Historical SANS NewsBites Vol. 11 Num. 79 : DHS to Hire 1,000 Cyber Security Specialists

  • From: The SANS Institute
  • Date: Tue Oct 06 14:16:28 2009


Ooops. The Security Automation Conference I told you about last time
does have a small fee. Sorry for the error. Definitely worth going.
http://scap.nist.gov/events
Alan

************************************************************************
SANS NewsBites              October 6, 2009             Vol. 11, Num. 79
************************************************************************
TOP OF THE NEWS
  CIO Council to Develop Outcome-Based Security Metrics
  Amazon.com Agrees to Pay US $150,000 to Settle Kindle eBook Removal Lawsuit
  US Dept. of Homeland Security to Hire 1,000 Cyber Security Specialists

THE REST OF THE WEEK'S NEWS
  RIM Issues Update to Fix Security Certificate Flaw in BlackBerry Handset Software
  Null-Prefix Certificate Could be Used to Exploit Vulnerability in Browsers
  Missing Hard Drive Contains US Military Veterans' Records
  Google Apologized for Temporarily Removing Pirate Bay From Search Results
  Windows LiveID Credentials Posted on Internet
  Careless Security Practices Result in Dropped Charges Against Former Employee
  California Joins Cyber Security Challenge
  Australian Energy Supplier Computer Network Infected
  Injunction Served Over Twitter

*************************** Sponsored By CA ****************************

Role Management and Identity Compliance
Today's Challenges Facing Role Management and Identity Compliance
Initiatives. Gain some useful insights, hints and tips regarding many of
today's challenges facing role management and identity compliance
initiatives, as well as practical approaches to reducing the required
investment and increasing the value of these efforts. This paper will help
you answer all these questions and more.

http://www.sans.org/info/49223
************************************************************************
TRAINING UPDATE
 -- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
 -- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
 -- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
 -- SANS Sydney, Nov. 9-14,
http://sans.org/sydney09/
 -- SANS London, UK, Nov. 28-Dec. 9,
http://sans.org/london09/
 -- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
 -- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --CIO Council to Develop Outcome-Based Security Metrics
(October 2 & 5, 2009)
The US Chief Information Officer Council has established a Security
Metrics Taskforce that has been given the objective of developing "new
metrics for information security performance for federal agencies that
are focused on outcomes."  The metrics are expected to be complete by
the end of this calendar year.  Federal CIO Vivek Kundra noted in a blog
post that "FISMA metrics need to be rationalized to focus on outcomes
over compliance."
http://www.federalnewsradio.com/?nid=35&sid=1777068
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=220301050
http://it.usaspending.gov/?q=content/blog

 --Amazon.com Agrees to Pay US $150,000 to Settle Kindle eBook Removal Lawsuit
(October 1 & 2, 2009)
Amazon.com has agreed to a settlement that would have the company pay
US $150,000 to a Michigan high school student who sued the company after
his copy of 1984 was deleted from his Kindle reading device without
notice.  In June of this year, Amazon deleted copies of 1984 and Animal
Farm from users' devices after learning that the entity that had made
the e-books available did not have proper authorization to do so.
Justin D. Gawronski sued Amazon, in part because when the file was
deleted from his Kindle, he lost annotations he had been making as part
of his summer homework for an Advanced Placement class.  The settlement
also mandates that Amazon will not delete e-book files from users'
Kindles unless the user agrees, the user seeks a refund or the payment
does not clear, a court orders that the file be deleted, or the deletion
is deemed necessary to protect users from malware.  In September, Amazon
offered to return the books to customers' Kindles along with any
annotations that had been made or give them credit at Amazon.com or a
check.
http://www.informationweek.com/news/internet/ebusiness/showArticle.jhtml?articleID=220300915
http://www.msnbc.msn.com/id/33130484/ns/technology_and_science-tech_and_gadgets/

 --US Dept. of Homeland Security to Hire 1,000 Cyber Security Specialists
(October 1, 2 & 5, 2009)
The US Department of Homeland Security has announced that it plans to
hire up to 1,000 cyber security experts over the next three years.  The
positions will be available at different agencies throughout the
department.  DHS Secretary Janet Napolitano noted that "Cyber security
is one of our most urgent priorities."  DHS is seeking experts in areas
of cyber risk and strategic analysis; cyber incident response;
vulnerability detection; and network and systems engineering.
http://voices.washingtonpost.com/securityfix/2009/10/dhs_seeking_1000_cyber_securit.html
http://www.scmagazineus.com/DHS-to-hire-up-to-1000-cybersecurity-experts/article/151208/
http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/
http://news.zdnet.co.uk/security/0,1000000189,39789648,00.htm
[Editor's Note (Schultz): This should be interesting. Given the US
government's dismal track record in efficiency, I wonder how long it
will take to hire 1000 cyber security specialists. At the same time,
however, DHS should be given credit for realizing its dire need for
cyber security specialists. ]

************************ Sponsored Links: ****************************
1) Register Today and receive 10% off for SANS vLive course SEC542, Web
App Penetration Testing and Ethical Hacking, November 2nd - November
9th. Please use the code @Risk542 when registering.
http://www.sans.org/info/49228

2) IN CASE YOU MISSED IT! Check out the webcast: Identity-Aware
Networking Done Right
http://www.sans.org/info/49233

3) Be sure to Register NOW for the Ask the Expert Webcast: Top 10 Ways
to Get the Most Out of Your Log Data
http://www.sans.org/info/49238
***********************************************************************

THE REST OF THE WEEK'S NEWS
 --RIM Issues Update to Fix Security Certificate Flaw in BlackBerry Handset Software
(October 6, 2009)
Research In Motion (RIM) has issued an update to address a security flaw
in the way the BlackBerry reports security certificate mismatches.  The
flaw could be exploited to launch a phishing attack.  The vulnerability
affects versions 4.5 to 4.7 of the BlackBerry software, but not
BlackBerry Server or Desktop software.
http://www.securecomputing.net.au/News/157504,rim-posts-blackberry-security-patch.aspx

 --Null-Prefix Certificate Could be Used to Exploit Vulnerability in Browsers
(October 5, 2009)
A phony PayPal SSL certificate has been released, making it easy for
cyber criminals to dupe users running Internet Explorer, Google Chrome
or Apple Safari web browsers with man-in-the-middle attacks.  The
null-prefix certificate exploits a vulnerability in a Microsoft
library used by all three browsers.  The vulnerability was disclosed
in July, but Microsoft has yet to fix it.  Mozilla fixed the
vulnerability in its browsers days after the flaw was disclosed.
http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
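The null-prefix problem above comes down to how the name inside a certificate is compared with the hostname the user typed: a library that treats the name as a NUL-terminated C string stops reading at the first zero byte. The following added example (not code from the newsletter, a browser, or any Microsoft library) contrasts that truncating comparison with a length-aware one and shows a validator that rejects such names outright; all names below are constructed.

```python
# Constructed sample names (ASN.1 strings may legally carry any byte,
# but a DNS hostname can never contain 0x00).
LEGIT_NAME = b"www.example.com"
NULL_PREFIX_NAME = b"www.example.com\x00.attacker.example"
WILDCARD_NAME = b"*.example.com"


def c_string_view(name: bytes) -> bytes:
    """Mimic a library that treats the name as NUL-terminated:
    everything from the first 0x00 byte onward is silently dropped."""
    nul = name.find(b"\x00")
    return name if nul < 0 else name[:nul]


def hostname_matches(presented: bytes, host: str) -> bool:
    """Length-aware, case-insensitive comparison of a presented DNS name
    against the requested host.  A leading '*.' matches exactly one label."""
    host_b = host.lower().encode("ascii")
    p = presented.lower()
    if p.startswith(b"*."):
        labels = host_b.split(b".")
        return len(labels) > 2 and b".".join(labels[1:]) == p[2:]
    return p == host_b


def truncating_match(presented: bytes, host: str) -> bool:
    """What a NUL-truncating implementation effectively compares."""
    return hostname_matches(c_string_view(presented), host)


def validate_presented_name(presented: bytes) -> None:
    """Reject anything a DNS hostname can never legitimately contain."""
    if b"\x00" in presented:
        raise ValueError("embedded NUL byte in certificate name")
    try:
        text = presented.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in certificate name")
    for label in text.split("."):
        if not label or len(label) > 63:
            raise ValueError("malformed DNS label")
        if not all(ch.isalnum() or ch in "-*" for ch in label):
            raise ValueError(f"illegal character in label {label!r}")


def check_certificate_name(presented: bytes, host: str) -> bool:
    """Hardened check: validate the raw name first, then compare it in full."""
    validate_presented_name(presented)
    return hostname_matches(presented, host)


if __name__ == "__main__":
    # The truncating comparison accepts the null-prefix name; the
    # length-aware one does not, and the validator rejects it outright.
    print("truncating:", truncating_match(NULL_PREFIX_NAME, "www.example.com"))
    print("length-aware:", hostname_matches(NULL_PREFIX_NAME, "www.example.com"))
    try:
        check_certificate_name(NULL_PREFIX_NAME, "www.example.com")
    except ValueError as err:
        print("rejected:", err)
```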

 --Missing Hard Drive Contains US Military Veterans' Records
(October 1, 2 & 5, 2009)
A hard drive containing personally identifiable information of US
military veterans was sent to a contractor to be repaired without first
being erased. The contractor determined that the drive could not be
repaired and sent it to another company to be recycled.  The National
Archives and Records Administration is investigating the breach, which
may affect more than 70 million people.  The hard drive contains data
used by a system through which veterans can request copies of their
health records and discharge papers.
http://www.scmagazineuk.com/Lost-hard-drive-could-affect-70-million-US-military-veterans/article/151478/
http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=220300906&subSection=Privacy
http://www.wired.com/threatlevel/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/
[Editor's Note (Ranum): Distributed data is distributed vulnerability.
Accessibility from everywhere means leakage everywhere. But, strangely,
whenever one of us "old school" security practitioners says that, the
rejoinder is "data compartmentalization is an impediment to doing
business." Ultimately it will sink in - you either have impediments to
doing business, or you have leaks. ]

 --Google Apologized for Temporarily Removing Pirate Bay From Search Results
(October 5, 2009)
Google has issued a public apology for removing The Pirate Bay from its
search results.  Google removed Thepiratebay.org in response to a
Digital Millennium Copyright Act (DMCA) takedown request that mistakenly
included the site's address.  Takedown notices are used to let companies
know that they are hosting copyrighted material and that they must
remove it or face legal repercussions.  The Pirate Bay has been restored
to Google's search index.
http://www.scmagazineuk.com/Google-apologises-to-The-Pirate-Bay-after-removing-it-from-its-search-results/article/151481/
http://www.theregister.co.uk/2009/10/05/google_piratebay/
http://www.pcworld.com/businesscenter/article/173095/google_puts_the_pirate_bay_back_in_its_search_index.html

 --Windows LiveID Credentials Posted on Internet
(October 5, 2009)
The leak of more than 10,000 Microsoft Windows Live ID account usernames
and passwords is being blamed on a phishing attack; Microsoft maintains
that the leak "was not a breach of internal Microsoft data."  Microsoft
is "help[ing] customers regain control of their accounts," and is
recommending that all customers change their passwords.  The stolen
information was posted on a web site over the weekend.  Microsoft
Windows Live ID allows users to access Hotmail, Messenger, Xbox LIVE and
other services.
It appears that this breach extends to other email providers, including
Gmail, Yahoo, Hotmail and AOL.
http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm?s_cid=33
http://news.bbc.co.uk/2/hi/technology/8292299.stm
http://news.cnet.com/8301-17939_109-10368361-2.html
Some analysis of the compromised passwords is available at
http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/
ISC: http://isc.sans.org/diary.html?storyid=7276
http://news.cnet.com/8301-17939_109-10367348-2.html
http://www.computerworld.com/s/article/9138956/Microsoft_confirms_phishers_stole_several_thousand_Hotmail_passwords?source=rss_security
http://www.theregister.co.uk/2009/10/05/hotmail_passwords_leaked/
http://www.scmagazineus.com/Microsoft-acknowledges-Windows-Live-ID-breach/article/151544/
[Editor's Note (Honan): As users tend to use the same password for
multiple accounts, be they personal or business, you should monitor your
organisation's access logs for any unusual behaviour, e.g. remote logins
from foreign IP addresses, and react accordingly. Now may be a good time
to push out that security awareness program on how to select secure
passwords. ]

 --Careless Security Practices Result in Dropped Charges Against Former Employee
(October 3, 2009)
A Deputy Merrimack County (New Hampshire) Attorney has dropped theft and
computer crime charges against a Concord, NH-area Local Government
Center employee.  Ruthanne Bradley was arrested last year on charges
that she concealed and altered data on computer backup tapes at her
office.  Deputy County Attorney George Waldron said his office would not
seek a grand jury indictment because "the Local Government Center's
careless security practices created a situation where reasonable doubt
exists."  The tapes in question were located promptly and were found to
be unharmed.  Bradley has maintained her innocence and that the tapes
were simply mislabeled.
http://www.concordmonitor.com/apps/pbcs.dll/article?AID=/20091003/FRONTPAGE/910030315&template=single
[Editor's Note (Ranum): It doesn't sound like these were careless
security practices. Reading between the lines it sounds like an
organization that made a mistake, wrongly accused an employee, and then
decided to "drop the charges" when they realized that they were, in fact,
wrong. An apology might be appropriate.
(Honan): This should be used as a case study on how not to conduct an
investigation. Remember incident response is not just about the
technology, it is about the processes and procedures to use to identify
if you have an incident in the first place and then how to gather and
preserve any evidence you will need. ]

 --California Joins Cyber Security Challenge
(October 2, 2009)
US Senator Dianne Feinstein (D-Calif.) and the California Office of
Information Security have announced that California will join the US
Cyber Challenge, a program aimed at identifying and nurturing the next
generation of cyber security professionals.  The Cyber Challenge
comprises three competitions: the Digital Forensics competition, the
CyberPatriot Defense competition, and the NetWars Capture the Flag
Competition.  Winners will be invited to attend Cyber camps at
California State University, Sacramento.  Delaware and New York
announced their participation in the program earlier this year.
http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&ContentRecord_id=16b1f25c-5056-8059-766e-dc4dd89f85dd&Region_id=&Issue_id
http://clarke.house.gov/2009/09/rep-yvette-d-clarke-joins-new-york-state-in-us-cyber-challenge-kick-off.shtml
http://carper.senate.gov/press/record.cfm?id=316227

 --Australian Energy Supplier Computer Network Infected
(October 1 & 2, 2009)
Malware has infected the computer network at Integral Energy, a major
Australian energy supplier.  The "particularly sinister" infection
spreads quickly and has been difficult to remove from infected computers.
The company had to rebuild more than 1,000 desktop computers to thwart
the malware's spread.  The infection appears not to have affected power
supplies or business data, although it did "spread to the operator
display consoles in the control room."  The infected Windows computers
were switched out for Linux boxes.  Signatures for this particular
strain of malware have been available since early this year, leading to
speculation that Integral Energy has been lax in updating its antivirus
software.
http://www.smh.com.au/technology/security/sinister-integral-energy-virus-outbreak-a-threat-to-power-grid-20091001-gdrx.html
http://www.theinquirer.net/inquirer/news/1556944/linux-saves-aussie-electricity
http://www.upi.com/Energy_Resources/2009/10/02/Computer-virus-in-Australian-power-grid/UPI-65111254514968/
[Editor's Note (Honan): One would also have to question why Integral
appears not to have its critical control systems air gapped from its
corporate network. ]

 --Injunction Served Over Twitter
(October 2, 2009)
The UK High Court has allowed an injunction to be served via Twitter.
The decision was made because it appeared to be the best way to reach
the individual who was posting comments while posing as Conservative
blogger Donal Blaney.  The unknown account owner will receive the writ
the next time the owner visits the site; the writ says that the impostor
should cease the deceptive activity and reveal his or her identity to
the court.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6858340.ece

**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


