********************** SPONSORED BY Tripwire, Inc. **********************
Analyst webcast! SANS 20 Critical Security Controls and Federal Systems featuring G. Mark Hardy, Thursday, April 19, 1 PM EDT. http://www.sans.org/info/103319
**************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012. http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses. http://www.sans.org/appsec-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux. http://www.sans.org/security-west-2012/
--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats. http://www.sans.org/toronto-2012/
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised? http://www.sans.org/rocky-mountain-2012/
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses. http://www.sans.org/forensics-incident-response-summit-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years. http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure? http://www.sans.org/sansfire-2012/
--Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies. http://www.sans.org/vulnerability-summit-2012/
--SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems. http://www.sans.org/scada-sec-training-2012/
Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************
TOP OF THE NEWS
US Army Running Short on Qualified IT Security Staff; Lowering Standards (April 10, 2012)
The US Army is finding itself without enough qualified IT security staff to fill available positions. Defense Department (DOD) Directive 8570.01-M spells out the training and certifications that military personnel and contractors must have to be considered for positions in which they operate DOD information systems. The Army is changing its guidelines so that fewer employees will be required to have the training and certifications. Those with the necessary credentials will have greater network access and likely higher pay.
-http://www.computerworld.com/s/article/9226053/US_Army_Military_finds_IT_security_certification_difficulties?taxonomyId=17
[Editor's Comment (Northcutt): First, this article appears to be based on a single source; always dangerous journalism. Second, the US Army is always running short on something, but when you look at the details, you always find the Army is very, very big. So while they may feel they are running short, they are still the largest consumer on planet earth. Finally, this article is very simplistic; the Army has an entire certification schoolhouse/factory operation. Suggest that we encourage Computerworld reporter Mesmer to do a bit of digging.]
FBI Concerned About Smart Meter Hacking (April 9, 2012)
According to an FBI cyber bulletin, an unnamed utility company in Puerto Rico was the target of attacks against smart meters, costing the company hundreds of millions of dollars. This appears to be the first report of such attacks, and the FBI expects that similar attacks will become more common as smart grid technology is more widely adopted. The FBI believes that former employees of the meter manufacturer reprogrammed meters for between US $300 and US $3,000 so that the associated buildings appeared to be consuming less power than they actually used. Most meters are read remotely, making fraud detection difficult. The alterations require physical access.
-http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/
Howard Schmidt: Energy Companies Need to Monitor Security Issues (April 11 & 12, 2012)
White House Cybersecurity official Howard Schmidt says that the country's utilities need to actively and continuously identify security risks in their systems. The administration, along with the Departments of Energy and Homeland Security, plans to run a pilot program in which power companies voluntarily share information about their security postures and pinpoint where best to focus attention on improving security. Schmidt also noted that smart meters are becoming targets for hackers.
-http://www.executivegov.com/2012/04/howard-schmidt-energy-companies-need-continuous-monitoring-practices/
-http://www.nextgov.com/nextgov/ng_20120411_4285.php?oref=topstory
[Editor's Note (Murray): The power grid is a special case. While it is a small part of SCADA, it is fundamentally fragile. We have not even identified the scope of the exposure and only speculate about the threat. However, the potential consequences are so high that it constitutes a risk, one that we need not and should not tolerate.]
*************************** Sponsored Links: *************************
1) Is Your Encryption Solution A Nightmare? Do you have Tales of Encryption? Wake up to a new Reality with WinMagic. Join us for our live broadcast on Wed, Apr 18, 2012 1:00 PM - 2:00 PM EDT to learn how WinMagic SecureDoc can dispel encryption myths and secure your data. Register Today http://www.sans.org/info/103324
2) Read this new whitepaper, Privileged Password Sharing: "root" of All Evil, from Quest Software to learn how to effectively manage privileged accounts. http://www.sans.org/info/103329
3) Webinar: OpenID Connect-How it Can Work for You Link: http://www.sans.org/info/103334
************************************************************************
THE REST OF THE WEEK'S NEWS
Apple Steps Up Account Security (April 12, 2012)
Apple has tightened account security to protect users from having their App Store accounts hijacked. The changes were made on April 11 and include choosing three security questions that users will have to answer correctly before being permitted to download apps from the App Store. Users are also being asked to supply a backup email address. Users have expressed frustration that Apple did not let them know ahead of time that the new measures were going to be put in place.
-http://news.cnet.com/8301-1009_3-57413072-83/apple-ratchets-up-app-store-security/
Oracle's Quarterly Critical Patch Update Set for April 17 (April 12, 2012)
Court Publishes Opinion in Goldman Sachs Source Code Download Case (April 11, 2012)
The 2nd US Circuit Court of Appeals has published its opinion in the case regarding Sergey Aleynikov, who was released from prison in February after the court reversed his December 2010 conviction for source code theft from his former employer. The ruling states that the high-frequency trading system source code Aleynikov downloaded from Goldman Sachs before leaving the company in 2009 does not satisfy the definition of being a physical object, and because Aleynikov did not "assume physical control" over any object when he took the code, he did not violate the National Stolen Property Act. The court also said that Aleynikov is not guilty of violating the Economic Espionage Act because the source code was not made for interstate or foreign commerce, which is a requirement of being charged under that law. With regard to the NSPA, the court wrote, "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age."
-http://arstechnica.com/tech-policy/news/2012/04/a-federal-appeals-court-has-2.ars
-http://news.cnet.com/8301-1009_3-57412779-83/code-cant-be-stolen-under-federal-law-court-rules/
-http://www.wired.com/threatlevel/2012/04/code-not-physical-property/
Apple Delivers Flashback Removal Tool (April 11, 2012)
Retailers Using Return and Exchange Tracking Service (April 9, 2012)
Retail stores in the US are starting to use a service that tracks consumers' product return histories. A man who brought a defective Blu-ray disc back to a BestBuy store in Connecticut was asked for his driver's license before the disc was accepted. He was told that the store would not be able to authorize any returns or exchanges for 90 days following the activity, regardless of whether or not he had a valid receipt. The service is provided by a California-based company called The Retail Equation that tracks consumers' return and exchange activity. The Retail Equation says that its software identifies the roughly 1 percent of consumers who routinely commit return fraud or abuse. The Connecticut man had returned or exchanged several items earlier in the year, each with a valid receipt, apparently enough activity for the software to flag him.
-http://www.courant.com/business/custom/consumer/hc-bottom-line-best-buy-returns-20120409,0,5063368.column
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC