SANS NewsBites Vol. 15 Num. 017 : Cyberspies Targeted US Natural Gas Pipeline Control Systems; Openness About Security Breaches Helps; House Judiciary Committee to Consider Modernizing ECPA; NewsBites Editors Debate Fighting Back in Cyberspace

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 01 2013 - 13:10:06 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quick summary and urls for two extraordinary talks at RSA this week:

1. Ed Skoudis' briefing on cyberwarfare (in the session on the Five Most
Dangerous New Attacks), with a demonstration of how attacks on power
systems actually get through, and his eye-opening disclosure that the
health electronic medical records system used in many hospitals had so
many security flaws that his team had to harden it before it could be
useful in the CyberCity simulation - it was too easy to take over
without hardening. CyberCity is the cyber range used by the military
that includes actual SCADA systems, trains, water supplies and
missiles. There was a great front page article on it in the Washington
Post. Here's the url if you missed it:
http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story_1.html

2. Jonathan Trull's talk (he was the IT auditor and is now the CISO of
Colorado) on how Colorado will be implementing the Top 4 across the
state in the next 3-4 months along with his admission that as the IT
security auditor for the state he had audited against the "600 pages of"
NIST 800-53 and how wrong he had been. The proof was overwhelming. He
had made agencies spend far too much on compliance when they should have
been implementing known defenses against active attacks. The large
audience broke into spontaneous applause when a co-panelist said the new
Executive Order was deeply flawed because it went back to the same
agency that wrote 800-53 and gave NIST a year to study the problem
again. The applause came when he said, "the White House should
immediately act to implement the Top 4 controls that stop most of the
attacks." The CSIS report on the Top 4 is posted at
http://csis.org/publication/raising-bar-cybersecurity

                                        Alan

PS Critical Threat Intelligence is one of the two fastest-growing
professional categories in cybersecurity. All the big banks have threat
intelligence operations and they report that this is their most
important security function. Register by next Wednesday:
http://www.sans.org/event/what-works-cyber-threat-2013

**************************************************************************
SANS NewsBites March 1, 2013 Vol. 15, Num. 017
**************************************************************************
TOP OF THE NEWS
  Cyberspies Targeted US Natural Gas Pipeline Control Systems
  Openness About Security Breaches Helps Security for All
  House Judiciary Committee to Consider Modernizing ECPA
  Point and Counterpoint: NewsBites Editors Debate Focusing on Improving
    Defenses vs. Fighting Back
THE REST OF THE WEEK'S NEWS
  Bradley Manning Enters Plea
  ISPs Disclose Their Illegal Filesharing Penalties Under the Copyright
    Alert System
  UK High Court Says ISPs Must Block Three Filesharing Sites
  Trojan Used for International Cyberespionage
  Adobe Issues Third Flash Update in One Month
  Australian Broadcasting Corporation Investigating Security Breach
  Rental Company Facing Lawsuit Over Spyware
  Symantec Researchers Say Stuxnet Two Years Older Than Previously Thought
  US Justice Department Defers Prosecution of Alleged Channelsurfing
    Website Operator
  Investors Consider Companies' Data Breach History

********************** SPONSORED BY Symantec *************************

Symantec Endpoint Protection 12 and Critical System Protection are
positioned highest in Gartner's Magic Quadrant for completeness of
vision and the ability to execute. Read the report to learn about the
Endpoint Protection landscape, growth drivers and challenges, and where
vendors are positioned. Learn More. http://www.sans.org/info/125837

************************************************************************
TRAINING UPDATE

 --SANS 2013 Orlando, FL March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice
Off My Enigma: A True Story; InfoSec in the Financial World: War Stories
and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

 --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

 --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

 --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations. http://www.sans.org/event/cyber-guardian-2013

 --SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013

 --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentations include APT: It is Time to Act;
and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

 --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

 --Looking for training in your own community?
http://www.sans.org/community/

 --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***************************************************************************

TOP OF THE NEWS
 --Cyberspies Targeted US Natural Gas Pipeline Control Systems
(February 27, 2013)
According to a classified US Department of Homeland Security (DHS)
report, Chinese-linked cyberespionage campaigns targeted 23 US natural
gas pipeline operators between December 2011 and June 2012. The
companies were targeted through spear phishing attacks. The DHS report
does not name China, but the indicators of compromise (IOCs) reported
to DHS match those that Mandiant has linked to a group, known by several
different names, with ties to China's People's Liberation Army. The
information stolen in the attacks - usernames, system manuals, and
pipeline control system access credentials - could allow attackers to
cause damage to compressor stations. The cyberspies also appear to be
targeting information related to fracking.
http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natural-gas-pipelines-vulnerable-to-sabotage?nav=87-frontpage-mostViewed
[Editor's Comment (Assante): The "who" is not insignificant but the
important point to consider is the focused interest in pipeline control
systems and operations related information, reported here. It is
getting more difficult to understand the different motivations
associated with these highly targeted attacks. Many people believe the
Industrial Control System security model is all about "availability",
but I believe the most important element is "Integrity" as it is the
foundation for safe and reliable operations.]

