SANS NewsBites Vol. 15 Num. 002 : Will Cyberwarfare Go Mainstream in 2013? National Defense Authorization Act for 2013 Addresses Cyber Operations; CIA Nominee a Proponent of Federal Cybersecurity Legislation; CyberCity Simulates "Kinetic Effects" of Cyberwarfare

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jan 08 2013 - 12:55:59 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**************************************************************************
SANS NewsBites January 8, 2013 Vol. 15, Num. 002
**************************************************************************
TOP OF THE NEWS
  Analysts Claim Cyberwarfare Will Go Mainstream in 2013
  National Defense Authorization Act for 2013 Addresses Cyber Operations
  CIA Nominee a Proponent of Federal Cybersecurity Legislation
  CyberCity Simulates "Kinetic Effects" of Cyberwarfare
THE REST OF THE WEEK'S NEWS
    Claims That Group Who Attacked Google in 2010 Behind Most Recent IE
      Attacks
    Adobe Warns of Flaw in ColdFusion
    Los Alamos National Lab Replaced Huawei Switches Last Fall
    DHS Website Attacked Through Directory Traversal Flaw
    Guilty Plea Expected in US $100 Million Software Piracy Scheme
    Hospice Fined for Potential HIPAA Violations; Fewer Than 500
      Patients Affected
    Former South Carolina Dept. of Revenue Computer Security Admin Tells
      State Legislators About Agency Security Problems
    USPS to Pilot Federated Identity Management Program
    Systems Administrator Cyber Skills Assessment Program

****************************************************************************
TRAINING UPDATE
--SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
--North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra
all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
 
***************************************************************************

TOP OF THE NEWS
 --Analysts Say Cyberwarfare Will Go Mainstream in 2013
(January 7, 2013)
Security analysts are predicting that 2013 will be the year that
cyberwarfare escalates. Last year, the Iranian government was targeted
in large-scale cyberattacks and Iran is rumored to be behind recent
distributed denial-of-service (DDoS) attacks launched against major US
banks. Some are predicting that governments will step up their
cyberwarfare spending. Others say that attacks against power grids and
other elements of critical infrastructure could lead to the loss of
human life. Still others say that concern is overblown.
http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html
[Editor's Note (Assante): The primary regulating factors that have kept
us from seeing more cyber initiated destruction are... 1) there is
little money in destruction, especially in comparison to the risk, and
2) organizations that deal in violence are slow to change.
Unfortunately the latter factor is diminishing in our hyper connected
cyber world. I have never liked the term cyber war as it is misleading
on many fronts. Our primary take away from these predictions is that
traditional attempts at trying to analyze risk (estimating likelihood
and consequences) are becoming less relevant than developing a competent
and highly skilled defense team.
(McBride): I think it's important to remember that causing specific
kinetic effects via cyber attack is a different sport than stealing
intellectual property. Like rugby and American football, they are
similar, but require different skills and techniques. Each industrial
automation and control system has different logic controlling the way
it operates, different safety systems intended to limit the impact of
failures. The current state of cyber attacker-engineer domain competence
is not to the point where kinetic effects are going "mainstream", but
we are seeing an uptick in interest. ]

 --National Defense Authorization Act for 2013 Addresses Cyber Operations
(January 3 & 4, 2013)
The US National Defense Authorization Act (NDAA) for fiscal year 2013
includes requirements that the Defense Department (DOD) "acquire
next-generation host-based cybersecurity tools and capabilities" and
report to Congress on its cyber activity. It also provides guidelines
for reporting cyberintrusions and calls for the military to adopt new
testing rules for software development and licensing through the new
"baseline software assurance policy," which will require checking for
problems from the software throughout its lifetime starting in the
software's development phase.
http://www.informationweek.com/government/security/new-defense-budget-aims-to-improve-cyber/240145571
http://fcw.com/articles/2013/01/03/ndaa-provisions.aspx
http://www.nextgov.com/cybersecurity/2013/01/defense-law-aims-preempt-software-supply-chain-attacks/60495/?oref=ng-channeltopstory
[Editor's Note (Pescatore): Any change in government procurement regs
causes change sloooowly but requiring developers and software vendors
to demonstrate use of automated vulnerability assessment tools is a
very, very good thing. But there is one glaring need: how can such tools
be specified or tested, to make sure that quality tools are in use? We
need someone like NIST to maintain the "bug-ridden" software standard
test database, much the way they maintain test standard in many other
areas.]

 --CIA Nominee a Proponent of Federal Cybersecurity Legislation
(January 7, 2013)
John Brennan, recently nominated by President Obama to be the director
of the US Central Intelligence Agency (CIA), has been a vocal advocate
of federal cybersecurity legislation. Brennan has been Deputy National
Security Advisor for Homeland Security and Counterterrorism. In August,
Brennan urged US legislators to pass the Cybersecurity Act of 2012.
http://www.computerworld.com/s/article/9235378/Obama_s_CIA_nominee_an_advocate_for_federal_cybersec_regulations?taxonomyId=17

 --CyberCity Simulates "Kinetic Effects" of Cyberwarfare
(January 4, 2013)
Much cybersecurity simulation training concentrates on the cyber
environment, but CyberCity simulates the effects of cyberwarfare on
physical infrastructure.
http://www.theatlantic.com/technology/archive/2013/01/the-future-of-cybersecurity-could-be-sitting-in-an-office-in-new-jersey/266849/
[Editor's Note (Paller): CyberCity is the most advanced example so far
of the simulators that will revolutionize cyber skills development the
way flight simulators revolutionized pilot training. Already more than
1,200 "top guns" and those aspiring to develop advanced skills are using
NetWars (the foundation of CyberCity) on a continuous basis to test
their skills and then learn more and then test again. SANS is building
a new course around NetWars to make this capability available with
instructors so people can get the maximum value out of hands-on skills
development.]

************************* Sponsored Link: ********************************

1) NEW paper in the SANS reading room: SANS Survey on Application
Security Policies in Enterprises http://www.sans.org/info/120622
Associated webcast featuring SANS Analyst Frank Kim:
http://www.sans.org/info/120627

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Claims That Group Who Attacked Google in 2010 Behind Most Recent IE Attacks
(January 7, 2013)
Recent attacks exploiting a zero-day flaw in older versions of Internet
Explorer (IE) appear to be the work of the same hacker group that
infiltrated servers at Google and other companies in 2010. The group,
dubbed the Elderwood Gang, "continues to produce new zero-day
vulnerabilities for use in watering hole attacks," according to Symantec
researchers.
http://arstechnica.com/security/2013/01/latest-ie-attack-brought-by-same-gang-that-hacked-google/
[Editor's Comment (Northcutt): Most of what you read on this topic is a
rehash of the Symantec blog. Here is a link to the Elderwood Blog post.
Also, in the post is a link to their research paper titled The Elderwood
Project which is a fascinating read:
http://www.symantec.com/connect/blogs/elderwood-project-behind-latest-internet-explorer-zero-day-vulnerability
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
(McBride): Interesting combination of targets -- remembering of course
that the compromised Web sites are not the actual targets, but the
targeting mechanism. The parties behind the attacks have left clues that
seem to demonstrate that from a certain perspective, opsec is not all
that important to them. Equally important to the analytical conclusions
in these write-ups is the question of *why* these Web sites were
compromised.]

 --Adobe Warns of Flaw in ColdFusion
(January 7, 2013)
Adobe has issued a security advisory warning users that hackers are
exploiting several unpatched flaws in its ColdFusion application server
software. The vulnerabilities affect ColdFusion versions 10, 9.0.2,
9.0.1, and 9.0. One of the flaws can be exploited to take control of
vulnerable servers; another can be exploited to access restricted
directories; and the third can be exploited to allow information
disclosure. Adobe says it is working on patches for the flaws and
expects to have them ready for release on January 15; in the meantime,
the company has offered mitigation suggestions for protecting machines
from attacks through the flaws.
Internet Storm Center:
https://isc.sans.edu/diary/Adobe+ColdFusion+Security+Advisory/14827
http://www.computerworld.com/s/article/9235358/Adobe_warns_of_actively_exploited_ColdFusion_flaws?taxonomyId=17
http://www.adobe.com/support/security/advisories/apsa13-01.html

 --Los Alamos National Lab Replaced Huawei Switches Last Fall
(January 7, 2013)
According to a document obtained by Reuters and dated November 5, 2012,
the Los Alamos National Laboratory in New Mexico removed a pair of
Huawei network switches from its computer systems due to concerns about
the equipment's security. The lab replaced the components, which were
made by H3C, a joint venture between Huawei and 3Com. The letter in
question was sent from the lab to the Department of Energy's security
directorate.
http://www.guardian.co.uk/world/2013/jan/07/los-alamos-chinese-computer-parts
http://www.zdnet.com/huawei-gear-discovered-removed-from-u-s-nuclear-lab-7000009476/

 --DHS Website Attacked Through Directory Traversal Flaw
(January 7, 2013)
Hackers claim to have exploited a trivial directory traversal
vulnerability to gain access to portions of a US Department of Homeland
Security (DHS) website that offers advice for foreigners who are seeking
to study in the US. The attackers were reportedly able to access the
site's configuration file that contains a password for a database for
the blogging software used by the website. The information was posted
to a Pastebin page.
http://www.theregister.co.uk/2013/01/07/nullcrew_dhs_hack/
[Editor's Note (Pescatore): Most CEOs or Agency Heads would not drive
their car very far if the "Check Engine" light was pulsing an angry red
color on their dashboard. There are many tools that can detect well
known vulnerabilities in web code - both for doing so *before* the code
goes on the web site (by far the best approach) and against live,
production web sites. The lack of use of such tools should automatically
trigger a "Check Engine!!" light on any meaningful web site.]
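As an added example (not code from the NewsBites item, The Register's report, or the DHS site), the block below shows the bug class generically: a file handler that joins the request path onto the document root without normalisation, beside a hardened resolver that decodes, normalises and confines the result, plus a small check run over constructed web-server log lines of the kind a "Check Engine" light should key on. The document root, the config file location, the IP addresses and the log lines are all made up for the demonstration.

```python
"""Directory traversal: vulnerable vs. hardened path resolution, and a
log check for traversal attempts.  Added example; every path, address and
log line here is constructed for illustration."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical layout: the blog config (with the DB password) sits one
# level above the document root, which is exactly what '../' reaches.
WEB_ROOT = "/var/www/site/public"
CONFIG_FILE = "/var/www/site/wp-config.php"


def resolve_vulnerable(user_path: str) -> str:
    """The bug: request path appended to the root with no normalisation,
    so '../' sequences walk out of the document root."""
    return WEB_ROOT + "/" + user_path


def resolve_hardened(user_path: str) -> Optional[str]:
    """Decode (twice, to catch %252e-style double encoding), reject NULs,
    normalise, and refuse anything that does not stay under WEB_ROOT.
    Returns the absolute path, or None when the request is rejected."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:          # NUL can truncate the path in C-backed file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Patterns seen in traversal probes: plain, backslash, URL- and double-encoded.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "%252e", "..%2f", "..%5c")


def looks_like_traversal(request_path: str) -> bool:
    lowered = request_path.lower()
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)


# Constructed access-log lines in common log format; the 200 status on a
# traversal path is the signal that the request actually succeeded.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2013:10:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [07/Jan/2013:10:01:09 -0500] "GET /images/../../wp-config.php HTTP/1.1" 200 3011',
    '198.51.100.4 - - [07/Jan/2013:10:02:11 -0500] "GET /page.php?f=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3011',
    '198.51.100.9 - - [07/Jan/2013:10:03:00 -0500] "GET /about/ HTTP/1.1" 200 2200',
]


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for each log line whose request
    path carries a traversal pattern."""
    hits = []
    for line in lines:
        try:
            request = line.split('"')[1]       # e.g. 'GET /path HTTP/1.1'
        except IndexError:
            continue
        parts = request.split(" ")
        if len(parts) < 2:
            continue
        path = parts[1]
        if looks_like_traversal(path):
            hits.append((line.split(" ")[0], path))
    return hits


if __name__ == "__main__":
    print("vulnerable :", resolve_vulnerable("../wp-config.php"))
    print("hardened   :", resolve_hardened("../wp-config.php"))
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The hardened resolver is the "before the code goes on the web site" check; the log scan is the production-side one. Neither replaces a proper scanner, but a site that fails either is the pulsing red light Pescatore describes.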

 --Guilty Plea Expected in US $100 Million Software Piracy Scheme
(January 7, 2013)
On Monday, January 7, 2013, a Chinese national was expected to plead
guilty to federal charges for his involvement with a US $100 million
software piracy ring. US authorities have called the scheme "one of the
most significant copyright infringement cases ever uncovered." The April
2012 indictment alleged that Xiang Li broke access controls on high-end
software and that he and a co-conspirator sold the pirated software for
a fraction of its retail value. Li and his unnamed accomplice netted US
$60,000 from the sale of software that, had it been legitimate, would
have been worth more than US $100 million. The products that Li and his
associate sold were used for defense, engineering, manufacturing, space
exploration, and other purposes.
http://www.wired.com/threatlevel/2013/01/piracy-scheme/
http://www.wired.com/images_blogs/threatlevel/2013/01/xingindictment1.pdf

 --Hospice Fined for Potential HIPAA Violations; Fewer Than 500 Patients
    Affected
(January 2 & 7, 2013)
The Hospice of North Idaho (HONI) is the first entity to be fined for a
potential Health Insurance Portability and Accountability Act (HIPAA)
Security Rule breach affecting fewer than 500 people. HONI will pay the
US Department of Health and Human Services US $50,000. In June 2010, an
unencrypted laptop was stolen from an employee's vehicle. The computer
contained personally identifiable information, including names, Social
Security numbers (SSNs), diagnoses, and other treatment information of
411 HONI patients. HONI was found to have failed to "conduct an accurate
and thorough risk analysis to the confidentiality of ePHI (electronic
protected health information) as part of its security management process
from 2005 through January 2012."
http://www.scmagazine.com/feds-step-up-hipaa-enforcement-with-hospice-settlement/article/274916/
http://www.hhs.gov/news/press/2013pres/01/20130102a.html

 --Former South Carolina Dept. of Revenue Computer Security Admin Tells
    State Legislators About Agency Security Problems
(January 4, 2013)
In testimony before a special state House committee investigating a
significant data security breach at the South Carolina state Department
of Revenue (SCDOR), Scott Shealy, a former computer security
administrator at the agency, said that the SCDOR computer chief did not
heed warnings about cybersecurity problems there. Shealy left his job
at SCDOR in September, 2011, because he was frustrated with the
situation there. His position remained unfilled for nearly a year and
Shealy's responsibilities were farmed out to other, "overtaxed"
employees. Shealy also spoke about "a lack of oversight in the
day-to-day operations that potentially could have spotted [the attack]
and stopped it." Shealy said that his former boss did not act on
suggestions to encrypt data or require multiple passwords to access data
in SCDOR computers. The attack resulted in the compromise of
information belonging to 6.4 million consumers and businesses.
http://www.thestate.com/2013/01/04/2576982/hacked-sc-agency-failed-to-heed.html#.UOshgkKVhmC
[Editor's Note (Honan): These are interesting claims as they highlight
two challenges we face in infosec. The first is ensuring we know how
best to raise our concerns with senior management so they take
appropriate action. The second is making sure infosec reports into an
appropriate function; too often the focus of infosec is more on
Confidentiality and Integrity while for the CIO the focus is on
Availability. If these challenges cannot be met then your choice can
be either stay and live with the situation, try and escalate it to other
senior management outside of IT or to simply change jobs.]

 --USPS to Pilot Federated Identity Management Program
(January 4, 2013)
The US Postal Service (USPS) will pilot the Federal Cloud Credentialing
Exchange, a cloud-based federated identity management program. The
scheme would allow US citizens to register for online services at
government agencies without having to obtain passwords and usernames for
each agency.
http://www.nextgov.com/cloud-computing/2013/01/postal-service-host-cloud-based-public-private-id-protection-network/60468/?oref=ng-HPriver
http://www.informationweek.com/government/security/postal-service-pilots-next-gen-authentic/240145559
[Editor's Note (Pescatore): Back in the mid-1990s, back in the hype
around PKI, the USPS first tried to get this moving. Since Post Offices
play a key role in registering citizens for physical passports, makes
sense - but when you think about all the other infrastructure in place
to support the physical passport issuance, maintenance, etc the problem
is still really, really complex. Focusing on a single agency near term
win with digital IDs would be a good way to go, vs. trying to attack the
"federation" monster right away.]

Call for participation: If you are part of the SANS Hacker Guard
University Consortium
(https://www.sans.org/newsletters/newsbites/newsbites.php?vol=14&issue=83)
and would like to participate in the new GIAC system administrator
security skills assessment program, please send a note to swell@sans.org
requesting to participate. Many universities are considering
administering a skills assessment program prior to allowing an
individual to serve as a system administrator or "privileged user".

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
 
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlDsZoAACgkQ+LUG5KFpTkbFBQCfUKjRkZrMlmpOrFyfubpBEfZS
H10AnRDc3VOg+cbqoo5N3NK3eUwlKlWT
=ljv/
-----END PGP SIGNATURE-----