SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #78
October 03, 2008
The Twenty Best Jobs in Cyber Security
Tens of thousands of young people are now considering careers in cyber security and wondering about the types of jobs they can expect. To help motivate the best and brightest to do the hard work needed to qualify for this career field, we are publishing a booklet about the best careers in cyber security. On Tuesday we'll turn on a global survey to rate the good jobs but we want to make sure the ones in the survey are a comprehensive set of the ones people like. If you know of a great job title in security (examples already on the list: vulnerability researcher, application penetration tester, security auditor, security maven in the developer organization), send it to us by Monday noon with a job title and a sentence or two about why it is a cool job. Send to apaller@sans.org with subject cool jobs.
Alan
TOP OF THE NEWS
Schwarzenegger Vetoes Data Protection Act (Again)Irish Justice Minister Wants Mandatory Data Loss Reporting
DHS to Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns
THE REST OF THE WEEK'S NEWS
LEGAL ISSUESCourt Says Woman May Sue County Clerk Over Identity Theft
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
NIST Issues Three IT Security Documents
Camera Purchased on eBay Contains Sensitive MI6 Information
Malicious Code Detected on South Korean Military Contractor Systems
DATA PROTECTION & PRIVACY
Chinese Skype Users Under Surveillance
VULNERABILITIES
Denial-of-Service Vulnerability Found in TCP Stack
US-CERT Issues Warning on Clickjacking
DATA LOSS & EXPOSURE
Insurance Brokers' Data Exposed
MISCELLANEOUS
Remote Tracking Software Used to Find Alleged Laptop Thief
***************************** Sponsored By CA ***************************
How can your organization utilize identity management technologies to cost-effectively manage and control user identities and demonstrate security compliance? Information provided in this IDC whitepaper can be used to guide your efforts on how to optimize and improve identity management deployments to make them more efficient. Learn more at http://www.sans.org/info/33884
*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cites and on line any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Schwarzenegger Vetoes Data Protection Act (Again) (October 2, 2008)
California Governor Arnold Schwarzenegger has vetoed the Consumer Data Protection Act. The bill, which was overwhelmingly approved by both the State assembly and the state Senate, would have required companies doing business in the state to put in place specific security measures to protect customer data. It would also have required the companies to provide more details about data breaches involving credit and debit cards to affected individuals. Schwarzenegger said he vetoed the legislation because "the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers." He also opposed the notion of requiring specific security measures, because companies would then be locked into those measures by the law and implementing new protections as new threats arise could prove problematic. Governor Schwarzenegger vetoed a similar bill last year.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116078&intsrc=hm_list
-http://gov.ca.gov/pdf/press/AB1656_Jones_Veto_Message.pdf
[Editor's Note (Schultz): The most recent survey of Californians' opinion of Gov. Schwarzenegger that I have seen indicated that 69 percent of those surveyed disapproved of the way he has conducted himself in office. There should be little wonder why. His veto of the California Data Protection Act is only the most recent of a series of his shooting down legislative initiatives that would have greatly benefited California residents.
