SANS NewsBites Vol. 10 Num. 18

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Mar 04 2008 - 13:24:19 CST


Tomorrow is the deadline for the big early registration discount for
SANS 2008 in Orlando. Info: http://sans.org/info/20042

                                      Alan
*************************************************************************
SANS NewsBites March 4, 2008 Vol. 10, Num. 18
*************************************************************************
TOP OF THE NEWS
  Naming Names: Identity Theft Study Identifies Banks
  Pentagon Report Says Cyber Attacks Appear to Emanate from China
  Virginia Supreme Court Upholds Spammer's Conviction
  Wikileaks Ruling Dissolved
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Prison Time for Data Thieves
    NZ Man in Court to Face Botnet Charges
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Encryption Pays Off for VA
    NIST Seeks Comments on Authentication and PIV Guidance Documents
    Dutch Tax Office Accidentally Deletes 730,000 Electronic Returns
    UK Health Minister Wants Harsher Punishment for Unauthorized Access to NHS Data
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    Lawyer Admits to Snooping on Other Law Firm's Network
  STATISTICS, STUDIES & SURVEYS
    Most Spam Comes from Just Six Botnets
  MISCELLANEOUS
    Futures Trader Costs Firm US $141.5 Million
LIST OF UPCOMING FREE SANS WEBCASTS

********************** Sponsored By PacketMotion ************************

How do you safeguard intellectual property, sensitive information and
compliance-relevant data without hampering employee and contractor
productivity? Find the facts, blind spots and new technology regarding
real-time visibility and control of network user transactions and
information assets. Download the FREE, must-read whitepaper "TRUST BUT
VERIFY: 24/7 User Activity Monitoring to Protect Business Critical
Information" now.
http://www.sans.org/info/25063

*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, CISSP,
and SANS' other top-rated courses?
- SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad
    bonus sessions and a huge exhibition of security products:
       http://www.sans.org/sans2008
- Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org

*************************************************************************

TOP OF THE NEWS
 --Naming Names: Identity Theft Study Identifies Banks
(February 29, 2008)
The Center for Law and Technology at the University of California at
Berkeley reviewed thousands of FTC complaints and identified the 25
financial institutions whose customers have experienced the most
identity theft. Non financial institutions with FTC identity theft
complaints were also identified. Bank of America was top on the
financial institution list while AT&T was top on the non-financial list.
http://www.bankinfosecurity.com/articles.php?art_id=724
(subscription required)
[Editor's Note (Schultz): Although this study has several flaws, it
paves the way for more studies of this nature that put the spotlight on
institutions that ostensibly don't do enough to prevent identity theft.
The likely effect is to exert pressure on these institutions to "clean
up their act."]

 --Pentagon Report Says Cyber Attacks Appear to Emanate from China
(March 3, 2008)
The Pentagon's annual report to Congress on China's military power says
that "in the past year, numerous computer networks around the world ...
were subject to intrusions that appear to have originated within the
[People's Republic of China]." This marks the first time that the
Defense Department (DoD) has so clearly pointed a finger at China for
such attacks, but does not make as bold a statement as a report from the
US-China Economic and Security Review sent to Congress late last year.
In that report, Marine General James Cartwright, vice chairman of the
Joint Chiefs of Staff, described the potential damage from Chinese
cyber attacks as comparable to that "of a weapon of mass destruction."
http://www.govexec.com/story_page.cfm?articleid=39438&dcn=todaysnews
http://www.cnn.com/2008/US/03/03/pentagon.china/
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/03/AR2008030302516_pf.html
http://www.defenselink.mil/pubs/pdfs/China_Military_Report_08.pdf

 --Virginia Supreme Court Upholds Spammer's Conviction
(March 1 & 3, 2008)
By a vote of 4-3, the Virginia Supreme Court upheld the felony
conviction of Jeremy Jaynes, who in 2004 was found guilty of spamming
and sentenced to nine years in prison; it was the first felony
conviction for spamming in the US. Jaynes and his lawyer maintained
that the Virginia law under which he was convicted violates both the
First Amendment and the interstate commerce clause of the US
Constitution, but the court rejected those claims.
http://www.informationweek.com/security/showArticle.jhtml?articleID=206901389&cid=RSSfeed_TechWeb
http://news.smh.com.au/prolific-spammers-conviction-upheld/20080301-1w04.html

