SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #26
April 01, 2014
TOP OF THE NEWSUS Defense Dept. Plans to Build Cyber Security Force From Within Ranks
DHS Wants Hiring Flexibility to Attract Cybersecurity Talent
Banks Withdraw Target Class Action Lawsuit
Lawsuit Naming Target Auditor Holds Potential to Address Concerns About Security Standards
THE REST OF THE WEEK'S NEWSResearchers Say Mt. Gox's Woes Might Not Have Been Caused by Transaction Malleability Flaw
Bitcoin Employees Were Concerned About Company's Financial Practices
Microsoft Anti-Virus Scammer Gets Suspended Sentence
Seventeen Indicted in ATM Skimming Scheme
DOJ Seeks to Expand Authority to Break Into Computers Remotely
US Law Enforcement Notified 3,000 Companies of Breaches Last Year
Towson University Wins Regional Collegiate Cyber Security Competition
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
************************** Sponsored By Symantec **************************
In 2013, data breaches hit businesses hard. The end of last year provided a painful reminder that everyday cyber-crime remains, and threats from adversaries continue to target businesses and consumers. Join us for the 2014 Symantec Internet Security Threat Report Webcast. You'll learn more about important key trends to help keep you and your organization safe.
- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
- --SANS Pen Test BerlinBerlin, GermanyJune 15-21, 2014 6 courses.
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Munich, Austin, Malaysia, and London all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
US Defense Dept. Plans to Build Cyber Security Force From Within Ranks (March 28, 2014)Noting that, "Our nation's reliance on cyberspace outpaces our cybersecurity," Defense Secretary Chuck Hagel says the size of the DOD's cyber warfare corps needs to increase significantly; he expects it to surpass 6,000 people by 2016. DOD is looking to build up its cyber security forces from within its own ranks. Hagel was speaking at the retirement ceremony for General Keith Alexander, who is stepping down from his dual positions of NSA chief and head of DOD's Cyber Command.
[Editor's Note (Murray): Myth to the contrary notwithstanding, SANS has demonstrated that our knowledge, skills, and abilities are teachable and learnable. The DoD has a huge pool of talent and has demonstrated its ability to identify, deploy, train, and exploit talent to meet its needs. As in aviation and other specialties, the military may be a source for trained security personnel for industry.
(Northcutt): To make this work, they will need that rare combination of someone that really knows their stuff AND has the ability to make bits and bytes interesting. These people exist; they exist in DoD. However, if we can't give them a career path and pay them what they are worth, they will leave. As I understand it, the Israelis are able to train from within even with a constant turnover of young men and women doing their time of service. In fact, they are now starting to export cybersecurity expertise. ]
DHS Wants Hiring Flexibility to Attract Cybersecurity Talent (March 26, 2014)The US Department of Homeland Security is asking Congress for help with its mission to attract and retain top cyber security talent. DHS undersecretary for cybersecurity Phyllis Schneck asked the Senate Homeland Security and Governmental Affairs Committee for flexibility to offer competitive compensation. The government is not currently able to compete with salaries offered in private industry.
[Editor's Note (Henry): Attracting, recruiting, and maintaining the "best and brightest" is a continuing challenge, and I see an increased movement in personnel from the government to the private sector. While compensation is certainly an important consideration, I've seen increasing frustration by some government employees with bureaucracy and concern that they are having a real impact. One tremendous benefit the government historically offered was "job security," but that, too, is threatened by government budget woes and last year's sequestration.
(Murray): Sometimes it is cheaper to build than to buy. Compare to DoD. ]
Banks Withdraw Target Class Action Lawsuit (March 31, 2014)Trustmark National Bank has withdrawn from the class action lawsuit it filed along with Green Bank against Target and Trustwave, the company that certified Target's PCI DSS compliance. Green Bank has now also dismissed its claims related to the lawsuit. The decisions to dismiss the claims may have been prompted by revelations that some of the assumptions made in the lawsuit's assertions are erroneous.
[Editor's Note (Murray): The bad news is that this decreases the possibility that we will ever learn what really happened. ]
Lawsuit Naming Target Auditor Holds Potential to Address Concerns About Security Standards (March 28, 2014)One of the lawsuits filed in the wake of the Target breach named Trustwave, a company that certified Target's systems as compliant with the payment card industry data security standard (PCI DSS) several months prior to the breach, as a defendant. The lawsuit alleged that Trustwave failed to detect issues that could have prevented the massive breach. While several of the lawsuits assertions are erroneous it also "gets at the core of a problem that has gone unresolved for years" - that the externally imposed security standards and audits do not work. (Editorial comment: The banks that brought the suit originally have both dismissed their claims. See story above.)
[Editor's Note (Murray): Compliance does not make one "breach proof" and a breach is not "proof of non-compliance." PCI DSS was never intended, and never claimed, to make merchants "breach proof." Rather they were intended to reduce the risk to the system by addressing widely prevalent vulnerabilities. The Target breach is much more about the fundamental weakness in the system, fraudulent reuse of card numbers, than it is about a failure of PCI DSS. ]
************************** Sponsored Links: ******************************
1) The number of cyber attacks against midsize companies has doubled in the last year. And cost per employee is more than three times that of larger companies. While midsize companies often lack the sophisticated defenses of large enterprises, many fail to recognize their vulnerability and are overconfident in their ability to spot and counter threats. http://www.sans.org/info/156010
2) Want to combat advanced threats and zero-day attacks? A new approach is needed - Download the report! http://www.sans.org/info/156015
3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
THE REST OF THE WEEK'S NEWS
Researchers Say Mt. Gox's Woes Might Not Have Been Caused by Transaction Malleability Flaw (March 31, 2014)Researchers from the Distributed Computing Group at the Swiss Federal Institute of Technology in Zurich have published a paper suggesting that Mt. Gox's financial woes were not due to attackers exploiting a transaction malleability vulnerability. Just over 1,800 bitcoins were involved in transaction malleability attacks before Mt. Gox ceased allowing withdrawals.
