************************** SPONSORED BY Bit9 *****************************
WEBCAST: Today's Application Control and Whitelisting - November 13th 2pm Eastern - Join EMA Managing Research Director, Scott Crawford, and Bit9 Director of Product Marketing, Ian Lee to learn how today's Application Control and Whitelisting solutions give organizations more than a strong answer to today's more demanding threats. Attendees will learn how today's technologies make effective security more transparent and adaptable to business requirements. REGISTER TODAY http://www.sans.org/info/116547
****************************************************************************
TRAINING UPDATE
--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses. Special Event evening bonus sessions: I've Been Geo-Stalked! Now What? And Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/sydney-2012
--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts). http://www.sans.org/event/san-diego-2012
--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012
--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013
--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013
Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************
TOP OF THE NEWS
Stuxnet Hit Chevron in 2010 (November 8, 2012)
The Stuxnet malware infected Chevron's network in 2010. The malware was detected shortly after it made the jump from its target in Iran to other systems. A Chevron spokesperson says that Stuxnet did not harm its IT systems. Chevron is the first US company to acknowledge that Stuxnet infected its systems; most experts believe that the majority of attacks and infections remain unreported. Other malware aimed at damaging computers has emerged over the past months. A natural gas company in Qatar was attacked last summer, and malware dubbed Shamoon managed to destroy information on 30,000 computers at Saudi Arabian oil company Saudi Aramco in August 2012. Protecting systems from such stealthy and harmful attacks requires expert understanding of cybersecurity and the systems a given organization is running. These people know what network traffic is supposed to look like, and the country has far too few of them.
-http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/?mod=wsjcio_hps_cioreport
[Editor's Note (Murray): The fundamental problem with the use of viruses as weapons is that once deployed, one loses control of it. It is as likely to damage one's friends as one's enemies. (Paller): Bill Murray is highlighting the difference between cyber weapons and kinetic weapons. Cyber weapons are often enhanced and then launched against their creators. That's why the shortage of advanced technical cyber skills has become an existential issue for the U.S. and several other developed nations. There are no automated defense systems that can protect power systems and other critical infrastructure resources against these advanced attacks. The only defense - admittedly imperfect - is radically improved technical skills. (McBride): "Escaped" continues to be a puzzling term when applied to a virus that relied on numerous Microsoft 0-day vulnerabilities and propagation vectors. On the other hand, if your system was not the single underground facility in Iran that Stuxnet was intended to disrupt, the infection was benign. Such collateral damage is part of the price industry gets to pay for (what was then) two more years of Iran without a nuclear weapon. ]
US Government is Being Sold Phony Equipment and Technology (November 8, 2012)
According to one study, companies that have been identified as "high risk" have nonetheless been selling technology equipment and products to the US military and other government agencies. Some of the products have been found to be fake, leading to concerns about missiles not firing, airplane parts not working properly, and cyberespionage. The companies that have been given the high-risk identifier are known to be associated with counterfeiting operations, wire fraud, product tampering, and other illegal activity. Of more than 9,500 companies that had been "banned" and had still managed to sell equipment to the government, 10 percent of the instances were found to involve phony parts and/or equipment.
-http://money.cnn.com/2012/11/08/technology/security/counterfeit-tech/index.html
[Editor's Note (Pescatore): Most of the attention paid to "supply chain integrity" has been focused on attacks by foreign nations, while shoddy procurement processes are allowing counterfeit IT devices to routinely be included in procurements. NSA and DoE have pretty strong programs in this area - the U.S. government should enable those best practices to be understood and adopted across agency procurements. (McBride): Even the stuff that is legit might not work right... not to mention back doors. And get this, everyone is being sold software with bugs in it too! Risk management is a matter of understanding your risks to a reasonable depth before accepting them. Inquiring minds are finally getting a little bit of traction, and press coverage, on the supply chain front. (Murray and Paller): Does anyone know who banned the 9,500 companies and why? ]
New Jersey eMail Voting Called "Risky" (November 6 & 7, 2012)
Security experts have called the decision by New Jersey officials to allow residents affected by Hurricane Sandy to vote by email "risky." Some voters were reporting that the email inboxes set up to collect the incoming ballots were full and their votes were being bounced back. Many New Jersey residents have been displaced by the storm due to flooding and lack of utilities. Furthermore, many roads are difficult to drive because of storm damage. The state allows residents living overseas to cast their ballots by email and extended that permission to those dislocated by Hurricane Sandy.
