SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #6

January 23, 2015

TOP OF THE NEWS

Some Say North Korean Tie to Sony Attacks Still Doesn't Add Up
Google Discloses Three OS X Flaws Through Project Zero
NSA Information Assurance Directorate Report Offers Malware Defense Best Practices

THE REST OF THE WEEK'S NEWS

High School Students Face Felony Charges for Computer Intrusion
Barrett Brown Gets Five Year Prison Sentence
WordPress Disconnects Unpatched Self-Hosted Sites
Guilty Plea in Online Intellectual Property Theft Case
NSW Auditor Says Traffic Signals Management Networks Lack Sufficient Security
Adobe Issues Emergency Flash Patch
Unpatched Adobe Flash
Oracle Issues Java Updates
Progressive Insurance Device Security Issues
Technology Analyzes ICS Power Consumption to Detect Attacks
GoDaddy Fixes Serious Site Flaw

PESCATORE FIRST LOOK AT PRESIDENT OBAMA'S CYBER SECURITY MESSAGE IN THE STATE OF THE UNION ADDRESS

STORM CENTER TECH CORNER


************* Sponsored By RSA, The Security Division of EMC *************
Malware: Finding the Evil in the Haystack - Live Webcast February 11 at 11:00 am ET/8:00 am PT. Hear firsthand from an RSA/EMC Tier 3 analyst about how to quickly identify malware on the endpoint and how to start "pulling threads" to identify other potential infections on the network.
Learn more: http://www.sans.org/info/174002
***************************************************************************

TRAINING UPDATE


- -Cyber Threat Intelligence Summit | Washington, DC | February 2-9, 2015 | Brian Krebs, the renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and who also broke the story on the Target breach, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and which paths (options) you can build your program around. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 | 5 courses.
http://www.sans.org/event/secure-canberra-2015


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/event/northern-virginia-2015


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2015


- -Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


- -Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -Looking for training in your own community?
http://www.sans.org/community/


- -Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

TOP OF THE NEWS

Some Say North Korean Tie to Sony Attacks Still Doesn't Add Up (January 21, 2015)

US authorities' confidence in pointing the finger at North Korea over the Sony Pictures attacks was recently bolstered by documents alleging that the NSA infiltrated North Korean networks in 2010. However, for some, doubts still linger regarding the source of the attacks. The profile of the attack does not fit that of a nation-state, but rather that of someone bent on revenge, according to Adallom vice president of strategy Tal Klein. And researcher and blogger Robert Graham questions the assumption that reports of the NSA's infiltration of North Korean systems prove North Korea's culpability. If the US did have such access, its monitoring either missed signs of the coming attack and/or did not warn Sony about what was coming.
-http://www.eweek.com/security/doubts-persist-over-north-korean-link-to-sony-hack-despite-nsa-claim.html

[Editor's Note (Honan): Our concerns should focus more on how the attack happened rather than who did it. Knowing how the attack was launched and how it succeeded will provide more value to other organizations trying to defend their systems. ]

Google Discloses Three OS X Flaws Through Project Zero (January 22, 2015)

Google has disclosed three more vulnerabilities as part of its Project Zero program. This time the flaws are in Apple's OS X. Google notified the company of their existence in October, 90 days prior to Google's public disclosure of them. Each of the flaws requires some degree of access to targeted devices for successful exploits.
-http://arstechnica.com/security/2015/01/google-drops-three-os-x-0days-on-apple/
-https://code.google.com/p/google-security-research/issues/detail?id=130
-https://code.google.com/p/google-security-research/issues/detail?id=135

NSA Information Assurance Directorate Report Offers Malware Defense Best Practices (January 22, 2015)

The NSA's Information Assurance Directorate has released a report titled "Defensive Best Practices for Destructive Malware." The document encourages proactive defense so organizations can minimize the possibility that they will have to clean up after a massive attack like the one launched against Sony Pictures. Recommended best practices include segregating network systems and functions, and reducing and protecting administrator privileges.
-http://www.darkreading.com/attacks-breaches/nsa-report-how-to-defend-against-destructive-malware/d/d-id/1318734?



**************************** SPONSORED LINKS ******************************
1) Download our new PDF "A CISO's Guide to Uncovering SAP Security Challenges" to learn how to best identify and protect against threats facing your SAP systems. http://www.sans.org/info/174007

2) How is your application security program changing? Tell us in the 2015 Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/174012

3) Best Practices for Eliminating SSL Encrypted Traffic Blind Spots. Wednesday, February 04 at 1:00 PM EST with John Pescatore, Greg Mayfield, and David Wells. http://www.sans.org/info/174017
***************************************************************************

THE REST OF THE WEEK'S NEWS

High School Students Face Felony Charges for Computer Intrusion (January 22, 2015)

