SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #84

October 21, 2016

TOP OF THE NEWS

How To Attract and Retain 'Cyber Ninjas': High Pay Is Not the Top Requirement
NSA Contractor Allegedly Stole 50 Terabytes of Data
FedRAMP Improvements
US Bank Regulators Seek Comment on Draft Cybersecurity Standards

THE REST OF THE WEEK'S NEWS

Talos's New Tool Protects Windows Master Boot Records from Modification
Yahoo Wants Surveillance Order Declassified
India Payment Card Data Breach
Linux Kernel "Dirty COW" Vulnerability
St. Jude Medical to Create Cybersecurity Advisory Board; Muddy Waters Releases More Vulnerability Allegations
LinkedIn Breach Suspect Arrested in Czechia
Intel Chip Flaw Lets Attackers Bypass ASLR
Oracle Security Updates Fixes More than 250 Flaws

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By AlienVault ************************

Get expert tips on network incident response. Download our free eBook "Insider's Guide to Incident Response" to learn best practices, procedures, tools and training tips. http://www.sans.org/info/189287

***************************************************************************

TRAINING UPDATE

--Pen Test HackFest Summit & Training | Crystal City, VA | November 2-9, 2016
https://www.sans.org/event/pen-test-hackfest-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia |
https://www.sans.org/event/sydney-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

***************************************************************************

---

TOP OF THE NEWS

How To Attract and Retain 'Cyber Ninjas': High Pay Is Not the Top Requirement(October 19, 2016)

For seasoned cybersecurity professionals, motivation for sticking with their current jobs doesn't mean big management promotions or higher salaries, a new Center for Strategic and International Studies (CSIS) report finds. Skilled cybersecurity professionals most value a position that includes challenging work with plenty of variety, regular access to advanced training and career development, and where they work alongside similarly highly-skilled security pros. These are the professionals in high demand who have the skills to excel at penetration testing, network and event analysis, digital forensics, and secure coding.


[Editor Comments ]



[Skoudis ]
This report is vital reading for anyone who manages technical talent in the cyber security realm. It provides a lot of insights into how to incentivize skilled practitioners, helping readers attract and retain these extremely valuable individuals to their organizations. It's good stuff!

Read more in:

Dark Reading: 'Kevin Durant Effect': What Skilled Cybersecurity Pros Want
-http://www.darkreading.com/vulnerabilities---threats/kevin-durant-effect--what-s
killed-cybersecurity-pros-want-/d/d-id/1327215?ngAction=register

CSO: Cybersecurity 'ninjas' value challenges, training and flexible schedules over pay
-http://www.csoonline.com/article/3132416/it-careers/cybersecurity-ninjas-value-c
hallenges-training-and-flexible-schedules-over-pay.html

The Report: CSIS: Recruiting and Retaining Cybersecurity Ninjas (PDF)
-https://csis-prod.s3.amazonaws.com/s3fs-public/publication/161011_Reeder_CyberSe
curityNinjas_Web.pdf

NSA Contractor Allegedly Stole 50 Terabytes of Data (October 20, 2016)

Harold T. Martin III, the former NSA contractor who allegedly stole documents, computers, and data storage devices from the agency also allegedly stole more than 50 terabytes of data from government computers over a period of 20 years, according to the US Department of Justice (DoJ). On Friday, October 21, federal prosecutors are expected to charge Martin with violating the Espionage Act.


[Editor Comments ]



[Williams ]
The court filings say the government recovered 50TB of media from Martin's residence, not that he stole 50TB of data. Many news organizations have erroneously made the leap that all of this is sensitive data, but that fact has not been disclosed in court filings. Three extremely disturbing facts were revealed in the court filings. First, Martin took hand written notes on printed classified documents that appear to have been explaining the context of the documents to an outsider. Second, forensic artifacts suggest he communicated in Russian language on his computer. Finally, investigators recovered a letter Martin wrote in 2007 to his coworkers which makes him appear extremely disgruntled. All of these items seem to bolster the government's case for pretrial confinement.

