TOP OF THE NEWS
Germany Has Top Secret Cyberwarfare Unit (June 5, 2012)
A German parliamentary document reveals that the country's military has an operational top secret cyberwarfare unit. The document provided no details about the unit's size, location, or its capabilities beyond noting that "the initial capacity to operate in hostile networks has been achieved." The unit was established in 2006. Legislators were surprised by the revelation, and some questioned whether the military had the authority to launch cyberattacks without first obtaining parliamentary clearance. -http://www.stripes.com/news/germany-confirms-existence-of-operational-cyberwarfare-unit-1.179655 [Editor's Comment (Northcutt): Well it is not a secret anymore! There is a bit more info from a Slashdot post: -http://yro.slashdot.org/story/12/06/07/1524221/germany-readying-offensive-cyberwarfare-unit-parliament-told (Honan): The German legislators are correct to raise their concerns. In the real world a civilised country's military forces are controlled by many legislative safeguards to prevent rogue military actions. The rules should equally apply to cyber space. (Murray): The world military seems bent on killing the goose that lays the golden eggs. This is not their space to contaminate and it is high time that the "civil authority" said so. (Paller): Bill Murray's suggestion seems about as feasible as asking the commercial world to stop using the Internet because "it wasn't created for them and they pollute the Internet with commercialism." (Ullrich): Rule of thumb: if a nation has an air force, they probably have some kind of cyberwarfare unit as well (offensive and defensive).]
Pentagon Contractors Posting Jobs for Black Hat Hackers (June 15, 2012)
DHS to Present Standards for Finding and Fixing Vulnerabilities In Cloud Providers Within 72 Hours (June 14, 2012)
Later this month, the US Department of Homeland Security (DHS) will provide federal computer contractors and cloud services companies with standards for detecting and mitigating vulnerabilities within 72 hours. The standards aim to add an ingredient that was missing from the practice of automated continuous monitoring; merely knowing about the vulnerabilities does not improve network security. The standards will be part of the FedRAMP certification process for contractors and cloud providers. The practice could eventually be required of government agencies. -http://www.nextgov.com/cloud-computing/2012/06/policy-would-require-agencies-patch-cybersecurity-holes-within-72-hours-discovery/56271/ [Editor's Note (Murray): Fixing things in the order of their discovery, rather than in the order of their importance, is never efficient and only rarely effective. (Paller): Bill Murray is correct; the article created a misperception. I was in attendance. What DHS Deputy Undersecretary Weatherford said was that security in systems offered by approved cloud service providers will be measured every 72 hours and mitigation will be as important as monitoring. Since John Streufert (who moved to DHS from the Department of State) is running the program, his approach is likely to be used. It is an elegant system that ensures the most important problems are fixed first and makes the operations people partners with the security people. It caused rapid and prolonged risk mitigation in 220,000 systems in 24 time zones and enabled unparalleled speed in responding to new threats.]
Apple's Java Update Released the Same Day as Oracle's Java Updates (June 13 & 14, 2012)
THE REST OF THE WEEK'S NEWS
US Grand Jury Indicts UK Man on Hacking Charges (June 13 & 14, 2012)
Retired Judge Will Work to Get Megaupload Users Access to Their Files (June 13, 2012)
A retired New York federal judge is donating his legal expertise and services to help Megaupload users regain access to their legitimately owned content. The files were rendered inaccessible when the US government shut down the file sharing site and seized associated domain names. The US Department of Justice said that the government is not obligated to help users access their files. Retired federal judge Abraham David Sofaer, who is also a former US State Department legal adviser, said the situation illustrates "how [the government is] failing to apply traditional standards in the new context." Sofaer has joined the Electronic Frontier Foundation (EFF) in pushing for a US federal court to set up a system that allows Megaupload customers to get their legitimate content back. -http://www.wired.com/threatlevel/2012/06/retired-judge-megaupload/
Microsoft Patches 27 Vulnerabilities (June 13, 2012)
UK Street View Investigation Reopened (June 12, 2012)
The UK Information Commissioner's Office (ICO) has reopened its investigation into Google's Street View data collection. Google vehicles gathering images and data for its Street View feature on Google Maps were also found to be gathering personal information from unsecured wireless networks. In a letter to a Google executive, the ICO's head of enforcement has asked for answers to several questions about why the company was able to collect the extra information. A recent finding from the UK Federal Communications Commission (FCC) said that the data were "likely [to have been] deliberately captured." The letter says that the ICO now believes that Google's earlier statements that the data were collected in error were misleading and asks when Google executives became aware that the software would gather extra data. -http://www.v3.co.uk/v3-uk/news/2183839/ico-reopens-google-street-view-investigation-fcc-revelations -http://www.theregister.co.uk/2012/06/12/google_investigated_by_ico_over_street_view_again/
Facebook Must Reveal IP Addresses of Users Who Harassed British Woman (June 11 & 12, 2012)
A judge in Britain has granted a court order that compels Facebook to reveal the identity of users who harassed a woman on the social networking site. British Justice Secretary Ken Clarke said that "it will be very important to ensure that these measures do not inadvertently expose genuine whistleblowers." Facebook will provide the IP addresses of the users who posted the defamatory content; the associated names will be obtained through Internet service providers. Once the woman has the information, she can file a private lawsuit against the individuals. -http://www.bbc.co.uk/news/technology-18404621 -http://www.informationweek.com/news/security/client/240001792
Man Charged in Credit Card Theft (June 11 & 12, 2012)
A Dutch man appeared in federal court in Seattle earlier this week for allegedly breaking into computers and stealing at least 44,000 credit card numbers. David Benjamin Schrooten entered a plea of not guilty to a 14-count indictment that includes charges of access device fraud, bank fraud, and aggravated identity theft. Schrooten was arrested in Romania in March and arrived in Seattle on June 9. The 44,000 credit card numbers are believed to have come from one site and may be "just the tip of the iceberg." Another man, Christopher A. Schroebel, was arrested in the US in connection with the attacks in November 2011. He pleaded guilty and will be sentenced in August. Schroebel allegedly placed malware in computerized sales systems at dozens of businesses. -http://www.informationweek.com/news/security/attacks/240001930 -http://news.cnet.com/8301-1009_3-57450977-83/theft-of-44k-credit-cards-is-tip-of-the-iceberg-police-say/
The 2012 National Cybersecurity Innovation Awards
The 2012 National Cybersecurity Innovation Awards will recognize 12 more innovations than last year's program and will reach out even further into the cybersecurity community. Executives from 40 major companies will help identify innovators, whose achievements will then be reviewed by a prestigious and trusted panel of judges who know what actually works. In all, there will be 25 awards for proven innovation and 10 more awards for promising innovations. The winners will be featured at a special plenary session at the National Cybersecurity Conference in October 2012. By presenting their innovations and lessons learned along the way, these award-winning professionals will help others follow in their footsteps. Substantial web and press coverage will serve to disseminate their innovations as widely as possible. View the 2011 award winners at -https://www.sans.org/press/2011-national-cybersecurity-innovation-awards.php
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/