TeamSHATTER

Utah Governor Fires Tech Director, Brings In Cyber Security Czar

Tim Whitman — Thu, 17 May 2012 15:12:32 +0000

Gov. Gary Herbert apologized to the 780,000 victims of the health data security breach on Tuesday.

To restore the public’s trust, he announced Tuesday that he fired Department of Technology Services director Stephen Fletcher and hired an ombudsman to shepherd victims through the process of protecting their identities and credit.

“The people of Utah rightly believe that the government will protect them, their families, and their personal data. When they interface with us that is in fact our charge,” Herbert said at an afternoon news conference, adding that one of his family members was among those whose information was compromised.

Click for complete article >>

More Data Breach Fallout, Expense For Utah Department Of Health

Tim Whitman — Thu, 17 May 2012 13:07:28 +0000

The state of Utah is hiring a public relations firm to handle “crisis communications” in the wake of a health data breach that put the personal information of 780,000 people at risk.

The contract will be short-lived and will cost between $100,000 and $200,000, according to a solicitation published on May 11.

It calls for building a communications plan to “rebuild trust with the public, specifically those who were directly impacted by the breach and those who rely on the [Utah Department of Health] for critical health services.”

Click for complete article >>

Contractor Allegedly Steals Database, Passes On To Others To Sell

Tim Whitman — Wed, 16 May 2012 13:25:55 +0000

Former Social Affairs Ministry contractor allegedly stole database, passed it to haredi charity, from where it was sold abroad.

The Tel Aviv district attorney on Sunday charged six people, including a computer programmer formerly employed as a Welfare and Social Services Ministry contractor, in connection with a massive data theft that exposed the personal details of millions of Israelis.

According to the indictment, filed in the Tel Aviv District Court, 55-year-old Shalom Bilik had access to the population registry database as part of his contract computer maintenance work in the Welfare and Social Services Ministry’s information systems department. In 2005- 2006, during his time at the ministry, Bilik began to make copies of the population registry data and sold it, the indictment said.

Click for complete article >>

When You Do Not Know Where Your Data Is…

Tim Whitman — Tue, 15 May 2012 13:03:06 +0000

In its fifth year of publication, the Data Breach Investigation Report (DBIR) by Verizon spans 855 data breaches across 174 million stolen records. Mark Goudie, Managing Principal, Asia-Pacific – Investigative Response, Verizon Business, talked to Jasmine Desai about the latest security threats and solutions for the same

Click for complete article >>

Hey Facebook: Forget The Winklevoss Twins – Data Security Adversaries Are On The Way

Josh Shaul — Mon, 14 May 2012 13:15:26 +0000

As you folks over at Facebook prepare to make your initial public offering, before you switch gears to planning your IPO parties and stock-option fueled vacations, take a moment to consider data security. After all, Facebook is nothing without data – volumes and volumes of it. And all that data needs to remain available, accessible, private (sometimes), and authentic, 24 hours a day, from now until…forever.

Over the last few years, millions of people have entrusted Facebook with everything from their little moments to their life stories. Now, investors are preparing to entrust Facebook with more than $10 billion in cash, giving the company limitless resources to find new ways to turn data into profits. With the new ownership coming in, and all that money being bet on the ability to turn data into cash, it seems like a good time to make sure the proverbial house is in order. And if you’re not Facebook right now, celebrate their success by going through this same process on your own systems – it’ll be good for you.

Get your data security review started with an updated inventory of databases and file servers on the network. Make sure you go sniffing around to find and catalog all of those systems. It’s the ones that fall through the cracks that are likely to come back to bite you later. Get yourselves some software that will go out and actively probe all the nooks and crannies of your network to find all the data stores that are out there. If you find systems on the network that you don’t use or don’t need – get rid of them!

With your fresh inventory in hand, you can turn your attention to looking for vulnerabilities and misconfigurations on each and every system. You’re looking for default logins, missing patches, weak passwords, and disabled security features that make it easy for someone to gain unauthorized access or disrupt operations. The issues you find in this phase ideally should be fixed, but that’s much easier said than done – so get ready to implement compensating controls.

Before you get into those compensating controls, there is one more issue to look into – user roles and privileges. It’s imperative for you to ensure that access to data is granted on a need-to-know basis, and that only those whose job requires access to a system are given that access. This means identifying who your admins and power users really are, eliminating any access rights that don’t belong. It also means documenting any privileges that should never be exercised, but can’t be revoked, so their use can be closely audited.

Which brings us back to those compensating controls. You may find yourself in need of quite a few of them. Missing a few patches? No problem – as long as you’re monitoring for exploits of those unpatched vulnerabilities. Applications require several insecure database settings? No need to panic – just watch the database 24×7 and make sure nobody abuses it. Got DBAs (those pesky built-in segregation of duties violations that come with each database)? Of course you do, we all do. And they’re usually very nice and quite harmless – but you still need to track everything they do with our data. A daily dose of real-time activity monitoring for your data stores will take care of all this business in one shot.

That’s all it takes. Inventory. Vulnerability and configuration scanning. User rights review. Activity monitoring. Four basic steps to keep all those billions of dollars of data safe and secure. Congratulations and best of luck.

Latest DBMS Security Patch Levels – Updated

Alex Rothacker — Fri, 11 May 2012 18:00:00 +0000

TeamSHATTER keeps you up to date with the latest DBMS Security Patch levels to ensure you are protected with the latest security fixes.

