SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #16

February 24, 2017

TOP OF THE NEWS

THE REST OF THE WEEK'S NEWS

INTERNET STORM CENTER TECH CORNER

TRAINING UPDATE

TOP OF THE NEWS

Less Than 25 Percent of Cybersecurity Job Applicants Are Qualified (February 22, 2017)

Which Colleges Prepare People For Cybersecurity Jobs? (February 23, 2017)

Google Cracks SHA-1 With Hash Collision Attack (February 23, 2017)

THE REST OF THE WEEK'S NEWS

Cloudflare Fixes Flaw That Leaked Customer Data (February 23 & 24, 2017)

Secretaries of State Oppose Critical Infrastructure Designation for Voting Systems (February 23, 2017)

British Police Arrest Deutsche Telekom Cyber Attack Suspect (February 23, 2017)

Fix for Linux Kernel Local Root Bug (February 23, 2017)

Expired Certificates at DHS Network Prevented Employees from Accessing Systems (February 21 & 23, 2017)

Malware Can Be Used to Exfiltrate Data Across Air Gap (February 22 & 23, 2017)

Dutch Banking Industry Has Low DNSSEC Implementation (February 22, 2017)

Microsoft Releases Fix for Critical Flash Flaws (February 22, 2017)

U.S. Dept. of Energy Awards Grants for Projects to Protect Grid (February 22, 2017)

GSA Inspector General Says 18F Violated Security Requirements; Staff Says Compliance Does Not Equal Security (February 21, 2017)

INTERNET STORM CENTER TECH CORNER

Microsoft Releases Flash Patch From Skipped February Update

Investigating Off-Premise Wireless Behaviour

"Bugdrop" Steals Large Amount of Audio

User Centric Mobile Device Security With Stethoscope

Fingerprinting Firefox With Intermediate Certificates

JudasDNS Attack DNS Proxy

Researchers Find SHA1 Collision

Arrest Made in Deutsche Telekom DSL Modem Attack

***************************Sponsored By Malwarebytes*********************

Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper: http://www.sans.org/info/192292

***************************************************************************

TRAINING UPDATE

-- SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017
-- SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
-- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017
-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
   OnDemand - https://www.sans.org/ondemand/specials
   vLive - https://www.sans.org/vlive/specials
-- Single Course Training
   SANS Mentor https://www.sans.org/mentor/about
   Community SANS https://www.sans.org/community/
-- View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Less Than 25 Percent of Cybersecurity Job Applicants Are Qualified (February 22, 2017)

According to a report from ISACA, fewer than 25 percent of applicants for cybersecurity positions are qualified for the job. More than half of available positions take from three to six months to fill. The report notes that hands-on experience is more important than training.

[Editor Comments]

[Williams] There's a lot behind this article and some of the measurements don't jibe with the results. Many organizations dipping their toes into infosec hiring are offering dramatically low salaries. In the negative unemployment infosec market, your salary offers will impact your ability to hire qualified candidates or even get them to apply.

Read more in:

Dark Reading: Fewer Than One Fourth Of Cybersecurity Job Candidates Are Qualified
http://www.darkreading.com/vulnerabilities---threats/fewer-than-one-fourth-of-cybersecurity-job-candidates-are-qualified/d/d-id/1328244

Which Colleges Prepare People For Cybersecurity Jobs? (February 23, 2017)

An email to the Cybersecurity Advisory Board a few days ago: "We recently added an entry-level position for our Information Security team. Among the candidates we received (and we got a pretty good response) were a number of recent Cyber Security degree (B.S.) graduates. We were a little surprised at what they have been learning. They understand the need for policies and standards. They know about anti-virus, patching, "the Kali", and Encase and think it is great. Pen testing is very cool. They know a little bit about social engineering and phishing. They give great answers on the difference between a vulnerability and a threat. They have a basic understanding of encryption and access models. These are all very good things.

However, there seems to be quite a bit missing from what I would consider a "cyber" perspective. When it came to their college training, no one seemed to have learned the basics of computers. XSS, buffer overflows, even the basics of an operating system are not taught. The concepts of salting and hashing were unknown to most of them, and even knowledge of keys was very rudimentary. Maybe these are more advanced topics, but I was disappointed. We spoke to graduates of 3 separate college programs, 2 of which are on the NSA / DHS Center of Academic Excellence list, and I had hoped for more. Does anyone know of any colleges that prepare their cybersecurity grads including some hands on experience with the "five foundations" that will make them effective? (The 5 foundations are: 1. Computer basics including how computers work, operating systems and virtualization, and networking; 2. Linux fundamentals; 3. Windows fundamentals; 4. Programming including C, Python, HTML and Java; 5. Security basics from buffer overflows to SQL injection to the basics of finding attackers in networks.)"

