SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #16
February 24, 2017TOP OF THE NEWS
Less Than 25 Percent of Cybersecurity Job Applicants Are Qualified
Which Colleges Prepare People For Entry Level Cybersecurity Jobs?
Google Cracks SHA-1 With Hash Collision Attack
THE REST OF THE WEEK'S NEWS
Cloudflare Fixes Flaw That Leaked Customer Data
Secretaries of State Oppose Critical Infrastructure Designation for Voting Systems
British Police Arrest Deutsche Telekom Cyber Attack Suspect
Fix for Linux Kernel Local Root Bug
Expired Certificates at DHS Network Prevented Employees from Accessing Systems
Malware Can Be Used to Exfiltrate Data Across Air Gap
Dutch Banking Industry Security Needs Work
Microsoft Releases Fix for Critical Flash Flaws
U.S. Dept. of Energy Awards Grants for Projects to Protect Grid
GSA Inspector General Says 18F Violated Security Requirements
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER***************************Sponsored By Malwarebytes*********************Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper." http://www.sans.org/info/192292 ***************************************************************************
TRAINING UPDATE
-- SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017 -- SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017 -- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017 -- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017 -- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017 -- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017 -- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017 -- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017 -- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017 -- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses. OnDemand - https://www.sans.org/ondemand/specials vLive - https://www.sans.org/vlive/specials -- Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ -- View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Less Than 25 Percent of Cybersecurity Job Applicants Are Qualified (February 22, 2017)
According to a report from ISACA, fewer than 25 percent of applicants for cybersecurity positions are qualified for the job. More than half of available positions take from three to six months to fill. The report notes that hands-on experience is more important than training.[Editor Comments]
[Williams] There's a lot behind this article and some of the measurements don't jive with the results. Many organizations dipping their toes into infosec hiring are offering dramatically low salaries. In the negative unemployment infosec market, your salary offers will impact your ability to hire qualified candidates or even get them to apply. Read more in: Dark Reading: Fewer Than One Fourth Of Cybersecurity Job Candidates Are Qualified http://www.darkreading.com/vulnerabilities---threats/fewer-than-one-fourth-of-cybersecurity-job-candidates-are-qualified/d/d-id/1328244
Which Colleges Prepare People For Cybersecurity Jobs? (February 23, 2017)
Google's An email to the Cybersecurity Advisory Board a few days ago: "We recently added an entry-level position for our Information Security team. Among the candidates we received (and we got a pretty good response) were a number of recent Cyber Security degree (B.S.) graduates. We were a little surprised at what they have been learning. They understand the need for policies and standards. They know about anti-virus, patching, "the Kali", and Encase and think it is great. Pen testing is very cool. They know a little bit about social engineering and phishing. They give great answers on the difference between a vulnerability and a threat. They have a basic understanding of encryption and access models. These are all very good things. However, there seems to be quite a bit missing from what I would consider a "cyber" perspective. When it came to their college training, no one seemed to have learned the basics of computers. XSS, buffer overflows, even the basics of an operating system are not taught. The concept of salting and hashing were unknown to most of them, and even knowledge of keys was very rudimentary. Maybe these are more advanced topics, but I was disappointed. We spoke to graduates of 3 separate college programs, 2 of which are on the NSA / DHS Center of Academic Excellence list, and I had hoped for more. Does anyone know of any colleges that prepare their cybersecurity grads including some hands on experience with the "five foundations" that will make them effective? (The 5 foundations are: 1. Computer basics including how computers work, operating systems and virtualization, and networking; 2. Linux fundamentals; 3. Windows fundamentals; 4. Programming including C, Python, HTML and Java; 5. Security basics from buffer overflows to SQL injection to the basics of finding attackers in networks.)" If any NewsBites readers know of a college that ensures their cyber graduates have these foundations, let us know and we'll pass it along to the CISO who wrote the note to the Advisory Board, and give the college full credit and highlight them on the list of "Best undergraduate colleges for cybersecurity education". Email apaller@sans.org with your suggestions.Google Cracks SHA-1 With Hash Collision Attack (February 23, 2017)
Researchers from Google and Centrum Wiskunde & Informatica research center in Amsterdam, Netherlands, have developed a collision attack that defeats the SHA-1 cryptographic algorithm. While SHA-1 has not been used in websites' digital certificates for more than a year and many browsers are starting to deprecate SHA-1 certificates, SHA-1 is still used to validate the integrity of documents.[Editor Comments]
[Murray] Collisions are inevitable. Collision attacks, while perhaps cheaper than previously thought, remain expensive; the issue is not feasibility but efficiency. All that said, SHA-1 is made obsolete by the availability of efficient alternatives. Changing to stronger alternative is indicated but not urgent. [Williams] The SHA-1 collision took nine quintillion SHA1 calculations to generate. Details are yet to emerge, but it may also rely on the specific type of data for which collisions are being generated. PDF's are immensely complex and the complexity of the file format might help with this. Regardless, most organizations don't have the resources to create a SHA-1 collision. Even MD5 continues to be useful for threat hunting. In short, SHA-1 should not be used for trust relationships, but don't read this and think "SHA-1 is dead in all applications."
