SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #46
June 10, 2016
Why are some employers better places to work for security people? What are the key characteristics of organizations that are great places to work for cybersecurity practitioners with hard-to-find skills (like advanced forensics, incident response, intrusion analysis, reverse engineering, secure coding, security architecture/engineering, continuous monitoring and log analysis, application penetration testing and more)? SANS is partnering with the Center for Strategic and International Studies to try to find authoritative answers to why some employers are so much better than others. The goal is to help employers learn what they can do to be more successful in recruiting, nurturing and retaining these critically important cyber ninjas. If you are one of those people, please help by answering a few questions before next Wednesday. The survey is posted at http://cyberninjas.csis.org/
TOP OF THE NEWS
US Cyber Command Has Difficulty Retaining Cybersecurity Talent
Singapore to Ban Civil Servants' Access to Internet on Work Computers
Federal Regulators Warn Banks of Possible Cybertheft Threat
University of Calgary Pays Up in Ransomware Attack
THE REST OF THE WEEK'S NEWS
Arbitrary Code Execution Flaw in Chrome's PDF Reader
Morgan Stanley to Pay US $1 Million Fine for Failure to Protect Customer Data
Bruce Schneier on the Internet of Things
Wendy's Breach Likely Larger Than Earlier Reports Suggested
Firefox Updated to Version 47
IRS Relaunches Get Transcript with Enhanced Security
Winners of SANS Boston Judy Novak PCAP Puzzle #2 Announced.
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By Sophos Inc. ***********************
Next-Gen Endpoint Protection Explained: with APTs on the rise organizations are looking for next-gen endpoint solutions to protect users and devices. But with many vendors claiming to offer next-gen solutions, it can be difficult to separate 'must have' features from the merely average. Find out what you need to keep your systems secure.
--SANSFIRE 2016 | Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center. 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
--Industrial Control Systems Security Training | Houston, TX | July 25-30 | Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
--Looking for training in your own community?
Community - http://www.sans.org/u/Xj
--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy
Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI
TOP OF THE NEWS
US Cyber Command Has Difficulty Retaining Cybersecurity Talent (June 7, 2016)
Although recruiting talented cybersecurity specialists is a top priority at US Cyber Command, the organization is having trouble attracting and retaining qualified personnel, due in some part to the compensation discrepancy between the public and private sectors. Major General Paul Nakasone, commander of the US Cyber Command's National Mission Force, said, "The near-term challenge we must address is keeping the already high level of trained, talented personnel on our teams."
[Editor's Note (Murray): Personnel development and retention is much more efficient than recruiting and indoctrination. (Paller) To identify employer characteristics that make cyber talent want to stay, CSIS and SANS launched a survey of the people who know: the cyber ninjas. If you are one, go to
Singapore to Ban Civil Servants' Access to Internet on Work Computers (June 9, 2016)
In an attempt to protect the Singapore government's servers from malware and prevent email and document leaks, Singapore will ban its civil servants from most Internet access at work. The initiative was piloted at the country's Information Development Authority earlier this spring and is expected to be fully adopted in May 2017. Civil servants who require Internet use will have access to Internet terminals. They will also be able to access the Internet with their personal devices while at work.
[Editor's Note (Williams): I anticipate this will lead to increased tethering of government laptops to personal cell phones to bypass the policy. When employees tether from personal devices (and they will find a way), the organization loses visibility into user activity and protections of proxies and content inspection firewalls that may be deployed. ]
Federal Regulators Warn Banks of Possible Cybertheft Threat (June 7, 2016)
US banking regulators are urging banks to examine their systems for signs of cyberattacks in the wake of the US $81 million theft from the Bangladesh central bank earlier this year. Banks were specifically told to review their risk management procedures and controls for payment systems networks.
[Editor's Note (Murray): The creation of the capability used at the Bangladesh Central Bank was not trivial. It included enough special knowledge and privilege to suggest insider involvement. It might not be easily replicated at other banks. Please do not bet on it. One historical defense against this kind of fraud has been the difficulty of getting the proceeds out of the banking system (Mark Stanley Rifkin bought diamonds; legend has it from agents of the KGB who shopped him to the FBI.) As anonymous digital currency facilitates extortion, it also helps with fraud cash out. ]
University of Calgary Pays Up in Ransomware Attack (June 7 and 8, 2016)
The University of Calgary has paid CAD $20,000 (US $15,700) to regain access to encrypted data after its systems became infected with ransomware. The attack affected more than 100 computers. The university paid the ransom a week after the initial infection. The university's vice-president of finances and services said the school decided to pay the ransom to "protect the quality and the nature of the information we generate at the university."
