From: The SANS Institute (NewsBites sans.org)
Date: Fri Oct 03 2008 - 15:58:48 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Twenty Best Jobs in Cyber Security
Tens of thousands of young people are now considering careers in
cyber security and wondering about the types of jobs they can expect.
To help motivate the best and brightest to do the hard work needed to
qualify for this career field, we are publishing a booklet about the
best careers in cyber security. On Tuesday we'll turn on a global
survey to rate the good jobs but we want to make sure the ones in
the survey are a comprehensive set of the ones people like. If you
know of a great job title in security (examples already on the list:
vulnerability researcher, application penetration tester, security
auditor, security maven in the developer organization), send it to
us by Monday noon with a job title and a sentence or two about why
it is a cool job. Send to apaller sans.org with subject cool jobs.
Alan
*************************************************************************
SANS NewsBites September 26, 2008 Vol. 10, Num. 78
*************************************************************************
TOP OF THE NEWS
Schwarzenegger Vetoes Data Protection Act (Again)
Irish Justice Minister Wants Mandatory Data Loss Reporting
DHS to Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Court Says Woman May Sue County Clerk Over Identity Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
NIST Issues Three IT Security Documents
Camera Purchased on eBay Contains Sensitive MI6 Information
Malicious Code Detected on South Korean Military Contractor Systems
DATA PROTECTION & PRIVACY
Chinese Skype Users Under Surveillance
VULNERABILITIES
Denial-of-Service Vulnerability Found in TCP Stack
US-CERT Issues Warning on Clickjacking
DATA LOSS & EXPOSURE
Insurance Brokers' Data Exposed
MISCELLANEOUS
Remote Tracking Software Used to Find Alleged Laptop Thief
***************************** Sponsored By CA ***************************
How can your organization utilize identity management technologies to
cost-effectively manage and control user identities and demonstrate
security compliance? Information provided in this IDC whitepaper
can be used to guide your efforts on how to optimize and improve
identity management deployments to make them more efficient. Learn
more at http://www.sans.org/info/33884
*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington 30 courses; big security tools expo; lots
of evening sessions: http://www.sans.org/cdi08/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Schwarzenegger Vetoes Data Protection Act (Again)
(October 2, 2008)
California Governor Arnold Schwarzenegger has vetoed the Consumer
Data Protection Act. The bill, which was overwhelmingly approved
by both the State assembly and the state Senate, would have required
companies doing business in the state to put in place specific security
measures to protect customer data. It would also have required the
companies to provide more details about data breaches involving credit
and debit cards to affected individuals. Schwarzenegger said he
vetoed the legislation because "the marketplace has already assigned
responsibilities and liabilities that provide for the protection
of consumers." He also opposed the notion of requiring specific
security measures, because companies would then be locked into those
measures by the law and implementing new protections as new threats
arise could prove problematic. Governor Schwarzenegger vetoed a
similar bill last year.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116078&intsrc=hm_list
http://gov.ca.gov/pdf/press/AB1656_Jones_Veto_Message.pdf
[Editor's Note (Schultz): The most recent survey of Californians'
opinion of Gov. Schwarzenegger that I have seen indicated that 69
percent of those surveyed disapproved of the way he has conducted
himself in office. There should be little wonder why. His veto of the
California Data Protection Act is only the most recent of a series
of his shooting down legislative initiatives that would have greatly
benefited California residents.
(Veltsos): In his comments accompanying the veto, Governor
Schwarzenegger acknowledged the need to protect personal information
as being "increasingly critical" but noted that "by requiring
notification even where no information was obtained improperly, this
bill would likely result in significant costs to businesses and to
the state." This logic is flawed - following a security incident,
one simply cannot prove that unencrypted information was not stolen.
This veto also leaves Minnesota as the sole state with a law penalizing
merchants for data breaches, the Plastic Card Security Act of 2007.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020923 ]
--Irish Justice Minister Wants Mandatory Data Loss Reporting
(October 2, 2008)
Irish Justice Minister Dermot Ahern may mandate reporting the loss or
theft of any device that holds personally identifiable information. The
requirement would apply to government departments and state agencies as
well as banks and other organizations. Mr. Ahern wants to implement
mandatory prompt reporting of such incidents to the Data Protection
Commissioner; the public would be notified in serious cases. In the
last year alone, 35 government laptop computers and other data
storage devices have been lost or stolen. Labor Party Spokesperson
for Education and Science Ruairi Quinn TD has expressed concern and
disbelief that just three of 15 government departments have encrypted
their IT systems.
http://www.irishtimes.com/newspaper/ireland/2008/1002/1222815460443.html
http://www.siliconrepublic.com/news/article/11538/cio/lack-of-encryption-in-government-departments-riles-quinn
--DHS to Proceed With Spy-Satellite Surveillance Program Despite
Privacy Concerns
(October 1, 2008)
The US Department of Homeland Security (DHS) plans to go ahead with
the first phase of a satellite surveillance program called the National
Applications Office (NAO) despite concerns that NAO may not comply with
privacy laws. Through NAO, US government officials at the federal,
state and local levels gain access to data gathered by spy satellites
to help them with emergency response and domestic security issues.
