From: The SANS Institute (NewsBites
sans.org)
Date: Tue Jul 10 2012 - 15:24:24 CDT
NSA Chief on consensus standards for cyber security:
The Washington Post reported yesterday that General Keith Alexander said
that standards were necessary, but "the hard part" was figuring out how
to set them. He pointed as a possible model to the SANS Institute's 20
Critical Security Controls, a set of baseline measures.
http://www.washingtonpost.com/blogs/2chambers/post/cybersecurity-chief-urges-action-by-congress/2012/07/09/gJQAP4gMZW_blog.html
**************************************************************************
SANS NewsBites July 10, 2012 Vol. 14, Num. 055
**************************************************************************
TOP OF THE NEWS
Head of Pentagon's Cyber Command Calls for Clear Cyber Security Legislation
Thieves Exploiting Vulnerability in On-Board Diagnostic System to Steal BMWs
THE REST OF THE WEEK'S NEWS
ISPs Set Up Substitute DNS Servers to Help Customers Infected with DNSChanger
Requests for Data from Mobile Providers on the Rise
Two Sentenced for Phishing Schemes
Malicious App in Apple and Google App Stores Steals Phone Book Data
US Cyber Challenge Co-Hosting Summer Cyber Security Camp
Judge Pushes Back Megaupload Extradition Hearing to March 2013
AT&T Drops Lawsuit Seeking US $900,000 Bill Run Up by Hackers
Linksys Router Users No Longer Forced to Use Cisco Cloud Connect
****************************************************************************
TRAINING UPDATE
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012
8 courses. Bonus evening presentations include All Your Hash Are Belong
to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing
and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/
--SANS Boston 2012, Boston, MA August 6-11, 2012
8 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response; and Everything I Know is Wrong! How to Lead a
Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/
--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/
--SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012
10 courses. Bonus evening presentations include Information Assurance
Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/
--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012
46 courses. Bonus evening presentations include Evolving Threats; New
Legal Methods for Collecting and Authenticating Cyber Investigation
Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Bangkok, San Antonio, Melbourne, Arlington, VA, and Prague all in the
next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***************************************************************************
TOP OF THE NEWS
--Head of Pentagon's Cyber Command Calls for Clear Cyber Security Legislation
(July 9, 2012)
US Army General Keith Alexander, head of the Pentagon's Cyber Command
and the National Security Agency (NSA), has called for legislators to
clarify who is responsible for what in defending the country's computer
systems from attacks. General Alexander says it's important that the
issues get sorted out before the US is the target of a major cyber
attack. He pointed to the SANS 20 top controls as a model standard for
what organizations need to do to protect their systems. Responsibility
for defending the country's computer systems falls to several government
agencies, including the Department of Defense, the FBI, and the
Department of Homeland Security. General Alexander said, "The
probability for crisis is mounting."
Video: http://www.c-spanvideo.org/program/ThreatstotheU
http://www.washingtonpost.com/blogs/2chambers/post/cybersecurity-chief-urges-action-by-congress/2012/07/09/gJQAP4gMZW_blog.html
http://thehill.com/blogs/hillicon-valley/technology/236813-cyber-command-chief-urges-action-on-information-sharing-legislation
http://security.blogs.cnn.com/2012/07/09/cyber-chief-warns-of-rising-danger-from-cyber-attacks/?hpt=hp_t2
[Editor's Note (Pescatore): Actually, the responsibility for defending
the "country's computer systems" falls to each organization that owns
and operates each individual computer system, much the way protecting a
business is the responsibility of that business.]
--Thieves Exploiting Vulnerability in On-Board Diagnostic System to
Steal BMWs
(July 7 & 9, 2012)
Thieves have figured out a way to steal BMWs with keyless entry
technology. They are able to bypass alarm systems. It is believed that
the thieves are gaining access to the cars' On-Board Diagnostic (OBD)
system to program new key fobs. The vehicles' OBD ports are constantly
powered, even when the vehicles are off, and they do not require
passwords.
http://www.zdnet.com/hackers-steal-keyless-bmw-in-under-3-minutes-video-7000000507/
http://www.technolog.msnbc.msn.com/technology/technolog/hackers-steal-bmws-3-minutes-using-security-loophole-868400
[Editor's Note (Pescatore): Another good reason to stick to cars that
require a physical key to be inserted into a physical ignition switch
so that car thieves have to steal cars the old fashioned way.]
************************************************************************
THE REST OF THE WEEK'S NEWS
--ISPs Set Up Substitute DNS Servers to Help Customers Infected with DNSChanger
(July 9, 2012)
In an attempt to prevent their customers from being cut off from the
Internet, some Internet service providers (ISPs) have set up substitute
DNS servers to maintain connectivity for customers whose machines are
still infected with DNSChanger malware. The DNSChanger Working Group had
set up alternative servers when law enforcement authorities took down
the DNSChanger command-and-control infrastructure last year; those
machines were taken offline on Monday, July 9. The court order allowing
the operation of those machines was extended twice.
http://www.csmonitor.com/USA/2012/0708/Will-your-Internet-be-cut-off-by-DNS-Changer-Monday-How-to-find-out
http://www.theregister.co.uk/2012/07/09/dnschanger_plug_pulled/
http://www.computerworld.com/s/article/9228932/ISPs_downplay_DNSChanger_impact_as_substitute_servers_go_dark?taxonomyId=17
[Editor's Note (Honan): The way that CERTs, ISPs, vendors, voluntary
groups, ISC, the FBI and other law enforcement agencies worked together
to minimize the impact DNS Changer had on its victims is a great example
of how our industry can work together.