Read more in:

The Washington Post: Government alleges former NSA contractor stole 'astonishing quantity' of classified data over 20 years
-https://www.washingtonpost.com/world/national-security/government-alleges-massiv
e-theft-by-nsa-contractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.
html

Ars Technica: Feds: NSA contractor stole at least 50TB worth of highly classified data
-http://arstechnica.com/tech-policy/2016/10/feds-nsa-contractor-stole-at-least-50
tb-worth-of-highly-classified-data/

ZDNet: Prosecutors say contractor stole 50 terabytes of NSA data
-http://www.zdnet.com/article/contractor-allegedly-steals-50-terabytes-of-nsa-dat
a/

eWeek: NSA Contractor Committed 'Breathtaking' Thefts, DOJ Alleges
-http://www.eweek.com/security/nsa-contractor-committed-breathtaking-thefts-doj-a
lleges.html

FedRAMP Improvements (October 20, 2016)

FedRAMP (the Federal Risk Authorization and Management Program) has streamlined the process cloud services companies must go through to be approved, which has increased the number of authorized services. FedRAMP has also implemented a new dashboard that is easier for federal agencies to use.


[Editor Comments ]



[Pescatore ]
There are something like 22 million federal, state and local employees and there are now something like 8M users of Microsoft and Google FedRAMP certified government cloud services - 36% penetration already. That should mean that a lot of wasted spending on Certifying and Accrediting the systems replaced by cloud services will not be required 3 years from now - and should instead be focused on making other government systems more secure.

Read more in:

FederalNewsRadio: FedRAMP overhaul begins paying dividends
-http://federalnewsradio.com/cloud-computing/2016/10/fedramp-overhaul-begins-payi
ng-dividends/

US Bank Regulators Seek Comment on Draft Cybersecurity Standards (October 19, 2016)

The US Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation have released draft proposed cybersecurity standards for the country's large, interconnected banks and third-party services provided to those banks. Comments will be accepted through January 17, 2017.


[Editor Comments ]



[Pescatore ]
The proposed regulations aren't really cybersecurity standards, they are all about risk reporting - with a few nuggets of security improvement scattered about. The document admits "the agencies are not aware of any consistent methodologies to measure cyber risk across the financial sector using specific cyber risk management objectives" but essentially is looking at requiring risk measurement in a variety of forms and levels anyway. I would hate to see those same "risk" models that contributed to the last financial meltdown being used to produce similarly useless cybersecurity risk reports.


[Honan ]
Maybe I am getting older and more cynical but why are various groups around the world coming up with their own security standards? There are already a number of excellent resources available such as the SANs Critical Controls which is every organisation followed it would significantly raise the cybersecurity bar.

Read more in:

Reuters: U.S, calls on banks to secure set higher cyber security standards
-http://www.reuters.com/article/us-usa-banks-cyber-idUSKCN12J1Q6

FCW: Bank regulators mull new cyber standards
-https://fcw.com/articles/2016/10/20/banks-cyber-regulations.aspx

Federal Reserve: Enhanced Cyber Risk Management Standards (PDF)
-https://www.federalreserve.gov/newsevents/press/bcreg/bcreg20161019a1.pdf

---

*************************** SPONSORED LINKS ********************************

1) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/189292

2) Threat Intelligence & Ransomware: Hot Topics of 2016! Check out the NEW! "SANS Security Insights" blog for more info: http://www.sans.org/info/189297

3) Is there a gap between cyber security and IR functions? Take the SANS 2016 Security Optimization Survey: http://www.sans.org/info/189302

******************************************************************************

---

THE REST OF THE WEEK'S NEWS

Yahoo Wants Surveillance Order Declassified (October 20, 2016)

Yahoo has asked the US Director of National Intelligence to declassify the order demanding that the company build a tool that could scan all incoming email for certain phrases. Yahoo cannot disclose any information about the FISA demand due to an accompanying gag order.

Read more in:

SC Magazine: Yahoo asks feds to declassify surveillance demand
-http://www.scmagazine.com/yahoo-asks-feds-to-declassify-surveillance-demand/arti
cle/567199/

Ars Technica: Yahoo "demands" feds confirm mass snooping order "if it exists"
-http://arstechnica.com/tech-policy/2016/10/yahoo-demands-feds-confirm-secret-mas
s-snooping-order-if-it-exists/

Yahoo: Letter to DNI Director James Clapper (PDF)
-https://s.yimg.com/ge/lg/Letter.pdf

India Payment Card Data Breach (October 20, 2016)

A security breach in India has compromised as many as 3.2 million payment cards. The data-stealing malware infected the Hitachi Payment Services platform, which is used in ATMs and point-of-sale (POS) systems. The malware allegedly affected 19 banks as well as the Visa and Mastercard card networks. Some victims have reported that their cards are being used fraudulently in China. Banks are replacing compromised cards and asking customers to change their security codes.

