From: The SANS Institute (NewsBites at sans.org)
Date: Tue Jul 15 2008 - 12:42:55 CDT
A note for anyone who uses the NIST Special Publication 800-53 document
as guidance for evaluation or auditing. NIST's new assessment guide,
SP 800-53A, provides an essential starting point for consistent,
reliable testing of security of government and contractor systems and
applications. It can be found at
http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf.
To enable it to meet its full potential for up-to-date, reliable,
repeatable, and comparable security evaluations, a follow-on project is
being launched called the SP800-53 Consensus Audit Guide (CAG) project.
The CAG will integrate up-to-date threat information from NSA, US CERT,
the National Cyber Security Center, and Internet Storm Center, and
define specific repeatable measures to test each control that can be
shown to reduce the risk posed by the important threats. With Federal
CIO and CISO Council approval, the CAG can become a guide that auditors
can use, as well as the guide that CIOs can use to measure their own
security so they know in advance what the audits will find. A council
is being formed of experienced security auditors to prepare the first
draft for public comment. If you have extensive security audit
experience (Red and Blue Team skills are especially valuable here)
please email me (apaller at sans.org) with a short summary of your current
position, your relevant experience and a statement of why you would like
to be considered for membership on the CAG Council.
Alan
*************************************************************************
SANS NewsBites July 15, 2008 Vol. 10, Num. 55
*************************************************************************
TOP OF THE NEWS
OMB Reports Progress on the Trusted Internet Connection Initiative
Lawsuit Filed Challenging FISA Act
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Chinese Man Found Guilty of Hacking Red Cross Website
Former HP Executive Pleads Guilty to Passing IBM Trade Secrets
Former Analyst at Certegy Sentenced to Over 4 Years in Prison
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple's iPhone 2.0 Software Update Includes 13 Security Fixes
Homer Simpson Spreading Malware to AIM Users
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Army Laptop Recovered
STATISTICS, STUDIES & SURVEYS
NIST Releases Draft Paper on Mobile Computing Security
PRIVACY & DATA PROTECTION
UK Councils Sell Voters' Addresses
Printer Tracking Technology Raises Privacy Concerns
******************* Sponsored By Palo Alto Networks *********************
A Firewall Won Interop 2008 Grand Prize? How can that be? Firewalls
haven't changed much in 15 years. Until now! Get to know next generation
firewall solutions from Palo Alto Networks, and you'll discover why we
won the Interop 2008 Best of Show Grand Prize. Start by learning about
patent-pending App-ID technology, our secret sauce!
http://www.sans.org/info/30739
*************************************************************************
TRAINING UPDATE
- Wash. DC (7/22-7/31) (SANSFIRE 2008) http://www.sans.org/sansfire08
- Boston (8/9-8/16) http://www.sans.org/boston08/
- Virginia Beach (8/21-8/29): http://www.sans.org/vabeach08/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--OMB Reports Progress on the Trusted Internet Connection Initiative
(July 10, 2008)
According to the Office of Management and Budget (OMB), government
agencies are making progress in reducing the number of Internet gateways
serving the federal government under the Trusted Internet Connection
(TIC) initiative. The TIC initiative is due for completion towards the
end of 2009, with the target of fewer than 100 gateways to the Internet.
These gateways will be provided either by the agencies themselves or by
TIC Access Providers. When the initiative started in January there were
4,300 external connections to the Internet; by May this number had been
reduced to 2,758. Agencies in the initiative will also deploy Einstein
technology to continuously monitor traffic at the trusted Internet
gateways.
http://www.fcw.com/online/news/153102-1.html
http://www.gcn.com/online/vol1_no1/46634-1.html
[Editor's Note (Schultz): I wonder if OMB considered the potential
consequences of having fewer gateways on susceptibility to denial of
service-related attacks.]
--Lawsuit Filed Challenging FISA Act
(July 11, 2008)
A number of civil liberties groups, including the American Civil
Liberties Union (ACLU) and Amnesty International, have filed a lawsuit
challenging the newly signed Foreign Intelligence Surveillance Act
(FISA) Amendments Act. The law allows warrantless surveillance of
telecommunications and grants immunity from lawsuits to the
telecommunications companies facilitating the surveillance. The lawsuit
claims that the law breaches the Fourth Amendment of the U.S.
Constitution, which protects against unreasonable searches and
seizures. Supporters of the law claim it is a vital weapon in the fight
against terrorism.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9109198
http://arstechnica.com/news.ars/post/20080710-aclu-others-greets-bush-fisa-bill-signing-with-new-lawsuit.html
[Editor's Note (Northcutt): There has not been enough terrorist activity
on US soil to support the systematic reduction in civil liberties that
has happened in the past eight years. The deaths in the 9/11 attack,
while horrific, are a drop in the bucket compared to deaths from cancer
or in motor vehicles. This law will allow the government to spy on
citizens. What kind of America are we leaving to our children?]
************************* Sponsored Link: *****************************
1) Join your peers and other professionals to learn about Virtualization
Security issues at the Virtualization Security Summit August 7-8.
http://www.sans.org/info/30744
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Chinese Man Found Guilty of Hacking Red Cross Website
(July 14, 2008)
Yang Litao, a 23-year-old Chinese man, was found guilty on Friday by a
court in the eastern province of Jiangsu of hacking into a Red Cross
website. The website had been set up to raise funds in the aftermath of
the May 12th earthquake in Sichuan province, which left nearly 90,000
people dead. Using credentials stolen from the website administrator,
Litao altered the website so that it redirected donors to pay money into
his own bank account. He also installed malware on the site, which left
it offline for over 24 hours while Red Cross staff dealt with the
infection. Chinese authorities arrested Litao before any of the
donations reached his bank account.
http://www.smh.com.au/news/web/chinese-man-jailed-for-red-cross-hack/2008/07/13/1215887425855.html
http://www.theregister.co.uk/2008/07/14/china_red_cross_scammer_jailed/
[Editor's Note (Northcutt): Litao may have made a significant mistake.
I am no expert in China, but I remembered reading: "'Hacking in China
carries the death penalty,' says Professor Neil Barrett, of the Royal
Military College at Shrivenham." So I dug up the link:
http://www.guardian.co.uk/politics/2006/jan/19/technology.security ]
--Former HP Executive Pleads Guilty to Passing IBM Trade Secrets
(July 12, 2008)
Atul Malhotra pleaded guilty before the district court in San Jose to one
count of theft of trade secrets. His sentencing is scheduled for
October 29th, when he could face up to 10 years in jail and a fine of
up to US $250,000. While a director in IBM's global services
department, Malhotra received a report containing "Trade Secret"
information on IBM's calibration metrics. Each page in the report was
marked "IBM Confidential". In May 2006, two months after receiving the
report, Malhotra moved to Hewlett-Packard as vice president of imaging
and printing services. In late July of that year Malhotra sent an email
to an HP senior vice president with an attachment containing the IBM
calibration metrics document. He also sent the same document to another
HP senior vice president. Upon discovering the nature of the document,
HP reported the incident to both IBM and law enforcement. According to
an HP statement, "The activity with which Malhotra is charged was in
direct violation of clear HP policies, including HP Standards of
Business Conduct."
http://news.smh.com.au/technology/fmr-hp-exec-pleads-guilty-in-trade-secrets-case-20080712-3dx2.html
http://www.vnunet.com/vnunet/news/2221481/hp-exec-pleads-guilt-ibm-theft
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9109578&source=NLT_SEC&nlid=38
[Editor's Note (Northcutt): I know the bad press over Kevin Hunsaker and
pretexting sullied HP's reputation, but talk to any long-time employee
and you'll learn that this is a company that tries hard to do the right
thing. I have included a link as a pretexting reminder and also HP's own
Ethics page. They did the right thing here and are to be commended!
http://www.theregister.co.uk/2006/10/05/hp_hunsaker/
http://www.hp.com/hpinfo/globalcitizenship/ethics/ ]
--Former Analyst at Certegy Sentenced to Over 4 Years in Prison
(July 14, 2008)
A man has been sentenced to four years and nine months in jail and fined
US $3.2 million for his part in the theft of 8.4 million consumer
records from Certegy Check Services. William G. Sullivan, who worked as
an analyst for Certegy, exceeded his authorized computer access to steal
the personal banking details (bank account data or credit/debit card
data) of over 5.3 million customers. Sullivan then sold that information
to his co-conspirators for US $580,000. He claimed he took part in the
scheme because he had no retirement plan and his wife was not working.
http://tampabay.bizjournals.com/tampabay/stories/2008/07/07/daily59.html
http://www2.tbo.com/content/2008/jul/10/ex-certegy-analyst-gets-prison-sale-consumers-data/
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple's iPhone 2.0 Software Update Includes 13 Security Fixes
(July 14, 2008)
The latest version of Apple's iPhone software, released on July 11,
contains 13 security fixes: 8 address vulnerabilities in the Safari web
browser, 1 in CFNetwork, 1 in the kernel, and 3 in WebKit. Also included
in the update are two security features aimed at the corporate market:
the ability to remotely wipe data from an iPhone should it be lost or
stolen, and enforcement of complex passwords for users. Some users
reported that the update left their iPhones inoperable because of a
problem with Apple's iTunes update validation.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=208808686
http://www.scmagazineuk.com/As-businesses-weigh-adoption-new-iPhone-plugs-13-flaws/article/112370/
[Editor's Note (Pescatore): There are also reports that the Cisco VPN
client on the iPhone gets interrupted if a voice call or SMS message
comes into the phone when the VPN is running. This means the VPN will
not get used much.]
--Homer Simpson Spreading Malware to AIM Users
(July 12, 2008)
An email address, chunkylover53 at aol.com, used by the Homer Simpson
character in a 2003 episode of the cartoon series "The Simpsons," is
being used to spread malware to unsuspecting AIM users. The address used
in the episode was real and was employed by the TV studio to respond to
queries from fans of the show. The address later became defunct, but it
has now resurfaced and is being used to spread a Trojan. AIM users who
have the address in their buddy list receive a message with a link
promising a web-exclusive video of the show. The link leads to a
malicious site that attempts to recruit the computer into a botnet
controlled by Turkish hackers.
http://www.zdnetasia.com/news/security/0,39044215,62043710,00.htm
http://www.vnunet.com/vnunet/news/2221476/homer-simpson-accused-spreading
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Army Laptop Recovered
(July 11, 2008)
A 17-year-old has been arrested in connection with the theft of a
laptop containing personal information on 700 soldiers based at Fort
Lewis, WA. Police recovered the laptop when they arrested the teenager.
The laptop was reported stolen on July 4 from the seat of an Army
employee's Dodge truck; a 500 GB removable hard drive was also taken.
The employee "appears to have violated Army standards and policies for
protecting personal information and government property" by leaving the
laptop and the removable hard drive overnight in the unlocked vehicle.
http://www.theolympian.com/377/story/504243.html
http://www.thenewstribune.com/news/local/v-printerfriendly/story/409911.html
[Editor's Note (Veltsos): Follow-up: Army CID (Criminal Investigation
Command) found that there had been an unsuccessful attempt to access the
data on the laptop. The external hard drive had not been turned on.
http://www.king5.com/localnews/stories/NW_071108WEBDM_fort_lewis_laptop_KS.45f2812f.html
BTW, the 17-year-old called the police himself, to report a stolen
wallet.]
STATISTICS, STUDIES & SURVEYS
--NIST Releases Draft Paper on Mobile Computing Security
(July 14, 2008)
The US National Institute of Standards and Technology (NIST) has
released a draft of Special Publication 800-124, containing guidelines
on how to address the risks posed by mobile phones and other portable
computing devices. NIST is seeking comments on the draft before final
publication.
http://csrc.nist.gov/publications/drafts/800-124/Draft-SP800-124.pdf
http://www.vnunet.com/vnunet/news/2221548/nist-aims-boost-mobile
http://www.gcn.com/online/vol1_no1/46628-1.html?topic=security
[Editor's Comment (Northcutt): If you have wondered how to make a
difference, this is your chance. Download the document from the link
provided and make at least one substantive comment back to NIST. ]
PRIVACY & DATA PROTECTION
--UK Councils Sell Voters' Addresses
(July 11, 2008)
A report from the UK's Information Commissioner and the Wellcome Trust
has called for an end to the practice whereby local councils sell voter
details to commercial companies. Under current legislation, councils are
able to sell details of voters held on the electoral roll to commercial
marketing companies for as little as GBP 5 (US $10) per 1,000 names.
While individuals can opt out of having their details passed on to third
parties, many fail to do so.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4317673.ece
http://news.bbc.co.uk/2/hi/uk_news/politics/7500826.stm
--Printer Tracking Technology Raises Privacy Concerns
(July 14, 2008)
A feature built into many modern color laser printers is raising
concerns among civil liberties groups that individuals' privacy may be
eroded. The feature prints a pattern of tiny yellow dots, unique to the
printer, onto every page. The dots are invisible to the naked eye, but
when viewed under a blue LED light they can be read to identify the
printer that produced the page. The technology is intended to track
those who use color laser printers to create counterfeit money.
However, privacy advocates are concerned that it could also be used to
track and identify whistleblowers or dissidents in totalitarian regimes.
http://www.usatoday.com/tech/news/surveillance/2008-07-13-printer_N.htm
[Editor's Note (Skoudis): I find this article fascinating, especially
the comment by the director of the Central Bank Counterfeit Deterrence
Group, who is quoted as saying, "The Secret Service is the only U.S.
body that has the ability to decode the information." Oh, really? Then
what about the EFF document that describes how to decode the dots, which
I found with a simple Google search here:
http://w2.eff.org/Privacy/printers/docucolor. That link even has a
little web app in which you can click on a grid of dots, and it'll
automatically decode the info for you. Are we simply supposed to trust
this assertion of privacy through obscurity?]
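Skoudis's point that the encoding is public rather than secret is easier to see with a decoder in hand. The Python below is an added example written for this page; it is neither the newsletter's nor EFF's code. The grid layout it implements (15 columns by 8 rows; row 1 holds column parity and column 1 holds row parity; rows 2 to 8 of each column carry a 7-bit value with the high bit at the top; column 2 = minute, 5 = hour, 6 = day, 7 = month, 8 = two-digit year; columns 11 to 14 = the printer serial number as four two-digit groups) is the DocuColor scheme as recalled from the EFF guide and is an assumption: verify it against the linked EFF page before relying on it on a real scan. The encoder is included only so the sample grid can be constructed offline; it is not a scan of a real page.

```python
# Added example: encode and decode a DocuColor-style yellow-dot tracking grid.
# Not code from the newsletter or from EFF. The column/row layout below is the
# scheme as recalled from the EFF DocuColor guide and is an ASSUMPTION to be
# verified against that guide before use on real scans.
from typing import Dict, List

ROWS, COLS = 8, 15                      # 8 rows x 15 columns of dots
# Assumed field-to-column mapping (1-based columns).
TIME_FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLS = (11, 12, 13, 14)          # serial number, two decimal digits per column

Grid = List[List[int]]                  # grid[row][col], 1 = dot present


def empty_grid() -> Grid:
    return [[0] * COLS for _ in range(ROWS)]


def set_column(grid: Grid, col: int, value: int) -> None:
    """Write a 7-bit value into rows 2..8 of a 1-based column, MSB at row 2."""
    if not 0 <= value < 128:
        raise ValueError("column value out of range: %d" % value)
    for r in range(1, ROWS):            # 0-based rows 1..7 == printed rows 2..8
        grid[r][col - 1] = (value >> (ROWS - 1 - r)) & 1


def column_value(grid: Grid, col: int) -> int:
    """Read the 7-bit value stored in rows 2..8 of a 1-based column."""
    value = 0
    for r in range(1, ROWS):
        value = (value << 1) | grid[r][col - 1]
    return value


def add_parity(grid: Grid) -> None:
    """Set row 1 and column 1 so every data column and every row has an odd dot count."""
    for c in range(1, COLS):            # columns 2..15: column parity goes in row 1
        grid[0][c] = 1 if sum(grid[r][c] for r in range(1, ROWS)) % 2 == 0 else 0
    for r in range(ROWS):               # rows 1..8: row parity goes in column 1
        grid[r][0] = 1 if sum(grid[r][1:]) % 2 == 0 else 0


def parity_errors(grid: Grid) -> List[str]:
    """Return the rows/columns whose dot count is even (a damaged or forged grid)."""
    errors = []
    for c in range(1, COLS):
        if sum(grid[r][c] for r in range(ROWS)) % 2 == 0:
            errors.append("column %d" % (c + 1))
    for r in range(ROWS):
        if sum(grid[r]) % 2 == 0:
            errors.append("row %d" % (r + 1))
    return errors


def encode(minute: int, hour: int, day: int, month: int, year: int, serial: str) -> Grid:
    """Build the grid a printer would stamp for this timestamp and 8-digit serial."""
    if len(serial) != 8 or not serial.isdigit():
        raise ValueError("serial must be 8 decimal digits")
    values = {"minute": minute, "hour": hour, "day": day, "month": month, "year": year % 100}
    grid = empty_grid()
    for name, col in TIME_FIELDS.items():
        set_column(grid, col, values[name])
    for col, i in zip(SERIAL_COLS, range(0, 8, 2)):
        set_column(grid, col, int(serial[i:i + 2]))
    add_parity(grid)
    return grid


def decode(grid: Grid) -> Dict[str, object]:
    """Recover timestamp and serial; refuse grids that fail the parity check."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity check failed at " + ", ".join(errors))
    fields: Dict[str, object] = {}
    for name, col in TIME_FIELDS.items():
        fields[name] = column_value(grid, col)
    fields["year"] = 2000 + column_value(grid, TIME_FIELDS["year"])   # assumes a 20xx year
    fields["serial"] = "".join("%02d" % column_value(grid, c) for c in SERIAL_COLS)
    return fields


def render(grid: Grid) -> str:
    """ASCII picture of the grid: '#' = dot, '.' = blank (what a scan reduces to)."""
    return "\n".join("".join("#" if dot else "." for dot in row) for row in grid)


def parse(text: str) -> Grid:
    """Inverse of render(): turn an ASCII picture back into a grid."""
    rows = [line.strip() for line in text.strip().splitlines()]
    if len(rows) != ROWS or any(len(r) != COLS for r in rows):
        raise ValueError("expected %d rows of %d cells" % (ROWS, COLS))
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


if __name__ == "__main__":
    # Constructed sample (not a real scan): printed 21 May 2005 at 12:48, serial 21052857.
    sample = encode(48, 12, 21, 5, 2005, "21052857")
    print(render(sample))
    print(decode(sample))
```

The parity rows are what make the scheme robust against a smudged scan and what let a decoder reject a grid that was forged by hand without knowing the rule; under the assumed layout a single flipped dot shows up as both a bad row and a bad column, which also tells you where the damage is. The year column carries only two digits, so the century is a guess the decoder has to make.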
*************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/