SANS NewsBites - Volume: X, Issue: 7


Ooops: A lot more people than we expected have signed up for the Penetration Testing Summit (Las Vegas -March 17-18). More than 75% so far are actual penetration testers, but the Summit will be even more valuable to security managers who buy penetration testing, because they will learn what works and what doesn't. Without this knowledge they are at the mercy of testers with often out-of-date processes and tools. Please let the person who oversees penetration testing in your organization know about this program so he/she can get a seat before it fills up. Ed Skoudis has put together an impressively up-to-the-minute program for this Summit.
http://www.sans.org/pentesting08_summit/

One of the very popular new areas on SANS' website is Stephen Northcutt's Thought Leadership interview series. We would love your feedback on it - other people to interview - ways to make it better. In the latest installment, Stephen interviews Pari Networks' Kishore Kumar on the convergence and challenges in managing network operations/configuration, security assessments/remediation and regulatory/corporate compliance.
http://www.sans.edu/resources/securitylab/pari_networks_kumar.php
Email comments to Stephen@sans.edu
Alan

*************************************************************************
SANS NewsBites                     January 25, 2008                    Volume: X, Issue: 7
*************************************************************************
TOP OF THE NEWS

   UK Gov Policy Forbids Taking Unencrypted Laptops and Drives Away From Offices
   Man Arrested in Connection with Estonian Cyber Attacks
   White House Wants Immunity for Telecoms in Government Surveillance Cases

THE REST OF THE WEEK'S NEWS

  LEGAL MATTERS
   Harada Trojan Writers Charged with Copyright Violations
  HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
   DoE IG Looks to Unify Cyber Security Practices
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Flaw in Firefox Exposes System Information
   Microsoft Adds Small Business Server to List of Products Affected by TCP/IP Flaws
   MSN Trojan Adapts Language to Dupe Users
   Vulnerability in HP Virtual Rooms
  ATTACKS, INTRUSIONS, DATA THEFT & LOSS
   OmniAmerican Bank Customer Data Stolen, Used Fraudulently
   Employee Arrested for Deleting Employer's Files
   UK Ministry of Justice Data on Missing CDs
  MISCELLANEOUS
   Futures Trader at French Bank Causes Billions in Losses
  GUEST EDITOR CRAIG WRIGHT ON CRYPTO KEY APPEAL
  LIST OF UPCOMING FREE SANS WEBCASTS


HP (SPI Dynamics) *******************

Are you vulnerable to a SQL Injection attack? SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems! Download this HP Software white paper and learn how to protect your applications today.
http://www.sans.org/info/22909

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Las Vegas (3/17 - 3/18) Penetration Testing Summit:
(an ultra cool program) http://www.sans.org/pentesting08_summit
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - SANS 2008 (4/18-4/25) In Orlando SANS' biggest program with myriad bonus sessions: http://www.sans.org/sans2008
- - and in 100 other cities and online any-time: www.sans.org

*************************************************************************

TOP OF THE NEWS

UK Gov Policy Forbids Taking Unencrypted Laptops and Drives Away From Offices (January 22 & 23, 2008)
UK Cabinet Secretary Sir Gus O'Donnell has sent an email to top civil servants informing them of a new policy that prohibits laptops and hard drives containing sensitive data from being taken out of government buildings unless the devices are encrypted. The notification comes in the wake of revelations that a number of Ministry of Defence (MoD) laptops containing unencrypted sensitive data have been stolen. In a related story, Defence Secretary Des Brown outlined the steps his department has already taken in the wake of the laptop thefts as well as actions that are underway to prevent further data loss.
-http://www.personneltoday.com/articles/2008/01/22/44056/laptops-containing-protected-data-banned-from-leaving-public-sector-offices.html

-http://www.vnunet.com/vnunet/news/2207901/whitehall-locks-laptops
-http://software.silicon.com/security/0,39024655,39169759,00.htm
-http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/BrowneAnnouncesReviewOnModInformationSecurity.htm

[Editor's Note (Pescatore): This is the typical type of backwards thinking that gets everyone in trouble. The Agency or IT organization should put encryption software on all laptops and portable devices, rather than buying users portable devices and then saying "we know they are portable, and we know we gave them to you in an unsafe condition, so don't carry them around." Don't give users laptops unless you are configuring them with encryption software, endpoint protection etc. - would you give delivery drivers trucks made of balsa wood and issue a policy that says "Don't drive in traffic"???
(Honan): The recent data losses were reportedly due to junior members of staff not abiding by policy. Simply implementing another policy without effective tools, controls and training to ensure compliance with the policy will ultimately result in the policy being ignored and another data breach occurring. ]


Man Arrested in Connection with Estonian Cyber Attacks (January 24, 2008)
Dmitri Galushkevich, an Estonian, has been fined 17,500 krooni (EUR 1118 or USD 1650) for his role in last spring's distributed denial of service (DDoS) attacks that targeted web sites of the country's banks, schools and government agencies. The attacks were launched in response to Estonia's relocation of a WWII Soviet-era memorial in Tallinn, the country's capital, which also prompted rioting by ethnic Russians in Estonia. Police are still trying to track down others involved in the attacks, but most are believed to be outside Estonia.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058758&source=rss_topic17
-http://www.news.com/8301-10789_3-9857492-57.html?part=rss&subj=news&tag=2547-1_3-0-20
-http://news.smh.com.au/estonia-convicts-first-cyberwar-hacker-prosecutors/20080124-1nro.html

[Editor's Note (Schultz): The Estonian DDoS attacks caused massive disruption and financial loss. The guilty person's fine is in contrast so small that it is laughable. Courts are going to have to hand out fines (and sentences) that are more proportional to the size of each crime if such rulings are going to be more of a deterrent to computer criminals.
(Liston): The Estonian Minister of Wrist Slapping also warned that when they catch the other attackers he will likely be sending them all a sternly worded letter... ]


White House Wants Immunity for Telecoms in Government Surveillance Cases (January 24, 2008)
Telecommunications companies that help federal investigations with network surveillance will be granted liability protection, if the White House has its way. A White House news release says that granting the companies "liability protection is critical to the ongoing effort to protect the nation from another catastrophic attack." The concern is that without liability protection, telecoms would be reluctant to help the government with its surveillance requests. The companies would not be required to make sure the government's requests are legal.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205918006
[Editor's Note (Ranum): The rule of law means nothing if the king can grant immunity to those he has asked to break the law in his behalf.
(Liston): The only reason to want immunity is if you're worried something is going to come back to haunt you. The underlying message here is that the Telcos don't trust that what the Government is doing is proper or legal. Doesn't that say something very important?
(Paller): I don't think this is about the rule of law or about acting illegally. It is about the difficulty of interpreting personal privacy rights. Fascinating studies show that individuals often place wildly different values on their personal privacy, based on the context. With that level of uncertainty, if government asks a company to process information about individuals, that government must protect the processor from lawsuits based on umbrage someone takes or the distrust someone feels for government. The long term solution is to get Congress to establish an unequivocal definition of privacy rights and the government's rights with respect to processing personal information; I don't see it happening. ]



************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at
http://www.sans.org/info/22914

2) Complimentary White Paper: Beyond NetFlow, JFlow, and SFlow: Harnessing Application-aware Flow Information to Improve Network Security
http://www.sans.org/info/22919

3) FREE Webcast "Deliver Quality of Service (QoS) Using the Diffserv Model" to improve network application availability and overall network productivity.
http://www.sans.org/info/22924

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS


Harada Trojan Writers Charged with Copyright Violations (January 24, 2008)
Police in Japan have arrested three people who allegedly created a Trojan horse program known as Harada and distributed it over the Winny filesharing network. There are no applicable cyber crime laws in Japan, so the three were arrested for copyright violations; the Trojan allegedly used images of a known anime character to lure users into downloading the Trojan, which erases MP3 and movie files from infected machines.
-http://www.news.com/8301-10789_3-9857568-57.html
-http://www.theregister.co.uk/2008/01/24/japanese_vxer_arrests/print.html
[Editor's Note (Skoudis): This sounds like the cyber equivalent of going after Al Capone for tax evasion. I'm sure we'll see more clever applications of older legal concepts in cyber crime prosecution in the near future.
(Liston): When the best violation of law you can come up with for distributing a Trojan that deletes files is "Copyright Violation," some might see that as a wake-up call for some new legislation. ]


HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY


DoE IG Looks to Unify Cyber Security Practices (January 22, 2008)
In fiscal 2006, the US Department of Energy (DoE) experienced 132 security breaches serious enough to be reported to law enforcement agencies. That marked a 22 percent increase over the figure for the previous year. The 69 organizations within the department use a variety of incident reporting formats, and important data about the attacks are not always stored. A report from DoE Inspector General (IG) Gregory Friedman recommends that all organizations within DoE use a common cyber incident management strategy; that cyber security policies be consistently developed and revised across the department; and that DoE cyber security incident response be tested and evaluated.
-http://www.fcw.com/online/news/151398-1.html?type=pf
[Editor's Note (Kreitner): When we have a commercial airliner incident, an NTSB team is deployed to the accident scene to conduct a thorough investigation with a causality and feedback-for-improvement orientation, so that lessons learned about the cause of the incident can be fed back into aircraft design and airline operations to reduce the probability of recurrence of an incident from the same cause. Federal cybersecurity policy guidance in the National Infrastructure Protection Plan and the supporting IT Sector Specific Plan could use strengthening by way of a commitment to the same methodology. Most current cybersecurity policy guidance relating to incidents focuses mainly on recovery/reconstitution. Although that focus is important, I fear much valuable learning from incidents is not occurring, or when it is, not being shared widely enough. ]


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Flaw in Firefox Exposes System Information (January 23 & 24, 2008)
A security flaw in Firefox's user interface, known as Chrome, could allow attackers to scope out vulnerable systems to plan a more potent attack. "Users are only at risk if they have one of the 'flat' packaged add-ons installed." Authors of Download Statusbar and Greasemonkey, two extensions that use the flat file format, have updated them so that they cannot be exploited through the flaw. There is no fix currently available, but Firefox developers are reportedly working on a patch. In addition, users who have installed NoScript will be protected from attacks that exploit this vulnerability.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058560&source=rss_topic17

-http://www.theregister.co.uk/2008/01/24/firefox_data_leakage_bug/print.html


Microsoft Adds Small Business Server to List of Products Affected by TCP/IP Flaws (January 23 & 24, 2008)
Microsoft has updated its Security Bulletin MS08-001 to include Windows Small Business Server 2003 Service Pack 2 as an affected product. The bulletin, which was originally released on January 8, addresses remote code execution vulnerabilities in Windows TCP/IP. The flaw could be exploited to launch a worm attack. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3884
-http://isc.sans.org/diary.html?storyid=3819
Press:
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058759&source=rss_topic17

-http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx
[Editor's Note (Frantzen): If you use the tools provided by Microsoft the fix should already be applied if you allow it. This is more an update of the documentation. ]


MSN Trojan Adapts Language to Dupe Users (January 23, 2008)
A Trojan horse program spreading through MSN messenger changes the language of the message lure to match the language of the operating system of the targeted computer. The message tries to get users to visit maliciously crafted sites. The message pretends to be directing recipients to MySpace or Facebook pages.
-http://www.channelregister.co.uk/2008/01/23/polyglot_msn_worm/print.html


Vulnerability in HP Virtual Rooms (January 22, 2008)
A vulnerability in HP Virtual Rooms could be exploited to infect the PCs of users of the virtual meeting host website. The flaw is a boundary error in the HPVirtualRooms14.dll ActiveX control, which is used to install HP Virtual Rooms on users' PCs. The flaw could be exploited to allow execution of arbitrary code.
-http://www.theregister.co.uk/2008/01/22/hp_virtual_rooms_security_bug/print.html
-http://securitywatch.eweek.com/browsers/highly_critical_bug_haunts_hp_virtual_rooms_1.html

-http://secunia.com/advisories/28595/


ATTACKS, INTRUSIONS, DATA THEFT & LOSS


OmniAmerican Bank Customer Data Stolen, Used Fraudulently (January 24, 2008)
OmniAmerican Bank president Tim Carter has acknowledged that attackers broke into the bank's computer system and stole sensitive customer account data. Armed with the information, they created phony debit cards, established new PINs, and used the phony cards to make cash withdrawals from ATMs in Eastern Europe, the UK, Canada, and the US. Fewer than 100 accounts were affected by the data theft and subsequent fraud. Carter said that no depositor will lose money. Once the Fort Worth, Texas-based bank learned of the fraud, it put limits on certain card transactions and limited ATM withdrawals to within Texas.
-http://www.star-telegram.com/business/story/429367.html


Employee Arrested for Deleting Employer's Files (January 22 & 24, 2008)
A woman who suspected she was going to be fired from her job at an architectural firm has been accused of deleting seven years' worth of blueprints and drawings estimated to be worth US $2.5 million. Marie Lupe Cooley is the only person besides her boss who has full access to the files on the system. She has been arrested and charged with causing damage to computer files in excess of US $1,000, which is a felony. The owner of the firm says he was able to recover the files with the help of a consultant. The woman believed she was going to lose her job because she read a job description in the help wanted section of a paper that matched her duties and contained her employer's email address. However, her employer's wife was seeking an assistant for her business.
-http://www.foxnews.com/story/0,2933,325285,00.html
-http://news.jacksonville.com/justin/2008/01/22/help-wanted-ad-plus-paranoia-plus-spite-equals-sabotage/

-http://www.channelregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/
[Editor's Note (Kreitner): This scenario illustrates the need for broad application of the separation of duties principle--not granting any one person access to both online files and the backups of those files.
(Liston): $2.5 million worth of data and no off-site backup? Perhaps the firm should put Marie's replacement in charge of setting that up. ]


UK Ministry of Justice Data on Missing CDs (January 23, 2008)
The UK Ministry of Justice is the latest Department to report a data loss. Four CDs sent by mail contain information about 55 defendants in magistrate court cases who had failed to turn up for their court dates. The disks may also hold information about crime victims and witnesses. The information was on the disks because the Ministry of Justice is investigating claims that magistrates were dropping cases when defendants failed to show. The disks were mailed in mid-December but never arrived at their intended destination.
-http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=509817&in_page_id=1770



MISCELLANEOUS


Futures Trader at French Bank Causes Billions in Losses (January 24, 2008)
A futures trader at the French bank Societe Generale allegedly bypassed established computer control systems to generate fictitious financial transactions that caused 4.9 billion Euros (US $7.2 billion) in losses for the bank. The bank has lodged a complaint against Jerome Kerviel with French prosecutors. The complaint against him alleges falsification of banking records, fraudulent use of the falsified records, and computer fraud. He began working at Société Générale in August 2000. There will also be an investigation at the bank to determine how the alleged perpetrator circumvented established internal controls.
-http://online.wsj.com/article/SB120115814649013033.html?mod=djemalertNEWS
[Editor's Note (Pescatore): This is a nice example of the authorized user doing authorized stuff to commit pretty impressive fraud. The patterns of activity seem to be similar in many of these large fraud cases - case-based reasoning systems have been effective in other environments in detecting such patterns but a lot of work still needs to be done to apply such techniques to internal transactions.
(Honan): This is a prime example of how trusted insiders can circumvent controls and cause damage. Ensure you regularly review and check the effectiveness of your internal controls.
(Northcutt): The really chilling statement is that this trader, Kerviel, had intimate knowledge of the bank's controls which allowed him to avoid them. Apparently, the loss of his father took him over the edge:
-http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/01/25/bcnkerviel325.xml
]


GUEST EDITOR CRAIG WRIGHT ON CRYPTO KEY APPEAL
Northcutt: Since so many of us depend on crypto keys for so many things, I asked Craig Wright GIAC GSE, an academic attorney in Australia, and a guy who really knows security -- he holds almost every GIAC certification -- to weigh in. Needless to say, NewsBites does not offer legal advice, but we strive to give you the information to prepare you to ask your legal departments the right questions. I think this story impacts all of us in two dimensions: the crypto key we use for our personal stuff and the cryptography we use in our organizations. In either case, the argument for strong passphrases keeps getting more persuasive for a number of reasons. Here is the original NewsBites story:

Federal Government Appeals Judge's Decryption Key Decision (January 16, 2008) The federal government has appealed a decision by a judge in Vermont that has prevented a man from divulging the password necessary to decrypt his computer. Magistrate Judge Jerome J. Niedermeier said that to force an individual to enter the password into his computer is a violation of the Fifth Amendment, which grants protection from self-incrimination. The case involves a Canadian citizen with legal residency in the US whose computer was found to contain child pornography. The computer was seized, but the government has been unable to access data in drive Z because it is protected by PGP encryption. (please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_pf.html

-http://www.heise-security.co.uk/news/101935

Guest Editor Comment (Wright): The US Federal Government decision to appeal the Vermont "Decryption Key Decision" of Judge Niedermeier (January 16, 2008) really hinges on two issues, the key and the passphrase. PGP drive encryption is protected using a private key and a passphrase protects the key. These are both issues that are analogous to existing case law.

The issues come from the court's prior decision that by unlocking the combination lock of a suitcase a defendant consented to a search [United States v. Cox, 762 F. Supp. 145 (E.D. Tex. 1991)]. In the initial search, the Canadian man handed investigators the system unlocked. This in effect mitigated his US 4th Amendment protections. Further, the Supreme Court explicitly stated that their opinion does not apply to private papers, leaving open the question of whether a person could be bound to turn over a journal or diary if there were mere evidence of a crime [425 U.S. 391 (1976) at 414], and this could be extended to the PC.

At this point the need to do forensic captures on live systems and use memory forensics to find previously entered passphrases is amply demonstrated.

The issue in dispute comes from Doe v. United States [487 U.S. 201 (1988)]. The court determined the issue of a comparison between being compelled to surrender a key to a strongbox containing incriminating documents and being compelled to reveal the combination to a wall safe. It was decided that forcing the combination to the wall safe would be a testimonial act; surrendering the key to a strongbox would not be a testimonial act. As such, the US government can force the surrender of a key, but not the surrender of a combination.

To align this with the current case we can see the private PGP key as being functionally equivalent to the strongbox and the PGP passphrase to be analogous to the wall safe combination. What this in effect means is that the US government investigators have the right to the PGP Private Key but not to the passphrase that protects the key. If the PGP Passphrase is strong, it will resist efforts to crack it. If it is a simple password, the key MAY be enough.

It was stated in Doe v. United States that "A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed." [487 U.S. 201 (1988) at 210 n.9]

The problems in the case have come from the interchanging use of password and key by the attorneys. The US Government has the right to the private key without the password (or passphrase) but has no right to force the passphrase to the key. A further key point highlighted by this case is the need to train lawyers in the correct use of technical terms.
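The key-versus-passphrase distinction above is easier to see in code. The following is an added illustration written for this issue, not PGP's implementation and not part of Craig Wright's comment: a private key is never protected by the passphrase directly; the passphrase feeds a key-derivation function (PBKDF2 here stands in for PGP's string-to-key scheme) whose output wraps the private key. The wrapped blob is what a seized drive yields. The stream cipher, the iteration count, and the guess rate of 10^10 SHA-256 computations per second are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed cost setting for the example; PGP's own S2K iteration count differs.
PBKDF2_ITERATIONS = 200_000


def derive_kek(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from the passphrase and salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream. Toy stand-in for PGP's CFB-mode block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_private_key(private_key: bytes, passphrase: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Return salt || nonce || ciphertext || tag: the blob that sits on disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(passphrase, salt, iterations)
    enc_key, mac_key = kek[:16], kek[16:]          # split KEK: encryption half, MAC half
    stream = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unwrap_private_key(blob: bytes, passphrase: str,
                       iterations: int = PBKDF2_ITERATIONS):
    """Recover the private key, or return None when the passphrase is wrong.

    Holding the blob (the 'strongbox key') yields nothing without the passphrase
    (the 'wall safe combination'): a wrong passphrase derives a wrong KEK and the
    authentication tag check fails before any plaintext is released.
    """
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    kek = derive_kek(passphrase, salt, iterations)
    enc_key, mac_key = kek[:16], kek[16:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def expected_guess_seconds(entropy_bits: float, iterations: int = PBKDF2_ITERATIONS,
                           sha256_per_second: float = 1e10) -> float:
    """Expected time to guess a passphrase of the given entropy: on average half
    the space must be searched, and each guess costs `iterations` SHA-256 calls.
    The attacker rate is an assumption for the example."""
    return 2 ** (entropy_bits - 1) * iterations / sha256_per_second


if __name__ == "__main__":
    # Constructed sample: a fake private key protected by a multi-word passphrase.
    secret = b"constructed-private-key-bytes"
    blob = wrap_private_key(secret, "correct horse battery staple")
    assert unwrap_private_key(blob, "correct horse battery staple") == secret
    assert unwrap_private_key(blob, "password") is None
    print("blob alone reveals key bytes:", secret in blob)
    for bits in (20, 40, 80):
        years = expected_guess_seconds(bits) / (365 * 24 * 3600)
        print(f"{bits}-bit passphrase: ~{years:.3g} years at the assumed rate")
```

The last loop is the point the comment makes: the iteration count multiplies the cost of every guess, but only the passphrase's entropy changes the exponent, so a "simple password" falls to the holder of the blob while a long passphrase does not.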


LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at Harris Corporation
WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Ronda Henning
-http://www.sans.org/info/21659
Sponsored By: Secure Computing

The company that handles information security for major broadcast networks and such government agencies as the FAA, needed a very robust, very secure and very flexible firewall platform that could be tailored and customized to address both new and ancient legacy protocols and applications. Denial of service was a significant concern for Harris Corp. clients so the company turned to a solution that provided a highly available and high performance firewall.

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
-https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies

How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit?
What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database?
These and other questions will be answered when, on Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.

We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

SANS Special Webcast: A Brief History of Hacking with Dave Shackleford
WHEN: Wednesday, February 6, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-https://www.sans.org/webcasts/show.php?webcastid=91521
Sponsored By: Core Security

Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.

Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including:
- The early days of phone phreaks and bulletin boards
- The growth of hacker gangs and 2600: The Hacker Quarterly
- The 75-cent accounting error that led to an international crime investigation
- Bill Cheswick's evening with "Berferd"
- The first malware and Trojan horse programs
At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!

WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy
WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Gregory Henry
-http://www.sans.org/info/22559
Sponsored By: Sourcefire

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.

********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cenzic
-http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/