From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jul 24 2007 - 13:10:40 CDT
Good News on Application Security:
In addition to the White House mandate reported earlier, more than 150
companies that are implementing secure coding programs are coming to
Washington in three weeks to hear VISA clarify the application security
requirements in the PCI standard and to hear application security
pioneers from Morgan Stanley, Cisco, LexisNexis, Oracle, Honeywell,
Sovereign Bank, Depository Trust, Polk, TSA, Ounce, SpiDynamics,
TippingPoint, and the FBI share the lessons they learned in establishing
their secure application development programs: how to manage outsourced
application development securely; how to get the developers engaged; how
to pick the right tools; how to train and test programmer skills and
much more. If you are building an application security program and/or
if you are subject to PCI, attending the Application Security Summit
will save you months of research and will help you avoid the pitfalls
that have hurt other programs.
Agenda and registration: http://www.sans.org/appsummit07
Companies attending the Summit also get scholarships for two of their
programmers to participate in the Secure Software Certification
Examinations (in Java and in C) the day before the Summit.
Details: http://www.sans.org/gssp07/ Questions: email apaller@sans.org.
*************************************************************************
SANS NewsBites July 23, 2007 Vol. 9, Num. 58
*************************************************************************
TOP OF THE NEWS
iPhone Vulnerability Lets Attackers Take Control
Standard Windows Desktop Configuration Image Expected Early Next Month
DoJ Proposes Enhanced Identity Theft Legislation
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Ten Indicted in Academic Record Altering Scheme
Former Employee Sues Pfizer Over Data Exposure
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
SAIC Breach Exposes Armed Services Personnel Data
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
U of Michigan Databases Breached
Ohio IG's Report Says Blame for Stolen Data is Shared
M&T Bank Issues New Visa Cards in Wake of Retailer Breach
STATISTICS, STUDIES & SURVEYS
Irish Companies Unaware of Liability for Employees' Internet Behavior
MISCELLANEOUS
eVoting Machines Undergo Rigorous Testing in California
Search Engines Jump on the Privacy Bandwagon
LIST OF UPCOMING FREE SANS WEBCASTS
************************ Sponsored By ArcSight, Inc. ********************
Free Whitepaper: Calculating Return on Security Investment
With budgets shrinking and regulations growing, today's IT managers need
to justify every security infrastructure purchase. Calculating Return
on Security Investment (ROSI) means measuring the intangibles. Learn how
to measure ROSI with our free whitepaper.
Brought to you by ArcSight, the leader in security, compliance and
insider threat.
http://www.sans.org/info/11666
*************************************************************************
SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the
largest fall conference on cybersecurity with more than 40 courses and
wonderful evening sessions and a big vendor exposition. Most
importantly, it brings together the top rated teachers in cybersecurity
in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented
immediately in the work place." (Christopher O'Brien, Booz Allen
Hamilton)
"The quality of teachers, speakers, and even attendees is far superior
to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true
experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/
*************************************************************************
TOP OF THE NEWS
--iPhone Vulnerability Lets Attackers Take Control
(July 23, 2007)
A trio of individuals has contacted Apple Computer regarding a flaw they
discovered in the iPhone that could be exploited to take control of the
device. The three recommended a patch for the flaw and noted that the
phone has strong security measures, but "once [they] managed to find a
hole, [they] were in complete control." One of the three plans to
present additional information about the vulnerability at a conference
at the beginning of August. Once in control, attackers could use the
phone to make calls, access data on the phone, or even use it as a
bugging device. The flaw can be exploited through malicious sites or a
man-in-the-middle attack; users need to be tricked into accessing a
malicious wireless access point. The three also observed that "all
processes of interest run with administrative privileges. This implies
that a compromise of any application gives an attacker full access to
the device."
http://www.nytimes.com/2007/07/23/technology/23iphone.html?_r=1&oref=slogin&pagewanted=print
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027560&source=rss_topic17
[Editor's Note (Pescatore): This may not sound like an enterprise worry,
but it is pretty easy to connect the iPhone to corporate email systems.
