From: The SANS Institute (NewsBites sans.org)
Date: Fri Aug 28 2009 - 13:04:12 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites August 28, 2009 Vol. 11, Num. 68
*************************************************************************
TOP OF THE NEWS
Appeals Court Says Plain View Doctrine Does Not Apply to Electronic
Searches
Proposal Would Require UK ISPs to Suspend Internet Connections of
Habitual Copyright Violators
More Insider Security Incidents Are Accidental Than Deliberate
Pay for Cyber Security Certifications Exceeds All Others;
Certain Skills In High Demand
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Gonzalez Reportedly in Plea Talks with Government
Tenenbaum Pleads Guilty to Fraud
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
FBI Investigating Mysterious Laptop Deliveries
Lost USB Stick Contains Nearly Three Times as Many Records as
First Reported
DHS to Conduct Cyber Storm III Drill in September 2010
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Orders Torrent Site to Remove Links to Copyrighted Material
VULNERABILITIES
Cross-Site Scripting Flaw in Twitter
UPDATES AND PATCHES
Google Addresses Serious Flaws in Chrome Update
STUDIES AND STATISTICS
National Search for The Best Security Awareness Videos
******************** Sponsored By HP (SPI Dynamics) *********************
Today's security challenges: Hundreds of applications. Few security
experts. Looming compliance deadlines. Tight budgets. Join HP & security
experts from around the world for a virtual conference on Sept. 29-30.
We'll discuss these challenges in the context of emerging Web 2.0 &
Cloud technologies. "HP Functionality, Performance & Security Testing
in today's application realities." Register Now.
http://www.sans.org/info/47899
*************************************************************************
TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22;
the Fall's biggest security training conference-- 20 full length
courses and 16 short courses plus a big exhibition
http://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus
short courses: http://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in
Washington; courses in the following days
http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Atlanta, Canberra, Cairo, Stockholm, Dubai, Dublin & Rome all in
the next 90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************
TOP OF THE NEWS
--Appeals Court Says Plain View Doctrine Does Not Apply to Electronic Searches
(August 27, 2009)
A federal appeals court has ruled that the so-called "plain view
doctrine," under which evidence may be seized if it is within plain view
during a legitimate search, does not apply to electronic searches. At
issue are records pertaining to a government investigation of a company
suspected of providing illegal steroids to professional baseball
players. Investigators had obtained a warrant to search computers at
Comprehensive Drug Testing, Inc. for records of 10 specific players.
Instead, the investigators seized and examined records of hundreds of
other players and other individuals. In the opinion, Chief Judge Alex
Kozinski observed that the government ignored caveats in the warrant and
should not be permitted to "benefit from its own wrongdoing." Judge
Kozinski also said that if the government's argument prevailed, its
prosecutors would be impelled to seize more information than they need.
"The process of segregating electronic data that is seizable from that
which is not must not become a vehicle for the government to gain access
to data which it has no probable cause to collect."
http://www.computerworld.com/s/article/9137209/Court_ruling_limits_electronic_searches?source=rss_security
http://www.ca9.uscourts.gov/datastore/opinions/2009/08/26/05-10067eb.pdf
[Editor's Note (Schultz): This is an extremely significant ruling, one
that is likely to set a precedent in electronic data searches for years
to come.]
--Proposal Would Require UK ISPs to Suspend Internet Connections of
Habitual Copyright Violators
(August 25 & 26, 2009)
The UK government is considering establishing a policy that would
require Internet service providers (ISPs) to suspend the Internet
service of customers who are downloading copyrighted material in
violation of copyright law. Earlier versions of the proposals
recommended a graduated response to subscribers found to be violating
copyright laws; under those recommendations, subscribers would be
notified that their activity was illegal, and if they persisted, their
Internet connection would be slowed. The added disincentive of
suspending subscribers' Internet connections was proposed when copyright
holders complained that the earlier version did not go far enough. The
proposal would need to be approved by British Parliament before it takes
effect. UK ISP Talk Talk says the new proposal probably "breach[es]
fundamental rights." Other ISPs are unhappy about the possibility as
well.
http://www.computerworld.com/s/article/9137169/British_proposal_to_cut_Web_access_to_copyright_infringers_draws_protest
http://www.msnbc.msn.com/id/32551437/ns/technology_and_science-security/
http://www.timesonline.co.uk/tol/news/politics/article6809329.ece
http://news.bbc.co.uk/2/hi/technology/8219652.stm
--More Insider Security Incidents Are Accidental Than Deliberate
(August 25 & 27, 2009)
According to research from RSA, more security incidents arise from
incompetence than from malicious insider attacks. Although security
spending is focused more on stemming the threat of deliberate insider
attacks than on preventing accidental breaches, 52 percent of the 400
survey respondents said they perceived insider incidents as accidental;
just 19 percent perceived them to be deliberate.
http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/
http://news.bbc.co.uk/2/hi/technology/8215467.stm
[Editor's Note (Schultz): The results of the RSA study dovetail nicely
with the results of similar studies conducted earlier. A tenable
hypothesis is that individuals who are unhappy or angry at work tend to
exert less effort, making them more mistake-prone.
