From: The SANS Institute (NewsBites@sans.org)
Date: Fri Oct 31 2008 - 12:42:01 CDT
SCADA and Process Control Security - Some Good News for a Change.
American utilities have made a 180 degree turn in the past five months
- no longer trying to claim that their control systems are "safe from
cyber attacks." As a result, oversight organizations (like NERC, North
American Energy Reliability Corporation) have stepped up to help them
measure the effectiveness of their security using the right metrics, and
are reaching for consensus on what must be done to secure the systems
and how utilities can be sure they have done the right things. Many of
the utilities that have already demonstrated how to make their security
more effective are getting together in Orlando in early February to
share the lessons they learned. The February "Summit" is open to
utilities, government agencies, control systems vendors, and the service
providers who help secure those systems. Registration and preliminary
program information is at http://sans.org/scada09_summit/
Speaking of "the right metrics for measuring security," this paragraph
is for our US government and government contractor readers. There seems
to be a growing chorus saying that government inspectors general (IGs)
are not measuring the effectiveness of (attack-based) security controls,
and, since IGs are the trusted "watchers," the massive failures of
federal cyber security may be substantially attributed to IG reliance
on non-technical, "checklist" audits. The Government Accountability
Office (GAO) has testified repeatedly that security assessments are NOT
measuring effectiveness. Is there specific evidence that supports the
position that IGs are measuring the wrong things? Email
apaller@sans.org with evidence either way. Your responses will be
absolutely confidential.
Alan
*************************************************************************
SANS NewsBites October 31, 2008 Vol. 10, Num. 86
*************************************************************************
TOP OF THE NEWS
UK Government Data Breaches Raise Concerns About Proposed Database
Appeals Court Upholds Decision, Reversing Case That Allowed Business
Method Patents
Court Rules Running Hashes Constitutes Fourth Amendment Search
Study Finds Security Policy Adherence Problems
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Tenenbaum Indicted in New York
Cyber Saboteur Gets Six Months in Prison
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Commission Will Draw Up Cyber Security Advice for Next President
UPDATES AND PATCHES
Opera 9.62 Addresses Critical Hole in Browser
STANDARDS
NIST Releases Documents on Key Management, Security in System
Development Life Cycle and HIPAA Rule Implementation
STATISTICS, STUDIES & SURVEYS
RSA Wireless Security Study
MISCELLANEOUS
ICANN Tells EstDomains its Registrar Accreditation Will be Revoked
New Zealand Police Want Mandatory Registration for Pre-Paid Cell
Phone Purchases
************************* Sponsored By CA *******************************
How can your organization utilize identity management technologies to
cost-effectively manage and control user identities and demonstrate
security compliance? Information provided in this IDC whitepaper can be
used to guide your efforts on how to optimize and improve identity
management deployments to make them more efficient. Learn more at
http://www.sans.org/info/34829
*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- Monterey (10/31-11/6) http://www.sans.org/info/30738
- Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--UK Government Data Breaches Raise Concerns About Proposed Database
(October 29, 2008)
According to statistics released by the UK Information Commissioner's
Office (ICO), the public sector reported 176 data breaches last year,
while the private sector reported 80. Of those in the public sector,
75 were at NHS and other health-related organizations, 28 in central
government and 26 in local government. Information Commissioner Richard
Thomas expressed "alarm that despite high profile data losses, the
threat of enforcement action, a plethora of reports on data handling and
clear ICO guidance, the flow of data breaches and sloppy information
handling continues." Thomas called on company executives to take
responsibility for the personal data their companies hold instead of
leaving it to the IT departments. He also used the figures to
underscore his push for caution in creating large databases of personal
information.
http://news.bbc.co.uk/2/hi/uk_news/politics/7697093.stm
http://www.silicon.com/silicon/research/specialreports/agenda-setters-2008/ceos-told---take-responsibility-for-toxic-data-39330308.htm
http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=10539909
[Editor's Note (Honan): Having attended that keynote speech, it was
interesting to note that despite his concerns about the numbers of data
breaches Mr. Thomas feels that there is no need to introduce mandatory
breach disclosure laws into the UK. His concerns focused on adding
additional burden on businesses and causing "breach fatigue" amongst the
public if they get too many notices. Is this not ignoring the fact that
companies should be better protecting people's data in the first place
so they need not get these notifications?]
--Appeals Court Upholds Decision, Reversing Case That Allowed
Business Method Patents
(October 30, 2008)
The United States Court of Appeals for the Federal Circuit this week
ruled nine to three to uphold a lower court decision that could reverse
the landmark State Street Bank vs. Signature Financial Group case. That
case, decided in 1998, found that business methods for computer commerce
were patentable, and led to successful applications for patents for
Amazon.com's "1-Click" checkout and Priceline.com's "name your own
price" and various other tools.
http://bits.blogs.nytimes.com/2008/10/30/federal-court-kills-patents-on-business-methods/?pagemode=print
http://www.groklaw.net/article.php?story=20081030150903555
http://blogs.wsj.com/law/2008/10/30/court-reverses-position-on-business-methods-patents-in-bilski-case/?mod=googlenews_wsj
http://www.groklaw.net/pdf/07-1130.pdf
--Court Rules Running Hashes Constitutes Fourth Amendment Search
(October 29, 2008)
A US District Court has ruled that computing hash values of the files on
a computer constitutes a Fourth Amendment search (meaning a warrant would
have been needed for the evidence to be admissible in court). The ruling
suppresses evidence found by police on Robert Crist's computer. Because
Crist had fallen behind on his rent, his landlord hired people to move
his belongings to the curb. A friend of the movers picked up his
laptop, and when Crist discovered the pile of his property outside, he
reported his computer stolen. Crist's friend allegedly found images of
child pornography on the machine and called the police, who then ran
hashes on the machine to determine if it contained files known to be
child pornography. The decision will likely be appealed.
http://volokh.com/archives/archive_2008_10_26-2008_11_01.shtml#1225159904
http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html
[Editor's Note (Schultz): This ruling reinforces the message that cyber
lawyer Mark Rasch constantly conveys, namely that the law and common
sense often do not dovetail with each other.
(Northcutt): This is the second time recently kiddie porn has been the
basis of a major court decision, the other was:
http://lists.sans.org/pipermail/list/2007-December/026802.html
Anyway, this is a very complex case, when I first read it I thought it
was open and shut, but Crist had no expectation his property would be
transferred to another person, so while the issue of crypto hashes as
part of search and seizure is important, my guess is this is too muddy
to establish strong case law. And we still have the issue of reliability
of hashes to consider: http://en.wikipedia.org/wiki/Hash_collision ]
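The technique at issue in the Crist case is hash-set matching: compute a digest of every file on a drive and compare it against a list of digests of known files. The following is an added example, not code from the newsletter or from any forensic tool it mentions; the known-hash list, the sample files and the function names (file_digests, scan_directory, corroborated_matches, demo) are all constructed for this illustration. It also speaks to Northcutt's reliability point: digests are recorded per algorithm, so a file that matches only under MD5 (for which collisions are known) is reported separately from one that matches under both MD5 and SHA-256.

```python
"""Known-file hash matching over a directory tree (added example, constructed data)."""
import hashlib
import os
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 16):
    """Return {algorithm: hexdigest} for one file, reading it in chunks so
    large evidence files never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_known_set(contents, algorithms=ALGORITHMS):
    """Build {algorithm: {hexdigest, ...}} from reference contents. A real
    hash list ships only the digests; content is used here just to construct one."""
    known = {alg: set() for alg in algorithms}
    for data in contents:
        for alg in algorithms:
            known[alg].add(hashlib.new(alg, data).hexdigest())
    return known


def scan_directory(root, known, algorithms=ALGORITHMS):
    """Walk root and return (path, algorithm, digest) for every file whose
    digest appears in the known set. File names are irrelevant: only bytes matter."""
    matches = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            for alg, digest in file_digests(path, algorithms).items():
                if digest in known.get(alg, set()):
                    matches.append((str(path), alg, digest))
    return matches


def corroborated_matches(matches, algorithms=ALGORITHMS):
    """Split matches into files that hit under every algorithm (strong) and files
    that hit under only some (weak, e.g. an MD5-only entry from a legacy list)."""
    by_path = {}
    for path, alg, _digest in matches:
        by_path.setdefault(path, set()).add(alg)
    wanted = set(algorithms)
    strong = sorted(Path(p).name for p, algs in by_path.items() if algs == wanted)
    weak = sorted(Path(p).name for p, algs in by_path.items() if algs != wanted)
    return strong, weak


# Constructed stand-ins for files on a known-hash list; nothing here is real evidence.
KNOWN_CONTENT = b"constructed stand-in for a file on a known-hash list\n"
LEGACY_CONTENT = b"constructed stand-in for an entry that only has an MD5 on file\n"


def demo():
    """Create a scratch directory with constructed files, scan it, and return
    (strong_matches, weak_matches) as sorted file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vacation.jpg").write_bytes(KNOWN_CONTENT)        # same bytes, innocuous name
        (root / "notes.txt").write_bytes(b"grocery list\n")      # unrelated file
        (root / "sub").mkdir()
        (root / "sub" / "copy.bin").write_bytes(KNOWN_CONTENT)   # second copy, nested
        (root / "old.dat").write_bytes(LEGACY_CONTENT)           # only its MD5 is on the list

        known = build_known_set([KNOWN_CONTENT])
        known["md5"].add(hashlib.md5(LEGACY_CONTENT).hexdigest())  # legacy MD5-only entry
        return corroborated_matches(scan_directory(root, known))


if __name__ == "__main__":
    strong, weak = demo()
    print("matched under all algorithms:", strong)
    print("matched under some algorithms only:", weak)
```

Renaming a file changes nothing here, which is why the technique works, and why the court treated it as a search: the digests reveal the contents of files the examiner never opened. The weak list is the place to look when a hash list is MD5-only; a second, independent digest is what turns "same MD5" into "same file".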
--Study Finds Security Policy Adherence Problems
(October 28 & 29, 2008)
A Cisco-commissioned study found that employees at businesses in 10
countries around the world are often unaware of their companies'
security policies, or the employees ignore the policies because they
hinder productivity. When surveyed about whether their companies had
security policies, there was a 20 to 30 percent gap between responses
from IT professionals and other employees. When asked why security
policies are violated, IT professionals pointed to ignorance, while
other employees said it was because the policies made it more difficult
for them to do their jobs. The study surveyed more than 2,000 employees
and IT professionals at companies in the US, the UK, France, Germany,
Italy, Japan, China, India, Australia and Brazil.
http://www.eweek.com/c/a/Security/Cisco-Study-Highlights-Common-Failures-of-Enterprise-Security-Policies/
http://www.computerworld.com.au/index.php/id;1866823251;fp;4;fpid;78268965
************************* SPONSORED LINK ******************************
1) Sign up for SANS Webcast: Keeping Trusted Endpoints Honest: Using
IDS/IPS for Post-Connect NAC Tuesday, November 4, 2008 at 1:00 PM EST
Sponsored By StillSecure
http://www.sans.org/info/34834
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
--Tenenbaum Indicted in New York
(October 29 & 30, 2008)
Ehud Tenenbaum has been indicted in New York on charges of access device
fraud and conspiracy to commit access device fraud. The indictment
alleges that Tenenbaum "did knowingly and with intent to defraud effect
transactions with one or more access devices issued to another person
or persons." Last month, Tenenbaum and three accomplices were arrested
in Canada for allegedly breaking into computer systems to increase
limits on prepaid debit and credit cards and using those cards to
withdraw US $1.7 million. In 1998, Tenenbaum broke into unclassified
computer systems at the Pentagon in what was then called "the most
organized and systematic attack to date" on US defense department
computers.
http://www.theregister.co.uk/2008/10/30/analyzer_hacker_indictment/
http://blog.wired.com/27bstroke6/2008/10/israeli-hacker.html
--Cyber Saboteur Gets Six Months in Prison
(October 28, 2008)
A federal judge has sentenced contract systems administrator Priyavrat
Patel to six months in prison for deliberately sabotaging three servers
at his former employer's business. Patel will also serve three years
of supervised release, the first six months of which will be in home
confinement, and pay US $120,000 in restitution. Patel was upset over
having been fired from his contract position at Connecticut tool
manufacturer Pratt-Read; he removed critical boot-up files from the
three servers, forcing the company to rely on paper records for two
weeks while the damage was repaired. Patel had accessed the servers from
his home in late November 2007.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118362&source=rss_topic17
http://newhaven.fbi.gov/dojpressrel/2008/nh102808b.htm
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Commission Will Draw Up Cyber Security Advice for Next President
(October 28, 2008)
The Commission on Cyber Security for the 44th Presidency is developing
a body of advice for the next president, some of which may not be in
concert with President Bush's Cyber Initiative. Commission co-chair
Rep. Jim Langevin (D-R.I.) points out that while the Cyber Initiative
is a "good start," the commission's findings draw from an array of
experts in their fields. One of the more controversial recommendations
is to move the lead for cyber security from its present location at the
Department of Homeland Security (DHS) to a position in the White House.
http://www.gcn.com/online/vol1_no1/47459-1.html?page=1
UPDATES AND PATCHES
--Opera 9.62 Addresses Critical Hole in Browser
(October 30, 2008)
Opera has released version 9.62 of its flagship browser to address a
critical arbitrary code execution vulnerability in the "history search"
page that was disclosed late last week. The update also fixes a
cross-site scripting vulnerability in the browser's links panel. The
release of Opera 9.62 follows that of Opera 9.61 by one week.
http://www.heise-online.co.uk/security/Opera-closes-critical-hole-in-web-browser--/news/111831
http://www.scmagazineus.com/Opera-Software-fixes-flaw-with-browser-version-962/article/120214/
http://www.opera.com/support/search/view/906/
http://www.opera.com/support/search/view/907/
STANDARDS
--NIST Releases Documents on Key Management, Security in System
Development Life Cycle and HIPAA Rule Implementation
(October 27, 2008)
The National Institute of Standards and Technology (NIST) has released
three documents. Special Publication 800-57, "Recommendation for Key
Management Part 3: Application Specific Key Management Guidance," is a
draft document aimed at helping "system administrators and system
installers adequately secure applications based on product availability
and organizational needs and to support organizational decisions about
future procurements." Comments on the draft document will be accepted
through January 16, 2009. Special Publication 800-64, "Security
Considerations in the System Development Life Cycle," is a document in
its final form that "has been developed to assist federal government
agencies in integrating essential IT security steps into their
established IT system development life cycle." Special Publication
800-66, "An Introductory Resource Guide for Implementing the Health
Insurance Portability and Accountability Act (HIPAA) Security Rule," is
also in its final form.
http://www.gcn.com/online/vol1_no1/47450-1.html?topic=security
http://csrc.nist.gov/publications/drafts/800-57-part3/Draft_SP800-57-Part3_Recommendationforkeymanagement.pdf
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
STATISTICS, STUDIES & SURVEYS
--RSA Wireless Security Study
(October 27 & 28, 2008)
RSA's seventh annual wireless security survey looked at wireless
networks in London, New York and Paris. Most corporate access points
in the three cities are using some form of encryption. In New York, 97
percent of access points are protected by encryption; in Paris, 94
percent are encrypted; and in London, 80 percent are encrypted.
Homeowners with wireless access points appear to be more careful than
companies; the percentages of wireless home networks with encryption in
Paris, New York and London are 98 percent, 97 percent and 90 percent,
respectively.
http://www.theregister.co.uk/2008/10/28/rsa_wireless_security_survey/
http://www.eweek.com/c/a/Security/RSA-Wireless-Security-Making-Headway-Though-Vulnerabilities-Remain/
MISCELLANEOUS
--ICANN Tells EstDomains its Registrar Accreditation Will be Revoked
(October 29 & 30, 2008)
The Internet Corporation for Assigned Names and Numbers (ICANN) says
that EstDomains' registrar accreditation will be revoked on November 12.
EstDomains is a domain name registrar that is known to register shady
domains used in the commission of cybercrime. The reason given for the
revocation is that company president Vladimir Tsastsin was convicted in
an Estonian court on credit card fraud charges. Many domain names
registered by EstDomains have been used in spam, phishing, malware
spreading and drug sale schemes. US network provider Intercage also
ended its contract with EstDomains when it was faced with termination
of service from its upstream providers for similar reasons.
Update: The revocation has been temporarily stayed while ICANN hears
EstDomains' response to the charges against Tsastsin.
http://www.theregister.co.uk/2008/10/29/estdomains_gets_deaccredited/
http://www.vnunet.com/vnunet/news/2229394/estdomains-fighting-life
http://www.securityfocus.com/brief/847
The letter explaining the ICANN point of view:
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf
The reply from EstDomains to ICANN:
http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf
[Guest Editor's Note (Frantzen): Should ICANN go forward with this, the
281,000 domains under care of EstDomains will need to be migrated
according to established procedure.
http://www.icann.org/processes/registrars/de-accredited-registrar-transition-procedure-01oct08.pdf]
--New Zealand Police Want Mandatory Registration for Pre-Paid
Cell Phone Purchases
(October 28 & 29, 2008)
Police in New Zealand have called for mandatory registration for people
buying prepaid cell phones. There has been concern that criminals use
the phones, which presently require no information to purchase, to
communicate with each other in untraceable ways. The president of the
Auckland Council for Civil Liberties says the change would be intrusive,
and that lost and/or stolen phones then used for criminal activity could
draw legitimate owners into the morass of investigations.
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539844
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539719
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Will Pelgrin is Chief Information Security Officer of New York State,
chair of the Multi-State Information Sharing and Analysis Center and
co-chair of the National ISAC Council.
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/