[Netsec] SANS NewsBites Vol. 13 Num. 38 : White House Cyber Plan Hits The High Points, Catalyst for Rapid Congressional Action

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The new White House cybersecurity plan (the first story in this issue)
is a catalyst for rapid Congressional action to make the laws more
responsive to current threats. Because the White House did an admirable
job of meeting the goals of both Democrats and Republicans, there is a
good chance for comprehensive legislation being passed this calendar
year.  The new initiative will be particularly welcomed by federal and
contractor organizations that were frustrated by the waste of time and
money demanded by the paper reporting required under the old FISMA
legislation.

                                      Alan

**************************************************************************
SANS NewsBites                  May 14, 2011             Vol. 13, Num. 038
**************************************************************************
TOP OF THE NEWS    
  White House Reveals Cyber Security Plan
  Proposed Anti-Piracy Bill Increases Government Authority
  ICS-CERT Warns of Vulnerability in SCADA Products
THE REST OF THE WEEK'S NEWS 
    Flash Update Allows Simpler Management of Flash Cookies
    Is Bypassing Chrome Sandbox a Flash Issue or a Chrome Issue?
    DoJ Wants Providers to Store Location Data
    Microsoft Patches Flaws in Windows Internet Name Server and PowerPoint
    ACS:Law Attorney Fined for Violation of Data Protection Laws
    Michaels Breach Affects Customers Across the Country
    Three Year Prison Sentence for Attempted ATM Scheme
***************************************************************** 
TRAINING UPDATE
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.  Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses.  Bonus evening presentations include Ninja developers:
Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
- -- SANS Virginia Beach 2011, August 22- September 2, 2011
11 courses.   Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/
- -- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Barcelona, London, Austin, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************** SPONSORED BY MANDIANT **************************

Be part of something more!  MANDIANT is building a world-class threat
detection and response organization and needs a few good men and women
to join the Product Development and Professional Services teams in our
DC, New York, Los Angeles and San Francisco offices.  Check out open
positions online at http://www.sans.org/info/77404

****************************************************************************

TOP OF THE NEWS
 --White House Reveals Cyber Security Plan
(May 12, 2011)
A cyber security plan proposed by the Obama administration aims to
protect individual privacy, federal computer networks and elements of
national critical infrastructure.  The proposal includes more stringent
penalties for cyber criminals; mandatory data breach reporting for
organizations; placing the responsibility for defending federal agency
networks from attack in the hands of the Department of Homeland Security
(DHS); and improving protection for elements of the country's critical
infrastructure.  It also would establish guidelines for the government
to help companies that suffer cyber incidents, and for information
sharing about threats among businesses and state and local governments.
http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-unveils-new-cybersecurity-plan/1
http://www.csmonitor.com/USA/Politics/2011/0512/White-House-proposes-national-standards-for-cybersecurity
http://whitehouse.blogs.cnn.com/2011/05/12/white-house-lays-out-cyber-security-proposal/
http://www.informationweek.com/news/government/security/229500148

 --Proposed Anti-Piracy Bill Increases Government Authority
(May 12, 2011)
Legislation introduced in the US Senate would increase the government's
authority to disrupt the availability of and close down websites that
are "dedicated to [copyright] infringing activities." The Protect IP
Act, sponsored by 11 senators, would grant the government the power to
bring lawsuits against the websites and obtain court orders prohibiting
search engines from returning the sites in their results.
http://www.wired.com/threatlevel/2011/05/protect-act/
http://news.cnet.com/8301-13578_3-20062419-38.html

 --ICS-CERT Warns of Vulnerability in SCADA Products
(May 11 & 12, 2011)
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
has issued an advisory warning of a stack overflow vulnerability in
Iconics Genesis32 and VizBiz supervisory control and data acquisition
(SCADA) products. The flaw lies in an ActiveX control, GenVersion.dll.
It could be exploited to allow remote code execution.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10873
http://www.us-cert.gov/control_systems/pdf/ICSA-11-131-01.pdf
http://www.theregister.co.uk/2011/05/12/critical_iconics_scada_bug/
http://www.v3.co.uk/v3-uk/news/2070468/government-brings-memories-stuxnet-warning-scada-attacks
http://www.scmagazineus.com/industrial-control-systems-at-risk-ics-cert-warns/article/202673/

**************************  SPONSORED LINK  ********************************
1) REGISTER NOW for the upcoming SANS Webcast: Security of Applications:
It Takes a Village Featuring Dave Shackleford and Brad Arkin
Tuesday, May 24th  Start Time: 1:00 PM ET (1700 UTC/GMT)
Sponsored by: Adobe Systems, Inc.
http://www.sans.org/info/77409
****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Flash Update Allows Simpler Management of Flash Cookies
(May 12, 2011)
Adobe has released an update for Flash Player to address a number of
security issues and give users a more manageable way to control web
tracking.  Flash Player 10.3 allows users to manage Flash cookies either
through a new control panel or in browser privacy settings.  Flash
cookies, also known as Local Shared Objects, have made the news several
times in the last few years when researchers noted that they were being
used to track users' online behavior and that they have been difficult
to remove.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10876
http://www.computerworld.com/s/article/9216670/Adobe_Flash_update_puts_users_in_charge_of_privacy?taxonomyId=17
[Editor's Note (Ranum): "Do it wrong then incrementally try to get it
right" is a much more expensive design process than "think about getting
it right the first time."  Adobe's painful lessons about the reality of
security should serve as an object lesson to any business that develops
software.]

