SANS NewsBites - Volume: XV, Issue: 27


Tony Sager was the top cyber defender at NSA and John Pescatore was the
top security analyst at Gartner, and both joined SANS in the last year.
On April 18, for the very first time, you can hear them discussing
solutions that work (and don't) at a breakfast workshop on April 18 (in
Washington or simulcast for people around the world). It is likely to
be the single most useful half-day seminar on effective cyber security
(for stopping the targeted attacks doing all the damage) and the cost
is right - it is free for Government attendees. Register at:
http://www.sans.org/info/128292
To register for this event via simulcast, visit
http://www.sans.org/info/128297

Alan

PS If you work in a major consulting firm or medium-large enterprise,
and have adopted the Critical Security Controls as your framework for
effective cybersecurity, please email me at apaller@sans.org because
there is a request from the White House and Commerce Department where
your innovation may add value.

*************************************************************************
SANS NewsBites                     April 05, 2013                    Volume: XV, Issue: 27
*************************************************************************
TOP OF THE NEWS

  Google Challenging National Security Letter
  FBI Wants Broader Realtime Surveillance Authority
  Government Seeks Veterans to Fill Cybersecurity Positions

THE REST OF THE WEEK'S NEWS

  Bitcoin Exchanges Hit by DDoS
  Court Grants Class Action Status in ComScore Privacy Lawsuit
  Microsoft Will Release Nine Bulletins in Next Week
  Japanese Internet Portals Hacked
  European Security Report Finds Skimming Thieves Targeting Ticket Kiosks and Parking Meters
  Harvard Secret eMail Search Prompts Privacy Policy Review
  Firefox 20 Improves Private Browsing
  Nationwide Insurance Takes Steps to Keep Breach Information Secret
  Attacks on Financial Institutions Meant to be Destructive


*********************** SPONSORED BY BIT9 ********************************
Webcast: Next-Generation Security Solutions: How Integrating Server/Endpoint and Network Tools will Improve Your Security Posture. Are you using or considering next-generation network security tools such as FireEye and Palo Alto Networks? You can multiply the value of next-gen network security tools by integrating them with a solution that gives you real-time visibility into all threats across your network and servers/endpoints from a single console. Register Today: http://www.sans.org/info/128560
****************************************************************************
TRAINING UPDATE

-- SANS Northern Virginia 2013, Reston, VA, April 8-April 13, 2013. 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


-- SANS Cyber Guardian 2013, Baltimore, MD, April 15-April 20, 2013. 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


-- SANS Security West 2013, San Diego, CA, May 7-May 16, 2013. 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


-- SANSFIRE 2013, Washington, DC, June 14-22, 2013. 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


-- SANS Secure Europe 2013, Amsterdam, Netherlands, April 15-April 27, 2013. 10 courses.
http://www.sans.org/event/secure-europe-2013


-- Critical Security Controls International Summit, London, UK, April 26-May 2, 2013. Including SEC566: Implementing and Auditing the 20 Critical Security Controls, led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


-- SANS Pen Test Berlin 2013, Berlin, Germany, June 2-June 8, 2013. Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses). See samples at http://www.sans.org/ondemand/specials

Plus Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Google Challenging National Security Letter (April 4, 2013)
Google has filed a petition challenging a National Security Letter (NSL), a demand for information about a user or users issued by government agencies. Most NSLs include a gag order, prohibiting the recipient from discussing its contents or even the fact that it was received. The petition was filed late last month under seal in US District Court of Northern California. Earlier in March a US District Judge in that state ruled that NSLs are unconstitutional because of the gag order. Judge Susan Illston's ruling ordered the government to stop issuing NSLs and to cease enforcement of gag orders for those that have already been issued. The Google NSL challenge has been assigned to Judge Illston.
-http://www.wired.com/threatlevel/2013/04/google-fights-nsl/
[Editor's Note (Murray): It took someone with Google's clout and courage to finally get the government into court over a law that is, at least arguably, unconstitutional.]


