From: The SANS Institute (NewsBites at sans.org)
Date: Fri Feb 01 2013 - 12:54:34 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
How to get maximum value for security investments. John Pescatore has
been a cyber defense analyst and vice president at Gartner for the last
14 years where he became the most trusted analyst in cybersecurity.
John just agreed to begin sharing the data he has been learning more
openly in a 2-3 times per week blog where you can also engage in the
conversation, and to conduct CIO and CISO round tables on the most
important new areas of cybersecurity. He explains why here:
http://www.sans.org/security-trends/2013/01/31/surfacing-at-sans
Alan
**************************************************************************
SANS NewsBites February 1, 2013 Vol. 15, Num. 009
**************************************************************************
TOP OF THE NEWS
Chinese Hackers Infiltrate New York Times; Wall Street Journal, Too.
Survey Finds Fortune 500 Companies Willing to Accept Voluntary
Cybersec Standards
THE REST OF THE WEEK'S NEWS
Opera 12.13 Addresses Security and Stability Issues
New Ransomware and Phishing Variants Detected
Alleged Cyberextortionist Arrested
All Plug-Ins (Except for Flash) Will be Click-to-Play in Upcoming
Version of Firefox
PayPal Fixes SQL Injection Flaw
Another Critical Fix for Ruby on Rails
Universal Plug-and-Play Security Vulnerabilities Prompt
Recommendation to Disable the Technology
More Headaches for Java
************************ SPONSORED BY Symantec ***************************
Are You Ready for the Cyber Readiness Challenge? Join the competition
that puts you in the hacker's shoes to understand their targets,
technology and thought processes so you can ultimately better protect
your organization. Come test your skills within a unique and real world
environment, network with your peers, enter to win prizes and expand
your security awareness. Register Today.
http://www.sans.org/info/122995
****************************************************************************
TRAINING UPDATE
--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
--North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013
--Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013
--SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013
--SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations. http://www.sans.org/event/cyber-guardian-2013
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus New Delhi, Scottsdale, Brussels, Johannesburg, Abu Dhabi, and Seoul
all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***************************************************************************
TOP OF THE NEWS
--Chinese Hackers Infiltrate New York Times; Wall Street Journal, Too.
(January 31, 2013)
The New York Times reports that Chinese hackers targeted its computer
systems in an attack that began in September 2012. The attackers managed
to gain access to a domain controller that holds account access
credentials for all Times employees; this particular attack targeted the
accounts of the current and former Times Beijing bureau chiefs. The
hackers appear to have been looking for information identifying sources
in China who may have provided information to journalists investigating
a story about the fortunes amassed by family members of Chinese Prime
Minister Wen Jiabao. The hackers took circuitous routes, directing their
attacks through previously compromised systems at several different US
universities and shifting IP addresses often. Such deceptive strategy
is similar to that used in other cyberattacks that have been linked to
China. Chinese officials deny involvement in the attacks. The Times
called in Mandiant to help monitor and block the attacks, gather
evidence, and expunge the hackers. The attackers have been ousted from
the system for now and more cyberdefenses have been established, but the
Times harbors no illusions that its systems will not be targeted again.
Bloomberg was targeted in a similar attack earlier last year after they
published a story about the net worth of then-vice president Xi
Jinping's family members.
http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?hp&_r=0
(Editor's Note: The video accompanying the story is thorough and well
worth watching.)
The Wall Street Journal says Chinese hackers have also targeted its
computer systems, presumably for the purpose of monitoring the paper's
China coverage. The attacks "are not an attempt to gain commercial
advantage or to misappropriate customer information."
http://online.wsj.com/article/SB10001424127887323926104578276202952260718.html
http://news.cnet.com/8301-1009_3-57566995-83/wall-street-journal-china-hackers-hit-us-too/
[Editor's Note (Paller): Three big takeaways from this story: (1) the
attackers were in for a long time before they were discovered; (2) the
antivirus and other defenses were useless; (3) they didn't have people
with technical security skills on staff to deal with it. These three
facts are true of more than 1,400 companies in the United States
including most power companies, large law firms, other major newspapers
and media companies, telecommunications, high tech, natural resources,
manufacturers, and defense industrial base companies, just to name a
few. It's easy to point fingers. In a couple of weeks you'll see what
can actually be done to stop these attacks.
(Honan): This story claims that a major factor in the success of the
attackers was the fact the anti-virus software used by the New York
Times did not detect 44 pieces of custom made malware used against the
Times' network. If you are relying solely on anti-virus software to
protect your systems, especially against custom made malware, then you
will get breached. The 20 Critical Controls should be an essential part
of any security manager's defensive arsenal
http://www.sans.org/critical-security-controls and especially the 4 that
stop the attacks that the Times and Journal experienced. ]
--Survey Finds Fortune 500 Companies Willing to Accept Voluntary
Cybersec Standards
(January 30, 2013)
A US Senate survey of Fortune 500 companies found that many would
support voluntary cybersecurity standards. Senator Jay Rockefeller
(D-West Virginia) sent a letter to the companies in September 2012. The
staff of the Senate Committee on Commerce, Science, and Technology
compiled a report from the 300 responses the letter generated. The
responses were largely supportive of cybersecurity legislation and
public/private collaboration, but many were concerned about
cybersecurity standards becoming mandatory.
http://www.nbcnews.com/technology/technolog/top-firms-open-voluntary-cybersecurity-rules-senate-1B8185954
[Editor's Note (Pescatore): Of course, there is already no shortage of
voluntary standards, and there are many mandatory ones that enterprises
are already subject to. The real issue is reducing vulnerabilities -
the government should focus on using its power in the market to drive
reductions in the vulnerabilities in software and online services, and
enterprises should focus not on compliance with more standards but on
addressing the critical security controls that give the biggest bang for
the buck in thwarting attacks.]
************************** Sponsored Links: ******************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt
Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/123000
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4!
http://www.sans.org/info/123005
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Opera 12.13 Addresses Security and Stability Issues
(January 31, 2013)
Opera has released an updated version of its browser that addresses four
vulnerabilities, including a pair of arbitrary code execution flaws and
a privilege elevation flaw. Opera 12.13 also addresses several stability
issues. Some users have reported crashes while attempting to install the
most recent version of Opera. The problem may be related to plug-ins or
to the 64-bit version of the browser.
http://www.h-online.com/security/news/item/Opera-12-13-update-closes-security-vulnerabilities-1794826.html
http://www.v3.co.uk/v3-uk/news/2240335/opera-posts-security-update-for-browser
--New Ransomware and Phishing Variants Detected
(January 31, 2013)
Ransomware known as Police Virus carries more strength than previous
versions of the malware as it actually has the capacity to encrypt all
data on infected machines. This variant disables regedit, task manager,
and msconfig to further confound users. The malware tells users that
because of a criminal offense, they must pay money or their computers
will be encrypted. It spreads through malicious links, infected files,
or drive-by downloads.
http://www.v3.co.uk/v3-uk/news/2240584/evolved-police-virus-ransomware-able-to-encrypt-user-data
There has also been a surge in phishing emails that appear to come from
FedEx. The messages tell recipients that because FedEx was unable to
deliver a package, they must click a provided link to print a receipt
to bring to their local FedEx office to retrieve the package. The link
instead leads to a malicious site that infects their computers with a
Trojan horse program. FedEx has posted a statement online warning of the
scam and reminding people that the company "does not send unsolicited
emails to customers requesting information regarding packages, invoices,
account numbers, passwords, or personal information."
http://www.v3.co.uk/v3-uk/news/2240103/automated-blackhole-trojan-targeting-fedex-customers
[Editor's Note (Honan): A new nasty turn in the psychology the criminals
are using in this campaign in Germany is to accuse the victim of having
a system containing pictures of child pornography and then subsequently
displaying such material on the victim's computer
http://www.h-online.com/security/news/item/BKA-malware-shocks-victims-with-child-pornography-1793910.html
So make sure you have your own incident response team's procedures
modified to deal with such an event should a PC in your company become
infected.]
--Alleged Cyberextortionist Arrested
(January 29, 30 & 31, 2013)
The FBI has arrested a California man in connection with numerous
instances of cyberextortion in which he threatened to post compromising
pictures of women whose social networking accounts he had
hijacked. Investigators believe that Karen "Gary" Kazaryan had more than
350 victims between 2009 and 2011. A recently unsealed indictment
charges Kazaryan with 15 counts of computer intrusion and 15 counts of
aggravated identity theft.
http://www.informationweek.com/security/privacy/fbi-busts-alleged-skype-sextortionist/240147336
http://www.bbc.co.uk/news/technology-21274531
http://www.theregister.co.uk/2013/01/30/fbi_arrest_sexploitation_hacker/
http://www.justice.gov/usao/cac/Pressroom/2013/016.html
Indictment (October 2012): http://www.scribd.com/doc/122847760/Kazaryan-indictment-pdf
[Editor's Note (Murray): Before engaging in extortion, one would do well
to remember that the FBI made their reputation on extortion, protection,
and kidnapping. Following the money is what they do and they are very
good at it. The modern money system makes that easier than ever.]
--All Plug-Ins (Except for Flash) Will be Click-to-Play in Upcoming
Version of Firefox
(January 30, 2013)
Mozilla says it will automatically disable all Firefox plug-ins with the
exception of the most current version of Adobe Flash. Mozilla says the
decision was prompted by security and stability concerns, particularly
the risk of drive-by attacks. Blocked plug-ins will include up-to-date
versions of Silverlight and Java. Currently, Firefox turns on
click-to-play only for those plug-ins that are deemed unsafe or
seriously out-of-date. Chrome and Opera offer click-to-play, but users
must enable the feature themselves.
http://www.computerworld.com/s/article/9236333/Mozilla_takes_drastic_step_to_automatically_block_virtually_all_plug_ins_in_Firefox?taxonomyId=17
http://www.h-online.com/security/news/item/Mozilla-pulling-plug-on-auto-running-nearly-all-plugins-1794162.html
[Editor's Note (Shpantzer): Gutsy move by Mozilla, hopefully the user
base will not rebel. Users need some help with the silliness of
allow-everything by default: Average people are their own system
administrators and the complexity of updating even legitimate
third-party apps (insecure by negligence, not malice) is ridiculous.]
--PayPal Fixes SQL Injection Flaw
(January 30, 2013)
PayPal has fixed a SQL injection vulnerability in its e-commerce website
application that could have been exploited to compromise company
databases and steal sensitive information. PayPal awarded a US $3,000
bounty to the organization that discovered the flaw and alerted the
company to its existence in August 2012.
http://www.theregister.co.uk/2013/01/30/paypal_sql_infection_flaw/
[Editor's Note (Shpantzer): Take a look at PayPal's approach and
contrast it to one recent reaction by a university, as we reported on a
few weeks ago:
http://www.newswire.ca/en/story/1101529/dawson-college-expels-student-for-exposing-vulnerabilities-in-student-portal.
I'm not expecting bug bounties in .edu but there are different ways to
handle things than shooting the messenger.]
--Another Critical Fix for Ruby on Rails
(January 29, 2013)
Ruby on Rails developers have released yet another "extremely critical"
update for the web development framework. The developers urge users to
upgrade to versions 3.0.20 and 2.3.16 as soon as possible. The update
was released for 3.0.x even though that version is no longer supported.
The issues do not affect versions 3.1.x and 3.2.x.
http://www.computerworld.com/s/article/9236312/Ruby_on_Rails_receives_third_security_patch_in_less_than_a_month?taxonomyId=17
http://www.h-online.com/security/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html
--Universal Plug-and-Play Security Vulnerabilities Prompt
Recommendation to Disable the Technology
(January 29, 2013)
Researchers have found three sets of vulnerabilities in the universal
plug-and-play (UPnP) component that allows devices to detect and
communicate with each other over networks. The flaws could be exploited
to steal passwords and documents and to hijack webcams, printers, and
other Internet-connected devices. The US Department of Homeland
Security's (DHS) US-CERT has issued an advisory on the matter.
http://www.wired.com/threatlevel/2013/01/plug-n-play-security-flaws/
http://news.cnet.com/8301-1009_3-57566366-83/upnp-networking-flaw-puts-millions-of-pcs-at-risk/
http://arstechnica.com/security/2013/01/to-prevent-hacking-disable-universal-plug-and-play-now/
http://www.zdnet.com/homeland-security-disable-upnp-as-tens-of-millions-at-risk-7000010512/
http://www.us-cert.gov/current/#cert_releases_upnp_security_advisory
[Editor's Note (Murray): UPnP is most used in SOHO configurations.
While it may be used internally by enterprises, it is rarely exposed to
the Internet by enterprises. This feature is a hole in firewalls and
has been associated with vulnerabilities for a long time. While the
vulnerability is pervasive, the threat and risk have been low. One
expects hoaxes at Christmas and exciting announcements right before
RSA.]
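The advisory above recommends disabling UPnP; the first thing an administrator then wants is a way to confirm that no device on their own LAN still answers UPnP discovery. The script below is an added example, not code from the newsletter or from the researchers it cites: it sends the standard SSDP M-SEARCH request to the UPnP multicast group (239.255.255.250, UDP port 1900, as defined by the UPnP Device Architecture) and parses the HTTP-style responses so that any device still advertising itself after "disabling" UPnP stands out. The sample response embedded for offline testing is constructed (the 192.0.2.0/24 documentation range and a zeroed UUID), and the "hypothetical-router" server string is a placeholder, not a real product.

```python
import socket

# Constructed SSDP reply used for offline testing; no real device produced it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 hypothetical-router/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Standard SSDP discovery request: ST ssdp:all asks every UPnP device to answer.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(text):
    """Parse one SSDP unicast reply into a dict of lowercase header names.

    Returns None when the datagram is not an HTTP/1.1 200 reply (SSDP
    NOTIFY announcements and junk are ignored).
    """
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(headers):
    """Keep the fields an inventory needs: where the device description
    lives, what stack it runs, and its unique service name."""
    return {
        "location": headers.get("location"),
        "server": headers.get("server"),
        "usn": headers.get("usn"),
    }


def discover(timeout=3.0):
    """Multicast one M-SEARCH on the local LAN and collect replies until
    the timeout expires. Returns a list of (sender_ip, summary) tuples."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, (SSDP_GROUP, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data.decode("utf-8", errors="replace"))
            if headers is not None:
                found.append((addr[0], summarize(headers)))
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    # Any entry printed here is a device on this LAN that still answers UPnP.
    for ip, info in discover():
        print(ip, info)
```

Run it from a host on the segment being checked; an empty result after the UPnP switch-off is the expected outcome. Replies still arriving identify, via the LOCATION and SERVER headers, which device to revisit, and the same parser can be pointed at packet captures of port 1900 traffic if the network rather than the host is being audited.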
--More Headaches for Java
(January 30, 31, & February 1, 2013)
Apple has blocked Java completely in OS X 10.6 and above. Other
companies are taking steps to protect their users from Java as well;
virtually all plug-ins will be blocked in Firefox (see story above).
Oracle admits that there are serious problems with Java, but says that
those problems lie with the Java browser plug-ins and that server-side,
desktop, and embedded Java are not vulnerable to the same attacks.
http://arstechnica.com/apple/2013/01/for-second-time-in-a-month-apple-blacklists-java-web-plug-in/
http://www.theregister.co.uk/2013/02/01/apple_blocks_java_mac/
http://www.theregister.co.uk/2013/01/30/oracle_java_security_analysis/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAlEMDKAACgkQ+LUG5KFpTkYy7QCeN928me4exSbmwig93qYAM9C/
rJMAoKHkWeJCQbgWeMO8mYxeiTaA1GL9
=LuU+
-----END PGP SIGNATURE-----