SANS NewsBites - Volume: XIV, Issue: 59

*************************************************************************
SANS NewsBites                     July 24, 2012                    Volume: XIV, Issue: 59
*************************************************************************
TOP OF THE NEWS

  Pentagon Secure Network Access Program Being Expanded to Other Agencies
  Senators Introduce Modified Version of Cybersecurity Bill

THE REST OF THE WEEK'S NEWS

  Three-Strikes Rule Cuts Piracy Rates in New Zealand
  Stolen MapleSoft Customer Data Used to Spread ZeuS
  DARPA Awards Contract to Develop Anomalous User Behavior Detection Technology
  Survey Shows Users Unclear About Benefits of Updates
  Legislators Concerned About Drone GPS Hacking
  Project Aims to Help Fight Cybercrime in Developing Countries
  Preliminary Reports from Dropbox Show No Evidence of Internal System Intrusion
  UK Government Losing Skilled Cybersecurity Workers to Private Industry


******************* SPONSORED BY ForeScout Technologies ****************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy - - IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures.
http://www.sans.org/info/110400
****************************************************************************
TRAINING UPDATE
- --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Seattle all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Pentagon Secure Network Access Program Being Expanded to Other Agencies (July 20, 2012)
The Pentagon is expanding its network protection program to civilian agencies. Users who do not have the new tokens will not be able to access federal classified networks. The effort is aimed at preventing leaks of secret data. The plan was announced by Defense Secretary Leon Panetta and marks a movement toward extending the security implemented on networks within the defense department to other agencies.
-http://www.nextgov.com/cybersecurity/2012/07/agencies-dole-out-new-hardware-keys
-secret-networks/56907/?oref=ng-channelriver

[Editor's Note (Murray): The use of strong authentication in the US Government is at least a decade overdue. It has been delayed by the choice of a technology that requires readers on edge devices and too much infrastructure. ]


Senators Introduce Modified Version of Cybersecurity Bill (July 19, 20 & 23, 2012)
US lawmakers have released a revised version of the Cyber Security Act of 2012. In the latest version, organizations would not be required to meet established cybersecurity standards, but would be offered incentives, such as some immunity from liability, to adopt strong security practices. The newest version of the bill also clarified privacy protections, such as specifying and limiting the circumstances under which organizations would be required to share information with law enforcement agencies and limiting what information can be shared.
-http://www.scmagazine.com/senate-intros-revised-security-bill-to-appease-privacy
-woes/article/251404/

-http://www.computerworld.com/s/article/9229417/Civil_liberties_groups_praise_rev
ised_cybersecurity_bill?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57476215-83/senators-soften-latest-cyber-securi
ty-measure/

-http://thehill.com/blogs/hillicon-valley/technology/239115-overnight-tech-senato
rs-make-final-push-for-cybersecurity-bill





THE REST OF THE WEEK'S NEWS

Three-Strikes Rule Cuts Piracy Rates in New Zealand (July 23, 2012)
The Recording Industry Association of New Zealand (Rianz) says that piracy rates have dropped by 50 percent since the inception of a three-strikes rule in September 2011. (In New Zealand, the most stringent punishment is a fine, not being cut off from the Internet.) Violators can be fined up to NZ $15,000 (US $11,850) after three illegal filesharing offenses. Rianz says they have sent out nearly 2,800 infringement letters since September. Despite the disincentive program, an estimated 41 percent of New Zealand's Internet users still access "copyright infringing services online." Rianz is seeking to have the fee it pays to Internet service providers who issue the notices reduced from NZ $25 (US $20), while the ISPs are calling for a fourfold increase.
-http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10821492
-http://www.bbc.co.uk/news/technology-18953353


Stolen MapleSoft Customer Data Used to Spread ZeuS (July 23, 2012)
Hackers are using customer data stolen from MapleSoft to send spam containing malware. MapleSoft has acknowledged that its administrative database was breached on July 17; compromised information includes customer names, email addresses, and names of associated institutions. The malicious messages appear to come from MapleSoft Security Update Team and urge recipients to install an accompanying critical patch for the software. However, the link infected users' computers with ZeuS malware.
-http://www.cso.com.au/article/431358/hackers_pose_hacked_software_vendor_spread_
zeus_trojan/



DARPA Awards Contract to Develop Anomalous User Behavior Detection Technology (July 23, 2012)
The Defense Advanced Research Projects Agency (DARPA), the arm of the US military that searches out and supports innovative solutions for some of the most challenging technology issues facing the nation, awarded a contract to a software company to help develop systems that can detect unauthorized users by identifying behavioral patterns that differ from those generated by regular users. The program aims to develop "cognitive fingerprints" of users by tracking their interactions with their computers.
-http://www.nextgov.com/cybersecurity/2012/07/pentagon-aims-detect-network-intrud
ers-their-strange-behavior/56933/?oref=ng-channeltopstory



