Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #20

March 10, 2014


A Promising Solution for the Cyber Skills Shortage: The shortage of technical cyber talent is now so acute that large companies and agencies are paying enormous salaries to steal technical cyber talent from other employers. That raises costs without any long-term improvement in security. Many smaller security service providers (and sadly, some large ones) are coping by hiring unqualified people (those who can talk about what to do but cannot do it because they have no hands-on cybersecurity skills) and assigning them to federal agencies or hospitals or other enterprises leaving the enterprise computers and data nearly completely unprotected.

There is no easy solution. Colleges claiming to be teaching cybersecurity usually fail to teach the hands-on skills and current knowledge the employers need. However, there are some untapped pipelines. Seven governors this year sponsored a cool program that identified 10,000 people with some cyber skills; many of the colleges' cyber clubs are identifying extraordinary talent; and many men and women leaving the military have developed cyber skills. SANS and CyberAces are connecting the more talented people in these three pipelines with some of the coolest employers who have open positions. Each job candidate is given the option to stand out by taking the SANS Cyber Talent exam which usually costs $2500 but is free to job candidates participating in this program.

The program is open to any employer who has cyber vacancies; email Max Shuftan at mshuftan@gmail.com. Any college cyber club members or veterans or others with cyber talent who may not have already signed up are welcome to review the open vacancies and/or sign up for the Cyber Talent exam. Register at nationalcybersecuritycareerfair.com to get more data.

Alan

TOP OF THE NEWS

Sophisticated Malware Infecting Machines in US and Europe
Cybersecurity Stock Valuations on the Rise

THE REST OF THE WEEK'S NEWS

Apple Releases iOS 7.1
Edward Snowden Speaks at South by Southwest Conference
Foreign Intelligence Surveillance Court Denies Gov't Request to Extend Data Retention Period
Remote Access Trojan Found in Google Play Store App
Judge Grants Mt. Gox Temporary Bankruptcy Protection in US
Veracity of Mt. Gox's Bitcoin Theft Claims Questioned
NIST Publication Offers Guidance on Access Control
South Korean Government Investigating Breach at KT Corp.
Siesta Malware Sleeps to Evade Detection
Johns Hopkins University Server Breached, Student Data Stolen

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


********************* Sponsored By The Economist Group ********************
How much money did that attack just cost your company? What's the value of prevention? Find out when The Economist Intelligence Unit unveils CyberTab, a free, anonymous tool that tallies the bill from specific attacks, sponsored by Booz Allen Hamilton. Enter expense and lost-business estimates, and get a detailed report. Opt-in to join the EIU research programme.
http://www.sans.org/info/154655
***************************************************************************
TRAINING UPDATE

- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Cybersecurity Stock Valuations on the Rise (March 9, 2014)

During the past year, venture capital firms invested a record-high $1.4 billion in 239 cybersecurity companies-from mobile-app security platforms to online-authentication infrastructures, according to research firm CB Insights. Nearly 80 cybersecurity start-ups have exited, either through acquisition or IPO, with an average tenfold return on investment. The median deal size and pre-money valuation for security companies has increased significantly over the past five years as well.
-http://www.cnbc.com/id/101468460

Sophisticated Malware Infecting Machines in US and Europe (March 7, 2014)

Sophisticated malware known as Turla has been infecting computers in the US and Europe. Researchers and intelligence officials believe that Turla is of Russian origin. The malware has also been called Uroburos and Snake. Some researchers say it may date back to 2006.
-http://uk.reuters.com/article/2014/03/07/russia-cyberespionage-idUKL1N0M302H2014
0307

-http://www.scmagazine.com/experts-analyze-snake-uroburos-malware-samples-dating-
back-to-2006/article/337403/



************************** Sponsored Links: ******************************
1) Leverage the Power of Advanced Threat Protection for Endpoints and Servers Take a 5-day Free Trial Today! http://www.sans.org/info/154660

2) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465

3) ATTN Security professionals: 2014 Salary Survey is open and we need your input before April 1 st . Go to http://www.sans.org/info/154665
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Apple Releases iOS 7.1 (March 10, 2014)

