****************** Sponsored By ArcSight, Inc. **************************
Complimentary Whitepaper: Mitigating Fraud with the ArcSight SIEM Platform, 2008
Detecting, investigating and responding to fraudulent transactions from within and outside an organization is an essential function of business operations. Unfortunately, most organizations have inadequate solutions in place to deter fraudsters and lack the support tools for fraud investigators to quickly identify fraud and respond to the threats effectively. This whitepaper will outline the requirements for an effective fraud mitigation solution.
http://www.sans.org/info/34249
FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup (October 14 & 16, 2008)
Documents obtained by a German public radio station show that the DarkMarket carder forum was actually a US FBI sting operation. The site was used as a haven to buy and sell card information, other financial account data and devices used to make cloned cards. The site operated for nearly two years and helped gather intelligence that led to at least 56 arrests and prevented the loss of millions of dollars to fraud. The FBI ran the sting operation in cooperation with the UK's Serious Organized Crime Agency (SOCA) and authorities in Turkey and Germany.
-http://www.theregister.co.uk/2008/10/14/darkmarket_sting/
-http://news.bbc.co.uk/2/hi/uk_news/7675191.stm
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9117361&taxonomyId=17&intsrc=kc_top
[Editor's Note (Paller): Another great example of how good the FBI cyber crime program really is. They make cyber criminals work a lot harder and take a lot more risk. What can be more important? There are three key differences between the FBI and other agencies responsible for cyber security: Priorities (they focus on the most important attacks); Proactive (they use innovative investigative techniques to infiltrate groups during their activity, rather than merely reacting after the fact); and Partnerships (where the partners in the private sector and in foreign law enforcement are people who can actually get things done).]
DHS Criticized Again Over Lack of Cyber Attack Preparedness (October 13, 2008)
Chairman of the US House Homeland Security Committee Rep. Bennie Thompson (D-Miss.) says the US Department of Homeland Security (DHS) has not taken necessary steps to prepare for major cyber attacks. DHS was to have completed eight planning scenarios and accompanying documents regarding preparation for different vectors of attack, including cyber attacks, as the foundation of the National Response Framework. Rep. Thompson has asked DHS to submit a schedule for completion of the scenarios and associated documents by October 23. Just weeks ago, DHS was criticized by the Commission on Cyber Security for the 44th Presidency regarding its lack of preparedness for fighting cyber attacks; the Commission recommended placing the locus of national cyber security somewhere else. DHS has refuted the Commission's allegations, saying that "a reorganization of roles and responsibilities is the worst thing that could be done to improve our nation's security posture against very real and increasingly sophisticated cyberthreats."
-http://www.fcw.com/online/news/154055-1.html
-http://news.cnet.com/8301-10787_3-10048033-60.html
[Editor's Note (Pescatore): There is a lot of political maneuvering going on, pretty much standard operating procedure for an administration change. The major problem is that information security is a very big business and there are major competing interests in government to control budgets - but also in private industry to influence potential spending. The real bottom line is *no* government agency is going to ever actually drive protection of the thousands of businesses connected to the Internet any more than any government agency can protect the wired or wireless telephone system - or the economy. Thinking there can be a centralized solution to a totally distributed problem is like sending battleships after terrorists. However, there are proven mechanisms for how government and industry can cooperate for the good of the whole. Ten years ago Presidential Decision Directive 63 laid out what is still the best roadmap for the role government can play in all this - but since it didn't try to create new empires or new pork barrel opportunities it has largely been ignored.
(Northcutt): Timing is everything, and this comes just after the Air Force is having second thoughts about their Cyber Command. The US has not prioritized security and this will probably bite us:
-http://blog.wired.com/defense/2008/08/air-force-suspe.html]
State Data Encryption Laws Starting to Take Effect (October 16, 2008)
A law that took effect this month in Nevada requires that all businesses encrypt electronically transmitted customer data. While Nevada's encryption law is the first to take effect, other states are starting to enact similar laws. A Massachusetts law that will take effect in January 2009 will require businesses that collect information about Massachusetts residents to encrypt sensitive data stored on laptops and other portable electronic devices. Businesses are subject to the state laws if they have customers or otherwise conduct business operations within those states.
-http://online.wsj.com/article/SB122411532152538495.html
[Editor's Note (Schultz): I predict that Nevada's law requiring encryption of transmitted customer information will (like California SB1386) serve as a huge impetus for passing similar legislation in other states.]
Common Cause Report Says Some US States Need to Do More to Ensure Voting Accuracy (October 16, 2008)
A study released by Common Cause warns that "On November 4, 2008, voting machines will fail somewhere in the United States in one or more jurisdictions in the country. Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failure. [States are urged to] take steps necessary to insure that inevitable voting machine problems do not undermine either the individual right to vote or our ability to count each vote cast." The report examined laws, regulations and procedures regarding voting systems in four areas: provisions for machine repairs and availability of paper ballots; requirements for ballot accounting and vote reconciliation; use of a voter verifiable paper record; and post-election audits of those verifiable paper records. Six states received high ratings in all categories; 10 states received low ratings in three of four categories.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117347
-http://www.brennancenter.org/content/resource/is_america_ready_to_vote
Fortify Report Examines Reliability of Voting Systems (October 15, 2008)
U.S. Intelligence Officials Increasingly Worried That Hackers Could Wreak Havoc On The Financial System (October 17, 2008)
In today's National Journal, Shane Harris has a timely article illuminating examples of cyber security events that have caused significant problems for financial institutions, and the worries US intelligence officials are expressing. In closing, he quotes Tom Kellerman, one of the first to shine a light on this problem, saying, "The reality is, we've been building our vaults out of wood in cyberspace for too long."
-http://www.shaneharris.net/2008/10/toxic-information.html
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million People (October 14, 2008)
The UK Ministry of Defence (MoD) has revised its estimate of the number of individuals affected by the loss of a hard drive from 100,000 to 1.7 million. Those who had made an initial inquiry about serving in the armed forces would have just their names and phone numbers on the drive, but those who had applied had provided information that includes next of kin, passport and national insurance numbers, driver's license information and banking data. The drive is believed to be unencrypted.
-http://www.theregister.co.uk/2008/10/14/mod_bigger_loss/
-http://www.vnunet.com/vnunet/news/2228142/mod-loss-total-hit-million
Security Suite Vendors Question Secunia Study (October 15, 2008)
Makers of antivirus products and security suites are calling into question the validity of a recent study from Secunia. The study tested a dozen security suites against "300 exploits targeting vulnerabilities in various high-end, high-profile programs" and found the highest scoring suite caught just 64 of the 300 exploits. Some of the companies whose products were tested say that just one aspect of their products was examined. Others whose products were not included called the study a publicity stunt.
-http://www.darkreading.com/document.asp?doc_id=166027
-http://www.theregister.co.uk/2008/10/15/secunia_tests_backlash/
[Editor's Note (Skoudis): Designing a thorough and fair test regimen is quite difficult, and running the suite of tests against increasingly complex products is very time consuming and expensive. Matt Carpenter and I did this in 2007 for seven endpoint security products, and it consumed two months of our time. Whenever you see a test report of security products, make sure you look carefully at the description of the test methodology and testbed to determine what they measured and how. No test suite is perfect, but some better reflect operational environments than others.]
Police Buy Computer Tracking Service Licenses for Students and Other Residents (October 15, 2008)
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/