The nation state threat, both military and commercial, which has leaked out in small ways since September 2005, has now been fully confirmed by the US Director of National Intelligence. I've included the summary at the end of the news stories. Sobering. He would not make it public if the threat were not becoming critical. If you needed a reason to upgrade your defenses, this is it. Alan
*************************************************************************
SANS NewsBites February 08, 2008 Volume: X, Issue: 11
*************************************************************************
Higher Education Funding Bill Tied to Anti-Piracy Efforts (February 7, 2008)
A provision of the College Opportunity and Affordability Act, which was approved this week by the US House of Representatives, requires colleges and universities that participate in federal financial aid programs to develop and implement plans to enforce antipiracy rules, either through subscription services or "technology-based deterrents to prevent" piracy. The bill will have to be reconciled with a different Senate higher education funding bill before a final version is drafted for the president's signature.
-http://www.news.com/8301-10784_3-9867146-7.html?part=rss&subj=news&tag=2547-1_3-0-20
-http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.04137:
[Editor's Note (Schultz): To have college funding tied to anti-piracy enforcement is an intriguing approach. Many other anti-piracy approaches in colleges and universities that have been tried have failed. I suspect, however, that this particular approach has a high chance of succeeding given the great need for funding in higher education.]
[Editor's Note (Ullrich): It's not clear why universities are singled out like this. Universities are already exposed to a huge workload in responding to copyright requests and should be allowed to decide if the problem is large enough to require a technical solution.]
Lawsuit Will Seek Clarification on Electronic Device Searches (February 7, 2008)
The Electronic Frontier Foundation (EFF) and the Asia Law Caucus plan to file a lawsuit this week that would force the US government to reveal its border search policies, including policy regarding copying electronic content from devices and seizing such devices. The lawsuit was prompted by a number of cases in which travelers' laptop computers, cell phones, MP3 players and other electronic devices were searched. The searches carried out on the devices go beyond looking at items being transported; according to an Asian Law Caucus attorney, "the government is going well beyond its traditional role of looking for contraband and really is looking into the content of people's thoughts and ideas and their lawful political activities." If the searches were conducted within the country, they would require warrants and probable cause. Some companies have changed their policies to require travelers not to have company information on laptop computers. Instead, these people must access company data over the Internet.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_pf.html
[Editor's Note (Ullrich): Various countries have laws that prohibit certain data or software from being imported and exported. I kind of like the note at the end that some companies no longer allow travelers to carry any company data in and out of the country. This policy will protect users from lost laptops as well as from searches by non-US customs services. However, it does require a safe way to access the data remotely.]
Spammer Fined US $2.5 Million (February 4 & 6, 2008)
Taiwanese Piracy Gang Gets Jail Time (February 4, 2008)
Members of a software piracy group in Taiwan have been sentenced to prison. Maximus Technology is believed to be responsible for selling counterfeit software worth approximately US $900 million. Maximus owner Huang Jer-Sheng received a four-year prison sentence; three co-defendants received sentences ranging from 18 months to three years. Counterfeit copies of more than 20 different Microsoft software products in seven languages were produced and sold.
-http://www.channelregister.co.uk/2008/02/04/microsoft_counterfeiters_do_taiwan_jailtime/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Will Issue 12 Security Bulletins on Tuesday (February 7, 2008)
According to Microsoft Security Bulletin Advance Notification, the company will release 12 security bulletins on Tuesday, February 12. Seven of those have a maximum severity rating of critical, and of those, four address code execution flaws in Microsoft Office. Also in the mix is a cumulative update for Internet Explorer that addresses flaws that could allow drive-by malware attacks. Other products receiving critical fixes are Windows, VBScript, and JScript.
-http://www.eweek.com/index2.php?option=content&task=view&id=46242&pop=1&hide_ads=1&page=0&hide_js=1
[Editor's Note (Ullrich): With all the focus on Microsoft patches, don't forget that several other popular software packages had security updates last week.]
Mozilla Releases Firefox Update (February 7, 2008)
The US information infrastructure (including telecommunications and computer networks and systems, and the data that reside on them) is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.
STATE AND NON-STATE CYBER CAPABILITIES
Our information infrastructure (including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries) increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.
We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups (including al-Qa'ida, HAMAS, and Hizballah) have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay.
Each of these actors has different levels of skill and different intentions; therefore, we must develop flexible capabilities to counter each. It is no longer sufficient for the US Government to discover cyber intrusions in its networks, clean up the damage, and take legal or political steps to deter further intrusions. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.
At the President's direction, an interagency group reviewed the cyber threat to the US and identified options regarding how best to integrate US Government defensive cyber capabilities; how best to optimize, coordinate and de-conflict cyber activities; and how to better employ cyber resources to maximize performance. This tasking was fulfilled with the January 2008 issuance of NSPD-54/HSPD-23, which directs a comprehensive national cybersecurity initiative. These actions will help to deter hostile action in cyber space by making it harder to penetrate our networks.
LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
-http://www.sans.org/info/22939
Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
Ask the Expert: You've Collected the Logs, Now What? Reducing Risk through Integrated Log Management, Database Monitoring and Real-time Event Management
WHEN: Thursday, February 14, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-http://www.sans.org/info/23528
Sponsored By: netForensics
So you've collected event logs from security devices and other critical systems and stored them away - great. Check the compliance box. Now what?
Logs are important... but only if you are doing something with them.
They provide valuable, credible, accurate information about what is going on in your inter-connected environment. But if your logs are not being analyzed regularly and in real-time, how can you tell if data isn't seeping out of your databases and other critical applications? Manually glancing through logs may be enough to "check the box" for compliance purposes, but it is definitely not enough to detect data theft or other malicious activity.
SANS Special Webcast: Beyond Security Basics: Emerging Defensive Strategies You Shouldn't Miss
WHEN: Tuesday, February 19, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: John Strand
-http://www.sans.org/info/22954
Sponsored By: Core Security
Still think that locking down root access to operating systems is the cornerstone of security, or that your perimeter can't be tunneled under?
Please join John Strand, certified SANS instructor and security consultant with Argotek, for this free webcast.
Ask the Expert: Security Needs a New Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/22959
Sponsored By: Prism MicroSystems
In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.
Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964
Sponsored By: ArcSight
Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.
SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
-http://www.sans.org/info/22984
Sponsored By: Core Security
The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin.
Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
...class was well done, and I genuinely appreciate you "breathing life" into 7799. The anecdotal stories were worth the trip as were the experiences of those in classroom who shared. -Liam Doyle, Regions Financial Corporation