 --Openness About Security Breaches Helps Security for All
(February 27 & 28, 2013)
By disclosing cyberattacks on their computer systems, high profile
organizations such as The New York Times and The Wall Street Journal
have provided insight into the attackers' methods. The breached
organizations are starting to use tools that gather information about
how the cyberintruders are operating. Companies are developing tools
to analyze and share information about cyberintruders' tactics and
goals.
http://www.usatoday.com/story/tech/2013/02/27/proactive-intelligence-corporate-network-breaches/1949879/

 --House Judiciary Committee to Consider Modernizing ECPA
(February 27, 2013)
The US House Judiciary Committee will consider a bill that would
"modernize the decades-old Electronic Communications Privacy Act
(ECPA)," according to committee chairman Representative Bob Goodlatte
(R-Virginia). The proposed legislation would require law enforcement
agents to obtain warrants before reading people's electronic
communications, such as email and Facebook messages. Currently, ECPA
requires only a subpoena, available without judicial approval, to read
the contents of email that has been opened or is more than 180 days old.
http://thehill.com/blogs/hillicon-valley/technology/285397-overnight-tech-house-to-consider-email-privacy-bill
[Editor's Note (Pescatore): The ECPA in 1986 was an update to Title III
legislation back in 1968, which was when telephone wiretaps were first
made legal - for the first 90 years or so of telephone use, wiretapping
was illegal. There are a lot of key provisions in the Title II
regulations, like "minimization" and "necessity" that were very key in
balancing privacy and law enforcement needs, and making abuse of
wiretapping much less likely. As personal and business communications
blur, those same considerations are necessary in any update.
(Northcutt): Here is the ACLU's take on this (they support):
http://www.aclu.org/technology-and-liberty/modernizing-electronic-communications-privacy-act-ecpa
And here is the Electronic Frontier Foundation's take (they also support):
https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act
And oh by the way, it has already passed the house:
http://www.slate.com/blogs/future_tense/2012/11/29/ecpa_leahy_senate_committee_finally_update_email_privacy_law_require_warrant.html ]

 --Point and Counterpoint: NewsBites Editors Debate Focusing on Improving
   Defenses vs. Fighting Back
On Tuesday, February 26, we ran a story suggesting that instead of
focusing on the fact that cyberattacks appear to be emanating from
China, US organizations should instead turn their attentions to shoring
up their networks' cybersecurity. (News of Cyberattacks Emanating From
China Overshadows the Real Issue:
http://www.informationweek.com/security/vulnerabilities/dont-blame-china-for-security-hacks-blam/240149309)
NewsBites editor Shawn Henry responds:

(Henry) "Don't blame China...blame yourself"?! Really? If someone
breaks into my home by breaking a window, am I to blame for not having
bars on it? If a woman is sexually assaulted, is she wrong for wearing
a skirt rather than a wool overcoat? If a drunk driver hits a man, is
it because he shouldn't be out on the road after 11pm? While I
completely concur that we must maintain a strong and aggressive defense
in depth, it's time to stop blaming victims and start holding the
perpetrators accountable. These attacks will continue...forever...until
the COST of committing them outweighs the benefit. That cost increases
when deterrent actions are applied against all potential
adversaries...criminals, terrorists, and nation states...and it is THEY
who are accountable for their malicious acts.

The counterpoint is:

(Paller): "Shawn is absolutely correct, and if law enforcement
professionals and diplomats had demonstrated that they could even begin
to slow the wave of attacks by raising the cost to the attackers, I
would be right next to him. Their efforts, though extraordinary and
laudable, are having no discernible effect. So defenders must act to
raise the bar, and do it together, so we lower the costs of effective
defenses. Jim Lewis of CSIS provided the evidence and manifesto showing
we know what needs to be done and how to do it and that it works.
(http://csis.org/publication/raising-bar-cybersecurity and
http://www.sans.org/critical-security-controls/). Acting jointly to
make it much harder for these attacks to succeed is, today, the most
effective use of time and money in cybersecurity."

Additional commentary from other NewsBites editors:

(Pescatore): Yes, crime is crime and criminals should definitely be
prosecuted. But if you leave your keys in the ignition, or drive with
your eyes closed, or go sailing in a papier-mâché boat in a hurricane,
or leave your front door wide open, or let your children play in the
middle of an Interstate highway, yes - first blame yourself for putting
yourself and your property and your loved ones at totally unnecessary
risk.

