Next Wednesday is the deadline for early registration discounts for SANSFIRE 2008 (July 22-31) - the only Washington DC program where seats are still available (but not many) for the new Penetration Testing courses. Also Security Essentials, CISSP Prep, Hacker Techniques, Forensics, Auditing and 21 other courses: http://www.sans.org/sansfire08
Alan
************************************************************************* SANS NewsBites June 06, 2008 Volume: X, Issue: 45 *************************************************************************
Number of Identity Theft Reports Unaffected by Breach Notification Laws (June 5, 2008)
A study conducted by researchers at Carnegie Mellon University found that data breach notification laws in the US have not reduced the number of reported cases of identity theft. The research was based on data supplied by the Federal Trade Commission (FTC). Forty-three states have enacted data breach notification laws over the last five years, but according to a state-by-state analysis, they have had no effect on reports of identity theft made to the FTC. Gartner's Avivah Litan notes that while reports of data breaches are becoming more prevalent in the news, the laws have prompted some organizations to focus on compliance instead of security, so that they may pass an audit but not be in step with the spirit of the law. Researchers acknowledge that their data sample is incomplete and based on a self-selecting population.
-http://www.csoonline.com/article/383313/Researchers_Notification_Laws_Not_Lowering_ID_Theft
-http://www.theregister.co.uk/2008/06/05/breach_disclosure_effects/print.html
[Editor's Note (Paller): What a silly study. It measures the wrong outcome. What matters about data breach notification is what it does to the quality of defenses. As many security officers will testify, mandatory data breach notification has been the catalyst that allowed them to implement far better defenses. Gartner's John Pescatore said it best (in NewsBites earlier this week): "turns out that the power of bad press is very impressive."
(Schultz): From a scientific perspective, this study is badly flawed. Unfortunately, many players in the information security community have not had much scientific training, and are thus, unfortunately, likely to accept the results of and conclusions from this study at face value. Additionally, Litan's comments are unsupported by scientific data. Consequently, I urge readers to interpret all statements in this news item as speculative, not factual.
(Kreitner): I'm hoping to live long enough to see greater realization that pursuing compliance as an end in itself is hypocrisy. Instead, I'd like to see us track trends in security outcomes in terms of frequency and impact of security incidents and then work back upstream in the process chain to correlate those incidents with use or non-use of various security practices. Only then will we have a rational basis for informing our security.]
UC Irvine Students' Tax Returns Filed Fraudulently; United Healthcare Identified as Source of Data Leak (June 2 & 4, 2008)
United Healthcare has been pinpointed as the source of the data leak that exposed personally identifiable information of 1,132 University of California Irvine (UCI) graduate students. The breach affects UCI graduate students who used the UCI Graduate Student Health Insurance program. The breach came to light in February 2008 when a number of students attempted to file their tax returns electronically only to be informed by the IRS that their returns had already been filed and their refunds collected. All 155 people who experienced the problem used the aforementioned healthcare program; the breach affects students enrolled in the program for the 2006-2007 academic year.
-http://www.newuniversity.org/main/article?slug=identity_thefts_traced_to156
-http://www.csoonline.com/article/381513/UnitedHealthcare_Data_Breach_Leads_To_ID_Theft
[Editor's Note (Northcutt): The worst thing about this kind of security flaw is that it messes with people's lives.]
********************** SPONSORED LINK *********************************
1) Upcoming SANS webcast on June 17 at 1pm EDT. Tool Talk Webcast: A Million Little Pieces: Detecting Fraudulent Transactions, Register Today. http://www.sans.org/info/29434
[Editor's Note (Northcutt): The cost of monitoring software is so very low, this cannot be excused. P2P really does not have a place at work; we need to get serious and start taking some of the lowest hanging fruit off the table, else the Internet (due to the state of the endpoints) can truly be considered broken.
(Veltsos): For those in law enforcement or government, the free tool P2P Marshal will detect the use of P2P clients and report which files were shared.
