SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #88
November 10, 2015
High-end on-line cyber talent fairs appear to be helping companies and
agencies gain access to cyber people with strong skills. The fourth
SANS CyberTalent Fair will be held online on Nov. 19:
https://app.brazenconnect.com/events/SANS-cybertalent-fair-2.
See the last story for a list of employers and more data.
TOP OF THE NEWS
The Linux Kernel and the Question of Security
FFIEC Warns Banks About Cyberextortion
DHS Will Fast Track 1,000 Cybersecurity Hires
NIST Advice on Whitelisting
THE REST OF THE WEEK'S NEWS
TLS Certificates Mistakenly Issued for Forbidden Domains
Military Smartphones Not Patched Against Stagefright
Judge Rules NSA Metadata Gathering "Likely Violates the Constitution"
Comcast Resets Compromised User Passwords, But Says its Systems were Not Breached
Florida College Students Win Cybersecurity Competition
Cyber Insurance Claims on the Rise
Ransomware Targets Linux Web Servers
Ford Promises to Protect Customer Data
Files Encrypted by Buggy Ransomware are Not Recoverable
Bills Would Help Ports and States Fight Cyberattacks
CYBER FAIR PARTICIPANTS AND LINKS
STORM CENTER TECH CORNER
************************* Sponsored By Splunk *****************************
Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, "what works" list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain. Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC.
http://www.sans.org/info/181402
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. | 36 courses.
http://www.sans.org/u/7Qx
- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX
- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7
- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy
Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
The Linux Kernel and the Question of Security (November 5, 2015)
As Linux becomes more widely used, the security of the open source kernel has become a contentious subject. Linux creator Linus Torvalds believes that security can never be perfect and must be weighed alongside other considerations, including ease of use and speed. Others believe that the Linux kernel is due for an overhaul.
-http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
-http://www.zdnet.com/article/linus-torvalds-vs-the-internet-security-pros/
[Editors Note (Pescatore): I think Apple/iOS and even Google/Android have shown that security can be a feature that doesn't impact ease of use or speed and, in fact, can lead to safety levels that speed adoption. Linux as a server side operating system has different issues but the virtualization and cloud players are already past their "security is an add-on" phase and recognizing it needs to be built in/Job 1, etc. ]
FFIEC Warns Banks About Cyberextortion (November 3, 2015)
The Federal Financial Institutions Examination Council (FFIEC) has issued a warning to banks about cyberextortion. FFIEC exhorts the financial institutions to "address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems." The banks are also urged to notify law enforcement and regulators immediately if they are targeted by extortionists.
-http://www.foxbusiness.com/industries/2015/11/03/regulator-warns-cyberattack-extortion-targeting-banks/
-https://www.ffiec.gov/press/pr110315.htm
DHS Will Fast Track 1,000 Cybersecurity Hires (November 9, 2015)
The US Department of Homeland Security (DHS) will fast track as many as 1,000 new cybersecurity hires. DHS hopes to make the hires by June 2016. Last year, legislators passed the Border Patrol Agent Pay Reform Act of 2014, which allows DHS to streamline hiring and offer perks.
-http://www.nextgov.com/cybersecurity/2015/11/homeland-security-fast-track-hiring-1000-new-cyber-personnel/123528/?oref=ng-channeltopstory
-https://www.congress.gov/bill/113th-congress/senate-bill/1691
[Editor's Note (Paller): The last time DHS did this (under Sec. Napolitano) the DHS components redefined "cyber jobs" to having at least 25% of their time on cyber-related tasks. One innovative DHS component decided that all of their IT positions qualified and therefore they used more than 650 of the 1,000 positions to hire people who had no specific cyber skills into jobs that had no specific cyber responsibilities. Other components followed suit. This behavior may be innovative, but it led to an agency where cyber skills are not valued by management and most important cyber technical tasks are contracted out. If the DHS Inspector General cares to look more closely, I have the specific data from my time as Co-Chair (with Jeff Moss) of the DHS Task Force on Cyberskills, and will be happy to share. I bring it up now because DHS matters and the quality of its technical cyber skills matters; the 1,000 new cyber jobs should not be wasted. (Ullrich): Hiring the right people will take money, a well-defined career path which includes training and time for professional development, and a meaningful position that allows a talented individual to make a difference. ]
NIST Advice on Whitelisting (November 6, 2015)
The US National Institute of Standards and Technology (NIST) published the Guide to Application Whitelisting to help organizations implement the technology. Whitelisting is the number one mitigation on both the NSA's Top Ten and the Australian Signals Directorate's Top Four Strategies to Mitigate Targeted Cyber Intrusions.
-http://www.nextgov.com/cybersecurity/2015/11/nist-releases-how-guide-implementing-automatic-whitelisting/123486/?oref=ng-channeltopstory
-http://www.computerworld.com/article/3002516/security/deploying-application-whitelisting-nist-has-some-advice-for-you.html
-http://www.theregister.co.uk/2015/11/09/considering_application_whitelist_tryst_nist_will_help_you_clear_the_mist/
-http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
[Editor's Note (Paller): Given that application whitelisting is the number one mitigation that both the US's and Australia's most experienced cyber defenders (ASD and NSA/IAD) point to for stopping most attacks, this guide could make an important contribution. It is not! Its content is mostly a general description of the technology and guidance on new capability implementation that is nearly all too generalized to be very useful (although John Pescatore points out one useful suggestion below). Other content ranges from silly to just plain wrong. The authors obviously have not implemented application whitelisting at scale nor do they seem to have interviewed the agencies in the US or Australia that have gone through the process and discovered the actual implementation problems and their solutions. Bottom line: skip it. If you need an overview that is a much faster read, see
-http://www.asd.gov.au/publications/protect/application_whitelisting.htm
(Pescatore): The guide wisely suggests starting in limited deployment in audit mode. Try it - these days, server-side whitelisting is largely barrier free and even desktop whitelisting hits way fewer problems than years ago. As a minimum, whenever you start planning for Windows 10, work it in to the migration plan. ]
************************** SPONSORED LINKS ********************************
1) Download the free eGuide: Application Control Observations and Strategies for Success: http://www.sans.org/info/181407
2) Bad threat intelligence raining on your parade? Learn best practices and get a behind-the-scenes look at how to improve cloud security with real-time threat intelligence during this free webinar on November 17, 2015 at 1:00 PM ET: http://www.sans.org/info/181412
3) Join John Pescatore and Gavin Millard as they discuss the issues that really qualify for a logo to get the attention deserved and how focusing on the foundational, rather than the latest trend, can improve overall hygiene http://www.sans.org/info/181417
***************************************************************************
THE REST OF THE WEEK'S NEWS
TLS Certificates Mistakenly Issued for Forbidden Domains (November 9, 2015)
Certificate Authority (CA) Comodo says it accidentally issued TLS (Transport Layer Security) credentials for several forbidden names. Comodo has revoked those certificates, but notes that other CAs have made the same mistake. The CA Browser Forum's baseline requirements prohibit CAs from issuing certificates for internal server names. CAs must abide by the requirements if they wish to be trusted by major browsers.
-http://arstechnica.com/security/2015/11/https-certificates-with-forbidden-domains-issued-by-quite-a-few-cas/
-http://www.theregister.co.uk/2015/11/10/comodo_kills_forbidden_certs/
-https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
[Editor's Note (Pescatore): The CA Browser rules on this just kicked in on 1 November, and Comodo apparently didn't notice a bug in its update for this. They seem to have reacted quickly and appropriately - the key is if they make sure to change the process that led to the flawed code getting approved for going out on production systems. (Ullrich): Layer 8 (human error) strikes again. With all the effort spent moving from SSLv3 and weak DH configurations, the real vulnerability nobody is addressing is insufficient controls to prevent human error at certificate authorities. ]
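The baseline-requirements rule in the story bars public CAs from issuing certificates for internal names (names not resolvable in public DNS) and reserved IP addresses. The following audit-mode checker is an added example, not code from the newsletter, Comodo or the CA/Browser Forum: it classifies the subjectAltName entries of a certificate so an organization can sweep its own certificate inventory for entries a public CA should never have signed. The non-public suffix list, the label regex and the sample SAN entries are assumptions constructed for the example.

```python
"""Audit-mode check for certificate SAN entries that name internal servers.

Added example (not from the newsletter, Comodo or the CA/Browser Forum).
Entries use the form openssl prints for subjectAltName: 'DNS:<name>' or
'IP:<address>'. The suffix list and sample data below are constructed.
"""
import ipaddress
import re

# Suffixes that are not delegated public TLDs (assumed list; extend for your
# environment). A dNSName ending in one of these is treated as internal.
NON_PUBLIC_SUFFIXES = {
    "local", "localhost", "localdomain", "internal", "intranet", "corp",
    "lan", "home", "private", "test", "example", "invalid",
}

# One DNS label: a wildcard, or LDH (letters, digits, hyphen) per RFC 1123.
_LABEL_RE = re.compile(r"^(\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$")


def classify_san(entry: str) -> str:
    """Return 'internal', 'public' or 'malformed' for one SAN entry.

    Reserved/private IPs are internal. A dNSName is internal when it is a
    single label, ends in a non-public suffix, or is really an IP literal.
    """
    kind, _, value = entry.partition(":")
    value = value.strip().lower()
    if kind.strip().upper() == "IP":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "malformed"
        # is_global is False for RFC 1918, loopback, link-local, CGNAT, etc.
        return "public" if addr.is_global else "internal"
    if kind.strip().upper() != "DNS" or not value:
        return "malformed"
    labels = value.rstrip(".").split(".")
    if not all(_LABEL_RE.match(lbl) for lbl in labels):
        return "malformed"
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal"
    try:
        ipaddress.ip_address(value)  # e.g. DNS:192.168.1.1
        return "internal"
    except ValueError:
        return "public"


def find_forbidden_sans(sans):
    """Return the SAN entries a public CA should not have issued."""
    return [s for s in sans if classify_san(s) != "public"]


# Constructed sample mimicking 'openssl x509 -noout -ext subjectAltName'.
SAMPLE_SANS = [
    "DNS:www.example.com",      # public FQDN
    "DNS:mail",                 # single-label hostname: internal
    "DNS:exchange.corp.local",  # non-public suffix: internal
    "DNS:192.168.1.1",          # IP literal hiding in a dNSName: internal
    "IP:10.0.0.5",              # RFC 1918 address: internal
    "IP:8.8.8.8",               # globally routable address: public
]

if __name__ == "__main__":
    for san in find_forbidden_sans(SAMPLE_SANS):
        print("forbidden SAN:", san, classify_san(san))
```

Feed it the SAN entries of each certificate in your inventory; anything it reports should already have been revoked by the issuing CA under the rule that took effect on 1 November.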
Military Smartphones Not Patched Against Stagefright (November 9, 2015)
Smartphones used by the US military are not being patched in a timely manner. Many in the military are using Android devices that have not been patched against Stagefright. Part of the problem lies with Google, which is slow to release fixes for the older devices. In addition, military users cannot simply patch their phones; they must wait until the Pentagon has cleared the fix.
-http://arstechnica.com/tech-policy/2015/11/everyone-blames-someone-else-as-classified-military-smartphones-lack-patches/
Judge Rules NSA Metadata Gathering "Likely Violates the Constitution" (November 9, 2015)
A US federal judge in the District of Columbia has ruled that the National Security Agency's (NSA's) phone metadata gathering program violated the Constitution. US District Judge Richard Leon's ruling applies only to the case's two plaintiffs. The data collection program is scheduled to end on November 29.
-http://thehill.com/policy/national-security/259550-judge-calls-for-nsa-to-halt-phone-records-program
-http://www.wired.com/2015/11/judge-blocks-nsa-spying-and-sets-an-important-precedent/
Comcast Resets Compromised User Passwords, But Says its Systems were Not Breached (November 9, 2015)
Account information for 200,000 Comcast customers was found for sale on the Dark Web. The telecommunications company says that its systems were not breached, and that it will reset the affected passwords.
-https://www.washingtonpost.com/news/the-switch/wp/2015/11/09/comcast-says-its-not-to-blame-after-200000-accounts-were-illegally-put-up-for-sale/
-http://www.zdnet.com/article/comcast-resets-passwords-after-login-details-posted-on-dark-web/
Florida College Students Win Cybersecurity Competitions (November 9, 2015)
Students from the University of Central Florida (UCF) won two of three team competitions and took second place in the third at CyberSEED, a conference hosted by the University of Connecticut.
-https://today.ucf.edu/ucf-students-win-25500-at-cybersecurity-competition/
-http://www.csi.uconn.edu/cyberseed/
Cyber Insurance Claims on the Rise (November 6, 2015)
According to a Wells Fargo survey of 100 mid-sized and large US companies, 85 percent said they had purchased cybersecurity insurance, and more than 40 percent have filed a cyber insurance claim over a breach.
-http://www.nbcnews.com/tech/security/4-10-businesses-have-filed-cyber-insurance-claim-survey-n458886
[Editor's Note (Pescatore): There is a lot of mythology around cybersecurity insurance and not a lot of hard data on whether it is cost effective or not. That same survey shows the top 2 barriers are "difficulty in obtaining" and "cost." SANS is having a webinar on cybersecurity insurance on November 19th, where myself, SANS instructor Ben Wright and San Diego City CISO Gary Haslip will inject some reality into the conversation.
-https://www.sans.org/webcasts/cyber-insurance-role-security-program-101012
(Northcutt): Insurance is exactly one layer in a defense in depth approach. Insurance companies are smart and they are going to limit the coverage so they still make money even if there are claims:
-https://www.linkedin.com/pulse/defense-depth-how-much-enough-stephen-northcutt
]
Ransomware Targets Linux Web Servers (November 6 and 9, 2015)
A new strain of ransomware is targeting Linux-based web servers. Linux.Encoder.1 encrypts the server's contents and demands payment of one Bitcoin to decrypt the data. In some instances, the attackers exploited the CMS Magento vulnerability; that flaw was patched on October 31.
-http://techcrunch.com/2015/11/06/linux-ransomware-is-now-attacking-webmasters/?ncid=tcdaily
-http://arstechnica.com/security/2015/11/new-encryption-ransomware-targets-linux-systems/
-http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/
-http://www.scmagazine.com/linux-web-servers-targeted-in-new-ransomware-scam/article/452729/
-http://www.computerworld.com/article/3003100/malware-vulnerabilities/file-encrypting-ransomware-starts-targeting-linux-web-servers.html
Ford Promises to Protect Customer Data (November 6, 2015)
Ford executive Don Butler says that the company will protect customers' data and will ask permission before sharing them. Butler, Ford's executive director of connected vehicles and services, spoke at the Web Summit in Dublin, Ireland last week.
-http://www.cnet.com/news/ford-our-cars-will-give-you-control-of-your-driver-data/
[Editor's Note (Ullrich): It is nice that Ford considers protecting customer data an important goal. But in the end, large data collections will attract attacks. A better statement would have been that Ford carefully evaluates what data it collects and retains, and that Ford removes personal identifiable information whenever possible. ]
Files Encrypted by Buggy Ransomware are Not Recoverable (November 6, 2015)
A flawed version of the Power Worm ransomware encrypts files on computers it infects, but it also destroys the keys needed to decrypt the data. Users who have been infected with this variant should not pay the ransom; their only recourse is to restore files from backups.
-http://news.softpedia.com/news/epic-fail-power-worm-ransomware-accidentally-destroys-victim-s-data-during-encryption-495833.shtml
-http://www.bbc.com/news/technology-34765484
Bills Would Help Ports and States Fight Cyberattacks (November 5, 2015)
Last week, the US House Homeland Security Committee approved two bills aimed at improving cybersecurity. The first bill would direct the Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center (NCCIC) to provide state and local governments with technical information and strategies to protect their systems from cyberattacks originating outside the country. The second bill would pave the way for maritime ports to share information about cyberthreats. It was introduced after a hearing that addressed port security and the increased risk from cyberthreats that ports face.
-http://thehill.com/policy/national-security/259306-homeland-security-panel-oks-bills-to-help-states-ports-fight-hackers
CYBER FAIR PARTICIPANTS AND LINKS
High-end cyber talent fairs appear to be helping companies and agencies gain access to cyber people with strong skills. The fourth SANS CyberTalent Fair will be held online on Nov. 19:
-https://app.brazenconnect.com/events/SANS-cybertalent-fair-2
Fourteen employers have already signed up to host booths, including L-3 Communications, Booz Allen Hamilton, Solutionary, Stroz Friedberg, UnitedHealth Group, Juniper, the 780th MI Cyber Brigade, UPS, QVC, Kellogg, and several others. The Talent Fair is open to interested jobseekers as well as employers who have cyber vacancies. Please contact mshuftan@sans.org or visit
-https://app.brazenconnect.com/events/SANS-cybertalent-fair-2
for more information.
STORM CENTER TECH CORNER
Java Deserialization Vulnerability in commons-collections Framework
-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix
Latest PageFair Victim to Come Forward: The Economist
-http://www.economist.com/help/pagefair
Nigerian Government Web Site Compromised and Used For Phishing
-http://news.netcraft.com/archives/2015/11/05/nigerian-government-serving-up-fresh-phish.html
Certificate Transparency Status And Extensions
-https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/
-https://datatracker.ietf.org/doc/draft-ford-trans-witness/
End-to-End Measurement of Certificate Revocation in the Web's PKI
-https://web.stanford.edu/~aschulm/docs/imc15-revocation.pdf
Putty Vulnerability
-http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/