From: The SANS Institute (NewsBites sans.org)
Date: Fri Apr 06 2012 - 12:42:48 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**************************************************************************
SANS NewsBites April 6, 2012 Vol. 14, Num. 028
**************************************************************************
TOP OF THE NEWS
Apple Issues Fix For Java Flaw; Mozilla Blacklists Older Java Versions
in Firefox
Sky News Admits to eMail Hacking
Megaupload Attorney Says Case Could Set Troubling Precedent
Survey Underscores Need for Bring Your Own Device Policies in Workplace
THE REST OF THE WEEK'S NEWS
Guilty Plea in Sony Hack
Microsoft's Patch Tuesday for April to Fix 11 Security Flaws
Hackers Steal Utah Medicaid Claim Data
Prison Sentence for Online Data Theft
Federal Utility's Cyber Security Weaknesses Not Uncommon
British MPs to Consider Proposal to Expand Government's Surveillance Powers
VA Getting Tough About Employee Security Training
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Sponsored By CyberQuests 2012 National Collegiate Cybersecurity Competition
Registration opened yesterday for the only national collegiate cyber
competition where individual college students can play without having
to form teams. No special preparation needed - it tests your mastery.
Colleges with lots of participants win awards; students who participate
win access to cool jobs with great employers, scholarships to summer
"Cyber Camps" where they will interact with some of the nation's top
cyber security gurus, and recognition from national leaders. Check it
out at http://uscc.cyberquests.org/
*************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012
7 courses. Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012
11 courses. Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012
10 courses.
http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
--SANS Toronto 2012, Toronto, ON May 14-19, 2012
5 courses. Bonus evening presentations include I've Been Geo-Stalked!
Now What? And What Should Keep You Up at Night: The Big Picture and
Emerging Threats.
http://www.sans.org/toronto-2012/
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks. Maximize your training by also attending one or
more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012
5 courses.
http://www.sans.org/canberra-2012/
--Looking for training in your own community?
http://sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***********************************************************
TOP OF THE NEWS
--Apple Issues Fix For Java Flaw; Mozilla Blacklists Older Java
Versions in Firefox
(April 4 & 5, 2012)
Apple has released a fix for a vulnerability in the Mac OS X Java
implementation, but not before more than 500,000 computers were infected
with malware that targets machines running Apple's operating system. A
variant of the Flashback Trojan horse program has been infecting
vulnerable Macs. The Java problem was patched for Windows more than a
month ago. The Java fix for Mac addresses 12 issues in all, and they
were all rated critical. The update is for Mac OS X 10.6 and 10.7, Snow
Leopard and Lion. While Apple did respond quickly to the issue once it
became clear the flaw was being actively exploited to spread malware,
some are questioning the overall delay in getting out the Java fix.
Mozilla has also taken steps to protect users from Java exploits;
changes made in Firefox will block older versions of Java.
http://www.h-online.com/security/news/item/Apple-and-Mozilla-take-on-Java-vulnerabilities-1500931.html
http://www.theregister.co.uk/2012/04/04/apple_java_update/
http://www.computerworld.com/s/article/9225837/Apple_patches_Mac_Java_zero_day_bug?taxonomyId=82&pageNumber=2
http://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/s
http://tech.fortune.cnn.com/2012/04/05/apple-closes-a-trojan-loophole-after-550000-macs-are-infected/
http://www.v3.co.uk/v3-uk/news/2166330/half-million-macs-enslaved-botnet
http://news.cnet.com/8301-1009_3-57409619-83/more-than-600000-macs-infected-with-flashback-botnet/
--Sky News Admits to eMail Hacking
(April 5, 2012)
Sky News, a company owned in part by the Murdoch News Corporation, has
admitted to authorizing a reporter to hack email accounts of private
citizens on two separate occasions. Sky News maintains that the action
was taken in the public interest, but the UK's Computer Misuse Act makes
no such allowances. The person responsible for both incidents was Sky
News North of England correspondent Gerard Tubb. In one case, he broke
into the Yahoo email account of a man who faked his own death in 2002
so that his wife could collect on a large life insurance policy. In the
other, Tubb accessed the email account of an alleged pedophile.
http://arstechnica.com/tech-policy/news/2012/04/sky-news-admits-to-hacking-e-mail-accounts.ars
http://www.telegraph.co.uk/news/uknews/crime/9188402/Sky-News-admits-hacking-emails-of-canoe-man-John-Darwin.html
http://www.usatoday.com/news/world/story/2012-04-05/rupert-murdoch-sky-news-hacking/54041982/1
[Editor's Note (Honan): Breaking into the email accounts "in the public
interest" does not make it any less illegal.
