******************* SPONSORED BY Palo Alto Networks **********************
Download Free Modern Malware for Dummies eBook and learn how to stop the most dangerous threats facing your network. This book provides an in-depth analysis of how modern malware works and outlines the specific actions and technologies needed in order to regain control over today's malware. http://www.sans.org/info/108439
****************************************************************************
TRAINING UPDATE
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012 Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses. http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis. http://www.sans.org/canberra-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years. http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more. http://www.sans.org/sansfire-2012/
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception. http://www.sans.org/san-francisco-2012/
--SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge. http://www.sans.org/boston-2012/
Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************************
TOP OF THE NEWS
Whitelisting More Effective Than Anti Virus, Says AV Maker McAfee (June 21, 2012)
[Editor's Note (Paller): These findings are identical to the groundbreaking findings of the Australian Defence Signals Directorate that showed whitelisting to be critical to protecting against targeted intrusions (APT) while anti-virus had much less to offer. See: -http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf . Though the PNNL/McAfee findings would claim to apply to industrial control systems, they are just as important in general systems in any organization subject to theft of valuable military or civilian intellectual property and/or financial data. ]
XML Vulnerability Being Actively Exploited (June 20 & 21, 2012)
The Transportation Security Administration (TSA) is seeking software that it can use to snoop on its employees. Specifically, TSA wants to be able to detect insider threats. It is looking for technology capable of monitoring and logging keystrokes, chat activity, email, attachments, websites, network activity, files transferred, and documents. It must be able to perform these functions without revealing itself to the employees being monitored. -http://www.nextgov.com/cio-briefing/2012/06/tsa-wants-spyware-screen-employees-digital-activities-leaks/56393/?oref=ng-HPtopstory -https://www.fbo.gov/?s=opportunity&mode=form&id=6b790f932382cb2aa5b5c7249820ac72&tab=core&_cview=0 [Editor's Comment (Northcutt): This type of capability has existed for over twenty years. The CIA pioneered the concept; the IRS followed with a home-grown insider misuse detection system. DOD funded Silent Runner, originally through the SBIR program. Misuse detection is built into most electronic health care record systems. Plenty of solutions are available. The bigger problem is similar to the principal problem with data leakage protection solutions; they generate so much information that effective analysis becomes infeasible. ]
Japanese Researchers Develop Real-Time Monitoring System (June 20, 2012)
Researchers at Japan's National Institute of Information and Communications Technology (NICT) have developed a real-time monitoring and alert system they call DAEDALUS (Direct Alert Environment for Darknet and Livenet Unified Security). DAEDALUS works by monitoring unused IP addresses, which it calls the darknet; it alerts security teams when active IP addresses within their organizations (the livenet) attempt to send packets to an IP address in the darknet. Because legitimate hosts have no reason to talk to unallocated addresses, such traffic is a strong indicator of scanning or worm propagation from a compromised internal host. -http://www.theregister.co.uk/2012/06/20/daedalus_nict_cyber_alert_system/
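The detection idea described above, as an added example: this is not NICT's DAEDALUS code, only an illustration of the same logic written for this page. It assumes a constructed organizational address space (10.0.0.0/16), a constructed list of allocated livenet subnets, and a constructed set of flow records in a simple "src dst proto dport" format; any owned address that is not in the livenet is treated as darknet. The min_targets threshold is an added design choice: a single darknet contact is often a stale DNS entry or a typo, while a host touching several unallocated addresses looks like a scan.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the address space the organization owns.
OWNED_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed example: subnets and hosts actually allocated (the "livenet").
# Every owned address outside these ranges is unused and therefore "darknet".
LIVENET = [ipaddress.ip_network(p) for p in ("10.0.1.0/24", "10.0.2.0/24", "10.0.10.5/32")]

# Constructed flow records (not real traffic): "src dst proto dport".
SAMPLE_FLOWS = """\
10.0.1.25 10.0.2.10 tcp 445
10.0.1.25 10.0.7.14 tcp 445
10.0.1.25 10.0.7.15 tcp 445
10.0.1.25 10.0.7.16 tcp 445
10.0.2.10 93.184.216.34 tcp 443
10.0.10.5 10.0.2.10 tcp 22
10.0.1.40 10.0.200.1 udp 53
"""


def is_owned(addr):
    return any(addr in net for net in OWNED_PREFIXES)


def is_live(addr):
    return any(addr in net for net in LIVENET)


def is_darknet(addr):
    # Darknet = owned by us but not allocated to anything.
    return is_owned(addr) and not is_live(addr)


def classify(addr_str):
    """Label an address as 'external', 'livenet' or 'darknet'."""
    addr = ipaddress.ip_address(addr_str)
    if not is_owned(addr):
        return "external"
    return "livenet" if is_live(addr) else "darknet"


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the constructed flow format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def darknet_alerts(text, min_targets=3):
    """Return {src: [darknet dsts]} for livenet hosts that contacted at least
    min_targets distinct darknet addresses. Traffic to external addresses is
    ignored: only our own unused space counts as darknet."""
    hits = defaultdict(set)
    for src, dst, _proto, _dport in parse_flows(text):
        if is_live(src) and is_darknet(dst):
            hits[src].add(dst)
    return {
        str(src): sorted(str(d) for d in dsts)
        for src, dsts in hits.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for host, targets in darknet_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT: livenet host {host} probed darknet addresses {targets}")
```

With the default threshold only 10.0.1.25 is reported (three distinct unallocated hosts on port 445, the pattern of an SMB scan); 10.0.1.40's single DNS query to an unused address is suppressed, and 10.0.2.10's connection to an external address is never considered darknet traffic.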
The Pirate Bay Users Circumvent UK ISP Blocks (June 20, 2012)
Earlier this week, BT became the last of the UK's major ISPs to block access to The Pirate Bay to comply with a High Court ruling. Virgin Media, Sky, TalkTalk, and others blocked the file sharing site earlier this year. However, users reportedly managed to circumvent the block "within minutes," despite BT having taken steps to block known proxy sites. The registry that manages the Swedish top-level domain, .SE, which The Pirate Bay is currently using, says that "the methods used to block a domain are all relatively easy to circumvent and thus essentially ineffective [and that] the domain name itself is not an accomplice in an act of copyright infringement." -http://www.bbc.co.uk/news/technology-18518777 -http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/bt-blocks-the-pirate-bay-10026434/
Google "Surprised" that ICO Reopened Street View Investigation (June 19, 20, & 21, 2012)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/