
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #68

September 01, 2015

TOP OF THE NEWS

Secretary of Defense Says US Could Fall Behind Adversaries in Cybersecurity
DHS's Continuous Diagnostics and Mitigation Implementation Moving Too Slowly

THE REST OF THE WEEK'S NEWS

HTTPS Frustrates Russia's Attempt to Censor Wikipedia
KeyRaider Malware Steals Account Credentials
White House Drafting Sanctions Against China
Six Arrested for Allegedly Using Lizard Stresser DDoS Tool
Phishing Campaign Sends Users to Phony Electronic Frontier Foundation Site
US Army Seeks to Streamline Acquisition Process for Cyber Tools
DHS Project Aims to Develop Mobile Security Technologies
Underhanded C Competition

STORM CENTER TECH CORNER


********************* Sponsored By iSIGHT Partners ***********************

FREE TRIAL: Thinking of adding cyber threat intelligence to your security strategy? You aren't alone. Today's top security teams are turning to iSIGHT Partners for real-time, context based intelligence on their adversaries. Don't drown in dumb data passing itself off as intel, request a free trial and experience the iSIGHT difference.
http://www.sans.org/info/179885

***************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --SANS Cyber Defense Initiative 2015 | Washington DC | December 12-19, 2015 | 36 courses
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit | Dallas, TX | September 21-26, 2015 | 4 courses
https://www.sans.org/event/data-breach-investigation-summit-2015
http://www.sans.org/u/7QM

- --SANS Baltimore 2015 | Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
https://www.sans.org/event/seattle-2015
Newsbites - http://www.sans.org/u/7QR
@Risk - http://www.sans.org/u/7QW

- --SANS Tysons Corner 2015 | Tysons Corner, VA | October 12-17, 2015 | 8 courses
https://www.sans.org/event/tysons-corner-2015
Newsbites - http://www.sans.org/u/7R6
@Risk - Link: http://www.sans.org/u/7R1

- --SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials -
http://www.sans.org/u/Xy

Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Secretary of Defense Says US Could Fall Behind Adversaries in Cybersecurity (August 27, 2015)

In the wake of revelations that attackers believed to be working on behalf of Russia or China infiltrated a server used by the Pentagon's Joint Chiefs, US military leaders expressed concern that the country could "fall behind" its adversaries in the cybersecurity arena. Defense Secretary Ash Carter said, "We have to be better at network defense than we are now." The public sector is having a hard time finding skilled and talented employees because of better pay at private companies, the lag time in hiring, and a government work culture that does not mesh well with the lifestyle of some potential employees.
-http://www.washingtonexaminer.com/military-leaders-warn-u.s.-is-falling-behind-in-cybersecurity/article/2570945

[Editor's Note (Pescatore): I think the bigger DoD cybersecurity problems are spending in the right places and having people do the right things in cyberdefense vs. simply needing more money for more people. In the current 2015 DoD fiscal year, cybersecurity spending at the Cyber Command is 13.9% of total IT spending - which is nearly double the industry average. A portion of that goes to offensive operations and you would expect protecting classified systems and data to be more expensive. But, it would be nice to see a "Critical Security Controls"-like prioritization approach applied to any additional resources, whether funding or staff. (Paller): DoD's failures in cybersecurity, accurately characterized by John Pescatore above, were immortalized in the Defense Science Board's "Task Force Report on Resilient Military Systems and the Advanced Cyber Threat." From the executive summary: "DoD is not prepared to defend against this [cyber] threat." The DSB calls for specific changes in cyber defense that can be implemented only, in my opinion, with wholesale changes in DoD cybersecurity policy. Those changes will happen only when the Secretary replaces the soft-skilled cyber staff in the DoD CIO's office. It's time for the war fighters to stop putting their faith in people who don't know how the current attacks are executed and what can actually stop most and detect the rest very quickly, and to prove they can do that reliably. Anything less is dangerously unacceptable. ]

DHS's Continuous Diagnostics and Mitigation Implementation Moving Too Slowly (August 24, 2015)

Office of Personnel Management (OPM) director of IT security operations Jeff Wagner said that while the DHS's CDM (Continuous Diagnostics and Mitigation) program is great, its "timeframe, timing, issuance, and getting things moving" is frustrating his agency's implementation efforts. The DHS-funded tools and technologies are expected to be ready in spring 2016, but because Wagner needs them now, he decided to renew the security tools he already has that CDM will eventually replace.
-http://federalnewsradio.com/contractsawards/2015/08/cdm-quandary-many-agencies-facing/

