********************** Sponsored By Tufin Technologies ******************
Slash Costs with Automated Firewall Security Audits
For security executives and administrators, Tufin SecureTrack is the key to fast, accurate firewall audits. Learn how you can reduce opex and increase network security by automating manual, repetitive firewall administration tasks and optimizing rulebases to improve performance.
Learn more - click for a free Tufin Polo shirt and a chance to win an Apple iPod Touch. http://www.sans.org/info/42684
*************************************************************************
Cyber spies have stolen tens of terabytes of design data on the US's costliest weapons system, the $300 billion Joint Strike Fighter project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot can not trust his radar."
-http://online.wsj.com/article/SB124027491029837401.html
British Council Violated Data Protection Act, Says Information Commissioner's Office (April 17 & 20, 2009)
Dept. of Health and Human Services Issues Electronic Health Record Data Security Guidance (April 20, 2009)
The US Department of Health and Human Services has released a document offering guidance on protecting electronic health record data. The document says that electronic medical data must be rendered "unusable, unreadable or indecipherable" to those who do not have the authority to view them, and recommends encryption and destruction as acceptable methods of meeting those requirements. The document is tied to two sets of breach notification regulations required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the economic stimulus bill. One set of notification guidelines will be issued by HHS, and the second will be issued by the Federal Trade Commission for entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). Organizations that comply with the guidelines set forth in the document will not be held to breach notification requirements. HHS will accept public comments on the document through May 21, 2009.
-http://fcw.com/Articles/2009/04/20/HHS-releases-guidance-on-securing-electronic-health-data.aspx
-http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
-http://www.nextgov.com/nextgov/ng_20090420_8620.php
-http://govhealthit.com/articles/2009/04/20/health-it-privacy-guidelines.aspx
[Editor's Note (Pescatore): The real key is enforcing existing regulations around personal health information vs. any real need for new regulations.
(Liston): I completely disagree with giving these companies a free pass from breach notification simply because they checked the "we encrypt" box on some form. Doing encryption is easy... doing encryption well is hard. Also, encrypting data-at-rest and data-in-motion is wonderful, but what if a breach targets data-in-use? ]
Newly Released Documents Shed (a Bit) More Light on FBI's Spyware (April 16, 2009)
Documents obtained under the Freedom of Information Act (FOIA) indicate that the FBI has used technology known as a computer and Internet protocol address verifier, or CIPAV, in a number of cases over the last seven years. CIPAV is spyware that is placed on target computers to gather specific information and send it back to an FBI server. The public became aware of CIPAV in 2007 when it was used to track down the source of a bomb threat against a high school in Washington State. The documents do not detail CIPAV's capabilities, but an affidavit in the Washington case indicates that the information it collects includes the machine's IP and MAC addresses; open ports; programs running on the machine; current logged-in user name and last-visited URL. CIPAV is of particular use to the FBI because it is able to trace even suspects who use proxy servers and other anonymization techniques. -http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html
NSA Wiretaps Have Exceeded Limits (April 15, 2009)
US government officials said that the National Security Agency's (NSA) domestic wiretaps have gone beyond established legal limits. The problems were detected during a periodic Justice Department review of NSA activities; officials at DoJ "took comprehensive steps to correct the situation and bring the program into compliance." Last July, legislators passed and then-president Bush signed into law the Foreign Intelligence Surveillance Act (FISA), which gave NSA the authority to conduct wiretaps without warrants against foreign terror and espionage suspects.
-http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=print
-http://www.securityfocus.com/brief/949
[Editor's Note (Schultz): This news item shows just how important President Obama's efforts to get the US government back to operating in accordance with the US Constitution are. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Guilty Plea in Pirated Software Case (April 17, 2009)
Administrators are being urged to protect their networks from a new wave of Secure Shell (SSH) attacks. The brute force attacks try to crack user names and passwords to gain access to servers. Advice for lessening the likelihood of an attack includes creating complicated usernames and passwords, moving SSH off port 22, and monitoring logs for suspicious activity. This story was first reported by the SANS Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6214
-http://www.vnunet.com/vnunet/news/2240614/ssh-server-attacks-resurface
[Editor's Note (Schultz): Two of these three recommendations seem sound to me. Moving ssh off of tcp port 22 seems like a "security by obscurity" measure to me, however. Experienced attackers do not need much time to recognize ssh traffic, regardless of the destination port.
(Liston): I recommend disabling password authentication entirely and allowing only PublicKey authentication. I run an SSH honeypot and I can indeed corroborate a huge uptick in PW brute-forcing attacks, most of which are coming from previously compromised machines. Over the past month, I've had over 26,500 separate login attempts from 42 different attacking IPs, using 16,500 different username/pw combinations (10,000 different passwords have been tried for "root"). I've also spent a great deal of personal time lately tracking down the right person inside companies, who SHOULD KNOW BETTER, to tell them that they're running an 0wned box. Monitor both your inbound AND outbound traffic for any spike in SSH connects... these attacks aren't subtle in the least. ]
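The item above recommends monitoring logs for suspicious activity, and the editor's note describes the telltale pattern (many failed password attempts from a small set of source IPs, many usernames tried, a large share of them for "root"). The script below is an added example, not code from the NewsBites item or from the Internet Storm Center: it parses OpenSSH "Failed password" / "Accepted ..." syslog lines, aggregates failures per source IP, and raises the one alert that matters most, a password login that succeeded from a source that had been brute forcing. The log lines, host names, addresses (RFC 5737 documentation ranges) and the threshold of five failures are all constructed for the example.

```python
"""Added example: summarise SSH brute-force activity from sshd log lines.

Constructed sample data and thresholds; not part of the NewsBites item.
"""
import re
from collections import defaultdict

# OpenSSH syslog message shapes we care about. The "invalid user" prefix
# appears when the attempted account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Apr 20 10:15:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 20 10:15:02 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Apr 20 10:15:03 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Apr 20 10:15:04 bastion sshd[2204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Apr 20 10:15:05 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Apr 20 10:15:09 bastion sshd[2206]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Apr 20 10:16:00 bastion sshd[2210]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Apr 20 10:16:30 bastion sshd[2211]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 20 10:17:00 bastion sshd[2212]: Did not receive identification string from 192.0.2.44 port 33000
"""


def parse_line(line):
    """Return ('failed'|'accepted', user, ip, method), or None for other sshd lines."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m.group("user"), m.group("ip"), "password")
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m.group("user"), m.group("ip"), m.group("method"))
    return None


def analyse(log_text, threshold=5):
    """Aggregate password failures per source IP and flag brute-force patterns.

    threshold: failed password attempts from one IP that count as brute forcing
    (a constructed value; tune it to the host's normal traffic).
    """
    failures = defaultdict(int)      # ip -> failed password attempts
    usernames = defaultdict(set)     # ip -> distinct usernames tried
    accepted_pw = defaultdict(list)  # ip -> users who logged in with a password
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, ip, method = parsed
        if kind == "failed":
            failures[ip] += 1
            usernames[ip].add(user)
        elif method == "password":
            accepted_pw[ip].append(user)
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    # Highest priority: a password login succeeded from a source that had
    # already been failing. That is the signature of a cracked credential.
    success_after_failures = sorted(
        (ip, user)
        for ip, users in accepted_pw.items() if failures.get(ip, 0) > 0
        for user in users
    )
    return {
        "total_failures": sum(failures.values()),
        "attacking_ips": len(failures),
        "per_ip": {ip: {"failures": n, "usernames": sorted(usernames[ip])}
                   for ip, n in failures.items()},
        "brute_force_ips": brute_force,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['total_failures']} failed password attempts "
          f"from {report['attacking_ips']} source IPs")
    for ip in report["brute_force_ips"]:
        detail = report["per_ip"][ip]
        print(f"brute force from {ip}: {detail['failures']} failures, "
              f"usernames tried: {', '.join(detail['usernames'])}")
    for ip, user in report["success_after_failures"]:
        print(f"ALERT: password login for {user!r} from {ip} after prior failures")
```

On a real host the sample text would be replaced by the contents of /var/log/auth.log or the output of journalctl for the sshd unit. Note that the public-key login from 198.51.100.9 never enters the alert path: with password authentication disabled, as the editor's note recommends, the "Accepted password" branch can simply never fire, and the failure counts become pure noise measurement.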
Baker College Wins Cyber Defense Competition (April 20, 2009)
A team of eight students from Baker College in Flint, Michigan took top honors at the National Collegiate Cyber Defense Competition, held April 17-19 in San Antonio, Texas. The contest requires the teams to keep fictional business networks secure and operational while under hostile attack. In 2005, just five teams competed; this year's competition drew 65 teams that were winnowed down at regional competitions prior to last weekend's event.
-http://sev.prnewswire.com/high-tech-security/20090420/DC0144520042009-1.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/