If you work in the federal cyber security space, or in any organization subject to FISMA regulation, the first story in Top of the News reports the most sweeping changes in FISMA regulation since the law was written. Huge opportunities for contractors who get on board fast. End of the road for contractors who try to keep producing paper reports.
The two most important meetings on pen testing are both happening in June in the Baltimore area. If you have a security clearance and you are actively using pen testing for the military, try to get a seat at NSA's ReBl [Red Blue] symposium. NSA is the most respected government knowledge source for penetration testing and vulnerability assessment, and they have done a great job of sharing that knowledge. At ReBl the top government researchers share what they are learning. In the same city (Baltimore) on June 14-15 (just before ReBl) is the workshop where the most advanced new techniques are discussed in an unclassified setting. It's called the Pen Testing Summit. See: http://www.sans.org/pen-testing-summit-2010/
**************** Sponsored By Trusted Computer Solutions **************** Are your IT systems exposed because your operating systems are not sufficiently locked down? Let Security Blanket create a secure foundation by ensuring systems are automatically and consistently hardened to industry standards such as DISA STIGs, and SANS CAG Top 20 Critical Controls. Security Blanket has got you covered. Try it out for FREE today! http://www.sans.org/info/58318 *************************************************************************
TRAINING UPDATE -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report http://www.sans.org/sansfire-2010/
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat http://www.sans.org/rocky-mountain-2010/
Google Attackers Reportedly Stole Single Sign-On Source Code (April 19 & 21, 2010)
The cyber attacks on Google's corporate systems disclosed in January apparently targeted a password system, according to an unidentified person with knowledge of the internal investigation. The system, code-named Gaia, controls users' access to the majority of Google's web services. The Single Sign-On system, as it is now known, allows users to sign in once to access many services. The attackers appear to have been after the software, not user passwords. Google has been bolstering the security of its systems in the wake of the attacks. The attackers appear to have made their initial foothold in Google systems through an employee in China using Microsoft Messenger. From there, the intruders maneuvered their way into a Google software repository used by the company's development team. The theft could spell long-term liability problems for Google. -http://www.nytimes.com/2010/04/20/technology/20google.html?src=me&ref=techno logy -http://content.usatoday.com/communities/technologylive/post/2010/04/liability-is sues-raised-over-google-gaia-system-hack-/1
Researchers' GSM Network Exploits Pull Sensitive Information on Cell Phone Users (April 22, 2010)
Researchers Nick DePetrillo and Don Bailey have found a way to use weaknesses in GSM mobile networks to discover most US cell phone users' phone numbers, listen to their voice mail and track the location of almost any GSM-enabled devices in the world. Their technique involves tricking the GSM caller ID system into providing a virtual phone book of all cell phone numbers. The technique is not illegal, nor does it breach terms of service agreements. DePetrillo and Bailey presented their findings at a recent conference in Boston. -http://www.theregister.co.uk/2010/04/22/gsm_info_disclosure_hack/ -http://news.cnet.com/8301-27080_3-20002986-245.html [Editor's Note (Skoudis): This is indeed a startling flaw. The more researchers peel back the curtain on mobile phone security, the worse it looks. I was working at Bellcore when a lot of this stuff was deployed in the early and mid 1990's. I remember major security efforts then were targeted at preventing bad guys from listening to cell phone calls. But, the infrastructure was never built to stop data leakage and other attacks. ]
**************************** Sponsored Links: *************************** 1) Just added: 2 bonus sessions at this year's SANS Security Architecture Summit April 24th -26th in Las Vegas. http://www.sans.org/info/58323
2) The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment leaders in the world. http://www.sans.org/info/58328
3) Save $350 on the SANS Forensics and Incident Response Summit when you book by May, 26 2010. http://www.sans.org/info/58333 *************************************************************************
THE REST OF THE WEEK'S NEWS
McAfee Anti-Virus Update False Positive Causes Endless Boot Loop for XP SP3 Users (April 21 & 22, 2010)
Microsoft Working on Third Fix for Cross-Site Scripting Filter (April 20 & 21, 2010)
