SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #24

March 25, 2014

Good progress on the national cybersecurity salary survey with 3,600 completed. It closes on Monday, March 31. If you haven't completed yours, you may at http://www.sans.org/info/154665

---

TOP OF THE NEWS

Coming Clean About Becoming Cyberwarriors
STEM is Not the Answer to Boosting Number of Skilled Cybersecurity Workers
Identifying Cyber Talent: Measuring Aptitude and Mastery

THE REST OF THE WEEK'S NEWS

Most US Government Agencies Have Upgraded from Windows XP
Attackers Exploiting Unpatched Flaw in Microsoft Word
Android Memory Corruption Flaw Could be Exploited to "Brick" Devices
Vulnerabilities Grant Elevate Malicious Apps' Permissions When Android Updates
NSA Infiltrated Huawei Networks, Installed Backdoors
Google Makes Gmail Transport Encryption Mandatory
California DMV Investigating Possible Data Breach
AT&T Says it Will Lower Internet Bills if FCC Abandons Net Neutrality
Netflix Will (Reluctantly) Pay ISPs to Maintain Quality of Content Delivery
Bitcoin Software Update Addresses Transaction Malleability Issues
Mt. Gox Finds 200,000 Bitcoins in Old Format Digital Wallet

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec ****************************
Layered Security: Why It Works - SANS Analyst White Paper
Attackers are leaving no stone unturned, prying into web applications, operating systems and even deeper in the hardware. They're taking advantage of conventional endpoints and mobile devices, slipping past and through network security, and even taking advantage of the human element operating the devices. The layered model is more relevant than ever.
http://www.sans.org/info/155445
***************************************************************************
TRAINING UPDATE


-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Coming Clean About Becoming Cyberwarriors (March 21, 2014)

The idea that people without technical backgrounds can become cybersecurity experts merely by obtaining a certification is doing a disservice to the people and to the cybersecurity industry. The demand for skilled cybersecurity professionals far outstrips their availability. One way to address this problem is by defining a cybersecurity career path, which could include learning foundational skills in systems administration or tech services, continuous training and skills development, and eventually more complex jobs.
-http://www.nextgov.com/cio-briefing/wired-workplace/2014/03/why-cyber-jobs-need-
career-path/81025/?oref=ng-channelriver

STEM is Not the Answer to Boosting Number of Skilled Cybersecurity Workers (March 24, 2014)

Richard Stiennon expresses his frustration with the focus on encouraging students to obtain science, technology, engineering, and math (STEM) degrees and his disappointment at the dearth of vocational/technical programs. Universities are focusing more on research, which does not provide students with concrete skills necessary to work in cybersecurity. Stiennon writes, "What we need in every state is a vibrant VoTech education system" that will "work with security vendors to teach and award certifications in major security tools."
-http://www.forbes.com/sites/richardstiennon/2014/03/23/stem-stinks-for-cybersecu
rity/
[Editor's Note (Assante): Richard's frustrations are very real. Exciting younger students about technology is important, but we have failed to provide a path for the development of their skills and in preparing them to meet the needs of the nation. Universities will rarely provide opportunities to learn about job requirements, build practical skills, use common tools, provide opportunity for simulation, or participate in practitioner delivered training. Many organizations (I am involved with Cyber Aces) are chipping away at the problem, but we have failed to develop the necessary connectors to take talented students from primary education (clubs and competitions) through predictable technical development paths and into the workforce.
(Murray): One should expect a two year program to prepare one for one's first job, with specialized knowledge, skills, and abilities that are current but have a short life. One should expect a professional education to prepare one for a career, with broad knowledge, skills, and abilities with a long life. Hiring managers and executives should not expect either source to meet all their needs. One needs both tacticians and strategists, both those who execute and those who plan, those who follow and those who lead, NCOs, technical specialists, and officers.]

