From: The SANS Institute (NewsBitessans.org)
Date: Fri Jun 21 2013 - 13:12:09 CDT
SANS NewsBites June 21, 2013 Vol. 15, Num. 049
TOP OF THE NEWS
US and Russia Will Establish Cybersecurity Hotline
Reforming the Computer Fraud and Abuse Act
Microsoft Announces Bug Bounty Programs With a Twist
Future Version of Firefox Will Block Most Tracking
THE REST OF THE WEEK'S NEWS
India Moves To Increase Number of Government Cybersecurity Experts
France Gives Google Three Months to Address User Data Privacy Concerns
US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation
Swedish Court Gives Warg Two-Year Sentence for Hacking
LinkedIn Outage Blamed on Human Error
Yahoo Plans to Recycle Dormant User IDs
Oracle Fixes 40 Vulnerabilities in Java
Google Challenges Constitutionality of Gag Orders Accompanying FISA National Security Orders
****************** SPONSORED BY White Hat Security **********************
ALERT: How Hackers Launch the Top Ten Web Attacks
Every year the number and creativity of web hacks increases, and the
damage from these attacks rises exponentially, costing organizations
millions every year. Learn about the latest and most insidious Web-based
attacks researched and compiled from a panel of world-class web
application security experts.
-- Industrial Control System (ICS) Security Training
In-depth, hands-on technical courses taught by top SCADA experts. Gain
the most current information regarding SCADA and Control System threats
and learn how to best prepare to defend against them. Leave the event
with solutions that you can immediately put to use in your organization.
--Washington, DC (August 12-August 16)
-- SANSFIRE 2013 Washington, DC June 14-22, 2013
42 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
-- Security Impact of IPv6 Summit Washington, DC June 14-16
Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6
Summit offers discussions and panels with IPv6 security experts, ISPs,
early adopters, and industry vendors. You will come away with best
practices from those who have already implemented IPv6. A two-day,
post-summit class follows:
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
-- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013
10 courses. Bonus evening presentations include Thanks for Recovering
... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is
Time to Act.
-- SANS London Summer 2013 London, UK July 9-July 16, 2013
4 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses and the excellent 2 day
Securing The Human course.
-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013
Our two most popular security courses that will get you started on your
security career - SEC 401 Security Essentials Bootcamp Style and
SEC504: Hacker Techniques, Exploits & Incident Handling.
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013
SANS's European forensics summit and dedicated forensics training event.
Four of SANS's most important forensics training courses and
opportunities to network with leading digital forensics experts.
-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
-- Multi-week Live SANS training
-- Looking for training in your own community?
-- Save on On-Demand training (30 full courses) - See samples at
Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--US and Russia Will Establish Cybersecurity Hotline
(June 17 & 20, 2013)
The US and Russia have agreed to communicate about cybersecurity issues
to help reduce the risk of cyberconflict. Through real-time
communication channels similar to those used more than 25 years ago to
address nuclear weapons concerns, the countries hope to avoid disasters
caused by misunderstandings or lack of information. The countries plan to warn
each other about cyber exercises that could be mistaken for aggressive
action and to ask about cyber activity that could be perceived as
threatening and that appears to emanate from the other country's
cyberspace. They will also set up a hotline so that leaders can speak
to each other directly if necessary.
[Editor's Note (Pescatore): The US and Russia first discussed this back
in 2011 and it is a good thing. There really are many similarities
between the uneasy Cold War years with Mutually Assured Destruction as
the stabilizing mechanism deterring the use of nuclear weapons by the
major superpowers. But, and this is a gigantic but, governments had a
monopoly on the funding and scientists needed to create nuclear weapons.
That is *not* true of cyber weapons. The ways nations cooperate to fight
crime, and the way businesses and people have to largely protect
themselves against criminals is a much more apt analogy.]
