SANS NewsBites Vol. 10 Num. 70

From: The SANS Institute (NewsBitessans.org)
Date: Fri Sep 05 2008 - 14:37:07 CDT



An especially interesting issue - especially the Top of the News
section. But the story under UPDATES and PATCHES about VMWare
vulnerabilities also deserves a close read. You can use it to help
catalyze your testing of whether your virtual systems are as actively
patched as your operating systems.
                                 Alan
*************************************************************************
SANS NewsBites September 5, 2008 Vol. 10, Num. 70
*************************************************************************
TOP OF THE NEWS
  ABA Resoundingly Says No PI Licenses For Computer Forensics
  Judges Question Constitutionality of Gag Orders Accompanying National
     Security Letters
  Former Professor Convicted of Arms Export Control Act Violations
  UK Consumer Groups Call on European Commission to Require Companies to
     Make Data Breaches Public
  Researchers Develop Heartbeat-Based Encryption for Implanted Medical
     Devices
THE REST OF THE WEEK'S NEWS
  LEGAL ISSUES
    Guilty Verdict in Filesharing Case Prompted by Evidence Tampering
  VULNERABILITIES
    Chrome Gets Some Dents
  UPDATES AND PATCHES
    September's Patch Tuesday Will Include Four Critical Bulletins
    VMware Issues Fixes for Multiple Vulnerabilities
  STUDIES AND STATISTICS
    Zombie Networks Growing
  MISCELLANEOUS
    Privacy Notices are Too Complicated
    Smart Phones Pose New Challenges for Digital Forensic Investigators
    Surveillance Cameras a Boon to Crime Fighting in Newark

*********** Sponsored By SANS SCADA Security Summit *******************
Hear about the most critical vulnerabilities in Control Systems and the
findings from the National SCADA Test Bed and Control Systems Security
Project from a national laboratory. Also register for Control Systems
Cyber Security Training. SANS Process Control and SCADA Summit September
8-9 - Amsterdam, NL.
http://www.sans.org/info/32819
*************************************************************************
TRAINING UPDATE
- NETWORK SECURITY 2008: Las Vegas (9/28-10/6) 50 courses; big tools
expo; lots of evening sessions: http://www.sans.org/ns2008
- Chicago (9/3-9/10) http://www.sans.org/chicago08 AUDIT & COMPLIANCE
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS

 --ABA Resoundingly Says No PI Licenses For Computer Forensics
(August 28, 2008)
At its annual meeting in August, the American Bar Association spoke
strongly to the states on the inadvisability of requiring those who
perform computer forensics services to obtain a private investigators
license.
http://ridethelightning.senseient.com/2008/08/aba-resoundingl.html

 --Judges Question Constitutionality of Gag Orders Accompanying National Security Letters
(August 28, 2008)
A panel of three judges from the US Second Circuit Court of Appeals
heard arguments in a case involving the constitutionality of gag orders
that often accompany National Security Letters sent by the FBI.
Recipients of the letters, which seek information pertaining to
investigations, are prohibited from making their receipt public. The
case is before the court because the US government is appealing a lower
court ruling that said the gag order violated the constitutional
guarantee of free speech. The original case was brought by the American
Civil Liberties Union (ACLU) on behalf of a small, unnamed internet
service provider.
http://www.reuters.com/article/topNews/idUSN2750234720080827?feedType=RSS&feedName=topNews&rpc=22&sp=true

 --Former Professor Convicted of Arms Export Control Act Violations
(September 3 & 4, 2008)
University of Tennessee Professor Emeritus J. Reece Roth has been
convicted on 18 charges of violating the Arms Export Control Act for
sharing restricted technology with students from Iran and China. Roth
allowed two graduate assistants access to data about a US Air Force
defense project involving "plasma-based guidance systems for the wings
of unmanned vehicles." Roth also was accused of taking reports and
related studies in his laptop to China during a lecture tour in 2006,
and having one report e-mailed to him there through a Chinese
professor's Internet connection. He could technically be sentenced to a
maximum of 10 years for each of 16 violations and a maximum of five
years for the other two, but it is likely he will receive a considerably
shorter sentence, "including the possibility of probation."
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/03/AR2008090303228_pf.html
http://tnjn.com/2008/sep/03/federal-jury-convicts-retired-/
http://www.guardian.co.uk/world/feedarticle/7772069
http://www.knoxnews.com/news/2008/sep/04/roth-case-may-be-lesson/

