SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #98

December 12, 2014

Just one story at the Top of the News - Jordan Robertson's in-depth coverage of the previously untold story of the 2008 oil pipeline attack is one of the best of the year!

Holiday Greetings! We hope you enjoy the eleventh SANS #HolidayHack challenge designed to help you build your information security skills and have some holiday fun in the process. This year, you'll match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present, and Future. Everyone is invited to participate and compete for really cool prizes. http://pen-testing.sans.org/holiday-challenge/2014.

Alan

---

TOP OF THE NEWS

Cyber Attack on Oil Pipeline in Turkey Predates Stuxnet

THE REST OF THE WEEK'S NEWS

Sands Casino Network Hit by Cyber Attack Earlier This Year
Sony Taking Steps to Prevent Download of Stolen Data
Sony Pictures Attack: Lots of Adjectives, Not Much Explanation
Swedish ISP Suffers When Gaming Site is Targeted by DDoS Attack
Senate Passes Cybersecurity Protection Act
Malware Appears to be Updated Version of Red October
Tech Alliance FIDO Releases Specifications for Two-Factor Authentication
The Pirate Bay Offline After Swedish Authorities Seize Servers
Mobile Payments Provider Acknowledges Malware Infection Led to Stolen Data
Microsoft and Adobe Security Updates
Microsoft Pulls Problematic Exchange Server 2010 SP3 Update

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Sophos ******************************
The results are in! Network experts, Miercom, have run extensive tests comparing firewall performance in the most common day-to-day scenarios. Read this report to see how Sophos, Fortinet, Dell SonicWALL and WatchGuard all stack up in independent tests. Learn more: http://www.sans.org/info/173157
**************************************************************************
TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- --10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Cyber Attack on Oil Pipeline in Turkey Predates Stuxnet (December 10, 2014)

In 2008, an oil pipeline running through Turkey was attacked, causing an explosion. The incident was kept largely secret. The pipeline had sensors and cameras monitoring its entire 1,099 length. The attackers gained access in the systems through the vulnerabilities in the surveillance cameras' communications software, made their way to the larger network, found a computer that was used to manage the alarm management network, and put malware on it. From there, they managed to disable alarms and alter the pressure of the oil to cause the explosion. The incident is significant because of its timing - predating Stuxnet by two years.
-http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-ope
ned-new-cyberwar.html
-http://www.bloomberg.com/news/2014-12-10/the-map-that-shows-why-a-pipeline-explo
sion-in-turkey-matters-to-the-u-s-.html
[Editor's Note (Assante): If the sources hold up and the story proves true, it will fit the prediction that a destructive cyber attack involving industrial systems would take months to years to sort out. The preliminary cyber look at the August 2003 Northeast Blackout demonstrated the challenges involved with conducting an accident/event investigation with a cyber component. The attack vector as reported by Bloomberg should have been anticipated by the pipeline operator. The attackers were aided by a significant weaknesses shared by most SCADA systems - the lack of internal network monitoring. Industrial Control Systems (ICS) have purposeful and thus predictable communication profiles and defenders need to leverage this important difference between an ICS and IT network. ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free White Paper: Point of Sale Systems and Security. http://www.sans.org/info/173162

2) In case you missed it: If All Is Quiet, Are You Really Secure? Understanding Zero-Day Vulnerabilities Thursday, December 11 at 3:00 PM EST (20:00:00 UTC) Jayson Jean and Michael Roytma. http://www.sans.org/info/173167

3) Analyst Webcast: Securing Oracle Databases Made Easy Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan. http://www.sans.org/info/173172
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Sands Casino Network Hit by Cyber Attack Earlier This Year (December 11, 2014)

In February 2014, staff at the Las Vegas Sands Corp. noticed things starting to go very wrong very quickly with its computer network. Hard drives at the headquarters of the world's largest gaming company were being wiped. Early on, Iran was suspected of being behind the campaign, an apparent retaliation for remarks made by casino CEO and majority shareholder Sheldon Adelson. Sands spends millions on security, protecting Adelson and his family, and protecting the company's assets, but cyber security was lagging. The attackers made their way into one system at a casino in Pennsylvania and eventually worked their way to the company's Las Vegas servers. When the extent of the attackers' intended destruction became apparent, the Sands severed itself from the Internet. The attack, which was kept largely under wraps, is similar to the recent attack on Sony Pictures because the perpetrators are seeking not financial gain, but retribution. The attacks are far-reaching, but because they do not pose a threat to national security, the government is unlikely to take action.
-http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adel
sons-sands-casino-in-las-vegas#p1

Sony Taking Steps to Prevent Download of Stolen Data (December 10 & 11, 2014)

Sony is trying to prevent people from downloading leaked films and other files by planting phony files with the same signature on filesharing websites. The seeded files slow downloading times.
-http://arstechnica.com/tech-policy/2014/12/sony-fights-spread-of-stolen-data-by-
using-bad-seed-attack-on-torrents/
-http://recode.net/2014/12/10/sony-pictures-tries-to-disrupt-downloads-of-its-sto
len-files/

