SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #86

November 03, 2015

TOP OF THE NEWS

Federal CIO Issues Cybersecurity Strategy and Implementation Plan
US Navy to Develop a Cybersecurity Aptitude Test
Cybersecurity Section May be Added to US Military Standardized Test

THE REST OF THE WEEK'S NEWS

US and UK Joint Cybersecurity Exercise Planned for this Month
Google Releases Android Updates for Nexus
Another Arrest in TalkTalk Breach
Vodafone Says Accounts Breached with Access Credentials Stolen Elsewhere
License Plate Reader Data Exposed
New Tor Chat Tool
US Nuclear Regulatory Commission Publishes New Cybersecurity Requirements
CoinVault and Bitcryptor Ransomware Decryption Keys Recovered
First National Bank of Omaha Issues New Debit Cards After Breach at Unnamed Company
DroidJack Arrest Follow Raids
Cyber Crime Terminology: What Constitutes a Cyberattack?

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

***************** Sponsored By Blue Coat Systems, Inc. ********************

Expose Advanced Threats Cloaked in SSL:
Malware hiding in SSL/TLS has become an urgent priority for security executives. It's time for a better approach to manage encrypted traffic. Read "Enterprise Traffic Management for Dummies," a new e-book brought to you by Blue Coat.
http://www.sans.org/info/181247

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Federal CIO Issues Cybersecurity Strategy and Implementation Plan (October 30, 2015)

US Federal CIO Tony Scott has released the Cybersecurity Strategy and Implementation Plan (CSIP), which defines a major breach and establishes rules for reporting them to Congress. CSIP builds on this summer's "cybersecurity sprint," which directed agencies to take steps to tighten online security in the wake of the OPM breach.
-http://www.nextgov.com/cybersecurity/2015/10/white-house-issues-governmentwide-c
yber-action-plan/123302/?oref=ng-HPriver
-http://www.nbcnews.com/tech/security/white-house-details-plan-bring-feds-cyberse
curity-date-n454861
-https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf
-https://fcw.com/articles/2015/10/30/tony-scott-cyber-strategy.aspx
[Editor's Note (Pescatore): To paraphrase an old wedding saying, the Cybersecurity Strategy and Implementation Plan has somethings old, somethings new, not enough borrowed and too much that will make us blue. Things like "identifying High Value Assets" are just new terms for what agencies have been required to do forever. The new things are good - focus on hiring, training; each Department must have a SOC defined, etc. Much of the discussion around use of EINTSTEIN and shared services ignores what is proven and available and in use by private industry and could be borrowed. The huge, huge area missing (and making me blue) is any "lessons learned" and absolutely no attacking the root cause of why so many agencies have had breaches - what are the barriers to agencies achieving essentially basic security hygiene? The answer is not sprinkling more security services and products on top of badly administered PCs and servers. ]

US Navy to Develop a Cybersecurity Aptitude Test (October 30, 2015)

The Navy Cyber Aptitude and Talent Assessment will aim to identify recruits with skills that indicate they would do well in the cybersecurity field. The test will be developed by the University of Maryland's Center for Advanced Study of Language, which created a Defense Language Aptitude Battery (DLAB) to identify recruits' likely facility with learning new languages. The new test is being called Cyber DLAB, and will assess raw talent.
-http://www.nextgov.com/cybersecurity/2015/10/pop-quiz-which-navy-n00bs-have-gift
-stopping-hacks/123298/
[Editor's Comment (Paller): This is a worthwhile endeavor. In the U.S., the Army and Air Force have been working this issue as have the British and two other nations. The result is a much, much more effective screening process that many large companies are also using to assess cyber talent so they can invest in the people most likely to succeed. If your organization will be assessing at least 50 people, contact Max Shuftan at SANS and he can arrange access to the tests and scoring for your recruits. Mshuftan@sans.org
(Northcutt): Done well, these can work. Several of the instructors at SANS Seattle joined us for dinner and one told a story of his enlistment in the Army. He took the ASVAB test. Upon completion he was moved to a smaller room and given another test and another. Then off to boot camp. About 2/3 of the way through bootcamp, he and six others from the training command were summoned, given a small presentation, and told they had to decide "right now" and they had an opportunity to leave bootcamp and show up for specialized training. He left, he trained, he served and now he is a SANS instructor. By screening at the recruit level for aptitude more than experience, the Navy has a good chance to fill entry level jobs and then grow their workforce. Interesting to note that the US Navy is not using the existing, tested, proven testing regimen:
-http://www.nationaldefensemagazine.org/archive/2014/August/Pages/CyberLaborShort
ageNotWhatitSeemsExpertsSay.aspx
-https://www.sans.org/cybertalent/assessment-products]

