SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #96

December 05, 2014

This week's top stories are evidence of a long-predicted wave of highly dangerous and destructive attacks. Additional damaging attacks on major organizations are not being publicly reported but are consuming internal and external security teams at unprecedented rates. This wave translates directly to a skyrocketing (and continuing) demand for people with advanced forensics and technical incident handling skills who can find the malicious code, determine what it did, and recover from the attack. Outside firms have good people, but not nearly enough. For large enterprises, it makes sense to find the talented people inside your organization (and among candidates being considered) and support their education and development of needed advanced technical skills. A new talent identification program has proven remarkably effective in identifying people with the talent to excel in these challenging areas. Information at http://www.sans.org/info/172242

Alan

---

TOP OF THE NEWS

Operation Cleaver
Sony Pictures Attackers Release Sensitive Data
Sony Attack Code Analysis

THE REST OF THE WEEK'S NEWS

PayPal Fixes Cross-Site Request Forgery Vulnerability
Defense Industrial Base ISAC to Launch in February 2015
DOJ Establishing Cybersecurity Unit
Malware Pre-Installed on Certain Smartphones
Google Rethinking CAPTCHA
Microsoft Plans to Release Seven Security Bulletins Next Tuesday
Authorities in Kenya Arrest 77 People
Probable Defense Secretary Nominee is Proponent of Cybersecurity

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec *****************************
Symantec Webcast: Strong Cyber Protection - Keep Bad Stuff Out and Good Stuff In, Dec 10, Join Enterprise Security Group (ESG) and Symantec for a practical discussion on the ever evolving threat landscape, how you can keep up and protect yourself and your business.
http://www.sans.org/info/172922
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --SANS 10th Annual ICS Security Summit | Orlando, FL | February 23-March 2, 2015 7 courses.
http://www.sans.org/event/ics-security-summit-2015


- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Operation Cleaver (December 2 & 3, 2014)

A sustained cyber attack campaign dubbed Operation Cleaver has compromised computer networks at several high profile organizations, including governments and companies supporting elements of critical infrastructure, over the past two years. There are 50 known compromised targets in 16 countries worldwide and it is likely that there are many more that have not been detected.
-http://www.v3.co.uk/v3-uk/news/2384729/iranian-operation-cleaver-hackers-hit-50-
organisations-in-16-countries
-http://arstechnica.com/security/2014/12/critical-networks-in-us-15-nations-compl
etely-owned-by-iran-backed-hackers/
[Editor's Note (Assante): Thank you to Cylance for taking the time to stitch together the bits and pieces of evidence they were observing with their technology and experts. I would like to see additional mapping of the underlying data and plotting more timelines to gain a better understanding of the various of actors and efforts. Iran had publicly announced it was pursuing the development of offensive cyber capabilities and it stands to reason that capabilities are best developed through training and time on keyboards ('hands-on' doing). Did anyone really think the extent of their activity was limited to website defacements, DDoS attacks targeting financial institutions, and the high profile Armco and RasGas incidents? Current geopolitical struggles are providing opportunities for rapid advancement of cyber attack skill and tradecraft. Protracted campaigns translate into 'applied learning,' let's simply hope, as defenders, that we can learn as quickly. ]

Sony Pictures Attackers Release Sensitive Data (December 3 & 4, 2014)

The attackers responsible for infiltrating the Sony Pictures computer network have leaked more than 40 gigabytes of stolen data, including compensation details for top executives, and a slew of passwords for computers, social media accounts and web services. The attackers claim to have stolen more than 100 terabytes of data. Despite speculation that North Korea was involved in the attacks, a more likely scenario is that they are the result of activists or disgruntled former employees.
-http://www.csmonitor.com/Innovation/2014/1204/Trove-of-Sony-financial-data-passw
ords-movies-leaked-online
-http://www.wired.com/2014/12/sony-hack-what-we-know/
[Editor's Note (Murray): From the wide range of data compromised, we may fairly conclude that Sony had not yet had the intent, design, time, or resources to apply the lessons that might have, should have, been taken from their own earlier breaches and those of others reported in 2014 but dating from months to years earlier. The rest of us have little enough time to apply those lessons. They include, but are not limited to, more compartmentation, true end to true end encryption on the enterprise network, fewer privileged users and more multi-party controls, more structured data stored only on enterprise servers, controls (Active Directory) to resist access and gratuitous copies, and timely egress and other anomaly detection and mitigation. Only doing harder what we have been doing for decades will not serve. ]