Survey Shows Users Unclear About Benefits of Updates (July 23, 2012)
July 23, 2012 marked the beginning of "International Technology Upgrade Week," an effort to encourage users to keep their software up-to-date. A recent Skype-commissioned survey found that 40 percent of adult computer users do not always install security updates the first time they are prompted to do so, and that 25 percent do not bother to update at all because they do not understand the benefits of updating and what the updates are supposed to do.
-http://www.theregister.co.uk/2012/07/23/skype_software_update_survey/
-http://www.computerworld.com/s/article/9229477/Quarter_of_users_see_no_benefit_i
n_updating_software?taxonomyId=17

[Editor's Note (Murray): After sixty years, the software industry still has not learned that patch and fix is more expensive than doing it right in the first place. This research suggests that they want to blame the failure of their strategy on the user. Am I the only one who sees irony there?
(Paller): In fact the software industry has learned just the opposite. There is no economic model yet that persuades software companies to engineer in security from the outset. In fact some government integrators and custom development organizations actually make money writing bad code and then make more money fixing it. ]


Legislators Concerned About Drone GPS Hacking (July 22, 2012)
At a recent House Homeland Security Oversight subcommittee hearing, US legislators expressed concern about the possibility of hackers hijacking and jamming drone aircraft GPS signals. The Federal Aviation Administration (FAA) has an approaching deadline for creating regulations and licensing to incorporate drones into national airspace. University of Texas assistant professor Todd Humphreys, who recently demonstrated GPS spoofing of drones, said in his testimony before the committee that "civil GPS spoofing also presents a danger to manned aircraft, maritime craft, communications systems, banking and finance institutions, and the national power grid."
-http://arstechnica.com/tech-policy/2012/07/fear-of-drone-gps-hacking-raised-by-c
ongress-as-faa-deadline-looms/



Project Aims to Help Fight Cybercrime in Developing Countries (July 19 & 20, 2012)
The International Cyber Security Protection Alliance (ICSPA) has launched a project aimed at helping countries around the world fight cybercrime. The program will focus on developing countries where cybercrime is likely to grow as Internet access there is improved. ICSPA, which comprises members from law enforcement agencies, cybersecurity companies, and businesses, hopes to identify how cyberattacks will evolve in the coming years.
-http://www.bbc.co.uk/news/technology-18930953
-http://www.scmagazineuk.com/project-2020-set-to-investigate-global-trends-in-cyb
er-crime/article/250885/



Preliminary Reports from Dropbox Show No Evidence of Internal System Intrusion (July 20, 2012)
Dropbox says that a third-party investigation into reports of users receiving spam at email addresses associated with Dropbox have not turned up any evidence that the company's systems were penetrated. According to a post, the investigation has "found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts." The spam reports were coming from users in several different European countries; the accompanying messages which advertised online gambling, were written in the appropriate language for each country.
-http://www.zdnet.com/dropbox-finds-no-intrusions-continues-spam-investigation-70
00001321/

-http://www.computerworld.com/s/article/9229420/Dropbox_says_no_evidence_of_hack_
in_investigation_of_spam?taxonomyId=82



UK Government Losing Skilled Cybersecurity Workers to Private Industry (July 18, 2012)
Last year, the UK's Intelligence and Security Committee (ISC) recommended that the Government Communications Headquarters (GCHQ) find ways to help retain skilled IT security professionals, who are increasingly being hired away by private industry. GCHQ recently adopted a bonus system for particular skills. However, the ISC's 2011-12 annual report found that "GCHQ
[is ]
losing critical staff with high end cyber technology skills at up to three times the rate of the corporate average." GCHQ has proposed a new model, in which staff members are trained with the expectation that they will at some point move to private industry, and that "if they're working with some of those companies that we work closely with, perhaps there is a benefit that we can get from them."
-http://www.cso.com.au/article/430984/gchq_3_times_more_likely_lose_cyber_securit
y_skills_than_private_sector/

[Editor's Comment (Northcutt): Government will always lose trained people to private industry. The loss can be slowed by creating valuable and valued career paths. If you need to keep security people, then you need to have career paths that allow for challenging work and promotion, prestige, and compensation. Multiple surveys have shows that one of the most important things employers do to maintain satisfaction of security people is to allow them to maintain their skills through training and interesting projects.
(Cole): A key way of dealing with this problem is moving from less manually intensive security measures to more automation. The critical controls (
-http://www.sans.org/critical-security-controls/)
provide a framework for implementing more automated security controls which will allow organizations to have effective security with less skilled professionals. The British CPNI have adopted those controls as a national initiative so there is reason to anticipate that the UK will lead the world in this important transformation to automating cyber security. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/