Network Security
SANS NewsBites Vol. 11 Num. 92 : New House Science & Technology Committee Bill May Do More Harm Than Good
- From: The SANS Institute
- Date: Fri Nov 20 13:03:43 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites November 20, 2009 Vol. 11, Num. 92
*************************************************************************
TOP OF THE NEWS
House Science & Technology Committee Passes Cybersecurity Enhancement
Act
NSA Helping to Harden Operating Systems
Proposed Legislation Prohibits P2P Use in Government and Contractor
Computers
THE REST OF THE WEEK'S NEWS
Lost Hard Drive Holds Seven Years of Health Net Patient Data
Three Charged in Comcast Redirect Attack
One Year Prison Sentence for Scientology DDoS
Banks Reissuing Credit Cards Following Report of Breach at Spanish
Payment Company
Secondhand ATMs Pose Security Risk
UK Police Charge Two in Connection With Zeus Trojan
T-Mobile Customer Records Stolen and Sold
Microsoft Suit Involving Former Employee Settled, All Matters
Resolved
Man Pleads Guilty in ATM Skimming Case
****************** Sponsored By Absolute Software Corp. *****************
Laptop Data Security Webinar
In this webinar, Jack Heine, Research VP, Gartner, and David Holyoak,
CIO of accounting firm Grant Thornton, discuss how to facilitate
mobility while minimizing the risk of data exposure. These leading
experts discuss the limitations of encryption and the critical layer of
security provided by web-based tracking and anti-theft capabilities.
http://www.sans.org/info/51049
*************************************************************************
TRAINING UPDATE
-- SANS London, UK, November 28-December 6,
16 courses, bonus evening sessions: Hex Factor, Forensics Mini Summit and more
http://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18,
24 courses, bonus evening presentations, including Future Trends in
Network Security
http://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations: Top 7 Trends in Incident
Response and Computer Forensics, Advanced Forensic Techniques and more
http://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
http://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 -February 20, 2010
http://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
http://www.sans.org/sans-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Geneva, Tokyo and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--House Science & Technology Committee Passes Cybersecurity Enhancement Act
(November 19, 2009)
The US House Committee on Science and Technology has passed the
Cybersecurity Enhancement Act of 2009, which "is based on the concept
that in order to improve the security of our networked systems ... the
federal government must work in concert with the private sector,"
according to committee chairman Bart Gordon (D-Illinois). The
legislation incorporates elements of two bills that were approved by
House subcommittees earlier this year. It will require the National
Institute of Standards and Technology (NIST) to take the lead in the
US's involvement in the development of international cyber security
standards and it will require federal agencies to establish strategic
long-term cyber security research and development plans. The bill also
incorporates recommendations made in the 60-day Cyberspace Policy
Review.
http://www.scmagazineus.com/house-committee-passes-cyber-rd-standards-bill/article/158110/
http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR4061:/
[Editor's Note (Paller): This well-meaning bill breaks the first law of
cybersecurity - that offense must inform defense. By giving NIST added
responsibilities without ensuring the federal agencies that understand
offense (especially US-CERT and NSA's VAO and DoD's DC3) shape the
guidance that NIST publishes, the Science and Technology Committee is
asking the Congress to extend the dismal record that such NIST-only
guidance has had, and puts the nation's systems at substantially greater
risk.
(Schultz): I must admit that I am astounded that NIST has so much in
recent years assumed the proverbial driver's seat in US government
information security related issues.
(Pescatore): At first glance, mostly just reinforces NIST's position,
helps drive the SCAP efforts, and a few cats and dogs around other R&D
efforts. However, odd things often get jammed into the details as
bills like these proceed.
(Northcutt): Not the easiest reading. Near as I can tell, this is to
kick off a plan within 12 months. Goals include automated checklist,
international standards, a private public partnership, serious money in
research grants and improvement of identity management while improving
the number of females and minorities working in the field. All sounds
good, hopefully the money is not given to the usual suspects and some
real work gets done.
(Ranum): Cybersecurity is not so much a "Research and Development"
problem as it is a "Stop and Clutch the Bleeding" issue.]
--NSA Helping to Harden Operating Systems
(November 7, 18 & 19, 2009)
In testimony before the Senate Subcommittee on Terrorism and Homeland
Security, National Security Agency (NSA) information assurance director
Richard Schaeffer said that his agency helped Microsoft harden Windows
7 and that it is also helping Apple, Sun Microsystems, and Red Hat with
similar endeavors. The NSA's involvement in the development process has
led to speculation that backdoors will be built into the software to
allow communications monitoring and interception. The NSA denies those
claims and says it is helping develop security guidelines and
checklists. Schaeffer also said that agencies can protect their systems
against 80 percent of known cyber attacks by following three steps:
implementing best security practices, configuring networks properly, and
monitoring networks effectively.
http://www.theregister.co.uk/2009/11/19/nsa_enhanced_windows7_security/
http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development?source=rss_security
http://www.h-online.com/security/news/item/NSA-helps-Apple-Sun-and-Red-Hat-harden-their-systems-863889.html
http://fcw.com/Articles/2009/11/17/NSA-3-steps--better-cybersecurity.aspx
[Editor's Note (Pescatore): Ah, conspiracy theories. NSA and other
government agencies have been involved in developing "gold"
configuration definitions for standard software and network hardware
products for a long time, along with the IT industry. Hardening in this
case means better configuration and minimization of unneeded services.]
