Year: 2015

To provide insight into the positive strides the (ISC)² Global Academic Program (GAP) and its member schools are making in filling the pipeline for qualified professionals, we’re going to highlight a different GAP school every other month.

The National Center for Systems Security and Information Assurance (CSSIA), one of the country’s first comprehensive Centers for Advanced Technology Education, became a GAP member school in 2014. CSSIA has four goals focused on innovation in cybersecurity education:

• Expanding and enhancing cybersecurity curriculum labs, skills events and competitions
• Building a national infrastructure of qualified cybersecurity educators
• Developing national infrastructure remote virtualization lab environment and content
• Enhancing programs for historically minority and underrepresented academic institutions

According to Dr. John Sands, GAP instructor, department chair for Computer Integrated Technologies for Moraine Valley Community College and co-founder for CSSIA, who has taught cybersecurity for 28 years, CSSIA recognized the need for trained cybersecurity pros years ago. “Early on, we saw the scary things that were out there, and we knew there was going to be a future in this area. We established the first National Science Foundation (NSF) Advanced Technology Education (ATE) National Resource Center for cybersecurity in 2002 through an investment by the federal government in fields that have shortages.”

Back then, there weren’t many cyber programs available in the two-year colleges, and even the four-year schools were focused more on management than on preparing practitioners. CSSIA conducted national surveys to understand better the workforce gaps and to identify the barriers that were preventing schools from teaching cybersecurity. They identified three core areas and tried to engineer their programs to overcome those obstacles.

Obstacles Preventing Schools from Teaching Cybersecurity

1)      Experiential learning for students. The first area they discovered was that many schools were tentative about teaching students on their production network. So, CSSIA designed a virtual teaching environment and created a series of over 200 labs in which students can recreate attack systems. They serve as a clearinghouse for courses and content that can be taught virtually. Today, 260 schools now either use CSSIA’s system or have replicated it. Overcoming that barrier was huge, because it allows CSSIA to provide students critical hands-on learning.

Sands elaborates, “We are big believers in experiential learning. Students need to learn more than just how to isolate the tools. They need to have a target with vulnerabilities and tools that exploit those, and our lab allows them to do that. The beauty of our system is that by putting in a remotely accessible virtual lab, students can work on it 24×7 and work on it over and over again until they master that skill. This has made a big difference in students’ skill level and in readying them for cybersecurity jobs.

2)      Faculty professional development. CSSIA created the Professional Development Academy after identifying a deep need for continuing education and professional development for faculty. Since 2004, CSSIA has instructed more than 4,000 teachers and college faculty in cybersecurity-related areas. Surveys show that 73% of these teachers are already using or plan to use curricula and instructional materials provided at the professional development programs. They work closely with NSA and DHS on the Centers of Academic Excellence (CAE) program. To qualify for the CAE, you have to prove that your faculty has the credentials to teach the program. Sands adds, “It’s a nice blend that students benefit from – we are able to offer them access to qualified faculty AND offer them hands-on experience.

3)      Community outreach to underrepresented groups. The final core area CSSIA identified as needing development was outreach to communities that traditionally haven’t pursued a cybersecurity education, such as females, minorities, and veterans. As a result, they began casting a broader net to improve the types of training they offered, as well as their instructor pool and the number of students from those groups. CSSIA’s commitment of its vast resources, including an outreach toolkit, faculty training, state-of-the-art virtual learning environments, real-world learning experiences such as cyber competitions and subject matter knowledge and support, will help educators fulfill the increased student and industry demands for effective cyber security curricula.

To engage students in creative ways and make the learning fun, they hold several competitions, such as an annual Collegiate Cyber Security Competition, with heavy participation from student volunteers. One graduate who consistently volunteers his time at this event is now one of the top pen testers in the area. They also run Cyber Camps, which are on-line competitions that test students’ abilities to identify vulnerabilities in a virtual network and answer questions related to their findings.

According to Sands, the most rewarding part of his job is watching CSSIA graduates make a difference. “One of our graduates who started his own company actually came back to thank us after a few years and even invited a couple of us out for a show and dinner,” recalls Sands. “He now works for Cisco as a Tier 1 engineer. To see the type of work he’s doing and how he’s making a contribution to defending our nation’s infrastructure gives you such a sense of accomplishment. He works on some of the largest accounts Cisco has – Dish Networks, Fed Reserve, and he’s one of the top engineers in the country right now. It was very rewarding to hear about his success and know that CSSIA has played a part in that.”

CSSIA joined the GAP because they were looking for more ways to certify their faculty that they train in the Professional Development Academy. They’re offering an (ISC)² certification course this month, and it filled up in five days. They do a needs assessment every year, and certification training is always one of the top three requests faculty express.

