Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 13 Num. 44 : DHS and White House change the game in federal cybersecurity reporting and management; Another defense contractor hit in RSA SecureID attack

  • From: The SANS Institute
  • Date: Fri Jun 03 14:26:29 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FLASH: Earlier this morning, the White House and Department of Homeland
Security announced what will, I think, be a huge improvement in federal
cybersecurity - one that will result in rapid risk reduction and
potentially allow the government to lead by example in showing how to
manage cyber security effectively. The newly released document, "FY 2011
Chief Information Officer FISMA Reporting Metrics," requires agencies
to report on their progress in automating the continuous (daily)
measurement of the most critical security risks. "What gets measured
gets done." These new metrics asses agency progress in implementing the
sensors and systems needed for continuous monitoring of the small number
of key controls defined by NSA, DHS and the other agencies and companies
that are fully aware how cyber attacks are executed and what controls
are needed to block those attacks or mitigate damage.  For a copy of the
new document, click the button at the top of the screen at

    http://www.sans.org/critical-security-controls/

Kudos to Matt Coose of DHS and to the White House team.
                  
Of direct relevance to people interested in continuous monitoring: NSA
is just releasing complementary documents on continuous improvement of
the critical controls detailed in the metrics required by DHS, and SANS
will release an updated version of the Twenty Critical Controls later
this month. More on both of those next week.

                                    Alan

**************************************************************************
SANS NewsBites                  June 3, 2011             Vol. 13, Num. 044
**************************************************************************
TOP OF THE NEWS    
  Another Defense Contractor Targeted in RSA SecurID Attacks
  Pentagon Cyber Warfare Strategy
  Tennessee Law Prohibits Sharing Login Credentials
THE REST OF THE WEEK'S NEWS 
    Apple Playing Catch-Up With Malware Variants
    All Sony PSN Services Now Restored
    Google Thwarts Spear Phishing Attack Against Government Officials
    Second Annual UK Cyber Security Challenge Launched
    Facebook Video Scam Spreading
    Honda Canada Facing Class Action Lawsuit Following Breach
    Google Pulls Malware-Infected Apps From Android Market
    HHS Proposes Changes to HIPAA Privacy Rule

***************************************************************************
TRAINING UPDATE
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
8 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
41 courses.  Bonus evening presentations include Ninja Developers:
Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
- -- SANS Virginia Beach 2011, August 22- September 2, 2011
11 courses.   Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/
- -- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011
5 courses.   Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
43 courses.   Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
information Security and Investigations
http://www.sans.org/network-security-2011/
- -- Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus London, Austin, Canberra and Ottawa all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

******************* SPONSORED BY Symantec *************************

Modern malware rarely strikes the same way twice. Today's malicious code
rapidly mutates, bypassing traditional defenses.  Traditional antivirus
approaches no longer work. Download the Symantec Endpoint Protection 12
beta to see how Symantec can help mitigate threats today and tomorrow
for both small businesses and the largest enterprises.
http://www.sans.org/info/79184
****************************************************************************

TOP OF THE NEWS
 --Another Defense Contractor Targeted in RSA SecurID Attacks
(May 31 & June 1 & 2, 2011)
More US defense contractors may have been targeted in attacks using
information stolen from RSA in March. An internal message sent to
employees of L-3 Communications said the company "has been actively
targeted with penetration attacks leveraging the compromised
information." What is not known is whether the attackers were
successful. L-3 reportedly uses RSA's SecurID to allow access to an
unclassified corporate network. Another defense contractor, Lockheed
Martin, recently acknowledged that it suffered a cyber attack which has
also been linked to the RSA data breach. A third defense contractor may
have been targeted as well. Emerging reports are saying that last week,
Northrup Grumman, cut remote access to its network and initiated a
"domain name and password reset across the entire organization."
http://www.wired.com/threatlevel/2011/05/l-3/
http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/
http://www.scmagazineus.com/lockheed-admits-to-hack-that-may-portend-more-breaches/article/204205/
http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/
http://news.cnet.com/8301-27080_3-20068051-245.html
 
 --Pentagon Cyber Warfare Strategy
(May 31, 2011)
The Pentagon's forthcoming cyber warfare strategy will reframe cyber
attacks as possible acts of war, which would allow the US to respond to
certain attacks on critical systems with force. US government and
military systems have been facing cyber attacks from foreign powers more
at least eight years. Attackers have stolen sensitive information,
including data about the F35 fighter.
http://www.guardian.co.uk/world/2011/may/31/washington-moves-to-classify-cyber-attacks
http://www.computerworld.com/s/article/9217161/Cyberattacks_can_justify_armed_response_Pentagon_says?taxonomyId=17
http://www.theregister.co.uk/2011/05/31/hacking_as_act_of_war/
http://www.bbc.co.uk/news/world-us-canada-13614125
http://www.informationweek.com/news/government/security/229700205
http://www.nextgov.com/nextgov/ng_20110531_5712.php?oref=topnews
[Editor's Note (Paller) What you might have missed in the buzz caused
by the Wall Street Journal report on the upcoming DoD cyber strategy was
the report published this week by Ellen Nakashima of the Washington Post
detailing the Pentagon's list of cyber weapons and tools, including
viruses that can sabotage an adversary's critical networks, to
streamline how the United States engages in computer warfare.
http://www.washingtonpost.com/national/list-of-cyber-weapons-developed-by-pentagon-to-streamline-computer-warfare/2011/05/31/AGSublFH_story.html
(Schultz): Given that malicious code can be used as a weapon and that
attackers are capable of breaking into and controlling systems that are
part of the national infrastructure, the Pentagon's strategy makes
perfect sense.]

 --Tennessee Law Prohibits Sharing Login Credentials
(June 2, 2011)
Tennessee's governor has signed into law a bill that makes it illegal
to share login information - usernames and passwords - with anyone,
including family members. The law takes effect July 1 and applies only
within the borders of that state. The bill is an expansion of laws that
allow prosecution of people for stealing cable service or not paying for
restaurant meals. People convicted under the law of stealing up to US
$500 worth of entertainment could face a year in jail and a fine of up
to US $2,500. For those convicted of stealing more than US $500 of
content, penalties are greater.
http://news.cnet.com/8301-13506_3-20068233-17.html?tag=mncol;title

***************************  SPONSORED LINKS  ******************************
1) Learn how to secure your network during the IPv6 transition at the
Security Impact of IPv6 Summit July 15th in Washington DC and take
advantage of the post-Summit IPv6 Essentials course July 16th.
http://www.sans.org/info/79189

2) Hear industry experts discuss techniques to fight crimes at the
Forensics and Incident Response Summit in Austin, Texas - June 7-8th.
Make sure to also attend any of the 4 post-Summit courses June 9-14th.
http://www.sans.org/info/79194
****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Apple Playing Catch-Up With Malware Variants
(May 31 & June 1 & 2, 2011)
Not even a day after Apple released an update for OS X to protect users
from attacks used to spread rogue anti-virus products, a variant of the
malware that evades the new protections was been detected.  Apple has
released yet another update to detect the new malware variant.
Researchers are calling the events a "cat-and-mouse game."
Internet Storm Center: https://isc.sans.edu/diary.html?storyid=10951
http://www.theregister.co.uk/2011/06/02/apple_mac_scareware_updte/
http://www.v3.co.uk/v3-uk/news/2075478/macdefender-bypasses-apples-security-patch
http://www.computerworld.com/s/article/9217269/Apple_strikes_back_at_newest_Mac_scareware?taxonomyId=17
http://www.theregister.co.uk/2011/06/01/mac_osx_scareware_evasion/
http://www.computerworld.com/s/article/9217210/Mac_scareware_gang_evades_Apple_s_new_anti_malware_defenses?taxonomyId=17
http://krebsonsecurity.com/2011/05/apple-update-targets-mac-malware/
 
 --All Sony PSN Services Now Restored
(June 2, 2011)
More than a month after a massive data breach forced Sony to shut down
its PlayStation Network (PSN) and Qriocity music service, both services
have been completely restored. Sony took down the sites on April 20, and
partially restored PSN in May. Users had been unable to access the PSN
Store until this week.
http://content.usatoday.com/communities/gamehunters/post/2011/06/sony-restores-all-playstation-network-services/1
http://www.washingtonpost.com/blogs/faster-forward/post/sony-playstation-store-back-online/2011/06/02/AGhwcEHH_blog.html
http://www.theglobeandmail.com/news/technology/video-games/controller-freak/sony-completes-full-restoration-of-playstation-network/article2044628/

 --Google Thwarts Spear Phishing Attack Against Government Officials
(June 1 & 2, 2011)
The US government is investigating a spear phishing attack that tricked
senior US government officials and military personnel into revealing
their Gmail login credentials. Google says it shut down the attack,
which appeared to emanate from Jinan in China, and also targeted
journalists, Chinese political activists and officials in other Asian
countries. A statement from a Chinese official called allegations of
China's involvement with the attack "groundless." The incident
underscores the security issues posed by cloud-based services.
http://www.washingtonpost.com/business/technology/google-says-hackers-based-in-china-accessed-us-officials-gmail-accounts/2011/06/01/AGwgRmGH_story.html?hpid=z1
http://www.wired.com/threatlevel/2011/06/gmail-hack/
http://news.cnet.com/8301-1009_3-20068229-83/feds-investigate-alleged-attacks-on-gmail-accounts/?tag=mncol;title
[Editor's Note (Pescatore): There appears to be a lot more research
being done using Facebook, LinkedIn and other social network posts to
make targeted phishing emails much more personalized.]

 --Second Annual UK Cyber Security Challenge Launched
(June 1 & 2, 2011)
Registration has begun for the UK's second annual Cyber Security
Challenge, a competition designed to encourage people with interest and
skills in cyber security to pursue and develop careers to fill the need
for specialists to defend UK networks. Those who are interested can
register through the competition website to participate in a series of
challenges over the coming year. This year's competition has three
strands: secure network design, informed defence, and investigate and
understand.
http://www.bbc.co.uk/news/technology-13615091
http://www.eweekeurope.co.uk/news/cyber-security-challenge-open-for-registrations-30797

 --Facebook Video Scam Spreading
(June 1, 2011)
Some links spreading through Facebook that claim to lead to salacious
videos actually lead users to sites that install rogue security software
on their computers. Facebook has thus far been powerless to stop the
scareware attacks. The scheme targets both PCs and Macs. The ruse varies
with operating systems. PC users are told they need to install the most
recent version of Adobe Flash Player to view the video; Mac users are
greeted with a security warning pop-up that offers a "fix" button. The
malware redirects users to pornographic websites every five minutes
until they pay for a software license.
http://www.computerworld.com/s/article/9217229/Facebook_video_scam_puts_malware_on_Mac_and_Windows?taxonomyId=17

 --Honda Canada Facing Class Action Lawsuit Following Breach
(June 1, 2011)
Lawyers representing Honda Canada customers have filed a class action
lawsuit against the automobile company over a data security breach that
compromised information belonging to 283,000 customers. The breach
occurred in March 2011, but Honda Canada did not start notifying
customers until May. The compromised information included names,
addresses, vehicle identification numbers (VINs) and Honda Financial
Services account numbers stored on personalized web pages.  Some
customers who never entered the information are affected by the breach
because the company pre-populated pages with customer data before asking
them to customize their own pages.
http://www.informationweek.com/news/security/attacks/229700261

 --Google Pulls Malware-Infected Apps From Android Market
(May 31 & June 1, 2011)
Google has pulled nearly three dozen apps from its Android market after
learning that the mobile applications were infected with malware. The
questionable apps are maliciously altered versions of legitimate ones.
Several months ago, Google removed more than 50 apps from Android Market
over similar concerns. The malware in question this time is being called
DroidDream Light.
http://www.scmagazineus.com/new-android-malware-variant-lands-with-a-punch/article/204296/
http://www.theregister.co.uk/2011/05/31/android_market_malware/
http://www.theregister.co.uk/2011/06/01/android_trojan_rash/
http://www.computerworld.com/s/article/9217178/Google_faces_new_round_of_Android_malware?taxonomyId=17
[Editor's Note (Schultz): The real problem here is that apps for
smartphones (not just Androids) generally receive little if any security
scrutiny before they are made available to the public.
(Pescatore/Paller): We think the iPhone/iPad App Store approach has
proven the world is tired of constant malware problems when the platform
vendor provides no security value add via some testing of apps before
the malicious ones impact users. The Amazon AppStore for Android is a
step in the right direction, but Google really needs to raise the bar,
not lower it, in this area.]

 --HHS Proposes Changes to HIPAA Privacy Rule
(May 31, 2011)
The US Department of Health and Human Services (HHS) has proposed
changes to the Health Insurance Portability and Accountability Act
(HIPAA) that would allow patients to see the names of every person who
accesses their electronic health records. Paper records would be exempt
from the new rule. HIPAA currently gives consumers the right to know
when their health information has been shared with third parties, but
patients must request that information.
http://redtape.msnbc.msn.com/_news/2011/05/31/6757204-is-someone-snooping-your-health-records-new-rule-will-tell-you-who
http://www.informationweek.com/news/healthcare/policy/229700217
http://www.informationweek.com/news/security/government/229700300
http://www.healthcareitnews.com/blog/hitech-revises-hipaa-regulations
Text of proposed rule:
http://www.federalregister.gov/articles/2011/05/31/2011-13297/hipaa-privacy-rule-accounting-of-disclosures-under-the-health-information-technology-for-economic#p-35


************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3pGdoACgkQ+LUG5KFpTkaOBACeIM4O8NGabl1KX3ofyM8Mce73
ynQAoKR9xPvnX3EjMHL5asevVKiaHtbx
=n4Aa
-----END PGP SIGNATURE-----




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.