From: The SANS Institute (NewsBites sans.org)
Date: Tue May 04 2010 - 14:16:19 CDT
The window is closing on eligibility for this year's NAVY cyber ROTC
scholarships and for places in the three cyber camps this summer. These
are INCREDIBLE opportunities for young people who are talented in cyber
security. The camps will give college kids visibility and opportunity.
The scholarships will give people who are accepted to university, or who
are already freshmen or sophomores, full scholarships and jobs. The
first year of any program is always the easiest to get in, so if you
know cyber-security talented college kids (or those heading for college
in the fall) tell them to go visit uscyberchallenge.org so they don't
miss this opportunity.
Alan
*************************************************************************
SANS NewsBites May 4, 2010 Vol. 12, Num. 35
*************************************************************************
TOP OF THE NEWS
Treasury Department Web Sites Redirect Visitors to Malicious Sites
Chinese Government Requires Disclosure of Encryption Keys Prior to
Product Purchase
Appeals Court Upholds Ruling Allowing Disclosure of Suspected
Copyright Violators' Identities
USAF eMail Security Exercise has Unforeseen Consequences
THE REST OF THE WEEK'S NEWS
Opera Updates Browser to Fix Severe Vulnerability
Summit Aims to Foster International Discussion on Cyber Threats
Kernell Guilty on Two of Four Charges in Palin eMail Intrusion Case
Wiretaps Up 26 Percent in 2009
US Has Highest Data Breach Costs
Contractor Gets Five Years for Automated Clearing House Credit Union Thefts
Microsoft Suggests Workaround for SharePoint XSS Vulnerability
FEEDBACK ON HEALTH DATA SECURITY
**************** Sponsored By Trusted Computer Solutions ****************
Is your IT organization struggling to keep your enterprise servers
compliant with DISA STIGs or other security policies? Could your
organization pass a surprise security audit today? Security Blanket(r)
performs fast, consistent, and repeatable operating system hardening to
industry security settings in minutes, not days. Audit ready, all the
time! Try Security Blanket for FREE.
http://www.sans.org/info/58673
*************************************************************************
TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010
23 courses. Bonus evening presentations include Killer Bee:
Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010
38 courses. Bonus evening presentations include Software Security
Street Fighting Style and The Verizon Data Breach Investigations
Report
http://www.sans.org/sansfire-2010/
-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010
8 courses.
http://www.sans.org/secure-amsterdam-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010
8 courses. Bonus evening presentations include Hiding in Plain Sight:
Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, August 2-8, 2010
11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010
39 courses.
http://www.sans.org/network-security-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Geneva, Toronto, Singapore and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Treasury Department Web Sites Redirect Visitors to Malicious Sites
(May 3, 2010)
Several US Treasury Department web sites are redirecting visitors to
other sites that try to install malware on their computers. The attack
uses an embedded iframe in three Treasury web sites that invokes scripts
from another site. The malware affects only computers that have not
previously visited Treasury web sites. Evidence suggests that the
attacks are related to the infections several weeks ago of sites hosted
by Network Solutions. The affected Treasury sites are all hosted by
Network Solutions, and the owner of record of the malicious sites used
in the attack is the same as the owner of record for the sites used in
the previous attacks.
http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/
[Editor's Note (Pescatore): Government websites tend to have a higher
than average level of security, but it is mainly because there are very
few government web sites doing any kind of complex commerce or any
actual transactions at all. They are mostly information publishing
sites, where vulnerabilities are relatively easy to discover - if you
are looking for them.
(Paller): The agency was directly following NIST guidance. Two and a
half years after PCI required application security testing, and more
than a year after a DHS web site tried to infect visitors' machines,
NIST added the relevant control to 800-53. However, without explanation,
NIST told agencies they did not have to apply that control for low risk
systems. It is low risk systems at DHS and now Treasury that are
infecting visitors' computers. This error reflects a fundamental lack
of understanding of cyber threat at NIST. Only NSA, DHS, and the NIC-JTF
have that knowledge. That the US House Science Committee in Congress
continues to demand that NIST write security regulations for areas it
doesn't understand demonstrates a level of disregard for national
security that is breathtaking.]
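A first-party check for the injection pattern the item describes, as an added example that is not from the newsletter: it parses a page and reports iframe and script tags that load from a host other than the page's own, noting the hiding tricks usually seen on injected frames. The sample HTML and all host names are constructed placeholders.

```python
"""Flag <iframe>/<script> elements whose src points at a host other than the
page's own site, the pattern described in the Treasury item above.
Added example, not code from SANS NewsBites; hosts in the sample are
constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OffsiteLoadFinder(HTMLParser):
    """Collect iframe/script tags that load from outside page_host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # (tag, src, note)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or srcdoc iframe: nothing external to check
        host = (urlparse(src).hostname or "").lower()
        if not host:
            return  # relative URL: same origin as the page
        if host == self.page_host or host.endswith("." + self.page_host):
            return  # first-party host or a subdomain of it
        notes = []
        if tag == "iframe":
            # Injected frames are usually made invisible; record the tricks seen.
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                notes.append("hidden via style")
            for dim in ("width", "height"):
                v = a.get(dim)
                if v is not None and v.strip().rstrip("px") in ("0", "1"):
                    notes.append(f"{dim}={v}")
        self.findings.append((tag, src, ", ".join(notes)))


def find_offsite_loads(html, page_url):
    """Return [(tag, src, note)] for every off-site iframe/script in html."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = _OffsiteLoadFinder(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: two first-party scripts (one on a subdomain), then an
# injected 1x1 hidden iframe and an off-site script. All hosts are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.treasury.example/lib.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://malicious.example/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script src="http://tracker.invalid/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, note in find_offsite_loads(SAMPLE_HTML, "https://treasury.example/"):
        print(f"{tag:<7} {src}  {note}")
```

Run it against a saved copy of each page of a site after a hosting-provider incident; any off-site iframe that is also hidden or 1x1 deserves a look.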
--Chinese Government Requires Disclosure of Encryption Keys Prior to
Product Purchase
(April 29 & 30, 2010)
As of May 1, vendors of certain products who wish to continue doing
business with government agencies in China are required to disclose
specifics of the encryption technologies their products use. The
requirements affect 13 technologies, including firewalls, routers,
smartcards, database security tools, anti-spam products and intrusion
detection products. Before these products can be sold to the Chinese
government, they must be tested and certified by the country's
Certification and Accreditation Administration (CNCA). There are
concerns that the requirement would allow proprietary information to be
leaked to Chinese competitors and that other countries may be wary of
doing business with companies that disclose this sort of information to
the Chinese government.
http://www.nytimes.com/2010/05/01/business/global/01yuan.html?src=busln
http://www.computerworld.com/s/article/9176138/New_China_encryption_rule_could_pose_headaches_for_U.S._vendors?taxonomyId=145
http://www.theregister.co.uk/2010/04/29/china_security_know_how_rules/
[Editor's Note (Pescatore): Of course, the US Federal Government and
many EU governments have requirements that certain products have to be
certified under the National Infrastructure Assurance Program or Common
Criteria evaluation regime, and standards like FIPS 140-2 for crypto
code, and vendors have to give the testing labs all kinds of sensitive
information and actual code to go through the testing. Now, under the
Common Criteria evaluation scheme the labs are private firms but they
are certified by government agencies. The real difference is that most
of the rest of the world agreed to a *Common Criteria* evaluation regime
with a lot of transparency. China is going in the exact opposite
direction and vendors will face a lot of risk.]
--Appeals Court Upholds Ruling Allowing Disclosure of Suspected
Copyright Violators' Identities
(April 29, 2010)
The 2nd US Circuit Court of Appeals has upheld a ruling that allows the
recording industry and other digital entertainment copyright holders to
uncover the identities of users believed to be violating copyright law
by sharing content through peer-to-peer (P2P) networks. The suit was
brought by a student at the State University of New York (SUNY) at
Albany seeking to stop a judge's order that his identity be turned over
to the Recording Industry Association of America (RIAA) after the
organization claimed it detected illegal filesharing activity on an IP
address associated with the student.
http://www.wired.com/threatlevel/2010/04/unmasking-copyright-scofflaws/
--USAF eMail Security Exercise has Unforeseen Consequences
(April 29, 2010)
As part of a planned security test examining how they would respond to
phishing messages, airmen at Andersen Air Force Base in Guam received
email messages telling them that Transformers 3 would be filming at the
base. The messages said that the production was seeking airmen to serve
as extras on the shoot and provided a link to a site that asked them for
personal information. Many of the message recipients supplied the
information to the website. Some airmen were excited enough about the
prospect of being an extra in the film that they posted the information
on the Internet. The news spread and caught the attention of local
media, forcing the security testers to send out clarification that the
messages had been part of a test.
http://www.computerworld.com/s/article/9176155/US_Air_Force_phishing_test_transforms_into_a_problem
[Editor's Comment (Northcutt): This is a hard problem. It is pretty
clear that security awareness alone is not effective. So you try
inoculation, actually phishing, but in a controlled way. However, this
is not the only time this has gone awry. In one company, they just
ignored subsequent emails from the security department. Very clever
phish though, I am sure people were excited about the opportunity to
work around Megan Fox/Mikaela Banes. Turns out the bloggers were
picking up the post from "Supershaggy" to ComicBookMovies.com pretty
fast.
http://www.comicbookmovie.com/fansites/scoops/news/?a=17457 ]
**************************** Sponsored Links: **************************
1) SIEM 2.0 - VIEW Demo of SC Magazine's Best Buy and Innovator of the
Year. http://www.sans.org/info/58683
2) Register for the SANS Penetration Testing & Vulnerability Assessment
Summit before May 5, 2010 and save $350. http://www.sans.org/info/58688
3) Save $350 on the SANS Forensics and Incident Response Summit when you
book by May 26, 2010. http://www.sans.org/info/58693
*************************************************************************
THE REST OF THE WEEK'S NEWS
--Opera Updates Browser to Fix Severe Vulnerability
(April 30 & May 3, 2010)
Opera has released an update to address an "extremely severe"
vulnerability in the Mac and Windows versions of its browser. The flaw
lies in a script that handles document files and could be exploited to
inject and run code on vulnerable computers. Users need only visit
specially crafted web pages for the exploit to be effective. Users are
urged to update to Opera version 10.53.
http://www.h-online.com/security/news/item/Opera-closes-extremely-severe-hole-991217.html
http://www.securecomputing.net.au/News/173549,opera-posts-security-update-for-apple-and-windows.aspx
--Summit Aims to Foster International Discussion on Cyber Threats
(May 2 & 3, 2010)
This week welcomes more than 400 government officials and executives
from countries around the world who will meet in Dallas for the
Worldwide Cybersecurity Summit. One of the goals of the meeting is to
encourage officials to talk to each other about how to fight common
cyber threats and develop ways to work together across geo-political
borders. The event is organized by the EastWest Institute think tank.
http://www.businessweek.com/ap/financialnews/D9FFB5G80.htm
http://www.msnbc.msn.com/id/36903710/ns/technology_and_science-security/
http://www.dallasnews.com/sharedcontent/dws/bus/stories/050210dnbuscybersecurity.470ad32.html
--Kernell Guilty on Two of Four Charges in Palin eMail Intrusion Case
(April 30, 2010)
Former University of Tennessee student David Kernell has been found
guilty on two of four counts in a case regarding his having broken into
Sarah Palin's Yahoo mail account. The jury deliberated for four days
before finding Kernell guilty of obstruction of justice and misdemeanor
computer intrusion. Kernell was acquitted of a fraud charge and the
jury was deadlocked on a charge of identity theft, for which he could
be retried. Using publicly available information, Kernell broke into
Palin's Yahoo mail account during the former Alaska governor's
vice-presidential candidacy. Kernell was convicted of the obstruction
of justice felony charge because he deleted evidence from his hard
drive. Kernell could face up to 20 years in prison.
http://www.wired.com/threatlevel/2010/04/kernell-guilty/
http://news.bbc.co.uk/2/hi/americas/8655569.stm
http://www.theregister.co.uk/2010/04/30/palin_jury_convicts/
http://www.computerworld.com/s/article/9176183/Jury_convicts_Palin_e_mail_hacker?taxonomyId=17
--Wiretaps Up 26 Percent in 2009
(April 30, 2010)
Between 2008 and 2009, the number of wiretaps authorized by US state and
federal judges rose 26 percent. No wiretap requests were refused. In
2009, there were 2,379 criminal wiretaps authorized, the vast majority
of which were for mobile phones in drug cases. Each authorized wiretap
captured communications of an average of 133 individuals; just 19
percent of the communications captured were incriminating. Each tap
lasted an average of 42 days. In 2009, information gathered from the
wiretaps led to 4,537 arrests and 678 convictions. Investigators came
across just one instance of encrypted communications in the 2009
wiretaps, and were able to obtain plaintext versions of those messages.
The statistics do not include terrorism-related wiretaps or wiretaps
conducted through the National Security Agency's warrantless wiretapping
program.
http://www.wired.com/threatlevel/2010/04/wiretapping/
--US Has Highest Data Breach Costs
(April 30, 2010)
According to a study released by the Ponemon Institute, the cost
associated with data breaches is higher in the US than in any other
country. Overall, breach costs were higher in countries that have
notification laws. The breach cost incurred by organizations in the US
is 43 percent higher than the worldwide average. The average cost of a
data breach per record is US $142 worldwide; the average cost of a data
breach per record in the US is US $204. Last year, Germany passed a law
that requires breach notification; costs associated with breaches there
are the second highest in the world at US $177 per record. The cost per
record in the UK is US $98; only public sector organizations and
financial institutions are required to disclose data breaches. The
highest overall cost associated with breaches was lost business. The
study was sponsored by PGP.
http://www.scmagazineus.com/us-organizations-face-the-highest-data-breach-costs/article/169160/
[Editor's Note (Lee): The incredibly high cost of data breach incidents
has backfired and resulted in many companies choosing to remain silent
even though breach laws exist. In addition, victims are less willing
to involve law enforcement if they intend to keep the event closely
held. Even in business schools, the question of notification has been
raised as a case study for future executives.
(Schultz): Why do the conclusions of this "research institute's"
research so often coincide with the wishes of the sponsors' marketing
organizations?]
--Contractor Gets Five Years for Automated Clearing House Credit Union Thefts
(April 29 & 30, 2010)
Zeldon Thomas Morris has been sentenced to more than five years in
prison for stealing US $2 million from banks while working as an IT
administrator. Morris was a third-party contractor hired to help
several credit unions upgrade their systems; because of his position,
he was granted unrestricted local and remote access to their networks.
Morris abused his position to conduct several Automated Clearing House
(ACH) transactions, depositing the withdrawn funds into accounts he
owned. By using phony or already used ACH "routing numbers," his
activity went undetected. Morris was caught after his business partner
alerted one of the credit unions of unusually large deposits being made
to a joint business account. In addition to prison time, Morris was
ordered to pay more than US $1.8 million in restitution and forfeit
personal property.
http://www.theregister.co.uk/2010/04/30/it_consultant_sentenced/
http://www.computerworld.com/s/article/9176154/IT_contractor_gets_five_years_for_2M_credit_union_theft?taxonomyId=82
[Editor's Note (Northcutt): Short sentence; he was facing 30 years.
http://www.deseretnews.com/article/1,5143,705296414,00.html]
--Microsoft Suggests Workaround for SharePoint XSS Vulnerability
(April 30, 2010)
Microsoft has issued a warning about a zero-day cross-site scripting
(XSS) vulnerability in SharePoint products. For the attack to work,
users must be manipulated into clicking on a maliciously crafted link.
The flaw can be exploited to steal information from vulnerable servers.
Microsoft is suggesting that until a fix is ready, users apply an
interim workaround that involves disabling the SharePoint help system.
Microsoft is also recommending that users run Internet Explorer 8 (IE
8), because it contains an XSS filter. Administrators will need to
change the browser's settings to turn on the filter for the Local
Intranet security zone.
http://www.h-online.com/security/news/item/Microsoft-issues-warning-about-XSS-hole-in-SharePoint-990812.html
http://www.computerworld.com/s/article/9176174/Microsoft_issues_work_around_advice_for_SharePoint_zero_day?taxonomyId=85s
FEEDBACK ON HEALTH DATA SECURITY
In the last edition of NewsBites Stephen Northcutt asked for insights
into the state of health care medical records security. Here is a
summary of what we have learned from your responses. We thank you for
sharing your insights with us:
* In health care, access and availability trump access control; the
organizations are in the business of saving lives
* Most modern medical records systems include some access control
monitoring capability
* The majority of the people that wrote in are concerned there are
insufficient controls in place especially as records are exchanged
between organizations
* Two responders are considering the use of the FairWarning appliance
* One responder suggests considering the work of the HITRUST Alliance
* One responder suggests Iatric
* One responder suggests Varonis DatAdvantage
* One responder is considering the use of ArcSight for additional oversight
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of
the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/