ISDPodcast Episode 282 for December 20, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.
Announcements:
SANS Cyber Defense Initiative 2010
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
http://aide.marshall.edu/default.htm
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News/WTF?: http://www.h-online.com/security/news/item/Over-500-patches-for-SAP-1153061.html
SAP released a huge number of so-called Security Notes. An e-mail sent to SAP customers speaks euphemistically of “a significant number of security notes”; it is rumoured there are 525 of these notes. According to the email, the “volume of fixes” was due to the use of new tools and methods in the quality assurance process. The vulnerabilities range from directory traversal and cross-site scripting to SQL injection. However, most of the patches can be applied through a “technical upgrade” to the new product release “SAP Business Suite 7 Innovations 2010”. This then leaves only a handful of patches to be applied manually. Details of the vulnerabilities and the patches have not been made public and are only available to customers with ID and password access to the Service Market Place on SAP sites.
News: http://www.mirror.co.uk/news/politics/2010/12/16/nuclear-security-urgently-reviewed-after-sellafield-is-found-to-be-vulnerable-to-terrorists-115875-22786725/
Nuclear power plant security is being urgently reviewed after Sellafield was found to be vulnerable to a terrorist attack. Special forces carrying out “red team exercises” to test security at high-profile targets are thought to have exposed flaws. A £118million bunker capable of storing enough material to build thousands of nuclear bombs has just been built at the Cumbrian plant.
The policing watchdog, in consultation with MI5, will now carry out a review to boost protection of the site, to prevent a “terrorist spectacular”. But the findings will only be circulated among a group of police chiefs, ministers and spooks. An al-Qaeda cell caught plotting to blow up jets in 2006 also had nuclear sites on its hit-list. A Government spokesman yesterday declined to comment “on security”.
Rick: Sellafield was the location of the “lost” USB stick back in October. Since it contained “details of a proposed workforce transfer and information suggesting International Atomic Energy technicians visiting the site were not sufficiently briefed regarding health and safety regulations”, one has to wonder if that was the catalyst for the review?
News: http://www.pcworld.com/article/214196/bank_of_america_cuts_services_for_wikileaks.html
Bank of America has joined the growing list of financial and technology companies that have cut off services to WikiLeaks, a move that comes amid speculation that the whistleblower site is preparing to release information about the bank.
“Bank of America joins in the actions previously announced by MasterCard, PayPal, Visa Europe and others and will not process transactions of any type that we have reason to believe are intended for WikiLeaks,” the bank said in a statement issued Friday. “This decision is based upon our reasonable belief that WikiLeaks may be engaged in activities that are, among other things, inconsistent with our internal policies for processing payments,” the bank said.
The reaction from WikiLeaks, which on November 28 sparked global controversy by presenting a cache of 250,000 leaked U.S. embassy cables, was swift. “Does your business do business with Bank of America?” said a Twitter message from WikiLeaks late Friday. “Our advice is to place your funds somewhere safer.”
News: http://www.staradvertiser.com/news/hawaiinews/20101216_New_corps_mission_to_parry_cyberthreat.html
Their ranks include snoops and sleuths who cull intelligence obtained from submarines, ships and aircraft, monitor foreign computer traffic, and work with super-secret organizations such as the National Security Agency in Kunia.
There are 2,800 Navy intelligence, information warfare, information/network management, cryptologists and oceanography personnel on Oahu, and 176 received recognition yesterday for accomplishment in a relatively new cadre — the Information Dominance Corps. The group received prestigious warfare qualification pins on the fantail of the battleship Missouri in recognition of their certification — and elevation in importance on the 21st-century battlefield.
In May, Navy Vice Adm. David Dorsett said in a report that command and control, networking, data collection and intelligence would be elevated to a “main battery” in the Navy arsenal.
“Cyberthreat” is the new military buzzword, and Adm. Robert Willard, head of U.S. Pacific Command at Camp Smith, warned in testimony to the House Armed Services Committee in March that “U.S. military and government computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People’s Republic of China).”
News: http://www.dewitt-ee.com/articles/2010/12/15/news/doc4d08eed477f4f744440444.txt
Arkansas County, Arkansas has spent a great deal of time in the past year improving computer security and data back-up plans. This turned out to be worthwhile for a number of reasons, including that this is just what state auditors were looking for.
In its regular meeting, the Arkansas County Quorum Court approved the state audit report for 2009 and heard from elected officials about what they were doing to address the report’s findings. Several of the findings had to do with computer security issues. Arkansas County Judge Glenn “Sonny” Cox pointed out that most of the issues had already been addressed, but had to be reported since the report covered 2009.
Both the Sheriff’s Department and the Circuit Clerk’s office received findings that there were insufficient safeguards on their password systems; specifically, employees were not prompted to change passwords periodically; they were not locked out after three unsuccessful log-ons, and passwords were not sufficiently complex. However, both Sheriff Allen Cheek and Circuit Clerk Sarah Merchant told justices that their offices have received new software that has corrected these problems.
Cox said password security has been much discussed at meetings of county judges, since there is “a lot of mischief going on.” He emphasized that only one or maybe two people should have the master list of passwords. He also cautioned employees never to give their passwords to any of their co-workers.
“Another employee could use your password to steal,” Cox warned. “You can say you didn’t do it, but the computer would say you did.”
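The three controls the audit faulted (periodic password change, lockout after three unsuccessful logons, and complexity), shown as an added Python illustration. This is not the county's software and is not described anywhere on this page; the 90-day rotation interval, the 30-minute lockout window, the length and character-class rules, and the sample account and timestamps are all assumptions.

```python
"""Account-lockout and password-policy checks modelled on the three audit
findings above. Added illustration; every threshold and every sample
account below is an assumption, not something the county deployed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)     # assumed rotation interval
MAX_FAILED_ATTEMPTS = 3                   # threshold named in the audit finding
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed; a permanent lock needs an admin to clear it
MIN_LENGTH = 12                           # assumed minimum length
MIN_CHARACTER_CLASSES = 3                 # assumed: three of upper/lower/digit/symbol


@dataclass
class Account:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def complexity_problems(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses {classes} character classes, need {MIN_CHARACTER_CLASSES}")
    return problems


def password_expired(account: Account, now: datetime) -> bool:
    """Periodic-change control: true once the password is older than MAX_PASSWORD_AGE."""
    return now - account.password_set_at > MAX_PASSWORD_AGE


def record_login_attempt(account: Account, credentials_valid: bool, now: datetime) -> str:
    """Apply the lockout control to one logon and return its outcome:
    'locked' (refused before the password is even checked), 'failed',
    'expired' (correct password but it must be changed) or 'ok'."""
    if account.locked_until is not None:
        if now < account.locked_until:
            # Attempts inside the window are refused and NOT counted; counting
            # them would let an attacker extend the lock indefinitely.
            return "locked"
        account.locked_until = None      # window elapsed: start a fresh count
        account.failed_attempts = 0

    if not credentials_valid:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    account.failed_attempts = 0          # a good logon resets the counter
    return "expired" if password_expired(account, now) else "ok"


def simulate_logons(attempts: List[Tuple[int, bool]], password_age_days: int = 10) -> List[str]:
    """Replay (minutes_after_start, credentials_valid) pairs against one fresh
    account and return the outcome of each attempt. Timestamps are constructed."""
    t0 = datetime(2010, 12, 20, 9, 0)  # assumed start of the working day
    account = Account("clerk", password_set_at=t0 - timedelta(days=password_age_days))
    return [record_login_attempt(account, valid, t0 + timedelta(minutes=m))
            for m, valid in attempts]


if __name__ == "__main__":
    # Three wrong passwords, a correct one inside the lockout window, then one after it.
    print(simulate_logons([(0, False), (1, False), (2, False), (3, True), (35, True)]))
    print(simulate_logons([(0, True)], password_age_days=120))
    print(complexity_problems("password"), complexity_problems("C0rrect-Horse-Battery!"))
```

The point worth noticing is the fourth attempt: the password is correct, but the account is still inside the lockout window, so the logon is refused without the password being checked, and the refused attempt does not push the lock further out.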
News: http://www.zdnet.co.uk/news/security-threats/2010/12/16/size-of-ddos-group-doesnt-matter-security-agency-says-40091193/
The number of people needed to launch a successful denial-of-service attack has been overestimated by the press, according to the European Network and Information Security Agency.
Attacks such as those by pro-Wikileaks groups need significantly fewer participants than has been reported, the European Network and Information Security Agency (Enisa) said on Tuesday. Visa was taken down by a distributed denial-of-service (DDoS) attack from roughly 500 machines, Ulf Bergstrom, Enisa’s spokesman, told ZDNet UK on Thursday.
“An attack can be constituted by much fewer machines [than was thought], and that is quite concerning and quite an important point to make,” Bergstrom said.
DDoS attacks against Wikileaks, Visa, PayPal and various government sites all demonstrated that “size doesn’t matter: the number of computers used in the attacks was relatively small (in the hundreds). Some press reports claim over six times the real number, which is indicative of the unreliability of information about botnets”, Enisa wrote in a statement on Wednesday.
News: http://www.darkreading.com/insider-threat/167801100/security/client-security/228800755/compliance-means-getting-a-handle-on-insider-threats.html
[Excerpted from "Compliance From The Inside Out," a new report posted this week on Dark Reading's Insider Threat Tech Center.]
When you talk about security and compliance, you typically think about protecting the organization from external attackers who want to steal sensitive corporate information. But in many cases, the reason companies fare poorly with audits has nothing to do with those bad guys but, rather, with internal threats.
Small wonder. These are, after all, people we trust (there’s a reason Dante put traitors at the lowest depths of hell). But the facts tell us we are at high risk from internal attack. Studies conducted jointly by CERT and the U.S. Secret Service show about half the companies responding have experienced at least one insider incident, and about a third of all electronic crimes were committed by insiders.
What’s more, the definition of “insider” is expanding beyond “employee” — insiders include contractors, temporary workers, vendors, clients and everyone else with trusted access to company resources. The internal threat is real, and auditors take it seriously. They consider risk regardless of source, so they evaluate controls against internal as well as external threats.
To build the proper internal controls to meet these auditors’ requirements, you must consider the nature of insider threats, the regulatory hot buttons that auditors look for, and strategies to minimize risk and protect your assets.
News: http://www.infosecurity-us.com/view/14761/california-agency-loses-medical-records-in-the-mail
A magnetic tape containing unencrypted sensitive personal and medical information for up to 2,550 facility residents, employees, and health care workers at 600 southern California nursing care facilities was lost in the mail, according to the California Department of Public Health (CDPH).
The information on the lost tape includes: social security numbers for CDPH employees, facility residents, and health care workers; employee e-mails; investigative reports; and the names of residents and some information on their medical diagnosis, the agency said in a statement.
Kevin Reilly, the CDPH chief deputy director for policy and programs, was quoted by the HealthLeaders Media website as saying, “This is definitely the largest breach of confidential and private information we’ve had at the Department of Public Health.”
The incident occurred when a CDPH field office in West Covina, Calif., sent a magnetic tape in the mail to the central office in Sacramento as part of the procedure for backing up its computer data. On September 27, 2010, the central office received the envelope, which was unsealed and empty. CDPH reported the breach to the state’s Office of Information Security and began an investigation of the incident.
On November 23, 2010, CDPH completed compiling the list of individuals whose medical or other personal information may have been compromised as a result of the lost tape. The CDPH said it is notifying those affected by the data breach and advising them how to protect themselves from identity theft. “At this point, there is no evidence that unauthorized parties have acquired or accessed personal information”, the agency said.
News: https://www.infosecisland.com/blogview/10379-Obstacles-May-Hinder-Anonymous-DDoS-Prosecutions.html
The international nature of the distributed denial of service (DDoS) attacks against the websites of companies including Visa, MasterCard and PayPal may make it difficult, if not impossible, to prosecute the pro-WikiLeaks members of the group Anonymous.
The level of effort and resources needed to gather evidence, identify suspects, issue warrants, carry out arrests, and arrange extraditions before prosecution can even occur may make the likelihood of multiple legal actions in the matter cost prohibitive. It may also mean that efforts will be focused mostly on the Anonymous leadership hierarchy, while lesser participants escape repercussions.
Another obstacle might arise in applying the Computer Fraud and Abuse Act to the DDoS attacks. Although the language in the statute is extremely broad, the government would still need to show that:
- there was a transmission of a program, information, code, or command that intentionally caused damage without authorization to a protected computer, and that
- the act caused losses in excess of $5,000 over a one-year period.
Public relations spin efforts by the companies targeted had them downplaying the impact of the DDoS attacks, which may be presented as evidence by the defense in the event charges are pursued.
U.S. Attorney General Eric Holder stated last week that he was “looking into” the viability of prosecutions. Former Justice Department Attorney David Goldstone said, “the government may give it less of a priority. They may treat it as graffiti.”
News: http://www.theregister.co.uk/2010/12/20/assange_lawyers_angry_over_leaked_police_files/
Lawyers for Julian Assange are “angry” and “concerned” that someone leaked confidential Swedish police files detailing the rape allegations against the WikiLeaks founder, according to a report citing conversations with his legal team, and the team intends to launch a formal complaint with the Swedish authorities.
It’s unclear whether they see the irony.