SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #49
June 22, 2010
TOP OF THE NEWS
Efforts Underway to Train Students to Become Effective Cyber Security Professionals
Study: Board Members Increasingly Distanced from Cyber Security Governance
World Cup Data Networks Protected by Quantum Encryption
THE REST OF THE WEEK'S NEWS
Judge in Filesharing Case Appoints Special Master to Help Parties Negotiate Settlement
Conn. AG Will Lead Multi-State Investigation Into Google Data Collection
French Data Protection Authority Finds Passwords and email Text in Google's Data
NY Gov.'s Consolidation Proposals Would Merge Homeland Security and Cyber Security
InfoSec Budgets Stable or Rising at Many Financial Institutions
Virginia Beach Schools Experience Data Breach
FCC Seeks Comments on Broadband Regulatory Proposals
20-Month Jail Sentence for Spate of Cyber Crimes
Dell Computers May Ship With Google Android OS
********************* Sponsored By ArcSight, Inc. ***********************
REGISTER NOW for the upcoming webcast: Making the Case for SIEM
Sponsored By: ArcSight http://www.arcsight.com/
Featuring Aarij M. Khan
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
-- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, Washington DC, Canberra and Portland all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Efforts Underway to Train Students to Become Effective Cyber Security Professionals (June 21, 2010)
Organizations across the U.S. are making a concerted effort to build a strong pool of cyber security professionals. This year, the Collegiate Cyber Defense Competition drew teams from 83 colleges and universities; in 2005, just five schools provided teams. The US Cyber Challenge brings in promising high school students with the intent of "building the pipeline that will produce our future cyber guardians." The drive has reached even grade schoolers; two school districts in Maryland have launched a pilot "information assurance" career track program.
Study: Board Members Increasingly Distanced from Cyber Security Governance (June 21, 2010)
The 2010 Governance of Enterprise Security Study found that board involvement in security governance has declined. The report, from Carnegie Mellon University's CyLab, found that board members at Fortune 1000 companies are becoming increasingly distanced from decisions regarding information security and privacy. A survey of 66 board members and senior executives found that none ranked computer and data security as a top priority of the board, although 56 percent of respondents did say that risk management improvement is a top priority. Sixty-five percent of respondents said their boards do not review their organizations' cyber security incident insurance coverage. On a brighter note, respondents indicated that IT experience and risk and security experience are important criteria to consider when recruiting new board members. The report offers 10 suggestions for "improv[ing] organizations' security posture and reduc[ing] risk," including the recommendation that boards have IT governance expertise represented in their membership.
[Editor's Note (Schultz): It appears that the CyLab researchers have overlooked the fact that survival, not security, has been the overall theme of many companies since the global economic recession set in almost two years ago. ]
World Cup Data Networks Protected by Quantum Encryption (June 21, 2010)
The data networks being used at the World Cup Soccer Tournament are being protected with quantum cryptography. This type of encryption is thought to be in use by government intelligence agencies and military organizations. Proponents claim the technology "ensure[s] not only the confidentiality but the integrity."
[Editor's Note (Pescatore): I'll betcha the password protecting the quantum encryption system is "vuVuZela!!"
(Northcutt): I think they must mean Quantum Key Distribution, and it is absolutely unbreakable . . . oh, whoops, there was that report from the University of Toronto discussing how to attack Quantum Key Distribution. ]
**************************** Sponsored Links: **************************
1) RETHINKING PROVISIONING: New security and identity management requirements? Get a roadmap for success. Watch webcast! http://www.sans.org/info/60828
2) SPLUNK FOR SECURITY! Free Software Download. With Splunk you can monitor data streams in real time, index, search and analyze historical IT data from a single location in real time.
* See incidents and attacks as they occur
* Monitor application SLAs in real time
* Correlate and analyze events on streaming data
* Track live transactions and online activity
3) IBM's end-to-end security approach helps you safeguard code, identify vulnerabilities, spot malware and block attacks. http://www.sans.org/info/60838
THE REST OF THE WEEK'S NEWS
Judge in Filesharing Case Appoints Special Master to Help Parties Negotiate Settlement (June 21, 2010)
The judge in the Jammie Thomas/RIAA filesharing case has ordered that both parties work with a special master to negotiate a settlement. The first trial, in 2007, ended with a US $222,000 judgment against Thomas. US District Judge Michael J. Davis declared a mistrial because of faulty instructions to the jury, and a new trial awarded the RIAA US $1.92 million. Judge Davis reduced that to US $54,000, saying that damage awards "must bear some relation to actual damages." The RIAA made a settlement offer that Thomas rejected in January; the RIAA then challenged the judge's decision to reduce damages. The parties are expected to engage in settlement proceedings by July 16, 2010. Thomas's attorney does not believe a settlement is likely.
[Editor's Note (Liston): One would think the fact that three wildly different judgments (ranging from $54K to $1.92M) have been entered in this case raises serious questions about how these amounts are calculated. While I don't condone copyright infringement, the fact that the Copyright Act allows juries to award up to $150,000 for each separate instance of infringement is completely divorced from the reality of the financial impact these incidents represent. ]
Conn. AG Will Lead Multi-State Investigation Into Google Data Collection (June 21, 2010)
Connecticut Attorney General Richard Blumenthal has said that attorneys general from more than 30 states have expressed interest in joining an investigation into Google's collection of personal information over unsecured Wi-Fi networks. Google is also facing investigations in a number of European countries. In a press release, Blumenthal noted that Google "must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence." The investigation will look into whether laws have been broken, and also consider "whether changes to state and federal statutes may be necessary."
