Wireless threats and countermeasures: Josh Wright, the best wireless security teacher we've ever seen, is compiling a free, exhaustive list of all wireless vulnerabilities and exploits (WVE). It covers WiFi, WiMax & Bluetooth, and is being adopted by vendor products. You'll find it at www.wve.org. Josh also made a scary YouTube video on Bluetooth earpiece hacking: http://youtube.com/watch?v=1c-jzYAH2gw
And Josh created an extraordinary course on pen testing and securing wireless networks that you can take at home or in four cities:
SANS @Home (May 1-July 24) www.sans.org/athome/details.php?nid=10714
San Diego (5/11-16) www.sans.org/securitywest08/description.php?tid=1637
Brussels (6/16-21) www.sans.org/securebrussels08/description.php?tid=1637
Washington DC (7/24-29) www.sans.org/sansfire08/description.php?tid=1637
Boston (8/11-16) www.sans.org/boston08/description.php?tid=1637
*************************************************************************
SANS NewsBites April 18, 2008 Volume: X, Issue: 31
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers?
- SANSFire 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- London (6/2-6/7) and Amsterdam (6/16-6/21) http://www.sans.org/secureeurope08
- San Diego (5/9-5/16) http://www.sans.org/securitywest08
- Toronto (5/10-5/16) http://www.sans.org/toronto08
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
PayPal to Ban Unsafe Browsers (April 17, 2008)
PayPal plans to implement a scheme to prevent users from conducting transactions through browsers that do not have anti-phishing technology. The web-based payment company likened conducting transactions on unsafe browsers to selling a car with no seatbelts. The company presently warns users that they are using unsafe browsers, but allows them to access the site. In a future phase of the plan, users will not be permitted to access the site if they are using unsafe browsers.
-http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/
[Editor's Note (Pescatore): IE7 and the latest versions of Firefox, et al, have the anti-phishing technology, so this is not that big a deal to PC users. But for many mobile devices it means no PayPal use. PayPal will surely back off. PayPal would be better off re-energizing its efforts in moving PayPal users away from reusable passwords.]
Man Pleads Guilty in Botnet Wiretapping Case (April 16, 2008)
John Schiefer has pleaded guilty to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. Schiefer used the computers he infiltrated to create a botnet that he then used to search out other vulnerable systems. He used spybot malware to harvest sensitive information such as account user names and passwords that he then used to steal funds. The case marks the first guilty plea to wiretapping in connection with botnets. Schiefer also provided the purloined information to others who used it to commit fraud. He is scheduled for sentencing on August 20, 2008, when he will face up to 60 years in prison and a fine of up to US $1.75 million.
-http://www.cybercrime.gov/schieferPlea.pdf
[Editor's Note (Schultz): Let's hope that the judge who sentences him will give Schiefer a sentence that is proportional to the horrendous crime that he committed.]
Proposed Australian Law Would Allow Some Employers to Intercept Employee Electronic Communications (April 14, 2008)
Proposed legislation in Australia would give employers the power to intercept employees' email and Internet communications without their consent. The powers are part of a law aimed at protecting the country's critical infrastructure from cyber attacks; the law would amend the Telecommunications (Interception) Act. The powers would apply to employers who operate elements of the critical infrastructure; presently, only security agencies have that power. Australian Attorney General Robert McClelland says he has been told that a major cyber attack could cause "far greater economic damage than would ... a physical attack." Civil rights groups are opposed to the proposed expanded powers, saying they could be abused.
-http://www.smh.com.au/news/technology/bosses-power-to-check-email/2008/04/13/1208024990775.html?page=fullpage#contentSwap1
[Editor's Note (Schultz): Allowing employers to monitor employee email and other Internet activity without consent became a precedent quite a while ago in the US. What disturbs me about the proposed legislation, then, is that there appears to be no requirement for employers to pre-warn employees that such activity is occurring, something that ought to be done to help employees be aware that they have no privacy when they are on company-owned computing systems.]
Latest Major Whaling Attack Uses US District Court Subpoena (April 16 & 17, 2008)
NIST Releases Draft Info Systems Risk Management Document for Comments (April 16, 2008)
The National Institute for Standards and Technology (NIST) has released the second public draft of Special Publication 800-39, "Managing Risk from Information Systems: An Organizational Perspective." NIST is accepting public comment on the document through April 30. The new draft includes considerable revisions based on comments on the previous draft. NIST expects to publish a draft revision of Special Publication 800-30, "Risk Management Guide for IT Systems," in July.
-http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
[Editor's Note (Pescatore): This is not a bad document but the reality is while risk management frameworks haven't really changed since the mainframe days (there are only so many ways you can say Categorize/Select/Implement/Assess/Authorize/Monitor), the actual processes and mechanisms that businesses have to use to protect rapidly changing business processes, that depend on a rapidly changing technology infrastructure, against a rapidly changing threat have to change constantly. So, it is always good to have defined and consistent risk management processes as a starting point, but just think of all the financial institutions that have just melted down, even though they had huge, formal risk management processes. The rubber meets the road in actually protecting critical business systems and information.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox and Safari Browsers Updated (April 16 & 17, 2008)
Data Breach Can Cost a Business Customers (April 15 & 17, 2008)
A study from the Ponemon Institute found that nearly one-third of people who were notified of a data security breach affecting their personal information no longer conduct business with the company that suffered the breach. Fifty-five percent of respondents said they had been notified of more than one breach of their personal data in the last two years; eight percent had received four or more breach notifications. Sixty-three percent of respondents said their notification letters offered no information about steps to take to protect their data. More than half of the respondents said they were notified of breaches more than a month after the fact. Just two percent of respondents said they had been victims of identity fraud as a result of a data breach.
-http://www.darkreading.com/document.asp?doc_id=151378
-http://www.marketwire.com/mw/release.do?id=844160
[Editor's Note (Schultz): Finally! Evidence exists that the risk of data security breaches needs to be taken more seriously by businesses because if not, they are likely to lose a substantial portion of customers whose data were compromised.
(Paller): As in all scientific research, confirmation of these results must be found before relying upon them. However, if they hold true, they are quite important. Reasons the research needs confirmation: potential bias in the responders' self-selection and potential misinformation in answers. If they were angry, they might have been more likely to respond, and angry people sometimes say they stopped using a service when they meant they wanted to stop but the convenience costs of stopping were too high.]
Ships Responsible for Undersea Cable Damage Located With Satellite Imagery (April 7 & 14, 2008)
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25528
Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organization's security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost-effective way to reduce risk. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detailed understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!
While Log Management investments have primarily focused on compliance, the right platform can be used for much more - security monitoring, forensics analysis and IT operations. However, to effectively address these use cases, log management solutions must offer a broader set of platform capabilities. It's not just about compliance - it's about analysis-optimized data collection, simplicity of ad hoc searches, flexibility of reporting, personalized dashboards, real-time correlation alerts and more. Most importantly, it's about unleashing the value of logs to a broader set of constituents within the enterprise.
Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as this data, voice and video convergence becomes ubiquitous.
This Webcast will describe an approach that will enable your organization to detect and stop designer malware, zero-day attacks, and non-signature-based threats to improve overall network visibility, and to detect the leakage and exfiltration of valuable corporate data. We will employ specific technical case studies and demonstrations to highlight the value of such an approach.
*** Tool Talk Webcast: Staying on Top of the SANS Top 20 with CORE IMPACT
WHEN: Tuesday, April 29, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Alex Horan
-http://www.sans.org/info/25539
Sponsored By: Core Security
The 2007 "SANS Top 20 Internet Security Risks" report makes it clear that attackers can now circumvent many traditional countermeasures, so simply implementing countermeasures is no longer enough. In fact, short of experiencing a breach, the only way to really know your security posture is by continually testing the defenses you've worked so hard to put in place.
*** SANS Special Webcast: The Little Hybrid Web Worm That Could
WHEN: Wednesday, April 30, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Billy Hoffman
-http://www.sans.org/info/24614
Sponsored By: HP
This webcast examines the possibility of hybrid web worms which use several methods to overcome the limitations of current web worms. Specifically the authors examine how a hybrid web worm: mutates itself to evade defenses; updates itself with new attack vectors while in the wild; and finds and exploits targets regardless of whether they are client web browsers or web servers.
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs