Friday, September 7, 2012

SANS News Weekend Sept 07, 2012



The international consortium on the 20 Critical Controls, led by Tony
Sager, will have its first meeting as part of the National Cybersecurity
Innovation Conference (to be keynoted by NSA's IAD Director, Deborah
Plunkett) October 3-4-5 at the Baltimore Convention Center. Attendees
will also see the top rated session from RSA - Ed Skoudis on the Five
Most Dangerous New Attack Techniques.  You'll get the only U.S. briefing
(plus a Q&A workshop) by the Australians on their breakthrough that
stops targeted attacks (APT) and two very cool NSA innovations. Plus
you'll learn how NASA and HHS were able to automate security risk
mitigation quickly and cost effectively. Senior federal officials will
provide policy discussion on where the government is taking cyber
security defense and automation and you will also be able to attend (at
no additional cost) the collocated DHS/NSA/NIST program on continuous
monitoring.  Register at sans.org/ncic-2012


**************************************************************************
SANS NewsBites               September 7, 2012           Vol. 14, Num. 072
**************************************************************************
TOP OF THE NEWS
  UK's GCHQ Chooses Top 20 Security Controls to Enable Businesses To
    Protect Their Systems from Cyber Attacks
  FTC Issues Mobile Security and Privacy Guidelines for Mobile App Developers
  Government Lawyers Say Cell Phone Location Data Can be Obtained
    Without Probable-Cause Warrant
THE REST OF THE WEEK'S NEWS
    Court: Employee Had Valid Access Rights When He Downloaded
      Proprietary Data
    Pushdo Variant Hides Communication With Command-and-Control Server
    Flash Not Patched in Windows 8 With IE10
    Light Patch Tuesday Allows Time to Prepare for New Certificate
      Requirements
    Sony Acknowledges Customer Data Compromised
    ICS-CERT Warns of Vulnerability in GarrettCom Network Switches
    Huawei Maintains it is Not Engaged in Cyber Espionage
    FBI Says Laptop Not Breached; Apple Says it Did Not Provide UDID
      List to FBI
    Two Men Charged with Attempting to Buy Trade Secrets

*************************** Sponsored By SANS *****************************

Special Webcast: Harvesting the Rotten Fruit II: Injecting until the
Application leaks! Monday, September 10, 2012 at 1:00 PM EDT - Featuring
Kevin Johnson. In this the second part of this trilogy, we will explore
how SQL injection affects our applications. We will also discuss some
basic methods for finding these issues and tools to make it easier for
organizations.

http://www.sans.org/info/112852

****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference,
Oct 3-5, Baltimore - featuring briefings by and exhibits from all the vendors
that have tools for automating the 20 critical controls and for
continuous monitoring.  www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC)
Oct 3-5, Baltimore - featuring DHS and other government leaders
providing a clear picture of the changes coming in federal cybersecurity
- especially in cloud and continuous monitoring. Not to miss.  We try
never to promote conferences where SANS doesn't control the program, but
this is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

--SANS Capital Region Fall 2012  September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/
--SANS Crystal City 2012          Arlington, VA    September 6-11, 2012
4 courses. Bonus evening presentations include SIFT Workstation: The Art
of Incident Response.
http://www.sans.org/crystal-city-2012/
--SANS Baltimore 2012    October 15-20, 2012
6 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/
--SANS Network Security 2012, Las Vegas, NV   September 16-24, 2012
43 courses. Bonus evening presentations include Evolving Threats; New
Legal Methods for Collecting and Authenticating Cyber Investigation
Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/
--SANS Forensics Prague 2012   Prague, Czech Republic     October 7-13, 2012
6 courses. Bonus evening presentations include Big Brother Forensics:
Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/
--SANS Singapore 2012   Singapore, Singapore     October 8-20, 2012
5 courses, including the new Virtualization and Private Cloud Security
course, and Advanced Forensics and Incident Response.
Don't miss this opportunity to upgrade your IT skills, work toward your
GIAC security certification, and network with other top information
security professionals.
http://www.sans.org/singapore-sos-2012/
--SANS Seattle 2012     Seattle, WA              October 14-19, 2012
5 courses. Bonus evening presentations include What's New in Windows 8
and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux
Folks.
http://www.sans.org/seattle-2012/
--SANS Chicago 2012            Chicago, IL      October 27-November 5, 2012
9 courses. Bonus evening presentations include Securing the Kids and
Securing the Human.
http://www.sans.org/chicago-2012/
--SANS London 2012            London, UK      November 26-December 3, 2012
16 courses.
http://www.sans.org/london-2012/
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Dubai, San Diego, Johannesburg, Seoul, and Tokyo all
in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

***************************************************************************

TOP OF THE NEWS
 --UK's GCHQ Chooses Top 20 Security Controls to Enable Businesses To
    Protect Their Systems from Cyber Attacks
(September 5 & 6, 2012)
The UK's GCHQ is introducing a new program to help British businesses
protect their computer systems from attacks. The program is called Cyber
Security for Business and was launched on Wednesday, September 5. This
marks the first time that intelligence services in the UK will be
working directly with private sector organizations to help better their
cybersecurity stance. GCHQ has created a guide titled Top 20 Critical
Controls for Effective Cyber Defence, which is aimed at helping
organizations reduce the risk of cyberthreats and prevent or deter most
attacks. GCHQ director Iain Lobban says the approach will "make the bad
guys' job harder and won't cost a fortune."
http://www.v3.co.uk/v3-uk/news/2203085/gchq-to-arm-uk-businesses-against-cyber-attacks
http://www.telegraph.co.uk/news/uknews/defence/9521715/PLS-PIC-AND-PUB-GCHQ-to-advise-senior-business-leaders-on-how-to-fight-cyber-attacks.html
http://www.independent.co.uk/news/uk/politics/spooks-to-show-businesses-how-to-fight-cyber-attacks-8105025.html
http://www.theregister.co.uk/2012/09/05/cyber_security_gchq_launch/
http://www.scmagazineuk.com/if-the-government-talks-about-cyber-security-will-anyone-listen/article/257733/
[Editor's Note (Honan): The Top 20 security controls are available from
http://www.bis.gov.uk/policies/business-sectors/cyber-security/downloads
The executive companion document is interesting in that it provides case
studies to help senior management understand the impact of a breach and
the steps to prevent it. ]

 --FTC Issues Mobile Security and Privacy Guidelines for Mobile App Developers
(September 5, 2012)
The US Federal Trade Commission (FTC) has issued guidelines for mobile
application developers to help them avoid privacy and security pitfalls.
Privacy recommendations include being transparent about data practices;
giving users control over how their information is used; and retaining
data only after obtaining explicit consent. The guidelines also remind
developers to use clear language when describing their practices and of
the steps they will have to take with their customers if they change
their privacy practices at a later date. The FTC's security
recommendations include making sure that apps collect only the
information they really need and that they do not keep the information
when it is no longer necessary. Developers are also reminded to make
sure their practices live up to promises.
http://www.scmagazine.com/ftc-offers-guidance-for-mobile-application-development/article/257656/
http://business.ftc.gov/documents/bus81-marketing-your-mobile-app
[Editor's Note (Pescatore): Ahh, another example of how the FTC just
keeps on doing its job, doesn't seem to need new regulations, etc.
There's also an interesting thing going on: the "consumerization of IT"
has led to lots of advertising-subsidized "free" IT being used by both
consumers *and* businesses. The FTC has been playing a meaningful role
in enforcing privacy rules but also tends to be the tip of the
enforcement spear around deceptive advertising. The two areas have
increasing overlap.]

 --Government Lawyers Say Cell Phone Location Data Can be Obtained
    Without Probable-Cause Warrant
(September 5, 2012)
Citing a 1976 US Supreme Court precedent, US government lawyers said
that the public does not have a "reasonable expectation of privacy"
regarding cellphone location data, and that therefore, the information
may be obtained from wireless carriers without need for a probable-cause
warrant. The lawyers maintain that the information is consistent with
the definition of "third-party records," meaning that customers do not
have the right to keep the information private. The case in question is
one brought against Antoine Jones, whose conviction on drug dealing
charges was overturned by the Supreme Court earlier this year because
they ruled that the use of a GPS device on Jones's car was tantamount
to an illegal search. After that ruling, the FBI halted the use of 3,000
GPS tracking devices.
http://www.wired.com/threatlevel/2012/09/feds-say-mobile-phone-location-data-not-constitutionally-protected/
http://www.pcworld.com/article/261957/us_takes_second_crack_at_gps_tracking_target.html

**************************   Sponsored Links:  ****************************

1) "New Analyst Paper in the SANS Reading Room!  Secure Configuration
Management Demystified, by senior SANS Analyst Dave Shackleford"
http://www.sans.org/info/112857

2) SANS Analyst Webcast!  Monitoring is Nothing without the Ability to
Respond: Using the Principles of Continuous Monitoring for Threat
Modeling and Response. Thursday, October 11, 1 PM EST, featuring SANS
executive leadership course instructor and federal expert, G. Mark Hardy
and Tiffany Jones, senior manager of products at Symantec.
http://www.sans.org/info/112862

3) Simplifying Identity Management: SANS Product Review of Oracle
Identity Governance Solutions by Senior SANS Analyst, Dave Shackleford
Thursday, September 27, 2012, 9 am Pacific/12 Noon Eastern.
http://www.sans.org/info/112867

***************************************************************************

THE REST OF THE WEEK'S NEWS
 --Court: Employee Had Valid Access Rights When He Downloaded Proprietary Data
(September 6, 2012)
A US Federal Appeals Court has ruled that an employee who downloaded
proprietary data from his employer cannot be prosecuted under federal
anti-hacking laws because he used valid access rights to obtain the
information. Mike Miller and his assistant, Emily Kelley, allegedly
downloaded proprietary information from WEC Carolina Energy Solutions
shortly before resigning from the company in April 2010. Miller
allegedly used the information to get business for his new employer,
which is a rival of WEC. WEC sued Miller and Kelley under a number of
state laws and the 1986 federal Computer Fraud and Abuse Act (CFAA). WEC
maintained that when Miller and Kelley downloaded the proprietary
information, they violated company use policies, thus forfeiting their
authorized access, and could therefore be prosecuted under CFAA.
In February 2011, the US District Court in South Carolina rejected those
claims, saying that Miller still had authorized access when he
downloaded the data. The US Court of Appeals for the Fourth Circuit
upheld the lower court's decision.
http://www.computerworld.com/s/article/9230998/Worker_had_proper_access_when_he_snagged_corporate_data_court_rules?taxonomyId=82
http://www.tradesecretsnoncompetelaw.com/uploads/file/WEC.pdf
[Editor's Note (Honan): This story shows why the insider threat is
difficult to manage and why it is so important to regularly manage the
access rights staff have to sensitive information.  You also need to
monitor those access rights for unusual behaviours to ensure they are
not being abused. ]

 --Pushdo Variant Hides Communication With Command-and-Control Server
(September 6, 2012)
In the last several weeks, more than 100,000 computers have been
infected with a new variant of the Pushdo Trojan horse program. This
version of Pushdo sends HTTP requests to 300 legitimate websites in an
attempt to disguise its communication with the actual
command-and-control server, making it more difficult for researchers to
gather information about the botnet's behavior. Earlier Pushdo versions
used the same technique, but sent the misleading traffic to high-profile
websites, which made it easier for researchers to weed out the nonsense
traffic. The hidden HTTP traffic has been heavy enough at times to knock
the legitimate sites offline. Pushdo generally spreads through drive-by
download attacks.
http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/

 --Flash Not Patched in Windows 8 With IE10
(September 6, 2012)
Users running Windows 8 with Internet Explorer 10 (IE10) are at risk
from security flaws in Adobe Flash that could be exploited to crash and
possibly take control of vulnerable systems. Adobe has released fixes
for the flaws, but the version of Flash that comes with IE10 is not
updated to address the most recent security concerns. Users running
Windows 7 who have enabled automated updates are protected, as are Mac
users. However, because the version of Flash that comes with IE10 is a
built-in component rather than a plug-in, it can be updated only by Microsoft.
Google does the same thing with Chrome, but addresses the issue by
including Flash updates when it pushes out its automatic Chrome updates.
http://www.zdnet.com/microsoft-puts-windows-8-users-at-risk-with-missing-flash-update-7000003834/

 --Light Patch Tuesday Allows Time to Prepare for New Certificate Requirements
(September 6, 2012)
On Tuesday, September 11, Microsoft will issue two security bulletins
to address a total of four vulnerabilities. Both have maximum severity
ratings of important. The light load for September is to allow time to
prepare for the October update which will invalidate all digital
certificates that have keys smaller than 1,024 bits. Microsoft is
implementing the requirement to help protect users from the likes of
Flame malware, which used spoofed Microsoft certificates.
http://www.scmagazine.com/light-patch-tuesday-will-include-new-encryptiorule/article/257870/
http://www.computerworld.com/s/article/9230995/Microsoft_gives_users_a_patch_break_and_time_to_prep_for_certificate_slaying?taxonomyId=85
http://technet.microsoft.com/en-us/security/bulletin/ms12-sep
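As an added example (not part of the newsletter), a small POSIX shell check, using the openssl command-line tool, that flags PEM certificates whose RSA key falls below the 1,024-bit floor the October update enforces. It assumes openssl is on PATH; the two self-signed test certificates it generates are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not from the newsletter: flag PEM certificates whose RSA
# public key is shorter than the 1,024-bit minimum Microsoft's October
# 2012 update enforces. Assumes the openssl command-line tool is on PATH.

# Print the public key length in bits of the first certificate in a PEM
# file, taken from the "Public-Key: (N bit)" line of openssl's text dump.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Succeed (exit 0) only if the certificate's key is at least 1024 bits;
# a certificate whose key size cannot be read is treated as failing.
cert_meets_minimum() {
    bits=$(cert_key_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -ge 1024 ]; then
        return 0
    fi
    return 1
}

# Print one line per certificate (*.pem) under a directory, marking the
# ones that the October update would stop trusting.
report_weak_certs() {
    for cert in "$1"/*.pem; do
        if cert_meets_minimum "$cert"; then
            echo "OK   $(cert_key_bits "$cert") bits  $cert"
        else
            echo "WEAK $(cert_key_bits "$cert") bits  $cert"
        fi
    done
}

# Generate two constructed self-signed certificates (512-bit and 2048-bit
# RSA keys) in a scratch directory and print its path; test data only.
# Private keys get a .key suffix so the report loop only sees certificates.
make_test_certs() {
    dir=$(mktemp -d)
    for n in 512 2048; do
        openssl req -x509 -newkey "rsa:$n" -nodes -days 1 \
            -subj "/CN=key-size-test-$n" \
            -keyout "$dir/key$n.key" -out "$dir/cert$n.pem" >/dev/null 2>&1
    done
    echo "$dir"
}

# Stand-alone usage: build the test certificates and report on them.
if [ "${1:-}" = "--demo" ]; then
    report_weak_certs "$(make_test_certs)"
fi
```

Run with `--demo` to see the report on the constructed certificates, or call `report_weak_certs` on a directory of your own PEM files.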

 --Sony Acknowledges Customer Data Compromised
(September 5, 2012)
Sony has acknowledged that attackers stole the names and email addresses
of 400 mobile customers in China and Taiwan. No financial account
information was accessed. The data were taken from a server run by a
third-party provider in China.
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240006800/sony-allegedly-hacked-by-nullcrew.html
http://www.computerworld.com/s/article/9230977/Sony_says_400_customer_names_emails_from_mobile_division_leaked_in_China?taxonomyId=82

 --ICS-CERT Warns of Vulnerability in GarrettCom Network Switches
(September 4 & 5, 2012)
The US Industrial Control System Computer Emergency Response Team
(ICS-CERT) has issued a security advisory warning of a vulnerability in
certain GarrettCom network switches. The devices use hard-coded
passwords on default accounts. To exploit the vulnerability, attackers
would need to have access to a login account on the device. Once they
have access, however, attackers could elevate privileges and make
changes to electrical switches and other industrial controls attached
to the devices. According to the ICS-CERT advisory, the vendor issued a
patch for the flaw in May, but the release notes accompanying the patch
did not describe the issue so some customers may not have yet applied
it.
http://www.theregister.co.uk/2012/09/05/more_insecure_scada/
http://arstechnica.com/security/2012/09/secret-account-in-mission-critical-router-opens-power-plants-to-tampering/
http://www.h-online.com/security/news/item/GarrettCom-industrial-switches-open-to-attack-1701193.html
https://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf

 --Huawei Maintains it is Not Engaged in Cyber Espionage
(September 4 & 5, 2012)
Huawei has issued a public statement asserting that it has never been
involved in cyber espionage or other illegal acts. The statement follows
close on the heels of news that Huawei and ZTE have been invited to
testify before a US Congressional subcommittee regarding cyberthreats
to the US critical infrastructure from its networking equipment.
http://www.theregister.co.uk/2012/09/05/huawei_denies_spying/
http://www.huawei.com/en/about-huawei/newsroom/press-release/hw-187387-securitywhitepaper.htm
[Editor's Note (Pescatore): There is a "glass houses and stone throwing"
kinda thing going on here. Could *any* IT hardware or software vendor
in *any* country actually prove to any *other* country's government that
it *never* agreed to its home country's government requests to support
intelligence efforts? ]

 --FBI Says Laptop Not Breached; Apple Says it Did Not Provide UDID List
    to FBI
(September 4 & 5, 2012)
An FBI spokesperson said that it is "aware of published reports alleging
that an FBI laptop was compromised and private data regarding Apple
UDIDs (unique device identifiers) was exposed. At this time there is no
evidence indicating that an FBI laptop was compromised or that the FBI
either sought or obtained this data." A subgroup of hackers claiming
affiliation with Anonymous said that it had obtained the file from an
FBI laptop. Apple says it never gave such a list to the FBI, and an
Apple spokesperson said the company "will soon be banning the use of the
UDID." The authenticity of the data has been verified, so the question
remains: where did the data come from?
http://arstechnica.com/apple/2012/09/apple-denies-giving-ios-device-identifier-list-to-fbi/
http://www.computerworld.com/s/article/9230918/FBI_denies_it_was_source_of_leaked_Apple_device_ID_data?taxonomyId=208
http://news.cnet.com/8301-1009_3-57505925-83/fbi-finds-no-evidence-that-antisec-hacked-its-laptop/
http://www.wired.com/threatlevel/2012/09/fbi-says-laptop-wasnt-hacked-never-possessed-file-of-apple-device-ids/

 --Two Men Charged with Attempting to Buy Trade Secrets
(September 4, 2012)
Two Chinese nationals have been charged with attempting to buy stolen
trade secrets. The men were arrested on September 2, 2012, after paying
a Pittsburgh Corning employee who was working with the FBI for documents
that were said to contain the proprietary information about Corning's
FOAMGLAS product. The men allegedly attempted to purchase the
information because they planned to open a competing facility in China.
The men were charged in US federal court in Kansas City, Missouri.
http://www.bizjournals.com/kansascity/news/2012/09/04/chinese-nationals-in-kansas-city-face.html
http://www.justice.gov/usao/mow/news2012/huang.com.html
[Editor's Comment (Northcutt): FOAMGLAS is cellular insulation. While
it has building applications, it also has industrial applications when
you need high performance and is restricted in certain companies.
http://www.foamglas.com/ ]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