(Veltsos): In his comments accompanying the veto, Governor Schwarzenegger acknowledged the need to protect personal information as being "increasingly critical" but noted that "by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state." This logic is flawed - following a security incident, one simply cannot prove that unencrypted information was not stolen. This veto also leaves Minnesota as the sole state with a law penalizing merchants for data breaches, the Plastic Card Security Act of 2007.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9020923]
Irish Justice Minister Wants Mandatory Data Loss Reporting (October 2, 2008)
Irish Justice Minister Dermot Ahern may mandate reporting the loss or theft of any device that holds personally identifiable information. The requirement would apply to government departments and state agencies as well as banks and other organizations. Mr. Ahern wants to implement mandatory prompt reporting of such incidents to the Data Protection Commissioner; the public would be notified in serious cases. In the last year alone, 35 government laptop computers and other data storage devices have been lost or stolen. Labor Party Spokesperson for Education and Science Ruairi Quinn TD has expressed concern and disbelief that just three of 15 government departments have encrypted their IT systems.-http://www.irishtimes.com/newspaper/ireland/2008/1002/1222815460443.html
-http://www.siliconrepublic.com/news/article/11538/cio/lack-of-encryption-in-gove
rnment-departments-riles-quinn
DHS to Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns (October 1, 2008)
The US Department of Homeland Security (DHS) plans to go ahead with the first phase of a satellite surveillance program called the National Applications Office (NAO) despite concerns that NAO may not comply with privacy laws. Through NAO, US government officials at the federal, state and local levels gain access to data gathered by spy satellites to help them with emergency response and domestic security issues. A recent report from the Government Accountability Office (GAO) says that there is no "assurance that NAO operations will comply with applicable laws and privacy and civil liberties standards."-http://online.wsj.com/article/SB122282336428992785.html?mod=googlenews_wsj
************************* SPONSORED LINK *******************************
1) 2-Day Training Class Hosted by the FISMA Center FISMA 101: Certification & Accreditation Concepts November 13-14, 2008 Columbia, Maryland http://www.sans.org/info/33889
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
Court Says Woman May Sue County Clerk Over Identity Theft (September 30, 2008)
An Ohio appeals court has reversed a lower court decision that dismissed an identity theft lawsuit brought against the Hamilton County clerk of courts, allowing Cynthia Lambert the right to proceed with her lawsuit. Lambert had sued the clerk, Greg Hartmann, after her identity was used fraudulently following the posting of an image of a 2003 speeding ticket that contained personally identifiable information, including her Social Security number (SSN), online. Someone using a phony driver's license under Lambert's assumed identity made purchases totaling more than US $20,000. The driver's license number used by the data thief differed from Lambert's actual license number by one digit, the same error made by the recording officer at the time the ticket was written.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115900&source=rss_topic17
[Editor's Note (Schultz): The best solution for reducing data security breaches is holding those who were negligent in defending against them responsible for damages incurred. To its credit, the Ohio appeals court in this story has acted accordingly. ]
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
NIST Issues Three IT Security Documents (October 2, 2008)
The US National Institute of Standards and Technology (NIST) has released three documents that offer guidance on issues of information security. SP 800-121, Guide to Bluetooth Security, provides recommendations for securing implementations of Bluetooth technology. SP 800-115, Technical Guide to Information Security Testing and Assessment, offers guidance for designing and conducting security tests, analyzing the data generated by those tests, and implementing solutions to detected problems. Both documents are in final form. SP 800-82, Guide to Industrial Control Systems (ICS) Security, is a draft document providing recommendations for securing Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other system configurations. Public comment on this document will be accepted through November 30, 2008.-http://www.gcn.com/online/vol1_no1/47273-1.html?topic=security
-http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf
-http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
-http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
Camera Purchased on eBay Contains Sensitive MI6 Information (September 30, 2008)
A man from Hemel Hempstead, England who purchased a camera from eBay for GBP 17 (US $30) found it contained data from MI6, the British Secret Intelligence Service, including pictures of rocket launchers, log-in information for an encrypted Secret Service remote computer network and detailed information about terrorist cells. The man notified police, who initially did not take him seriously. However, several days later, Special Branch officers went to the man's home and seized the camera and his computer. He was also told not to speak to the media. MI6 is trying to determine the identity of the agent responsible for the leak. In a separate case, the civil servant who left top secret documents on a train will be charged with violations of the Official Secrets Act.-http://www.theregister.co.uk/2008/09/30/mi6_camera_sold_ebay/
-http://www.washingtonpost.com/wp-dyn/content/article/2008/09/30/AR2008093000994_
pf.html
-http://blogs.computerworld.com/mi6_camera_for_auction_on_ebay
[Editor's Note (Northcutt): We keep assuming that people do data deletion when they surplus items, but we don't check. I bring this up in the class I teach, Security Leadership Essentials, and can tell I am not connecting with the students. Policy only works if someone takes the compliance role seriously and tests for compliance. ]
Malicious Code Detected on South Korean Military Contractor Systems (September 29 & October 1, 2008)
Malicious code has been detected on the computer systems of two companies that provide weapons and vessels to the South Korean military. LIGNex1, which manufactures guided missiles, discovered the code in March, 2008; Hyundai Heavy Industries, a naval vessel manufacturer, found the code last month. The National Security Research institute believes the people responsible for the code's presence likely used it to steal information.-http://english.chosun.com/w21data/html/news/200809/200809290015.html
-http://www.scmagazineuk.com/South-Korean-defence-suppliers-uncover-malicious-cod
e/article/118477/
[Editor's Note (Veltsos): Government and defense contractors are prime targets due to the sensitive nature of the data that they are entrusted with; extra vigilance is required as attackers may use custom-built malware to obtain military-grade secrets.
