SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #73

September 18, 2015

TOP OF THE NEWS

US Military struggles to deploy cyber teams
A Well-Funded Global ISAC

THE REST OF THE WEEK'S NEWS

Cyber Command Bird's Eye Vulnerability View
American Airlines Flights Delayed Due to Computer Problems
New Hampshire Library Restores Tor Node
Legislators Want to Know How Auto Makers are Protecting Customers from Cyberthreats
Judge Invalidates Gag Order National Security Letter Gag Order
iOS 9 Mitigates Airdrop Vulnerability, and Fixes Many Other Flaws
Self-Destructing Chip Revealed at DARPA Conference
Let's Encrypt Issues its First SSL/TLS Certificate
Sanctions Against China Appear Unlikely Before President Xi's Visit
Two Guilty Pleas in Massive Payment Card Theft Scheme

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

***************** Sponsored By Blue Coat Systems, Inc. *******************

Expose Advanced Threats Cloaked in SSL. Malware hiding in SSL/TLS has become an urgent priority for security executives. It's time for a better approach to manage encrypted traffic. Read "Enterprise Traffic Management for Dummies," a new e-book brought to you by Blue Coat.
http://www.sans.org/info/180312

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit | Dallas, TX | September 21-26, 2015 | Data Breach Investigation Summit and Training Dallas. TX September 21-26 4 courses
http://www.sans.org/u/7QM

- --SANS Baltimore 2015| Baltimore, MD | Sept. 21-26 |4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US Military Struggles To Deploy Cyber Teams (Sept. 16, 2015)

Five years after then US Cyber Command chief Keith Alexander asked each of the forces to contribute 3,000 well-trained cyber warriors to the mission, the Army, Navy and Air Force are struggling to supply even 60% of that that number, according to detailed readiness provide in the article. Admiral Rogers, the current Cyber Command chief told Congress, "We are already hard pressed to find qualified personnel, get them cleared and trained." Facing deep competition in recruiting, they services are increasingly identifying talent among men and women already enlisted, offering them more rapid promotion opportunities in cyber jobs, and then paying retention bonuses as high as $40-60,000, depending on the service, to keep them.
-https://www.govtechworks.com/military-battles-to-man-its-growing-cyber-force/#gs
.05oMXSI
[Editor's Note (Paller): Because of the rapid promotion opportunities in the cyber corps, services are having trouble identifying enlisted men and women with sufficient cyber talent. The standard military aptitude testing tool (ASVAB) has not been successful in differentiating between smart folks and folks with the mindset and talent needed for cyber jobs. Recently the Army and Air Force have tested a new suite of cyber-specific aptitude and talent assessment exams that appear to be far more effective. Versions of those cybertalent tests are also being adopted by commercial organizations to determine which of their current employees can be expected to do well in advanced cybersecurity education and roles. Details at
-https://www.sans.org/cybertalent]

A Well-Funded Global ISAC (September 16, 2015)

The Manhattan District Attorney's Office is establishing the Global Cybersecurity Alliance, an organization that will help international cyberthreat information sharing. Seed money for the organization comes from a US $15 million settlement paid by PNB Paribas for disregarding US sanctions. The goal is to share information in real time.
-http://www.wsj.com/articles/money-from-bnp-pact-to-back-cyber-alliance-144236888
4
-http://thehill.com/policy/cybersecurity/253830-manhattan-da-opens-international-
cyberthreat-sharing-nonprofit

---

**************************** SPONSORED LINKS ******************************
1) Behind the Curve? Getting Started on Endpoint Security Maturity. Wednesday, September 30 at 1:00 PM EDT (17:00:00 UTC) featuring G. Mark Hardy and Dwayne Melancon. http://www.sans.org/info/180317

2) Catching Stealth Attacks in Progress With Intelligence-Driven Security. Thursday, October 01 at 1:00 PM EDT (17:00:00 UTC) with Barb Filkins and Wade Williamson. http://www.sans.org/info/180322

3) Don't Miss: Automating the Hunt for Network Intruders. Friday, October 02 at 11:00 AM EDT (15:00:00 UTC featuring Dr. Eric Cole and Jamie Butler. http://www.sans.org/info/180327
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyber Command Bird's Eye Vulnerability View (September 17, 2015)