To track graduates’ success, CSSIA did a three-year survey post-graduation, and the key to students’ success seems to be the number of certifications and amount of hands-on experience they leave the program with.

Sands reflects, “We’ve built this mantra into our program, but it’s extremely important to fill the gap. The vulnerability we have as a nation is tremendous. Anything the professional community can do to encourage the brightest minds to come into this field to protect our country is essential. We’re always chasing our tail, but in modern life, we’re so dependent on these systems. It’s critical that we have the best of the best to protect them.”

Part of CSSIA’s future efforts are to reach students earlier in school (even as early as elementary students) and let them know about the opportunity this field offers. Over the next four years, CSSIA’s efforts are going to focus on targeting this age group by giving them the opportunity to talk to people in the field and to introduce them to what it’s really like. More and more occupations require some knowledge of cybersecurity. CSSIA sees it as their mission to proliferate their knowledge combined with experiential approach into all schools at all levels. As part of that mission, they are actively helping other schools to meet the CAE requirements.

Sands reflected, “We believe our relationships with the government and all the professional associations are critical. The work (ISC)² is doing in this area through the GAP is really important, and it’s critical that we all work together to shore up the cybersecurity workforce.”

(ISC)² Management

[(ISC)² Blog]

Built off the Tinba banking Trojan and distributed through the elusive HanJuan exploit kit, Fobber info-stealer defies researchers with layers upon layers of encryption.

A stealthy new info-stealing browser injection malware aims to make security researchers’ job very difficult. Fobber evades detection and defies anaylsis by sliding from one program to another, using randomly generated filenames, encrypting command-and-control communications with a custom algorithm, and encrypting individual pieces of code within the payload, so that each function must be separately, painstakingly decrypted before it can be run.

Researchers at Malwarebytes discovered Fobber, and Fox-IT researchers have confirmed that it is based off of the Tinba banking Trojan. So far, Malwarebytes has not witnessed Fobber stealing banking credentials, but that may just be a matter of time, according to Malwarebytes senior security researcher Jerome Segura.

“I think they’re testing the waters,” he said. All infections, thusfar, have been in the Netherlands, so Segura believes the Fobber authors are still testing out the tool before rolling out operations on a larger scale.

Malwarebytes found Fobber by accident when they stumbled across activity by the elusive HanJuan exploit kit. Opportunities to study HanJuan are rare, because it usually takes great pains to hide itself. Malwarebytes simply referred to it as the “Unknown exploit kit” when they first wrote about it in August 2014.

“It’s a very discreet exploit kit,” said Segura, “so that’s what caught our attention.”

Considering its usual discretion, the researchers discovered HanJuan acting in a way that seemed out of character. It was being hosted on a legitimate Dutch website that had been compromised, and was being distributed through a malvertising campaign. An embedded ad within the Adf.ly URL shortener service directed victims to the compromised site.

Once researchers had a look at the payload HanJuan was delivering, they saw “we have something new on our hands,” says Segura. “It’s very well encrypted. A lot of attention to detail in there.”

Written for both Flash and Windows Explorer, Fobber uses a memory stack pivoting exploit. As Segura wrote in a blog post “Unlike a normal Windows program, Fobber makes it a habit to ‘hop’ between different programs.” Fobber.exe itself will eventually terminate, and the malware execution will continue in Verify Class ID, until that terminates and picks up again in Windows Explorer, until that terminates and picks up again in a web browser.

Beginning with the Verify Class ID process, Fobber really frustrates any security researcher’s attempts to analyze it. The code for each function must be decrypted before it can be executed; then it re-encrypts itself after completion.

It also encrypts all communication with the command-and-control server, using a custom algorithm. According to Segura’s blog “Content sent by the server is signed by its RSA1 key (to prevent botnet hijacking) while the Fobber code has the public key embedded within, notifying the signature before processing the content.”

The malware then performs browser injection (it works on Internet Explorer, Google Chrome, and Mozilla Firefox), hooks into certain functions (InternetCloseHandle and HttpSendRequest in IE), and waits to see when interesting credentials are being requested.

Fobber could then act like a man-in-the-middle and lift those credentials, and then use them for a variety of attacks — including fraudulent banking transactions that would appear to the bank to be completely legitimate requests coming made from a customer’s own machine with their valid credentials.

All of these techniques make it difficult for security companies to discover malware, put a name to it, and develop effective countermeasures.

“If you don’t make the headlines,” says Segura, “you have less scrutiny, and you can keep using” the tool for longer.

Malwarebytes has passed on its information about Fobber, HanJuan, the malvertising campaign and the compromised website to Dutch law enforcement.

 

[Dark Reading]

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other DNS malicious traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not after some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting to heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.

 

[Dark Reading]