Cybersecurity Section May be Added to US Military Standardized Test (October 29, 2015)

The Armed Services Vocational Aptitude Battery (ASVAB) may soon include a section that assesses recruits' cybersecurity skills. The general exam assesses verbal, mathematical, and mechanical aptitude. Military recruits take the exam to help decide career paths; the exam is also offered to high school students. The proposed cybersecurity section would assess skills likely developed through prior cybersecurity experience.
-http://www.nextgov.com/cybersecurity/2015/10/militarys-sat-could-soon-test-cyber
security-smarts/123265/?oref=ng-HPtopstory
[Editor's Note (Paller): Repeating the offer from the previous article, if you feel a validated cyberskills aptitude test might be useful in your organization, and you will be assessing at least 50 people, contact Max Shuftan at SANS and he can arrange access to the tests and scoring for your recruits. Mshuftan@sans.org ]

---

************************** SPONSORED LINKS ********************************
1) Download the free eGuide: Application Control Observations and Strategies for Success: http://www.sans.org/info/181252

2) Bad threat intelligence raining on your parade? Learn best practices and get a behind-the-scenes look at how to improve cloud security with real-time threat intelligence during this free webinar on November 17, 2015 at 1:00 PM ET: http://www.sans.org/info/181257

3) Threat Intelligence Briefing: Join SANS on November 5, 2015, in Golden Colorado for a half-day breakfast briefing on this critical topic. http://www.sans.org/info/181262 Not in the area? attend via simulcast: http://www.sans.org/info/181267
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US and UK Joint Cybersecurity Exercise Planned for this Month (November 2, 2015)

The US-CERT and the UK-CERT will conduct a joint cybersecurity exercise for the financial sector later this month. Participants in Operation Resilient Shield will include the US Treasury, the British finance ministry, and the Bank of England, which will also participate in planning the simulation. The exercise will focus on issues with information sharing and incident response rather than weaknesses in financial sector systems.
-http://www.darkreading.com/operations/uk-us-cyberattack-simulation-on-finance-se
ctor-set-for-this-month-/d/d-id/1322953?

Google Releases Android Updates for Nexus (November 2, 2015)

Google has fixed seven vulnerabilities in Android, including two critical flaws that could allow remote code execution when handling media files. Google released the Android update on Monday, November 2 as part of its new monthly security releases. Updates are available for Android 5.1 (Lollipop) and 6.0 (Marshmallow) for nexus devices.
-http://www.computerworld.com/article/3000492/security/google-patches-critical-me
dia-processing-flaws-in-android.html
-http://www.zdnet.com/article/two-critical-android-flaws-fixed-in-monthly-nexus-p
atch-update/
-https://groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E

Another Arrest in TalkTalk Breach (November 1, 2015)

UK police have arrested a 20-year-old man in connection with the theft of customer data from telecommunications company TalkTalk. A 15-year-old and a 16-year-old were arrested last week. All three were arrested on suspicion of violating the Computer Misuse Act; they have all been released on bail.
-http://www.zdnet.com/article/third-arrest-made-in-talktalk-breach/

Vodafone Says Accounts Breached with Access Credentials Stolen Elsewhere (November 2, 2015)

Vodafone has disclosed a data breach in which personal account information, including financial account data, of more than 1,800 UK customers was stolen. The breach occurred late last month. Vodafone maintains that its own systems were not breached, but that the thieves used passwords and email addresses obtained in a different breach.
-http://www.zdnet.com/article/vodafone-admits-hack-customer-bank-details-stolen/
-http://www.theregister.co.uk/2015/11/02/voda_blocks_1800_accounts_after_attacker
s_knock_on_the_door/

License Plate Reader Data Exposed (October 28, 2015)

The Electronic Frontier Foundation learned that more than 100 automated license plate recognition (ALPR) cameras were exposed online. In some cases, the camera live streams could be accessed. ALPR systems capture images of license plates and alert authorities when they spot a plate on the "hot list." The data are collected and stored even if they belong to cars that have nothing to do with criminal activity.
-https://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-s
afety-agencies-responded-massive
[Editor's Note (Honan): This is a good reminder of why many in the industry are wary about Governments who tout having golden keys to encryption services. If Government agencies fail to protect the privacy of individuals on systems such as this, what confidence can we have that they will protect people's encryption keys? ]

New Tor Chat Tool (October 30 and 31, 2015)