Sony Pictures Attack: Lots of Adjectives, Not Much Explanation (December 10, 2014)

The FBI says the group responsible for the attack on the Sony Pictures computer network is "organized" and "persistent." The attack would have been difficult for any organization to prevent, according to Joseph Demarest, assistant director of the FBI's cyber division, who testified before the Senate Banking, Housing, and Urban Affairs Committee. The company that Sony Pictures hired to investigate the breach, Mandiant, has called the attack "unprecedented."
-http://www.cnet.com/news/fbi-official-calls-sony-attackers-organized-persistent/
-http://arstechnica.com/security/2014/12/sony-hackers-could-have-slipped-past-90-
of-defenses-fbi-director-says/

Swedish ISP Suffers When Gaming Site is Targeted by DDoS Attack (December 11, 2014)

A distributed denial-of-service (DDoS) attack against a specific website site inadvertently disrupted broadband service for Swedish customers. Customers of Swedish Internet service provider (ISP) Telia were without service for about an hour on Tuesday, December 9, and experienced intermittent outages over the following 24 hours. The attack, which was aimed at gaming site, disrupted fixed-line broadband, digital TV, and VoIP connections.
-http://www.zdnet.com/article/ddos-of-unprecedented-scale-stops-sweden-working-th
e-target-a-gaming-site/

Senate Passes Cybersecurity Protection Act (December 10, 2014)

The US Senate has passed the National Cybersecurity Protection Act, its version of the House's National Cybersecurity and Critical Infrastructure Protection Act. The bill authorized the Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center, which gathers information from government and private industry organizations, conducts analysis, and shares information about cyber threats.
-http://thehill.com/policy/cybersecurity/226639-senate-passes-dhs-cyber-bill
[Editor's Note (Pescatore): Not much to this one, mostly formally authorizing things DHS has been doing and requiring a bunch of reports on DHS activities. The FISMA modernization bill giving OMB a bigger role in federal cybersecurity made it out of the House on Monday, but the Senate has not yet passed it.
(Murray): This is a more measured and appropriate Bill than previous legislative efforts to address this space. It directs and funds government effort rather than blame and order the private sector. It avoids the trap of granting further immunity to the banks for breaching customer trust which doomed earlier legislative efforts. That said, it also demonstrates the impotence of legislation in addressing the problem that confronts us. ]

Malware Appears to be Updated Version of Red October (December 10, 2014)

Malware dubbed Inception by some and Cloud Atlas by others targets digital devices belonging to diplomats, military officers, and oil, financial, and engineering company executives. The malware is capable of recording calls made and received on smartphones running on a variety of platforms. The target organizations are largely in Russia and Eastern Europe. Clues left in the malware's code seem designed to misdirect and confuse.
-http://www.darkreading.com/perimeter/inception-cyber-espionage-campaign-targets-
pcs-smartphones/d/d-id/1318046?
-http://www.stripes.com/news/europe/inception-malware-dropped-clues-have-hacker-e
xperts-stymied-1.318317
-http://arstechnica.com/security/2014/12/nation-backed-malware-targets-diplomats-
iphones-androids-and-pcs/
-http://www.scmagazine.com/unknown-hackers-take-measures-to-remain-hidden-in-ince
ption-attack-framework/article/387699/

Tech Alliance FIDO Releases Specifications for Two-Factor Authentication (December 9 & 10, 2014)

The FIDO (Fast Identity Online) Alliance, a consortium of high-profile tech companies, has released the first specifications for manufacturers to develop two-factor and biometric authentication systems that will work on different devices. The document addresses two login systems: the Universal Authentication Framework (UAF), and Universal 2nd Factor (U2F). FIDO members will share patent licensing on the developed technologies, which should hasten their adoption.
-http://www.computerworld.com/article/2857496/security-group-plans-for-a-future-w
ithout-passwords.html
-http://www.scmagazine.com/fido-alliance-publishes-uaf-u2f-specs/article/387469/
-http://www.theregister.co.uk/2014/12/10/rip_password/
FIDO Press Release:
-https://fidoalliance.org/news/item/fido-1.0-specifications-published-and-final
[Editor's Note (Pescatore): By far the biggest obstacle to most advanced threats would be having reusable passwords replaced with stronger authentication. Consumers have actually started to recognize this, enabling fingerprint login on their iPhones and slowly signing up for "two step verification" on their online accounts. Yet, most high value targets at businesses (CEOs, CFOs, sys admins) are still logging in with reusable, phishable passwords. FIDO's efforts could help change that but Apple and Facebook don't appear to be part of the FIDO Alliance, which will slow down penetration.
(Murray): We have had a generation in which our vulnerability to reusable passwords has grown exponentially while we have done almost nothing to resist it. Now their use will continue to explode despite any efforts to replace them. Can you say "passwords do not scale?" ]

