*********** Sponsored By RSA, The Security Division of EMC ***********
"How RSA envision(R) Delivers an Industry's Best ROI" https://www.sans.org/info/46523 This White Paper examines the Return on Investment (ROI) that a quality Security Information & Event Management (SIEM) solution can deliver to an organization.
Leahy Introduces US Data Security Legislation (July 22 & 24, 2009)
US Senator Patrick Leahy (D-Vt.) has introduced a bill that would require companies that retain consumers' personal data to establish and implement programs to protect that information. The Personal Data Privacy and Security Act would also require that companies notify affected individuals in the event of a data security breach. This is the third time Leahy has introduced this legislation.
-http://www.scmagazineus.com/Leahy-for-third-time-submits-federal-data-security-law/article/140604/
-http://leahy.senate.gov/press/200907/072209b.html
[Editor's Note (Schultz): This legislation is long overdue. If passed, it will make a huge difference concerning organizations' practices concerning safeguarding personally identifiable information.
(Pescatore): While there are good things about this bill, the language of this bill says that companies can request exemption from disclosure by notifying the US Secret Service of a risk assessment showing low risk of fraud within 45 days of the breach. This is both a huge loophole and an administrative nightmare. ]
Summary Judgment in Downloading Undermines Defense (July 27, 2009)
Opening arguments are set to begin on Tuesday, July 28 in the filesharing case against a Boston University student. Joel Tenenbaum's defense rested on his assertion of fair use, a defense rejected by US District Judge Nancy Gertner on Monday morning when she granted the RIAA's request for summary judgment on the issue of fair use. The Recording Industry Association of America (RIAA) is suing Tenenbaum over 30 recordings he allegedly made available for downloading through the Kazaa filesharing network; he faces statutory damages of up to US $150,000 for each recording if he is found liable for making them available for illegal download. The RIAA says it detected a total of about 800 songs in Tenenbaum's open share folder in 2004. The RIAA has said it is moving away from suing illegal downloaders, instead looking to partner with ISPs to help stem the practice.
-http://www.wired.com/threatlevel/2009/07/riaa-file-sharing-trial-starting/
-http://arstechnica.com/tech-policy/news/2009/07/judge-rejects-fair-use-defense-as-tenenbaum-p2p-trial-begins.ars
Network Solutions Data Breach (July 24, 25 & 27, 2009)
Guilty Plea in Movie Uploading Case (July 22 & 23, 2009)
A California man has pleaded guilty to uploading a copyrighted work being prepared for commercial distribution. Owen Moody uploaded a pirated copy of Slumdog Millionaire to the Internet. Moody found the file on a website where someone else had uploaded it from a screener copy of the movie; screeners are copies of films sent to members of the Academy of Motion Picture Arts and Sciences for consideration as award nominees. Moody faces a maximum penalty of three years in prison and a US $250,000 fine.
-http://www.cybercrime.gov/moodyPlea.pdf
-http://www3.signonsandiego.com/stories/2009/jul/23/man-pleads-guilty-pirating-slumdog/
Adobe Promises Patches for Flash, Reader, and Acrobat By End of Week (July 23, 24 & 27, 2009)
Thousands of people who have shopped at certain online retailers have found unexpected charges on their credit card statements. The culprits are companies that operate web loyalty programs. An offer to try the service for a brief period pops up during the purchase process. It may ask for a seemingly innocuous piece of information such as an email address - many online shoppers have junk email addresses - to get past the page. What is not so obvious is the agreement, buried in fine print, that allows these third parties access to the shopper's credit card information held by the retailer; the companies apparently pay the retailers a fee for that access, so the shopper never re-enters a card number and may not realize a separate billing relationship has been created. The companies, which include Vertrue, WebLoyalty and Affinion, maintain that their actions are all legal. However, the fact that the offers appear during the checkout process, which can be frustrating under the best of circumstances, suggests the companies are aware that "consumers don't want their products."
-http://news.cnet.com/8301-1023_3-10293633-93.html?tag=nl.e703
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/