IT security is changing this year for four groups: Federal IT executives; IT and security people in the defense industrial base and in the critical infrastructure; the contractors who support them; and the auditors and inspectors general who measure security. The shift to automated, continuous measurement of critical security controls is the biggest change coming in those worlds during the rest of 2009 and 2010. On June 22-23 in Washington, a workshop/short course will cover the "20 Critical Security Controls," how to automate them, and how to measure their effectiveness - including what tools are needed and what tests should be run. There are only about 40 seats. If you want one, register by the middle of next week. http://www.sans.org/dc0609/description.php
Also for federal agencies and their contractors: the US Department of Agriculture is leading the government in focusing on application security as a current threat - changing their contracting and establishing training programs for programmers (both employees and contractors) on secure coding in Java and in other languages. Their training programs are open to other agencies and contractors. Email me if you want info (email@example.com).
BTW, allowing programmers who have not proven they can write secure code to build your web and e-gov applications is *the single most critical* security problem you face, because it will embarrass your agency more than any other. Just one example of what happens to agencies that allow untrained and untested programmers to write e-gov code: http://www.theregister.co.uk/2009/05/05/virginia_medical_records_extortion/
Alan
*************************************************************************
SANS NewsBites May 15, 2009 Volume: XI, Issue: 38
*************************************************************************
BSA Says 41 Percent of Software on PCs Worldwide is Pirated (May 12, 2009)
According to statistics from the Business Software Alliance (BSA), 41 percent of all software installed on PCs worldwide in 2008 was pirated. The resulting financial losses were estimated to be US $53 billion. The level of piracy around the world increased slightly from 38 percent in 2007 to the current figure for 2008 of 41 percent. BSA CEO and president Robert Holleyman said that while the percentage of pirated software is lower in the US than anywhere in the world, it is still a significant problem because more software is sold in the US than anywhere else, which means that "the US has the highest single dollar loss." -http://www.msnbc.msn.com/id/30699735/
Former FBI Agent Gets Probation for Unauthorized Data Access (May 14, 2009)
Former FBI agent Mark Rossini was sentenced to one year of probation for using agency computers to search for information about a Hollywood wiretapping case in which he was not involved. Rossini admitted that he gave the information to a woman he was dating, who then gave it to an attorney for Anthony Pellicano, a private investigator who is presently serving a 15-year sentence for wiretapping celebrities' phones for clients. Rossini pleaded guilty to five counts of criminal computer access late last year. He also faces fines amounting to US $5,000.
-http://www.nextgov.com/nextgov/ng_20090514_8408.php
[Editor's Note (Northcutt): The problem with a hand-slap type sentence, at a time when the government is increasing access to private data about citizens, is that it sends the wrong signal. It needs to be clear that abusing lawful access is wrong. And the government needs to implement role-based access control. Far too often, if you have access, you have access to everything.]
Guilty Plea in Scientology DDoS Case (May 12, 2009)
Dmitriy Guzner has pleaded guilty to charges that he used a botnet to launch a distributed denial-of-service (DDoS) attack against Church of Scientology websites in January 2008. He is scheduled to be sentenced in August; he faces up to a year-and-a-half in prison. Guzner is a member of a group that calls itself Anonymous and is involved in protests against the Church of Scientology. Apart from the DDoS attacks, Anonymous has allegedly made nuisance calls to the Church and staged peaceful protests outside Church facilities.
-http://www.theregister.co.uk/2009/05/12/scientology_ddos_attack_plea/
DHS Information Sharing Platform Breached (May 13, 2009)
A US Department of Homeland Security official has acknowledged a security breach of the platform the department uses to share sensitive, unclassified information with state and local authorities. Harry McDavid, Chief Information Officer for the DHS Office of Operations Coordination and Planning, said that the US Computer Emergency Readiness Team detected two intrusions into the Homeland Security Information Network: one in March and one in April. The intruders managed to gain access to the system through an account belonging to a federal employee or contractor.
-http://fcw.com/Articles/2009/05/13/Web-DHS-HSIN-intrusion-hack.aspx
[Editor's Note (Pescatore): The new secretary of the Department of Energy, Steven Chu, was recently quoted as saying "well-meaning people" in the chief information officer's office and in the procurement and finance offices "whose job it is to protect the Department of Energy" actually hinder what the department can do. I hope he looks at this DHS incident to make sure that DoE increases, vs. decreases, building security into its systems and applications.
(Northcutt): ".. gained ACCESS through an account belonging to a federal employee." Maybe we could get a special holiday commissioned, "access control day."]
DHS IG Report Says Data Centers Need Improvements (May 13, 2009)
A report from DHS Inspector General Richard Skinner said that two DHS data centers were established without adequate protection from physical threats. One of the centers was established on the Mississippi Gulf Coast without considering protection from hurricanes, vibrations from a rocket testing facility just a few miles away, and environmental contamination from its location at a former weapons plant. A site in Clarksville, Virginia was established in close proximity to two 25,000-gallon diesel fuel storage tanks. The data centers are supposed to safeguard information from other data centers and serve as disaster recovery backups for each other, but they lack the necessary interconnecting circuits and redundant hardware.
-http://fcw.com/Articles/2009/05/13/DHS-data-centers-at-risks-says-IG.aspx
-http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_09-60_Apr09.pdf
UPDATES AND PATCHES
Microsoft Releases Fixes for PowerPoint Flaws in Windows (May 13, 2009)
Adobe Issues Updates for Acrobat and Reader (May 13, 2009)
Apple Issues Security, OS X Update (May 12 & 13, 2009)
University of Toronto Programs Offer Cyber Intelligence Tools to Civil Liberties Groups (May 12, 2009)
The Information Warfare Monitor and Citizen Lab programs were established at the University of Toronto with the goal of providing civil liberties organizations and other similar groups with tools to conduct effective Internet intelligence research in their areas of interest; such tools are normally available only to law enforcement authorities and computer security investigators. The programs have already shown themselves to be effective. Last year, a researcher working for both groups discovered that a Chinese wireless carrier was using a version of Skype to eavesdrop, and this year, the same researcher uncovered a Chinese spy system that has been dubbed Ghostnet.
-http://www.nytimes.com/2009/05/12/science/12cyber.html?_r=2&ref=technology&pagewanted=print
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/