You know that it will creep into use by your employees regardless of
policy that says "Don't." Like all immature software, more
vulnerabilities will continue to be found - Apple needs to provide
enterprise support features so that vulnerability management and data
protection can be extended to the iPhone.]
--Standard Windows Desktop Configuration Image Expected Early Next Month
(July 16 & 23, 2007)
The test image for standard Windows configuration is expected to be
available for US government agencies in early August, more than three
months after the April 20 deadline set by the Office of Management and
Budget (OMB). The National Institute of Standards and Technology (NIST)
will release a virtual PC and virtual security settings so agencies can
test applications in that environment without running into problems on
their own systems. The delay of the Windows desktop image makes it
likely that agencies will not meet the February 2008 implementation
deadline.
http://www.gcn.com/print/26_18/44694-1.html?topic=security&CMP=OTC-RSS
http://www.fcw.com/article103221-07-16-07-Print&printLayout
--DoJ Proposes Enhanced Identity Theft Legislation
(July 20, 2007)
The US Department of Justice (DoJ) has submitted the Identity Theft
Enforcement and Restitution Act of 2007 to Congress. The proposed
legislation expands identity theft and aggravated identity theft
statutes to include prosecution for those who steal data from
organizations as well as from individuals. The bill would also provide
financial restitution for people who have to spend time fixing the
problems created by identity theft.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200149
[Editor's Note (Schultz): This proposed legislation is extremely
significant in the fight against identity fraud. At the same time,
however, I would not count on it passing given the US Congress' voting
record concerning issues that affect the welfare of the public over the
last few years.]
*************************** SPONSORED LINKS ***************************
1) ALERT: Web 2.0 Hacking - Attack Scenarios and Examples
http://www.sans.org/info/11671
2) Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.sans.org/info/11676
3) Learn how this innovative, intelligence-led security strategy can
proactively address risks in today's online world. New FREE report
provides the facts.
http://www.sans.org/info/11681
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Ten Indicted in Academic Record Altering Scheme
(July 23, 2007)
The director of the computer center and the director of admissions at
Touro College have both been charged in connection with a grade altering
and transcript-forging scheme. The pair took bribes to alter the
academic records of current Touro students and forge transcripts for
people who never attended the college. Eight other people were
indicted, including another Touro employee. "Touro College's own
vigilance and oversight led to the discovery of unauthorized changes in
student records." The indicted employees have been fired.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200429
http://www.touro.edu/general/statements/records-jul1707.asp
[Editor's Note (Pescatore): The fact that the college *did* detect the
changes probably puts them in the upper 10% of enterprises as far as
having processes and controls that actually assure the integrity of data
from sys admin actions. Many have gotten better at detecting sensitive
data leaving the enterprise, but protecting stored data from
unauthorized actions by authorized people is still a major weakness.
(Weatherford): It may sound naive, but the lack of moral compass here
is appalling. Another case of people thinking they are above the law.
The positive message is that they had auditing and a control process in
place to identify this activity and then the administration had the
gravities to take action and fire the criminals!
(Grefer): Kudos to the college for not only having policies and
procedures in place, but also enforcing them.]
--Former Employee Sues Pfizer Over Data Exposure
(July 20, 2007)
A former Pfizer employee has filed a class action lawsuit against the
company over personal data that was exposed on the Internet. The data
made their way to the Internet through a file-sharing program that had
been installed on a Pfizer-owned laptop by an employee's spouse. The
suit seeks identity theft insurance and the creation of a fund to pay
for damages incurred by the affected individuals. The exposed data
include names, Social Security numbers (SSNs) and bonus pay information
of approximately 17,000 current and former Pfizer employees. Pfizer
notified people affected by the breach more than two months after the
data's exposure.