[Editor's Note (Pescatore): Unfortunately, that is a very common view of the CDM program from the government security managers: great idea, moved way too slowly and is in danger of becoming totally irrelevant. It would be good to quickly see another government "Cybersecurity Sprint" that is totally CDM-focused. ]


**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know: http://www.sans.org/info/179890

2) Do Not Miss: Making DNS Your Greatest Ally in Active Defense: Thursday, September 03 at 1:30 PM EDT (17:30:00 UTC) featuring Dave Shackleford and Tim Helming. http://www.sans.org/info/179895

3) Learn what it takes to build a successful threat intelligence program from real-world examples. Live webinar featuring Solutionary, a leading MSSP, on Wednesday, September 16 at 2:00 PM ET. Register now: http://www.sans.org/info/179905
***************************************************************************

THE REST OF THE WEEK'S NEWS

HTTPS Frustrates Russia's Attempt to Censor Wikipedia (August 25, 28, & 31, 2015)

Russian governmental media watchdog Roskomnadzor ordered Internet service providers (ISPs) to block a page about hashish on Wikipedia. However, Wikipedia uses HTTPS for all its sites, so the government decided to order ISPs to block the entire Russian language Wikipedia site. The site was briefly unavailable, but the block appears to have been removed.
-http://www.scmagazine.com/russias-attempts-to-block-access-to-wiki-thwarted-by-https/article/435759/
-https://www.eff.org/deeplinks/2015/08/russias-wikipedia-ban-buckles-under-https-encryption
-https://www.washingtonpost.com/news/worldviews/wp/2015/08/24/russias-war-with-wikipedia/

[Editor's Note (Pescatore): Best data point in the article: "The popularity of the Russian-language Wikipedia article on charas skyrocketed on the two days from 200-400 visits per day up to more than 193,000 on Tuesday, with the entry becoming the most visited Wikipedia page in Russia." (Northcutt): TSK, TSK, this sure does make the Russians sound bad; to be willing to trash access to Wikipedia over some almost nonexistent variant of cannabis is silly at best, chilling at worst. But how far away is the United States from such madness? We started on such a path right after we passed the Patriot Act to monitor and control the Internet and fifteen years later are still headed in a direction that cannot be supported by common sense:
-http://slashdot.org/story/01/11/29/0512208/doj-already-monitoring-cable-internet-traffic
-http://www.wired.com/2014/05/sandvine-report/
-http://www.wired.com/2014/04/https/
-http://news.yahoo.com/blogs/lookout/doj-wants-internet-providers-track-customer-activity-20110126-105642-476.html
-http://www.cnet.com/news/u-s-gives-big-secret-push-to-internet-surveillance/
-http://www.cnet.com/news/doj-we-dont-need-warrants-for-e-mail-facebook-chats/ ]

KeyRaider Malware Steals Account Credentials (August 31, 2015)

Malware known as KeyRaider hides in code for jailbroken Apple devices. KeyRaider intercepts traffic to steal iTunes account credentials and send the information to a remote server. More than 225,000 accounts have been affected.
-http://thehill.com/policy/cybersecurity/252369-malware-attack-hits-225000-iphones
-http://www.theregister.co.uk/2015/08/31/keyraider_apple/
-http://www.wired.com/2015/08/hack-brief-malware-hits-225000-jailbroken-mostly-chinese-iphones/

[Editor's Note (Murray): We do not call it jail "broken" for nothing. However, it was never "jail." It was kindergarten. Those who were unwilling to submit to its gentle discipline will go through life paying a price. ]

White House Drafting Sanctions Against China (August 30, 2015)

The White House is reportedly developing economic sanctions against individuals and companies in China who are believed to be involved in espionage. The planned sanctions are being called "unprecedented." The White House has not said if or when the sanctions will be issued.
-https://www.washingtonpost.com/world/national-security/administration-developing-sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html

[Editor's Note (Pescatore): Sanctions are certainly appropriate when nations violate global norms, but this action seems to be dependent on differentiating Chinese cyberespionage as economic espionage (not OK?) vs. what the US and every other country does as political espionage (OK?) ]

