SANS NewsBites Vol. 10 Num. 44

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jun 03 2008 - 13:26:00 CDT



Three Useful New Initiatives for NewsBites Readers
1. What are the twenty coolest careers in cyber security?
Where can they be found? What does it take to qualify for them?
Those are the questions for SANS' new "Roadmaps To Great Careers In
Cyber Security" project being led by Rob Scola. As a first step, in the
last story in this issue, you will find a draft list of the twenty
coolest cyber security jobs with brief descriptions. You can help move
the project forward by answering either of the questions at the
beginning of the cool job list.

2. Can you find security flaws in code samples published in college text
books or popular programming books? Fortify's Chief Scientist, Brian
Chess, has repeatedly shown that it is possible, often in under 15
minutes. SANS will pay $100 for each of the first 30 unique examples
(one per book) plus $500 bonuses for each of the best three. Brian
offered to help judge. If you want to try, and also see how Brian does
it, as an example, email me (apaller@sans.org) with the subject Security
Errors In Programming Books.

3. SCADA and Control Systems Security. The US leads in identifying
vulnerabilities in control systems and in persuading control system
vendors to fix problems, but the Europeans are far ahead in
private/public partnerships that lead to actual implementation of
improved security in critical infrastructure organizations. The UK and
European Information Exchanges are important models for the future of
information sharing. Representatives of the governments of the UK,
Netherlands, Switzerland, Sweden, Germany and the European Community,
plus DHS and DoE and INL in the United States are pulling together the
best speakers on control system security for a Summit and Workshops on
SCADA Security in Amsterdam September 8-9. SANS is hosting the event.
The program will be posted next week. I am telling you about it early
because seats will be allocated by country, and the US gets 30. If
readers of NewsBites want to know about the program early enough to get
one of the seats, email me (apaller@sans.org) with "European SCADA
Summit" and I'll get you the program a few hours before it goes live on
the net.
                                Alan

*************************************************************************
SANS NewsBites June 3, 2008 Vol. 10, Num. 44
*************************************************************************
TOP OF THE NEWS
  Microsoft Urges Users to Stop Using Safari Until Fix is Available for Flaw
  Many UK IT Managers Support Mandatory Breach Notification
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Canadian Law Clinic Files Complaint Against Facebook
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
    Walter Reed Patient Data Exposed
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
    More BNY Mellon Backup Tapes Lost
    MediaDefender Accused of SYN Flood Attack on Revision3 Network
    Stolen USB Stick with Patient Data Recovered
  MISCELLANEOUS
    Belgian University Integrates Secure Coding in Computer Science &
       Engineering Courses
    Philly Anchor's Computer Seized in Unauthorized eMail Access Case
    Google Complies with Street View Take Down Requests
    Attack on Russian Nuclear Info Sites Likely a Rumor
    FUD Watch Column Launched
    The Twenty Coolest Jobs In Cyber Security (Research Project)
LIST OF UPCOMING FREE SANS WEBCASTS

 --Many UK IT Managers Support Mandatory Breach Notification
(May 29, 2008)
A poll of more than 100 IT managers at April's InfoSec security show in
London found that nearly 70 percent believe UK companies should be
required to disclose security breaches. Eighty percent of respondents
placed insider data leaks at the top of their list of security concerns,
while just 17 percent said outside threats were more dangerous than
internal ones. One third of those polled said they had made budget
allocations designated to improving internal security and auditing.
http://www.infosecnews.org/pipermail/isn/2008-June/016409.html
[Editor's Note (Pescatore): In the US, mandatory breach notification led
to an orgy of disclosures that I thought would lead to disclosures
becoming so routine that business managers would just tune them out.
That really didn't happen - turns out that the power of bad press is
very impressive.
(Schultz): Statutes that require data security breach notification will
in time be passed in most first world countries. The reason is that more
citizens of these countries are starting to realize that the absence of
such statutes greatly increases the probability that identity fraud will
occur after such breaches occur.
(Honan): Despite tough data protection laws within the EU there is a
growing recognition that data disclosure laws are required to ensure
companies protect customer data entrusted to them. The Irish Data
Protection Commissioner recently highlighted this issue claiming that
Ireland may soon introduce such legislation
http://www6.lexisnexis.com/publisher/EndUser?Action=UserDisplayFullDocument&orgId=574&topicId=100019547&docId=l:799237316&isSearch=true ]

*********************** Sponsored By Sourcefire, Inc. *******************
Cornell University Intrusion Prevention System (IPS) Case Study
Weill Cornell Medical College has to secure the records of more than
750,000 unique patients annually. Cornell uses a special system to
assess risks and evaluate IT systems at any given time. Learn why
Cornell chose the Sourcefire 3D(tm) System to see everything running on
its network in real time.
http://www.sans.org/info/29323
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
      with many bonus sessions and a big exhibition of security products:
      http://www.sans.org/info/26774
- Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- Singapore (6/30-7/5) http://www.sans.org/singapore08/
- Boston (8/9-8/16) http://www.sans.org/boston08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Microsoft Urges Users to Stop Using Safari Until Fix is Available for Flaw
(May 30 & 31 & June 2, 2008)
Microsoft's security team has issued an advisory recommending that users
refrain from using Apple's Safari web browser on Windows until a fix is
available for a vulnerability that allows attackers to download and
execute files without user interaction. The problem is due to a
combination of the default download location in Safari and the way
the Windows desktop manages executables. The flaw affects all supported
versions of Windows XP and Vista with Safari installed.
http://www.securityfocus.com/brief/746
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091638&source=rss_topic17
http://www.theregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/print.html
http://www.microsoft.com/technet/security/advisory/953818.mspx
[Editor's Note (Grefer): Microsoft's Security Advisory clearly states
under "Mitigating Factors: Customers who have changed the default
location where Safari downloads content to the local drive are not
affected by this blended threat." To do so, go to Edit > Preferences >
General > Save downloaded files to (and pick a new location).]

THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
 --Canadian Law Clinic Files Complaint Against Facebook
(May 30 & June 2, 2008)
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has
filed a complaint alleging that the social networking site Facebook
violated numerous aspects of the Canadian Personal Information
Protection and Electronic Documents Act. The complaint alleges that
Facebook failed to let users know how their information is shared with
third parties and failed to obtain permission to disclose information.
Facebook maintains that the complaint missed the mark, as nearly all
Facebook data are willingly shared by users. Facebook has said it "will
continue ongoing efforts to educate users and the public around privacy
controls on Facebook."
http://www.csoonline.com/article/376765/Privacy_Complaint_Filed_Against_Facebook
[Editor's Note (Pescatore): The definition of "willingly shared" in
advertising-supported sites is often quite different from what many
people understand. Facebook's out-of-the-box privacy settings are a
confusing mix of what can and cannot be shared with Friends or Networks
and Friends. Now, it may not be confusing to people who use Facebook to
share everything with Friends and whatever Networks are, but for anyone
who is aghast at the idea of calling hundreds of people "friends," the
sharing of too much information happens by default.]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
 --Walter Reed Patient Data Exposed
(June 2, 2008)
Walter Reed Army Medical Center has acknowledged that personally
identifiable information of approximately 1,000 patients was
inadvertently exposed on the Internet. Officials at Walter Reed learned
of the breach on May 21 from a data mining company that was doing work
for another client. When the company found a file containing the
patient data, they contacted Walter Reed. The compromised data include
names, Social Security numbers (SSNs) and other information, but no
medical records. Walter Reed is in the process of notifying affected
patients.
http://www.insidebayarea.com/argus/localnews/ci_9456913

ATTACKS, INTRUSIONS, DATA THEFT & LOSS
 --More BNY Mellon Backup Tapes Lost
(June 2, 2008)
Bank of New York Mellon has acknowledged the loss of more customer
records. Backup tapes lost on April 29 contain 4.5 million customer
records from approximately 47 companies, including Disney and Eastman
Kodak. Those affected by the breach are believed to be shareholders
rather than commercial customers. BNY Mellon is still dealing with the
loss of another set of backup tapes in late February. Both sets of tapes were
in the possession of couriers when they were lost; BNY Mellon has
terminated its business relationship with one of the couriers. BNY
Mellon says it has instituted a new policy requiring data on storage
devices to be encrypted and limiting the amount of confidential data
held on tape drives.
http://www.heise-online.co.uk/security/New-York-Mellon-Bank-loses-millions-of-customer-records--/news/110844
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9092178&taxonomyId=17&intsrc=kc_top

