US Cyber Command Chief Warns of Remote Network Sabotage; Defines Need For Continuous Monitoring (June 3, 2010)
In his first public remarks since his confirmation last month, the head of the Pentagon's Cyber Command, General Keith Alexander, said that there are signs that US military networks are being targeted for remote sabotage, and that "the potential for sabotage and destruction is now possible and something we must treat seriously." Speaking on June 1 at the Center for Strategic and International Studies (CSIS) in Washington, DC, Alexander spoke of the need to establish clear rules of engagement for cyber space and the need for improved real-time monitoring and threat-data sharing. General Alexander is also the director of the National Security Agency (NSA).
-http://www.washingtonpost.com/wp-dyn/content/article/2010/06/03/AR2010060302355_pf.html
-http://www.businessweek.com/news/2010-06-03/cyber-command-director-alexander-warns-of-network-sabotage-.html
-http://www.executivegov.com/2010/06/general-keith-alexander-speaks-on-cybersecurity-landscape/
-http://www.google.com/hostednews/afp/article/ALeqM5gu7-0iyRZOhNeGQq0hD-_mqwwpQg

[Editor's Note (Pescatore): The DoD really needs to focus on eliminating or mitigating the continuing *vulnerabilities* in DoD networks that have led to recent incidents. Fix those problems, attacks are blocked and effectiveness of all threats is greatly reduced. Focusing on the threat and monitoring attacks without focusing on eliminating DoD's vulnerabilities just means continued successful attacks.
(Paller): In his address at CSIS, General Alexander defined a new standard of due care in cyber security, made necessary by the new level of threat. He defined the new goal, saying, "real-time situational awareness on our network to see where something bad is happening and take action there at that time." He said, "We must share indications and warning threat data at net speed." The short title used by military leaders for this new standard is "dynamic security." It means they know the status of every machine on the network at all times, they can reach into every machine for additional data on security, and they can take action to eliminate problems instantly. Barry McCullough Jr., Commander of the Navy's Tenth (Cyber) Fleet promised the Chief of Naval Operations that he would have dynamic security "in place by the end of the summer." Although that deadline may slip to the end of the year, the leadership Admiral McCullough is showing is exemplary. Civilian agencies, where the problems are just as acute as in the military, are approaching dynamic security at different speeds - ranging from "brisk" in the best agencies to "comatose." An agency scorecard will be published later this summer showing which federal CIOs have made the most progress toward dynamic security. Early data show two civilian agencies and two military services leading the way. For a copy of the scoring system, email me at firstname.lastname@example.org. ]
Canada Launches Investigation into Google Wi-Fi Data Gathering (June 1 & 2, 2010)
Canada has joined Germany, Italy and France in launching investigations into Google's inadvertent collection of data from unsecured wireless networks. Google collected the data by accident while gathering images for its Street View service. In April, Google said it was collecting only wireless network names and media access control (MAC) addresses, but an audit requested by German authorities proved they were collecting payload data as well. Google acknowledged the issue in May. The US Federal Trade Commission (FTC) has also begun an informal investigation. Several countries have asked that Google be barred from destroying any of the data it has collected while they investigate the potential for criminal prosecution. Google has provided all the collected data to a third party company, ISEC Partners, for safekeeping. Google is facing several lawsuits as well.
-http://www.computerworld.com/s/article/9177583/Google_faces_privacy_investigation_in_Canada?taxonomyId=84
-http://www.msnbc.msn.com/id/37455927/ns/technology_and_science-security/
-http://lastwatchdog.com/googles-wifi-data-harvest-draws-widening-probes/

[Editor's Note (Pescatore): Just as "features and fast to market are more important than security" was baked into the DNA of software companies in the early 1990s, "collect and expose user information" is baked into the DNA of today's generation of companies that sell advertising around other people's data. ]
UK NHS Tops ICO's List of Breach Reports (June 1, 2010)
THE REST OF THE WEEK'S NEWS
Federal Officials To Discuss Continuous Monitoring and FISMA Compliance (June 4, 2010)
The three federal officials who have had and are having the greatest impact on eliminating waste in Federal cyber security reporting will be speaking on June 15 at the Reagan Center in Washington DC. Their purpose is to help federal CIOs and other federal officials (above GS 13), and officers of the large service providers, understand the issues and the way forward. This breakfast will also be one of the first public discussions of CAESARS - the new online reporting framework. Panelists include Matt Coose, Director of Federal Network Security, John Streufert, CISO of US Department of State, and Jerry Davis, CISO of NASA. The discussion will be moderated by Tim Clark, founder and long-time editor and publisher of Government Executive Magazine. There is no cost, but only federal officials and other qualified persons may attend. It is a key installment in the "Cybersecurity Insiders Program."
-http://www.govexec.com/cyber_insider/

