SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #98

December 18, 2015

TOP OF THE NEWS

Fixing the Cyber Talent Pipeline: Air Force's VetSuccess Finds Cyber Talent, Then Trains and Places Veterans In Civilian Cyber Workforce
US Agencies Face Deadline To Identify Primary Needs for Cybersecurity Personnel
FireEye Issues Emergency Alert and Patches Vulnerability
CISA Buried in Omnibus Bill

THE REST OF THE WEEK'S NEWS

Silver Shadow Cybersecurity Exercise Emphasizes International Cooperation
Non-Healthcare Companies Have Exposed Personal Health Information in Breaches
Android Malware Pretends to be RSA SecurID App
What MacKeeper Breach Means
Boston City Hall Target of DDoS
Payment Card Terminals Compromised at Some Colorado and California Safeway Stores
Seleznev Challenge Dismissed
Arrest in VTech Breach
Firefox 43
Committee Seeks Input on Draft Investigatory Powers Bill

STORM CENTER TECH CORNER


************************ Sponsored By Sophos ***************************

Advanced attacks are more coordinated than ever before. Now, with Sophos Security Heartbeat, your defenses can be too. Read this technical paper to learn how this unique capability shares intelligence in real time between your endpoints and your firewall, delivering smarter, better protection.
http://www.sans.org/info/182422

***************************************************************************

TRAINING UPDATE

--SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

--SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

--Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

--ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Fixing the Cyber Talent Pipeline: Air Force's VetSuccess Finds Cyber Talent, Then Trains and Places Veterans In Civilian Cyber Workforce (December 7, 2015)

Air Force Chief Master Sgt. Alexander Hall, 50th Network Operations Group superintendent, and Chief Master Sgt. Charles Campbell received a 2015 Difference Maker award for their VetSuccess initiative, which identifies veterans leaving the Air Force with aptitude for advanced cyber jobs, trains them using hands-on immersion courses, gets them certified, and places them in high-paying jobs.
-http://www.afspc.af.mil/news/story.asp?id=123464835
[Editor's Note (Paller): One of the veterans in the first cohort had offers for $30-$40,000 help desk jobs. He applied for VetSuccess, got in and did well in the training and certification exams. Now he is choosing among three offers in the $70,000 to $100,000 range. Guest Commentator (Max Shuftan, SANS Cyber Talent Program Director): One of the largest MSSPs is launching multiple customized VetSuccess cohorts in which talented candidates get extra training in that MSSP's specific processes - so they are ready to perform effectively on day one. Employers that have substantial demand for cybersecurity skills, and like the ideas of giving opportunities to America's veterans, can email mshuftan@sans.org for information and help. If it fits your priorities, also ask about the parallel program to find, train and place women with extraordinary cyber talent, coming out of college, that starts in February. ]

US Agencies Face Deadline To Identify Primary Needs for Cybersecurity Personnel (December 15, 2015)

US government agencies have until December 31, 2015, to inform the White House of the top five areas in which they do not have enough cybersecurity personnel. In April 2016, the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM) plan to publish a cybersecurity HR strategy for the government.
-http://www.nextgov.com/cybersecurity/2015/12/agencies-get-marching-orders-filling-major-cyber-talent-shortage/124520/?oref=ng-channeltopstory

[Editor's Note (Assante): It is time to be deliberate in the design of our future Cybersecurity workforce. I have found very few strategies that map job requisitions to goals or go beyond enhancing architectures and passive defenses. It is time to recognize the types of roles and skills necessary to mount a credible active defense to curb the damages stemming from unabated targeted attacks. (Murray): One fears that the agencies did not know the answer to the question and that they did not learn it in time to meet the deadline. (Paller): A blue-ribbon panel established by the Secretary of Homeland Security provided an authoritative list of the 10 critical roles where shortages are causing the most damage. Many agencies have bulked up on people in policy and compliance roles rather than in these "red zone" roles - with increasingly apparent catastrophic consequences. The critical roles are listed, along with task descriptions and consequences of not having enough skilled people, on page 7 of the Homeland Security Advisory Council report posted at
-https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final.pdf
]

FireEye Issues Emergency Alert and Patches Vulnerability (December 15, 16, and 17, 2015)

FireEye has patched a remote code execution flaw in a module in the NX, EX, AX, FX series of its products that could be exploited to gain access to the networks they monitor. The vulnerability could be exploited by sending a single maliciously crafted email to a network member. FireEye was alerted to the issue by Google's Project Zero.
-http://www.bankinfosecurity.com/fireeye-patches-flaw-found-by-google-a-8755
-http://arstechnica.com/security/2015/12/when-a-single-e-mail-gives-hackers-full-access-to-your-network/
-http://www.zdnet.com/article/googles-project-zero-uncovers-critical-flaw-in-fireeye-products/
-https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-rce-vulnerability.pdf
-http://www.theregister.co.uk/2015/12/16/fireeye_ultra_critical_flaw/
-http://www.computerworld.com/article/3015693/security/google-researchers-uncover-a-remote-execution-bug-in-fireeye-appliances.html