Six Arrested for Allegedly Using Lizard Stresser DDoS Tool (August 28 & 31, 2015)

UK authorities have arrested six teenagers for allegedly using the Lizard Squad's Lizard Stresser tool to launch distributed denial-of-service (DDoS) attacks. The tool appropriates bandwidth from home routers protected by weak security. These six young men bought Lizard Stresser with "alternative currency such as Bitcoin" in an effort to remain anonymous. None of the six arrested is a member of Lizard Squad.
-http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/
-http://arstechnica.com/security/2015/08/six-uk-teens-arrested-for-being-customers-of-lizard-squads-ddos-service/

Phishing Campaign Sends Users to Phony Electronic Frontier Foundation Site (August 28, 2015)

A phishing campaign aimed at harvesting passwords and other data contained a link to a website that pretended to be that of the Electronic Frontier Foundation (EFF). The attack may have the ability to infect Mac and Linux machines as well as those running Windows. The phony EFF site appears to have been serving malware since early August.
-http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-malware-was-likely-active-for-3-weeks/

US Army Seeks to Streamline Acquisition Process for Cyber Tools (August 27, 2015)

The US Army is using a template called the Information Technology Box to hasten acquisition of cyber tools. Army officials say they hope to be able to provide soldiers with the tools within weeks instead of the months or years regular acquisition paths may take. The IT Box template was developed in 2008 and updated in 2012.
-http://fcw.com/articles/2015/08/27/army-cyber-acquisition.aspx

DHS Project Aims to Develop Mobile Security Technologies (August 27, 2015)

The US Department of Homeland Security's (DHS's) Science and Technology Directorate is funding a US $8.9 million Mobile Device Security research and development project. Seven universities and companies are developing the technologies, which were showcased for government stakeholders in late August.
-http://fcw.com/articles/2015/08/27/dhs-secure-mobile-tech.aspx

[Editor's Note (Murray): In DoD they call this "preparing for the last war." (Pescatore): DISA had a very similar initiative earlier in the year. Meanwhile, the government seems to have made no progress in "bigger bang for the buck" initiatives like a government-wide secure app store or secure mobile virtual network operator offerings that were talked about as far back as 2011. ]

Underhanded C Competition (August 24, 2015)

The Underhanded C Competition, which has been running annually since 2005, gives programmers the chance to craft elegantly disguised, yet dangerous vulnerabilities in the C programming language. Dr. Scott Craver, who runs the competition, said, "Our goal is to demonstrate how difficult it is to write secure software by showing off innocent looking code that misbehaves." Craver is hopeful that by considering how code may hide bugs, people will write and audit code more carefully.
-http://www.csmonitor.com/World/Passcode/2015/0824/How-developing-and-disguising-software-bugs-can-help-cybersecurity


STORM CENTER TECH CORNER

Automating Metrics Using RTIR REST API
-https://isc.sans.edu/forums/diary/Automating+Metrics+using+RTIR+REST+API/20087/

OWASP Automated Threat Handbook
-https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

"Vote Hacking" Is Not Just About Voting Machines
-http://visiontoamerica.com/23638/virginia-counties-have-more-people-registered-to-vote-than-people-alive/

EICAR Test PDF/DOC Document
-https://isc.sans.edu/forums/diary/Test+File+PDF+With+Embedded+DOC+Dropping+EICAR/20085/

FBI Publishes Numbers on Business Email Compromise Losses
-http://www.ic3.gov/media/2015/150827-1.aspx

Gift Card from Marriott Spam
-https://isc.sans.edu/forums/diary/Gift+card+from+Marriott/20097/

Encryption of Data At Rest
-https://isc.sans.edu/forums/Encryption+at+rest+what+am+I+missing/959

Detecting File Changes on Microsoft Systems With FCIV
-https://isc.sans.edu/diary/Detecting+file+changes+on+Microsoft+systems+with+FCIV/20091/

KeyRaider iOS Malware
-http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Linux Foundation Internal Security Checklist
-https://github.com/lfit/itpol/blob/master/linux-workstation-security.md

Cisco Identity Services Engine Unauthorized Access Vulnerability
-http://tools.cisco.com/security/center/viewAlert.x?alertId=40691


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/