From: The SANS Institute (NewsBites sans.org)
Date: Tue Aug 04 2009 - 12:40:36 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Good news on adoption of the 20 Critical Controls (CAG) - see the first
story. The next step is to change HIPAA and GLB to allow them to use
the 20 Critical Controls as a minimum standard of due care.
Alan
*************************************************************************
SANS NewsBites August 4, 2009 Vol. 11, Num. 61
*************************************************************************
TOP OF THE NEWS
NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the
Twenty Critical Controls (Consensus Audit Guidelines)
DoD Revisiting Social Media Policy
Contractor Repays Government for Inadequate Security
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Hathaway to Step Down
ARRESTS, INDICTMENTS & SENTENCES
Man Faces Felony Charges for Allegedly Stealing and Reselling
Domain Name
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Boston Univ. Student Fined US $675,000 for Filesharing
UPDATES AND PATCHES
Adobe Issues Critical Updates for Reader and Acrobat
Apple Issues Fix for SMS Vulnerability
DATA BREACHES, LOSS & EXPOSURE
Data Security Breach Compromised Personal Data of 27,000 US Commerce
Dept. Employees
MALWARE
Twitter Filtering Some Malicious Links
MISCELLANEOUS
Suspicious ATMs at DefCon
************************* Sponsored By Oracle ***************************
FREE Database Security Resource Kit
Learn how Oracle can help you address data privacy, insider threats, and
regulatory compliance. Request your free resource kit with technical
white papers, step-by-step tutorials, as well as analyst reports, expert
webcasts, and a self-assessment tool to get you started today.
http://www.sans.org/info/46929
*************************************************************************
TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22;
the Fall's biggest security training conference-- 20 full length
courses and 16 short courses plus a big exhibition
http://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus
short courses: http://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in
Washington; courses in the following days
http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Atlanta, Canberra, Cairo, Stockholm, Dubai, Dublin & Rome all in
the next 90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************
TOP OF THE NEWS
--NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the
Twenty Critical Controls (Consensus Audit Guidelines)
(August 3, 2009)
The National Institute of Standards and Technology (NIST) has published
the final version of SP 800-53, Revision 3, "Recommended Security
Controls for Federal Information Systems and Organizations." The
document is the first major revision of guidelines for implementing the
Federal Information Security Management Act (FISMA) since 2005. Among the changes
in this updated version are "A simplified, six-step Risk Management
Framework; Recommendations for prioritizing security controls during
implementation or deployment; and Guidance on using the Risk Management
Framework for legacy information systems and for external information
system services providers." The new version of 800-53 solves three
fatal problems in the old version - calling for common controls (rather
than system by system controls), continuous monitoring (rather than
periodic certifications), and prioritizing controls (rather than asking
IGs to test everything). Those are the three drivers for the 20
Critical Controls (CAG). In at least five agencies, contractors that
previously did 800-53 evaluations are being re-assessed on their ability
to implement and measure the effectiveness of the 20 Critical Controls
in those agencies. One Cabinet-level Department has proven that
implementing the 20 Critical Controls with continuous monitoring reduced
the overall risk by 84% across all departmental systems world-wide.
http://gcn.com/Articles/2009/08/03/NIST-release-of-800-53-rev-3-080309.aspx
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf
[Editor's Note (Paller): This is very good news. John Gilligan reports
that a new version of the 20 Critical Controls document will be released
next week with a table, put in the document at NIST's request, showing
how the 20 Critical Controls are a proper subset of the priority one
controls in the revised 800-53. A course on implementing and testing
the 20 Critical Controls will be run in San Diego next month and in
Chicago in October https://rr.sans.org/ns2009/description.php?tid=3467.]
--DoD Revisiting Social Media Policy
(July 31 & August 3, 2009)
US Strategic Command is reviewing the safety of social media like
Facebook, MySpace and Twitter to help reevaluate Defense Department
(DoD) policy regarding their use. The primary concerns are attackers
using the sites to get malware on DoD networks, and employees posting
too much personal information online. Social media sites were once
banned from DoD networks, but earlier this summer, the US Army ordered
that all US bases must allow access to Facebook.
http://fcw.com/articles/2009/08/03/dod-rethinking-social-media-access.aspx
http://gcn.com/Articles/2009/07/31/DOD-ban-social-media-security-issues.aspx
http://www.scmagazineus.com/DoD-might-reblock-Facebook-Twitter/article/141103/
[Editor's Note (Pescatore): It wasn't all that long ago when this same
article came out saying "DoD Revisiting Internet Access Policy" and then
"DoD Revisiting Blackberry Use Policy" and then "DoD Revisiting WLAN Use
Policy" dot dot dot. If human beings start to use a technology,
businesses and government agencies that employ human beings will
inevitably move from blocking to containing to securing that
technology.]
--Contractor Repays Government for Inadequate Security
(July 25, 2009)
A US government contractor has repaid US $1.3 million of a US $5.4
million Pentagon contract after investigators found that the company's
cyber security was inadequate and that a subcontractor's computer system
was infiltrated through an Internet address based in China. The
intruder gained "total access to the root network." Apptis Inc.'s
contract involved "software maintenance, updates and testing for a
Military Health System program."
http://www.washingtontimes.com/news/2009/jul/25/contractor-returns-money-to-pentagon/
[Editor's Note (Ranum): When the decision is made to contract out a
capability "in order to save costs" there should be a public
after-action assessment of the cost-consequences of that choice. I
suspect that a vast number of outsourcing projects look like savings on
paper but actually are financial black holes that haven't fully
developed yet.]
**************************** SPONSORED LINK *****************************
1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote
from IDC
http://www.sans.org/info/46934
*************************************************************************
THE REST OF THE WEEK'S NEWS
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--Hathaway to Step Down
(August 3, 2009)
Acting cyber security coordinator Melissa Hathaway has announced that
she will step down from that position later this month for personal
reasons. Hathaway, who conducted the 60-day cyber security review for
President Obama earlier this year, had been considered to be a top
contender for the as-yet unfilled permanent post. A White House
spokesperson said that the reason the post remains unfilled is that the
president has been occupied with "other pressing matters." Some former
White House officials have wondered if people are reluctant to take on
a job that requires answering to two bosses (the National Security and
National Economic Council advisers) and has "no authority over the
departments and agencies with regard to budget and operations." There
are some in the security field who say that the position should not be
filled at all.
http://blogs.usatoday.com/ondeadline/2009/08/white-house-cyber-czar-quits.html
http://online.wsj.com/article/SB124932480886002237.html?mod=googlenews_wsj
http://www.computerworld.com/s/article/9136207/Report_Hathaway_resigns_as_acting_cybersecurity_czar?taxonomyId=1
http://www.wired.com/dangerroom/2009/08/white-house-cyber-czar-resigns-good-riddance/
[Editor's Note (Paller): Another example of the gracious leadership of
Ms. Hathaway. By leaving she provides quiet but effective pressure on
the White House senior staff to announce the new Cyber Czar.]
ARRESTS, INDICTMENTS & SENTENCES
--Man Faces Felony Charges for Allegedly Stealing and Reselling
Domain Name
(August 3, 2009)
A New Jersey man has been arrested and charged with theft by unlawful
taking or deception, identity theft and computer theft for allegedly
stealing the domain name P2P.com and selling it to a California man for
US $111,000. Daniel Goncalves will be the first person to be prosecuted
for domain name theft. The domain name was registered with GoDaddy.com.
http://www.msnbc.msn.com/id/32270824/ns/technology_and_science-tech_and_gadgets/
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Boston Univ. Student Fined US $675,000 for Filesharing
(July 31 & August 3, 2009)
Boston University student Joel Tenenbaum has been fined US $675,000 for
illegally downloading 30 songs and making them available to others. The
jury found Tenenbaum guilty of willful copyright infringement and
imposed a US $22,500 fine for each song, significantly less than the
maximum allowable fine of US $150,000 per song. Tenenbaum's defense was
dealt a major blow when the judge in the case issued a pre-trial ruling
that disallowed Tenenbaum's planned "fair use" argument. Tenenbaum has
asked that people not make donations to help him, saying he will declare
bankruptcy if his appeal is unsuccessful. Money already donated will
be paid to his legal team, many of whom worked for no pay.
http://www.computerworld.com/s/article/9136159/Tenenbaum_hit_with_675_000_fine_for_music_piracy?taxonomyId=17
http://news.bbc.co.uk/2/hi/technology/8177285.stm
http://www.msnbc.msn.com/id/32236444/ns/technology_and_science-security/
UPDATES AND PATCHES
--Adobe Issues Critical Updates for Reader and Acrobat
(August 3, 2009)
Adobe has released updates for Reader and Acrobat on Windows, Mac, and
Unix to address critical flaws related to Flash content. The
vulnerabilities are being actively exploited. Users are encouraged to
update to Adobe Reader 9.1.3 as soon as possible. Those already running
Reader version 9.x can update to 9.1.3 with the automatic update
function. Users who download Reader for Windows from the Adobe site
should be aware that the version they receive is 9.1. If they download
that version, they will still need to update to version 9.1.3. Windows
and Mac users will need to download completely new versions of Adobe
Acrobat.
http://www.h-online.com/security/Adobe-patches-vulnerability-in-Reader-and-Acrobat--/news/113910
[Editor's Note (Northcutt): I think organizations should avoid Adobe if
possible. Adobe security appears to be out of control, and using their
products seems to put your organization at risk. Try to minimize your
attack surface. Limit the use of Adobe products whenever you can.]
--Apple Issues Fix for SMS Vulnerability
(July 31, August 1 & 3, 2009)
Apple has fixed a vulnerability that affects iPhones and other devices
just one day after it was disclosed at the Black Hat security
conference. The SMS (short message service) memory corruption flaw
could be exploited to create a denial-of-service condition, rendering a
device unable to connect to the Internet, or even to take control of the
vulnerable device.
http://www.theregister.co.uk/2009/07/31/iphone_sms_vulnerability_patch/
http://www.scmagazineus.com/Apple-patches-iPhone-text-message-vulnerability/article/141078/
http://www.h-online.com/security/Apple-closes-hole-in-iPhone-SMS--/news/113904
DATA BREACHES, LOSS & EXPOSURE
--Data Security Breach Compromised Personal Data of 27,000 US
Commerce Dept. Employees
(August 3, 2009)
According to a letter sent to employees of the US Commerce Department,
a National Finance Center employee sent an unencrypted Excel spreadsheet
containing employees' personal information to a co-worker via email.
The compromised information includes names and Social Security numbers
(SSNs). The event occurred in mid-July. The Commerce Department is
working out details of an agreement with a private company to monitor
for potential cases of identity fraud and affected employees have been
advised to set up alerts with credit agencies.
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/03/AR2009080302013_pf.html
MALWARE
--Twitter Filtering Some Malicious Links
(August 3, 2009)
Twitter has begun notifying users when they post links to known
malicious websites. No formal announcement has been made, but
researchers have noticed the change and applaud Twitter's decision.
While the filtering is a step in the right direction, malicious URLs
that were shortened or lacked the www subdomain were not caught.
http://www.scmagazineus.com/Researchers-laud-Twitter-alerts-on-bad-links/article/141114/
http://www.theregister.co.uk/2009/08/03/twitter_applies_malware_filter/
http://blogs.wsj.com/digits/2009/08/03/twitter-begins-filtering-links/
http://www.computerworld.com/s/article/9136213/Twitter_now_blocking_bad_URLs_but_imperfectly?source=rss_security
Apparently Twitter is using Google's blacklist of suspected phishing and
malware pages.
http://www.itpro.co.uk/613498/twitter-using-google-blacklist-to-filter-malicious-links
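The two misses reported above (shortened links and hosts without the "www" label) are the classic failure modes of matching a posted URL against a blocklist as a literal string. The example below is added here and is not Twitter's or Google's code; Twitter's actual lookup mechanism is not described on this page. It uses constructed example domains and a constructed redirect table standing in for a shortener (in production the short link would be expanded by following HTTP redirects before lookup), and shows the naive check beside a check that expands short links, canonicalizes the hostname and also matches parent domains.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist of hostnames (example domains, not real IoCs).
BLOCKLIST = {"www.malware-demo.example", "phish-demo.example"}

# Constructed stand-in for a URL shortener. A real filter would expand the
# short link by following its HTTP redirects (bounded number of hops).
SHORTENER_HOSTS = {"sho.rt"}
SHORT_LINKS = {"http://sho.rt/abc": "http://malware-demo.example/payload.exe"}


def expand_short_url(url, table=SHORT_LINKS, max_hops=5):
    """Follow known shortener links (hypothetical table) for at most max_hops."""
    for _ in range(max_hops):
        if urlsplit(url).hostname in SHORTENER_HOSTS and url in table:
            url = table[url]
        else:
            break
    return url


def canonical_host(url):
    """Lowercase host, drop port/fragment/trailing dot and a leading 'www.'."""
    parts = urlsplit(url.strip())          # .hostname is already lowercased
    host = (parts.hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def host_candidates(host):
    """Yield the host and each parent domain (down to the registered domain)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def naive_is_blocked(url):
    """Literal hostname comparison: misses www-less hosts and short links."""
    return urlsplit(url).hostname in BLOCKLIST


def is_blocked(url):
    """Expand, canonicalize, then look up the host and its parent domains."""
    url = expand_short_url(url)
    host = canonical_host(url)
    normalized_list = {canonical_host("http://" + h) for h in BLOCKLIST}
    return any(c in normalized_list for c in host_candidates(host))


if __name__ == "__main__":
    # Constructed sample posts: the first two are the misses the article describes.
    for posted in ("http://malware-demo.example/x",
                   "http://sho.rt/abc",
                   "https://CDN.Phish-Demo.Example:443/login#frag",
                   "http://benign.example/"):
        print(posted, "naive:", naive_is_blocked(posted), "normalized:", is_blocked(posted))
```

The canonicalization deliberately matches on the hostname rather than the full URL, so that path or query variations of a listed host do not escape the check; whether to strip "www." at all depends on whether the list is keyed by registered domain, which is why the blocklist itself is normalized the same way before comparison.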
MISCELLANEOUS
--Suspicious ATMs at DefCon
(August 2 & 3, 2009)
The US Secret Service is investigating several automatic teller machines
(ATMs) discovered in Las Vegas at the DefCon security conference. When
cardholders attempted to make withdrawals, the machines allegedly
debited their accounts, but did not dispense cash. Hotel staff declined
to shut down the machines choosing instead to hang "out of order" signs
on them. Another suspicious incident involving ATMs at the conference
involved a machine that some people determined had a PC hidden inside.
Law enforcement was notified and that machine was removed.
http://www.theregister.co.uk/2009/08/03/fake_atm_scam_busted_at_defcom/
http://www.computerworld.com/s/article/9136184/Security_analyst_Las_Vegas_ATMs_may_have_malware?source=rss_security
http://www.computerworld.com/s/article/9136179/Fake_ATM_doesn_t_last_long_at_hacker_meet?source=rss_security
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAkp4a5kACgkQ+LUG5KFpTkbKIACeP+C2R1urN5RyAPzxFPMdylBY
6ygAoI0UiPiaPN3hJw2PGYiQmDgfrnGc
=FwXw
-----END PGP SIGNATURE-----