SANS NewsBites Vol. 10 Num. 14

From: The SANS Institute (NewsBitessans.org)
Date: Tue Feb 19 2008 - 13:26:05 CST



SANS Delays Penetration Testing Summit
For the first time in its 19 years of existence, SANS has postponed a
scheduled event. The Penetration Testing and Ethical Hacking Summit was
moved from March to June, but for a very good reason: to allow the Pen
Testing folks to also attend the web application security sessions at
SANS Application Security Summit, and vice versa. But that's not the
only good news. By delaying it to June, we were also able to persuade
both Johnny Long (the highest rated hacking speaker other than Ed
Skoudis - who will chair the Summit) and H.D. Moore (the renowned author
of Metasploit) to come share their latest findings at the Pen Testing
and Ethical Hacking Summit.

So if you buy penetration testing services or if you perform penetration
testing or red teaming, please join others with like interests in Las
Vegas June 2-3 (courses June 4-5).

More information: http://www.sans.org/pentesting08_summit/

                                       Alan
*************************************************************************
SANS NewsBites February 19, 2008 Vol. 10, Num. 14
*************************************************************************
TOP OF THE NEWS
  Indiana Lawmakers Consider Requiring Companies to Encrypt Customer Data
  White House Wary of Proposed Changes to FISMA
  UK and Australia Mull Making ISPs Piracy Monitors
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Teen Pleads Guilty in Botnet Scheme
    SEC Appeals Judge's Order to Release Illegal Profits to Hacker
    Woman Fined for Intercepting Nanny Agency eMail
    Former Intern Arrested for Allegedly Accessing City eMail
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    UK Information Commissioner's Office Says Number of Data Breaches
      Not Out of the Ordinary
    ISP Gave FBI More Data Than it Sought in National Security Letter
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Nine Sued for Selling Pirated Software on eBay
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    FreeBSD Flaws Fixed
  MISCELLANEOUS
    Halifax Bank Blocks Credit Card Payments to WoW Publisher
LIST OF UPCOMING FREE SANS WEBCASTS

***************** Sponsored By Credant Technologies *********************

FULL DATA ENCRYPTION2 = Full Disk without the Risk
Full disk encryption methods require unwelcome compromises to IT
operations, and can't provide the level of data security that
enterprises now need.
New Full Data Encryption2 is here! Protect What Matters: Your Data.
Download overview.

http://www.sans.org/info/24194
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
    bonus sessions and a huge exhibition of security products:
       http://www.sans.org/sans2008
- Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 -- Indiana Lawmakers Consider Requiring Companies to Encrypt Customer Data
(February 16, 2008)
Indiana state legislators are considering a bill that would require
companies to encrypt customers' personal data to protect them from
identity fraud. The Indiana House version of the bill requires that
companies use high-level encryption for customer data and that they
report breaches to affected customers and to the state attorney
general's office, where a list of all reported breaches would be
available for citizens' perusal. The Senate version of the bill would
not require as high a level of encryption or notification of the
attorney general's office. The House and Senate are trying to reconcile
their bills.
http://www.indystar.com/apps/pbcs.dll/article?AID=/20080216/BUSINESS/802160415/-1/LOCAL17&template=printart
See the text of the bill here:
http://www.in.gov/apps/lsa/session/billwatch/billinfo?year=2008&session=1&request=getBill&docno=1197
[Editor's Note (Shpantzer): Interesting thing about the wording here:
it says that a "'Breach of the security of a system' means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information." So if someone
causes a database to crash (attack on integrity), but no information
is leaked (confidentiality is maintained), then the law says a 'breach'
has occurred.
(Schultz): It is troubling to learn that the biggest obstacle to this
bill's being passed is controversy concerning whether the Indiana
attorney general's office must be notified when data security breaches
occur. The proposal that all customer data be encrypted is both
exemplary and groundbreaking--it needs to become law regardless of
whether the provision concerning required reporting goes through. ]

