*************************** SPONSORED BY SANS ****************************
At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD. Organizations who have developed successful programs will share how they developed and gained management support for their plans, and provide lessons learned and pitfalls to avoid. http://www.sans.org/info/129480
****************************************************************************

TRAINING UPDATE
-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead. http://www.sans.org/event/security-west-2013
-- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware. http://www.sans.org/event/sansfire-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act. http://www.sans.org/event/rocky-mountain-2013
-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors. http://www.sans.org/event/pentest-berlin-2013
Plus Bangalore, Johannesburg, Malaysia, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Verizon Report Shows China As Source of Most Cyber Attacks (April 23, 2013)
Former Hosting Provider Admin Allegedly Placed Backdoors on 2,700 Servers (April 19, 2013)
A man who was once employed by hosting provider Hostgator has been arrested and charged with breach of computer security. Eric Gunnar Gisse worked as an administrator at Hostgator from September 2011 through February 15, 2012. He allegedly installed backdoors on more than 2,700 company servers. The day after Gisse was dismissed from his position, officials at Hostgator detected the backdoor application that he had installed. The backdoor was disguised to look like a Unix administration tool.
-http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/
[Editor's Note (Pescatore): This is the nightmare scenario for all outsourcing, including the use of the cloud. A lot of the transparency needed from cloud service providers falls in this area: separation of duties, privilege management, change control, etc. The FedRAMP continuous monitoring guidelines (which map quite well to the Critical Security Controls) capture this very well.
(Paller): The practice of leaving back doors is more widespread than is commonly known. Programmers do it when writing code so they can more easily maintain the code if the owner of the software changes the access methods. And "trusted" security practitioners sometimes do it. I still have the audio tape of one of the best-known speakers in the security field, currently president of an organization of information security practitioners, saying that he left back doors on his penetration testing clients' computers. He gave a reason that made me think that if they ever did anything he didn't like he would consider using the back door. Hubris. ]
Bank Sues Fraud Victim to Recover US $336,600 (April 19, 2013)
A North Carolina bank is suing one of its customers for funds the bank maintains were provided as a short-term loan to cover a US $336,600 fraudulent transaction. Wallace & Pittman PLLC, a company that specializes in real estate legal services, is refusing to repay the funds, claiming it was not a loan. Park Sterling Bank says it provided the funds as a short-term loan so that the company would not overdraw its trust account, and to allow the company to try to recover the stolen money. Wallace & Pittman points to an online ledger entry in which the funds are classified as "reverse previous wire entry." The company also alleges that the bank did not employ adequate security; Wallace & Pittman maintains that Park Sterling Bank should have noticed that the IP address used to initiate the transfer was one that had never before been associated with the company and that the destination of the transfer - Russia - should have raised suspicions because the company had never before made a wire transfer to a bank outside the US.
-http://krebsonsecurity.com/2013/04/bank-sues-cyberheist-victim-to-recover-funds/
Park Sterling's Complaint:
-http://krebsonsecurity.com/wp-content/uploads/2013/04/Park-Sterling-Bank-Complaint.pdf
Wallace & Pittman's Response:
-http://krebsonsecurity.com/wp-content/uploads/2013/04/Answer-Wallace-Pittman.pdf
[Editor's Note (Pescatore): The FFIEC is pretty clear about the need for "risk-based authentication" and this type of electronic funds transfer system is an obvious candidate for something stronger than reusable passwords. However, the bank doesn't seem to have offered that. With most free consumer email services offering two-factor authentication, businesses ought to demand the same from their commercial banking services - and those services probably ought to refrain from suing their customers unless they are offering secure alternatives.
(Shpantzer): Lame authentication of the end user AND lame verification of the legitimacy of the transaction. You really should pick just one, if you must pick. The bank's complaint, however, says that the customer declined to use the 'dual control' method of two representatives' authorization in order to trigger a transaction, a claim that the customer denies in the answer to the lawsuit.
(Northcutt): As I understand it, personal accounts have more protection (probability of being reimbursed) and business accounts have less, but there have been cases where the business has won in court. In the meantime, repeat after me: if you use a computer to do online banking for your business, do not use that computer for anything else:
-http://normantranscript.com/x1301512034/Who-pays-when-your-bank-account-is-hacked ]
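The anomalies Wallace & Pittman cites (an initiating IP address never before associated with the customer, and a first-ever wire to a bank outside the US) are exactly the signals a risk-based transaction review keys on, and the "dual control" dispute in the complaint is the other half of the same control. The Python below is an added example, not code from the article or from any bank's system, showing how such a review can be scored against a customer's own history. The Wire schema, the IP addresses, the amounts, the dates and the hold-for-verification policy are all constructed assumptions for illustration.

```python
"""Added example: a first-pass anomaly check for an outgoing wire transfer.

Everything here (schema, sample history, addresses, amounts, policy) is
constructed for illustration; it is not Park Sterling's or anyone's system.
"""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Wire:
    """One outgoing wire as a bank might log it (constructed schema)."""
    when: date
    source_ip: str        # address that initiated the online-banking session
    dest_country: str     # country code of the beneficiary bank
    amount_usd: int
    dual_control: bool    # a second authorised representative approved it


# Constructed history: a year of routine real-estate closings, all initiated
# from one office address and all sent to US banks.
HISTORY = [
    Wire(date(2012, 3, 5), "203.0.113.7", "US", 212_000, False),
    Wire(date(2012, 6, 14), "203.0.113.7", "US", 98_500, False),
    Wire(date(2012, 9, 21), "203.0.113.7", "US", 451_200, False),
    Wire(date(2012, 11, 2), "203.0.113.7", "US", 187_300, False),
]

# Constructed suspect transfer: unseen source address, first non-US beneficiary,
# and an amount that is NOT larger than previous legitimate wires.
SUSPECT = Wire(date(2012, 12, 12), "198.51.100.42", "RU", 336_600, False)
# Same transfer, but approved under dual control (used to show the policy).
SUSPECT_DUAL = Wire(date(2012, 12, 12), "198.51.100.42", "RU", 336_600, True)

HOME_COUNTRY = "US"


def risk_flags(history, wire):
    """Return the anomaly flags a risk-based review would raise for `wire`.

    The first three flags map to the points made in the article: an initiating
    IP never seen for this customer, a beneficiary country the customer has
    never paid, and a first-ever international wire. The amount flag is there
    to show that a naive size threshold alone would not have caught this one.
    """
    seen_ips = {w.source_ip for w in history}
    seen_countries = {w.dest_country for w in history}
    flags = []
    if wire.source_ip not in seen_ips:
        flags.append("new_source_ip")
    if wire.dest_country not in seen_countries:
        flags.append("new_destination_country")
    if wire.dest_country != HOME_COUNTRY and all(
        w.dest_country == HOME_COUNTRY for w in history
    ):
        flags.append("first_international_wire")
    if history and wire.amount_usd > max(w.amount_usd for w in history):
        flags.append("large_amount")
    return flags


def decision(history, wire):
    """Hold policy (assumed): any flagged transfer without dual control is held
    for out-of-band verification; a flagged transfer that was approved under
    dual control is released but logged for review; clean transfers release."""
    flags = risk_flags(history, wire)
    if not flags:
        return "release"
    if wire.dual_control:
        return "release_with_review"
    return "hold_for_out_of_band_verification"


if __name__ == "__main__":
    for label, wire in (("routine", HISTORY[-1]), ("suspect", SUSPECT)):
        print(label, risk_flags(HISTORY, wire), decision(HISTORY, wire))
```

Run stand-alone, the script shows the suspect wire picking up three flags and being held, while the most recent routine wire passes clean. Note that the amount check never fires for the suspect transfer, because US $336,600 sits inside the customer's normal range; that is why the "who initiated it, from where, and to whom" signals carry more weight than size alone.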
*************************** Sponsored Links: ******************************
1) AlienVault USM delivers complete security visibility in minutes. Download the Free 30-Day Trial. http://www.sans.org/info/129485
2) "Data Center Virtualization from a Security Perspective," featuring Dave Shackleford and Deepak Thakkar, Wednesday, May 1, at 1 PM EDT http://www.sans.org/info/129490
US Air Force Academy Team Wins Cyber Defense Competition (April 23, 2013)
A team from the US Air Force Academy has taken top honors in the National Security Agency's (NSA's) 13th annual Cyber Defense Exercise (CDX). Teams from US military academies as well as the Royal Military College of Canada participated in the competition, which required them to design and build their own networks. NSA Red Team members then launched attacks against those networks for 84 straight hours. CDX not only provides a chance for the teams to develop their defensive strategies, but also allows NSA's Red Team the opportunity to practice offensive hacking. The competition required that the teams log all their activity and explain their decisions to examiners.
-http://www.theregister.co.uk/2013/04/23/us_airforce_hacking_competition/
[Editor's Note (Skoudis): The CDX competition is very impressive, and really does a great job in helping cadets learn how to defend their networks from very determined attackers. The scale, complexity, and quality of CDX are unparalleled in cyber challenge competitions. Congrats to the US Air Force Academy on their victory!
(Paller): Since more than half the 250,000 NewsBites subscribers are SANS alumni, I wanted to share a note from the computer science professor at the Air Force Academy who built the program that enables winning teams year after year: "I just wanted to write and thank SANS again for its tremendous support of cadet cyber education and training at the Air Force Academy. SANS has really been a force multiplier in what we've been able to do to prepare officers who will excel in cyber, and we're really grateful." The Air Force Academy is one of the recipients of SANS' academic grants program through which we provide training support where it can make a major difference in national security. ]
Yet Another Java Vulnerability Surfaces (April 22 & 23, 2013)
Hacking Trial Illustrates Over-Broad Interpretation of Computer Fraud and Abuse Act (April 22, 2013)
Jury deliberations have begun in a case involving David Nosal, a California man who is accused of violating the Computer Fraud and Abuse Act (CFAA). Nosal allegedly accessed a proprietary database at a company where he had previously worked using access credentials provided by two former colleagues. Authorities say Nosal used the information in the database to build a competing business. Nosal's legal team tried unsuccessfully to convince the judge to throw out the charges on the grounds that the CFAA does not apply in this case.
-http://www.wired.com/threatlevel/2013/04/hacking-trial-sans-hacking/
[Editor's Note (Murray): While some fraud and abuse may take the form of hacking, the law is not about hacking per se. "Hacking" is not a necessary predicate for the application of the act. ]
Reuters Fires Man Who Allegedly Helped Anonymous Hack LA Times Story (April 22, 2013)
Reuters has fired Matthew Keys following his indictment on charges he conspired with members of the Anonymous hacking group to help them gain access to a Tribune Co. website and alter a story on the Los Angeles Times website. Keys was Reuters' deputy social media editor. The incident that prompted the charges occurred in December 2010. Keys had been employed at a Tribune television station through October 2010. He allegedly supplied the login credentials to Anonymous members after leaving that job.
-http://www.latimes.com/local/lanow/la-me-ln-matthew-keys-fired-20130422,0,5070462.story
Brian Krebs writes that multiple sources have warned of a breach involving payment cards at Teavana, a US retail chain that sells tea and related items. Starbucks acquired the company last year, and has so far not confirmed a breach, but did say that it is responding to inquiries from card-issuing banks and payment card companies. One card-issuing institution said that in March 2013, its fraud team noticed a spike in purchases of gift cards using counterfeit payment cards. The majority of the counterfeit cards were clones of cards used legitimately at Teavana stores.
-http://krebsonsecurity.com/2013/04/sources-tea-leaves-say-breach-at-teavana/
The Fox broadcasting company has sent Digital Millennium Copyright Act (DMCA) takedown notices regarding URLs linking to a novel, written by Cory Doctorow, called "Homeland." Fox produces a television show with the same name; the two are in no way related. Further complicating matters is the fact that Doctorow published his novel under a Creative Commons license, which means its availability on BitTorrent is completely legal, so Fox's takedown notices are causing legitimate content to be removed from the Internet. There is little recourse in situations like this. The DMCA requires that the takedown notices be issued in good faith, but it is easy enough to blame the erroneous notices on carelessness. In any case, the party whose content was wrongly taken down can recover only costs and attorney's fees.
-http://arstechnica.com/tech-policy/2013/04/not-that-homeland-fox-sends-bogus-takedowns-for-copyright-reformers-book/
[Editor's Note (Shpantzer): DMCA robo-notices have been problematic for some time. For a hilarious (and terrifying) account of copyright shenanigans and DMCA notices, see here:
-http://dmca.cs.washington.edu/ ]
Google Fined a Pittance for Street View Data Collection In Germany (April 22, 2013)
Japan's National Police Agency Wants ISPs to Block Tor for Those Who "Abuse" It (April 21 & 22, 2013)
Japan's National Police Agency (NPA) may begin asking Internet service providers (ISPs) there to block Tor, a network that helps people anonymize their online activity. (Tor stands for The Onion Router.) The ISPs would be asked to block people's use of Tor if those people had been found to be abusing the network. Japanese police were thwarted in their efforts to nab a cybercriminal because he used Tor. The NPA's plan comes in response to a recommendation from a panel brought together to help decide how to fight crime that is committed with the help of Tor.
-http://arstechnica.com/tech-policy/2013/04/japanese-police-ask-isps-to-start-blocking-tor/
-http://www.bbc.co.uk/news/technology-22248692
-http://www.theregister.co.uk/2013/04/22/tor_japan_police_ban/
[Editor's Note (Murray): This is a troubling and confusing report. Use of anonymizers should not "be read as a presumption of guilt." Resort to anonymizers is rare, mostly legitimate, and sometimes even necessary. On the other hand, such use in the furtherance of a crime should be treated as aggravating. "To block people's use of Tor if those people had been found (presumably by a court) to be abusing the network" seems appropriate. However, it should take something more than a mere assertion on the part of the police. ]
BadNews Malware Snuck Into Google Play Apps (April 20 & 22, 2013)
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/