SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #99
December 16, 2014
TOP OF THE NEWS
Senator Argues Against Back Doors for Government
Agencies Encourage Adoption of Cyber Security Standards
THE REST OF THE WEEK'S NEWS
Microsoft Draws Support for Fight Against Government Demand for Customer eMails
WordPress Sites Infected with Malware
Shellshock Flaw Exploited to Spread Worm
Sony Pictures Warns Media Against Use of Stolen Data
Guilty Plea in SpamHaus DDoS Case
FBI Warns of Potential for Cyber Attacks from Iranian Group
Expired Certificate Causes Some Card Payment Terminals to Stop Working
Enhanced Security for Microsoft Office 365
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec ****************************
Report Highlights: Over 41 percent of email-borne malware contained a link to a malicious or compromised website. Kelihos and Gamut are the top two most active botnets in November. Crypto-ransomware made up 38 percent of all ransomware seen in the month of November.
http://www.sans.org/info/173212
***************************************************************************
TRAINING UPDATE
- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014
- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015
- --Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and also broke the Target breach story, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015
- --10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015
- --SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015
- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Brussels, Dubai, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Senator Argues Against Back Doors for Government (December 15, 2014)
Noting that a back door placed in software and electronic communication devices to allow government access is also a back door that could be exploited by entities with malicious intent, US Senator Ron Wyden (D-Oregon) has proposed legislation that would prohibit government agencies from requiring back doors in digital products.
-http://www.theregister.co.uk/2014/12/15/us_senator_to_congress_close_all_the_backdoors/
Wyden's Op/Ed in LA Times:
-http://touch.latimes.com/#section/-1/article/p2p-82272348/
[Editor's Note (Pescatore): I'm not a big fan of more legislation, but Senator Wyden is right. Products need to be more secure, not less. Back in the 1990s, the government pushed for crypto export controls due to a fear that if strong crypto was in use by terrorists and national security targets, our national defense and law enforcement interests would be harmed. The government lost that battle and today we see that widespread use of data encryption was delayed and has enabled criminals and nation states to steal information from defense contractors, government agencies, critical infrastructure providers and the rest of private industry. Those export controls aren't the only reason, but they serve as a good proof point that making products less secure does *not* increase national security.
(Ullrich): Finally a politician who explains the real problem with government mandated backdoors and data collection. We shouldn't make it easier than it is already for the bad guys by providing standardized access methods and collecting large troves of data in one spot. ]
Agencies Encourage Adoption of Cyber Security Standards (December 15, 2014)
Government agencies have begun encouraging industries that they oversee to adopt applicable cyber security guidelines from the US National Institute of Standards and Technology (NIST). While the standards in the guidelines are voluntary, there is a possibility that they could become mandatory. NIST published the voluntary standards as part of the Framework for Improving Critical Infrastructure Cybersecurity.
-http://www.nextgov.com/cybersecurity/2014/12/agencies-mold-regulations-around-voluntary-cyber-standards/101217/?oref=ng-channeltopstory
[Editor's Note (Pescatore): The government using its buying power to raise the cybersecurity for suppliers is a good thing and was the best part of President Clinton's Presidential Decision Directive 63 back in *1998*. Along the same lines, GSA has recently issued a Request for Information on how to judge the risk of suppliers.
(Murray): The "NIST Framework" is about governance and management of information risk, not about security standards. Rather than propose any new security standards, it simply encourages the voluntary selection and use of good practices already articulated and promulgated by other organizations. Intrinsically, effective and efficient security is about a balance requiring judgment that cannot be "mandated." ]
**************************** SPONSORED LINKS ******************************
1) Proactively Prepare for a Breach - Download the free eGuide: Designing a Continuous Response Architecture. http://www.sans.org/info/173217
2) Analyst Webcast: Securing Oracle Databases Made Easy Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan. http://www.sans.org/info/173037
3) SANS What Works: University Uses Fireeye Advanced Threat Detection to Reduce Malware Impact Tuesday, January 13 at 1:00 PM EST (18:00:00 UTC) John Pescatore and Dan Han. http://www.sans.org/info/173222
***************************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft Draws Support for Fight Against Government Demand for Customer eMails (December 15, 2014)
Major tech companies, including Apple, Verizon, and eBay, are lending their support to Microsoft in its effort to resist a US Justice Department demand for information held on a company server in Ireland. The companies, along with business associations and news media outlets, have filed briefs urging that the Justice Department's warrant be thrown out. Many noted that requiring Microsoft to surrender the data would cause damage to US businesses. In a blog post, Microsoft General Counsel Brad Smith wrote, "This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology."
-http://www.nextgov.com/cybersecurity/2014/12/tech-giants-join-microsofts-privacy-fight-against-justice-department/101307/?oref=ng-channeltopstory
-http://www.csmonitor.com/Innovation/2014/1215/Microsoft-fights-against-the-US-government-accessing-data-stored-overseas
-http://www.wired.com/2014/12/microsoft-allies-fight-for-overseas-data-privacy/
-http://www.computerworld.com/article/2859708/microsoft-gets-help-in-telling-us-to-back-off-on-irish-search-warrant.html
WordPress Sites Infected with Malware (December 15, 2014)
More than 100,000 websites running on the WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in, which the company has known about since September 2014.
-http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
-http://www.zdnet.com/article/google-blacklists-11000-wordpress-sites-amid-malware-campaign/
-http://threatpost.com/google-blacklists-wordpress-sites-peddling-soaksoak-malware/109884
Shellshock Flaw Exploited to Spread Worm (December 15, 2014)
Malware exploiting the critical Shellshock vulnerability is spreading in the wild. The malware installs a backdoor on QNAP network-attached storage (NAS) systems.
-https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
-http://arstechnica.com/security/2014/12/worm-exploits-nasty-shellshock-bug-to-commandeer-network-storage-systems/
[Editor's Note (Ullrich): With no simple way to alert owners to patch these devices, they will remain vulnerable and continue to be exploited for a long time. Interestingly, this worm will patch the device for you, but at the cost of setting up various backdoors.
-https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
]
Sony Pictures Warns Media Against Use of Stolen Data (December 14 & 15, 2014)
Sony Pictures has begun contacting journalists and media organizations, warning them not to disclose any data stolen from Sony's network. The company is also demanding that the journalists and media outlets destroy any of the stolen information they may have obtained. Sony may not have much legal ground to stand on; unless the organizations stole the documents themselves, they are protected by the First Amendment.
-http://krebsonsecurity.com/2014/12/in-damage-control-sony-targets-reporters/
-http://www.scmagazine.com/hackers-renew-threats-sony-legal-team-strives-to-stem-damage/article/388429/
-http://www.cnet.com/news/sony-demands-news-organizations-delete-leaked-data/
-http://www.washingtonpost.com/news/morning-mix/wp/2014/12/15/why-sony-probably-cant-stop-the-media-from-publishing-details-of-the-hack/
This link includes the text of Sony's letter:
-http://recode.net/2014/12/14/sony-demands-end-to-publishing-leaks-from-stolen-data/
[Editor's Note (Murray): This is probably not the place to argue the common misunderstanding that the First Amendment protects anyone from the consequences of their own bad behavior; rather it restricts the behavior of the state. Neither is it the place to argue whether the same law that restricts the use of stolen property also restricts that of stolen data. The damage to Sony has been done: there is little to be gained by responsible journalists "piling on." This is hardly the place for media to assert its fundamental right to publish. ]
Guilty Plea in SpamHaus DDoS Case (December 14 & 15, 2014)
A 17-year-old in London, UK, has pleaded guilty to charges of computer misuse and money laundering for launching distributed denial-of-service (DDoS) attacks against SpamHaus and CloudFlare in March 2013. The teenager was arrested in September 2013.
-http://krebsonsecurity.com/2014/12/spamhaus-cloudflare-attacker-pleads-guilty-to-computer-abuse-child-porn-charges/
-http://www.scmagazine.com/sean-nolan-mcdonough-narko-pleads-guilty/article/388387/
FBI Warns of Potential for Cyber Attacks from Iranian Group (December 12 & 14, 2014)
In a confidential report to US businesses, the FBI warned of techniques that have been used by an Iranian group believed to be responsible for attacks against computer networks at defense contractors, energy companies, and colleges and universities around the world. The warning follows a report from Cylance about Operation Cleaver, the name for the group's activity.
-http://www.theregister.co.uk/2014/12/14/fbi_issues_iranian_hacking_warning/
-http://www.nbcnews.com/tech/security/fbi-warns-u-s-businesses-be-guard-against-iran-hack-n267561
-http://www.usnews.com/news/articles/2014/12/15/irans-growing-cybersecurity-threat
-http://www.reuters.com/article/2014/12/13/us-cybersecurity-iran-fbi-idUSKBN0JQ28Z20141213
Expired Certificate Causes Some Card Payment Terminals to Stop Working (December 12, 2014)
On December 7, 2014, certain payment card terminals in use at stores in the US stopped working. Rather than being the result of an attack, the devices stopped working because a cryptographic certificate had expired. The issue affects older models of payment terminals made by Hypercom, which is owned by Equinox Payments. That company is working to replace certificates so the devices can be used again.
-http://krebsonsecurity.com/2014/12/security-by-antiquity-bricks-payment-terminals/
[Editor's Note (Pescatore): The Heartbleed vulnerability recently pointed out the security risks of not knowing where SSL software and certificates were in use. The denial of service risk of expired certificates is a different risk but one that is much more visible to the business side. Tools from vendors such as Qualys, Tenable and Venafi can provide inventory and tracking of certificates.
(Murray): To paraphrase Einstein, we should make key management as easy as possible but no easier. We put expiration dates on keys because using them for too long is dangerous. ]
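Added example, not from the NewsBites item or from any of the vendors named above: a stdlib-only Python check that pulls notBefore/notAfter out of a DER-encoded X.509 certificate and classifies it as ok, expiring or expired against a reference time, which is the core of the inventory-and-tracking job the note describes. The certificate it inspects is a constructed, unsigned skeleton built inline (all function names here are my own), not a real terminal certificate.

```python
from datetime import datetime, timedelta, timezone
UTCTIME, GENERALIZEDTIME, SEQUENCE, CTX0 = 0x17, 0x18, 0x30, 0xA0   # DER tags used below

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value bytes) for each element inside a constructed DER value."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, buf[vstart:vend]
        start = vend

def _parse_time(tag, value):
    """UTCTime is YYMMDDHHMMSSZ (two-digit year); GeneralizedTime is YYYYMMDDHHMMSSZ."""
    text = value.decode("ascii")
    if tag == UTCTIME:                      # RFC 5280: YY < 50 means 20YY, otherwise 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_period(der):
    """Return (notBefore, notAfter) from a DER X.509 certificate, no crypto library needed."""
    _, tbs_start, tbs_end = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == CTX0:                              # optional explicit [0] version
        fields = fields[1:]
    validity = fields[3][1]                               # serial, signature, issuer, validity
    (t1, v1), (t2, v2) = _children(validity, 0, len(validity))
    return _parse_time(t1, v1), _parse_time(t2, v2)

def check(der, now_iso, warn_days=30):
    """Classify a certificate against an ISO-8601 timestamp: ok / expiring / expired."""
    now = datetime.fromisoformat(now_iso)
    not_before, not_after = validity_period(der)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"                    # the case that took the terminals offline
    return "expiring" if now + timedelta(days=warn_days) >= not_after else "ok"

def _enc(tag, value):                       # minimal DER encoder, only for the constructed sample
    return bytes([tag, len(value)]) + value # short-form length is enough for this sample

def _time(iso):                             # DER requires GeneralizedTime from the year 2050 on
    d = datetime.fromisoformat(iso)
    tag, fmt = (GENERALIZEDTIME, "%Y%m%d%H%M%SZ") if d.year >= 2050 else (UTCTIME, "%y%m%d%H%M%SZ")
    return _enc(tag, d.strftime(fmt).encode())

def sample_cert(not_before_iso, not_after_iso):
    """Constructed, unsigned certificate skeleton (sample input, not a real device certificate)."""
    tbs = (_enc(CTX0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(SEQUENCE, b"") * 2  # version, serial, sig alg, issuer
           + _enc(SEQUENCE, _time(not_before_iso) + _time(not_after_iso)) + _enc(SEQUENCE, b""))  # validity, subject
    return _enc(SEQUENCE, _enc(SEQUENCE, tbs) + _enc(SEQUENCE, b"") + _enc(0x03, b"\x00"))
```

Feeding the DER bytes of each certificate in a device inventory through check() with a warning window turns the expiry into a scheduled replacement instead of a surprise outage.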
Enhanced Security for Microsoft Office 365 (December 11, 2014)
Microsoft's Office 365 cloud services suite will have additional security from Palerra, a cloud security automation company.
-http://finance.yahoo.com/news/palerra-partners-microsoft-amplify-security-140100463.html;_ylt=AwrSbhBaAYtU2HwAbmJXNyoA
[Editor comment (Northcutt): I hope they also work on usability. I just bought 365 for my new Mac and it does not accept the access code. I am not excited to travel to the Apple store, but it seems to be my best alternative. ]
STORM CENTER TECH CORNER
Windows Root Certificate Update Recalled/Updated
-https://support.microsoft.com/kb/3024777
Silverlight Update Failed
-https://support.microsoft.com/kb/3011970
FreeBSD stdio vulnerability
-http://blog.norsecorp.com/2014/12/10/buffer-overflow-vulnerability-in-freebsd-discovered-by-norse/
More Vulnerabilities in Docker
-https://groups.google.com/forum/#!msg/docker-user/nFAz-B-n4Bw/0wr3wvLsnUwJ
Interesting Phishing Attempts to Lure Users by asking them to call ISP
-https://isc.sans.edu/forums/diary/Customized+Support+Scam+Supported+by+Typo+Squatting/19065
Safari 8.0.2 still supports SSLv3 with block ciphers
-https://isc.sans.edu/forums/diary/Safari+8+0+2+Still+Supporting+SSLv3+with+Block+Ciphers/19067
Entire National ID Database of Serbia Stolen
-http://securityaffairs.co/wordpress/31068/cyber-crime/serbia-hackers-stolen-national-database.html
Snort 3.0 Update
-http://blog.snort.org/2014/12/introducing-snort-30.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.