Apple has released iOS 7.1. This is the first major update to the mobile device operating system since the company released iOS 7 in September 2013. iOS 7.1 addresses 41 vulnerabilities. Nineteen of the flaws are in the Webkit browser engine used by Safari browser accounts; all 19 could be exploited to take remote control of vulnerable devices. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Apple+iOS+7+1/17789
-http://www.cnn.com/2014/03/10/tech/mobile/ios-7-update
-http://www.zdnet.com/apple-ios-7-1-patches-41-vulnerabilities-7000027164/
-http://news.cnet.com/8301-13579_3-57620109-37/apples-ios-7.1-lands-with-carplay-
improved-fingerprint-scanner/

[Editor's Note (Murray): It should be of interest that there are no reports of any of these vulnerabilities having been exploited, perhaps in part because of compensating controls in the Apple "eco-system." Perhaps not totally safe for amateurs, children, and the elderly, but no more dangerous than other household appliances. ]

Edward Snowden Speaks at South by Southwest Conference (March 10, 2014)

Edward Snowden spoke via video feed at the SXSW conference on Monday. He said that because US legislators are dragging their feet about curbing NSA surveillance, tech companies need to develop technologies that will protect online communications from snooping. Snowden noted that implementing end-to-end encryption would thwart mass data collection. American Civil Liberties Union (ACLU) principal technologist Chris Soghoian pointed out that because of Snowden's leaks about NSA snooping, prominent online service companies like Google and Yahoo began improving their security for customer communications.
-http://www.washingtonpost.com/world/national-security/snowden-mass-surveillance-
is-backfiring-on-us-in-effort-to-combat-terrorism/2014/03/10/61573dfa-a877-11e3-
8d62-419db477a0e6_story.html

-http://www.wired.com/threatlevel/2014/03/edward-snowdens-tech-call-arms/
-http://www.darkreading.com/vulnerability/snowden-encryption-is-defense-against-t
h/240166547

Foreign Intelligence Surveillance Court Denies Gov't Request to Extend Data Retention Period (March 10, 2014)

The US Foreign Intelligence Surveillance Court (FISC) has denied the government's request to retain phone call metadata beyond the current five-year limit. The government argued that the evidence could be required in future civil lawsuits. FISC Presiding Judge Reggie B. Walton ruled that to extend the length of time the government may retain data would be a further infringement on citizens' privacy. The ruling allows the Justice Department to file a new motion if new facts or analysis emerge.
-http://www.computerworld.com/s/article/9246844/Court_rejects_U.S._gov_t_bid_to_h
old_phone_records_beyond_five_years?taxonomyId=17

-http://www.zdnet.com/secret-u-s-court-prohibits-nsa-from-holding-phone-records-b
eyond-five-years-7000027135/

Remote Access Trojan Found in Google Play Store App (March 7 & 10, 2014)

An app in the Google Play store was found to be harboring a Remote Access Trojan (RAT) that was created with the Dendroid malware development tool, which is being offered for sale in underground forums. The malicious app was downloaded between 10 and 50 times before Google removed it from the store. The RAT can hijack phones' cameras, download photos, record phone calls, audio, and video, and send texts from devices it infects.
-http://www.scmagazine.com//saboteurs-slip-dendroid-rat-into-google-play/article/
337607/

-http://arstechnica.com/security/2014/03/malware-designed-to-take-over-cameras-an
d-record-audio-enters-google-play/

[Editor's Note (Murray): Android can be safely used only by geeks, not by amateurs, the very young or the very old. ]

Judge Grants Mt. Gox Temporary Bankruptcy Protection in US (March 10, 2014)

Mt. Gox, which recently filed for bankruptcy protection in Japan, was also granted temporary Chapter 15 bankruptcy protection in the US. Mt. Gox sought the protection in the US to allow the company "a necessary breathing period
[in which ]
to focus on restructuring efforts without the distraction ...
[of ]
certain litigation pending in the US."
-http://www.bbc.com/news/technology-26523826
-http://arstechnica.com/tech-policy/2014/03/mtgox-files-for-us-bankruptcy-protect
ion-to-put-ongoing-lawsuits-on-hold/

Veracity of Mt. Gox's Bitcoin Theft Claims Questioned (March 9 & 10, 2014)

Attackers have taken control of some accounts belonging to Mt. Gox CEO Mark Karpeles. The attack appears to be fueled by the former Bitcoin exchange's unwillingness to provide information about the circumstances that caused it to shut down. The attackers took control of Karpeles's personal blog and Reddit account. They posted a 716 MB file containing data they found about trading activity at Mt. Gox; the information seems to suggest that Mt. Gox is still in possession of the bitcoins it says were stolen. However, it could also be an indication of how badly the company's books were managed.
-http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchange
s-ceo-claim-to-publish-evidence-of-fraud/

