Network Security
SANS NewsBites Vol. 11 Num. 74
- From: The SANS Institute
- Date: Fri Sep 18 14:55:24 2009
Companies and government agencies face a critical shortage of
cybersecurity experts with sufficient hard skills to defend their
systems, and military organizations have a similar shortage of people
who can fight and win in cyberspace. The coolest initiative aiming
at increasing the pipeline of these super-talented people is the US
Cyber Challenge. A session at Tim O'Reilly's Gov 2.0 had an interview
with the winner of an early round of NetWars. The video clip is
illuminating (and funny) and useful for motivating very talented kids
you want to get engaged in cyber security. http://blip.tv/file/2610813
Alan
*************************************************************************
SANS NewsBites September 15, 2009 Vol. 11, Num. 73
*************************************************************************
TOP OF THE NEWS
SANS Report: Top Cyber Security Risks Underestimated By
Industry/Government
HHS Harm Standard Offers HIPAA-Covered Entities Breach
Notification Loophole
Trend Micro Study Finds Malware Often Remains For Months
French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill
THE REST OF THE WEEK'S NEWS
IETF Publishes Draft Document on Botnet Remediation
Firefox Outdated Flash Notification Leads 10 Million to Update
Spyware Intended for Girlfriend Ended Up on Hospital Network
Sears Ordered to Destroy Collected Customer Data
Former Inmate Pleads Guilty to Stealing Prison Worker Data
TIGTA Audit Reports Find IRS Has Made Security Improvements
Heartland CEO Pushes for End-to-End Encryption
****************** Sponsored By IBM Rational AppScan  ************************
IBM Security Management Solutions
Avoid costly compliance requirement fines. Prepare at the Service
Management Resource Center. http://www.sans.org/info/48707
*************************************************************************
TRAINING UPDATE
-- SANS Chicago North Shore, Oct. 26-Nov. 2, http://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30, http://www.sans.org/euscada09_summit/
-- SANS San Francisco, November 9-14, http://www.sans.org/sanfrancisco09
-- SANS London, UK, Nov. 28-Dec. 9, http://sans.org/london09/
-- SANS Sydney, Nov. 9-14, http://sans.org/sydney09/
-- SANS CDI, Washington DC, Dec. 11-18, http://www.sans.org/cyber-defense-initiative-2009
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the
next 90 days. For a list of all upcoming events, on-line and live:
www.sans.org
*************************************************************************
TOP OF THE NEWS
--SANS Report: Top Cyber Security Risks Underestimated By Industry/Government
(September 16, 2009)
The SANS Institute's Top Cyber Security Risks report found that two
types of vulnerabilities are responsible for the majority of attacks:
unpatched flaws in popular client-side programs like Adobe Reader and
Flash Player, and unpatched flaws in the web applications of otherwise
legitimate web sites. Both can be, and often are, exploited to infect
vulnerable computers and use them to commit further cyber crimes. The
report also found that organizations usually take twice as long to
patch web applications as they do to patch flaws in operating systems.
http://www.sans.org/top-cyber-security-risks/
http://blogs.usatoday.com/technologylive/2009/09/cyberattackers-focus-on-web-applications.html
http://www.csoonline.com/article/502096/SANS_Security_Ignores_the_Two_Biggest_Cyber_Risks
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=220000292
http://www.scmagazineuk.com/Businesses-fail-to-understand-threats-and-fail-to-keep-patches-updated/article/149030/
http://isc.sans.org/diary.html?storyid=7129
--HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole
(September 16 & 17, 2009)
New rules from the US Department of Health and Human Services (HHS)
exempt organizations that are subject to HIPAA from notifying consumers
of data security breaches if they use encryption or data destruction
or if the incident does not meet the harm standard described in the
new rules. The rules describe the standard by asking the entities
to determine if the breach poses a "significant risk of financial,
reputational or other harm to [an] individual." If the harm standard
is not met, entities are not required to notify affected individuals
even if they do not employ encryption.
http://www.theregister.co.uk/2009/09/17/healthcare_breach_disclosure/
http://www.eweek.com/c/a/Health-Care-IT/Health-IT-Data-Breaches-No-Harm-No-Foul-293398/
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
[Editor's Note (Liston): Ok... let me get this straight: I screw up
and let someone steal your data. Then *I* (an acknowledged screw-up)
get to decide if my screw-up poses any harm to you!?!? What could
possibly go wrong with that? Next up: rapists, murderers, and felons
get to decide if they're ready to be released from prison...]
--Trend Micro Study Finds Malware Often Remains For Months
(September 15 & 16, 2009)
A study from Trend Micro found that malware tends to stay on the
computers it infects. Of 100 million IP addresses studied, 80 percent
of those that had been infected remained infected 30 days later, and
50 percent remained infected 10 months later. The reason for the long latency
periods is that often the malware does not do anything to attract
attention, such as consuming system resources. Many of the infected
machines are part of botnets, meaning they receive regular updates,
which may also help the malware evade detection.
http://www.scmagazineus.com/Study-Malware-persists-on-compromised-machines/article/149089/
http://www.theregister.co.uk/2009/09/15/malware_persistence/
http://blog.trendmicro.com/the-internet-infestation-how-bad-is-it-really/
[Editor's Note (Liston): Well, duh! I don't find this surprising
in the least. Anymore, malware has a business model... and nothing
interferes with that model more than having your malware *removed*.]
--French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill
(September 15 & 16, 2009)
By a 285 to 225 vote, French legislators have approved a law that
would establish a system for cutting off the Internet access of
persistent illegal downloaders. A similar bill was
passed earlier this year, but its constitutionality was successfully
challenged. The law would allow a new anti-piracy agency, Hadopi,
to sever users' Internet connections, but would require an order from
a judge. Violators would face maximum penalties of a 300,000 Euro
fine and two years in jail; penalties for families whose children
download are less stringent. The law would also require that people
with wi-fi connections prevent those connections from being abused.
The legislation was approved by the legislature's lower house; it
now goes before the upper house.
http://news.bbc.co.uk/2/hi/technology/8257720.stm
http://euobserver.com/9/28673
http://news.zdnet.co.uk/internet/0,1000000097,39753515,00.htm
************************ Sponsored Links: *******************************
1) View new Top Layer Security Intrusion Prevention System Demo
and learn about Free IPS Program
http://www.sans.org/info/48712
***********************************************************************
THE REST OF THE WEEK'S NEWS
--IETF Publishes Draft Document on Botnet Remediation
(September 15 & 17, 2009)
The Internet Engineering Task Force (IETF) has published an
Internet-Draft (a proposal, not yet a standard) with recommendations
for Internet service providers (ISPs) on how to clean up botnet
infestations. The document describes how to detect botnets and identify
affected computers; how to notify subscribers whose computers have been
compromised; and how to direct the subscribers to clean the malware from
their machines. The draft does not address how botnet clean-up efforts
would be paid for, nor does it address possible redress for subscribers
who refuse to clean the malware from their computers.
http://www.theregister.co.uk/2009/09/17/ietf_botnet_clean_up/
http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03
[Editor's Note (Liston): Having run various incarnations of
tarpit and honeypot sensors over the years, I've notified hundreds of
companies and individuals that their machines were behaving badly on
the Internet. Based on that, I can tell you that this is an incredibly
difficult, time consuming, frustrating, and thankless task. While
I applaud the IETF's efforts, I also know that what this standard
fails to address, cost and redress, are what will eventually doom
this effort to failure.]
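The detect, attribute, notify sequence the draft lays out is easy to get wrong in one specific place: attribution. An ISP sees an IP address in a flow or DNS log, but the subscriber behind that address changes with every DHCP lease, so a hit must be matched against the lease that was active at the time of the event, not the current one. The following is an added example, not code from the draft, from the IETF or from any ISP; the indicator list, lease table, log format and cooldown period are all constructed assumptions for the illustration.

```python
"""Added example (not code from the IETF draft or any ISP): the ISP-side
detection -> attribution -> notification pipeline the draft describes, run
over constructed log lines. Indicator values, lease table and log format are
all assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed C2/sinkhole indicators (documentation-range addresses, not real).
C2_INDICATORS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-service.example", "cdn-pool.example"},
}

# Constructed DHCP lease history. Attribution must use the lease that was
# active at the time of the event: the same address belongs to sub-0001 on
# the 15th and to sub-0002 on the 16th.
LEASES = [
    ("sub-0001", "192.0.2.10", "2009-09-15T00:00:00", "2009-09-16T00:00:00"),
    ("sub-0002", "192.0.2.10", "2009-09-16T00:00:00", "2009-09-17T00:00:00"),
    ("sub-0003", "192.0.2.44", "2009-09-15T00:00:00", "2009-09-17T00:00:00"),
]

# Constructed DNS/flow log lines: "<timestamp> <src_ip> <dns|flow> <value>".
LOG_LINES = """\
2009-09-15T12:00:01 192.0.2.10 dns update-service.example
2009-09-15T12:00:02 192.0.2.10 flow 198.51.100.23
2009-09-15T12:30:00 192.0.2.10 flow 198.51.100.23
2009-09-15T13:00:00 192.0.2.44 dns www.example.org
2009-09-16T09:15:00 192.0.2.10 flow 203.0.113.77
2009-09-16T09:20:00 192.0.2.44 dns cdn-pool.example
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, kind, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, value = line.split()
        events.append((datetime.fromisoformat(ts), src, kind, value))
    return events


def detect_hits(events, indicators=C2_INDICATORS):
    """Keep only events that touch a known C2 address or domain."""
    hits = []
    for ts, src, kind, value in events:
        if kind == "flow" and value in indicators["ip"]:
            hits.append((ts, src, value))
        elif kind == "dns" and value in indicators["domain"]:
            hits.append((ts, src, value))
    return hits


def attribute(hits, leases=LEASES):
    """Map each hit to the subscriber who held that IP at that moment."""
    by_sub = defaultdict(list)
    for ts, src, value in hits:
        owner = "unattributed"
        for sub, ip, start, end in leases:
            if ip == src and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
                owner = sub
                break
        by_sub[owner].append((ts, value))
    return dict(by_sub)


def build_notifications(by_sub, notified, now, cooldown=timedelta(days=7), min_hits=1):
    """One notice per subscriber, skipping anyone notified within `cooldown`.
    `notified` maps subscriber -> last notification time and is updated."""
    notices = []
    for sub, evs in sorted(by_sub.items()):
        if sub == "unattributed" or len(evs) < min_hits:
            continue
        last = notified.get(sub)
        if last is not None and now - last < cooldown:
            continue
        notices.append({
            "subscriber": sub,
            "hits": len(evs),
            "indicators": sorted({v for _, v in evs}),
            "first_seen": min(ts for ts, _ in evs).isoformat(),
        })
        notified[sub] = now
    return notices


def run_example():
    """Run the pipeline over the constructed data; sub-0003 was notified
    the day before, so the cooldown suppresses a second notice."""
    hits = detect_hits(parse_log(LOG_LINES))
    by_sub = attribute(hits)
    notified = {"sub-0003": datetime(2009, 9, 16)}
    notices = build_notifications(by_sub, notified, now=datetime(2009, 9, 17))
    return {"hits": len(hits),
            "per_subscriber": {s: len(e) for s, e in by_sub.items()},
            "notices": notices}


if __name__ == "__main__":
    for notice in run_example()["notices"]:
        print(notice)
```

The cooldown and the `min_hits` threshold are where the cost problem Liston raises shows up in practice: every notice generated here is a ticket a human has to handle, so a real deployment tunes both to keep the queue tractable rather than paging a subscriber on every single sinkhole hit.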
--Firefox Outdated Flash Notification Leads 10 Million to Update
(September 17, 2009)
Approximately 10 million Firefox users have followed the link
provided by the newest release of Firefox that allows them to update
the version of Adobe Flash running on their computers. Firefox version
3.5.3 alerts users if they are running outdated versions of Flash.
An estimated 75 percent of Firefox users are believed to be running
outdated versions of Flash.
http://www.scmagazineus.com/Firefox-finds-users-interested-in-updating-Flash-Player/article/149172/
http://www.computerworld.com/s/article/9138207/Firefox_s_Flash_check_drives_10M_to_Adobe_s_download?source=rss_security
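A plugin-version check like the one Firefox 3.5.3 ships has one classic pitfall: version strings must be compared numerically, component by component, or "9.0.280.0" sorts after "10.0.32.18". The block below is an added example and not Mozilla's code; the plugin names, the installed versions and the version treated as "current" for Flash are constructed assumptions for the illustration.

```python
"""Added example, not Mozilla's code: an outdated-plugin check in the spirit
of the one in Firefox 3.5.3, comparing installed plugin versions against a
table of current releases. The plugin inventory and the CURRENT_VERSIONS
table are constructed for this illustration."""
import re

# Assumed "current" versions (constructed for this example; a real check
# fetches these from the vendor or from a maintained feed).
CURRENT_VERSIONS = {
    "Shockwave Flash": "10.0.32.18",
}


def parse_version(text):
    """'10.0.32.18', '10,0,32,18' or 'Shockwave Flash 10.0 r32' -> tuple of
    four ints, zero-padded so that '10.0' compares equal to '10.0.0.0'."""
    parts = [int(x) for x in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no version digits in %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def naive_is_outdated(installed, current):
    """The common bug: comparing version strings lexically.
    '9.0.280.0' > '10.0.32.18' because '9' > '1', so the old plugin
    is reported as up to date."""
    return installed < current


def is_outdated(installed, current):
    """Correct comparison on the parsed numeric components."""
    return parse_version(installed) < parse_version(current)


def check_plugins(inventory, current=CURRENT_VERSIONS):
    """inventory: list of (plugin_name, installed_version_string).
    Returns the names of plugins whose version is behind the current one;
    plugins with no entry in the current table are skipped, not flagged."""
    outdated = []
    for name, version in inventory:
        latest = current.get(name)
        if latest is None:
            continue
        if is_outdated(version, latest):
            outdated.append(name)
    return outdated


if __name__ == "__main__":
    inventory = [("Shockwave Flash", "10.0.22.87"), ("Java(TM) Platform", "1.6.0_15")]
    print(check_plugins(inventory))
```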
--Spyware Intended for Girlfriend Ended Up on Hospital Network
(September 17, 2009)
An Ohio man will plead guilty to federal charges after spyware he
sent to a woman ended up on a hospital computer system. Scott Graham
intended the spyware to be installed on the computer of a woman with
whom he had been in a relationship, but instead, she opened the email
at work, infecting the computer systems at Akron Children's Hospital.
The spyware sent more than 1,000 screen shots to Graham's email;
the stolen data included confidential patient information and email
and financial data of four other hospital employees. Graham will
plead guilty to one count of illegally intercepting electronic
communications and will pay US $33,000 in damages to the hospital.
He will face a maximum prison sentence of five years.
http://www.computerworld.com/s/article/9138208/Misdirected_spyware_infects_Ohio_hospital?source=rss_security
[Editor's Note (Liston): While Mr. Graham is getting a well deserved
trip to the woodshed, what about the hospital? Aren't they culpable
in the least? What failures on their part allowed an employee to
access personal email and *install* (I'm familiar with this particular
programming gem, and no, it doesn't auto-install...) spyware on their
systems? (Schultz): This by all appearances is yet another case in
point of inadequate information security practices in hospitals. This
hospital should have mandated the use of end point security software
that would have detected the spyware and kept it from being installed
in the first place.
(Northcutt): I wonder if this will impact his relationship with
his girlfriend? Before you spy on someone you are in a relationship
with consider:
http://marriage.about.com/od/trustissues/a/spying.htm
http://www.articlesbase.com/marriage-articles/cheating-spouse-stories-is-it-legal-to-spy-69732.html
http://www.kissmegoodnight.com/dating-advice-and-tips/my_girlfriend_is_spying.shtml ]
--Sears Ordered to Destroy Collected Customer Data
(September 16, 2009)
The US Federal Trade Commission (FTC) has ordered Sears to destroy
customer data it collected with online tracking software. Sears paid
customers to participate in a research project that monitored their
browsing activity, but the company was not forthcoming about exactly
what information was to be collected. The software collected data from
third party websites, including online banking sessions, prescription
drug purchases and data about web-based email messages.
http://www.theregister.co.uk/2009/09/16/sears_to_destroy_tracking_software_data/
http://www.ftc.gov/os/caselist/0823099/090604searsdo.pdf
--Former Inmate Pleads Guilty to Stealing Prison Worker Data
(September 16, 2009)
Former prison inmate Francis G. Janosko has pleaded guilty to one
charge of intentional damage to a protected computer for breaking into
a prison computer system and accessing personal information of more
than 1,100 prison employees. In return for his guilty plea, aggravated
identity theft charges against Janosko were dropped. The breach
occurred while Janosko was serving time for a parole violation.
The compromised data include names, addresses and Social Security
numbers (SSNs). The computer he used was supposed to be restricted to
legal research.
http://www.theregister.co.uk/2009/09/16/prison_computer_hack_guilty_plea/
http://www.patriotledger.com/news/x1554702936/Former-inmate-pleads-guilty-to-hacking-prison-computer-system
--TIGTA Audit Reports Find IRS Has Made Security Improvements
(September 15, 2009)
The Treasury Inspector General for Tax Administration (TIGTA)
has released two audit reports regarding the US Internal Revenue
Service's (IRS) attention to security issues raised in earlier reports.
The first report finds that the IRS has installed encryption technology
on 99 percent of its laptop computers; the action was taken in
response to the results of a March 2007 audit. Other actions taken
to mitigate concerns about lack of protection of sensitive data on
electronic media include encrypting data transferred to flash drives
and other removable storage devices. The new report also indicates
that the IRS needs to improve security incident tracking processes.
A second audit report released on Monday, September 14 found that
10 of 16 security issues affecting the IRS Customer Account Data
Engine (CADE) identified in an earlier audit report have been resolved.
http://www.nextgov.com/nextgov/ng_20090915_8372.php
http://www.treas.gov/tigta/auditreports/2009reports/200920120fr.pdf
http://www.treas.gov/tigta/auditreports/2009reports/200920100fr.pdf
--Heartland CEO Pushes for End-to-End Encryption
(September 14 & 15, 2009)
Heartland Payment Systems CEO Robert Carr told a US Senate committee
that the payment card industry needs to adopt end-to-end encryption
to protect consumers, financial institutions and payment processors
from payment card fraud. Heartland acknowledged a data breach
earlier this year that exposed millions of payment card accounts.
Heartland is also installing tamper-resistant point-of-sale terminals
at its retailers. Lawmakers also questioned Carr about why it took
the company 18 months to figure out that payment card information was
being stolen. The Smart Card Alliance says that end-to-end encryption
is not the answer to protecting card data, and is instead calling for
"contactless chips with dynamic cryptograms."
http://www.networkworld.com/news/2009/091409-heartland-ceo-credit-card-encryption.html
http://www.darkreading.com/database_security/security/encryption/showArticle.jhtml?articleID=220000501&subSection=Encryption
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection
and prevention. He was also the co-founder and original project manager
of the Department of Energy's Computer Incident Advisory Capability
(CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked
in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently
serves as President of the SANS Technology Institute, a post graduate
level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet
Storm Center and Dean of the Faculty of the graduate school at the
SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at
TippingPoint, where he leads the Digital Vaccine and ThreatLinQ
groups. His group develops protection filters to address
vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other
applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information
Security Forum (ISF) and author who has served as CSO for Microsoft
and eBay and as Vice-Chair of the President's Critical Infrastructure
Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and
he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center
(NIPC) at the FBI and is the incoming President of the InfraGard
National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the
information security field who have held a top management position in
a Fortune 50 company (Alcoa). He is leading SANS' global initiative
to improve application security.
David Hoelzer is the director of research & principal examiner
for Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security
Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and
is widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center
for Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/