
The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, Section 107, Paragraph a.

The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

ISSA-COS NEWSLETTER
JANUARY 2014, VOLUME 3, NUMBER 1
WWW.ISSA-COS.ORG

INSIDE THIS ISSUE:

Man fined $183k after joining Anonymous DDoS of Koch Industries for one minute (page 2)
Scientist-developed malware prototype covertly jumps air gaps using inaudible sound (page 4)
Snowden’s Leaks Have Finally Forced Companies to Enhance Their Security (page 4)
Credit card fraud comes of age with advances in point-of-sale botnets (page 5)
Quality Assurance Practices for Computer Forensics: Part 1 (page 6)
Quality Assurance Practices for Computer Forensics: Part 2 (page 7)
Top mobile security concerns: Blacklisted apps and password protection (page 8)
The evolution of text messaging and its impact on mobile e-discovery (page 9)
DOS Attacks and Free DOS Attacking Tools (page 10)
ROTC cadets, recent graduates offered release from service com- (page 10)
What Would Nostradamus Have Said About Cyber Security in 2014? (page 11)
Weak Security In Most Mobile Banking Apps (page 11)
Cyber weapons: this century's nukes? (page 12)
Bitcoin’s Rise Constrained by Heists and Lost Fortunes (page 13)
Comment: Cyber Warfare – The Modern Cold War (page 14)
Help Bring Privacy Laws Into The 21st Century (page 15)
News Ripped From the Headlines (page 16)
What It's Like to Be a Tech Geek in Prison (page 17)
IT Planning and Risk in 2014 (page 18)
You Should Never, Ever Leave Your Webcam Uncovered When You Aren't Using It (page 18)

Focus on

By Dr. Patrick Laverty, Colorado Springs ISSA President

Fellow Chapter Members, as we begin 2014 the state of your ISSA chapter is strong, and your Chapter Board is committed to supporting you and helping to take this chapter to an even higher level. At the first board meeting for the newly elected leadership we agreed that our focus must be centered on providing training and education opportunities to our members and providing professional networking opportunities. While these have been the focus of past boards, and they have done exceptional work in these areas, we want to explore new ideas and opportunities to see if we can’t do an even better job of meeting your needs in these areas and others.

Training & Education

In Training and Education, we intend to continue with the spring 1-day conference in March, but instead of the chapter planning the conference we will be using Federal Business Council (FBC), which is already our partner for the 2-day Cyber Security Training Forum that we host each August. What does this mean for us? We have brokered a deal with them where members will be able to attend the conference for free, we will have the March chapter meeting at lunch and ISSA members will get a free lunch, and FBC will pay our chapter $1000. In exchange, our chapter will advertise the conference through free channels such as radio and word of mouth, FBC will send us potential speakers, we will select them, and we will ensure strong attendance by encouraging our membership to come out in full force. This is a great opportunity for us to forge a strong relationship with FBC, but the real success of it will be determined by the number of attendees we help generate. More details to come over the next month, and your board would greatly appreciate your support of this event.

Our Training and Education team will continue to provide training events such as Security+ reviews, CISSP reviews, and a host of other potential training we are considering. The continued strength of these programs rests on the shoulders of chapter members who support the classes either by attending, helping to teach a particular subject, or supporting in some other way. Jim Stephens has done a tremendous job leading our Training and Education team, so if you have ideas or wish to help please contact Jim at [email protected]. He would appreciate hearing from you.

Job Opportunities

In the life of a Security Engineer there will be times when you are probably looking for other job opportunities, and the chapter wants to be there to help you. We have done a good job sharing potential opportunities with our chapter members, but we want to do more. We will be building a strong committee whose primary intent will be to help chapter members through a professional network, and we need members who are willing to participate in this process by helping to design what that committee will look like and develop processes to help fellow members. I envision this committee will also work closely with the board on our outreach programs as we educate the community on our capabilities, which will allow us to make professional contacts throughout the city. If you are interested in serving on this committee please contact me at [email protected].

Website

Many of you have gone to our chapter website and probably been a bit discouraged because it needs some work. I know some of

(Continued on page 4)


PAGE 2
ISSA-COS NEWS

Man fined $183k after joining Anonymous DDoS of Koch Industries for one minute

By Lisa Vaas, Naked Security, December 11, 2013

“Was the fine excessive? I can imagine that most hackers might find it so.”

A 38-year-old man from the US state of Wisconsin has been sentenced to two years of federal probation and will pay a $183,000 fine for taking part in a distributed denial of service (DDoS) attack organized under the Anonymous hacktivist brand.

Eric J. Rosol, of Black Creek, Wisconsin, pleaded guilty to one misdemeanor count of accessing a protected computer, the Department of Justice said in a statement (http://www.justice.gov/usao/ks/PressReleases/2013/Dec2013/Dec2a.html).

US Attorney Barry Grissom said on 2 December that Rosol admitted to downloading a program called Low Orbit Ion Cannon (LOIC) - a tool that Anonymous has encouraged people to download so as to flood a targeted website with enough traffic to knock it senseless.

The target in this particular operation was Kochind.com, a web page of Koch Industries, which wound up going offline for 15 minutes because of the attack.

Koch Industries is an enormous, multinational corporation based in Wichita, Kansas, that has its fingers in all sorts of pies: manufacturing, refining and distribution of petroleum, chemicals, energy, fiber, intermediates and polymers, minerals, fertilizers, pulp and paper, chemical technology equipment, ranching, finance, and commodities trading.

For their part, the billionaire brothers Charles and David Koch - principals in Koch Industries - are the US's sugar daddies when it comes to certain political causes.

The brothers have dispensed tens of millions of dollars to groups whose mission it is to end reproductive rights, and they were a key funding source for those who attempted to kill collective bargaining rights for public sector unions in Wisconsin in 2011.

It was the union-busting that got Anonymous to fire up the anti-Koch operation.

On 27 February 2011, Anonymous asked its followers to use the LOIC to attack a Koch Industries site, quiltednorthern.com.

The next day, Anonymous asked its followers to attack Kochind.com with the LOIC.

According to IT World, Rosol and the government agreed that the losses directly resulting from the 28 February attack on Kochind.com amounted to less than $5,000.

Koch Industries, however, argued that it had hired a consulting group to protect its websites at a cost of approximately $183,000, and therein lies the price explosion for 15 minutes of downtime.

Rosol could have been facing a maximum penalty of five years in federal prison and a fine up to $250,000 on each of the two original charges: one count of conspiracy to damage a protected computer and one count of damaging a protected computer.

While he's off the hook for prison time and will instead only be on probation for two years, Rosol's fine is being added to a growing list of what's considered by many to be extraordinarily harsh penalties for computer crimes.

The most recent was the conviction of Jeremy Hammond, a US hacker and political activist who was sentenced in November 2013 to 10 years in US Federal Prison for the theft of 60,000 credit card numbers and the personal information of 860,000 customers of Stratfor through the whistle-blowing website Wikileaks.

Some efforts have been made to curb the charges used in such crimes, including Representative Zoe Lofgren's proposal of the so-called "Aaron's Law".

Aaron's Law was proposed as a means of changing the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute - laws that formed the basis of 13 felony counts of hacking and wire fraud brought against internet activist Aaron Swartz, who apparently took his own life in the midst of federal prosecution.

Read the rest here:

http://nakedsecurity.sophos.com/2013/12/11/man-fined-183k-after-joining-anonymous-ddos-of-koch-industries-for-1-minute/


PAGE 3
VOLUME 3 NUMBER 1

Scientist-developed malware prototype covertly jumps air gaps using inaudible sound

By Dan Goodin, arstechnica, December 2, 2013

Malware communicates at a distance of 65 feet using built-in mics and speakers

Computer scientists have proposed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adopt the same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an "air gap" between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.

The researchers, from Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics, recently disclosed their findings in a paper published in the Journal of Communications. It came a few weeks after a security researcher said his computers were infected with a mysterious piece of malware that used high-frequency transmissions to jump air gaps. The new research neither confirms nor disproves Dragos Ruiu's claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today's malware.

"In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network," one of the authors, Michael Hanspach, wrote in an e-mail. "Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network."

The researchers developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The most effective technique relied on software originally developed to acoustically transmit data under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data between laptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances.

The ACS modem provided better reliability than other techniques that were also able to use only the laptops' speakers and microphones to communicate. Still, it came with one significant drawback—a transmission rate of about 20 bits per second, a tiny fraction of standard network connections. The paltry bandwidth forecloses the ability of transmitting video or any other kinds of data with large file sizes. The researchers said attackers could overcome that shortcoming by equipping the trojan with functions that transmit only certain types of data, such as login credentials captured from a keylogger or a memory dumper.

"This small bandwidth might actually be enough to transfer critical information (such as keystrokes)," Hanspach wrote. "You don't even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction."

Remember Flame?

The hurdles of implementing covert acoustical networking are high enough that few malware developers are likely to add it to their offerings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and other state-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits.

The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio input and output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is to employ audio filtering that blocks high-frequency ranges used to covertly transmit data. Devices running Linux can do this by using the Advanced Linux Sound Architecture in combination with the Linux Audio Developer's Simple Plugin API. Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would "forward audio input and output signals to their destination and simultaneously store them inside the guard's internal state, where they are subject to further analyses."

Read an update and the rest here:

http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/
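The "audio intrusion detection guard" the paper proposes can be approximated in software by watching the near-ultrasonic band for energy that ordinary speech or music does not carry. The Python below is an added example, not code from the article or the Fraunhofer paper; the 48 kHz capture rate, the 18 to 20 kHz watch band, the -30 dB alert threshold and the test tones are assumptions and constructed inputs.

```python
import math

SAMPLE_RATE = 48000           # Hz; assumed capture rate of the monitoring guard
FRAME = 2400                  # samples per analysis frame (50 ms at 48 kHz)
COVERT_BAND = (18000, 20000)  # Hz; assumed near-ultrasonic band to watch (not from the article)
ALERT_DB = -30.0              # alert when the band holds more than 0.1% of the frame's power


def goertzel_power(samples, k):
    """|X[k]|^2 for DFT bin k of `samples`, computed with the Goertzel recurrence."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def covert_band_db(samples, band=COVERT_BAND, sample_rate=SAMPLE_RATE):
    """Power inside `band` relative to the whole frame, in dB.

    Every DFT bin inside the band is evaluated, so a narrow carrier anywhere
    in the band is counted. Total power comes from Parseval's relation: the
    positive-frequency bins of a real signal hold N * sum(x^2) / 2.
    """
    n = len(samples)
    total = n * sum(x * x for x in samples) / 2.0
    if total <= 0.0:
        return -200.0  # silent frame: nothing to measure
    k_lo = math.ceil(band[0] * n / sample_rate)
    k_hi = math.floor(band[1] * n / sample_rate)
    band_power = sum(goertzel_power(samples, k) for k in range(k_lo, k_hi + 1))
    return 10.0 * math.log10(max(band_power, 1e-30) / total)


def is_suspicious(samples, threshold_db=ALERT_DB):
    """True when a frame carries more near-ultrasonic energy than normal audio should."""
    return covert_band_db(samples) > threshold_db


def synth(tones, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed test frame: a sum of sine tones given as (frequency_hz, amplitude)."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


if __name__ == "__main__":
    # Constructed frames: ordinary audible audio, and the same audio with a quiet
    # 19 kHz carrier riding on top (the inaudible channel the article describes).
    clean = synth([(1000.0, 1.0)])
    covert = synth([(1000.0, 1.0), (19000.0, 0.2)])
    for name, frame in (("clean", clean), ("covert", covert)):
        print(f"{name:6s} band={covert_band_db(frame):7.1f} dB suspicious={is_suspicious(frame)}")
```

A guard built this way sits on the audio path the paper describes and raises an alert per frame; it does not need to demodulate the covert signal, only to notice that the band is in use.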


ISSA-COS NEWS
PAGE 4

Snowden’s Leaks Have Finally Forced Companies to Enhance Their Security

By Christopher Soghoian, MIT Technology Review, December 17, 2013

Last week, Google, Microsoft, and five other leading Web companies formally requested that the U.S. government rein in its use of dragnet surveillance. These companies don’t have to wait for the government to act, though. Encryption technology can protect the privacy of innocent users from indiscriminate surveillance, but only if tech companies deploy it. In the wake of the Snowden disclosures, they are starting to do so. It shouldn’t have taken them this long.

In October of 2010, security researcher Eric Butler released an easy-to-use tool designed to hack into the webmail accounts of people using public Wi-Fi networks. Butler’s Firesheep wasn’t the first technology to make Wi-Fi sniffing possible, but it made it easy to intercept e-mails and documents, and even to capture authentication cookies that could be used at a later time to log in to a victim’s account.

Firesheep exploited the fact that most webmail and social networking sites at the time did not use HTTPS encryption to protect their customers’ information, or provided such encryption only to users who enabled an obscure configuration option most people were unaware of.

Google embraced encryption by default for its Gmail service a few months before Firesheep was released. Other major Web companies ignored calls from Pamela Jones Harbour, a commissioner with the Federal Trade Commission, for them to follow suit. One year later (soon after Firesheep was written about in the New York Times), Senator Chuck Schumer wrote a letter to Yahoo, Amazon, and Twitter urging them to enable HTTPS by default.

Twitter, Facebook, and Microsoft’s e-mail service eventually did switch to HTTPS encryption by default. However, Yahoo continued to expose its customers’ private information not only to hackers using tools like Firesheep, but also to governments around the world that are capable of intercepting the communications of their own citizens. In January of this year the company finally announced an opt-in encryption setting, which few users were likely to use.

Read the rest here:

http://www.technologyreview.com/view/522756/snowdens-leaks-have-finally-forced-companies-to-enhance-their-security/
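Why a Firesheep-style sniffer got the authentication cookie comes down to one browser rule: a cookie set without the Secure attribute is attached to any http:// request for the same host, so it crosses the open Wi-Fi in cleartext, while a Secure cookie is withheld from cleartext requests. The Python below, an added example rather than anything from the article, implements the relevant part of the browser's cookie-matching rules (RFC 6265); the hostname mail.example.com and the cookie values are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host the cookie is scoped to
    host_only: bool    # True when the server gave no Domain attribute
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header value (RFC 6265 subset) into a Cookie.

    `request_host` is the host that sent the header; it becomes the scope
    when the server gives no Domain attribute.
    """
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), True, "/", False, False)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def _domain_matches(cookie, host):
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def _path_matches(cookie_path, request_path):
    # RFC 6265 section 5.1.4 path-match
    return (request_path == cookie_path
            or (request_path.startswith(cookie_path)
                and (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")))


def cookies_for_request(jar, url):
    """Cookies a browser attaches to `url`, as name -> value.

    A cookie lacking Secure is sent over plain http:// as well, which is
    exactly the cleartext copy a Wi-Fi sniffer needs to replay the session.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = {}
    for c in jar:
        if c.secure and parts.scheme != "https":
            continue  # Secure cookies never travel over cleartext HTTP
        if _domain_matches(c, host) and _path_matches(c.path, path):
            sent[c.name] = c.value
    return sent


def audit_session_cookie(header, request_host):
    """List the attributes whose absence exposes a session cookie."""
    c = parse_set_cookie(header, request_host)
    findings = []
    if not c.secure:
        findings.append("missing Secure: cookie is sent over http:// and can be sniffed")
    if not c.http_only:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return findings


if __name__ == "__main__":
    host = "mail.example.com"  # constructed webmail host
    for hdr in ("session=abc123; Path=/; HttpOnly",
                "session=abc123; Path=/; Secure; HttpOnly"):
        jar = [parse_set_cookie(hdr, host)]
        print(hdr)
        print("  sent over http :", cookies_for_request(jar, "http://mail.example.com/inbox"))
        print("  sent over https:", cookies_for_request(jar, "https://mail.example.com/inbox"))
        print("  audit          :", audit_session_cookie(hdr, host) or "ok")
```

Serving the login page over HTTPS is not enough on its own: the first cookie above still leaks the moment the user follows any http:// link to the same site, which is why HTTPS by default and the Secure attribute go together.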

Focus on (Continued from page 1)

you are web developers or at least have some experience in this area, so if you are willing to help your chapter in this endeavor please contact Brian Kirouac at [email protected]. This effort will not require a lot of time because we envision 4-5 people sharing the responsibility, but a well-designed functioning website is critical to our success as a chapter, so I would really appreciate it if some of you would step up to this challenge.

Membership

At our December luncheon our Past President Mark Spencer spoke of the challenge of keeping membership numbers up. The board has decided that it is time for a membership drive to try and get our numbers up. There are many benefits that come from having a larger chapter, and one of those is that it is easier to speak with sponsors and stress the increasing numbers of our chapter when asking them to support a chapter event. I’ve seen this first-hand as I’ve been reaching out to potential sponsors the past few weeks. When our chapter shows a record of coming out in large numbers for events it will be much easier to garner support from external organizations, and the result will be an immense boost to our chapter. The board will be meeting with our Membership Chair Dave Reed in the next week and we will start discussing what a membership drive should look like, how long it should be, how we should advertise it, etc. The real success of a membership drive will only come about if our entire chapter gets behind it and through word of mouth shares it with co-workers, friends, family, etc. We also intend to focus strongly on student memberships, so if you have academia contacts in the local area please share those with us.

In closing, I want to tell you I appreciate the opportunity to serve as this chapter’s President. For those who don’t know me well, I am very results oriented, and I don’t tend to overthink issues too much. Your chapter needs your support, so if you want the opportunity to take a more active role please contact me. We need all our members to participate to really energize our chapter and take it to the next level to ensure we provide outstanding service and support to all our members. Thanks.


PAGE 5
VOLUME 3 NUMBER 1

Credit card fraud comes of age with advances in point-of-sale botnets

By Dan Goodin, arstechnica, December 4, 2013

Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.

The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.

PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with "sniffing" software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.

The infections observed by IntelCrawler, by contrast, are much more advanced. They allow attackers to corral large numbers of PoS devices into a single botnet. The interface makes it easy to monitor the activities of infected machines in real time and to issue granular commands. In short, they are to PoS terminals what ZeuS, Citadel, and other banking trojans are to online bank accounts. The code helping to streamline the process has been dubbed StarDust. It's a major revision of Dexter, a previously discovered piece of malware targeting PoS devices that has already been fingered in other real-world payment card swindles.

"The unique side of our case is that it is a real botnet with C&C functions, which is active close to half a year and controlled by a group of criminals which has a new type of Dexter," IntelCrawler CEO Andrey Komarov wrote in an e-mail. "The infected PoS merchants are installed in different places and cities... which makes it different as the bad actors infected them separately and then organized a botnet from it."

Not your father's PoS malware

StarDust developers have intimate knowledge of the inner workings of PoS applications such as Clearview PoS. As a result, the malware can ferret out where in computer memory sensitive data, in some cases in cleartext form, is stored. StarDust can also sniff network traffic and is able to extract Track1 and Track2 card data. To remain covert, the software transfers card details only when the terminal is inactive and the screensaver is on. It also uses the RC4 cipher to encrypt data before sending it to the control server.

The discovery comes as researchers from a separate security firm called Arbor Networks published a blog post on Tuesday reporting an active PoS compromise campaign. The advisory is based on two servers found to be hosting Dexter and other PoS malware. Arbor researchers said the campaign looks to be most active in the Eastern Hemisphere. There was no mention of a botnet or of US restaurants or retailers being infected, so the report may be observing a campaign independent from the one found by IntelCrawler.

It remains unclear how the attackers manage to initially infect PoS terminals and servers that make up the botnet. In the past, criminals have targeted known vulnerabilities in applications that many sellers of PoS software use to remotely administer customer systems. Weak administrator passwords, a failure to install security updates in a timely fashion, or unknown vulnerabilities in the PoS applications themselves are also possibilities.

Read the rest here:

http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/
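StarDust reads Track 2 data from PoS memory and from sniffed traffic; a merchant or incident responder can look for the same cleartext records in captures and memory images to confirm what was exposed. The Python below is an added example, not IntelCrawler's or Arbor's code: it matches the ISO/IEC 7813 Track 2 layout, keeps only Luhn-valid PANs with a plausible expiry month, and masks them before reporting. The sample buffer and the 4111... test card number are constructed.

```python
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")

# Constructed buffer standing in for a memory page or capture from a PoS host.
SAMPLE_BUFFER = (
    b"\x00\x00TxnLog 2013-12-01 14:02:11 lane=7 \x00"
    b";4111111111111111=25121011234567890?\x00"   # Luhn-valid record: should be flagged
    b"serial=;1234567890123456=2512101000?\x00"   # fails Luhn: a serial number, not a card
    b";4111111111111111=2513101000?\x00"          # valid PAN but month 13: rejected
)


def luhn_ok(pan):
    """Luhn check-digit test on a string of digits (str or bytes)."""
    digits = [int(ch) for ch in (pan.decode() if isinstance(pan, bytes) else pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the BIN (first 6) and last 4 so the alert itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload):
    """Return (offset, masked_pan, expiry 'YYMM', service_code) for each valid Track 2 record.

    Matches that fail Luhn or carry an impossible month are dropped so that
    serial numbers and timestamps do not pollute the alert stream.
    """
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        yy, mm, svc = (g.decode() for g in m.group(2, 3, 4))
        if not 1 <= int(mm) <= 12:
            continue
        findings.append((m.start(), mask_pan(pan), yy + mm, svc))
    return findings


if __name__ == "__main__":
    for offset, masked, expiry, svc in find_track2(SAMPLE_BUFFER):
        print(f"offset={offset} pan={masked} exp={expiry} service={svc}")
```

This only finds cleartext records, so it is useful on the internal terminal-to-server leg and on memory dumps, not on the RC4-encrypted exfiltration traffic the article describes.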


I S S A - C O S N E W S

P A G E 6

Quality Assurance Practices for Computer

Forensics: Part 1 By John J. Barbara, DFI News, December 3, 2013

Regardless of whether a Computer Forensics unit is a stand alone entity within a law enforcement agency, a sec-tion within a forensic laboratory, or is housed within a private corporation or business, Quality Assurance Practices are essential to its overall success. Quality Assurance Practices are an overall means to assess the quality of analytical pro-cesses and must be in place prior to beginning forensic analysis. They often include systematic and planned activi-ties by management to ensure that the analytical processes are sound and capable of providing quality results. A primary factor controlling quality in any setting is the incorporation and utilization of good scientific practices.

The results of the analysis of digital data routinely lead to either civil or criminal litigation. Prior to litigation, the unit’s management and legal counsel have to be assured that the results are accurate, reliable, verifiable, and repeatable. The successful completion of forensic imaging/analysis training classes by examiners does not guarantee those assurances. Rather, training classes can often give the examiners a false sense of security, which leads to the belief that they are pre-pared to provide quality results. This is a fallacy. There are many other complex, interrelated issues that must be ad-dressed if the results are to be considered a quality product. All are critical and have to be clearly articulated and well documented before proceeding with any forensic analysis:

• What was the probable cause that initiated the request for analysis?
• Where was the digital data stored on the computer or computer network?
• How many individuals had access to the computer and the digital data?
• How was the evidence collected?
• What training did the examiner receive prior to analyzing cases?
• Is there a documented training program?
• Did the examiner demonstrate competency prior to performing the analysis requested?
• Has the examiner been proficiency-tested on a regular basis?
• How reliable were the tools (both software and hardware) used in the analysis?
• Are the procedures for analysis documented and have they been verified/validated?
• Were scientific practices and principles followed during the analysis of the data?

One of the implications of working in a forensic environment is that every analytical report generated could result in litigation. In Computer Forensics, the analytical processes are technically complicated and can literally change week to week. Digital data can be stored anywhere on a hard drive and be difficult to find (for example, deleted, hidden, encrypted, or partially overwritten files or directories). Thus, it is not an easy task to explain to the court what was found, where it was found, how it got there, and who may have put it there. Of considerable importance is the expert testimony of the examiner. The court has to be assured that the results obtained were both accurate and reliable. Invariably, most lay jurors and justices do not have the technical knowledge to accurately assess the testimony provided. Although an examiner’s testimony will often sound very credible and believable, many questions can and should arise from that testimony:

• What exactly is the evidence: the computer itself? Its hard drive? Probative data found on the hard drive? Exported digital data?
• Was the digital data ‘tainted’ or ‘compromised’ during its collection and analysis?
• Can the ‘chain-of-custody’ be fully documented for the collection, submission, and analysis of the evidence?
• Does an examiner’s ‘on-the-job experience’ automatically qualify him/her as an ‘expert’?
• Does the examiner have the necessary training and competency to perform the analysis?
• Were new, novel techniques and procedures used during the analysis?
• Were the analytical procedures used and the results obtained by the examiner technically peer reviewed?
• What were the results of the examiner’s proficiency testing?
• What other analyses were performed on the forensic computers and when?
• Who maintains the forensic computers? How often is the software/hardware updated?
• Were licensed copies of the forensic software tools used during the analysis?
• Does the examiner have documentation demonstrating that the forensic software and hardware tools were verified/validated in his/her laboratory prior to their use?
• What standards/controls were used during the analysis?
• Did any of the software tools used contain documented (or undocumented) ‘bugs’?
• Did any of the analytical processes have the potential to alter or change the evidentiary data?
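Two of the questions above (was the data altered during collection or analysis, and can chain of custody be documented end to end) have a mechanical answer that a unit can build into its procedures: hash the image at acquisition, re-hash after every step, and keep the custody record in a form that cannot be quietly edited. The following is an added example, not code from the DFI News article or from any forensic product. The case identifier, the custody events and the "image" bytes are constructed so the example runs offline; a real image would be hashed from disk with the same chunked loop.

```python
"""Evidence integrity and chain-of-custody records for a forensic image.

Added example, not from the DFI News article. Demonstrates two questions an
examiner must be able to answer in court: was the data altered during
collection or analysis, and can custody be documented end to end. The
"image" is a constructed byte string so the example runs offline.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes, chunk: int = 1 << 20) -> str:
    """Chunked SHA-256; the same loop handles a multi-gigabyte image file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


class CustodyLog:
    """Append-only custody log. Each entry commits to the previous entry's
    hash, so a deleted, reordered or edited entry breaks verification."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, who: str, evidence_hash: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "who": who,
            "evidence_sha256": evidence_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and every back-link."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def evidence_unchanged(log: CustodyLog) -> bool:
    """True only if every custody entry reports the hash recorded at
    acquisition, i.e. nothing in the workflow altered the image."""
    if not log.entries:
        return False
    first = log.entries[0]["evidence_sha256"]
    return all(e["evidence_sha256"] == first for e in log.entries)


def run_workflow(image: bytes, image_after_analysis: bytes) -> CustodyLog:
    """Acquire, hand over, analyse, re-hash. The analysis entry records the
    hash of the image as it exists after the examiner's tools have run."""
    log = CustodyLog("CASE-2013-0412")   # constructed case identifier
    log.record("acquired", "examiner A", sha256_hex(image), "write-blocked imaging")
    log.record("transferred", "evidence custodian", sha256_hex(image), "sealed bag #7")
    log.record("analysed", "examiner A", sha256_hex(image_after_analysis),
               "keyword search, file carving")
    return log


# Constructed stand-in for a disk image.
IMAGE = b"\x00" * 4096 + b"deleted_report.docx" + b"\xff" * 4096
```

The hash comparison answers the "was the evidence altered" question; the back-linked entries answer the "can custody be fully documented" question, because an entry that is edited, removed or inserted after the fact no longer verifies. Tool validation (the page's next question) is the same idea applied to the tool: hash a known reference image, run the tool, and confirm the hash and the expected findings have not changed.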

Read the rest here:

http://www.dfinews.com/articles/2013/12/quality-assurance-practices-computer-forensics-part-1?et_cid=3637874&et_rid=454841830&location=top


Quality Assurance Practices for Computer Forensics: Part 2

By John J. Barbara, DFI News, December 10, 2013

Quality Assurance Practices are essential to ensure the overall quality of services that a Computer Forensics unit provides. Two of the fundamentals of quality assurance are a documented Quality Assurance Manual (QAM) and an individual designated as the Quality Manager (QM) who, irrespective of other responsibilities, has the authority and obligation to ensure that the requirements of the quality system are implemented and maintained. These two fundamentals are essential irrespective of whether the Computer Forensics unit is a stand-alone entity, a section within a forensic laboratory, or is part of a private corporation or business. Minimally, the QAM will include quality policies and describe the various elements of the quality system and the quality practices that are to be followed. The QAM can be, but does not necessarily need to be, an all-encompassing voluminous document. Rather, it can include many detailed quality documents while making reference to others that can be found elsewhere within the unit. Over the past several years, I have reviewed both types of QAMs. As long as all the quality assurance documents are readily available, either approach will work.

The QAM must include all elements of the quality system and be readily available to staff members to ensure that they understand its expectations. To the staff member(s) assigned to develop a QAM, it is often viewed as a lengthy, detailed, time-consuming process. (I am personally aware of many instances where it took an agency one to two years to develop their QAM. This appears to be the norm rather than the exception.) Furthermore, once the QAM has been developed and approved by management, it then becomes the responsibility of the QM to ensure that its requirements are maintained. Often when management “designates” someone as the QM, that person does not always understand what is expected of him/her. Ideally, the QM should not be part of the management structure and whenever possible, should be autonomous to the technical operations of the unit. In addition, management should ensure that the QM has some training in the concepts and techniques of quality assurance.

If a Computer Forensics unit is part of an accredited laboratory, the existing laboratory’s QAM was probably modified to include the unit’s quality practices. Additionally, the laboratory QM would oversee the implementation of any additional practices necessary to ensure that the unit complied with the requirements of the QAM. However, if the Computer Forensics unit is not part of an accredited laboratory, then most likely no QAM exists, nor has a person been designated as a QM to oversee the unit’s quality practices.

From personal knowledge, most non-accredited Computer Forensics units in the law enforcement community and in the private sector do not have a QAM in place nor do they have a QM. Likewise, there appears to be a general lack of documentation concerning analytical policies and procedures and quality practices. This could have potentially disastrous consequences if legal challenges arise out of the unit’s analytical practices or the unit resides in a state that requires any entity performing forensic analysis to be accredited. The unit’s management needs to assess its mission, beginning by asking some hard questions: Are we providing quality services? How do we know that we are? What do we need to do to demonstrate that we can provide quality results?

To avoid these potential consequences, any Computer Forensic unit operating without a QAM should develop one as soon as possible, regardless of whether or not the unit will seek accreditation. Listed below in outline form is a suggested Table of Contents for a QAM. It has been compiled from several different sources and can be used as a guide:

1.0 INTRODUCTION
1.1 Agency/Management Authority and Management Related Issues.
1.2 Agency/Computer Forensics Unit Mission Statement.
1.3 Quality Policy Statement and Objectives.
1.4 Organization and Management Structure (Organizational Chart).
1.5 Relationships and Responsibilities of Management, Technical Operations, and Support Services.
1.6 Position Descriptions, Statement of Qualifications, and Training Records.
1.7 Departures from Policy and Procedures and Exceptions to the QAM.
1.8 Communications within the Unit/Agency and with External Agencies.

Read the rest here:

http://www.dfinews.com/articles/2013/12/quality-assurance-practices-computer-forensics-part-2?et_cid=3652171&et_rid=454841830&location=top


Top mobile security concerns: Blacklisted apps and password protection

By Will Kelly, TechRepublic, December 11, 2013

Password protection and application security are high on the list of security concerns as more organizations move to mobile first and Bring Your Own Device (BYOD) strategies.

I recently spoke with Jonathan Dale, director of marketing for Fiberlink (recently acquired by IBM), and James Brown, chief digital technologist at Compuware Professional Services, and they answered some questions concerning the blacklisting and whitelisting of apps and password security.

Creating app blacklists and whitelists

According to Jonathan Dale, “File sharing apps are the most common blacklisted apps in the enterprise. The top five blacklisted apps include Dropbox, SugarSync, Box, Facebook, and Google Drive.” Fiberlink’s app data comes from over 4,500 of their customers using a mix of corporate- and employee-owned devices.

Figure A shows the top 10 list of blacklisted iOS and Android apps amongst Fiberlink customers:

Dale says, “The top concern for most corporations is knowing that their data is safe and always in the right hands. Blacklisting can play a role, but we find that there are both right and wrong times to restrict apps. For instance, restricting an app for no reason is a quick way to get your BYOD deployment to backfire. Even corporate-owned devices with blacklisting apps can make employees unhappy.”

Right now, blacklisting occurs on 10% of the devices that Fiberlink manages, prohibiting a specific app or apps from running. This means that IT is trying to ensure the intended use of the device and prevent the loss of corporate data, which is considered a major security risk. Dale recommends blacklisting and even whitelisting where appropriate.

Figure B shows the top 10 list of whitelisted iOS and Android apps amongst Fiberlink customers:

Read the rest here:

http://www.techrepublic.com/blog/smartphones/top-mobile-security-concerns-blacklisted-apps-and-password-protection/


Figure A. Top 10 Blacklisted Apps (Fiberlink customers)

    iOS Devices                 Android Devices
     1. Dropbox                  1. Dropbox
     2. SugarSync                2. Facebook
     3. Box                      3. Netflix
     4. Facebook                 4. Google+
     5. Google Drive             5. Angry Birds
     6. Pandora                  6. Google Play Movies & TV
     7. SkyDrive                 7. Google Play Books
     8. Angry Birds              8. SugarSync
     9. HOCCER                   9. Google Play Music
    10. Netflix                 10. Google+ Hangouts

Figure B. Top 10 Whitelisted Apps (Fiberlink customers)

    iOS Devices                 Android Devices
     1. iBooks                   1. NITDroid
     2. Adobe Reader             2. Adobe Reader
     3. Google                   3. Lookout
     4. Citrix Receiver          4. Google
     5. Numbers                  5. Skype
     6. Dropbox                  6. Citrix Receiver
     7. Pages                    7. Android Translator
     8. iTunes U                 8. Antivirus
     9. Keynote                  9. ZXing
    10. WebEx                   10. Google Maps

The evolution of text messaging and its impact on mobile e-discovery

By Mike May and Andrew Russell, Esq., Association of Certified E-Discovery Specialists ®, December 5, 2013

The relevance of text messages continues to grow as an important component of e-discovery. At the same time, the diversity and complexity of the options available for texting is steadily increasing. While text messaging may at times be used as a quick and informal way to communicate, today these messages have legal implications across a wide range of civil cases.

One might easily understand how the content of a text message can influence a divorce case or a personal injury case where the defendant is accused of texting while driving. More surprising is the impact texts are having in other types of cases, including contract law. In the case of CX Digital Media, Inc. vs. Smoking Everywhere, Inc. (S.D. Fla. Mar. 23, 2011), the word “Awesome!” at the end of a string of text messages affected the amendment of a contract and resulted in a $1.2 million judgment. This case demonstrated that contracts and amendments to contracts can be made without executing a formal definitive agreement by hand.

Identifying, preserving and collecting text messages

Text messages pose thorny challenges for e-discovery professionals when it comes to identifying, preserving, and collecting them. Texts include short electronic messages, and increasingly, images, audio, or video content frequently known as Multimedia Message Service (MMS).

A common way to collect evidence of text messages is to acquire Call Detail Records (CDRs) from the wireless service provider through a legal process. CDRs include metadata that describes a specific instance of a telecommunication transaction, and a breakdown of all of the call, text, and data usage. Details of text or SMS usage may include date and time, originating and terminating numbers, and a description of what is known about the message. Cellular data usage records include temporal connection and termination data but, unlike calls with origin and destination numbers, data usage records may only include the number of data bytes transmitted up and received down. These data records indicate that a data network connection was established that may be used to access web-based services like Internet browsers, social media sites, and other online services.

Mobile e-discovery seeks to follow the phases of the Electronic Discovery Reference Model (EDRM). Critical among these phases is the preservation of electronically stored information (ESI). Wireless carriers have varying policies and procedures for how they manage their legal process and retain data. These differences may include what data is retained as well as the period of time that the data is stored. Certain critical pieces of information may be held for as short as three to five days. This fact makes it imperative to identify and preserve the desired Call Detail Records as soon as possible.

The forensic collection path

An alternate method of collecting evidence of text messages is to acquire the text message data from the mobile device itself through a digital forensic examination. While there may be logistical obstacles to overcome using this method, a more thorough collection of “text message” data is possible. Empirical data suggests that most mobile device users rarely delete their text messages.

This, combined with the short data retention practices of the wireless carriers, suggests that it is more likely that relevant text message content will be available for preservation and collection from the device than from the carrier. While major wireless carriers have legal compliance departments whose responsibility it is to comply with court orders and other legal processes, often, varying policies and procedures impede the timely response to mobile e-discovery requests. When the data to be preserved and collected is resident on the device and under the control of a party to the litigation, the matter of “possession, custody, or control” of the text messages may be a matter more easily resolved during the meet and confer phase.

In a recent InformationWeek article (http://www.informationweek.com/mobile/mobile-devices/10-mobile-chat-apps-that-beat-sms/d/d-id/1109729?), Eric Zeman wrote that mobile device users sent an average of 36.6 billion messages per day throughout 2012. Not all of them were SMS messages, however. In fact, fewer than half were routed through traditional, carrier-based SMS services. Analyst Informa says that 19 billion messages were sent each day from mobile chat apps, while 17.6 billion were sent via Short Message Service. This means that more messages were transmitted outside of the carrier’s message centers than within.

The impact is that traditional Call Detail Records (CDRs) that might otherwise be relied upon as evidence may not exist.
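What a CDR can and cannot establish, and how little time there is to ask for it, is easier to see on a concrete record set. The following is an added example, not code from the ACEDS article or from any carrier. Carrier export formats differ, so the CSV layout and the numbers in it are constructed; the five-day retention window is taken from the upper end of the article's "three to five days" figure and is an assumption to tune per carrier. It covers the two passages above: the SMS rows carry both parties and a timestamp (never the content), the data rows carry only byte counts, which is all the carrier sees of a chat-app message.

```python
"""Parse a constructed Call Detail Record export and show what it can prove.

Added example, not from the ACEDS article. The CSV layout, phone numbers
and the 5-day retention window are assumptions made for the example.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed CDR export. SMS/VOICE rows carry both numbers; DATA rows carry
# only byte counts, which is all a carrier records for an OTT chat app.
SAMPLE_CDR = """\
record_type,start,end,originating,terminating,bytes_up,bytes_down
SMS,2013-12-02T09:14:05,2013-12-02T09:14:05,+17195550101,+17195550199,,
SMS,2013-12-02T09:15:41,2013-12-02T09:15:41,+17195550199,+17195550101,,
DATA,2013-12-02T09:20:00,2013-12-02T09:31:12,,,48211,190334
VOICE,2013-12-02T10:02:13,2013-12-02T10:05:50,+17195550101,+13035550123,,
DATA,2013-12-03T18:00:00,2013-12-03T18:00:45,,,2048,9120
"""


def parse_cdr(text: str) -> list:
    """Normalise each row; empty numbers/byte fields become None/0."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "type": r["record_type"],
            "start": datetime.fromisoformat(r["start"]),
            "end": datetime.fromisoformat(r["end"]),
            "from": r["originating"] or None,
            "to": r["terminating"] or None,
            "bytes_up": int(r["bytes_up"] or 0),
            "bytes_down": int(r["bytes_down"] or 0),
        })
    return rows


def sms_timeline(rows: list, number: str) -> list:
    """SMS events touching `number`, oldest first: (time, from, to).
    The parties and the time are all the carrier has; content is not in a CDR."""
    return sorted((r["start"], r["from"], r["to"]) for r in rows
                  if r["type"] == "SMS" and number in (r["from"], r["to"]))


def data_sessions(rows: list) -> list:
    """(start, end, total bytes) per data session. There is no counterpart
    number: a chat-app message is invisible beyond the fact that bytes moved."""
    return [(r["start"], r["end"], r["bytes_up"] + r["bytes_down"])
            for r in rows if r["type"] == "DATA"]


def preservation_deadline(rows: list, retention_days: int = 5) -> datetime:
    """Earliest moment the oldest record may be purged under the assumed
    retention window; the preservation request must reach the carrier first."""
    oldest = min(r["start"] for r in rows)
    return oldest + timedelta(days=retention_days)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for ev in sms_timeline(recs, "+17195550101"):
        print("SMS", *ev)
    for s in data_sessions(recs):
        print("DATA session", *s)
    print("preserve before", preservation_deadline(recs).isoformat())
```

The two DATA rows are the whole carrier-side footprint of any messaging app traffic in this period; if the messages themselves matter, they have to come from the device, which is the article's point.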

Read the rest here:

http://www.aceds.org/the-evolution-of-text-messaging-and-its-impact-on-mobile-e-discovery/

DOS Attacks and Free DOS Attacking Tools

By Pavitra Shankdhar, INFOSEC Institute, October 29, 2013

The denial of service (DOS) attack is one of the most powerful attacks used by hackers to harm a company or organization. Don’t confuse a DOS attack with DOS, the disk operating system developed by Microsoft. This attack is one of the most dangerous cyber attacks. It causes service outages and the loss of millions, depending on the duration of the attack. In the past few years, the use of the attack has increased due to the availability of free tools. These tools can be blocked easily by a good firewall, but a widespread and clever DOS attack can bypass most of the restrictions. In this post, we will see more about the DOS attack, its variants, and the tools that are used to perform the attack. We will also see how to prevent this attack and how not to be part of it.

What Is a Denial of Service Attack?

A DOS attack is an attempt to make a system or server unavailable to legitimate users and, finally, to take the service down. This is achieved by flooding the server’s request queue with fake requests. After this, the server will not be able to handle the requests of legitimate users.

In general, there are two forms of DOS attack. The first form is one that can crash a server. The second form only floods a service.

DDOS or Distributed Denial of Service Attack

This is the complicated but powerful version of the DOS attack in which many attacking systems are involved. In DDOS attacks, many computers start performing DOS attacks on the same target server. As the DOS attack is distributed over a large group of computers, it is known as a distributed denial of service attack.

To perform a DDOS attack, attackers use a zombie network, which is a group of infected computers on which the attacker has silently installed the DOS attacking tool. Whenever he wants to perform a DDOS attack, he can use all the computers of the zombie network to perform the attack.

In simple words, when a server system is being flooded with fake requests coming from multiple sources (potentially hundreds of thousands), it is known as a DDOS attack. In this case, blocking a single IP address or a few of them does not work. The more members in the zombie network, the more powerful the attack. For creating the zombie network, hackers generally use a Trojan.

There are basically three types of DDOS attacks:
• Application-layer DDOS attack
• Protocol DDOS attack
• Volume-based DDOS attack

Application-layer DDOS attack: Application-layer DDOS attacks are attacks that target Windows, Apache, OpenBSD, or other software vulnerabilities to perform the attack and crash the server.

Protocol DDOS attack: A protocol DDOS attack is a DOS attack at the protocol level. This category includes SYN floods, Ping of Death, and more.

Volume-based DDOS attack: This type of attack includes ICMP floods, UDP floods, and other kinds of floods performed via spoofed packets.
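The post goes on to list attack tools; the defender's side of the protocol-level case is worth showing too. The following is an added example, not code from the INFOSEC Institute post or from any product, that flags a SYN flood from packet summaries and tells a DOS from a DDOS by the number of distinct sources, which is exactly why, as the text says, blocking one IP address or a few of them does not work. Packet records are constructed tuples of (time, source, destination, port, TCP flags), and the thresholds are assumptions picked for the sample rather than a baseline from a real service.

```python
"""SYN-flood detection over constructed packet summaries.

Added example, not from the INFOSEC Institute post (which catalogues attack
tools, not detection). Each packet is (time_s, src_ip, dst_ip, dst_port,
tcp_flags). Thresholds are assumptions chosen for the sample traffic.
"""
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # TCP flag bits


def detect_syn_flood(packets, window_s=10.0, min_syns=100,
                     max_completion=0.2, distributed_sources=20):
    """Flag each (dst, port) whose busiest `window_s` window holds at least
    `min_syns` pure SYNs of which at most `max_completion` came from clients
    that later completed the handshake with a pure ACK. `distributed` is
    True when the SYNs come from many sources, i.e. blocking one or a few
    IPs will not stop it (a DDOS rather than a single-source DOS)."""
    by_target = defaultdict(list)
    for p in packets:
        by_target[(p[2], p[3])].append(p)

    findings = {}
    for target, pkts in by_target.items():
        syns = sorted((p for p in pkts if p[4] & SYN and not p[4] & ACK),
                      key=lambda p: p[0])
        acked = {p[1] for p in pkts if p[4] == ACK}
        # Two-pointer sweep: for each SYN, count the SYNs within the window
        # that starts at it, and keep the busiest window.
        best, j = (0, 0), 0
        for i in range(len(syns)):
            while j < len(syns) and syns[j][0] <= syns[i][0] + window_s:
                j += 1
            if j - i > best[1] - best[0]:
                best = (i, j)
        win = syns[best[0]:best[1]]
        if len(win) < min_syns:
            continue
        completion = sum(1 for p in win if p[1] in acked) / len(win)
        if completion > max_completion:
            continue   # busy but legitimate: clients finish their handshakes
        sources = {p[1] for p in win}
        findings[target] = {
            "window_start": win[0][0],
            "syns": len(win),
            "distinct_sources": len(sources),
            "completion": completion,
            "distributed": len(sources) >= distributed_sources,
        }
    return findings


def build_sample():
    """Constructed traffic: 30 legitimate handshakes (SYN then ACK), then a
    flood of 500 SYNs from 500 spoofed sources within five seconds, none of
    which is ever acknowledged."""
    pk, t = [], 0.0
    for i in range(30):
        src = f"203.0.113.{i + 1}"
        pk.append((t, src, "198.51.100.10", 80, SYN))
        pk.append((t + 0.05, src, "198.51.100.10", 80, ACK))
        t += 0.5
    for i in range(500):
        pk.append((20.0 + i * 0.01, f"10.{i // 256}.{i % 256}.7",
                   "198.51.100.10", 80, SYN))
    return pk


if __name__ == "__main__":
    for target, f in detect_syn_flood(build_sample()).items():
        print(target, f)
```

The completion ratio is what separates a flood from a flash crowd: a popular service also sees many SYNs, but its clients answer the SYN-ACK. A flood from spoofed or zombie sources never does, and the `distinct_sources` count then tells the responder whether a firewall rule against a handful of addresses is worth anything.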

There are many tools available for free that can be used to flood a server and perform an attack. A few tools also support a zombie network to perform DDOS attacks. For this post, we have compiled a few freely available DOS attacking tools.

For a list of Free DOS Attacking Tools read the rest here:

http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/

Hat tip to Mike Daetwyler for sending this on.

ROTC cadets, recent graduates offered release from service commitments

By Air Force Times, December 3, 2013

The Air Force is offering future officers preparing to graduate from the ROTC program in 2014 the opportunity to walk away from their service commitments without having to repay their scholarships or monthly stipends, the service announced Tuesday.

Recent graduates in the Individual Ready Reserve who are waiting to enter active duty also may be eligible for release from their military service commitment, according to a release.

Cadets and graduates in the following career fields may apply for early release Jan. 6-24:

13M Airfield Operations
13N Nuclear and Missile Operations
14N Intelligence
17D Cyberspace Operations (emphasis added by Newsletter Editor)
21A Aircraft Maintenance
21M Munitions and Missile Maintenance
21R Logistics Readiness
31P Security Forces
35P Public Affairs
38P Personnel
63A Acquisition
64P Contracting

Read the rest here:

http://www.airforcetimes.com/article/20131203/CAREERS/312030009/ROTC-cadets-recent-graduates-offered-release-from-service-commitments

What Would Nostradamus Have Said About Cyber Security in 2014?

By Mark Hatton, Security Week, December 3, 2013

It’s that time of year again when everyone wants to wow you with their insights and predictions about what the next year will bring us in terms of technology and hacks in the security industry. Don’t get me wrong, always thinking ahead and applying a predictive approach to security is an idea and practice I fully endorse. However, I would like to ask the security community as a whole to please not waste our time with vagaries and statements that are so broad that they could apply to anything, and/or at the same time, nothing.

For those unfamiliar with the name or work, Michel de Nostredame, aka Nostradamus, was a French apothecary and reputed seer who published collections of prophecies that have become famous worldwide. While he is the most famous of the prognosticators, his predictions are largely panned by the scientific community as being so general that they can be molded to fit multiple scenarios and situations. His most famous of all predictions was that the world was going to end in 1994, and then again in 1998 or maybe it was 2000. No, it was definitely going to end on December 21, 2012. Well, I’m writing this in November of 2013 so I guess that didn’t quite work out the way he had envisioned after all.

The reason I bring this up is that if Nostradamus had envisioned our networked world of 2014 and had written predictions about the security challenges that existed, I’d expect them to look something like this:

Hackers will target data in the cloud

Attacks will continue to become more sophisticated

Cybercriminals will be motivated by profit

China and other nation states will remain a top security concern

Mobile devices will be under increased scrutiny

Please raise your hand if any of these predictions have helped you shore up your security planning for 2014. Anyone? I didn’t think so. While I changed some of the wording to protect the guilty, the themes of each of these predictions were a direct pull from members of our industry. Forward-thinking and practical advice from experts is always appreciated, but we need to do a better job making constructive points in our observations.

Read the rest here:

http://www.securityweek.com/what-would-nostradamus-have-said-about-cyber-security-2014


Weak Security In Most Mobile Banking Apps

By Kelly Jackson Higgins, Dark Reading, December 12, 2013

Most mobile banking apps -- including those of major financial institutions -- contain configuration and design weaknesses that leave them with weakened security.

Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using software development best practices. Among the big-name banks whose mobile apps were tested by security firm Praetorian are Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and SunTrust Banks. Praetorian did not disclose how each bank's apps fared in the tests.

Praetorian's research comes at a time when mobile banking is starting to take off, albeit slowly. Some 35 percent of U.S. adults conduct mobile banking, up from 24 percent in 2012, according to the Pew Research Center. A new report by NSS Labs says some banks report seeing mobile banking grow by up to 70 percent per year.

Nathan Sportsman, founder and CEO of Praetorian, says the security weaknesses in the mobile banking apps he and his team tested are not pure software vulnerabilities, so they are relatively low-risk issues that could ultimately lead to exploitation.

"These aren't business-logic or application-specific issues. They are weaknesses across the mobile apps -- things developers should be doing" but they are not, Sportsman says. The apps were downloadable from the Apple App Store and Google Marketplace.

The weaknesses the researchers tested for are well-known mitigation functions in software, and the tests were performed on each local device's mobile app, not back-end Web servers and services. Sportsman says the test only represents a snapshot of the full attack surface of mobile banking because between 75 to 90 percent of mobile banking occurs on the back end.

"This was not intrusive testing. We weren't looking for SQL injection and would need permission to do that, so we were really looking at the configuration of the mobile apps," he says. His firm hopes to next test these apps for how information gets stored on the local device, he says.

Read the rest here:

http://www.darkreading.com/vulnerability/weak-security-in-most-mobile-banking-app/240164731

Cyber weapons: this century's nukes?

By Jamie Bartlett, The Telegraph (UK), December 13, 2013

In June 2013 the doors of cell block A suddenly swung open in the Turner Guilford Knight Correctional Centre in Miami, Florida. And block B. In fact, every cell door in the prison. The reason? A computer malfunction. The prison had recently linked its security locks to the internet.

More and more things are going online, most worryingly our "critical national infrastructure" – a technical term for what essentially means "if it breaks we’re all f–––––": water systems, power grids, telecommunications, banking services. Connectivity makes them vulnerable to disruption too: from hackers, from serious criminals who are increasingly inching online, from hostile foreign governments, from terrorist groups.

In fact, they already are. In 2010 the Stuxnet computer virus – possibly emanating from Israel, though no one is sure – infected and seriously disrupted an Iranian nuclear enrichment facility. Most cyber attacks try to access a computer system to steal data or valuable information: but an increasing number like Stuxnet can destroy hardware too, infecting computers and stopping them from doing what they are supposed to. Stuxnet was the first virus to successfully disrupt or damage critical infrastructure.

Since then a cyber arms race has taken hold: Duqu in 2011, Gauss in 2012, Red October in 2013, all targeting infrastructure. Cyber weapons are different to conventional weapons. It’s hard to reverse engineer a detonated missile: but once you’ve been hit by a cyber weapon, you can quickly work out how it functions and send it right back, meaning the cost falls and technical know-how proliferates fast. Stuxnet cost an estimated $100m to create. Sources tell me that one of the more recent weapons, "Icefog", cost under $10k. According to Eugene Kaspersky – CEO of the world’s largest private internet security company, Kaspersky Lab – his team deals with 300,000 new viruses a day. Every day. Last year it was 200,000. In 2011, 70,000. Of course very few are in the Stuxnet league but Kaspersky expects more of these will involve successful attacks on major critical national infrastructure in the coming years, most likely from a foreign government or terrorist group (both of which are far more dangerous than the more visible hacktivist collectives like Anonymous).

He would say that, because he sells internet security. Not everyone is convinced. According to a new book by the academic Thomas Rid, talk of cyber "warfare" is often exaggerated and misleading. Threatening, but not enough to justify running for the hills. Paul Gill, an expert on cyber threats at University College London, thinks cost and technical know-how in particular means that the use of cyber weaponry by terrorists is "unlikely" in the near term.

Our government is less sanguine. Although we have world class cyber defences – the recently much maligned GCHQ is to thank for a lot of that – no system is perfect. According to the head of GCHQ Sir Iain Lobban, 20 industrial sectors are under constant threat from cyber attack, including our critical infrastructure. Sir Malcolm Rifkind, chair of the Intelligence and Security Committee, recently said the scale of this activity is "disturbing". A clue to how worried the Government is lies in the increased cyber budgets for both the intelligence agencies and Scotland Yard. GCHQ and BIS have recently created the Academic Centres of Excellence in Cyber Security Research scheme.

Perhaps the big risk here is in how we respond. We all see, feel and understand major offline terror attacks or serious crime. But cyber is silent, so it’s hard to know how worried we should be. The most effective cyber defence system is like a good football referee: unnoticed. That’s not a popular way to spend resources. We’ve upped our spending in recent years – the US invests over $4bn a year – but many experts still think it’s insufficient.

There’s a moral hazard here: that cyber defence is not given priority because we don't get to see shiny new buildings or more nurses for our money. Our intelligence services and companies need to be a little more open and honest about what’s happening and what we need to do in response. Like terrorism, the Government should publish an open evaluation of cyber threats: where is it? Who is it coming from? Who will be affected? The UK has already announced an expansion of its offensive cyber capability – are we sure we want to continue the arms race?

Read the rest here:

http://blogs.telegraph.co.uk/technology/jamiebartlett/100011795/cyber-weapons-this-centurys-nukes/

Bitcoin’s Rise Constrained by Heists and Lost Fortunes

Bitcoin is underpinned by unbreakable codes, but the secret keys that protect personal fortunes are easily lost or stolen.

By Tom Simonite, MIT Technology Review, December 11, 2013

A man showed up at a trash heap in Wales last month with an unusual request: he needed help finding a hard drive he had thrown out weeks earlier that held the cryptographic key to 7,500 bitcoins, currently worth over $6 million.

James Howells is unlikely to ever be reunited with that digital cash, and he’s far from alone in having lost a fortune in the math-backed currency. Pioneers of Bitcoin are in high spirits due to the currency’s rising value and the friendly reception it has received from U.S. regulators (see “Regulators See Value in Bitcoin”, http://www.technologyreview.com/news/521636/regulators-see-value-in-bitcoin-and-other-digital-currencies/). But the ease with which bitcoins can be lost or stolen remains a barrier to mainstream adoption. And no obvious remedy is in sight.

The problem is caused by the design of the software that underpins Bitcoin. It uses cryptography to allow people to exchange funds securely without trusting each other or needing a third party to oversee the trade. But individual collections of bitcoins are secured using an alphanumeric private key that is impossible to recover or reset if lost or stolen, and is near impossible to memorize.

A private key resides in a simple text file called a wallet file and looks something like this: E9 87 3D 79 C6 D8 7D C0 FB 6A 57 78 63 33 89 F4 45 32 13 30 3D A6 1F 20 BD 67 FC 23 3A A3 32 62. If someone else learns that key or cop-ies your wallet file, he or she can spend your bitcoins; if you lose your key or wallet file, Bitcoin’s cryptographic design makes it impossible to regain access to your bitcoins.

“The hackers figured this out really quickly. I think this is a really bad thing for the bitcoin ecosystem,” said venture capitalist William Quigley at the Future of Money conference in San Francisco on Monday. He believes that bitcoins can’t become more than a plaything for speculators unless tools and companies appear that make it easier to manage and safeguard a bitcoin wallet.

It’s a concern echoed by other bitcoin investors and entrepreneurs, including Steve Kirsch, a software entrepre-

Bitcoin’s Rise Constrained by Heists and Lost Fortunes

Bitcoin is underpinned by unbreakable codes,

but the secret keys that protect personal fortunes are easily lost or stolen.

neur turned investor. He has converted over $1 million into bitcoins over the past six months and has struggled to keep them both secure and accessible. “I think that all of the exist-ing mechanisms are problematic.”

The easiest way to manage bitcoins is to leave them with a company providing exchange services between virtual and conventional currencies, where they can be accessed by logging into a website. Even if you lose your password, it should be possible to reset it and recover your wallet. But Kirsch believes this option is the least safe.

“If you have any amount in any of the exchanges today, you’re a fool,” he says. “An attack on your computer could steal all your bitcoins.” Such attacks are not unusual. In April, for example, users of Mt.Gox, the oldest and one of the largest bitcoin exchanges, were targeted by malware that stole their login credentials. Exchanges have themselves been directly targeted by thieves who have compromised their systems and made off with bitcoins.

People who choose to store their bitcoin wallet on their own computer can also be targeted by malware or other attacks. One of the earliest high-profile heists in the crypto-currency world occurred in 2011, when a person identifying online as allinvain complained that their computer had been compromised and 25,000 bitcoins removed. That haul was worth $500,000 at the time and would be valued at many millions of dollars today (see “Crypto-currency Security under Scrutiny” http://www.technologyreview.com/news/424335/crypto-currency-security-under-scrutiny/).

Such hazards have led many people to instead keep their bitcoins in a wallet on a computer or memory stick not attached to the Internet—an approach dubbed “cold storage.” Sometimes they add additional protection by using encryption software to secure the wallet with passwords. “I keep most of my bitcoin offline in software called Bitcoin Armory, but it’s very inconvenient to access,” says Kirsch, who bought an extra laptop to store bitcoins on.

Cold storage comes with its own problems, as became all too clear to Howells when he figured out he had thrown his bitcoins in the trash. Jered Kenna, co-founder of bitcoin exchange Tradehill, says cold storage is the best approach today, but he acknowledges that it’s all too easy to get wrong. “I wouldn’t want my mom trying to make an encrypted backup of her bitcoins,” he says. “I have friends that are cryptography experts who have accidentally lost coins trying to protect them.” One programmer Kenna knows lost 7,000 bitcoins that way, a sum today worth almost $7 million.
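The wallet-key design described above (a raw 32-byte secret that anyone who copies it can spend, and that nobody can reset if it is lost) and Kenna’s point that even cryptography experts lose coins while making encrypted backups suggest one defensive habit: never discard the original key until the encrypted backup has been decrypted and compared against it. The Python below is an added example, not code from the article or from any wallet software; the key bytes are the hex string the article prints, and the passphrase, the PBKDF2 mask plus HMAC construction and the function names are my own choices.

```python
"""Added example: encrypt a 32-byte private key for offline backup and verify
that the backup actually restores before the original is thrown away.
Standard library only; the construction (PBKDF2-derived mask, HMAC tag) is
this example's choice, not any wallet program's format."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: the 32 key bytes printed in the article, as hex.
SAMPLE_KEY_HEX = ("E9873D79C6D87DC0FB6A5778633389F4"
                  "453213303DA61F20BD67FC233AA33262")

KDF_ITERATIONS = 200_000   # slow on purpose: a stolen backup must resist guessing
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase into a 32-byte mask and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def encrypt_key(private_key: bytes, passphrase: str,
                salt: Optional[bytes] = None) -> bytes:
    """Return salt || ciphertext || tag (80 bytes) for a 32-byte key."""
    if len(private_key) != KEY_LEN:
        raise ValueError("Bitcoin private keys are exactly 32 bytes")
    # A fresh random salt per backup means the mask is never reused.
    salt = os.urandom(SALT_LEN) if salt is None else salt
    mask, mac_key = _derive(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, mask))
    # Encrypt-then-MAC: the tag lets a restore detect a wrong passphrase
    # or a corrupted file instead of silently yielding garbage key bytes.
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return salt + ciphertext + tag


def decrypt_key(backup: bytes, passphrase: str) -> bytes:
    """Recover the key, refusing if the tag does not verify."""
    if len(backup) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed backup")
    salt = backup[:SALT_LEN]
    ciphertext = backup[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = backup[SALT_LEN + KEY_LEN:]
    mask, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted backup")
    return bytes(a ^ b for a, b in zip(ciphertext, mask))


def backup_is_restorable(backup: bytes, passphrase: str, original: bytes) -> bool:
    """The check to run before deleting the original wallet file: does this
    backup, with this passphrase, give back exactly the key we started with?"""
    try:
        return hmac.compare_digest(decrypt_key(backup, passphrase), original)
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes.fromhex(SAMPLE_KEY_HEX)
    blob = encrypt_key(key, "correct horse battery staple")   # constructed passphrase
    print("restorable:", backup_is_restorable(blob, "correct horse battery staple", key))
    print("wrong passphrase restorable:", backup_is_restorable(blob, "oops", key))
```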

Read the rest here:

http://www.technologyreview.com/news/522411/bitcoins-rise-constrained-by-heists-and-lost-fortunes/


Comment: Cyber Warfare – The Modern Cold War

Ross Parsell of Thales UK discusses why cyber threats to the world’s critical national infrastructure are the modern-day Cold War weaponry, for which governments and militaries are rapidly increasing their defense budgets

By Ross Parsell, Thales UK, December 12, 2013

This year marks the 50th anniversary of the Moscow-Washington nuclear hotline. A remnant of the Cold War, the hotline provided – and still provides – a direct line of communication between the leaders of the US and Russia. Following the Cuban Missile Crisis, the two nations realized how crucial a quick, clear and direct mode of communication between their leaders was.

Eerily, nearly 50 years to the day later, it was announced from the G8 Summit that the nuclear hotline originally set up during the Cold War would serve an additional purpose. Having revised their national security policies to recognize the emerging political-military and criminal threats coming from cyber space, the new hotline will enable the US and Russia to share information on hacking incidents and other cyber-attacks seen in their countries.

This move is a direct reflection of the very real shift in threats we are facing today, and shows that the real ‘ammunition’ to cause damage to the world’s critical national infrastructure is now virtual as opposed to physical. Without doubt, a nuclear attack would cause widespread destruction. Yet the ease and speed at which hackers could potentially take down a power station, for example, is truly sinister – and typically happens with no warning. Cyber-attacks have undoubtedly emerged as one of the most serious national and international security challenges we face in the 21st century, and have become the modern-day Cold War weaponry to which governments and militaries need to react, rapidly.

There are now numerous instances of cyber-attacks causing real damage to the well-being of nation-states. Consider the 2007 cyber attacks on Estonia in which the websites of prominent Estonian organizations such as ministries, the media and banks were suspended or defaced by extended denial-of-service attacks via ping floods and botnets. There were the attacks on US government or private business websites, attributed by the US government to foreign powers under the ‘Titan Rain’ label; or the attacks during the South Ossetia war of 2008 that disabled a number of Georgian, Russian, Ossetian and Azeri websites.

The line between physical and virtual defense has almost completely blurred, and this has been reflected in the past few years with radical changes in the defense industry. It was announced earlier this year that the UK’s Territorial Army (TA) will retrain its reservists to become specialists in cybersecurity. Other reservists would also specialize in chemical-biological warfare and intelligence, demonstrating that the threat of war is no longer just one dimensional. With the advent of cyber espionage and a recent rise in the number of attacks that threaten the security of critical national infrastructure, the need for a holistic approach to security is long overdue, and the TA is taking its share of responsibility for this alongside its traditional physical defense remit.

In addition, and just as importantly, this move will help enormously in positioning public sector cybersecurity as an attractive career prospect for the next generation. The need for cybersecurity experts across the globe far exceeds our pool of qualified personnel, creating a widespread cyber skills shortage. This shortage in turn raises the minimum starting salary package for cyber experts, which presents many challenges for firms, particularly public sector organizations that struggle to compete with the compensation packages offered by the private sector.

This is another example of the UK’s Ministry of Defence (MoD) doing a great job in advertising their cybersecurity positions, giving applicants potentially more rewarding work to do than private sector counterparts. Cyber employees at the MoD really are at the forefront of cyber warfare: protecting the UK from malicious attacks from criminal gangs and other nations.

Countries are taking the threat of cyber warfare much more seriously of late, with some seeking out their nearest allies to strengthen their own cyber defenses. In September this year, Argentine Defence Minister Agustín Rossi and his Brazilian counterpart Celso Amorim issued a joint statement stating that they were to form a cyber-defense alliance against potential cyber-espionage, in response to the NSA PRISM revelations. The countries have agreed that, starting in 2014, Brazil will provide cyber-warfare training to Argentine officers, echoing what the UK’s MoD is doing with the Territorial Army. Rossi said in the statement that the combined efforts will allow Brazil and Argentina to “diminish situations of vulnerability.”

Read the rest here:

http://www.infosecurity-magazine.com/view/36112/comment-cyber-warfare-the-modern-cold-war/?utm_campaign=eNews&utm_source=US17Dec&utm_medium=email


Help Bring Privacy Laws Into The 21st Century

By Brian Krebs, Krebs on Security, December 13, 2013

Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo.

The Center for Democracy & Technology, a policy think-tank based in Washington, D.C., has a concise and informative primer on the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting the ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information. But the Justice Department wanted different treatment for stored electronic communications. (Bear in mind that this was way before anyone was talking about “cloud” storage; indeed CDT notes that electronic storage of digital communications in 1986 was quite expensive, and it wasn’t unusual for email providers to delete messages that were more than a few months old).

CDT explains the bargain that was struck to accommodate the government’s concerns:

“Congress said that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with a subpoena, issued by a prosecutor or FBI agent without the approval of a judge,” CDT wrote. “At the same time, Congress concluded that, while the contents of communications must be highly protected in transit, the ‘transactional data’ associated with communications, such as dialing information showing what numbers you are calling, was less sensitive. ECPA allowed the government to use something less than a warrant to obtain this routing and signaling information.”

Fast-forward to almost 2014, and we find of course that most people store their entire digital lives “in the cloud.” This includes not only email, but calendar data, photos and other sensitive information. Big cloud providers like Google, Microsoft and Yahoo! have given users so much free storage space that hardly anyone has cause to delete their stuff anymore. Not only that, but pretty much everyone is carrying a mobile phone that can be used to track them and paint a fairly detailed account of their daily activities.

But here’s the thing that’s screwy about ECPA: If you’re the kind of person who stores all that information on your laptop, the government can’t get at it without a court-ordered warrant. Leave it in the hands of email, mobile and cloud data providers, however, and it’s relatively easy pickings for investigators.

“There has been an interpretation of the law from the government that says any document stored in the cloud can be accessed with a subpoena, regardless of how old it is,” said Mark Stanley, a communications strategist with CDT. “The government can access emails over 180 days old with just a subpoena. We also know that the [Justice Department] has interpreted the law to say that any emails that are opened — regardless of how old they are — can be accessed without a warrant.”

Just how easy is it to get an administrative subpoena? Mark Rasch, a Bethesda, Md. lawyer and former Justice Department prosecutor, said administrative subpoenas (which don’t need a sign-off from a judge and allow investigators to seek information without any external check) are extremely easy to get and to serve. The problem, he said, is that subpoenas place most of the burden on the recipient of the request.

“When you subpoena a third party, that third party has fundamentally no ability to challenge the request, because they don’t know if the request is relevant to the investigation or not,” Rasch said. “As a result, it’s in the submitter’s best interest to make the request as broad as possible in the hopes that it will turn up something that’s relevant to the investigation.”

Take the hypothetical case of a subpoena that directs a free Webmail provider to turn over all of the Web browsing and email records of a specific customer for an entire year. Is that provider willing or able to pass the costs of complying with that request on to the consumer? In the vast majority of cases, Rasch said, it doesn’t make economic sense for the provider to challenge these subpoenas, so they simply comply.

Updating ECPA would mean that before prosecutors or other lawyers can get this information, they would have to make an argument to a court about what information they’re seeking and how it’s relevant to an investigation, Rasch said.

Read the rest here:

http://krebsonsecurity.com/2013/12/help-bring-privacy-laws-into-21st-century/

News Ripped From the Headlines

November 27, Softpedia – (International) 10 million new malware strains identified so far in 2013, Q3 study shows. Panda Security researchers reported that almost 10 million new malware strains have been identified so far in 2013, with close to 77 percent identified as Trojans, followed by worms, and viruses. Source: http://news.softpedia.com/news/10-Million-New-Malware-Strains-Identified-So-Far-in-2013-Q3-Study-Shows-404043.shtml

November 29, Softpedia – (International) JPEGS leveraged for targeted attacks. Researchers at Trend Micro discovered that some cyberattacks rely on malicious crafted JPEG files to perform updates on themselves or to deploy new threats. The image files contain encrypted data containing configuration files and binaries. Source: http://news.softpedia.com/news/JPEGs-Leveraged-for-Targeted-Attacks-404784.shtml

December 6, The Register – (International) Fiendish CryptoLocker ransomware survives hacktivists’ takedown. Members affiliated with hacktivist group Malware Must Die attempted to disable command and control servers associated with the CryptoLocker ransomware, suspending 138 targeted domains but failing to eliminate the operation. Source: http://www.theregister.co.uk/2013/12/06/cryptolocker_takedown_fizzles/

December 9, Computerworld – (International) Other browser makers follow Google's lead, revoke rogue certificates. Google, Mozilla, Microsoft, and Opera Software revoked rogue digital certificates that were mistakenly issued by the French Network and Information Security Agency (ANSSI) and signed by France's treasury department. Source: http://www.computerworld.com/s/article/9244645/Other_browser_makers_follow_Google_s_lead_revoke_rogue_certificates

December 19, The Register – (International) Macbook webcams CAN spy on you – and you simply CAN’T TELL. Researchers confirmed that the webcams in MacBooks can be used to spy on users without an LED warning light being turned on. The researchers released a proof-of-concept demonstrating how the hardware interlock that normally ties camera and LED activation together can be disabled to allow independent operation of either. Source: http://www.theregister.co.uk/2013/12/19/apple_isight_webcam_led_hack/

December 26, The Register – (International) Joke no more: Comedy virty currency Dogecoin gets real in big Xmas heist. Dogewallet, a wallet service for the Dogecoin virtual currency, reported December 25 that cybercriminals had compromised their systems and redirected all transactions to another address, stealing at least $18,000 worth of the currency. Source: http://www.theregister.co.uk/2013/12/26/dogecoin_christmas_heist/


What It's Like to Be a Tech Geek in Prison

Hopefully, you’ll never need this information!

By Jim Edwards, Slate, December 26, 2013

What happens when tech geeks go to prison? It's probably not a question that gets asked around your office every day. But it can happen. A Microsoft executive was charged with insider trading last week, for instance (although he does not face prison time). Shawn Hogan and Brian Dunning, former eBay affiliate marketers accused of defrauding the auction site of $35 million, face up to 20 years in prison.

There is a long history of nerds who used their talents for criminal means rather than professional ones. On Quora, the question-and-answer site, there is a thread that appears to have been written entirely by tech geeks who have spent time in prison—and it's absolutely fascinating. We've excerpted the highlights here, along with some quotes from other Quora threads that address aspects of prison life that might directly relate to tech professionals. The quotes were posted anonymously except where otherwise stated.

Yes, it will be scary.

This anonymous writer worked in IT consulting before he was sentenced: "It was scary, since I hadn't punched anyone since the seventh grade, and most of the people I might have to fight were 20 years younger than me ... Everywhere you go, you have to be alert. There are so many dangers. You could be in danger if you bump into somebody, if you look at someone wrong, or for no reason at all. I am so much more vigilant of my surroundings, even years later. My ability to read people is greatly improved, because it was so important there."

But you'll also get opportunities.

"Before prison, I liked to play guitar. Inside prison, I got to play in the music program and got pretty good. It was a matter of putting in the time. I also had books sent in so I could study music theory. Before prison, I had six years of junior high and high school Spanish. In prison, I made friends with many people from Spanish-speaking countries and got fluent. I didn't just talk with them; I watched TV with them, studied the Bible in Spanish with them, read novels in Spanish. In those eight years I went from high school Spanish to fluent. I also found a job where I could program computers, creating databases used within the facility for things like tracking sports leagues or scheduling medical appointments. I then had books sent in to study new languages, design patterns, Xtreme and Agile methodologies, and more. I left knowing so much more than when I arrived."

You'll learn something about the way respect works.

"I learned many things from inmates that I never learned in my prior life. I learned that you should go straight to the person you're upset with rather than go to authorities. I learned that giving and keeping your word is the ultimate measurement of character. I learned that loyalty is easy to promise, but few really deliver. Don't be that guy. Prison is really a learning crucible since the reactions are so quick and amplified. If you have annoying habits, you'll find out fast. If you are not respectful to others, you'll hear about it and you may get a 'tune up' to teach you respect."

Yes, they will think older white guys are child molesters.

Mark Conway, former inmate at FMC Devens and now a managing partner at RS Analytics, confirms that the cliché is true: "As my first cellmate used to say about me: 'He kind of strange, but he cool.' He got life for shooting a snitch in the head, and he was the one to greet me when I took that long walk across the floor, and yes there was laughter and snickering.

"The first assumption that other inmates make is that an older white guy is a pedophile, so the first order of business is showing them your paperwork. Even then, they didn't believe me until I got sent to the camp a few weeks later. Then a doctor decided that camp was 'vacation' for me, and I was recalled back inside the fence. So, when I returned from camp, there was my old cellie waiting for me."

But tech geeks have certain advantages that regular inmates do not.

"But geeks have real value in prison because if you can read, write, type, or research (especially legal work), then you can possibly help them. So, it was a good idea to be cool with me because I helped a lot of people with their motions and communications with the courts. And as long as you showed respect for their life on the streets, then you usually got the same respect in return."

It won't exactly be the Algonquin Roundtable.

Mike Aguilar, a tech Web writer, says: "It really sucks when it's magazine delivery day and your copy of PC magazine shows up.

"And then there's the fact that there's very few people to hold an intelligent conversation with: 'So, what are you in for?' 'Meth. There's a cockroach on the floor.' 'Were you selling it?' 'Yes. And using it. Now the cockroach is burrowing into my skin. KILLITKILLIT!' "

Read the rest here:

http://www.slate.com/blogs/business_insider/2013/12/26/what_is_it_like_to_be_a_tech_geek_in_prison.html

Strategic Thinking: IT Planning and Risk in 2014

In 2014, Will Your Security Team be Driving New Value, or Responding to Yesterday’s Threats?

By Gil Zimmermann, Security Week, December 24, 2013

In the 1940s, Peter Drucker wrote that one of the keys to organizational success is to publicly commit to specific, measurable goals. It is as relevant for a high-tech software company today as it was at General Motors in the years following the end of World War II, and I challenge my staff to do so every year as we enter into our annual planning process.

The value in the exercise is in the accountability that it establishes, creating an incentive to stretch a bit further towards outcomes that drive growth and innovation. It is human nature to do what is comfortable, but to quote a somewhat more contemporary management consultant, what got you here won’t get you there. A secondary (but perhaps more important) result of public commitment to specific outcomes is that it fosters a discussion around identity and direction. If strategies and goals fail to mesh with that common vision, they can be quickly identified and set aside, without investing time and effort into activities that do not lead the company towards increased success.

As 2013 wanes, it makes sense to take a few steps back and look at the state of the cloud and how it fits into the plans our customers and friends have been sharing with us. End of year retrospectives are fairly typical -- my company posted one as part of our newsletter to our customers, and I seem to receive a new one in my inbox daily -- but of the ones that discuss cloud strategy, most seem to be saying the same things: the cloud is finally taking off, companies are moving their data into a hybridization of cloud platforms (such as the adoption of both Salesforce and Google Apps), and accelerated growth is to be expected.

While these may be accurate predictions, annual planning sessions offer the unique opportunity to look not only at if cloud technologies will change your business, but to take a page from Drucker, to also ask why and how. In articulating an IT strategy around cloud initiatives, consider some of the largest media stories in 2013, and how shortcomings in traditional technology architecture management resulted in data loss and increased risk: the Evernote password compromise in March, the access and release of thousands of federal employees’ personally identifiable information from the Federal Reserve in August, the massive credit card theft from Target’s stores in December. All played out differently, but there is a theme here: legacy system administration, where the responsibility for platform security falls to internal resources, is problematic at best.

In moving to the cloud, much of this risk can be mitigated. I have written in previous articles about the “halo effect” of cloud adoption, wherein organizations embrace a cloud platform but forget that the responsibility for managing data and account security remains on them. While not entirely true, there is a net benefit in that responsibility for infrastructure security is handled by the platform provider. Moving data from legacy server rooms into modern cloud environments means a reduction in the number of operating system patches, network security devices, and physical security safeguards against exploits that an IT team needs to manage.

Read the rest here:

http://www.securityweek.com/strategic-thinking-it-planning-and-risk-2014

You Should Never, Ever Leave Your Webcam Uncovered When You Aren't Using It

By Tyler Lopez, Slate, December 19, 2013

Is your webcam recording you right now? If that little green light is off, you’d probably think the camera is, too. But think again. Wednesday, the Washington Post highlighted (http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/) an unnerving study published at Johns Hopkins University which found that a laptop webcam can function in relative secrecy—a slightly subtler Eye of Sauron. Matthew Brocker and Stephen Checkoway’s paper, regrettably (though inevitably) titled “iSeeYou: Disabling the MacBook Webcam Indicator LED,” exposes the flaw in many Apple laptops built before 2008. But PC users shouldn’t rejoice—MacBooks are not the only devices at risk.

Webcam-spying—particularly the variant that involves disabling LED indicator lights—takes quite a bit of effort, but the practice isn’t limited to the realm of benevolent academics. The FBI has also publicly acknowledged its ability to employ such techniques when investigating criminal activity: Last year, a federal magistrate rejected the agency’s request to secretly monitor a suspected criminal through his webcam. The Chinese government used a program called Ghostnet—which involved remote access to webcams—to spy directly on the Dalai Lama, though it is not known whether or not they first disabled the indicator light. But it isn’t just governments who are co-opting webcams to do their surveillance work.

Read the rest here:

http://www.slate.com/blogs/future_tense/2013/12/19/webcam_security_never_leave_it_uncovered_if_you_aren_t_using_it.html


Article for the Newsletter? If you would like to submit an article...

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Can you interview one of the “movers and shakers”? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

New Location for the January Luncheon!

January 9 from 11:00 until 1:00, The Retired Enlisted Association, 834 Emory Circle, Colorado Springs

719-596-0927


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

WWW.ISSA-COS.ORG

Chapter Officers:

Dr. Pat Laverty—Chapter President

Dr. George J. Proeller—President Emeritus

Tim Hoffman—Executive Vice President

Cindy Thornburg—Vice President

Melody Wilson—Treasurer

Lora Woodworth—Recorder

Jeff Pettorino—Communications Officer

Derek Issacs—Member at Large

Brian Kirouac—Member at Large


Position Chairs:

Deborah Johnson—Coins

James Stephens—Director of Training

Don Creamer—Newsletter

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

30 Percent of the Internet Is Just a Copy of Itself

By Mario Aguilar, Gizmodo, December 17, 2013

Sometimes it feels like the internet's just the same thing over and over. Google agrees: According to the search giant, 25-30 percent of everything online actually is a duplicate of something else somewhere else online.

On the GoogleWebmasterHelp YouTube channel that you didn't know existed, engineer Matt Cutts turns to the mailbag to answer a frequently asked question regarding how duplicate content affects a site's SEO. It turns out that Google doesn't see dupes—like blockquotes, reblogs, reposted images, etc—as spammy content. Instead, the mysterious Google algorithm groups all of the duplicated content into a single lump and attempts to surface the best of it.

Watch the video here:

http://www.youtube.com/watch?v=mQZY7EmjbMA&feature=player_embedded