-http://www.scmagazine.com//mt-gox-ceo-lied-about-massive-bitcoin-theft-according
-to-alleged-hackers/article/337613/

-http://news.cnet.com/8301-1023_3-57620092-93/mt-gox-ceos-blog-hacked-alleged-bit
coin-balances-posted/

-http://arstechnica.com/tech-policy/2014/03/anonymous-hackers-uncover-alleged-pro
of-of-mtgox-fraud-from-sites-ceo/

NIST Publication Offers Guidance on Access Control (March 7, 2014)

The National Institute of Standards and Technology (NIST) has issued a publication to help organizations share information while retaining control over data access. The Guide to Attribute Based Control Definition and Considerations presents "a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes."
-http://www.govinfosecurity.com/nist-guide-aims-to-ease-access-control-a-6612
-http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
[Editor's Note (Pescatore): We've had papers and guides on role-based access control since 1996 or so and the same for the broader topic of attribute-based access control since at least 2004 when XACML first came out. Yet, adoption is very low. What's really needed are case studies of successful implementations and how they overcame the many barriers to adoption. From what I've seen, it has only been very narrowly focused deployments that succeeded (small set of static or slowly changing attributes) even though research papers focus on broad, dynamic examples.
(Northcutt): Over the years, many security failures have been the result of improper access control. I have read 800-162 and I like the idea of Attribute Based Access Control, (ABAC), being one of the basic tools in the framework toolbox. That said, reading the document is a bit like drinking alphabet soup. There were so many new, at least new to me, terms and so little implementation guidance, my head started to hurt. I hope, over the next six months, we will start to see some reference implementations. In the mean time, I encourage security managers to scan the document and get familiar with the ideas. Implementation may be a few years away, but any opportunity to improve access control should not be overlooked. ]

South Korean Government Investigating Breach at KT Corp. (March 7, 2014)

Following a data breach that exposed personal information of 12 million customers of South Korea's KT Corp. telecommunications company, the government has launched an inquiry. Two people suspected of being responsible for the intrusion and data theft have been arrested along with the CEO of a telemarketing company. The thieves had been stealing data from KT Corp. since February 2013. The compromised data include names and bank account information. The South Korean telecommunications commission has ordered KT to inform customers of the breach and provide a way for customers to check if their data were compromised.
-http://www.theregister.co.uk/2014/03/07/kt_data_breach_12_million_customers/
-http://english.yonhapnews.co.kr/business/2014/03/07/17/0501000000AEN201403070009
00320F.html

Siesta Malware Sleeps to Evade Detection (March 7, 2014)

The Siesta cyperespionage campaign uses phishing emails to try to trick executives at targeted companies to download malware disguised as a PDF document. The messages appear to come from within the company. Hidden within what appears to be a link to a PDF file is a malicious executable called (TROJ_SLOTH). Clicking on the link brings up the actual PDF, which may be a document taken from the targeted organization's website. But while the document is being accessed, the malware is being downloaded. The malware listens for instructions from a command-and-control server to either download and execute a file or to "sleep" for a period of time, during which it does not connect to the command-and-control server.
-http://www.scmagazine.com/siesta-espionage-campaign-uncovered-by-researchers/art
icle/337409/

-https://www.net-security.org/secworld.php?id=16490

Johns Hopkins University Server Breached, Student Data Stolen (March 7, 2014)

The FBI is investigating a data breach at Johns Hopkins University. The thieves broke into a server and took the personal information of 1,300 current and former biomedical engineering students. When the university did not comply with their demands for user IDs and passwords to access the university's network, the attackers posted the information online. The breach occurred in 2013.
-http://www.scmagazine.com/johns-hopkins-university-web-server-breached-up-to-130
0-affected/article/337274/

Johns Hopkins University Statement:
-http://releases.jhu.edu/2014/03/07/server-breach/

STORM CENTER TECH CORNER

Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/Microsoft+March+Patch+Pre-Announcement/17783

Twitter Bug Fix
-https://blog.twitter.com/2014/sms-follow-issue-and-fix-for-protected-account

200 Million Consumer Records Compromissed via Experian
-http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-ac
cess-200-million-consumer-records/

Dell KACE Vulnerability
-http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypirat
ela.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/