--Proposed Legislation Prohibits P2P Use in Government and Contractor
Computers
(November 17 & 18, 2009)
A bill introduced in the US House of Representatives would prohibit the
use of peer-to-peer (P2P) filesharing technology in government computers
and those used by government contractors except in cases where its use
has been officially approved. The Secure Federal File Sharing Act would
also require the Office of Management and Budget (OMB) to publish
P2P-use guidance and would prohibit personal use of P2P software on
government networks. The legislation comes in the wake of last month's
revelation that a confidential House Ethics Committee document was
inadvertently leaked through P2P software.
http://www.computerworld.com/s/article/9141099/Bill_would_restrict_P2P_use_on_government_networks_?source=rss_security
http://www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/
http://www.washingtonpost.com/wp-dyn/content/article/2009/11/17/AR2009111703841.html
http://thomas.loc.gov/cgi-bin/bdquery/z?d111:H.R.4098:
[Editor's Note (Pescatore): I predicted this would be the knee-jerk
silly reaction to the Ethics document leak. It is like back in 2001 when
some legislators proposed making buffer overflows illegal. There was
already policy saying users shouldn't do this - a law against it
wouldn't have changed anything. The issue is the lack of configuration
management of the government PCs.
(Honan): I really don't see the benefits legislating against P2P use
will bring. Its usage is already against most Government agencies'
policies. More policies and laws don't stop people doing things they
shouldn't, catching them and punishing them does.]
************************ Sponsored Links: ****************************
1) Learn about the unique benefits of archiving email in the cloud. Get
the white paper!
http://www.sans.org/info/51054
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Lost Hard Drive Holds Seven Years of Health Net Patient Data
(November 19, 2009)
A hard drive containing personal and medical information of 1.5 million
Health Net customers was lost in May, but the loss was not disclosed
until earlier this week. The drive contains unencrypted Social
Security numbers and medical information dating back to 2002; the breach
affects customers in Arizona, Connecticut, New Jersey, and New York.
Connecticut Attorney General Richard Blumenthal is investigating why the
company waited six months to disclose the device's loss. Health Net,
which is based in California, is also investigating the incident. The
company will send out breach notification letters to affected customers
the week of November 30.
http://www.wired.com/threatlevel/2009/11/healthnet
http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374839,00.html
http://www.computerworld.com/s/article/9141172/Health_Net_says_1.5M_medical_records_lost_in_data_breach?source=rss_security
http://healthnet.tekgroup.com/press_kits.cfm?presskit_id=13
--Three Charged in Comcast Redirect Attack
(November 19, 2009)
Three men have been charged in connection with a redirection attack on
Comcast's website. Christopher Allen Lewis, James Robert Black Jr., and
Michael Paul Nebel allegedly redirected traffic headed for Comcast's
site to another site under their control in May 2008. Comcast claims a
loss of US $128,000 as a result of the attack. The three men are
allegedly members of a hacker gang and live in different states: Lewis
is from Delaware, Black is from Washington, and Nebel is from Michigan.
http://www.wired.com/threatlevel/2009/11/comcast-hack/
http://www.seattlepi.com/local/6420ap_pa_comcast_site_hacked.html?source=mypi
http://www.philly.com/philly/business/technology/20091119_3_charged_with_hacking_Comcast_site.html
http://www.pcworld.com/businesscenter/article/182715/three_indicted_for_comcast_hack_last_year.html
--One Year Prison Sentence for Scientology DDoS
(November 18 & 19, 2009)
A 19-year-old man from New Jersey has been sentenced to one year in
federal prison for his role in a distributed denial-of-service (DDoS)
attack against the Church of Scientology website that took place in
January 2008. Dmitriy Guzner will also have two years of probation
following his release and he has been ordered to pay US $37,500 in
compensation. Guzner had pleaded guilty to one count of unauthorized
impairment of a protected computer earlier this year. Another man,
Brian Thomas Mettenbrink, has been indicted in connection with the case.
http://www.theregister.co.uk/2009/11/19/scientology_ddos_teen_jailed/
http://www.nj.com/news/local/index.ssf/2009/11/verona_teen_sentenced_to_a_yea.html
--Banks Reissuing Credit Cards Following Report of Breach at Spanish
Payment Company
(November 18 & 19, 2009)
A German bank has recalled 60,000 credit cards after learning that the
card numbers may have been compromised in a security breach at a Spanish
payment company. The German Central Credit Card Commission says the
recall is precautionary. Other German banks have recalled cards as
well; in all, more than 100,000 German credit cards were recalled. The
banks were alerted to the breach by Visa and MasterCard. People who
have traveled to Spain recently and used credit cards there are urged
to check their statements carefully. Banks in the Czech Republic have
begun blocking cards in light of the breach, which is likely to affect
citizens of other countries as well.
http://www.theregister.co.uk/2009/11/19/spanish_card_payment_breach/
http://news.bbc.co.uk/2/hi/business/8365828.stm
http://www.forbes.com/feeds/ap/2009/11/18/business-eu-germany-credit-cards_7136133.html
http://aktualne.centrum.cz/czechnews/clanek.phtml?id=653423
--Secondhand ATMs Pose Security Risk
(November 18, 2009)
A security consultant who purchased an ATM secondhand through Craigslist
found that it still held a log of hundreds of transaction details.
