SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #86

October 28, 2011

TOP OF THE NEWS

EFF Says At least Four Certificate Authorities Have Been Breached Since June
BT Must Start Blocking Newzbin 2 Within Two Weeks

THE REST OF THE WEEK'S NEWS

Hacker Tool Launches DoS Attack Against SSL Server With One Laptop
Duqu May Not Be as Closely Linked to Stuxnet as First Thought
Attack Manipulates insulin Pump Settings
Microsoft Settles With Czech Hosting Defendant
US Government is Providing Banks With Cyber Threat Information
Hackers Interfered with US Satellites
Nasdaq Breach May Have Been Worse Than Initially Thought
Proposed Legislation Would Broaden US Government's Authority to Blacklist Piracy Websites
Data Security Rules May Prevent LAPD From Migrating to Cloud Services

---

*********************** Sponsored by Cisco Systems ***********************

Webcast: Context-Aware Security for a BYOD Environment
November 8, 2011, 1 p.m. ET
Join Cisco (Pat Calhoun, VP/GM) and IDC (Chris Christiansen, VP) to discuss security for Bring Your Own Device (BYOD). Topics include primary BYOD security considerations, Cisco's SecureX approach for BYOD and the latest on Cisco AnyConnect, TrustSec for VXI, and IDFW. Visit http://www.sans.org/info/89469

*************************************************************************

TRAINING UPDATE

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************

---

TOP OF THE NEWS

EFF Says At least Four Certificate Authorities Have Been Breached Since June (October 27, 2011)

According to research from the Electronic Frontier Foundation (EFF), at least four certificate authorities have been compromised since June 2011. The information was gathered by examining publicly available documents that are required to be completed whenever secure sockets layer (SSL) certificate is revoked. There are more than 600 authorities. The breadth of the situation raises questions about the long term security of the technology. EFF Technology Projects Director Peter Eckersley wrote in a blog that, "as currently implemented, the Web's security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems".
-http://www.theregister.co.uk/2011/10/27/ssl_certificate_authorities_hacked/
-https://www.eff.org/deeplinks/2011/10/how-secure-https-today
[Editor's Note (Liston): The entire SSL Certificate system is founded on the faulty premise that we should trust a corporation simply because they claim to be trustworthy. These companies have taken on a huge responsibility as a part of their business model, and have simply not taken the kinds of precautions one should take when voluntarily positioning oneself as the basket containing all the chickens.
(Murray): We do not have to have a perfect system of key management but vendors who want to offer services in the security space have to have good security. Their brands are essential to their viability and they are very fragile. ]

BT Must Start Blocking Newzbin 2 Within Two Weeks (October 26, 2011)

A UK High Court judge has given British Internet service provider (ISP) BT two weeks to implement a plan to block Newzbin2, a membership-only site known for making pirated content available. The ruling is the result of a lawsuit brought by US movie companies. The judge decided that BT was aware of the copyright infringement activity occurring on Newzbin2 and had ruled in July that the company must prevent its customers from being able to access that site. The judge also ruled that "the costs of implementing the order should be borne by BT."
-http://www.zdnet.co.uk/news/compliance/2011/10/26/bt-given-two-weeks-to-block-ne
wzbin2-40094286/
-http://www.bbc.co.uk/news/technology-15459005
[Editor's Note (Murray): Seems to me that BT is a victim here. They are being made responsible for the criminal activity of others. They are being forced to do something both expensive and ineffective. The Internet routes around censorship. How much damage are the rest of us supposed to endure because the publishers cannot figure out how to offer their products at a price both profitable to them and not so high as to create a black market?
(Liston): This all sounded somewhat reasonable up until the last sentence. If the movie companies expect ISPs to block access to sites at their behest, then they really should be footing the bill. They own the copyright, they benefit financially from its protection, so expecting a disinterested third-party to cover the costs of implementing a block on infringing websites seems a bit over the top. ]