 --UK Consumer Groups Call on European Commission to Require
Companies to Make Data Breaches Public
(September 2 & 3, 2008)
The UK's National Consumer Council (NCC) and other European consumer
organizations have called upon the European Commission to introduce a
law that would require companies that suffer data security breaches to
acknowledge the incidents publicly. The measure's proponents say it
would make companies employ stronger security measures to protect
customer data. The NCC also wants the UK Information Commissioner's
Office to have increased powers, such as imposing fines for negligence
related to data security breaches. The ICO has pointed out that
determining the appropriate threshold for reporting breaches could be
tricky; if every minor incident receives coverage, people could become
inured to their presence and stop paying attention.
http://www.out-law.com/page-9400
http://news.zdnet.co.uk/security/0,1000000189,39483398,00.htm
http://www.ncc.org.uk/about_ncc/index.php
[Editor's Note (Schultz): The ICO's position is one that would in effect
create yet another "big brother" entity, something that would not be in
the best interests of individuals who are potential victims of data
security breaches. It would give authorities the power to withhold
notifications about data security breaches on the grounds that the
public could potentially be overwhelmed. Why not instead make all
information available, but provide mechanisms that make it possible for
individuals to create their own information filters if they so desire?]

 --Researchers Develop Heartbeat-Based Encryption for Implanted Medical Devices
(September 4, 2008)
Researchers from the Chinese University of Hong Kong have developed a
method of encrypting implanted medical device signals that uses the
patient's own heartbeat pattern as the encryption key. Because of minor
fluctuations in people's heartbeats, an attacker could not record a
heartbeat and use it at a later date.
http://www.heise-online.co.uk/security/Chinese-resarchers-use-heartbeats-against-implant-hacking--/news/111463
http://technology.newscientist.com/article/dn14648-heartbeat-patterns-could-keep-wireless-implants-secure.html?DCMP=ILC-hmts&nsref=news2_head_dn14648

************************** SPONSORED LINKS: *****************************
1) Attend the Forensics and Incident Response Summit October 13-14 in
Las Vegas to learn about the latest tools and techniques.
http://www.sans.org/info/32824

2) Free Content: SANS Analyst Program Whitepaper "Data Leakage
Landscape" sponsored by Utimaco & Trend Micro
http://www.sans.org/info/32829

3) Search IT security vendors by Defensive Wall categories in the SANS
Buyers Guide for INFOSEC Professionals!
http://www.sans.org/info/32834
*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
 --Guilty Verdict in Filesharing Case Prompted by Evidence Tampering
(September 2, 2008)
A man in Arizona has been ordered to pay US $40,850 for copyright
infringement. Jeffrey Howell had been set to stand trial for placing
songs in a shared folder of the Kazaa filesharing program. However, the
case will not go to trial because the judge agreed with the plaintiff's
request for a verdict on the grounds that the defendant had tampered
with and destroyed evidence. Howell formatted his computer's hard disk,
ran a data deletion program and reinstalled the operating system even
after he had been served the complaint against him.
http://www.heise.de/english/newsticker/news/115321
http://latimesblogs.latimes.com/technology/2008/09/riaa-file-shari.html
[Editor's Note (Honan): Use this as impetus to ensure your e-discovery
process communicates clearly to all employees what they can and cannot
do with the data on their machines once you have been served with an
e-discovery notice. ]

VULNERABILITIES
 --Chrome Gets Some Dents
(September 3, 2008)
People have already begun to find vulnerabilities in the beta version
of Google Chrome, the company's new web browser. In one scenario
involving a flaw in the WebKit engine and another in Java, users could
be tricked into downloading executable files. In another scenario, the
browser could be crashed when users click on maliciously crafted links.
Proof-of-concept code has been posted for both vulnerabilities.
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=210300297
http://www.scmagazineus.com/Google-Chrome-flaws-come-soon-after-browser-release/article/116251/
http://www.heise-online.co.uk/security/Google-Chrome-beta-comes-with-security-holes--/news/111458
[Editor's Note (Pescatore): Let's see: by my math, if you multiply the
security level of consumer-grade software times the security level of
beta code, you get a whole mess of vulnerabilities that will be easily
exploited. That said, I would love to see more competition in the
browser world drive browsers to simpler code bases with more focus on
security as the top feature, vs. trying to bundle in email clients and
all kinds of other stuff.
(Schultz): For a nice, unbiased view of Chrome security, visit
http://www.high-tower.com/blogs/bolcer/]

UPDATES AND PATCHES
 --September's Patch Tuesday Will Include Four Critical Bulletins
(September 4, 2008)
Microsoft will issue four security bulletins on Tuesday, September 9.
The bulletins will address vulnerabilities in Microsoft Windows,
Microsoft Office and Windows Media Player and Media Encoder. All four
bulletins have been given severity ratings of critical because each will
fix at least one remote execution flaw.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114116&source=rss_topic17
http://www.networkworld.com/news/2008/090408-microsoft-to-release-four-critical.html?hpg1=bn
http://www.scmagazineus.com/Microsoft-readies-four-patches-in-end-of-summer-update/article/116299/

 --VMware Issues Fixes for Multiple Vulnerabilities
(September 2, 2008)
VMware has issued patches to address at least 16 vulnerabilities in a
number of its products, including VMware Workstation, VMware Player,
VMware ACE, VMware Server and VMware ESX. The US Computer Emergency
Readiness Team (US-CERT) has also issued a warning about the flaws that
could be exploited to "execute arbitrary code, cause a denial-of-service
condition, access the system with elevated privileges, or obtain
sensitive information."
http://blogs.zdnet.com/security/?p=1839
http://news.zdnet.co.uk/security/0,1000000189,39483860,00.htm
http://lists.vmware.com/pipermail/security-announce/2008/000033.html
http://www.us-cert.gov/current/#vmware_releases_security_announcement

STUDIES AND STATISTICS
 --Zombie Networks Growing
(September 4, 2008)
According to statistics gathered by The Shadowserver Foundation, more
than 450,000 personal computers are now part of zombie networks; three
months ago, the number was just over 100,000. The Shadowserver
Foundation believes the increase is due to the rising number of sites
that have been manipulated to infect users' machines through SQL
injection attacks. While the number of compromised machines is rising,
the number of command and control (C&C) servers is falling. The
Shadowserver Foundation is a group of volunteers from the professional
security world.
http://news.bbc.co.uk/2/hi/technology/7596676.stm
http://www.heise-online.co.uk/security/Botnets-quadruple-in-size--/news/111465
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCount90-Days#toc1
[Editor's Note (Schultz): Given the statistics released in the past, I
suspect that 450,000 bot-infected computers is a gross underestimate.]

MISCELLANEOUS
 --Privacy Notices are Too Complicated
(September 4, 2008)
Internet Service Providers' (ISP) privacy notices would benefit from
simplified language, according to free-lance writer Erik Sherman.
Sherman ran the privacy policies of 23 ISPs through three different
readability schemes. Of the policies, the simplest is Yahoo's, which
requires the equivalent of a high school education; the most
complicated, from Insight Communications, requires approximately 21
years of education, the equivalent of five years of graduate school. For
the sake of comparison, Time magazine requires a ninth grade (US)
reading level and the Atlantic Monthly requires a reading level
commensurate with that of a college graduate. Several years ago, the
US Securities and Exchange Commission (SEC) required that proxy
statements about the compensation packages for executives of publicly
held companies be in readable English, or what translates to a
ninth-grade education.
http://industry.bnet.com/technology/1000391/privacy-policies-are-great-for-phds/

 --Smart Phones Pose New Challenges for Digital Forensic Investigators
(September 3, 2008)
Keith Foggon, who heads the UK's Serious Fraud Office's digital
forensics unit, says that the increased use of mobile devices has
created additional problems for those gathering digital forensic
evidence. Criminals can remotely wipe out evidence on smart phones. The
unit addresses this problem by isolating confiscated devices immediately
and not reconnecting them to their networks. However, because of the
rapid evolution of mobile devices, tools are not always readily
available to help investigators access all the information the devices
hold.
http://news.zdnet.co.uk/security/0,1000000189,39483848,00.htm
[Editors' Note (Schultz and Veltsos): Mr. Foggon's statements seem to
indicate that he is not familiar with Paraben Forensics' line of mobile
device forensics tools.
http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=173]

 --Surveillance Cameras a Boon to Crime Fighting in Newark
(August 25, 2008)
Newark (NJ) Mayor Cory Booker has deployed 111 surveillance cameras
around the city as part of his goal to drastically reduce the rate of
violent crime. The cameras are strategically placed in areas known to
experience greater levels of crime. Some privacy advocates have
expressed concern with the idea of public surveillance, saying, "The
costs are high, and the benefits in terms of law enforcement are low."
Newark's program has impressed organizations enough that they are moving
facilities into Newark, where the rents are half what they are in nearby
Manhattan. Murders in the city are down 40 percent over last year and
shootings are down 19 percent. More than 100 arrests have been made
based on videotaped evidence. The city has worked with the American
Civil Liberties Union (ACLU) to establish parameters to protect
citizens' privacy, including not allowing cameras to look inside
people's homes and storing the recorded images for no more than 30 days.
http://www.businessweek.com/print/technology/content/aug2008/tc20080822_240216.htm
[Editor's Comment (Northcutt): We live in an age where criminals pull
the wiring out of streetlights to sell the copper to buy drugs, putting
citizens at risk. What is done outside, on the streets, is public record
and law enforcement has both the right, and arguably, responsibility,
to monitor.
(Veltsos): Newark with its 111 cameras and 280,000 people (4 cameras per
1,000 people) is a long way from London which boasts 71 cameras per
1,000 people. Interesting debate on CCTV - Panacea or Problem at
http://www.securitymanagement.com/article/cctv-panacea-or-problem-004444]

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
