SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #2

January 09, 2015

TOP OF THE NEWS

US Intelligence Authorities Still Pointing Finger at North Korea for Sony Attack
And Critics Still Say Evidence is Flimsy
Microsoft Advance Security Notification Changes

THE REST OF THE WEEK'S NEWS

OpenSSL Project Updates
Asus Router Flaw
DISA Posts RFI for Next-Generation Security
Trojan Targets Linux Systems
Thieves Steal US $5 Million in Bitcoins from Bitstamp
FTC Chair Says Internet of Things Presents "Significant Privacy and Security Implications"
AOL Halts Malware Being Served by its Advertising Platforms
Correction on Morgan Stanley Data Theft

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec *************************
The BYOD Challenge, Jan 13 at 10am PT - Join Symantec and ITS Partners in a practical conversation about the current landscape of devices, industry-specific challenges for BYOD and just how to keep your workforce connected, secure, and productive.
http://www.sans.org/info/173557
***************************************************************************

TRAINING UPDATE


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


--SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/event/northern-virginia-2015


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


- - - - --Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

---

TOP OF THE NEWS

US Intelligence Authorities Still Pointing Finger at North Korea for Sony Attack (January 8, 2015)

US FBI director James Comey reiterated the agency's position that the Sony Pictures attack was launched by North Korea. Calling the perpetrators "sloppy," Comey said that in some cases, the attackers did not use proxy servers, which unintentionally revealed that the attacks were emanating from IP addresses used "exclusively" by North Korea.
-http://www.computerworld.com/article/2866431/fbi-blames-north-korea-again-for-so
ny-big-hack-attack.html
-http://www.darkreading.com/fbi-director-says-sloppy-north-korean-hackers-gave-th
emselves-away/d/d-id/1318520?
-http://arstechnica.com/security/2015/01/fbi-director-says-sony-hackers-got-slopp
y-exposed-north-korea-connection/
-http://www.cnet.com/news/sony-hackers-were-sloppy-fbi-chief-says/
-http://www.wired.com/2015/01/fbi-director-says-north-korean-hackers-sometimes-fa
iled-use-proxies-sony-hack/
[Editor's Note (Honan): This attack differs significantly from past attacks as this is the first to have major impacts on international diplomatic relations, with sanctions being imposed on North Korea. With this in mind and the potential geo-political affects it could have, the FBI need to assure us that they are not solely relying on IP addresses to assign attribution to any parties. Stating that IP addresses are used "exclusively" by North Korea does not make any sense as any IP address can be compromised or spoofed to hide the real attacker's identity. Also given that the FBI still has not identified the original attack vector, it is even more important that it can provide more information to support their claims. ]

And Critics Still Say Evidence is Flimsy (January 8, 2015)

Critics are still wary that the evidence presented points definitively to North Korea as the perpetrator of the Sony Pictures attack. In the attack's initial phase, the attackers attempted to extort funds from the company but did not mention the film that later became central to the matter. The critics also note the possibility that the North Korean IP addresses were hijacked and used as proxies to make it look as though the attacks were coming from that country.
-http://www.wired.com/2015/01/critics-say-new-north-korea-evidence-sony-still-fli
msy/
[Editor's Note (Honan): The FBI may have additional sources of information to give them the confidence to blame North Korea and may not simply be relying on digital evidence alone. If so, and given the political consequences of this attack, it would be helpful for the FBI to indicate what those sources without necessarily revealing the details. ]

Microsoft Advance Security Notification Changes (January 8, 2015)

Microsoft will no longer provide advance notification about its monthly security bulletins to the general public. Instead, the information will be available only to paying Premier support customers and to organizations that participate in the company's security programs. The service, which began more than a decade ago, provided information about bulletins on the Thursday prior to the patches' Tuesday release. Microsoft has said that the main reason for the change is that most customers no longer use the information available in advance.
-http://www.zdnet.com/article/microsofts-advance-security-notification-service-no
-longer-publicly-available/
-http://www.computerworld.com/article/2866996/microsoft-abruptly-dumps-public-pat
ch-tuesday-alerts.html
-http://blogs.technet.com/b/msrc/archive/2015/01/07/evolving-advance-notification
-service-ans-in-2015.aspx
[Editor's Note (Pescatore): Microsoft points to a very positive trend as part of their justification for discontinuing the Advanced Notification Service - more and more organizations are letting patches get pushed out automatically shortly after the monthly Microsoft Vulnerability Tuesday. Not so much for servers - change windows are still limited in the data center, and more application QA testing is required, though way less than in the past. But for PCs, there is very little reason (other than IT organizations' resistance to change) *not* to use simple mechanisms like WSUS or auto-update to patch immediately.
(Murray): This practice will move Microsoft in the direction of the procedure adopted by IBM two generations ago. It preserves the access demanded by MS enterprise customers. but upon which they rarely act, while not making it available to others.
(Ullrich): I am not buying that they don't think people need the advance notice. We already received notes from ISC readers saying that they used and appreciated the Advance Notifications. On the other hand, Microsoft had a lot of problems with patch quality in the past year. Anything that can streamline their process, and maybe put less pressure on Microsoft to release patches that are not quite done yet, should help end users. In my opinion, this move was at least in part done to make it easier to retract patches at the last minute. ]

---

**************************** SPONSORED LINKS ******************************
1) Analyst Webcast: Securing Oracle Databases Made Easy. Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan. http://www.sans.org/info/173562

2) Simplify PCI DSS Compliance with AlienVault USM. Tuesday, January 20 at 1:00 PM EST with Mark Allen, Technical Sales Engineer. http://www.sans.org/info/173567

3) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats. http://www.sans.org/info/173397
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

OpenSSL Project Updates (January 8, 2015)

The OpenSSL Project has released new versions of its open-source software to address a series of vulnerabilities. OpenSSL 1.0.1k, 1.0.0p, and 0.9.8zd include fixes for eight security issues, two of which could be exploited to create denial-of-service conditions.
-http://www.scmagazine.com/two-moderate-six-low-severity-openssl-vulnerabilities-
fixed/article/391700/
Advisory:
-https://www.openssl.org/news/secadv_20150108.txt
[Editor's Note (Ullrich): Luckily not another POODLE or Heartbleed. No need to rush this one out. Wait for the patches to arrive from your vendor then test and apply using your normal patch process.
(Murray): "Open Source" may result in quality. However, like all quality, it will require design and intent. It is not likely to result by default. ]

Asus Router Flaw (January 8, 2015)

An unpatched flaw in the firmware of nearly all versions of Asus wireless routers could be exploited from within networks to gain administrative control of the vulnerable devices. With administrative permissions, a malicious actor could redirect users to certain websites and possibly install other firmware updates. The flaw is not remotely exploitable.
-http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-netwo
rk-can-probably-hack-it/

DISA Posts RFI for Next-Generation Security (January 7, 2015)

The US Defense Information Systems Agency has published a request for information regarding "next-generation" endpoint security systems. DISA is seeking solutions that will help streamline security for the millions of devices that connect to the Pentagon's networks. Companies have until February 2, 2015 to respond.
-http://www.nextgov.com/defense/2015/01/disa-aims-next-generation-system-secure-n
etwork-endpoints/102426/?oref=ng-HPtopstory
RFI:
-https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=682ee3
8a751757acc6d41aa1b273c366&_cview=0
[Editor's Note (Northcutt): If they sought my advice I would say to make the award only to a group that has already implemented their requirements at a large scale. Microsoft runs over a half million servers. I hate to say it, but the best solution may be to model on that as Microsoft does everything they are asking for. ]

Trojan Targets Linux Systems (January 7, 2015)

A Trojan that has been named XOR.DDoS is targeting Linux systems, with the possible aim of creating a network of infected systems to be used to conduct distributed denial-of-service (DDoS) attacks. The malware tailors its installation to each system's Linux environment, and it installs a rootkit on vulnerable systems to evade detection.
-http://www.scmagazine.com/malware-targets-linux-and-arm-architecture/article/391
497/

Thieves Steal US $5 Million in Bitcoins from Bitstamp (January 6, 2015)

