SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #94

November 25, 2014

TOP OF THE NEWS

Regin Malware: Stealth "Cyber Pearl Harbor"
Untangling Breach Loss Liability
FBI Wants to Change the Way it Assigns Cyber Crime Cases to Agents

THE REST OF THE WEEK'S NEWS

Sony Pictures Security Breach
Docker Update Addresses Critical Flaw
Craigslist Suffers DNS Redirect Attack
European Police Arrest 15 for Remote Access Trojan Use
PayPal Patches Flaw
WordPress Updates Address Critical Flaws
Private Investigator Fined for Illegal Data Access
UK Bill Would Expand Service Law Enforcement Access to Internet User Information

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By SolarWinds **************************
SolarWinds(r) Log & Event Manager is a comprehensive SIEM for any security pro. Need security management, compliance monitoring, and root-cause analysis? LEM offers powerful real-time analysis and automated monitoring in an easy-to-use virtual appliance. Download a free, fully-functional trial and start analyzing your log files within an hour.
http://www.sans.org/info/172257
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --SANS 10th Annual ICS Security Summit | Orlando, FL | February 23-March 2, 2015 7 courses.
http://www.sans.org/event/ics-security-summit-2015


- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Regin Malware: Stealth "Cyber Pearl Harbor" (November 23 & 24, 2014)

The Regin malware targets telecommunications, energy, and health organizations. Its sophistication and complexity suggest that it was developed by a nation state for "persistent, long-term surveillance." Regin can be customized for each targeted system and has been in use since at least 2008. The majority of detected Regin infections are in Russia and Saudi Arabia. It is also believed to have been used in attacks on networks owned by the European Commission, Belgacom, and a Belgian cryptographer.
-http://www.wired.com/2014/11/mysteries-of-the-malware-regin/
-http://www.theregister.co.uk/2014/11/24/regin/
-http://www.bbc.com/news/technology-30145265
-http://arstechnica.com/security/2014/11/highly-advanced-backdoor-trojan-cased-hi
gh-profile-targets-for-years/
-http://www.computerworld.com/article/2851513/traces-of-regin-malware-may-date-ba
ck-to-2006.html
Symantec:
-http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stea
lthy-surveillance
[Editor's Note (Northcutt): This is not just another piece of malware, it is a game changer. The Symantec blog listed above is the best source of accurate data. ]

Untangling Breach Loss Liability (November 21 & 23, 2014)

Target says that it is not liable for losses incurred by banks as a result of the retailer's massive breach during the holiday shopping season a year ago. Five of the banks that issued the compromised cards - - there were at least 40 million card numbers affected - have filed a federal lawsuit against the company. Target's legal team said that the company is not liable for the banks' losses because payments are processed by third parties.
-http://arstechnica.com/tech-policy/2014/11/target-to-judge-banks-losses-in-our-c
ard-breach-arent-our-problem/
-http://www.insurancejournal.com/news/national/2014/11/23/347859.htm
[Editor's Note (Murray): The banks were compensated very generously to assume all fraud and credit risk. Now they want to renege on the deal. The fundamental vulnerability of technology that they deployed makes all their merchant customers targets and makes their consumer customers victims. In a year in which merchants and acquirer/processors have scrambled to add EMV capability to the point of sale, the banks have failed to issue any significant number of EMV cards. As the arbitrary October 2015 mandate for merchants and acquirer/ processors appears to be late and no longer necessary, the brands have failed to issue a similar date of mandate for issuers. Brands and issuers have done little to patch the gaping hole of "card not present" transactions. In point of fact, the brands and issuers have done little but whine and finger point in the year since the Target Breach. Shame! ]

FBI Wants to Change the Way it Assigns Cyber Crime Cases to Agents (November 20, 2014)

The FBI wants to assign cases involving cybercrime to the agents most skilled in that area, rather than assigning the cases based on agent location, as is its current practice. Cyber crime takes place across state borders, which is a game changer for jurisdiction considerations. The FBI is also seeking to gain authority to break into and snoop on devices even when they cannot determine those devices' locations.
-http://thehill.com/policy/cybersecurity/224823-fbi-will-fight-cyberattacks-based
-on-severity-not-location
[Editor's Note (Pescatore): This type of thinking and operational change at the national law enforcement agencies is long overdue. Cybercrime is the largest driving factor behind the majority of breaches and progress against those threats will come from law enforcement, not departments of defense or intelligence agencies. ]

---

**************************** SPONSORED LINKS ******************************
1) How do you secure your big data programs? Last week to take SANS survey and enter to win a new iPad! http://www.sans.org/info/172262

2) SURVEY: Who's Using Cyberthreat Intelligence & How? Participate by 12/1 & Enter to Win iPad. http://www.sans.org/info/172267

3) Find out what is driving INFOSEC health care priorities in 2015. Survey results in two parts: Part 1 - December 9 at 1 pm ET: http://www.sans.org/info/172272 Part 2 - December 11 at 1 pm ET: http://www.sans.org/info/172277
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Sony Pictures Security Breach (November 25, 2014)

Sony Pictures is in digital lockdown while it investigates a breach in which intruders reportedly stole more than 200MB of data and defaced employees' workstations. Sony Pictures staff are being asked to disconnect computers and personal devices from the network and to shut down virtual private networks (VPNs).
-http://www.theregister.co.uk/2014/11/25/sony_pictures_in_it_lockdown_after_alleg
ed_hacker_hosing/
-http://www.nextgov.com/cybersecurity/threatwatch/2014/11/breach/1778/?oref=TW_hp
_module

