SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #95

December 02, 2014

Good news for veterans and current military members building their cybersecurity careers: SANS' graduate programs are now eligible for GI Bill funding. With both Security Essentials (401) and Hacker Exploits (504) in Annapolis, February is a terrific time to begin either the master's program or any of the shorter graduate certificate programs, especially since the associated housing stipend more than covers any cost of travel. Best web link: www.sans.edu/veterans

Alan

---

TOP OF THE NEWS

Intruders Stole Insider Information To Beat Wall Street
Emergency SCADA Patch from Siemens
Sony Pictures Attackers Leak Unreleased Movies

THE REST OF THE WEEK'S NEWS

US Prosecutors Want Phone Makers to Help Them Access Data on Encrypted Devices
European Police Shutter Websites Hawking Counterfeit and Pirated Products
Weather Channel Web App Vulnerabilities Fixed
BND Says it Can Spy on Citizens if They Work for Foreign Entity
StealthGenie Seller Fined and Ordered to Surrender Source Code
Security Checklists Useful as Part of Larger Strategy
Plea Agreement for Man Who Scanned County Website
POS Malware Identified
Flash Patch Redux

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By AlienVault **************************
The Bash Vulnerability: Practical Tips to Secure your Environment: Wednesday, December 10 at 1:00 PM EST - with Victor Obando, Garrett Gross. Join us for a live demo covering: Insights on how attackers are exploiting this vulnerability, Practical tips to minimize your exposure to attack, and How AlienVault USM can detect the bash vulnerability, and alert you of active attacks. http://www.sans.org/info/172492
**************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --SANS 10th Annual ICS Security Summit | Orlando, FL | February 23-March 2, 2015 7 courses.
http://www.sans.org/event/ics-security-summit-2015


- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Intruders Stole Insider Information To Beat Wall Street (December 1, 2014)

Information thieves used phishing messages to gain access to systems at more than 100 publicly traded companies and stole data about merger discussions, product information, and legal action, which could be used to help inform investment decisions. The majority of affected companies are in the health care and pharmaceutical industries.
-http://arstechnica.com/security/2014/12/phishing-scam-that-penetrated-wall-stree
t-just-might-work-against-you-too/
-http://money.cnn.com/2014/12/01/technology/security/stock-market-hack/index.html

Emergency SCADA Patch from Siemens (November 27, 2014)

Siemens has released emergency fixes for vulnerabilities in several of the company's supervisory control and data acquisition (SCADA) products. Some of the flaws may have been exploited in attacks over the past few months.
-http://www.theregister.co.uk/2014/11/27/siemens_issues_emergency_scada_patch/
-http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html
-http://www.computerworld.com/article/2853113/siemens-patches-critical-scada-flaw
s-likely-exploited-in-recent-attacks.html
-https://ics-cert.us-cert.gov/advisories/ICSA-14-329-02
[Editor's note (Assante) Today's SANS ICS Webcast on BlackEnergy2 covers the potential exploitation of one of the patched vulnerabilities in recent ICS-focused campaigns. It may have ended by the time you get this but the archive will be up shortly.
-https://www.sans.org/webcasts/blackenergy-2-ics-focused-threats-97537
(McBride): Just because the patches were released after a DHS announcement that Siemens HMI software was possibly under attack, doesn't mean the patches are related to the attacks. In fact, there are dozens of publicly-disclosed vulnerabilities in Siemens HMI software.
(Northcutt): This is a state change. In the past Industrial Control Vendors have been very reluctant to issues patches because we all need the systems to work and as they are released they tend to work. I guess we are evolving to live with the changes based on the so-called Internet of things. ]

Sony Pictures Attackers Leak Unreleased Movies (November 26, 28, & 30, & December 1, 2014)