A recent report from the Government Accountability Office (GAO) says
that there is no "assurance that NAO operations will comply with
applicable laws and privacy and civil liberties standards."
http://online.wsj.com/article/SB122282336428992785.html?mod=googlenews_wsj
************************* SPONSORED LINK *******************************
1) 2-Day Training Class Hosted by the FISMA Center FISMA 101:
Certification & Accreditation Concepts November 13-14, 2008 Columbia,
Maryland http://www.sans.org/info/33889
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
--Court Says Woman May Sue County Clerk Over Identity Theft
(September 30, 2008)
An Ohio appeals court has reversed a lower court decision that
dismissed an identity theft lawsuit brought against the Hamilton County
clerk of courts, allowing Cynthia Lambert the right to proceed with her
lawsuit. Lambert had sued the clerk, Greg Hartmann, after her identity
was used fraudulently following the posting of an image of a 2003
speeding ticket that contained personally identifiable information,
including her Social Security number (SSN), online. Someone using a
phony driver's license under Lambert's assumed identity made purchases
totaling more than US $20,000. The driver's license number used by
the data thief differed from Lambert's actual license number by one
digit, the same error made by the recording officer at the time the
ticket was written.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115900&source=rss_topic17
[Editor's Note (Schultz): The best solution for reducing data security
breaches is holding those who were negligent in defending against
them responsible for damages incurred. To its credit, the Ohio appeals
court in this story has acted accordingly.]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--NIST Issues Three IT Security Documents
(October 2, 2008)
The US National Institute of Standards and Technology (NIST)
has released three documents that offer guidance on issues of
information security. SP 800-121, Guide to Bluetooth Security,
provides recommendations for securing implementations of Bluetooth
technology. SP 800-115, Technical Guide to Information Security Testing
and Assessment, offers guidance for designing and conducting security
tests, analyzing the data generated by those tests, and implementing
solutions to detected problems. Both documents are in final form.
SP 800-82, Guide to Industrial Control Systems (ICS) Security, is a
draft document providing recommendations for securing Supervisory
Control and Data Acquisition (SCADA) systems, Distributed Control
Systems (DCS) and other system configurations. Public comment on
this document will be accepted through November 30, 2008.
http://www.gcn.com/online/vol1_no1/47273-1.html?topic=security
http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
--Camera Purchased on eBay Contains Sensitive MI6 Information
(September 30, 2008)
A man from Hemel Hempstead, England, who purchased a camera from eBay
for GBP 17 (US $30) found that it contained data from MI6, the British
Secret Intelligence Service, including pictures of rocket launchers,
log-in information for an encrypted Secret Service remote computer
network and detailed information about terrorist cells. The man
notified police, who initially did not take him seriously. However,
several days later, Special Branch officers went to the man's home and
seized the camera and his computer. He was also told not to speak
to the media. MI6 is trying to determine the identity of the agent
responsible for the leak. In a separate case, the civil servant who
left top secret documents on a train will be charged with violations
of the Official Secrets Act.
http://www.theregister.co.uk/2008/09/30/mi6_camera_sold_ebay/
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/30/AR2008093000994_pf.html
http://blogs.computerworld.com/mi6_camera_for_auction_on_ebay
[Editor's Note (Northcutt): We keep assuming that people do data
deletion when they surplus items, but we don't check. I bring this up
in the class I teach, Security Leadership Essentials, and can tell
I am not connecting with the students. Policy only works if someone
takes the compliance role seriously and tests for compliance.]
