
Page 1: ISSA-COS NEWSLETTER · internet-connected devices: Having the ability to control them remotely could mean giving hackers the ability to damage them remotely, or re-purpose them for

The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, Section 107, Paragraph a.

The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

ISSA-COS NEWSLETTER
September 2013, Volume 2 Number 8
www.issa-cos.org

INSIDE THIS ISSUE:

The Cybercrime of Things, page 2
Elections for Your Board of Directors, page 3
Security+ Class, page 4
Two Updated Guides, page 5
NSA's Own Tips for Securing Computers, page 5
Hacking Industrial Systems Turns Out to be Easy, page 6
The Impact of Cybersecurity Legislation and Policy, page 7
Chinese Hacking Team Caught, page 8
FBI Taps Hacker Tactics to Spy on Suspects, page 9
The Rise (and Risk) of Modern Media, page 10
White House publishes preliminary list of cybersecurity incentives, page 11
New Report Lays Out Principles for Sound Cybersecurity Policy, page 11
NASA Didn't Even Come Close to Creating a Secure Cloud Network, page 12
Cloud Computing Presents a Unique Forensic Challenge, page 12
Cocky, Sloppy and Busted, page 13
News Ripped From the Headlines, page 14
Productivity Tools for Cybercrime, page 15
Bitcoin gets the FBI, Homeland treatment, page 16
Accessing Public Websites Ain't a Crime, page 17
Risk Management isn’t Just an Obligation, page 18
The Insecure Pacemaker, page 19
Mutually Assured Cyber Destruction, page 20
Go Ahead, Blame China, page 20
Chapter Information, page 21
Philips Hue Light Bulbs Are Highly Hackable, page 22

Hope that you had a good and restful Labor Day holiday weekend.

Elections for Chapter officers are coming up (details are on Page 3). The positions are President (Mark has decided to have someone else take the reins), Vice President, Treasurer, Communications Officer and Member-at-Large. Please give some serious thought to running.

BTW—I shall not be running for Communications Officer (the position I currently occupy). I really like just doing the Newsletter and am willing to continue doing that under the new Communications Officer.

If you know anyone who would like a brief but good Security+ one-day course, ensure that they see the announcement on Page 4. This probably won’t be repeated until March 2014.

Now on to other things.

If you haven’t been following the fallout from the Edward Snowden caper (the unauthorized release of NSA documents) then you might want to read this article in the UK newspaper Telegraph:

http://www.telegraph.co.uk/news/uknews/crime/10276460/David-Miranda-was-carrying-password-for-secret-files-on-piece-of-paper.html

From the subhead on the article: “A journalist’s partner who was detained carrying thousands of British intelligence documents through Heathrow airport was also holding the password to an encrypted file written on a piece of paper, the government has disclosed.”

Regardless of how you may feel about the NSA data, this incident shows that people “still don’t get it.” Aren’t we constantly telling people, “Don’t write down your passwords”?

Ann Althouse (a law professor at the University of Wisconsin) observed that this was, “A level concern for security lower than what I have for my Facebook page.” Furthermore, this individual was carrying data that could send him to gaol (to use a British term for jail) for a very long time.

Folks, our work is nowhere near complete. Even in the simple things.

Don Creamer


Page 2, ISSA-COS News

Coming Soon: The Cybercrime of Things

By Christopher Mims, The Atlantic, August 6, 2013

Recent work by security researchers indicates that one of the problems with having a "smart" home is that some day, it might be smart enough to attack you. The essence of the forthcoming "internet of things" is that everything we own, from our refrigerators and egg cartons to our cars and thermostats, will some day be outfitted with internet-connected sensors and control systems, allowing all our possessions, and ultimately all of our civic infrastructure, to communicate with each other and be controlled remotely.

The potential security implications of this future are fairly obvious: Imagine if the same hackers that are stealing our credit card numbers suddenly had the ability to take over or at least monitor just about every device in reach. But to date, thinking through the specifics has been tricky. Here, then, is a handy guide to the basic vulnerabilities we'll be adding to our lives once we have connected all of our worldly goods to the internet of things:

Direct attacks that force objects to exceed their design parameters or operate in ways that are unpleasant or dangerous

The most successful cyber-attack on physical infrastructure ever--an attack on Iran's uranium enrichment facility, suspected to be a joint US-Israeli project, that set Iran's nuclear ambitions back by at least a year--illustrates a basic principle of internet-connected devices: Having the ability to control them remotely could mean giving hackers the ability to damage them remotely, or re-purpose them for nefarious uses.

“These are fundamental design flaws in the way pretty much everything works”

In the Stuxnet attack on Iran's nuclear program, software was used to spin uranium centrifuges at a speed and duration that physically damaged these delicate instruments, requiring what was probably months of subsequent repair. Similarly, at this year's Defcon conference for hackers, security company Cimation demonstrated an attack that could damage a water treatment facility--causing a pipe to burst or a tank to overflow--or any other plant that uses a common protocol for controlling infrastructure that was invented in the 1970s.

Granted, our homes do not include uranium centrifuges or plumbing we control remotely--yet. An attack on the Inax Satis smart toilet would allow a hacker to activate this $4,000 toilet's bidet remotely.

Misdirection leading to user error and damage

As with the internet itself, we will in time become ever more reliant on the internet of things. Baby and pet monitors, home automation systems and even our cars will send us information in ways that will make our lives easier but also encourage our dependence on these systems. In this way, hackers do not even need to figure out how to harm us or damage our connected devices to cause mayhem: They simply need to send us false readings from the sensor systems we're using.

In the Stuxnet attack on Iran, the reason operators at the uranium enrichment facility did not shut down the infected centrifuges is that the same software that was spinning them at dangerous speeds made it look as if everything was normal. Some systems in, for example, the oil and gas industry are already vulnerable to attacks in which operators are led to believe that everything is fine when equipment may actually be operating at unsafe temperatures and pressures.

This could allow hackers to set up scenarios in which users would be the agents of their own undoing. For example, a smart thermostat set to keep a house at a certain temperature for pets while an owner is away could send false readings to the user, encouraging them to send instructions to it remotely, perhaps to make the house warmer, without realizing that the home's heating system is already at full blast.

Read the rest here:

http://www.theatlantic.com/technology/archive/2013/08/coming-soon-the-cybercrime-of-things/278409/
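The thermostat scenario in the article (a feed that under-reports the temperature so the owner keeps asking for more heat) and the Stuxnet case it cites (a feed that replays "everything is normal") can both be caught on the device side by refusing to trust a reading that contradicts the actuator it supposedly measures. The following is an added example and is not code from the article or from any thermostat vendor: it cross-checks the reported temperature against the furnace relay state, flags a feed that is suspiciously static, and withholds a remote setpoint change while the feed is suspect. The sample feeds are constructed, and the window lengths, minimum rise and jitter thresholds are assumptions a real product would calibrate to its own hardware.

```python
"""Plausibility checks for a remotely reported thermostat feed.

Added example (not from the article): cross-check the temperature the
owner is shown against the furnace relay state read locally, and flag a
feed that is suspiciously static. Thresholds and samples are constructed
assumptions.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Sample:
    minute: int
    reported_temp_f: float  # value forwarded to the owner's phone
    heater_on: bool         # furnace relay state, read from the local GPIO


# Assumption: a furnace running continuously for HEAT_WINDOW_MIN minutes
# must raise the room by at least MIN_RISE_F; a flat reading over such a
# window cannot be genuine.
HEAT_WINDOW_MIN = 15
MIN_RISE_F = 1.0

# Assumption: a live sensor jitters by at least MIN_JITTER_F over
# REPLAY_WINDOW_MIN minutes; zero variance looks like a replayed constant.
REPLAY_WINDOW_MIN = 30
MIN_JITTER_F = 0.05


def _trailing_window(samples, i, span_min):
    """Samples from index i back to the earliest one within span_min minutes,
    or None if the history does not yet cover the full span."""
    j = i
    while j > 0 and samples[i].minute - samples[j - 1].minute <= span_min:
        j -= 1
    window = samples[j:i + 1]
    if window[-1].minute - window[0].minute < span_min:
        return None
    return window


def heater_reading_conflicts(samples):
    """Minutes at which the heater has run for HEAT_WINDOW_MIN straight while
    the reported temperature rose by less than MIN_RISE_F."""
    conflicts = []
    for i in range(len(samples)):
        window = _trailing_window(samples, i, HEAT_WINDOW_MIN)
        if window is None or not all(s.heater_on for s in window):
            continue
        if window[-1].reported_temp_f - window[0].reported_temp_f < MIN_RISE_F:
            conflicts.append(window[-1].minute)
    return conflicts


def static_reading_windows(samples):
    """Minutes ending a REPLAY_WINDOW_MIN span whose readings barely vary."""
    flagged = []
    for i in range(len(samples)):
        window = _trailing_window(samples, i, REPLAY_WINDOW_MIN)
        if window is None:
            continue
        if pstdev([s.reported_temp_f for s in window]) < MIN_JITTER_F:
            flagged.append(window[-1].minute)
    return flagged


def accept_remote_setpoint(samples):
    """Decide whether a remote 'make it warmer' command should be honoured.
    Returns (accepted, reason)."""
    if heater_reading_conflicts(samples):
        return False, "reported temperature inconsistent with furnace state"
    if static_reading_windows(samples):
        return False, "reported temperature suspiciously static"
    return True, "feed plausible"


# Constructed feeds: one sample per minute for 41 minutes, furnace on
# throughout. GENUINE warms 0.15 F per minute; SPOOFED replays 60.0 F so
# the owner keeps turning the heat up.
GENUINE = [Sample(m, 60.0 + 0.15 * m, True) for m in range(41)]
SPOOFED = [Sample(m, 60.0, True) for m in range(41)]

if __name__ == "__main__":
    for name, feed in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, accept_remote_setpoint(feed))
```

The relay state is the one input the attacker who controls the cloud feed does not control, which is why the check reads it locally rather than from the same channel as the temperature; a real implementation would also rate-limit setpoint changes and alert the owner through a second channel when the feed is rejected.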


Page 3, Volume 2 Number 8

Elections for Your Board of Directors

To quote from the ISSA-COS By-Laws: The business of the Chapter shall be managed by the Board of Directors. A Board quorum for business shall consist of at least four (4) board members present. This Board may, from time to time, establish special committees for various purposes as required.

There are five positions (defined below) which are up for election on the ISSA-COS Board of Directors. The other positions on the Board (Executive Vice President, Recorder and a Member at Large position) will be elected in 2014. The Communications Officer position will also be up for re-election in 2014 to restore a proper balance to which positions are up for election and which are not. With the exception just mentioned these are all two-year positions.

Who is qualified to run for a position on the Board (again, quoting from the ISSA-COS By-Laws)? The officers of the Chapter must be General Members in good standing as of the date of their election.

THE FOLLOWING OFFICES (WITH JOB DESCRIPTIONS) ARE UP FOR ELECTION THIS YEAR:

The President shall be the executive head of the Chapter and shall preside at all meetings of the Chapter. The President shall have the power to call special meetings with a nominal five (5) day notification to the general membership if deemed necessary for the benefit of the Chapter. The President shall also have the power to assign the duties of the monthly reconciliation of the bank account to any officer other than the Treasurer.

The Vice President shall attend to the duties of the President in the absence of the President and Executive Vice President and shall attend to any other duties as the President may require. The Vice President shall have the power to call a meeting of the Board without the consent of the President. The Vice President shall provide liaison with standing committees within the Chapter.

The Treasurer shall be responsible for Chapter financial administration as outlined in Article VIII. The Treasurer shall receive all Chapter membership dues from ISSA and receive and disburse other monies incidental to Chapter activities. The Treasurer shall maintain an accounting of articles of value belonging to the Chapter, and shall keep an accurate accounting of all treasury receipts, expenditures, and deposits.

The Communications Officer shall maintain sufficient membership address lists as to ensure that all members in good standing are notified of meetings, and that all other correspondence necessary to the conduct of the Chapter is received by the members. At the direction of the President, the Communications Officer shall also transmit and respond to all correspondence of the Chapter, and perform any other duties customarily associated with the office of Communications Officer. The Communications Officer shall approve content of Chapter sponsored websites and newsletters. Additionally, the Communications Officer shall be responsible for the publication of the Chapter Newsletter and/or website, either directly or by supervising an appointed editor/webmaster.

The Member at Large shall be responsible for acting as a liaison between the ISSA-COS members and the Board, annually assessing the Board’s performance, and coordinating all committees not established as standing committees.

There will be a Nominating Committee selected at the November 14th meeting. You may volunteer for one of the two positions on this Committee.

Elections will occur at the December luncheon meeting and assumption of office will occur at the end of the December meeting.


Page 4, ISSA-COS News

SECURITY+ EXAM PREP SEMINAR

The Colorado Springs Chapter of ISSA is hosting an 8-Hour Security+ Exam Prep Seminar.

Location: Colorado Technical University (CTU) Room 112, 4435 N. Chestnut St., Colorado Springs, CO 80907

Date: 7 September 2013

Time: Check in between 8:00 AM and 8:15 AM. Class starts at 8:15 AM and runs to 4:45 PM (30 minute lunch).

REGISTRATION & VOLUNTEER INSTRUCTORS CONTACT:

Volunteers for instructors and support staff will be recruited through the chapter volunteer coordinator: David Henson ([email protected])

To register for class provide your name, contact info, ISSA member number and student status to Dave Malone at: [email protected]. Questions: please call Dave at 719 660 6310.

UPDATED COURSE CONTENT AND IN-CHAPTER INSTRUCTORS

Updated and expanded material: Test Objectives & Exam Tips
Full day program with one session for each of the six domains
Each block of instruction covers one exam objective
All Instructors are Security+ Certified

TOPICS COVERED INCLUDE

Network Security
Compliance and Operational Security
Threats and Vulnerabilities
Application, Data, and Host Security
Access Control and Identity Management
Cryptography

NEXT CLASS: The Next Security+ Exam Prep Seminar Is Currently Scheduled For March 2014.


Page 5, Volume 2 Number 8

Among the NSA's Own Tips for Securing Computers: Remove the Webcam

And if the NSA doesn't trust a piece of hardware, you probably shouldn't either.

By Alexis C. Madrigal, The Atlantic, Aug 19 2013

Seems like everything gets hacked these days. Baby monitors. White House employees' personal email. Toilets.

If it's connected to the Internet, it seems at least a little vulnerable.

But surely we can trust that workhorse selfie-generator, the iSight webcam built into the top bezel of Mac laptops. Or... Maybe not. Yesterday, security researchers Steve Glass and Christopher Soghoian were passing around a National Security Agency factsheet with a little bit of advice for Mac users on how to "harden" their computers to attacks (http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf).

Among the tips, we find the following suggestion: "Disable Integrated iSight and Sound Input."

"The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it," the NSA writes (emphasis added). Then, you might try "placing opaque tape over the camera" or try the software-only method of removing one of the components of Quicktime's files. And if the NSA doesn't trust that a particular piece of hardware can't be used for surveillance, it's probably safe to assume an average user shouldn't either.

The built-in microphone comes under scrutiny, too. The NSA suggests setting the mic input level to zero and removing a file that cripples the sound system.

Read the rest here:

http://www.theatlantic.com/technology/archive/2013/08/among-the-nsas-own-tips-for-securing-computers-remove-the-webcam/278809/

Two Updated Guides Provide Latest NIST Recommendations for System Patches, Malware Avoidance

By NIST, August 20, 2013

The National Institute of Standards and Technology (NIST) has updated two of its series of computer security guides to help computer system managers protect their systems from hackers and malware. Vulnerabilities in software and firmware are the easiest ways to attack a system, and the two revised publications approach the problem by providing new guidance for software patching and warding off malware.

A common method to avoid attacks is to "patch" the vulnerabilities as soon as possible after the software company develops a piece of repair software—a patch—for the problem. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems.

The earlier guidance on patching, Creating a Patch and Vulnerability Management Program, was written when patching was a manual process. The revision, Guide to Enterprise Patch Management Technologies,* is designed for agencies that take advantage of automated patch management systems such as those based on NIST's Security Content Automation Protocol (SCAP).

Guide to Enterprise Patch Management Technologies explains the technology basics and covers metrics for assessing the technologies' effectiveness.
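The metrics point is easier to see on data. The following is an added example and is not code from NIST or from the guide it describes: it takes a constructed patch inventory (hypothetical host names and advisory identifiers, and an assumed per-severity SLA) and computes the coverage, time-to-patch and SLA-miss figures that an automated patch management system should be able to report for the identify/acquire/install/verify cycle described above.

```python
"""Patch-management metrics over a constructed inventory.

Added example, not from NIST SP 800-40r3 or the newsletter. Host names,
advisory identifiers and the per-severity SLA are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str
    severity: str              # critical / high / medium / low
    released: date             # vendor released the patch
    installed: Optional[date]  # verified install date, None if still missing


# Assumed SLA: days allowed from vendor release to verified install.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def patch_metrics(records, as_of):
    """Coverage, median time-to-patch, SLA misses and overdue hosts as of a date."""
    installed = [r for r in records if r.installed is not None]
    days_to_patch = [(r.installed - r.released).days for r in installed]

    sla_misses = 0
    overdue = []  # (host, advisory, days past SLA) for patches still missing
    for r in records:
        limit = SLA_DAYS[r.severity]
        if r.installed is not None:
            # Verified install, but later than the SLA allows.
            if (r.installed - r.released).days > limit:
                sla_misses += 1
        else:
            # Still missing: an SLA miss once the patch is older than the limit.
            age = (as_of - r.released).days
            if age > limit:
                sla_misses += 1
                overdue.append((r.host, r.advisory, age - limit))
    return {
        "coverage": len(installed) / len(records) if records else 0.0,
        "median_days_to_patch": median(days_to_patch) if days_to_patch else None,
        "sla_misses": sla_misses,
        "overdue": sorted(overdue, key=lambda o: -o[2]),
    }


# Constructed inventory, evaluated as of 1 September 2013.
AS_OF = date(2013, 9, 1)
RECORDS = [
    PatchRecord("web1", "ADV-001", "critical", date(2013, 8, 1), date(2013, 8, 4)),
    PatchRecord("web2", "ADV-001", "critical", date(2013, 8, 1), None),
    PatchRecord("db1", "ADV-002", "high", date(2013, 7, 15), date(2013, 8, 20)),
    PatchRecord("db2", "ADV-002", "high", date(2013, 7, 15), date(2013, 7, 30)),
    PatchRecord("ws1", "ADV-003", "medium", date(2013, 8, 10), None),
    PatchRecord("ws2", "ADV-003", "medium", date(2013, 8, 10), date(2013, 8, 15)),
]

if __name__ == "__main__":
    print(patch_metrics(RECORDS, AS_OF))
```

The "installed" date is the verified install, not the date the job was pushed; a tool that records the push date will report a coverage figure that a vulnerability scanner will later contradict.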

The second security document provides guidance to protect computer systems from malware—malicious code. Malware is the most common external threat to most systems and can cause widespread damage and disruption.

NIST's Guide to Malware Incident Prevention and Handling for Desktops and Laptops** was updated to help agencies protect against modern malware attacks that are more difficult to detect and eradicate than when the last version was published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of social networking information for targeting attacks.

The new malware guide provides information on how to modernize an organization's malware incident prevention measures and suggests recommendations to enhance an organization's existing incident response capability to handle modern malware.

Guide to Enterprise Patch Management Technologies (NIST Special Publication 800-40, Revision 3) is available at:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf

Guide to Malware Incident Prevention and Handling for Desktops and Laptops (Special Publication 800-83 Revision 1) can be found at:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf


Page 6, ISSA-COS News

Hacking Industrial Systems Turns Out to be Easy

New research from Black Hat shows it’s possible to trick water and energy infrastructure to cause physical damage—and securing these systems remains painfully slow.

By Tom Simonite, MIT Technology Review, August 1, 2013

Three presentations scheduled to take place at the Black Hat computer security conference in Las Vegas today will reveal vulnerabilities in control systems used to manage energy infrastructure such as gas pipelines. These are just the latest sign that such systems remain dangerously susceptible to computer attacks that could have devastating consequences; and although the researchers proposed fixes for each flaw they’ve identified, they caution that, on the whole, industrial infrastructure remains woefully vulnerable.

The vulnerabilities add to a growing list of problems identified due to a recent surge in research into the security of industrial systems. Progress to fix such security issues has been slow going, due partly to the poor design of existing systems, and partly to a lack of strong incentives to fix the flaws quickly.

One demonstration today will spray the audience with water from a replica water plant component forced to over-pressurize. Another will show how wireless sensors commonly used to monitor temperatures and pressures of oil pipelines and other industrial equipment could be made to give false readings that trick automatic controllers or human operators into taking damaging action. A third talk will detail flaws in wireless technology used in 50 million energy meters across Europe that make it possible to spy on home or corporate energy use and even impose blackouts.

U.S. officials have frequently warned that vulnerabilities in industrial control systems could permit damaging attacks on public infrastructure resulting in power outages, environmental damage, or even loss of life (see “U.S. Power Grids a Hacking Target” http://www.technologyreview.com/news/429611/old-fashioned-control-systems-make-us-power-grids-water-plants-a-hacking-target/).

All the attacks to be mentioned today require significantly fewer resources and skill than what was required to employ the best-known attack on an industrial system, the U.S.-Israeli-backed Stuxnet operation against the Iranian nuclear program (see “New Malware Brings Cyberwar One Step Closer” http://www.technologyreview.com/news/425832/new-malware-brings-cyberwar-one-step-closer/).

“We have demonstrated a few scenarios that will cause a catastrophic breakdown—a pipe to burst or tank to overflow—while sending a completely different view to the controller,” says Brian Meixell of Texas security company Cimation, who brought the replica water plant component to show off the vulnerabilities he discovered.

With colleague Eric Forner, Meixell exploited a protocol called Modbus that has been used to control industrial equipment since the 1970s and is still in wide use today on devices often connected directly to the Internet. Scans of public IP addresses have revealed that at least 90,000 industrial control devices are online and vulnerable to that type of attack, says Forner (see “What Happened When One Man Pinged the Whole Internet” http://www.technologyreview.com/news/514066/what-happened-when-one-man-pinged-the-whole-internet/). Modbus is insecure because no one in the industry that uses it thought it was a priority to make it secure, says Meixell.
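The 1970s-era control protocol the Cimation team exploited is Modbus, and its TCP framing shows why "no one thought it was a priority to make it secure" is the whole story: the header names a transaction and a unit, never a sender, so a device has nothing to check before acting on a write. The following is an added example and is not code from Cimation, the article, or any PLC vendor. It encodes and decodes Modbus/TCP request frames and runs a passive check, of the kind a network tap in front of a PLC could run, over constructed frames: any state-changing function code from a host outside an assumed allow-list of engineering workstations is flagged. The source addresses, register numbers and the allow-list are invented for the example.

```python
"""Modbus/TCP framing and a passive unauthorized-write check.

Added example, not from the article or Cimation. Modbus/TCP carries no
authentication: the 7-byte MBAP header names a transaction and a unit,
so any host that can reach TCP/502 can issue a write. Sample frames,
source addresses and the allow-list below are constructed.
"""
import struct
from dataclasses import dataclass

MODBUS_PROTOCOL_ID = 0

# Public function codes that change coil or register state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_request(transaction_id, unit_id, function, data):
    """MBAP header (transaction id, protocol id, length, unit id) + PDU.
    The length field counts the unit id byte plus the PDU. Nothing here
    identifies or authenticates the sender."""
    pdu = struct.pack(">B", function) + data
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID,
                       len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """Function code 6: set one holding register, e.g. a pump setpoint."""
    return build_request(transaction_id, unit_id, 6,
                         struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, start, quantity):
    """Function code 3: the read an HMI polls with."""
    return build_request(transaction_id, unit_id, 3,
                         struct.pack(">HH", start, quantity))


def parse_request(frame):
    """Decode an ADU; rejects non-Modbus protocol ids and bad lengths."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return ModbusRequest(tid, unit, frame[7], bytes(frame[8:]))


def write_target(req):
    """(address, value) for single-item writes, (start, count) for multi-item ones."""
    if req.function in (5, 6, 15, 16):
        return struct.unpack(">HH", req.data[:4])
    return None


def flag_unauthorized_writes(flows, allowed_writers):
    """flows: (source_ip, frame) pairs as a network tap would see them.
    Returns (source_ip, unit_id, function name, target) for every write
    not issued by an allow-listed engineering workstation."""
    alerts = []
    for src, frame in flows:
        req = parse_request(frame)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, req.unit_id, WRITE_FUNCTIONS[req.function],
                           write_target(req)))
    return alerts


# Constructed traffic: the HMI at 10.0.0.5 polls and writes a setpoint;
# an Internet host then rewrites the same register and forces a coil on.
ALLOWED_WRITERS = {"10.0.0.5"}
FLOWS = [
    ("10.0.0.5", read_holding_registers(1, 1, 0, 10)),
    ("10.0.0.5", write_single_register(2, 1, 16, 1200)),
    ("203.0.113.7", write_single_register(1, 1, 16, 0xFFFF)),
    ("203.0.113.7", build_request(2, 1, 5, struct.pack(">HH", 3, 0xFF00))),
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(FLOWS, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The allow-list is a network-layer substitute for the authentication the protocol lacks, which is why it only helps when the PLC is not reachable from the Internet in the first place; a device among the 90,000 exposed ones will accept the third and fourth frames above exactly as it accepts the first two.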

Lucas Apa, a researcher with IOActive, says this attitude also underpins the flaw he and colleague Carlos Mario Penagos found in wireless sensors that are used to monitor oil, water, nuclear, and natural gas infrastructure. The three leading suppliers of those sensors designed them so that they can be made to give spoof readings, or even be shut down with a relatively cheap 40-mile-range radio transmitter, says Penagos. “We can show total shutdown of the plant,” he says.

That problem—and the one discovered by the Cimation team—is now known to the companies that make the equipment, and to the industrial and infrastructure companies that buy them, thanks to a data-sharing program run by the Department of Homeland Security. That program, called ICS-CERT, for Industrial Control System Cyber Emergency Response Team, shares newly published data on vulnerabilities with affected companies and industrial operators.

However, just because ICS-CERT highlights a problem doesn’t mean it gets fixed promptly.

Read the rest here:

http://www.technologyreview.com/news/517731/hacking-industrial-systems-turns-out-to-be-easy/


Page 7, Volume 2 Number 8

The Impact of Cybersecurity Legislation and Policy

A panel of critical infrastructure security experts gathered last week to discuss the impact of recent legislative and policy initiatives. According to one Obama Administration official, the industry should expect the first version of the NIST-led cybersecurity framework in early 2014.

By InfoSecurity, August 13, 2013

Among the issues discussed by the panel were privacy, industry blowback, and congressional efforts to address cybersecurity for critical infrastructure operators (CI) – most of which are privately owned in the US.

Norman Pearlstine, chief content officer for Bloomberg LP and chairman of Bloomberg Businessweek, moderated the discussion, and first highlighted former Sen. Joe Lieberman’s efforts to get a comprehensive cybersecurity bill passed. He considered this one of the most noteworthy recent developments, mostly due to the resistance it received from the business community, including the US Chamber of Commerce.

The defeat of the Cybersecurity Act of 2012 in the US Senate, as Pearlstine observed, was a major factor in President Obama’s February 2013 executive order (http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity) on cybersecurity for CI. “It has changed some of the rules in terms of some of our behavior”, he commented to an audience of security and intelligence professionals during last week’s SINET Innovation Summit at New York’s Columbia University.

Recent moves by the administration – including the executive order – have attempted to address counter-terrorism, hazards, resiliency and cybersecurity issues for CI, according to an evaluation given by Bruce McConnell, the Department of Homeland Security’s acting Deputy Undersecretary for Cybersecurity. A major issue raised in the debate over the executive order and its proposed framework is the degree to which privacy concerns will be addressed, mainly for the protection of the infrastructure operators themselves.

“We can get both privacy and security,” McConnell asserted. “The way to do that is by building trust through transparency.” Examples he provided included adequate oversight and reporting by the government – namely unclassified privacy impact assessments that outline how information is collected and used.

Privacy is one part of the “three-legged stool” McConnell outlined as part of these legislative/policy efforts; the other components comprise information sharing (both classified and unclassified) by the government with CI operators and the proposed Cybersecurity Framework spearheaded by NIST.

McConnell said the framework currently in development will be the basis of a voluntary program for CI operators, with a beta version expected in October 2013, followed by an expected finalized framework in February 2014. The voluntary framework will have a scaled model, he anticipated, based on an organization’s maturity and needs, rather than being one all-encompassing “ceiling-type model” for operators to implement.

Mark Weatherford formerly held McConnell’s position at DHS, and is now a principal with the Chertoff Group, a security advisory firm. He said legislative efforts in the area failed because of industry backlash, in addition to poor communication of the imperatives involved by those promoting them. As for the executive order, Weatherford offered more tempered praise: “It raises the dialogue...without going too far. It advances the ability of the government, through NIST, and advances the conversation across the industry. There are limitations”, he continued, adding “there is a certain amount of distrust among industry”.

Weatherford also identified “scaling issues” with the executive order, with respect to the information sharing provisions. The issue of additional security clearances within the private sector is a primary concern, he noted, especially given the post-Snowden era the US government is now operating within.

He concluded that the executive order would be an “evolutionary process”, but would be an overall positive development for CI cybersecurity and the industry as a whole. “It will take a number of years to get this framework to a place where industry accepts it and embraces it”, Weatherford concluded.

Read the rest here:

http://www.infosecurity-magazine.com/view/33977/the-impact-of-cybersecurity-legislation-and-policy/


Page 8, ISSA-COS News

Chinese Hacking Team Caught Taking Over Decoy Water Plant

A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems.

By Tom Simonite, MIT Technology Review, August 2, 2013

A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.

The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy” http://www.technologyreview.com/news/517731/hacking-power-plants-turns-out-to-be-easy/). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.

The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China’s army (see “Exposé of Chinese Data Thieves Reveals Sloppy Tactics” http://www.technologyreview.com/news/511456/expos-of-chinese-data-thieves-reveals-sloppy-tactics/).

“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit told MIT Technology Review, but the group clearly didn’t attack the honeypot by accident while seeking another target. “I actually watched the attacker interface with the machine,” says Wilhoit. “It was 100 percent clear they knew what they were doing.”

Wilhoit went on to show evidence that other hacking groups besides APT1 intentionally seek out and compromise water plant systems. Between March and June this year, 12 honeypots deployed across eight different countries attracted 74 intentional attacks, 10 of which were sophisticated enough to wrest complete control of the dummy control system.

Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems.

None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too-easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

Wilhoit used a tool called the Browser Exploitation Framework, or BeEF, to gain access to his attackers’ systems and get precise data on their location. He was able to access data from their Wi-Fi cards to triangulate their location.

The 74 attacks on the honeypots came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S. About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan.

The results lead Wilhoit to conclude that water plants, and likely other facilities, around the world are being successfully compromised and taken control of by outside attackers, even if no major attack has been staged. “These attacks are happening and the engineers likely don’t know,” he told MIT Technology Review.

Wilhoit previously published the first research that proved some people were actively trawling the Internet with the intention of compromising industrial control systems (see “Honeypots Lure Industrial Hackers Into the Open,” http://www.technologyreview.com/news/514216/honeypots-lure-industrial-hackers-into-the-open/). He now plans to put honeypots inside real industrial facilities to attempt to capture details of targeted attacks.

Read the rest here:

http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/

Page 9, Volume 2 Number 8

FBI Taps Hacker Tactics to Spy on Suspects

By Jennifer Valentino-Devries and Danny Yadron, Wall Street Journal, August 3, 2013

Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation's programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can't be wiretapped like a phone, is called "going dark" among law enforcement.

A spokeswoman for the FBI declined to comment.

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.'s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.

The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.

The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.

Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer's camera, according to court documents. The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people.

Since at least 2005, the FBI has been using "web bugs" that can gather a computer's Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example.

The FBI "hires people who have hacking skill, and they purchase tools that are capable of doing these things," said a former official in the agency's cyber division. The tools are used when other surveillance methods won't work: "When you do, it's because you don't have any other choice," the official said.

Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly.

Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren't misused. "People should understand that local cops are going to be hacking into surveillance targets," said Christopher Soghoian, principal technologist at the American Civil Liberties Union. "We should have a debate about that."

Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance.

A search warrant would be required to get content such as files from a suspect's computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department's primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps.

But if the software gathers only communications-routing "metadata"—like Internet protocol addresses or the "to" and "from" lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect's property, he added.

An official at the Justice Department said it determines what legal authority to seek for such surveillance "on a case-by-case basis." But the official added that the department's approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata.

Read the rest here:

http://online.wsj.com/article_email/SB10001424127887323997004578641993388259674-lMyQjAxMTAzMDAwMTEwNDEyWj.html

Page 10, ISSA-COS News

The Rise (and Risk) of Modern Media

Tablets, smartphones, GPS devices, flash drives, and other devices have become a way of life, changing the way we acquire forensic evidence.

By Gary Torgersen, DFI News, May 28, 2013

Modern media is changing the forensic process. We are increasingly seeing the need to acquire forensic evidence from tablets, smartphones, GPS devices, flash drives, solid state hard drives, and other devices. They have become a way of life. We use them in business, in our homes, and in our cars.

These kinds of devices store data differently than the traditional computer hard drive. The rotating platters and magnetic heads of conventional hard disk drives enable us to set up a standardized process for predictable data acquisition, including recovery of deleted files. They also provide complete metadata logs, tracking every process that happens. In contrast, these new gadgets, which are so useful and convenient in everyday life, can be a bane to the forensic technician.

Each of the new storage media has its own logic about how and when it writes, overwrites, moves, and deletes files. Additionally, while they can be manipulated by external commands—some more than others—some actions may be performed automatically that can actually destroy evidence.

There is also a significant amount of variation among these devices. We may run into a number of operating systems in dealing with conventional computer hard drives, but a phone, for example, may have hundreds, even thousands, of options. Beyond the multiple brand names, there are different models, systems, versions, applications, and other factors, including if they have been “rooted” or “jailbroken.”

In terms of forensic collection and analysis, these are significant issues that create the dilemma of not being able to know if all data has effectively been gathered. Plus, the many differences require that we create and tailor processes that are customized to each specific device. And still we may lose evidence.

These new and continually changing technologies require constant study and flexibility. Our industry does a remarkable job of adapting and evolving processes to accommodate new media and provide the most complete and accurate collection methods possible.

Yet, the biggest issue in collecting data from these devices is not actually associated with the device itself. The real problem is in determining who has control of the device.

Do You Know Where Your Data Is?

The Bring Your Own Device (BYOD) phenomenon is affecting forensic data acquisition because it creates crossover between data that is controlled by an individual versus by a company. People are using their personal devices for work-related tasks because it can seem easier than trying to use typical work resources. For example, an employee may use a tablet to take notes during an office meeting, or a phone to text a work colleague, or a portable hard drive to transport files to be able to work from home. That may be more convenient for the user, but if the data on that device needs to be collected, it may mean collecting personal information as well.

Forensically, the main problem is the opposite scenario: if the corporation’s data needs to be collected from a personal device and that company does not have control of or access to the device, it can effectively halt the investigation and collection process.

It is vital for corporations to establish thorough policies for managing data on mobile and portable devices. If that information needs to be collected as digital evidence for forensic analysis or electronic discovery, it is the company’s responsibility to know where their data is.

Here are some tips for safeguarding your data in a BYOD world.

1. Only allow devices that will actually be used for corporate items. Just because someone has a personal iPad does not mean they should be able to connect it to the corporate environment. Unless there is a legitimate business usage for the device, it should be excluded from access.

An argument can be made that it’s reasonable to allow access to some groupware services, such as e-mail or a company calendar, on a personal device. After all, that data is stored somewhere in the cloud and only viewed (not housed) on a phone or tablet. That may be true for some companies, but I caution you against it. Once the door is open, it can be easy to let other things out.

2. Devices must be able to be controlled from within the organization. Corporate IT resources must be able to remotely lock and wipe a device. This ensures that corporate data can be deleted remotely if a device is lost or stolen or an employee is terminated.

A data ownership agreement between the employee and the company should fully disclose the policy and ramifications. In addition to being able to remotely lock or wipe the device, it should grant authority to the company and establish procedures for creating passwords, accessing company resources, installing updates and applications, tracking usage, and backing up the data.

Read the rest here:

http://www.dfinews.com/articles/2013/05/rise-and-risk-modern-media?et_cid=3409465&et_rid=454841830&location=top

Page 11, Volume 2 Number 8

White House publishes preliminary list of cybersecurity incentives

By Jennifer Martinez, The Hill, August 6, 2013

The White House on Tuesday released (http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework) a preliminary set of incentives it may offer power plants, water companies and others that operate critical infrastructure to get them to join a cybersecurity program chaired by the Homeland Security Department.

Companies could receive insurance from agencies if they adopt certain cybersecurity best practices and standards within their computer networks, priority consideration for grants and technical assistance from the government, and public recognition for compliance with the voluntary program's cybersecurity standards.

The administration compiled the list of preliminary incentives in accordance with the cybersecurity executive order signed by President Obama in February. The cyber order directed the Commerce, Treasury and Homeland Security departments to develop a list of incentives that the government could offer companies to entice them to join the cybersecurity program.

"Over the next few months, agencies will examine these options in detail to determine which ones to adopt and how, based substantially on input from critical infrastructure stakeholders," the White House said in a blog post. "We believe that sharing the findings and our plans for continued work will promote transparency and sustain a public conversation about the recommendations."

The White House stressed that publishing these preliminary incentives "is an interim step" and should not be considered its "final policy position on the recommend[ed] actions."

The president signed the executive order after Congress failed to reach agreement on cybersecurity legislation twice last year. Top national security and intelligence officials have warned that the United States is vulnerable to a devastating cyberattack that could lead to disruption or fatalities.

Unlike legislation, an executive order must stay within the parameters of existing law and cannot grant new powers or authorities. This limits the types of carrots the government can offer to companies without having to pass new legislation.

For example, the executive branch cannot offer companies liability protection without passing new legislation first. Cybersecurity legislation considered in Congress last year would have granted companies protection from lawsuits if they're part of the cybersecurity program run by DHS and still suffer a security breach on their computer networks.

Read the rest here:

http://thehill.com/blogs/hillicon-valley/technology/315795-white-house-publishes-preliminary-list-of-cybersecurity-incentives

New Report Lays Out Principles for Sound Cybersecurity Policy

The Heartland Institute, August 7, 2013

Cyber crime and cyber attacks are genuine threats, with reports of data breaches, hacks, or thefts appearing regularly in the news. But as law enforcement, industry, academic, and government experts prepare to gather in New York City on August 5–8, 2013, for the fourth International Conference on Cybersecurity (ICCS 13), it’s worth asking whether the threat has been overstated and the government’s approach to it, overreaching.

In “U.S. Cybersecurity Policy: Problems and Principles,” (http://heartland.org/sites/default/files/08-01-13_titch_policy_brief_cybersecurity.pdf) a new Policy Brief from The Heartland Institute, IT policy analyst Steven Titch summarizes the three broad categories of cyber threat — theft/fraud, espionage/exposure, and disruption/destruction — and describes the appropriate responses to each. He explains why “the current, one-size-fits-all approach to cybersecurity, exemplified by CISPA [the Cyber Intelligence Sharing and Protection Act], the Cybersecurity Act, and CFAA [the Computer Fraud and Abuse Act] cannot help but fail.”

Titch also explains why fears that the U.S. may be vulnerable to a cyber-terrorist attack are likely overblown and should be viewed rationally. Could a cyber attack cause death and destruction on a massive scale? Could power plants be shut down, the rail system be hacked so freight trains derail or crash, or the air traffic control system be so crippled as to cause mid-air collisions? Titch addresses all of these concerns and more.

Read the rest here:

http://www.dfinews.com/news/2013/08/new-report-lays-out-principles-sound-cybersecurity-policy?et_cid=3409465&et_rid=454841830&location=top

Page 12, ISSA-COS News

Cloud Computing Presents a Unique Forensic Challenge

By John J. Barbara, DFI News, October 30, 2009

Over the past several years, cloud computing has begun to expand in the business community. For those unfamiliar with the terminology, cloud computing is a style of computing which allows and provides for scalable and virtualized computer related resources using the Internet. One of its major advantages is that a business does not need to have any knowledge, expertise, or control of the infrastructure. Obviously, this can become a huge cost savings for those businesses who utilize the services inherent with cloud computing. For instance, some services include online business applications that are accessible through any browser from any computer. The actual software and data resides on servers external to the business itself. It is easy to understand how this becomes very attractive to businesses; they would not have to invest huge sums of money in software and hardware. Since they do not own the host infrastructure, they only pay the provider for services and resources they consume (analogous to paying the water utility company for the amount of water used each month). There is probably no limit to the types of services that can be obtained via cloud computing. Some of these include:

Compute facilities provide computational services so that users can use central processing unit (CPU) cycles without buying computers.

Storage services provide a way to store data and documents without having to continually grow farms of storage networks and servers.

SaaS companies offer CRM services through their multi-tenant shared facilities so clients can manage their customers without buying software.

These represent only the beginning of options for delivering all kinds of complex capabilities to both businesses and individuals.

Cloud computing providers usually offer a variety of services. Some of those providers include VMware, Sun Microsystems, Rackspace US, IBM, Amazon, Google, BMC, Microsoft, Ubuntu, and Yahoo.

Irrespective of the provider, cloud computing relies on the use of Virtual Machines (VMs) and some combination of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS). VMs are software implementations of a computer which can execute programs like a real computer and can be spawned on any computer as needed. There are two types of VMs: the system VM which supports the execution of a complete operating system, and the process VM which is designed to run a single program supporting a single process.

Read the rest here:

http://www.dfinews.com/articles/2009/10/cloud-computing-another-digital-forensic-challenge

NASA Didn't Even Come Close to Creating a Secure Cloud Network

By Adam Clark Estes, Gizmodo, July 29, 2013

Like a lot of organizations, NASA's doing its best to keep up with the times and move its computer systems onto the cloud. Like only a government agency can do, it's failing fantastically at doing so securely.

A review released on Monday by NASA's inspector general (http://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf) had nothing good to say about the space agency's cybersecurity situation. The report found that a large number of cloud initiatives suffered from dangerously poor security, so poor that they would have "severe adverse effects" on NASA if compromised. And out of five contracts reviewed, "none came close" to offering adequate cybersecurity. And on top of that, over 100 of NASA's internal and external websites were found to have no security measures in place whatsoever.

This shouldn't be so surprising. NASA's historically terrible at cybersecurity. Seriously, it seems like the space agency gets hacked every other week. In February of this year, for example, Anonymous hit NASA and leaked a bunch of data. That looks like child's play compared to last year, when NASA admitted to thousands of breaches due to lack of security. Heck, a 15-year-old hacker even broke into NASA back in 1999 and shut down the computers that run the International Space Station for nearly a month. That's just to name a few security breaches.

Read the rest here:

http://gizmodo.com/nasa-didnt-even-come-close-to-creating-a-secure-cloud-954677339

Page 13, Volume 2 Number 8

Cocky, Sloppy and Busted

By James Dunnigan, Strategy Page, August 6, 2013

This month a Chinese firm (Sinovel) was indicted by an American federal prosecutor for stealing wind turbine design details and software from an American firm (AMSC). It is claimed that the theft (carried out by former employees of AMSC) cost the American company nearly a billion dollars in lost revenue over the last two years. There are going to be a lot more court cases like this because Chinese firms are becoming bolder in how they exploit stolen software and other technology. In the past the Chinese were only so blatant in the use of stolen tech when exporting military equipment copied from Russian designs. The Chinese had started doing this during the Cold War, which sometimes got fairly hot (there were some deadly border skirmishes) because China and Russia developed some territorial and ideological disputes that did not settle down until the Soviet Union dissolved in 1991. The Russians are still angry about the continued Chinese theft of their tech and growing Russian threats over this caused the Chinese to sign agreements to stop stealing and reselling Russian tech. This only slowed the Chinese down, but it placated the Russians for a while. The Americans are starting to sound like the Russians in the 1990s, but the Americans have more legal and economic clout to deploy and this situation is liable to get ugly before (if ever) it gets better.

In the last year most American officials have come to openly admit that a whole lot of American military and commercial technical data has been stolen via Chinese Internet (and more conventional) espionage efforts. The Americans are not providing details of exactly how they collected all the evidence, but apparently it is pretty convincing for many American politicians and senior officials who had previously been skeptical. The Chinese efforts have resulted in most major American weapons systems having tech details revealed, in addition to a lot of non-defense technology (as in the AMSC case above). It’s not just the United States that is being hit but most nations with anything worth stealing. Many of these nations are noticing that China is the source of most of this espionage and few are content to remain silent any longer.

It’s no secret that Chinese intelligence collecting efforts in the last decade have been spectacularly successful. As the rest of the world comes to realize the extent of this success, there is a building desire for retaliation. What form that payback will take remains to be seen. Collecting information, both military and commercial, often means breaking laws and hacking back at the suspected attackers will involve even more felonies. China has broken a lot of laws. Technically, China has committed acts of war because of the degree to which it penetrated military networks and carried away copies of highly secret material. The U.S., and many other victims, has been warning China there will be consequences. As the extent of Chinese espionage becomes known and understood, the call for “consequences” becomes louder.

China has tried hard to conceal its espionage efforts. Not just denying anything and everything connected to its hacking and conventional spying but also taking precautions. But as their success continued year after year, some of the Chinese hackers became cocky and sloppy. At the same time, the victims became more adept at detecting Chinese efforts and tracing them back to specific Chinese government organizations or non-government hackers inside China.

Undeterred, China has sought to keep its espionage effort going and has even expanded operations. For example, during the last five years China has opened National Intelligence Colleges in many major universities. In effect, each of these is an "Espionage Department" where, each year, several hundred carefully selected applicants are accepted in each school, to be trained as spies and intelligence operatives. China has found that espionage is an enormously profitable way to steal military and commercial secrets and rewards those who have talent and make a career of it. The Internet based operations, however, are only one part of China’s espionage efforts.

While Chinese Cyber War operations in this area get a lot of publicity, the more conventional spying brings in a lot of stuff that is not reachable on the Internet. One indicator of this effort is the fact that American counter-intelligence efforts are snagging more Chinese spies. This is partly due to increased spying effort by China, as well as more success by the FBI and CIA. All this espionage, in all its forms, has played a large part in turning China into one of the mightiest industrial and military powers on the planet. China is having a hard time hiding the source of the new technologies they are incorporating into their weapons and commercial products. Many of the victims initially had a hard time accepting the fact that the oh-so-eager (to export) Chinese were robbing their best customers of intellectual property on a grand scale. Now Western firms are a lot more wary about dealing with the Chinese.

Read the rest here:

http://www.strategypage.com/dls/articles/Cocky-Sloppy-And-Busted-8-6-2013.asp

Page 14, ISSA-COS News

News Ripped From the Headlines

August 3, IDG News Service – (International) Defcon researchers reveal tricks behind their car hack. Two security researchers delivered a presentation at the DEF CON 21 conference where they demonstrated how they were able to take control of several car systems and perform actions such as steering, acceleration, displaying incorrect speedometer readings, and others. Source: http://www.pcworld.com/article/2045895/researchers-reveal-methods-behind-car-hack-at-defcon.html

August 6, The Register – (International) Windows Phones BLAB passwords to hackers, thanks to weak crypto. Microsoft warned users to take precautions after it was found that the encryption Windows Phones use to transmit domain credentials is cryptographically weak, allowing rogue hotspots to intercept and decrypt the information. Microsoft advised IT departments to distribute a special root certificate that allows the phones to confirm that they are connecting to a genuine access point before transmission. Source: http://www.theregister.co.uk/2013/08/06/microsoft_win_phone_wifi_vuln/

August 8, Help Net Security – (International) Chrome not the only browser that stores plain-text passwords. Google re-sponded to a software developer’s post that discussed how the Chrome browser displays saved passwords by stating that if an attacker compromises a user’s operating system account then there would be insufficient means to prevent them from access-ing passwords. Several security researchers debated whether the saved passwords systems represent a security threat, while one noted that Firefox also stores passwords in a similar manner. Source: https://www.net-security.org/secworld.php?id=15376

August 12, CNET – (International) Hacker pleads not guilty to stealing 160M credit cards. A man accused of participating in the biggest hacking scheme in U.S. history spanning from 2005 to 2012 pleaded not guilty August 12 to stealing more than 160 million credit card numbers by hacking into corporations and selling the stolen credit card information to other parties. The Rus-sian national and several others cost the companies and customers a combined total of more than $300 million. Source: http://news.cnet.com/8301-1009_3-57598232-83/hacker-pleads-not-guilty-to-stealing-160m-credit-cards/

August 15, 2013, SCNet—(Washington) U.S. defense contractor sustains data breach. Employees for and applicants to the linguist program of Virginia-based defense contractor Northrop Grumman may have had their sensitive information compro-mised when a database was accessed by an unauthorized party. How many victims? Unknown. Northrop Grumman employs more than 70,000 people, thousands of whom work as linguists, according to reports. What type of personal information? Names, contact information, date of births, blood types, Social Security numbers and other government-issued identification numbers. What happened? A database related to the linguist program was accessed by an unauthorized party, Source: http://www.scmagazine.com/us-defense-contractor-sustains-data-breach/article/307498/#

August 14, Help Net Security – (Texas) Hacker hijacks baby monitor camera, terrorizes family. A couple in Houston reported that an attacker hijacked an Internet-connected baby monitor, yelling through its speakers and controlling its camera. Source: https://www.net-security.org/secworld.php?id=15406

August 27, Softpedia – (International) Java 6 zero-day spotted in the wild, users advised to update to Java 7. Researchers at F-Secure spotted a zero-day vulnerability in Java 6 currently being exploited in the wild. Users are advised to update to Java 7 as there will be no patch for the no-longer-supported Java 6. Source: http://news.softpedia.com/news/Java-6-Zero-Day-Spotted-in-the-Wild-Users-Advised-to-Update-to-Java-7-378432.shtml

Page 15: ISSA-COS NEWSLETTER · internet-connected devices: Having the ability to control them remotely could mean giving hackers the ability to damage them remotely, or re-purpose them for

Page 15, Volume 2, Number 8

Productivity Tools for Cybercrime

It's a lot easier to steal hundreds of millions of dollars now than it used to be.

By Bill Davidow, The Atlantic, August 23, 2013

Stealing ten million dollars a few hundred dollars at a time used to be too labor-intensive to be a great business. Not anymore. The Internet and advances in semiconductor technology are revolutionizing theft and fraud. Thieves can now steal tens of millions of dollars at very high profit margins from low-value targets--at very low cost to themselves.

The recent indictment of a global hacker ring by federal prosecutors is a harbinger of cybercrime's future. The ring stole 160 million credit card numbers and sold the data for about $10 per USA card. The same group stole information on 800,000 bank accounts. More than $300 million was taken from three affected companies.

And now the news for cybercriminals is getting even better: a shadowy cybercrime underground is providing them with tools and services that will make them more efficient.

The productivity of low-level cyber-laborers can be staggering. No minimum wages here. The recent $45 million cyber-theft that targeted Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC (RAKBANK) of the United Arab Emirates spanned 27 countries. In ten hours, approximately $40 million was stolen in 36,000 transactions, or about $1,100 per transaction. The leaders of the global crime ring that pulled off the heist have yet to be identified. Seven of the eight cyber-laborers who worked New York City have been apprehended. The eighth is believed to have died. The eight were able to steal $2.9 million in ten hours. The local gang kept around 20% or roughly $600,000. That comes out to about $7500 per hour per thief--more than one thousand times the city's minimum wage of $7.25 per hour. What a great alternative to flipping burgers.

One of cybercrime's most important products is the botnet, short for robotic network: software programs that run on servers. The person in charge of the botnet is called a cracker. The goal of the botnet servers is to install malicious software on computers and turn them into zombie computers. Zombies take orders from the botnet servers. They may be commanded to send out spam, engage in denial of service attacks, or install software on other people's computers that enables them to track keystrokes. By tracking keystrokes, zombie computers can get access to user names and passwords linked to online bank accounts.

The computer in your home office may be one of these zombies--an active foot soldier in a cybercrime army.

The scale of these operations is difficult to comprehend. Microsoft recently broke up the Citadel Botnet Ring. The ring consisted of 1,500 botnet servers, the virtual equivalent of mafia consigliere that recruited and managed 1.2 million zombies. Microsoft claims Citadel Botnets were responsible for $500 million in thefts.

Large-scale, sophisticated botnet criminal rings have been quite expensive to set up. But now, criminal start-up entrepreneurs can do it on the cheap. They can buy software and services and get in business for as little as $595. They can even buy surplus zombies for pennies. Zombies under the control of the Zeus botnet were recently offered at $60 per thousand, or 6 cents per foot soldier. Payment in an anonymous Internet currency was required, making it extremely difficult to identify the buyer or seller.

Service companies have sprung into existence to do the jobs computers can't. One of the techniques web sites use to thwart bots is captchas--the string of distorted letters users have to type in when setting up accounts on Internet sites. Because these distorted letters are difficult for machines to read, humans must do the job. Numerous sweatshops employing hundreds of workers have been set up in Asia, where low-wage workers decode captchas for less than a dollar per thousand. Some bots even contain interfaces that will automatically submit captchas to the sweatshops.

Shutting down a botnet ring is no easy task. One technique is to get court orders to disable botnet servers. When authorities in Panama and the Netherlands took down the Grum botnet that was primarily employed in sending out pharmaceutical spam emails from their countries, the cybercriminals brought up servers in the Ukraine, a safe haven for cybercriminals, to carry on their work. Another technique is to use "sinkhole" servers that can block botnets from getting access to the website they are trying to attack. Sinkholes can be used to discover zombie computers and notify their owners to disinfect them or take the infected computers offline.
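The "discover zombie computers and notify their owners" step works from logs: once the seized command-and-control names point at a sinkhole, any internal host that keeps resolving them is a machine to clean. The Python below is an added illustration of that triage, not code from the article or from any takedown operation; the log line format, the .invalid domain names, the sinkhole address 10.99.0.1, the INTERNAL_NETS ranges and the sample log are all constructed assumptions.

```python
"""Find likely bot-infected hosts from resolver logs after a sinkhole.

Added illustration, not code from the article or any takedown. Assumptions:
the resolver writes one line per query in the constructed format below, the
C2 names listed have already been re-pointed at SINKHOLE_IP, and the
INTERNAL_NETS ranges are the organization's own address space.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median
import re

SINKHOLE_IP = "10.99.0.1"   # constructed: where the seized C2 names now resolve
SINKHOLED_DOMAINS = {       # constructed placeholders, not real indicators
    "c2-example-a.invalid",
    "updates.c2-example-b.invalid",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed format: "<iso timestamp> client <ip>#<port> query: <name> IN A <answer>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+)#\d+ query: (?P<qname>\S+) IN A (?P<answer>\S+)$"
)


def parse_line(line):
    """Fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_sinkholed(qname, answer):
    """True if the name is a seized C2 domain (or a subdomain of one), or if
    it resolved to the sinkhole address, which catches names added later."""
    name = qname.rstrip(".").lower()
    if answer == SINKHOLE_IP:
        return True
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def find_infected_hosts(lines, min_hits=2):
    """Map each internal source IP to its sinkhole hits, keeping hosts with at
    least min_hits queries: repeated lookups look like beaconing, a single
    lookup may be a curious user or an analyst."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never counted as hits
        try:
            src = ip_address(rec["src"])
        except ValueError:
            continue
        if not any(src in net for net in INTERNAL_NETS):
            continue  # only our own hosts can be notified and cleaned
        if is_sinkholed(rec["qname"], rec["answer"]):
            hits[rec["src"]].append((rec["ts"], rec["qname"]))
    return {ip: h for ip, h in hits.items() if len(h) >= min_hits}


def beacon_interval_seconds(host_hits):
    """Median gap between consecutive hits; a steady value points to an
    automated check-in rather than browsing. None with fewer than two hits."""
    times = sorted(datetime.fromisoformat(ts) for ts, _ in host_hits)
    if len(times) < 2:
        return None
    return median([(b - a).total_seconds() for a, b in zip(times, times[1:])])


def notification_report(infected):
    """One line per host for the owner-notification queue."""
    report = []
    for ip in sorted(infected):
        names = sorted({q for _, q in infected[ip]})
        report.append(f"{ip}: {len(infected[ip])} sinkhole hits, names={names}, "
                      f"median_interval_s={beacon_interval_seconds(infected[ip])}")
    return report


# Constructed sample: 192.168.1.23 checks in every 30 minutes, 192.168.1.50
# is seen once, and 203.0.113.7 is outside our address space.
SAMPLE_LOG = [
    "2013-08-27T10:01:02 client 192.168.1.23#51234 query: c2-example-a.invalid IN A 10.99.0.1",
    "2013-08-27T10:01:05 client 192.168.1.23#51240 query: www.example.com IN A 198.51.100.10",
    "2013-08-27T10:31:02 client 192.168.1.23#51301 query: c2-example-a.invalid IN A 10.99.0.1",
    "2013-08-27T10:31:09 client 192.168.1.50#40000 query: cdn.updates.c2-example-b.invalid IN A 10.99.0.1",
    "2013-08-27T11:01:02 client 192.168.1.23#51388 query: c2-example-a.invalid IN A 10.99.0.1",
    "2013-08-27T11:02:00 client 203.0.113.7#4444 query: c2-example-a.invalid IN A 10.99.0.1",
    "this line is not a query record",
]

if __name__ == "__main__":
    for line in notification_report(find_infected_hosts(SAMPLE_LOG)):
        print(line)
```

On the sample log the report names only 192.168.1.23, with three hits at a steady 1800-second interval, the pattern that separates an infected host from someone who looked a name up once; lowering min_hits to 1 adds 192.168.1.50, while the external address is never listed because only hosts in your own ranges can be notified.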

Rapid technological advances are creating opportunities to expand the cybercrime market. RSA, the security division of EMC, a multibillion dollar company, believes that one of the major industry trends is that cybercriminals will discover new ways to monetize non-financial data such as utility statements and medical records. Barclays recently determined that cyber pickpockets using mobile phones could compromise its new secure contactless credit cards when they brushed by the electronic wallets with mobile phones. Researchers at University of California--San Diego discovered that plastic keys in ATM's warm to the user's touch. Using a thermal camera to photograph the keypads, they could identify the keys pressed after ten seconds in 80% of the cases, and using the size of the thermal footprint they could identify the key order in many cases.

The opportunities are endless.

Read the rest here:

http://www.theatlantic.com/technology/archive/2013/08/productivity-tools-for-cybercrime/278974/


Page 16

Bitcoin gets the FBI, Homeland treatment

By Matt Clinch, CNBC, August 14, 2013

Virtual currency bitcoin is to be investigated by both the Federal Bureau of Investigation (FBI) and the U.S. Senate Committee that oversees the Department of Homeland Security (DHS).

The DHS was sent a letter on Monday from the U.S. Senate Committee on Homeland Security and Governmental Affairs asking for any information, plans or strategies on how it currently or plans to treat virtual currencies, including bitcoin.

The letter, posted on the Committee's website (http://www.hsgac.senate.gov/download/letter-to-secretary-napolitano-on-virtual-currencies), explains the attractiveness of the currency for investors and entrepreneurs with its potential for profit and quick payment solutions. But it also warns that its "near anonymous and decentralized nature has also attracted criminals who value few things more than being allowed to operate in the shadows".

The Committee indicates that it has initiated an inquiry into virtual currencies because they are an important emerging area and urges the DHS to reply with information before the end of the month.

"As with all emerging technologies; the federal government must make sure that potential threats and risks are dealt with swiftly; however, we must also ensure that rash or uninformed actions don't stifle a potentially valuable technology," Committee Chairman Thomas Carper and Ranking Member Tom Coburn said in the letter addressed to the Secretary of Homeland Security Janet Napolitano.

Meanwhile, a commerce, justice and science bill from July requests an FBI briefing on the subject of bitcoins and money laundering.

"The Committee directs the FBI, in consultation with the Department and other Federal partners, to provide a briefing no later than 120 days after the enactment of this Act on the nature and scale of the risk posed by such ersatz currency, both in financing illegal enterprises and in undermining financial institutions," said the bill, which was posted on the Committee's website (http://appropriations.house.gov/uploadedfiles/hrpt-113-hr-fy2014-cjs.pdf), and reported Tuesday by several industry blogs.

Jon Matonis, executive director of the Bitcoin Foundation, which aims to promote and protect the cryptocurrency, told CNBC that the wording of the bill is the type that encourages innovative startups to seek out more acceptable international jurisdictions.

"It is difficult to see how this could be favorable for the U.S. in trying to attract bitcoin technology startups," he said.

Bitcoin is a virtual currency that allows users to exchange online credits for goods and services. While there is no central bank that issues them, bitcoins can be created online by using a computer to complete difficult tasks, a process known as mining. Currently one bitcoin is worth just over $111.

A leaked internal document from April 2012 revealed the FBI had concerns that the digital payment system was helping criminals hide from authorities and anticipated increased money laundering activities for bitcoin.

'Pushing the envelope'

More recently it has attracted attention from regulators from around the globe. The New York Department of Financial Services (DFS) issued subpoenas on Monday to several companies associated with bitcoin as part of an inquiry into business practices of the virtual currency industry. In July, U.S. securities regulators charged a Texas man with running a virtual currency Ponzi scheme, through which he raised about $60 million worth of bitcoin.

In May, major currency exchange Mt. Gox from Japan made moves to placate regulators by altering its code of conduct after the U.S. government seized two accounts associated with the firm.

Read the rest here:

http://finance.yahoo.com/news/bitcoin-gets-fbi-homeland-treatment-054851386.html

ISSA-COS News


Page 17, Volume 2, Number 8

Accessing Public Websites Ain't a Crime, Hiding an IP Address Could Be

By Hanni Fakhoury, Gizmodo, August 21, 2013

In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are "authorized" under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to "revoke" this authorization.

3taps collects real-estate data from craigslist and makes it available to other companies to use. One of those companies, Padmapper, republished craigslist apartment postings over a map to enable users to view apartment listings geographically, a feature then unavailable on the craigslist site. Craigslist's terms of service prohibit people from "scraping" or copying data from craigslist's site.

After learning about 3Taps and its clients, craigslist sent 3taps a cease-and-desist letter demanding they stop using craigslist data this way and then blocked 3taps' IP address from accessing the craigslist site. Ultimately, craigslist sued 3taps in federal court, arguing that 3taps had violated the CFAA. 3taps moved to dismiss the case, arguing that under the Ninth Circuit Court of Appeals decision in United States v. Nosal, 3taps could not be liable under the CFAA for violating craigslist's terms of service.

While the court agreed with 3taps on this point, it questioned whether the CFAA even protected information available on a publicly accessible website like craigslist in the first place. After the court agreed to accept additional briefing on this point, we, along with a number of law professors, filed an amicus brief with the court urging it to rule that everyone is "authorized" to visit a public website under the CFAA.

Last week, the court ruled that this interpretation of the CFAA "makes sense," meaning that everyone starts out as "authorized" to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its "power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website" by sending the cease and desist letter and blocking 3taps' IP address. The decision is certainly a mixed bag.

First the positive.

It is encouraging to see courts recognize that the CFAA—which creates both civil and criminal liability—doesn't criminalize accessing information from a publicly accessible website. The government used that precise theory to prosecute Andrew "Weev" Auernheimer for exposing an AT&T security flaw that publicly revealed thousands of customers' email addresses. The possibility of imposing CFAA liability on someone for using information made freely available on the web posed a major threat to the openness and innovation of the Internet.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we've suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have "accessed" information or data "without authorization." In fact one proposal to reform the CFAA currently before Congress, "Aaron's Law," defines "access without authorization" to mean precisely that: "knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information." The court adopted this idea in principle when it found that craigslist's CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

Now for the troubling part of the court's opinion.

Read the rest here:

http://gizmodo.com/accessing-public-websites-aint-a-crime-hiding-an-ip-a-1176428192


Page 18


Risk Management isn’t Just an Obligation, or Something other Execs Want to See… When Done Right, It really works.

By Dr. Mike Lloyd, SecurityWeek, August 23, 2013

Risk management is easy enough to say, but pretty tricky to get right in practice. Some organizations are asked to do it by concerned board members looking for reassurance in an increasingly scary online world. Other organizations are forced to do it – notably Federal agencies responsible to build Continuous Monitoring programs according to the Risk Management Framework laid out by NIST. Others do it because they see it as the right thing to do – in a world where the security budget is never more than a few percent of what it would take to build out everything we could do, there’s an ever-present need to spend the few chips we get as wisely as we can, and Risk Management is as good a name as any for “I can’t do it all, so what is most important?”.

There is a trap, though, if we just treat Risk Management as a nice label for “doing more with less”. We miss a significant opportunity for career advancement. Think of it like this: if the CFO cuts your budget, and you come back a while later with a status report of “good news, I took the cuts, survived, and am still getting lots of good work done” – something that might seem upbeat, even praiseworthy at the time – what message does it send to the CFO? That there was over-spending before and you have now either made the right level, or there’s some fat left to trim. And how do you think the CFO will go about answering that question?

No, cheerful survival, “doing more with less”, and claiming you must be delivering good security because you’ve not been on the front page of The Wall Street Journal on your watch isn’t going to work. What will? We’ve played the Fear, Uncertainty and Doubt card so often that the picture is wearing off the card. (Some say it’s coming back as a viable approach, now that so many breaches are being publicized, but that’s going to vary by organization – how often have you and your predecessors cried wolf?) What else is there?

Risk Management, done right, can be the path out of this quandary. It shows you’re being proactive. Done right, it shows that you neither deliver security (a sure way to get fired after the next breach), but nor do you just spend money for nothing – you manage risk. Executives understand managing – what it is, and what it is not. So you need to show what it is you’re managing, so you can show both why your funding level buys something, but also why it doesn’t buy the luxury of forgetting about security – not at current funding levels, anyway.

And if you really get this right, you won’t just be “managing up”, you’ll be “managing out” – it’s possible to have real impact on the wider organization, in the ever-intractable problem of getting busy ops teams to clean up their messy, lax security afterthoughts.

What evidence is there that this works? For that, I’d like to point to a largely unsung hero of Risk Management – John Streufert, the Director of Federal Network Resilience at the Department of Homeland Security. I find his work is reasonably well-known in Federal circles, but not nearly well enough outside the Beltway. (For full disclosure, I’ve not sold any products to Mr. Streufert – this isn’t a stealth advertorial for my own approach to Risk Management. I just think Mr. Streufert’s approach and public results are worth attention, since they illustrate many of the important lessons in how to get ahead through Risk Management.)

His first work on Continuous Monitoring and Risk Management was while he was CISO at the US Department of State, working on a project known as iPost. This was ground-breaking in its day – 2008 – and is still a level of automation of security assessment that a good number of agencies have yet to achieve or exceed. Is iPost the end game? No, I’d have to say it isn’t, but it’s a source of great lessons. First, and above all, it’s an automated dashboard system – it delivers on the old adage that “sunlight is the best disinfectant”. It measures a wide variety of metrics about host compliance – AV signature status, patch levels, etc. – across a huge infrastructure, including US embassies worldwide. And it cranks through them to generate scores. Does it do everything? No, it won’t make coffee. It doesn’t actually implement changes – it’s a dashboard. But in my experience, it’s the single most effective publicly documented dashboard project I’ve seen.

Read the rest here:

http://www.securityweek.com/how-get-ahead-risk-management


The Insecure Pacemaker: FDA Issues Guidance for Wireless Medical Device Security

InfoSecurity, August 26, 2013

The concept of a hacker causing a heart attack by remotely compromising a pacemaker or shutting down an insulin pump on a diabetic is unfortunately not in the realm of science fiction, with very real vulnerabilities having been found in connected medical devices. The US Food and Drug Administration (FDA) is now addressing the issue with a 24-page set of recommendations for regulating medical devices with wireless connectivity.

Implantable or worn devices exist in many environments, like hospitals, homes, clinics, blood banks, laboratories and care homes. Given their pervasive nature, and the fact that they are increasingly connected by wireless, the FDA is urging manufacturers to first and foremost fully assess the risk of building wireless technology into devices before it’s implemented. The concerns range from patient data theft (information is often contained on the devices themselves) to more horrific worries, like a murderer shutting down vital functions via remote-access control.

Once RF capability has been deemed satisfactory, manufacturers should "consider appropriate security control methods" for their devices, the FDA said. Suggestions for doing so include:

- Limiting access to trusted users via authentication approaches such as user ID, password, smartcard and biometrics;
- Ensuring secure data transfer to and from the medical device, using encryption when appropriate; and
- Implementing fail-safe device features that protect critical functionality and also deploying features that let organizations recognize, log and act upon security compromises.

“The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems,” the report said. That means including protocols that maintain the security of the communications while avoiding known shortcomings of existing older protocols, and using up-to-date wireless encryption.

Interference is another big concern. The FDA recommends that consideration should be given to any limitations or restrictions for proper operation and RF wireless performance (e.g., alarms, back-up functions, alternative modes of operation) when the RF wireless link is lost or corrupted. In addition, worldwide frequency band allocation and international compatibility is critical to the operations of RF wireless medical devices, and should be considered in their design and development.

The recently deceased security researcher Barnaby Jack brought security concerns around medical devices to the forefront by stopping an insulin pump remotely, live on stage at the Hacker Halted conference in 2011. Jack demonstrated how he could scan radio frequencies and access implanted insulin pumps within a 300-meter range. Jack used his friend, a diabetes sufferer, in the audience to demonstrate how he could then control the insulin dispersed remotely, or shut it down.

Read the rest here:

http://www.infosecurity-magazine.com/view/34151/the-insecure-pacemaker-fda-issues-guidance-for-wireless-medical-device-security/
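The three FDA suggestions quoted in the article above (authenticating who may command the device, protecting data in transit, and fail-safe behaviour together with recognizing, logging and acting on compromises) can be shown together in one small device-side handler. The Python below is an added example, not code from the FDA guidance, from InfoSecurity or from any device vendor. It assumes a symmetric key shared between controller and device, a constructed frame layout of counter, HMAC-SHA256 tag and JSON body, and a "set_rate" command with a hard ceiling MAX_RATE standing in for whatever critical parameter a real device controls.

```python
"""Authenticated, replay-protected command handling for a wireless device.

Added illustration of the FDA's three suggestions; not code from the FDA
guidance or from any device vendor. Assumptions: controller and device
share a symmetric key provisioned by the clinic (key distribution is out
of scope) and a "rate" setting stands in for whatever critical parameter
the device controls. Confidentiality is not shown; a real device would
additionally encrypt the body with an authenticated cipher.
"""
import hashlib
import hmac
import json
import struct

MAX_RATE = 10.0   # constructed hard ceiling the firmware never exceeds
COUNTER_LEN = 8   # constructed frame layout: counter | HMAC-SHA256 | JSON body
TAG_LEN = 32


def _tag(key, counter, body):
    """HMAC over counter||body, so neither can be altered or reused."""
    return hmac.new(key, struct.pack(">Q", counter) + body, hashlib.sha256).digest()


def build_frame(key, counter, command):
    """Controller side: serialize a command and sign it under a fresh counter."""
    body = json.dumps(command, sort_keys=True).encode()
    return struct.pack(">Q", counter) + _tag(key, counter, body) + body


class DeviceController:
    """Device side. Rejects forged, replayed and out-of-range commands, keeps
    the last good setting on any failure, logs every event, and locks the
    radio out after repeated failures so that a clinician must intervene."""

    def __init__(self, key, max_failures=3):
        self.key = key
        self.max_failures = max_failures
        self.last_counter = None  # highest counter accepted so far
        self.failures = 0         # consecutive failures since the last success
        self.locked = False
        self.rate = 1.0           # constructed: current known-good setting
        self.audit = []           # (event, detail) records for later review

    def _fail(self, reason, detail=""):
        self.failures += 1
        self.audit.append(("rejected", f"{reason} {detail}".strip()))
        if self.failures >= self.max_failures:
            self.locked = True    # fail-safe: hold state, stop taking radio commands
            self.audit.append(("lockout", f"after {self.failures} failures"))
        return "rejected"

    def handle(self, frame):
        if self.locked:
            self.audit.append(("ignored", "device locked"))
            return "locked"
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return self._fail("short_frame")
        counter = struct.unpack(">Q", frame[:COUNTER_LEN])[0]
        tag = frame[COUNTER_LEN:COUNTER_LEN + TAG_LEN]
        body = frame[COUNTER_LEN + TAG_LEN:]
        # Authenticate first: unauthenticated bytes never reach json.loads.
        if not hmac.compare_digest(tag, _tag(self.key, counter, body)):
            return self._fail("bad_mac")
        if self.last_counter is not None and counter <= self.last_counter:
            if counter == self.last_counter:
                # The latest authentic frame again: a radio retransmit, not an attack.
                self.audit.append(("duplicate", f"counter={counter}"))
                return "duplicate"
            return self._fail("replay", f"counter={counter}")
        try:
            cmd = json.loads(body)
        except ValueError:
            return self._fail("bad_body")
        if not isinstance(cmd, dict):
            return self._fail("bad_body")
        rate = cmd.get("rate")
        if (cmd.get("op") != "set_rate" or isinstance(rate, bool)
                or not isinstance(rate, (int, float)) or not 0.0 <= rate <= MAX_RATE):
            # Authentic but unsafe: the range check is the fail-safe for the
            # physical parameter, since a key-holding controller may be compromised.
            return self._fail("out_of_range", f"cmd={cmd}")
        # Everything checked: commit counter and setting, clear the failure streak.
        self.last_counter = counter
        self.failures = 0
        self.rate = float(rate)
        self.audit.append(("applied", f"counter={counter} rate={self.rate}"))
        return "applied"
```

The order of checks is the point: the tag is verified before the body is parsed, a repeat of the latest frame is treated as a retransmit rather than an attack, and every failure leaves the last known-good setting untouched. After max_failures consecutive failures the device stops taking radio commands and records the lockout, which is the "recognize, log and act upon" part of the guidance.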

Page 19, Volume 2, Number 8


Mutually Assured Cyber Destruction

By Jarno Limnell, InfoSecurity, August 13, 2013

The truth is that all nations – from the US and Europe to China and non-state actors – are actively building a cyber-presence and investing a significant amount of resources in doing so. The aim? Both strategic and financial advantages. Pinpointing China as the main offender is not only challenging, it’s completely unsubstantiated. Such claims cannot be made without concrete evidence, and formulating this evidence is almost impossible. Instead, these claims trigger political backlash and retaliation. Why is it impossible to form a concrete case for China being the main cyber-espionage offender?

Attribution of an action against another nation, state or entity with 100% confidence is immensely challenging because of the ‘nature’ of the cyberspace battleground. Due to the potential for anonymity and diversion inherent to networked structures, without anybody claiming responsibility for an action – either aloud or tacitly – it’s almost impossible to perfectly identify the origin. Actions may be routed and re-routed and network addresses translated. Plus, different actions result in diverse outcomes – some are likely to do more damage than others. Whether an actor should be named as the main offender depends not only on the amount of activity attributable to them, but also on the quality of the acts.

Pointing the finger squarely at China is also problematic due to wavering definitions over the term ‘offender’. It begs the question: Offender against whom? Western countries and businesses are not the only ones harassed in cyberspace. For example, China stated in April that the majority of actions against its interests in cyberspace originated from the US.

It is also unclear whether China’s actions against its own citizens should be taken into account. Although China receives a lot of bad press in this area, all countries seem to be gradually restricting their own citizens’ freedom to act or decide upon the use of their personal information in cyberspace.

Furthermore, different types of activity have been detected as originating from different regions. In Verizon’s 2013 Data Breach Investigations Report (http://www.infosecurity-magazine.com/view/32033/verizon-financial-malware-statesponsored-hacking-dominated-2012-data-breaches), China was named as the main actor operating in the field of cyber-espionage, yet the US and Eastern Europe dominated the field of financially motivated incidents. The truth is that there is no single enemy or main offender – and claims that one exists are misguided.

Read the rest here:

http://www.infosecurity-magazine.com/view/33962/mutually-assured-cyber-destruction

Go Ahead, Blame China

By David Stupples, InfoSecurity, Aug 13, 2013

The majority of cyber-attacks relating to espionage activity concern the theft of intellectual property and commercial intelligence material. So, one should ask which country has the most to gain from the theft of such material?

There are several candidates, given the possibilities for stolen IP to accelerate economic growth, provided an industrial base exists within the country. However, to successfully engage in cyber-espionage, a nation must also have access to skilled individuals with the ability to manipulate and exploit the internet and a systems infrastructure that can cloak this activity. China would appear to be the primary candidate.

Mandiant, a US-based security company, agrees with this view and has identified three important historical factors supporting the notion that the People’s Republic of China (PRC) conducts cyber-espionage:

- Traditional Chinese approaches to commerce have never emphasized a distinct divide between the public and private sectors, and there is no stigma attached to espionage in general, much less for economic purposes
- Over the past three decades, strengthening the country’s technological and industrial base at all costs and through all means has been a critical national security concern for the PRC to avoid both the humiliations China has suffered in the past at the hands of imperialist powers and to assume the role of a great power in the future
- The Communist Party of China (CPC) has banked its legitimacy almost completely on the promise of breakneck economic growth, having largely abandoned Marxism as a dead end and instead attempts to adapt the country to a modern market economy.

Read the rest here:

http://www.infosecurity-magazine.com/view/33963/go-ahead-blame-china

Page 20


Date    Time           Location
Sep 12  5:30 to 7:30   Bambino's Italian Eatery and Sports Bar, 2849 East Platte Avenue, Colorado Springs, (719) 630-8121
Oct 10  11:00 to 1:00  Bambino's
Nov 14  5:30 to 7:30   Bambino's
Dec 6   11:00 to 1:00  Carrabba’s North

Page 21, Volume 2, Number 8

Volunteers Needed

Deborah Johnson is soliciting volunteers for the next ISSA-COS conference committee. Please contact her if you have an interest in helping on this committee. The venue is being narrowed down, but there are other planning tasks that need to be handled as well, such as marketing and publicity, brochures, programs, sponsors, door prizes, etc. so if you would like to take on any of these roles, let her know.

If you are interested in helping please contact her ([email protected]).

Thank you in advance!

Training: The next Security+ training session will be September 7 at Colorado Technical University. See page 4 in this newsletter.


Article for the Newsletter? If you would like to submit an article...

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Can you interview one of the “movers and shakers”? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Chapter Officers:

Mark Spencer—Chapter President

Dr. George J. Proeller—President Emeritus

Tim Hoffman—Executive Vice President

David Willson—Vice President

Melody Wilson—Treasurer

Lora Woodworth—Recorder

Don Creamer—Communications Officer

Jeff Pettorino—Member at Large

Brian Kirouac—Member at Large

———————————-

Position Chairs:

Deborah Johnson—Coins

James Stephens—Director of Training

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Philips Hue Light Bulbs Are Highly Hackable

By Jamie Condliffe, Gizmodo, August 14, 2013

If you're the proud owner of some smart Philips Hue light bulbs, watch out for blackouts—because the bulbs seem to be susceptible to malicious attacks according to new research.

Work by Nitesh Dhanjani shows that Hue's control portal—referred to as "the bridge"—uses a pretty shaky authentication system to communicate wirelessly with devices like phones and tablets. In fact, it uses the MAC address of the bridge in its communication—which makes it a cinch to hack and, well, switch off.

Read the rest here:

http://gizmodo.com/how-philips-hue-light-bulbs-are-highly-hackable-1133092324
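The weakness described above is that a value the bridge broadcasts, its MAC address, is used where a secret belongs, so anyone in radio range can reproduce it. The Python below is an added example of the hardened alternative; it is not Philips code and does not describe the Hue protocol beyond what the article states. It assumes a bridge that enrolls new apps only for a short window after a physical button press, gives each app its own random 128-bit token, and keeps a whitelist of issued tokens (PAIRING_WINDOW_S, press_link_button and the injectable clock are constructed names).

```python
"""Bridge-side app authorization with unguessable tokens.

Added example of the hardened alternative; not Philips code. Assumptions:
new apps can enroll only during a short window opened by a physical button
on the bridge, every app gets its own random token, and the bridge keeps a
whitelist of the tokens it issued. The clock is injectable for testing.
"""
import hmac
import secrets
import time

PAIRING_WINDOW_S = 30.0  # constructed: seconds a button press keeps enrollment open


class Bridge:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.link_open_until = 0.0
        self.whitelist = {}      # token -> app name
        self.failed_lookups = 0  # worth alerting on: guessing is the only attack left

    def press_link_button(self):
        """Physical presence at the bridge is the only way to open enrollment."""
        self.link_open_until = self.clock() + PAIRING_WINDOW_S

    def register(self, app_name):
        """Issue a fresh 128-bit random token, or None outside the window.
        Nothing about the bridge (MAC, serial, model) feeds into the token."""
        if self.clock() > self.link_open_until:
            return None
        token = secrets.token_hex(16)
        self.whitelist[token] = app_name
        return token

    def authorize(self, token):
        """Return the app name for a whitelisted token, else None. Each
        comparison is constant-time so timing does not leak token bytes."""
        if not isinstance(token, str) or not token.isascii():
            self.failed_lookups += 1
            return None
        for known, app in self.whitelist.items():
            if hmac.compare_digest(known, token):
                return app
        self.failed_lookups += 1
        return None

    def revoke(self, token):
        """Drop a single app's access without affecting the others."""
        return self.whitelist.pop(token, None) is not None
```

Because each app holds its own token, one lost phone can be revoked without re-pairing the rest, and because enrollment needs the button, a device on the same network cannot add itself; the failed_lookups counter is what a bridge would surface as a tamper indicator.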