SANS NewsBites Vol. 15 Num. 015 : Colorado Sets Higher Standard for State Cybersecurity; Cyberthieves Hide Fraudulent ACH Transfers in DDoS Attack; Apple hacked; White House Strategy on Theft of Trade Secrets

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Feb 22 2013 - 16:08:11 CST


The promised status report on implementation of the White House
Executive Order: (1) Days since announcement: 10 (2) Progress on
moving to action: none.
The White House's Michael Daniel and NIST Director Gallagher know
exactly what needs to be done
(https://csis.org/publication/raising-bar-cybersecurity). Sadly, the
people who brought you NIST SP-800-53 and 800-37 appear to be winning
the fight to make federal agencies write another billion dollars worth
of reports admiring the problem instead of using that money to fix the
problem.

                                        Alan

PS For the press folks on this list, if you are coming to RSA, email me
and I'll send you the list of the sessions that are the game changers.
(apaller@sans.org)

**************************************************************************
SANS NewsBites February 22, 2013 Vol. 15, Num. 015
**************************************************************************
TOP OF THE NEWS
  Colorado's New CISO Sets A Higher Standard for State's Cybersecurity Issues
  Cyberthieves Used DDoS Attack to Hide Fraudulent ACH Transfers
  Apple is the Latest Company to be Hit Through Drive-by Waterhole Attack
  White House Publishes Strategy to Mitigate Theft of Trade Secrets
THE REST OF THE WEEK'S NEWS
    Bit9 Was First Infiltrated in July 2012
    Oracle Releases Java Updates
    Apple Issues Java Update and Malware Detection Tool
    Adobe Issues Emergency Fixes for Flaws in Reader and Acrobat
    Dutch MP Fined for "Hacking"
    Firefox 19 Includes Native PDF Viewer
    Password Hashing Competition Now Accepting Submissions

****************************************************************************
TRAINING UPDATE

-- SANS 2013 Orlando, FL March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice
Off My Enigma: A True Story; InfoSec in the Financial World: War Stories
and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

--SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

--SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations.
http://www.sans.org/event/cyber-guardian-2013

--SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentations include APT: It is Time to Act;
and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

--Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

***************************************************************************

TOP OF THE NEWS
 --Colorado's New CISO Sets A Higher Standard for State's Cybersecurity Issues
(February 21, 2013)
When Jonathan Trull took over as Colorado's Chief Information Security
Officer (CISO), he faced state computer systems with numerous security
problems and just US $6,000 remaining in his operating budget, which has
to last through June 30, 2013. Before becoming CISO, Trull was the
Colorado State Auditor. While in that position, he ran penetration tests
against state systems that led to "horrifying" results. As auditor, he
realized that there was too strong a focus on compliance issues and not
enough focus on whether or not policies were actually working to make
systems more secure. Trull decided that the SANS 20 Critical Security
Controls was the best place to start. He plans to implement the first
five controls within the next year and the remaining controls over a
three-year period. To make things work with the small sum available
until the fiscal year ends at the end of June, Trull says his staff is
"using existing technologies [such as] application whitelisting, ...
[and] doing a lot with open source and other tools and features that are
already built into [their] existing software." Trull also stopped buying
security products, conducted an inventory of what they had and found
that lots of products had been purchased and were not being used. He
plans to involve vendors in the security process, holding them
accountable for the effectiveness of their products. Trull has also
established cybersecurity internships to help build the workforce. He
is seeking an increased budget for the next fiscal year.
http://www.csoonline.com/article/729218/how-colorado-s-ciso-is-revamping-the-state-s-information-security-on-a-6-000-budget?source=CSONLE_nlt_update_2013-02-21
[Editor's Note (Pescatore): This is sort of like one of the movies where
the rich guy and the poor guy get zapped by the same lightning strike
and switch lives. Compliance needs to follow security - mostly by
documenting the controls and processes put in place to protect and
enable business - not the other way around. It is also a good example
of the need for most organizations with limited budgets to focus on the
highest payback security controls first.]

 --Cyberthieves Used DDoS Attack to Hide Fraudulent ACH Transfers
(February 19, 2013)
In late December 2012, cyberthieves launched a distributed
denial-of-service (DDoS) attack against a bank in California as a
distraction while they attempted to steal more than US $900,000 from the
accounts of a Sacramento construction company with fraudulent automated
clearinghouse transactions. The thieves used 62 money mules in the US
to help launder the funds. The construction company's president said
that when the company controller tried to access the banking page on
December 24, she found she was unable to - her computer was actually
being controlled by the hackers, preventing her from accessing the
bank's online banking services. It is likely that other companies' bank
accounts were looted as well.
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
[Editor's Note (Henry): DDoS attacks conducted against financial
institutions are often used as a smoke screen for the "real" attack
against accounts... to keep the consumer from identifying changes
occurring as the theft takes place, and to tie up the bank's resources
and make it more difficult to detect the substantive crime.
(Pescatore): DDoS attacks are like power fluctuations on the AC power
to your data center - they have been happening, they will continue to
happen, you can't afford to let them impact your systems. DDoS
mitigation should be a standard part of business continuity planning for
all Internet connectivity.]