http://www.2theadvocate.com/news/8614177.html
[Editor's Note (Northcutt): This is the second time this year we have
covered a story of a spouse installing software on a corporate computer
leading to data compromise. I feel a security policy update coming on!]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--SAIC Breach Exposes Armed Services Personnel Data
(July 20, 21 & 23, 2007)
Science Applications International Corporation (SAIC) has acknowledged
that "personal information of certain uniformed service members, family
members, and others was placed at risk for potential compromise while
being processed" by the San Diego-based Pentagon contractor. The data
were transmitted over the Internet unencrypted. Approximately 580,000
households received notification of the breach; some of the households
have more than one affected member. The data include names, SSNs,
birthdates and some health information. The data belonged to TRICARE,
the health benefits program for armed service members, families and
retirees. SAIC was alerted to the breach on May 29 "by US Air Force
personnel in Europe [who] detected sensitive information being
transmitted in clear across the net." SAIC was aware of security
problems with this particular server even before the alert; two weeks
earlier, the company had shut down the server "based on general concerns
regarding the security of transmissions." The server itself was not
secured, which violated both SAIC and US Defense Department policy. An
unspecified number of SAIC employees have been placed on administrative
leave pending the results of investigations.
http://www.theregister.co.uk/2007/07/23/whoops_sorry_have_a_complimentary_peanut/print.html
http://www.signonsandiego.com/uniontrib/20070721/news_1b21saic.html
http://www.chron.com/disp/story.mpl/ap/fn/4986322.html
http://www.armytimes.com/news/2007/07/military_saicdatabreach_070720w/
http://www.saic.com/response/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--U of Michigan Databases Breached
(July 21, 2007)
Following the discovery of unauthorized activity on a University of
Michigan (U-M) server, 5,500 current and former U-M School of Education
students have been notified that their personal information may have
been compromised. The breach affected two databases that contain names,
addresses, SSNs and in some instances, birth dates and the school
districts where graduates were employed. The breach was discovered on
July 3 and the notification letters were sent July 16.
http://www.freep.com/apps/pbcs.dll/article?AID=/20070721/NEWS06/70721011/
--Ohio IG's Report Says Blame for Stolen Data is Shared
(July 20 & 21, 2007)
A report from Ohio's inspector general (IG) says a series of decisions
made by a number of people are to blame for the theft of a data storage
device that holds personally identifiable information of more than one
million Ohio residents. The device was stolen from the car of state
office intern Jared Ilovar, who had been instructed to take the device
home as part of an arrangement to keep data backups offsite. David
White, the program manager of the Ohio Administrative Knowledge System
(OAKS) and Ilovar's supervisor, initially downplayed the seriousness of
the incident and advised Ilovar to keep pertinent information from
police. White's resignation was announced following the report's
release; Ilovar has been fired. The report also notes that a February
2007 audit indicated that sensitive data were accessible on a shared
drive on the OAKS intranet, but no steps were taken to mitigate that
problem. The report does not recommend criminal prosecution for any
state employees or IT contractors, though it does recommend disciplinary
action for some.
http://toledoblade.com/apps/pbcs.dll/article?AID=/20070720/BREAKINGNEWS/70720026
http://news.enquirer.com/apps/pbcs.dll/article?AID=/20070721/NEWS01/707210397/1077/COL02
[Editors' Note (Weatherford and Grefer): The blame is almost ALWAYS
shared! It's a rare incident where a single person is responsible for
everything from policy to physical security to information security.
Even if all of the policies and procedures are in place, the use of
"past practices" and informal methods of "being more productive" will
circumvent the best security policy. It's a culture thing! ]
--M&T Bank Issues New Visa Cards in Wake of Retailer Breach
(July 20, 2007)
Buffalo (NY)-based M&T bank is issuing new Visa cards to an unspecified
number of customers following a data security breach at an unnamed
retailer. The bank was alerted to the breach by Visa. Customers were
notified by letters dated July 13; the letters indicated that some card
information stolen in the breach had been used to conduct fraudulent
transactions.
http://www.pressconnects.com/apps/pbcs.dll/article?AID=/20070720/BUSINESS/707200312/1006
[Editor's Note (Northcutt): The pressure continues to build. In this
case the bank bears the cost of reissuing credit cards due to a breach
of security at a retailer. Meanwhile the retailer is working with a
credit card system that is inherently insecure; the proof of that being
the very large number of merchant breaches. The retailer bears the cost
of implementing manual procedures (Payment Card Industry practices) to
layer a degree of assurance over the inherently insecure design. At some
point we will find ourselves in a shootout, amazingly enough, 18 - 21%
interest only cures all up to a point and I think we are starting to
reach that point.