[Editor's Note (Murray): "Nice people do not pay extortion." That said, these sleaze bags have studied Price Theory and are very good at pricing. Anonymous digital currency (e.g., Bitcoin) has made extortion into a low risk crime. This article in MIT Technology Review suggests that businesses are stockpiling such currency in anticipation of paying extortion. Note that using your computer to hide your data from you requires the ability to install arbitrary programs on your computer and "write" access privileges to your data. (Paller): Nice people do pay extortion when the perceived business benefits outweigh the costs. (Williams): I recommend that victims pay immediately before the attackers realize they have deep pockets on the hook. Increasingly large ransom demands like we see here are usually observed only when the attackers realize they have hooked a whale. Still, $15,700 USD is a small price to pay compared to the business loss incurred while the data is held hostage. ]
*************************** SPONSORED LINKS *****************************
1) Warning: Email may be Hazardous to your business. Wednesday, June 15th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Devenyns. http://www.sans.org/info/186577
2) Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey. Tuesday, June 21st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins, Benjamin Wright, David Bradford and Julian Waits. http://www.sans.org/info/186582
3) Take the SANS 2016 Breach Prevention Survey and enter to win $400 Amazon gift certificate! http://www.sans.org/info/186587
THE REST OF THE WEEK'S NEWS
Arbitrary Code Execution Flaw in Chrome's PDF Reader (June 9, 2016)
A heap buffer overflow in Google's Chrome browser could be exploited to execute arbitrary code. The flaw lies in Chrome's default PDF reader, PDFium. Google fixed the problem within six days of being notified.
[Editor's Note (Ullrich): The issue with PDF is less Adobe's implementation of PDF Reader than the specification, which is very difficult to implement securely. PDFs are really a mix of various other difficult-to-parse file formats, and if one of the parsers for any of the formats (like in this case JPEG2000) is vulnerable, the entire PDF pyramid falls. ]
Morgan Stanley to Pay US $1 Million Fine for Failure to Protect Customer Data (June 8 and 9, 2016)
Morgan Stanley will pay a US $1 million fine for violating the Safeguards Rule. The bank "failed to adopt written policies and procedures reasonably designed to protect customer data," which allowed a former employee to transfer client information to a computer at his home. A third party later accessed that computer and the data were offered for sale on the Internet.
[Editor's Note (Pescatore): Good to see the SEC join the FTC in using existing laws to punish companies that don't live up to basic security hygiene. Even better, this action wasn't just about written policy - Morgan Stanley was fined because they "didn't audit or test the 'relevant authorization modules' or monitor or analyze employees' access to portals containing sensitive data." (Williams): This story highlights the need to adopt policies to comply with regulatory requirements. But an often-overlooked area is the enforcement of existing policies. Having a policy to mitigate a risk establishes (in the legal sense) that the organization recognized that a risk exists. If the organization then fails to enforce the policy, it's hard to argue they were ignorant of the risk. (Honan): The use of personal devices and personal cloud services by employees for working on company data is one that many organizations I have assessed tend to overlook. Yet, as this example shows, it is a very real threat to the security of that information. Remember though that policies alone will not prevent this from happening; you need to combine technical and personnel controls to reduce this risk. ]
Bruce Schneier on the Internet of Things (June 9, 2016)
Bruce Schneier told an audience at the Infosecurity Europe 2016 conference, "The Internet of Things is our next big challenge and I think it's the way we're going to be colliding with the world in interesting ways." Schneier expressed his concern that governments lack the necessary expertise to establish security policy for the Internet of Things (IoT).
Wendy's Breach Likely Larger Than Earlier Reports Suggested (June 9, 2016)
The payment card data breach affecting Wendy's restaurants is now believed to be more widespread than first reported. The company's first quarter financial statement, released last month, said that the breach affected five percent of its stores. In a statement earlier this week, Wendy's indicated that the number of affected stores was "considerably higher." The breach appears to have occurred in two waves.
Firefox Updated to Version 47 (June 9, 2016)
Mozilla has updated its Firefox browser to version 47. The newest version of Firefox includes fixes for 13 vulnerabilities, including several that could be exploited to crash the browser. Two of the flaws are rated critical.
IRS Relaunches Get Transcript with Enhanced Security (June 7, 2016)
The US Internal Revenue Service (IRS) has relaunched its Get Transcript service, a year after it was disabled following a security breach. People using the service will now be required to use two-factor authentication.
[Editor's Note (Pescatore): The IRS spent a year rolling this out, so I'm hoping the verification process and implementation is solid. Assuming that is true, this is great to see - the use of text messaging for a second factor by itself is far from invincible but it does significantly raise the bar against phishing attacks. In too many areas, the federal government has continued to use reusable passwords because either perfect solutions weren't available, or flawed and unusable solutions (like Smart Cards) had been chosen long ago. ]
Winners of SANS Boston Judy Novak PCAP Puzzle #2 Announced (June 7, 2016)
According to judges Andrew Laman, Patrick Mooney, and Sally Vandeven, in a unanimous decision, the highest-ranking solution for the Judy Novak PCAP Puzzle #2 was submitted by Tanner Kinkead. Congratulations Tanner! Other fine submissions were by: Raymond Melzer, Ian Hayes, Joshua Roback, Jean-Yves Saghbini, Hasan Eray Dogan. (Northcutt): Congratulations to all the packet ninjas! It is great to see that level of capability and talent. You can read about the puzzle and the winning solution here:
INTERNET STORM CENTER TECH CORNER
Various Internet Sites Flag Password Reuse
Facebook Chat Vulnerability Patched
DNS Cookies: Making DNS More Secure
CryptXXX Switches From Angler to Neutrino EK
Android Flash Keyboard Uses Excessive Permissions
D-Link Camera Vulnerable To Remote Exploit
BITS used to make malware more persistent
Google Continues to Remove SSLv3 Support
Mobile Phone Vibration Sensor Can Be Used As Microphone
Keypass Fixes Vulnerable Update Procedure
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create