*********** Sponsored By Sourcefire, Inc. ***********
Best of Open Source Security (BOSS) Conference February 8-10, 2009 Flamingo-Las Vegas Be sure to register for the first IT security conference dedicated to promoting open source security (OSS) technologies and the commercial products that embrace them. This long overdue conference will bring together passionate OSS advocates and vendors under the same roof to share ideas and experiences. For more information, visit http://www.sans.org/info/33933
Proposed Legislation Would Restrict US Border Searches of Electronic Devices (September 30 & October 2, 2008)
US legislators have introduced a bill that would rein in the broad power that the Department of Homeland Security (DHS) has granted border control agents in seizing and searching travelers' laptops and other electronic devices. The Travelers' Privacy Protection Act would require that DHS establish reasonable suspicion of wrongdoing before searching US residents' devices; it would also require that DHS have probable cause and a court order or a warrant to hold a device for more than 24 hours. There would be restrictions placed on the sharing of information gathered through the searches, and DHS would be required to report to Congress on its border searches. -http://news.cnet.com/8301-13578_3-10055020-38.html -http://www.securityfocus.com/brief/832 [Editor's Note (Schultz): Allowing DHS border patrol agents virtually unlimited power in seizing, searching, and keeping laptops translates to unreasonable search and seizure as well as infringement of privacy. If it is signed into law, the proposed legislation will go far in reining in some of these excesses. ]
Estonia's Cyber Security Policy (October 3, 2008)
A year-and-a-half after suffering coordinated denial-of-service attacks against its government and commercial computer systems, Estonia has released a national cyber security strategy that includes details about the attacks and offers recommendations for preventing attacks in the future and for a global stance toward cyber security. The report identifies four "policy fronts": "application of a graduated system of security measures in Estonia; development of Estonia's expertise in and high awareness of information security to the highest standard of excellence; development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems; (and) promoting international cooperation aimed at strengthening global cyber security." -http://www.zdnetasia.com/news/security/0,39044215,62046785,00.htm -http://www.mod.gov.ee/static/sisu/files/Estonian_Cyber_Security_Strategy.pdf
Skype Acknowledges Message Filtering and Retention in China (October 3 & 6, 2008)
************************* SPONSORED LINK ******************************
1) Visit the SANS Buyers Guide for updated listings and useful information when selecting the latest in IT security technologies. http://www.sans.org/info/33938
US Financial Crisis Ripe Pickings for Scammers (October 2, 2008)
The mergers and acquisitions of banks resulting from the US financial crisis have provided new opportunities for online scam artists. Phishing attacks have been seen in which the customers of an acquired bank are asked to provide account information and other personal details to the bank's new owner for "verification" purposes. Banks would not ask for such information online; it would be done through paper mail. -http://news.cnet.com/8301-1009_3-10057180-83.html?part=rss&subj=news&tag=2547-1009_3-0-20s
DATA LOSS & EXPOSURE
T-Mobile Acknowledges 2006 Loss of Customer Data (October 4 & 6, 2008)
Stolen Laptop Holds Irish Health Service Executive Employee Data (October 3, 2008)
A laptop stolen in Dublin, Ireland on September 17 contains personally identifiable information of several thousand Health Service Executive (HSE) staff. The compromised data include names, salaries and staff numbers; the data were not encrypted. Just weeks ago, several HSE data storage devices, including a laptop, a Blackberry and a data disk, were stolen from a medical officer's home. After that theft, HSE committed to encrypt all digital media storage devices that contain personal and medical data within one month. -http://www.scmagazineuk.com/Irish-HSE-hit-by-laptop-theft/article/118714/
Virgin Media Ordered to Encrypt Portable Media Devices to Protect Customer Data (September 30, 2008)
The UK Information Commissioner's office has ordered Virgin Media to encrypt all portable media that hold data. An unencrypted CD lost in May 2008 contained personally identifiable data of approximately 3,000 people. The CD had been provided to Virgin Media by Carphone Warehouse; the people whose data were on the CD had expressed interest in signing up for Virgin Media services. The compromised data include names, addresses, and some bank account information. The data loss constitutes a violation of the UK's Data Protection Act. -http://www.silicon.com/research/specialreports/fulldisclosure/0,3800014102,39296160,00.htm?r=1 [Editor's Note (Pelgrin): The whole issue of hand-me-down equipment is of real concern. One hears too frequently that old computers and other hardware are given to charity groups, schools or left out with the trash. There is need to raise the awareness of all the personal, private and sensitive data that may be stored on most hardware devices. Therefore, caution must be applied when giving away or disposing of computers and electronic storage media. This is crucial if we are to help prevent the inadvertent disclosure of information that often occurs because of inadequate cleansing and disposal of computers and electronic storage media. ]
Two Indicted in Botnet Attack Case (October 3 & 6, 2008)
Reported Data Breaches in US on the Rise (October 6, 2008)
According to statistics compiled by the Identity Theft Resource Center, there have been 516 reported consumer data breaches in the first nine months of 2008, exposing 30 million records; in 2007, the total number of reported breaches was 446. Extrapolated from the numbers so far this year, the total number of reported breaches in 2008 could top 680. Eighty percent of the breaches involved digital media; the remaining 20 percent involved data recorded on paper. Of the incidents this year, 36 percent occurred at businesses, 21 percent occurred at educational institutions, and 16 percent on military or federal government systems. Twenty percent of the reported breaches were due to lost or stolen digital media storage devices, 17 percent were due to insider theft and 13 percent were exposed through hacking. -http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html
Most Hotel Internet Connections for Guests are Not Adequately Secured (October 3, 2008)
A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their customers. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies, which are unsecured networks: on a hub, every connected guest can see every other guest's traffic. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs but still leave users susceptible to man-in-the-middle attacks from other hosts on the same segment. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats. -http://www.gcn.com/online/vol1_no1/47290-1.html?topic=security -http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html [Editor's Note (Veltsos): This report points out that the hotel industry has been asleep at the wheel when it comes to providing a minimum level of security for its guests: 18% of the hotels visited had not separated the hotel's business network from that used by guests; most hotels' wireless and network infrastructures exposed guests to unnecessary risks due to unencrypted wireless traffic and poorly managed network devices. The study concludes with a number of basic recommendations for hotel network security (e.g. use VLANs) and for hotel guests (e.g. use a firewall and a VPN). (Northcutt): The report is free, but you have to register. I am a bit confused though; we are trying to buy hubs for one of our classes this week and they are hard to find. How do hotel networks find enough hubs? The report does say "antiquated hub technology", but what do they do when one breaks? I wrote a related paper on ISPs, such as the ones hotels use, tracking user behavior presumably for marketing purposes: -http://www.sans.edu/resources/securitylab/superclick_privacy.php]
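The article says switched hotel networks still leave guests open to man-in-the-middle attacks but does not name the mechanism. On a switched segment without VLAN isolation the classic one is ARP cache poisoning: an attacker answers ARP requests for the gateway's IP with its own MAC, so a neighbouring guest's traffic is silently forwarded through the attacker's machine. The following is an added example, not code from the Cornell study or from NewsBites, of the detection check a guest (or the hotel's network staff) could run over observed ARP replies. The gateway address, MAC addresses and the sample replies are constructed for illustration and are not taken from the page.

```python
"""Added example (not from the Cornell study or the NewsBites article): a
minimal ARP-reply monitor that flags the cache-poisoning pattern behind
man-in-the-middle attacks on a switched, non-VLAN guest LAN.

All addresses below are hypothetical and constructed for the example."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumption: the guest subnet's default gateway

# Constructed sample of ARP replies seen on the wire: (timestamp, sender_ip, sender_mac)
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),   # legitimate gateway
    (2.0, "10.0.0.23", "00:11:22:33:44:23"),  # another guest
    (3.0, "10.0.0.1", "00:11:22:33:44:99"),   # gateway IP now claimed by a new MAC
    (3.5, "10.0.0.23", "00:11:22:33:44:99"),  # same MAC also claims the guest's IP (two-way poisoning)
    (4.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again: binding flaps
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings for suspicious IP/MAC bindings.

    Rule 1: an IP whose MAC changes after it was first learned; the gateway is
            flagged HIGH because it is the usual target of a MITM.
    Rule 2: a MAC that claims more than one IP, the pattern of an attacker
            impersonating both ends of a conversation (alerted once per new IP).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts}: {severity} {ip} changed MAC {prev} -> {mac}")
        ip_to_mac[ip] = mac

        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"{ts}: MEDIUM {mac} claims multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Two caveats a practitioner would apply before trusting the alerts: a DHCP lease handed to a different device will legitimately change an IP's MAC over a longer time window, and a router or a host with several addresses legitimately answers for more than one IP, so in production the first rule should be scoped to the gateway and the second whitelisted for known infrastructure. None of this substitutes for the fix the study recommends, per-guest VLAN isolation, which stops the poisoned replies from reaching other guests in the first place.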
Mifare Classic RFID Vulnerability Research Published (October 6, 2008)
A research paper detailing a security vulnerability in the Mifare Classic RFID chip has been published. The research, which was conducted by Professor Bart Jacobs and his colleagues at Radboud University in Holland, was set to be published earlier this year, but NXP, the company that manufactures the Mifare Classic chip, sought an injunction to delay the paper's dissemination to allow customers time to make changes to their security systems. The chip is used in prepaid transportation system cards in London, Boston and Holland and is also used to restrict access to some buildings. -http://news.bbc.co.uk/2/hi/programmes/click_online/7655292.stm -http://www.theregister.co.uk/2008/10/06/mifare_hack_finally_published/
Cool Jobs in Information Security (October 7, 2008)
We have also marked the jobs where the "top guns" in security are often found or are seasoned. These are the best and brightest technical security experts - the people who can take apart an exploit and see how it works, find flaws in communications protocols, see an attack as it is forming on the wire, identify the faintest evidence of malicious code and root out the infection, find evidence of criminal activity even when it is carefully hidden, plan and execute an attack that bypasses conventional and even sophisticated defenses, design a network that can block known attack vectors, and more. Without these "top guns" no nation or industry can hope to have effective protection. Their jobs are highlighted in the survey to identify the areas of most critical need for any nation or industry that takes security seriously.
************************************************************************* The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/