Read more in:

ZDNet: India experiences catastrophic cyberattack, 3.2 million debit card account details stolen
-http://www.zdnet.com/article/india-experiences-catastrophic-cyberattack-with-the
ft-of-3-2-million-debit-cards-account-details/

SC Magazine: 3.2M payment cards affected in massive POS breach
-http://www.scmagazine.com/millions-affected-in-one-of-biggest-financial-breaches
-to-hit-india/article/567203/

The Register: Three million debit cards at risk after hackers raid Indian payment systems
-http://www.theregister.co.uk/2016/10/20/indian_banks_fear_3m_debit_cards_at_risk
/

Linux Kernel "Dirty COW" Vulnerability (October 20 & 21, 2016)

Linux users are being urged to patch servers to fix a vulnerability known as "Dirty COW." The privilege elevation flaw is caused by "a race condition ... in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings." Linux vendor Red Hat says that the flaw is being actively exploited. The flaw has been present in the Linux kernel since 2007, and is trivial go exploit. Linus Torvalds acknowledged that he tried, unsuccessfully, to fix the problem more than 10 years ago.


[Editor Comments ]



[Ullrich ]
This is a privilege escalation vulnerability that was introduced in Linux about 11 years ago. An exploit has been used in some attacks to take advantage of this vulnerability, but the exploit has not been made public yet. Systems based on RedHat ES 5 and 6, which are vulnerable, appear to be not susceptible to the exploit as this particular exploit requires write access to /proc/self/mem. Given that this exploit requires user access, and the actual exploit is only in limited distribution (but this may change soon), "branding" this exploit is hyping a minor and common vulnerability and only serves to distract administrators from more important tasks. Deal with patches for this vulnerability like you would deal with any other kernel patch.


[Williams ]
Ironically, this bug was introduced while fixing a different copy on write (COW) vulnerability. That this vulnerability remained undiscovered for 10 years speaks to the complexity of the Linux kernel. It also challenges the notion that open source makes bugs easy to find. Open source makes certain classes of bugs (such as buffer overflows) easier to audit for, but bugs such as this logic error leading to a race condition are difficult to discover through source code auditing. Open source doesn't automatically imply safe software.

Read more in:

The Register: Dirty COW explained: get a moooo-ve on and patch Linux root hole
-http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/

V3: Linux users urged to protect against 'Dirty COW' security flaw
-http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirt
y-cow-security-flaw

RedHat: Advisory
-https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

St. Jude Medical to Create Cybersecurity Advisory Board; Muddy Waters Releases More Vulnerability Allegations (October 19, 2016)

St. Jude Medical says it plans to establish an advisory board to focus on cybersecurity issues affecting its devices and the patients who use them. The US Food and Drug Administration (FDA) is investigating allegations made by investment company Muddy Waters Capital and research company MedSec Holdings that certain St. Jude devices contain vulnerabilities that could be exploited to cause harm to patients. Muddy Waters has renewed its efforts to discredit St. Jude, releasing additional information regarding alleged flaws in St. Jude devices.


[Editor Comments ]



[Pescatore ]
More care provider focus on cybersecurity in healthcare is a good thing. The first step should be requiring all medical device procurements to have simple and proven clauses to require device manufacturers to demonstrate they meet already agreed upon levels of basic security hygiene.

Read more in:

Reuters: St. Jude forms cyber panel after claims of heart-device bugs
-http://www.reuters.com/article/us-st-jude-medical-cyber-idUSKBN12H286

Bloomberg: St. Jude Faces New Safety Charges From Muddy Waters Capital
-http://www.bloomberg.com/news/articles/2016-10-19/st-jude-faces-new-safety-charg
es-from-muddy-waters-capital

Dark Reading: Muddy Waters Releases New Info About St. Jude Medical Device Flaws
-http://www.darkreading.com/iot/muddy-waters-releases-new-info-about-st-jude-medi
cal-device-flaws/d/d-id/1327223

Reuters: BRIEF-St. Jude says Muddy Waters misleading patients for own financial gain
-http://www.reuters.com/article/idUSL1N1CP0IH

LinkedIn Breach Suspect Arrested in Czechia (October 19, 2016)

Police in Czechia have arrested a Russian man who is believed to have had a role in the 2012 LinkedIn breach that led to the theft of more than 117 million user passwords. The man's arrest was the result of a coordinated effort between Czech police and the FBI. No decision has been made yet regarding extradition.