Last updated 5/11/2012

Edition	Latest Patch	Release Date	Comments
Database 11g R2 Database 11g R1 Database 10g R2 Database 10g R1	Critical Patch Update April 2012	April17^th 2012
Database 9i	Critical Patch Update July 2010	July 13^th 2010	Out of support. This was the final patch for 9i.

Reference:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Next CPU is due July17^th 2012

MySQL

Edition

Latest Version

Release Date

Comments

MySQL 5.5

5.5.24

May 7^th 2012

MySQL 5.1

5.1.62

March 21^st 2012

MySQL 5.0

5.0.96

March 21^st 2012

On extended support. Active Support ended on Dec. 31 2009

Reference:
http://dev.mysql.com/doc/index.html

Microsoft SQL Server

Edition	Latest Version	Release Date	Comments
SQL Server 2008 R2	Service Pack 1 v10.50.2500.0	July 11th 2011
SQL Server 2008	Service Pack 3 (v10.00.5500.00)	October 6^th 2011
SQL Server 2005	Service Pack 4 + Q2494123 (v9.00.5292)	June 14^th 2011	Mainstream Support ended on Apr. 12^th 2011
SQL Server 2000	Service Pack 4 + Q941203 (v8.00.2273)	September 26^th 2008	Mainstream Support ended on Apr. 8^th 2008

References:
http://support.microsoft.com/ph/14917
http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspxIBM DB2 LUW

Edition	Latest Fix Pack	Release Date	Comments
DB2 9.8	Fix Pack 4	August 2^nd2011
DB2 9.7	Fix Pack 5	October 28^th2011
DB2 9.5	Fix Pack 9	March 6^th2012
DB2 9.1	Fix Pack 11	November 15^th2011	Support ended on April 30^th2012
DB2 8.2	Fix Pack 18	August 14^th2009	Support ended on Apr 30^th2009. This is the final Fix Pack.

Reference:
http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27007053

IBM Lotus Domino

Edition	Latest Fix Pack	Release Date	Comments
8.5.3 MR	Fix Pack 1	March 23^th2012
8.5.2 MR	Fix Pack 4	December 2nd 2011	Upgrade to 8.5.3
8.5.1 MR	Fix Pack 5	October 19^th2010	Upgrade to 8.5.3
8.5	Fix Pack 1	July 29^th2009	Upgrade to 8.5.3
8.0.2 MR	Fix Pack 6	July 26^th2010
7.0.4 MR	Fix Pack 2	June 30^th2010	Support ended on April 30^th2011
6.5.6 MR	Fix Pack 3	April 24^th2008	Support ended on April 30^th2010

Reference: http://www-01.ibm.com/support/docview.wss?uid=swg27010592

Sybase ASE

Edition	Latest Patch	Release Date	Comments
ASE 15.5	ESD #5	December 22^nd2011
ASE 15	ESD #4	September 17^th2010	For installations with JRE installed, install Henry Patch
ASE 12.5.4	ESD #10	November 20^th2009

Reference: http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise/technicalsupport

Oracle CPUs

UNCC Breach Was Caused By Misconfiguration Due To Human Error

Tim Whitman — Fri, 11 May 2012 17:09:00 +0000

More disturbing information came out Thursday about UNC Charlotte’s online security breach, where hundreds of thousands of social security numbers were compromised. Now, university officials say they know how the exposure happened.

“You get scared because your information might be stolen, like credit card number maybe. It’s really scary,” said a UNCC student.

Students and staff were told in February that some 350,000 of them could have had their social security numbers and financial information exposed on the internet.

Click for complete article >>

Threatpost NOW! Video: Security Issues Critical To The End User

Tim Whitman — Wed, 09 May 2012 20:34:11 +0000

In this video, Dennis Fisher, editor-in-chief of Threatpost, speaks with Josh Shaul of Application Security, Inc. and Jack Daniel of Tenable Network Security. This candid discuss revolves around end-user security, where breaches occur and how organizations can fix these problems without causing havoc to their enterprise networks.

Click here to watch the video >>

Who’s To Blame For Oracle Database Security Woes? Look In The Mirror

Tim Whitman — Tue, 08 May 2012 13:50:30 +0000

Since it was first disclosed, I’ve been talking to lots of folks about the Oracle “TNS poison” vulnerability that’s out there.

Mostly, the talk has been focused on understanding the risks and implementing appropriate workarounds. But there seems to almost always come a time in the conversation when someone asks, “How can this be?”

It’s stunning to consider that Oracle sat on this issue for so long. It’s a critical vulnerability that fully compromises any Oracle database. It’s easy to exploit, requires no authentication, and it’s almost undetectable using built-in database features. But through the years and through a major database release, it remained unfixed and under wraps.

Click for complete article >>

The Evolving Role Of A CISO

Tim Whitman — Mon, 07 May 2012 18:02:18 +0000

Senior executives in charge of security are finding their roles changing not only as they deal with the growing rates of data breaches and hacker attacks but also by the increasing interest from CEOs and others in the safety of their companies’ most valuable information, according to a survey from IBM.

As a result, chief information security officers (CISOs) are becoming a more significant presence in corporate boardrooms with a greater input into strategy, and also are shifting more toward risk management than simply reacting to one security incident after another, IBM’s Center for Applied Insights found in its study “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment.”

Click for complete article >>