
ISSA-COS NEWSLETTER
MARCH 2013, VOLUME 2, NUMBER 3
WWW.ISSA-COS.ORG

The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, section 107, Paragraph a.

The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

Now that Sequestration is here there is a lot of FUD going around. Haven't heard that acronym? It means "Fear, Uncertainty and Doubt." Is it going to cause cutbacks in IA staff within the government sector? How will the furloughs impact security? Will our systems be left wide open to any hacker that comes along?

Take a deep breath. I for one do not believe that it is going to be as bad as many people think. Yes, the Flight Demonstration Team for the Air Force (a.k.a., Thunderbirds) has cancelled its 2013 season. They are an easy target. The important work is still being done.

Of course, TDYs are much more difficult now. If there is any way that a conference or other meetings can be handled in ways other than flying across country, then that is the way they are to be conducted. Maybe this will give teleconferencing a significant boost.

Sadly, in the meantime real people are going to be impacted in real ways. I've had to take a 20% pay cut before, and it is not at all pleasant!

And for those of you in government security, don't forget that you may have a few disgruntled employees due to the furloughs!

I gave a briefing today about some Blue Team testing that we are going to be conducting this Spring, and when I mentioned "disgruntled employees" and "furlough" in the same sentence, there was a bit of nervous laughter in the room.

All we can do is our best, and remember that "This too shall pass."

On another note, have you visited our new website? While there is still work to be done (a lot of innovations are currently being beaten into submission on the test site), I believe our web team is doing a crack job! I hope that you agree.

Don Creamer

INSIDE THIS ISSUE:

What It's Like To Be Hacked By China ... 2
China Weaponizes Cyberspace ... 3
News Ripped From the Headlines ... 4
A taxonomy for the National Cybersecurity Doctrine ... 5
The Threat of Silence ... 6
Meet the Symbiote: The Ironclad, Adaptable Future of Antivirus Protection ... 7
Obama Signs Executive Order on Cybersecurity ... 8
Welcome to the Malware-Industrial Complex ... 9
Targeted Hacking Forces a New Reality on Antivirus Companies ... 10
RSA 2013: As cybersecurity receives more attention ... 11
The Reality of Advanced Threats and ... 12
How HIPAA final rule and meaningful use ... 13
Offense and defense ... 13
Article for the Newsletter? ... 14
Training ... 15
Chapter Meetings ... 15
Pwn Pad—The Way of the Future? ... 16


PAGE 2

What It's Like To Be Hacked By China

It's Hard To Appreciate the Value of Privacy Before Someone Thoroughly Invades It. That's What 'Eric' Did.

By William Gerrity, Zócalo Public Square, February 7, 2013

In 2007 I opened an e-mail from an unknown sender. The message greeted me by a nickname known only to family and close friends. I was in Shanghai, unwinding late at night after a long day, pleased to be contacted by someone familiar from across the Pacific. I figured someone close to me must have gotten a new e-mail address. But the note was signed "Eric." I did not know an Eric.

The message was friendly and chatty, with several attachments, and it contained a proposal: I could pay one million renminbi (about $150,000 at the time), in exchange for which the sender would not forward the attachments to my business partners or competitors. It took me a second—in that out-of-body, as-if-movie-watching state we go to when totally disoriented—to digest what was happening. This was no friendly e-mail from the home front, no business proposition in any traditional sense. This was blackmail, or extortion, or some other noun that I would never associate with my life.

Last week, I read of the infiltration of The New York Times and other media by Chinese hackers, and I can imagine how Times staffers must be feeling. It brought back all too vividly the violation-induced nausea of my own experience with China's hacker army.

At the time, I was the chairman of a company that was building shopping centers in China. The company was a partnership of three entities: a major U.S. bank, a Chinese state-owned enterprise, and my firm. We were building centers in third- and fourth-tier cities. The anchor tenant was a multi-national hypermarket. Nearly all the employees were Chinese. It was an exhilarating adventure for me, but it was of little consequence politically. The enterprise was building Chinese shopping centers in Chinese cities for Chinese consumers.

"The whole process of being hacked and blackmailed was eerily akin to undergoing a diagnostic colonoscopy without any anesthetic, which, relying on dubious medical advice, I've also experienced."

Even so, all of our Internet activity was monitored. There was a small modem-like device attached to the primary server in our computer room. It was not terribly clandestine. We were told that the "government" would be restricting access to international news sites and various Chinese sites.

Our Chinese employees were used to this sort of thing. But for my American colleagues and me, the monitoring was a novelty. Although most international sites were accessible, certain stories on news websites were blacked out. When the power or the Internet would go down, we would promptly get a phone call from China Telecom, our service provider. They were on a friendly, first-name basis with our Shanghainese-speaking IT guy. "What's up?" they'd ask. "Why are you offline?" They feared we would just disconnect the monitoring device, and they wanted to let us know they were paying attention. But I didn't have anything to hide, so I didn't give it much more thought.

I looked at the documents that were attached to the blackmail request. There were operating budgets and business plans. There were confidential memos to the senior management of my financial partner, written at their request, reviewing the progress of their projects. There were memos critical of staff. There were e-mails between my own team and me exchanging casual commentary on people and places, frustrations and triumphs. Perfectly appropriate for private consumption, but not for public consumption. Then there were e-mails from my personal account. Some concerned the troubled life of my recently deceased mother.

Read the rest here:

http://www.zocalopublicsquare.org/2013/02/07/what-its-like-to-be-hacked-by-china/ideas/nexus/


PAGE 3

China Weaponizes Cyberspace

By Arnold Ahlert, FrontPage Magazine, February 21, 2013

A damning, 60-page report (http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) released by American computer security firm Mandiant reveals that a 12-story building on the outskirts of Shanghai is most likely the epicenter of ongoing cyber attacks perpetrated against a number of American corporations and government agencies, as well as entities such as power grids, gas lines and water works. The building, located in a run-down section of the city, is the headquarters of the People's Liberation Army (PLA) Unit 61398. A 2010 report by Mandiant questioned whether the Chinese government was directly involved in such hacking. No longer. "The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them," the report states.

The report further notes that "Mandiant continues to track dozens of APT (Advanced Persistent Threat) groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen."

The units involved in the hacking from APT1 are known as the "Comment Crew" or "Shanghai Group" by those they have victimized in the U.S. And while Mandiant cannot determine with absolute certainty that the attacks are coming from the building itself, they insist that the high volume of hacking attacks originating from such a small area offers no other plausible explanation. "Either they are coming from inside Unit 61398," said Kevin Mandia, CEO and founder of Mandiant, in a recent interview, "or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood."

The base, well-known to those who live in the area, is guarded by men in PLA uniforms. Although there is no sign identifying the building, orders printed in English and Chinese have been posted outside: "Restricted military area. No photographing or filming." According to Mandiant, the army of cyberwarriors operating out of the Shanghai headquarters has "systematically stolen hundreds of terabytes of data from at least 141 organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously." Such thefts include "broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership."

The increase in thefts has apparently forced President Obama's hand. Yesterday, the Associated Press reported that the White House is considering fines and/or other trade penalties as a means of blunting the ongoing cyber espionage, according to officials who spoke on condition of anonymity because they were not authorized to speak publicly about the issue.

U.S. officials also refused to comment directly on Mandiant's report. But they did reveal that cyber-defenses are being strengthened, and that such strengthening is underscored by an executive order aimed at improving them. Also as a result of that order, signed by the president last week, the government will begin sharing with U.S. Internet providers information regarding the unique "digital signatures" of the largest APT groups, including Comment Crew and others, emanating from the vicinity where PLA Unit 61398 is based. Yet due to diplomatic sensitivities, the attacks will not be specifically linked to the Chinese army. Whether the attackers themselves will be publicly named, and accused of stealing, is currently under debate. However, administration officials have revealed China will be notified that the ongoing volume and sophistication of the attacks threatens the "fundamental relationship" between the two nations.

State Department spokeswoman Victoria Nuland and White House Press Secretary Jay Carney confirmed on Monday that a dialogue with the "highest levels" of the Chinese government, including with "officials in the military," has been initiated. "It is a major challenge for us in the national security arena," Carney added.

On Tuesday, White House spokeswoman Caitlin Hayden, who noted that the administration was aware of Mandiant's report, echoed those concerns. The United States "has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information," she said.

Read the rest here:

http://frontpagemag.com/2013/arnold-ahlert/china-weaponizes-cyberspace/


PAGE 4

News Ripped From the Headlines

February 26, ACLU—(International) New Document Sheds Light on Government's Ability to Search iPhones. Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them. Source: http://www.aclu.org/blog/technology-and-liberty-criminal-law-reform-immigrants-rights/new-document-sheds-light

February 13, Help Net Security - (International) Global malicious websites increase by 600%. These attacks were staged predominantly on legitimate sites and challenge traditional approaches to security and trust. The timed, targeted nature of these advanced threats indicates a new breed of sophisticated attacker who is intent on compromising increasingly higher-yield targets. Source: http://www.net-security.org/malware_news.php?id=2411

February 14, Softpedia – (International) Hackers offer phone flooding services that "take care" of competitors' phone lines. Cybercriminals have been seen advertising automated phone flooding services that could be used to disrupt businesses or prevent financial institutions from receiving reports of fraud. Webroot experts have found that cybercriminals are offering "phone ring flooding" services that are advertised as being capable of disrupting the competition's phone lines. The service, which has been in operation for 3 years, is similar to SMS flooding and is advertised as guaranteed to work. It can be used not only to "take care of a competitor's phone line," as it's advertised, but also to launch denial-of-service attacks against the customers of banks and payment processors in an effort to prevent them from learning about fraudulent transactions. Source: http://news.softpedia.com/news/Hackers-Advertise-Phone-Flooding-Services-That-Take-Care-of-Competitor-s-Phone-Lines-329559.shtml

February 22, H Security – (International) Certified online banking trojan in the wild. A researcher at Eset discovered digitally signed banking trojans that pass superficial signature checks and can hand online banking sessions to spyware. The certificates behind the signatures had been issued to two companies that no longer exist. Source: http://www.h-online.com/security/news/item/Certified-online-banking-trojan-in-the-wild-1808898.html

February 21, Softpedia – (International) Huawei welcomes the US's cybersecurity executive order. The U.S. President's cybersecurity executive order was welcomed by Huawei, which is working to clear its reputation for being a threat to national security. The company believes the strategies presented in the order will help prevent security issues and enhance the resiliency of critical infrastructures. Source: http://news.softpedia.com/news/Huawei-Welcomes-the-US-s-Cybersecurity-Executive-Order-331554.shtml

February 26, Computerworld – (National) Six-strikes piracy alert system rolling out in the US. After a string of delays a new anti-piracy system will be implemented in the U.S. that holds Internet service providers accountable for warning and educating users on the dangers of obtaining copyrighted material. Source: http://www.computerworld.com/s/article/9237146/Six_strikes_piracy_alert_system_rolling_out_in_the_US

February 26, Softpedia – (International) Cyber fighters to resume attacks against US banks on March 5. A hacktivist group threatened to resume its attacks on a number of U.S. banks unless all remaining digital copies of a movie it considers offensive to Muslims are removed from the Internet. Source: http://news.softpedia.com/news/al-Qassam-Cyber-Fighters-to-Resume-Attacks-Against-US-Banks-on-March-5-332647.shtml


PAGE 5

A taxonomy for the National Cybersecurity Doctrine

By Doug DePeppe, January 21, 2013, CSO

Dan Lohrmann recently blogged in another forum about a call for a US cybersecurity doctrine (http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Defining-a-National-Doctrine-121612.html). Having written on a related topic and participated in other national framework initiatives before, this piece further expounds upon the question of doctrine. Or, more precisely, the question should be framed as implicating deeper and prerequisite considerations about an emerging field.

Writing a doctrine or a strategy is counter-productive, in my judgment, if the field remains ill-defined.

My launch point is founded upon a belief that this new cyber realm requires its own disciplinary construct. I would be concerned that doctrine -- without a full understanding of the field -- might add further confusion and perhaps need correction. The Monroe Doctrine, for example, did not need updating and correction. But then, the field of international diplomacy and sovereign regional interests was not a new study in the early 1800s. We do not want to be changing our National Cyber Doctrine in five or ten years -- which we have de facto done with the 2003 National Strategy to Secure Cyberspace.

What am I getting at? I believe academia needs to play a significant role in helping us first understand the cyber domain, and to shape its contours and interdisciplinary dimensions.

For example, the dust hasn't really settled on which federal department is in charge of cybersecurity. Until we have defined the domain as either homeland security, defense, intelligence, law enforcement, or even some new model (e.g., a public-private partnership), it would be impossible to set down a doctrine. How, for example, could we assert a Monroe-like doctrine about protecting sovereign cyberspace rights -- implicitly invoking a defense model -- if the responding department to most incidents were law enforcement or homeland security? National policy is not yet firm even on what constitutes an armed attack in cyberspace. If cybersecurity authorities span several departments based on the nature of the incident, that smacks of an ill-defined domain. How can doctrine be written for an ill-defined domain?

Thomas Kuhn's "The Structure of Scientific Revolutions" set out a useful model for understanding the nature and evolution of new beginnings. Kuhn wrote about how outliers, first rejected, eventually become studied and result in recognition of a new field, a new science. Until that disciplinary construct emerges and is addressed as its own unique field, outdated and often inapplicable methods and protocols from the previous field are applied to it.

The Kuhn paradigm again calls to mind the 2003 National Strategy to Secure Cyberspace. Add to that additional attempts at defining the way forward as a nation: The White House 60-day Cyberspace Policy Review, and various other national strategy, military strategy, international strategy, and other top-level strategy and implementation documents in different departments of the Federal Government. We can also look at lexicon shifts: network security, information security, data protection, cyber security, cybersecurity... This uncertain landscape reminds me of my partner's reference to cybersecurity as a "five-year old soccer game, with everyone chasing the ball in a cluster and without a game plan."

The "5-year old soccer game" analogy is useful because the unstructured and elusive chase of the cybersecurity ball is emblematic of Kuhn's observation about the emergence of new disciplines. The revisions of strategy, changes in lexicon, and general lack of structure seemingly bear out Kuhn's model. We remain in an immature state with respect to cybersecurity. Academic study and shaping of a cybersecurity discipline would therefore seem more helpful than a new doctrine.

This call for doctrine seemingly aligns with the President's pending executive order. The released draft cybersecurity executive order places responsibility in NIST for creating a "Cybersecurity Framework", which will include more than standards and protocols. NIST will develop a framework including methodologies and procedures as well, in essence an inventory and study of the cybersecurity field in establishing a baseline framework for the Nation. The only piece missing, in my judgment, is a role for academia to study the domain, and all its intersections with society. That is, approaching cybersecurity as an All of Society problem during a period of transition, rather than primarily a technology integration challenge.

Another reason for academic study is the above phrase "period of transition". Law often plays a prominent role in rebalancing societal interests during periods of change. I submit that law must play a principal role in development of the disciplinary construct and in the field itself. It is widely understood already that law has this role in the cyber field. However, I point to a much more core role.

Read the rest here:

http://www.csoonline.com/article/727099/a-taxonomy-for-the-national-cybersecurity-doctrine

Hat tip to Stephen Long for sending this article.


PAGE 6

The Threat of Silence

Meet the groundbreaking new encryption app set to revolutionize privacy and freak out the feds.

By Ryan Gallagher, Slate, Feb 4, 2013

For the past few months, some of the world's leading cryptographers have been keeping a closely guarded secret about a pioneering new invention. Today, they've decided it's time to tell all.

Back in October, the startup tech firm Silent Circle ruffled governments' feathers with a "surveillance-proof" smartphone app to allow people to make secure phone calls and send texts easily. Now, the company is pushing things even further—with a groundbreaking encrypted data transfer app that will enable people to send files securely from a smartphone or tablet at the touch of a button. (For now, it's just being released for iPhones and iPads, though Android versions should come soon.) That means photographs, videos, spreadsheets, you name it—sent scrambled from one person to another in a matter of seconds.

"This has never been done before," boasts Mike Janke, Silent Circle's CEO. "It's going to revolutionize the ease of privacy and security."

True, he's a businessman with a product to sell—but I think he is right.

The technology uses a sophisticated peer-to-peer encryption technique that allows users to send encrypted files of up to 60 megabytes through a "Silent Text" app. The sender of the file can set it on a timer so that it will automatically "burn"—deleting it from both devices after a set period of, say, seven minutes. Until now, sending encrypted documents has been frustratingly difficult for anyone who isn't a sophisticated technology user, requiring knowledge of how to use and install various kinds of specialist software. What Silent Circle has done is to remove these hurdles, essentially democratizing encryption. It's a game-changer that will almost certainly make life easier and safer for journalists, dissidents, diplomats, and companies trying to evade state surveillance or corporate espionage. Governments pushing for more snooping powers, however, will not be pleased.

By design, Silent Circle's server infrastructure stores minimal information about its users. The company, which is headquartered in Washington, D.C., doesn't retain metadata (such as times and dates calls are made using Silent Circle), and IP server logs showing who is visiting the Silent Circle website are currently held for only seven days. The same privacy-by-design approach will be adopted to protect the security of users' encrypted files. When a user sends a picture or document, it will be encrypted, digitally "shredded" into thousands of pieces, and temporarily stored in a "Secure Cloud Broker" until it is transmitted to the recipient. Silent Circle, which charges $20 a month for its service, has no way of accessing the encrypted files because the "key" to open them is held on the users' devices and then deleted after it has been used to open the files. Janke has also committed to making the source code of the new technology available publicly "as fast as we can," which means its security can be independently audited by researchers.

The cryptographers behind this innovation may be the only ones who could have pulled it off. The team includes Phil Zimmermann, the creator of PGP encryption, which is still considered the standard for email security; Jon Callas, the man behind Apple's whole-disk encryption, which is used to secure hard drives in Macs across the world; and Vincent Moscaritolo, a top cryptographic engineer who previously worked on PGP and for Apple. Together, their combined skills and expertise are setting new standards—with the results already being put to good use.

According to Janke, a handful of human rights reporters in Afghanistan, Jordan, and South Sudan have tried Silent Text's data transfer capability out, using it to send photos, voice recordings, videos, and PDFs securely. It's come in handy, he claims: A few weeks ago, it was used in South Sudan to transmit a video of brutality that took place at a vehicle checkpoint. Once the recording was made, it was sent encrypted to Europe using Silent Text, and within a few minutes, it was burned off of the sender's device. Even if authorities had arrested and searched the person who transmitted it, they would never have found the footage on the phone. Meanwhile, the film, which included location data showing exactly where it was taken, was already in safe hands thousands of miles away—without having been intercepted along the way—where it can eventually be used to build a case documenting human rights abuses.

Read the rest here:

http://www.slate.com/articles/technology/future_tense/2013/02/silent_circle_s_latest_app_democratizes_encryption_governments_won_t_be.single.html

(Photo: Silent Circle CEO Mike Janke)


P A G E 7 V O L U M E 2 , N U M B E R 3

By Lily Newman, 26 February 2013, GIZMODO

Ang Cui has a lot of power. With enough time he can take control of pretty much any networked device. He could watch you through your iSight or track the Netflix on your smart TV. But he has big-ger fish to fry, so your Catfish marathons are safe for now. From him, at least.

A Columbia PhD student in computer science, Cui has been working for the last five years on developing offensive attacks and defensive solutions for vulnerabilities in embedded devices. This Thursday his company, Red Balloon Security—cofounded by Cui's advi-sor Sal Stolfo—will present proof that its security software, the "symbiote," can protect a standard IP office phone from malicious attacks. And this IP phone demo is just the begin-ning.

Eventually, the symbiote could protect virtually any connected device you can think of.

"Really [IP phones] are just computers too, and they're running these super secret proprietary operating systems that very few people have actually seen, and very few peo-ple have actually tested the security of," Cui told us in a re-cent interview. "And you know, the work that we've been doing in the lab is to show that those things are just as inse-cure as the general purpose computers you have, and once you exploit those things there are definitely advantages to that over just getting root access to a server somewhere, which is what everybody in security largely has been fo-cused on for the last forever."

The symbiote is a tiny piece of code, about 200 bytes, that is injected into an IP phone's kernel (the thing that bridges applications and hardware-level data processing) without impacting computing speed or device functionality. And the symbiote is operating-system agnostic, meaning it can run on and monitor any device without being tailored to a specific OS. When it is injected, the symbiote uses Cui's firmware evaluation tool, Firmware Reverse Analysis Kon-sole (FRAK) to unpack the device's firmware, replace its signing key (a basic security feature) and repack. Then it runs in the background, and randomly samples executed code at regular intervals to ensure that nothing unusual is going on.

Without knowing detailed specifics about an OS, the symbiote can still establish a baseline for normal behavior in a device using functions that are shared among different types of firmware and can reasonably be expected to be

Meet the Symbiote: The Ironclad, Adaptable

Future of Antivirus Protection

present. In Cui's demonstration, two IP phones sit side by side. One is running the symbiote and the other isn't. When

Cui launches an attack, the unguarded phone is easily exploited, but the symbiote on the other phone detects the intrusion and alerts Cui by calling his cell phone. When he answers, an automated message says , "Hel l o neighbor. My IP phone has been pon3d."

The goal of Red Balloon Secu-rity is to offer the symbiote as a security solution for all em-bedded devices. If an IP

phone can be hacked, so can any other internet-enabled device, but because the symbiote is OS agnostic it can easily translate to any device—even a rice cooker—and be incorporated seamlessly. Multiple symbiotes running on the same network could even monitor each other as an addi-tional way of checking for unusual activity on any one de-vice.
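The "randomly samples executed code at regular intervals" check the article describes, as an added example that is not Red Balloon's symbiote code: a small C integrity monitor that hashes every slice of a protected code region into a baseline at injection time, then on each tick re-hashes a few randomly chosen slices and reports the first one that no longer matches. The 1 KB "firmware" image is a constructed byte pattern, and the 64-byte slice size, the FNV-1a hash and the xorshift sampler are assumptions made for illustration.

```c
/* Added example, not Red Balloon Security's symbiote: a minimal firmware
 * code-region integrity monitor. At init it hashes every CHUNK-byte slice of
 * the protected region into a baseline; each tick it re-hashes a few randomly
 * chosen slices and reports the first one whose hash no longer matches.
 * The "firmware" image below is a constructed byte pattern, not a real image. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK       64          /* bytes hashed per slice (assumption) */
#define MAX_CHUNKS  256
#define FW_LEN      1024        /* size of the constructed sample image */

typedef struct {
    const uint8_t *base;        /* start of the protected code region */
    size_t len;
    size_t nchunks;
    uint64_t baseline[MAX_CHUNKS];
    uint32_t rng;               /* xorshift32 state used to pick slices */
} monitor_t;

/* FNV-1a is used for brevity; a deployed monitor would use a keyed hash. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static size_t chunk_len(const monitor_t *m, size_t idx) {
    size_t off = idx * CHUNK;
    return (m->len - off < CHUNK) ? m->len - off : CHUNK;
}

/* Record the baseline. Returns 0 on success, -1 if the region is empty or too large. */
int monitor_init(monitor_t *m, const uint8_t *base, size_t len, uint32_t seed) {
    size_t n = (len + CHUNK - 1) / CHUNK;
    if (n == 0 || n > MAX_CHUNKS) return -1;
    m->base = base; m->len = len; m->nchunks = n;
    m->rng = seed ? seed : 0x9E3779B9u;   /* xorshift must not start at 0 */
    for (size_t i = 0; i < n; i++)
        m->baseline[i] = fnv1a(base + i * CHUNK, chunk_len(m, i));
    return 0;
}

/* Sample k random slices; return the index of the first modified slice, or -1. */
int monitor_tick(monitor_t *m, size_t k) {
    for (size_t i = 0; i < k; i++) {
        size_t idx = xorshift32(&m->rng) % m->nchunks;
        if (fnv1a(m->base + idx * CHUNK, chunk_len(m, idx)) != m->baseline[idx])
            return (int)idx;
    }
    return -1;
}

/* Exhaustive check of every slice; same return convention as monitor_tick. */
int monitor_full(const monitor_t *m) {
    for (size_t idx = 0; idx < m->nchunks; idx++)
        if (fnv1a(m->base + idx * CHUNK, chunk_len(m, idx)) != m->baseline[idx])
            return (int)idx;
    return -1;
}

static uint8_t g_fw[FW_LEN];

/* Constructed stand-in for a device's code region (deterministic pattern). */
uint8_t *sample_firmware(void) {
    for (size_t i = 0; i < FW_LEN; i++) g_fw[i] = (uint8_t)(i * 7 + 3);
    return g_fw;
}

/* Scenario: baseline a clean image, patch one byte in slice 5 (as an implant
 * would), then tick until the sampler lands on it. Returns the number of ticks
 * needed, or -1 if the clean image failed or the patch went unnoticed. */
int demo_detect(size_t samples_per_tick, int max_ticks) {
    monitor_t m;
    uint8_t *fw = sample_firmware();
    if (monitor_init(&m, fw, FW_LEN, 12345u) != 0) return -1;
    if (monitor_tick(&m, samples_per_tick) != -1) return -1; /* clean image must pass */
    fw[5 * CHUNK + 10] ^= 0x01;                    /* single-byte patch in slice 5 */
    for (int t = 1; t <= max_ticks; t++)
        if (monitor_tick(&m, samples_per_tick) == 5) return t;
    return -1;
}

int main(void) {
    int t = demo_detect(4, 1000);
    if (t < 0) printf("tamper not detected\n");
    else printf("tamper in slice 5 detected after %d tick(s)\n", t);
    return 0;
}
```

Random sampling trades detection latency for a bounded per-tick cost: with 16 slices and four samples per tick, a one-byte patch is expected to be caught within a few ticks, while a full sweep every tick would cost sixteen hashes. The check only sees what it hashes, so an implant that lives in data or in unmonitored memory, or that restores the original bytes between ticks, is outside its reach, and the baseline and the monitor's own code have to be kept out of reach of the code being watched for the result to mean anything.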

Cui and Stolfo have increasingly gained widespread recognition for their research, a body of work that consists of intensely creepy but nonetheless badass hacks. In 2011 they demonstrated a flaw in HP printer firmware that was the perfect entryway for an attack. If a hacker could get someone to print a malware-tainted document, like a resume, from any targeted HP printer, she could take over the whole thing and instruct the printer to send her copies of whatever it was printing, or provide her with access to the network server.

Shortly after Cui exposed the vulnerability, HP released a patch. "We found 201 HP LaserJet printers in the DOD's network that were vulnerable to my attack like five months after the patch was out. We found two in HP [headquarters]" just through publicly available IP addresses.

For his next hack in 2012, Cui found the IP phone vulnerability in Cisco office phones that the symbiote now secures. He demonstrates the attack on a standard-issue Columbia University phone sitting on his desk, though he emphasizes that Cisco is not the only company producing vulnerable devices. "On the phone, there's just no indication that anything strange is going on. And it just continuously forwards all the data to my computer where I can record the sound or do whatever. It's just a computer put into a plastic shell that looks like a telephone."

Read the rest here:

http://gizmodo.com/5986960/meet-the-symbiote-the-ironclad-adaptable-future-of-antivirus-protection

Page 8

Obama Signs Executive Order on Cybersecurity

By AFP on February 12, 2013

WASHINGTON - Warning that cyberattacks pose a danger to US security, President Barack Obama signed an executive order on Tuesday designed to better protect critical infrastructure from computer hackers.

Obama, in his annual State of the Union speech to a joint session of the US Congress, said the United States is facing a "rapidly growing threat from cyberattacks."

"We know hackers steal people's identities and infiltrate private email," he said. "We know foreign countries and companies swipe our corporate secrets.

"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," Obama added.

"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

Obama said his executive order would "strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy."

The president also urged Congress to pass legislation "to give our government a greater capacity to secure our networks and deter attacks."

The executive order (http://www.securityweek.com/downloads/reports/Obama-Cybersecurity-executive-order.pdf) calls for voluntary reporting of threats to US infrastructure, such as power grids, pipelines and water systems.

The directive, which follows two failed attempts in Congress to pass cybersecurity legislation, allows the government to lead an information-sharing network but stops short of making mandatory the reporting of cyber threats.

A senior administration official said the order does not preclude the need for legislation but gets a cybersecurity program started that can encourage sharing information that may be confidential or classified.

The order allows for "sharing of classified information in a way that protects that classified information but enables the broader use of it to protect our critical infrastructure," the official said.

Read the rest here:

http://www.securityweek.com/obama-signs-executive-order-cybersecurity

DFI News, February 13, 2013

White House officials are revealing details of President Barack Obama's initial plans for protecting the computer networks of crucial American industries from cyberattacks.

Their description of Obama's executive order was planned for Wednesday, a day after the president signed it. The announcement was also coming hours after the president urged Congress in his annual State of the Union address to pass legislation taking even tougher steps.

In his speech, Obama said America's enemies are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

He added, "Now, Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks."

On Tuesday, senior administration officials said Obama's order starts the development of voluntary standards to protect the computer systems that run critical sectors of the economy like the banking, power and transportation industries. It also directs U.S. defense and intelligence agencies to share classified threat data with those companies.

Obama's executive order has been months in the making and is the product of often-difficult negotiations with private sector companies that oppose any increased government regulation.

While largely symbolic, the plan leaves several practical questions unanswered:

Should a business be required to tell the government if it's been hacked and U.S. interests are at stake?

Can a person sue her bank or water treatment facility if those companies don't take reasonable steps to protect her?

If a private company's systems are breached, should the government swoop in to stop the attacks — and pick up the tab?

Read the rest here:

http://www.dfinews.com/news/white-house-reveals-obamas-cybersecurity-plan?et_cid=3089236&et_rid=454841830&linkid=http%3a%2f%2fwww.dfinews.com%2fnews%2fwhite-house-reveals-obamas-cybersecurity-plan

Page 9

Welcome to the Malware-Industrial Complex

By Tom Simonite, MIT Technology Review, February 13, 2013

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven't been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a "zero-day" vulnerability because the software makers have had no time to develop a fix, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran's nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet's many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it's involved even more complex techniques (see "The Antivirus Era Is Over," http://www.technologyreview.com/news/428166/the-antivirus-era-is-over/). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

Read the rest here:

http://www.technologyreview.com/news/507971/welcome-to-the-malware-industrial-complex/

Page 10

Targeted Hacking Forces a New Reality on Antivirus Companies

By Jessica Leber, MIT Technology Review, February 14, 2013

When the New York Times revealed this month that hackers had recently breached its networks, what turned the heads of security experts wasn't that the attacks had occurred. It was a top antivirus company's unusually candid admission about the limits of its own technology.

Symantec was put on the defensive because its software only once detected and quarantined any of the 45 pieces of custom malware the hackers had used to target the New York Times and ferret out certain reporters' e-mails, a heist the newspaper itself reported in a news article. According to a Times spokeswoman, the paper did have the latest antivirus software on all computers on its network; but to guard against so-called advanced persistent threats, "antivirus software alone is not enough," read Symantec's statement.

That its core product was essentially useless against the attack—allegedly sponsored by the Chinese government—came as no surprise to those in the know. But the blunt admission points to a rapidly changing computer security landscape and a growing threat to Symantec's $6.7-billion-a-year business. A recent study by Imperva, a California data security startup, found that antivirus products from top vendors detected less than 5 percent of more than 80 new viruses tested.

As attacks become more targeted and customized (see "The Antivirus Era Is Over," http://www.technologyreview.com/news/428166/the-antivirus-era-is-over/), startups are positioning themselves as alternatives to conventional antivirus vendors. Some are advocating that security managers, especially those on a budget, use free or low-budget antivirus software to catch simple, common viruses, and invest in specialized services to better protect key assets.

Ashar Aziz, chief information officer of one startup selling technology to ward off a "new breed of cyberattacks," argues that the faulty assumption that antivirus software is effective against today's cyber threats has created "a wide and gaping hole" in every security architecture that exists. "I have yet to go into an organization and find that they are completely clean. It has never happened," Aziz says.

Rather than using a blacklist to block known threats—the conventional method employed by antivirus software—FireEye works by assuming everything is suspect and testing programs in a safe "sandbox" before allowing them to run on a machine. In November, the CEO of the major security vendor McAfee left to join FireEye, which claims that nearly 30 percent of Fortune 500 companies are its customers and has raised more than $100 million in venture capital funds.

FireEye is far from the only startup gaining traction as malware becomes more targeted and as the latest methods of the most sophisticated hackers become more quickly democratized and disseminated.

And while the established industry is clearly aware of the shortcomings of its long-held defensive approaches, it may have been slow to adopt new methods. Imperva's director of security strategy, Rob Rachwald, believes the industry has expended less effort on staying on the cutting edge of protection, and more on developing "nice whiz-bang dashboards" to impress customers. Aziz, who now works side by side with McAfee's former CEO, says the large vendors are now racing to catch up to where FireEye began in 2004.

From the perspective of Liam O'Murchu, Symantec's manager of security response operations, these views that his company's products aren't keeping up are already outdated.

The California-based business now sells advanced detection methods and includes some in its standard antivirus programs. These include programs that score links sent via e-mail or IM and applications based on the reputation of their source, scan for suspicious patterns of behavior, and look to predict the behavior of a file itself. In development, says O'Murchu, are technologies designed specifically to protect against so-called "zero-day" attacks, so named because software makers aren't yet aware of them and thus have had no time to react. These are the kind of attacks that well-funded criminal organizations or governments are most likely to use (see "Welcome to the Malware-Industrial Complex").

The way companies approach security will likely change, as will the services they buy, says Nicolas Christin, a security researcher at Carnegie Mellon University, though he also notes that some alternative approaches may be less effective than many security sellers make them seem. For example, he says, even a behavioral detection engine still requires some definition of what “bad behavior” looks like, and that might not always be obvious.

Read the rest here:

http://www.technologyreview.com/news/510826/targeted-hacking-forces-a-new-reality-on-antivirus-companies/

Page 11

RSA 2013: As cybersecurity receives more attention, DHS becomes a critical player

InfoSecurity Magazine, 26 February 2013

With media coverage of cyber attacks proliferating, and public sector policy shops giving security increasing attention, the US Department of Homeland Security finds itself at the front lines of securing the nation's digital assets.

That was the message imparted today by Mark Weatherford, DHS' Deputy Undersecretary of Cybersecurity, during his keynote address to the Cloud Security Alliance (CSA) Summit in San Francisco. Weatherford heads the DHS' Cybersecurity Communications Directorate, which is tasked with securing civilian public sector networks at the federal level, in addition to consulting with critical infrastructure companies, and coordinating responses to cyber attacks of national importance.

Weatherford was delighted that President Obama dedicated two paragraphs of his recent State of the Union address to the topic of cybersecurity, during which the nation's chief executive highlighted an executive order he signed earlier in the day that would require increased information sharing about threats between the public and private sectors. The executive order also included development of a Cybersecurity Framework that will "incorporate voluntary consensus standards and industry best practices to the fullest extent possible... to help owners and operators of critical infrastructure identify, assess, and manage cyber risk", Obama noted during his Feb. 12 address to the nation.

The order does not require industry to adopt the framework, but includes measures to encourage its adoption. As a result, a DHS-compiled list of 'critical infrastructure at greatest risk' has been developed, and the only way for an owner of critical infrastructure to get off this list is to comply with the framework.

One of the deputy undersecretary's objectives is to make DHS "the cyber 9-1-1 for the nation" – the place organizations call first when they fear a suspected cyber intrusion. Weatherford added: "We want to be that first phone call, and if we can't deal with it, we will get you to the right people".

The DHS is becoming the "centerpiece" of cybersecurity information sharing between the private and public sector in the US, Weatherford told the audience, and its role as a central clearinghouse for threat information is critical to the nation's security and economic competitiveness.

"While I do believe we are getting better at security and developing defensive technologies to combat cyber crime, the bad guys are getting better, faster than we are getting better", he noted, speaking to a room full of information security professionals. It's an arms race of sorts, Weatherford continued, congratulating the assembled audience for its efforts, but acknowledging "as we get better, they get better".

One of the areas of security that lacks fundamental innovation, according to Weatherford, is authentication, where simple IDs and user passwords remain the standard. Another area was continued reliance on regular software patches.

"We need better innovation to solve [security] problems", he opined. "We are at the beginning at the next great evolution of technology that will make the past obsolete. I think the cloud, and our ability to take advantage of big data, is changing the development of products and services…and how the government purchases those services".

Jim Howie, COO of the CSA, agreed with the assessment, with one small addition: "We have always struggled to understand what consumers want", he told Infosecurity in an interview. "Building environments to process the data we collect but don't always use has been extremely expensive. But cloud computing offerings have made it possible to use this data effectively at a more reasonable cost." He warned, however: "But you must keep privacy and security in mind" when employing all of this data for security intelligence or other business purposes.

In closing his comments to the CSA Summit, Weatherford highlighted what he considers one of the most fundamental obstacles to a more secure cyberspace.

"We don't have enough people in the pipeline to protect our private sector organizations, critical infrastructure, or the nation", he lamented. "Cultivating the next generation of security professionals is critical to our economic viability and the future of our country".

Read the rest here:

http://www.infosecurity-magazine.com/view/30907/rsa-2013-as-cybersecurity-receives-more-attention-dhs-becomes-a-critical-player/

Page 12

The Reality of Advanced Threats and the Technology Needed to Fight Them

By John Vecchi on February 19, 2013, Security Week

So far this year, the Washington Post, Wall Street Journal, New York Times and Bloomberg News joined the ranks of U.S. defense contractors, leading Internet and energy companies penetrated by hackers using advanced threats and targeted attacks.

For years we’ve built strong perimeters and complex firewall rules to keep the enemy out—deploying more and more security point-products along the way in an effort to stay ahead of the threat. Now, attackers simply slice through these ‘robust fortresses’ with a well-aimed phishing attack or advanced Web browser exploit. And, once they are in our network, they stay in.

Advanced Persistent Threats (APTs) are advanced because they get in – 72% of them compromise their target in seconds or minutes. And APTs are persistent because they stick around for a long time – 72% of them take weeks, months or years to discover. In this series of articles, I will focus on advanced threats and targeted attacks and the emerging security tools needed to find and defeat them.

Solving the problem of today's advanced threat landscape requires knowing our attackers and what we must protect. However, our networks are rapidly evolving. So are the devices and users that are on them. Not all are welcome. In enterprises and organizations all over the world, we have multiple hostile parties on our networks. Let's take a look at the most prominent among them:

1. 'Opportunistic infections' of botnets and malware, without specific targeting by hackers

Opportunistic malware is the kind of untargeted malware that infects users every day when surfing the Internet. It's often comprised of classic botnets used for sending spam email or clickjacking. The objective of opportunistic malware is often to expand the number of bots – as opposed to harvesting the value of the infected endpoints. The DNSChanger botnet, for example, enabled clickjacking and infected over four million devices until it was deactivated in 2012. Just weeks ago, Microsoft Corp and Symantec Corp – along with the U.S. Marshals Service – helped disrupt the Bamital botnet, a global cybercrime operation that hijacked nearly a million PCs for use in 'click fraud' schemes. Today, these opportunistic infections are being replaced by more advanced threats.

2. Targeted malware placed by cybercriminals focused on stealing information and money

Like other hostile parties, cybercriminals continue to evolve in sophistication. Today, criminal organizations are modifying Nation State malware for their own use. With the spread of sophisticated malware such as Stuxnet and Red October, they have ultimately fallen into criminal hands. Unfortunately, cybercriminals have been heavily focused on reverse engineering and emulating these advanced threats. Those involved in corporate espionage have already learned to harness the document-stealing abilities of the Zeus banking Trojan to carry out their goals surreptitiously and effectively. As of today, Zeus has stolen hundreds of millions of dollars from bank customers globally. And, bank Trojan kits are now easily converted into corporate theft malware.

3. Hacktivists looking for secrets that can be leveraged to publicly damage an organization or enterprise

Two years ago the world was rocked by the onslaught of Anonymous and LulzSec, and by the discovery of remote access tools (RATs) on secure networks. The compromise of RSA's SecurID that enabled the fruition of APTs throughout the federal military complex meant one thing for sure: things were changing, and they were changing fast. And, with the evisceration of HBGary Federal by Anonymous, the world was able to get a sense of the advanced skill-set acquired by certain hacktivist groups. In recent months, the hacktivist group behind Operation Ababil has used sophisticated DDoS attacks to effectively knock all the U.S. major banks offline. And, last week's Federal Reserve breach by Anonymous – likely the result of an SQL injection – once again proved that hacktivists are powerful enemies to those they target.

4. Unauthorized and unmanaged BYODs (bring your own device), which can provide encrypted backdoors into the network

From within one's own firewall, large BYOD initiatives have brought thousands of consumer-level devices onto our networks. Many devices are compliant with policy, while others are acting in excess of authority. Protected information is leaving our networks this very second – often through covert encrypted tunnels.

What used to protect us has stopped working (and perhaps it did a long time ago). Prevention of security breaches and data loss from enemies without and within is no longer realistic.

Read the rest here:

http://www.securityweek.com/reality-advanced-threats-and-technology-needed-fight-them

Page 13

How HIPAA final rule and meaningful use could drive data security

By Mary Mosquera, January 21, 2013, GovernmentHealthIT

The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule now becomes the new baseline for anyone who handles health information.

It doesn’t change meaningful use requirements, but combined, the two may drive more providers to protect pa-tient data, according to privacy and security experts.

The clear and comprehensive view of privacy, security and enforcement that comprise the final rule now was missing at the dawn of the meaningful use program as physicians and hospitals began to adopt electronic health records (EHRs).

To make up for that, some privacy and security experts were inclined to think that the meaningful use rule should include additional protections, according to Deven McGraw, director of health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee.

"Meaningful use is meant to incentivize behavior above an expected baseline. The privacy rule should be the baseline, and not a set of additional hoops that only people who are getting federal incentive dollars should have to jump through," she said.

Meaningful use became a vehicle that had the potential to do more because there wasn't clarity in the privacy rule for everybody, McGraw said. On the other hand, getting providers to implement EHRs in a meaningful way is a voluntary program.

"There is a lot that we are asking of people for meaningful use. To sort of load up additional privacy and security regulations on that is problematic for a lot of reasons. For one, it would only reach a certain population, and it might tip the scale for providers not to participate. The reality is that the privacy rule should be required of everyone," she said.

In meaningful use stage 2, providers have two security requirements: Perform a security risk assessment and attest to that and explicitly address encryption, said Lisa Gallagher, director of privacy and security for HIMSS.

"Those things are not affected by any changes in HIPAA. The security rule remains structurally the same. It's risk-based," she said.

To protect consumers in an era of growing exchange of health information, the final rule is by and large what was in the draft rule, including patient rights to access their own data, but "it's definitely moving in that direction," Gallagher said.

Read the rest here:

http://www.govhealthit.com/news/hipaa-final-rule-plus-meaningful-use-may-drive-data-security

By David Perera, February 25, 2013, FierceGovernmentIT

The differences between offensive and defensive op-erations in cyberspace are uncertain to the point of not al-ways being clearly separable, said Maj. Gen. Brett Williams, director of operations at Cyber Command.

"People that operate in this space know that you can't do those in isolation," Williams told an industry audience dur-ing a Feb. 22 AFCEA DC cybersecurity conference held in Washington, D.C. "You can't clearly define what is defense and what is offense."

He drew on a medieval battle analogy, saying that "catching arrows is not all that much fun. At some point, it's preferable to go kill the archer."

As a result, a previous policy emphasis on "deconfliction" is no longer tenable, Williams said. There are rules for DoD cyberspace operations, Williams said, stating that the Defense Department doesn't operate "like a hacker in his basement" and must consider the wide variety of secondary effects made possible by the interconnectedness of military and civilian online infrastructure.

The DoD doesn't do "everything we possibly could" in cyberspace, he added.

But although differences exist between cyberspace and other warfare domains such as land, sea or air, "there's no such thing as cyber conflict, there is only conflict, and in cyber lies just another medium in which to exercise the elements of national power," Williams said.

Cyber Command is undergoing a reorganization to align its force structure to particular missions, Williams said. Combatant commanders should be able to ask for cyber units in type and number such as in the way they can ask for Army Stryker brigades.

The command is in need of a mission planning and executing system the equivalent of the Theater Battle Management Core Systems that Air Force generals use to coordinate and link individual tactical missions to strategy, Williams said.

The Defense Advanced Research Projects Agency has a broad agency announcement for such a thing under the name of Plan X, he noted.

See General Williams’s speech here:

http://www.c-span.org/Events/AFCEA-DC-Holds-Cybersecurity-Conference/10737438295-4/

Offense and defense not clearly separable in cyberspace, says Cybercom general


Article for the Newsletter? If you would like to submit an article...

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Can you interview one of the “movers and shakers”? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at:

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!


Date    Time            Location
Mar 14  5:30 to 7:30    Bambino's Italian Eatery and Sports Bar, 2849 East Platte Avenue, Colorado Springs, (719) 630-8121
Apr 11  11:00 to 1:00   Bambino's
May 9   5:30 to 7:30    Bambino's
Jun 13  11:00 to 1:00   Bambino's
Jul 11  5:30 to 7:30    Bambino's
Aug 8   11:00 to 1:00   Bambino's
Sep 12  5:30 to 7:30    Bambino's
Oct 10  11:00 to 1:00   Bambino's
Nov 14  5:30 to 7:30    Bambino's
Dec 6   11:00 to 1:00   Carrabba’s North

Volume 2, Number 3

40-Hour CISSP Examination Preparation Seminar

Colorado Technical University (CTU) Room 100, 4435 N. Chestnut St., Colorado Springs, CO

Mar 23 // Apr 6 & 20 // May 4 & 18 2013

Check in between 8:00 AM and 8:15 AM on Mar 23

Class starts on the dates provided and runs from 8:15 AM to 4:45 PM each day (with a 30-minute lunch)

Cost:

Non-ISSA and Trial Members - $500

Current ISSA Members (not ISSA-COS) - $210

Current CTU CSS 200 students - $175

Current ISSA-COS members - $125

Current ISSA-COS members who are also current CSS 200 students - $100

ISSA members who have already taken the class but would like to attend as a refresher, please contact Dave Malone for tuition rates.

To register for class, provide your name, contact info, ISSA member number and student status to Dave Malone at: [email protected]. Questions? Please call Dave at: 719 660 6310.

Training


The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

www.issa-cos.org

Chapter Officers:

Mark Spencer—Chapter President

Dr. George J. Proeller—President Emeritus

Tim Hoffman—Executive Vice President

David Willson—Vice President

Melody Wilson—Treasurer

Royal Harrell—Communications Officer

Lora Woodworth—Recorder

Jeff Pettorino—Member at Large

Brian Kirouac—Member at Large

———————————-

Position Chair:

Deborah Johnson—Coins

James Stephens—Director of Training

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Pwn Pad—The Way of the Future?

Tablets are great for slouching on the sofa and checking your Facebook, but they can also be super sleek hack-machines. Take the new Pwnie Express Pwn Pad as an example; it's a fully-loaded hacker suite designed to puncture any network.

Built from a Nexus 7, the Pwn Pad obviously makes use of Google Android OS, but also has Ubuntu 12.04 tucked away inside to handle some of the more complex software built in. And that's not the only addition to the tablet's arsenal either; it also comes with a TP-Link wireless adapter to support packet injection at a far higher range than the Nexus 7's meager little wireless chip could do on its own.

Positioned as a tool for a serious security professional—a tool that could go so far as to replace a laptop in the field—the Pwn Pad doesn't come cheap. You can expect to pay a cool $795 for one when they ship in early April. And, even with that price tag, Pwn Pads don't really offer any functionality or software that a standard penetration-testing laptop doesn't already have, but damned if it isn't slick as hell. This is definitely a professional device. For awesome professionals.

http://pwnieexpress.com/collections/pwn-pad/products/pwnpad