-http://www.cio-today.com/news/Symantec-Warns-of-Federal-Threats/story.xhtml?stor
y_id=022002NPN6WO
-http://www.reuters.com/article/domesticNews/idUSN1638118020070717?sp=true]
DATA PROTECTION & PRIVACY
Chinese Skype Users Under Surveillance (October 2 & 3, 2008)
Researchers and human rights activists have uncovered a surveillance program in China that eavesdrops on the communications of Skype, which operates in China as Tom-Skype. The system looks for certain words and phrases that could indicate the conversations are addressing controversial political and social issues, including Falun Gong, democracy and powdered milk. The researchers discovered the surveillance system in September when one of the researchers noticed that each time he typed in a certain word, the message was sent to a certain Internet address. He found that the messages were bring stored on Tom Online computers.-http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?partner=rssny
t&emc=rss&pagewanted=print
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9116099&source=rss_topic17
-http://www.vnunet.com/vnunet/news/2227440/chinese-government-spying-skype
-http://news.bbc.co.uk/2/hi/science/nature/7649761.stm
VULNERABILITIES
Denial-of-Service Vulnerability Found in TCP Stack (October 2, 2008)
Swedish researchers have uncovered flaws in the TCP stack that could be exploited to create denial-of-service conditions. The attack can be carried out in less than five minutes and exploits the way resources are allocated after a successful three-way handshake. The problem was discovered while the researchers were testing a scanning tool. More information about the issue is expected to be presented at the T2'08 Information Security Conference later this month in Helsinki.-http://www.securityfocus.com/brief/831
-http://news.cnet.com/8301-1009_3-10056759-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.heise-online.co.uk/security/Speculation-surrounds-DoS-vulnerability-i
n-the-TCP-protocol--/news/111651
US-CERT Issues Warning on Clickjacking (September 26 & 29, 2008)
Concerns about clickjacking, a cross-platform browser attack technique, have prompted the US Computer Emergency Readiness Team (US-CERT) to issue a warning. Until a fix is available, users can protect themselves by disabling scripting and plug-ins in their browsers. The researchers who discovered the clickjacking vulnerability had planned to present their findings at a conference in September, but grew concerned about the technique's severity and chose to notify vendors and allow them time to develop fixes.-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=210604261
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9115818&source=rss_topic17
-http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by
DATA LOSS & EXPOSURE
Insurance Brokers' Data Exposed (September 30, 2008)
Blue Cross & Blue Shield of Louisiana is offering one year of free credit monitoring to 1,800 insurance brokers whose personally identifiable information was accidentally exposed. In late September, the insurance company sent out an email alerting the brokers to a software upgrade; a document containing all the brokers' phone numbers, addresses and SSNs was inadvertently attached to the message. Blue Cross has asked the brokers to delete the data and confirm that they have done so; the company has made changes to ensure that a similar error does not occur.-http://www.businessinsurance.com/cgi-bin/news.pl?id=14084
MISCELLANEOUS
Remote Tracking Software Used to Find Alleged Laptop Thief (October 1 & 2, 2008)
A White Plains, NY man used remote tracking software to identify the person who stole his laptop computer. Jose Caceres's computer was stolen when he left it on top of his car while carrying items into his home. His initial attempts at using remote tracking software to find the culprit yielded little more than the thief's fondness for pornography, but eventually the suspect typed in his name and address while registering on a website. Caceres was able to provide police with adequate information for them to arrest Gabriel Mejia, who has been charged with grand larceny.-http://www.theregister.co.uk/2008/10/02/laptop_theft_suspect_busted/print.html
-http://www.cnn.com/2008/TECH/10/01/laptop.tracker.ap/index.html?eref=rss_tech
*************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/