
ISSA-COS NEWS, December 2012, Volume 1, Number 10 (WWW.ISSA-COS.ORG)

The ISSA Colorado Springs Newsletter incorporates open source news articles as a training method to educate readers on security matters in compliance with USC Title 17, section 107, Paragraph a. The views expressed in articles obtained from public sources within this newsletter do not necessarily reflect those of ISSA, this Chapter or its leadership.

A Note From The Editor

In 1939 Dr. Albert Einstein was the head of the Physics Department at Princeton University. One of his duties was to develop the final exam for the students. He did this and sent them to his professors for distribution on exam day.

One of his professors looked at the exam after distributing it to his students, and became panicked. He went to Dr. Einstein and very excitedly told him, “Dr. Einstein, Dr. Einstein! There is a problem with the exam – the questions are the same as last year’s exam.”

Dr. Einstein told him not to worry. “Yes, the questions are the same, but this year the answers are all different.”

Thus it is with Information Assurance, and 2013 will not be any different. The threats continue to evolve, sometimes faster than we can adequately address them. We still face the same questions that we have faced in the past, but the answers will tend to be different.

This challenge is why we have the Information System Security Association. We are able to come together and address those questions with our peers and hash over those new answers. What we have in common is our profession, but that is where the similarity may end. We are sometimes exposed to a possible solution to a problem coming from a different perspective from our peers in other industries. Through that diversity we develop our strengths.

2013 will present new challenges along with the old ones. While we’ll have a new US Congress, they have much unfinished business on their plates. The United Nations is discussing their potential control of the Internet through taxation or other means. The Great Firewall of China is becoming more porous, making life more difficult for their leadership. Anonymous is still trying to make itself relevant (their recent “cyber-attack” on Syrian interests after Syria cut (and two days later restored) its connection to the Internet on November 29th supports this. Their attacks on Israel? Uh, not so much.) New technologies will be released that will promise better security, but will provide little, if any, once in the hands of bright, nefarious individuals. Cyber War and a Digital Pearl Harbor will still be talked about as being just over the horizon, or have they already started?

So… what to do? Hang on tight, ‘cuz we could be in for a wild ride. Or maybe not. We’ll know by 2014.

Don’t forget the luncheon on December 14th at Carrabba’s Italian Grill (North).

If you survive the “end of the Mayan Calendar”, have a very happy holiday season however you choose to celebrate it.

Don Creamer

INSIDE THIS ISSUE:

A Look at the Russian Underground Cyber Market (page 2)
Are You Missing Your Coin? (page 3)
News Ripped From the Headlines (page 4)
Responding to a Data Breach (page 5)
Quantum Physics Fights Cybercrime (page 6)
New Money-Destroying Virus Attacks Iran (page 6)
CyberCity allows government hackers to train for attacks (page 7)
Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday (page 8)
Lockheed says cyber attacks up sharply, suppliers targeted (page 9)
Report: Fifty-eight percent of Energy (page 10)
Network Security Lessons from Sandy (page 11)
New Hack Abuses Cloud-Based Browsers (page 12)
KILL THE PASSWORD: Why a String of Characters Can’t Protect Us (page 13)
Chapter Information (page 14)
Elections (page 15)
Chapter Meetings (page 15)
Augmented Light Bulb Turns A Desk Into A Touch Screen (page 16)

A Look at the Russian Underground Cyber Market

Infosecurity Magazine, 31 October 2012

“The Russian shadow economy is an economy of scale, one that is service oriented and that has become a kleptocracy wherein crony capitalism has obtained a new lease on life in cyberspace”

Russian Underground 101 (http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf) is a Trend Micro study into the cybercriminal underground in Russia. It is based on data gathered from online forums and services and articles written by hackers. What it finds is a complete shadow economy of cybercriminality where virtually every form of online criminal activity can be bought and sold at surprisingly low prices.

It includes, for example, encryption services to disguise malicious files, VPN services for secure communications, bullet-proof host servers resistant to takedowns, botnet rentals for DDoS attacks and spam campaigns, specific trojans and rootkits, activation keys for pirated software, hacking for hire and more.

Hacking for hire is the underground version of freelance or contract programming. Just as companies hire whitehat hackers for penetration testing and security auditing, so criminals can hire blackhat hackers to undertake the same services – but for a different purpose. One of the most common ‘requirements’ is to gain access to specific user accounts. “The most popular email domains cybercriminals hack in Russia,” notes the report, “are Mail.ru, Yandex.ru, and Rambler.ru (with prices ranging from $16–$97). Social networks, Vkontakte and Odnoklassniki, are also popular targets (prices range from $97–$130 for known accounts, and from $325 for unknown accounts). Services and tools for hacking Gmail, Hotmail, and Yahoo! Mail are also somewhat available but at premium prices.”

The report is full of ‘adverts’ taken from the forums and translated into English by Trend. Zeus, one of the most popular and effective financial theft trojans and botnet builders, is frequently advertised. “I’ll sell ZeuS 2.0.8.9 source code. Private sale of source code. Price: US$400–500; bargaining (swapping) is possible,” reads one post. “Selling ZeuS 2.1.0.1 bin + set up on your hosting for US$200 escrow is accepted,” reads another. Zeus has the ability to intercept and alter communications between a browser and a website. It steals bank credentials and can redirect transactions to a different account. “Hackers... utilize ZeuS to install all of the necessary software in a bot as well. As such, even computers that do not have confidential information saved in them can still prove useful for a variety of malicious activities, hence, ZeuS’s infamy,” notes Trend Micro.

Russia is well-known for the technical expertise of its hackers (see, for example, Peter the Great beats Sun Tzu in cyber-crime), and it is generally considered that a high proportion of botnets are controlled from east European countries and Russia. Nevertheless, it is somewhat surprising to see such a complete criminal shadow economy operating beneath the law. Perhaps more worryingly, Trend Micro says, “This paper covered only the most basic and fundamental tools and technologies cybercriminals create and use to enhance their business.”

Professor John Walker, chair of the London chapter of ISACA and CTO of Secure-Bastion, sees a road-map for APT laid out by the report. “In a nutshell,” he told Infosecurity, “what the Trend Micro report is confirming is that the much debated logical attack vectors of the Advanced Persistent Threat (APT), and the more focused Advanced Evasion Techniques (AET) as reported by StoneSoft are not hype, but reality.”

Read the rest here:
http://www.infosecurity-magazine.com/view/29077/a-look-at-the-russian-underground-cyber-market/

Are You Missing Your Coin?

Here is the list of current and former ISSA members that Deborah Johnson has at least one coin for. Please take a look at the list to see if you know any of these folks. The coins can be picked up by proxy, or she can mail them to folks if they can be located. Deborah’s email address is [email protected] and her telephone number is 719-329-4495 (voicemail) if folks want to contact her directly. Thank you!

A: Adams, Tim; Aguryanov, Sergey; Alexeev, Eugene; Anders, Christopher; Anderson, Richard; Andrus, Thip; Archer, Cliona; Arrington, Charles

B: Bailey, Craig; Beasley, Marke; Bilyeu, Raymond; Birkeland, Rolf; Bond, David; Bone, Regina; Borer, Arthur; Bowers, Mark; Brown, Clark; Brown, George; Brown, Jason; Brown, Josh; Buckley, Lisa; Buehler, Scott; Bull, Justin; Burns, R.; Burton, James

C: Callaghan, John; Calloway, Ernest; Carlson, George; Chisesi, Dan; Ciampa, John; Coffman, Darrell; Collier, Andrew; Collins, David; Copeland, Brian; Corlew, Michael; Coultrap, Michael; Crout, John

D: Dailey, Shane; de la Garza, Enrique; Donjon, Dan

E: Egert, Dan

F: Fanberg, Kevin; Farrar, Nathan; Farrow, Chris; Fermanis, Timothy; Fernandez, Damian; Frankovich, Dawn; Freeman, James; Fry, Josh

G: Garate, Reynaldo; Gates, Ryan; Gobeo, Michael; Gonzales, Mark; Gosnell, Steven; Guzman, Henry

H: Halloran, David; Hardin, David; Harper, Brian; Henninge, Fred; Herod, Dan; Herrera, Steven; Hill, Butch; Hinze, Kevin; Hoefelmeyer, Ralph; Hooper, William; Hughes, Jeff; Hughes, Paul; Hutchison, James

I: Ingram, Louis

J: Jones, Bryant; Jordan, Erin

K: Kidder, Peter; Kieffer, Steven; Killoy, Margaret; Koch, Chriss; Kolb, Garrett; Krzywonski, Branden

L: Laborwit, Al; Lanham, Michael; LeFebvere, Brad; Levesque, Robert; Loehndorf, Jon; Lorenc, Chad; Lund, Tim; Lundmark, Dennis

M: Malone, David; Mance, Howard; Mann, John; Marchand, Hummer; Martens, Pamela; Martin, Jeremy; Martinez, Mitch; Masincupp, Danny; Matthews, Clint; Menkhus, Mark; Mercer, Samuel; Miles, Tracy; Modisette, Mark; Mohl, Darrick; Moll, Joseph; Mondello, Mark; Moore, Kathryn; Morrison, Richard; Myers, Ryan

N: Neely, Richard; Nieman, Joann; Norquist, Bruce; Novak, Heath

O: Oliphant, Thomas; Olson, Robert; O'Neill, Michael; Oswald, John

P: Palmer, Scott; Paynter, Stephen; Peralta, Rex; Playle, Greg; Puryear, Scott

R: Ray, Lori; Regan, Joseph; Rodrigues, Rory; Rogelio, Raymond; Ross, Clark; Roth, Lee

S: Saporito, Tia; Sawyer, Jim; Schierholz, Andrew; Schooley, Christopher; Schwoerer, Ralf; Shepherd, Stephen; Shriver, Karen; Slavick, Mike; Smalley, Jackie; Smith, Harry; Spencer, Dawn; Spinney, Byron; Staggs, Michael; Stoddard, Lewis; Sullivan, Michael; Sumpter, Timothy; Swinnich, David

T: Tang, Freddy; Taylor, Jeremy; Tesch, John; Thomas, Christopher; Tracy, John; Trevino, Manuel; Trussell, Terry; Tugade, Medarlo; Turner, Deborah; Tyree, George

U: Underwood, Ralph

V: Van Cura, Robert; Vulcan, Leland

W: Wahl, Sarah; Walls, Todd; Weatherford, Mark; Weiss, Brian; White, Steve; Williams, Jarold; Wright, Christopher

News Ripped From the Headlines

November 22, Softpedia – (International) Experts find way to crack default WPA2 passwords of Belkin routers. Security researchers claim that the default WPA2 passwords used by many Belkin routers can be easily guessed by an attacker who knows the device’s WAN MAC address. A number of Belkin wireless routers are shipped with a default WPA2 password to protect network connections. The apparently random passwords are printed on a label on the bottom of the router. Although this approach should in theory be more secure, because the password is likely stronger than what many users would set themselves, it turns out that the random passphrases are not so random. The researchers determined that the password is derived from the device’s WAN MAC address, and since this information is not difficult to obtain, an attacker could easily break into a targeted network if the default configuration is used. The default password consists of 8 characters, each obtained by replacing a hex digit of the WAN MAC address with a value from a static substitution table. Several device models are affected, including the Belkin N450 Model F9K1105V2 and the Belkin Surf N150 Model F7D1301v1. Source: http://news.softpedia.com/news/Experts-Find-Way-to-Crack-Default-WPA2-Passwords-of-Belkin-Routers-309081.shtml

November 2, The Register – (National) One in seven North American home networks full of malware. One in seven home networks in North America is infected with malware, a recent study reveals. Half the threats detected during the third quarter of 2012 were spam-distributing zombies or banking trojans, while the remainder were mostly adware and other lesser threats, according to the study by Kindsight Security Labs. The study was based on data gathered from the security firm's service provider customers. Consumers most commonly get infected with malware after visiting Web sites contaminated with exploit kits, via drive-by attacks. Kindsight names the ZeroAccess botnet as among the worst menaces to Internet safety. ZeroAccess was the most active botnet in the third quarter, with more than 2 million infected users worldwide, 685,000 of them in the United States. Source: http://www.theregister.co.uk/2012/11/02/malware_infestation_us_survey/

November 7, Computerworld – (International) Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday. On November 6, Adobe announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule. At the same time, Adobe issued an update that patched seven critical Flash vulnerabilities, and Microsoft shipped fixes for Internet Explorer 10 (IE10), which includes an embedded copy of Flash. However, the move to synchronize Flash Player updates with Microsoft's monthly patch schedule was the bigger news. "Starting with the next Flash Player security update, we plan to release regularly-scheduled security updates for Flash Player on 'Patch Tuesdays,'" Adobe said. Source: http://www.computerworld.com/s/article/9233342/Adobe_now_married_to_Microsoft_moves_Flash_updates_to_Patch_Tuesday

November 8, Ars Technica – (International) Mushrooming ransomware now extorts $5 million a year. Malware that disables computers and demands hefty cash payments to purported law-enforcement agencies before the machines are restored is extorting as much as $5 million a year from end-user victims, researchers said. The estimate is contained in a report published November 8 by researchers from antivirus provider Symantec, who attribute it to the mushrooming growth of so-called ransomware. Once infected, computers become unusable and often display logos of local law-enforcement agencies, along with warnings that the user has violated statutes involving child pornography or other serious offenses. The warnings then offer to unlock the computers if users pay a fine as high as $200 within 72 hours. The report identified at least 16 different ransomware versions spawned by competing malware gangs. Many are completely different families of malware, rather than multiple variants of the same family, and most have their own unique behavior. Source: http://arstechnica.com/security/2012/11/mushrooming-growth-of-ransomware-extorts-5-million-a-year/

November 26, Dark Reading – (International) Evolving DDoS attacks force defenders to adapt. In the past, attackers using distributed denial-of-service (DDoS) attacks to take down Web sites or network servers typically adopted one of two tactics: flooding the site with a deluge of data, or overwhelming an application server with seemingly valid requests. Yet increasingly, attackers are using a hybrid approach, using multiple vectors to attack. The attacks that hit financial firms in September and October, for example, often used a massive flood of data packets that would overwhelm a victim’s network connection, while a much smaller subset of traffic would target vulnerable application functions, consuming server resources. The one-two punch is potent. Many financial firms thought they had the defenses in place to defeat such attacks but had problems staying accessible during the onslaught. Companies prepared to handle application-layer attacks or smaller volumetric attacks could not handle the 20Gbps or more that saturated their Internet connection. A recent report from network-security firm Prolexic found that the average attack bandwidth increased to nearly 5Gbps, with 20Gbps attacks quite common. In a year, the average volume of attacks had doubled, the firm found. Source: http://www.darkreading.com/security-services/167801101/security/perimeter-security/240142616/evolving-ddos-attacks-force-defenders-to-adapt.html

Responding to a Data Breach

So, you’ve already figured out that your organization is the victim of a data breach. Conrad Constantine explains what your next steps should be.

By Conrad Constantine, AlienVault, 13 November 2012

Anyone that’s worked on a major data breach for their employer is familiar with this experience: in the space of 24 hours you can go from yet another day at the office to feeling like the company is collapsing around you. To all my compatriots out there that have been ‘that person’ – poring through all the log data – I salute you. Those of you that haven’t yet run this gauntlet should know that the days after the discovery of a data breach are a mélange of panic and discord. Following are some techniques to coordinate the chaos.

Build a timeline: More important than any other effort you engage in – as you embark on the forensic investigation – is the construction of a timeline of how everything went down. This is the information that your executive, legal and PR teams need the most.

Before you start any other work, those first few hours should be about preparing a coherent method of delivering information up the command chain, which means a timeline with details a business audience can understand. Put one person in charge of nothing else but managing this document, but make it visible to the rest of the team to spot discrepancies or submit changes as new information arises.

Build a map: Hand in hand with that timeline, you will need to create a visual representation of what was done and where. Show the attackers’ path through the system, your business processes and your data.

Don’t jump to conclusions: You’re going to see your attacker making leaps between systems that (at the time) could only be explained by psychic powers or extreme amounts of insider information. Just assume, for the time being, that there’s a simple explanation for this.

Now for the one that is perhaps hardest to accept. Don’t be afraid to carry out seemingly drastic reactions for ‘small’ breaches – that is, unless you have packet-by-packet analysis of everything an intruder did and saw, you’re better off safe than sorry. Forcing everyone in the company to change their password is a small price to pay, in comparison to an attacker coming back a few weeks later after cracking thousands of valid credentials.

When a data breach occurs, damage to information and systems has already occurred; the damage to a company’s reputation and corporate culture is just beginning. The biggest risk mitigation on your plate right now is to not panic and make things worse. A few inept keystrokes can make the difference between finding the smoking gun and erasing vital evidence forever.

The timeline and map are keys to making sure no stone is left unturned. It may seem that intruders have already taken what they needed, but there is still a chance they left a few doorways to return through later. The timeline and map will be guides to finding blind spots – the places where you have not yet looked – to ensure, for the time being, you have closed the re-entry doors. You can bet money on being asked to prove this to your command chain; it’s best to have an answer prepared. Identifying how the attackers planned their assault is a vital part of the post-incident learning process. After an investigation of what went wrong, you will often find that what at first appeared miraculous becomes ordinary in hindsight.

Breaches of enterprise information systems are inevitable. Compartmentalization of data is vital to truly minimize the ROI for attackers. One person, one account, or one access role should never hold all the keys – separation of duty is a crucial concept. Think of the Coca-Cola myth, in which only two executives know the recipe and each possesses only half of it. Look at the most vital corporate data you have, and find a way to break it up into different systems and stages. I can’t tell you how to do this, but it should be part of any mature risk management program.

To truly minimize the damage during a breach, follow the example of the medical profession: ‘first, do no harm’. Stop the bleeding, create time to breathe, and think. The damage an organization can do to itself during the discovery and investigation of a breach can far outlast the pain of a few copied gigabytes.

http://www.infosecurity-magazine.com/view/29286/responding-to-a-data-breach/
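The first step above, build a timeline, is mostly mechanical work, and it only pays off if every source is normalized to one clock before anyone reasons about the order of events. The script below is an added example and is not the author's or AlienVault's code: it merges three constructed log sources for one host (a syslog-style auth log, a web server access log and a firewall CSV) into a single UTC-ordered timeline, each entry tagged with its source so the rest of the team can spot discrepancies. The host name, the log formats, the 2012 year for the year-less syslog lines and the assumption that the auth log is written in local time (UTC-7) are all assumptions made for the example; note that without that normalization the auth events would appear to fall on "Nov 11", a day before the web request that preceded them.

```python
"""Single incident timeline from heterogeneous logs (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample evidence for one host. Three sources, three formats, and
# (deliberately) two different clocks: the syslog-style auth log is written in
# the server's local time (assumed UTC-7), the web and firewall logs in UTC.
AUTH_LOG = """\
Nov 11 20:14:07 web01 sshd[2211]: Accepted password for deploy from 203.0.113.9 port 51022 ssh2
Nov 11 20:15:40 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql
"""
ACCESS_LOG = """\
203.0.113.9 - - [12/Nov/2012:03:12:55 +0000] "GET /admin/export.php?id=1%27%20OR%201=1 HTTP/1.1" 200 5120 "-" "curl/7.21"
"""
FW_CSV = """\
2012-11-12T03:16:02+00:00,web01,203.0.113.9,443,OUT,ALLOW,5242880
"""
YEAR = 2012  # syslog carries no year; taken from the incident window (assumption)
UTC = timezone.utc


@dataclass(order=True)
class Event:
    when: datetime      # always UTC after parsing, so sorting is meaningful
    source: str
    host: str
    actor: str
    summary: str


MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
AUTH_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_auth(text, local_offset_hours):
    """syslog auth lines -> Events; local_offset_hours is the host's UTC offset."""
    tz = timezone(timedelta(hours=local_offset_hours))
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        local = datetime(YEAR, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss, tzinfo=tz)
        msg, actor = m["msg"], "-"
        if m["prog"] == "sshd":
            who = re.search(r"for (\S+) from (\S+)", msg)
            actor = f"{who[1]}@{who[2]}" if who else "-"
        elif m["prog"] == "sudo":
            actor = msg.split(" : ", 1)[0]
        events.append(Event(local.astimezone(UTC), "auth", m["host"], actor, msg))
    return events


def parse_access(text, host):
    """Combined-format access log -> Events (the timestamp carries its own offset)."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)
            events.append(Event(when, "web", host, m["ip"], f'{m["req"]} -> {m["status"]} {m["size"]}B'))
    return events


def parse_fw(text):
    """Constructed firewall CSV: iso_time,host,peer,port,direction,action,bytes -> Events."""
    events = []
    for line in text.splitlines():
        ts, host, peer, port, direction, action, nbytes = line.split(",")
        when = datetime.fromisoformat(ts).astimezone(UTC)
        events.append(Event(when, "fw", host, peer, f"{direction} {action} {peer}:{port} {int(nbytes)}B"))
    return events


def build_timeline(*event_lists):
    """Merge every source into one UTC-ordered list."""
    return sorted(ev for evs in event_lists for ev in evs)


def render(timeline):
    """One line per event, the hand-off form a non-technical reader can follow."""
    return "\n".join(f"{ev.when:%Y-%m-%d %H:%M:%S}Z  {ev.source:<4} {ev.host:<6} "
                     f"{ev.actor:<20} {ev.summary}" for ev in timeline)


if __name__ == "__main__":
    tl = build_timeline(parse_auth(AUTH_LOG, -7), parse_access(ACCESS_LOG, "web01"), parse_fw(FW_CSV))
    print(render(tl))
```

Run as-is it prints the four events in true order: the SQL-injection-looking export request, the SSH login from the same address, the sudo'd tar of the database directory, and the 5 MB outbound transfer. Every new source gets its own small parser that ends in the same Event shape, which is what keeps the document one person can own and the whole team can argue with.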

Quantum Physics Fights Cybercrime

Digital Forensic Investigator, Nov. 05, 2012

Using quantum physics and tiny light particles to foil hackers and online criminals may sound like the stuff of Bond movies and sci-fi thrillers, but scientists have now successfully demonstrated how to protect finance, retail and other sectors from crippling e-crime.

Physicists at Heriot-Watt Univ. and Univ. of Strathclyde have worked with tiny particles of light to create a new way of verifying electronic messages and transactions as authentic, helping address the huge cost of e-crime (£205.4 million in 2011/12 for the UK retail sector alone) and avoiding potentially catastrophic fraud, online hacking and theft of digital data.

The work shows how the fundamental particles of light, known as photons, can be used to verify the security and authenticity of any transaction or communication with a "digital signature."

Currently, "digital signatures" underpin internet shopping, electronic banking, electronic voting and many software updates. Whenever the padlock symbol is displayed in a web browser, digital signatures are in use.

However, with traditional online security, these signatures are based on mathematical formulae — and can be cracked, leading to fraud and other online security breaches. Quantum digital signatures use a different approach which ensures the authenticity and origin of messages.

Prof. Gerald Buller from Heriot-Watt Univ. says, “Computer virus attacks have shown that ‘signatures’ or specific codes can be hijacked, potentially causing chaos with systems being crippled, accounts hacked and industry and consumers losing millions of pounds. Our new approach, using quantum mechanics rather than just maths to create signatures for multiple recipients (or customers), could make hacking, fraud and theft near-impossible.”

Recent estimates of the value of 2011 online UK retail sales are at minimum £25 billion (according to the Office of National Statistics) and could be as high as £50.34 billion (Centre for Retail Research, 2011).

E-crime is the biggest emerging threat to the retail sector as the rapid growth in e-commerce in the UK sees new ways of shopping being accompanied by new types of crime, according to the British Retail Consortium’s recent report.

Read the rest here:
http://www.dfinews.com/news/quantum-physics-fights-cyber-crime?et_cid=2930685&et_rid=454841830&linkid=http%3a%2f%2fwww.dfinews.com%2fnews%2fquantum-physics-fights-cybercrime

New Money-Destroying Virus Attacks Iran

After the US and Israel cooked up Stuxnet—a potent cyber weapon aimed at Iran's nuclear facilities—whenever a virus targets Iran, it could be something major. This time around, the web threat wants to erase Iranian banks' data.

The worm, which Symantec has dubbed W32.Narilam, started creeping through Iranian financial servers over the past several days. Symantec describes it as follows:

Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough; what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.

The following are some of the object/table names that can be accessed by the threat:

Hesabjari ("current account" in Arabic/Persian)
Holiday, Holiday_1, Holiday_2
Asnad ("financial bond" in Arabic)
A_sellers
A_TranSanj
R_DetailFactoreForosh ("forosh" means "sale" in Persian)
person
pasandaz ("savings" in Persian)
BankCheck
End_Hesab ("hesab" means "account" in Persian)
Kalabuy
Kalasales
REFcheck
buyername
Vamghest ("instalment loans" in Persian)

That might look like gibberish, but it can be distilled down to one idea: the worm makes its way into computers and then corrupts records in database tables whose names are financial terms. If you're a bank, this is very bad news, potentially (and permanently) wrecking very valuable databases. Symantec notes that, interestingly, the worm doesn't have any ambitions of spying—it just goes in and ruins data, rather than reporting it back to some third party. But any bank hit by Narilam will be hurting.

Read the rest here:
http://gizmodo.com/5963259/new-money+destroying-virus-attacks-iran
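The database and table names above are the usable indicators in this story, and the behaviour that makes them useful is that the writes come over OLE DB from something other than the bank's own application. The script below is an added example, not Symantec's or Gizmodo's code: it sweeps an exported SQL Server statement trace for data-modifying statements against the named tables inside the named databases, issued by any client application not on an allow-list. The trace column layout (time | database | client application | statement), the application name "AccountingApp.exe" and the sample lines are constructed for the example; only the database and table names come from the article.

```python
"""IOC sweep of a SQL Server statement trace for the W32.Narilam names (added example)."""
import re
from dataclasses import dataclass

# Database and table names quoted by Symantec in the article above.
TARGET_DBS = {"alim", "maliran", "shahd"}
TARGET_TABLES = {t.lower() for t in (
    "Hesabjari Holiday Holiday_1 Holiday_2 Asnad A_sellers A_TranSanj R_DetailFactoreForosh "
    "person pasandaz BankCheck End_Hesab Kalabuy Kalasales REFcheck buyername Vamghest").split()}

# Data-modifying statements, capturing the object each one touches.
WRITE_RE = re.compile(
    r"^\s*(?:UPDATE\s+(?P<u>[\w.\[\]]+)|DELETE\s+FROM\s+(?P<d>[\w.\[\]]+)|INSERT\s+INTO\s+(?P<i>[\w.\[\]]+)"
    r"|DROP\s+TABLE\s+(?P<dr>[\w.\[\]]+)|TRUNCATE\s+TABLE\s+(?P<tr>[\w.\[\]]+))",
    re.IGNORECASE)

# Constructed trace export: "time | database | client application | statement".
# The column layout and the application names are assumptions for this example.
TRACE = """\
2012-11-20 09:58:01 | maliran | AccountingApp.exe | UPDATE dbo.Hesabjari SET balance = balance - 250 WHERE id = 1042
2012-11-20 10:02:11 | maliran | (no app name) | UPDATE Hesabjari SET balance = 0 WHERE 1 = 1
2012-11-20 10:02:12 | alim | (no app name) | DELETE FROM dbo.[Vamghest] WHERE 1 = 1
2012-11-20 10:02:13 | shahd | (no app name) | SELECT COUNT(*) FROM pasandaz
2012-11-20 10:03:44 | payroll | (no app name) | UPDATE Holiday SET days = 0
"""


@dataclass
class Hit:
    when: str
    database: str
    app: str
    table: str
    statement: str


def table_name(obj):
    """dbo.[Hesabjari] -> hesabjari (drop schema qualifier and brackets)."""
    return obj.rsplit(".", 1)[-1].strip("[]").lower()


def scan_trace(lines, allowed_apps):
    """Flag writes to the named tables in the named databases from any client not on the allow-list."""
    hits = []
    for line in lines:
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4:
            continue
        when, db, app, stmt = parts
        if db.lower() not in TARGET_DBS:
            continue                      # a generic table name elsewhere is not this IOC
        m = WRITE_RE.match(stmt)
        if not m:
            continue                      # reads are not what Narilam does
        table = table_name(next(g for g in m.groups() if g))
        if table in TARGET_TABLES and app not in allowed_apps:
            hits.append(Hit(when, db, app, table, stmt))
    return hits


if __name__ == "__main__":
    for h in scan_trace(TRACE.splitlines(), allowed_apps={"AccountingApp.exe"}):
        print(f"{h.when}  {h.database}.{h.table}  via {h.app}: {h.statement}")
```

Several of the table names (Holiday, person) are generic, so the database-name condition is what keeps this from drowning in false positives; the same logic applies to a real server-side trace or Extended Events export once the four columns are mapped.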

P A G E 7 V O L U M E 1 , N U M B E R 1 0

By Robert O’Harrow Jr., The Washington Post, Nov 27, 2012

CyberCity has all the makings of a regular town. There’s a bank, a hospital and a power plant. A train station operates near a water tower. The coffee shop offers free WiFi.

But only certain people can get in: government hack-ers preparing for battles in cyberspace.

The town is a virtual place that exists only on computer networks run by a New Jersey-based security firm working under contract with the U.S. Air Force. Computers simulate communications and operations, including e-mail, heating systems, a railroad and an online social networking site, dubbed FaceSpace.

Think of it as something like the mock desert towns that were constructed at military facilities to help American soldiers train for the war in Iraq. But here, the soldier-hackers from the Air Force and other branches of the military will practice attacking and defending the computers and networks that run the theoretical town. In one scenario, they will attempt to take control of a speeding train containing weapons of mass destruction.

To those who participate in the practice missions, the digital activity will look and feel real. The “city” will have more than 15,000 “people” who have e-mail accounts, work passwords and bank deposits. The power plant has employees. The hospital has patients. The coffeeshop customers will come and go, using the insecure WiFi system, just as in real life.

To reinforce the real-world consequences of cyberattacks, CyberCity will have a tabletop scale model of the town, including an electric train, a water tower and a miniature traffic light that will show when they have been attacked.

“It might look to some people like a toy or game,” Ed Skoudis, founder of Counter Hack, the security firm in central New Jersey that is developing the project, said recently while giving a reporter a tour of the fledgling system. “But cyberwarriors will learn from it.”

CyberCity provides insight into some of the Pentagon’s closely guarded plans for cyber war. It also reflects the government’s growing fears about the vulnerabilities of the computers that run the nation’s critical infrastructure. Last month, Defense Secretary Leon E. Panetta said that digital attacks “could be as destructive as the terrorist attack on 9/11” and virtually paralyze the country.

“If a crippling cyberattack were launched against our nation, the American people must be protected,” he said. “And if the commander in chief orders a response, the Defense Department must be ready to obey that order and to act.”

CyberCity allows government hackers to train for attacks

Behind those fears is an unsettling reality: Networks in the United States will remain vulnerable to attacks for the foreseeable future because no one understands cyberspace well enough to ensure security.

In the four decades since the Internet began, most cybersecurity research was conducted on the fly or as an afterthought, according to interviews with security specialists and computer scientists. Now, with the world linking up its communications, infrastructure, military, banking, medical and other systems at a lightning pace, the dynamic of cyberspace has grown too complex. Rigorous scientific experimentation that might lead to security breakthroughs is only beginning.

In the meantime, attackers hold a huge advantage. They can choose the time, place and method of strikes. Defenders almost always have to settle for reacting, making fixes after the damage has been done.

CyberCity aims to prepare government hackers to hold their own until long-term solutions can be found.

“The problem is the bad guys are getting better much faster than we are,” Skoudis said. “We don’t want to fall further behind on this.”

Realistic virtual environments

CyberCity is one of hundreds of virtual environments — often known as cyber ranges or test beds — launched in recent years by military, corporate and academic researchers to confront the mind-bending security challenges posed by cyberspace, where millions of attacks or intrusions occur every day.

Some small ranges study the effects of malicious software and viruses. Some hope to emulate the Internet itself and become scientific instruments of sorts, akin to mountaintop telescopes or particle accelerators, that will enable researchers to seek out the elusive fundamentals of cyberspace. The most ambitious of these, the National Cyber Range, was developed by the Defense Advanced Research Projects Agency. It has cost about $130 million since 2008. The agency said seven large-scale experiments have been conducted by Pentagon researchers.

Read the rest here:

http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story.html

ISSA-COS NEWS, Page 8

Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday

By Gregg Keizer, November 6, 2012, Computerworld

Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule.

At the same time, Adobe issued an update that patched seven critical Flash vulnerabilities, and Microsoft shipped fixes for Internet Explorer 10 (IE10), which includes an embedded copy of Flash.

But the move to synchronize Flash Player updates with Microsoft's monthly patch schedule was the bigger news. "Starting with the next Flash Player security update, we plan to release regularly-scheduled security updates for Flash Player on 'Patch Tuesdays,'" Adobe said in a statement yesterday.

"Microsoft and Adobe are now officially married," cracked Andrew Storms, director of security operations at nCircle Security, in an email reply to questions. "They started dating when they decided to share the MAPP program [and] once Microsoft agreed to embed Flash in IE10, [it was] inevitable that Adobe was going to be strong-armed into following Microsoft's patch cadence."

Under MAPP, for "Microsoft Active Protections Program," Microsoft provides select security vendors pre-patch information to give them time to craft detection signatures for upcoming exploits or malware. In July 2010, Adobe began using MAPP to deliver vulnerability information about its products to security firms.

Microsoft issues its security updates on the second Tuesday of each month, but up to now Adobe has released Flash bug fixes at irregular intervals. So far this year, Adobe has released nine Flash security updates: One in February, two in March, one each in May and June, two in August, one in October, and one in November.

The two companies' unsynchronized patching became an issue after Microsoft announced it would bake Flash Player into IE10 for Windows 8 and its tablet spin-off, Windows RT. But problems surfaced in September when Microsoft said it would not patch IE10 for at least six weeks, even though Adobe had issued updates the month before that addressed at least one vulnerability hackers were already exploiting.

Microsoft later recanted and issued an update to IE10, then followed with another in October on the same day Adobe shipped its Flash fixes.

At the time, security experts criticized both Adobe and Microsoft for releasing unexpected updates -- Microsoft rarely deviates from its Patch Tuesday timetable -- and said those updates confused customers, especially enterprise IT staffers who rely on Microsoft's predictable schedule.

Even though the Flash updates will add more Patch Tuesday work for users, security professionals praised Adobe's change.

"Concentrating updates on a single day is a benefit for any organization that manages patch roll-outs," said Wolfgang Kandek, CTO of Qualys, in an email. "That way the update can be handled by the same decision process, which should streamline roll-outs and get Flash updates [installed] more widely."

Storms agreed. "In a few months, the Flash update will just be a regular part of the Patch Tuesday cycle," he predicted. "The move is going to force Adobe to get into a regular cycle with repeatable processes that their end users will come to recognize and appreciate."

Adobe spokeswoman Wieke Lips said her firm had "discussed both internally and coordinated with Microsoft" the move to Patch Tuesday.

Storms and Kandek suspected that Adobe's hand was forced -- whether of its own volition or at the urging of Microsoft -- when the latter decided to bundle Flash with IE10.

Read the rest here:

http://www.computerworld.com/s/article/9233342/Adobe_now_married_to_Microsoft_moves_Flash_updates_to_Patch_Tuesday

Volume 1, Number 10, Page 9

Lockheed says cyber attacks up sharply, suppliers targeted

By Andrea Shalal-Esa, Reuters, Nov 12, 2012

The Pentagon's No. 1 supplier, Lockheed Martin Corp, on Monday cited dramatic growth in the number and sophistication of international cyber attacks on its networks and said it was contacting suppliers to help them shore up their security.

Chandra McMahon, Lockheed vice president and chief information security officer, said about 20 percent of the threats directed at Lockheed networks were considered "advanced persistent threats," prolonged and targeted attacks by a nation state or other group trying to steal data or harm operations.

"The number of campaigns has increased dramatically over the last several years," McMahon told a news conference. "The pace has picked up."

She said the tactics and techniques were becoming increasingly sophisticated, and attackers were clearly targeting Lockheed suppliers to gain access to information since the company had fortified its own networks.

U.S. officials have stepped up their warnings about cyber attacks on U.S. banks and other institutions in recent months, warning that attackers are developing the ability to strike U.S. power grids and government systems.

Lockheed officials declined to say if any of the attacks they had seen originated in Iran, which has been linked to recent denial-of-service attacks against U.S. financial institutions.

Rohan Amin, Lockheed program director for the Pentagon's Cyber Crime Center (DC3), said internal analysis showed that the number of campaigns had clearly grown, and multiple campaigns were often linked.

Lockheed recently wrested a $450 million contract to run the military cyber center away from long-time holder General Dynamics Corp.

"HUGE PROBLEM"

As the top information technology provider to the U.S. government, Lockheed has long worked to secure data on computer networks run by a range of civilian and military agencies. The company is also trying to expand sales of cybersecurity technology and services to commercial firms, including its suppliers, and foreign governments, Lockheed executives said.

"Suppliers are still a huge problem," said Charlie Croom, Lockheed's vice president of cybersecurity solutions, noting the large number of companies that provide products and components for Lockheed, which has annual sales of just under $47 billion.

Croom, the former head of the Pentagon's Defense Information Systems Agency, said cybersecurity was a crucial area for Lockheed, but said it was difficult to pinpoint exactly how much business it generates because network security is part of nearly everything the company sells and does for the government.

He estimated that 5 to 8 percent of Lockheed's revenues in the information systems sector were related to cybersecurity. Lockheed generated $9.4 billion sales in that division in 2011.

McMahon said Lockheed had seen "very successful" attacks against a number of the company's suppliers, and was focusing heavily on helping those companies improve their security.

She said a well-publicized cyber attack on Lockheed's networks in May 2011 came after the computer systems of two of its suppliers -- RSA, the security division of EMC Corp and another unidentified company -- were compromised.

"The adversary was able to get information from RSA and then they were also able to steal information from another supplier of ours, and they were able to put those two pieces of information together and launch an attack on us," McMahon said.

She said Lockheed had been tracking the adversary for years before that attack, and was able to prevent any loss of data by using its in-house detection and monitoring capabilities.

One of the lessons the company learned was the importance of sharing data with other companies in the defense sector, and suppliers, to avert similar attacks, McMahon said.

"It's just one example of how the adversary has been very significant and tenacious and has really been targeting the defense industrial base," she said.

Social media, websites and malware introduced by emails remain major areas of concern, Lockheed executives said.

Read the rest here:

http://www.reuters.com/article/2012/11/13/net-us-lockheed-cyber-idUSBRE8AC02S20121113


Report: Fifty-eight percent of Energy computers went months without bug fixes

By Aliya Sternstein, NextGov, November 15, 2012

A perhaps disturbing summation of the state of federal cyber security: An internal audit found nearly 60 percent of Energy Department desktop computers were missing critical software patches -- and those findings don’t surprise security experts.

Officials risk disrupting agency business by applying patches because fixes likely would require pausing widely used programs, said Patrick Miller, chief executive officer of EnergySec, a federally funded public-private partnership.

The inspector general audit, which was released this week, covered unclassified systems at administrative offices department wide.

“It would actually be more damaging to the organization to patch it than to not patch it,” Miller said. “The reality is most organizations, the larger they get, the harder it is for them to manage their patching.” It is unclear whether the department compensated for holes by using other safeguards, such as firewalls.

The assessment revealed that many desktops and servers were running without security patches. Department-level systems handle budgeting and human resources data, as well as information on public-private investments, such as the controversial economic stimulus loan to solar power firm Solyndra. The now-bankrupt recipient of a more than $500 million Recovery Act award obtained court approval Thursday to sell its headquarters for $90 million.

About 58 percent of the Energy desktops tested used operating systems or software without fixes for weaknesses that had been discovered, in some cases, up to six months earlier. Also, 41 network servers were running operating systems no longer supported by their developers.

But, Miller said, defects are typical at fiscally strained federal agencies that are overseeing massive networks. “Those numbers are quite low for an agency of its size,” he said.

Some of the flawed systems operate critical department operations, though the report did not identify specific activities.

“These vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations,” Energy Inspector General Gregory H. Friedman wrote.

Systems that run federal utilities and handle nuclear testing were not part of the evaluation.

The probe was conducted between February and November and examined facilities overseen by the undersecretary for nuclear security, undersecretary of energy and undersecretary for science.

A separate agency, the Health, Safety and Security Office of Enforcement and Oversight, studies cyber controls for Energy national security systems.

The study did not try to spot actual breaches.

In a Nov. 5 response to a draft report, Energy Chief Information Officer Robert Brese agreed to follow up on the uncovered problems. “The weaknesses noted in this report have been reviewed and corrective actions, to include the implementation of appropriate controls, have been identified,” he wrote. Energy offices will be expected to report quarterly to the CIO on their progress bolstering systems.

Systems powering federal utilities have come under the IG’s microscope several times during the past year.

In late October, the inspector general reported that the government's largest renewable power delivery agency was using a default password to protect a scheduling database, and regularly failed to update security software. The Western Area Power Administration distributes hydroelectric energy to utilities serving millions of homes and businesses in the Rocky Mountain, Sierra Nevada, Great Plains and Southwest regions.

Read the rest here:

http://www.nextgov.com/cybersecurity/2012/11/report-fifty-eight-percent-energy-computers-went-months-without-bug-fixes/59559/
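The audit's two headline figures (the share of desktops still missing fixes published months earlier, and servers on operating systems their vendors no longer support) are exactly what a patch-currency check over an inventory export should produce on a schedule, not once a year from the IG. The script below is an added example written for this newsletter, not code from the report or the NextGov article. It assumes an export that lists, per host, the publication dates of fixes that are available but not installed, plus a vendor end-of-support table; the host records, dates and the 30-day threshold are constructed for illustration.

```python
"""Patch-currency check over a host inventory.

Added example, not part of the IG audit or the article. Host records,
end-of-support dates and the overdue threshold are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed end-of-support table; real dates come from vendor lifecycle pages.
OS_END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "RHEL 4": date(2012, 2, 29),
    "Windows XP SP3": date(2014, 4, 8),
    "Windows 7 SP1": date(2020, 1, 14),
    "RHEL 6": date(2020, 11, 30),
}


@dataclass
class Host:
    name: str
    role: str                     # "desktop" or "server"
    os: str
    missing_fix_dates: list = field(default_factory=list)  # published but not installed


def oldest_missing_age_days(host, as_of):
    """Days since the oldest uninstalled fix was published; 0 if fully patched."""
    if not host.missing_fix_dates:
        return 0
    return (as_of - min(host.missing_fix_dates)).days


def patch_report(hosts, as_of, max_age_days=30):
    """Summarise patch currency as of a given date.

    A desktop is overdue when any available fix has gone uninstalled for
    longer than max_age_days. A server is unsupported when its OS reached
    end of support on or before as_of, so no fix exists to install.
    """
    desktops = [h for h in hosts if h.role == "desktop"]
    overdue = [h for h in desktops if oldest_missing_age_days(h, as_of) > max_age_days]
    unsupported = [
        h for h in hosts
        if h.role == "server" and OS_END_OF_SUPPORT.get(h.os, date.max) <= as_of
    ]
    pct = round(100.0 * len(overdue) / len(desktops), 1) if desktops else 0.0
    return {
        "desktops": len(desktops),
        "overdue_desktops": sorted(h.name for h in overdue),
        "overdue_pct": pct,
        "oldest_missing_days": max((oldest_missing_age_days(h, as_of) for h in hosts), default=0),
        "unsupported_servers": sorted(h.name for h in unsupported),
    }


# Constructed inventory, shaped like a scanner export after parsing.
SAMPLE_HOSTS = [
    Host("d1", "desktop", "Windows 7 SP1", [date(2012, 5, 8)]),
    Host("d2", "desktop", "Windows 7 SP1", []),
    Host("d3", "desktop", "Windows XP SP3", [date(2012, 10, 9)]),
    Host("d4", "desktop", "Windows 7 SP1", [date(2012, 9, 11), date(2012, 10, 9)]),
    Host("d5", "desktop", "Windows XP SP3", [date(2012, 4, 10)]),
    Host("s1", "server", "RHEL 4", [date(2012, 6, 12)]),
    Host("s2", "server", "RHEL 6", []),
    Host("s3", "server", "Windows 2000", []),
]


def run_sample():
    """Report for the constructed inventory as of 1 November 2012."""
    return patch_report(SAMPLE_HOSTS, date(2012, 11, 1))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed inventory three of five desktops are more than 30 days behind (60 percent, the oldest by 205 days) and two servers sit on operating systems past end of support. The threshold is the policy decision Miller is describing: raising it hides the d4 case, lowering it drags in d3, and neither setting says anything about compensating controls, which this check does not model.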


Network Security Lessons from Sandy

By Danelle Au, Security Week, November 12, 2012

As our thoughts and prayers go out to those affected by Super Storm Sandy and the many who continue to deal with the aftermath of the storm, it seems timely to also reflect on the lessons learned from this natural disaster. What can we glean from Sandy that will help us deal with security events as disruptive in nature as Super Storm Sandy? Do we need a strategic shift in how we respond to incidents? What are key security observations from this storm? Consider these three key learnings:

Plan for All Disasters, Not Just Natural Ones

Disaster recovery is about preparing and recovering from any event that impacts business and infrastructure continuity. In this case, it was a super-size storm, but it could have been any event – power failure, floods, earthquakes or a targeted attack. Disaster recovery is not only about preparing for something that may happen to your business at some point (the disaster), but also the ability to safeguard and restore the data (recovery) so you can get back to business as usual.

The best practice for disaster recovery involves adequate planning and investment to ensure every potential disaster has an appropriate solution. This can range from what to do due to loss of electricity or lack of fuel needed to power backup generators, to the operational aspect of disaster recovery such as operating procedures, staffing support plans and backup communications. Because disaster recovery is a continual process of analysis and improvement, frequent drills must be held to instill processes and procedures. It’s very similar to what we incorporate in training for other activities – for example, the key part of pilot training isn’t just how to fly an airplane, but how to react when something goes wrong with the plane or engine.

But, it’s important that this planning extend to network security as well. If Mother Nature can deliver so much havoc, then can your IT infrastructure, electric utilities and water systems withstand intentional modern attacks? Homeland Security Secretary Janet Napolitano said after Sandy, "If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities." How will your team handle a breach in the network in a way that mitigates and minimizes downtime for the network, and protects other critical data? There is no guarantee of 100 percent security for your network, therefore a good security architecture must be balanced with preparations for network breaches, however infrequently they may occur.

The proper network security plan can accomplish a number of key goals - minimize loss of data, address regulatory compliance issues and preserve appropriate information so that your forensics team and/or law enforcement has enough information to identify the attackers and prevent attacks from occurring in future.

Consumerization is Alive and Thriving

In the aftermath of Sandy, a key portion of the East Coast population either lost access to applications (email servers etc), or were unable to physically get to their offices. Many defaulted towards using consumer applications for business – Google Mail, Skype, Dropbox.

The behavior of leveraging personal technology and applications isn’t new. How many of you have sent documents to co-workers via Dropbox because you didn’t want to send huge files via email and crash a co-worker’s inbox? We’ve been seeing this dissolution of traditional distinction between business and personal use within the enterprise, and this behavior will continue. In this case, the ability to utilize these applications during the storm actually enhanced business productivity. At the same time, it does stress the need for network security that can safely enable applications based on users, applications and content. For example, the Dropbox application should have been enabled only for the right filetypes and functions (i.e. no uploads of sensitive corporate information), whether during sunny or stormy days.

Read the rest here:

http://www.securityweek.com/network-security-lessons-sandy


New Hack Abuses Cloud-Based Browsers

Turns out those cloud-based browsers that offload processing in the cloud for mobile devices can also be a cybercriminal's best friend: Researchers have found that those browser services can be abused to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power.

By Kelly Jackson Higgins, Dark Reading, Nov 28, 2012

A team of NC State University and University of Oregon researchers in their proof-of-concept used Google's MapReduce technique that allows parallel computing for performing fast computing in the cloud and the Puffin cloud-based browser service. They stored large data packets on URL-shortening sites to disguise the traffic between multiple nodes in order to test how the browsing service could be used for more than browsing.

"To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords ... you could use these available services" rather than paying for Amazon EC2 services, for instance, says William Enck, assistant professor of computer science at NC State and a co-author of the research paper published today by the team. "This is a way of getting that computation [power] without going through the hurdle [of payment fraud]."

The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.

Cloud-based password cracking using cloud-based computing has been proved before, with tools like the WPACracker service, created by researcher Moxie Marlinspike, to test the strength of passwords used in the encryption of wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, that uses the Amazon EC2 cloud to decrypt passwords and break into wireless networks via a brute-force password-cracking attack.

With this latest research in what is sometimes called "parasitic computing," the problem lies with the cloud browser providers themselves, whose resources can be abused by bad actors.

"Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system," says Jeremiah Grossman, CTO of WhiteHat Security.

NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with the users so they can detect possible abuse or rogue traffic.

Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"

Cloud browser providers can also limit the computing resources used by each user or client, he says, which also would help detect abuse.

Some providers currently employ features that can help minimize abuse. The Amazon Kindle Fire's Silk browser, for example, entails user registration and also sends a private key specific to the tablet as part of its handshake with the cloud-based servers. "Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts," the researchers wrote in their paper.

In their proof-of-concept, the researchers used 1-, 10- and 100-megabyte data packets rather than larger ones. "When we ran our experiments, we didn't overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practices and put undue strain on the technology we were using," Enck says.

"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays. The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers."

Read the rest here:

http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html


KILL THE PASSWORD: Why a String of Characters Can’t Protect Us Anymore

By Mat Honan, Wired, November 15, 2012

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.

In 413 BC, at the height of the Peloponnesian War, the Athenian general Demosthenes landed in Sicily with 5,000 soldiers to assist in the attack on Syracusae. Things were looking good for the Greeks. Syracusae, a key ally of Sparta, seemed sure to fall.

But during a chaotic nighttime battle at Epipole, Demosthenes’ forces were scattered, and while attempting to regroup they began calling out their watchword, a prearranged term that would identify soldiers as friendly. The Syracusans picked up on the code and passed it quietly through their ranks. At times when the Greeks looked too formidable, the watchword allowed their opponents to pose as allies. Employing this ruse, the undermatched Syracusans decimated the invaders, and when the sun rose, their cavalry mopped up the rest. It was a turning point in the war.

Read the rest here:

http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
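Honan's point is that the reset paths linking accounts matter more than the length of any one password: the AOL reset needs only public facts, the bank reset needs only the mailbox, and so on down the chain. The following is an added example, written for this newsletter and not taken from the Wired article, that models accounts as a graph whose edges are reset paths, computes what an attacker reaches from a given foothold, ranks which single account is the worst to lose, and shows how requiring a physical second factor on one account breaks the chain. The account names, reset rules and "public" facts are constructed; the shape mirrors the chain the article describes.

```python
"""Blast radius of one compromised account through password-reset chains.

Added example, not from the article. Accounts, reset rules and the set
of publicly known facts are constructed for illustration.
"""

# Each account lists its reset paths. A path is usable once the attacker
# controls every account it names AND knows every fact it names.
ACCOUNTS = {
    "aol_mail": [((), ("name", "birth_city"))],             # security questions
    "bank":     [(("aol_mail",), ())],                       # reset link to mail
    "apple_id": [((), ("billing_address", "card_last4"))],   # phone-support reset
    "gmail":    [(("apple_id",), ())],                       # recovery address
    "twitter":  [(("gmail",), ())],
    "amazon":   [(("gmail",), ("billing_address",))],
    "work_vpn": [(("hardware_token",), ())],                 # needs a physical token
}

PUBLIC_FACTS = ("name", "birth_city", "billing_address", "card_last4")


def reachable(accounts, controlled, known_facts):
    """Accounts that fall, beyond the starting set, by repeated resets.

    Fixed-point expansion: keep taking over any account whose reset path
    is satisfied by what is already owned, until a pass adds nothing.
    """
    owned = set(controlled)
    facts = set(known_facts)
    changed = True
    while changed:
        changed = False
        for acct, paths in accounts.items():
            if acct in owned:
                continue
            if any(set(a) <= owned and set(f) <= facts for a, f in paths):
                owned.add(acct)
                changed = True
    return owned - set(controlled)


def single_points_of_failure(accounts, known_facts):
    """Rank accounts by how many others their compromise alone hands over."""
    scores = {a: len(reachable(accounts, {a}, known_facts)) for a in accounts}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def with_second_factor(accounts, acct, device):
    """Copy of accounts where every reset path for acct also needs a device
    the attacker cannot obtain from public data (a phone in hand, say)."""
    hardened = dict(accounts)
    hardened[acct] = [(tuple(a) + (device,), f) for a, f in accounts[acct]]
    return hardened


if __name__ == "__main__":
    print("from public facts alone:", sorted(reachable(ACCOUNTS, set(), PUBLIC_FACTS)))
    print("worst single account to lose:", single_points_of_failure(ACCOUNTS, ())[0])
    fixed = with_second_factor(ACCOUNTS, "apple_id", "phone_in_hand")
    print("after a second factor on apple_id:", sorted(reachable(fixed, set(), PUBLIC_FACTS)))
```

With nothing but public facts the attacker reaches six of the seven accounts without guessing a single password; only the VPN, which needs a token rather than another account, survives. Putting a device-bound factor on the Apple ID alone drops that to the AOL mailbox and the bank it resets, which points at the real fix for that half of the chain: the mailbox reset should not be answerable from public facts either.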

Upcoming ISSA Events

2013 Spring Conference, Friday, Mar 8, Crowne Plaza Hotel, 7:30 – 5:00

2013 Fall Conference, Friday, Nov 15, Crowne Plaza Hotel, 7:30 – 5:00


Article for the Newsletter? If you would like to submit an article...

Are you a budding journalist? Do you have something that the Colorado Springs ISSA community should know about? Can you interview one of the “movers and shakers”? Tell us about it!

We are always looking for articles that may be of interest to the broader Colorado Springs security community.

Send your article ideas to Don Creamer at

[email protected] or

[email protected]

Ensure that “Newsletter” is in the subject line.

Looking forward to seeing you in print!

From Harry Smith: Here is one that may interest ISSA-COS members:

Information Security and Risk Management in Context: https://www.coursera.org/#course/inforiskman

At the very least it is good for some CPEs. (And it's free!)


Training

Date    Time           Location
Dec 14  11:00 to 1:00  Carrabba’s Italian Grill (North)
Jan 10  5:30 to 7:30   Bambino's Italian Eatery and Sports Bar, 2849 East Platte Avenue, Colorado Springs, (719) 630-8121
Feb 14  11:00 to 1:00  Bambino's
Mar 14  5:30 to 7:30   Bambino's
Apr 11  11:00 to 1:00  Bambino's
May 9   5:30 to 7:30   Bambino's
Jun 13  11:00 to 1:00  Bambino's
Jul 11  5:30 to 7:30   Bambino's
Aug 8   11:00 to 1:00  Bambino's
Sep 12  5:30 to 7:30   Bambino's
Oct 10  11:00 to 1:00  Bambino's
Nov 14  5:30 to 7:30   Bambino's
Dec 6   11:00 to 1:00  Carrabba’s North


2013 - 2014 ISSA-COS Elections

Executive Vice President

Recorder

Member-at-Large

These are two-year positions.

Elections at December luncheon (Carrabba’s). For nominations contact any Board member (see the back page of this Newsletter for their contact information)

Chapter Meetings: Note that the meetings will be on the 2nd Thursday of the month in 2013 (except Dec.).

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.

Information Systems Security Association
Developing and Connecting Cybersecurity Leaders Globally

Colorado Springs Chapter

www.issa-cos.org

Chapter Officers:

Mark Spencer—Chapter President

Dr. George J. Proeller—President Emeritus

Tim Hoffman—Executive Vice President

David Willson—Vice President

Melody Wilson—Treasurer

Royal Harrell—Communications Officer

Lora Woodworth—Recorder

Jeff Pettorino—Member at Large

William “Wells” Fargo—Member at Large

———————————-

Position Chair:

Deborah Johnson—Coins

James Stephens—Director of Training

Published at no cost to ISSA Colorado Springs by Sumerduck Publishing TM, Woodland Park, Colorado

Augmented Light Bulb Turns A Desk Into A Touch Screen

Powerful computers are becoming small and cheap enough to cram into all sorts of everyday objects. Natan Linder, a student at MIT’s Media Lab, thinks that fitting one inside a light bulb socket, together with a camera and projector, could provide a revolutionary new kind of interface—by turning any table or desk into a simple touch screen.

The LuminAR device, created by Linder and colleagues at the Media Lab, can project interactive images onto a surface, sensing when a person’s finger or hand points to an element within those images. Linder describes LuminAR as an augmented-reality system because the images and interfaces it projects can alter the function of a surface or object. While LuminAR might seem like a far-fetched concept, many large technology companies are experimenting with new kinds of computer interfaces in hopes of discovering new markets for their products.

Linder’s system uses a camera, a projector, and software to recognize objects and project imagery onto or around them, and also to function as a scanner. It connects to the Internet using Wi-Fi. Some capabilities of the prototype, such as object recognition, rely partly on software running on a remote cloud server.

LuminAR could be used to create an additional display on a surface, perhaps to show information related to a task in hand. It can also be used to snap a photo of an object, or of printed documents such as a magazine. A user can then e-mail that photo to a contact by interacting with LuminAR’s projected interface.

Read the rest here:

http://www.technologyreview.com/news/507836/augmented-light-bulb-turns-a-desk-into-a-touch-screen/