[Editor's Note (Ullrich): This is not a new problem. Not sure if anybody still remembers the "Witty Worm" (March 2004). It infected systems running ISS's "Black Ice" product. The problem was a bug in a parser for AOL IM traffic. The reason we have these products is to protect us from ubiquitous flaws in various file parsers. However, this comes at the cost of integrating these parsers into these devices, exposing them more than they were before. To do so, much thought should be given to the architecture of the device, properly isolating these vulnerable components. FireEye should not stop at fixing this flaw (there will be more; think about "Adobe Flash", just exposed at your perimeter). Instead, FireEye needs to seriously evaluate the architecture of its devices. A flaw in one component can now lead to the entire device being exposed. ]

CISA Buried in Omnibus Bill (December 16, 2015)

A version of the Cybersecurity Information Sharing Act (CISA) with most privacy protections eliminated has been incorporated into the omnibus bill, which is likely to pass as the bill comprises a large portion of funding for the federal government. As currently amended, CISA no longer requires companies to anonymize data they turn over to the government, and it broadens the scope of purposes for which the government may use the data.
-http://www.wired.com/2015/12/congress-slips-cisa-into-omnibus-bill-thats-sure-to-pass/
-http://www.theregister.co.uk/2015/12/16/congress_strips_out_privacy_protections_from_cisa_security_bill/

[Editor's Note (Murray): The sponsors of this pernicious legislation are not only committed but they are upping the ante. Instead of increasing transparency and accountability, what the community has been demanding, this bill reduces it. Under this legislation, enterprises and consumers will no longer be able to rely upon the good behavior of their ISPs. ]


************************** SPONSORED LINKS ********************************
1) Infosec Pros: Are your threat hunting efforts beneficial? Tell us in the new SANS Survey & enter to win $400 Amazon Gift Card. Thanks and Happy Holidays!! http://www.sans.org/info/182427

2) Don't Miss: Why You Need Application Security: Thursday, January 28 at 1:00 PM EDT (18:00:00 UTC) with Johannes Ullrich. http://www.sans.org/info/182432

3) Webcast: Threat Hunting. Tuesday, February 02 at 1:00 PM EST (18:00:00 UTC) featuring Rob Lee, Robert M. Lee, Luis Maldonado. http://www.sans.org/info/182437
***************************************************************************

THE REST OF THE WEEK'S NEWS

Silver Shadow Cybersecurity Exercise Emphasizes International Cooperation (December 16, 2015)

The Silver Shadow Cybersecurity exercise drew participants from law enforcement agencies in eight countries. The international exercise was undertaken to focus on "how investigators and prosecutors would work together in the event of a massive cyber-attack spanning many legal jurisdictions."
-http://www.scmagazine.com/nca-leads-international-cyber-crime-exercise-with-fbi-and-europol/article/460217/

Non-Healthcare Companies Have Exposed Personal Health Information in Breaches (December 16 and 17, 2015)

According to a study from Verizon, nearly 20 percent of breaches involving healthcare information are not detected for at least one year. This is due in part to the fact that some organizations outside the healthcare sector are unaware that they have healthcare data stored in their systems. Twenty percent of breaches involving health records involved privilege abuse.
-http://www.darkreading.com/analytics/90--of-industries-not-just-healthcare-have-disclosed-phi-in-breaches/d/d-id/1323535?
-http://www.theregister.co.uk/2015/12/16/verizon_health_breaches_survey/
[Editor's Note (Murray): Verizon is scrupulous about acknowledging the fact that this intelligence is drawn only from identified breaches and may be biased. That said, this is a very informative source. Most of the breaches that we are seeing might have been avoided or mitigated by following its recommendations. ]

Android Malware Pretends to be RSA SecurID App (December 16, 2015)

Newly reported malware targets people using mobile banking apps. It uses an Android SMS hijacker app disguised to look like an RSA SecurID app. The attack could be used to initiate fraudulent wire transactions.
-https://blogs.rsa.com/beware-of-greeks-bearing-mobile-app-downloads/

What MacKeeper Breach Means (December 16, 2015)

The discovery that MacKeeper customer information was publicly available has brought attention to the fact that there are other databases out there with the same security problem. The Shodan port-scanning service found more than 35,000 MongoDB servers that were not protected with passwords; in all, the unprotected servers expose 684.8 terabytes of data.
-http://www.eweek.com/security/mackeeper-leak-highlights-danger-of-misconfigured-databases.html
-http://www.computerworld.com/article/3016216/security/over-680tb-of-data-exposed-in-mongodb-databases.html