Identifying Cyber Talent: Measuring Aptitude and Mastery (March 25, 2014)

In assessments being undertaken with four very large employers of cyber talent, the SANS Institute is evaluating multiple testing regimens designed to identify people likely to succeed in developing the most sought after skills. The plan is to help employers decide whom to hire and train as advanced technical cyber professionals. Part of this program involves working with more than 30 employers to determine career paths in cybersecurity and on-ramps to help people plan pathways to demonstrate and develop their talent. At least one promising test is expected to go live late this spring as part of the National Cyber Security Career Fair (nationalcybersecuritycareerfair.com). This early notification is a call for collaborators. If your organization has experience in cyber talent assessment, and you wish to collaborate, email cybertalent@sans.org and provide a very brief summary of what you have done.

---

************************** Sponsored Links: ******************************
1) SOC maturity varies widely: As the incidence and cost of cyber crime have escalated, organizations have responded by establishing security operations centers (SOCs) to detect and counter cyber attack and to assure compliance with industry guidelines. Download the report http://www.sans.org/info/155450

2) Financial Accounts and Endpoints Most at Risk: SANS Survey on Financial Services Security Programs Webcast two-part series. Wednesday March 26 at 1 PM EDT http://www.sans.org/info/155455 and Thursday, March 27 at 1 PM EDT http://www.sans.org/info/155460

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Most US Government Agencies Have Upgraded from Windows XP (March 24, 2014)

The majority of US government agencies running Windows XP on their systems have upgraded or are in the process of upgrading to newer platforms. However, an estimated 10 percent of agencies will still be running XP after the support deadline of April 8, 2014 passes. Microsoft is offering incentives to the agencies that have no plans to upgrade. The company will continue to support XP for a fee and is offering discounts on new products. The reasons some agencies have given for not upgrading are systems not connected to the Internet, and the impossibility of overhauling the system they already have in place.
-http://www.nextgov.com/cio-briefing/2014/03/microsoft-retains-grasp-feds-die-out
-xp/81082/?oref=ng-HPtopstory
-http://www.nextgov.com/cybersecurity/2014/03/feds-not-worried-about-windows-xp-v
ulnerabilities/80986/?oref=ng-channelriver
-http://www.informationweek.com/government/cybersecurity/windows-xp-feds-brace-fo
r-end-of-support/d/d-id/1127856
Banks are working to upgrade the approximately 2.2 million ATMs that are XP-based.
-http://www.bankinfosecurity.com/end-xp-support-are-banks-really-ready-a-6659
-http://www.cnbc.com/id/101503334
[Editor's Note (Pescatore): One of the most common deficiencies government agencies get from their FISMA audits is poor inventory management - lack of knowledge of what devices are on their networks, what software is on those devices and how well the software is configured. So, the 10% XP figure feels low to me, not even counting all the embedded XP appliances and machinery that is in use in government hospitals, credit unions, labs, etc.
(Murray): The cost of software can be expected to spike dramatically as it approaches end of life. The cost may be in extended support or in increased errors, fraud, or other risks. At some point it becomes cheaper to abandon or migrate. We are called "managers" and are "paid the big bucks" for making such hard choices. ]

Attackers Exploiting Unpatched Flaw in Microsoft Word (March 24, 2014)

Attackers are exploiting a flaw in Microsoft Word to try to take control of vulnerable computers. The attacks involve specially crafted Rich Text Format documents. The vulnerability can be exploited to run code remotely when the documents are viewed in Microsoft Outlook with Word as the email viewer. Attackers could ultimately obtain privilege levels equal to those of the Word user. The current attacks target 2010, but the flaw affects all versions of Word for Windows and Mac. Microsoft has released a Fix it tool that disables RTF support. Microsoft's Enhanced Mitigation Experience Toolkit also helps protect users from attacks exploiting the vulnerability.
-http://www.computerworld.com/s/article/9247151/Microsoft_warns_Word_users_of_ong
oing_attacks_exploiting_unpatched_bug?taxonomyId=17
-http://www.zdnet.com/microsoft-reveals-zero-day-attacks-against-word-7000027648/
-http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word
-under-active-attack/
Microsoft Advisory:
-https://technet.microsoft.com/en-us/security/advisory/2953095
Fix it Tool:
-https://support.microsoft.com/kb/2953095
Internet Storm Center:
-https://isc.sans.edu/forums/diary/New+Microsoft+Advisory+Unpatched+Word+Flaw+use
d+in+Targeted+Attacks/17849