(Weatherford): It's interesting to read about a breach by the financial
institution affected but the retail organization responsible for the
incident isn't identified.
(Grefer): WGRZ coverage refers to intrusions at several major US
companies rather than a single unnamed retailer.
http://www.wgrz.com/news/news_article.aspx?storyid=49584 ]
STATISTICS, STUDIES & SURVEYS
--Irish Companies Unaware of Liability for Employees' Internet Behavior
(July 19, 2007)
A Chambers Ireland eBusiness Survey found that just 37 percent of the
companies surveyed are aware that they are responsible for their
employees' online behavior. Current
law allows businesses to be prosecuted if their employees engage in
illegal activity using electronic communications over the company
network. Many employers were also unaware that they are required to
inform employees if they are going to monitor files and email. The
survey covers other areas as well, including broadband use and converged
communications service.
http://www.theregister.co.uk/2007/07/19/chambers_ebusiness_survey/print.html
MISCELLANEOUS
--eVoting Machines Undergo Rigorous Testing in California
(July 23, 2007)
For two months, experts have been testing electronic voting machines on
the orders of California Secretary of State Debra Bowen. Bowen's report
on the machines is due on August 3, just six months before the
presidential primary elections in February 2008. Most eVoting machine
testing until this point has centered on whether or not the machines do
what the vendors claim they do. This battery of tests put the machines
in real-world scenarios of active attacks aimed at altering the outcome
of elections. The report will indicate whether or not the machines
should be certified for use in upcoming elections. Voting machine
vendors and county registrars have vested interests in the outcome of
the report.
http://www.contracostatimes.com/technology/ci_6441197?nclick_check=1
[Editor's Note (Schultz): Good for Ms. Bowen and the state of
California! Voting machines should not be used unless they have passed
a series of rigorous tests, the kinds of tests Ms. Bowen is having
performed.]
--Search Engines Jump on the Privacy Bandwagon
(July 22 & 23, 2007)
Following Google's lead, other search engines are revamping and
publicizing their data retention policies. In March, Google announced
that it would begin anonymizing the search data it retains after the
data are between 18 and 24 months old unless faced with a legal
obligation to keep them longer. Microsoft plans to remove identifying
information from retained search data after 18 months, unless users want
the information held for a longer period. Microsoft search data will
be held separately from data that identifies users personally.
Microsoft also plans to offer a way for users to search anonymously on
Microsoft Windows Live websites. Yahoo! will start anonymizing IP
addresses associated with searches after 13 months, and Ask will not
retain users' search history at all if users request. If the users
allow their search data to be retained, Ask will anonymize the data
after 18 months. The issue of stored search data came to light last
year when AOL posted information about 650,000 searches on the website;
information included in some of the query data could be used to identify
the individuals who conducted searches. A joint statement from Ask and
Microsoft calls for search engines to create industry standards to make
clear to consumers what data they collect, how those data are used, and
what role the stored data play in advertising.
http://news.com.com/2102-1030_3-6198053.html?tag=st.util.print
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027579&source=rss_topic17
http://news.bbc.co.uk/2/hi/technology/6911527.stm
http://www.siliconrepublic.com/news/news.nv?storyid=single8845
[Editor's Note (Grefer): An opt-in model would be beneficial. Providing
certain types of value-added services that actually require this type
of information in order to properly function to only those people who
opt-in is not all that difficult to implement.]
LIST OF UPCOMING FREE SANS WEBCASTS
July 18, 2007: Ask The Expert: Making Your Web Applications PCI Compliant
http://www.sans.org/info/11651
Sponsored By: SPI Dynamics
June 28, 2007: Ask The Expert: The Importance of Web Application Security
for PCI Compliance
http://www.sans.org/info/11656
Sponsored By: Watchfire
June 27, 2007: WhatWorks in Log Management: Regulating Logs Globally
http://www.sans.org/info/11661
Sponsored By: LogLogic, Inc.
---end---
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/