****************** Sponsored By Absolute Software Corp. *****************
Laptop Data Security Webinar
In this webinar, Jack Heine, Research VP, Gartner, and David Holyoak, CIO of accounting firm Grant Thornton, discuss how to facilitate mobility while minimizing the risk of data exposure. These leading experts discuss the limitations of encryption and the critical layer of security provided by web-based tracking and anti-theft capabilities.
The US House Committee on Science and Technology has passed the Cybersecurity Enhancement Act of 2009 (H.R. 4061), which "is based on the concept that in order to improve the security of our networked systems ... the federal government must work in concert with the private sector," according to committee chairman Bart Gordon (D-Tennessee). The legislation incorporates elements of two bills that were approved by House subcommittees earlier this year. It would require the National Institute of Standards and Technology (NIST) to take the lead in US involvement in the development of international cyber security standards, and it would require federal agencies to establish strategic long-term cyber security research and development plans. The bill also incorporates recommendations made in the 60-day Cyberspace Policy Review.
-http://www.scmagazineus.com/house-committee-passes-cyber-rd-standards-bill/article/158110/
-http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR4061:/
[Editor's Note (Paller): This well-meaning bill breaks the first law of cybersecurity - that offense must inform defense. By giving NIST added responsibilities without ensuring that the federal agencies that understand offense (especially US-CERT and NSA's VAO and DoD's DC3) shape the guidance that NIST publishes, the Science and Technology Committee is asking the Congress to extend the dismal record that such NIST-only guidance has had, and puts the nation's systems at substantially greater risk.
(Schultz): I must admit that I am astounded that NIST has so much in recent years assumed the proverbial driver's seat in US government information security related issues.
(Pescatore): At first glance, mostly just reinforces NIST's position, helps drive the SCAP efforts, and a few cats and dogs around other R&D efforts. However, odd things often get jammed into the details as bills like these proceed.
(Northcutt): Not the easiest reading. Near as I can tell, this is to kick off a plan within 12 months. Goals include automated checklist, international standards, a private public partnership, serious money in research grants and improvement of identity management while improving the number of females and minorities working in the field. All sounds good, hopefully the money is not given to the usual suspects and some real work gets done.
(Ranum): Cybersecurity is not so much a "Research and Development" problem as it is a "Stop and Clutch the Bleeding" issue. ]
NSA Helping to Harden Operating Systems (November 7, 18 & 19, 2009)
(Honan): I really don't see the benefits legislating against P2P use will bring. Its usage is already against most Government agencies' policies. More policies and laws don't stop people doing things they shouldn't, catching them and punishing them does.]
A security consultant who purchased an ATM secondhand through Craigslist found that it still held a log of hundreds of transaction details. Hundreds of the cash machines are sold second hand through online sources such as eBay and Craigslist. The US has no restrictions on who may own or operate an ATM; thieves could conceivably set up their own machines loaded with skimmers and other data detection technology. A cash machine with a skimmer attached was set up in the lobby of the Defcon security conference in Las Vegas last summer.
-http://www.theregister.co.uk/2009/11/18/second_hand_atm_fraud_risk/
[Editor's Note (Northcutt): Dude! You can't be serious, you put your debit card in a cash machine at Defcon? Or is it wiser to say any casino in Vegas that is not being watched by a security camera? I have been thinking about this for a while and we have created a checking account only for debit card use. We limit how much we put in that account, but have another account with the same bank with more money that can do an online transfer to the debit card checking account. This way, my maximum loss should be limited. I am working with Bank of America because they have so many ATMs, but my research says that Wells Fargo is also pretty flexible for online banking needs.
-http://www.wired.com/threatlevel/2009/08/malicious-atm-catches-hackers/
-http://blogs.zdnet.com/security/?p=3843
By the way, I have lost the link to the internal memo that was sent by the manager to Riviera hotel employees for what to and what not to do or report during Defcon, if anyone has that, please shoot it to me.]
UK Police Charge Two in Connection With Zeus Trojan (November 18, 2009)
Man Pleads Guilty in ATM Skimming Case (November 16 & 17, 2009)
Victor Vasile Constantin has pleaded guilty to bank fraud and identity theft charges for his role in an ATM skimming scheme. Constantin installed skimming devices on ATMs in Fairfield County, Connecticut, to capture the data encoded on ATM cards' magnetic stripes, and installed cameras that recorded the PINs customers entered. Over the course of three months, Constantin stole about US $150,000 from Bank of America customer accounts. He faces up to 32 years in prison.
-http://www.theregister.co.uk/2009/11/17/bank_of_america_skimming_plea/
-http://www.connpost.com/ci_13801630
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/