(Hoelzer): Finally, a mainstream report of what we in the trenches have
been trying to tell business for years. We'll have to see if this
allows businesses to approach risk and controls more appropriately.
(Honan): I have always been sceptical about the high percentage of
attacks attributed to insiders. I recommend that you analyse your own
security incident data to see how many security incidents were
accidental, how many were due to insiders being duped by external
parties and how many were deliberate insider attacks. Having that type
of data would be invaluable in developing your security awareness
programmes. ]
--Pay for Cyber Security Certifications Exceeds All Others; Certain
Skills In High Demand
(July 26, 2009)
While pay for all certifications fell by more than four percent in the
second quarter of 2009, pay for security certifications rose two
percent, according to the Foote Partners Quarterly IT Pay Update, which
aggregates information provided by 84,000 IT professionals at 2,000
employers. The difference is even greater over the past six months.
Because employers use compensation strategically and tactically to
attract and retain critical talent, this variance shows the increasing
importance employers are placing on cyber security skills. In fact, the
Foote Partners updated Hot List of the certifications most in demand
showed six of the top ten certifications were security certifications
including the number one rated CERT: GIAC Certified Incident Handler.
A surprising finding is that neither CISSP nor CISM showed up on the Hot
List that included 24 certifications in all. Instead the Hot
Certifications were the very technical security certs from GIAC and
Checkpoint and Cisco. Moreover, although CISSP certification is still
ranked number three on the list of highest paid certifications, GIAC
Security Leadership and GIAC Security Engineer certifications passed
CISSP for the first time. In an interview with Bank Information
Security, David Foote reports a surge in demand for security people with
strong technical skills including incident analysis and handling, IDS,
firewalls, forensics, and vulnerability analysis.
http://www.footepartners.com/FooteNewsRelease_July2009ITlabortrends_072609V2.pdf
[Editor's Note (Honan): While technical skills are critical to implementing effective
security controls we should not forget that security professionals need to
hone the softer skills of communication (both verbal and oral), people
skills and developing policies and procedures. ]
************************** Sponsored Links: ***************************
1) Very cool summit on data leakage protection - probably the best that
has ever been run. Agenda at
http://www.sans.org/data-leakage-prevention-2009/agenda.php
2) Register today for SANS vLive course, Audit 423: SANS(r) +S(tm)
Training for the CISA(r) Certification Exam and receive a 10% discount.
http://www.sans.org/info/47904
3) Be sure to register NOW for the Tool Talk Webcast: The Future of SIM
and Log Management - Becoming a Part of the Mainstream, IT Operations
and Service Delivery.
http://www.sans.org/info/47909
***********************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
--Gonzalez Reportedly in Plea Talks with Government
(August 27, 2009)
An unnamed source says that accused hacker Albert Gonzalez is in plea
talks with the US government. Gonzalez was allegedly involved in a
number of data security breaches, including those at Heartland Payment
Systems and Hannaford Bros. In all, more than 170 million credit and
debit card accounts were compromised.
http://www.msnbc.msn.com/id/32586024/ns/technology_and_science-security/
--Tenenbaum Pleads Guilty to Fraud
(August 26 & 27, 2009)
Ehud Tenenbaum has pleaded guilty to one count of bank card fraud for
his role in break-ins in which more than US $10 million was stolen. He
was arrested in Canada in 2008 in connection with another scheme, but
before he was prosecuted there, the US extradited Tenenbaum to face
charges in this case. He will face up to 15 years in prison when he is
sentenced in November. More than a decade ago, Tenenbaum made headlines
for hacking into computer networks at the Pentagon and NASA.
http://www.wired.com/threatlevel/2009/08/analyzer/
http://www.scmagazineus.com/Hacker-pleads-guilty-in-massive-bank-fraud-case/article/147363/
http://www.theregister.co.uk/2009/08/26/analyzer_hacker_guilty_plea/
[Editor's Note (Northcutt): Suppose he gets the max, 15 years; at the
pace technology is changing, when he gets out it will be a Rip Van
Winkle experience. In fact, Rip slept for 20 years in 1819 time; that
would be what??? 500 "twitter" years in our time?]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
--FBI Investigating Mysterious Laptop Deliveries
(August 27, 2009)
The FBI is investigating the origin of five Hewlett-Packard laptops sent
to West Virginia Governor Joe Manchin earlier this month. Other laptops
had been anonymously ordered for other officials in 10 states in all;
four were delivered, and six were intercepted. The laptops sent to
Governor Manchin are now being held by state police as evidence.