 --Is Bypassing Chrome Sandbox a Flash Issue or a Chrome Issue?
(May 11 & 12, 2011)
Reports earlier this week said that a French security company had
discovered a way to bypass Chrome's sandbox.   Google engineers do not
dispute the fact that the flaw exists, but they say that it resides not
in Chrome, but in Adobe Flash, which is supported by the browser.
http://www.informationweek.com/news/security/attacks/229500086
http://gcn.com/articles/2011/05/11/ecg-google-engineers-blame-adobe-for-chrome-hack.aspx?admgarea=TC_SECCYBERSSEC

 --DoJ Wants Providers to Store Location Data
(May 10 & 11, 2011)
The US Department of Justice wants wireless carriers to retain location
data to be used in criminal investigations where that information would
be crucial to solving the crime. Deputy Assistant Attorney General for
the criminal division Jason Weinstein made the request at a hearing of
the Senate Judiciary Committee Subcommittee on Privacy, Technology and
the Law, which was called over concerns about iPhones storing location
data without users' permission.
http://www.informationweek.com/news/government/security/229500071
http://news.cnet.com/8301-31921_3-20061472-281.html

 --Microsoft Patches Flaws in Windows Internet Name Server and PowerPoint
(May 10 & 11, 2011)
On Tuesday, May 10, Microsoft released two security bulletins to address
three vulnerabilities, one in Windows and two in Office.  The first
patches a flaw in Windows Internet Name Server that could be exploited
to allow remote code execution.  The second update addresses a pair of
flaws in Microsoft PowerPoint that could also be exploited to allow
remote code execution.  Microsoft has not yet released a fix for the
vulnerabilities in Mac Office.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10855
http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
http://www.informationweek.com/news/windows/security/229500013
http://www.zdnet.com/blog/bott/patch-tuesday-updates-fix-a-trio-of-windows-7-sp1-glitches/3286
http://www.computerworld.com/s/article/9216620/Microsoft_leaves_Mac_Office_users_in_the_lurch_says_researcher?taxonomyId=123

 --ACS:Law Attorney Fined for Violation of Data Protection Laws
(May 10, 2011)
The UK Information Commissioner's Office (ICO) has fined ACS:Law GBP
1,000 (US $1,627) for failing to adhere to data protection laws.  The
company gained notoriety for accusing people of illegal filesharing
based on their IP addresses.  None of the cases ever came to court, and
some questioned whether or not ACS:Law had the authority to bring the
lawsuits in the first place.  The company has ceased operations and
would have been fined considerably more, but the judge in the case chose
to fine Andrew Crossley as an individual rather than the company. The
fine is being imposed because of a breach that was an after-effect of a
distributed denial-of-service attack launched against the firm's
website.
http://www.theregister.co.uk/2011/05/10/acslaw_ico_fine/
http://www.bbc.co.uk/news/technology-13358896
[Editor's Note (Schultz): Here we go again--a minuscule fine for an
egregious offense.]

 --Michaels Breach Affects Customers Across the Country
(May 10, 2011)
Craft store chain Michaels now says that point of sale terminals at
stores across the country have been tampered with, compromising
customers' financial information.  The thieves appear to have been after
payment card data.  The issue first arose in the Chicago area, but the
company now says that compromised payment terminals have been found at
stores across the US.  Michaels discovered the situation after they were
informed by authorities that fraudulent payment card transactions had
been traced to cards used at certain of its stores.  An official
statement from Michaels says that fewer than 90 PIN pads were found to
have been affected.
http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/
http://demandware.edgesuite.net/aaeo_prd/on/demandware.static/Sites-Michaels-Site/Sites-Michaels-Library/default/v1305118810137/documents/press-releases/051011-Michaels-Shares-New-Information-In-Pin-Pad-Tampering-Investigation-NOTICES.pdf
[Editor's Note (Northcutt): This is a horrific problem. By inserting
themselves in the supply chain, and impacting the PIN pad, they make the
retailer contribute to a data breach even when the retailer has no lapse
in security procedure. Krebs points out this happened to a grocer as
well:
http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes ]

 --Three Year Prison Sentence for Attempted ATM Scheme
(May 9, 2011)
Thor Alexander Morris has been sentenced to three years in prison for
his attempt to steal up to US $200,000 from automatic teller machines
in Texas.  Morris's plan started coming apart after he contacted someone
seeking help in locating ATMs with known vulnerabilities; the contact,
an ex-con, provided information about Morris's request to federal
authorities.  Morris's plan involved reprogramming the ATMs to dispense
US $20 bills in place of US $1 bills.
http://www.theregister.co.uk/2011/05/09/atm_hacker_sentenced/
http://www.itnews.com.au/News/257067,atm-hacker-gets-three-years-prison.aspx

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford is Chief Security Officer of the North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3NbMgACgkQ+LUG5KFpTkYx4wCgj7nPbMvhYUUl2gW7kwvxLqdH
wDoAn190RQyH0/ItoXfgPxsMZA29XkLx
=6IjT
-----END PGP SIGNATURE-----