SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #76
September 29, 2015
The National Cyber Career Fair Opens November 19. See short blurb at the end of this newsletter.
TOP OF THE NEWS
BitPay Sues Insurance Company After Cyberattack Claim is Rejected
US and China Announce Cyber Espionage Agreement
Women Underrepresented in Cybersecurity
THE REST OF THE WEEK'S NEWS
US Defense Department Hires Breach Notification Management Help
DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions
Chinese Smartphone Browsers Hijacked to Launch DDoS Attack
Facebook Outages
Foreign Intelligence Surveillance Court Public Advocate Named
Hilton Investigating Point-of-Sale System Breach Claims
STORM CENTER TECH CORNER
CYBER CAREER FAIR OPENS NOVEMBER 19
************************ Sponsored By Splunk ******************************
Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180462
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx
- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR
- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6
- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF
- --SOS: SANS October Singapore | Singapore | Oct. 12-24 | 8 courses
http://www.sans.org/u/7tK
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus San Diego, Tokyo, Sydney, Cape Town, and Dallas all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
BitPay Sues Insurance Company After Cyberattack Claim is Rejected (September 18 & 21, 2015)
Bitcoin payment processor BitPay is suing Massachusetts Bay Insurance Company (MBIC) for refusing to pay a claim after BitPay lost US$1.85 million in fraudulently conducted transactions. MBIC maintains the claim does not satisfy the criteria of the policy because the attack was initiated by compromising the account of a BitPay business associate, which was used to send a spear phishing email to BitPay's CFO.
-http://www.networkworld.com/article/2984989/security/cyber-insurance-rejects-claim-after-bitpay-lost-1-8-million-in-phishing-attack.html
-http://www.csoonline.com/article/2984777/social-engineering/bitpay-insurance-claim-rejected-due-to-contract-wording.html
[Editor's Note (Murray): Cyber insurance is very profitable for insurance companies. Premiums are not comparable or competitive; they are not paying many claims. Policies are artfully written. (Pescatore): This demonstrates several of the many reasons why cyber insurance has been shown to be ineffective in bounding risk with any positive ROI: (1) The policy specifically excluded the common attack pattern of a business partner or trusted third party getting compromised and then spear phishing being launched from there; (2) the policy would have only paid off half of the direct loss, and it seems like it would cover none of the indirect costs of the breach, which are often larger than the direct costs. Cyber insurance does *not* increase security and in many cases is not even reducing liability, because premium costs and deductibles often add up to more than what will be paid out in the event of a breach. And that doesn't even include the lost opportunity costs if the premiums were instead spent on actually getting more secure. ]
US and China Announce Cyber Espionage Agreement (September 25, 27, & 28, 2015)
At a press conference last week, US President Obama and Chinese President Xi Jinping announced that they had reached a "common understanding" regarding cyber espionage. The leaders agreed that both countries will not "conduct or knowingly support cyber-enabled theft of intellectual property." There is skepticism that the agreement will result in change.
-http://www.scmagazine.com/little-change-expected-in-the-wake-of-the-us-china-cyber-deal/article/441446/
-http://www.wired.com/2015/09/us-china-reach-historic-agreement-economic-espionage/
-http://www.darkreading.com/attacks-breaches/china-us-agree-to-not-conduct-cyberespionage-for-economic-gain/d/d-id/1322370?
Women Underrepresented in Cybersecurity (September 28, 2015)
According to a study from (ISC)2 and Booz Allen Hamilton, women make up just 10 percent of the cybersecurity workforce, a drop of one percent from last year's numbers. The report also notes that the number of women moving into the industry is increasing, but is not keeping pace with the growing workforce. The report also notes that there are more women than men in the areas of governance, risk, and compliance.
-http://www.darkreading.com/operations/new-data-finds-women-still-only-10--of-security-workforce/d/d-id/1322371
-http://techcrunch.com/2015/09/28/women-could-be-the-solution-to-fighting-cybersecurity-threats/
-http://thehill.com/policy/cybersecurity/255183-gender-gap-in-cybersecurity-widens-survey-shows
[Editor's Note (Murray): When I was managing development, my "go to" engineers were women. (Paller): Echoing Murray, the two best intrusion detection analysts in the early days of cybersecurity were named Vicki and Judy. By not recruiting women for critical technical cybersecurity roles, we are depriving ourselves of at least 50% of the most talented candidates (some would argue far more). One step in the right direction is being led by Ruthe Farmer at the National Center for Women in Technology. She has identified more than 16,000 young women who are proud to be geeks through a program called Aspirations in Computing (AiC). She is inviting college juniors and seniors in AiC to test their cyber aptitude and talent to be among 30 women chosen for $360,000 in scholarships for accelerated immersion training in key areas of cybersecurity plus interviews with their favorites among the 50 employers recognized as the "nation's best employers for high performance cybersecurity professionals." We'll cover the public announcement of the program in NewsBites next week so readers can let other talented women graduating from college know about the program. ]
************************** SPONSORED LINKS ********************************
1) Mitigate the Healthcare Endpoint Security Challenges - Read More: http://www.sans.org/info/180467
2) Trend Micro Forward-Looking Threat Research publishes a report examining the past 10 years of US data breaches. http://www.sans.org/info/180472
3) RSA Webcast: Active Incident Response - Do's & Don'ts of handling a security incident & more. http://www.sans.org/info/180482
***************************************************************************
THE REST OF THE WEEK'S NEWS
US Defense Department Hires Breach Notification Management Help (September 28, 2015)
The Defense Information Systems Agency (DISA) has hired a company to help notify the 21.5 million people whose personal data were compromised in the Office of Personnel Management (OPM) breach. The contract was awarded without open competition because the Pentagon was having trouble meeting breach notification deadlines and needed support quickly. The plan is to have a tool for determining why mail was returned in place by October 9 and a functional website for people to check whether or not their data were compromised by November 17.
-http://www.nextgov.com/cybersecurity/2015/09/pentagon-hires-investigators-find-hacked-feds/122228/?oref=ng-HPtopstory
[Editor's Note (Murray): Few enterprises have sufficient resources to remediate a major breach. However, a contingency plan, with resources identified and contracted for in advance of what is now a foreseeable event, may well be efficient. ]
DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions (September 28, 2015)
The Pentagon's Defense Advanced Research Projects Agency (DARPA) is looking for technology capable of monitoring Internet connected devices like refrigerators and thermostats, often referred to as the Internet of Things (IoT). Specifically, DARPA is seeking "algorithms, tools, and devices for mapping analog emissions of digital devices."
-http://www.nextgov.com/emerging-tech/2015/09/darpa-looking-tech-protect-internet-things/122231/?oref=ng-HPriver
-https://www.fbo.gov/index?s=opportunity&mode=form&id=916dd7ee159a12bc221bdd442ebf4409&tab=core&_cview=0
Chinese Smartphone Browsers Hijacked to Launch DDoS Attack (September 28, 2015)
Browsers on at least 650,000 Chinese smartphones have been recruited via malware to help launch a distributed denial-of-service attack against a web server. The malware was hidden in advertisements that were displayed on the phones.
-http://www.bbc.com/news/technology-34379254
-http://www.zdnet.com/article/new-ddos-attack-uses-smartphone-browsers-to-flood-site-with-4-5bn-requests/
-http://www.theregister.co.uk/2015/09/28/mobile_malvertiser_ddos_javascript_drip_serves_site_with_45_billion_hits/
-http://www.computerworld.com/article/2987036/application-security/after-pushing-malware-ad-networks-also-used-for-ddos.html
[Editor's Note (Murray): The major risk of the IoT is that gratuitous functionality in the appliances will be turned against the network and its users. ]
Facebook Outages (September 28, 2015)
Facebook was temporarily unavailable on Monday, September 28, the third time in a month that the site has experienced an outage. In a post on the Facebook developer site, an engineer wrote that Monday's outage was due to a problem with the Facebook Graph API.
-http://www.bbc.com/news/world-us-canada-34383655
-https://www.washingtonpost.com/news/the-switch/wp/2015/09/28/facebook-is-hit-with-yet-another-outage/
-http://venturebeat.com/2015/09/28/facebook-has-now-gone-down-three-times-this-month/
Foreign Intelligence Surveillance Court Public Advocate Named (September 26 & 28, 2015)
The first of five amici curiae, friends of the court, has been appointed for the US Foreign Intelligence Surveillance Court (FISC). Preston Burton will serve as a public advocate at the court. The amici curiae are being appointed as required in provisions of the USA Freedom Act, which passed in June 2015. Until the change, FISC hearings involved testimony only from the government.
-http://thehill.com/policy/national-security/255163-secret-spy-court-approves-first-outside-advisor
-http://arstechnica.com/tech-policy/2015/09/americas-most-secretive-court-invites-its-first-outsider/
Hilton Investigating Point-of-Sale System Breach Claims (September 25, 2015)
Hilton Worldwide is investigating claims that a breach of point-of-sale systems may have exposed customers' payment card information. Sources within the banking industry said they noticed a pattern of fraudulent transactions that points to the likelihood that point-of-sale registers at Hilton restaurants and gift shops were compromised.
-http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/
-http://www.nbcnews.com/tech/security/hilton-hotels-looking-possible-data-breach-n434071
STORM CENTER TECH CORNER
ATM Malware Dispenses Cash
-https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
Belkin Leaves Secret PGP Key in Light Switch Firmware
-https://twitter.com/mjg59/status/647242641822773248
-http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
More Anti-Virus Vulnerabilities: ESET
-https://twitter.com/taviso/status/647408764505579520
Ad Networks Used for DDoS
-https://blog.cloudflare.com/mobile-ad-networks-as-ddos-vectors/
Traffic Ticket E-Mails
-https://isc.sans.edu/forums/diary/Transport+of+London+Malicious+EMail/20191/
Cisco Midyear Security Report
-http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html?keycode=000854785
Alcatel Lucent Report on Infected Systems Connected to Mobile Networks
-https://www.alcatel-lucent.com/solutions/malware-reports
CYBER CAREER FAIR OPENS NOVEMBER 19
On November 19, SANS will host its fourth online career fair to help employers and cybersecurity jobseekers connect in a virtual setting. The SANS CyberTalent Fair (https://app.brazenconnect.com/events/SANS-cybertalent-fair-2) opened registration last week and includes employers such as the US Army's INSCOM, Stroz Friedberg, L-3 Communications, and many others. The CyberTalent Fair is open to interested job seekers and any employer who has cyber vacancies. All registrants also have the opportunity to take the SANS CyberTalent Test at no cost. Please contact mshuftan@sans.org or visit https://app.brazenconnect.com/events/SANS-cybertalent-fair-2 to sign up.
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/