Canadian Judge Rules Internet Users Have "No Reasonable Expectation of Privacy" (February 13, 2009)
A judge in Canada has ruled that Internet users have "no reasonable expectation of privacy" regarding records kept by their Internet service providers (ISPs). The ruling was made in the course of a child pornography case in which law enforcement officers asked an ISP to provide subscriber information for an IP address that was allegedly used to access the content. Bell Canada provided the information without a warrant. Most Canadian ISPs require warrants before they will provide subscriber names, except in the case of child pornography. Privacy advocates are concerned that the ruling could set a precedent that would put individuals' entire surfing history at the disposal of law enforcement authorities without the need for warrants. They maintain that the judge operated under the faulty assumption that the information obtained from the ISP is similar to what could be found in a telephone directory.
-http://www.nationalpost.com/news/story.html?id=1283120
-http://www.montrealgazette.com/news/Police+have+access+your+online+history/1286193/story.html
[Editor's Note (Northcutt): The ever-dwindling right to privacy. Keep in mind that ISPs want to collect information on users' surfing etc., so they can sell that data to marketing firms. Be sure to check out the related FTC story elsewhere in this issue.
(Hoelzer): This topic will become more and more interesting legally, since in many jurisdictions governments are requiring that certain records be kept; while the intent is good, the potential for abuse toward individuals unfriendly to a particular political point of view could result in the end. For example, consider the story out of the UK this week moving to consolidate this type of data into top-tier providers for easier access and monitoring by government.]
Three Arrests in Heartland Breach Case (February 13, 2009)
Pirate Bay Trial Begins in Stockholm (February 13 & 16, 2009)
The Swedish trial of the founders of the Pirate Bay website has begun. Pirate Bay contains links that allow site members to download copies of music, movie and television program files; the site's founders are being sued by a group of media companies. The defendants, Frederik Neij, Gottfrid Svartholm Warg, Peter Sunde and Carl Lundstrom, maintain that they have not done anything illegal because the content in question is not hosted on their servers. The four are facing charges of accessory and conspiracy to break copyright law. The lawsuit is seeking 120 million kronor (US $14 million) in damages and interest. The site has an estimated 25 million users. If the men are convicted, they could face sentences of up to two years in prison and fines of as much as US $180,000.
-http://news.bbc.co.uk/2/hi/technology/7892073.stm
-http://blog.wired.com/27bstroke6/2009/02/pirate.html
-http://www.msnbc.msn.com/id/29223839/
ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Two of Tenenbaum's Three Alleged Accomplices Cleared of Charges (February 11, 2009)
Two of the three people arrested along with Ehud Tenenbaum in Canada last September for their alleged involvement in a fraud scheme have been cleared of charges, although no reason was given for the decision. Tenenbaum and three others were arrested last fall for allegedly breaking into the computer system of Direct Cash Management, a company that sells prepaid debit and credit cards. The system was accessed through an SQL injection attack. Limits on some accounts were changed, and all told, those involved in the scheme stole CN $1.8 million (US $1.4 million). Tenenbaum gained notoriety in the late 1990s for his role in several intrusions into US government computer systems. He is currently free on CN $30,000 (US $24,000) bond, but the US is seeking to extradite him to face other charges. Tenenbaum's girlfriend, Priscilla Mastrangelo, still faces charges.
-http://blog.wired.com/27bstroke6/2009/02/the-analyzers-a.html
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US State Department Employees Use Biometrics to Access Network (February 11, 2009)
Mass. Extends Data Protection Compliance Deadline Again (February 13, 2009)
Massachusetts officials have once again extended the deadline for compliance with the state's stringent data security regulations. Organizations now have until January 1, 2010 to ensure that any personal data they retain that belong to Massachusetts residents are protected in a number of ways, including encrypting data while they are being transmitted over public networks or stored on devices that can be carried from one location to another, and limiting the amount of information they retain. The decision to extend the deadline was based in part on the current economic climate as well as the need to allow companies ample time to make the necessary changes to their systems. State regulators have also pared back their demands that third parties with access to the data be required to demonstrate that they were compliant with the requirements as well. Originally, the compliance deadline was January 1, 2009; last November, the date was pushed back to May 1, 2009, and last week, it was once again extended.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127961&intsrc=news_ts_head
[Editor's Note (Hoelzer): There are sometimes excellent reasons to extend deadlines. When it comes to compliance requirements, however, my experience tells me that extending the deadline simply leads to businesses choosing to do nothing until the deadline again draws near.]
Forrester Report Indicates IT Security Spending is Up Slightly (February 16, 2009)
A survey from Forrester Research says that the percentage of IT operating budgets devoted to security is increasing, from 11.7 percent in 2008 to 12.6 percent in 2009. Fully half of the security budgets are earmarked for staffing and upgrades to existing technology. The report, "The State of Enterprise IT Security: 2008 to 2009", surveyed nearly 950 IT and security managers in Europe and North America.
-http://computerworld.co.nz/news.nsf/scrt/F53EE9A6133F149FCC25755C0010AEFC
Italian Police Say Criminals Turning to VoIP to Avoid Wiretaps (February 14 & 16, 2009)
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/