************************** SPONSORED BY Bit9 ***************************** Server Security - With 94% of data stolen in 2011 coming from servers, how has the evolution of advanced threats changed your approach to security? Take the 5 minute survey now and be entered to win an iPad Mini! Learn More http://www.sans.org/info/117017 **************************************************************************** TRAINING UPDATE - --SANS London 2012 London November 26-December 3, 2012 16 courses. Bonus evening presentations include Why to Organizations Get Compromised; Dissecting Smart Meters; and 10 Things Security Teams Need to Know About Cloud Security. http://www.sans.org/london-2012/
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013
- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013
Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************
TOP OF THE NEWS
South Carolina Dept. of Revenue Security Practices Did Not Detect Breach (November 15, 2012)
The South Carolina Department of Revenue (SCDOR) recently acknowledged a data security breach that compromised the tax records of 4.5 million people and businesses who had filed returns with the agency. The US Secret Service informed that state of the incident a month after it occurred. The contractor hired by SCDOR to attend to network security focused on SCDOR's compliance with requirements regarding entities that retain credit card information rather than stopping malware from infecting systems. While SCDOR ran an antivirus and antimalware scan periodically, it was not able to detect the breach, either. South Carolina Governor Nikki Haley has now ordered her Cabinet to use stronger computer security, including the Division of State Information Technology's computer network monitoring services, which detects anomalous uploads and downloads and suspicious programs quickly. Governor Haley has acknowledged that the state "need [s ] somebody in the office 24 hours a day monitoring those computers," which is what the services will provide. -http://www.goupstate.com/article/20121114/WIRE/211151017/1088/SPORTS?Title=Secur ity-contractor-didn-t-detect-hacker-from-SCDOR-website [Editor's Note (Pescatore): We periodically go through cycles where the threats get ahead of the "due diligence" levels of security and active monitoring of the network is generally the first point that will detect this. The key term is "active" monitoring - detecting new threats takes active effort. On the compliance side, other than for extremely small businesses, having the Cardholder Data Environment pass a PCI assessment in no way means the overall network is sufficiently protected from today's targeted attacks. (Honan): Unfortunately the South Carolina Dept. of Revenue Security is not alone in not detecting breaches. According to the Verizon 2012 Data Breach Investigations Report -http://www.verizonbusiness.com/about/events/2012dbir/ 92% of companies were informed of a security breach by a third party. As an industry we need to move away from compliance led security to properly focused operational security. (Murray): The quotes attributed to the governor suggest that the state was simply indifferent to its responsibility to protect citizen privacy. Great argument for federalism. It is to be hoped that most states have a more responsible attitude and that the remainder will learn form this event. (Paller): With this newspaper article, the general public begins to understand the fundamental failure of cybersecurity. Compliance regimes are measuring the wrong things or the consultants implementing them are doing only part of the job. ]
President Signs Secret Cybersecurity Policy Directive for US Military (November 14, 2012)
DHS Looks at Ways to Attract and Retain Talented Cybersecurity Workers (November 13, 2012)
US government agencies are competing against each other to hire talented computer professionals, especially those with cybersecurity expertise. Not only do they have to fight each other for the best employees, but government agencies also have to compete against private sector salaries which regularly outstrip those offered by the CIA, NSA or the Department of Homeland Security (DHS), which is seeking to hire 600 people to work in the cyber arena. Earlier this year, DHS Secretary Janet Napolitano formed a task force to determine how best to develop a cyber security workforce and help her agency recruit and retain talented workers. High on the list of recommendations from the task force is to reserve the "cool jobs," such as penetration testing and incident response, for government employees. -http://www.washingtonpost.com/world/national-security/federal-agencies-private-f irms-fiercely-compete-in-hiring-cyber-experts/2012/11/12/a1fb1806-2504-11e2-ba29 -238a6ac36a08_story.html
************************** SPONSORED LINKS ***************************** 1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/117022 2) Analyst Webcast: Secure Content Management in a Mobile Age Tuesday, Dec. 4, 2012 at 1:00PM EST. http://www.sans.org/info/117027 3) Webcast: APT: It is Not Time to Pray, It is Time to Act Featuring: Dr. Eric Cole. http://www.sans.org/info/117032 ************************************************************************
THE REST OF THE WEEK'S NEWS