Tor has launched a chat tool that lets people communicate over the Tor network and hide their locations. Tor Messenger uses encryption by default. It cannot log chats. Tor Messenger is currently available to the public in beta.
-http://www.bbc.com/news/technology-34677323
-http://arstechnica.com/security/2015/10/how-to-use-tor-messenger-the-most-secure
-chat-program-around/

US Nuclear Regulatory Commission Publishes New Cybersecurity Requirements (October 30 and November 2, 2015)

The US Nuclear Regulatory Commission (NRC) issued new requirements for nuclear power reactor licensees. The rules establish guidelines for reporting incidents, including the type of information required in the reports. The new rules will take effect on December 2, 2015 and compliance is required by May 2, 2016.
-http://thehill.com/policy/cybersecurity/258663-white-house-updates-nuclear-plant
s-cyber-requirements
-https://www.federalregister.gov/articles/2015/11/02/2015-27855/cyber-security-ev
ent-notifications

CoinVault and Bitcryptor Ransomware Decryption Keys Recovered (October 30 and November 2, 2015)

The Dutch Public Prosecution Service and Kaspersky Lab have recovered decryption keys for CoinVault and Bitcryptor rasnomware. In all, 14,000 keys were recovered, and the malware's authors have been arrested. The keys have been uploaded to the ransomware decryptor service that Kaspersky launched in April.
-http://www.theregister.co.uk/2015/11/02/kaspersky_announces_death_of_coinvault_b
itcryptor_ransomware/
-http://www.computerworld.com/article/2999830/malware-vulnerabilities/all-coinvau
lt-and-bitcryptor-ransomware-victims-can-now-recover-their-files-for-free.html

First National Bank of Omaha Issues New Debit Cards After Breach at Unnamed Company (October 29 and 30, 2015)

The First National Bank of Omaha is sending new debit cards to customers in seven states. The bank says that it is issuing new cards because of a breach at an as yet unnamed national business. The affected customers are in the bank's seven-state service area, which includes Nebraska, Iowa, Kansas, Colorado, South Dakota, Texas, and Illinois.
-http://www.omaha.com/money/first-national-bank-warns-of-large-data-breach-at-uni
dentified/article_5816be02-7e6b-11e5-be00-c797af6bd18b.html
-http://www.scmagazine.com/first-national-bank-of-omaha-issuing-new-debit-cards-t
o-customers-in-seven-states/article/450688/

DroidJack Arrest Follow Raids (October 30, 2015)

UK police have arrested one person in connection with the use of DroidJack malware. Authorities in five European countries made related arrests last week. The raids targeted users of the malware.
-http://www.bbc.com/news/technology-34668337

Cyber Crime Terminology: What Constitutes a Cyberattack? (October 30, 2015)

While the US Director of National Intelligence and the Defense Department (DoD) would agree that the OPM breach did not meet the criteria to be classified a cyber attack, the National Institute of Standards and Technology (NIST) would classify the incident as a cyberattack. While the difference may not seem terribly important, the classification of an incident could have serious real-world repercussions. Actions that are deemed attacks could prompt sanctioned retaliation.
-http://www.nextgov.com/cybersecurity/2015/10/even-experts-dont-agree-definition-
cyber-terms/123303/?oref=ng-HPriver
[Editor's Note (Pescatore): There is an industry-wide hype problem with terms like "cyber-war" and "cyber-terrorism" but in reality the marketplace has learned those terms only get used to justify budget requests, sell books or as click bait to drive page views. But, the US federal government does need to re-look at how it defines cyber-attacks and classifies them as requiring law enforcement response or Department of Defense response. Imagine if we called out the DoD every time someone spray-painted graffiti on a government building or stole a government vehicle. ]

---

STORM CENTER TECH CORNER

Cryptowall Netting $325 Million Last Year
-http://cyberthreatalliance.org/cryptowall-report.pdf

Partially Encrypted Ransomware Files
-https://isc.sans.edu/forums/diary/Ransomware+Entropy+Your+Turn/20321/

Summary of Browser Behaviour to Mixed Language International Domain Names
-https://isc.sans.edu/forums/diary/This+Article+is+Brought+to+You+By+the+Letter+1
2494/20319/

Kaspersky Releases Decryptor for Bitcryptor Ransomware
-https://noransom.kaspersky.com

Tor Messenger Released
-https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily

Android Monthly Security Update
-https://groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E

Zerodium Claims iOS 9.1 Zero Day Exploit
-http://motherboard.vice.com/read/somebody-just-won-1-million-bounty-for-hacking-
the-iphone

Page Fair Anti-Ad Blocker Compromised to Spread Fake Flash Update
-http://blog.pagefair.com/2015/halloween-security-breach/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/