A group of cyber intruders who claim responsibility for breaking into computer systems at Sony Pictures have reportedly leaked five unreleased films to file-sharing sites. Many Sony Pictures employees still do not have Internet access - the company shut down its network after learning of the breach.
-http://www.bbc.com/news/technology-30276049
-http://www.cnet.com/news/hackers-leak-new-sony-movies-to-file-sharing-sites/
-http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-st
olen-corporate-files/
-http://www.theregister.co.uk/2014/11/28/sony_staff_reduced_to_pencil_and_paper_a
s_computers_still_crippled_by_hackers/
[Editor's Note (Murray): Breaches of large networks are all but inevitable. Loss of the "crown jewels" should not follow. ]

---

**************************** SPONSORED LINKS ******************************
1) Deconstructing a Targeted Attack interactive webinar and demo. December 4th at 8:00am PST http://www.sans.org/info/172497

2) If All Is Quiet, Are You Really Secure? Understanding Zero-Day Vulnerabilities Thursday, December 11 at 3:00 PM EST with Jayson Jean and Michael Roytman. http://www.sans.org/info/172502

3) Find out what is driving INFOSEC health care priorities in 2015. Survey results in two parts: Part 1 - December 9 at 1 pm ET: http://www.sans.org/info/172507 Part 2 - December 11 at 1 pm ET: http://www.sans.org/info/172512
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Prosecutors Want Phone Makers to Help Them Access Data on Encrypted Devices (December 1, 2014)

Federal prosecutors have invoked an 18th century law, the All Writs Act, to compel smartphone makers to decrypt seized devices in two separate cases. Judges in both cases ordered the device manufacturer to provide "reasonable technical assistance" to help decrypt the information.
-http://arstechnica.com/tech-policy/2014/12/feds-want-apples-help-to-defeat-encry
pted-phones-new-legal-case-shows/
-http://www.theregister.co.uk/2014/12/01/feds_turn_to_1789_law_to_force_smartphon
e_makers_to_decrypt_handsets/

European Police Shutter Websites Hawking Counterfeit and Pirated Products (December 1, 2014)

Law enforcement agencies in Europe have seized nearly 300 domains associated with selling counterfeit electronics and medications as well as pirated movies and music. No arrests have been made yet.
-http://www.bbc.com/news/technology-30276056
-http://www.computerweekly.com/news/2240235626/UK-helps-in-operation-to-shut-down
-websites-selling-counterfeit-goods

Weather Channel Web App Vulnerabilities Fixed (December 1, 2014)

The Weather Channel has acknowledged that a spate of vulnerabilities affecting three quarters of links on the site exposed users to cross-site scripting attacks. Site administrators were alerted to the situation and have addressed the problems. The issue lay in a web application security problem.
-http://www.theregister.co.uk/2014/12/01/weather_channel_forecast_bleak_with_a_ch
ance_of_xss/
-http://www.computerworld.com/article/2852502/weathercom-fixes-web-app-flaws.html

BND Says it Can Spy on Citizens if They Work for Foreign Entity (November 30, 2014)

German intelligence agency BND claims it has the authority to spy on German citizens if those citizens work for a foreign organization. German law forbids intelligence agencies in that country to spy on German citizens, but BND claims a loophole in this case for communications attributed to the foreign employer.
-http://arstechnica.com/tech-policy/2014/11/german-spy-agency-can-monitor-its-own
-citizens-via-technicality/

StealthGenie Seller Fined and Ordered to Surrender Source Code (November 30 & December 1, 2014)

Hammad Akbar has been sentenced to time served and fined US $500,000 for selling spyware known as StealthGenie. Akbar must also turn over the malware's source code to the US government. StealthGenie affects mobile devices. Once it has gained purchase, it can monitor communications.
-http://www.zdnet.com/stealthgenie-spyware-seller-fined-500000-in-landmark-convic
tion-7000036271/
-http://www.theregister.co.uk/2014/11/30/stealthgenie_vxer_arrested/
-http://www.justice.gov/opa/pr/man-pleads-guilty-selling-stealthgenie-spyware-app
-and-ordered-pay-500000-fine

Security Checklists Useful as Part of Larger Strategy (November 28, 2014)

