SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #72

September 10, 2013

Career growth in cybersecurity?

On Friday, four more graduates and their families will celebrate their new Masters Degrees in Security Engineering - degrees focused exclusively on people working in the field who seek rapid career advancement. Just working toward this degree has impacted all their careers: (1) From "firewall guy" to "technology manager" at a very large telecom company "frequently communicating with senior management and writing the executive briefings," (2) From "tech person" to "the most senior technical manager" at an insurance company, "always the liaison between upper management and the technical people," (3) From "analyst" to "manager" to "director" at a large software company, in part because of the new "technical communication skills I developed during my degree program," and (4) From "information security manager" to "CISO" and then to directing cyberskills development for a big part of the military. If you are working in cybersecurity and considering pathways to promotion, getting a SANS' Masters degree (www.sans.edu) makes sense. Connect with Mary Kay Porter (mkporter@sans.edu) to learn whether your academic and professional backgrounds make you eligible.

Alan

PS While earning this masters degree you will complete several GIAC certifications, which are now recognized as the certifications with the fastest growing demand and economic value among all 61 IT certifications, not just security certifications.

* GIAC Certified Incident Handler, which spiked 22.2% in demand
according to Foote Partners.
* GIAC Certified Firewall Analyst, rising 20%.
* GIAC Certified Forensics Examiner, up 16.7%.
Two more GIAC certifications are rapidly gaining value, as well:
* GIAC Certified Intrusion Analyst, up 10%.
* GIAC Certified Forensics Analyst, up 10%.

---

TOP OF THE NEWS

Internet Companies Seek Permission to Disclose Government Data Requests
Indian Government is Snooping on its Citizens

THE REST OF THE WEEK'S NEWS

Sykipot Variant Steals US Civil Aviation Data
South Korea Steps Up Authentication Measures to Fight Online Financial Fraud
Verizon/FCC Case Oral Arguments on September 9
Long Shot Bill Would Prohibit NSA From Putting Backdoors in Encryption
Spike in Number of Tor Users Blamed on Botnet

SPECIAL THIS WEEK:

Valuable New Research Papers From The SANS Masters Program and Reading Room

---

************************* Sponsored By Bit9 ****************************
Why have targeted Advanced Threats succeeded so dramatically when most organizations have architected sophisticated defense-in-depth strategies? Because most of the tools and strategies organizations possess were built for the last generation of security threats. Download this interactive whitepaper and learn why
http://www.sans.org/info/138965
*************************************************************************
TRAINING UPDATE

-- Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


-- Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


-- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- SANS London 2013 London, UK November 16-25, 2013 17 courses.
http://www.sans.org/event/london-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Chicago, and Ft. Lauderdale all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Internet Companies Seek Permission to Disclose Government Data Requests (September 9, 2013)

Facebook, Google, and Yahoo have filed a petition with the US Foreign Intelligence Surveillance Court, seeking permission to disclose more information about secret data requests made by the government. The companies are stepping up their push because earlier efforts, made in the wake of revelations about the existence of PRISM and other government surveillance programs surfaced earlier this summer, were not successful. The companies want to disclose detailed information about national security requests made under FISA. Google has asked that the hearing be made public.
-http://www.nbcnews.com/technology/after-nsa-encryption-furor-tech-companies-ask-
more-transparency-8C11114402
-http://news.cnet.com/8301-1009_3-57601988-83/google-facebook-yahoo-seek-permissi
on-to-publish-fisa-requests/
-http://www.computerworld.com/s/article/9242262/Facebook_Google_Yahoo_ask_the_fed
s_to_break_out_more_data_requests?taxonomyId=17

Indian Government is Snooping on its Citizens (September 9, 2013)

According to an Indian newspaper, the Indian government is conducting broad Internet surveillance of that country's citizens. An investigation revealed that Lawful Intercept and Monitoring systems (LIMs) were being used in violation of the Indian government's laws. LIMs are separate from monitoring systems that telecommunications companies use in India as part of the government's Central Monitoring System.
-http://www.theregister.co.uk/2013/09/09/india_surveillance_intercept_isp_covert/
-http://www.zdnet.com/in/india-govt-reportedly-monitors-web-activities-without-is
p-knowledge-7000020396/

---

*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/138970

2) ALERT: Learn how to unmask stealthy web application attacks- Free 30 Day Trial http://www.sans.org/info/138975

3) "New Paper available in the SANS reading room: How to Fight the Real DDoS Threat" by John Pescatore? http://www.sans.org/info/138980
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Sykipot Variant Steals US Civil Aviation Data (September 9, 2013)

A new version of malware known as Sykipot was observed targeting US civil aviation. Over the past 6 years, 15 versions of Sykipot were seen targeting organizations in the defense industries. Sykipot inserts backdoors onto target PCs, spreading through malicious attachments.
-http://www.darkreading.com/vulnerability/sykipot-malware-now-targeting-civil-avi
a/240160988
-http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting
-us-civil-aviation-sector-information/

South Korea Steps Up Authentication Measures to Fight Online Financial Fraud (September 9, 2013)