FBI Wants Broader Realtime Surveillance Authority (March 26, 2013)
Speaking at a meeting of the American Bar Association last month, FBI general counsel Andrew Weissmann said that a "top priority" for his agency this year is increasing its wiretapping authority to include a broader range of Internet communications and storage. The increase in the use of email and social media has presented problems for the FBI, which wants to monitor communications in real time.
-http://www.slate.com/blogs/future_tense/2013/03/26/andrew_weissmann_fbi_wants_real_time_gmail_dropbox_spying_power.html



Government Seeks Veterans to Fill Cybersecurity Positions (April 1, 2013)
The government is recruiting veterans to help defend the country's critical systems from cyberattacks. Earlier this year, the Pentagon said it plans to recruit 4,000 "skilled cyberwarriors ... to conduct operations in cyberspace." Returning veterans face a tough job market, but because many of them already have security clearances necessary for Pentagon work, they are sought after for these positions. Veterans are being invited to enter cybersecurity competitions in which top performers receive scholarships to cybersecurity training programs.
-http://www.huffingtonpost.com/2013/04/01/military-veterans-hackers_n_2990052.html?1364836168&utm_hp_ref=technology




*************************** Sponsored Links: ******************************
1) Attend the SANS 20 Critical Security Control Briefing, Thursday, April 18, 2013 in Washington, DC at the JW Marriott. Tony Sager and John Pescatore will provide an overview of the 20 CSC, showcase the 20 CSC In Action, and also moderate a Vendor Panel. Event is free to Government attendees. For more information, go to http://www.sans.org/info/128292; to register for this event via simulcast, visit http://www.sans.org/info/128297

2) Datacenter Virtualization from a Security Perspective, Wednesday, May 1, featuring Dave Shackleford http://www.sans.org/info/128565

3) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad! http://www.sans.org/info/128570
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Bitcoin Exchanges Hit by DDoS (April 4, 2013)
Mt. Gox, a major exchange for the virtual currency Bitcoin, has come under a distributed denial-of-service attack. The attack has significantly affected the price of Bitcoin. Tokyo-based Mt. Gox processes 80 percent of Bitcoin trades in US dollars and 70 percent of Bitcoin trades in other currencies. The Instawallet website, which also trades in Bitcoin, has been knocked offline by an attack. The attacks are presumed to be an attempt to game the trading system.
-http://www.computerworld.com/s/article/9238118/Mt._Gox_under_largest_DDoS_attack_as_bitcoin_price_surges?taxonomyId=17

-http://www.bbc.co.uk/news/technology-22026961
[Editor's Note (Pescatore): Since Bitcoin's business model pretty much requires very high availability of Internet connectivity, you would think they would have denial of service protection on that connectivity -- much the way I'm sure they have uninterruptible power supplies on their data centers.]


Court Grants Class Action Status in ComScore Privacy Lawsuit (April 4, 2013)
A court in Chicago has granted class action status to a lawsuit filed against an Internet tracking company. The lawsuit alleges that comScore collected and sold Internet users' personal data, including credit card and Social Security numbers (SSNs), and passwords. comScore says that it collects data about users, strips it of identifying information, and sells the results to its clients. The lawsuit alleges that comScore altered security settings and installed back doors on users' computers and used the access to steal information from word processing documents, email messages, and PDFs.
-http://www.computerworld.com/s/article/9238137/Judge_awards_class_action_status_in_privacy_lawsuit_vs._comScore?taxonomyId=17

[Editor's Note (Pescatore): Anonymizing user information is good practice, but only on information the user agreed to allow to be collected. Imagine if office cleaning crews that service comScore's buildings copied business information from comScore CEO, CFO, etc. desks -- I don't think comScore would be fine with that if the cleaning company said "well, we stripped it of all identifying information."]


Microsoft Will Release Nine Bulletins in Next Week (April 4, 2013)
On Tuesday, April 9, Microsoft plans to issue nine security bulletins to address vulnerabilities in a number of its products, including Windows, Internet Explorer, Office, and Microsoft Server Software. Two of the bulletins have been given maximum severity ratings of critical; these bulletins address flaws in Windows and Internet Explorer.
-https://technet.microsoft.com/en-us/security/bulletin/ms13-apr
-http://www.computerworld.com/s/article/9238136/Microsoft_to_patch_IE10_Pwn2Own_bugs_next_week_says_security_expert?taxonomyId=17



Japanese Internet Portals Hacked (April 4, 2013)
Two Japanese Internet portals were hacked recently, prompting one of them, Goo, to lock 100,000 accounts to prevent unauthorized access. Yahoo Japan detected malware on its servers that was attempting to steal user data, but the attack was stopped before the information made it out of the network.
-http://www.computerworld.com/s/article/9238123/Japanese_web_portals_hacked_up_to_100_000_accounts_compromised?taxonomyId=17