 --Wikileaks Ruling Dissolved
(February 29, March 2, 3 & 4, 2008)
Citing concerns about First Amendment rights, US federal district court
judge Jeffrey White has rescinded an earlier order to shut down the
Wikileaks.org website. In February, White had ordered that the
whistleblower site be shut down after a Swiss bank accused the site of
posting purloined internal documents. Judge White also expressed
concern about the effectiveness of disabling the site.
http://news.smh.com.au/us-judge-restores-wikileaks-website/20080302-1w76.html
http://government.zdnet.com/?p=3690
http://www.news.com.au/technology/story/0,25642,23316821-5014239,00.html
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/29/AR2008022903277.html

************************** Sponsored Links: ***************************
1) Secure your Web 2.0 and Web applications with Rapid7 Unified
Vulnerability Management
http://www.sans.org/info/25068

2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed
since last year? Help us find out! Take the survey at
http://www.sans.org/info/25073

3) Register Now! Live eSeminar: Hertz, Forrester, and GuardianEdge
Discuss Endpoint Data Protection - Beyond Encryption
http://www.sans.org/info/25078
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --Prison Time for Data Thieves
(March 1, 2008)
Two people have received prison sentences for their roles in a data
theft scheme that victimized patients of the Kelsey-Seybold Clinic in
Houston, Texas. Former insurance analyst Kretia Lutriel Griffin stole
personal data belonging to approximately 200 of the clinic's patients.
She sold them to Aubry Johnson, who used the information to open charge
accounts at various stores. Johnson was sentenced to seven years in
prison for access device fraud and aggravated identity theft. Griffin
received a two-year sentence for conspiracy. The clinic has notified
patients whose data were compromised. A clinic spokesperson said that
no medical data were involved.
http://www.chron.com/disp/story.mpl/headline/metro/5583753.html
[Editor's Note (Liston): Even if you do everything right, you'll still
always be susceptible to data theft by a malicious insider. These types
of convictions and the hefty sentences imposed are the best deterrent
that we have against those who would abuse their positions of trust. ]

 --NZ Man in Court to Face Botnet Charges
(February 29, 2008)
An 18-year-old New Zealand man is in court to face charges stemming from
his alleged role as the mastermind of a botnet scheme that infected more
than one million computers around the world. The network was used to
steal online banking and credit card information, send spam, launch
denial-of-service (DoS) attacks, and place adware on computers. Owen
Thor Walker has been charged with two counts of accessing a computer for
dishonest purposes, two counts of accessing a computer without
permission, one count of damaging a computer system, and possessing
hacking software. If convicted, he could face up to 10 years in prison.
http://www.theregister.co.uk/2008/02/29/nz_botmaster_latest/print.html
http://www.smh.com.au/news/security/bail-for-alleged-spybot-leader/2008/02/29/1204226977398.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Encryption Pays Off for VA
(March 3, 2008)
Security measures put in place at the Veterans Affairs department (VA)
after the widely publicized theft of computer equipment in 2006 have
proven to be effective. A laptop stolen last month from the home of an
employee at the VA's Austin (TX) Corporate Data Center was encrypted,
and department officials knew precisely what data were on the computer.
The employee had permission to have the computer at home and had locked
it down to furniture.
http://www.fcw.com/online/news/151810-1.html?type=pf
[Editor's Note (Schultz): This is a wonderful information security
success story. The VA appears to be very determined to greatly improve
its practice of data security and is already reaping some benefits.
(Cole): The weakest link with full disk encryption is the password used
to protect the encryption keys. Organizations cannot claim they are
protected just because they use full disk encryption. If your company
does not have a robust password policy or two factor authentication,
full disk encryption is only adding an illusion of security. ]