In an effort to combat cyber fraud, South Korea's Financial Supervisory Service (FSS) says that as of September 26, 2013, people who conduct online transactions with banks, insurance companies, brokerage firms, and other financial institutions will be required to identify themselves through text messages or automated response systems.
-http://www.zdnet.com/s-korea-financial-sector-to-step-up-user-authentication-700
0020384/
[Editor's Note (Pescatore): While moving to stronger authentication is a very, very good thing, trying to dictate the mechanism used always results in "shooting behind the duck."
(Shpantzer): Authenticating the user is one aspect of protecting from fraud. Another important aspect is making sure the transaction makes sense. We're still seeing large transfers going to never-seen-before accounts. Hostile bank-account takeover specialists are good at circumventing authentication, so we should assume a compromised endpoint as part of the threat model and not over-rely on user-authentication, letting suspicious transfers through.
-http://krebsonsecurity.com/category/smallbizvictims/]

Verizon/FCC Case Oral Arguments on September 9 (September 8 & 9, 2013)

On Monday, a three-judge US Court of Appeals for the DC Circuit panel heard oral arguments from the Federal Communications Commission (FCC) and Verizon regarding the former's net neutrality rules. The FCC adopted the Open Internet Order in December 2010; Verizon has sued to stop the order. Verizon maintains that the FCC is overstepping its authority and that the rules are unconstitutional because they restrict the transmission of speech over its networks. The judges reportedly "grilled an FCC lawyer on the agency's legal basis for creating
[the ]
rules."
-http://www.washingtonpost.com/business/technology/appeals-court-skeptical-of-fcc
s-internet-access-rules/2013/09/09/2e7fbeb2-1983-11e3-8685-5021e0c41964_story.ht
ml
-http://www.bbc.co.uk/news/technology-24020670
-http://www.zdnet.com/verizon-battles-fcc-on-net-neutrality-consumer-content-7000
020392/
-http://arstechnica.com/tech-policy/2013/09/verizons-bid-to-kill-network-neutrali
ty-law-goes-to-court-monday/
-http://www.forbes.com/sites/waynecrews/2013/09/08/net-neutrality-fcc-and-verizon
-finally-head-to-court/
(Please note that The New York Times website requires a paid subscription)
-http://www.nytimes.com/2013/09/09/business/verizon-and-fcc-net-neutrality-battle
-set-in-district-court.html?pagewanted=all&_r=0

Long Shot Bill Would Prohibit NSA From Putting Backdoors in Encryption (September 8, 2013)

A US legislator has introduced a bill that would prohibit the National Security Agency (NSA) from introducing backdoors into encryption. The bill was originally introduced in July, but has received renewed attention following recent revelations about the NSA's snooping activities. It seeks to repeal the Patriot Act and the FISA Amendments Act of 2008. As currently written, the bill stands virtually no chance of passing out of committee, let alone reaching the floor.
-http://arstechnica.com/tech-policy/2013/09/long-shot-bill-forbidding-nsa-backdoo
rs-in-encryption-has-some-renewed-attention/
[Editor's Note (Pescatore): I have asked my state senator to sponsor a long shot bill that prohibits cyber attackers from sending out malware that puts backdoors onto PCs and servers. ]

Spike in Number of Tor Users Blamed on Botnet (September 6, 2013)

A recent spike in the number of users of the Tor network is being explained as being a botnet known as Mevade.A. The increased traffic on the anonymizing network caught the attention of the Project Tor director, who asked the public to suggest possible explanations. Early ideas included people wanting to protect their communications in the wake of reports of NSA surveillance, but the steadily increasing number of users suggests that "these Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight."
-http://www.theregister.co.uk/2013/09/09/malware_culprit_fingered_in_mysterious_t
or_traffic_spike/
-http://www.bbc.co.uk/news/technology-23984814
-http://www.net-security.org/secworld.php?id=15530

---

SPECIAL THIS WEEK:

SPECIAL THIS WEEK: New Research Papers From The SANS Masters' Program Dr. Johannes Ullrich, Chief Research Officer at the SANS Technology Institute (graduate school) chose two papers to highlight this week: 1. A great paper that already got a lot of attention: SSL/TLS: What's Under the Hood
-http://www.sans.org/reading-room
/whitepapers/authentication/ssl-tls-whats-hood-34297">
-http://www.sans.org/reading-room
/whitepapers/authentication/ssl-tls-whats-hood-3
4297
But first read the summary to see what all the fuss is about:
-https://isc.sans.edu/diary/Psst.+Your+Browser+Knows+All+Your+Secrets./16415
) This paper is a good example of how impressive the students in SANS masters degree programs really are. 2. A relevant paper because this is how you *could* prevent some spear phishing if anybody would care to do so: Using DomainKeys Identified Mail (DKIM) to Protect Your Email Reputation
-http://www.sans.org/reading-room
/whitepapers/intrusion/domainkeys-identified-mail-dkim-protect-email-reputation-34317">
-http://www.sans.org/reading-room
/whitepapers/intrusion/domainkeys-identified-mai
l-dkim-protect-email-reputation-34317
More than 2,000 other original cybersecurity research papers, in 75 topic areas, are available exclusively at the SANS Reading Room. The most recent 25 are always available at:
-http://www.sans.org/reading-room

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/