(Murray): When one pleads civil disobedience, one must be prepared to
pay the consequences. I hope that this case sets a good example.
Bradley Manning may make the same plea.]
--Megaupload Attorney Says Case Could Set Troubling Precedent
(March 3, 2012)
The lawyer representing Megaupload in the US said that if the storage
service company is found guilty of charges against it, other cloud
storage service companies could be held liable for the content of their
customers' files. If US prosecutors are successful in their extradition
attempt and Megaupload and its executives are tried, it will be the
first criminal copyright infringement case brought against a cloud
services provider in the US. In a criminal case, the prosecution would
need to prove primary copyright infringement, in other words, that the
defendants were aware of the copyright violations and willfully violated
the laws. The indictment against Megaupload does not cite particular
content nor does it name any individuals who shared the content. The
indictment holds Megaupload and those operating the company responsible
for users' conduct. US privacy laws prohibit cloud storage service
providers from looking at the content their customers store.
http://www.computerworld.com/s/article/9225822/Megaupload_lawyer_says_case_could_affect_other_storage_services?taxonomyId=82
--Survey Underscores Need for Bring Your Own Device Policies in Workplace
(April 4 & 5, 2012)
According to SANS' First Annual Survey on Mobility Security, while some
companies allow employees to use their own mobile devices at work, many
of those companies do not know what devices their employees are using.
More than half of the organizations do not have or only "sort of" have
bring-your-own-device (BYOD) security and usage policies. The study
found that just nine percent of responding organizations were "fully
aware" of what devices they were allowing to access their networks.
http://gcn.com/articles/2012/04/05/byod-sans-report-organizations-in-the-dark.aspx
http://www.darkreading.com/mobile-security/167901113/security/news/232800317/sans-survey-byod-widespread-but-lacking-sufficient-oversight.html
[Editor's Note (Honan): BYOD is nothing new. Any company that allows
remote web access to its email or allows users to connect USB devices to
its systems has been running a BYOD program by default. Companies need
to recognize this and develop policies and controls accordingly.]
************************ Sponsored Links: ****************************
1) SolarWinds(R) Log and Event Manager for operations, compliance and
security is powerful, easy and affordable!
http://www.sans.org/info/103114
2) Learn the results of the SANS First Annual Mobility Security Survey
and gain practical advice for securely supporting mobility/BYOD
Thursday, April 12, 1 PM EST.
http://www.sans.org/info/103119
3) New SANS Analyst Paper: Privileged Password Sharing: Root of all
Evil, with Dave Shackleford http://www.sans.org/info/103124
For a full index of SANS Analyst papers, go here:
https://www.sans.org/reading_room/analysts_program/
************************************************************************
THE REST OF THE WEEK'S NEWS
--Guilty Plea in Sony Hack
(April 5, 2012)
Cody Kretsinger has pleaded guilty to felony charges for his role in
last year's security breach of Sony Pictures Entertainment. Kretsinger
admitted to helping to launch an SQL injection attack on a Sony website,
to stealing personal information of registered users of that site, and
to providing that information to other members of his hacking group so
they could post it to the Internet. Kretsinger was charged with
conspiracy and unauthorized impairment of a protected computer.
http://www.bbc.co.uk/news/uk-17628600
http://arstechnica.com/tech-policy/news/2012/04/accused-lulzsec-member-pleads-guilty-to-hacking-sony.ars
http://www.msnbc.msn.com/id/46971398/ns/technology_and_science/
--Microsoft's Patch Tuesday for April to Fix 11 Security Flaws
(April 5, 2012)
Microsoft plans to release six security bulletins on Tuesday, April 10,
to address a total of 11 vulnerabilities. Four of the bulletins have
maximum severity ratings of critical; the other two are rated important.
The bulletins address issues in Windows, Internet Explorer (IE), Office,
SQL Server, and Forefront Unified Access Gateway 2010, Microsoft's
virtual private networking platform.
http://technet.microsoft.com/en-us/security/bulletin/ms12-apr
http://www.computerworld.com/s/article/9225883/Microsoft_slates_critical_Windows_Office_IE_patches_next_week_including_head_scratcher_?taxonomyId=17
http://www.zdnet.com/blog/security/microsoft-readies-patch-for-gaping-ie-browser-security-holes/11366
http://www.scmagazine.com/microsoft-to-sew-up-11-security-vulnerabilities-next-week/article/235396/
[Editor's Comment (Northcutt): I realize most readers know this, but
just to reinforce: they may be fixing 11 flaws, but this means thousands
of changes. For organizations that track changes, this is going to be a
hard week.]