Microsoft is working on another fix for a vulnerability in the cross-site scripting (XSS) filter in Internet Explorer 8 (IE 8). Ironically, the filter could be exploited to allow XSS attacks on sites that are not otherwise vulnerable. Microsoft has fixed the filter twice this year already, but those fixes have been shown to allow injected threats. The new fix is scheduled for June. The fact that a feature designed to protect users from attacks has been fixed twice already because it has presented additional vectors of attack raises questions about whether the feature should be removed from IE 8. Microsoft's David Ross believes that the protection offered against standard XSS attacks outweighs the dangers posed by the vulnerabilities in the filter. -http://www.theregister.co.uk/2010/04/20/microsoft_ie_xss_fix/ -http://www.h-online.com/security/news/item/Microsoft-to-fix-further-vulnerabilit ies-in-IE-8-XSS-filter-982864.html [Editor's Note (Skoudis): I'm glad that Microsoft finally incorporated an XSS script filter in IE. But, I was playing with it in the lab about a month ago, sending all kinds of malicious scripts to it. I found that it was actually hard to get it to trigger on any of my malicious scripts. I wasn't even _trying_ to evade it, but it took some really blatant attacks before it actually engaged. ]
20 Critical Security Controls Informs State Dept's Successful Security Risk Reduction Program (April 20, 2010)
The US State Department's cyberspace monitoring strategy was designed with the 20 "Critical Controls in mind," says the department's Chief Information Security Officer John Streufert. Streufert's team analyzed 1,700 unclassified attacks from the 11 months prior to 2009 for connections to the controls and found they applied. The team then turned to penetration testing and found that 80 percent of attacks deemed successful exploited known vulnerabilities. He then automated monitoring of the key controls, highlighted every office in State that was doing well and badly, motivating them to improve security, and reduced risk by over 90% across all offices around the world. -http://cybersecurityreport.nextgov.com/2010/04/state_dept_success_revealed.php [Editor's Note (Paller): An interactive guide to the tools that automate the 20 Critical Security Controls can be found at -http://www.sans.org/critical-security-controls/interactive.php If a tool is there, it plays an important role in automating one or more of the 20 critical controls. ]
Google Looking Into Increased Pharmaceutical Spam Through Gmail (April 20, 2010)
Google is investigating reports that some Gmail accounts have been hijacked and used to send pharmaceutical-touting spam. The accounts appear to have been accessed through Gmail's mobile interface. There has been some speculation among users about a possible bug in the mobile interface, but Google says that its "investigations has not given any indication of a bug in Gmail, either in the mobile interface or otherwise." Users who believe their Gmail accounts have been compromised are urged to change their passwords and to follow advice found at -http://www.google.com/help/security/. The spam attack does not appear to be connected to the Gaia code attack. One woman whose entire contact list was spammed said the messages were sent from a mobile connection in Serbia. -http://www.computerworld.com/s/article/9175857/Drug_dealing_spammers_hit_Gmail_a ccounts?source=rss_news
Mozilla Disabling Java Deployment Toolkit to Protect Users From Attacks (April 20, 2010)
Two Arrested In Connection with Fraud-Enabling Site (April 19, 2010)
Two men have been arrested in Eastern Europe in connection with a website that peddled services to aid identity thieves. Dmitry Naskovets and Sergey Semashko were both arrested on April 15 -- Naskovets in the Czech Republic and Semashko in Belarus. According to Naskovets's indictment, the two men allegedly launched the website, CallService.biz, in Lithuania in 2007. The site offered services of people who spoke fluent English and German to help people with their fraud schemes - sometime financial institutions require telephone authorizations to authorize transactions. The site allegedly helped more than 2,000 people commit more than 5,000 fraudulent transactions. The FBI has seized the website. US authorities are seeking to extradite Naskovets, and Semashko is facing charges in Belarus. -http://www.wired.com/threatlevel/2010/04/callservicebiz/ -http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo041910b.htm
Discarded Copiers Hold Sensitive Data on Hard Drives (April 15, 2010)
A CBS news investigation found that the hard drives of four digital copy machines purchased second hand at a New Jersey warehouse contained treasure troves of personally identifiable information, including police files on domestic violence and sex crimes; copies of pay stubs and checks; and sensitive medical information such as test results, prescriptions and diagnoses. Each machine cost approximately US $300. A survey conducted by Sharp two years ago indicated that 60 percent of Americans do not know that copiers store images on their hard drives. -http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml [Editor's Note (Northcutt): This has been the hot topic of the GIAC Advisory board for today. Anything with a hard drive can be scoured for information even if you believe the drive is damaged, it should be cleared, degaussed or destroyed. ]
********************************************************************** The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
SANS is the ultimate security training program, bar none. It is the most intensive and informative security conference available. It's a must have for infosec professionals. -Aaron Despain, TriWest Healthcare Alliance