 --Apple is the Latest Company to be Hit Through "Drive-by Waterhole Attack"
(February 20, 2013)
The malware that infected computers at Apple, Facebook, and Twitter
appears to have come from drive-by download attacks from an iOS
developer website. It is called a waterhole attack because the malware
was placed on a website that was likely to draw traffic from desirable
targets. The attack exploited a then-undisclosed vulnerability in Java;
patches for the vulnerability have since been made available. Hackers
were able to compromise an administrator account at iPhoneDevSDK's
website and insert the Java exploit.
http://www.computerworld.com/s/article/9236996/Many_companies_likely_affected_by_iOS_developer_forum_compromise?taxonomyId=17
http://www.h-online.com/security/news/item/iPhone-developer-site-confirmed-as-corporate-attack-source-1806603.html

 --White House Publishes Strategy to Mitigate Theft of Trade Secrets
(February 20 & 21, 2013)
The White House has released the Administration Strategy on Mitigating
the Theft of US Trade Secrets. The report outlines a five-pronged
approach to protecting US intellectual property that incorporates
diplomatic efforts; promotion of voluntary best practices in private
industry; enhanced domestic law enforcement operations; improved
domestic legislation; and public awareness and stakeholder outreach. The
report describes incidents of Chinese and Russian cyber espionage, and
also notes the threat of insider intellectual property theft.
http://www.washingtonpost.com/world/national-security/us-launches-effort-to-stem-trade-secret-theft/2013/02/20/26b6fbce-7ba8-11e2-a044-676856536b40_story.html
http://www.nextgov.com/cybersecurity/2013/02/administration-bolsters-plans-counter-cyber-spys/61423/?oref=ng-HPriver
http://www.theregister.co.uk/2013/02/21/us_revamped_cyber_strategy/
http://s3.documentcloud.org/documents/605299/tade-secrets-022013.pdf
[Editor's Note (Murray): This is a good start and a good approach. It
is addressed to appointees of the President in the active voice. It
directs them to do legitimate things within the president's authority;
it does not encourage or condone mischief. It has milestones and
timetables. It fosters transparency and accountability. It places
clear limits on what may be done in its name and cause. That said, the
problem that it addresses is cultural and changing culture takes time.]

THE REST OF THE WEEK'S NEWS
 --Bit9 Was First Infiltrated in July 2012
(February 20, 2013)
The hackers who broke into systems at Bit9 made their initial intrusion
as early as July 2012 with an SQL injection attack, according to experts
investigating the incident. The malware used in the attack is the same
as malware that was used last year to launch cyberattacks against US
Defense contractors. At Bit9, cyberthieves stole a digital certificate,
which was then used to make malware appear to be legitimately signed
software. Bit9 did not become aware of the breach until late January
2013.
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/

 --Oracle Releases Java Updates
(February 20, 2013)
Oracle has released a critical patch update for Java; the update is for
all versions of the Java runtime environment from version 1.4 through
7, which is the current version. The update fixes three critical
vulnerabilities and two other less severe security issues.
http://www.h-online.com/security/news/item/Oracle-plugs-security-holes-Updates-for-Java-1-4-to-7-1806784.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
[Editor's Note (Pescatore): Is it just me or is the "Security Update for
Java" pop-up starting to look like just a new cursor icon? It is up
on my screen constantly. It is like here in the Washington DC area where
they seem to get the jackhammers out before the last shovelful of
faux-asphalt they dumped in the crater-sized pothole has even dried.
Might be time to hang a "Road Closed Due to Construction" on WebEx and
SSL VPN and those things that are still requiring Java to run, dig the
road up a bit more, put in a more stable surface, let it cure - and
reopen when safe to drive again.]