Sony Attack Code Analysis (December 2 & 3, 2014)

The malware used in the attack against the Sony Pictures network can spread over network file shares and is capable of destroying data on Windows computers it infects. The FBI has sent confidential notifications to certain businesses, urging them to be vigilant about malware like that used in the Sony attack.
-http://www.pcmag.com/article2/0,2817,2472989,00.asp
-http://arstechnica.com/security/2014/12/inside-the-wiper-malware-that-brought-so
ny-pictures-to-its-knees/
[Editor's Note (Northcutt): The Sony attack has similarities to other destructive attacks:
-http://news.yahoo.com/sony-hack-fits-pattern-recent-destructive-attacks-19590056
5.html;_ylt=A0SO8xpKm4FUBloAPxtXNyoA]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know: http://www.sans.org/info/172927

2) If All Is Quiet, Are You Really Secure? Understanding Zero-Day Vulnerabilities Thursday, December 11 at 3:00 PM EST with Jayson Jean and Michael Roytman. http://www.sans.org/info/172932

3) The Bash Vulnerability: Practical Tips to Secure your Environment: Wednesday, December 10 at 1:00 PM EST - with Victor Obando, Garrett Gross. http://www.sans.org/info/172937
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

PayPal Fixes Cross-Site Request Forgery Vulnerability (December 4, 2014)

PayPal has fixed a cross-site request forgery vulnerability that put every account at risk of being taken over. A successful attack would have required users to be tricked into clicking on a malicious link.
-http://www.theregister.co.uk/2014/12/04/paypal_csrf_bug_bounty/
-http://yasserali.com/hacking-paypal-accounts-with-one-click/

Defense Industrial Base ISAC to Launch in February 2015 (December 4, 2014)

The Defense Industrial Base Information Sharing and Analysis Center (DIB-ISAC) is scheduled to open in February 2015. The center will allow member organizations to share information about threats and mitigations. The DIB-ISAC will be based in Huntsville, Alabama and will support chapters all over the US. Membership fees are based on the size of the company.
-http://www.al.com/business/index.ssf/2014/12/defense_contractors_fighting_c.html
-http://www.dibisac.net
[Editor's Note (Pescatore): There has been resurgence in ISAC activity - - and for all the right reasons. SANS recently partnered with the National Health ISAC for a Healthcare Security Summit that was a great success, the ICS-ISAC is growing and the retail world began an ISAC effort this year. While threat sharing is often highlighted, I think the "What Works" sharing of best practices, how obstacles were overcome and metrics data are actually the bigger benefits of the successful ISACs.
(Murray): Government and industry are coming to an understanding that "intelligence sharing" is a hard problem, that it will work best, if at all, only among small groups of professionals known to and trusted by one another. The Traffic Light Protocol (TLP) is an important tool in "responsible disclosure." Its habitual use is an important step in the maturation of our profession. NewsBites is TLP Green. ]

DOJ Establishing Cybersecurity Unit (December 4, 2014)

The US Justice Department (DOJ) is creating a new unit in its criminal division that will be focused on fighting cyber crime. "Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance," according to Assistant Attorney general Leslie Caldwell.
-http://thehill.com/policy/cybersecurity/226028-doj-forms-dedicated-cyber-unit
-http://www.npr.org/2014/12/04/368351872/justice-department-plans-new-cybercrime-
team
[Editor's Note (Pescatore): It will be good to see more of the federal government level focus on cybersecurity swing back to national law enforcement agencies rather than defense/intelligence agencies. ]

Malware Pre-Installed on Certain Smartphones (December 4, 2014)