 --NIST Seeks Comments on Authentication and PIV Guidance Documents
(March 3, 2008)
The National Institute of Standards and Technology (NIST) is seeking
comments on two draft documents. Draft Special Publication 800-63
Revision 1 supplements Office of Management and Budget (OMB) guidelines
for designing systems that allow remote authentication of citizens over
open networks. NIST will accept comments on the draft through April 10,
2008. Special Publication 800-79-1 offers guidelines for federal
agencies that are working to certify and accredit organizations that
issue Personal Identity Verification (PIV) cards. Comments on this
document will be accepted before March 30, 2008.
http://www.gcn.com/online/vol1_no1/45917-1.html?topic=security&CMP=OTC-RSS
http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf
http://csrc.nist.gov/publications/drafts/800-79-1/DRAFT_SP800-79-1_public-review.pdf

 --Dutch Tax Office Accidentally Deletes 730,000 Electronic Returns
(February 29, 2008)
More than 730,000 people who filed tax returns with the Dutch tax
office for 2007 will have to resubmit their information after a computer
problem deleted all their data except for social security numbers.
Those affected filed electronically; the Dutch tax office did not back
up the files. A similar problem occurred last year when 400,000
companies had to resubmit payroll information.
http://www.theregister.co.uk/2008/02/29/sorry_we_lost_your_tax_return/print.html
[Editor's Note (Liston): And their reason for not backing up the data
would be...?]

 --UK Health Minister Wants Harsher Punishment for Unauthorized
Access to NHS Data
(February 29 & March 3, 2008)
UK health minister Ben Bradshaw is calling for more stringent penalties
for NHS staff who violate the Data Protection Act. Bradshaw noted that
the only people who may access individuals' health records are
"authorized NHS health care professionals who must be authenticated
users and members of the health care teams directly involved in the ...
patient's care." In a separate but pertinent story, a document obtained
under the Freedom of Information Act indicates that the new national
summary care record database will be accessible by non-clinical NHS
staff.
http://www.e-health-insider.com/news/3516/dh_seeks_tougher_sanctions_for_security_breaches
http://www.computerweekly.com/Articles/2008/03/03/229636/patient-database-open-to-access-by-non-qualified-nhs.htm

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --Lawyer Admits to Snooping on Other Law Firm's Network
(March 2, 2008)
A Charleston, West Virginia lawyer has admitted to accessing email and
other private documents at the law firm where his wife worked. At
first, he was suspicious that she was having an affair, but then
admitted he kept accessing and reading the material because he was
curious. He allegedly accessed the law firm's computer system more than
150 times between November 2003 and March 2006. Michael P. Markins was
employed at another law firm at the time, and at one point, the two
firms were representing opposing sides in a case. The Lawyer
Disciplinary Board has recommended that Markins's law license be
suspended for two years. Before he could be reinstated, he would have
to complete 12 hours of legal education in ethics and then he would be
subject to one year of supervised practice.
http://sundaygazettemail.com/News/200803010561
[Editor's Note (Liston): I sincerely doubt that if the same situation
occurred in any field outside the practice of law that the sanctions
would be so ludicrously petty. Where's the jail time?]

STATISTICS, STUDIES & SURVEYS
 --Most Spam Comes from Just Six Botnets
(February 29 & March 3, 2008)
According to research from an email security vendor, six botnets are
responsible for 85 percent of all spam. Srizbi is identified as the
largest of the bot networks, responsible for sending out an estimated
39 percent of all spam. The research also found that the size of a
botnet does not correlate with its activity. For instance, the Mega-D
botnet comprises 35,000 "drones" and generates 11 percent of spam; the
Storm network has 85,000 "drones," yet generates just two percent of
spam.
http://www.heise-online.co.uk/security/Six-botnets-responsible-for-nearly-all-spam--/news/110219
http://www.theregister.co.uk/2008/02/29/botnet_spam_deluge/print.html

MISCELLANEOUS

 --Futures Trader Costs Firm US $141.5 Million
(February 29, 2008)
A Tennessee man has allegedly made unauthorized trades in the wheat
futures market that cost his firm US $141.5 million in losses. Evan
Dooley's firm, MF Global, normally has electronic protections in place
to prevent such situations, but the controls were deactivated for
certain traders, Dooley among them, because they slowed down
transactions.
http://www.iht.com/articles/2008/02/29/business/29trader.php

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Tom Turner
http://www.sans.org/info/22979
Sponsored By: Q1 Labs

Universities continue to face a challenge in the balancing act of two
diametrically opposed networking requirements. On one hand, IT services
must meet the requirements of delivering an open campus network
with minimal restriction on use. On the other hand, you have
networks and systems that maintain sensitive information that requires
tight security controls, often under the scrutiny of specific regulatory
mandates.