--Reforming the Computer Fraud and Abuse Act
(June 20, 2013)
US Representative Zoe Lofgren (D-California) and Senator Ron Wyden
(D-Oregon) explain in detail why the country's Computer Fraud and Abuse
Act (CFAA) needs to be changed and what they believe those changes
[Editor's Note (Pescatore): The CFAA was amended in 2008 but hasn't
changed much since 1986. I think some of the proposed rewording will
need work (requiring that someone "knowingly" circumvented access
controls seems hard to prove) but in general the proposed changes are
--Microsoft Announces Bug Bounty Programs With a Twist
(June 19, 2013)
Microsoft has joined Google and Mozilla in offering a bug bounty
program. In fact, Microsoft is launching three bounty programs. The
first is much like other companies' programs, but with a time
constraint. For example, Microsoft plans to release Internet Explorer
on June 26; the company will pay up to US $11,000, and in some cases
even more, for critical flaws discovered by July 26. The second and
third programs do not have established end dates. In those programs, the
Mitigation Bypass Bounty and the BlueHat Bonus for Defense, Microsoft
will pay as much as US $100,000 for attacks that manage to get past
Windows 8.1 anti-exploitation mechanisms. Microsoft will also pay US
$50,000 for defense techniques for the exploit that are submitted at the
same time. Mike Reavey, senior director with the Microsoft Security
Response Center is hopeful that the new bug bounty programs will draw
hackers away from the Pwn2Own hacking contest.
--Future Version of Firefox Will Block Most Tracking
(June 19, 2013)
Mozilla developers are moving ahead with plans to block tracking in
future versions of Firefox. Advertisers are opposed to the changes
because they say that tracking lets them deliver targeted advertisements
that bring revenue to websites. Cookies would still be permitted if
users give explicit permission for the website or when users visit a
site regularly. The companies that will feel the change the most are
those that track users' activity without their knowledge.
*************************** Sponsored Links: ******************************
1) Analyst Webcast: Getting Hitched: Converging Endpoint and Network
Data Analysis for Improved Visibility and Control, Featuring Jerry
Shenk, Wednesday, July 10, 2013 at 1:00 PM EDT.
2) Take the SANS survey on Security Intelligence and Analytics and enter
to win an iPad! http://www.sans.org/info/133432
3) Analyst Webcast: Critical Security Controls Survey. Tuesday, June 25,
2013 at 1:00 PM EDT. http://www.sans.org/info/133437
THE REST OF THE WEEK'S NEWS
--France Gives Google Three Months to Address User Data Privacy Concerns
(June 20, 2013)
French data privacy body, Commission Nationale de l'Informatique et des
Libertes (CNIL), has given Google three months to implement changes to
the way it collects and manages customer data. The commission found
Google to be in violation of the French Data Protection Act. CNIL's June
10 decision lists the changes it expects from Google, including
explaining to users how the data they collect will be used, and not
retaining data beyond the time necessary for the purpose for which they
were collected. If Google does not comply with the order, the company
could face sanctions. Google is facing enforcement action over privacy
practices in several other EU countries, including Spain and Germany.
[Editor's Note (Pescatore): 90 days is a long time! Google recently
shortened to 7 days the time it will give software vendors before it
discloses vulnerabilities in their products, so I'm sure that within a
week Google will clear up these privacy violations...]
--US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation
(June 20, 2013)
"Operation In Our Sites," an ongoing effort by US authorities to thwart
intellectual property fraud, has seized more than 1,700 websites in the
past three years. The offending sites offered illegally streamed
sporting events; sold bogus apparel, accessories and counterfeit drugs;
and allowed illegal downloads of music and movies. US authorities were
able to seize the sites because the domains - .net, .com, and .org - are
controlled by US entities.
--Swedish Court Gives Warg Two-Year Sentence for Hacking
(June 20, 2013)
A Swedish court has sentenced Gottfrid Svartholm Warg to two years in
prison for hacking into computer systems at Logica, an IT company that
provides tax services to the Swedish government, and Scandinavian bank
Nordea, from which he made a fraudulent funds transfer. Warg was found
guilty of data intrusions, attempted aggravated fraud, and aggravated
fraud. An unnamed accomplice was found guilty as well. The court was
unconvinced by arguments that someone else was remotely controlling the
defendants' computers. Warg could be extradited to Denmark to face
hacking charges there.