European Security Report Finds Skimming Thieves Targeting Ticket Kiosks and Parking Meters (April 3, 2013)
Thieves bent on skimming payment card information are branching out from ATMs, according to a report from the European ATM Security Team (EAST). Skimming devices have been found on transportation ticket kiosks in at least five European countries. Parking meters and point-of-sale terminals at fuel stations have also been targeted. The majority of card skimming occurs in countries that have not yet adopted chip-and-PIN security technology.
-http://www.bbc.co.uk/news/technology-22013231
-http://www.theregister.co.uk/2013/04/03/card_skimmer_atm_fraud_trends/


Harvard Secret eMail Search Prompts Privacy Policy Review (April 3, 2013)
In the wake of an email snooping scandal, Harvard University President Drew Faust has launched a review of the school's email privacy policies. Earlier this year, a story broke about Harvard administrators searching the email accounts of 16 resident deans; the search was conducted because administrators were looking for the source of an information leak regarding a cheating scandal. It now appears that the searches of the deans' email accounts were broader than initially acknowledged, and Faust is also asking an outside lawyer to investigate the extent of the searches.
-http://www.boston.com/metrodesk/2013/04/02/secret-mail-searches-harvard-cheating-scandal-broader-than-initially-described/Mgz0mc8hSk3IgWGjxLwsJP/story.html

-http://www.computerworld.com/s/article/9238100/Harvard_to_review_privacy_policies_in_wake_of_email_search_scandal?taxonomyId=17



Firefox 20 Improves Private Browsing (April 2 & 3, 2013)
Mozilla has released Firefox 20, which fixes 13 security issues and makes private browsing easier. Five of the vulnerabilities are deemed critical and could be exploited to run malicious code or install software without user interaction. Firefox 20 also allows users to switch browser privacy status without closing or restarting Firefox; users can instead open a private window while the regular window is open. Firefox should update automatically for users with existing versions of the browser on their computers. Firefox 20 is available for Windows, Mac OS X, and Linux.
-http://www.scmagazine.com/firefox-20-released-makes-private-browsing-easier/article/287362/

-http://www.h-online.com/security/news/item/Firefox-20-has-per-window-privacy-and-fixes-three-critical-bugs-1833854.html

[Editor's Note (Pescatore): The Interactive Advertising Bureau (IAB) and Association of National Advertisers (ANA) sort of attacked Mozilla for future plans to give users a default setting to block third party cookies in a future Firefox release. The basic argument seems to be that advertising is vital for the survival of the Internet, advertising requires tracking for some reason, but if users have to click to choose such valuable tracked/targeted advertising, for some reason they won't. It is sort of like broadcast TV services saying, "if TVs don't automatically come up on an ad-supported channel, users will never change the channel to watch advertising supported TV."]


Nationwide Insurance Takes Steps to Keep Breach Information Secret (April 1 & 3, 2013)
Nationwide Insurance has taken an interesting route to keeping details of its October 2012 security breach out of the public eye. The company has hired a legal firm to investigate the incident, which exposed the personal information of 1.1 million people. Because the law firm is conducting the investigation, the findings will be granted the secrecy afforded by attorney-client privilege. Nationwide is not the first company to take this route; some law firms are starting to specialize in data breach investigation. While this measure protects the details of the Nationwide breach from becoming public knowledge for the time being, state and federal officials who are investigating the breach could mandate a third-party investigation. Those results would be public.
-http://www.theverge.com/2013/4/1/4170214/nationwide-insurance-covers-massive-security-breach-details-attorney-client-privilege

-http://www.liveinsurancenews.com/insurance-news-about-nationwides-management-of-the-security-breach-is-covered-up/8521933/

[Editor's Note (Murray): While the work product of attorneys may be privileged, that does not extend to all information about the breach. Since the breach might result in tort liability, engaging lawyers early is only prudent. In the absence of other evidence, the inference that the intent of doing so is to conceal evidence is unwarranted.]


Attacks on Financial Institutions Meant to be Destructive (March 28, 2013)
The cyberattacks launched against US financial institutions over the past six months appear to be designed to disrupt financial transactions. Intelligence officials and investigators suspect that the group behind the attacks is connected to Iran's government. While the attacks that appear to be coming from China are aimed at cyberespionage, these attacks aim to be destructive. South Korean banks were recently targeted in a cyberattack; the perpetrator in that case is suspected to be North Korea.
-http://www.nytimes.com/2013/03/29/technology/corporate-cyberattackers-possibly-state-backed-now-seek-to-destroy-data.html?pagewanted=all&_r=1&

[Guest Editor's Note (Kevin Liston): Will our response plan differ if it's state-sponsored? No? Let's not waste intelligence resources on that, and focus on the nature of the attack then.]


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/