(Murray): I am an advocate of the Rule of Law. To me, "self defense"
means "dial 911," not "buy a shotgun." That said, given two statements
of a problem, I prefer the one that permits of a solution. Given two
solutions, I prefer the one in my own hands. I can control
vulnerability; I cannot control threat, so I leave it to the police. I
do my job, they do theirs. Together we are more efficient than either
of us alone.

*************************** Sponsored Links: *****************************
1) Take the Mobile Application security Survey! Enter to Win an iPad!
http://www.sans.org/info/125842

2) Analyst Webcast: Secure Configuration in Action Featuring new
deployment information from the City of Oregon.
http://www.sans.org/info/125847
****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Bradley Manning Enters Plea
(February 28, 2013)
Pfc Bradley Manning has pleaded guilty to charges of misusing and
transmitting classified information, but not guilty to the charge of
aiding the enemy. Manning admitted to downloading more than a quarter
of a million sensitive documents including intelligence reports,
diplomatic cables, and combat videos from Afghanistan. Manning said that
he first attempted to give the information to The New York Times and the
Washington Post, but those newspapers were not interested. He then
turned to WikiLeaks. Manning disputes government claims that the leaked
information could have threatened people's lives and hurt the country.
Manning's full court martial is scheduled to start on June 3, 2013 and
is expected to take several weeks.
http://www.theregister.co.uk/2013/02/28/bradley_manning_court_martial_starts/
http://www.wired.com/threatlevel/2013/02/bradley-manning/

 --ISPs Disclose Their Illegal Filesharing Penalties Under the Copyright
    Alert System
(February 28, 2013)
US Internet service providers (ISPs) are starting to describe how they
will implement the Copyright Alert System (CAS) warnings and penalties
for illegal filesharing. Comcast says that if users do not respond to
earlier warnings, it will hijack the browsers of users who persist in
illegal filesharing, making it impossible for them to surf the web.
Cablevision Systems plans to suspend access for 24 hours for subscribers
who continue to engage in illegal filesharing after a fifth offense. The
suspension will be imposed only if users do not call Cablevision.
Comcast says it does not plan to terminate users' Internet access.
Verizon has already said that it may throttle Internet speeds for repeat
offenders. AT&T plans to hijack browsers as well and redirect users to
an online portal with information about copyright infringement. CAS does
not prevent users from being sued by copyright holders.
http://www.wired.com/threatlevel/2013/02/comcast-browser-hijack/

 --UK High Court Says ISPs Must Block Three Filesharing Sites
(February 28, 2013)
The UK High Court has ordered major Internet service providers (ISPs)
there to block Kickass Torrents, H33T, and Fenopy, three websites that
provide links to pirated movie and music content. The ISPs have 15 days
in which to comply. There is some disagreement as to whether such
tactics are effective over the long run. Some evidence suggests that
last year's ordered block of The Pirate Bay was effective for a short
time, but then peer-to-peer filesharing returned to pre-block levels.
Another report indicates that the number of people downloading pirated
music has decreased, and more people are using legitimate music
streaming sites.
http://www.bbc.co.uk/news/technology-21601609
http://www.guardian.co.uk/media/2013/feb/28/online-piracy-isps-block-access

 --Trojan Used for International Cyberespionage
(February 27 & 28, 2013)
A Trojan horse program known as MiniDuke is being used to conduct
targeted attacks on international companies and government institutions.
It infects computers by exploiting a vulnerability in Adobe Reader's
sandbox feature. Adobe issued a fix for the flaw on February 20.
MiniDuke spreads through maliciously crafted PDF documents by pretending
to be information regarding human rights or NATO issues. Once ensconced
on a computer, MiniDuke connects with command and control servers
through Twitter and Google to get instructions for downloading more
code. MiniDuke has infected machines in 23 countries.
http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-targets-decision-makers-1813304.html
http://arstechnica.com/security/2013/02/bizarre-old-school-spyware-attacks-governments-sports-mark-of-the-beast/
http://news.cnet.com/8301-1009_3-57571571-83/miniduke-malware-takes-aim-at-euro-governments-via-adobe/
http://www.computerworld.com/s/article/9237201/Researchers_uncover_new_global_cyber_espionage_campaign?taxonomyId=17

