Cool new gift to the security community from the folks at the Internet Storm Center: a daily summary of information security events as a 5-10 minute "stormcast". See: isc.sans.org/podcast.html , or search iTunes for "Stormcast". Each Stormcast is made available between 0 and 3am GMT so it is ready for many readers for a morning commute.
The sleeper story of the year is the first one. The CAG will revolutionize first federal and defense industrial base cyber security, then security product procurement, and then (very quickly) banking security and critical infrastructure security. If you work in any place with data that really matters, test your current controls against what is published in the CAG (don't check whether you have policies, rather use the measures of effectiveness in the CAG to test the quality of your controls.) For consultants, the biggest new business opportunities will go to the large consulting companies who are first to make the transition from FISMA reporting or ISO auditing to CAG implementation and testing.
************************************************************************* SANS NewsBites February 24, 2009 Volume: XI, Issue: 15 *************************************************************************
************************* Sponsored By Q1 Labs **************************
Leverage Log Management to Boost Your Enterprise IT Security: Collect and manage event logs from your entire IT infrastructure; Effectively reduce and prioritize millions of network and security events; Quickly and easily search and report on events in real time and over an extended period of time. A COMPLIMENTARY WHITE PAPER FOR SANS READERS: https://www.sans.org/info/38964
- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. Lots of evening sessions: http://www.sans.org/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
Proposed Legislation Would Require Retention of Internet Use Data for Two Years (February 20, 2009)
US legislators have introduced a bill that would require extensive logging of Internet use. The proposed legislation aims to help police with investigations. All ISPs and wireless access point operators would be required to retain logs of users' activity for a minimum of two years. The law would apply not only to large ISPs, but also to private homes that have wireless access points or wired routers that use the Dynamic Host Configuration Protocol, as well as small businesses, libraries, schools and government agencies. -http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech [Editor's Note (Northcutt): That is really nifty, an economic stimulus package for disk drive manufacturers! Seriously, this is a dumb idea, fraught with problems: how are we going to collect that volume of information, then how do we protect it, and what do we do when it is misused? (Ranum): Absurd. Basically, they are proposing to require extensive logging of usage patterns for every single internet access point in the US. It amounts to an enormous unfunded mandate to home users, cybercafes, airport wireless terminals, hotels, etc. The malefactors targeted by this law - presumably child porn traders and terrorists and whatnot - would be able to easily hide their actions anyway. (Ullrich): At the ISC, this issue has been the focus of our reader comments this week. I would like to quote one of them, provided by Jerry Rose: "This is like the difference between policies and procedures. The law needs to be like policies. It must be worded to stand the test of time - independent of changing technologies. Procedures must change often in order to keep up with technological changes. This would be represented by the method of prosecution of a defendant."]
Another Payment Processor Security Breach (February 23, 2009)
Starbucks Facing Lawsuit Over Laptop Theft (February 23, 2009)
A Starbucks employee has filed a class action lawsuit against the company in response to a data security breach that occurred in October 2008. A laptop containing the names, addresses and Social Security numbers (SSNs) of approximately 97,000 Starbucks employees was stolen last fall; the suit alleges fraud and negligence, and seeks an extension of the one year of credit monitoring the company offered, as well as unspecified damages and assurances that Starbucks will be required to undergo regular third party security audits. -http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html
POLICY AND LEGISLATION
Pending NZ Copyright Law Put On Hold (February 20 & 23, 2009)
US-CERT Warns of Proxy Server Flaw (February 23, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning about an architectural flaw in some proxy servers that could be exploited by attackers to connect "to any website or resource the proxy can connect to," including Intranets that should be off limits. Several dozen products have been updated; administrators should ensure they have installed the most recent versions to secure their networks. -http://www.kb.cert.org/vuls/id/435052 -http://www.theregister.co.uk/2009/02/23/serious_proxy_server_flaw/
DATA BREACHES, LOSS & EXPOSURE
Three Breaches at Univ. of Florida Gainesville in as Many Months (February 22, 2009)
The University of Florida in Gainesville has reportedly experienced three data security breaches in a three month period. The most recent incident involved a server that allowed faculty to host online course material and exposed personally identifiable information of 97,200 faculty, staff and students who were active at the university between 1996 and 2009. A breach in January of this year involved an LDAP Directory Server configuration error and exposed personally identifiable information of about 100 people. Finally, in November 2008, an intrusion compromised personally identifiable information of more than 330,000 current and former College of Dentistry patients who had been seen at the school since 1990. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9128398&taxonomyId=1&intsrc=kc_top
Unauthorized Patch Posted for Adobe Flaw (February 23, 2009)
STUDIES AND STATISTICS
More Than Half of Former Employees Took Company Data (February 23, 2009)
The Ponemon Institute interviewed 945 US adults who had been laid-off, fired, or changed jobs within the last year and found that more than half took company information with them when they left their former positions. The rationales for taking the data included help getting another job, help starting their own business, or simple revenge. All of the participants in the survey had access to proprietary information, including customer data, employee information, financial reports, software tools and confidential business documents. The survey also found that just 15 percent of the companies examined the paper and/or electronic documents their former employees took with them when they left. -http://news.bbc.co.uk/2/hi/technology/7902989.stm -http://www.theregister.co.uk/2009/02/23/insider_threat_survey/ -http://news.cnet.com/8301-1009_3-10170006-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 [Editor's Note (Schultz): What the Ponemon Institute's study did not show is just how bad ex-employee activity can get after a company folds. I have heard numerous accounts about computer crimes (including brazen thefts of servers) by ex-employees that ostensibly occurred after High Tower Software collapsed. Sadly, despite all the reported illegal activity, no complaints have been filed with law enforcement, nor has anyone been charged with any crime.]
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/