If your child attends a math/science magnet high school, and/or a high
school with a good computer science program, that school could be
eligible to be included in a national talent development program to find
the next generation of cybersecurity professionals, and you can help get
them connected. Significant scholarship money is available. Email
firstname.lastname@example.org (subject: High school talent program) with your city and
state and the school name, and I'll send you the relevant information.
Applies to US only right now.
*************************************************************************
SANS NewsBites                January 10, 2012                Volume: XIV, Issue: 3
*************************************************************************

************************** SPONSORED BY SANS ***************************
SANS 8th Annual Log and Event Management Survey is Under Way
Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts. Follow this link to the survey: http://www.sans.org/info/96561
- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security. http://www.sans.org/security-east-2012/
- --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012 http://www.sans.org/north-american-scada-2012/
- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo. http://www.sans.org/monterey-2012/
- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker. http://www.sans.org/phoenix-2012/
- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ... http://www.sans.org/singapore-2012/
- --SANS 2012, Orlando, FL March 23-30, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware. http://www.sans.org/sans-2012/
FedRAMP Cloud Security Specifications Released (January 9, 2012)
The US government has released a list of more than 150 security controls that must be in place for government agencies and cloud service vendors to comply with the Federal Risk and Authorization Management Program (FedRAMP), which takes effect in June 2012. The General Services Administration (GSA) is expected to release instructions for the compliance auditing process by February 8.
-http://www.nextgov.com/site_services/print_article.php?StoryID=ng_20120109_2589
-http://www.govinfosecurity.com/articles.php?art_id=4391
[Editor's Note (Paller): FedRAMP is the most perfect example of "grasping defeat from the jaws of victory" that I have witnessed in federal cybersecurity. Had the authors not been fully briefed on what was wrong with FedRAMP, in the White House conference center, their errors might be excused. Since they were fully aware of the opportunity they had and what was at stake, their failure is inexcusable.]
US Expels Venezuelan Diplomat Over Alleged Cyber Attack Conversations (January 9, 2012)
************************** SPONSORED LINK ****************************
1) What devices are accessing what resources and by whom? Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012! Follow this link to the survey: http://www.sans.org/info/96566
2) Do not miss the FIRST Internet Storm Center Update for 2012 tomorrow! Register at http://www.sans.org/info/96571
************************************************************************
THE REST OF THE WEEK'S NEWS
FTC Settles Data Privacy Charges Against Membership Reward College Saving Company (January 5 & 9, 2012)
The US Federal Trade Commission has settled charges against Upromise, a company that helps students save money for college. Upromise asked customers to download a toolbar that would help them locate merchants participating in its rebate program. Users were told that by enabling the "Personalized Offers" portion of the toolbar, they would receive offers tailored to their needs. The data that Upromise collected through that feature were transmitted in unencrypted form, despite a company statement that it would encrypt all confidential data in transmission. The terms of the settlement require Upromise to erase all customer data gathered through the Personalized Offers portion of the toolbar that it currently holds and to contact all users who enabled that feature to inform them of the data security issue. Upromise must also clearly disclose its data collection practices.
-http://www.scmagazine.com/ftc-settles-with-rewards-company-over-security-infractions/article/222391/
-http://ftc.gov/opa/2012/01/upromise.shtm
[Editor's Note (Pescatore): The lack of "clearly disclosing ... data collection practices" is just as serious an issue as not encrypting the collected data. Under the guise of "personalization" they collected usernames, passwords, credit card numbers, social security numbers - anything the user entered in any web site. The tradeoff of getting free Internet-based services in return for some personal information is well understood - but only if the consumer is provided clear and accurate information about how personal "personal" will get.]
Google Updates Chrome 16, Enhances Download Warnings in Chrome 17 Beta (January 9, 2012)
Google has updated Chrome 16 and improved download warnings in the beta version of Chrome 17. The Chrome 16 update addresses three high-risk vulnerabilities. The first beta of Chrome 17 expands the browser's executable file analysis to help keep users from accepting downloads that appear to be dangerous. Chrome has included download warnings since version 12; Google engineer Dominic Hamon said the company plans to keep expanding the types of files the anti-malware warnings cover. If Google keeps pace with previous Chrome releases, the stable version of Chrome 17 should be available at the end of this month.
