*************************** Sponsored By Bit9 ***************************
Webinar: SANS' Chris Brenton on a World Without Malware August 27th; 2:00pm EDT
Register for this FREE webinar to hear Chris Brenton address how to eliminate malware and close the security gap that threatens our nation's infrastructure. Topics include:
- What makes systems vulnerable
- Why we are losing the malware battle
- How to win the war
FTC Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities (August 18, 2009)
The US Federal Trade Commission has issued a final rule on health care breach notification. The rule will require web-based businesses that store or manage health care information to notify customers in the event of a data security breach. Such entities are often not bound by the requirements of the Health Insurance Portability and Accountability Act (HIPAA); this rule addresses that discrepancy. -http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484
[Editor's Note (Pescatore): If my kids grow up to be government agencies, I hope they turn out to be the FTC. Any government agency is my kind of government agency when it issues press releases with headlines like "FTC Says Mortgage Broker Broke Data Security Laws: Dumpster Wrong Place for Consumers' Personal Information." ]
New Gonzalez Indictment Throws Wrench in Plea Agreement (August 17, 19 & 20, 2009)
[Editor's Note (Schmidt): Two points on this story: 1) This type of case has many parallels to a traditional drug case in working informants with the exception that it is even more difficult to monitor what the informant is doing that is of a criminal nature. 2) If true, that this was accomplished using a SQL injection attack, it shows once again how this type of hack should have been prevented by checking for basic and well known vulnerabilities and fixing them. ]
Dept. of Agriculture Agency Bans All Browsers but IE (August 19, 2009)
The US Department of Agriculture's Cooperative State Research, Education and Extension Service (CSREES) has banned the use of all browsers but Internet Explorer (IE). The memo announcing the policy, which applies only to CSREES computers, states that "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations." FDCC does not require agencies to ban the use of non-IE browsers. Some employees say they were told that third-party browsers had allowed breaches. In addition, IE settings can be managed centrally, while other browsers' settings need to be managed locally. -http://www.nextgov.com/nextgov/ng_20090819_3426.php?oref=topstory
[Editor's Note (Schultz): Not all that many years ago there were so many vulnerabilities in IE that this browser fell into disfavor within the information security community. Over time people realized that IE had about the same number of vulnerabilities as did Firefox, something that caused the hysteria over IE to subside. Now the Department of Agriculture (which, by the way, has a much less than stellar record when it comes to security breaches) requires that IE be used. How things change. Also, Microsoft must get a special sense of satisfaction over this victory for IE. ]
THE REST OF THE WEEK'S NEWS
Google Ordered to Disclose Blogger's Identity (August 20, 2009)
In a landmark case, a New York court ordered Google to provide information leading to the identity of a blogger who posted defamatory comments about Canadian model Liskula Cohen. The blog was removed from Google's Blogger.com in March, but Cohen pursued the case to determine the blogger's identity. After the court made its ruling, Google surrendered email addresses and IP addresses associated with the blogger. -http://news.smh.com.au/breaking-news-technology/canadian-model-unmasks-blog-tormentor-20090820-er0x.html
[Editor's Note (Pescatore): The phone companies have to disclose the same type of information about a caller who makes threatening calls. ]
Missouri Woman First to be Charged Under New Cyber Bullying Law (August 18, 2009)
A 40-year-old Missouri woman has been charged with felony cyber bullying for allegedly posting photographs and personal information of a teenager to the Casual Encounters section of Craigslist. Elizabeth A. Thrasher is the first person to be charged under a new law that was enacted after a cyber bullying incident several years ago that ended with the suicide of a 13-year-old girl. Missouri at that time had no law under which to charge the cyber bully. The new law took effect last year. -http://www.theregister.co.uk/2009/08/18/cyberbullying_charges/
[Editor's Comment (Northcutt): Mostly I think the new world order where everyone with a cell phone camera and a laptop is a reporter and everyone with a blog is a publisher is a good thing. But the press has had years to develop a code of ethics balancing the people's right to know with responsible journalism (the first link below is the code of ethics). In the related story in NewsBites, Liskula Cohen, as a Vogue cover girl, is a public figure, but calling her a "ho" and a "skank" is at least in poor taste; however, such language may in fact be protected by the courts. Now Elizabeth A. Thrasher goes a step further: posting pictures, cell phone, email and employer to the Casual Encounters section of Craigslist, apparently because she had an argument with the girl's mother. Because Missouri has explicitly passed cyber bullying laws, it is unlikely that she can claim protected speech. Lori Drew, the lady who was behind the cyber bully activity that led to the death of Megan Meier, is probably going to go free because this legislation was passed after Megan's death. It is sad that we need cyber bully legislation, but apparently we do. ]
Clear Ordered Not To Sell Traveler Data (August 19 & 20, 2009)
A federal court judge in Manhattan has ordered Clear not to sell, transfer, or disclose customer data it collected as part of its airport security expediting service. The company shut down operations in June due to cash flow issues. The company said on its website shortly thereafter that it was seeking to sell the data to another company that would provide similar services, but the judge has nixed that plan; former customers now suing Clear for fees they had already paid are likely to win their suit because the contract they signed said the company would not sell their data. The company has also been ordered to save all pertinent documents. Clear founder Steven Brill is not party to the suit filed by Clear customers because Clear parent company Verified Identity Pass (VIP) creditors asked him to step down in May; he has filed a suit against VIP seeking severance pay. Also competing for whatever assets VIP has left are the company's investors. -http://www.wired.com/epicenter/2009/08/defunct-airport-fast-pass-company-banned-from-selling-customer-biometrics/ -http://news.idg.no/cw/art.cfm?id=37662EF5-1A64-67EA-E4CE3F08FAF4EFCF
[Editor's Note (Honan): The United States needs to implement federal privacy laws similar to the EU's Data Protection Directive to ensure companies cannot trade their clients' personal information without prior consent and to negate the need for other similar cases going to court. ]
Police Investigating Leak of Unreleased Music Tracks (August 19 & 20, 2009)
Webhost and Mobile Carrier Drop Mitnick Due to Attacks on His Accounts (August 19, 2009)
AT&T has informed Kevin Mitnick that it no longer wants him as a customer; it seems that his status as a "celebrity hacker" makes his account an inviting target for script kiddies and the cellular provider no longer wants to direct its resources toward protecting his account from attacks. AT&T made the decision to boot Mitnick after he hired legal representation to complain that his private information was not being adequately protected. Several weeks ago, Mitnick's webhost, HostedHere.net, notified him that it was ending their business relationship. The webhost described Mitnick as "a high profile target." -http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/
West African Undersea Cable Repaired; Six Others Near Taiwan Damaged By Storm (August 18 & 19, 2009)
A damaged section of the undersea SAT-3 cable that provides Internet service to portions of West Africa has been repaired. Nigeria experienced significant outages; Niger and Benin were affected as well. SAT-3 is the only fiber optic cable serving West Africa. In a separate story, six undersea fiber optic cables damaged by a typhoon near Taiwan earlier this month are expected to be repaired by mid-September. The cables carry Internet traffic between the US, North Asia, Taiwan, China, Hong Kong and sections of Southeast Asia. -http://news.bbc.co.uk/2/hi/technology/8206728.stm -http://mis-asia.com/news/articles/damaged-undersea-internet-cables-to-be-fixed-soon
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
As a SysAdmin, I found this course invaluable. It not only gave me the skills I need to audit my own systems, but also gave me some insight on how to better work with external auditors. -Christoper O'Keefe, CPC