Read more in:
Google: Announcing the first SHA1 collision https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html WSJ: Google Team Cracks Longtime Pillar of Internet Security https://www.wsj.com/articles/google-team-cracks-longtime-pillar-of-internet-security-1487854804 Wired: A Super-Common Crypto Tool Turns Out to be Super Insecure https://www.wired.com/2017/02/common-cryptographic-tool-turns-majorly-insecure/ The Register: 'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time http://www.theregister.co.uk/2017/02/23/google_first_sha1_collision/ SC Magazine: On shaky ground: SHA-1 web standard cracked https://www.scmagazine.com/on-shaky-ground-sha-1-web-standard-cracked/article/639790/ Ars Technica: At death's door for years, widely used SHA1 function is now dead https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/ ***************************SPONSORED LINKS********************************
1) Stop Ransomware Before It Starts - Download the Ransomware on the Rise eBook Now: http://www.sans.org/info/192297
2) Endpoint Protection...What really matters? Register now for this 5-part Webcast Series: http://www.sans.org/info/192302
3) It's time to reimagine your identity strategy. Join RSA identity experts to learn how. Register: http://www.sans.org/info/192307
******************************************************************************
THE REST OF THE WEEK'S NEWS
Cloudflare Fixes Flaw That Leaked Customer Data (February 23 & 24, 2017)
Cloudflare has fixed a security issue in its software that leaked sensitive customer data, including passwords, cookies, and authentication tokens. The bug affected 3,400 websites that use Cloudflare's content delivery and security services. The problem was caused by a flaw in an HTML parser.[Editor Comments]
[Williams] This bug is much like Heartbleed, but only impacts customers protected by CloudFlare. Also unlike Heartbleed, by the time the vulnerability was disclosed, the bug had been completely patched. The bug was mitigated within hours, highlighting the difference between patching a problem at a service provider and patching software (many active servers are still vulnerable to Heartbleed today). Even if organizations performed vulnerability assessments after deploying their sites behind Cloudflare, they may not have noticed the issues since their site may not have triggered the error.[Honan] Companies can learn a lot from how Cloudflare handled and responded to this situation. Their communications to their customers was timely, informative, and covered the key points required. Emails were sent to each customer providing them with details, and Cloudflare published a blog post which is available at https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Read more in:
Ars Technica: Serious Cloudflare bug exposed a potpourri of secret customer data https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/ CNET: Uber, Fitbit, OKCupid information exposed by wide-reaching flaw https://www.cnet.com/news/uber-fitbit-okcupid-cybersecurity-password-information-exposed-wide-reaching-flaw/ ZDNet: Cloudflare found leaking customer HTTP sessions for months http://www.zdnet.com/article/cloudflare-found-leaking-customer-https-sessions-for-months/ CyberScoop: Cloudflare has been massively leaky for months https://www.cyberscoop.com/cloudflare-has-been-leaking-massive-data-for-months/?category_news=technology The Register: Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug http://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/
Secretaries of State Oppose Critical Infrastructure Designation for Voting Systems (February 23, 2017)
At its winter meeting earlier this month, the National Association of Secretaries of State adopted a resolution opposing the Department of Homeland Security's (DHS's) designation of election systems as critical infrastructure. Organization members are concerned about the potential for federal government overreach into state systems, and about the fact that DHS has not been forthcoming with information about what the designation means for states.Read more in:
eWeek: States Oppose Designating Election Systems as Critical Infrastructure http://www.eweek.com/security/states-oppose-designating-election-systems-as-critical-infrastructure.html GCN: States resist 'critical infrastructure' designation for election systems https://gcn.com/articles/2017/02/23/voting-critical-infrastructure-opposition.aspx?admgarea=TC_SecCybersSec
British Police Arrest Deutsche Telekom Cyber Attack Suspect (February 23, 2017)