US Cyber Command is creating a system that will provide an overview of security issues in military computer networks, weapons systems and installations. The system is expected to help determine how to prioritize fixes for the vulnerabilities. While information will initially be entered manually, the goal is for the system to eventually be automated so attacks can be detected and dealt with promptly.
-http://www.reuters.com/article/2015/09/17/us-usa-military-cybersecurity-idUSKCN0
RH2SF20150917
[Editor's Note (Assante): This concept is long overdue as vulnerability reporting and mapping was first introduced back in 2000. Possessing top sight of the location of vulnerabilities and determining susceptibility is a necessary part of risk-based decision making and prioritization. The military appreciates the danger that comes with not knowing if a susceptible vulnerability can impact their mission. ]

American Airlines Flights Delayed Due to Computer Problems (September 17, 2015)

American Airlines said that a computer connectivity issue was responsible for flights being delayed at airports in Miami, Chicago, and Dallas/Fort Worth. The problem started around noon Eastern Time on Thursday, September 7, and was resolved within three hours. Other airlines have experienced similar problems over the past few months.
-http://thehill.com/policy/transportation/254058-american-airlines-grounds-flight
-due-to-computer-glitch
-http://www.usatoday.com/story/news/nation/2015/09/17/technical-issues-delaying-a
merican-airlines-flights/32562037/

New Hampshire Library Restores Tor Node (September 16 & 17, 2015)

A library in Lebanon, New Hampshire that suspended its operation of a Tor relay due to concerns raised by a Department of Homeland Security investigator has restored the node. The library's IT director said that there was no pressure to take down the relay, but that they volunteered to take it down until the board met and voted on Tuesday, September 15. The Kilton Library is a pilot participant in the Library Freedom Project. The publicity generated by the story has prompted a dozen more libraries across the US to ask for information on hosting Tor nodes.
-http://arstechnica.com/tech-policy/2015/09/small-town-library-restores-tor-relay
-which-had-gone-dark-for-weeks/
-http://www.theregister.co.uk/2015/09/17/library_freedom_project_dozen_more_tor_n
odes/

Legislators Want to Know How Auto Makers are Protecting Customers from Cyberthreats (September 16, 2015)

Two US legislators have sent questions to automobile makers seeking more information about how they plan to protect vehicles and thus customers from cyberattacks. It is the second set of questions regarding vehicles and cybersecurity from Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut), who have co-sponsored the SPY Car Act, a bill that would have the government set cybersecurity standards for vehicle manufacturers.
-http://thehill.com/policy/cybersecurity/253814-senators-want-more-cyber-answers-
from-automakers

Judge Invalidates Gag Order National Security Letter Gag Order (September 14 & 16, 2015)

A US District judge has issued a decision invalidating a National Security Letter (NSL) gag order. Judge Victor Marrero found no "good reason" to impose the gag order on Nicholas Merrill, a programmer who is the executive director of the non-profit privacy advocacy Calyx Institute. Merrill must wait 90 days for the judge's order to take effect, during which time the government may appeal the decision. Merrill received the letter in 2004.
-http://www.scmagazine.com/nicholas-merrill-can-discuss-nsl/article/438988/
-https://www.calyxinstitute.org/news/federal-court-invalidates-11-year-old-fbi-ga
g-order-national-security-letter-recipient-nicholas

iOS 9 Mitigates Airdrop Vulnerability, and Fixes Many Other Flaws (September 16, 2015)

Apple has released iOS 9, the latest version of its mobile device operating system. Among the issues addressed is a vulnerability in Bluetooth Airdrop that could be exploited to infect devices with malware. The person who found the AirDrop flaw says the fix is incomplete and should be regarded as a mitigation. The vulnerability allows devices to be infected with no user interaction as long as users have enabled AirDrop for that device. In all, iOS addresses more than 100 security issues.
-http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully-fix-cri
tical-ios-airdrop-vulnerability/
-http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/
-http://www.wired.com/2015/09/hack-brief-upgrade-ios-9-now-avoid-bluetooth-iphone
-attack/
-http://www.theregister.co.uk/2015/09/16/ios_9_security_updates/
-https://support.apple.com/en-us/HT205212
[Editor's Note (Murray): Apple deserves a lot of credit for the security of the iOS system. Their strategy of a closed system and integrated hardware and software has protected both their users and users of the Internet. Enterprise users should learn about and exploit all of the features and capabilities built into iOS 9 for protecting data and sensitive applications. ]

Self-Destructing Chip Revealed at DARPA Conference (September 13 & 15, 2015)