Lists of top vulnerabilities to look for and address are helpful, but only when used as part of a larger overall strategy. Each organization needs to use the list to complement its own risk assessment practices.
-http://www.zdnet.com/infosec-checklists-becoming-common-but-theyre-not-magic-700
0036219/
[Editor's Note (Pescatore): Did you ever sit in an airplane awaiting takeoff and see the pilots going through their pre-flight checklist? They don't do that *instead of* learning how to be good pilots, they do that to make sure they focus on the things most likely to lead to the plane crashing during takeoff. Technically detailed checklists, like the Critical Security Controls, provide that same level of focus and prioritization - something most compliance regimes lack. ]

Plea Agreement for Man Who Scanned County Website (November 26, 2014)

A man believed to have ties to the Anonymous collective recently reached a plea agreement with prosecutors over charges stemming from scanning a county website for vulnerabilities and launching brute force password attacks to access the site. Fidel Salinas pleaded guilty to misdemeanor computer fraud and abuse and agreed to pay US $10,000 in restitution. Several months ago, Salinas was facing 44 felony counts, which could have led to a sentence of 440 years in prison. Those charges have been dismissed. Salinas's attorney maintains that those charges were made to intimidate his client. Salinas now faces a maximum prison sentence of one year.
-http://www.wired.com/2014/11/from-440-years-to-misdemeanor/
-http://www.theregister.co.uk/2014/11/27/hacker_dodges_half_a_millennium_in_coole
r_for_scanning_sites/
[Editor's Note (Murray): Mandatory sentencing guidelines place discretion into the hands of prosecutors that heretofore was in the hands of judges. They are frequently used to bully defendants into copping a plea. However, one of the claims made for them by prosecutors is that they are used to force defendants to give up their accomplices. If it worked in this case, it is unlikely that any party to the agreement would be in a position to say so. ]

POS Malware Identified (November 26 & December 1, 2014)

Malware known as Daredevil (d4re|dev1|) used on some point-of-sale (POS) systems has RAM-scraping and keystroke-logging capabilities. It has been found on electronic ticketing kiosks and for transit systems as well as PCs connected to POS terminals.
-http://www.scmagazine.com/researchers-identify-pos-malware-targeting-ticket-mach
ines-electronic-kiosks/article/385558/
-http://www.theregister.co.uk/2014/12/01/dare_devil_malware_targets_kiosks_transp
ort_systems/

Flash Patch Redux (November 25, 2014)

Adobe has released an emergency patch for Flash Player to provide additional protection against attacks that exploit a flaw that was initially patched in October 2014. There are versions available for Windows, Mac, and Linux machines. Windows and Mac users are urged to upgrade to Adobe Flash version 15.0.0.239; Linux users are urged to upgrade to version 11.2.202.424.
-http://krebsonsecurity.com/2014/11/adobe-pushes-critical-flash-patch/
-http://www.computerworld.com/article/2852124/adobe-tries-to-fix-flash-vulnerabil
ity-again.html

---

STORM CENTER TECH CORNER

Fighting outdated SSH and SSL cipher configurations
-https://isc.sans.edu/forums/diary/Flushing+out+the+Crypto+Rats+-+Finding+Bad+Enc
ryption+on+your+Network/19009

Dridex Phishing Campaign uses Malicious Word Documents
-https://isc.sans.edu/forums/diary/Dridex+Phishing+Campaign+uses+Malicious+Word+D
ocuments/19011

All GPG 32bit key-IDs cloned
-https://evil32.com

Ticket Machines and Electronic Kiosks compromised by PoS Malware
-https://www.intelcrawler.com/news-24

Firefox 34 Released: SSLv3 off by default
-https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
-https://www.mozilla.org/en-US/firefox/34.0.5/releasenotes/

Entrypass Backdoor / Vulnerability
-https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-011/-entrypass-n5200-
credentials-disclosure

Attack on CDN used to inject content into many high profile websites
-http://blog.gigya.com/regarding-todays-service-attack/

"Order Confirmation" Spam on the rise after Black Friday
-https://isc.sans.edu/forums/diary/Lots+of+Black+Friday+SPAM+Phishing/19003

Do you have a data breach response plan?
-https://isc.sans.edu/forums/diary/Do+you+have+a+Data+Breach+Response+Plan+/19005

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/