Boston City Hall Target of DDoS (December 16, 2015)

The Boston Herald reported that a distributed denial-of-service (DDoS) attack interrupted Internet service at Boston City Hall. The temporary outage affected all agencies in the city, including police and fire departments. Emergency systems remained unaffected.
-http://www.bostonherald.com/news/local_coverage/2015/12/officials_call_city_hall_cyberattack_minor

Payment Card Terminals Compromised at Some Colorado and California Safeway Stores (December 16, 2015)

Information from financial institutions indicates that payment card skimmers may have made their way onto terminals at checkout lanes at some Safeway stores in California and Colorado. The fraud patterns related to debit cards traced their use to certain lanes at Safeway stores.
-http://krebsonsecurity.com/2015/12/skimmers-found-at-some-calif-colo-safeways/
[Editor's Note (Ullrich): Overall, this year's holiday season seems to have less PoS compromise related news than last year's. Maybe stores are getting better at securing and monitoring terminals, or it is just "old news" now and no longer reported as much as it used to be. ]

Seleznev Challenge Dismissed (December 15, 2015)

Roman Seleznev has lost his bid to have charges against him for computer crimes dismissed. Seleznev allegedly broke into computer systems, stole credit card information, and sold it. Seleznev's lawyers had argued that federal agents violated US law when they arrested him in the Maldives.
-http://abcnews.go.com/US/wireStory/lawyers-prosecutors-make-closing-arguments-hacking-case-35777089

Arrest in VTech Breach (December 15, 2015)

Authorities in the UK have arrested a man in connection with the VTech breach. He is being held on suspicion of violating the Computer Misuse Act. The breach exposed personal information of more than 6.4 million children.
-http://www.zdnet.com/article/british-man-arrested-over-vtech-child-data-hack/
-http://www.theregister.co.uk/2015/12/15/vtech_hack_arrest/
-http://www.computerworld.com/article/3015226/security/uk-police-arrest-man-suspected-of-vtech-toy-hacking.html
-http://arstechnica.com/security/2015/12/man-arrested-in-toymaker-hack-says-he-wanted-to-expose-inadequate-security/

Firefox 43 (December 15 and 16, 2015)

On Tuesday, December 15, Mozilla released Firefox 43. The newest version of the browser includes expanded Tracking Protection; the feature now blocks trackers in embedded content as well as those found in advertisements and analytics. Firefox 43 addresses 16 vulnerabilities, including four rated critical. There is also now a 64-bit version of Firefox for Windows.
-http://www.eweek.com/security/mozilla-ups-security-tracking-protection-in-firefox-43.html
-http://www.theregister.co.uk/2015/12/16/mozilla_paints_firefox_43_in_windows_64bit/

Committee Seeks Input on Draft Investigatory Powers Bill (December 8, 2015)

The Joint Committee on the Draft Investigatory Powers Bill was appointed by the two Houses of Parliament in the UK to explore key issues raised by the proposed legislation. The committee sought input from "interested individuals and organisations." Written evidence will be accepted through December 21, 2015.
-http://policy.bcs.org/consultations/joint-committee-draft-investigatory-powers-bill
-http://www.parliament.uk/documents/joint-committees/draft-investigatory-powers-bill/ipb-call-for-evidence.pdf/


STORM CENTER TECH CORNER

Security Management vs. Chaos: Understanding the Butterfly Effect to Manage Outcomes and Reduce Chaos
-https://isc.sans.edu/forums/diary/Security+Management+vs+Chaos+Understanding+the+Butterfly+Effect+to+Manage+Outcomes+Reduce+Chaos/20495/

Fingerbank Device Fingerprint Database
-http://www.fingerbank.org

FireEye Exploitation
-http://googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-zeros.html

BIND 9.x Vulnerability
-https://kb.isc.org/article/AA-01317/

Cisco Offering Vulnerability Information via Open API
-https://developer.cisco.com/site/PSIRT/

Configuring a Plausible Sandbox
-https://isc.sans.edu/forums/diary/Playing+With+Sandboxes+Like+a+Boss/20501/

Grub2 Exploit
-http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html#exploit

Outlook Exploit
-https://0b3dcaf9-a-62cb3a1a-s-sites.googlegroups.com/site/zerodayresearch/BadWinmail.pdf

When Hunting BeEF, Yara Rules (Part 2)
-https://isc.sans.edu/forums/diary/When+Hunting+BeEF+Yara+rules+Part+2/20505/

Juniper Security Announcement
-http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
-http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST

F-Secure Open Sources "Sandbox Execution Environment"
-https://pypi.python.org/pypi/python-see

Researcher Claims Foul Play By Instagram Over Bug Bounty
-http://exfiltrated.com/research-Instagram-RCE.php


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/