--Hackers Steal Utah Medicaid Claim Data
(April 4 & 5, 2012)
Hackers in Europe are believed to be responsible for stealing files of
Medicaid patients. The breach occurred on a server at the Utah Health
Department. The hackers compromised 24,000 Medicaid claim files
according to initial estimates; now officials believe that many more
patients have been affected by the breach. Compromised information
includes names, Social Security numbers (SSNs), and other sensitive
data. The breached server has been shut down and new security measures
have been put in place. The breach was possible because of employee
error: the security on the newly set up server was not complete. The hackers
gained access to the server on a Friday and began downloading data two
days later. The breach was detected on Monday morning.
http://www.v3.co.uk/v3-uk/news/2166363/eastern-european-hackers-suspected-medicaid-cyber-raid
http://www.sltrib.com/sltrib/news/53854948-78/state-utah-medicaid-health.html.csp
http://www.govinfosecurity.com/articles.php?art_id=4654
http://articles.chicagotribune.com/2012-04-04/news/sns-rt-us-usa-hackers-utahbre83404g-20120404_1_data-security-breach-cyber-attack-hackers
--Prison Sentence for Online Data Theft
(April 4 & 5, 2012)
A UK man has been sentenced to more than two years in prison for
stealing identity, payment card, and PayPal data. Edward Pearson was
caught after making just GBP 2,400 (US $3,800) in fraudulent
transactions. Pearson gained access to the accounts online over a
20-month period with the help of Trojan horse programs such as ZeuS and
SpyEye. The losses could have been considerably higher. Police were able
to track Pearson after his girlfriend used some of the stolen payment
card information to book rooms at upscale hotels.
http://www.csoonline.com/article/703537/uk-hacker-accessed-accounts-for-20-months-before-bust?source=CSONLE_nlt_update_2012-04-05
http://www.theregister.co.uk/2012/04/04/cybercrook_jailed/
--Federal Utility's Cyber Security Weaknesses Not Uncommon
(March 4, 2012)
According to an internal US Department of Energy (DOE) audit, the
Bonneville Power Administration in Portland, Oregon, has cyber security
weaknesses that make its systems vulnerable to breaches. Experts say
that the issues found at Bonneville are found at many other government
and industry systems as well. The audit found that 11 Bonneville servers
used weak passwords and 400 known vulnerabilities had not been fixed.
Bonneville is a federal utility that provides power to 30 percent of the
Pacific Northwest region.
http://www.nextgov.com/nextgov/ng_20120404_8857.php
[Editor's Note (Murray): Better to have had these vulnerabilities
discovered by one's auditors than by one's adversaries. Let only those
whose systems do not have any of the vulnerabilities on the SANS list
snigger.]
--British MPs to Consider Proposal to Expand Government's Surveillance Powers
(April 2, 2012)
Later this year, British legislators will examine a proposal that would
allow the government access to residents' text messages, phone calls,
email, and Internet browsing history. The government maintains that the
increased snooping powers are necessary to protect the country from
terrorism and other threats. But some citizens and some members of
Parliament (MPs) say the proposal goes too far and would move Britain
more deeply into a surveillance society. The proposal is not yet
complete, but some say it would grant powers beyond those the US
government has to access private information of its residents. Access
to the content of messages would still require warrants, but the time,
frequency, and destination of the communications would be accessible
without a warrant.
http://www.washingtonpost.com/world/europe/britain-weighs-proposal-to-allow-greatly-increased-internet-snooping/2012/04/02/gIQAOerQrS_story.html
--VA Getting Tough About Employee Security Training
(March 29 & April 2, 2012)
The US Department of Veterans Affairs is getting tough on its employees
regarding privacy and security training. Workers who do not complete
their mandatory annual training in those areas will find themselves
unable to access agency networks. Between VA employees and contractors,
there are 450,000 people who have access to information contained in VA
networks. Currently, the VA has a 95 percent compliance rate with the
training, which means 18,000 people would be locked out of the networks
if the program had gone into effect a year ago. The training program is
called the Continuous Readiness in Information Security Program (CRISP)
and involves a one-hour, online course that can be accessed within or
outside of the VA network.
http://gov.aol.com/2012/04/02/va-to-unplugs-employees-who-skip-cybersecurity-training/
http://www.govinfosecurity.com/articles.php?art_id=4629
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
the Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk9/J7wACgkQ+LUG5KFpTkYjgQCfaYweKzONSt0p6RS4X23wo4Ht
lHsAn3sh+jb7T275lbW6h+Ub9p3C30QA
=2uqz
-----END PGP SIGNATURE-----