[Owasp-cuiaba] Fwd: SANS NewsBites Vol. 16 Num. 011 : The White House is about to step in cyber doo doo; Target testifies; PCI Discussed at Senate Banking Committee Hearing; US Defense Contractors Take Steps to Prevent Data Leaks; FBI Issues Solicitation for Malware

Kembolle Amilkar contato em kembolle.com.br
Monday February 10 04:49:07 UTC 2014

SANS news item with information on:
The Federal Government's Track Record on Cybersecurity and Critical
Infrastructure. Worth a look.


- Kembolle Amilkar de Oliveira, Esp.
| T.A.D.S | G.P.N.T.I. |  G.T. I. | Seg. Info. |
Contact: Homepage <http://www.kembolle.com.br> |
Gtalk<contato em kembolle.com.br>|
MSN <contato em kembolle.com.br> | XMPP <contato em kembolle.com.br> |

---------- Forwarded message ----------
From: The SANS Institute <NewsBites em sans.org>
Date: 2014-02-07 18:25 GMT-03:00
Subject: SANS NewsBites Vol. 16 Num. 011 : The White House is about to step
in cyber doo doo; Target testifies; PCI Discussed at Senate Banking
Committee Hearing; US Defense Contractors Take Steps to Prevent Data Leaks;
FBI Issues Solicitation for Malware
To: contato em kembolle.com.br


Ooops. The White House is about to step in cyber doo doo. Rather than
allowing the impotent and irrelevant "Cyber Framework" to quietly fade
away, Michael Daniel, the White House Cyber Coordinator, plans to
highlight it as an illustration of Obama Administration leadership.  The
Framework is the kind of non-effective guidance that led to the
Administration's cyber leadership failures documented by Senator Coburn
earlier this week. The Coburn report is posted at
Coburn's accompanying comment: "Congress needs to hold the White House
and its agencies accountable."

Just 5 more days to beat the early registration deadline for the largest
cybersecurity training conference: SANS 2014 with 40 courses and a huge
evening bonus program on hottest topics. It is coming soon in balmy
Orlando.  http://www.sans.org/event/sans-2014

SANS NewsBites               February 7, 2013            Vol. 16, Num. 011
  Target and Neiman Marcus Executives Testify at Senate Committee Hearing
  Payment Card Security Discussed at Senate Banking Committee Hearing
  US Defense Contractors Take Steps to Prevent Data Leaks
  FBI Issues Solicitation for Malware
    Microsoft's February Patch Tuesday Will Include Five Bulletins
    Wireless Devices Attacked at Sochi
    Critical Infrastructure Cybersec Bill Heads to House Floor
    UK Financial Institutions Cyberattack Exercise
    UK Government to Hold Cybersecurity Exercises for Critical
      Infrastructure Sectors
    Oldboot Android Trojan
    Facebook Redirect Attempt Unsuccessful Due to Registrar Locks
    Target Systems Accessed with HVAC Contractor's Credentials
    Adobe Patches Critical Flash Vulnerability
    Microsoft Calls for Collaborative Effort to Eradicate Malware Families
    Application Security Survey

***********************  Sponsored By Bit9  ****************************

Are you unable to upgrade your XP systems to Windows 7 or 8? If so, are
you still deciding how to keep your XP systems secure and compliant
after XP end of life on April 8, 2014?  Download this XP End-of-Life
Handbook for the Upgrade Latecomer.



-- SANS Cyber Threat Intelligence Summit Arlington, VA   Feb. 4-11, 2014
This summit will focus on the tools, techniques, and analytics that
enterprises need to collect and analyze threat data and turn it into
action to mitigate risks and elevate security.
--SANS Scottsdale 2014    Scottsdale, AZ       February 17-22, 2014
6 courses. Bonus evening presentations include Offensive Digital
Forensics; and Cloud IR and Forensics.
--SANS Cyber Guardian 2014     Baltimore, MD   March 3-8, 2014
7 courses. Bonus evening presentations include Continuous Ownage: Why
You Need Continuous Monitoring; Code Injection; and How the West was
-- ICS Summit Orlando          Lake Buena Vista, FL      March 12-18, 2014
Come join us at the ICS/SCADA Security Orlando Summit where we will take
a deep look at embedded system attack surfaces, discover what you can
do to improve their security, and take away new tools that you can put
to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7
-- SANS Northern Virginia           Reston, VA        March 17-22, 2014
11 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous
Monitoring; and Real-World Risk - What Incident Responders Can Leverage
from IT Operations.
--SANS Brussels 2014   Brussels, Belgium       February 17-22, 2014
4 courses.
--SANS Secure Singapore 2014   Singapore, Singapore    March 10-26, 2014
7 courses. Bonus evening presentations include Incident Response and
Forensics in the Cloud.
--Can't travel?  SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive)
--Multi-week Live SANS training
Contact mentor em sans.org
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

 --Target and Neiman Marcus Executives Testify at Senate Committee Hearing
(February 4 & 5, 2014)
At a US Senate Judiciary Committee hearing, executives from Target and
Neiman Marcus voiced differing opinions about the value of implementing
chip-and-PIN technology in payment cards. A Target executive said that
the company plans to implement the technology by early next year, while
a Neiman Marcus executive voiced concerns about shifting to the new
technology so quickly. Both executives provided lawmakers with
additional details of the breaches. The executives also appeared before
the House Energy and Commerce Committee's commerce subcommittee.
[Editor's Note  (Honan): As a European I find it difficult to understand
why the US does not implement Chip & Pin technology. It has already been
working in Europe successfully for a number of years. It is important
to note that while Chip & Pin technology reduces card present fraud, it
does nothing to help reduce card not present fraud.
(Paller): The photos of Target CIO and CFO responding to Senate
questioning [halfway down the page at
could serve as a great motivator for executives who need a little push
to focus more resources on security.]

 --Payment Card Security Discussed at Senate Banking Committee Hearing
(February 3, 2014)
Payment systems experts told the Senate Banking Committee's Subcommittee
on National Security and International Trade and Finance that adopting
chip and PIN technology would go a long way in helping to protect
American consumers from payment card fraud resulting from data breaches,
but cautioned that no "single technology is a silver-bullet solution."

 --US Defense Contractors Take Steps to Prevent Data Leaks
(February 5, 2014)
According to a recent study of 100 US federal defense contractors,
three-quarters have taken steps to improve data security within their
organizations following the Snowden leaks. The majority of changes
involved increasing employee training and being on "high alert" for
anomalous behavior. Forty-four percent are restricting user access, and
34 percent are restricting administrator privileges.

 --FBI Issues Solicitation for Malware
(February 4 & 6, 2014)
The FBI is calling for cybersecurity experts to send them all the
samples of malware they have to be used for research. The FBI will pay
for the malware samples. The request comes from the FBI Investigative
Analysis Unit of the Operational Technology Division, and notes that
"the collection of malware from multiple industries, law enforcement,
and research sources is critical to the success of the IAU's mission to
obtain global awareness of the malware threat."

**************************  Sponsored Links:  ******************************

1) Join Scott Simkin, Senior Cyber Analyst for Palo Alto Networks, for
a webcast and demo where he will present our latest threat research, and
lead a discussion on how to optimize the cyberattack kill-chain to
prevent known and unknown threats.  Register Now:

2) Join us March 7 in NYC at a morning briefing to discuss Financial
Services Cybersecurity Trends And Challenges.
Don't live in the area? Event will be simulcast as well. Register at:

3) The Critical Security Controls Draft Version 5.0 is available at
http://www.sans.org/info/151295. All feedback can be communicated by
sending emails to CriticalControls em CouncilOnCyberSecurity.org.  The
finalized 5.0 version will then be formally announced at the RSA
Conference in late February 2014.


 --Microsoft's February Patch Tuesday Will Include Five Bulletins
(February 6, 2014)
On Tuesday, February 11, Microsoft plans to release five security
bulletins to address security issues in all supported versions of
Windows as well as in Microsoft Forefront Protection 2010 for Exchange
[Editor's Note (Ullrich): Also note that MD5 signed certificates will
no longer be recognized as valid in Windows as of next Tuesday.]

 --Wireless Devices Attacked at Sochi
(February 6, 2014)
Bearing out predictions that wireless devices would be targeted by
cyber criminals at the Sochi Olympics, NBC foreign correspondent Richard
Engel found that two laptops and his smartphone were quickly compromised
with malware that enabled attackers to use the devices to eavesdrop and
access data on the devices. The laptops were probed within minutes of
connecting to the Internet, and soon after, Engel received a phishing
message. A researcher who accompanied Engel has acknowledged that the
laptops were fresh out of the box with no updates and no security
software, and that the phone was compromised after the user agreed to
install an .apk from a Sochi website. Even so, visitors to Sochi are
likely to face a barrage of attempted cyber attacks.
[Editor's Note (Ullrich): This story is an example of very
sensationalized reporting. It would be better if they would have spent
the time giving some actionable advice to users. In general, the
internet in Sochi (or Moscow where the story was actually recorded) is
probably about as safe as in any hotel or coffee shop in the US.
(Honan): Actually the reporter was not in Sochi, but in Moscow. He also
visited websites relating to the Olympics so the compromises could
happen anywhere in the world where people connect to those sites.
Overall a lot of sensationalism in this report which is already being
debunked online, see

 --Critical Infrastructure Cybersec Bill Heads to House Floor
(February 6, 2014)
The National Cybersecurity and Critical Infrastructure Protection Act
unanimously passed the House Homeland Security Committee and now heads
to the full House of Representatives. The bill would require the
Department of Homeland Security to codify cybersecurity standards for
government and critical infrastructure systems.
[Editor's Note (Murray): Read it. This is one more attempt to grant
private enterprise immunity from liability to its customers for
disclosing their PII to government agencies.  All the rest is "window
dressing" to disguise this.  This provision has been included in every
proposal for legislation in this space, draws the opposition of privacy
advocates, and kills the bill.  They keep hoping to sneak it through.]

 --UK Financial Institutions Cyberattack Exercise
(February 5 & 6, 2014)
The Bank of England has released the results of a November 2013
cyberattack simulation exercise for UK financial institutions.  While
the exercise, known as Waking Shark II, "successfully demonstrated cross
sector communications and coordination," it also notes that the UK's
financial sector is vulnerable to attacks. One recommendation that arose
from analysis of the exercise is that there needs to be a single entity
responsible for managing communications between institutions within the
financial sector. Organizations also need to report attacks to
regulators and law enforcement.
Bank of England Report on UK Financial Sector Cyberattack Exercise:
[Editor's Note (Honan): The only times a cyber-attack exercise fails is
when we do not apply the lessons learnt from them. I recommend that we
all review the report from this exercise to see what lessons can be
applied to our own environments.]

 --UK Government to Hold Cybersecurity Exercises for Critical
    Infrastructure Sectors
(February 5, 2014)
The UK government plans to hold cyberattack exercises much like Waking
Shark for public sector elements of critical infrastructure. The
exercises are part of government reforms aimed at protecting the country
from cyberattacks.
[Editor's Note (Honan): When asked "How do you get to Carnegie Hall?" the
violinist Mischa Elman is supposed to have said "Practice". Likewise the
only way to ensure your incident response plans work is to practice. The
European Network and Information Security Agency (ENISA) has an
excellent repository of exercise material for CERTs available for free
at http://www.enisa.europa.eu/activities/cert/support/exercise]

 --Oldboot Android Trojan
(February 5, 2014)
An Android Trojan known as Oldboot has infected 350,000 devices. The
malware is difficult to delete because some of its components are loaded
into the Android file system's boot partition. Oldboot may be spreading
through firmware that has been seeded with the malware. The majority of
infected devices are in China.
[Editor's Note (Murray): Unfortunately, this is not an "Android"
problem; the problem is that there is no "Android."  Rather there are
dozens of androids from so many sources that it is nigh impossible for
a user to know what he has or what its vulnerabilities may be.
(Northcutt): And we thought boot sector malware was yesterday's news.
Honestly, I think the best hope for mobile devices is OS on the chip.]

 --Facebook Redirect Attempt Unsuccessful Due to Registrar Locks
(February 5 & 6, 2014)
The Syrian Electronic Army launched an unsuccessful attempt to hijack
Facebook's domain. The attack was not on Facebook itself but on the
company responsible for maintaining Facebook's domain registration.
While the attackers managed to change Facebook's domain registration
information, the attack was ultimately unsuccessful because Facebook had
established registrar locks that require manual checking with live human
beings before making any changes.
Example: https://twitter.com/Official_SEA16/status/431208035050991616
[Editor's Note (Honan): Great to see security controls work as planned.
If you have not enabled registrar locks on your domains, you should do
so ASAP.]
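The control that held here is visible from the outside: registrar and registry locks show up as status values on the domain's RDAP (or WHOIS) record, so you can audit your own domains for them. The script below is an added example for this thread, not code from SANS, Facebook or any registrar. It parses the "status" array of an RDAP domain object (the RFC 8056 status names such as "client transfer prohibited") and reports which locks are missing. The two RDAP responses are constructed for illustration; a real audit would fetch the domain object from the registry's RDAP service and pass the JSON in.

```python
"""Audit RDAP domain status for registrar and registry locks.

Added example, not code from SANS or any registrar. The sample RDAP
responses below are constructed; replace them with the JSON returned by
the registry's RDAP service for your own domains.
"""
import json

# RDAP status values (RFC 8056) set by the registrar; together they make up
# the usual "registrar lock" against transfer, change and deletion.
REGISTRAR_LOCKS = {
    "client transfer prohibited",  # blocks transfer to another registrar
    "client update prohibited",    # blocks nameserver/contact changes
    "client delete prohibited",    # blocks deletion of the domain
}
# Registry-level locks; registries typically set these only through an
# out-of-band, manually verified process (the kind of check described above).
REGISTRY_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}


def lock_report(rdap_json: str) -> dict:
    """Return which registrar locks are missing and whether registry locks are set."""
    obj = json.loads(rdap_json)
    statuses = {s.strip().lower() for s in obj.get("status", [])}
    missing = sorted(REGISTRAR_LOCKS - statuses)
    return {
        "domain": obj.get("ldhName", "").lower(),
        "registrar_locked": not missing,
        "missing_registrar_locks": missing,
        "registry_locked": REGISTRY_LOCKS <= statuses,
    }


# Constructed sample RDAP responses (not real registry data).
LOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client delete prohibited", "client transfer prohibited",
               "client update prohibited", "server delete prohibited",
               "server transfer prohibited", "server update prohibited"],
})
UNLOCKED_DOMAIN = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.net",
    "status": ["active"],
})

if __name__ == "__main__":
    for sample in (LOCKED_DOMAIN, UNLOCKED_DOMAIN):
        print(lock_report(sample))
```

A domain that reports only "active" has no lock at all: a compromised registrar account, or a social-engineered registrar employee, can change its nameservers. The "client ... prohibited" set is what most registrars switch on when you enable registrar lock; the "server ... prohibited" set is the stronger registry lock that has to be cleared through the registry before any change goes through.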

 --Target Systems Accessed with HVAC Contractor's Credentials
(February 5 & 6, 2014)
More details are emerging about the way attackers infiltrated Target's
systems to steal payment card data. It now appears that the attackers
gained a foothold in Target's systems by using the access credentials
of a refrigeration and HVAC company that had worked at several Target
locations. The president of Fazio Mechanical Services acknowledged that
the US Secret Service had visited company offices in Pennsylvania, and
noted that his company's "connection with Target was exclusively for
electronic billing, contract submission, and project management,"
suggesting that there may have been a network segmentation error.
The HVAC company's statement on the issue is on their website at
[Editor's Note (Murray): I agree that this report illustrates the
importance of network layering and segmentation.  However, it also
demonstrates that any vulnerability exposes the entire payment system.
Taken across all merchants and networks, breaches of the payment system
are inevitable.  What is not inevitable is that those breaches must
result in the fraudulent reuse of credit card numbers.  It is both
obvious and urgent that the brands and banks must implement measures,
e.g., EMV, out-of-band one-time-passwords, to resist replay.  We cannot
rely upon a system that requires all merchants to get it right all the
(Honan): This story reinforces the importance of restricting access to
key network resources for those connecting to your network from remote
locations, be they partners, suppliers, or staff working remotely.]
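Segmentation is only as good as the monitoring that tells you when a third-party account reaches beyond its intended segment. The script below is an added example for this thread, not code from SANS, Target or Fazio Mechanical. It applies a per-account allow-list of destination networks to constructed authentication log lines and returns the successful logins that landed outside the permitted segment, which is exactly the kind of event a billing-only vendor account should never produce. The log format, field names, account names and network ranges are all assumptions made for the example.

```python
"""Flag third-party accounts reaching hosts outside their permitted segment.

Added example, not code from SANS, Target or any vendor. The log format,
account names and networks are constructed for illustration.
"""
import ipaddress
import re

# Constructed policy: each external account is allowed to reach only the
# network segment its business relationship needs (e.g. a billing portal).
VENDOR_POLICY = {
    "vendor_hvac": [ipaddress.ip_network("10.20.5.0/24")],  # vendor portal segment
    "vendor_cctv": [ipaddress.ip_network("10.30.0.0/16")],  # camera management
}

# Assumed key=value log format for authentication events.
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>\S+)"
)


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def out_of_segment_events(lines, policy=VENDOR_POLICY):
    """Return successful logins by policed accounts to hosts outside their allowed networks."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["user"] not in policy:
            continue  # not a third-party account covered by the policy
        if ev["result"] != "success":
            continue  # failed attempts are worth a separate, noisier rule
        dst = ipaddress.ip_address(ev["dst"])
        if not any(dst in net for net in policy[ev["user"]]):
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "dst": ev["dst"], "service": ev["service"]})
    return findings


# Constructed sample log lines (not real data from any breach).
SAMPLE_LOG = [
    "2014-02-05T10:12:33Z user=vendor_hvac src=203.0.113.7 dst=10.20.5.14 service=billing-portal result=success",
    "2014-02-05T10:14:02Z user=vendor_hvac src=203.0.113.7 dst=10.20.5.14 service=contract-upload result=success",
    "2014-02-05T10:40:51Z user=vendor_hvac src=203.0.113.7 dst=10.200.1.9 service=smb result=success",
    "2014-02-05T10:41:10Z user=vendor_hvac src=203.0.113.7 dst=10.200.1.10 service=rdp result=failure",
    "2014-02-05T11:02:19Z user=jsmith src=10.0.8.5 dst=10.200.1.9 service=smb result=success",
    "2014-02-05T11:05:00Z user=vendor_cctv src=198.51.100.4 dst=10.30.7.2 service=https result=success",
]

if __name__ == "__main__":
    for f in out_of_segment_events(SAMPLE_LOG):
        print("ALERT out-of-segment vendor access:", f)
```

Of the six constructed lines only the third is reported: the vendor's two portal logins are within policy, the failed RDP attempt is skipped by this rule, the internal user is not a policed account, and the camera vendor stayed inside its own segment. In a real environment the finding should be a firewall deny as well as an alert; the detection is there to catch the rule you forgot to write.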

 --Adobe Patches Critical Flash Vulnerability
(February 4 & 5, 2014)
Adobe has released an out-of-cycle patch for a critical remote code
execution vulnerability in Flash Player. The flaw affects versions of
Flash for Windows, Mac, and Linux systems and could be exploited to take
control of vulnerable systems. Windows and Mac users are urged to
upgrade to Flash version and Linux users to Flash version For Windows and Mac users unable to upgrade to version 12,
Adobe has also released Flash version 11.7.700.261. Flash in Google
Chrome and Internet Explorer 10 and 11 will be automatically updated.
The flaw is being actively exploited to steal online services login

 --Microsoft Calls for Collaborative Effort to Eradicate Malware Families
(February 3, 2014)
Microsoft's Partner Program Manager for Microsoft Malware Protection
Center Dennis Batchelder is calling for security companies, ISPs, law
enforcement agencies, CERTs, and other organizations to work together
to wipe out entire families of malware. Currently, organizations
leverage their strengths to disrupt malware, but "the goal of
coordinated malware eradication is to bring industry partners who have
specific strengths" to work together to more thoroughly rid the Internet
of malware families.

 --Application Security Survey
(February 3, 2014)
The SANS 2014 Application Security Programs and Practices survey found
that there is a shortage of skills in application security, which
hinders implementation of effective Appsec programs. The percentage of
organizations that have established Appsec programs increased from 66
percent last year to 83 percent this year.

SplashID Server Failure Leads to Data Loss

Security Risks Overstated by News Program

Monthly Ouch Newsletter: Malware

Comcast Mail Servers Breached

ASUS Routers Enumerated Internet Wide

Odd "ping" Packet (NVidia related?)

PNG IFrame Injection

Firefox Update

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO.  He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He leads SANS' efforts to raise the bar in
cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit


-------------- next part ----------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-cuiaba/attachments/20140210/71d1affa/attachment-0001.html>