[Editor Comments ]



[Honan ]
A nice reminder to criminals that Law Enforcement are in this for the long haul and will wait for you to make a mistake or to visit somewhere they can get you.

Read more in:

Christian Science Monitor: International cooperation helped nab Russian hacker in Czech Republic
-http://www.csmonitor.com/Technology/2016/1019/International-cooperation-helped-n
ab-Russian-hacker-in-Czech-Republic

Ars Technica: LinkedIn says hacking suspect is tied to breach that stole 117M passwords
-http://arstechnica.com/tech-policy/2016/10/linkedin-says-hacking-suspect-is-tied
-to-breach-that-stole-117m-passwords/

Computerworld: Czech police nab Russian hacker suspected of targeting U.S.
-http://computerworld.com/article/3131943/security/czech-police-nab-russian-hacke
r-suspected-of-targeting-us.html

ZDNet: Feds catch hacker allegedly responsible for LinkedIn hack
-http://www.zdnet.com/article/feds-catch-hacker-allegedly-responsible-for-linkedi
n-hack/

Intel Chip Flaw Lets Attackers Bypass ASLR (October 19 & 20, 2016)

A flaw in Intel's Haswell CPUs could be exploited to circumvent address space layout randomization (ASLR). The proof-of-concept exploit was presented at the IEEE/ACM International Symposium on Microarchitecture in Taipei earlier this week. ASLR randomizes memory addresses of certain operating system processes to defend against attackers' attempts to inject malicious code.


[Editor Comments ]



[Williams ]
ASLR only protects against remote exploits, but does nothing to prevent local exploits or privilege escalation on Windows. Still, this novel technique for bypassing ASLR (therefore making remote exploits more reliable) is likely to fuel research into branch prediction algorithms on other hardware models.

Read more in:

The Register: Boffins exploit Intel CPU weakness to run rings around code defenses
-http://www.theregister.co.uk/2016/10/20/aslr_bypass_hardware_hack/

Ars Technica: Flaw in Intel chips could make malware attacks more potent
-http://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-a
ttacks-more-potent/

Computerworld: Flaw in Intel CPUs could help attackers defeat ASLR exploit defense
-http://computerworld.com/article/3131975/security/flaw-in-intel-cpus-could-help-
attackers-defeat-aslr-exploit-defense.html

Oracle Security Updates Fixes More than 250 Flaws (October 19, 2016)

Oracle has released a batch of security updates for a variety of products. In all, the updates address 253 vulnerabilities in 76 products. Fifteen of the vulnerabilities are rated critical.


[Editor Comments ]



[Skoudis ]
Wow!

Read more in:

Computerworld: Oracle fixes 100s of vulnerabilities that put enterprise data at risk
-http://computerworld.com/article/3131932/security/oracle-fixes-100s-of-vulnerabi
lities-that-put-enterprise-data-at-risk.html

SC Magazine: Oracle issues large batch of updates
-http://www.scmagazine.com/oracles-issues-large-batch-of-updates/article/566725/

---

INTERNET STORM CENTER TECH CORNER

SSL Client Hellos Soliciting SSH Banners from HAProxy
-https://isc.sans.edu/forums/diary/OpenSSH+Protocol+Mismatch+In+Response+to+SSL+C
lient+Hello/21609/

Dyre is Back as Trickbot
-http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html

How Stolen iPhones Are Unlocked
-https://www.linkedin.com/pulse/sin-card-how-criminals-unlocked-stolen-iphone-6s-
renato-marinho?trk=pulse_spock-articles

Spam Delivered Via .ICS Files
-https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/

Comodo OCR Errors Leads to SSL Certificate Verification Issues
-https://heise.de/-3354229
(german only)

Oracle Quarterly Critical Patch Update
-http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Images Used to Exfiltrate CC Numbers From Web Stores
-https://blog.sucuri.net/2016/10/magento-credit-card-swiper-exports-image.html

NanoCore RAT Malspam Update
-https://isc.sans.edu/forums/diary/Malspam+delivers+NanoCore+RAT/21615/

Dirty Cow Privilege Escalation Flaw
-https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

Lexmark Markvision Enterprise Application Vulnerability
-https://www.digitaldefense.com/blog-zero-day-lexmark-markvision/

WebRTC Security Overview
-https://webrtc-security.github.io

UPnP Scanner
-https://www.tenable.com/blog/do-you-know-where-your-upnp-is

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create