

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #5

January 20, 2015

TOP OF THE NEWS

UK and US to Conduct Joint Cyber Attack Simulation
US Infiltrated North Korea's Networks in 2010

THE REST OF THE WEEK'S NEWS

New Documents On China Theft of F-35 Fighter Jet Data
Chinese Government Allegedly Responsible for Attack Against Outlook.com
Verizon Fixes Data Exposure Vulnerability in My FiOS
Proposed Changes to US Laws Could Have Chilling Effect on Research
Google Discloses More Unpatched Windows Flaws
UK Police Make Arrest in Connection with Sony Attacks
UPI and New York Post Twitter Accounts Hijacked
New Jersey Law Requires Stored Health Data be Encrypted

STORM CENTER TECH CORNER



************************* Sponsored By Symantec ***************************
Compliments of Symantec: Gartner Magic Quadrant for Endpoint Protection Platforms - Find out which vendors Gartner positions as Leaders, Challengers, Visionaries or Niche Players based on their ability to execute and their completeness of vision. Gain in-depth knowledge of the market. Learn about factors driving market growth and unique challenges. Get an unbiased analysis of vendors.
http://www.sans.org/info/173792
***************************************************************************
TRAINING UPDATE


-SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


-Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and also broke the story on the Target breach, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


-10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and what paths (options) you can build your program around. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


-DFIR Monterey 2015 | Monterey, CA | Feb 23-28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/event/northern-virginia-2015


-Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


-Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-Looking for training in your own community?
http://www.sans.org/community/


-Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

TOP OF THE NEWS

UK and US to Conduct Joint Cyber Attack Simulation (January 16 & 19, 2015)

US and UK Intelligence agencies will collaborate on a simulated cyber attack against financial sector companies. The countries will also establish a joint cyber cell that will include FBI and NSA staff and their UK counterparts.
-http://www.scmagazine.com/us-and-uk-to-team-up-in-cyber-defense-exercises/article/393118/

-http://www.cnet.com/news/obama-cameron-agree-to-closer-collaboration-on-cyberwarfare/

-http://thehill.com/policy/cybersecurity/229779-us-uk-to-flex-joint-cyber-muscle
[Editor's Note (Murray): In the past, such exercises (remember Michael Chertoff on TV) have demonstrated the impotence of government in the face of the (Hollywood?) scenarios used. One would hope that the network operators and the banks, who must play the central roles in any such defense, will be included in any such exercises. Otherwise, the results will be used to justify that government must be given more power. ]

US Infiltrated North Korea's Networks in 2010 (January 18 & 19, 2015)

According to reports in The New York Times and Der Spiegel, US officials' confidence in blaming North Korea for the attacks against Sony Pictures' networks is due to the fact that the NSA infiltrated North Korean computers in November 2010.
-http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?_r=0

-http://www.cnet.com/news/nsa-was-tracking-north-korea-back-in-2010-docs-reveal/
-http://www.bbc.com/news/technology-30879637
-http://www.v3.co.uk/v3-uk/news/2390845/nsa-hacked-north-korea-with-custom-malware-long-before-sony-breach

-http://arstechnica.com/information-technology/2015/01/nsa-secretly-hijacked-existing-malware-to-spy-on-n-korea-others/



**************************** SPONSORED LINKS ******************************
1) White Paper: Benefits of Antivirus and Advanced Endpoint Threat Protection - without paying for both! http://www.sans.org/info/173797

2) Avoid Making the Headlines. Protect Your Retail Business from Cyber Attacks. Wednesday, January 28 at 1:00 PM EST with Isabelle Dumont and Dave Shackleford. http://www.sans.org/info/173747

3) How is your application security program changing? Tell us in the 2015 Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/173802
***************************************************************************

THE REST OF THE WEEK'S NEWS

New Documents On China Theft of F-35 Fighter Jet Data (January 19, 2015)

The BBC reports that China stole 50 terabytes of data regarding the US military's F-35 fighter jet. The information about the theft was in leaked NSA documents. The theft was originally reported in 2009. China has denied the allegations.
-http://www.bbc.com/news/world-australia-30875442
-http://www.cnn.com/2015/01/19/world/china-us-f35-fighter-denial/
-http://www.siliconrepublic.com/enterprise/item/40244-snowden-documents-reveal/

Chinese Government Allegedly Responsible for Attack Against Outlook.com (January 19, 2015)

A company that monitors censorship in China says that the country's government may be responsible for an attack on Microsoft's Outlook email system there. GreatFire says that the outlook.com website was the target of a man-in-the-middle attack which lasted about 24 hours. The attack comes just a few weeks after China blocked Gmail in that country.
-http://www.zdnet.com/article/microsoft-outlook-hacked-following-gmail-block-in-china/

-http://www.theregister.co.uk/2015/01/19/microsoft_outlook_hit_by_mitm_attack_says_china_great_fire_org/

-http://thehill.com/policy/cybersecurity/229914-china-suspected-of-cyberattack-on-microsoft

Greatfire Post:
-https://en.greatfire.org/blog/2015/jan/outlook-grim-chinese-authorities-attack-microsoft

[Editor's Note (Ullrich): Oddly, these attacks use simple, self-signed certificates, while the Chinese government would have access to valid certificates. Bulletin boards within China have attributed some of these attacks to criminal activity vs. government interference. At the same time, we keep receiving reports about misconfigurations of the DNS servers that are part of the "Great Chinese Firewall" redirecting users within China to random web sites which as a result experience DoS conditions. ]

Verizon Fixes Data Exposure Vulnerability in My FiOS (January 18 & 19, 2015)

Verizon has fixed a security flaw in its My FiOS mobile application that exposed inboxes and private messages of as many as five million user accounts. The data could be viewed by manipulating user ID numbers in web requests.
-http://www.theregister.co.uk/2015/01/19/verizon_fios_vulnerability/
-http://www.computerworld.com/article/2871488/flawed-verizon-my-fios-mobile-app-exposed-email-accounts.html

[Editor's Note (Ullrich): Great save by Verizon to not only fix the flaw within 2 days, but also reward the user for responsible disclosure. ]
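The flaw described above, reading another account's inbox by changing the user ID number in the request, is an insecure direct object reference: the server authenticates the caller and then trusts a client-supplied identifier anyway. The Go program below is an added example, not Verizon's code or the researcher's write-up: it places a handler with that defect next to one that binds the requested ID to the authenticated session, and drives both through net/http/httptest so the difference is observable without a network. The endpoint path, the X-Session-Token header, the tokens, the account IDs and the inbox contents are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Constructed sample data standing in for the app's message store
// (account IDs and messages are made up for this example).
var inboxes = map[int][]string{
	1001: {"Alice: your January statement is ready"},
	1002: {"Bob: your service appointment is confirmed"},
}

// Constructed session tokens mapped to the authenticated account. The real
// app's session mechanism is not described in the item; this is an assumption.
var sessions = map[string]int{
	"tok-alice": 1001,
	"tok-bob":   1002,
}

// callerID resolves the authenticated account from the session token header.
func callerID(r *http.Request) (int, bool) {
	uid, ok := sessions[r.Header.Get("X-Session-Token")]
	return uid, ok
}

// vulnerableInbox reproduces the defect pattern: the caller is authenticated,
// but the inbox returned is chosen by the client-supplied userId, so any
// logged-in user can read any inbox by changing the number.
func vulnerableInbox(w http.ResponseWriter, r *http.Request) {
	if _, ok := callerID(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	uid, err := strconv.Atoi(r.URL.Query().Get("userId"))
	if err != nil {
		http.Error(w, "bad userId", http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(inboxes[uid])
}

// hardenedInbox enforces object-level authorization: the inbox returned is
// always the session owner's, and a request for a different ID is refused and
// logged. That log line (one session asking for many IDs) is the detection signal.
func hardenedInbox(w http.ResponseWriter, r *http.Request) {
	caller, ok := callerID(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	uid, err := strconv.Atoi(r.URL.Query().Get("userId"))
	if err != nil {
		http.Error(w, "bad userId", http.StatusBadRequest)
		return
	}
	if uid != caller {
		log.Printf("authz denied: session user %d requested inbox %d from %s", caller, uid, r.RemoteAddr)
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	json.NewEncoder(w).Encode(inboxes[caller])
}

// fetchInbox plays the client: it sends one request to handler h and decodes
// the reply, returning the status code and any messages received.
func fetchInbox(h http.HandlerFunc, token string, userID int) (int, []string) {
	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/inbox?userId=%d", userID), nil)
	req.Header.Set("X-Session-Token", token)
	rec := httptest.NewRecorder()
	h(rec, req)
	var msgs []string
	if rec.Code == http.StatusOK {
		_ = json.NewDecoder(rec.Body).Decode(&msgs)
	}
	return rec.Code, msgs
}

func main() {
	// Alice's session asking for Bob's inbox (ID 1002) against each handler.
	code, msgs := fetchInbox(vulnerableInbox, "tok-alice", 1002)
	fmt.Println("vulnerable:", code, msgs)
	code, msgs = fetchInbox(hardenedInbox, "tok-alice", 1002)
	fmt.Println("hardened:  ", code, msgs)
}
```

The fix is deliberately not "validate the userId better": the only trustworthy source of the subject is the session, so the hardened handler reads the inbox by the session's account and treats a mismatching ID as an authorization failure worth recording.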

Proposed Changes to US Laws Could Have Chilling Effect on Research (January 18, 2015)

Proposed changes to the US Computer Fraud and Abuse Act (CFAA) and the Racketeering Influenced and Corrupt Organizations (RICO) Act could make the law more open to interpretation and could potentially criminalize certain research activity. For example, the changes could criminalize accessing a public document without the approval of the owner.
-http://www.eweek.com/security/proposed-u.s.-cyber-security-legislation-worries-researchers.html

-http://www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat

Google Discloses More Unpatched Windows Flaws (January 16, 2015)

Google has disclosed two additional vulnerabilities in Windows 90 days after alerting Microsoft to their presence. The disclosures are part of Google's Project Zero program, which aims to get companies to issue patches more quickly. A patch for one of the flaws had been planned for Microsoft's January updates but it was pulled due to compatibility issues. It will likely be included in the next round of Microsoft updates, which are scheduled for February 10. Google has been facing criticism for its strict adherence to the program's 90-day policy.
-http://www.computerworld.com/article/2870967/google-goes-public-with-more-windows-bugs.html

-http://arstechnica.com/information-technology/2015/01/google-drops-more-windows-0-days-somethings-gotta-give/

-https://code.google.com/p/google-security-research/issues/detail?id=128

UK Police Make Arrest in Connection with Sony Attacks (January 16, 2015)

UK police have arrested one person in connection with the December attacks on Sony's PlayStation Network and Microsoft's Xbox Live. The individual, an 18-year-old male, also faces charges related to swatting attacks.
-http://www.computerworld.com/article/2871659/uk-police-make-arrest-in-dos-attacks-on-playstation-xbox-networks.html

-http://www.bbc.com/news/technology-30849172
-http://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked/

UPI and New York Post Twitter Accounts Hijacked (January 16, 2015)

The Twitter accounts of UPI and the New York Post appear to have been hijacked. Fake news headlines were posted on both accounts. The attacks follow close on the heels of attacks on the YouTube and Twitter accounts of the US Central Command.
-http://www.bbc.com/news/world-us-canada-30853311
-http://www.computerworld.com/article/2871800/new-york-post-twitter-account-hacked-upis-compromised-too.html

-http://www.washingtonpost.com/blogs/erik-wemple/wp/2015/01/16/upi-new-york-post-twitter-accounts-hacked/

[Editor's Note (Murray): Twitter needs to enable the use of their strong authentication by supporting multiple users of these kinds of accounts. ]

New Jersey Law Requires Stored Health Data be Encrypted (January 12, 13 & 16, 2015)

A newly enacted New Jersey law requires health insurance companies doing business in that state to encrypt personal data they retain on computers. The law, which takes effect later this year, goes beyond the data protection requirements specified in the Health Insurance Portability and Accountability Act (HIPAA). The law was prompted by health data breaches in New Jersey.
-http://www.natlawreview.com/article/new-jersey-law-to-impose-encryption-obligations-health-insurance-carriers

-http://www.scmagazine.com/christie-signs-bill-to-protect-personal-information/article/392123/

-http://www.govinfosecurity.com/nj-law-requires-insurers-to-encrypt-a-7780
Text of the Bill:
-http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
[Editor's Note (Ullrich): Not a bad idea, but the law appears to apply only to "end user systems" not servers. The legislation appears to address the "lost laptop" problem, not so much the bulk theft of data from servers. ]

STORM CENTER TECH CORNER

Traffic Patterns For CryptoWall 3.0
-https://isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/

LizardStresser Database Leaked
-https://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked

Verizon Mobile App API Allows Authentication Bypass
-http://randywestergren.com/critical-vulnerability-verizon-mobile-api-compromising-user-email-accounts/

Shellshock Keeps On Giving
-https://isc.sans.edu/forums/diary/Shellshock+keeps+on+giving/19197/

Odd HTTP Requests For PHP Scripts
-https://isc.sans.edu/forums/diary/Strange+Random+GET+PHP+Queries/19199/

Details And Possible PoC For Telnet Vulnerability (Google cache link below. May not survive much longer)
-http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F4621&ie=utf-8&oe=utf-8

Vulnerable OBD2 Vehicle Ports
-http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.