--Malicious Code Detected on South Korean Military Contractor Systems
(September 29 & October 1, 2008)
Malicious code has been detected on the computer systems of two
companies that provide weapons and vessels to the South Korean
military. LIGNex1, which manufactures guided missiles, discovered
the code in March, 2008; Hyundai Heavy Industries, a naval vessel
manufacturer, found the code last month. The National Security
Research Institute believes the people responsible for the code's
presence likely used it to steal information.
http://english.chosun.com/w21data/html/news/200809/200809290015.html
http://www.scmagazineuk.com/South-Korean-defence-suppliers-uncover-malicious-code/article/118477/
[Editor's Note (Veltsos): Government and defense contractors are
prime targets due to the sensitive nature of the data that they are
entrusted with; extra vigilance is required as attackers may use
custom-built malware to obtain military-grade secrets.
http://www.cio-today.com/news/Symantec-Warns-of-Federal-Threats/story.xhtml?story_id=022002NPN6WO
http://www.reuters.com/article/domesticNews/idUSN1638118020070717?sp=true ]
DATA PROTECTION & PRIVACY
--Chinese Skype Users Under Surveillance
(October 2 & 3, 2008)
Researchers and human rights activists have uncovered a surveillance
program in China that eavesdrops on the communications of Skype, which
operates in China as Tom-Skype. The system looks for certain words
and phrases that could indicate the conversations are addressing
controversial political and social issues, including Falun Gong,
democracy and powdered milk. The researchers discovered the
surveillance system in September when one of the researchers noticed
that each time he typed in a certain word, the message was sent to
a certain Internet address. He found that the messages were being
stored on Tom Online computers.
http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?partner=rssnyt&emc=rss&pagewanted=print
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116099&source=rss_topic17
http://www.vnunet.com/vnunet/news/2227440/chinese-government-spying-skype
http://news.bbc.co.uk/2/hi/science/nature/7649761.stm
VULNERABILITIES
--Denial-of-Service Vulnerability Found in TCP Stack
(October 2, 2008)
Swedish researchers have uncovered flaws in the TCP stack that could be
exploited to create denial-of-service conditions. The attack can be
carried out in less than five minutes and exploits the way resources
are allocated after a successful three-way handshake. The problem
was discovered while the researchers were testing a scanning tool.
More information about the issue is expected to be presented at the
T2'08 Information Security Conference later this month in Helsinki.
http://www.securityfocus.com/brief/831
http://news.cnet.com/8301-1009_3-10056759-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.heise-online.co.uk/security/Speculation-surrounds-DoS-vulnerability-in-the-TCP-protocol--/news/111651
--US-CERT Issues Warning on Clickjacking
(September 26 & 29, 2008)
Concerns about clickjacking, a cross-platform browser attack technique,
have prompted the US Computer Emergency Readiness Team (US-CERT)
to issue a warning. Until a fix is available, users can protect
themselves by disabling scripting and plug-ins in their browsers.
The researchers who discovered the clickjacking vulnerability had
planned to present their findings at a conference in September, but
grew concerned about the technique's severity and chose to notify
vendors and allow them time to develop fixes.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210604261
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=rss_topic17
http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by
DATA LOSS & EXPOSURE
--Insurance Brokers' Data Exposed
(September 30, 2008)
Blue Cross & Blue Shield of Louisiana is offering one year of
free credit monitoring to 1,800 insurance brokers whose personally
identifiable information was accidentally exposed. In late September,
the insurance company sent out an email alerting the brokers to
a software upgrade; a document containing all the brokers' phone
numbers, addresses and SSNs was inadvertently attached to the message.
Blue Cross has asked the brokers to delete the data and confirm that
they have done so; the company has made changes to ensure that a
similar error does not occur.
http://www.businessinsurance.com/cgi-bin/news.pl?id=14084
MISCELLANEOUS
--Remote Tracking Software Used to Find Alleged Laptop Thief
(October 1 & 2, 2008)
A White Plains, NY man used remote tracking software to identify the
person who stole his laptop computer. Jose Caceres's computer was
stolen when he left it on top of his car while carrying items into
his home. His initial attempts at using remote tracking software
to find the culprit yielded little more than the thief's fondness
for pornography, but eventually the suspect typed in his name and
address while registering on a website. Caceres was able to provide
police with adequate information for them to arrest Gabriel Mejia,
who has been charged with grand larceny.
http://www.theregister.co.uk/2008/10/02/laptop_theft_suspect_busted/print.html
http://www.cnn.com/2008/TECH/10/01/laptop.tracker.ap/index.html?eref=rss_tech
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level
IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as
Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune
50 company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFI5oHq+LUG5KFpTkYRAkfAAJ9MCinzbbiCdsfDpv7OjkoCmo/EYQCePqM7
x9AT08OWQvaMP7b/p4y7HOQ=
=cbdg
-----END PGP SIGNATURE-----