 --Apple Issues Java Update and Malware Detection Tool
(February 19 & 20, 2013)
After discovering that several company computers were infected with
malware (see story above), Apple isolated those machines from the
company network. The malware exploited a flaw in the Java plug-in for
browsers. Apple has issued an update for Java that addresses 30
vulnerabilities and includes a tool that detects and deletes the malware
from infected machines.
http://www.siliconrepublic.com/strategy/item/31549-apple-attacked-by-same/
http://www.computerworld.com/s/article/9236969/Apple_ships_Java_update_malware_scrubber_after_confirming_attacks_on_own_Macs?taxonomyId=17
http://arstechnica.com/apple/2013/02/apple-hq-also-targeted-by-hackers-will-release-tool-to-protect-customers/
http://www.theregister.co.uk/2013/02/20/apple_java_omnishambles/
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240148810/mac-update-closes-java-security-holes-following-apple-hack.html.html
http://support.apple.com/kb/HT5651?viewlocale=en_US&locale=en_US

 --Adobe Issues Emergency Fixes for Flaws in Reader and Acrobat
(February 20, 2013)
On Wednesday, February 20, Adobe released emergency fixes for two
vulnerabilities in Reader and Acrobat that are being actively exploited.
The flaws are of particular concern because they manage to circumvent
the sandbox features in Reader X and XI. The updates bring Reader XI to
version 11.0.2 and Reader X to version 10.1.6. Reader 9.x has been
updated to 9.5.4. Updates are available for Reader and Acrobat for
Windows, Mac, and Linux.
http://www.computerworld.com/s/article/9236994/Adobe_releases_emergency_patches_for_Reader_and_Acrobat?taxonomyId=244
http://krebsonsecurity.com/2013/02/critical-security-updates-for-adobe-reader-java/
http://www.h-online.com/security/news/item/Adobe-s-emergency-patch-for-Reader-1807369.html
http://www.darkreading.com/application-security/167901123/security/attacks-breaches/240148967/adobe-fixes-sandbox-flaw-used-in-attacks.html
http://news.cnet.com/8301-1009_3-57570478-83/adobe-patches-critical-security-flaws-in-reader-acrobat/

 --Dutch MP Fined for Hacking
(February 19, 2013)
A court in the Netherlands has fined a Dutch MP 750 euros (US $988) for
gaining illegal access to computer systems at a medical laboratory in
that country. The court accepted in part Henk Krol's defense that he was
acting in the public's interest to expose weak security practices at the
company, but said that Krol had not given the company enough time to
address the issues before he went public with his findings and that he
had accessed more records than necessary to prove his point.
http://www.theregister.co.uk/2013/02/19/dutch_mp_ethical_hacking_fine/
[Editor's Note (Murray): If one does not have an agreement with the
owner of the system, one works alone, and one shows the data to those
not authorized to see it, or engages in coercion, then the activity,
whatever one wants to call it, is more likely criminal than "ethical."
This is not a game of "gotcha."]

 --Firefox 19 Includes Native PDF Viewer
(February 19 & 20, 2013)
Mozilla's latest version of its Firefox browser addresses four critical
security flaws and includes a native PDF viewer. The addition of this
feature aims to reduce the likelihood of infections from malware spread
through vulnerabilities in third-party PDF reader browser plug-ins.
Another improvement is that Firefox 19 will not execute code until the
browser's initial window is visible.
http://www.zdnet.com/firefox-19-launches-with-native-pdf-viewer-on-board-7000011553/
http://www.webmonkey.com/2013/02/firefox-19-brings-built-in-pdf-viewer-faster-startup-times/
http://www.h-online.com/security/news/item/Firefox-19-brings-PDF-viewer-and-4-critical-security-fixes-1806437.html
http://arstechnica.com/information-technology/2013/02/firefox-19-gets-a-pdf-viewer-and-a-couple-of-bug-fixes/

 --Password Hashing Competition Now Accepting Submissions
(February 18, 2013)
The Password Hashing Competition is now accepting submissions; the
deadline is January 31, 2014. The contest organizers are seeking a
cryptographic standard that generates hashed passwords slowly enough to
make it more difficult for hackers to use brute force attacks to crack
those passwords, but fast enough to be used on websites so that users
do not have to wait too long to access the information they want.
http://news.techworld.com/security/3426763/password-hashing-competition-aims-to-beef-up-security/
https://password-hashing.net/index.html
[Editor's Note (Pescatore): The Googles and others of the world are
slowly nudging users away from reusable passwords, which is a very good
thing. Of course, much of the world has been slowly nudging human beings
away from smoking cigarettes, another good thing - but people don't make
radical change from such addictive processes very quickly... For now,
increasing the strength of stored password hashes is a very needed thing
- along with other Internet infrastructure upgrades. See
http://www.sans.org/security-trends/2013/02/20/this-old-internet-putting-norm-rich-and-tom-to-work-on-replacing-rotted-out-internet-joists-and-plumbing]

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
 
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.
 
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