Docker Update Addresses Critical Flaw (November 25, 2014)

Docker developers have released a security update for the Linux application containerization software to address a critical flaw that could be exploited to elevate access privileges and execute code remotely. The issue lies in the way Docker handles file-system image files. Users are urges to upgrade to Docker 1.3.2 as the flaw affects all earlier versions.
-http://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/
-http://www.openwall.com/lists/oss-security/2014/11/24/5

Craigslist Suffers DNS Redirect Attack (November 24, 2014)

Some Craigslist users found themselves redirected to several other websites on the evening of Sunday, November 23. Craigslist CEO Jim Buckmaster said that the attackers altered DNS records. The records have been corrected with the registrar, but some servers were still redirecting users to other sites as of Monday afternoon.
-http://www.securityweek.com/attackers-hijack-craigslist-domain-name
-http://arstechnica.com/security/2014/11/craigslist-dns-hijacked-redirected-at-in
famous-prank-site-for-hours/
[Editor's Note (Pescatore): SANS recently published a white paper on DNS security issues and controls -
-http://www.sans.org/reading-room/whitepapers/analyst/securing-dns-thwart-advance
d-targeted-attacks-reduce-data-breaches-35597]

European Police Arrest 15 for Remote Access Trojan Use (November 21 & 22, 2014)

Police in seven European countries have arrested a total of 15 people in connection with allegedly using remote access Trojans (RATs) to conduct cyber crimes. The arrests were the result of a sting operation.
-http://www.zdnet.com/16-arrested-in-european-bust-over-rat-spyware-7000036090/
-http://arstechnica.com/tech-policy/2014/11/15-arrested-in-new-european-crackdown
-of-peeping-tom-malware-users/
-http://www.bbc.com/news/technology-30146176
-http://www.v3.co.uk/v3-uk/news/2382941/uk-cyber-cops-arrest-five-for-remote-acce
ss-trojan-scam

PayPal Patches Flaw (November 21, 2014)

PayPal has patched a remote code execution flaw in its web application and API that was detected 18 months ago.
-http://www.theregister.co.uk/2014/11/21/paypal_vuln/

WordPress Updates Address Critical Flaws (November 21 & 24, 2014)

WordPress has issued updates for several versions of its content management system software. Version 4.0.1 fixes nearly two dozen vulnerabilities, and versions 3.9.3, 3.8.5, and 3.7.5 address a single critical flaw that could be exploited by a cross-site scripting (XSS) attack. Comment with malicious JavaScript code - sites that allow comments without authentication.
-http://www.scmagazine.com/critical-xss-vulnerability-addressed-in-wordpress/arti
cle/384757/
-http://www.computerworld.com/article/2850883/critical-xss-flaws-patched-in-wordp
ress-and-popular-plug-in.html
-http://arstechnica.com/security/2014/11/four-year-old-comment-security-bug-affec
ts-86-percent-of-wordpress-sites/

Private Investigator Fined for Illegal Data Access (November 24, 2014)

A private investigator has been fined 5,000 Euros for gaining access to the Garda Pulse system without authorization. The investigator is a former garda.
-http://www.irishtimes.com/news/crime-and-law/private-investigator-fined-5-000-fo
r-accessing-garda-data-1.2012999
-http://www.irishexaminer.com/ireland/private-investigator-fined-for-mining-perso
nal-information-from-gardaiacute-299395.html

UK Bill Would Expand Service Law Enforcement Access to Internet User Information (November 23 & 24, 2014)

UK home secretary Theresa May is expected to propose a bill that would require companies to provide law enforcement agencies with information about the identities of people using computers and mobile devices. The bill would require service providers to retain data that links users to devices based on IP addresses, which are often shared by multiple users and often change. The data retention changes are expected to be part of the Counter-Terrorism and Security Bill. The plan has met with criticism because it allows for broad surveillance of online activity.
-http://www.bbc.com/news/uk-politics-30166477
-http://www.v3.co.uk/v3-uk/news/2383202/isps-and-security-experts-criticise-uk-we
b-snooping-law-plans

---

STORM CENTER TECH CORNER

Craigslist Outage due to DNS Registrar Compromise
-http://blog.craigslist.org/2014/11/24/craigslist-dns-outage/

Vulnerablity in less
-http://seclists.org/fulldisclosure/2014/Nov/74

Regin state sponsored malware dissection
-http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-netwo
rks/
-http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
pers/regin-analysis.pdf

1 out of 5 spear phishing emails successful
-https://deepsec.net/speaker.html#PSLOT157

Multiple remote vulnerabilities in Hikvision DVRs
-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hik
vision-dvr-devices--multiple-vulnerabilities

MSFT Overlooked "Sandworm" vulnerability in earlier patches
-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/SandWorm-s-target-A-patch
-history-of-Object-Packager/ba-p/6675618#.VHJ8QIsXkzB

PayPal Takes 18 Months to Fix Arbitrary Code Execution Flaw
-http://vulnerability-lab.com/get_content.php?id=936

ICMP Redirect Attacks Documented in the Wild
-http://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redi
rect-attacks-in-the-wild/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/