******** Sponsored By SANS Log Management Summit at SANSFIRE ************
Washington DC, July 12-14, 2006
More than 15 users will be sharing surprising stories about how their log management systems caught insider criminals, stopped the spread of worms and more. The Summit is the only place you can learn how to deploy log management for maximum impact. Don't miss it. You get a big discount if you are also attending classes at SANSFIRE. Registration information:
SANSFIRE: http://www.sans.org/sansfire06
Log Management Summit: http://www.sans.org/logmgtsummit06
DSS Resumes Processing Some Clearance Applications, Draws Ire of Legislators (19/17 May 2006)
Although the Defense Security Service (DSS) has resumed processing certain security clearance applications, US legislators are angry that the shutdown occurred at all. Officials have been ordered to develop a plan within six months to permanently solve the clearance-processing problem. Clay Johnson, acting director of the Office of Management and Budget (OMB), acknowledged that not informing Congress about the lack of necessary funds and impending processing halt was "a mistake."
-http://www.fcw.com/article94594-05-19-06-Print
-http://www.fcw.com/article94560-05-17-06-Web
[Editor's Note (Pescatore): What is really needed is a review to determine if the clearance process actually provides any security value, and if security clearances are being required for positions that really don't need them. A knee-jerk reaction to just throw more money to pay for more background investigations just perpetuates long-time problems in the entire process.
(Weatherford): I wonder if this temporary shutdown was simply a way for DSS to cry for help and get the government's attention. This has been a problem for years. Maybe now they will get the funding required to eliminate the backlog.
(Shpantzer): The situation is so bad that some technical staffing companies providing cleared employees to the government actually put the cart before the horse: They find cleared people first, then train them up to technical requirements... If that's not scary, I don't know what is.
(Paller): The "clearance first" policies of many agencies have led them to make people who have never secured a system responsible for telling people how to secure systems. In other agencies, contractors with abominable delivery records are being kept on, over the objections of those who take security seriously, because the ineffective contractors have people with clearances.]
Update to UK's CMA Could Prohibit Flaw Disclosure and Network Monitoring Tools (19 May 2006)
While the UK's Police and Justice Bill will update the country's Computer Misuse Act (CMA) to allow prosecution for denial-of-service attacks and other cyber crimes that were not on the radar when it became law, there is some concern that it could also allow individuals to be prosecuted for disclosing details about flaws that have not yet been patched or making network monitoring tools available. The House of Commons recently passed the Police and Justice Bill; the House of Lords will consider the bill in the next several months.
-http://news.zdnet.co.uk/business/legal/0,39020651,39270045,00.htm
[Editor's Note (Honan): Legislators need to be careful they focus the legislation on the intent of the individual rather than the tools held by that person. After all a screwdriver is a useful tool to help me fix items around the house but can also be used to break into someone else's home.]
Trojan Exploits Unpatched MS Word Hole (22/19 May 2006)
A Department of Veterans Affairs employee who took electronic data home without authorization has been placed on administrative leave following a burglary at his home during which the data were stolen. The employee was not authorized to take the files home; the FBI, local law enforcement agents and the VA's inspector general are investigating the incident. The data include the Social Security numbers, names and birthdates of all US veterans who have served in the military and have been discharged since 1975, an estimated 26.5 million US veterans. There is no evidence the data have been used. The VA is taking steps to inform veterans of the data security breach and has established a web site and a toll free number to address veterans' concerns.
-http://www.usatoday.com/tech/news/2006-05-22-vadisk_x.htm
-http://www.gcn.com/online/vol1_no1/40840-1.html?topic=security (Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/05/22/AR2006052200709_pf.html
-http://www.msnbc.msn.com/id/12916803/
[Editor's Note (Northcutt): I happen to be a veteran so I used this as an opportunity for field research. To get the toll free number you need to go to -http://www.firstgov.gov/veteransinfo.shtml and the phone number, 1-800-333-4636 is at the very bottom of the article. When I called, there was a recorded message with the same information as the web site. Eventually, I got a person. I explained that I was a veteran and I wanted to validate the accuracy of the data they had recorded for me. Note that is a basic OECD privacy principle. Joshua, after a one minute pause, tried to send me back to www.firstgov.gov. I don't wish to appear as mean or cynical, but I am concerned. More than a couple veterans have suffered injuries due to their time in service and might be particularly vulnerable to identity attacks. If there is someone from the VA or the government with authority, I am happy to volunteer to participate on, or even lead a testing team to ensure the processes in place to help veterans actually work. Right now they don't.
(Multiple): If the employee was not authorized to take the data home then he should not have been able to do so. Simply having a policy statement prohibiting certain courses of action does not guarantee the statement will be adhered to nor that the data will be secured. Controls and mechanisms need to be implemented to support and manage compliance to policy statements and maintain the integrity of the resources being secured.]
Three Sentenced for Music Piracy Activity (19 May 2006)
Three men have been sentenced for their roles in groups that post pre-release music to the Internet. George S. Hayes pleaded guilty to one count of copyright infringement and was sentenced to 15 months in jail. Aaron O. Jones and Derek A. Borchardt pleaded guilty to one felony count of conspiracy to commit copyright infringement. Jones received a sentence of six months in jail followed by six months of home confinement; Borchardt was sentenced to six months home confinement. A fourth man, Matthew Howard, will be sentenced next week. The men were caught through the efforts of the FBI's ongoing Operation FastLink, which targets piracy groups.
-http://www.infoworld.com/article/06/05/19/78530_HNwarez3_1.html
-http://www.australianit.news.com.au/articles/0,7204,19215726%5E15318%5E%5Enbv%5E,00.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Alleged Software Pirate Settles Microsoft Civil Suit (22/19 May 2006)
Ohio University Revamps Computer Services After Three Breaches (21 May 2006)
A series of attacks on Ohio University servers has prompted a reorganization of the school's computer services department. While the attacks were only recently disclosed, at least one of the servers may have been accessible to intruders for more than a year. This particular server holds the Social Security numbers of more than 137,000 individuals. Ohio University was alerted to the breach when the FBI discovered that one of the servers was being controlled remotely. A technician has been placed on paid administrative leave.
-http://news.com.com/2102-7349_3-6074739.html?tag=st.util.print
Data Security Breach at Retailer Affects Texas Bank's Customers (19 May 2006)
About 100 customers of Texas-based Frost Bank were victims of cyber thieves who stole debit card data from an unnamed retailer and used it to commit identity fraud. Frost Bank is notifying all 9,300 affected customers and informing them they will have all stolen money restored to their accounts. Visa USA has acknowledged that it was alerted to the data theft and that it notified the institutions that issued the affected cards.
-http://www.mysanantonio.com/business/stories/MYSA051906.01E.frosttheft.216bbd06.html
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely
recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Roland Grefer is an independent language consultant based in Clearwater,
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit