********************** Sponsored By Symark Software *********************
Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo." http://www.sans.org/info/2786
SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data (4 January 2007)
The revised Federal Rules of Civil Procedure, which took effect on December 1, 2006, broaden the types of electronic information that organizations may be asked to produce in court during the discovery phase of a trial. The new types of digital information include voice mail systems, flash drives and IM archives. This will place a burden on organizations to retain the data in the event it is needed in a legal case. Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, in part, "Any party may serve on any other party a request to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..." -http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9007162&taxonomyId=17&intsrc=kc_top -http://www.law.cornell.edu/rules/frcp/Rule34.htm [Editor's Note (Honan): As the legal profession has become more aware of the wealth of information available to them in electronic format, e-discovery is becoming a major issue for organisations and in particular those who manage that information. As with all policies, processes and procedures it is best that you develop one now while you (arguably) have the time rather than make it up in response to an e-discovery request. Make sure to include how to deal with personal electronic devices such as PDAs and pen drives - hint: best to prohibit their use in a corporate environment in the first place. ]
Cisco to Provide CVSS Scores in Advisories (4 January 2007)
The Cisco Product Security Incident Response Team (PSIRT) plans to start including severity scores along with their security advisories. Cisco hopes the system will help users prioritize their patch management based on their particular environments. The severity score will be calculated according to the Common Vulnerability Scoring System (CVSS). Cisco will provide the base and temporal CVSS scores for vulnerabilities in all future advisories. -http://www.vnunet.com/vnunet/news/2171804/cisco-signs-security-reporting
AIB Corporate and Business Customers Get Security Devices (5 January 2007)
AIB (the leading Irish banking and insurance company) has begun providing business and corporate online banking customers in Ireland and the UK with alphanumeric Digipass 550 transaction signature devices to help guard against fraudulent transactions. AIB is the first bank in the world to use these particular devices. The devices provide customers with one-time passcodes, e-signatures and host authentication to help ensure banking transaction security. -http://www.siliconrepublic.com/news/news.nv?storyid=single7574
Two Charged with Accessing Traffic Center Computers, Disabling Signals (8 & 6 January 2007)
Two Los Angeles transportation engineers have entered not guilty pleas to criminal charges for allegedly gaining unauthorized access to Los Angeles' traffic center computers. The two allegedly disconnected traffic signals at four busy intersections shortly before a labor union strike on August 21, 2006. The men have been released on their own recognizance on the conditions that they not access city computers or enter Department of Transportation facilities unless accompanied by their lawyers. One of the men is accused of one count of unauthorized access of a computer and identity theft; the other is accused of one count of unauthorized access of a computer and four counts of unauthorized disruption or denial of computer services. The actions did not cause any accidents, but it took the city days to get the traffic control system back to normal. -http://cbs2.com/local/local_story_008145026.html -http://www.latimes.com/news/local/politics/cal/la-me-trafficlights6jan06,1,1776756.story?coll=la-news-politics-california [Editor's Note (Skoudis): Sometimes, people think of computer security as a glorified video game, downplaying its importance. But, at the interstitial points of computer networks and the Real World illustrated by this story, we can see how serious computer security can be. This is a good story to use for illustrating to management personnel how vital it is for us all to protect our computer networks from intruders. (Schmidt): This is an instance where "penalty enhancements" if convicted should be applied. The danger imposed on the public based on these acts was significant even IF there were no accidents as a result of this action. ]
Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site (5 January 2007)
A 16-year-old Norwegian boy who allegedly ran a file-sharing hub could face up to 60 days in jail and a fine of NOK4,000 (US$630). The teen allegedly used the Direct Connect P2P file sharing program to help make more than 150,000 songs, 7,000 movies and 20,000 video clips available for free downloading. His parents could also face a substantial fine to compensate those in the music and film industries for lost revenue. -http://www.theregister.co.uk/2007/01/05/norwegian_filesharer_charged/print.html [Guest Editor Note (Giannoulis): An article discussing the management of P2P traffic using off the shelf network hardware has been posted on the Leadership Laboratory: -http://www.sans.edu/resources/leadershiplab/controllingp2p.php
(Grefer): To put things in perspective, the average income in Norway is approx. US$45,000. ]
Singapore Man Faces Charges for Unauthorized Wireless Access and Making Threat (5 January 2007)
VA Legislators to Introduce Data Breach Bill (7 January 2007)
Virginia state legislators plan to introduce a data security breach bill when the State Assembly convenes on Wednesday, January 10. The proposed legislation would require government and private agencies to notify individuals whenever their personal information has been accessed without authorization or stolen. The law would give state agencies one year to implement tightened database security. -http://www.wtopnews.com/index.php?nid=600&sid=1025457 [Editor's Note (Schmidt): I am sure the legislators are well meaning and looking to protect the public but trying to comply with 50 plus state data breach laws is a nightmare. If there is not consistency and harmonization of these laws we will be swamped in notifications until we are numb to them. One of the few times where federal preemption might be in order. While not a popular concept it would be much easier to comply with IF crafted properly. ]
SPYWARE, SPAM & PHISHING
Phishers Target UK Taxpayers (8, 4 & 3 January 2007)
File Sharing Program Blamed for Data Leaks (9 January 2007)
Between fiscal 2002 and the end of October 2006, there were 27 incidents in which members of Japan's Ground Self-Defense Force inadvertently exposed information through the Winny file-sharing program. Four additional incidents have been reported in FY 2006. In some cases, sensitive information was exposed. -http://www.yomiuri.co.jp/dy/national/20070109TDY01004.htm
[Editor's Note (Honan): According to the article the 27 leaks were from the personal computers belonging to members of the Japanese Ground Self-Defense Force. It strikes me that the bigger issue here is not the leaks via the Winny software but more so what was the leaked information doing on personal computers in the first place, and what controls are in place to prevent this happening again? ]
Acrobat Reader Flaw Allows Access to Hard Drive; Adobe to Release Patches This Week (8 & 5 January 2007)
Fix Available for OpenOffice Flaw (5 & 4 January 2007)
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/