[Netsec] SANS NewsBites Vol. 14 Num. 18 : NSA Addresses Mobile Security; Republican Senators Introduce Cyber Security Legislation; Air Force Makes Cyber A Career Option; Arrest 25 in Connection with Anonymous
- From: The SANS Institute
- Date: Fri Mar 02 15:12:00 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The biggest story from the RSA conference this week is the first story
in this issue: NSA found and described a path to security for mobile
devices - not one they will build exclusively for military use but one
all large organizations can use by ensuring their vendors deliver tools
and services that follow the NSA roadmap. The second biggest story from
RSA isn't in the news, because reporters were excluded from the meeting
where it played out. Top US and Canadian government cybersecurity
leaders met to discuss why and how to standardize (as the Brits have
done) on the 20 Critical Controls and on automated continuous (daily)
monitoring and mitigation, which were now the sensible path forward. With the
President adding $200 million to the Budget for rapid acquisition and
implementation of the tools for automated continuous monitoring of those
controls across government, "we have reached the tipping point," wrote
one of the US officials who was at the meeting.
Checks are flowing in for the Paul Bartock Scholarship Fund; the total
passed $10,500 today. Some people stopped me at RSA and asked if they
could use credit cards. To do so, go to thecommunityfoundation.org; on
right hand side of web site click on DONATE; where it says "What would
you like to donate to?" hit the drop down menu and select Paul Bartock
Scholarship (it will be under P); complete the form including amount you
would like to donate and credit card info; submit form.
Alan
**************************************************************************
SANS NewsBites March 2, 2012 Vol. 14, Num. 018
**************************************************************************
TOP OF THE NEWS
NSA Addresses Mobile Security
Republican Senators Introduce Cyber Security Legislation
US Air Force Makes Cyber A Career Option
Police in South America and Europe Arrest 25 in Connection with
Anonymous Activity
THE REST OF THE WEEK'S NEWS
Cyber Challenge Competitions Offer Hands-on Training
Malware Launches Man-in-the-Middle Attacks on Online Banking Transactions
Two Arrested in France in Connection with Mobile Trojan
Microsoft Acknowledges Attack on Microsoft Store India
The Pirate Bay Switches to Magnet Links
NIST Releases Draft Update of Security and Privacy Guidance for
Federal Agencies
Officials Crack Encryption on Defendant's Laptop
Stolen NASA Laptop Was Unencrypted
Ireland Passes Copyright Act Amendment
********************** SPONSORED BY LogLogic, Inc. **********************
Manage your Big Data with the most scalable log & security intelligence
platform for the Enterprise & Cloud.
Don't take our word. Try it yourself! For a limited time, download here:
http://www.sans.org/info/100684
**************************************************************************
TRAINING UPDATE
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012
5 courses. Bonus evening presentations include Introduction to Windows
Memory Analysis; and Why Our Defenses are Failing Us: One Click is All
It Takes ...
http://www.sans.org/singapore-2012/
--SANS Mobile Device Security Summit: The Growing and Constantly
Changing Challenge,
Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012
Mobile device security experts and practitioners from organizations
that have implemented successful programs will discuss the most
promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/
--SANS 2012, Orlando, FL March 23-29, 2012
40 courses. Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012
7 courses. Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012
11 courses. Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012
5 courses.
http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012
12 courses.
http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012
25 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
--Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Stuttgart, Abu Dhabi, Toronto, Brisbane, and Bangalore all
in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
***********************************************************
TOP OF THE NEWS
--NSA Addresses Mobile Security
(February 29, 2012)
A National Security Agency (NSA) pilot program aims to model secure
classified communications over commercial mobile devices. However, the
NSA has found that off-the-shelf products are inconsistent in their
implementation of the standards and protocol that NSA requires. The
agency would prefer not to have to be tied to one platform, but for the
time being, they have no choice.
http://www.cio.com/article/701252/National_Security_Agency_Defines_Smartphone_Strategy_Think_Android_Maybe_
http://gcn.com/articles/2012/02/29/rsa-10-nsa-secure-android-phones.aspx
[Editor's Note (Pescatore): Back in the late 80s NSA and the DoD tried
to push multi-level secure versions of Windows, Solaris, Unix etc.
because the commercial versions weren't "consistent in their
implementation of..." and after a few years even the DoD and
Intelligence community found they could not use the MLS versions and had
to use the commercial versions. The use of encrypted data containers,
mobile device management and "business strength" app stores on mobile
devices will be more mainstream approaches.
(Paller): On the other hand, perhaps NSA learned a great deal from those
experiences in the 80s and a joint approach involving major industrial
buyers and other nations will have a different outcome this time.]