-http://www.computerworld.com/s/article/9223260/Google_patches_Chrome_beefs_up_malicious_file_blocking_tech?taxonomyId=17
Man Arrested in US $1.5 Million Skimming Case (January 6 & 9, 2012)
Mobile Device Ownership Raises Sticky Legal Questions (January 6, 2012)
Most companies are now permitting employees to use their own mobile devices for work purposes instead of requiring that they use work-issued devices. The BYOD (bring your own device) practice allows personal and professional data to mingle on the same device, raising legal issues surrounding data protection. There is no body of laws or legal precedents regarding who should legally own the devices used for work purposes and who owns the data that are created and used on the devices. Companies have, on their own, devised strategies to address these issues. The three main approaches that have emerged are shared management, in which employees who access business data from their devices give their employers the right to manage, lock down, or even wipe clean the devices; corporate ownership and provisioning, in which the employer purchases and retains ownership of the device, and may or may not allow its personal use as well; and legal transfer, in which the employer purchases the device from the employee. Often this last approach involves a nominal price, allows employees to use the devices for personal communications, and then allows them to buy the devices back for the same price when they leave the organization. The issue is different in Europe, where privacy rights allow employees to choose not to permit their employers to access their personal information. Mathias Thurman, the pseudonymous author of Computerworld's Security Manager's Journal, writes that BYOD is a good idea, because if it's acknowledged as something that's okay in a work environment, then organizations can begin to establish guidelines to bolster network security, such as securely deployed virtual desktop infrastructure. 
-http://www.infoworld.com/t/byod/lost-in-byods-uncharted-legal-waters-180793
-http://www.computerworld.com/s/article/9223224/Security_Manager_s_Journal_BYOD_Planning_Gets_a_Boost?taxonomyId=15
-http://www.scmagazineuk.com/three-steps-to-ensuring-byod-doesnt-lead-to-byot-bring-your-own-threat/article/222272/
[Editor's Note (Pescatore): Companies definitely need policies to define this area, and many companies have developed policies. But the reality is that "BYOD" has been in use at most companies for years now - ever since Outlook Web Access and SSL VPNs began to be widely used, allowing employees to read company email on home PCs and other personally owned devices. There are technologies like Network Access Control and Mobile Device Management that provide visibility into whether unmanaged devices are in use and what risks are present, and support limiting access based on those factors. The real issue here is more the fact that the future of endpoints is consumer-driven and heterogeneous, with rapid turnover of devices - it will no longer just be Windows PCs at work and Windows PC access from home. That breaks the way IT is used to managing and securing user access - new approaches are needed.
Guest Editor Comment (Ben Wright): One size does not fit all. For any enterprise the right BYOD policy must consider risk, cost, corporate culture and employee cooperation. If a policy is impractical, executives can be the worst about violating it. Eventually, technical solutions can help. They might include installing two operating systems on a device (one for work and one for personal) or storing all work data in the cloud.
(Murray): Focus on the data, not the technology. Prefer controls that are close to where the data is stored, not where it is used. Prefer controls that resist gratuitous copies.]
Stuxnet is a Product of New Malware Development and Delivery Model (January 6, 2012)
Researchers from two antivirus companies say that Stuxnet is the product of an operation aimed at creating custom malware for very specific targets. At least seven launcher files have been built on a common software platform. Launcher files have the task of injecting malware into computers; they carry with them all the other components needed for a successful deployment, including payload files and encryption keys. Two of the seven launcher files are associated with Stuxnet and another two with Duqu. The remaining three do not appear to be associated with either, leading to speculation that other destructive and as-yet undetected malware built on the same platform exists in the wild. The discovery of a common platform marks a watershed in the evolution of malware: a technique that allows more efficient development of cyber weapons.
-http://www.csmonitor.com/USA/2012/0106/Stuxnet-cyberweapon-looks-to-be-one-on-a-production-line-researchers-say
Ballot Scanning Machines Found to Have A Laundry List of Security Problems (January 6, 2012)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/