
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #3

January 13, 2015


The 2015 Cyber Threat Intelligence Summit in Washington, DC in early February brings together the nation's top threat analysts: Brian Krebs as keynote, Scott Roberts and Kyle Maxwell on "Hunting Adversaries Across the Internet," Alex Pinto on "From Threat Intelligence to Defense Cleverness: A Data Science Approach," and Paul Vixie on "DNS As A Control Point For Cyber Risk." Plus five intensive courses to advance your career:

http://www.sans.org/event/cyber-threat-intelligence-summit-2015

TOP OF THE NEWS

Cyber Attack Caused Damage at German Steel Mill
British Prime Minister Wants to Prohibit Unbreakable Communications Encryption
US Military Social Media Accounts Hijacked
Obama Wants Breach Disclosure Law

THE REST OF THE WEEK'S NEWS

Google Discloses Another Unpatched Windows Flaw and Microsoft is Not Happy
Dept. of Energy Offers Cybersecurity Guidance
Skeleton Key Malware
United Mileage Plus Accounts Compromised
Apple Spotlight Runs Roughshod Over Mail Privacy Settings
Bitstamp Bitcoin Exchange Operational Again
Ross Ulbricht's Silk Road Trial Will be Closely Watched
Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive
Logs Can be Helpful Forensic Security Tools if Used Properly

STORM CENTER TECH CORNER


********************** Sponsored By Bit9 + Carbon Black ******************
POS devices have become a constant target for criminal hackers. Download the new free eBook: Point-of-Sale Security for Dummies to learn the steps you can take today to prevent a data breach in your organization.

http://www.sans.org/info/173587
***************************************************************************

TRAINING UPDATE


- -SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- -Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, the renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and who broke the Target breach story, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- -10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and the paths (options) around which to build your program. Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/event/northern-virginia-2015


- -Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


- -Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -Looking for training in your own community?
http://www.sans.org/community/


- -Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

TOP OF THE NEWS

Cyber Attack Caused Damage at German Steel Mill (January 8, 2015)

A report released in mid-December by Germany's Federal Office for Information Security (BSI) disclosed that a cyber attack on a German steel mill caused physical damage to the facility. The attackers disrupted the plant's control systems so that a blast furnace could not be shut down properly. The damage was described as "massive," but no further details were provided, and the date of the attack was not given. The report said the attackers gained an initial foothold on the corporate network, reportedly through spear-phishing and social engineering, and worked their way from there into the production networks. This is the second documented case of a cyber attack causing physical damage; the first, of course, was Stuxnet.
-http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
[Editor's Note (Weatherford): "Buckle up. This flight is about to get bumpy." ]

British Prime Minister Wants to Prohibit Unbreakable Communications Encryption (January 12 & 13, 2015)

British Prime Minister David Cameron is questioning the use of encrypted messaging. Cameron says that if he is re-elected, he will ban encryption that cannot be broken by intelligence services. He says that there should be no concern about abuse because the Home Secretary would personally sign each order.
-http://www.zdnet.com/article/uk-pm-looking-to-outlaw-encrypted-online-communication/
-http://www.cnet.com/news/david-cameron-pledges-to-target-encrypted-messaging-after-paris-attacks/
-http://www.theregister.co.uk/2015/01/12/iranuk_in_accord_as_pm_promises_to_block_encrypted_comms_after_election/
-http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/

[Editor's Note (Pescatore): Déjà vu all over again, back to the crypto export control and key escrow debates of the mid 1990s. Of course, the easy answer is that no crypto is *unbreakable* - just a matter of how long it takes to break it, so the issue is really the size of the intelligence agency's crypto-breaking budget. The bottom line is the good guys need strong encryption at least as much, and probably more, than the bad guys.
(Ullrich): Another week, another stupid idea to legislate insecurity in the name of national security. Does nobody remember the "Clipper Chip"?
(Honan): This is really a shining example of how politicians and policy makers do not understand how the Internet or how online security works. The Internet knows no borders, resulting in citizens in the UK being able to access encrypted services outside of that jurisdiction. It could also impact on the UK's "Digital Economy" plans as companies will not feel they can ensure the security or privacy of their products and services and look to locate their business elsewhere. ]

US Military Social Media Accounts Hijacked (January 12, 2015)

The Twitter and YouTube accounts of the US military's Central Command (Centcom) were hijacked by people claiming to be operating on behalf of Islamic State. Both accounts were temporarily suspended. Centcom called the incident vandalism and said it affected neither operations nor classified systems, and was not a serious data breach. Some information about military personnel was posted, but it came from the Massachusetts Institute of Technology (MIT), not from military systems.
-http://www.bbc.com/news/world-us-canada-30785232
-http://www.wired.com/2015/01/centcoms-twitter-hack/
-http://www.cnet.com/news/us-military-social-media-accounts-hit-with-hacking-attack/
-http://www.scmagazine.com/us-central-command-social-media-accounts-hacked/article/392128/
-http://www.nextgov.com/defense/2015/01/hacking-central-command/102651/?oref=ng-channelriver
-http://www.zdnet.com/article/hackers-claim-breach-at-u-s-central-command/
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/12/the-centcom-hack-that-wasnt/

[Editor's Note (Henry): This is clearly embarrassing, but not a critical "attack" or breach as some in the media have made it out to be. Dual factor authentication of social media accounts, by sending a token to a mobile device, for example, is a quick fix and provides a higher level of security with little aggravation.
(Ullrich): While I doubt that the CENTCOM twitter account has any importance for military operations, appearances matter and the military should not look weak and vulnerable in cyber space.
(Weatherford): While the Twitter and YouTube hacks were technically ho-hum actions, mislabeling them as nuisance and vandalism events undervalues the optic that the rest of the international community (good guys and bad guys) sees the US Military - the mightiest military in the world - as vulnerable. ]

Obama Wants Breach Disclosure Law (January 10 & 12, 2015)

President Obama is asking legislators to pass a bill that would require companies to disclose data security breaches that expose customer data within 30 days. The move is a response to recent breaches that have compromised the personal information of millions of people. Obama also wants the bill to include a provision prohibiting companies from selling students' information to third party companies.
-http://www.darkreading.com/attacks-breaches/obama-calls-for-30-day-breach-notification-policy-for-hacked-companies/d/d-id/1318578?
-http://www.theregister.co.uk/2015/01/12/obama_pushes_mandatory_breach_disclosure_laws/
-http://www.computerworld.com/article/2867244/obama-aims-to-tighten-laws-on-data-hacking-and-student-privacy.html
-http://www.cnet.com/news/obama-to-outline-new-cybersecurity-measures/
[Editor's Note (Henry): There has been legislation on the hill addressing this very issue for about 10 YEARS. There was a plan on the president's desk to address this issue when he took office 7 YEARS ago. Did it take the SONY release of emails about Angelina Jolie being "a spoiled brat" to move this forward? The plan is a start, but will require much more rigor. ]


**************************** SPONSORED LINKS ******************************
1) Analyst Webcast: Simplifying Compliance and Forensic Requirements with HP ArcSight Logger. Tuesday, January 27 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford. http://www.sans.org/info/173592

2) Avoid Making the Headlines Protect Your Retail Business from Cyber Attacks Wednesday, January 28 at 1:00 PM EST Isabelle Dumon. http://www.sans.org/info/173602

3) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats. http://www.sans.org/info/173397
***************************************************************************

THE REST OF THE WEEK'S NEWS

Google Discloses Another Unpatched Windows Flaw and Microsoft is Not Happy (January 12, 2015)

Microsoft is displeased that Google has disclosed another vulnerability in Windows prior to the availability of a patch. In late December, Google disclosed a flaw in Windows 8.1, 90 days after notifying Microsoft of the issue. On Sunday, January 11, Google disclosed a second flaw in Windows 8.1, again 90 days after it notified Microsoft. Microsoft is planning to issue a fix for the second disclosed flaw on Tuesday, January 13, and had specifically asked Google to wait until the day the patch was released. Google's Project Zero program is designed to encourage companies to issue patches more quickly.
-http://www.eweek.com/security/microsoft-blasts-googles-handling-of-windows-8.1-flaw-disclosure.html
-http://www.informationweek.com/mobile/mobile-devices/microsoft-protests-bug-disclosure-by-google/d/d-id/1318577
-http://arstechnica.com/security/2015/01/google-sees-a-bug-before-patch-tuesday-but-windows-users-remain-vulnerable/
-http://www.cnet.com/news/microsoft-irked-by-googles-revealing-of-windows-bug/
-http://www.theregister.co.uk/2015/01/12/google_microsoft_coordinated_vulnerability_disclosure_policy_battle/
-http://www.v3.co.uk/v3-uk/news/2389798/microsoft-criticises-google-for-windows-81-bug-disclosure-tactics

[Editor's Note (Skoudis): It's fascinating to watch giants battle. If smaller researchers were doing what Google is trying here, I'm sure they would be called irresponsible by some people. But, with Google's backing, the goal of pushing other vendors into shorter patching times might happen. ]

Dept. of Energy Offers Cybersecurity Guidance (January 9, 2015)

The US Department of Energy has released voluntary guidelines for energy companies and utilities to help them decide what steps to take to improve their cyber security posture. The Energy Sector Cybersecurity Framework Implementation Guidance offers ideas for developing risk management strategies and implementing best practices.
-http://www.federaltimes.com/story/government/cybersecurity/2015/01/09/energy-cybersecurity-framework/21500813/
-http://energy.gov/sites/prod/files/2015/01/f19/Energy%20Sector%20Cybersecurity%20Framework%20Implementation%20Guidance_FINAL_01-05-15.pdf

Skeleton Key Malware (January 12, 2015)

Malware dubbed Skeleton Key patches the authentication process in memory on an Active Directory domain controller so that an attacker-chosen password is accepted for any domain account, while users' real passwords keep working. It defeats only single-factor (password-only) authentication, needs no knowledge of users' passwords, and triggers no warnings. Because the patch lives only in memory, it does not survive a reboot of the domain controller and must be redeployed by the attacker.
-http://www.darkreading.com/skeleton-key-malware-bypasses-active-directory/d/d-id/1318570?
-http://www.forbes.com/sites/thomasbrewster/2015/01/12/skeleton-key-malware-nightmare/

[Editor's Note (Skoudis): This looks like it has taken some of the ideas of the old Linux rootkits and implemented them in memory on a Windows domain controller. Pretty powerful, but definitely not revolutionary.
(Ullrich): Very neat backdoor to provide persistent access to the systems after they are compromised. However, this isn't exactly a vulnerability, but the result of exploiting such a vulnerability. At this point, an attacker could also add a new domain administrator account. The main difference here is that this modification to AD is harder to detect than a new domain admin account. ]
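
A practitioner reading Ullrich's point will want a way to tell the quiet in-memory patch from the noisy new-admin route. The following is an added example written for this issue, not code from the page or from the researchers who analysed Skeleton Key; the event records are constructed and their field names are an assumption standing in for a SIEM or Get-WinEvent export. It hunts for two indicators: Kerberos tickets being downgraded to RC4-HMAC (encryption type 0x17) for accounts that normally receive AES tickets, which the patch causes because it only handles RC4, and the easy-to-spot alternative of a new Domain Admins member (event 4728).

```python
"""
Hunting for Skeleton Key indicators in Windows Security event records.

Added example for this NewsBites issue; not code from the page, from the
researchers who described Skeleton Key, or from Microsoft. The event records
are constructed, and the field names are an assumption standing in for
whatever your SIEM or Get-WinEvent export produces.

Checks:
  1. Encryption downgrade: the in-memory patch only handles RC4-HMAC, so an
     account that normally gets AES Kerberos tickets suddenly appears with
     ticket encryption type 0x17 in event 4768 (TGT request) or 4769
     (service ticket request) on the patched DC.
  2. The noisy alternative: a new member of Domain Admins, logged as event
     4728 (member added to a security-enabled global group).
"""
from collections import defaultdict

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}          # AES128 / AES256-CTS-HMAC-SHA1-96

# Constructed "known good" period: interactive accounts were issued AES tickets,
# one legacy application account has always used RC4.
BASELINE_EVENTS = [
    {"id": 4768, "account": "jdoe",       "etype": 0x12, "src": "10.0.1.15", "dc": "DC01"},
    {"id": 4769, "account": "svc_backup", "etype": 0x12, "src": "10.0.1.20", "dc": "DC01"},
    {"id": 4768, "account": "legacyapp",  "etype": 0x17, "src": "10.0.2.4",  "dc": "DC01"},
]

# Constructed window under investigation.
WINDOW_EVENTS = [
    {"id": 4768, "account": "jdoe",       "etype": 0x17, "src": "10.0.9.77", "dc": "DC01"},
    {"id": 4769, "account": "svc_backup", "etype": 0x17, "src": "10.0.9.77", "dc": "DC01"},
    {"id": 4768, "account": "legacyapp",  "etype": 0x17, "src": "10.0.2.4",  "dc": "DC01"},
    {"id": 4768, "account": "jdoe",       "etype": 0x12, "src": "10.0.1.15", "dc": "DC01"},
    {"id": 4728, "account": "attacker1",  "group": "Domain Admins",
     "subject": "jdoe", "dc": "DC01"},
]


def aes_capable_accounts(events):
    """Accounts that were issued at least one AES ticket during the baseline."""
    return {e["account"] for e in events
            if e["id"] in (4768, 4769) and e["etype"] in AES_TYPES}


def find_encryption_downgrades(baseline, window):
    """RC4 tickets issued in the window to accounts that are AES-capable.

    Returns (account, source host, DC) tuples. Accounts that always used RC4
    (legacy clients) are not reported: the signal is the change, not RC4 itself.
    """
    aes_accounts = aes_capable_accounts(baseline)
    return [(e["account"], e["src"], e["dc"]) for e in window
            if e["id"] in (4768, 4769)
            and e["etype"] == RC4_HMAC
            and e["account"] in aes_accounts]


def find_privileged_group_additions(window,
                                    groups=("Domain Admins", "Enterprise Admins")):
    """New members of high-value groups as (new member, group, who added them)."""
    return [(e["account"], e["group"], e["subject"]) for e in window
            if e["id"] == 4728 and e.get("group") in groups]


def group_by_source(hits):
    """Downgrades caused by one attacker share a source host; cluster for triage."""
    by_src = defaultdict(list)
    for account, src, _dc in hits:
        by_src[src].append(account)
    return dict(by_src)


if __name__ == "__main__":
    downgrades = find_encryption_downgrades(BASELINE_EVENTS, WINDOW_EVENTS)
    for src, accounts in group_by_source(downgrades).items():
        print(f"RC4 downgrade for AES-capable accounts from {src}: {accounts}")
    for member, group, actor in find_privileged_group_additions(WINDOW_EVENTS):
        print(f"{actor} added {member} to {group}")
```

Events 4768 and 4769 only exist if the Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations subcategories are enabled on the domain controllers. An RC4 ticket is not proof by itself (clients without AES support and accounts without AES keys use it legitimately), so treat a cluster of downgrades from a single source host as a lead to capture LSASS memory on that DC, and remember that the patch disappears when the DC reboots, which destroys the evidence along with the backdoor.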

United Mileage Plus Accounts Compromised (January 12, 2015)

Thieves using usernames and passwords obtained from a third party accessed about 35 United Airlines MileagePlus accounts and booked free travel and upgrades. United says it was not the source of the credentials, which were also used in attacks against other companies, the pattern that results when customers reuse the same password across sites.
-http://www.computerworld.com/article/2867241/security0/stolen-credentials-used-to-access-united-airlines-mileageplus-accounts.html
-http://www.washingtonpost.com/business/economy/thieves-target-american-united-airline-customers-miles/2015/01/12/f093bab0-9a99-11e4-a7ee-526210d665b4_story.html

[Editor's Note (Weatherford): Not only is there some significant $$ associated with these kinds of "Reward and Frequent Flyer" accounts, there is also a lot of sensitive personal information including Trusted Traveler and Global Entry information and they are the perfect avenue to move laterally within a company. The comment that the same access credentials were used in other attacks at other companies indicates that the message to have unique passwords for different accounts is still not taken seriously. ]
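
The pattern Weatherford describes, one set of stolen credentials tried against many companies, is credential stuffing, and it is easy to miss because each account sees only one or two attempts and per-account lockouts never fire. Here is an added example (not code from United or from the articles above) that runs the per-source check over constructed login log lines; the line format is an assumption standing in for whatever the login service emits. The accounts where the reused password worked are the ones to lock and reset.

```python
"""
Detecting credential stuffing in web login logs.

Added example; not code from United Airlines or from the cited articles.
The log lines are constructed, and the format (timestamp, source IP,
username, result) is an assumption.

Stuffing looks different from password guessing: each account is tried
once with a password that is often correct, so the signal is per source
IP, not per account: many distinct usernames, a high failure ratio, and
successes scattered among the failures.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2015-01-12T03:14:01Z 203.0.113.9 alice FAIL
2015-01-12T03:14:02Z 203.0.113.9 bob FAIL
2015-01-12T03:14:02Z 203.0.113.9 carol FAIL
2015-01-12T03:14:03Z 203.0.113.9 dave OK
2015-01-12T03:14:04Z 203.0.113.9 erin FAIL
2015-01-12T03:14:05Z 203.0.113.9 frank FAIL
2015-01-12T03:14:06Z 203.0.113.9 grace OK
2015-01-12T03:20:00Z 198.51.100.4 heidi FAIL
2015-01-12T03:20:05Z 198.51.100.4 heidi FAIL
2015-01-12T03:20:09Z 198.51.100.4 heidi OK
2015-01-12T03:25:00Z 192.0.2.77 ivan OK
"""


def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or malformed lines
        ts, ip, user, result = parts
        yield ts, ip, user, result == "OK"


def stuffing_suspects(events, min_accounts=5, min_fail_ratio=0.5):
    """Source IPs that tried many distinct accounts with mostly failures.

    Returns dicts sorted by number of accounts tried; 'compromised' lists
    the accounts where the reused password worked.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "compromised": []})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            if user not in stats["compromised"]:
                stats["compromised"].append(user)
        else:
            stats["failures"] += 1

    suspects = []
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            suspects.append({"ip": ip,
                             "accounts_tried": len(s["users"]),
                             "fail_ratio": round(fail_ratio, 2),
                             "compromised": s["compromised"]})
    return sorted(suspects, key=lambda d: d["accounts_tried"], reverse=True)


if __name__ == "__main__":
    for s in stuffing_suspects(parse_log(SAMPLE_LOG)):
        print(f"{s['ip']}: {s['accounts_tried']} accounts tried, "
              f"{s['fail_ratio']:.0%} failures, reset: {s['compromised']}")
```

In the sample, the user who mistypes a password twice from 198.51.100.4 is not flagged (one account), while 203.0.113.9 touches seven accounts and gets into two of them. Attackers spread attempts across many IPs to stay under per-source thresholds, so in production the same counters are worth keeping per /24, per ASN and per user-agent as well.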

Apple Spotlight Runs Roughshod Over Mail Privacy Settings (January 9 & 10, 2015)

Apple's Spotlight desktop search in OS X Yosemite ignores the privacy setting in the Mail client that blocks remote content. When Spotlight indexes and previews a message it fetches the images and other remote files linked from the HTML, so the search results can include them even though the user has told Mail not to load remote content. The HTTP requests reveal the user's IP address, and the fact that the message was opened, to whoever hosts the content, which is exactly what tracking images in spam are designed to collect. Users can prevent this leak by unchecking "Mail & Mailboxes" in the Spotlight pane of System Preferences.
-http://www.theregister.co.uk/2015/01/10/spotlight_caught_spreading_your_delicates/
-http://www.computerworld.com/article/2867010/glitch-in-os-x-search-can-expose-private-details-of-apple-mail-users.html
-http://arstechnica.com/security/2015/01/spotlight-search-in-yosemite-exposes-private-user-details-to-spammers/

[Editor's Note (Ullrich): Heise, the publishing company that first discovered the flaw, also released a plugin to stop Spotlight from retrieving images. ]

Bitstamp Bitcoin Exchange Operational Again (January 9, 2015)

Bitcoin exchange Bitstamp is once again open for business, after suspending services on Monday, January 5 in the wake of an attack. Bitstamp resumed services on Friday, January 9. Bitstamp has implemented a new three-key authentication system, and is running on new hardware, which allowed the company to "preserve the evidence for a full forensic investigation."
-http://www.computerworld.com/article/2867355/bitstamp-reopens-after-attack-shuttered-exchange.html
-http://arstechnica.com/security/2015/01/bitstamp-reopens-bitcoin-exchange-adds-security-precautions/

[Editor's Note (Murray): Recent breaches that have exposed mission critical applications suggest that we should not be running those applications on the same networks and systems where we run high risk applications like e-mail and web browsing. ]

Ross Ulbricht's Silk Road Trial Will be Closely Watched (January 9 & 11, 2015)

If the trial of alleged Silk Road mastermind Ross William Ulbricht begins as scheduled on Tuesday, January 13, it will be the first court case to address several highly significant issues. Because Silk Road was an online marketplace whose operators, buyers and sellers were all anonymous, one of the things that will be tested in court is the legality of the techniques law enforcement used to unmask the site's administrators.
-http://www.wired.com/2015/01/why-silk-road-trial-matters/
-http://arstechnica.com/tech-policy/2015/01/who-was-silk-roads-dread-pirate-roberts-as-trial-nears-a-jury-will-decide/

Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive (January 6, 2015)

When security expert Katie Moussouris was traveling through Paris's Charles de Gaulle airport on her way back to the US after a conference, she was asked by security personnel there not only to power up her laptop, but also to enter her passwords to decrypt the machine's hard drive. The laptop was not confiscated.
-http://www.theregister.co.uk/2015/01/06/former_ms_bug_bounty_program_developer_forced_into_paris_laptop_decryption/

[Editor's Note (Ullrich): At least on OS X systems, you have the option to set up a "Guest" account that can be accessed without decrypting the disk. Since this was more a "functionality" test, it would likely have sufficed to log in to the guest account.
(Murray): This procedure was far less intrusive than those used by ICE at US points of entry. In a world in which everything is connected to everything else, commercial travelers should consider not traveling with sensitive data, encrypted or otherwise. ]

Logs Can be Helpful Forensic Security Tools if Used Properly (January 6, 2015)

Many cyber attacks leave footprints in security event logs. However, many organizations collect so much information that it is hard to know where to begin looking for evidence. Many companies are not aware of what sorts of logs they have and what data they should be collecting.
-http://www.infoworld.com/article/2865292/security/have-you-been-hacked-get-your-logs-in-order-to-find-out.html

[Editor's Note (Honan): This Windows logging cheat sheet may be a good start for organisations to look at when considering what they should be logging:
-http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf ]
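
The cheat sheet says what to log; the prior question raised in the InfoWorld piece is whether the logs you think you have are arriving at all. The following added example, not code from the page or from the cheat sheet, audits a constructed batch of forwarded event records against an expected host list and a small set of must-have event IDs. Choosing 4624 (successful logon) and 4688 (process creation) as must-haves is an assumption for illustration: both fire constantly on a live Windows host, so a day without them from a host that is otherwise reporting means the audit policy is off or forwarding is broken.

```python
"""
Log source coverage check: which hosts and which event types are actually
reaching the central log store.

Added example; not code from the InfoWorld article or the logging cheat
sheet. The records are constructed, and the MUST_HAVE set is an
assumption chosen because these events occur continuously on any live
Windows host, so their absence is a collection gap rather than a quiet day.
"""
from datetime import datetime, timedelta

MUST_HAVE = {
    4624: "successful logon (Audit Logon)",
    4688: "process creation (Audit Process Creation)",
}

EXPECTED_HOSTS = {"DC01", "FS01", "WS042", "WS043"}

# Constructed forwarded records: (ISO timestamp, host, event ID).
SAMPLE_RECORDS = [
    ("2015-01-12T08:00:00", "DC01",  4624),
    ("2015-01-12T08:00:05", "DC01",  4688),
    ("2015-01-12T08:00:09", "DC01",  4768),
    ("2015-01-12T08:10:00", "FS01",  4624),
    ("2015-01-12T08:10:30", "FS01",  4624),
    ("2015-01-09T17:00:00", "WS042", 4624),
    ("2015-01-09T17:00:02", "WS042", 4688),
]

NOW = datetime(2015, 1, 12, 12, 0, 0)   # fixed "current time" for the sample


def coverage_report(records, expected_hosts, must_have, now,
                    max_silence=timedelta(hours=24)):
    """Compare what arrived against what should have arrived.

    silent:         expected hosts never seen at all
    stale:          expected hosts seen, but not within max_silence
    missing_events: reporting hosts lacking a must-have event ID recently
    unexpected:     hosts sending logs that nobody listed (the article's
                    "not aware of what logs they have")
    """
    cutoff = now - max_silence
    last_seen = {}
    recent_ids = {}
    for ts, host, event_id in records:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
        if t >= cutoff:
            recent_ids.setdefault(host, set()).add(event_id)

    seen_hosts = set(last_seen)
    silent = sorted(expected_hosts - seen_hosts)
    stale = sorted(h for h in expected_hosts & seen_hosts if last_seen[h] < cutoff)
    missing_events = {}
    for host in sorted(expected_hosts & set(recent_ids)):
        gaps = sorted(i for i in must_have if i not in recent_ids[host])
        if gaps:
            missing_events[host] = gaps
    unexpected = sorted(seen_hosts - expected_hosts)
    return {"silent": silent, "stale": stale,
            "missing_events": missing_events, "unexpected": unexpected}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RECORDS, EXPECTED_HOSTS, MUST_HAVE, NOW)
    print("never seen:      ", report["silent"])
    print("gone quiet:      ", report["stale"])
    for host, ids in report["missing_events"].items():
        print(f"{host}: no recent {[must := MUST_HAVE[i] for i in ids]}")
    print("unlisted sources:", report["unexpected"])
```

In the sample, FS01 is forwarding logons but no process-creation events, which usually means the Audit Process Creation subcategory was never enabled there; WS042 stopped sending three days ago; WS043 has never reported. Run this against a day of data before an incident, not during one, so the gaps are fixed while the evidence can still be collected.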

STORM CENTER TECH CORNER

Are You PirateBay?
-https://isc.sans.edu/forums/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175/

Supra Electronics Smart Plug Analysis
-https://isc.sans.edu/forums/diary/IoT+The+Rise+of+the+Machines+Guest+Diary/19173/

Google Stops Patching of WebView for Jelly Bean and Prior
-https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior

Automatically Create Malicious Excel Spreadsheets
-https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1

Critical ASUS Router Vulnerability
-https://github.com/jduck/asus-cmd/blob/master/README.md

Extra Leap Second to be added June 30th/July 1st
-http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

Paensy USB Attack Library
-http://malware.cat/?p=89


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.