 -- White House Wary of Proposed Changes to FISMA
(February 14, 2008)
The White House is questioning the need for many changes to the Federal
Information Security Management Act (FISMA) described in the Federal
Agency Data Protection Act. One section would require US government
agencies to inform Congress about the methods they are using to protect
their systems from the risks of peer-to-peer file sharing programs. The
objection to this element stems largely from a reluctance to focus on a
specific technology in outlining security requirements. The proposed
legislation "would [also] require agencies to develop policies and plans
to identify and protect personal information and to develop requirements
for reporting data breaches." Office of Management and Budget (OMB)
administrator for e-government and information technology Karen Evans
is resistant to some of the proposals because they could "seriously
impact established security and privacy practices while not necessarily
achieving the outcomes of improved privacy and security." The bill's
sponsor, Representative William Clay (D-Mo.) maintains that it "would
move us toward more rigid security requirements while staying within the
FISMA framework."
http://www.news.com/8301-10784_3-9872366-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.fcw.com/online/news/151642-1.html?type=pf
http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.04791:

 -- UK and Australia Mull Making ISPs Piracy Monitors
(February 15 & 17, 2008)
The UK and Australian governments are considering policy changes that
would require Internet service providers (ISPs) to act as monitors of
illegal downloading. The ISPs would keep track of who is downloading
pirated content and possibly cut off their service if they do not
refrain from the activity. In the UK, the ISP industry association says
there are "legal and technical barriers" to them acting as anything more
than a "mere conduit." According to current law, ISPs may not inspect
the contents of packets traveling over their networks unless compelled
to do so by a warrant. Representatives from some ISPs acknowledge that
they engage in traffic management to prevent a few customers from
hogging available bandwidth. In Australia, the government is
considering a three strikes policy before users are cut off from the
Internet.
http://news.bbc.co.uk/2/hi/technology/7246403.stm
http://www.smh.com.au/news/technology/rudd-to-tackle-illegal-music-downloaders/2008/02/16/1202760662778.html
[Editor's Note (Schultz): Proposing that ISPs act as monitors of piracy
activity does not seem reasonable for many reasons, one of the most
important of which is that ISPs, many of which are currently not doing
all that well monetarily, do not really have the resources to engage in
such efforts.
(Paller): These UK and Australian initiatives are the front edge of a
wave of similar legislation that will be introduced asking ISPs to take
on added responsibility for improved privacy and security for their
customers. Users cannot protect themselves; asking them to do so is
disingenuous. Only their ISPs and their software providers are in a
position to make security and privacy feasible for most users.]

************************** Sponsored Links: ***************************
1) Complimentary White Paper: Beyond NetFlow, JFlow, and SFlow:
Harnessing Application-aware Flow Information to Improve Network Security
http://www.sans.org/info/24199

2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/24204

3) FREE Webcast "Shining a Spotlight on MPLS Security Issues" to utilize
network behavior analysis to overcome MPLS pitfalls.
http://www.sans.org/info/24209

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 -- Teen Pleads Guilty in Botnet Scheme
(February 19, 2008)
A US teenager has pleaded guilty to using botnets to place adware on
hundreds of thousands of computers. The unnamed teen worked with
Jeanson James Ancheta, who is currently serving a 57-month sentence for
his part in the attacks. The teenager will face a prison sentence of
between one year and 18 months when he is sentenced in May. The pair
infected computers at the Defense Information Security Agency (DISA) and
Sandia National Laboratories.
http://www.computerworld.com.au/index.php/id;1130354487;fp;;fpid;;pf;1
[Editor's Note (Northcutt): Teens do dumb things sometimes; I just hope
that Ancheta doesn't get out of prison and get famous with a book or
movie deal. Here is his picture; don't hire him!
http://images.usatoday.com/tech/_photos/2006/04/24/ancheta-mug.jpg ]

 -- SEC Appeals Judge's Order to Release Illegal Profits to Hacker
(February 15 & 18, 2008)
The Securities and Exchange Commission (SEC) is appealing a ruling that
would have them release illegally obtained funds to a Ukrainian hacker.
Oleksandr Dorozhko broke into the servers of IMS Health and viewed the
company's results announcement hours before it was released to the
public. He then used the information to place sell orders on which he
earned nearly US $300,000. The judge who made the initial ruling said
the actions did not violate US securities laws. The judge acknowledged
that the situation was unusual, but said she had no choice and the most
reasonable avenue to pursue would be a hacking prosecution. The US
Department of Justice has rejected that option possibly because of the
anticipated difficulty of obtaining a conviction in the Ukraine.
http://www.channelweb.co.uk/articles/print/2209899
http://www.nytimes.com/2008/02/15/business/15norris.html?pagewanted=print

 -- Woman Fined for Intercepting Nanny Agency eMail
(February 18, 2008)
A woman has been fined GBP 500 (US $975) for reading email messages from
her previous employer's account. Susan Holmes had worked for a nanny
agency that accepted registration forms through an AOL email account.
The company neglected to change the account password after Holmes left,
which allowed her access to the information. The company became
suspicious after a noticeable decline in the amount of email they
received on the account in the first few months of 2007. AOL
connection logs revealed IP addresses that eventually led to Holmes
being identified as the culprit. Last week, she pleaded guilty to
unauthorized access to a computer, in violation of section one of the
Computer Misuse Act 1990.
http://www.theregister.co.uk/2008/02/18/nanny_agency_hack_conviction/print.html
[Editor's Note (Northcutt): Great security awareness story: when someone
leaves, whether at work or home, change any password they may have had
access to.]

 -- Former Intern Arrested for Allegedly Accessing City eMail
(February 16, 2008)
A former intern for a San Jose (CA) city councilman has been arrested
for breaking into the city's email system. Eric Hernandez worked as an
intern for Councilman Sam Liccardo; during his work there, he created
email accounts for Liccardo's staff and knew the account passwords.
Hernandez was allegedly trying to find information about another
Liccardo staff member with whom he was angry; he planned to give the
information to a blog and a newspaper. Hernandez faces up to three years
in prison for the felony charge made against him.
http://www.mercurynews.com/valley/ci_8280565
[Editor's Note (Northcutt): Trying to diss his former boss's
girlfriend! Same song, second verse: a great security awareness story.
When someone leaves, whether at work or home, change any password they
may have had access to.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 -- UK Information Commissioner's Office Says Number of Data Breaches
     Not Out of the Ordinary
(February 18, 2008)
The UK Information Commissioner's Office (ICO) says the apparent upturn
in the number of security breaches within the government is due to a
growing recognition among government departments that reporting data
breaches is important. It does not signify a sudden increase in the
number of data breaches. The increased number of disclosures can be
attributed to "increasing scrutiny from legislators" and Whitehall's
examination of data-handling procedures.
http://software.silicon.com/security/0,39024888,39170070,00.htm

 -- ISP Gave FBI More Data Than it Sought in National Security Letter
(February 17, 2008)
In what FBI officials have called an "apparent miscommunication," an
unnamed Internet service provider (ISP) provided the agency with far
more private information than they had requested. The extra records
were destroyed. The FBI sought information about email addresses sent
by one individual; the ISP provided the FBI with information about all
email accounts that use the same domain as that particular individual.
The incident took place in 2006 and was disclosed in papers obtained by
the Electronic Frontier Foundation (EFF) through a Freedom of
Information Act (FOIA) request.
http://www.nytimes.com/2008/02/17/washington/17fisa.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 -- Nine Sued for Selling Pirated Software on eBay
(February 14, 2008)
The Software & Information Industry Association has filed lawsuits
against nine people for allegedly selling pirated software on eBay. The
lawsuits were filed on behalf of Symantec and Adobe as part of SIIA's
Auction Litigation Program, which offers rewards in the form of credit
toward legitimate copies of software to people who turn in those selling
the counterfeit software. The SIIA's antipiracy program has already
helped them catch other sellers of counterfeit software.
http://www.channelregister.co.uk/2008/02/14/ebay_pirate_auctions/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 -- FreeBSD Flaws Fixed
(February 15, 2008)
Developers have fixed two vulnerabilities in the FreeBSD open source
operating system. One of the flaws could be exploited to crash
vulnerable systems with just one network packet, but apparently cannot
be used to inject code. The other could allow local users to "access
protected information."
http://www.heise-online.co.uk/security/FreeBSD-closes-vulnerabilities--/news/110129
http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc
http://security.freebsd.org/advisories/FreeBSD-SA-08:03.sendfile.asc

MISCELLANEOUS
 -- Halifax Bank Blocks Credit Card Payments to WoW Publisher
(February 15, 2008)
The UK's Halifax bank has decided to block credit card payments to World
of Warcraft publisher Blizzard Entertainment after noting that an
unusually large number of payments being made through the company's
gaming sites involved stolen credit card information. Customers who
want to subscribe to Blizzard game sites with Halifax or Bank of
Scotland credit cards can contact the bank and make arrangements for the
payments to go through. It is not apparent that other banks or
financial institutions have followed Halifax's lead.
http://www.theregister.co.uk/2008/02/15/halifax_blizzard_block/print.html

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast Series: Part 1 of 3: "Security Insights with Dr. Eric Cole"
WHEN: Wednesday, February 20, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Dr. Eric Cole
https://www.sans.org/webcasts/show.php?webcastid=91783

The 2008 information security environment suggests new challenges and
increasing potential for organizations to fall victim to the latest
threats. While information security practices are improving, attackers
and business requirements continue to raise the bar for the security
professional. As organizations look at a technical landscape fraught
with viruses, web-based exploits and social-engineering attacks, data
loss challenges and beyond, the need to select proven technologies that
address threats to their unique environment is crucial. Too often
organizations are trying out new strategies and wonder what other
organizations have done in similar situations. One of the leading
experts in network security will draw upon his teaching experience and
his interaction with thousands of students and different organizations
to show strategies that will allow organizations to implement
cost-effective solutions. Participants will walk away with insights they
can directly apply to increase their security. Register now for this
free webcast!

***
Ask the Expert: Security Needs a New Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
http://www.sans.org/info/22959
Sponsored By: Prism MicroSystems

In this webcast, we'll discuss the reasoning behind a "whitelist"
approach, how change monitoring can complement logging and event
monitoring in your security program, and common system changes that may
indicate malicious activity.

***
Tool Talk Webcast: A Practical Approach to Cyber Security within Control
System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
http://www.sans.org/info/22964
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks
against critical infrastructure: oil and gas, power and energy,
chemical, etc. Few disagree that systems controlling critical
infrastructure make valuable targets for a wide range of attackers and
pursuits; but the FUD sometimes shadows the facts. So rather than debate
the threat level, this webcast will focus on empirical findings derived
from multiple, federally funded research projects. These collaborative
projects have brought together federal agencies, academia, control
system vendors, IT security vendors like ArcSight, and industry
representatives to research and test practical cyber incident
prevention, detection and response.

***
Ask the Expert Webcast: Regulatory Compliance and Securing Endpoint Data
against Internal Threats
WHEN: Wednesday, February 27, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Richard Stone
http://www.sans.org/info/22969
Sponsored By Credant Technologies

This webcast will discuss why today's dynamic IT environments must
move away from first-generation encryption products toward a more
data-centric approach, rather than the stand-alone, platform-specific
point products of old. Gone are the days of the "encrypt everything"
approaches, which lack protection against insider threats and have
significant manageability, recovery, and usability issues. Hear how a
new solution simultaneously meets security, IT operations, and
compliance needs.

***
SANS Special Webcast: How to Win Friends and Influence People (for
Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning
stage, when the "human element" plays a critical role. This is
especially true for penetration testing projects, which sometimes
encounter political hurdles before they even begin.
Please join us to learn how, with a little transparency and tact, you
can not only get approval for pen testing projects but also help
colleagues use the results to improve your overall security.

***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot
economy" and changing malcode techniques. In response, incident handler
techniques must keep pace. This presentation will cover the use of
RAPIER, a security tool built to facilitate first response procedures
for incident handling. It is designed to acquire commonly requested
information and samples during an information security event, incident,
or investigation. RAPIER automates the entire process of data collection
and delivers the results directly to the hands of a skilled security
analyst. From detection and discovery, capture and containment, count
on a useful discussion meant to further your incident response
practices.

********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
