************************ SPONSORED BY Bit9 *******************************
LIVE WEBCAST: Trust-based Application Control 101 - 8% of enterprise endpoints are infected with malware at any given time. And 80% of stolen data comes from servers the enterprise thinks are secure. These alarming statistics show why antivirus and other traditional security products are ineffective against advanced threats and targeted attacks. Register today for this webcast http://www.sans.org/info/121342
****************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013
- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013
- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster. http://www.sans.org/event/sans-2013
- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security. http://www.sans.org/event/monterey-2013
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts. http://www.sans.org/event/northern-virginia-2013
Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************
TOP OF THE NEWS
Red October Cyberespionage Operation Steals Data From Computers and Mobile Devices (January 14, 2013)
Dept. of Homeland Security Urging Companies to Protect Industrial Control Systems (January 11 & 14, 2013)
Researchers used the Shodan search engine to identify vulnerable Internet-connected supervisory control and data acquisition (SCADA) systems that support elements of US critical infrastructure. 7,200 systems were found to be using weak default passwords. The US Department of Homeland Security (DHS) has contacted those responsible for the identified systems and warned them about the security issues. -http://www.bbc.co.uk/news/technology-20984827 -http://news.techworld.com/security/3420347/important-scada-systems-secured-using-weak-logins-researchers-find/ [Editor's Note (McBride): 7200 weakly-protected systems likely includes PLCs that don't require access credentials at all. The biggest issue is that control systems are not generally under the direct purview of risk management teams -- and hence you have automation folks, including system integrators and contractors -- hooking things up without thinking twice. Couple that with the fact that many ICS systems are insecure by design and default, and you get this result. ]
New Jersey Gov. Christie's Cybersecurity Competition Offers Intense Training and Six-Month Internships (January 14, 2013)
New Jersey Governor Chris Christie is inviting New Jersey citizens to participate in a cybersecurity competition to win scholarships to the New Jersey CyberCenter, a program that offers intense, advanced, hands-on coursework, certifications, and six-month residencies at banks, the FBI, military organizations, and other organizations that help support the country's critical infrastructure. The top 60 scorers in the initial six-week online competition will earn the chance to participate in a cyberattack simulation competition at Brookdale. From that competition, 15-20 people will be chosen to participate in the program. As of last weekend, more than 700 people had already signed up for the initial competition. The CyberCenter students will be required to achieve accredited certifications in cybersecurity and to take intense, hands-on classes in both defensive and offensive cyber activity. They will also be required to select a specialization area: advanced forensics, advanced penetration testing, or advanced secure configurations. The competition is free and is open to all veterans, current service members, people seeking employment or second jobs, and New Jersey high school and college students. -http://www.nextgov.com/cybersecurity/2013/01/new-jersey-invites-vets-compete-cyber-residencies-key-institutions/60632/?oref=ng-HPriver [Editor's Note (Paller): Today is the last day for New Jersey students and returning veterans to register. Separately, the New Jersey program is a model for the nation; 50 educational leaders and senior federal officials met outside Washington last Saturday to learn from the New Jersey experience and design the national rollout of this critical national cyber manpower pipeline program. ]
US Banks Ask NSA for Help Fighting DDoS Attacks (January 11, 2013)
Singapore Amends Computer Misuse Act to Allow Preemptive Measures Against Cyberattacks (January 14, 2013)
Singapore's Parliament has approved an amendment to the Computer Misuse Act that allows the government to take preemptive action against cyberattacks. The amendment also imposes a fine of SG $50,000 (US $40,800) and a 10-year jail term for failing to comply with ministerial orders to take preemptive action. Prior to the amendment, the Ministry of Home Affairs had the authority to take action only after an attack on critical information infrastructure (CII) has been detected. -http://www.zdnet.com/sg/spore-beefs-up-cybersecurity-law-to-allow-preemptive-measures-7000009757/ -http://www.mha.gov.sg/news_details.aspx?nid=Mjc1NQ%3d%3d-OPxAwlOrs50%3d [Editor's Note (Shpantzer): "What could possibly go wrong?" Let's see: Create the impression (via chat rooms, other easily monitored 'threat intel' channels) that competitor X is about to be attacked. Government forces them to institute 'preemptive measures,' etc.]
US Defense Department Wants Automated Systems to Help with Cyberattack Analysis (January 14, 2013)
The Defense Department's (DOD's) Defense Advanced Research Projects Agency (DARPA) is hoping to use machines to help analyze network vulnerabilities. The Cyber Targeted Attack Analyzer will gather data from various sources so that anomalies can be more easily detected. DARPA will likely issue a request for proposals in mid-February, following a January 30 briefing for prospective contractors for the project. One of the hurdles the contractors will face is integrating data from devices that are not compatible with each other. -http://www.nextgov.com/big-data/2013/01/pentagon-cyberwarriors-unload-some-defensive-tasks-big-data/60633/?oref=ng-HPtopstory -https://www.fbo.gov/?s=opportunity&mode=form&id=cf7cca2473228d78c5549e8b922548dc&tab=core&_cview=1 [Editor's Note (Henry): Glad to see DARPA promoting this. You must assume the adversary is on your network. Constantly monitoring and "hunting" for them is the best way to mitigate the consequences of the inevitable breach. Sharing the intelligence gathered, at network speed rather than the speed of humans, is the best opportunity to make the network more resilient. ]
Microsoft Releases Fix for Critical IE Vulnerability (January 14, 2013)
Australian Intelligence Organization Seeking Broader Device Access Powers to Fight Terrorism (January 13, 2013)
The Australian Attorney General's Department is seeking authority for the Australian Security Intelligence Organisation (ASIO) to use private citizens' computers to break into and take control of computers and mobile devices of suspected terrorists. Privacy groups are critical of the proposal, calling it "extraordinarily broad and intrusive." The plan would allow ASIO to gain access to third party computers "for the specific purpose of gaining access to a target computer." The action would require explicit approval from the Attorney General. Currently, ASIO is prohibited from taking action to "add, delete, or alter data or interfere with, interrupt, or obstruct the lawful use of the target computer," but it wants the ban lifted. -http://www.news.com.au/technology/spy-agency-asio-wants-powers-to-hack-into-personal-computers/story-e6frfro0-1226552661701
Banks and ISPs Not Forthcoming with Information About Cyberattacks (January 11, 2013)
Global Payments Breach Costs Estimated to be US $94 Million (January 10, 2013)
The Global Payments data breach that was disclosed last April has cost the company nearly US $94 million. The breach is estimated to have affected 1.5 million payment cards. The costs are largely the result of changes that Global Payments has made to improve data security and to comply with the Payment Card Industry Data Security Standard (PCI-DSS). -http://www.bankinfosecurity.com/global-payments-breach-tab-94-million-a-5415 [Editor's Note (Murray): If an enterprise is part of the payment card industry and has contracted to do so, the cost of PCI DSS compliance is a cost of doing business. To attribute that cost to a breach that demonstrated that the enterprise was not compliant is disingenuous. ]
A Note on the Loss of Aaron Swartz
Many of you know of the tragic loss of Aaron Swartz. I did not know the man, but I have lived through the suicide of someone close to me and fifteen years later I still feel loss, pain, and confusion. So, we want to express our concerns, hopes and prayers for those who did know him and want to express heartfelt sympathy for their loss. - Stephen Northcutt
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/