--LinkedIn Outage Blamed on Human Error
(June 20 & 21, 2013)
More than half of LinkedIn users were unable to access their accounts
for a number of hours late Wednesday evening and into early Thursday
morning US Eastern time. People attempting to access the site were
redirected to the wrong site. The company said that the issue resulted
from "a problematic response to a DDOS incident by service provider
Network Solutions." Earlier reports suggested that the outage was due
to DNS hijacking.
--Yahoo Plans to Recycle Dormant User IDs
(June 19 & 20, 2013)
Yahoo plans to recycle Yahoo user IDs that have been inactive for a year
or more. The company is aware of concerns about the old IDs falling into
hands of people with malicious intents, but says it is going to
"extraordinary lengths to ensure that nothing bad happens to our users."
One concern that has been voiced is that someone acquiring a Yahoo
ID that is linked with someone else's Gmail account could request a password
reset for the Gmail account and take control of it. The same thing could
potentially be done with social media and financial accounts. Yahoo
released a statement noting that "any personal data and private content
associated with these accounts will be deleted and will not be
accessible to the account holder."
[Editor's Note (Shpantzer): "Own the email, own the person," indeed:
--India Moves To Increase Number of Government Cybersecurity Experts
(June 19, 2013)
Although India is a recognized "information technology superpower," the
number of cybersecurity experts working in the country's government is
a fraction of the number working in China, the US, and Russia. India has
just 556 experts total in all government departments, a "grossly
inadequate" figure. The US has more than 91,000 and China 125,000. India
intends to increase the number of cybersecurity experts in government
[Editor's Note (Pescatore): Well, more cybersecurity expertise is better
than less but I'm not sure where they got their numbers. For example,
they say "Similarly, the U.S. has 91,080 experts in its cyber security
workforce, of whom 88,169 are in the Department of Defense alone." That
implies that there are only 3,000 cyber security experts in private
industry in the US, which makes no sense.
(Paller): The DoD numbers are close to correct - approximately 100,000
people in DoD and the major defense contractors call themselves
cybersecurity professionals. The military services and Cyber Command
have discovered that very few of those professionals have the
mission-critical, hands-on skills needed to protect the nation. They
don't know how to do network traffic analysis or reverse engineering or
deep forensics or counter-intelligence based script development or
advanced penetration testing and exploitation. That's why you heard
about U.S. Cyber Command's new technical skills recruiting program
seeking 4,000 people. India is starting out on the right track with a
national "train the trainer" program focused on developing hands-on
cybersecurity skills. The first program is in Mumbai at the end of July
(https://www.sans.org/event/mumbai-2013). Those who do best in that
training program and the associated certification exams can qualify to
advance into a national teacher development program.]
--Oracle Fixes 40 Vulnerabilities in Java
(June 18 & 19, 2013)
On Tuesday, June 18, Oracle issued a Critical Patch Update for Java 7
for Mac and for Windows. The update fixes 40 security issues and enables
online certificate revocation checking by default. On the same day,
Apple issued an updated version of Java 6 for OS X Snow Leopard, Lion,
and Mountain Lion. Snow Leopard users cannot upgrade to Java 7.
--Google Challenges Constitutionality of Gag Orders Accompanying FISA National Security Orders
(June 18, 2013)
Google has filed legal documents with the Foreign Intelligence
Surveillance Court challenging the constitutionality of the gag orders
that accompany FISA court orders. The legal challenge asserts that the
orders tread on Google's First Amendment rights. Google is asking
to publish the number of requests for data it receives from the
government as discrete categories. Google was the first company to
publish data about National Security letters (NSLs) in its transparency
reports. The government has granted permission for the number to be
aggregated with the number of NSLs, but Google wants to list them
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit