SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #24

March 25, 2011

TOP OF THE NEWS

SSL Security Compromised
Managing Effects of RSA SecurID Breach
Attack Code Targets SCADA Systems

THE REST OF THE WEEK'S NEWS

European Commission Targeted in Cyber Attack
Facebook Traffic on AT&T Servers Detoured Through China
Possible Explanation for Gmail Troubles in China
Mozilla Releases Firefox 4
Senator Wants Clarity on US Government's Authority to Track Mobile Data
Apple Issues OS X Security Updates
Former Student Pleads Guilty in Grade Hacking Case
Two-Year Sentence for Stealing Virtual Gaming Chips

---

*****************************************************************

TRAINING UPDATE
-- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security in the cloud.
http://www.sans.org/cyber-security-innovations-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ******************** Sponsored by Tripwire, Inc. *************************

New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston.
http://www.sans.org/info/73838

****************************************************************************

---

TOP OF THE NEWS

SSL Security Compromised (March 23, 2011)

Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates. The certificates vouch for a site's authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype. Comodo has revoked the stolen certificates. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10603
-http://isc.sans.edu/diary.html?storyid=10600
-http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws
-in-DNS-Comodo-CEO-440985/
-http://news.cnet.com/8301-31921_3-20046588-281.html

[Editor's Note (Pescatore): The SSL certificate industry has long needed to invest in stronger external review of registration processes, as proven by this incident and others before it. (Ullrich): SSL is based on trust. However, in a race to the bottom on pricing, certificate authorities no longer are able to rally the resources to sufficiently secure the SSL infrastructure they manage. It is sad that all it took to compromise the system was a single password, not two factor authentication. This comes just at a time when we finally see large sites like Facebook, Google, Microsoft and Twitter implementing site-wide SSL as an option. ]

Managing Effects of RSA SecurID Breach (March 23, 2011)

A Department of Homeland Security (DHS) spokesperson said that DHS is working with RSA to secure networks accessible through that company's SecurID two-factor authentication technology, following RSA's disclosure of a security breach that compromised "certain information" about SecurID. RSA has contracts with numerous federal government agencies. RSA has published a bulletin detailing what steps companies can take to protect their information. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10564
-http://www.washingtonpost.com/world/us_agencies_respond_to_cyberattack_on_inform
ation_security_firm/2011/03/23/ABDhjoKB_story.html?wprss=rss_homepage
[Editor's Note: (Paller): One of the largest defense contractors has stopped the use of RSA tokens by its senior staff. They replaced the tokens with another manufacturer's solution. I asked whether the move had been planned for a long time. The answer was, "No. We did it because of the breach." ]

Attack Code Targets SCADA Systems (March 22 & 23, 2011)

The US Computer Emergency Readiness Team (US-CERT) has issued four alerts regarding a series of vulnerabilities in Supervisory Control and Data Acquisition (SCADA) software widely used in industrial facilities. The affected systems are made by Siemens, Iconics, 7-Technologies and DATAC. All of the products have flaws that are remotely exploitable. Exploit code for 34 flaws in a variety of SCADA systems has been released. Experts examining the code say the vulnerabilities could be exploited to crash systems or steal data because they target operator viewing platforms. Nonetheless, gaining a foothold in the systems could allow attacker to probe further and potentially access the parts of the system that affect critical processes.
-http://www.theregister.co.uk/2011/03/22/scada_exploits_released/
-http://www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S.
_government_warning?taxonomyId=17
-http://news.cnet.com/8301-27080_3-20045926-245.html
-http://www.wired.com/threatlevel/2011/03/scada-vulnerabilities/
-http://www.msnbc.msn.com/id/42237805/ns/technology_and_science-security/
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-01.pdf
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-03.pdf
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf

---

*************************** Sponsored Link: ******************************

1) Interested in being part of the solution to fill the critical gap in the nation's cyber security workforce? Sponsor a student scholarship for the next round of the next Cyber Quests (http://uscc.cyberquests.org/) competition starting April 18th. For more information on how you can help, contact Renee N. McLaughlin at renee.mclaughlin@cisecurity.org.

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

European Commission Targeted in Cyber Attack (March 23 & 24, 2011)

The European Commission says that its network and that of the European External Action Service were broken into shortly before a summit of EU leaders in Brussels to discuss military action in Libya, the debt crisis and nuclear safety issues. Staff members were notified that they could no longer remotely access their email. A number of EU websites were unavailable as well. Sources have compared the attack to that recently launched against the French Finance Ministry, which preceded the G20 summit in Paris.
-http://www.theregister.co.uk/2011/03/24/eu_cyber_attack/
-http://www.bbc.co.uk/news/world-europe-12840941
-http://www.v3.co.uk/v3-uk/news/2037059/european-commission-cyber-attack
-http://www.scmagazineuk.com/european-commission-announces-that-it-was-hit-by-tar
geted-attack-as-cyber-espionage-campaign-continues/article/199030/

Facebook Traffic on AT&T Servers Detoured Through China (March 24, 2011)

Internet traffic from AT&T servers bound for Facebook detoured through servers in China and South Korea, according to researcher Barrett Lyon. Lyon discovered the traffic's path using traceroute. In his blog, Lyon calls the detour a routing mistake, and notes that the incident raises a number of questions, including whether the events constitute a privacy breach, whether Facebook should have notified users that their information was being sent over a network that might not be trustworthy, and whether Facebook should enable SSL by default on all accounts.
-http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-kore
a-this-morning/
-http://www.computerworld.com/s/article/9215029/AT_T_Facebook_traffic_takes_a_loo
p_through_China?source=CTWNLE_nlt_pm_2011-03-24
[Editor's Note (Pescatore): The recent compromise of Comodo SSL certificates points out that SSL is far from a panacea. The CA Browser Forum needs to invest in and focus on making SSL more than just eyewash. ]

Possible Explanation for Gmail Troubles in China (March 24, 2011)

Security experts have suggested allegations that China has been interfering in Gmail service could be explained by the use of "transparent proxies." These intermediary servers intercept and relay messages and are capable of making changes to the intercepted messages before sending them on to their destinations. Some companies use transparent proxies to filter employees' Internet access. Governments are increasingly using them to identify and censor dissidents. Using HTTPS could thwart these man-in-the-middle attacks.
-http://www.technologyreview.com/web/37074

Mozilla Releases Firefox 4 (March 23, 2011)

Mozilla has released Firefox 4; the updated browser includes a number of new security features. Content Security Policy (CSP), which is enabled by default, helps stop cross-site scripting (XSS), data injection and other web-based attacks. CSP allows sites to let the browser know what information is legitimate. Firefox 4 also lets users automatically connect to websites through secure connections with the HTTP Strict-Transport Security (HSTS) feature. Firefox 4 also allows users to opt out of behavioral tracking. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10594
-http://www.scmagazineus.com/firefox-4-includes-new-feature-for-thwarting-web-att
acks/article/198992/

Senator Wants Clarity on US Government's Authority to Track Mobile Data (March 23, 2011)

Senator Ron Wyden (D-Oregon) has proposed a bill that would require the government to obtain warrants before using geo-location information to track individuals. The bill specifies exceptions emergencies, including when someone's life or safety is in danger, when there are immediate risks of danger to others, activities that threaten national security, or activity indicative of organized crime. Critics of the bill say the exceptions are so narrow that federal law enforcement agents might be wary of ever using geo-location information to track people.
-http://www.nextgov.com/nextgov/ng_20110323_8085.php

Apple Issues OS X Security Updates (March 22, 2011)

On Tuesday, March 22, Apple released an update for Mac OS X 10.5 and an update for Mac OS X 10.6 to version 10.6.7. The releases fix many of the same vulnerabilities, including one that was used to break into an iPhone at a hacking contest at a recent conference. Forty-five of the 56 flaws addressed in the update could be exploited to allow arbitrary code execution, and nearly a quarter of the flaws could be exploited in drive-by attacks.
-http://www.theregister.co.uk/2011/03/22/apple_mac_malware_update/
-http://www.scmagazineus.com/apple-issues-slew-of-patches/article/198899/
-http://www.eweek.com/c/a/Security/Apple-Fixes-Pwn2Own-Bug-in-Mac-OS-X-1067-iOS-4
31-Expected-Soon-647647/
-http://www.computerworld.com/s/article/9214903/Update_Apple_patches_Pwn2Own_bug_
55_others_in_Mac_OS?taxonomyId=85
-http://support.apple.com/kb/HT4581

Former Student Pleads Guilty in Grade Hacking Case (March 22, 2011)

Former high school student Omar Khan has pleaded guilty to five felony counts for breaking into school computers and changing his grades. Prosecutors say Khan "installed spyware devices on the computers of several teachers and school administrators," and used the malware to steal passwords. Khan changed his own grades and those of a dozen other students. Khan was sentenced to 30 days in jail and ordered to pay US $15,000 in restitution. He and his co-conspirator, Tanvir Singh, were arrested three years ago in connection with the incident. Singh pleaded guilty in September 2008 and was sentenced to three years of probation and 200 hours of community service.
-http://www.networkworld.com/news/2011/032211-student-used-spyware-to-steal.html?
source=nww_rss
-http://www.ocregister.com/news/khan-293077-lavacot-years.html?cb=1300806929

Two-Year Sentence for Stealing Virtual Gaming Chips (March 22, 2011)

A UK man has been sentenced to two years in jail for stealing virtual gaming chips. Ashley Mitchell pleaded guilty to charges of hacking and theft for stealing and reselling chips used in games from Zynga. Mitchell stole 400 billion gaming credits and resold a third of them, earning about GBP 53,000 (US $85,000). Ashley managed to gain access to Zynga's systems and assume the identities of two employees.
-http://www.theregister.co.uk/2011/03/22/poker_chip_hacker_jailed/
-http://www.bbc.co.uk/news/uk-england-devon-12791483

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/