SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #97

December 09, 2014

The SANS Technology Institute is honored to announce that US veterans can now use GI Bill-related education benefits to earn an elite SANS master's degree or graduate certificate. Cyber education and skills development is an ideal use of your veterans education benefits. Start Live as soon as Feb or online even earlier. Learn more at www.sans.edu/veterans

Alan

---

TOP OF THE NEWS

Sony Pictures Employees Threatened; Execs Received Extortion eMails Prior to Attack
Linux Turla Variant Detected
US Treasury Department Says Tor is a Major Source of Financial Account Takeovers

THE REST OF THE WEEK'S NEWS

Poodle Impacts TLS Protocol
White House Issues New Commitments to Support Computer Science Education
Former Apple Executive Gets prison Sentence for Selling Insider Data
ISP Content Filters Blocked Access to CCC Sites
Vulnerabilities in Google App Engine
UK Police Not Receiving Adequate Cyber Crime Training
German Court Blocks Turkish Man's Extradition to US
Judge Says Banks Can Sue Target

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec *****************************
Symantec Webcast: Strong Cyber Protection - Keep Bad Stuff Out and Good Stuff In, Dec 10 Join Enterprise Security Group (ESG) and Symantec for a practical discussion on the ever evolving threat landscape, how you can keep up and protect yourself and your business.
http://www.sans.org/info/172992
***************************************************************************

TRAINING UPDATE


--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


--Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Sony Pictures Employees Threatened; Execs Received Extortion eMails Prior to Attack (December 8, 2014)

Additional information about the Sony Pictures attack is emerging. The attackers appear to have used the network of a fancy hotel in Bangkok, Thailand, to leak stolen data (ed: but the attack as been variously attributed to North Korea and others). Reports also say that Sony Pictures executives received extortion emails three days before the initial attack. Employees of Sony Pictures have reported receiving threatening email messages.
-http://www.eweek.com/security/hacker-group-reportedly-threatens-sony-employees.h
tml
-http://www.computerworld.com/article/2857272/legal/hackers-contacted-top-sony-ex
ecutives-before-attack.html
[Editor's Note (Pescatore): Since it is often executive admins that read executive emails first, this is a good reminder that those admins should get some specific education on what to do if they see a ransomware-type email, as well as more concentrated phishing recognition education since execs will get the most targeted types of malicious emails.
(Honan): For me one of the biggest lessons from this attack is how important it is for the victim organisation to communicate often and clearly on the breach. The lack of information from Sony about the attack has led to many wild speculations in various media outlets as to who is behind the attack and what their motivations are. ]

Linux Turla Variant Detected (December 8 & 9, 2014)

A stealthy Trojan horse program that targets Linux systems may have been around for as long as four years. The malware, known as Turla, has been used to steal information from governments and pharmaceutical companies. A Windows variant of Turla has infected systems in at least 45 countries. The Linux variant may have been around for years, but was only recently detected.
-http://www.theregister.co.uk/2014/12/09/deadly_snake_lurks_in_watering_hole_bite
s_linux/
-http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-ma
y-have-infected-victims-for-years/
[Editor's Note (Murray): This item is significant as one more of such reports in 2014 of evidence of compromise, affecting tens of enterprises, and otherwise undetected for months to years. These are "low and slow" attacks targeting intellectual property. They are more damaging, but less likely to be detected, than fraud. Once identified they are easy to eradicate but the damage has already been done. Moreover, the presence of one detected is evidence of a vulnerability that might have also been exploited by others yet undetected. I prefer access controls close to the data that act early but exfiltration controls may be useful in detecting the existence, if not the identity, of such compromise. ]

US Treasury Department Says Tor is a Major Source of Financial Account Takeovers (December 5, 2014)

In a non-public report, the US Treasury Department says that many bank account hijackings could have been prevented if financial institutions had known to block transactions that came through the Tor network. The Treasury Department's Financial Crimes Enforcement Network analyzed suspicious activity reports that banks filed between August 2001 and July 2014.
-http://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/
[Editors' Note (Pescatore, Murray): Focusing on blocking known Tor IP addresses is classic Whack a Mole behavior - Tor is just the public face of the fact that anonymizers exist and will exist on the Internet. The bigger issue: most bank account hijacking could have been prevented if banks moved away from the use of reusable passwords to drive stronger authentication of their customers, and use proven fraud detection techniques where reusable passwords are still in use.
(Northcutt): Bzzt. Tor is just a pipeline, bank accounts need to be protected at the server. eTrade, Charles Schwab, Bank of America all offer two factor authentication. Instead of blaming Tor, more banks need to get on the bus. And no, asking what your childhood's pet name was does not cut it. Many people have posted that kind of data on Facebook etc.

