************************** SPONSORED BY Bit9 **************************** Getting (and Staying) Ahead of Advanced Threats - Download this workbook and create a personalized scorecard that assesses the effectiveness of your current security strategy and understand why a trust-based application control and whitelisting solution is your best defense against advanced malware. Download Today http://www.sans.org/info/118865
**************************************************************************** TRAINING UPDATE
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012 - --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013 - --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013
White House Amends Draft Executive Order on Cybersecurity (November 30, 2012)
The White House's draft executive order on cybersecurity has been updated to incorporate concerns raised in meetings with representatives from technology trade associations and the US Chamber of Commerce. The changes include language clarifying that the guidance does not dictate the use of one security technology over another. "To enable technical innovation and account for organizational differences, the cybersecurity framework will provide cybersecurity guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the" requirements. The draft has also been amended to include a directive to the Treasury and Commerce Departments to recommend potential incentives for critical infrastructure operators to voluntarily join a program to follow certain cybersecurity standards. The incentives must fall within the purview of an executive order. The order has been anticipated ever since the Senate rejected cybersecurity legislation last month. -http://thehill.com/blogs/hillicon-valley/technology/270429-white-house-draft-cyb er-order-adds-changes-to-mollify-tech-industry
DARPA Introduces Vetting Commodity Software and Firmware Program (November 30, 2012)
************************** SPONSORED LINKS ***************************** 1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/118875
3) SANS Analyst Webcast: Secure Content Management in a Mobile Age sponsored by SAP, Tues. Dec. 4, 1PM EDT http://www.sans.org/info/118885 ************************************************************************
THE REST OF THE WEEK'S NEWS
Lack of Technical Understanding Undermines Cybersecurity Legislation (November 30, 2012)
Electronic Frontier Foundation (EFF) staff technologist Dan Auerbach said that legislators who do not have a firm grasp of the technological issues involved in cybersecurity often make missteps when developing legislation. For example, there is a difference between cyberattacks and cybercrime and it is unlikely that both could be adequately addressed in one bill. Also, the idea of attributing activity on the Internet to an individual is "absurd." -http://www.zdnet.com/clueless-officials-hamper-cybersecurity-law-making-70000081 40/
Pentagon Directive Seeks to Improve Cybersecurity (December 3, 2012)
A US Department of Defense directive dated November 5 aims to "establish policy and assign responsibilities to minimize the risk that DoD's warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system's mission critical functions or critical components." The directive is signed by DoD CIO Teresa Takai and under secretary of Defense for acquisition, technology, and logistics Frank Kendall. -http://www.nextgov.com/defense/2012/12/pentagon-directive-targets-fake-parts-vul nerabilities-arms-systems/59897/?oref=ng-channelriver -http://cryptome.org/dodi/dodi-5200-44.pdf [Editor's Note (Pescatore): Supply chain risk management is a big, important issue. Making sure products and systems do not have exploitable vulnerabilities or hidden capabilities is doable and needed (see DARPA VET program item), and the improving the system engineering and system development processes in DoD to emphasize that is long overdue. However, having intelligence agencies rate vendors is a potential snake pit. (Murray): In the unlikely case that it is written in the active voice, it might be mistaken for "policy." ]
McAfee Unwittingly Exposes Location Through Digital Photo Metadata (December 3, 2012)
Microsoft Gets Court Order to Control ZeuS Command and Control Servers for Two Years (December 1, 2012)
Microsoft has won a court order allowing the company to retain control of command-and-control servers for two ZeuS botnets for the next two years. A US District Court in New York granted the court order in a default judgment. Microsoft initially took down the servers located in Illinois and Pennsylvania in March 2012. Microsoft intends to help Internet service providers (ISPs) and Computer Emergency Response Teams (CERTs) scrub ZeuS malware from infected machines. -http://www.eweek.com/security/microsoft-can-retain-control-of-zeus-botnet-under- federal-court-order/
Malware Used To Steal Data on Japanese Solid-Fuel Rocket Project (November 30, 2012)
40-Month Sentence for Camcorder Piracy (November 30, 2012)
