The first story today appears to be about US government computing, but it is immediately vital to every organization that finds it difficult to install security patches quickly. The story describes a formal deadline for federal agencies and all application vendors to ensure their systems and applications are fully compatible with the federal desktop core configuration (FDCC). Agencies that led the way with FDCC are already saving many tens of millions of dollars while radically improving security and reducing patching time by more than 90%. You can take advantage of this development by requiring any company selling you software, or building software for you, to "certify their software works with the FDCC," just as the federal government is doing. There has never been a better chance to begin to fix the patching problem. You can find more about the FDCC at http://fdcc.nist.gov/ including the June 30, 2007 White House memo requiring all software vendors to deliver FDCC-compatible software if they run on Windows systems. The software vendors have done it for the US government; it is no added effort to do it for you, as well.
PS If you bought anyone a digital picture frame for Christmas, the Best Buy story may be illuminating.
************************************************************************* SANS NewsBites January 29, 2008 Volume: X, Issue: 8 *************************************************************************
********************* Sponsored By Palo Alto Networks *******************
What would you do if Internet applications you couldn't see were penetrating your firewall right now? How would you even know? What would you do if you did know? What exactly are these applications? And what is their security risk to your network? Now you can get answers to all these questions. Watch and learn! http://www.sans.org/info/23138
Feb. 1 is Deadline for Federal Desktop Configuration Compliance (January 24 & 25, 2008)
On Friday, February 1, US government agencies must submit to the US Office of Management and Budget (OMB) lists of all desktops running Windows XP and Vista and the number of those that are Federal Desktop Core Configuration (FDCC) compliant; if some machines are not compliant, OMB "want [s ] to know how far off [they ] are." On that same day, the national Institute of Standards and Technology (NIST) will release a list of validated scanners that check to see if PCs are in compliance with FDCC. All of the validated scanners on the list use the Security Content Automation Protocol (SCAP) as required by the Office of Management and Budget (OMB). The list from NIST neither mandates nor endorses the products; it merely validates that SCAP has been correctly implemented. There are several items that must be checked manually - 15 in Vista and two in XP. The FDCC eliminates desktop users' administrative rights, disables vulnerable services, and uses the most secure versions of Windows components such as Internet Explorer. -http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor y.id=45735 -http://www.fcw.com/online/news/151428-1.html?type=pf -http://www.darkreading.com/document.asp?doc_id=144080&f_src=darkreading_info rmationweek [Editor's Note (Paller): The US Air Force was the first to test the FDCC and learned three things: (1) a very small number of applications are negatively impacted - usually only those that demand every user has administrative rights, (2) that security patches were able to be installed in 72 hours or less vs. more than seven weeks before FDCC, and (3) the user experience is significantly improved because there are far fewer mysterious problems that are difficult for the help desk to diagnose. They also learned that costs are radically reduced - in patch testing and help desk services. So the FDCC reduces costs while improving security. (Ullrich): A decent standard and automated validation are a good combination for improved security. ]
Bush Grants Intelligence Agencies Authority to Monitor Government Computer Systems (January 26, 2008)
A classified presidential directive signed earlier this month reportedly gives US intelligence agencies the power to monitor computer networks at all federal agencies. The move is believed to be a response to increasing attacks against government networks. A task force "will coordinate efforts to identify the source of cyber-attacks against government systems." The Department of Homeland Security (DHS) will focus on protecting networks, while the Pentagon will turn its attention toward developing counterattack strategies. The new initiative has met with some concerns. According to the chairman of the House Homeland Security Committee, Rep. Bennie Thompson (D-Miss.), "Agencies designed to gather intelligence on foreign entities should not be in charge of monitoring our computer systems here at home." Others have pointed out that the exclusion of the private sector from the program ignores an important source of cyber attack data. -http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261. html?wpisrc=rss_technology [Editor's Note (Northcutt): What do you say? They clearly need help, but the Department of Homeland Security is a major player in this and they just got hacked in a major way. How are they going to help the rest of government? It would have been smarter and cheaper to get some GIAC certified intrusion analysts on the detection systems and some people with operating system hardening credentials to work on the OS builds. -http://www.washingtonpost.com/wp-dyn/content/article/2007/09/23/AR2007092301471. html]
French Securities Trader Used Co-Workers' Access Codes (January 26 & 28, 2008)