Hundreds of the cash machines are sold secondhand through online
sources such as eBay and Craigslist. The US has no restrictions on who
may own or operate an ATM; thieves could conceivably set up their own
machines loaded with skimmers and other data detection technology. A
cash machine with a skimmer attached was set up in the lobby of the
Defcon security conference in Las Vegas last summer.
http://www.theregister.co.uk/2009/11/18/second_hand_atm_fraud_risk/
[Editor's Note (Northcutt): Dude! You can't be serious, you put your
debit card in a cash machine at Defcon? Or is it wiser to say any casino
in Vegas that is not being watched by a security camera? I have been
thinking about this for a while and we have created a checking account
only for debit card use. We limit how much we put in that account, but
have another account with the same bank with more money that can do an
online transfer to the debit card checking account. This way, my maximum
loss should be limited. I am working with Bank of America because they
have so many ATMs, but my research says that Wells Fargo is also pretty
flexible for online banking needs.
http://www.wired.com/threatlevel/2009/08/malicious-atm-catches-hackers/
http://blogs.zdnet.com/security/?p=3843
By the way, I have lost the link to the internal memo that was sent by
the manager to Riviera hotel employees for what to and what not to do
or report during Defcon, if anyone has that, please shoot it to me.]
--UK Police Charge Two in Connection With Zeus Trojan
(November 18, 2009)
Police in the UK have charged two people in connection with using the
Zeus Trojan horse program. The man and the woman have been charged with
violating the 1990 Computer Misuse Act and the 2006 Fraud Act. The Zeus
Trojan, also known as Zbot, is estimated to have infected tens of
thousands of computers worldwide. The malware harvests users' online
banking account information and other sensitive data and uploads them
to servers controlled by cyber thieves. Zeus can also be used to
conduct distributed denial-of-service attacks. Infected machines become
part of a botnet.
http://www.scmagazineus.com/uk-police-charge-pair-with-connection-to-zeus-trojan/article/158011/
http://www.theregister.co.uk/2009/11/18/zeus_trojan_arrests/
http://www.computerworld.com/s/article/9141092/UK_police_reveal_arrests_over_Zeus_banking_malware?source=rss_security
--T-Mobile Customer Records Stolen and Sold
(November 17 & 18, 2009)
T-Mobile has acknowledged that an employee stole customer records and
sold them to data brokers who in turn sold the information to T-Mobile
competitors. The breach affects millions of T-Mobile customers. The
information included contract expiration dates, which the rival
companies used to target consumers at a time when they might be enticed
to switch to another provider. The incident was disclosed by the UK
Information Commissioner's Office (ICO). T-Mobile was surprised that
the ICO chose to make the case public, because they had been "asked to
keep this issue confidential for legal reasons." The individual who is
suspected of stealing the information no longer works for T-Mobile.
http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=221900209
http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy
http://www.scmagazineuk.com/t-mobile-criticised-by-information-commissioner-after-it-is-discovered-for-passing-on-customer-details-to-third-parties/article/157940/
http://news.bbc.co.uk/2/hi/uk_news/8364421.stm
--Microsoft Suit Involving Former Employee Settled, All Matters Resolved
(November 17, 2009)
A settlement has been reached in a case brought by Microsoft against
former employee Miki Mullor. All matters between the parties have been
resolved. The lawsuit involved allegations of patent infringement and
theft of trade secrets. The terms of the settlement have not been made
public and neither party has admitted to any wrongdoing.
http://www.pcworld.com/article/182372/microsoft_settles_employee_spying_case.html
http://news.cnet.com/8301-1001_3-10399850-92.html
http://blog.seattlepi.com/microsoft/archives/185435.asp?from=blog_last3
--Man Pleads Guilty in ATM Skimming Case
(November 16 & 17, 2009)
Victor Vasile Constantin has pleaded guilty to charges of bank fraud and
identity theft for his role in an ATM skimming scheme. Constantin
installed skimming devices on ATMs in Fairfield County, Connecticut, to
steal information encoded on ATM cards' magnetic stripes. He also
installed cameras that allowed him to record the associated account
passwords. Over the course of three months, Constantin stole about US
$150,000 from the accounts of Bank of America customers. He faces
up to 32 years in prison.
http://www.theregister.co.uk/2009/11/17/bank_of_america_skimming_plea/
http://www.connpost.com/ci_13801630
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iEYEARECAAYFAksGyOIACgkQ+LUG5KFpTkaVegCaA2s5rdBncFlx1hvJFPs8FIpb
aVsAn0K4a0xiwhqNGDGMDITZo1uGZ9ZF
=Heok
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------