 --Adobe Issues Third Flash Update in One Month
(February 27, 2013)
Adobe has issued another emergency update to address three critical
vulnerabilities in its Flash Player. The flaws can be exploited to crash
vulnerable systems and allow attackers to take control of them. Two of
the vulnerabilities are being actively exploited. This is the third
Flash update and the fourth update overall that Adobe has issued in
February. A February 7 update addressed a pair of vulnerabilities that
were being actively exploited. On February 12, Adobe released its
regularly scheduled security update. Last week, Adobe released an
emergency update for Reader.
http://arstechnica.com/security/2013/02/adobe-releases-third-security-update-this-month-for-flash-player/
http://krebsonsecurity.com/2013/02/flash-player-update-fixes-zero-day-flaws/
http://www.zdnet.com/adobe-issues-another-patch-for-flash-vulnerabilities-7000011872/
https://www.adobe.com/support/security/bulletins/apsb13-08.html

 --Australian Broadcasting Corporation Investigating Security Breach
(February 27, 2013)
The Australian Broadcasting Corporation (ABC) is investigating reports
of a security breach on its website. The individual claiming to have
hacked the site has posted information that was allegedly taken from the
site. The information includes names, email addresses, hashed passwords
and IP addresses of site users. ABC has shut down the affected subdomain
and plans to contact users affected by the breach.
http://www.zdnet.com/au/australian-broadcasting-corporation-confirms-hack-7000011876/

 --Rental Company Facing Lawsuit Over Spyware
(February 27, 2013)
Court documents filed in a class action lawsuit against rental company
Aaron's, Inc. say that spyware installed on computers that the company
rented out sent 185,000 email messages to the company's corporate
computers. The emails contained sensitive information, including
pictures taken surreptitiously by the computers' webcams, and
information such as Social Security numbers, account passwords, and
straightforward keystroke logging. Aaron's claims that it did not
install the spyware on the computers and places the blame for the
software on individual franchises. Attorneys for one of the franchises
say that the software, called PC Rental Agent, simply shuts down the
machines if the renters fall behind on payments. However, the US Federal
Trade Commission (FTC) found that the software's "Detective Mode" goes
beyond those tasks to take screenshots, webcam images, and log
keystrokes and send the harvested information back to Aaron's computers.
http://www.nbcnews.com/technology/technolog/185-000-spyware-emails-were-sent-aarons-computers-1C8595813

 --Symantec Researchers Say Stuxnet Two Years Older Than Previously Thought
(February 26, 2013)
Researchers at Symantec have found evidence that Stuxnet has been around
two years longer than had previously been believed. Stuxnet first made
headlines in 2010 when it was linked to a 2009 attack on an Iranian
uranium enrichment facility. Symantec researchers now say they have
found a code string that dates back to 2005.
http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/
http://www.washingtonpost.com/world/national-security/stuxnet-worm-targeting-iran-in-works-as-early-as-2005-symantec-finds/2013/02/26/4cb562d8-8059-11e2-8074-b26a871b165a_story.html
http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved
http://www.wired.com/threatlevel/2011/07/stuxnet-timeline/

 --US Justice Department Defers Prosecution of Alleged Channelsurfing
    Website Operator
(February 26, 2013)
The US Justice Department (DOJ) has reached a deal with Brian McCarthy,
who was arrested in 2011 for allegedly operating the
Channelsurfing<dot>net website, which offered links to unauthorized
streamed sporting events. The site was seized in February 2011. The
terms of the agreement under which McCarthy's prosecution will be
deferred require him to demonstrate good behavior, find a legitimate
job, refrain from activity that involves illegal streaming, and repay
more than US $350,000 that he allegedly made in profits from the site.
Federal prosecutors said that deferring McCarthy's prosecution is in the
"interest of the United States," but did not explain how that decision
was reached.
http://arstechnica.com/tech-policy/2013/02/online-sports-streaming-site-owner-avoids-jail-time-in-new-deal-with-feds/
http://news.cnet.com/8301-1009_3-57571497-83/feds-strike-a-deal-with-alleged-illegal-streaming-site-operator/

 --Investors Consider Companies' Data Breach History
(February 25, 2013)
A survey of 405 US investors found that cybersecurity breaches play a
significant role in their investment decisions. Seventy percent of
respondents said they would research companies' cybersecurity practices
and incidents, and 78 percent said that they would be unlikely to invest
in a company that has experienced multiple breaches. Fifty-seven percent
of those responding said that they considered customer data theft a more
serious problem than theft of intellectual property; 29 percent held the
inverse opinion.
http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240149279/investors-value-a-company-s-cybersecurity-record
[Editor's Note (Pescatore): Small surveys like this one tend to come out
every few years (especially as part of the derecho of press releases
coming out of the annual RSA Conference), but larger, longer-term
investigations into stock valuations and security incidents (or
financial shenanigans) at companies do not find any meaningful
correlation.]

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
 
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlEw9qgACgkQ+LUG5KFpTka7pgCgnxf/PqIbhp5Ny2jDtgJpYZEU
Di0An3G/kgcK9imae36t/ngNBxSWdEKU
=M5Jt
-----END PGP SIGNATURE-----