SANS NewsBites Vol. 15 Num. 006 : Australia's National Security Strategy Focuses on Cyber; US HHS Releases HIPAA Omnibus Rule; Critical Infrastructure Systems Proven Vulnerable to Attack

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jan 22 2013 - 12:58:53 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tomorrow is the last day to save $500 on courses at SANS 2013 - the
largest training program in cybersecurity - in early March in Orlando.
http://www.sans.org/event/sans-2013

**************************************************************************
SANS NewsBites January 22, 2013 Vol. 15, Num. 006
**************************************************************************
TOP OF THE NEWS
  Australia's National Security Strategy Includes Heavy Focus on Cyber Threats
  US Dept. of Health and Human Services Releases HIPAA Omnibus Rule
  Critical Infrastructure Systems Seen as Vulnerable to Attack
THE REST OF THE WEEK'S NEWS
    Canadian Computer Science Student Expelled Over Live Site Scan
    More Details About Attacks Targeting Industrial Control System Passwords
    Google Researchers' Paper Describes Encrypted Authentication Token
    Indian Police Arrest Two in Connection with Online Bank Account Theft
    Polish Domain Registrar Takes Over Virut Botnet Domains
    Two Vulnerabilities in ESPN Mobile App
    Red October Operators Appear to be Shutting Down Operations
    Vulnerability in Cisco Linksys Router
    AMD Files Lawsuit Against Former Employees for Alleged Theft of
      Intellectual Property

************************ SPONSORED BY Symantec ****************************

Symantec Endpoint Protection 12 and Critical System Protection are
positioned highest in Gartner's Magic Quadrant for completeness of
vision and the ability to execute. Read the report to learn about the
Endpoint Protection landscape, growth drivers and challenges, and where
vendors are positioned. Learn More. http://www.sans.org/info/121822

****************************************************************************
TRAINING UPDATE
--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

--North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

--Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

--SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

--SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations. http://www.sans.org/event/cyber-guardian-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current
Plus Cairo, New Delhi, Scottsdale, Brussels, and Johannesburg
all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org
***************************************************************************

TOP OF THE NEWS
 --Australia's National Security Strategy Includes Heavy Focus on Cyber Threats
(January 21, 2013)
Australian Prime Minister Julia Gillard will make a speech later this
week in which she will describe the government's national security
objectives for the next five years. While the document itself has not
been officially released, "it is said to focus ... heavily on the threat
of cyber intrusions, which has grown massively in the [last] three
years," according to a press release.
http://www.theaustralian.com.au/national-affairs/defence/cyber-war-china-key-to-security-says-julia-gillard/story-e6frg8yo-1226557811625
[Editor's Note (Paller): The Australians are doing much more than
admiring the threat. They have found four specific actions that actually
stop the targeted attacks doing all the damage, and they are engaged in
a government-wide initiative, led by the nation's leaders, to make sure
every agency has those critical controls in place. Those four controls
are directly highlighted in the new 20 Critical Controls benchmark
document that will be released at RSA and are the target of a U.S.
national pilot program in federal, state and commercial organizations
designed to measure how well they work and to determine whether any
significant disruptions occur when they are implemented.]

 --US Dept. of Health and Human Services Releases HIPAA Omnibus Rule
(January 18 & 21, 2013)
The US Department of Health and Human Services (HHS) has released the
HIPAA omnibus rule, which updates the original HIPAA (Health Insurance
Portability and Accountability Act) rule, which dates back to 1996. It
clarifies the responsibilities of healthcare providers and other
entities that process health insurance claims. The new rule also
clarifies when breaches must be reported to HHS. The new rule will take
effect on March 26, 2013; entities affected by the rule will have 180
days beyond that date to become compliant.
http://healthitsecurity.com/2013/01/18/hhs-posts-final-hipaa-omnibus-rule/
http://www.medpagetoday.com/PracticeManagement/InformationTechnology/36940
[Editor's Note (Henry): Glad to see HHS's recognition of this issue, and
the need to promulgate rules for data breach reporting. Unfortunately,
in many cases of actual breach, the criteria requiring this reporting
cannot be met. For example, the factor that "the protected health
information (was) actually viewed or acquired", can often not be
determined, even when you're aware there's been a breach. I'd like to
see tougher requirements that breaches themselves are reported,
regardless of the speculation around what might have occurred while the
adversary was prancing around the network.
(Murray): HIPAA has already set such a high hurdle that hospitals and
physicians prefer paper records to electronic. 180 days to understand
and comply with 550 pages of new rules is called a very high hurdle. We
need simplification and clarity.]

 --Critical Infrastructure Systems Seen as Vulnerable to Attack
(January 17, 2013)
Spear phishing is the starting point for many attacks against the
computers run by power companies. A recent test of the resiliency of
power systems to social engineering showed 26 percent of employees who
work closely with industrial control systems fell victim to the social
engineering attack. Among their job titles were: a control room
supervisor, a pipeline controller, an automation technician, a process
controls engineer and a senior vice president for operations and
maintenance.
http://bits.blogs.nytimes.com/2013/01/17/critical-infrastructure-systems-seen-as-vulnerable-to-attack/?src=rechp
[Editor's Note (McBride): Interesting piece of research here. It seems
that we so often focus on technological post-attack remedies (FW, AV,
IDS) that we ignore targeting altogether. Klingler and associates showed
that this is a serious fallacy, especially for firms that operate
critical infrastructure ICS.
(Assante): Engineers and operators need tailored awareness/behavior
changing programs to reduce the attack surface and understand how cyber
realities impact their decisions and work.]

************************ Sponsored Links: *******************************
1) The recent Java 7 and IE 0days have shaken the industry. Many pundits
and even US-CERT advise to uninstall Java or move away from IE - but
this is ridiculous advice given how many of your internal apps rely on
both...how about a real solution? Kill 0-days in their tracks. See how
Invincea stops these 0days WITHOUT signatures -
http://www.sans.org/info/121827

2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4!
http://www.sans.org/info/121832

3) SANS Survey on SCADA Security results revealed by SCADA expert, Matt
Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/121837
*****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Canadian Computer Science Student Expelled Over Live Site Scan
(January 21, 2013)
Dawson College in Quebec has expelled a computer science student for a
"serious professional conduct issue." Ahmed Al-Khabaz and another
student found a security problem in a mobile application used by the
school to manage and allow access to student information. When Al-Khabaz
initially informed Dawson of the issue, he was told that the problem
would be fixed. The incident escalated when, several days later,
Al-Khabaz decided to see if the vulnerability still existed by using a
website security scanning tool. The tool is designed to be used with
off-line copies of web applications, not on live sites. Dawson deemed
Al-Khabaz's actions an attack and expelled him.
http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/

 --More Details About Attacks Targeting Industrial Control System Passwords
(January 18, 2013)
The US Department of Homeland Security (DHS) is warning companies that
operate elements of the country's critical infrastructure of an attack
on industrial control systems that guesses passwords. The attack focuses
on Siemens S7 programmable logic controllers. DHS is advising the
affected companies to ensure that their industrial control systems are
not connected to the Internet and to partition those systems from their
business networks.
http://www.nextgov.com/cybersecurity/2013/01/dhs-warns-password-cracker-targeting-industrial-networks/60767/?oref=ng-channeltopstory

 --Google Researchers' Paper Describes Encrypted Authentication Token
(January 18, 2013)
A paper by Google Vice President of Security Eric Grosse and engineer
Mayank Upadhyay argues that new technologies must be developed to
replace most passwords. They write that "passwords and simple bearer
tokens such as cookies are no longer sufficient to keep users safe."
The paper proposes a small hardware token that authenticates its owner
cryptographically to online accounts now protected by passwords, and
suggests building that token into something people already carry, such
as a smartphone or a piece of jewelry. The paper is scheduled for
publication later this month in IEEE Security & Privacy magazine.
http://www.computerworld.com/s/article/9235971/Google_sees_one_password_ring_to_rule_them_all?taxonomyId=17
http://news.cnet.com/8301-1009_3-57564788-83/googles-password-proposal-one-ring-to-rule-them-all/
http://www.wired.com/wiredenterprise/2013/01/google-password/?cid=5394044
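To make the paper's distinction concrete, here is an added example (written for this page, not code from Google's paper or from the articles linked above) that models a bearer cookie beside a challenge-response token. It assumes an HMAC-keyed token for brevity where a real token would hold an asymmetric key; the site names, user and password are constructed.

```python
import hashlib
import hmac
import secrets


class Device:
    """Models a hardware token whose secret never leaves it.

    Assumption: a symmetric HMAC key stands in for the asymmetric signing
    key a real token would carry, so the demo needs only the standard
    library. The server-side verification is adjusted accordingly.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def enrolment_key(self) -> bytes:
        # Given to the server once at enrolment (a real token would export a public key).
        return self._key

    def respond(self, origin: str, nonce: str) -> str:
        # The answer is bound to the site the token sees and to one fresh nonce,
        # so it is useless at another site and useless a second time.
        msg = f"{origin}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._passwords = {}    # user -> password (constructed; plaintext only for brevity)
        self._device_keys = {}  # user -> enrolled token key
        self._cookies = {}      # bearer cookie -> user
        self._pending = {}      # outstanding nonce -> user it was issued to
        self._used = set()      # nonces already consumed

    def enrol(self, user: str, password: str, device: Device) -> None:
        self._passwords[user] = password
        self._device_keys[user] = device.enrolment_key()

    # --- bearer-token path: possession of the cookie is the whole proof ---
    def password_login(self, user: str, password: str):
        if self._passwords.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self._cookies[cookie] = user
        return cookie

    def whoami(self, cookie: str):
        # Anyone presenting the cookie is treated as the user.
        return self._cookies.get(cookie)

    # --- challenge-response path: the token must answer a fresh challenge ---
    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = user
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        if self._pending.get(nonce) != user or nonce in self._used:
            return False
        self._used.add(nonce)          # each nonce is accepted at most once
        del self._pending[nonce]
        key = self._device_keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, f"{self.origin}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def _setup():
    server = Server("https://bank.example")   # constructed origin
    device = Device()
    server.enrol("alice", "hunter2", device)  # constructed credentials
    return server, device


def stolen_cookie_is_accepted() -> bool:
    """A captured bearer cookie (XSS, malware, network) works for the thief."""
    server, _ = _setup()
    cookie = server.password_login("alice", "hunter2")
    return server.whoami(cookie) == "alice"


def replayed_response_is_rejected() -> bool:
    """A captured token response cannot be played back a second time."""
    server, device = _setup()
    nonce = server.challenge("alice")
    response = device.respond(server.origin, nonce)
    genuine = server.verify("alice", nonce, response)
    replay = server.verify("alice", nonce, response)
    return genuine and not replay


def phished_response_is_rejected() -> bool:
    """A response the token computed for a lookalike site fails at the real one."""
    server, device = _setup()
    nonce = server.challenge("alice")            # attacker relays the real nonce
    response = device.respond("https://bank-example.com", nonce)
    return not server.verify("alice", nonce, response)
```

The three scenario functions return True when the expected property holds: the bearer cookie is accepted by whoever presents it, while the token's answer is rejected both on replay and when it was computed for a different origin.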

 --Indian Police Arrest Two in Connection with Online Bank Account Theft
(January 18 & 21, 2013)
Police in India have arrested two men in connection with theft from
online banking accounts. The men allegedly managed to find a way around
the bank's two-factor authentication system. They allegedly bought
information about the accounts they targeted and used social engineering
tactics to convince mobile phone companies to supply the replacement SIM
cards that they then used in the scheme.
http://www.theregister.co.uk/2013/01/21/indian_sms_bank_fraud_arrests/
http://www.financialexpress.com/news/duo-arrested-for-internet-banking-fraud/1061205/1

 --Polish Domain Registrar Takes Over Virut Botnet Domains
(January 18 & 21, 2013)
Polish domain registrar NASK has taken over 23 domains that were being
used to control the Virut botnet network. Traffic to those domains has
been rerouted to a domain under control of CERT Polska, which is run by
NASK. Virut has been used to distribute the ZeuS malware and more
recently to distribute Waledac malware. Virut has also been using
Russian (.ru) and Austrian (.at) domains. The Russian domains have also
been shut down and the .at domain registry and Austrian CERT have been
notified of the issue.
http://www.computerworld.com/s/article/9235991/Security_researchers_cripple_Virut_botnet?taxonomyId=17
http://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/
http://www.theregister.co.uk/2013/01/21/virut_botnet_take_down/
[Editor's Note (Henry): I expect we'll see more government/private
sector organizations collaborate to take action against adversary
infrastructure...a movement towards focusing on the threat actor rather
than merely reducing vulnerabilities.]

 --Two Vulnerabilities in ESPN Mobile App
(January 18, 2013)
A popular ESPN app appears to be affected by two security issues. A
cross-site scripting (XSS) flaw in the ESPN ScoreCenter app could be
exploited to circumvent access controls to gain access to user data. The
app is also reportedly vulnerable to an attack that could expose account
usernames and passwords, which could be problematic for people who use
the same usernames and passwords across multiple accounts. ScoreCenter
is a free app that is available for Android, iPhone, and Windows phone
platforms. The flaws affect version 3.0 of the app. An ESPN spokesperson
says that the problems have "been resolved."
http://www.scmagazine.com/xss-password-flaws-found-in-popular-espn-app/article/276723/
[Editor's Note (Murray): Incomplete parameter checking remains the most
persistent coding error in "modern" systems. Perhaps we might ostracize
programmers after the second offense.]

 --Red October Operators Appear to be Shutting Down Operations
(January 18 & 21, 2013)
In the week since news of the Red October cyberespionage operation
broke, elements of the scheme's infrastructure have been shut down,
presumably by the scheme's operators. Red October appears to have been
created to steal data from computers and connected mobile devices of
embassies, governments, and scientific research facilities around the
world. The shutdown is occurring as Kaspersky Lab publishes additional
information about Red October and its technical details.
http://www.h-online.com/security/news/item/Red-October-closes-as-Kaspersky-publishes-more-details-1787774.html
http://arstechnica.com/security/2013/01/red-october-espionage-platform-unplugged-hours-after-its-discovery/
[Editor's Note (Shpantzer): For some analysis, including the openIOC
file, go here:
http://labs.alienvault.com/labs/index.php/2013/red-october-indicators-of-compromise-and-mitigation-data/ ]

 --Vulnerability in Cisco Linksys Router
(January 17, 2013)
Cisco has acknowledged that there is a vulnerability in a Linksys router
that could be exploited to gain complete control of the device, which
is used for wireless home networks. Cisco says that despite earlier
reports suggesting that the flaw affects multiple models, it actually
occurs only in the Linksys WRT54GL model. Cisco has developed a patch
for the issue and is currently testing it. Until the fix is made
available users are urged to ensure that they have configured their
networks securely and that strangers and other untrusted individuals do
not connect to the router with an Ethernet cable.
http://www.csoonline.com/article/727005/cisco-confirms-linksys-firmware-flaw-says-only-one-router?source=CSONLE_nlt_newswatch_2013-01-18
[Editor's Note (Murray): We worry about home router vulnerabilities that
can be exploited from the Internet, where most of the attacks come from,
even ones that can be exploited from the air side. Less about those
that require physical access to the device.]

 --AMD Files Lawsuit Against Former Employees for Alleged Theft of
    Intellectual Property
(January 16, 2013)
AMD has filed a lawsuit in Massachusetts district court, alleging that
four former managers stole intellectual property from the company before
leaving to work for rival Nvidia. The lawsuit calls the events "an
extraordinary case of trade secret transfer/misappropriation and
strategic employee solicitation." AMD's lawsuit alleges that former AMD
manager Robert Feldstein used external hard drives to download licensing
agreements and strategic plans from his work computer and that Feldstein
recruited three other employees to move to Nvidia and bring proprietary
information with them.
http://www.theregister.co.uk/2013/01/16/amd_nvidia_spying_lawsuit/
[Editor's Note (Shpantzer): From the November 13, 2002 NewsBites: "Some
organizations make it a policy to forensically image the computers of
departing employees, whether they quit or were fired. This allows them
to come back later to a properly archived image and analyze it for
potential evidence." I think this comment still holds true, over a
decade later.
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=4&issue=46 ]

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore was Vice President at Gartner Inc. for fourteen years. He
became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.
 
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlD+2rYACgkQ+LUG5KFpTkYPBQCdGZcPfGam32mmRf9Zlq3rK/sD
c7EAmwVubDTlQi5QL0zzHYTpBfn9oNyk
=Ow8E
-----END PGP SIGNATURE-----