Inside Security - July 18th, 2016

Inside Security (Jul 18th, 2016)

David’s Take

We cover a lot of useful tools for Devops this week, including a new Chef Automate tool, along with how to best secure your containers, and a cover up of a series of FDIC hacks. Plus, the upcoming finals of the latest DARPA challenge in Vegas.
-- David Strom, editor of Inside Security
New and noteworthy products

Chef Automate is a continuous deployment pipeline that includes automated compliance and security testing. Using the popular Chef development environment, you can take advantage of its collaborative features, use a shared workflow pipeline, and expand its analysis features.  If you already use its InSpec and Habitat automation tools, this is something to consider, and yes there is a free trial. It starts at $137 per node per year. -- CHEF
What are you using Chef for currently?
Looking for a security monitoring solution for your big data needs, you might want to consider the latest version of DgSecure v6, which was announced and available last month at the Hadoop Summit, and has a free trial too.  You can monitor both on-premises and cloud data repositories, detect where your most sensitive data is located, perform compliance audits, and implement various encryption and protection strategies. It starts at $2000 per node. -- DATAGUISE
Threats and attacks

Juniper products running Junos OS have a flaw in how they handle certificate validation for IPsec and key exchanges. And while the company isn’t aware of any active exploit, you probably want to read this security bulletin and fix the problem (a simple command line sequence is all that is needed) asap. -- JUNIPER KB 
Chinese hackers breached the FDIC, and its CIO covered it up, at least according to this Congressional report.  Repeated attacks between 2010 and 2013 included backdoors installed on several executives’ PCs and on numerous servers. None of these incidents were initially reported to CERT or other authorities and only came to light after another breach last fall.  Only then did the FDIC offer credit-monitoring services to the more than 160,000 individuals who were compromised. – ARS TECHNICA 
A new instance of Furtim malware called SFG has hit several European power generators. While just another variation, what is different is how it can disable certain Windows Group Policy settings to escalate privileges and avoid detection. It shares its botnet with numerous other exploits, pointing to cybercriminals looking to make money.  – DAMBALLA
A not-so-new ransomware attack using infected Microsoft Word documents called Cerber has been discovered and at least temporarily neutralized.  The attack process and its coercion messages are worth reviewing. – FIREEYE BLOG
Reports and evaluations
The NSA is looking for help from private industry and developed a series of VPN, wireless LANs and mobile access product requirements. Called Commercial Solutions for Classified Program, the idea is that if you provide your security in layers and properly configure them, you can protect classified data. (We’ll avoid any snarky comment here.) The first link is an explanation of what is going on along with the various components of the program. The second link is a report from (the Institute for Critical Infrastructure Technology (ICITech) that provides an overview about the new process and how to leverage the program and participate if you are a security vendor.  – ENTERPRISE TECH,  ICITECH
Methods and tools
Security and appdev don’t have to be at odds with each other, and in this post we examine their different perspectives. Even with a Mars/Venus style of relationship, you can cooperate and communicate to produce agile and secure apps that satisfy both parties. (Here are more words of wisdom along similar lines from Leila Powell, a security-based data scientist.) Security teams need to be more proactive about analyzing risk, while the business needs to define all networking requirements on the front end. – INFOSEC ISLAND
Any other words of wisdom here? 
If you are looking for ways to cut your Amazon Web Services monthly bill, a good place to start is this post, which offers some solid advice such as eliminating orphaned snapshots, looking at your data transfers outside AWS, and unused elastic IP addresses.  The company is one of many cloud costing vendors that can pay for themselves quickly and also help to improve your security posture too.  -- CLOUDYN
Have you used any cloud costing tool and if so, has it saved you money?
If you want to learn how to find command and control malware infections, this “playbook” is a great place to start. The post will walk you through how to identify C&C traffic, put together your own plan to hunt down the infection, and suggest some great methodologies and sources for additional information. -- DEMISTO
If you are looking to secure your containers, a very solid introductory guide can be found here that includes advice such as don’t use images from untrusted sources and use namespaces to isolate containers. Better yet, tune in to this great hour long podcast from Alex Williams and Joyent’s CTO Bryan Cantrill about how to use containers more securely and how to design security in at the beginning. -- THE NEW STACK
Are you doing anything else to secure your Docker installations?

Self Serving Dep't
This post covers what you need to know about DNSSEC and what happens when you get negative responses. While the post is somewhat self-serving (the company provides DNSSEC for free), it is still useful. This step-by-step walkthrough of the protocol dialogue will help if you want to secure your DNS queries and understand more about how the protocol works and how hackers can take advantage of it. -- CLOUDFLARE
Any other tools you are using for secure DNS?  
As the GOP convention begins today in Cleveland, here is a post from one of the 400-person team who designed the infosec for the 2012 Tampa convention. Most of this is common sense but still interesting reading. One item: “Do not wait until the last minute to involve security“ -- SECURITYCURRENT
Bug Bounties
If you liked the show Battlebots, you’ll want to be at the DARPA CyberGrand Challenge in Vegas next month, where seven finalist computers will try to automatically patch various security flaws. While not as sexy as watching automated autonomous vehicles as in previous DARPA challenges, there is that $2 million prize for the competitive capture-the-flag contest.  -- DEFENSEONE
Just for fun

Remember these token ring MAUs? You can visit this exhibit and see many more ancient computer artifacts from the past at Grace’s Place in St. Louis. – UNIVERSITY OF MISSOURI
How likely are you to recommend Inside Security to a friend or colleague?

More from Inside
Inside Security is just one of Inside's network of newsletters. Here are some others you might like:

Inside VR & AR: Diving deep into the virtual/augmented reality products, companies, communities, and news. (2x/week)

Inside Electric Vehicles: From Tesla to Faraday Future to the big car manufacturers, we're tracking everything in the EV industry. (2x/week)

Inside Daily Brief: A roundup of all the most interesting news, across verticals. (2x/day)

ReadThisThing: One link to a fascinating piece of journalism, daily.
Copyright © 2016 Inside, All rights reserved.

You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security