hours-youre-hacked-7000035219/

[Editor's Note (Ullrich): Please don't underestimate this Drupal vulnerability. We received multiple reports of compromises that took advantage of this vulnerability. For the most part, the attacks were pretty simple and it should be easy to spot an affected system. Many of the compromised systems are being used as DDoS bots. As usual, start by getting a good inventory of Drupal sites either passively by observing traffic, or by using standard vulnerability scanning tools. ]

Deloitte & Touche Report Offers Guidance for Determining Veracity of Data Leak Claims (October 29, 2014)

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company's password policy.
-http://www.scmagazine.com/research-helps-companies-determine-if-theyve-suffered-data-leaks/article/380063/
-http://krebsonsecurity.com/2014/10/how-to-tell-data-leaks-from-publicity-stunts/
-http://www.darkreading.com/cloud/keep-calm-and-verify-how-to-spot-a-fake-online-data-dump/d/d-id/1317066

Deloitte Report:
-http://krebsonsecurity.com/wp-content/uploads/2014/10/vetting_leaks_final.pdf
[Editor's Note (Murray): Consider "watermarking" or "seeding" data so that one can recognize it later and demonstrate its provenance to third parties when necessary. ]

London Police Arrest Three In Connection with Theft of Millions from ATMs (October 29, 2014)

Police in London, UK, have arrested three people in connection with an ATM theft scheme that stole GBP 1.6 million (US $2.6 million) over three days in May. The targeted ATMs were standalone equipment and had been physically accessed to install malware, which allowed the thieves to withdraw large amounts of cash. According to police reports, the malware was not on the machines when they were later examined.
-https://nakedsecurity.sophos.com/2014/10/29/arrests-made-after-specialist-malware-used-in-1-6-million-atm-heist/

[Editor's Note (Murray): "Specialist malware" which disappeared before the authorities could see it is indistinguishable from fairy dust. ]

White House Unclassified Network Breached (October 28, 29, & 30, 2014)

Unnamed sources say that attackers managed to breach an unclassified White House network. The activity resulted in some service disruptions, but there appears to be no damage to the affected systems. The attack appears to have been the work of specialists working for the Russian government.
-http://www.washingtonpost.com/world/national-security/hackers-breach-some-white-house-computers/2014/10/28/2ddf2fa0-5ef7-11e4-91f7-5d89b5e8c251_story.html
-http://www.nextgov.com/cybersecurity/2014/10/are-white-house-hackers-gone/97775/
-http://www.darkreading.com/attacks-breaches/white-house-says-unclassified-network-hit-in-cyberattack/d/d-id/1317060?
-http://arstechnica.com/tech-policy/2014/10/white-house-unclassified-network-hacked-apparently-by-russians/

US Defense Department Starting to Roll Out Chip-and-PIN Cards for Travelers (October 28, 2014)

The US Department of Defense (DOD) has issued approximately 600 payment cards with chip-and-PIN technology to members of the military who travel. All 1.3 military travelers will have the new cards by the end of summer 2015. DOD military travelers may also request the cards starting in January 2015.
-http://www.nextgov.com/cybersecurity/2014/10/600-military-travelers-handed-chip-and-pin-hack-resistant-credit-cards/97607/?oref=ng-channelriver


STORM CENTER TECH CORNER

NCSAM: False positives from Management
-https://isc.sans.edu/forums/diary/CSAM+Month+of+False+Postives+-+False+Positives+from+Management/18901

Sandworm Vulnerability Used in Banking Trojan
-https://www.csis.dk/en/csis/blog/4498

Graphic Card Uses Radio to Leak Data
-http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper

Advanced Fraud Platform Advertised to Cash Out Stolen Credit Cards
-http://satoshibox.com/53fb31144c347beb4b0083a0?paid#

Microsoft Releases Fix It to disable SSLv3
-https://support.microsoft.com/kb/3009008

CurrentC Beta User's Info Exposed
-http://www.imore.com/depth-look-currentc-and-personal-data-they-want-collect

GMail used by malware for command and control
-http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/

OS X 10.10 FTP remote command execution vulnerability
-http://cxsecurity.com/issue/WLB-2014100174

wget Vulnerability
-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

Cisco ASA Vulnerabilities
-https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf

Open source script to detect auto-start processes on OS X
-https://github.com/synack/knockknock

Unsaved "recovery" documents saved to iCloud in OS X Yosemite
-https://datavibe.net/~sneak/20141023/wtf-icloud/


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/