---

*********************** SPONSORED LINKS: *********************************

1) Sponsored by Zscaler: ONLINE WEBCAST with FORRESTER: DEFENDING THE ENTERPRISE AFTER THE MOBILE DEVICE INVASION. 11/3 10am PST http://www.sans.org/info/89474

2) Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/89479

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hacker Tool Launches DoS Attack Against SSL Server With One Laptop (October 25, 2011)

A group called The Hackers Choice has released a tool that can launch a denial-of-service attack against an HTTPS web server with just one laptop over a DSL connection. The tool exploits the SSL renegotiation feature to overwhelm the server. The Hackers Choice members recommend disabling SSL renegotiation. One of the members points to a series of issues with SSL that have become evident over the past few years, including a very high percentage of SSL-based sites that are not properly configured and the problems inherent in "giving hundreds of commercial companies (so-called Certificate Authorities) a master key to ALL SSL traffic."
-http://www.darkreading.com/authentication/167901072/security/vulnerabilities/231
901641/index.html?itc=edit_stub
-http://www.h-online.com/security/news/item/New-denial-of-service-tool-knocks-out
-encrypting-servers-1366564.html

Duqu May Not Be as Closely Linked to Stuxnet as First Thought (October 26 & 27, 2011)

Computers infected with Duqu malware have been detected in Iran and Sudan. Some researchers are saying that Duqu is related to Stuxnet, which was used to sabotage centrifuges at a nuclear facility in Iran. The Iranian systems infected with Duqu do not appear to be related to the country's nuclear program. Each instantiation of Duqu that has been found is unique, which makes it harder to detect. Others are now finding evidence that Duqu may not be so closely related. Researchers from Dell say that while Stuxnet and Duqu use similar injection techniques, there are also many differences between the two.
-http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not
-be-son-of-stuxnet-after-all.ars
-http://www.networkworld.com/news/2011/102611-duqu-incidents-detected-in-iran-252
435.html?hpg1=bn
Editor's Note: The "private key used for signing
[some ]
Duqu files was stolen from a Symantec customer," not from Symantec itself, as we wrote in last Friday's NewsBites. Please see this link for more clarification:
-http://www.symantec.com/connect/blogs/duqu-protect-your-private-keys

Attack Manipulates Insulin Pump Settings (October 27, 2011)

A researcher who last year developed a method of taking control of ATMs so they would dispense cash at his behest has now devised an attack that allows him to take control of certain wireless insulin pumps. The attack could be used to deliver incorrect doses of insulin to patients. The pumps in question, which are made by Medtronic, contain radio transmitters that allow doctors and patients to make adjustments. With specialized equipment, the attack could be conducted at a distance of up to 300 feet and does not require the attacker to know the device's serial number. The pumps at present do not use encryption while transmitting information.
-http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

Microsoft Settles With Czech Hosting Defendant (October 27, 2011)

Microsoft has agreed to ask the judge to dismiss a lawsuit against Czech Republic company it had accused of hosting command and control servers for the Kelihos botnet. An attorney with Microsoft's digital crimes unit said that "Microsoft has reached a settlement with defendants Dominique Alexander Piatti and his company, dotFREE Group SRO. ... We believe that neither he nor his business were involved in controlling the subdomains used
[by Kelihos, ... but that ]
the controllers of Kelihos leveraged the subdomain services offered by Mr. Piatti's cz.cc domain." The settlement includes a provision that Piatti delete or transfer all subdomains used in connection with Kelihos. Piatti will also work with Microsoft to develop methods for preventing the abuse of dotFREE subdomains in the future. Microsoft's case will proceed against 22 John Doe defendants.
-http://www.scmagazineus.com/microsoft-drops-botnet-suit-asks-former-defendant-fo
r-help/article/215367/
-http://www.theregister.co.uk/2011/10/27/dotfree_off_the_hook/
-http://www.computerworld.com/s/article/9221250/Microsoft_clears_Czech_firm_in_Ke
lihos_botnet_case?taxonomyId=17
-http://blogs.technet.com/b/microsoft_blog/archive/2011/10/26/microsoft-reaches-s
ettlement-with-piatti-dotfree-group-in-kelihos-case.aspx

