************************* SPONSORED BY BIT9 **************************** Today's Advanced Threats Require Next-Generation Protection. Are you using or considering a next-generation threat protection solution? Join this webcast and learn how you can multiply the value of your investment by integrating network and endpoint security. Register Today http://www.sans.org/info/130682
*************************************************************************** TRAINING UPDATE
- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead. http://www.sans.org/event/security-west-2013
- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware. http://www.sans.org/event/sansfire-2013
- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act. http://www.sans.org/event/rocky-mountain-2013
- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead. http://www.sans.org/event/boston-2013
- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors. http://www.sans.org/event/pentest-berlin-2013
- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course. http://www.sans.org/event/london-summer-2013
Eight Charged in Connection with US $45 Million Cybertheft (May 9, 2013)
US Federal prosecutors have charged eight people for their alleged roles in a pair of cybertheft schemes that stole more than US $45 million through ATMs in more than 20 countries. The schemes involved breaking into computers at financial institutions that process prepaid debit cards, stealing card data, and removing the withdrawal limits on the cards. The first attack targeted a processor that managed prepaid card transactions for a bank in the United Arab Emirates; the card data were sent to accomplices in 20 countries, who used them to fraudulently withdraw US $5 million. The second scheme involved an institution that processed card transactions for a bank in Oman; accomplices in 24 countries withdrew US $40 million within 10 hours. The eight people charged in New York participated in both schemes, withdrawing a total of US $5.2 million through ATMs in New York. All eight live in Yonkers, New York. They face charges of conspiracy to commit access device fraud, conspiracy to launder money, and money laundering.
-http://www.wired.com/threatlevel/2013/05/eight-charged-in-bank-heist/
-http://www.washingtonpost.com/business/economy/atm-thieves-conducted-massive-cyberattack/2013/05/09/0c3c3a1c-b8ec-11e2-92f3-f291801936b8_story.html
-http://money.cnn.com/2013/05/09/technology/security/cyber-bank-heist/index.html
-http://www.justice.gov/usao/nye/pr/2013/2013may09.html#FOOT1
[Editor's Note (Honan): In 2011 a payment card processor in Florida, FIS, was victim of a similar attack to the tune of US $13m, and RBS Worldpay suffered a loss of US $9m in 2008. A key element in the success of these attacks is the lack of Chip and PIN technology, which is already in place in many European countries and makes cards more difficult to clone.
(Paller): And while we are waiting - probably years - for the U.S. Government to require chip and PIN - there is ample evidence that the processors know how to protect their computers against these attacks and are not doing it. The PCI standard is so far out of date and the verification that PCI auditors are doing is missing so much that this $45 million will seem small in a couple of years. The key is that the people who write the standards (PCI and NIST in particular) are the ones who should be held accountable for these losses, because their guidance is encouraging organizations to implement the wrong defenses. ]
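The attack pattern above (per-card withdrawal limits removed in the processor's records, then the same card cashed out in two dozen countries within hours) suggests two processor-side controls that do not depend on the per-card limit record: a hard daily ceiling enforced inside the authorization path itself, and a cross-border velocity check. The following is an added illustration written for this page, not code from any processor, bank or the cited reports; the authorization log format (timestamp, card token, ATM country, USD amount) and the sample rows are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authorization log (not real data). One withdrawal per
# line: ISO-8601 UTC timestamp, card token, ISO country of the ATM, USD amount.
SAMPLE_AUTHS = """\
2013-02-19T20:05:00Z card-0001 AE 500
2013-02-19T20:07:00Z card-0001 JP 2000
2013-02-19T20:09:00Z card-0001 US 2000
2013-02-19T20:12:00Z card-0001 RU 2000
2013-02-19T20:13:00Z card-0001 ES 2000
2013-02-19T20:15:00Z card-0002 US 200
2013-02-19T21:40:00Z card-0002 US 300
2013-02-19T22:00:00Z card-0003 DE 100
"""


@dataclass(frozen=True)
class Auth:
    ts: datetime
    card: str
    country: str
    amount: int


def parse_auths(text: str) -> list[Auth]:
    """Parse the constructed log format into Auth records, oldest first."""
    auths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, amount = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        auths.append(Auth(when, card, country, int(amount)))
    return sorted(auths, key=lambda a: a.ts)


def _by_card(auths: list[Auth]) -> dict[str, list[Auth]]:
    per_card: dict[str, list[Auth]] = defaultdict(list)
    for a in auths:
        per_card[a.card].append(a)
    return per_card


def over_hard_cap(auths: list[Auth], cap_per_day: int) -> dict[str, int]:
    """Cards whose withdrawals in any rolling 24-hour window exceed cap_per_day.

    The cap is a constant in the authorization code path, not a field in the
    per-card limit record, so zeroing that record (the technique described in
    the story above) does not disable it. Returns {card: total at first breach}.
    """
    flagged: dict[str, int] = {}
    for card, rows in _by_card(auths).items():
        window: list[Auth] = []
        total = 0
        for a in rows:
            window.append(a)
            total += a.amount
            while a.ts - window[0].ts > timedelta(hours=24):
                total -= window.pop(0).amount
            if total > cap_per_day:
                flagged[card] = total
                break
    return flagged


def cross_border_velocity(auths: list[Auth], window: timedelta,
                          max_countries: int) -> dict[str, tuple[str, ...]]:
    """Cards used at ATMs in more than max_countries distinct countries
    inside any span of length `window`. Returns {card: countries seen}."""
    flagged: dict[str, tuple[str, ...]] = {}
    for card, rows in _by_card(auths).items():
        recent: list[Auth] = []
        for a in rows:
            recent.append(a)
            while a.ts - recent[0].ts > window:
                recent.pop(0)
            countries = {r.country for r in recent}
            if len(countries) > max_countries:
                flagged[card] = tuple(sorted(countries))
                break
    return flagged


if __name__ == "__main__":
    auths = parse_auths(SAMPLE_AUTHS)
    print("hard cap breaches:", over_hard_cap(auths, cap_per_day=5000))
    print("cross-border velocity:",
          cross_border_velocity(auths, timedelta(minutes=30), max_countries=2))
```

Both checks run on the authorization stream rather than on the card record, which is the point: an attacker who can edit limit fields in the processor database still cannot edit a ceiling compiled into the decision logic, and the velocity check catches the coordinated multi-country cashout even if every individual withdrawal is within limits.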
U.S. Department of Homeland Security ICS-CERT Issues Warning of Heightened Risk of Attack on Critical Infrastructure (May 9, 2013)
The US Department of Homeland Security (DHS) issued a warning "on a computer network accessible only to authorized industry and government users" about an increased threat of a cyberattack against "US critical infrastructure organizations." The intent appears to be not only theft of intellectual property, but "to disrupt ... control processes." The unclassified alert came from DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It made specific suggestions for steps to take to protect systems from harm; a second document listed indicators for determining whether systems have been compromised.
-http://www.washingtonpost.com/world/national-security/us-warns-industry-of-heightened-risk-of-cyberattack/2013/05/09/39a04852-b8df-11e2-aa9e-a02b765ff0ea_story.html
[Editor's Note (McBride): The mounting evidence of US-led cyber operations against Iran, including some industrial control systems there, may have been a factor in this reported "escalation". ]
Executive Order Requires US Government Agencies to Adopt Open Data Standards (May 9, 2013)
The White House has issued an executive order requiring that "the default state of new and modernized Government information resources shall be open and machine readable." Over the next six months, agencies must compile lists of all the datasets they collect and maintain and indicate which of those datasets can be made available to the public. They must also make the publicly available data easy to find, access, and use.
-http://www.nextgov.com/big-data/2013/05/white-house-orders-agencies-follow-new-open-data-standards/63068/?oref=ng-HPtopstory
Text of Executive Order:
-http://cdn.govexec.com/media/gbc/docs/pdfs_edit/050913jm1.pdf
[Editor's Note (Pescatore): The EO does contain the required privacy directives: "It is vital that agencies not release information if doing so would violate any law or policy, or jeopardize privacy, confidentiality, or national security." However, it seems to be missing any concern about the *integrity* of the data. The US CIO and CTO have 30 days to release policy and best practices - I hope they include requirements for due diligence in web site and web application security for government sites that will host such data. ]
*************************** Sponsored Links: ****************************** 1) Special Webcast Friday, 5/24: "The Intractable Problem of Software Security". Chris Wysopal, Veracode's Co-Founder and CTO, will dive into the data that drive the predictions detailed in the Veracode's fifth annual State of Software Security Report. http://www.sans.org/info/130687
2) At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD - Attend SEC575 and SEC579. http://www.sans.org/info/130692
3) Having trouble managing your security information? Don't miss our new Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at 1:00 PM EDT http://www.sans.org/info/130697 *****************************************************************************
THE REST OF THE WEEK'S NEWS
Name.com Customer Data Breach Includes Encrypted Passwords and Credit Card Info (May 9, 2013)
Patch Tuesday to Include Fix for IE8 Flaw Exploited in Attack on Dept. of Labor Site (May 9, 2013)
On Tuesday, May 14, Microsoft will issue 10 security bulletins to address vulnerabilities in Windows, Internet Explorer, Office and several other products. The company has indicated that the IE8 vulnerability for which it has already recommended a workaround and issued a Fix-it will be patched in one of the bulletins. The bulletins address issues that could be exploited to allow remote code execution, spoofing, information disclosure, or privilege elevation, or to create denial-of-service conditions.
-http://www.computerworld.com/s/article/9239064/Microsoft_rushes_IE8_zero_day_fix_into_next_week_s_Patch_Tuesday?taxonomyId=17
-https://technet.microsoft.com/en-us/security/bulletin/ms13-may
[Editor's Note (Pescatore): Looks like two Critical patches coming out in next week's Windows Vulnerability Tuesday. Last month, Microsoft had a bit of patch quality backsliding and had to rerelease MS13-036 due to crash problems. Seemed like an isolated incident vs. a trend, but probably worth a bit more QAing of this month's patches. ]
Microsoft Issues Stopgap "Fix-it" Measure for IE8 Flaw (May 9, 2013)
China's Success in Cyberespionage Does Not Indicate Technical Superiority (May 8, 2013)
Experts say that China's success in gaining access to government, military, and corporate computer systems in the US does not indicate the country's "technical superiority" but rather its patience and persistence in targeting systems and individuals and remaining hidden in networks for long periods of time. John Pescatore noted that China is "not smarter in software than [the US]. If they were, we would see them starting up new companies" rather than conducting cyberespionage. Rather than concern themselves with the sources of attacks, US companies would be well advised to make their systems as secure as they can by addressing basic vulnerabilities and configuration issues. What is notable about China's approach "is that they use the least amount of force necessary to accomplish their goals," according to Dan McWhorter, Mandiant's managing director of threat intelligence.
-http://www.computerworld.com/s/article/9239015/Chinese_hackers_master_the_art_of_lying_in_wait_?taxonomyId=17
2012 FBI Domestic Investigation Guide Says No Warrant Needed to Access eMail (May 8, 2013)
************************************************************************ The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/