 --MediaDefender Accused of SYN Flood Attack on Revision3 Network
(May 30, 2008)
In late May, video-content creation firm Revision3 came under a SYN
flood attack that prevented the company from sending email, displaying
advertisements on its website and serving video content to site
visitors. It was three days before Revision3 had a reliable Internet
connection. The attack apparently came from MediaDefender, an
independent anti-piracy company. MediaDefender had discovered that a
vulnerability allowed miscreants to post pirated copies of content on
Revision3's BitTorrent directory. Rather than notify Revision3 of the
problem, MediaDefender instead posted phony listings in an attempt to
find out who was trafficking in pirated content. Revision3 made some
changes to prevent other people from listing content on its server, and
MediaDefender kept trying to access the files, which ultimately
overwhelmed Revision3's network.
http://www.securityfocus.com/news/11521/1
[Editor's Comment (Northcutt): Nicely written article, and this may help
set a precedent. MediaDefender's web site is not flashy; this might be
a fairly innocent mistake. If I were Revision3, I would be working hard
to preserve every log and bit of data:
http://www.mediadefender.com/index.html ]

 --Stolen USB Stick with Patient Data Recovered
(May 30, 2008)
Police in New Glasgow, Nova Scotia have recovered a stolen USB stick
that contains sensitive personal information of approximately 150 children
and adolescents who have received mental health treatment in Pictou
County. Although someone has admitted to stealing the device, no
charges are expected to be filed. Officials have begun notifying
affected patients, and are conducting an investigation, as health
district policy forbids having such data on a device if they are not
encrypted.
http://www.cbc.ca/health/story/2008/05/30/pictou-device.html

MISCELLANEOUS
 --Belgian University Integrates Secure Coding in Computer Science & Engineering Courses
(May 2008)
DistriNet, the security research group of the Department of Computer
Science at the Katholieke Universiteit Leuven is moving to enhance the
security curriculum of students by including secure coding in computing
and engineering courses and to exchange teaching practices in the field
of secure programming. They are partnering with SANS Secure Software
Institute to provide easy access for European companies to SANS-SSI
knowledge and certification.
http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp

 --Philly Anchor's Computer Seized in Unauthorized eMail Access Case
(June 2, 2008)
A Philadelphia news anchor is off the air following an FBI raid at his
home prompted by allegations that someone had been accessing private
emails of his former co-anchor. Authorities seized a computer and other
related equipment from Larry Mendte's home. The allegations of
unauthorized access came from former co-anchor Alycia Lane, who was
fired in January. Information from her private emails was somehow being
leaked to the media. Lane's lawyer said the emails were allegedly
intercepted while she was getting ready to sue her former employer for
wrongful termination.
http://www.mcall.com/news/local/all-mendte0602-cnap,0,7848208.story
http://www.chicagotribune.com/news/local/chi-larry-mendte-080602,0,5803960.story

 --Google Complies with Street View Take Down Requests
(June 1 & 2, 2008)
The private community of North Oaks, Minnesota sent Google a letter in
January demanding that it take down Street View images of its
neighborhoods. The roads in North Oaks are privately owned, meaning
that whoever obtained the images did so by trespassing on private
property. Google complied with the town's request. Google has faced
other complaints about the Street View service. Earlier this year, a
Pittsburgh couple sued Google when images of their home appeared on
Street View; they maintained that a sign designating a private road was
ignored. Google has removed the images in question and has filed a
motion to dismiss the lawsuit, which seeks damages.
http://news.cnet.com/8301-10784_3-9956753-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=208401631
[Editor's Note (Pescatore): This is really another example of "willingly
sharing" information. The next wave of issues will be around location
info - mobile phone carriers know where we are, and will we find out we
have all been "willingly" sharing that info? ]

 --Attack on Russian Nuclear Info Sites Likely a Rumor
(June 2, 2008)
The reported coordinated attacks on Russia's ASKRO nuclear incident
notification system may be nothing more than a system overload from
users responding to rumors of an incident planted on various blogs.
Officials from Russia's state nuclear corporation said the downed sites
were part of a two-pronged attack - the rumors and then the unavailable
sites - but no evidence has emerged to support the claim of a deliberate
attack.
http://www.theregister.co.uk/2008/06/02/russian_emergency_nuke_site_autopsy/print.html
[Editor's Note (Northcutt): Really hard to find the truth on this one,
and Kathy Bradford and I have been sending links back and forth. Don
Jackson from SecureWorks has done the best job, I think, of sorting through
the clutter. His work can be found here:
http://www.donjackson.org/articles/did-hackers-take-russian-nuclear-sites-offline.pdf
Also, some of the reports claim this caused so much fear, people
ingested iodine to thwart the effects of radiation. Whew, iodine is one
of those things where a little is good and more is not.
http://medical-dictionary.thefreedictionary.com/iodine+poisoning ]