Two Illinois high school students are facing felony charges for allegedly breaking into their school's computer system, changing attendance information, and accessing staff email. One of the students was charged with aggravated computer tampering; the other was charged with computer fraud. The students allegedly managed to circumvent the system's firewall and install keystroke logging software.
-http://www.scmagazine.com/two-illinois-teenage-students-reportedly-face-felony-charges-for-hacking/article/393724/

[Editor's Note (Weatherford): You can't save everyone, and these guys undoubtedly knew what they were doing was wrong and probably illegal, but I doubt they knew that they were messing up their lives with a felony offense. Not making excuses for criminals, but we need to do a better job of trying to save young people like this who could be valuable, contributing members of society. ]

Barrett Brown Gets Five Year Prison Sentence (January 22, 2015)

Barrett Brown, a journalist with ties to the Anonymous collective, has been sentenced to five years in prison. Brown pleaded guilty to federal charges of making Internet threats, being an accessory to unauthorized access of a protected computer, and obstructing a search warrant. Brown copied a hyperlink to data taken from Stratfor systems from one IRC channel to another, which prosecutors maintained made him party to the data theft. The charge related to the hyperlink was ultimately dropped.
-http://arstechnica.com/tech-policy/2015/01/its-all-over-barrett-brown-formerly-of-anonymous-sentenced-to-63-months/
-http://www.wired.com/2015/01/barrett-brown-sentenced-5-years-prison-connection-stratfor-hack/
-http://www.cnet.com/news/journalist-with-links-to-anonymous-sentenced-to-5-years-in-prison/

WordPress Disconnects Unpatched Self-Hosted Sites (January 22, 2015)

WordPress has disconnected self-hosted sites running its content management and blogging platform that have not yet patched the Jetpack add-on. The measure was taken to protect users from security threats.
-http://www.eweek.com/security/wordpress-disconnects-unpatched-sites.html

Guilty Plea in Online Intellectual Property Theft Case (January 20 & 22, 2015)

A Maryland man has pleaded guilty to conspiracy to commit computer intrusion and criminal copyright infringement for his role in a scheme that infiltrated systems at technology companies and stole intellectual property. Losses are estimated at more than US $100 million.
-http://www.scmagazine.com/nathan-leroux-pleads-guilty-to-hacking-charges/article/393789/
-http://www.fbi.gov/baltimore/press-releases/2015/third-member-of-international-computer-hacking-ring-pleads-guilty-to-hacking-and-intellectual-property-theft-conspiracy

NSW Auditor Says Traffic Signals Management Networks Lack Sufficient Security (January 21 & 22, 2015)

According to a report from the Auditor-General of New South Wales, the systems used to manage traffic signals in the Australian state "are not as secure as they should be." The systems could potentially be accessed without authorization and manipulated to disrupt traffic. Of particular concern are weak system passwords, staff inadequately prepared to respond to security incidents, and patching that is not frequent enough.
-http://www.theregister.co.uk/2015/01/22/nsw_traffic_lights_need_better_infosec_auditorgeneral/
-http://www.zdnet.com/article/auditor-general-warns-of-nsw-roads-network-vulnerabilities/

Adobe Issues Emergency Flash Patch (January 22, 2015)

Adobe released an emergency patch for Flash on Thursday, January 22 to address a vulnerability that is being actively exploited (see story below). The most current versions are now Flash Player 16.0.0.287 for Windows and Mac OS X, Flash Player 11.2.202.438 for Linux, and Flash Player Extended Support Release 13.0.0.262. ISC:
-https://isc.sans.edu/forums/diary/OOB+Adobe+patch/19217/
-http://krebsonsecurity.com/2015/01/flash-patch-targets-zero-day-exploit/
-http://www.scmagazine.com/adobe-issues-emergency-fix-for-flash-player-vulnerability/article/393977/
-http://www.computerworld.com/article/2873541/adobe-fixes-just-one-of-two-zero-day-flaw-in-flash-player.html

[Editor's Note (Northcutt): I usually avoid Wikipedia as an authoritative source, but this article sums up the Adobe universe as well as anything I have seen. Bottom line, upgrade frequently. If you do not have the support of an organizational IT group, consider letting the Adobe updates be done automatically. At the end of every update cycle they will give you that choice:
-http://en.wikipedia.org/wiki/Adobe_Flash_Player ]

Unpatched Adobe Flash (January 21 & 22, 2015)

An unpatched flaw in Adobe Flash Player is currently being exploited via compromised websites. Users' browsers are surreptitiously redirected to other sites where an exploit kit attempts to infect their computers. The exploit kits decide which malware to download onto the computers based on the browser installed and its plug-ins. Adobe is investigating the report of the vulnerability.
-http://www.eweek.com/security/doubts-persist-over-north-korean-link-to-sony-hack-despite-nsa-claim.html
-http://www.theregister.co.uk/2015/01/22/angler_ek_exploits_flash_0day/
-http://www.computerworld.com/article/2872708/attackers-are-exploiting-a-zero-day-flaw-in-flash-player.html
-http://www.darkreading.com/vulnerabilities---threats/adobe-investigating-new-flash-zero-day-spotted-in-crimeware-kit/d/d-id/1318707?
-http://arstechnica.com/security/2015/01/attack-for-flash-0day-goes-live-in-popular-exploit-kit/

Oracle Issues Java Updates (January 21, 2015)

Oracle has released updates for Java that address 19 security issues, including disabling default support for SSL 3.0. The latest versions of Java are Java 7 Update 75 and Java 8 Update 31. Users still running Java 7 need to be aware that Oracle will use auto-update to migrate them to Java 8 over the next several days. The Java updates are part of Oracle's Quarterly Patch Update, which was released on Tuesday, January 20, and fixes 169 vulnerabilities in company products. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Oracle+Critical+Patch+Update+for+Q1+2015+Includes+Java+Updates/19211/
-http://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/
-http://www.computerworld.com/article/2873215/critical-java-updates-fix-19-vulnerabilities-disable-ssl-30.html
-http://www.zdnet.com/article/oracle-issues-critical-patch-update-169-new-security-fixes/

Progressive Insurance Device Security Issues (January 20 & 21, 2015)

A wireless device used by Progressive Insurance to gather information about customers' driving habits lacks adequate security. A proof-of-concept attack showed how the weaknesses in the SnapShot device could be exploited to unlock car doors, start cars, and access engine information. SnapShot does not validate or sign firmware updates and does not use secure communication protocols. The device has been used in more than two million vehicles since 2008.
-http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/
-http://www.scmagazine.com/insurance-dongle-could-be-compromised/article/393707/

[Editor's Note (Weatherford): The security landscape is rife with unintended consequences, but that does not absolve the vendor of responsibility. IoT is going to result in all kinds of unintended consequences...we still have time, if we have the will.
(Assante): Corey is a gifted researcher who understands the myriad of problems that come with embedded systems. The IoT will continue to suffer from the exaggerated line of sight to those responsible and able to address security for firmware and device-to-system communications. We are building an untold number of things that will interact with cyber-to-physical systems designed with little thought towards cybersecurity. Welcome back to the 1990s, where many of the systems of today find their roots. ]

Technology Analyzes ICS Power Consumption to Detect Attacks (January 20, 2015)

A startup security company that got its start through DARPA funding focuses on detecting anomalies in power consumption to detect attacks against utilities and manufacturing systems. The technology developed by the company detected Stuxnet "in an experimental network before the malware went into action."
-http://www.darkreading.com/analytics/security-monitoring/new-technology-detects-cyberattacks-by-their-power-consumption-/d/d-id/1318669

GoDaddy Fixes Serious Site Flaw (January 20 & 21, 2015)

Domain registrar GoDaddy has fixed a vulnerability that could be exploited through a cross-site request forgery (CSRF) attack to manipulate domain settings and take control of the sites.
-http://www.scmagazine.com/godaddy-patches-csrf-bug-discovered-by-security-researcher/article/393299/
-http://www.theregister.co.uk/2015/01/21/godaddy_rushes_to_plug_domain_hijack_hole/


PESCATORE FIRST LOOK AT PRESIDENT OBAMA'S CYBER SECURITY MESSAGE IN THE STATE OF THE UNION ADDRESS

While President Obama's five sentences on cybersecurity during his State of the Union Address did not live up to the pre-SOTU hype, they did trigger a lot of mainstream press attention around cybersecurity legislation. The legislation President Obama mentioned was part of the Obama administration's May 2011 Cybersecurity Legislative Proposal, so it is not actually anything new:

- - A national breach disclosure law, which could drive improvements in security - but only if the national bill raises, vs. lowers, the bar over the various state laws that currently exist.

- - Information sharing legislation which is mainly aimed at increasing the amount of information industry has to report to government, with only minor tweaks to improve threat information sharing in private industry.

- - Legislation to clarify and increase penalties for attacks and misuse of information - all good things.

I would have liked to hear President Obama's focus be more on increasing national law enforcement's ability to fight cybercrime, and on the government using its buying power to increase the security level (reduce the vulnerability level) of US products and services, such as he laid out in the October 2014 Executive Order that introduced the US government's BuySecure initiative.

STORM CENTER TECH CORNER

Chrome Update
-http://googlechromereleases.blogspot.com/2015/01/stable-update.html

Firefox Referer Meta Tag
-https://blog.mozilla.org/security/2015/01/21/meta-referrer/

Atlassian Bugs
-https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21

Flash 0 Day Exploit Used By Angler Exploit Kit
-https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/

Cisco Security Report
-http://www.cisco.com/web/offers/pdfs/cisco-asr-2015.pdf

More Modem and Router Exploits
-http://www.gironsec.com/blog/2015/01/owning_modems_and_routers_silently/

Audit for Privilege Escalation Vulnerabilities
-https://isc.sans.edu/forums/diary/Finding+Privilege+Escalation+Flaws+in+Linux/19207/

Oracle to Release Critical Patch Update
-http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.