Officials in Vermont and Wyoming have received mysterious laptop
deliveries as well. Some officials are concerned that the machines may
be infected with malware; it is also possible that they are part of a
fraud operation.
http://www.computerworld.com/s/article/9137208/FBI_investigating_mystery_laptops_sent_to_governors?source=rss_security
[Editor's Note (Hoelzer): This is one of the only stories to send chills
down my spine in recent memory. First, what a great way to execute an
attack; second, how many laptops have been received by who knows whom
and already been put into play? ]
--Lost USB Stick Contains Nearly Three Times as Many Records as
First Reported
(August 26 & 27, 2009)
The UK Home Office has acknowledged that there were more data on a lost
USB stick than was previously declared. The memory device, lost by PA
Consulting, held 377,000 records, nearly three times the number reported
earlier. The additional 250,000 records hold information about the Drug
Intervention Programme. The remaining records contain information about
prisoners and those with criminal offenses. The device has not been
found.
http://news.zdnet.co.uk/security/0,1000000189,39730190,00.htm
http://www.v3.co.uk/v3/news/2248501/home-office-loss-revised
--DHS to Conduct Cyber Storm III Drill in September 2010
(August 26, 2009)
The US Department of Homeland Security (DHS) plans to conduct a
large-scale cyber security drill in September 2010 to test the Obama
administration's proposed national cyber response plan. Two earlier
drills took place in February 2006 and March 2008. The first exercise,
Cyber Storm I, focused on the abilities of various sectors of the
national infrastructure to recover from Internet outages. Cyber Storm
II focused on the Internet as an attack vector for malware and other
cyber attacks. DHS would like to see Cyber Storm III address policy
issues, including information sharing and clearly defining roles and
responsibilities. "One objective of Cyber Storm III is to harmonize the
various alert level systems used in government and the private sector
so that all stakeholders at least speak the same language." The impact
of the exercise will be measured by follow-through; many of the
recommendations derived from the last two drills have not been
implemented.
http://www.nextgov.com/nextgov/ng_20090826_9168.php
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Judge Orders Torrent Site to Remove Links to Copyrighted Material
(August 26, 2009)
A Dutch court has ruled that Mininova, the self-proclaimed "largest
torrent search engine and directory on the net," must remove links to
copyrighted material within three months or face a fine of as much as
five million euros (US $7.2 million). According to research referenced
by the court, 80 to 90 percent of the files available to Mininova users
are copyrighted material. The court found that "Mininova encourages
users of its platform to make copyrighted material accessible via its
platform" and helps users find copyrighted works they wish to download.
http://news.smh.com.au/breaking-news-technology/dutch-judge-threatens-fines-for-filesharing-website-20090827-ezw9.html
http://www.theregister.co.uk/2009/08/26/mininova_loses_lawsuit/
http://www.msnbc.msn.com/id/32568115/ns/technology_and_science-security/
VULNERABILITIES
--Cross-Site Scripting Flaw in Twitter
(August 26, 2009)
Twitter has been attempting to fix a cross-site scripting vulnerability
that could be exploited to hijack users' accounts or redirect users to
malicious sites, but attempts thus far have not been successful. The
flaw can be exploited by tricking users into simply viewing a message.
The vulnerability is in an application programming interface (API).
Twitter said it previously fixed the flaw, but the attackers found a way
to circumvent it.
http://www.computerworld.com/s/article/9137164/Twitter_fails_to_fix_massive_cross_site_scripting_bug_researcher_says_?source=rss_security
http://www.theregister.co.uk/2009/08/26/another_twitter_vulnerability/
http://www.h-online.com/security/Twitter-fails-to-block-Cross-Site-Scripting-flaw--/news/114092
UPDATES AND PATCHES
--Google Addresses Serious Flaws in Chrome Update
(August 26 & 27, 2009)
Google has released version 2.0.172.43 of its Chrome browser to address
several vulnerabilities. A severe flaw in the V8 JavaScript engine
could be exploited to execute arbitrary code or read unauthorized
memory. Two flaws in the libxml2 library could be exploited to crash
the browser or execute arbitrary code. Google has also changed the way
Chrome processes SSL certificates; the browser will not connect with
sites using certificates that are signed with the MD2 or MD4 hash
algorithms.
http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.html
http://www.h-online.com/security/Google-closes-three-vulnerabilities-in-Chrome-2--/news/114088
http://www.scmagazineuk.com/Google-releases-high-severity-rated-fixes-for-vulnerabilities-in-Chrome/article/147393/
http://www.theregister.co.uk/2009/08/26/chrome_patch/
http://news.cnet.com/8301-30685_3-10317320-264.html?part=rss&subj=news&tag=2547-1009_3-0-20
STUDIES AND STATISTICS
--National Search for The Best Security Awareness Videos
(October 28, 2009)
A national competition is being conducted to find the most powerful,
timely, and effective video segments (delivered over the web) for
educating users on current threats and what they need to know to protect
themselves. The nomination period runs until September 10, 2009. If you
have found a video or series of videos that make an important difference
in user behavior, please send a pointer (name of video, contact person,
email, phone, and why you think it is effective) to apaller sans.org
with subject: videos. Our goal is to find the best videos and conduct a
global procurement on behalf of the 12,000 organizations that regularly
send students to SANS training. The developers of the video will see a
significant financial reward -- far larger than they could earn by trying
to sell directly -- and the user organizations will know they are
getting the best videos at a much lower cost than they could negotiate
as a single entity.
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAkqYEfMACgkQ+LUG5KFpTkYuzQCfZXMDYRVgdxVU1F6sNEZpy1Sv
c5QAoKAF9MUDu9U/blBG/vN0uNsswqvm
=Yr8X
-----END PGP SIGNATURE-----