
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #9

February 01, 2011

TOP OF THE NEWS

Legislators to Reintroduce Cyber Security Legislation
Google in Settlement Negotiations With Conn. AG
Data Disclosure Flaw in Newest Google Android OS

THE REST OF THE WEEK'S NEWS

High School Competition Launched To Fill Pipeline of Skilled Cyber Pros
Microsoft Issues Temporary Fix for Windows IE Flaw
London and US Stock Exchanges Investigating Possible Cyber Attacks
SourceForge Bolsters Security in Wake of Attack
Online Dating Site Breach
Hotz to Challenge Equipment Seizure Order in Sony PS3 Hacking Case
Opera 11.01 Fixes Remote Code Injection Flaw
FBI Executes Search Warrants in Connection with WikiLeaks Support Attacks


*************************** Sponsored By SANS ***************************

New Whitepaper in the SANS Reading Room: Securing Energy Control Systems from Terrorists and Cyberwarriors, by SCADA security expert, Jonathan Pollet: http://www.sans.org/info/69798 Please also listen to our associated webcast here: http://www.sans.org/info/69803

*************************************************************************

TRAINING UPDATE

-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training. http://www.sans.org/north-american-scada-2011/
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module http://www.sans.org/phoenix-2011/
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security http://www.sans.org/appsec-2011/
-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security http://www.sans.org/sans-2011/
-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March: http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011 http://www.sans.org/sydney-scada-2011/
-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current Plus Bangalore, Singapore, Wellington and Barcelona all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

****************************************************************************

TOP OF THE NEWS

Legislators to Reintroduce Cyber Security Legislation (January 28 & 29, 2011)

US Lawmakers have indicated their intent to re-introduce cyber security legislation in the current Congress. Among the bills being reconsidered is one that gives the President what some have dubbed the Internet kill switch. It would not authorize the President to shut down the Internet, but would grant the authority to demand that certain elements of critical national infrastructure be disconnected from the Internet in the event of an emergency. For example, if a cyber attack appeared imminent, the President could order the system that controls floodgates at the Hoover dam to disconnect from the Internet. The idea has met with opposition from civil liberties groups. Questions include how the government would know a cyber attack is imminent. The proposed legislation has raised concerns in light of Egyptian President Hosni Mubarak's recent move to sever Internet connections across his entire country in an attempt to quell protests and dissent.
-http://thehill.com/blogs/hillicon-valley/technology/141081-democrats-reopen-cybersecurity-debate
-http://www.wired.com/threatlevel/2011/01/kill-switch-legislation/s
-http://www.msnbc.msn.com/id/41311880/ns/technology_and_science-security/
-http://www.scmagazineuk.com/egypt-severs-internet-connectivity-to-leave-it-in-a-black-hole/article/195160/

[Editor's Note (Schultz): Internet connectivity has in many ways become a critical national infrastructure security issue. Whether we like it or not, someone needs the authority to make decisions concerning continuing or severing Internet connectivity. My chief concern is that much of the public's opinion concerning who has the power to make such decisions seems to depend more upon preference of political party than anything else.]
[Editor's Comment (Northcutt): Not sure I think connecting the Hoover dam floodgates to the Internet is all that good of an idea. In terms of Egypt, I thought the SayNow/Google Speak2Tweet application was nifty; hearing people in Egypt share what is on their hearts was very powerful:
-http://googleblog.blogspot.com/2011/01/some-weekend-work-that-will-hopefully.html
]

Google in Settlement Negotiations With Conn. AG (January 28 & 29, 2011)

Google has entered settlement negotiations with the office of Connecticut's Attorney General that will, for now, keep the Street View case out of court. Last year, then-Connecticut AG Richard Blumenthal issued a Civil Investigative Demand, much like a subpoena, requiring Google to turn over data inadvertently collected while gathering Street View images and information; Google rejected that demand. As part of the settlement, Google will acknowledge that the inadvertently collected information includes partial and complete emails and addresses of requested web pages. Current Connecticut AG George Jepsen says that if talks deteriorate, he will file a lawsuit. (Blumenthal is now a US Senator.)
-http://latimesblogs.latimes.com/technology/2011/01/google-reaches-deal-with-connecticut-in-wi-fi-probe.html
-http://www.nbcconnecticut.com/news/local-beat/Connecticut-Google-Make-Progress-in-StreetView-Prying-Battle-114816079.html
-http://www.eweek.com/c/a/Security/Google-Connecticut-Avoid-Court-for-Street-View-Data-Grab-177064/

-http://www.theregister.co.uk/2011/01/29/google_connecticut_aggreement/

Data Disclosure Flaw in Newest Google Android OS (January 28 & 29, 2011)

A North Carolina State University researcher has discovered a vulnerability in the Google Android operating system that could be exploited to allow attackers to read and upload any files on the device's memory card, which could include banking data and saved voicemails. A similar flaw was found in earlier versions of the OS and was believed to have been addressed in version 2.3, known as Gingerbread.
-http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/229200006/data-leak-flaw-found-in-newest-version-of-google-android.html

-http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/


*************************** Sponsored Links: *****************************

1) Join us for our annual winter break in the Arizona desert. SANS Phoenix 2011 February 25! http://www.sans.org/info/67408
2) The most intense computer training experience available anywhere! SANS Northern Virginia begins April 15! http://www.sans.org/info/69748

************************************************************************************

THE REST OF THE WEEK'S NEWS

High School Competition Launched To Fill Pipeline of Skilled Cyber Pros (January 30, 2011)

Five states and the US Cyber Challenge have jointly launched the Cyber Foundations competition where high school students can learn the three foundation topics most important to success in cyber security. They compete for gift certificates and scholarships and recognition from Governors and members of Congress.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/02/01/prweb8099021.DTL
-http://www.scmagazineus.com/competition-seeks-teenage-cyber-warriors/article/195373/

More info:
-http://www.uscyberchallenge.org
Senator Carper's announcement:
-http://business-video.tmcnet.com/news/2011/01/31/5280070.htm
Direct access to competition details:
-https://www.sans.org/cyber-foundations/

Microsoft Issues Temporary Fix for Windows IE Flaw (January 31, 2011)

Microsoft has issued an advisory warning of a critical flaw in Windows that affects all currently supported versions of Internet Explorer (IE). Microsoft has issued a temporary workaround for users so they can protect their computers until a more permanent fix is available. The flaw could be exploited to take control of vulnerable computers or to steal information. While the flaw itself resides in the Windows MHTML handler, it affects the way IE handles certain documents and web pages.
-http://www.bbc.co.uk/news/technology-12325139
-http://www.scmagazineuk.com/microsoft-warns-of-internet-explorer-xss-flaw-in-all-versions-of-windows/article/195310/
-http://news.cnet.com/8301-10805_3-20030132-75.html?tag=mncol;title
-http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx

London and US Stock Exchanges Investigating Possible Cyber Attacks (January 31, 2011)

The London Times is reporting that last year, the London Stock Exchange (LSE) and an unspecified US stock exchange were targeted by attackers intent on disrupting financial markets. The LSE is investigating an attack at its headquarters last year; the US exchange has attributed an attack on its system to Russia. A May 6, 2010 flash crash (a large, short-lived decline in prices) saw the Dow Jones Industrial Average plummet 1,000 points in one day. A similar event occurred at LSE in August 2010. LSE systems are not Internet-based.
-http://www.v3.co.uk/v3/news/2274505/london-stock-exchange-cyber
-http://www.theregister.co.uk/2011/01/31/london_stock_exchange_attack/
-http://advancedtrading.com/exchanges/229200103
-http://www.finextra.com/news/Fullstory.aspx?newsitemid=22217
[Editor's Note (Paller): Claims that systems are not Internet-based are misleading. We learned this when Slammer disabled Bank of America's ATMs. The folks at BofA and other banks had repeatedly claimed their ATMs were not "Internet-based." The problem is that computer devices share the network with Internet-active systems, and it's too easy for malware to jump to any connected device. If the LSE systems do not share routers with Internet connected devices, their maintenance people wouldn't be able to get their work done. ]

SourceForge Bolsters Security in Wake of Attack (January 31, 2011)

SourceForge is taking steps to enhance website security following an attack that may have compromised users' passwords. SourceForge hosts more than 260,000 open source software development projects. The breach was detected on January 26; the discovery that an SSH daemon had been modified to sniff passwords led the organization to invalidate all user account passwords as a precaution. SourceForge also temporarily disabled CVS, ishell, file uploads and project web updates. Source code is being reviewed to ensure that the attackers did not corrupt any of the projects.
-http://www.computerworld.com/s/article/9207241/After_attack_SourceForge_speeds_move_to_new_security_model?taxonomyId=17

-http://www.theregister.co.uk/2011/01/31/sorceforge_hack_response/
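The SourceForge compromise was found because a system binary (the SSH daemon) no longer matched what had been installed. The script below is an added illustration of that check, not SourceForge's own tooling: it records SHA-256 hashes of a set of files as a trusted baseline and later reports which of those files have been modified or removed. The directory layout, file contents and the "backdoored" replacement are constructed for the demonstration; on a real host the baseline would come from a clean install or the package manager's manifest and be kept off the host, since an attacker with root can rewrite a local manifest.

```python
"""Detect modified binaries by comparing SHA-256 hashes against a trusted baseline.

Added example for the SourceForge item (not SourceForge's code). Paths, file
contents and the simulated trojaned sshd below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relpaths) -> dict:
    """Record hashes for the listed files under root; this is the trusted manifest."""
    return {rel: sha256_file(root / rel) for rel in relpaths}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return files whose current hash differs from the baseline, and files that vanished."""
    modified, missing = [], []
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            missing.append(rel)
        elif sha256_file(path) != expected:
            modified.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def demo() -> dict:
    """Constructed scenario: sshd is baselined, then swapped for a credential-logging copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "bin").mkdir()
        # Constructed stand-ins for binaries; real hashes come from a clean install.
        (root / "usr/sbin/sshd").write_bytes(b"ELF-sshd-original")
        (root / "bin/ls").write_bytes(b"ELF-ls-original")
        baseline = build_baseline(root, ["usr/sbin/sshd", "bin/ls"])
        # Attacker replaces sshd with a version that also records passwords.
        (root / "usr/sbin/sshd").write_bytes(b"ELF-sshd-original+password-sniffer")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a packaged system the same comparison is what `rpm -V openssh-server` or `debsums openssh-server` performs against the vendor manifest; the script is useful where no package manifest exists or where the manifest itself may have been tampered with.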

Online Dating Site Breach (January 31, 2011)

An attack on online dating site PlentyOfFish.com compromised the passwords of nearly 30 million accounts. Site founder Markus Frind's public response to the breach accused an Argentine hacker of being behind the attack and suggested that cyber security journalist Brian Krebs was also involved in some way. Frind has since made clear in his blog that Krebs was not involved. Krebs notes that the PlentyOfFish database has serious security problems and that the company stores user passwords in plaintext.
-http://krebsonsecurity.com/2011/01/plentyoffish-com-hacked-blames-messenger/
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229200124&subSection=Security

-http://www.pcmag.com/article2/0,2817,2379001,00.asp
-http://www.net-security.org/secworld.php?id=10514
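The PlentyOfFish item turns on one design decision: a database dump of plaintext passwords hands the attacker every credential directly. The block below is an added example, not the site's code, placing that scheme beside the standard alternative: a per-user random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library) and a constant-time comparison on verification. The record format, helper names and iteration count are this example's own choices.

```python
"""Password storage: plaintext (the scheme criticized above) beside a salted slow hash.

Added example for the PlentyOfFish item, not the site's code. Record format,
iteration count and function names are this example's own conventions.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The weak scheme: the stored row is the password itself, so one table dump
    yields every credential, reusable against the same users on other sites."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt per user defeats precomputed tables and hides
    which users share a password; the iteration count makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dump_reveals_password(record: str, password: str) -> bool:
    """What a leaked row tells the attacker: True for plaintext, False for the hashed record."""
    return password in record


if __name__ == "__main__":
    weak = store_plaintext("hunter2")
    strong = hash_password("hunter2")
    print("plaintext row leaks password:", dump_reveals_password(weak, "hunter2"))
    print("hashed row leaks password:", dump_reveals_password(strong, "hunter2"))
    print("login with correct password:", verify_password("hunter2", strong))
    print("login with wrong password:", verify_password("hunter3", strong))
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating existing rows: old records keep verifying at their recorded cost and can be rehashed on the user's next successful login.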

Hotz to Challenge Equipment Seizure Order in Sony PS3 Hacking Case (January 30, 2011)

The New Jersey man facing a court order for the seizure of his computer equipment is challenging the demand. George Hotz published code on the Internet that allowed people to jailbreak their Sony PlayStation 3 consoles. The temporary restraining order issued by a California judge requires Hotz to surrender his computer equipment. Hotz has already complied with the judge's ruling that he remove the jailbreaking code from the Internet. The judge also ruled that Hotz "retrieve [code] which he has previously delivered or communicated," a demand his lawyer has called impossible.
-http://www.wired.com/threatlevel/2011/01/hacker-challenging-sony/

Opera 11.01 Fixes Remote Code Injection Flaw (January 28, 2011)

Opera has updated its flagship browser to address a remote code injection vulnerability. The flaw is due to problems with the handling of large form inputs. Opera has released updated versions of the browser for Mac, Unix and Windows; version 11.01 also addresses a number of other security issues.
-http://www.theregister.co.uk/2011/01/28/opera_11_security_update/
-http://www.infosecurity-us.com/view/15499/opera-browser-update-fixes-five-vulnerabilities/

FBI Executes Search Warrants in Connection with WikiLeaks Support Attacks (January 27 & 28, 2011)

The FBI served more than 40 warrants last week in connection with an investigation into distributed denial-of-service (DDoS) attacks allegedly conducted by members of a loosely organized hacking group known as Anonymous. Authorities in the UK arrested five people in connection with the attacks as well. The group targeted organizations that severed financial services to WikiLeaks in the wake of the release of tens of thousands of US diplomatic cables. Two teenagers, one in France and one in the Netherlands, have also been arrested in connection with the attacks. Authorities were able to identify computers used to launch the attacks against Visa, MasterCard and PayPal because the open source tool they used in the attacks does not hide the IP address of the machine.
-http://www.theregister.co.uk/2011/01/28/fbi_crackdown_on_anonymous/
-http://www.computerworld.com/s/article/9206838/FBI_executes_40_search_warrants_in_quest_for_Anonymous_?taxonomyId=17



************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is a security professional currently involved in independent security research.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Corporation (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/