A federal judge in Virginia has sentenced Gregory A. Cherwonik to 40 months in prison for his activities in a group that took camcorders into theaters to record new movies and make them available over the Internet. Last year, Cherwonik pleaded guilty to conspiracy to commit criminal copyright infringement. His sentence is the longest ever handed down for filesharing. Another member of the group, which calls itself IMAGiNE, has pleaded guilty to the same charge and will be sentenced in March 2013. Two others have already received their sentences and a fifth will be sentenced next month. -http://www.wired.com/threatlevel/2012/11/camcording-pirate-40-months/ -http://www.wired.com/images_blogs/threatlevel/2012/05/lovelady.pdf
Security companies are warning users about malware that infects computers via a vulnerability in the Windows AutoRun software. Machines running Windows 7 and Windows 8 will not launch autorun.inf files and Microsoft has released patches for older versions of Windows to protect them from similar exploits. Experts think that the increase in infections is due to unpatched computers, network shares, and social media. Users are urged to protect their computers by disabling AutoRun on all Windows systems and by restricting write permissions to share files. -http://www.csoonline.com/article/722724/security-firms-warn-of-spreading-windows -autorun-malware?source=CSONLE_nlt_update_2012-12-02 [Editor's Note (Ullrich): If you still have auto run enabled on a Windows PC, take the time to take a close look at what else it is infected with. -https://isc.sans.edu/diary.html?storyid=14584]
TOR Operator Charged For Content Sent Through His Servers (November 29 & 30, 2012)
An Austrian man who operated TOR servers has been charged with distributing child pornography. Authorities detected the images passing through the servers maintained by the man. Police seized 20 computers and other equipment from William Weber's home. TOR is an acronym for The Onion Router, a project developed by the US Naval Research Laboratory that allows people surf the web anonymously. It is often used by political dissidents, journalists, and law enforcement officers, and has also been used by criminals. The offending images were being distributed by a server in Poland and sent through Weber's servers. Weber operated exit servers; traffic from these nodes can be traced back to the servers' IP addresses. While the authorities became "friendlier" after understanding where the images came from, there is a precedent for holding TOR operators liable for content that passes through servers they operate. The Electronic Frontier Foundations acknowledges the risk that accompanies operating exit nodes and advises that "it's best not to run your exit relay in your home or using your home Internet connection." -http://arstechnica.com/tech-policy/2012/11/tor-operator-charged-for-child-porn-t ransmitted-over-his-servers/ -http://www.bbc.co.uk/news/technology-20554788 -http://www.zdnet.com/austrian-man-raided-for-operating-tor-exit-node-7000008133/ [Editor's Note (Ullrich): IMHO, the TOR operator acted like a transit ISP/NSP in this case. (Hoan): In many countries it is not illegal to run a Tor exit node. However, for anyone considering, or are already, running a Tor exit node you should familiarise yourself with the Electronic Frontier Foundation's Legal FAQ on the topic at -https://www.eff.org/torchallenge/legal-faq/]
Nationwide Insurance Network Breach Affects One Million (November 29, 2012)
A security breach of the Nationwide Insurance computer network compromised the personal information of approximately one million people. The data include names, Social Security Numbers (SSNs) and other personally identifiable information; the breach affects people in all 50 states. Those affected by the breach include both policy holders and individuals who requested quotes from the company. Employee data were not exposed. The incident occurred on October 3, 2012. The FBI is investigating. -http://www.scmagazine.com/personal-info-of-1m-compromised-in-nationwide-breach/a rticle/270448/
CONTROL SYSTEMS SECURITY STORIES
SHINE is a project to identify how much and what kinds of control systems are running in the open, on the Internet. The researchers express reluctance to disclose the information in raw form, because "it contains such a high volume of sensitive sites that we believe it could be turned in to a weapon." They say that preliminary discussions are underway with DHS, the FBI, and the RCMP on data management and handling protocols. -http://news.infracritical.com/pipermail/scadasec/2012-December/010162.html [Editor's Note (McBride): Nice to see a public statement from the group conducting the research into ICS/SCADA systems online. The most significant implications seem to be related to supply chain and wireless network providers. ]
************************************************************************ The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/