From: The SANS Institute (NewsBites@sans.org)
Date: Tue May 13 2008 - 17:15:27 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As government leaders in Washington and London leak more and more facts
about how big the cyber threat really is against commercial and
government enterprises, and how much critical information is being
stolen every day, demand for safe, effective, thorough penetration
testing is skyrocketing. Pen testers (and their customers) who heard
about Ed Skoudis' new in-depth, hands-on penetration testing course
wrote asking whether there is a SANS certification for pen testers.
There is, but we didn't have feedback. Test results are now in, and
here's what people are saying about how the new GPEN certification
differs from tools-based certifications:
"Finally an up-to-date certification that focuses on penetration
testing as a methodology vs. merely knowing a few tools. The GIAC
GPEN is a breath of fresh air for real world pen testers." (Justin
Kallhoff, Infogressive, Inc.)
"The GPEN certification measures the appropriate mix of methodology,
tools, and techniques that a professional security tester should
know. Not having taken the course, nor read the book, I was able to
pass the exam based solely on penetration testing field experience.
This is indicative to me of its relevance to the profession."
(Adrien de Beaupre, Manager, Vulnerability Assessment and
Penetration Testing, Bell Canada Professional Services)
"SANS' new Penetration Testing and Ethical Hacking Course was the
best and most focused training I've been to at SANS. It should be
required training for anyone wanting to be a professional
penetration tester. In that one course I learned how to set the
correct scope of the test and then test completely, safely and
securely." (Rick Smith)
Many of the top pen testers are getting together with Ed in Las Vegas
in two weeks for discussions of the newest attack methods and to attend
Ed's course: http://www.sans.org/info/22104
If you have more than 10 pen testers and want to get into the
invitation-only program offering discounts on the course and
certification, send an email to mbrown@sans.org.
If you already have the skills and want to challenge for the GPEN, you
can get more information at www.giac.org/certifications/security/gpen.php.
Alan
*************************************************************************
SANS NewsBites May 13, 2008 Vol. 10, Num. 38
*************************************************************************
TOP OF THE NEWS
Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS
Revised British Banking Code Could Place Fraud Liability on Customers
New Law Will Allow UK ICO to Impose Big Fines for Reckless Data Disclosure
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Three Arrested in Dave & Buster's Data Theft
Two Arrested in Connection with California Debit Card Skimming Scheme
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
West Point Wins NSA Cyber Defense Exercise
POLICY & LEGISLATION
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Another Data Security Breach for Pfizer
Sensitive Hong Kong Immigration Dept. Document Leaked Through
Filesharing Network
STANDARDS & BEST PRACTICES
Many Won't Meet Deadline for PCI-DSS Web App Security Compliance
STATISTICS, STUDIES & SURVEYS
Irish Data Protection Commissioner Issues Annual Report
MISCELLANEOUS
Back to My Mac and PhotoBooth Used to Identify Thieves
Engineer Recovers Data From Space Shuttle Columbia Hard Drive
LIST OF UPCOMING FREE SANS WEBCASTS
********************* Sponsored By Sourcefire, Inc. *********************
SC Magazine Names Snort® "Best Network Security."
Learn how Snort is the engine powering the Sourcefire 3D™ System.
This IPS is different from others because it shows you everything
running on your network in real time. It also gives you context for
your security events. Know more real threats. No more wild goose
chases. Call 1.800.917.4134 today.
http://www.sans.org/info/28934
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques,
Application Pen Testing, Hacker Exploits, Secure Web Application
Development, Security Essentials, Forensics, Wireless, Auditing, both
new Pen Testing courses, CISSP, and SANS' other top-rated courses plus
evening sessions with Internet Storm Center handlers.
- - SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program
with many bonus sessions and a big exhibition of security products:
http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) and Brussels (6/16-6/21)
http://www.sans.org/secureeurope08
- - Denver (6/7-6/13) http://www.sans.org/rockymnt2008/
- - Singapore (6/30-7/5) http://www.sans.org/singapore08/
- - Boston (8/9-8/16) http://www.sans.org/boston08/
- - and in 100 other cities and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
--Proposed Legislation Mandates Tougher Cybersecurity Standards at DHS
(May 8 & 9, 2008)
US Congressman Jim Langevin (D-RI) has introduced the Homeland Security
Network Defense and Accountability Act of 2008 (HR 5983). The bill would
require the Department of Homeland Security (DHS) to establish more
stringent qualifications for cybersecurity positions, including that of
CIO. The bill would also address a "fundamental flaw" in the Federal
Information Security Management Act (FISMA) that requires agencies to
certify and accredit their systems to comply with certain requirements,
but does not mandate effective and current vulnerability testing. DHS
would be required to test its networks and those of its contractors
rigorously against the vulnerabilities used in known cyberattacks,
drawing information on which attacks to look for from the National
Security Agency (NSA), other government agencies, and private sector
organizations. If enacted, the bill would take effect immediately.
Congressman Langevin chairs the House Homeland Security Subcommittee on
Emerging Threats, Cybersecurity and Science and Technology.
http://homeland.house.gov/press/index.asp?ID=369
http://www.nextgov.com/nextgov/ng_20080509_6170.php
[Editor's Note (Paller): This bill shows insights into the problems that
have been plaguing federal systems, that earlier laws largely glossed
over. Chairman Langevin is making a major mark in Washington both in
cyber security and in health care. He won the top award for Excellence
in the Field of Public Policy at the RSA conference this year. His
ability to work well with both Republicans and Democrats and his
willingness to share the credit for big successes marks him as one of
the members to watch in coming years.]
--Revised British Banking Code Could Place Fraud Liability on Customers
(May 5, 2008)
The recently revised British Banking Code permits banks to place
liability for fraud on customers if they have not taken adequate
security precautions to protect their information. The measure has been
criticized for lacking fundamental, concrete information about how to
secure systems because "many customers have not been educated to
maintain a high enough level of vigilance when it comes to security."
Research from Gartner reveals that 37 percent of survey participants did
not know how their accounts were used to commit fraud, and another 19
percent blame the breaches on retailers, government agencies, or other
third parties. Section 12.11 of the revised code says, "If you act
without reasonable care and this causes losses, you may be responsible
for them." Reasonable care includes but is not limited to keeping PINs
and other account details secret, using current anti-virus and
anti-spyware software and a personal firewall, and accessing online
banking sites by typing the address into browsers.
http://www.securitypark.co.uk/security_article261598.html
http://www.bba.org.uk/bba/jsp/polopoly.jsp?d=348&a=13157&artpage=all
--New Law Will Allow UK ICO to Impose Big Fines for Reckless
Data Disclosure
(May 12, 2008)
The United Kingdom's Information Commissioner's Office (ICO) will have
the authority to impose "substantial" fines on anyone who "intentionally
or recklessly disclose[s] information [or] repeatedly and negligently"
allows exposure of personal data. MPs approved an amendment to the
Criminal Justice and Immigration Act creating the new civil offense.
The bill received Royal Assent on May 9, but it is not known when the
new law will take effect.
http://www.silicon.com/publicsector/0,3800010403,39216158,00.htm
http://www.scmagazine.com/uk/news/article/808512/privacy-watchdog-welcomes-tough-data-laws/
http://www.vnunet.com/vnunet/news/2216374/fines-data-protection-breaches
[Editor's Note (Schultz): A federal statute of this nature is
desperately needed in the US. Why such legislation has not been proposed
and passed is disgraceful.]
********************** Sponsored Links: *******************************
1) Application Security Managers will be sharing best practices in a
meeting in Las Vegas in two weeks:
http://www.sans.org/info/24609
2) Special Lancope Webcast: 'Virtualization: Are You Ready for the
Network and Security Implications?' Register Now!
http://www.sans.org/info/28939
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
--Three Arrested in Dave & Buster's Data Theft
(May 12, 2008)
Three men have been arrested in connection with attacks on cash register
terminals at Dave & Buster's restaurants in the US. Two of the men,
Maksym Yastremskiy of Ukraine and Aleksandr Suvorov of Estonia,
allegedly broke into 11 cash register terminals, installed packet
sniffers on the systems and stole credit card details; they allegedly
sold the information to other people who used it to make fraudulent
purchases. The sniffers captured card data in transit as it was sent
from the point-of-sale server through the system at corporate HQ to the
data processor's system. A third man, Albert Gonzalez of Miami, is being
charged with wire fraud conspiracy. According to the indictment, losses
incurred from data theft at one restaurant alone totaled more than US
$600,000.
http://theusdaily.com/articles/viewarticle.jsp?id=383646&type=home
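The sniffers in this case worked because card data crossed the network in cleartext between the point-of-sale server and the processor. The following is an added example, not code from the SANS item or from the court filings: detection logic a defender could run over captured POS traffic to flag exactly the data such a sniffer harvests. It finds Luhn-valid primary account numbers (PANs) and ISO 7813 track-2 records in a payload; the sample payload is constructed and uses the standard Visa test number, not a real card.

```python
"""Scan captured point-of-sale traffic for cleartext card data.

Added example (not from the SANS item): flags Luhn-valid PANs and
track-2 records in a payload. SAMPLE below is a constructed request.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: start sentinel ';', PAN, field separator '=', YYMM expiry,
# service code and discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn mod-10 check; every major card brand uses it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four digits, as PCI DSS 3.3 allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(payload: bytes) -> list[str]:
    """Return distinct Luhn-valid PANs found in cleartext, separators removed."""
    hits: list[str] = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits) and digits not in hits:
            hits.append(digits)
    return hits


def find_track2(payload: bytes) -> list[tuple[str, str]]:
    """Return (PAN, YYMM) for every track-2 record whose PAN passes Luhn."""
    return [(pan.decode(), exp.decode())
            for pan, exp in TRACK2_RE.findall(payload)
            if luhn_ok(pan.decode())]


def scan(payload: bytes) -> dict:
    """Summarise a payload: masked PANs, masked track-2 hits, and an alert flag."""
    pans = find_pans(payload)
    return {
        "pans": [mask(p) for p in pans],
        "track2": [(mask(p), e) for p, e in find_track2(payload)],
        "alert": bool(pans),
    }


# Constructed sample: an authorization request leaving a POS terminal.
# 4111 1111 1111 1111 is the standard Visa test number, not a real card.
# "order=1234567890123" is a 13-digit run that fails Luhn and must not
# be reported; the dashed copy must not be reported twice.
SAMPLE = (
    b"POST /auth HTTP/1.1\r\nHost: processor.example\r\n\r\n"
    b"terminal=07&track2=;4111111111111111=25121010000000000000?"
    b"&order=1234567890123&backup_card=4111-1111-1111-1111&amount=4250"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The Luhn check is what keeps this usable on real traffic: order numbers, timestamps and terminal IDs are also long digit runs, and without it the scanner pages on every one of them. Run against a live capture, a single true positive is the signal that the PCI DSS requirement to protect cardholder data in transit is being violated on that segment, whether or not a sniffer is already present.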
--Two Arrested in Connection with California Debit Card Skimming Scheme
(May 10, 2008)
Police in Orange County, CA have arrested two men believed to be
involved in the theft of debit card information from shoppers at
Lunardi's Supermarket in Los Gatos, CA. The account information was
stolen with the use of a skimmer, a device that is placed on the regular
card-reading machine. The two men had in their possession two of the
222 account numbers stolen from the store as well as US $70,000 in cash.
In all, US $225,000 has been stolen from the debit card users in the
case.
http://www.mercurynews.com/valley/ci_9216246
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
--West Point Wins NSA Cyber Defense Exercise
(May 10, 2008)
For the second year in a row, West Point took top honors in the National
Security Agency's (NSA) Cyber Defense Exercise, the training competition
for seven US military academies. Cadets at West Point, the US Army's
service academy, fended off SQL attacks and then realized that the
relatively obvious attack was masking a more insidious one: the NSA "bad
guys" had placed a kernel-level rootkit on West Point's network. NSA provided some basic
requirements for structuring the networks to be used in the exercise,
but participants also had leeway to customize their networks; they were
not, however, permitted to attack each other's networks.
http://www.wired.com/print/politics/security/news/2008/05/nsa_cyberwargames
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
--Another Data Security Breach for Pfizer
(May 12, 2008)
Pfizer Inc. has suffered another data security breach, the sixth since
May 2007. A company laptop and flash drive stolen about a month ago
contain personally identifiable information of approximately 13,000
employees. The data include names, addresses, employee ID numbers, job
descriptions and salaries, but no Social Security numbers (SSNs).
http://www.theday.com/re.aspx?re=712c0410-ee9a-47a8-b08d-c7a71a713a5e
--Sensitive Hong Kong Immigration Dept. Document Leaked Through
Filesharing Network
(May 9, 2008)
A Hong Kong immigration department watch list was leaked to the Internet
through a filesharing program. The breach occurred when a new
immigration officer took home some classified files without
authorization and used them on a home computer, which contained the
filesharing software. The work files were inadvertently distributed.
The compromised data include a list of names for officers to look out
for as well as travel history records.
http://www.topnews.in/classified-hong-kong-watch-list-leaked-internet-240641
STANDARDS & BEST PRACTICES
--Many Won't Meet Deadline for PCI-DSS Web App Security Compliance
(May 12, 2008)
Most retailers will not meet the June 30 deadline for complying with new
Payment Card Industry Data Security Standard (PCI-DSS) requirements for
securing web applications. Companies can meet the requirement with
either a web application firewall or a code review of their web
application software, which entails finding vulnerabilities and fixing
them. Many retailers appear to be opting for firewalls, which are "quick
fixes," according to Gartner analyst Avivah Litan. "Application
firewalls are a reactive measure. You have a lot of vulnerable
applications that still need to be fixed," she added, noting that
scanning for vulnerabilities and fixing them should take precedence, and
that firewalls should be used in addition to scanning, not instead of it.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085038&source=rss_topic17
STATISTICS, STUDIES & SURVEYS
--Irish Data Protection Commissioner Issues Annual Report
(May 8, 2008)
According to the recently released Irish Data Protection Commissioner's
annual report, the number of new complaint investigations in 2007 was
1,037, up from 658 in 2006. The increase is due in large part to an
escalating number of complaints about unsolicited text messages,
according to Data Protection Commissioner Billy Hawkes; 38 percent of
all complaints received were in regard to text messages. More than 350
cases initiated by the DPC's Office are now in the courts.
Interestingly, a blogger managed to access the report through the DPC
Office's website before it was released.
http://www.ireland.com/newspaper/breaking/2008/0508/breaking57.htm
http://www.siliconrepublic.com/news/news.nv?storyid=single10966
[Editor's Note (Honan): This report makes good reading; in particular,
the case studies are useful in helping to prevent you making the same
mistakes. While the DPC welcomes the increase in breaches reported to
him, they only amount to 11 reports, highlighting the need for mandatory
breach disclosure laws in Ireland and the EU.]
MISCELLANEOUS
--Back to My Mac and PhotoBooth Used to Identify Thieves
(May 10, 2008)
Police were able to track down a pair of thieves after the owner of a
stolen laptop used Apple's "Back to My Mac" service to connect to the
computer while the thieves were using it to surf the Internet, and then
photographed the suspects with Photo Booth, software that ships as
standard on new Apple laptops. One of the owner's roommates recognized one of the
men from the photo as a guest at a recent party. The two men were
arrested and police recovered two laptops, two flat screen televisions,
two iPods, and other electronic and related items.
http://www.nytimes.com/2008/05/10/nyregion/10laptop.html?_r=1&oref=slogin&partner=rssnyt&emc=rss&pagewanted=print
http://www.smh.com.au/news/technology/mac-thief-caught-on-webcam/2008/05/12/1210444306538.html
--Engineer Recovers Data From Space Shuttle Columbia Hard Drive
(May 9 & 12, 2008)
Engineer Jon Edwards describes how he recovered data from a disk drive
that melted and fell to earth when the US Space Shuttle Columbia
disintegrated on re-entry on February 1, 2003. According to Edwards,
"When we got it, it was two hunks of metal stuck together. We couldn't
even tell it was a hard drive. It was burned and the edges were
melted." Edwards was successful with this particular drive because the
platters on which the data were stored were not warped, and the damage
they sustained fell on a part of the disk where no data had been written;
the astronauts were running DOS, which had written the files contiguously
rather than scattering them across the platters. Edwards recovered 99
percent of the data. He did not have
the same luck with two other drives salvaged from Columbia's wreckage.
http://www.msnbc.msn.com/id/24542368/?news=newsclip_MSNBC_May_08
http://www.informationweek.com/news/storage/disaster_recovery/showArticle.jhtml?articleID=207602714
UPCOMING SANS WEBCAST SCHEDULE
Internet Storm Center Webcast: Threat Update
WHEN: Wednesday, May 14, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
http://www.sans.org/info/27109
Sponsored By: Core Security http://www.coresecurity.com/
The SANS Internet Storm Center (ISC) uses advanced data correlation and
visualization techniques to analyze data collected from thousands of
sensors in over sixty countries. Experienced analysts constantly monitor
the Storm Center data feeds searching for trends and anomalies in order
to identify potential threats. When a threat is identified, the team
immediately begins an intensive investigation to gauge the threat's
severity and impact. This monthly webcast discusses recent threats
observed by the Internet Storm Center, and discusses new software
vulnerabilities or system exposures that were disclosed over the past
month. The general format is about 30 minutes of presentation by senior
ISC staff, followed by a question and answer period.
***
Security Inside the Perimeter: Confronting the Gap Between Talking About
the Threat and Doing Something About it
WHEN: Thursday, May 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Paul Smith
http://www.sans.org/info/27114
Sponsored By: PacketMotion http://www.packetmotion.com/
Most security and IT professionals agree that the corporate network
"perimeter" is no longer viable due to laptops, tunneling applications,
VPNs and wireless, etc. But network security conventional wisdom is
still very perimeter oriented. Why the inconsistency? Perhaps people
really don't think the problem is that significant and the risk is not
that high. Or maybe they do think it's a real problem, but hesitate to
act because of cost, complexity, and risk to application availability.
This webinar will review the key aspects of this inconsistency and offer
solutions to better manage the "inside risk."
***
WHEN: Tuesday, May 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rush Carskadden
http://www.sans.org/info/27119
Sponsored By: Cisco Systems http://www.cisco.com/
Effective mitigation of application-layer threats requires defeating
attempts to obfuscate malicious headers and payloads. However, active
evasion protections can introduce misleading results in the testing of
a network IPS. This session will present well-known and recent
obfuscation techniques, methods for their mitigation and prevention, and
guidelines for effective testing.
***
SANS Special Webcast: Understanding and Selecting a Database Activity
Monitoring Solution
WHEN: Wednesday, May 21, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Rich Mogull
http://www.sans.org/info/27124
Sponsored by the Following:
Guardium http://www.guardium.com/
Imperva http://www.imperva.com/
Secerno http://www.secerno.com/
Sentrigo http://www.sentrigo.com/
Tizor http://www.tizor.com/
Thanks to increasing compliance requirements and growing security
threats, enterprises must adopt new strategies and techniques to protect
their databases. Security and database administrators are charged with
protecting these essential corporate assets, but are challenged to
improve security and auditing in the least intrusive way possible.
Database Activity Monitoring is emerging as a powerful tool to ensure
compliance while detecting, and sometimes preventing, database attacks
and internal abuse. In this webcast independent consultant Rich Mogull
will review the inner workings of Database Activity Monitoring,
highlight key features, and present a three step selection process.
***
Ask the Expert: Enterprise Incident Management with Security Monitoring
**** Previously scheduled for Thursday, May 8, 2008****
WHEN: Thursday, May 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Adrien de Beaupre and A.N. Ananth
http://www.sans.org/info/27104
Sponsored By: Prism MicroSystems
Issues revolving around log management (LM) include privacy, storage
requirements, and meeting regulatory or legislative requirements. The
integration of LM into an organization's overall security dashboard will
be the focus of this presentation.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security
Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, authors the critical vulnerabilities section of the
SANS Institute's weekly @RISK newsletter, and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore
(MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkgqCHoACgkQ+LUG5KFpTkZrewCfcDKabANyp0qVqxRHEXymlJS1
BdkAoIUNgt5dueLLmQcUcN0zFaJgrZn2
=8zs9
-----END PGP SIGNATURE-----