Bitcoin Employees Were Concerned About Company's Financial Practices (March 29 & 31, 2014)Two years before bitcoin exchange Mt. Gox filed for bankruptcy protection, employees at the Tokyo company approached CEO Mark Karpeles with concerns about mishandled client funds. Unnamed current and former employees suspected that client funds were being used for operating costs. At the time, Karpeles reportedly denied that client funds were being used to cover business expenses, but declined to explain how the company was covering operating costs.
Microsoft Anti-Virus Scammer Gets Suspended Sentence (March 31, 2014)A UK court has given Mohammed Khalid Jamil a four-month jail sentence, suspended for one year, for running a scheme that tricked people into paying for free antivirus programs. Jamil hired people at a call center to tell victims that they worked for Microsoft and needed remote access to their computers. Once the access was granted, the victims' computers were compromised and the caller offered to sell them software to fix the problem for between GBP 35 and GBP 150 (US $58 - US $250). The products were available from Microsoft at no cost. Jamil was also ordered to pay a fine of GBP 5,000 (US $8,330) as well as about GBP 20,000 (US $33,300) in compensation and prosecution costs.
[Editor's Note (Murray): The prosecutors must be very disappointed in this Phyrric victory. This kind of sentencing encourages, rather than discourages, computer related crime. ]
CERT-UK Launched (March 31, 2014)The UK has launched its Computer Emergency Response Team (CERT-UK). The organization is part of the UK's National Cyber Security Strategy, and aims to help both the public and the private sector. The organization will oversee the coordination of national cyber security incidents.
[Editor's Note (Honan): Congrats to all involved and best of luck in what is a vital role, not just to make the UK Internet space safer but to make the Internet safer for us all.
(Shpantzer): "Oversee coordination" is code for "has no authority" in many cases. Seller beware. ]
Seventeen Indicted in ATM Skimming Scheme (March 28, 2014)Seventeen people have been indicted in connection with an ATM skimming scheme that netted a quarter of a million dollars. The ATM card information was stolen in Europe. It was used to manufacture phony cards, which were used at ATMs in the Chicago area.
DOJ Seeks to Expand Authority to Break Into Computers Remotely (March 27, 2014)The US Department of Justice (DOJ) is seeking to broaden its authority to break into suspects' computers. DOJ has proposed changes to federal court rules about search warrants to allow them to cover computers in unknown locations or outside certain judicial districts, and for cases in which the targeted computer is part of a larger network of computers that spans multiple jurisdictions.
[Editor's Note (Murray): The obvious appeal of such warrants is that they need not be disclosed to the target. This is a place where the government should be required to demonstrate that this is "the least intrusive means," We would not want such warrants to be used for "fishing expeditions." ]
US Law Enforcement Notified 3,000 Companies of Breaches Last Year (March 24 & 26, 2014)Last year, US law enforcement agents notified more than 3,000 companies in the US that their computer networks had been breached. The FBI, the Secret Service, and other law enforcement agencies made two-thirds of the notifications in person or by phone. The agencies know about the breaches before the victims because they infiltrate criminal forums and have access to information not available to companies.
[Editor's Note (Henry): I am glad to see increased victim notification by the government. While it's been done for many years, often times victims are provided with little more than "you've been breached, and that's all we can tell you." What companies need is increased sharing of "actionable" intelligence IN ADVANCE of the breach, so they can better protect themselves. While this is not criticism of law enforcement...they are providing what they're currently legally able to share...the USG needs to change its practices and separate much of the data they currently "classify" so companies can implement it into their security programs.
(Shpantzer): This kind of threat intelligence is no longer the sole province of law enforcement. As Marcus Ranum noted during the RSA conference, 'threat intelligence' is kind of a big deal (all kidding aside):
Towson University Wins Regional Collegiate Cyber Security Competition (March 31, 2014)Johns Hopkins University Applied Physics Laboratory hosted the Mid-Atlantic Collegiate Cyber Defense Competition on March 26-29, 2014. The competition's scenario saw eight collegiate teams setting up a network of first responders during a powerful blizzard while defending those networks against attacks from a Red Team of professionals. The competition was designed to set up situations with unrealistic expectations for the participants. The Towson University team was declared the winner and will move on to national championship at the end of April in Texas.
[Editor's Note (Shpantzer): Of all the colleges and universities in this .edu-dense region, much respect to Towson for taking the competition. ]
STORM CENTER TECH CORNERMalware recovered from DVRs responsible for some of the Synology Scans
Hacking Tesla Cars
Bypassing Same Origin Policy via Wildcard DNS
Port 5000 Update: DVR scanning for Synology NAS
Philips TV WiFi Weakness
Federal Trade Commission Sanctions Fendango, Credit Karma, over failure to use SSL in Mobile Apps
CACert Removed From Trusted SSL CA Store in Debian Linux
Turkey Hijacking Networks for DNS Providers and Others
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/