If any NewsBites readers know of a college that ensures their cyber graduates have these foundations, let us know and we'll pass it along to the CISO who wrote the note to the Advisory Board, and give the college full credit and highlight them on the list of "Best undergraduate colleges for cybersecurity education". Email apaller@sans.org with your suggestions.

Google Cracks SHA-1 With Hash Collision Attack (February 23, 2017)

Researchers from Google and the Centrum Wiskunde & Informatica research center in Amsterdam, Netherlands, have developed a collision attack that defeats the SHA-1 cryptographic hash algorithm. While SHA-1 has not been used in websites' digital certificates for more than a year and many browsers are starting to deprecate SHA-1 certificates, SHA-1 is still used to validate the integrity of documents.

[Editor Comments]

[Murray] Collisions are inevitable. Collision attacks, while perhaps cheaper than previously thought, remain expensive; the issue is not feasibility but efficiency. All that said, SHA-1 is made obsolete by the availability of efficient alternatives. Changing to a stronger alternative is indicated but not urgent.

[Williams] The SHA-1 collision took nine quintillion SHA1 calculations to generate. Details are yet to emerge, but it may also rely on the specific type of data for which collisions are being generated. PDFs are immensely complex and the complexity of the file format might help with this. Regardless, most organizations don't have the resources to create a SHA-1 collision. Even MD5 continues to be useful for threat hunting. In short, SHA-1 should not be used for trust relationships, but don't read this and think "SHA-1 is dead in all applications."

Read more in:

Google: Announcing the first SHA1 collision
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

WSJ: Google Team Cracks Longtime Pillar of Internet Security
https://www.wsj.com/articles/google-team-cracks-longtime-pillar-of-internet-security-1487854804

Wired: A Super-Common Crypto Tool Turns Out to be Super Insecure
https://www.wired.com/2017/02/common-cryptographic-tool-turns-majorly-insecure/

The Register: 'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time
http://www.theregister.co.uk/2017/02/23/google_first_sha1_collision/

SC Magazine: On shaky ground: SHA-1 web standard cracked
https://www.scmagazine.com/on-shaky-ground-sha-1-web-standard-cracked/article/639790/

Ars Technica: At death's door for years, widely used SHA1 function is now dead
https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

***************************SPONSORED LINKS********************************

1) Stop Ransomware Before It Starts - Download the Ransomware on the Rise eBook Now: http://www.sans.org/info/192297

2) Endpoint Protection...What really matters? Register now for this 5-part Webcast Series: http://www.sans.org/info/192302

3) It's time to reimagine your identity strategy. Join RSA identity experts to learn how. Register: http://www.sans.org/info/192307

******************************************************************************

THE REST OF THE WEEK'S NEWS

Cloudflare Fixes Flaw That Leaked Customer Data (February 23 & 24, 2017)

Cloudflare has fixed a security issue in its software that leaked sensitive customer data, including passwords, cookies, and authentication tokens. The bug affected 3,400 websites that use Cloudflare's content delivery and security services. The problem was caused by a flaw in an HTML parser.

[Editor Comments]

[Williams] This bug is much like Heartbleed, but only impacts customers protected by CloudFlare. Also unlike Heartbleed, by the time the vulnerability was disclosed, the bug had been completely patched. The bug was mitigated within hours, highlighting the difference between patching a problem at a service provider and patching software (many active servers are still vulnerable to Heartbleed today). Even if organizations performed vulnerability assessments after deploying their sites behind Cloudflare, they may not have noticed the issues since their site may not have triggered the error.

