Friday, September 2, 2011

Internet Security Alliance Daily Brief (9/02/2011)

Internet Security Alliance Daily Brief
** Your source for current and relevant cyber security issues **

For Your Immediate Attention
Board Teleconference Notes
Sponsors, the notes from the August 2nd Board teleconference have been circulated for review and comment.

The DARPA Information Innovation Office is Seeking Private Sector Recommendations
The Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) is requesting information on innovative technologies and approaches to secure the Nation’s infrastructure and to ensure the survival of the Department of Defense’s cyber capabilities in case of attack.

Specifically, answers are sought to the following questions:
1. At present, attackers in cyberspace seem to have the initiative and hence the advantage. What specific technologies should DARPA develop to address the imbalance?
2. Attacks on embedded computing systems have received much attention. What specific technologies should DARPA develop to secure embedded computing systems?
3. If DARPA could only invest in one cyber-security research area, what should that be and why?

Based on the responses to this announcement, DARPA will invite individuals from the technical community to participate in the DARPA Colloquium on Future Directions in Cyber Security, to take place on November 7, 2011, in Arlington, Virginia. For more information, contact Josh Magri at jmagri@isalliance.org.

ISA in the News
August 22, C-SPAN – In this edition of the "The Communicators," cybersecurity experts Larry Clinton, President and CEO of the Internet Security Alliance, and Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, discuss the Obama Administration's proposals for reducing cyber threats against the U.S.
Source: http://www.youtube.com/watch?v=7u4YUpsGteQ
Trade group: Obama's cybersecurity plan won't protect networks. August 16, The HILL.com – The White House's cybersecurity plan is too focused on punishing companies that suffer attacks and does little to improve cybersecurity, said the head of an industry association representing firms that would be covered by the plan. Internet Security Alliance president and CEO Larry Clinton argued the White House's cybersecurity legislative proposal unveiled in May takes an antiquated approach to cybersecurity that fails to recognize how threats have evolved over the past several years.
Source: http://thehill.com/blogs/hillicon-valley/technology/177071-trade-group-blasts-white-house-cybersecurity-plan
In Today's News
Hackers break into Linux source code site. August 31, IDG News Service – IDG News Service reported hackers broke into the Kernel.org Web site that is home to the Linux project in August. They gained root access to a server known as Hera and ultimately compromised “a number of servers in the kernel.org infrastructure,” according to a note on the Kernel site August 31. Site administrators learned of the problem August 29 and soon discovered many bad things were happening on servers. Files were modified, a malicious program was added to the server’s start-up scripts, and some user data was logged. Kernel.org’s owners contacted law enforcement in the United States and Europe, and are in the process of reinstalling the site’s infrastructure and figuring out what happened. They think the hackers may have stolen a user’s log-in credentials to break into the system, and the site is making each of its 448 users change their passwords and secure shell keys. The hack is problematic because Kernel.org is the place where Linux distributors download the source code for the widely used operating system’s kernel. However, Kernel.org’s note said that, even with root access, it would be difficult for a hacker to slip malicious source code into the Linux kernel without it being noticed, because Linux’s change-tracking system takes a cryptographic hash of each file at the time it is published.
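The kernel.org note above rests on one mechanism: the change-tracking system records a cryptographic hash of every file when it is published, so a file altered afterwards no longer matches its recorded hash. The following added example (not code from kernel.org or the Linux project) shows that mechanism in miniature: it computes git-style blob hashes (SHA-1 over a "blob <length>\0" header plus the content), records them as a trusted manifest, and then reports which files in a tree were modified, added or removed. The file names and contents in the demo are constructed.

```python
import hashlib
import os
import tempfile


def git_blob_hash(data: bytes) -> str:
    """Return the SHA-1 git assigns to a blob: sha1(b"blob <len>\\0" + data)."""
    header = f"blob {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map each file path (relative to root) to its git blob hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = git_blob_hash(fh.read())
    return manifest


def verify_tree(root: str, expected: dict) -> dict:
    """Compare the tree on disk against a trusted manifest recorded at publication."""
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(p for p in current if p not in expected),
        "missing": sorted(p for p in expected if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: publish a tree, record hashes, then tamper with it.

    The tampering mirrors the incident description: a source file is changed and
    a new start-up script appears. Both show up in the verification report.
    """
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "init.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "Makefile"), "w") as fh:
            fh.write("all:\n\tcc init.c\n")
        trusted = hash_tree(root)  # manifest recorded at publication time

        # Tamper after publication: modify a source file, add a start-up script.
        with open(os.path.join(root, "init.c"), "a") as fh:
            fh.write("/* inserted after publication */\n")
        with open(os.path.join(root, "rc.local"), "w") as fh:
            fh.write("#!/bin/sh\n")

        return verify_tree(root, trusted)


if __name__ == "__main__":
    print(demo())
```

The hash of the empty blob and of "hello\n" match what `git hash-object` produces, so a manifest built this way can be checked against a real repository's object ids. The caveat the note itself implies: the manifest is only as trustworthy as the copy kept off the compromised host, which is why the comparison should run against hashes held somewhere the attacker's root access does not reach.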
Hackers may have stolen over 200 SSL certificates. August 31, Computerworld – Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo, and the Tor project, a security researcher reported August 31. The count is considerably higher than DigiNotar first acknowledged. Earlier the week of August 29, a company spokesman said “several dozen” certificates had been acquired by the attackers. “About 200 certificates were generated by the attackers,” said the principal security consultant and founder of Madison Gurka, a Dutch security company, citing a source he said wished to remain confidential. Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, the consultant’s source said, were ones valid for mozilla.com, yahoo.com, and torproject.org. Mozilla confirmed a certificate for its add-on site had been obtained by the DigiNotar attackers. The consultant’s number is similar to the tally of certificates that Google has blacklisted in Chrome. An entry in the Chromium bug-tracking database lists 247 certificates that the project blacklisted August 30.
Mac OS X can’t properly revoke dodgy digital certificates. August 31, IDG News Service – A programming glitch in Apple’s OS X operating system has made it difficult for Mac users to tell their computers not to trust digital certificates, exacerbating an ongoing security problem with a Dutch certificate authority that was recently hacked. Mac users began reporting problems August 30 when they tried to revoke digital certificates issued by DigiNotar, a Dutch company whose servers were compromised in July and used to issue fraudulent digital certificates. Mac users revoked the certificates on their computers, but still saw some sites that used those certificates being marked as trustworthy.
Opera 11.51 closes security holes. August 31, H Security – Opera released version 11.51 of its Web browser, a maintenance and security update that addresses a high-risk vulnerability. According to the developers, Opera 11.51 closes a hole that could have been exploited by an attacker to bypass certain security features. The issue is caused by an error when loading content that causes the browser to display the security information of a trusted site instead of the actual untrusted site. The update also adds support for the full-screen app mode in Mac OS X 10.7 Lion, and addresses a number of bugs on all supported platforms. The developers said the update also fixes a “low severity issue”; however, details of the vulnerability were not disclosed.
Hackers push Sipvicious VoIP tools in malicious attacks. August 31, threatpost – Researchers at NSS Labs claim they have spotted attacks that use Sipvicious, a common auditing tool for Voice over IP (VoIP) networks, as part of malicious attacks aimed at taking control of vulnerable VoIP servers. The attacks are apparently aimed at taking control of VoIP servers to place unauthorized calls. A description of the attacks, posted on the NSS blog August 31, said researchers at NSS witnessed the sipvicious tool installed by a trojan downloader program on systems, most of which had first been compromised in drive-by Web site attacks. The attacks use a known trojan, jqs(dot)exe, and connect to command and control servers to receive instructions and to download the sipvicious tool from a .cc domain. After installation, sipvicious is run to scan for Session Initiation Protocol devices on the compromised computer’s network and then to launch brute force attacks to guess the administrative password on those systems.
Source: http://threatpost.com/en_us/blogs/hackers-pushing-sipvicious-voip-tools-malicious-attacks-083111
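The two observable stages in the item above, a scan for SIP devices followed by password guessing against them, both leave traces on the SIP server. The following added example (not code from NSS Labs or the threatpost article) is a small detector that reads SIP registration logs and flags a source that either advertises the User-Agent string SipVicious sends by default ("friendly-scanner") or racks up many failed REGISTER attempts across many different usernames inside a short window, which is the shape of a brute-force run. The log format and the sample lines are constructed for this example; real PBX logs would need their own parser, but the windowing logic is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real PBX's): ISO timestamp, SIP method, key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields


def detect(lines, window=timedelta(minutes=5), fail_threshold=10, user_threshold=5):
    """Return (alert_type, source_ip) tuples for scanner traffic and REGISTER brute force.

    scanner_ua:          an OPTIONS request carrying the SipVicious default User-Agent.
    register_bruteforce: at least fail_threshold failed REGISTERs against at least
                         user_threshold distinct users from one source within `window`.
    """
    alerts = []
    failures = defaultdict(list)  # source ip -> [(timestamp, username)]
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        src = rec.get("src")
        if rec["event"] == "OPTIONS" and rec.get("ua", "").lower() == "friendly-scanner":
            alerts.append(("scanner_ua", src))
        if rec["event"] == "REGISTER" and rec.get("result") == "FAILED":
            failures[src].append((rec["ts"], rec.get("user")))

    # Sliding window over each source's failures, ordered by time.
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= fail_threshold and len(users) >= user_threshold:
                alerts.append(("register_bruteforce", src))
                break  # one alert per source is enough
    return alerts


# Constructed sample: one scanner probe, one user mistyping a password, and a
# twelve-extension guessing run from the same address as the probe.
SAMPLE_LOG = [
    "2011-08-31T10:00:00 OPTIONS src=203.0.113.5 ua=friendly-scanner",
    "2011-08-31T10:03:00 REGISTER src=192.0.2.10 user=alice result=FAILED",
    "2011-08-31T10:03:10 REGISTER src=192.0.2.10 user=alice result=OK",
] + [
    f"2011-08-31T10:01:{i:02d} REGISTER src=203.0.113.5 user={1000 + i} result=FAILED"
    for i in range(12)
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The distinct-user threshold is what separates a guessing run from one person locking themselves out: a single account failing repeatedly is an account problem, many accounts failing from one address in seconds is enumeration. Tune `fail_threshold` and `window` to the normal registration churn of the PBX before alerting on them.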
Upcoming Events

September 2 at 1:00pm: IT-Sector Coordinating Council – Risk Assessment Committee Working Group (Joint) Meeting
September 6 at 5:00pm: IT-Sector Coordinating Council Executive Committee Conference Call
September 12 at 5:00pm: Partnership for Critical Infrastructure Security Conference Call
September 13 at 3:00pm: IT-Sector Coordinating Council International Committee
September 26 & 27: ACI Cyber and Data Risk Insurance
Larry Clinton will discuss the latest federal regulatory developments and enforcement actions and their impact on insurance coverage and litigation.

October 6: DHS Critical Infrastructure Partnership Advisory Council Plenary
In Case You Missed It
ISA to Appear on C-SPAN
C-SPAN, the official but independently operated network of the US Congress, is doing a special program covering the Administration's Cyber Security Legislative proposal. They have asked the Internet Security Alliance to provide the private sector perspective. Marc Rotenberg from the Electronic Privacy Information Center will be interviewed to represent individual privacy perspectives on the proposal. ISA’s comments during the interview were based on the ISA testimony before the House Homeland Security Committee in June and Larry Clinton’s appearance before the Congressional Cyber Security Task Force set up by Speaker Boehner in July.

The 30-minute C-SPAN program aired three times: Saturday, August 20 at 6:30 PM EDT on C-SPAN; Monday, August 22 at 8 AM; and again at 8 PM on C-SPAN II.
NIST Seeks Comment on the National Initiative for Cybersecurity Education Draft Strategic Plan
The National Institute of Standards and Technology (NIST) is pleased to announce that the Draft National Initiative for Cybersecurity Education (NICE) Strategic Plan is available for comment. The plan, “Building a Digital Nation,” outlines NICE’s mission, vision, goals and objectives. NIST and its interagency NICE partners seek comments from all interested citizens and organizations concerned with cybersecurity awareness, training and education.

Comments on this draft should be entered into the Comment-Template_Draft-NICE.xls and e-mailed to nicestratplan@nist.gov. Comments on the NICE draft strategic plan are due by September 12. NIST’s federal partners that contributed to the plan include the Department of Homeland Security, the Department of Defense, the Department of Education, the National Science Foundation, the Office of Personnel Management, and the National Security Agency.

NIST coordinates the interagency NICE program, which is a national campaign focused on enhancing cybersecurity in the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills and knowledge of every segment of the population. The program aims to improve secure use and access to digital information in a way that advances America’s economic prosperity and national security.

http://csrc.nist.gov/nice/documents/nicestratplan/NICE-Strategic-Plan-Announcement.pdf

Draft Guideline for Securing Electronics Supply Chain Available for Comment
ISA is circulating to its members the product of its multi-year effort to outline cost-effective measures for securing the electronics supply chain. The paper is a 50-page set of instructions intended to be both a guidebook for managing the supply chain and a reference document for drafting contracts between producers and suppliers of electronic products in a way that hopefully secures greater benefits from globalization. The guidelines are affirmatively shaped by technical as well as economic considerations, and are written to be accessible to both technical and non-technical personnel. More than 60 government and industry players collaborated in the development of the guidelines in a series of technical and legal workshops under the direction of Scott Borg of the US-CCU. Member comments can be provided to Josh Magri at jmagri@isalliance.org.

DPA Survey Request for Comments
ISA has developed a set of bullet points that speak to the fact that an effort is underway to compel potentially thousands of companies to provide proprietary data under the Defense Production Act (DPA) under the threat of fines and criminal prosecution. While use of the DPA has ample precedent, the current use seems to go well beyond its intended purposes with targets well beyond the traditional DIB companies. We are told as many as 5000 companies from a variety of industry sectors may receive these compulsory surveys.

US House Homeland Security Committee Hearing
ISA President Larry Clinton has been asked to testify before the Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The hearing is entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." The webcast can be viewed live through the following link: http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity

Summer 2011, Journal of Strategic Security
"A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense," authored by Larry Clinton, was published in a recent issue. To view it, click here and then select the PDF file next to the article's title.

May 2011, Cutter IT Journal
ISA President Larry Clinton authored the article "A Theory to Guide US Cyber Security Policy." To view the article, click here, download the issue and go to page 30.

Spring 2012, Conflict and Cooperation in the Commons
Larry Clinton has authored the chapter "Cyber Security Social Contract".  This book is forthcoming from Georgetown University Press.