Malware has been found pre-installed on certain smartphones from lesser-known vendors in Asia and Africa. Most of the phones are inexpensive or are counterfeit versions of better known brands. The malware is called DeathRing and pretends to be a ringtone application. Because it is pre-installed in the phones' system directory, it is impossible to remove.
-http://www.darkreading.com/mobile/deathring-malware-found-pre-installed-on-smart
phones/d/d-id/1317901?
-http://www.theregister.co.uk/2014/12/04/cheapo_androids_prepwned_with_mobile_mal
ware/
-https://blog.lookout.com/blog/2014/12/04/deathring/

Google Rethinking CAPTCHA (December 3, 2014)

Google is retooling the way it implements CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) authentication to incorporate behavioral information. Google's new system will ask users to click on a box indicating that they are not robots. The technology takes into account how the user moves the mouse. Google also uses other, undisclosed behavioral information. If the single click is inconclusive, users will be given a traditional CAPTCHA.
-http://www.wired.com/2014/12/google-one-click-recaptcha/
-http://www.theregister.co.uk/2014/12/03/google_moves_beyond_text_puzzles_with_no
_captcha_recaptcha/
-http://www.computerworld.com/article/2854959/security0/google-says-bye-bye-captc
has-well-mostly.html
-http://googleonlinesecurity.blogspot.com.es/2014/12/are-you-robot-introducing-no
-captcha.html
[Editor's Note (Pescatore): As online advertisers have tried to fight click fraud, there have been a number of advances in human vs. bot/malware detection that are much less annoying than CAPTCHAs. Some of that is being commercialized to help protect web apps from automated attacks. CAPTCHAs keep the fraud to a dull roar, but treating every user like a criminal has obvious usability issues - technology to reduce the times you treat real customers like potential criminals has long been needed. ]

Microsoft Plans to Release Seven Security Bulletins Next Tuesday (December 4, 2014)

Microsoft plans to issue seven security bulletins next week to address critical security issues in Internet Explorer (IE), Office, and Windows. The bulletins will also address security issues rated important in Microsoft Exchange, Office, and Windows.
-http://www.zdnet.com/windows-ie-exchange-and-office-to-be-patched-next-week-7000
036383/
-https://technet.microsoft.com/library/security/ms14-dec

Authorities in Kenya Arrest 77 People (December 4, 2014)

Police in Kenya have arrested 77 people in connection with an alleged plot to break into Kenya's communications systems. The alleged scheme was discovered when authorities responded to a fire at a rented house in Nairobi.
-http://www.scmagazine.com/kenyan-authorities-arrest-77-chinese-hackers/article/3
86776/

Probable Defense Secretary Nominee is Proponent of Cybersecurity (December 2, 2014)

Ashton Carter, former Deputy Secretary of Defense, is expected to be President Obama's nominee to replace Chuck Hagel as Secretary of Defense. Carter is a supporter of increasing US cyber security capabilities.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/02/obamas-pick-to-lead
-the-pentagon-is-big-on-cybersecurity/
-http://www.forbes.com/sites/susanadams/2014/12/03/what-theyre-saying-about-ashto
n-carter-defense-secretary-nominee/

---

STORM CENTER TECH CORNER

Getting Python to Speak SMB
-https://isc.sans.edu/forums/diary/Automating+Incident+data+collection+with+Pytho
n/19025

Apple Removes Safari 8.0.1 Update
-https://discussions.apple.com/thread/6706616

Vulnerable Social Login
-http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-
x-force-researchers

Patch Window: 1 Week
-http://info.recordedfuture.com/Portals/252628/resources/week-to-weak-report.pdf

Safari (OS X) Update
-http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html

Abusing F5 Load Balancer Cookies
-http://blog.ptsecurity.com/2014/12/ddos-attack-over-load-balancer-secure.html

Vulnerability Scanners Easily Bypassed by Foreign Language Error Messages
-https://isc.sans.edu/forums/diary/Does+Your+Vulnerability+Scanner+Speak+Portugue
se+/19017

OpenVPN DoS Vulnerability
-https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

FBI Releases Details/IOCs about MBR Malware
-http://www.scmagazine.com/fbi-warns-us-firms-of-data-wiping-malware-following-so
ny-attack/article/386267/

IBM Endpoint Manager Mobile Device Exploit
-http://seclists.org/fulldisclosure/2014/Dec/3

WhiteScope ICS/SCADA Whitelist
-http://www.icswhitelist.com

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.