[Honan] Companies can learn a lot from how Cloudflare handled and responded to this situation. Their communications to their customers were timely, informative, and covered the key points required. Emails were sent to each customer providing them with details, and Cloudflare published a blog post which is available at https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Read more in:

Ars Technica: Serious Cloudflare bug exposed a potpourri of secret customer data
https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/

CNET: Uber, Fitbit, OKCupid information exposed by wide-reaching flaw
https://www.cnet.com/news/uber-fitbit-okcupid-cybersecurity-password-information-exposed-wide-reaching-flaw/

ZDNet: Cloudflare found leaking customer HTTP sessions for months
http://www.zdnet.com/article/cloudflare-found-leaking-customer-https-sessions-for-months/

CyberScoop: Cloudflare has been massively leaky for months
https://www.cyberscoop.com/cloudflare-has-been-leaking-massive-data-for-months/?category_news=technology

The Register: Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug
http://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/

Secretaries of State Oppose Critical Infrastructure Designation for Voting Systems (February 23, 2017)

At its winter meeting earlier this month, the National Association of Secretaries of State adopted a resolution opposing the Department of Homeland Security's (DHS's) designation of election systems as critical infrastructure. Organization members are concerned about the potential for federal government overreach into state systems, and about the fact that DHS has not been forthcoming with information about what the designation means for states.

Read more in:

eWeek: States Oppose Designating Election Systems as Critical Infrastructure
http://www.eweek.com/security/states-oppose-designating-election-systems-as-critical-infrastructure.html

GCN: States resist 'critical infrastructure' designation for election systems
https://gcn.com/articles/2017/02/23/voting-critical-infrastructure-opposition.aspx?admgarea=TC_SecCybersSec

British Police Arrest Deutsche Telekom Cyber Attack Suspect (February 23, 2017)

Police in Britain have arrested a man wanted in connection with a November 2016 cyberattack against Deutsche Telekom that caused service disruptions for 900,000 people. The attack attempted to infect Deutsche Telekom customers' routers with malware to make them part of a botnet. Germany considers the attack a federal matter because it posed a threat to the country's communications infrastructure. The suspect is expected to face an extradition hearing by early next week.

Read more in:

Computerworld: Police arrest man suspected of building million-router German botnet
http://computerworld.com/article/3173350/security/police-arrest-man-suspected-of-building-million-router-german-botnet.html

BBC: Router hack suspect arrested at Luton airport
http://www.bbc.com/news/technology-37510502

V3: Brit arrested over Mirai botnet attack on Deutsche Telekom
http://www.v3.co.uk/v3-uk/news/3005254/brit-arrested-over-mirai-botnet-attack-on-deutsche-telekom

Fix for Linux Kernel Local Root Bug (February 23, 2017)

Linux distributions have begun releasing patches for a vulnerability in the Linux kernel that has likely been present since 2005. The "double free flaw" lies in the kernel's implementation of the Datagram Congestion Control Protocol (DCCP) and could be exploited to gain root privileges. Used in conjunction with other vulnerabilities, the flaw could allow attackers to execute arbitrary code.

[Editor Comments]

[Murray] For twelve years this obscure vulnerability has been a very small risk. That just changed.

Read more in:

ZDNet: Linux's decade-old flaw: Major distros move to patch serious kernel bug
http://www.zdnet.com/article/linuxs-decade-old-flaw-major-distros-move-to-patch-serious-kernel-bug/

The Register: Linux kernel gets patch for 11-year-old local-root-hole security bug
http://www.theregister.co.uk/2017/02/23/linux_kernel_gets_patch_against_12yearold_bug/

Computerworld: Eleven-year-old root Linux kernel flaw found and patched
http://computerworld.com/article/3173235/security/eleven-year-old-root-linux-kernel-flaw-found-and-patched.html

Expired Certificates at DHS Network Prevented Employees from Accessing Systems (February 21 & 23, 2017)

On Tuesday, February 21, some employees at the U.S. Department of Homeland Security (DHS) found themselves unable to access federal information systems. The problem was identified as an expired security certificate and was mitigated within hours of its discovery. The issue affected four Citizenship and Immigration Services facilities in the Washington, D.C. area.

Read more in:

Reuters: U.S. Homeland Security employees locked out of computer networks: sources
http://www.reuters.com/article/us-usa-cyber-dhs-idUSKBN160240

NextGov: Expired Security Certificates Locked DHS Employees Out of Network
http://www.nextgov.com/cybersecurity/2017/02/expired-security-certificates-locked-dhs-employees-out-network/135616/?oref=ng-channeltopstory

Malware Can Be Used to Exfiltrate Data Across Air Gap (February 22 & 23, 2017)

Israeli university researchers have developed a data exfiltration technique that defeats the air gap by deciphering blinks from a hard drive's LED indicator. The attack requires that someone with inside access place malware on the targeted system. In a demonstration, the researchers used a drone hovering outside a window to read the information being transmitted by a hard drive's blinks.

[Editor Comments]

[Murray] One purpose of an "air gap" is to resist leakage; the other is to resist contamination via a network connection. It is not intended to, or effective for, resisting insiders. If an attacker is privileged to install a malicious program on a system, he certainly has a cheaper and faster way to exfiltrate the data than this.

Read more in:

Wired: Malware Lets a Drone Steal Data by Watching a Computer's Blinking LED
https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/

The Register: Boffins exfiltrate data by blinking hard drives' LEDs
http://www.theregister.co.uk/2017/02/23/hard_drive_light_used_to_exfiltrate_data/

Dutch Banking Industry Has Low DNSSEC Implementation (February 22, 2017)

A study conducted by Dutch Internet registry SIDN found that Dutch domain names do not adequately employ DNSSEC security. The DNSSEC Inventory 2017 examined 7,000 .nl domains owned by various industries. Domain names associated with the Internet infrastructure showed a 64 percent DNSSEC implementation rate; government followed with 59 percent. Among domains in the banking industry examined in the study, just six percent had implemented DNSSEC.

Read more in:

The Register: How's your online bank security looking? The Dutch studied theirs and ... yeah, not great
http://www.theregister.co.uk/2017/02/22/dutch_banking_industry_security_bad/

SIDN: SIDN sounds the alarm on DNSSEC security status of Dutch domain names
https://www.sidn.nl/a/internet-security/sidn-sounds-the-alarm-on-dnssec-security-status-of-dutch-domain-names?language_id=2

Microsoft Releases Fix for Critical Flash Flaws (February 22, 2017)

Microsoft has released an out-of-cycle security update to address critical flaws in Adobe Flash Player. Microsoft announced earlier this month that it would delay its scheduled February update due to "a last minute issue that could impact some customers." The rest of the patches will be distributed with the March 14 update.

Read more in:

ZDNet: Microsoft issues critical security patches but leaves zero-day flaws at risk
http://www.zdnet.com/article/microsoft-issues-some-security-patches-but-leaves-zero-day-flaws-at-risk/

The Register: Microsoft catches up to Valentine's Day Flash flaw massacre
http://www.theregister.co.uk/2017/02/23/microsoft_flash_security_update/

Microsoft: Microsoft Security Bulletin Summary for February 2017
https://technet.microsoft.com/library/security/ms17-feb

U.S. Dept. of Energy Awards Grants for Projects to Protect Grid (February 22, 2017)

The U.S. Department of Energy has given grants totaling USD 4 million to four companies for projects that are developing technology to help protect the country's power grid. The funded projects "will lead to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S. energy infrastructure."

[Editor Comments]

[Murray] The US grid is fragile but resilient. The operators deal with hundreds of component failures and lightning strikes every day. Most of these failures are not visible to customers. They do not see or deal with many malicious attacks and tend to treat the few they do see as noise. They see the problem as natural limitations and events, rather than artificial or malicious events. We need "attitude adjustment" more than new technology. We need to hide the controls of the grid behind strong authentication and end-to-end application level encryption. These require intent and diligence but not new technology.

Read more in:

CyberScoop: DOE tries to spur development of defenses against Ukraine-style electric grid cyberattack
https://www.cyberscoop.com/doe-tries-spur-development-defenses-ukraine-style-electrical-grid-cyberattack/

GSA Inspector General Says 18F Violated Security Requirements; Staff Says Compliance Does Not Equal Security (February 21, 2017)

According to a report from the Inspector General (IG) of the U.S. General Services Administration (GSA), the agency's 18F digital services program was found to be using unapproved software and running applications on the network without proper authorization, and the program lacked oversight and guidance. 18F officials disagree with the findings, saying that the IG report is more concerned with checking boxes than with evaluating security. One 18F staff member noted, "It is important to make the distinction between compliance and security."

Read more in:

Federal News Radio: GSA IG uncovers further misdeeds by 18F executives
http://federalnewsradio.com/agency-oversight/2017/02/gsa-ig-uncovers-18f-misdeeds-executives/

NextGov: Auditor Thrashes 18F for IT Security Vulnerabilities, 18F Staffers Shoot Back
http://www.nextgov.com/cybersecurity/2017/02/auditor-thrashes-18f-it-security-vulnerabilities-18f-staffers-shoot-back/135591/?oref=ng-channelriver

***********************************************************************

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS NewsBites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create