-http://p2pmarshal.atc-nycorp.com/index.html
(Kreitner): Rather than this sort of plea from management, which probably does little to change behavior, I much prefer the approach the US Air Force has taken with over 500,000 of its Windows desktops: remove local admin rights from normal users to restrict installation of software not included in the enterprise standard software image for that platform. It's about stabilizing the technology by putting up an electric fence to control who can change what.
(Grefer): A screenshot is available at
-http://security.blogs.techtarget.com/files/2008/06/walterreed.JPG]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
June's Patch Tuesday Will Offer Seven Microsoft Security Bulletins (June 5, 2008)
Sun Microsystems Releases Fixes for Six Vulnerabilities (June 4, 2008)
Sun Microsystems has released a software update and workarounds for half a dozen vulnerabilities in versions 4.0.2 and earlier of its Sun Java System Active Server Pages. The vulnerabilities could be exploited to let attackers log on, gain root access, look at and delete files and execute arbitrary code. -http://www.gcn.com/online/vol1_no1/46395-1.html?topic=security&CMP=OTC-RSS
A laptop stolen on May 15 from an AT&T employee's car contains unencrypted "AT&T management compensation information, including names, Social Security numbers (SSNs), and [some] salary and bonus information." Affected employees were notified eight days after the theft. The breach affects people throughout the US.
-http://www.networkworld.com/community/node/28453
Stolen Computer Holds Canadian Farmers' Data (June 5, 2008)
A laptop stolen from a programmer working for the Canadian Canola Growers Association contains personally identifiable information of approximately 32,000 Canadian farmers. The compromised data include bank account numbers and social insurance numbers of farmers who have applied for Agriculture Canada's advance payment programs. Those affected by the breach have been notified by letter. The only security measures cited for the stolen laptop are a strong login password and a biometric fingerprint reader; neither protects data stored on the disk once the drive is removed from the machine.
-http://www.cbc.ca/canada/manitoba/story/2008/06/05/canola-information.html
[Editor's Note (Veltsos): Sometimes, knowing a little about security can be more dangerous than not knowing at all. The General Manager of the organization was quoted as saying that the strong password and the fingerprint reader would prohibit anyone else from accessing the data on the laptop.]
BT's Secret Phorm Trial Caused Some Browsers to Crash (June 5, 2008)
Study Tracked People by Cell Phone for Six Months (June 4, 2008)
A study of 100,000 people's movements based on cell phone use found that nearly 75 percent stayed within a 10-mile radius of home over the course of six months. The study was conducted by Northeastern University in Boston without participants' knowledge in an unnamed European country; in the US, such a study would be illegal. The locations were noted whenever the people sent or received a phone call or text message. Precise locations were not known; locations were tracked through the nearest cell phone tower. The information gathered about people's travel patterns could be used to help design transportation systems or predict the spread of disease.
-http://news.bbc.co.uk/2/hi/science/nature/7433128.stm
-http://www.msnbc.msn.com/id/24969880/
Details and related material:
-http://www.iop.org/EJ/article/1751-8121/41/22/224015/a8_22_224015.pdf
China's Golden Shield Surveillance Society (May 29, 2008)
China is using people tracking technology developed in the US in its "Golden Shield" high tech surveillance and censorship program, creating a culture in which the government can track every move people make with closed circuit TV cameras and high level facial recognition technology. There are questions about whether or not the export of those technologies violates a law passed shortly after Tiananmen Square that forbids US companies to sell products in China that enable "crime control or detection." The technologies are also used to manipulate difficult situations, like the March protests in Tibet, so those opposing governmental positions look bad, while the government appears benign. -http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye/print
This webinar will arm you with all the necessary plans for using penetration testing to investigate your organization's vulnerabilities, defenses and configurations - including lab testing your processes - to help you understand what the finished product should look like.
Internet Storm Center Webcast: Threat Update WHEN: Wednesday, June 11, 2008 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Johannes Ullrich -http://www.sans.org/info/28719
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.
Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/