Scientists have developed a computer chip that is capable of self-destruction. The technology was debuted at the Defense Advanced Research Projects Agency (DARPA) "Wait, What?" event in St. Louis, Missouri, last week. Xerox PARC scientists developed the technology as part of DARPA's vanishing programmable resources project. The chip is made of Gorilla Glass, the substance used for smartphone touchscreens. In the demonstration, the self-destruct process was triggered by a photo-diode activated circuit with bright light, but it could also be triggered with a radio signal. The chip could be used to store encryption keys.
-http://www.theregister.co.uk/2015/09/15/self_destructing_chip/
-http://www.csmonitor.com/Technology/2015/0913/Why-we-should-design-our-computer-
chips-to-self-destruct
[Editor's Note (Pescatore): Obvious uses in high security scenarios and obvious denial of service risks. I think this kind of "disappearing ink" is needed for a wide number of "Internet of Things" devices that will have storage that should be encrypted or securely wiped at end of life. Think of copier machines and printers showing up on eBay often contain sensitive information in internal storage - and then multiply by a bajillion for IoT devices. ]

Let's Encrypt Issues its First SSL/TLS Certificate (September 15 & 16, 2015)

Let's Encrypt, the free open source certificate authority (CA), signed its first certificate earlier this week. The project is currently in beta status.
-http://www.zdnet.com/article/lets-encrypt-issues-first-free-digital-certificate/
-http://www.theregister.co.uk/2015/09/15/lets_encrypt/
-http://www.computerworld.com/article/2984396/encryption/encryption-project-issue
s-first-free-ssltls-certificate.html

Sanctions Against China Appear Unlikely Before President Xi's Visit (September 15, 2015)

President Obama will not impose sanctions against China before Chinese president Xi Jinping's visit, which will take place next week. Xi is scheduled to arrive on September 24. Sanctions are still very much a possibility. If sanctions are imposed, they would apply only to individuals and businesses, not to China's government.
-http://thehill.com/policy/cybersecurity/253654-white-house-official-no-sanctions
-before-chinese-state-visit

Two Guilty Pleas in Massive Payment Card Theft Scheme (September 15 & 16, 2015)

Vladimir Drinkman has pleaded guilty to charges of conspiracy to commit unauthorized access of protected computers and conspiracy to commit wire fraud in US federal court in New Jersey. The scheme with which Drinkman has admitted involvement resulted in the theft of more than 160 million payment card numbers between 2005 and 2012 and causing more than US $300 million in losses. The affected companies include Heartland Payment Systems and the Hannaford Bros. grocery store chain. Drinkman was extradited to the US from the Netherlands, where he was arrested in 2012. A second man involved in the case, Dmitriy Smilianets, has been in custody in the US since 2012. He has pleaded guilty to conspiracy to commit wire fraud. Three other alleged co-conspirators remain at large.
-http://thehill.com/policy/cybersecurity/253737-russian-hacker-admits-role-in-mas
sive-data-breach-scheme
-https://bol.bna.com/russian-hacker-drinkman-pleads-guilty-in-largest-data-breach
/
-http://www.nbcnews.com/tech/security/second-russian-man-pleads-guilty-massive-u-
s-credit-card-n428701

---

STORM CENTER TECH CORNER

A Day in The Life of a Pentester
-https://isc.sans.edu/forums/diary/A+day+in+the+life+of+a+pentester+or+is+my+job+
is+too+sexy+for+me/20157/

Bugzilla Bug Exposes Private Vulnerabilties
-https://www.bugzilla.org/security/4.2.14/

More Cloud Sidechannel Attacks
-https://eprint.iacr.org/2015/898

Why is it hard to secure a phone's lock screen?
-http://blog.martin-graesslin.com/blog/2015/09/lock-screen-security-of-phones/

Malware Cheats At Poker
-http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats
-at-poker/

iTunes Update for Windows
-https://support.apple.com/en-us/HT205221

Airdrop Flaw Could Be Used to Sent Malicious Apps
-http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/

Cryptome PGP Key Compromised
-http://cryptome.org

ZMap Scan For Compromissed Cisco Routers
-https://zmap.io/synful/

Malicious Spam With Zipped Javascript
-https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing
+js+files/20153/

Persistent Cisco Backdoor Found On Compromissed Routers
-https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html

Smartwatch Motion Sensors Can Detect Passwords
-https://www.ece.illinois.edu/newsroom/article/11762

Android Lock Screen Bypass
-http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/