(Swa Franzen): The media are blowing this up way out of proportion. Only
about 0.01% of internet users are affected.]
--Requests for Data from Mobile Providers on the Rise
(July 9, 2012)
According to information obtained by US legislators, in the past year,
mobile service carriers have responded to 1.3 million requests from law
enforcement for subscriber data. The requested information includes text
messages and phone location data. The Congressional privacy
investigation elicited submissions from nine mobile service carriers.
The data also show that law enforcement agencies have been requesting
"cell tower dumps," or lists of all phone numbers that have connected
to a specified cell phone tower within a given period of time.
http://www.wired.com/threatlevel/2012/07/massive-phone-surveillance/
--Two Sentenced for Phishing Schemes
(July 9, 2012)
A UK court has sentenced two men to prison for their roles in
phishing scams that netted more than GBP 1.5 million (US $2.33 million).
Damola Clement Olatunji was sentenced to 6.5 years, and Amos Njoroge
Mwango was sentenced to three years, three months. The two men are not
believed to have worked together, but both participated in schemes that
targeted UK students through emails that purported to be from government
loan organizations.
http://www.v3.co.uk/v3-uk/news/2190055/britons-jailed-gbp15m-phishing-scams
--Malicious App in Apple and Google App Stores Steals Phone Book Data
(July 9, 2012)
A malicious app managed to slip past security measures and has been
available in the iOS Apple App Store and Google Play. The "Find and
Call" app steals copies of iPhone and Android contact books and sends
them to a remote server controlled by those responsible for the
malicious app. The app's end-user license agreement (EULA) does not
mention the fact that the data will be sent to a remote server. This
appears to be the first significant instance of malware making its way
into the iOS Apple App Store.
http://www.informationweek.com/news/security/mobile/240003363
--US Cyber Challenge Co-Hosting Summer Cyber Security Camp
(July 9, 2012)
The Third Annual Summer Cyber Security Camp is in session this week.
Hosted by the US Cyber Challenge and the Delaware USCC Coordinating
Council, the invitation-only camp runs from July 9-13 and provides
intensive classes, a career fair, and a cyber-attack/defense
competition, concluding with an awards ceremony. The camp is part of a
response to a report from the Center for Strategic and International
Studies that said the country needs 30,000 skilled cybersecurity
professionals to effectively defend computer networks. The 30
individuals selected to participate in the camp were chosen based in
part on their scores in Cyber Quests competitions; some people who did
exceptionally well in other competitions were invited as well.
http://www.prnewswire.com/news-releases/us-cyber-challenge-and-delaware-universities-to-host-3rd-annual-cyber-security-summer-camp--competition-161795705.html
--Judge Pushes Back Megaupload Extradition Hearing to March 2013
(July 9 & 10, 2012)
A New Zealand judge has pushed back the extradition hearing for
Megaupload founders Kim Dotcom, Mathias Ortmann, Finn Batato, and Bram
van der Kolk to March 2013. The extradition had initially been set for
August 6 of this year. A High Court judge invalidated the warrants used
to seize property and funds from Dotcom. The judge also said that
because the warrants were so broad and general, the FBI's sending copies
of data from seized hard drives back to the US was also illegal.
http://www.stuff.co.nz/technology/7252387/Dotcom-extradition-hearing-delayed
http://www.wired.com/threatlevel/2012/07/dotcom-extradition-postponed/
--AT&T Drops Lawsuit Seeking US $900,000 Bill Run Up by Hackers
(July 9, 2012)
AT&T will not pursue collection of a US $900,000 phone bill that hackers
ran up on a Massachusetts company's account. AT&T initially filed suit
seeking payment of US $1.15 million for charges and interest from
Ipswich-based Todd Tool and Abrasive Systems, but on June 9, the
telecommunications company announced that it has "decided not to pursue
the claims." Todd Tool president Michael Smith had filed a countersuit
which he has not yet dropped, because "what the AT&T media statement
said and what they told [Todd's] attorney is not the same."
http://www.upi.com/Odd_News/2012/07/09/Company-owes-14M-for-hackers-calls/UPI-60611341865435/?spt=hs&or=on
http://www.boston.com/businessupdates/2012/07/09/may-drop-million-suit-against-ipswich-business-owner/C8iEriPsvKwLS2ZtWGNixK/story.html
[Editor's Note (Honan): As more and more companies migrate their phone
systems to VOIP based solutions or allow for remote workers to access
the PBX we are seeing an increase in PBX fraud. The Irish Department
of Communications has issued some good guidelines on preventing PBX
fraud on their MakeITsecure website at
http://www.makeitsecure.org/en/pbx-security.html]
--Linksys Router Users No Longer Forced to Use Cisco Cloud Connect
(July 6, 2012)
Cisco Connect Cloud service is no longer the default setting for
managing Linksys EA Series Wi-Fi routers. Users were upset recently when
Cisco pushed out a firmware update that made Connect Cloud the default
management setting. Users may now choose to use Cisco Cloud Connect.
Cisco has issued an apology and is trying to ease customers' concerns
about privacy and automated firmware updates.
http://www.eweek.com/c/a/Enterprise-Networking/Cisco-Cloud-Connect-No-Longer-Default-Setting-for-Linksys-Routers-110505/
http://www.computerworld.com/s/article/9228876/Cisco_apologizes_for_privacy_39_confusion_39_makes_cloud_service_an_opt_in_feature?taxonomyId=17
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat, and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/