DOE IG's Report Finds Out-of-Date Software on Unclassified Systems (November 15, 2012)
According to a report from the inspector general of the US Department of Energy (DOE), nearly 60 percent of desktop computers at the agency lacked critical software patches. The IG's audit examined unclassified systems at DOE. One of the possible explanations is that applying patches means that the agency would have to pause programs that are used frequently. The larger an organization, the more unwieldy patching all systems becomes. The report also found that 41 percent of DOE network servers were running versions of operating systems that are no longer supported. The report also noted weak access controls and web applications with inadequate validation procedures. -http://www.nextgov.com/cybersecurity/2012/11/report-fifty-eight-percent-energy-c omputers-went-months-without-bug-fixes/59559/?oref=ng-channeltopstory -http://energy.gov/sites/prod/files/IG-0877.pdf [Editor's Note (Murray): Patching seems to be the default strategy (some seem to think that it is mandatory) it is only one strategy. On the other hand, one is not very hopeful that this agency had an alternative strategy to make patching unnecessary. ]
Adobe Takes Down Video Conferencing Forum After Data Breach (November 14 & 15, 2012)
Hamburg, Germany Prosecutor Says No Criminal Investigation into Google Street View (November 15, 2012)
The public prosecutor in Hamburg, Germany will not initiate a criminal investigation into Google Street View's inadvertent gathering of data from unprotected WiFi networks in Germany. Google has acknowledged that its Street View cars collected unencrypted data from open WiFi connections as they cruised along streets taking photographs for the Street View feature. The prosecutor said that German telecommunications law does not prohibit the interception of MAC addresses and SSIDs. -http://www.computerworld.com/s/article/9233698/Google_will_not_be_prosecuted_for _Street_View_Wi_Fi_sniffing_in_Germany?taxonomyId=17 [Editor's Note (Murray): The default is that if one broadcasts something, listening is not a crime. This is the reason that Wi-Fi has security features. While these features are not on by default and require some user setup, it is difficult to set up an access point without being aware of them and how to use them. ]
Man Indicted on Charges of Conspiracy to Commit Computer Intrusion and Extortion (November 15, 2012)
Hacker Could be Mysterious Founder of Antivirus Startup (November 14, 2012)
After receiving misleading and evasive answers about the location and founder of antivirus startup Anvisoft, journalist Brian Krebs delved into website registration records and the WHOIS database in an attempt to find out more. What he discovered led to the possibility that Anvisoft may have been started by Tan Dailin, a Chinese hacker who used the online handle "Withered Rose." Krebs acknowledges that there is no conclusive evidence linking Tan Dailin to Anvisoft, and notes that until the company is more forthcoming with information about its founder, it may have trouble establishing itself in the antivirus world. -http://krebsonsecurity.com/2012/11/infamous-hacker-heading-chinese-antivirus-fir m/
Skype Fixes Flaw in Password Reset Mechanism (November 14, 2012)
(Honan): Given that many modern operating systems have encryption facilities built into them and the myriad of third party solutions available it is astounding that NASA has not encrypted all its laptops. ]
Two Indicted for Allegedly Stealing Court System Records and Database Source Code (November 14, 2012)
The US Department of Justice has indicted two former Alabama state court system employees for allegedly stealing source code of a court records database. Michael David Carroll and Jill Hawthorne allegedly stole the code and gave it to an Orlando, Florida company. The two are also accused of stealing thousands of court records from Jefferson County, Alabama. Carroll and Hawthorne worked at Alabama's Administrative Office of the Courts, Carroll as director of information systems and Hawthorne as database administrator. The charges against the pair include stealing property with a value of US $5,000 or more by an employee of a state or local government agency that receives US $10,000 or more in federal assistance. -http://www.computerworld.com/s/article/9233678/Two_indicted_in_alleged_theft_of_ court_database_source_code?taxonomyId=17 -http://www.justice.gov/opa/pr/2012/November/12-crm-1357.html
Microsoft Security Updates for November Include Fixes for Flaws in IE and Windows 8 (November 13, 2012)
SCADA Safety In Numbers http://www.ptsecurity.com/download/SCADA_analytics_english.pdf
McBride: Nice to see a Russian firm trying to quantify the problem space somewhat. The numbers don't quite jive with previous analysis (see for example: -http://vimeopro.com/s42012/s4-2012/video/35801119) but the idea that security bug-finders are looking at SCADA more in the wake of Stuxnet is clear. Assante: Simply playing catchup to IT security vulnerability management is not going to protect our critical infrastructures. ICS Suppliers need to keep making progress by empowering and resourcing their product security officers and place security higher on the design requirements list.
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC