From: The SANS Institute (NewsBites sans.org)
Date: Fri Jan 04 2008 - 12:04:56 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites January 4, 2008 Vol. 10, Num. 1
*************************************************************************
TOP OF THE NEWS
Australia Plans to Require Filtered Feeds from ISPs
Virginia Poised to Establish New Data Protection Laws
Privacy Advocates Appeal New German Data Retention Law
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Teen Draws 90-Day Sentence for Internet Service Disruption
Two Face Charges for Selling Phony Computer Components to US Military
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Passport Card Technology Concerns Privacy Advocates
POLICY & LEGISLATION
MPs Call for Tougher Data Breach Laws
German Justice Minister Denies Music Companies Access to Stored Data
for Civil Cases
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Warner Music to Offer its Catalog DRM-Free on Amazon MP3
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Just Two Security Bulletins for January's Patch Tuesday
US-CERT Warns of RealPlayer Flaw
MISCELLANEOUS
Should Digital Forensic Specialists Have to be Licensed PIs?
Malware Development Outpacing Anti-Virus
LIST OF UPCOMING FREE SANS WEBCASTS
************************** Sponsored By SANS ****************************
Penetration testing is going through radical changes. People trained as
little as two years ago are reporting that the techniques they learned
then are completely out of date. At the Penetration Testing and Ethical
Hacking Summit you will hear about the newest attacks and how the top
penetration testers are changing the way they do business. Las Vegas
March 17-18.
http://www.sans.org/info/21628
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development,
Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS'
other top-rated courses?
- New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- San Jose (2/2-2/8): http://www.sans.org/siliconvalley08/event.php
- Phoenix (2/11-2/18): http://www.sans.org/phoenix08/event.php
- Prague (2/18-2/23): http://www.sans.org/prague08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Australia Plans to Require Filtered Feeds From ISPs
(December 31, 2007)
In an effort to ensure that inappropriate Internet content does not
reach minors, the Australian government plans to require Internet
service providers (ISPs) to provide "clean" feeds to homes and schools.
If users want to opt out of the arrangement, they must contact their ISP
individually. The measure is aimed at protecting minors from
pornographic and violent material. Civil liberties advocates fear the
move is a large step backward in freedom of the Internet. There is also
some concern that parents will not monitor their children's Internet use
as closely as they should because they will be lulled into a false sense
of security. The mandatory filtering will be based in part on a list
of blacklisted sites provided by the Australian Communications and Media
Authority.
http://www.australianit.news.com.au/story/0,24897,22989956-15306,00.html
http://news.bbc.co.uk/2/hi/asia-pacific/7165987.stm
[Editor's Note (Pescatore): In most countries, demand for parental
controls has made them available at most ISPs already, so the only real
difference here is forcing opt out vs. allowing opt-in. Requiring ISPs
to make filtered Internet feeds the default is sort of like making
libraries have censored books on the shelves and requiring readers to
ask for the uncensored versions. Censorship is always a slippery slope
- who gets to define "inappropriate"?]
--Virginia Poised to Establish New Data Protection Laws
(January 3, 2008)
Virginia Governor Timothy M. Kaine has announced proposed legislation
to help protect Virginia residents from identity fraud. The proposed
laws include required breach notification; state government would be
subject to the requirement as well. Entities would be exempt from the
notification requirement if they can prove that there is no reasonable
risk of harm as a result of the breach. Virginia residents would also
have the power to place freezes on their credit reports until issues
raised by the data breach are resolved.
http://www.govtech.com/gt/print_article.php?id=242006
[Editor's Note (Schultz): I have mixed reactions towards this proposed
legislation. Allowing state residents to freeze their credit reports
until identity theft and related issues are solved is good, but allowing
companies to decide whether there is a reasonable risk of harm is once
again proverbially putting the fox in charge of the hen house.]
--Privacy Advocates Appeal New German Data Retention Law
(January 2, 2008)
Citizens opposed to Germany's new data retention law are appealing it
in the country's Federal Constitutional Court. The law, which took
effect on January 1, requires telecommunications companies to retain
customer telephone and Internet connection data for at least six months.
Opponents call the law unconstitutional because it treats everyone like
potential criminals. Proponents of the law say it is necessary to help
fight terrorism and organized crime.
http://www.heise.de/english/newsticker/news/101196
http://www.theregister.co.uk/2008/01/02/german_data_retention_objection/print.html
[Editor's Note (Shpantzer): For a quick glimpse into the potential data
mining capabilities available with this information, see
http://www.i2inc.com/Solutions/MajorInvestigations/default.asp ]
************************* Sponsored Links: ***************************
1) Rediscover New Orleans and hear about Process Control Security
issues. - Process Control & SCADA Summit January 16-17.
http://www.sans.org/info/21633
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Teen Draws 90-Day Sentence for Internet Service Disruption
(January 3, 2008)
A Wisconsin teenager was sentenced to 90 days in jail for breaking into
a computer network and cutting off Internet access to residents of the
Marshfield, Wisconsin area for 18 hours last April. Shaun Lancaster was
granted work-release status for his term. He was also ordered to serve
three years probation and to pay restitution of approximately US $6,000.
http://www.thenorthwestern.com/apps/pbcs.dll/article?AID=/20080103/OSH/80103040/1987
--Two Face Charges for Selling Phony Computer Components to US Military
(December 24, 2007)
Two men have been charged with felony crimes for allegedly selling phony
computer products to branches of the US military and US government
agencies. Brothers Michael and Robert Edman allegedly imported
imitation computer components as well as counterfeit Cisco Systems
stickers to make the components appear legitimate. The brothers also
allegedly sold phony components to federal prisons, a cable television
company and local law enforcement agencies on the west coast.
http://www.click2houston.com/news/14920413/detail.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--Passport Card Technology Concerns Privacy Advocates
(December 31, 2007)
The US State Department has approved technology that will allow US
citizens traveling to Canada, Mexico, Bermuda and the Caribbean to use
passport cards that can be machine read from a distance of 20 feet. The
card can be used in place of a passport. Critics of the plan believe
more should be done to protect the information contained on the card.
The card will not contain biographical data, according to Ann Barrett,
deputy assistant secretary for passport services at the State
Department.
http://www.msnbc.msn.com/id/22454148/
[Editor's Note (Pescatore): There are some security features with the
card (a protective sleeve, minimal data on the chip) since it is really
just an RFID chip. However, there are issues around cloning or spoofing
that arise because of the simplicity. By far the biggest issue, though:
why hasn't there been an open security review during the design phase?]
POLICY & LEGISLATION
--MPs Call for Tougher Data Breach Laws
(January 3, 2008)
A report from a committee of UK members of Parliament (MPs) says
government officials should face criminal charges if they handle
personal information in a reckless manner that puts it at risk of
misuse. The Commons Justice Committee's report was prompted by the
recent disclosure that 25 million individuals' personally identifiable
information was lost by HM Revenue and Customs (HMRC). The committee
was surprised to learn that the changes made by HMRC after the breach
had not been in place long ago. Furthermore, it appears that other
ministers may soon be coming forward with admissions of data loss. The
committee's report calls for entities that lose data to be legally
obligated to notify both those affected and the Information
Commissioner. The report also calls for giving Information
Commissioner Richard Thomas the authority to conduct unannounced spot
checks on data security procedures in both government and private
industry.
http://news.bbc.co.uk/2/hi/uk_news/politics/7168588.stm
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/01/03/ndata203.xml
--German Justice Minister Denies Music Companies Access to
Stored Data for Civil Cases
(January 2, 2008)
German Justice Minister Brigitte Zypries says that the music industry
does not have the right to demand stored Internet data to pursue its
copyright violation allegations in civil cases. Only police and the
public prosecutor's office may use the stored data.
http://www.heise.de/english/newsticker/news/101210
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Warner Music to Offer its Catalog DRM-Free on Amazon MP3
(December 27, 2007 & January 2, 2008)
The Warner Music Group has reached a deal with Amazon to sell music from
its catalog over the Internet without digital rights management (DRM)
protection. The music will be available on Amazon MP3 and will play on
any personal music device. The agreement between Warner and Amazon
leaves BMG as the only major recording label that has not signed on with
Amazon MP3.
http://www.siliconrepublic.com/news/news.nv?storyid=single9933
http://news.bbc.co.uk/2/hi/business/7162280.stm
[Editor's Note (Shpantzer): I tried this service out last week and it
worked fine for me. Between iTunes Plus and Amazon MP3, we're beginning
to see great DRM-free download services that are user friendly, cheap
and include the most popular music available.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Just Two Security Bulletins for January's Patch Tuesday
(January 3, 2008)
Microsoft's first security release of 2008 will include just two
updates, according to Microsoft's Advance Notification. Both updates
will address vulnerabilities in Windows. One of the two bulletins has
a maximum severity rating of critical, while the other's highest rating
is important. Many expect that the bulletin with the critical rating
will address a remote code execution flaw in all supported versions of
Windows. The second bulletin addresses a local elevation of privilege
flaw in all versions of Windows except Vista. The bulletins will be
released on Tuesday, January 8.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055182&source=rss_topic17
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx
--US-CERT Warns of RealPlayer Flaw
(January 3, 2008)
The United States Computer Emergency Readiness Team (US-CERT) has issued
a warning about a critical flaw in RealPlayer software. The stack
overflow vulnerability exists in RealPlayer version 11 on Windows XP
with Service Pack 2. Although the group that discovered the flaw has
not released technical details, it has released proof-of-concept exploit
code.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055038&source=rss_topic17
http://www.theregister.co.uk/2008/01/03/realplayer_vuln/print.html
http://www.scmagazine.com/uk/news/article/774594/us-cert-warns-realplayer-exploit
MISCELLANEOUS
--Should Digital Forensic Specialists Have to be Licensed PIs?
(January 2, 2008)
Proposed legislation in South Carolina would require that all digital
forensic evidence be gathered by a licensed private investigator (PI)
or through a PI-licensed agency. Not only would evidence gathered by
unlicensed individuals not be admissible in court, but the people who
gathered the evidence could face criminal prosecution. At least seven
states have pursued legal action against digital forensic specialists
who work without a PI license. A proponent of the pending legislation
says its aim is to protect the integrity of digital evidence and the
quality of digital forensics. The claims have some basis in experience;
evidence has been thrown out because investigators did not procure the
digital evidence with enough caution, and others have used digital
evidence that should not be admissible but the defendants are not
knowledgeable enough to challenge its validity.
http://www.baselinemag.com/print_article2/0,1217,a=222483,00.asp
[Guest Editor's Note (Rob Lee): While several years old, the debate over
whether InfoSec consultants need to be licensed Private Investigators
(PIs) to handle digital evidence seems to be gathering steam and is
being lobbied for by existing PIs. Legislators should be extremely
careful in passing
such licensing requirements. A nurse can collect evidence of sexual
assault or an accounting firm's CPAs could discover evidence of fraud.
Given the technical nature of digital evidence, courts should be quick
to recognize that special skills are required in the same vein as
nursing, accounting, and other special skills certifications. Digital
forensic and InfoSec training, experience, and certification are the
right answer, not licensing without technical qualifications.
(Northcutt): Ex-cops that get their PI license and can barely push
Encase around are not able to deal with anti-forensics tools. If you
hear about PIs lobbying for this in your state or country, please drop
me a note, stephen sans.edu, we need to quit settling for the lowest
common denominator.]
--Malware Development Outpacing Anti-Virus
(January 1, 2008)
Protecting computers from malware infections requires a combination of
anti-virus products, firewalls, tools that detect behavioral anomalies,
and good old-fashioned human caution. Anti-virus alone cannot do the
job because malware purveyors are growing skilled at releasing new
variants that won't immediately be detected by signature-based
anti-virus products. There are tools available on the Internet that
allow users to test whether pieces of code are detectable by different
anti-virus systems. Some malware creators have reportedly even set up
their own laboratories to ensure that their latest releases will have
time to infect computers before anti-virus companies learn of the new
malware's existence.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9054758
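The point above, as an added illustration that is not from the Computerworld article nor from any anti-virus vendor's code: an exact-hash signature stops matching as soon as a variant differs by a single byte, while a structural similarity check (here a byte 4-gram Jaccard score) still flags the variant and leaves a benign file alone. The "malware" samples are constructed placeholder byte strings, not real malware, and the 4-gram/0.8-threshold detector is a toy choice for the demonstration, not any product's algorithm.

```python
"""Exact-signature matching versus similarity matching on a patched variant.

All samples below are constructed placeholders for the demonstration.
"""
import hashlib
from typing import Dict, Set

# Constructed stand-in for a "known bad" binary: a fake header plus a
# repeated payload string. Not real malware.
KNOWN_BAD = b"MZ\x90\x00" + b"PAYLOAD:download+execute;beacon=evil.example;" * 4

# A "new variant": the same file with one byte flipped (as a repacker,
# re-padder or a trivial edit by the malware author would do).
VARIANT = KNOWN_BAD[:10] + bytes([KNOWN_BAD[10] ^ 0x01]) + KNOWN_BAD[11:]

# A constructed benign file sharing only the fake header.
BENIGN = b"MZ\x90\x00" + b"Hello, world. Nothing to see here. " * 6


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "signature database": exact hashes of every sample the vendor has seen.
SIGNATURES: Set[str] = {sha256_hex(KNOWN_BAD)}


def signature_match(sample: bytes) -> bool:
    """Exact-hash detection: fires only on a byte-identical file."""
    return sha256_hex(sample) in SIGNATURES


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of all overlapping n-byte substrings of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard similarity |a & b| / |a | b| of two n-gram sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


KNOWN_BAD_NGRAMS = ngrams(KNOWN_BAD)


def similarity_match(sample: bytes, threshold: float = 0.8) -> bool:
    """Fuzzy detection: flags a sample whose byte structure is close to a
    known-bad one. The threshold is a toy choice for this demonstration."""
    return jaccard(ngrams(sample), KNOWN_BAD_NGRAMS) >= threshold


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Run both detectors over the constructed corpus and return verdicts."""
    corpus = {"known_bad": KNOWN_BAD, "variant": VARIANT, "benign": BENIGN}
    return {
        name: {"signature": signature_match(s), "similarity": similarity_match(s)}
        for name, s in corpus.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:10s} signature={verdict['signature']!s:5s} "
              f"similarity={verdict['similarity']}")
```

The exact-hash detector is what an attacker's "test against every engine before release" workflow defeats: one flipped byte yields a brand-new hash. The similarity detector is the kind of structural check (fuzzy hashing, n-gram or import-based matching) that closes part of that gap; behavioural monitoring, which the article also calls for, catches what survives even that.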
SANS Reading Room Paper Review by Stephen Northcutt
VoIP Security Vulnerabilities
By David Persky with Joey Niem as the paper advisor.
This GIAC Gold gets off to a slow start, but hang in there. If you keep
hitting page down, I promise you will be rewarded by some serious
nuggets. Overall, great material, the author clearly knows what he is
talking about. Page 11 introduces the problem VoIP causes with
perimeters. According to a reference in the paper, 75% of the polled
organizations plan to replace their security appliance after
implementing VoIP. On page 14, the author introduces VoIP penetration
testing and provides a reference to a company that does this. The author
then discusses general threats and architecture issues. On page 24,
things start to get really interesting. We see a GUI interface for a
Cisco VoIP phone and the Google search Persky used to find it. I typed
the search into Google and sure enough, Cisco phones started appearing
in my browser. We then learn how to do the same thing with the Uniden
UIP1868P VoIP phone. Next, we learn how to take advantage of
undocumented features in a Hitachi IP5000 VOIP WIFI Phone 1.5.6. On page
37, Persky begins a list of tools that can be used to test the security
of a VoIP system. There are a number of pages that are required reading
if you run the popular Asterisk VoIP PBX. On page 85, we reach my
favorite section of the paper, a discussion on Skype. The author talks
about vulnerabilities, but there is also a great discussion on how to
detect Skype and how that is getting harder and harder to do. The final
technical section is an in-depth discussion on the Cisco IP phone. If
you are running VoIP or plan to run VoIP, or even believe you are NOT
running VoIP, this is a valuable paper to read. I give it two thumbs up!
http://www.sans.org/reading_room/whitepapers/voip/2036.php
LIST OF UPCOMING FREE SANS WEBCASTS
Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
http://www.sans.org/info/20187
Sponsored By: Core Security
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
SANS Tool Talk Webcast: NAC - After the Honeymoon
WHEN: Tuesday, January 15, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alok Agrawal, Jimmy Ray Purser, and Robb Boyd
https://www.sans.org/webcasts/show.php?webcastid=91714
Sponsored By: Cisco Systems
It's fair to say that NAC, or Network Admission Control, has certainly
enjoyed its day in the sun. Despite being a very real technology solving
very real problems, NAC has now moved out of the spotlight of center
stage and is firmly entrenched as a set of technologies that every
enterprise has some kind of an opinion on. Whether you have deployed
some type of NAC solution today, have plans for it in the future or
perhaps are truly wondering what the heck we are talking about, this
conversation is for you. The problems can be pretty easy to understand
but the devil is in the details - we promise to sort through the details
in this interactive conversation. Please join Robb Boyd from Cisco's
TechWiseTV as he welcomes his panel of experts, Jimmy Ray Purser, Chief
Geek for Cisco's TechWiseTV and Alok Agrawal, Manager of Technical
Marketing from Cisco's NAC Business Unit.
SANS Ask the Expert Webcast: Going beyond log management to solve
security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
http://www.sans.org/info/20202
Sponsored By: eIQnetworks
In this webcast, learn the benefits of going beyond log management to
perform end-to-end correlation and analysis, how compliance can tie into
the use of security technologies, and why the future of security
information management (SIM) systems is shaping up to integrate
security, risk and audit management onto one platform.
SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
http://www.sans.org/info/20207
Sponsored By: Core Security
Embedded devices come into your network and appear in many different
forms, including printers, iPhones, wireless routers and network-based
cameras. What you might not realize is that these devices offer unique
opportunities for attackers to do damage and gain access to your network
- and to the information it contains. This webcast will review known
embedded device vulnerabilities and cover how these vulnerabilities can
be used to gain control of devices, networks, and data - and, more
importantly, what can be done about it.
SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies
On Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the
SANS Database Auditing and Compliance Survey. Conducted over three
months, 348 respondents answered a variety of questions ranging from
their perceptions of compliance issues to security frameworks and roles
and responsibilities for data privacy protection inside their
organizations. We will also be announcing the $250 American Express card
winner from among nearly 200 respondents who signed up for our drawing.
********************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and John Weinschenk
http://www.sans.org/info/20062
Sponsored By: Cenzic http://www.cenzic.com/
This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application
Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
http://www.sans.org/info/20057
Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported
that 61% of all vulnerabilities disclosed in the first half of 2007 were
web application vulnerabilities. It's no wonder, since web apps are
often highly customized and can be rife with potential security holes.
Fortunately, recent advances in penetration testing products can help
you to pinpoint and prove web application security weaknesses - even in
customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN
NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
http://www.sans.org/info/20052
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and
how much data should it store for post-mortem analysis? Join this
Webcast to hear senior SANS Analyst Jerry Shenk go over his test results
on the NetDetector/NetVCR 2005 and features such as full packet
inspection and the ability to call up and review raw data in its native
format.
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkd+beAACgkQ+LUG5KFpTkZcdQCdGc6Zz4FeFUWxJDhqbsLdVCef
TqcAn3/0FC3ke0fjhVz8iYqi84bEgVex
=tJyO
-----END PGP SIGNATURE-----