[Editor's Note (Liston): If your neighbors are having an argument, yelling at the top of their lungs, is it illegal to listen? Is it impolite? Personally, I don't see that Google's "impolite" actions rise to being "illegal." ]
French Data Protection Authority Finds Passwords and email Text in Google's Data (June 18 & 21, 2010)
The French data protection authority, the National Commission on Computing and Liberty (CNIL), reports that Google collected passwords and email messages while gathering images for its Street View feature. CNIL's preliminary study included examination of some of the data collected in France. The study is being conducted to decide whether to prosecute Google for breach of privacy. Google was gathering information about Wi-Fi hotspots to improve location-based services.
[Editor's Note (Honan): This story is a classic example of how technology deployed without due consideration to local or regional legal and privacy regulations can backfire on an organisation. Just because you can do something with technology does not mean that you should; before deploying technology, always make sure you are working within the local regulations. ]
NY Gov.'s Consolidation Proposals Would Merge Homeland Security and Cyber Security (June 18, 2010)
In an effort to trim excess spending from his state's budget, NY Governor David Paterson has added measures to his budget bill that would consolidate some state agencies. Among the proposed mergers is the creation of the Division of Homeland Security and Emergency Services, which would incorporate the Office of Homeland Security, the Office of Cyber Security and Critical Infrastructure Coordination and three other agencies. The proposed merger would save the state US $1.5 million annually. NY Cyber Security Office director William F. Pelgrin has long advocated the importance and value of his agency working with the Office of Homeland Security.
InfoSec Budgets Stable or Rising at Many Financial Institutions (June 18, 2010)
Financial organizations around the world are reporting stable or even increasing information security budgets, according to Deloitte's annual survey of security spending and priorities at financial institutions. Fifty-six percent of respondents said their information security budgets had increased. The percentage of respondents who reported insufficient budgets as a barrier to effective information security fell from 56 percent in 2009 to 36 percent in 2010. The security priorities most cited by respondents are identity and access management; data protection; security infrastructure improvement; regulatory and legislative compliance; and compliance remediation. This marks the first year in the survey's seven-year history that information security compliance ranked among the top five priorities; this is likely driven by regulators stepping up compliance enforcement.
[Editor's Note (Schultz): If the survey results are valid, they would suggest that now is a prime time for information security managers to capitalize upon opportunities.
(Honan): Two interesting points from the survey that I took away. Firstly, given the hype surrounding cloud computing it is interesting to note that there is little or no mention of security concerns relating to Cloud computing. Secondly, the report states "The alignment of security and business objectives is lacking". This comment combined with the study from Cylab highlighting that board members are increasingly distanced from Cyber Security governance (see other item in this issue of NewsBites) indicates that as a profession, we still have a long way to go to prove our value to business and we need to learn how better to engage with senior management. The survey is available at
and makes interesting reading. ]
Virginia Beach Schools Experience Data Breach (June 18, 2010)
Parents of students who attend certain Virginia Beach public schools have been notified that their and their children's personal information may have been compromised. An Ocean Lakes High School student opened a file containing the names, addresses and Social Security numbers (SSNs) of approximately 16,000 students who attend various schools within the district. The file also includes parent names, student class schedules, birth dates and student identification numbers. The breach occurred in early May, but notification was delayed until the police investigation was complete. The student who accessed the information has not been criminally charged, but has been disciplined by the school.
[Editor's Note (Liston): Reading between the lines of the news coverage, it sounds like the ACLs on the file were incorrectly set. While the student who accessed the information should be punished, whoever put a file containing PII in an insecure location should be fired. ]
FCC Seeks Comments on Broadband Regulatory Proposals (June 17 & 18, 2010)
The US Federal Communications Commission (FCC) is seeking comments on three proposals regarding broadband regulation. The FCC was dealt a blow in April when a federal court of appeals ruled that it had exceeded its authority when it ordered Comcast to stop throttling BitTorrent traffic on its network. The first of the proposed plans would change nothing about the FCC's ability to regulate broadband; the second would reclassify broadband as a telecommunications service, subject to stringent regulatory requirements; and the third, favored by FCC chairman Julius Genachowski, would reclassify broadband as a telecommunications service, but relax certain restrictions that the reclassification would impose. The proposals would supersede an older commission ruling that classifies broadband as a lightly regulated information service. Genachowski said the FCC has no intention of regulating Internet content or broadband service pricing.
20-Month Jail Sentence for Spate of Cyber Crimes (June 17 & 18, 2010)
An East Sussex (UK) man has been sentenced to 20 months in jail for a series of computer crimes. Alistair Peckover pleaded guilty to two counts of fraud and admitted to more than 50 additional offenses. Peckover broke into online betting sites and email accounts and stole information that he used to obtain credit cards and open bank and gaming accounts. Last year, Peckover received a suspended sentence for breaking into an online betting site.
Dell Computers May Ship With Google Android OS (June 21, 2010)
Earlier this month, news reports appeared saying that Google was requiring special permission for its employees to use PCs with Microsoft operating systems and Office. Today, Dell is apparently announcing that it will ship systems with the Android OS, with the expectation that users will use Google's cloud-based office platform.
[Editor's Comment (Northcutt): That one caught me by surprise, and today I was slated to work on emerging trends; what irony. I have spent the past few hours installing and working with Chrome and Google Docs and translating back and forth between MS Office. At least for simple stuff it seems to work. I understand, however, that the current version of Google Docs cannot function offline. If anyone works for a company that has transitioned to Google Docs, I would love to hear from you (firstname.lastname@example.org). ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/