[Editor's Note (Paller): The Government Executive magazine folks just told me that they have an absolute capacity of 200 seats, and that 158 are already spoken for. So register quickly if you are going to be in DC and have the qualifying job level. ]
Spyware Variant Targets Macs (June 1, 2010)
Spyware that targets Mac users has been detected on three widely-used download sites. The OSX/OpinionSpy software spreads through the Softpedia, MacUpdate and VersionTracker sites. OpinionSpy scans hard drives for information and injects code into certain applications that allows it to search for email addresses, message headers and other information. The spyware downloads during the installation process of certain applications and screensavers the users download from those sites. OpinionSpy is a variant of spyware that has been infecting Windows machines since 2008. The spyware asks for the users' administrative passwords, claiming the software that will be installed will collect browsing and online shopping history. Instead, OpinionSpy installs and "runs as root ... with full rights to access and change any file on the infected ... computer."
-http://www.theregister.co.uk/2010/06/01/mac_spyware/
-http://voices.washingtonpost.com/fasterforward/2010/06/mac_spyware_alert_is_nothing_n.html
-http://www.pcworld.com/businesscenter/article/197696/security_firm_discovers_spyware_in_mac_software.html

[Editor's Note (Pescatore): While there is *less* Mac malware around than PC malware, there is plenty around. The new calculus of targeted attacks means using a low market share product gains you *no* security through obscurity - if you are using Macs or Linux or whatever, when someone targets you they go after the numerous vulnerabilities in those platforms - or in reality, the vulnerabilities of your users. ]
Microsoft to Release 10 Security Bulletins on June 8 (June 3, 2010)
Cyber Attacks a Top Risk for US Power Grid (June 2, 2010)
According to a report from the North American Electric Reliability Corp. (NERC), the three top threats to the US power grid are cyber attacks, pandemics and electromagnetic disturbances. The report, "High-Impact, Low-Frequency Risk to the North American Bulk Power System," recommends that power grid providers and the government be better coordinated. A coordinated cyber attack in concert with a physical attack is the top concern. NERC president and CEO Gerry Cauley said there has been "suspicious activity around control systems."
-http://www.csoonline.com/article/595729/Cyberattacks_Top_threat_to_U.S._power_grid?source=CSONLE_nlt_update_2010-06-03

[Editor's Note (Pescatore): A good deal of overhype here. The effort focused solely on those 3 threats, so it was guaranteed they'd be the top 3! There wasn't a cyber-attack category; it was coordinated physical/cyber attack. This is why the most frequent, high impact risk wasn't discussed - lack of maintenance of the physical plant has almost invariably been the cause of major outages for the past several years.
(Northcutt): Let's all make sure we keep this in perspective. Cyber attacks are possible and if we put in a smart grid without redundant security controls, inevitable. However, in a year where an unpronounceable volcano shut down air traffic and an oil well spill looks like it will devastate the Caribbean, we would be wisest to put electromagnetic disturbances at the top of the list and far and above the other two threats. One potential issue is the sun "acting out", but if a terrorist organization is able to acquire a nuclear weapon and set off an air burst, that would also cause the power infrastructure to go topsy turvy. However, our risk could be greatly reduced if we just segmented our power grid a bit more. I just put in solar and the inspectors would not approve me (without jumping through even more hoops) going off the grid. Get this, if there is a power outage, they want my system to shut down too. The reason they give is to keep my system from electrocuting power line workers. I am all for that, but we have not one, but two, disconnect switch points in the system, yet to get my permits, I had to agree to be part of their grid, under their control. ]
Home Windows Machine Proves Detrimental to Bank Account (June 2, 2010)
A businessman learned the hard way that using his home Windows computer to authorize a transfer from his company's bank account was a bad idea. David Green always used his Mac laptop to access the account, but in late April, he found himself sick at home without the computer, so he decided to authorize a necessary transfer from his home computer, which had apparently been infected with a password-stealing Trojan horse program. Within days of the home-authorized transaction, Green found that cyber thieves had drained the account of nearly US $100,000. Just US $22,000 of the US $98,000 stolen has been recovered. Green's company now has a strict online bank account access policy in place; transfer authorizations can now be made only from Green's Mac.
-http://krebsonsecurity.com/2010/06/using-windows-for-a-day-cost-mac-user-100000/

[Editor's Note (Schultz): This sorry episode provides excellent material for security training and awareness programs.
(Honan): Before everyone runs out to change their banking PCs from Windows to Macs remember that more and more malware is targeting the Mac platform (see the piece on that story elsewhere in this NewsBites.) A better approach would be to ensure that you conduct sensitive online business only from a secure computer, regardless of the operating system it is using. ]
Active Exploits Detected for Flaw in Windows 2000 (June 2, 2010)
The Federal Trade Commission (FTC) and CyberSpy software have reached a settlement regarding the company's RemoteSpy product. In 2008, the FTC sued CyberSpy for selling RemoteSpy as a completely undetectable keystroke logger. The settlement allows CyberSpy to keep selling the product, but the company must not provide instructions for installing the software surreptitiously on others' computers. The software must notify users when it is going to install and obtain their consent. The company must also inform users that abuse of the software may constitute violation of state or federal law. The company was also ordered to remove legacy versions of the software from machines on which it has already been installed. The software is now being touted as a tool to keep track of what happens on one's own computer.
-http://www.computerworld.com/s/article/9177620/FTC_cracks_down_on_spyware_seller?taxonomyId=17
-http://www.pogowasright.org/?p=10780
-http://www.ftc.gov/opa/2010/06/cyberspy.shtm
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/