 --FUD Watch Column Launched
(May 21, 2008)
CSO Senior Editor Bill Brenner is launching a FUD Watch column. With
the help of input from readers, Brenner will attempt to differentiate
legitimate cyber security threats from those mired in hyperbole, as well
as highlight threats that deserve more exposure than they are presently
getting.
http://www.csoonline.com/article/363613?source=nlt_csoupdate

 --The Twenty Coolest Jobs In Cyber Security (Research Project)

The 18 Coolest Jobs In Security
Here is a very preliminary list of the cyber security jobs that people
have told us are often "wonderful," either because of the impact they can
have, the kudos they get, or the challenge (or a combination).

When you have reviewed the list below, please send us an answer to one of
these two questions (if appropriate):
1. If you think another job should be added, tell us what it is and why
it is cool.
2. If you have one of these jobs, please tell us what formal education,
courses, certifications, experience, and personal/professional skills
you would look for in a person you were hiring to help you do that job
today. They don't have to have followed your path - how would they
prepare if they wanted this job over the next decade?

Email your answers to rscola@sans.org with subject Cool Careers

Network and System Security
1. System and Network Penetration Tester (Red Team member)
2. System and Network Assessor (Blue Team member) or PCI Assessor
3. Security-Skilled System and Network Administrator
4. Security Architect/Engineer
5. Firewall/IPS Administrator
6. Security Operations Center Analyst (Intrusion Detection/Log/SIEM Analyst)
7. Incident Handler
8. Cyber Forensics Analyst
9. Deep Dive Specialist (the people who find evidence of infections in
systems that may have been compromised)
10. Technical Director and Deputy CISO
11. CISO
12. Security Auditor
13. Chief Security Auditor
Application Security
14. Application Penetration Tester
15. Security Maven in the Application Developer Organization
16. Vulnerability Researcher
Law Enforcement
17. Cyber Crime Investigator/Forensics Expert
18. Sworn Law Enforcement Officer Specializing in Cyber Crime
19. Prosecutor Specializing in Cyber Crime
(There are only 19, we are looking to you to tell us what's missing)

UPCOMING SANS WEBCAST SCHEDULE:

SANS Special Webcast: Fourth Annual Log Management Survey
WHEN: Thursday, June 5, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk and Anton Chuvakin
http://www.sans.org/info/28709
Sponsored By: LogLogic http://www.loglogic.com/

The fourth annual Log Management Survey will compare and contrast how
respondents use their log data, their challenges, and what they hope to
derive out of their log data in the future.

SANS Special Webcast: Testing; vulnerabilities, defenses and configuration
WHEN: Tuesday, June 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Jerry Shenk
http://www.sans.org/info/28714
Sponsored By: Core Security http://www.coresecurity.com/

This webinar will arm you with all the necessary plans for using
penetration testing to investigate your organization's vulnerabilities,
defenses and configurations - including lab testing your processes - to
help you understand what the finished product should look like.

Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/28719

This monthly webcast discusses recent threats observed by the Internet
Storm Center, and discusses new software vulnerabilities or system
exposures that were disclosed over the past month. The general format
is about 30 minutes of presentation by senior ISC staff, followed by a
question and answer period.

Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions
WHEN: Tuesday, June 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Brian Contos
http://www.sans.org/info/28729
Sponsored By: ArcSight http://www.arcsight.com/

Today's business is digital across the board, relying on digital
processes, communications, assets, and commerce. This has spawned a
massive increase in fraud. We read about it nearly every week, and in
almost every case, the problem seems obvious in hindsight. Societe
Generale, with $7 billion in trading fraud, is the current poster child.
Too often, fraud could have been detected and stopped if only someone
noticed the connection between several activities, each of which was
fine in isolation. Taken together, however, they paint a picture of
fraud.

SANS Special Webcast: Endpoint Security: Point-Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace http://www.coretrace.com/

Join SANS President Stephen Northcutt as he reviews the key features in
endpoint security that really matter, how to shop for the best products,
and why implementing defense in depth on your organization's endpoint
is a best practice.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