---

**************************** SPONSORED LINKS ******************************
1) Download the free White Paper: Point of Sale Systems and Security http://www.sans.org/info/172997

2) Find out what is driving INFOSEC health care priorities in 2015. Survey results in two parts: Part 1 - December 9 at 1 pm ET: http://www.sans.org/info/173002 Part 2 - December 11 at 1 pm ET: http://www.sans.org/info/173007

3) Take the SANS 2nd Annual Endpoint Security Survey and enter to win a $400 Amazon Gift Card! http://www.sans.org/info/173012
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Poodle Impacts TLS Protocol (December 8 & 9, 2014)

The vulnerability known as Poodle has been found to impact the Transport Layer Security (TLS) protocol, so users who patched websites against the flaw in SSL earlier this year will need to check to see if they are still vulnerable to exploit through the flaw. Poodle was initially thought to affect only SSL 3.0, which is outdated but was commonly supported as a fallback measure.
-http://www.computerworld.com/article/2857113/the-poodle-flaw-returns-this-time-h
itting-tls-security-protocol.html
-http://www.theregister.co.uk/2014/12/09/zombie_poodle_wanders_in_cocks_leg_on_tl
s/
-http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-cryp
to-bites-10-percent-of-websites/
-https://www.imperialviolet.org/2014/12/08/poodleagain.html

White House Issues New Commitments to Support Computer Science Education (December 8, 2014)

A White House initiative to bring computer science education to US middle and high school students has participating school districts in Districts in New York, Los Angeles, Miami, Chicago and other large cities representing more than four million secondary school students. The districts have committed to offering computer science classes. Twenty million dollars in private donations will go to toward training teachers. The White House also noted that in 2016, the College Board will launch a new Advanced Placement course called Computer Science Principles.
-http://arstechnica.com/tech-policy/2014/12/coding-is-cool-as-white-house-unveils
-computer-science-school-initiative/
-http://www.whitehouse.gov/the-press-office/2014/12/08/fact-sheet-new-commitments
-support-computer-science-education

Former Apple Executive Gets prison Sentence for Selling Insider Data (December 8, 2014)

Former Apple global supply manager Paul Shin Devine has been sentenced to a year in prison for selling information about the company to its suppliers so they could negotiate better deals. Devine was arrested in 2010 after his scheme was discovered. The investigation was prompted by the discovery of emails in which he said he would provide insider information for cash.
-http://www.bbc.com/news/technology-30379825

ISP Content Filters Blocked Access to CCC Sites (December 8, 2014)

Content filters in use by Internet service providers (ISPs) Vodafone and Three have blocked users' access to the Chaos Communications Congress (CCC) as its annual conference approaches. As a result, people were unable to purchase tickets or peruse conference speaker listings.
-http://www.theregister.co.uk/2014/12/08/blightys_great_wall_blocks_chaos_compute
r_club/
-http://www.pcadvisor.co.uk/news/security/3590176/vodafone-blocks-chaos-computer-
club-site-fueling-net-censorship-concerns-in-uk/
[Editor's Note (Murray): We have tolerated, not to say encouraged, the hacker demimonde for more than a generation. It is a little late, not to say too late, to start to resist them now. By using their own methods against them, we legitimize those methods. ]

Vulnerabilities in Google App Engine (December 8 & 9, 2014)

Google is investigating reports of more than two dozen serious vulnerabilities in the Java environment of the Google App Engine. The flaws can allegedly be exploited to escape the Java VM sandbox and execute code remotely.
-http://www.zdnet.com/article/multiple-vulnerabilities-found-in-google-app-engine
/
-http://www.theregister.co.uk/2014/12/09/google_app_engine_has_thirty_flaws_says_
researcher/
-http://seclists.org/fulldisclosure/2014/Dec/26

