******************* Sponsored By IBM Rational AppScan ******************
Improving the security of web applications starts by building software securely. IBM Rational AppScan is a suite of Web application vulnerability scanners that include dynamic and static analysis capabilities. Now you can engage more testers earlier in the development cycle. Try it for yourself. Download an evaluation copy of IBM Rational AppScan Developer Edition. http://www.sans.org/info/40233
Application Security Best Practices: A New Maturity Model for Building Security In (March 9 & 10, 2009)
The Building Security In Maturity Model (BSIMM) is "a set of best practices developed by Cigital and Fortify" that draws together data from nine software security initiatives to help software developers build more secure products. The model "breaks down" the best practices into 12 areas, including strategy and metrics, security features and design, and configuration and vulnerability management. -http://www.csoonline.com/article/print/483716 -http://www.scmagazineuk.com/Secrets-of-the-providers-detailed-in-new-report/article/128448/ -http://blogs.wsj.com/digits/2009/03/04/new-effort-hopes-to-improve-software-security/ -http://bsi-mm.com/ [Editor's Note (Pescatore): Good stuff, but the real value is in the listed best practices and being able to see which are common practice and which are best practice, vs. the idea of maturity levels. (Paller): John Pescatore is exactly right (as usual). The value here is in the common, best practices that can instruct other organizations that want to learn from these leaders. We talked at length with two of the biggest participants to better understand what they have learned about security education for programmers. They explained that security awareness training was not helpful at all unless it was complemented by actual secure coding training, often including the use of libraries that make secure coding easy. ]
BBC Criticized for Acquiring Control of and Using Botnet in Report (March 12, 2009)
College Student Faces Additional Charges in Palin eMail Break-in Case (March 9 & 10, 2009)
David Kernell, the Tennessee college student who allegedly broke into Governor Sarah Palin's Yahoo! mail account has pleaded not guilty to three new felony charges. Kernell now faces charges of intentional access without authorization; fraud; unlawful electronic transmission of material outside the state; and attempts to conceal records to impede an FBI investigation. If he is found guilty on all counts, Kernell could face up to 20 years in prison and a fine of up to US $250,000. -http://www.theregister.co.uk/2009/03/09/palin_hacker_recharged/ -http://www.vnunet.com/vnunet/news/2238234/student-pleads-guilty-sarah [Editor's Note (Schultz): I hate to think of someone going to prison for 20 years as the result of a cyberprank, yet at the same time the events surrounding this story point directly to the risks individuals incur when they engage in unauthorized computing activity. (Skoudis): Given this story and the one about Senator Coleman below, both associated with politics, we seem to have entered the age of hacking for political advantage by embarrassing an adversary or drying up their contributions through a breach. You know, ironically, I fully accept the militarization of cyber space, but somehow the politicization of the hack just doesn't sit well with me. If this continues and grows, having our politics distorted by breaches would be a scary thing. ]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Russian Youth Group Member Boasts of Role in 2007 Estonian DDoS Attacks (March 11 & 12, 2009)
Soldiers' Info May Have Been Compromised (March 12, 2009)
The US Army is notifying approximately 1,600 soldiers that their personal information may have been compromised during a database security breach. The incident affects soldiers who registered with and/or participated in the service's Operation Tribute to Freedom, which allows soldiers to share their stories publicly. The compromised data include names, email correspondence, addresses, awards received and dates of deployment and return. -http://fcw.com/Articles/2009/03/12/Army-breach.aspx
Wikileaks eMails Sen. Coleman Campaign Donors About Data Leak (March 11 & 12, 2009)
Sprint Notifies Some Customers That Their Account Data Were Compromised (March 11, 2009)
Sprint has sent letters to several thousand customers warning them that their account information was sold or shared without their permission. The breach occurred several months ago when a Sprint employee accessed the account information. The employee, who appears to have given the information to a third party, has been fired. The compromised data include names, addresses, wireless phone numbers, account numbers and answers to security questions. Affected customers were urged to contact customer service and change their personal identification numbers and security questions. -http://voices.washingtonpost.com/securityfix/2009/03/sprint_employee_stole_customer.html
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/