On Monday, January 5, Bitcoin exchange Bitstamp suspended service due to an attack. The exchange says that the attackers stole more than US $5 million worth of the cryptocurrency. The January 4 attack targeted Bitstamp's operation wallets, which are connected to the Internet and allow customers to conduct exchanges. Bitstamp says it keeps the majority of its Bitcoins in cold storage, which means they are not connected to the Internet, and that all balances will be honored in full.
-http://www.computerworld.com/article/2865800/hackers-steal-5m-in-bitcoin-currenc
y-during-bitstamp-exchange-attack.html
-http://arstechnica.com/security/2015/01/bitcoin-exchange-bitstamp-claims-hack-si
phoned-up-to-5-2-million/
[Editor's Note Ullrich): It doesn't look good for Bitcoin these days. In the end, a currency will need to be trusted to be taken seriously and have value. As usual, launching services ahead of competitors has been a priority over security. Many e-commerce services survived this phase, but for crypto currencies, trust is much more important than for a vendor delivering tangible goods. ]

FTC Chair Says Internet of Things Presents "Significant Privacy and Security Implications" (January 6 & 8, 2015)

In a speech at the International Consumer Electronics Show in Las Vegas, US Federal Trade Commission chairperson Edith Ramirez warned that the Internet of Things (IoT) presents "significant" privacy issues. The billions of connected device collect, store, and in some cases transmit data. Ramirez urged companies to make security a part of their product development process, to collect the minimum amount of data necessary, and to notify consumers of unexpected use of their data and provide simplified choices regarding this use.
-http://www.bbc.com/news/technology-30705361
-http://arstechnica.com/tech-policy/2015/01/one-on-one-with-ftc-chairwoman-edith-
ramirez-about-the-internet-of-things/
-http://www.v3.co.uk/v3-uk/news/2389013/ces-2015-ftc-warns-of-internet-of-things-
security-risks
Text of speech:
-http://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspee
ch.pdf

AOL Halts Malware Being Served by its Advertising Platforms (January 6, 2015)

AOL has stopped its advertising platforms from serving malicious ads after being alerted to the situation. The malicious ads redirected users to sites containing exploit kits that attempted to install malware on their computers. Users could be infected simply by visiting the malicious sites.
-http://www.scmagazine.com/ransomware-is-being-distributed-on-huffpo-site/article
/391235/
-http://www.computerworld.com/article/2865320/aol-halts-malicious-ads-served-by-i
ts-advertising-platform.html

Correction on Morgan Stanley Data Theft (from SANS NewsBites Vol. 17 Num. 001)

The data stolen by a Morgan Stanley employee who was fired for the theft included account numbers but did not include account access credentials. We regret any confusion this may have caused.

---

STORM CENTER TECH CORNER

Assessing The Risk of POODLE
-https://isc.sans.edu/forums/diary/Assessing+the+risk+of+POODLE/19159/

Patch Management for ICS Infrastructure
-https://isc.sans.edu/forums/diary/Why+patch+management+is+ALSO+REQUIRED+in+ICS+i
nfrastructure/19157/

Cryptowall 2.0
-http://blogs.cisco.com/security/talos/cryptowall-2

Red Star OS 3.0 Vulnerabilities
-http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/

ICMPv6 egress fitler errors Type 1 Code 5
-https://isc.sans.edu/forums/diary/A+Packet+a+Day+ICMPv6+Type+1+Code+5/19153/

ATM "Black Box" Attacks
-http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/

FBI Director Speaks to Evidence Implicating North Korea in SONY Hack
-http://abcnews.go.com/Technology/sony-hack-fbi-director-speaks-evidence-pointing
-north/story?id=28061831

Abuse Hosts Blocking List stop service
-http://www.ahbl.org/content/last-notice-wildcarding-services-jan-1st

Bot Crawling GitHub For Amazon AWS Keys
-http://www.devfactor.net/2014/12/30/2375-amazon-mistake/

Gogo Inflight Wifi Spoofing Google SSL Certificates
-https://twitter.com/__apf__/status/551083956326920192/photo/1
-http://concourse.gogoair.com/technology/statement-gogo-regarding-streaming-video
-policy

SSH Crypto Guide
-https://stribika.github.io/2015/01/04/secure-secure-shell.html

Using HSTS to Track Users
-http://www.radicalresearch.co.uk/lab/hstssupercookies/

Windows 7 End of Mainstream Support
-http://windows.microsoft.com/en-us/windows/lifecycle

Please take part in our Stormcast Survey
-https://www.surveymonkey.com/s/KSVJXFP

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.