Android Memory Corruption Flaw Could be Exploited to "Brick" Devices (March 23, 24, & 25, 2014)

Vulnerabilities in the Android mobile platform could be exploited to make devices running the operating system useless. Malicious apps could be used to put devices into endless reboot, rendering it unusable.
-http://www.v3.co.uk/v3-uk/news/2335963/android-smartphones-and-tablets-could-be-
bricked-by-security-flaw
-http://arstechnica.com/security/2014/03/malicious-apps-can-brick-android-phones-
erase-data-researchers-warn/
-http://www.theregister.co.uk/2014/03/25/another_day_another_android_vuln/

Vulnerabilities Grant Elevate Malicious Apps' Permissions When Android Updates (March 23, 2014)

In a separate story, a half-dozen flaws recently found in Android puts all devices running the mobile operating system at risk of privilege elevation attacks. The newly-defined class of vulnerabilities increase permissions of malicious apps when Android is updated.
-http://www.zdnet.com/android-bugs-leave-every-smartphone-and-tablet-vulnerable-t
o-privilege-escalation-7000027589/
-http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidup
dating.pdf

NSA Infiltrated Huawei Networks, Installed Backdoors (March 22 & 23, 2014)

According to reports from The New York Times and Der Spiegel, the US National Security Agency (NSA) broke into servers at China's Huawei Technologies to spy on company communications, gather information about the company's products, and establish backdoors on the systems. The NSA has declined to comment. The US has for years been vocal about its concerns that Huawei networking equipment could pose a national security threat because of the possibility that the company created backdoors to spy on customers.
-http://thehill.com/blogs/hillicon-valley/technology/201478-snowden-docs-nsa-targ
eted-chinese-telecom-giant
-http://www.computerworld.com/s/article/9247128/NSA_hacked_into_servers_at_Huawei
?taxonomyId=17
-http://www.theguardian.com/world/2014/mar/22/nsa-huawei-china-telecoms-times-spi
egel
-http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-a
s-spy-peril.html
-http://www.zdnet.com/nsa-spies-on-china-networking-giant-huawei-7000027599/

Google Makes Gmail Transport Encryption Mandatory (March 22, 2014)

Gmail users no longer have the option of turning off HTTPS encryption. The new requirement protects traffic between Google servers and users from snooping. HTTPS has been on in Gmail by default since 2010, but until now users have had the option of disabling the feature. While the move does improve the security of communications, it does not constitute end-to-end encryption. Gmail algorithms can still read email text to display targeted advertisements, and Google will also have the ability to access messages if necessary.
-http://www.informationweek.com/mobile/mobile-applications/google-makes-https-for
-gmail-mandatory/d/d-id/1127855?
-http://www.nbcnews.com/tech/security/google-enhances-encryption-technology-email
-n58696
[Editor's Note (Pescatore): If you were more worried about Government snooping than Google snooping, this is slightly meaningful. At least people using Gmail at WiFi hotspots will have SSL turned on as they read their email. But people should realize that all advertising supported IT like Gmail means you are allowing the provider to read every word you send or receive over email and a long list of advertisers get lots of detailed information about you from that. ]

California DMV Investigating Possible Data Breach (March 22, 2014)

Evidence suggests that the California Department of Motor Vehicles experienced a data security breach. Banks have received alerts from MasterCard about a "card-not-present" breach that appears to affect cards used to make online payments at the California DMV. The DMV has been alerted to the situation, and issued a statement that says while "there is no evidence at this time of a direct breach of the DMV's computer systems. However, ... the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement."
-http://krebsonsecurity.com/2014/03/sources-credit-card-breach-at-california-dmv/

AT&T Says it Will Lower Internet Bills if FCC Abandons Net Neutrality (March 24, 2014)

In a filing in the federal Communications Commission's (FCC's) "Protecting and promoting the Open Internet" proceeding, AT&T has promised to lower its customers Internet bills if the Federal Communications Commission (FCC) allows Internet service providers (ISPs) to charge companies like Netflix for faster content delivery. The FCC's initial attempt to establish net neutrality was vacated by a court decision; the Commission plans to redraft rules.
-http://arstechnica.com/business/2014/03/att-promises-to-lower-your-internet-bill
-if-fcc-kills-net-neutrality/
-http://apps.fcc.gov/ecfs/comment/view?id=6017609040

Netflix Will (Reluctantly) Pay ISPs to Maintain Quality of Content Delivery (March 21, 2014)

Netflix chief Reed Hastings says the company will pay premiums to Internet service providers (ISPs) to ensure that its customers receive good service, but is less than pleased with the arrangement. ISPs say that companies that use significant amounts of bandwidth should shoulder some of that cost. Proponents of net neutrality say that providing premium service for those who can afford it will stifle innovation.
-http://www.bbc.com/news/technology-26682298
-http://www.nbcnews.com/tech/internet/netflix-ceo-slams-isps-extracting-toll-beca
use-they-can-n58731
Hastings's Blog:
-http://blog.netflix.com/2014/03/internet-tolls-and-case-for-strong-net.html
[Editor's Note (Pescatore): I wonder if Netflix is "reluctant" to pay the Postal Service more when physical DVD renters turn around DVDs more quickly? The power companies and water companies charge factories for the materials they consume to product their product and USPS charges product vendors for delivering their products, all based on how much they consume. I'm sure they are "not pleased" with those expenses but seemed to have understood they are a cost of doing business. ]

Bitcoin Software Update Addresses Transaction Malleability Issues (March 20 & 21, 2014)

An updated version of Bitcoin software now available aims to prevent the "transaction malleability" attacks that preyed on several exchanges in recent months. The new software for the main wallet is Bitcoin Core 0.9.0. Tightened rules in the updated software prevent mutated transactions from being relayed or mined, and new functions report conflicting wallet transactions and those with incorrect balances.
-http://www.zdnet.com/bitcoin-devs-fix-wallet-bug-behind-mutated-transaction-atta
cks-7000027564/
-http://arstechnica.com/security/2014/03/bitcoin-software-gets-fix-for-weakness-t
hat-helped-bring-down-mt-gox/

Mt. Gox Finds 200,000 Bitcoins in Old Format Digital Wallet (March 20 & 21, 2014)

Bitcoin exchange Mt. Gox, which has filed for bankruptcy protection in the US and in Japan, says it has discovered 200,000 (presently worth $115,000) in a digital wallet from 2011. Mt. Gox CEO Mark Karpeles said that the company was not aware until earlier this month that the old-format wallet contained Bitcoins anymore.
-http://arstechnica.com/tech-policy/2014/03/mt-gox-suddenly-finds-200000-of-missi
ng-bitcoins-worth-over-115m/
-http://money.cnn.com/2014/03/21/technology/mt-gox-missing-bitcoin/index.html
-http://www.theregister.co.uk/2014/03/21/mtgox_finds_200000_bitcoin_in_old_wallet
s/
-http://www.bbc.com/news/technology-26677291

---

STORM CENTER TECH CORNER

DDoS Attacks against Basecamp and Hootsuite
-http://blog.hootsuite.com/hootsuite-responds-to-dos-attack/
-https://gist.github.com/dhh/9741477
-http://status.basecamp.com

How an Individual Account Compromise Leads to a Spam Incident
-https://isc.sans.edu/forums/diary/How+the+Compromised+of+a+User+Account+Lead+to+
a+Spam+Incident/17843

Microsoft Using Employees Private Hotmail Account To Track Down Intellectual Property Leak
-http://www.zdnet.com/how-microsoft-tracked-down-a-spy-who-leaked-its-secrets-700
0027545

Chrome will require Certificate Transparency from all EV Certificate Authorities after February 2015.
-https://sites.google.com/site/certificatetransparency/ev-ct-plan

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/