UK Police Not Receiving Adequate Cyber Crime Training (December 7, 2014)

According to a survey of UK police intelligence analysts, British police are not receiving adequate training to equip them with what they need to know to fight cyber crime. Just 30 percent of respondents said they felt they had the necessary skills to deal effectively with cyber crime.
-http://www.independent.co.uk/news/uk/crime/police-failing-to-train-key-staff-to-
fight-growing-threat-of-cyber-crime-9909334.html
-http://www.paconsulting.com/our-thinking/cybercrime/
[Editor's Note (Pescatore): First, a disclaimer: there has probably never been a survey in the history of surveys where *any* group *ever* replied "We get plenty of training"... That said, local and national law enforcement really does need to update its training mix to focus more on techniques for modern policing to perform prevention, investigation and prosecution in digital crimes against their communities. ]

German Court Blocks Turkish Man's Extradition to US (December 2 & 5, 2014)

A Germany court has blocked the extradition of Ercan Findikoglu to the US to face charges that he is the alleged mastermind responsible a series of online credit card thefts. The scheme involved breaking into systems at payment processing companies and raising limits on prepaid cards, then using the cards to withdraw large amounts of cash. The court said that Findikoglu, who is from Turkey, could face too harsh a sentence if he is sent to the US.
-http://www.scmagazine.com/ercan-findikoglu-extradition-blocked-in-germany/articl
e/386986/
-http://www.washingtonpost.com/business/top-german-court-blocks-hackers-extraditi
on-to-us/2014/12/02/c3731a88-7a20-11e4-8241-8cc0a3670239_story.html

Judge Says Banks Can Sue Target (December 4 & 8, 2014)

A US District Court judge in Minnesota has ruled that banks affected by the Target data breach may sue Target for negligence. The banks allege that target "failed to heed warning signs" that could have reduced banks' losses. District Court Judge Paul A. Magnuson noted that "Target played a key role in allowing the harm to occur ...
[when it ]
disabled one of the security features that would have prevented the harm ..."
-http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target
-for-2013-credit-card-hack/
-http://www.zdnet.com/article/breach-epidemics-lurid-chapter-who-pays/
-http://cdn.arstechnica.net/wp-content/uploads/2014/12/document3.pdf
[Editor's Note (Murray): It is a matter of record that Target was one of a group of retailers pleading with the brands and issuers, months to years prior to this years epidemic of breaches, to fix (e.g., switch to EMV) their broken system. It would be ironic if the banks were to now switch the blame for their failure to their customers. It is specifically to protect them from credit and fraud loss that the merchants and consumers have been paying the banks their transaction fees If the banks succeed in this "bait and switch" scheme they may find that they have killed "the goose that laid the golden egg" as merchants continue to withdraw (Google "Merchant Customer Exchange") from this broken system.
(Pescatore): Over the years, higher courts have tended to reverse similar decisions or when they go to court, this argument usually loses. It is sort of like suing a company with a burglar alarm that kept going off even after they had reacted and shut the open door - after it kept going off, they started to ignore it, not realizing the door was open again. There is also a huge security negative to this kind of ruling - it reinforces the "better not to know, than to know and not do anything." For way too long that was used as a reason *not* to do vulnerability scanning or penetration testing - a huge mistake.]

---

STORM CENTER TECH CORNER

Kaspersky Internet Security Software Uses SSLv3 (Article in German)
-http://www.heise.de/newsticker/meldung/Kaspersky-Schutzsoftware-senkt-Sicherheit
-von-SSL-Verbindungen-2482344.html

HP Reveals IE 0-Day Vulnerability ahead of Patch Tuesday
-http://zerodayinitiative.com/advisories/ZDI-14-403/

Facebook File Upload Vulnerability
-http://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.h
tml

Microsoft Patch Tuesday Pre-Notifications
-https://technet.microsoft.com/en-us/library/security/ms14-dec.aspx

Firefox/Thunderbird log all input in /tmp on OS X 10.10
-https://www.mozilla.org/en-US/security/advisories/mfsa2014-90/

Cylance Releases "Operation Cleaver" Report
-http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.