-http://www.nextgov.com/cybersecurity/2012/11/election-takeaway-emergencies-arent-time-experimenting/59336/?oref=ng-channeltopstory
-http://www.bbc.co.uk/news/technology-20217810
[Editor's Note (Murray): Everything one does is "risky." In this case the risk that some votes might be cast and not counted must be weighed against a far greater number not cast at all. (Pescatore): Since most companies routinely tell their customers "we would never ask for your password or account information over email" it is not hard to say email voting is extremely risky. It appears NJ did back this up with physical paper ballots to minimize the risk, but we'd be much better off if some candidate secure approaches were developed and tried out in advance in local elections, and then debugged and vetted for such emergency use in a presidential election. ]
************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116552
2) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices" http://www.sans.org/info/116557
************************************************************************
THE REST OF THE WEEK'S NEWS
RIM's BlackBerry 10 Receives FIPS Certification Ahead of Launch (November 8, 2012)
MegaUpload Case Carries Privacy and Property Rights Implications for Cloud Storage (November 7, 2012)
The MegaUpload case could have far-reaching implications for privacy and property rights of data stored in the cloud. Electronic Frontier Foundation attorney Julie Samuels is representing an Ohio man in his efforts to regain access to files he stored on MegaUpload servers. Kyle Goodwin is a videographer whose only copies of his files remain on MegaUpload servers, as his own hard drive crashed. The federal government has put in place requirements that make it virtually impossible for anyone to retrieve their data from MegaUpload servers. They imply that Goodwin will need to produce several witnesses to testify that the content stored in his MegaUpload account actually belongs to him. Furthermore, they maintain that some of his files include MD5 hash values indicating that they contain pirated music, which also indicates that the government has looked at Goodwin's files. Last year, the US government seized domains belonging to overseas gambling sites, but a New York Federal Court judge did eventually establish a process for people to file claims to get back the money in their gambling accounts. The Motion Picture Association of America says that its only concern in solving the problem of returning files to their owners is making sure that there are "safeguards to prevent retrieval of infringing materials."
-http://www.wired.com/threatlevel/2012/11/megaupload-data-what-to-do/
Federal Authorities' Brief:
-http://www.wired.com/images_blogs/threatlevel/2012/10/fedsbrief.pdf
MPAA Response:
-http://www.wired.com/images_blogs/threatlevel/2012/11/mpaadotcom.pdf
Manning is Willing to Take Responsibility for Leaking Documents (November 7, 2012)
Company Sues for Royalties Over Use of SSL and TLS Protocols (November 7 & 8, 2012)
A Texas company is adding defendants to its long list of companies that have allegedly failed to pay royalties for using certain forms of encryption on their websites. TQP Development reportedly holds a patent titled "Encrypted data transmission system employing means for randomly altering the encryption keys". The lawsuit maintains that companies whose websites use the secure sockets layer (SSL) and transport layer security (TLS) protocols owe TQP royalties. TQP has filed patent infringement complaints against Google, Apple, eBay, Expedia and other companies. In the past month, TQP has added Yelp, MovieTickets.com, and Intel to that list. None of the cases that TQP has filed have gone to trial, which means that some of the companies have settled.
-http://arstechnica.com/security/2012/11/patent-suits-target-google-intel-hundreds-more-for-encrypting-web-traffic/
-http://www.theregister.co.uk/2012/11/08/tqp_sues_everyone/
[Editor's Note (Murray): Old News. This kind of trading in, and exploitation of, patents taints the whole system. ]
Additional Defendants Named in South Carolina Dept. of Revenue Breach Case (November 6, 2012)
Former South Carolina state senator John Hawkins has filed a lawsuit against the state's governor, Nikki Haley, and the South Carolina Department of Revenue over a security breach that exposed information held in a database. Earlier this week, Hawkins added the South Carolina Division of State Information Technology and cybersecurity company Trustwave to the list of defendants in his lawsuit. The suit alleges that the defendants acted negligently in allowing an environment in which the state Department of Revenue database was breached and in failing to disclose the incident for more than two weeks after it was detected. Hawkins has called the events "a systematic failure." The South Carolina Department of Revenue had hired Trustwave to monitor the breached systems. Shortly after the breach came to light, Governor Haley said that the encryption of the Social Security numbers was in line with industry practices. While it is "true that most banks don't encrypt customer data, ... [they] do a decent job of instituting strong protections around sensitive customer data," according to Gartner analyst Avivah Litan.
-http://www.postandcourier.com/article/20121106/PC16/121109507/1177/cyber-security-company-among-new-defendants-added-to-sc-hacking-lawsuit
-http://www.computerworld.com/s/article/9233074/S.C._governor_s_post_breach_data_encryption_claims_are_off_base_analysts_say
Adobe Releases Updates for Flash and AIR (November 6 & 7, 2012)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC