SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #67

August 23, 2011

The NSA just released a useful guide called "Best Practices for Securing
Your Home Network" that goes beyond home networks and wireless to cover
email and traveling with mobile devices and more. It's worth making
copies and distributing to your co-workers and employees. What makes
it particularly useful is that it reflects the real-world knowledge of
the NSA Blue Teams and Red Teams. On the back page are references to
five additional guides: Social Networking, Defense Against Drive By
Downloads, Defense Against Malicious E-mail Attachments, Mac OSX 10.6
Hardening Tips, and Data Execution Prevention. You'll find it at the NSA
web site:
http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

Alan

---

TOP OF THE NEWS

Flaws Found in AES
Firm Fined $50,000 For Collecting Children's Personal Information
German State Bans Agencies From Using Facebook 'Like' Button
UK Government to Meet With Social Network Providers

THE REST OF THE WEEK'S NEWS

British Man Arrested Over Repeated Attacks Against Facebook
Security Breach at Yale Exposes 43,000 People's Data
Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange
Investigation Exposes Unauthorized Internal Access at Immigration Agency
Audit Finds Holes in TSA Wireless Security
US Defense Contractor Breached by Anonymous and LulzSec

---

************************** Sponsored By Splunk ***************************

Are you listening to your data? It's trying to tell you something. Only Splunk can turn petabytes of your real-time and historical machine data into powerful security insights. With Splunk software catch bad actors, block cyber threats, detect zero-day viruses and advanced persistent threats. Give your data a voice with Splunk.

http://www.sans.org/info/85014

**************************************************************************

TRAINING UPDATE

- -- The National Security Architecture Workshop, DC, Aug. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Flaws Found in AES (August 18, 2011)

Researchers in the Belgium Katholieke Universiteit Leuven and Microsoft revealed they have found weaknesses in the Advanced Encryption Standard (AES). The AES encryption algorithm is widely used to secure online transactions and wireless networks. While researchers claim the attack can recover an AES secret key four times faster than previously thought, they also highlight that the complexity of the attack means it is not currently practical. However, the research is significant in that a *possible* serious flaw in the AES algorithm has been identified, but not yet substantiated by the cryptographic community.
-http://www.computerworld.com/s/article/9219297/AES_proved_vulnerable_by_Microsof
t_researchers
-http://www.net-security.org/secworld.php?id=11474
-http://threatpost.com/en_us/blogs/new-attack-finds-aes-private-keys-several-time
s-faster-brute-force-081911
[Editor's Comment (Murray): Since no claim as to the strength of AES has ever been made, this is simply a mathematical claim that the work factor for discovering a key is about five times lower than a brute force attack. While this is a significant analysis, worthy of a paper, perhaps even a headline, an attack using this information, begun at the Big Bang, would not have completed yet. Kudos to the analysts.
(Northcutt): A practical related key attack on 10 rounds of AES was published in 2009. This is entirely new. When you find a flaw in a crypto algorithm many researchers jump in and try to improve on the attack. We should expect guidance from NIST to increase the number of rounds, currently 14:
-http://www.schneier.com/blog/archives/2009/07/another_new_aes.html]

Firm Fined $50,000 For Collecting Children's Personal Information (August 22, 2011)

The Federal Trade Commission has fined W3 Innovations, a mobile applications development firm, US $50,000 for violating the Children's Online Privacy Protection Act (COPPA). The FTC alleged the company gathered the email addresses of up to 50,000 children under the age of 13 who downloaded and used mobile apps developed for the iPhone and iTouch without their parents' consent. The FTC also alleged the firm allowed children to post personal information on message boards and blogs and did not have a privacy policy on its website. "The FTC's COPPA rule requires parental notice and consent before collecting children's personal information online, whether through a website or a mobile app", said FTC Chairman Jon Leibowitz.
-http://www.infosecurity-us.com/view/20194/ftc-fines-firm-50000-for-collecting-ch
ildrens-personal-information/
-http://www.bellinghamherald.com/2011/08/22/2150947/mobile-apps-developer-accused
.html
-http://www.scmagazineus.com/ftc-fines-childrens-app-maker-50k-for-privacy-violat
ion/article/209707/
[Editor's Note (Pescatore): The FTC just keeps chugging along, enforcing privacy and security regulations without needing new agencies, new laws, new committees. I'd like to see the GAO do one of their reports on this, lots of good lessons to be learned about the FTC does it.
(Paller): I agree that the FTC is a model for effective government intervention without overburdening industry. But Pescatore's suggestion that a GAO report would be helpful is probably not correct. GAO would likely report that the FTC failed to look at every aspect of security in every company, that it didn't look at the business recovery plan documentation, and that it missed some weak passwords. In other words, it would find silly, irrelevant faults instead of clearly pointing out the effectiveness of the program that would help make security better. ]

German State Bans Agencies From Using Facebook 'Like' Button (August 19, 2011)

The German federal state of Schleswig-Holstein has issued a ban on state agencies using Facebook fan pages and has also ordered them to remove "like" buttons from their websites. The order comes after the Data Protection Commissioner for the state found that the use of Facebook fan pages and the "like" button leads to illegal profiling of individuals, contravening German and European privacy laws. The issue relates to how the data relating to fan pages visits and the use of the like button are transferred outside of the EU to servers in the United States. State agencies have until the end of September to comply with the new requirements; if they fail to do so they could face fines. Facebook denies it is in breach of any German or EU privacy law.
-http://www.zdnet.co.uk/news/compliance/2011/08/22/german-state-bans-facebook-pag
es-like-buttons-40093735/
-http://www.pcmag.com/article2/0,2817,2391440,00.asp
-http://edition.cnn.com/2011/TECH/social.media/08/19/facebook.germany.like/index.
html
-http://www.zdnet.com/blog/facebook/germany-facebook-like-button-violates-privacy
-laws/2837
[Editor's Note (Schultz): Expect this kind of story to become more commonplace in the near future. European privacy statutes and the openness that participation in social networking calls for are orthogonal. ]

UK Government to Meet With Social Network Providers (August 19, 2011)

Following the series of recent riots and other acts of civil unrest in England the UK's Home Secretary has asked to meet with major social network providers. The meeting is due to take place on Thursday the 25th of August. Social networks came under scrutiny after it was discovered individuals used them to organize riots and to incite others to riot. The UK's Prime Minister, David Cameron, created controversy when he said the UK government will look at ways of limiting access to social networking and messaging services in the event of any future civil disorder. Facebook has welcomed the opportunity to meet with the UK government to discuss the issues. Twitter and BlackBerry maker RIM have also confirmed attendance; the BlackBerry Messenger (BBM) service was reportedly widely used in organizing the riots. Meanwhile, an 18-year old Scottish man has been arrested for comments allegedly made on a social networking site that incited others to riot.
-http://www.bbc.co.uk/news/technology-14587502
-http://thenextweb.com/uk/2011/08/22/confirmed-twitter-will-meet-with-the-uk-gove
rnment-for-riot-talks/
-http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-14608134
[Editor's Note (Schultz): This issue is likely to not only become increasingly commonplace, but also to have more and more significance. Access to mobile devices and the content they deliver constitutes free speech, yet these devices are being increasingly used to stir up crowds (sometimes for the better, sometimes for the worse). ]

---

*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/85019

2) NEW Analyst Paper in the SANS Reading Room, "Optimized Network Monitoring for Real-World Threats," by Dave Shackleford. http://www.sans.org/info/85024

3) Do not miss SANS Ask the Expert: Leveraging SSL to Battle Emerging Security Threats. Sign up at: http://www.sans.org/info/85029

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

British Man Arrested Over Repeated Attacks Against Facebook (August 18, 2011)

Glenn Steven Mangham, a 25-year old student from York, England, was arrested on five charges under the UK Computer Misuse Act for allegedly trying to break into servers belonging to the Facebook social network. After appearing briefly before Judge Nicholas Evans in Westminster magistrates' court, Mangham was released on bail on condition he surrenders any devices capable of accessing the Internet and does not use the Internet while the case is pending. Facebook says that none of its users' personal data was compromised in the alleged attacks and that "we have been working with Scotland Yard and the FBI as we take any attempt to hack our internal systems extremely seriously"
-http://www.theregister.co.uk/2011/08/18/facebook_hacking_suspect/
-http://www.net-security.org/secworld.php?id=11491
-http://www.pcadvisor.co.uk/news/security/3298077/25-year-old-brit-in-court-for-a
ttempting-to-hack-facebook/
-http://www.telegraph.co.uk/technology/facebook/8708392/Student-hacker-penetrated
-Facebook.html

Security Breach at Yale Exposes 43,000 People's Data (August 18, 2011)

Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, were publicly available on a FTP server. The breach occurred when the sensitive personal data stored on the FTP server became publicly available after Google made changes in September 2010 regarding how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year. The breach impacts anyone affiliated with Yale University in 1999. Yale has "secured" the file and Google has confirmed it no longer stores the data.
-http://www.yaledailynews.com/news/2011/aug/17/yale-affiliates-ssns-were-searchab
le-google/
-http://www.computerworld.com/s/article/9219369/Yale_warns_43_000_about_10_month_
long_data_breach
-http://www.cnbc.com/id/44206510/Yale_Security_Breach_Reveals_Data_About_Students
_and_Staff
[Editor's Note (Pescatore): I think if Google found the files, they were *always* publicly available and never secured properly. Not a good idea to rely on security through "Google said it won't do this." ]

Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange (August 19, 2011)

Police in Hong Kong arrested a 29-year old man in relation to a series of Distributed Denial of Service attacks against the website of the Hong Kong stock exchange. The attacks resulted in the trading of shares in seven companies being halted. Companies that were impacted included the banking giant HSBC and Cathay Pacific Airlines. Hong Kong stock exchange representatives said that other systems were not affected.
-http://www.straitstimes.com/BreakingNews/Asia/Story/STIStory_703848.html
-http://www.bangkokpost.com/tech/computer/252582/hong-kong-arrests-man-over-stock
-exchange-hacking
-http://www.v3.co.uk/v3-uk/news/2103480/hong-kong-police-arrest-ddos-attack-stock
-exchange
[Editor's Note (Pescatore): We learned long ago that data centers without electricity were just big, expensive paperweights so we have uninterruptible power supplies. Data centers without Internet connectivity are big expensive paperweights that consume electricity - DDoS protection should have the same place in business continuity planning that UPSs have. ]

Investigation Exposes Unauthorized Internal Access at Immigration Agency (August 18, 2011)

An investigation has revealed numerous security breaches by internal personnel at the Bureau of U.S. Citizenship and Immigration Services. The investigation focused on the bureau's Texas Service Center and discovered security violations including abuse of system privileges, sabotage of audit logs and unauthorized access to managers' e-mail and other confidential documents. Investigators also found hacking tools installed on a number of computer systems.
-http://fcw.com/articles/2011/08/19/agg-uscis-internal-hacking.aspx
-http://www.nextgov.com/nextgov/ng_20110818_1087.php

Audit Finds Holes in TSA Wireless Security (August 22, 2011)

An audit of the systems at the headquarters of the Transportation Security Administration (TSA) by the Department of Homeland Security's Inspector General (IG) discovered a number of security weaknesses in its wireless networks. The audit found a number of high risk vulnerabilities in Microsoft Windows XP laptops and the BlackBerry Enterprise Servers (BES) used to support BlackBerry devices. The audit also found the TSA had not complied with the baseline configuration controls required by the DHS for wireless devices and systems, including issues "regarding the disabling of unused router interfaces and a disallowed service" and that there were "high-risk vulnerabilities involving patch and configuration controls". In response to the audit, the TSA said it has already implemented corrective measures to the issues raised.
-http://www.infosecurity-us.com/view/20238/tsa-probed-for-wireless-security-lapse
s/
-http://www.hstoday.us/industry-news/general/single-article/tsa-improves-wireless
-cybersecurity-after-ig-audit/bfbb824d3c2fac205ac7abcfe8fd2988.html

US Defense Contractor Breached by Anonymous and LulzSec (August 19, 2011)

Individuals claiming to be part of Anonymous and LulzSec claimed to have breached the security of the computer systems of Vanguard Defense Industries, a US Defense Contractor that manufactures the unmanned ShadowHawk drones. In a posting to the Pastebin website, groups claim to have published 1GB of confidential emails belonging to the Vanguard senior vice president Richard T Garcia. Garcia is also a board member of InfraGard and is a former assistant director of the Los Angeles FBI office. A spokesperson for Anonymous said ""We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware we're coming for your mail spools, bash history files, and confidential documents."
-http://www.v3.co.uk/v3-uk/news/2103171/anonymous-lulzsec-hit-drone-maker-hack
-http://www.washingtonpost.com/world/americas/texas-based-vanguard-defense-indust
ries-official-hacked-by-anonymous-ceo-says-damage-limited/2011/08/19/gIQAY7htPJ_
story.html
-http://www.theinquirer.net/inquirer/news/2103000/antisec-hackers-hit-fbi-affilia
te

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/