The Pirate Bay Offline After Swedish Authorities Seize Servers (December 9 & 10, 2014)

Authorities in Sweden have raided seized the servers of The Pirate Bay, causing the torrent tracking website to go dark. The site has been taken down before but previously has always returned quickly. This time, the site does not appear to be bouncing back as quickly. One of The Pirate Bay's founders, Peter Sunde, says he is fine with the site's disappearance, because he does not like what it has become. Other filesharing sites reportedly also went down on the same day, but it is not clear if the incidents are related.
-http://www.eweek.com/blogs/security-watch/pirate-bay-torrent-tracking-site-goes-
dark.html
-http://www.bbc.com/news/technology-30411782
-http://www.wired.com/2014/12/pirate-bay-raided-taken-down/
-http://www.computerworld.com/article/2857703/swedish-police-raid-pirate-bay-and-
force-it-offline.html

Mobile Payments Provider Acknowledges Malware Infection Led to Stolen Data (December 9, 2014)

Mobile payments provider Charge Anywhere says that malware infected its system and compromised customers' payment card data. The company receives and sends some data in plaintext. The malware planted on Charge Anywhere's system captures segments of outbound traffic. The issue was detected after the company began investigating reports of fraudulent card activity on cards that had been used at certain merchants; it affects transactions conducted between November 2009 and September 2014.
-http://krebsonsecurity.com/2014/12/unencrypted-data-lets-thieves-charge-anywhere
/
-http://arstechnica.com/security/2014/12/hacked-payment-card-service-transmitted-
some-data-in-plaintext/
Charge Anywhere Statement:
-https://www.chargeanywhere.com/notice/_defaultmerchant.aspx

Microsoft and Adobe Security Updates (December 9, 2014)

On Tuesday, December 9, Microsoft released seven security bulletins to address 24 flaws in a variety of products. Three of the bulletins have been rated critical. On the same day, Adobe released patches for two critical vulnerabilities in its Flash, Reader, and Acrobat products. One of the flaws in Flash is already being actively exploited. Storm Center:
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+December+2014/19043
-http://krebsonsecurity.com/2014/12/microsoft-adobe-push-critical-security-fixes-
2/
-http://www.computerworld.com/article/2857734/patch-tuesday-updates-aim-for-excha
nge-and-explorer-flaws.html
-http://www.zdnet.com/article/microsoft-patches-windows-ie-office-and-exchange/
-https://technet.microsoft.com/library/security/ms14-dec
-http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

Microsoft Pulls Problematic Exchange Server 2010 SP3 Update (December 10, 2014)

Microsoft has pulled one of the updates it released on December 9. The Exchange Server 2010 SP3 Update Rollup 8 was reportedly been causing problems for some users, preventing Outlook from connecting to Exchange. This issue does not affect other Exchange Server updates. Microsoft recommends that users uninstall the unreliable update if they have already applied it.
-http://www.zdnet.com/article/microsoft-pulls-exchange-2010-update/
-http://www.theregister.co.uk/2014/12/10/exchange_2010_update_recall/
-https://support.microsoft.com/kb/2986475
-http://blogs.technet.com/b/jribeiro/archive/2014/12/10/update-rollup-8-for-excha
nge-2010-sp3-has-been-released-kb2986475.aspx

---

STORM CENTER TECH CORNER

GMail quirk used to subvert spam tracking and blacklisting
-https://isc.sans.edu/forums/diary/GMail+quirk+used+to+subvert+website+spam+track
ing/19051

Demonstrating the Impact of XSS With Wordpress
-https://blog.gaborszathmari.me/2014/12/10/wordpress-exploitation-with-xss/

Putty Rider: Inspect "putty" ssh connections
-https://github.com/seastorm/PuttyRider

Apple Releases Safari 8.0.2
-http://lists.apple.com/archives/security-announce/2014/Dec/msg00002.html

SONY Private Key Leaked, Used in PoC to sign malware
-https://isc.sans.edu/forums/diary/Malware+Signed+With+Valid+SONY+Certificate+Upd
ate+This+was+a+Joke+/19049

D-Link Router SSH Password Brute Forcing
-https://isc.sans.edu/forums/diary/Odd+new+ssh+scanning+possibly+for+D-Link+devic
es/19055

InfiniteWP SQL Injection Vulnerability
-https://www.securityweek.com/sql-injection-other-vulnerabilities-found-infinitew
p-admin-panel

Old X-Window Bug Found and Patched
-http://lists.x.org/archives/xorg-announce/2014-December/002500.html

Microsoft Exchange Patch Causing Problems
-http://www.edugeek.net/forums/enterprise-software/146585-outlook-client-issues-f
ollowing-exchange-2010-rollup-8-a.html

iOS Update
-http://support.apple.com/en-us/HT1222

Google Updated "ReCAPTCHA" reverse analysis
-https://github.com/ReCaptchaReverser/InsideReCaptcha#readme

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.