US Government is Providing Banks With Cyber Threat Information (October 26, 2011)

The National Security Agency (NSA) is helping US banks in their efforts to protect their computer systems from intrusions and other attacks. The FBI has also been providing banks with warnings about specific threats. Officials are concerned about the increasing sophistication of attacks launched against financial institutions.
-http://www.reuters.com/article/2011/10/26/us-cybersecurity-banks-idUSTRE79P5E020
111026

Hackers Interfered with US Satellites (October 27, 2011)

Attackers managed to interfere with two US government satellites four times in 2007 and 2008, according to a draft of the annual report of the US-China Economic and Security Review Commission. The targeted satellites are used in climate and terrain data gathering. The report did not offer specifics about the satellite intrusions, but did say that access was gained through the Svalbard Satellite Station in Spitsbergen, Norway. The report is scheduled for release in November 2011.
-http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker
-attacks-on-u-s-satellites.html

Nasdaq Breach May Have Been Worse Than Initially Thought (October 25, 2011)

The breach that compromised data on a Nasdaq server that was acknowledged earlier this year appears to be more serious that first thought. Two people with access to information about the investigation into the incident say that although trading servers were not directly attacked, the attackers did manage to infect sensitive systems with malware. Nasdaq OMX group acknowledged in February 2011 that its servers had come under attack, and that some servers associated with the Directors Desk collaboration and communications tool contained suspicious files. The attack was said to have occurred in October 2010 and that the files were removed immediately. Nasdaq was asked by federal law enforcement authorities to delay breach notification so as not to interfere with the investigation. The investigation is likely to find evidence that the attackers exploited flaws in web applications; that "virtual insider trading occurred;" and that the platform for the attack was Directors Desk.
-http://www.informationweek.com/news/security/attacks/231901580
[Editor's Note (Liston): Liston's Law of Data Breaches: They're ALWAYS worse than you thought initially. ]

Proposed Legislation Would Broaden US Government's Authority to Blacklist Piracy Websites (October 26, 2011)

Legislators in the US House of Representatives have introduced a bill that would increase the government's authority to shut down web sites that offer products that violate copyright and trademark laws. The proposed legislation would allow the Justice Department to obtain court orders requiring ISPs in the US to stop resolving DNS for the offending websites; the sites could still be accessible outside the US. The bill would also allow the government to order search engines to remove certain websites from their results. The US attorney general would also be granted the authority to block distribution of workarounds to allow access to blacklisted sites.
-http://www.wired.com/threatlevel/2011/10/feds-to-blacklist-piracy-sites-under-ho
use-proposal/
-http://judiciary.house.gov/hearings/pdf/112%20HR%203261.pdf

Data Security Rules May Prevent LAPD From Migrating to Cloud Services (October 26, 2011)

The Los Angeles Police Department's (LAPD) plan to migrate to Google Apps has been put on hold indefinitely because of FBI security rules. According to FBI Criminal Justice Information Services security policies, state and local law enforcement agencies have to maintain "management control" over criminal justice data security. All Los Angeles City employees are using Google Apps except for law enforcement.
-http://www.nextgov.com/nextgov/ng_20111026_6213.php?oref=topstory
[Editor's note (Liston): Sometimes, maintaining the confidentiality, integrity, and availability of sensitive/critical information is going to be in direct conflict with doing things easier and cheaper. What I find newsworthy in this piece isn't that the FBI rules block this migration, but that someone at the LAPD actually thought it was a good idea to begin with.
(Honan): This case highlights one of the compliance concerns relating to cloud computing and how important it is to clearly understand all your legal and regulatory obligations when engaging with a cloud provider. This challenge is exasperated by the ease people can sign up for cloud services simply by using a credit card. It would be prudent to engage with your accounts department to monitor company credit card statements for subscriptions to cloud services so you can ensure all such services are compliant.

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/