************************** SPONSORED BY Bit9 ***************************** Server Security - With 94% of data stolen in 2011 coming from servers, how has the evolution of advanced threats changed your approach to security? Take the 5 minute survey now and be entered to win an iPad Mini! Learn More http://www.sans.org/info/117662 **************************************************************************** TRAINING UPDATE - --SANS London 2012 London November 26-December 3, 2012 16 courses. Bonus evening presentations include Why to Organizations Get Compromised; Dissecting Smart Meters; and 10 Things Security Teams Need to Know About Cloud Security. http://www.sans.org/london-2012/
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013
- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013
Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************
TOP OF THE NEWS
VA Fails Basic Security Test - Doesn't Install Encryption Software - Wastes Multi-Million Dollar Investment (October 16, 2012)
[Thank you to former NewsBites Editor Gal Shpantzer for pointing us to this story in light of the recent laptop security issues at NASA. ] A report from the Department of Veterans Affairs Office of the Inspector General found that of 300,000 encryption software licenses purchased in 2006, and another 100,000 purchased in 2011, the VA's Office of Information Technology (OIT) had installed just 65,000, or 16 percent. The licenses purchased in 2006 cost US $3.7 million. The reason given for the licenses not being activated are that "OIT did not allow time to test the software to ensure compatibility with VA computers, ensure sufficient human resources were available to install the encryption software on VA computers, and adequately monitor the project to ensure encryption of all VA laptop and desktop computers." The encryption project was undertaken following the May 2006 theft of a hard drive containing personally identifiable information of 26 million veterans. -http://www.va.gov/oig/pubs/VAOIG-12-01903-04.pdf -http://www.fiercegovernmentit.com/story/oig-finds-85-percent-va-encryption-licen ses-lay-dormant/2012-10-16 [Editor's Note (Paller): VA has one of the best CIO-CISO teams in government, but one layer below them, the managers do not seem to follow through in implementing effective security. VA was one of the first agencies to deploy universal automated monitoring tools (costing more than $15 million) but the managers never used them to improve security like the State Department did. Even worse, the security training programs that VA implemented create and celebrate people who can talk about security but cannot perform the technical tasks required to protect systems. It would have been sensible and simple for the hundreds (more than 600 last time I looked) of information security officers (ISOs) at VA to install the encryption software, but neither they nor their managers appear to have the basic computer skills needed to implement important or even simple technical defenses. It is high time for VA to give the ISOs pathways to develop technical cybersecurity skills and give them the choice of taking advantage of those pathways or moving on to other jobs.
Georgian Ministry Officials Arrested for Alleged Hacking Scheme (November 19, 2012)
Nearly a dozen Georgian interior ministry officials and the country's former deputy interior minister have been arrested for allegedly hacking into the computers of political opponents, purportedly to gather intelligence to help them influence recent parliamentary election results. Those arrested also allegedly conducted phone tapping. -http://www.theregister.co.uk/2012/11/19/georgia_cyber_spy_plot_government/
Major Tech Companies Support FCC's Net Neutrality Rules (November 16, 2012)
************************** SPONSORED LINKS ***************************** 1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/117667 2) Supporting Packet Decryption for Security Scanning by Dave Shackleford http://www.sans.org/info/117672 ************************************************************************
THE REST OF THE WEEK'S NEWS
Trojan Communicates With Command-and-Control Server Through Google Docs (November 19, 2012)
Users who have installed software packages through the FreeBSD Project since September 19 should completely reinstall their machines, as hackers have compromised two of the Project's servers. The intrusions were detected on November 11, and those machines have been taken offline so they could be analyzed. FreeBSD also took a number of other machines offline as a precaution. The compromise affected the collection of third-party software packages distributed by the FreeBSD Project. An audit of the FreeBSD basic system found that the operating system's kernel, system libraries, complier, and core command-line tools were not affected. The organization's security team believes the intruders gained access to the servers using a SSH authentication key that was stolen from a developer. Because of the intrusion, the integrity of packages that were available for installation between September 19, 2012, and November 11, 2012 is called into question. -http://www.computerworld.com/s/article/9233822/Hackers_break_into_two_FreeBSD_Pr oject_servers_using_stolen_SSH_keys?taxonomyId=17 -http://www.h-online.com/security/news/item/Hackers-obtained-access-to-FreeBSD-se rvers-1752060.html