--Republican Senators Introduce Cyber Security Legislation
(February 29 & March 1, 2012)
Republican legislators have introduced their own cyber security bill in
the US Senate. The SECURE IT Act is being promoted as less regulatory
than the Cyber Security Act. The bill aims to encourage cyber threat
information sharing through incentives. Most information sharing would
be voluntary; the only case in which it would be required is if the
threat information is related to a federal contract. The newer bill
would also stiffen penalties for those convicted of certain cyber
crimes.
http://www.federalnewsradio.com/?nid=473&sid=2768801
http://www.computerworld.com/s/article/9224813/Republican_senators_introduce_their_own_cybersecurity_bill?taxonomyId=17
http://www.msnbc.msn.com/id/46595432/ns/technology_and_science-security/
http://thehill.com/blogs/hillicon-valley/technology/213307-republicans-to-introduce-cybersecurity-alternative-thursday
--US Air Force Makes Cyber A Career Option
(March 1, 2012)
The Air Force has established career paths for both enlisted personnel
and officers that allow them to stay in the field of computers for the
duration of their careers. Previously, people were given one tour in the
cyber arena followed by tours in other areas. People with an interest
in computers left to work for private industry so they could stay in the
areas they enjoyed. The Air Force is aware that it cannot compete with
a private sector salary, but "when you're working with the right
authorities here, you can do a lot of things that can get you put in
jail in the private sector," according to Skip Runyan, technical
director for the Air Force's main cyber training unit.
http://www.federalnewsradio.com/?nid=396&sid=2768121
--Police in South America and Europe Arrest 25 in Connection with
Anonymous Activity
(February 28 & 29, 2012)
Police in Argentina, Chile, Colombia, and Spain have arrested a total
of 25 people in connection with the Anonymous hacking collective. The
arrests are part of "Operation Unmask," which also resulted in the
seizure of 250 pieces of equipment. The action was taken in response
to cyber attacks on government, political, and corporate websites.
http://www.wired.com/threatlevel/2012/02/anonymous-arrested-interpol/
http://www.h-online.com/security/news/item/Interpol-coordinates-arrests-of-Anonymous-hackers-1445286.html
*********************** SPONSORED LINKS: *****************************
1) Privileged Password Sharing: Root of All Evil. Featuring Senior SANS
Analyst, J. Michael Butler, and Jason Fehrenbach from Quest Software
http://www.sans.org/info/100689
2) Take the SANS 8th Annual Log and Event Management Survey and be entered
to WIN a $250 American Express Card. http://www.sans.org/info/100694
3) Demystifying External Authorization: Oracle Entitlements Server Review.
Featuring: Tanya Baccam and Roger Wigenstam
http://www.sans.org/info/100699
************************************************************************
THE REST OF THE WEEK'S NEWS
--Cyber Challenge Competitions Offer Hands-on Training
(February 29, 2012)
Panelists speaking at the RSA Conference in San Francisco earlier this
week said that according to the Cyber Challenge, colleges are not
adequately preparing students to work in the field of cyber security.
Cyber Challenge national director Karen Evans compared the problem to
"trying to field a professional baseball team when there's no little
league team out there." One competitor, Alex Levinson, said his college
education did not prepare him to work in cyber security, and that the
Cyber Challenge competitions provide the opportunity "to go through and
learn the actual hands-on skills that you're going to use in the
workplace." Cyber Challenge is a public-private partnership that offers
cyber security competitions and camps for high school and college
students as well as working professionals.
http://wiredworkplace.nextgov.com/2012/02/cyber_challenge_fills_education_void.php?oref=latest_posts
--Malware Launches Man-in-the-Middle Attacks on Online Banking Transactions
(February 28, 2012)
A new piece of malware dubbed Shylock is being used to conduct
man-in-the-middle attacks on customers who use online banking services.
The attacks have focused mainly on business banking customers. Shylock
hijacks sessions after users log in to their accounts; it pops up a live
chat session window in which users are told the session has been
suspended for one reason or another, and then the attacker poses as a
customer service representative, who transmits information to the bank
and steals funds. The live chat session seeks the information necessary
to carry out the fraudulent transaction.
http://www.theregister.co.uk/2012/02/28/banking_trojan_hijack_live_chat/
http://www.trusteer.com/blog/speaking-devil-%E2%80%93-malware-adds-live-chat-commit-fraud
--Two Arrested in France in Connection with Mobile Trojan
(February 28, 2012)
Law enforcement authorities in France have arrested two people in
connection with a malware scam involving Android phones. The pair
allegedly infected the devices with the Foncy Trojan horse program,
which sent text messages to premium rate numbers, costing infected users
4.5 euros (US$6) each. The two allegedly netted 100,000 euros
(US$133,000) through the scheme.
http://www.theregister.co.uk/2012/02/28/french_android_malware_arrests/
http://www.scmagazineuk.com/duo-arrested-in-france-over-100000-android-malware-scam/article/229665/
--Microsoft Acknowledges Attack on Microsoft Store India
(February 28, 2012)
Microsoft is now acknowledging that an attack on its Microsoft Store
India website may have compromised the credit card information and other
financial data of customers who have used that site. The site has been
offline since early February, when the attack was detected. Microsoft
said it has notified all potentially affected customers.
http://www.theregister.co.uk/2012/02/28/microsoft_india_card_breach/
http://www.computerworld.com/s/article/9224699/Microsoft_India_warns_that_hackers_accessed_customer_data
--The Pirate Bay Switches to Magnet Links
(February 28, 2012)
As of February 29, The Pirate Bay is no longer providing torrent files.
Instead, the site is offering magnet links, which allow users to
download files from other BitTorrent users. In an interview, members of
The Pirate Bay team said that "it shouldn't make that much of a
difference for the average user." Their explanation for the change is
that Torrents consume a lot of space and time. Aside from using fewer
resources, magnet links are also less likely to get a site shut down.
http://news.cnet.com/8301-1009_3-57387238-83/the-pirate-bay-tosses-all-torrents/
--NIST Releases Draft Update of Security and Privacy Guidance for
Federal Agencies
(February 29, 2012)
The National Institute of Standards and Technology (NIST) has issued the
first public draft of the updated version of Special Publication 800-53,
Security and Privacy Controls for Federal Information Systems and
Organizations. The document was last updated in 2009, before the
widespread adoption of cloud computing and the WikiLeaks scandal. The
new draft document includes guidance on spotting and dealing with an
employee who may pose a threat to data security. The publication also
addresses smartphone security issues, including a recommendation to
ensure that data on the devices can be remotely purged if they are
lost or stolen. NIST is accepting comments on the draft document through
April 6, 2012.
http://www.informationweek.com/news/government/security/232601767
http://www.nextgov.com/nextgov/ng_20120229_2095.php
--Officials Crack Encryption on Defendant's Laptop
(February 29 & March 1, 2012)
Federal law enforcement officials have decrypted a seized laptop
belonging to Ramona Fricosu, rendering moot a judge's order for her to
decrypt the drive or face jail time for contempt of court. Fricosu and
her former husband are defendants in a mortgage fraud case. The case was
being closely watched because it was addressing the question of whether
or not ordering a defendant to decrypt a laptop violated the defendant's
Fifth Amendment rights.
http://www.wired.com/threatlevel/2012/02/decryption-flap-mooted/
http://www.theregister.co.uk/2012/03/01/forced_decryption_ruling_moot/
--Stolen NASA Laptop Was Unencrypted
(February 29 & March 1, 2012)
A laptop computer stolen from NASA last March contained information used
to send commands to the International Space Station. In written
testimony provided to US legislators, NASA inspector general Paul Martin
said that the laptop was not encrypted. Martin's testimony also
mentioned that between April 2009 and April 2011, NASA reported 48
laptops or mobile devices lost or stolen. Martin also noted that NASA's
IT chief lacks the authority to enforce IT security policies.
http://www.nextgov.com/nextgov/ng_20120229_1209.php
http://www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/
http://www.v3.co.uk/v3-uk/news/2156457/nasa-admits-losing-laptop-containing-space-station-controls
http://science.house.gov/sites/republicans.science.house.gov/files/documents/hearings/HHRG-112-SY21-WState-PMartin-20120229.pdf
[Editor's Note (Honan): Policies that are not enforced are about as
useful as a chocolate coffee pot.]
--Ireland Passes Copyright Act Amendment
(February 29 & March 1, 2012)
Irish lawmakers have passed an amendment to the Copyright Act that is
being compared to the US's now-defunct SOPA bill. The law allows
copyright holders to seek injunctions against Internet service providers
(ISPs) that let users access websites offering pirated content.
Opposition to the amendment is being expressed through an online
petition. The public outcry has prompted the Irish government to
undertake a review of existing copyright law.
http://www.v3.co.uk/v3-uk/news/2156496/ireland-passes-sopa-anti-piracy-legislation-despite-protests
http://www.irishtimes.com/newspaper/ireland/2012/0301/1224312582020.html
http://www.rte.ie/news/2012/0229/copyright.html
http://siliconrepublic.com/new-media/item/26025-irish-govt-to-review/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk9RE1YACgkQ+LUG5KFpTkZ9+gCcDZP/gPPC+Sh32wU3IVuTbQZ5
WeIAnAwqAUCpPR68qSxbdhFq8ajTu+Ws
=noPz
-----END PGP SIGNATURE-----