Police in Britain have arrested a man wanted in connection with a November 2016 cyberattack against Deutsche Telekom that caused service disruptions for 900,000 people. The attack attempted to infect Deutsche Telekom customers' routers with malware to make them part of a botnet. Germany considers the attack a federal matter because it posed a threat to the country's communications infrastructure. The suspect is expected to face an extradition hearing by early next week.Read more in:
Computerworld: Police arrest man suspected of building million-router German botnet http://computerworld.com/article/3173350/security/police-arrest-man-suspected-of-building-million-router-german-botnet.html BBC: Router hack suspect arrested at Luton airport http://www.bbc.com/news/technology-37510502 V3: Brit arrested over Mirai botnet attack on Deutsche Telekom http://www.v3.co.uk/v3-uk/news/3005254/brit-arrested-over-mirai-botnet-attack-on-deutsche-telekom
Fix for Linux Kernel Local Root Bug (February 23, 2017)
Linux distributions have begun releasing patches for a vulnerability in the Linux kernel that has likely been present since 2005. The "double free flaw" lies in the kernel's implementation of Datagram Congestion Control protocol (DCCP) and could be exploited to gain root privileges. Used in conjunction with other vulnerabilities, the flaw could allow attackers to execute arbitrary code. [Editor Comments] [Murray] For twelve years this obscure vulnerability has been a very small risk. That just changed. Read more in: ZDNet: Linux's decade-old flaw: Major distros move to patch serious kernel bug http://www.zdnet.com/article/linuxs-decade-old-flaw-major-distros-move-to-patch-serious-kernel-bug/ The Register: Linux kernel gets patch for 11-year-old local-root-hole security bug http://www.theregister.co.uk/2017/02/23/linux_kernel_gets_patch_against_12yearold_bug/ Computerworld: Eleven-year-old root Linux kernel flaw found and patched http://computerworld.com/article/3173235/security/eleven-year-old-root-linux-kernel-flaw-found-and-patched.htmlExpired Certificates at DHS Network Prevented Employees from Accessing Systems (February 21 & 23, 2017)
On Tuesday, February 21, some employees at the U.S. Department of Homeland Security (DHS) found themselves unable to access federal information systems. The problem was identified as an expired security certificate and was mitigated within hours of its discovery. The issue affected four Citizenship and Immigration Services facilities in the Washington, D.C. area.Read more in:
Reuters: U.S. Homeland Security employees locked out of computer networks: sources http://www.reuters.com/article/us-usa-cyber-dhs-idUSKBN160240 NextGov: Expired Security Certificates Locked DHS Employees Out of Network http://www.nextgov.com/cybersecurity/2017/02/expired-security-certificates-locked-dhs-employees-out-network/135616/?oref=ng-channeltopstory
Malware Can Be Used to Exfiltrate Data Across Air Gap (February 22 & 23, 2017)
Israeli university researchers have developed a data exfiltration technique that defeats the air gap by deciphering blinks from a hard drive's LED indicator. The attack requires that someone with inside access place malware on the targeted system. In a demonstration, the researchers used a drone hovering outside a window to read the information being transmitted by a hard drive's blinks. [Editor Comments] [Murray] One purpose of an "air gap" is to resist leakage; the other is to resist contamination via a network connection. It is not intended to, or effective for, resisting insiders. If an attacker is privileged to install a malicious program on a system, he certainly has a cheaper and faster way to exfiltrate the data than this. Read more in: Wired: Malware Lets a Drone Steal Data by Watching a Computer's Blinking LED https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/ The Register: Boffins exfiltrate data by blinking hard drives' LEDs http://www.theregister.co.uk/2017/02/23/hard_drive_light_used_to_exfiltrate_data/Dutch Banking Industry Has Low DNSSEC Implementation (February 22, 2017)
A study conducted by Dutch Internet registry SIDN found that Dutch domain names do not adequately employ DNSSEC security. The DNSSEC Inventory 2017 examined 7,000 .nl domains owned by various industries. Domain names associated with the Internet infrastructure showed a 64 percent DNSSEC implementation rate; government followed with 59 percent. Among domains in the banking industry examined in the study, just six percent had implemented DNSSEC. Read more in: The Register: How's your online bank security looking? The Dutch studied theirs and ... yeah, not great http://www.theregister.co.uk/2017/02/22/dutch_banking_industry_security_bad/ SIDN: SIDN sounds the alarm on DNSSEC security status of Dutch domain names https://www.sidn.nl/a/internet-security/sidn-sounds-the-alarm-on-dnssec-security-status-of-dutch-domain-names?language_id=2Microsoft Releases Fix for Critical Flash Flaws (February 22, 2017)