US Rep. Tries Crowdsourcing Legislative Proposal on Piracy-Related Website Seizures (November 19, 2012)
Verizon and Time Warner Reveal Plans to Dissuade Illegal Filesharers (November 16, 2012)
Verizon plans to start throttling the Internet speeds of customers who persist in illegal downloading. Violators will first receive email and voicemail warnings. Other Internet service providers (ISPs) are developing plans of their own to help fight piracy. Time Warner Cable plans to use pop-ups to warn users; those who ignore those messages will later find their browsing restricted - they will find themselves redirected to a landing page. The music and movie industry acknowledges that those who are determined to pirate digital content will always find a way to do so, but says that this plan is aimed at educating users who may not be aware that what they are doing is illegal. -http://www.bbc.co.uk/news/technology-20361952
Judge Approves Google's US $22.5 Million Offer to Settle Safari Cookie Complaint (November 19, 2012)
MoneyGram Agrees to Pay Fine for Money Laundering and Wire Fraud Violations (November 19, 2012)
MoneyGram International has agreed to pay a US $100 million fine for its role in aiding and abetting wire fraud, as well as for not having a reasonable anti-money laundering program in place. MoneyGram is often used by cybercriminals running scams in which they pretend to be a friend or relative in urgent needs of funds or in which they offer expensive products and deep discounts, or other fraudulent offers. The targets are directed to send the funds through MoneyGram. In a press release, the US Department of Justice wrote that "MoneyGram knowingly turned a blind eye to scam artists and money launderers who used the company to perpetrate fraudulent schemes targeting the elderly and other vulnerable victims." -http://krebsonsecurity.com/2012/11/moneygram-fined-100-million-for-wire-fraud/ -http://www.justice.gov/opa/pr/2012/November/12-crm-1336.html
Facebook Rolls Out HTTPS as Default Protocol (November 19, 2012)
Facebook has begun using HTTPS as its default protocol for all pages for all users. Facebook announced its intention to make the switch last year. The shift is being introduced first in North America and will eventually be rolled out to users around the world. Facebook started offering HTTPS as an option in January 2011; prior to that, it used the protocol only for pages that required passwords. The change may slow down connections slightly. Facebook will allow users to opt out of using HTTPS if they wish. -http://www.informationweek.com/security/application-security/facebook-adopts-sec ure-web-pages-by-defa/240142310 -http://www.cnn.com/2012/11/19/tech/social-media/facebook-https/index.html [Editor's Note (Murray): While the use of end-to-end encryption may not be absolutely necessary, it takes a very long list of possible attacks off the table. While it does not, as an FBI director was fond of asserting, provide "perfect security," it raises the security in the middle to that of the end points and it does so at a tolerable cost. (Pescatore): I think moving to SSL is being oversold by consumer web sites. Yes, ubiquitous use will make WiFi sniffing much more difficult but the vast, vast majority of information compromises occur *on* these websites, not during communications to and from them. Turning on SSL is sort of like putting on a raincoat when going out in a hurricane. The overall gain in security and privacy would be much higher if the same sites went to user "Opt In" for personal information disclosure. ]
Internet Companies Will Pay US $2 Million for Misleading Online Advertising (November 16, 2012)
Two Internet companies have agreed to pay US $2 million to settle a Federal Trade Commission (FTC) complaint alleging that they hired other companies to market products with phony testimonials and other misleading information. Clickbooth.com and IntegraClick were accused of hiring affiliates to put up fake news sites on the Internet hawking the products. The complaint also alleged that the companies failed to inform customers that they would be billed for their free trial samples of products if they did not cancel their accounts within the designated period of time. -http://www.scmagazine.com/online-marketers-behind-spam-ads-to-pay-2m-to-ftc/arti cle/268741/ [Editor's Note (Murray): FTC enforcement continues to demonstrate that the power of government can be used in favor of the consumer. ]
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
I've been managing multi-million dollar projects for years but always felt muddled as to the formal activities required. Halfway through the SANS PM course, things are becoming clear at last. -Matt Harvey, US DOJ