The role of the CISO is changing. On Monday at Gartner's Information Security Summit, one of the main-tent sessions will address just how it is changing. I am looking for real-world examples to help make the session even better; please share, and anonymity is promised. Email firstname.lastname@example.org by Saturday at 5 PM EDT.
*************************************************************************
SANS NewsBites            June 26, 2009            Volume: XI, Issue: 50
*************************************************************************
********************** Sponsored By HP (SPI Dynamics) *******************

Tool Talk Webcast: HP Tackles Cloud Application Security

In this webcast, participants will learn about:
* The three most common delivery platforms for Cloud computing: IaaS, PaaS and SaaS.
* How to manage application keys and handle sensitive information for each platform.
* How the delivery platforms impact the software development lifecycle.
* How we expect hackers to approach cloud applications.
* How HP can help you secure cloud applications.
http://www.sans.org/info/45193
[Editor's Note (Weatherford): It's a simple concept. The US Government calls it Need To Know (NTK) and manages access to information based upon that concept. Until it becomes a universal maxim (see Security Maxims below), these types of unauthorized access incidents will continue. ]
Five Guilty Pleas in Stock Manipulation Spam Case (June 25, 2009)
Five people have pleaded guilty to charges related to a spam scheme that artificially inflated the price of Chinese penny stocks. The email messages contained false or misleading information that prompted some recipients to purchase the stocks, thus driving up their price; the defendants then sold shares of the stock at a profit. The spam was sent using a variety of techniques aimed at evading spam filters. Alan M. Ralsky and Scott K. Bradley pleaded guilty to charges of conspiracy to commit wire fraud, mail fraud, and violation of the CAN-SPAM Act. John S. Bown, William C. Neil and James E. Fite all pleaded guilty to similar charges. All five will be sentenced in October, when they will face sentences of between two years and 87 months. Others were involved in the scheme as well; some have already entered their pleas, while others' cases are still pending. -http://www.cybercrime.gov/ralskyPlea.pdf -http://www.scmagazineus.com/Guilty-plea-for-Detroit-spam-king/article/138915/
Hard Drive Purchased in Ghana Contains US Military Contractor Data (June 24 & 25, 2009)
Conference on Cyberwarfare Attendees Discuss Pros and Cons of Proactive Attacks (June 21, 2009)
People attending the Conference in Cyber Warfare in Tallinn, Estonia discussed the merits and drawbacks of conducting proactive cyber attacks. Two PhD students at the University of Bonn (Germany) have collected enough information about a quartet of established botnets that they say they could "successfully attack and dismantle the malicious networks." Two unnamed US government officials said that it is time to start creating policy that would allow for offensive cyber attacks. A scientist with the Defence Research and Development Organization at India's Ministry of Defence opined that multilateral development of cyber defense capabilities could create a situation similar to nuclear detente. But it is seldom possible to say with certainty who is behind a cyber attack. Booz Allen Hamilton consultant Ned Moran observed that "No single analogy tells the whole story." -http://www.csoonline.com/article/495520/Cyberwar_Is_Offense_the_New_Defense_
Payment Card Industry Security Standards Council Seeks Input (June 24 & 25, 2009)
[Editor's Note (Pescatore): The PCI Security Standards Council is having an external audit firm look at potential new technologies to be mandated in the PCI DSS requirements but doesn't appear to be looking at the overall PCI audit process, a review that is badly needed. To its credit, the Council is holding some town meetings to get input along with this feedback. The National Retail Foundation has already provided recommendations, including a very important one: make it easier for merchants to never have to store the card data in the first place. Reducing vulnerability should be the goal, not mandating more ways to protect data that might not need to be stored in the first place. (Schultz): A great percentage of those who whine about having to conform to the PCI-DSS standard is comprised of individuals from organizations that fail to appreciate the value of information security in the first place. One of the greatest benefits of the PCI-DSS standard is that it forces such organizations to improve their level of security to the point that they will be substantially less likely to suffer data security breaches involving credit card information. Without having to conform to PCI-DSS, data security breaches in these organizations would for all practical purposes be inevitable. ]
Customers Worry About Defunct Registered Traveler Program Data Security (June 23, 2009)
Customers of the suddenly-defunct Verified Identity Pass (VIP) registered air travel service Clear have expressed concern about the security of the data they provided to the company. Membership in the Clear service allowed customers to navigate security at US airports more quickly than most other travelers. The company blamed its hasty decision to cease operation on its inability to "negotiate a settlement" with its main creditor. VIP issued a statement assuring customers that their data are being protected as required by Transportation Security Administration (TSA) standards and that it would "take appropriate steps" to destroy the collected data, but did not provide any specific information about the method it would use. Customers had provided the company with a virtual treasure trove of personal data, including Social Security numbers (SSNs), credit card numbers, driver's license numbers, iris scans and fingerprints. In a move already proving unpopular, the company said that because of its current financial situation, customers who have signed up for the US $199 a year service would not receive refunds. The company has more than 260,000 customers. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134739&taxonomyId=17&intsrc=kc_top -http://www.washingtonpost.com/wp-dyn/content/article/2009/06/23/AR2009062303454.html
[Editor's Note (Pescatore): I think the failure of the service was more a business plan problem: not enough value at too high a price. But the "your personal data is safe but we can't tell you how" attitude is a good reason on its own to run screaming from the service. (Honan): If your organization has outsourced data handling to a third party, now is the time to discuss with them how they protect that data and how they intend to handle YOUR data in the event they have to cease business. (Weatherford): Now some people might be inclined to think that because of the visibility associated with the program, the Clear program would surely take appropriate measures to ensure that all of their former customer information is properly protected until completely destroyed. However, like the statement that "we're reasonably sure no information was exposed" following a data breach, the comment from Clear that they will "take appropriate steps" to delete the information collected for the Clear service leaves me a little uneasy, especially since there doesn't appear to be a lot of communication from the company to their former customers. The asset fire sales during the dot com bust come to mind. ]
[Editor's Note (Pescatore): Another example of sensitive data that never needed to be stored in the first place. There are no shortages of data-masking applications to turn live data into safe test data. Not to mention that an employee laptop without stored data encryption is like a manhole without a cover. ]
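The two Pescatore notes above (not storing card data where it is not needed, and masking live data before it reaches a test environment) describe a practice rather than a tool. The following is an added illustration, not code from SANS, the editors, or any product mentioned: a small Python data-masking routine that turns a constructed "live" customer record into a safe test record. Card numbers become keyed, Luhn-valid, format-preserving tokens that keep only the last four digits (so test code that validates or displays PANs still works); SSNs are truncated irreversibly; email addresses become stable pseudonyms on a reserved domain. The record, the masking key and every function name are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample "live" record for the example; not real data.
SAMPLE_RECORD = {
    "name": "Test Customer",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
    "email": "test.customer@example.com",
}

# Hypothetical masking key. In practice it lives in a secrets store on the
# masking host only; the test environment never receives it.
MASKING_KEY = b"example-masking-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right, fold, sum."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes) -> str:
    """Replace a card number with a keyed, deterministic token of the same
    length that keeps the last four digits and still passes Luhn.
    The token cannot be reversed without the key, and the key never goes
    to the test environment, so test data carries no live PAN."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a well-formed card number")
    last4 = pan[-4:]
    n_mid = len(pan) - 4
    # HMAC-SHA256 over the PAN: same input and key always give the same token,
    # so foreign keys across tables still join after masking.
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    mid = "".join(str(b % 10) for b in digest[:n_mid])  # one digit per byte
    # Choose the leading digit so the whole token is Luhn-valid. Both the
    # plain and the doubled-and-folded digit mappings are bijections on
    # 0..9, so exactly one value of d works.
    for d in range(10):
        candidate = str(d) + mid[1:] + last4
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one digit always satisfies Luhn")


def mask_ssn(ssn: str) -> str:
    """Irreversible truncation: keep only the last four digits."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        raise ValueError("SSN must look like NNN-NN-NNNN")
    return f"XXX-XX-{m.group(3)}"


def pseudonymize_email(email: str, key: bytes) -> str:
    """Stable pseudonym on a reserved domain so no real mailbox is ever hit."""
    tag = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"user_{tag}@example.com"


def mask_record(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Produce the test-environment copy of one customer record."""
    return {
        "name": record["name"],  # names may be masked too; left as-is here
        "ssn": mask_ssn(record["ssn"]),
        "card": tokenize_pan(record["card"], key),
        "email": pseudonymize_email(record["email"], key),
    }


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
```

Tokenizing at the boundary where the copy is taken, with the key held only on the masking host, is what makes the resulting test database a non-event if a laptop holding it goes missing, which is the second point of the note.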
Green Dam Exploit Posted to Internet (June 25, 2009)
An exploit for a buffer overflow in the controversial Green Dam Youth Escort filtering software has been released in the wild. The exploit affects Green Dam 3.17. The Chinese government has mandated that all PCs sold in or shipped to that country come with Green Dam pre-installed. The software has generated criticism among technology and security experts because it could be used by the government to restrict access to information and could be exploited by attackers for malicious purposes. -http://news.cnet.com/8301-1009_3-10272926-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
TJX Agrees to $9.75 Million Settlement (June 23, 2009)
Smile ruefully in recognition at this list of security maxims, including "The Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it." They may not be true, but they are funny. -http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/