Microsoft has released an out-of-cycle security update to address critical flaws in Adobe Flash Player. Microsoft announced earlier this month that it would delay its scheduled February update due to "a last minute issue that could impact some customers." The rest of the patches will be distributed with the March 14 update. Read more in: ZDNet: Microsoft issues critical security patches but leaves zero-day flaws at risk http://www.zdnet.com/article/microsoft-issues-some-security-patches-but-leaves-zero-day-flaws-at-risk/ The Register: Microsoft catches up to Valentine's Day Flash flaw massacre http://www.theregister.co.uk/2017/02/23/microsoft_flash_security_update/ Microsoft: Microsoft Security Bulletin Summary for February 2017 https://technet.microsoft.com/library/security/ms17-febU.S. Dept. of Energy Awards Grants for Projects to Protect Grid (February 22, 2017)
The U.S. Department of Energy has given grants totaling USD 4 million to four companies for projects that are developing technology to help protect the country's power grid. The funded projects "will lead to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S. energy infrastructure." [Editor Comments] [Murray] The US grid is fragile but resilient. The operators deal with hundreds of component failures and lightning strikes every day. Most of these failures are not visible to customers. They do not see or deal with many malicious attacks and tend to treat the few they do see as noise. They see the problem as natural limitations and events, rather than artificial or malicious events. We need "attitude adjustment" more than new technology. We need to hide the controls of the grid behind strong authentication and end-to-end application level encryption. These require intent and diligence but not new technology. Read more in: CyberScoop: DOE tries to spur development of defenses against Ukraine-style electric grid cyberattack https://www.cyberscoop.com/doe-tries-spur-development-defenses-ukraine-style-electrical-grid-cyberattack/GSA Inspector General Says 18F Violated Security Requirements; Staff Says Compliance Does Not Equal Security (February 21, 2017)
According to a report from the Inspector General (IG) of the U.S. General Services Administration (GSA), the agency's 18F digital services program was found to be using unapproved software, running applications on the network without proper authorization, and an absence of oversight and guidance. 18F officials disagree with the findings, saying that the IG report is more concerned with checking boxes than with evaluating security. One 18F staff member noted, "It is important to make the distinction between compliance and security." Read more in: Federal News Radio: GSA IG uncovers further misdeeds by 18F executives http://federalnewsradio.com/agency-oversight/2017/02/gsa-ig-uncovers-18f-misdeeds-executives/ NextGov: Auditor Thrashes 18F for IT Security Vulnerabilities, 18F Staffers Shoot Back http://www.nextgov.com/cybersecurity/2017/02/auditor-thrashes-18f-it-security-vulnerabilities-18f-staffers-shoot-back/135591/?oref=ng-channelriverINTERNET STORM CENTER TECH CORNER
Microsoft Releases Flash Patch From Skipped February Update
https://technet.microsoft.com/en-us/library/security/MS17-005Investigating Off-Premise Wireless Behaviour
https://isc.sans.edu/forums/diary/Investigating+OffPremise+Wireless+Behaviour+or+I+Know+What+You+Connected+To/22089/"Bugdrop" Steals Large Amount of Audio
https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/User Centric Mobile Device Security With Stethoscope
http://techblog.netflix.com/2017/02/introducing-netflix-stethoscope.htmlFingerprinting Firefox With Intermediate Certificates
https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/JudasDNS Attack DNS Proxy
https://github.com/mandatoryprogrammer/JudasDNSResearchers Find SHA1 Collision
https://shattered.io/static/shattered.pdfArrest Made in Deutsche Telekom DSL Modem Attack
https://www.bleepingcomputer.com/news/security/uk-police-arrest-suspect-behind-mirai-malware-attacks-on-deutsche-telekom/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create