***
SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Billy Hoffman
http://www.sans.org/info/24614
Sponsored By: HP

The past year has seen several web worm attacks against various online
applications. While these worms have gotten more sophisticated and made
use of additional technologies like Flash and other media formats, they
all have had some basic limitations such as infecting new domains and
using new injection methods. These worms are fairly easily detected
using signatures, so they are annoying, but ultimately controllable.
This webcast examines the possibility of hybrid web worms which use
several methods to overcome the limitations of current web worms.
Specifically, the authors examine how a hybrid web worm (1) mutates
itself to evade defenses; (2) updates itself with new attack vectors
while in the wild; and (3) finds and exploits targets regardless of
whether they are client web browsers or web servers.

***
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
https://www.sans.org/webcasts/show.php?webcastid=91884

This webcast will provide attendees with actionable advice on how to
reduce their organization's risk against the Cold Boot Attack using
encryption tools and real-world best practices. Hear responses from
leading providers in the encryption market to gain better understanding
of how these solutions can help mitigate or avoid the vulnerabilities
associated with the Cold Boot Attack. Attendees will walk away with
actionable advice on how this vulnerability can impact their
organization and which encryption solutions can provide best-in-class
protection from this and other security risks.

***
ISC Threat Update: March 2008
WHEN: Wednesday, March 12, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Tony Magallanez
http://www.sans.org/info/24623
Sponsored By: F-Secure

The SANS Internet Storm Center (ISC) uses advanced data correlation and
visualization techniques to analyze data collected from thousands of
sensors in over sixty countries. Experienced analysts constantly monitor
the Storm Center data feeds searching for trends and anomalies in order
to identify potential threats. When a threat is identified, the team
immediately begins an intensive investigation to gauge the threat's
severity and impact. This monthly webcast discusses recent threats
observed by the Internet Storm Center, and discusses new software
vulnerabilities or system exposures that were disclosed over the past
month. The general format is about 30 minutes of presentation by senior
ISC staff, followed by a question and answer period.

***
WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian
http://www.sans.org/info/24628
Sponsored By: Core Security Technologies

When beginning a security process at a consortium of non-profits, senior
network security engineer, Paul Asadoorian of Pauldotcom began looking for a
penetration testing tool that did network, web application and social
engineering tests. The tool he purchased is low on manpower use, mostly
self-maintaining and reliably proves the existence of network
vulnerabilities. Please attend this webcast to find out why Paul selected
CORE IMPACT and learn how it can help you safely perform network, web
application and end-user penetration testing.

***
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info/24633

Based on first-hand experience, this talk will look at areas where
encryption should be used and how to avoid common mistakes. Dr. Cole
will also identify areas where encryption should not be deployed.
Overall, this talk will provide expert knowledge of the landscape of
encryption, proper uses and common pitfalls. Register now for this free
webcast!

***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems

The threat landscape changes constantly, driven in part by the "bot
economy" and changing malcode techniques. In response, incident handler
techniques must keep pace. This presentation will cover the use of
RAPIER, a security tool built to facilitate first response procedures
for incident handling. It is designed to acquire commonly requested
information and samples during an information security event, incident,
or investigation. RAPIER automates the entire process of data collection
and delivers the results directly to the hands of a skilled security
analyst. From detection and discovery to capture and containment, count
on a useful discussion meant to further your incident response
practices.

***
Tool Talk Webcast: Are You Naked? Why virtualization and service
processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi

Virtualization and on board service processors are making log management
systems obsolete and opening their customers to huge compliance issues.
All existing log management systems are based on an 'inside out' agent
based, SYSLOG and SNMP architecture. This model is obsolete in today's
datacenter. Traditional log management systems do not log all events or
watch the data center all the time, opening the door to Sarbanes Oxley,
HIPAA and other compliance risks.

********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription (and
for free posters), or to update a current subscription, visit
http://portal.sans.org/