Jerome Kerviel, the French futures trader who created US $7.14 billion in losses for his employer Societe Generale, apparently stole fellow employees' computer access codes and sent fraudulent email to perpetrate his scheme. Kerviel allegedly evaded detection because he had spent five years working on the bank's trading systems. He also allegedly hacked into the system to hide his electronic tracks, turning off electronic warning systems that could have alerted the bank to anomalous trading patterns. Kerviel's resume indicates that his computer skills were not particularly advanced, which suggests either that Societe Generale's security systems were not what they should be, or that Kerviel had an accomplice. -http://www.washingtonpost.com/wp-dyn/content/article/2008/01/28/AR2008012800901_ pf.html -http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/01/25/nsocgen225.xml -http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205918671 [Editor's Note (Schultz): The magnitude of this incident and the losses involved are difficult to fathom. Additionally, I would not expect many if any simple causes for this incident because many interacting causes (some security related, others not related to security at all) are likely to be identified. ]
2) Complimentary White Paper: Beyond NetFlow, JFlow, and SFlow: Harnessing Application-aware Flow Information to Improve Network Security http://www.sans.org/info/23148
*************** COOL NEW RESOURCE FOR SECURITY INSIGHT *****************
One of the very popular new areas on SANS' website is Stephen Northcutt's Thought Leadership interview series. We would love your feedback on it - other people to interview - ways to make it better. In the latest installment. Stephen interviews Pari Networks' Kishore Kumar on the convergence and challenges in managing network operations/configuration, security assessments/remediation and regulatory/corporate compliance. http://www.sans.edu/resources/securitylab/pari_networks_kumar.php
ChoicePoint Will Pay US $10 Million to Settle Lawsuit (January 24 & 27, 2008)
ChoicePoint will pay US $10 million to settle a class action lawsuit brought against the data aggregator after thieves stole personally identifiable information of more than 160,000 people in 2004. The thieves pretended to be small business owners to gain access to the information in ChoicePoint's database. In addition, the Securities and Exchange Commission (SEC) has concluded an investigation into the sale of stock by ChoicePoint's CEO and COO, but did not recommend any action be taken against the two. Two years ago, ChoicePoint agreed to pay US $15 million to settle Federal Trade Commission (FTC) charges of privacy rights violations. -http://www.ajc.com/metro/content/business/stories/2008/01/24/choice_0125.html -http://www.consumeraffairs.com/news04/2008/01/choicepoint_settle.html [Editor's Note (Pescatore): The $25M in fines and legal judgments is probably about equal to the other direct costs ChoicePoint had to spend to deal with this incident. Last year ChoicePoint's CISO gave a great presentation on lessons learned, especially about how business processes need to be considered as part of the security equation. (Schultz): This is just one of many recent examples of the types and amounts of financial costs associated with data security breaches. Just when a company finishes settling a legal case growing out of a data security breach with one plaintiff, another comes on the scene to file additional legal action. (Cole) Keep a copy of this story on files so you can answer your executives' questions about the "value of security." ]
Singapore Police Arrest Seven for Computer Law Violations (January 24, 2008)
Authorities in Singapore have filed charges against seven former Citibank employees for violations of the country's computer misuse act and computer secrecy law. The seven allegedly took private bank client information from Citibank with them when they left the company to work at UBS, a Citibank competitor. They face a total of 1,223 charges for allegedly accessing Citibank computers without authority and making copies of client data. The charges mark the culmination of a one-year investigation by the Singapore police commercial affairs division. The seven have been suspended from their jobs at UBS pending the resolution of the case. If they are convicted, they could be sentenced to up to 20 years in jail and fined as much as S$125,000 (US $88,000). -http://www.ft.com/cms/s/0/83d71216-caab-11dc-a960-000077b07658,dwp_uuid=e8477cc4 -c820-11db-b0dc-000b5df10621.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Prosecutor Will File Charges Against Pirate Bay Operators (January 28, 2008)
A Swedish public prosecutor plans to file charges of accessory and conspiracy to break copyright law this week against the operators of the Pirate Bay website. The prosecutor maintains that Pirate Bay operators are acting as accessories to crimes; the operators say they have no control over the content that people choose to download. If the operators are found guilty, they could face fines or up to two years in prison. Pirate Bay servers contain no pirated content; instead, the site acts as a directory to locations of torrent files on the Internet. What Pirate Bay does make available on its site is the BitTorrent protocol, which allows users to download large files. -http://www.smh.com.au/news/web/pirate-bay-facing-copyright-charges/2008/01/28/12 01369001873.html
IFPI Says Losses in CD Sales Outweigh Gains from Online Music Sales (January 25, 2008)
Stolen Computer Holds Marks & Spencer Employee Data (January 25, 2008)
A laptop computer stolen from the home of a Marks & Spencer contractor contains pension plan information for approximately 26,000 of the UK-based retail store's employees. The computer was stolen in April 2007 and no employees have reported problems due to the data loss. The data on the computer were not encrypted; the Information Commissioner's Office (ICO) found M&S to have breached the Data Protection Act when it did not take steps to ensure the safety of employee data. The ICO has ordered M&S to ensure that all its laptop hard drives are encrypted by April 2008 or face criminal charges. -http://news.bbc.co.uk/2/hi/business/7209154.stm -http://software.silicon.com/security/0,39024655,39169821,00.htm [Editor's Note (Honan): This sanction is something that all organisations should take heed as it sends a strong and clear message as to what the ICO expects from organisations to whom personal data has been entrusted to. ]
Best Buy Recalls Infected Digital Picture Frames (January 25 & 28, 2008)
DC City Workers Fired for Surfing Porn Sites (January 23 & 25, 2008)
Nine Washington DC municipal workers have been fired for surfing pornographic websites during work hours. Washington DC chief technology officer Vivek Kundra says figures indicate that each employee looked at approximately 20,000 pornographic images last year. The information was gathered from records of web use generated by content filtering tools. An additional 32 employees who viewed pornographic images more than 2,000 times will be reprimanded or suspended. Filtering software was installed on 10,000 city computers; the city has purchased 20,000 additional copies to track activity on all city PCs. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti cleId=9059219&source=rss_topic17 -http://www.vnunet.com/vnunet/news/2208112/government-workers-fired [Editor's Note (Pescatore): So, policy said "don't go to porno sites" but no URL blocking was used to enforce the policy? Or it was OK as long as you went to fewer than 2,000 sites in a year?? I think we learned way back in the telephone days to block access to 900 numbers, not spend admin time counting up how long everyone spend on prohibited calls. (Northcutt): 20,000 images would be about 160 hours of viewing at 30 seconds to download and look at a picture. One over achiever downloaded 48,001 images; he is probably filing for disability for repetitive motion injury. This is a management failure. If one employee has to be terminated, it may be an employee behavior problem. If a lot of employees have to be terminated or disciplined, it is a management failure. In my class, we cover this; content filtering is not exactly a new idea. If you do not have content filtering, get it, it will pay for itself. -http://www.epolicyinstitute.com/training/index.html -http://www.sans.org/training/description.php?mid=62]
Computer Security Events that Changed History (or Didn't) (January 2008)
CSO Online's list of "the top eight events that changed the course of computer security history (and two that didn't)" runs the gamut from the Cap'n Crunch whistle and the Morris worm to Titan Rain and the Storm Worm. The events were selected "because of their legislative impact or technical sophistication, ... the media attention they received, and ... the focus they brought to important security issues." Interestingly, the two events that didn't change history are the VA data theft and the TJX breach. Although they had the potential to force changes in data protection laws and regulations and encourage more widespread adoption of security standards, neither of these things has happened. -http://www2.csoonline.com/exclusives/column.html?CID=33495 [Editor's Note (Northcutt): Short article, but good to remind us of the dates and names of some of the really big events. A bit more elbow grease and this could have been an excellent read. ]
LIST OF UPCOMING FREE SANS WEBCASTS
WhatWorks in Firewalls and Anti-Malware Gateways: Flexible Firewalling at Harris Corporation WHEN: Wednesday, January 30, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKERS: Alan Paller and Ronda Henning -http://www.sans.org/info/21659 Sponsored By: Secure Computing
The company that handles information security for major broadcast networks and such government agencies as the FAA, needed a very robust, very secure and very flexible firewall platform that could be tailored and customized to address both new and ancient legacy protocols and applications. Denial of service was a significant concern for Harris Corp. clients so the company turned to a solution that provided a highly available and high performance firewall.
How many organizations really understand their data privacy rules well enough to know where and how to protect their regulated data with proper audit? What are their perceptions of data privacy regulations, and how are they integrating compliance into their data management practices, starting at the database? These and other questions will be answered when, on Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.
We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common? Answer: They were all milestones in the evolution of hacking and information security.
Please join Dave Shackleford, CTO at the Center for Internet Security and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including: The early days of phone phreaks and bulletin boards The growth of hacker gangs and 2600: The Hacker Quarterly The 75-cent accounting error that led to an international crime investigation Bill Cheswick's evening with "Berferd" The first malware and Trojan horse programs At the same time, Dave will give his predictions for the coming year of hacking - and discuss which hacker movies are most realistic (if any)!
WhatWorks Webcast: WhatWorks in Intrusion Detection and Prevention: Improving Network Visibility at GraceKennedy WHEN: Tuesday, February 12, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKERS: Alan Paller and Gregory Henry -http://www.sans.org/info/22559 Sponsored By: Sourcefire
A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Dr. Eric Cole -http://www.sans.org/info/20057 Sponsored By: Core Security
The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005 WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Jerry Shenk -http://www.sans.org/info/20052 Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/