Your daily source of Pwnage, Policy and Politics.

Episode 458 – 20 Controls Updated, China, Cell Phone Privacy, PHP Problems & Be the Ostrich

InfoSec Daily Podcast Episode 458 for August 24, 2011.  Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Karthik Rangarajan, and Varun Sharma.

Announcements:

#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html

@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/

Toorcon 13
When: October 7-9, 2011
Where: San Diego Convention Center
http://sandiego.toorcon.org/
Call for papers now open!

SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504

Hack3rCon 2011
When: October 21-23rd, 2011
Where: the Charleston House Hotel and Conference Center
http://www.hack3rcon.org/

2011 Fall Information Security Conference
When:  November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org

Stories:

Source: http://devcentral.f5.com/weblogs/psilva/archive/2011/08/23/sans-20-critical-security-controls.aspx

A couple of days ago, The SANS Institute announced the release of a major update (Version 3.0) to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks.  The information security threat landscape is always changing, especially this year with the well-publicized breaches.  The particular controls have been tested and provide an effective solution for defending against cyber-attacks.  The focus is on critical technical areas that can help an organization prioritize efforts to protect against the most common and dangerous attacks.  Automating security controls is another key area, to help gauge and improve the security posture of an organization.

The update takes into account the information gleaned from law enforcement agencies, forensics experts and penetration testers who have analyzed the various methods of attack.  SANS outlines the controls that would have prevented those attacks from being successful.  Version 3.0 was developed to take the control framework to the next level.  They have realigned the 20 controls and the associated sub-controls based on the current technology and threat environment, including the new threat vectors.  Sub-controls have been added to assist with rapid detection and prevention of attacks.  The 20 Controls have been aligned to the NSA’s Associated Manageable Network Plan Revision 2.0 Milestones.  They have added definitions, guidelines and proposed scoring criteria to evaluate tools for their ability to satisfy the requirements of each of the 20 Controls.  Lastly, they have mapped the findings of the Australian Government Department of Defence, which produced the Top 35 Key Mitigation Strategies, to the 20 Controls, providing measures to help reduce the impact of attacks.

The 20 Critical Security Controls are:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on the Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention
  16. Secure Network Engineering
  17. Penetration Tests and Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Appropriate Training to Fill Gaps (CISSP :D )

And of course, F5 has solutions that can help with most, if not all, of the 20 Critical Controls.

Source: http://www.f-secure.com/weblog/archives/00002221.html

China is often blamed for launching online attacks, but the evidence is almost always circumstantial. Many of the targeted espionage trojans seem to come from China, but we can't actually prove it.

However, some new evidence has just surfaced.

On 17th of July, a military documentary program titled "Military Technology: Internet Storm is Coming" was published on the Government-run TV channel CCTV 7, Military and Agriculture (at military.cntv.cn).

The program seems to be a fairly standard 20-minute TV documentary about the potential and risks of cyber warfare. However, while they are speaking about theory, they actually show camera footage of Chinese government systems launching attacks against a U.S. target. This is highly unusual. The most likely explanation is that this footage ended up in the final cut because the editor did not understand the significance of it.


Here's the critical snippet from the program:

GIF OF ACTUAL ATTACK
http://www.f-secure.com/weblog/archives/china_slipup.gif


Rough translations of the texts shown in the dialog:

 People's Liberation Army Information Engineering University

 Select Attack Destinations

 Target IP

 List of Falun Gong sites

 Falun Dafa in North America
 Falun Dafa website
 Meng Hui website
 Witnesses of Falun Gong website 1
 Witnesses of Falun Gong website 2

 ATTACK   CANCEL

The targets listed in the tool are related to Falun Gong or Falun Dafa — a religious organization that is banned in China. In particular, the attack is launched against an IP address, 138.26.72.17, which belongs to a U.S. University. What kind of attack is launched remains unclear. But already the existence of such software with such targets is breaking news.