************************ SPONSORED BY SANS ****************************
New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert, Tanya Baccam. Paper: http://www.sans.org/info/104324
**************************************************************************
TRAINING UPDATE
- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses. http://www.sans.org/appsec-2012/
- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012. http://www.sans.org/cyber-guardian-2012/
- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux. http://www.sans.org/security-west-2012/
- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats. http://www.sans.org/toronto-2012/
- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised? http://www.sans.org/rocky-mountain-2012/
- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses. http://www.sans.org/forensics-incident-response-summit-2012/
- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis. http://www.sans.org/canberra-2012/
- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years. http://www.sans.org/ipv6-summit-2012/
- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure? http://www.sans.org/sansfire-2012/
- --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies. http://www.sans.org/vulnerability-summit-2012/
- --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems. http://www.sans.org/scada-sec-training-2012/
Plus Johannesburg, Atlanta, Brisbane, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************
TOP OF THE NEWS
Number of Conficker Infections Increased in 2011 (April 26, 2012)
As Deadline Approaches, Efforts to Clean Machines of DNS Changer Increase (April 24 & 25, 2012)
The FBI and the ad hoc DNSChanger Working Group are stepping up efforts to inform users that their machines may still be infected with the DNSChanger malware. At its height, the malware had infected four million machines. The malware redirected users' computers to web sites crafted specifically for the purpose of fraud. It also disabled antivirus software on infected machines. As suggested by its name, DNSChanger changed the DNS server settings on infected machines, redirecting them to sites under the hackers' control. The operation was busted last fall, and at that time, the FBI obtained a court order allowing the Internet Systems Consortium to run alternate DNS servers in the place of those the criminal group had set up. Infected machines were then communicating with the new servers and appeared to be accessing the Internet as usual. When the order expires, the servers will be taken offline and people whose computers remain infected will not be able to access the Internet. Initially, that court order expired in March, but the FBI was granted an extension through July 9. The efforts to clean up the remaining infected machines include expanded news coverage and the availability of resources to help detect the malware and remove it from infected machines.
-http://news.cnet.com/8301-1009_3-57421311-83/renewed-efforts-to-revert-dnschanger-in-effect/
-http://gcn.com/articles/2012/04/24/dnschanger-fbi-working-group-new-campaign.aspx
[Editor's Note (Murray): We can count them but not identify them? We can clean up DNSChanger but not Conficker? Is the difference a judge? A corrupt machine is a corrupt machine. ]
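The story above turns on one mechanism: the malware rewrote a host's DNS resolver settings so that lookups went to servers the criminals controlled, which is also why infected machines will lose name resolution once the court-ordered replacement servers go offline. The added example below (not from the newsletter, the FBI or the DNSChanger Working Group) shows the kind of check an administrator or help desk can run to spot that condition: it parses resolv.conf-style text and flags any resolver that is not in the organisation's expected set. The sample configuration, the expected-resolver list and the "known rogue" network are constructed placeholders (TEST-NET ranges), not the real DNSChanger address ranges, which the working group publishes separately.

```python
import ipaddress

# Constructed sample of a resolv.conf-style file, not captured from a real host.
# The second nameserver is deliberately outside the organisation's resolver set.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.77
options timeout:2
"""

# Resolvers the organisation actually operates (placeholder values, an assumption).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Networks to treat as known-bad. Placeholder only (TEST-NET-1): the real
# DNSChanger rogue ranges are published by the working group, not reproduced here.
KNOWN_ROGUE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_nameservers(text):
    """Return the nameserver addresses declared in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address: skip it here, log it in production
    return servers


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS, rogue=KNOWN_ROGUE_NETWORKS):
    """Label each resolver 'expected', 'known-rogue' or 'unexpected'."""
    results = {}
    for ip in servers:
        if str(ip) in expected:
            results[str(ip)] = "expected"
        elif any(ip in net for net in rogue):
            results[str(ip)] = "known-rogue"
        else:
            results[str(ip)] = "unexpected"
    return results


def resolver_check(text=SAMPLE_RESOLV_CONF):
    """Return (findings, ok); ok is True only if at least one resolver is
    configured and every configured resolver is in the expected set."""
    findings = classify_resolvers(parse_nameservers(text))
    ok = bool(findings) and all(v == "expected" for v in findings.values())
    return findings, ok


if __name__ == "__main__":
    findings, ok = resolver_check()
    for ip, verdict in findings.items():
        print(f"{ip:15} {verdict}")
    print("OK" if ok else "REVIEW: resolver settings deviate from the expected set")
```

On a real host you would feed `resolver_check()` the contents of /etc/resolv.conf (or the equivalent interface settings on Windows) and treat anything other than "expected" as a reason to look at the machine, regardless of whether the address matches a published rogue range: the allowlist catches tampering the denylist has not heard of yet.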
House Passes CISPA Despite Threat of Veto (April 25 & 26, 2012)
*************************** Sponsored Links: *************************
1) Sorting Through the Noise: SANS 8th Log and Event Management Survey, part I http://www.sans.org/info/104329 Tuesday May 1, 1 PM EDT
2) Learning from Logs: SANS 8th Log and Event Management Survey, part II http://www.sans.org/info/104334 Thursday, May 3, 1 PM EDT
************************************************************************
THE REST OF THE WEEK'S NEWS
UK's Anti-Piracy Legislation Delayed at Least Two Years (April 26, 2012)
DOD Set to Expand Cyber Threat Information Sharing Program (April 25, 2012)
The success of the US Department of Defense's (DOD) cyber threat information sharing pilot program has prompted the DOD to make plans to expand the program and make it permanent. The defense industrial base (DIB) pilot program would then expand from the original 37 participating entities to approximately 200 firms. The proposal to expand the program and make it permanent is awaiting approval from the Office of Management and Budget (OMB). The program was started two years ago when it became apparent that foreign attackers were targeting firms in the US defense industrial base to steal information. The information sharing runs both ways: the companies share threat information with the government agencies, and the agencies share it with the participating members of private industry.
-http://www.federalnewsradio.com/?nid=411&sid=2840342
[Editor's Note (Honan): The article from FederalNewsRadio.com is worth the time taken to read it as it offers some interesting insights behind the headlines we see. For example "most incidents that are characterized as "attacks" are more aptly described as probes, intelligence gathering or espionage" is among some of the more sensible commentary on the issues surrounding cyber security. ]
Backdoor Found in Industrial Control Systems (April 25, 2012)
[Editor's Note (Murray): We are already having a hard enough time identifying and eliminating the vulnerabilities in this space; we did not need this. I remember when a plenary session of the National Computer Security Conference was told that they would never be professionals unless and until they stopped paying rogues for after dinner confessions. Programmers will never be software "engineers" until they are willing to "stand under the bridge while the army marches across." There must be someone between the brand and the code to accept accountability for the product. ]
Majority of Fines for Data Breaches in UK Fall to Public Sector (April 25, 2012)
Although more than a third of the data security breaches reported in the UK in a recent 11 month period occurred in the private sector, the fines imposed on those firms are significantly lower than those imposed on public sector organizations. Between March 2011 and February 2012, there were five fines imposed on public sector entities, totaling GBP 790,000 (US $1.28 million), while there was just one fine imposed on a private sector organization, for GBP 1,000 (US $1,619). According to the Information Commissioner's Office, fines may be imposed only if certain conditions are met.
-http://www.bbc.co.uk/news/technology-17843371
-http://www.scmagazineuk.com/ico-has-issued-only-one-1000-fine-to-the-private-sector/article/238148/
[Editor's Note (Murray): Without counting, I would suggest that here the major fines are paid by hospitals. Not all malware is the same but a corrupt machine is a corrupt machine. (Honan): A striking aspect of the breaches reported is the number that are caused by human error. Of the 730 incidents reported, 281 were due to emails or documents sent to the wrong people, while another 108 incidents were the result of lost equipment and 17 due to incorrect disposal. That means 55% of incidents were self-inflicted breaches, while only 170, or 23%, of the incidents reported were due to theft of data or hardware. A good reminder that we need to focus on better security awareness training for users and controls to compensate for when users make mistakes or break policy. ]
eMail Gaffe Sent Termination Notice to All Employees (April 23, 2012)
An email slip-up sent job termination notices to more than 1,300 employees of a London-based investment firm. Aviva Investors has offices throughout Europe and in Canada and the US. The message was supposed to have been sent to just one person. A message correcting the error was sent out soon after. Aviva announced in January that it planned to cut approximately 160 jobs worldwide as a part of its restructuring efforts.
-http://www.ibtimes.com/articles/332138/20120423/aviva-investors-accidentally-fires-company-email-text.htm
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC