SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #45
June 05, 2012
Google will announce a massive worldwide deployment of IPv6 today or
tomorrow. They are not the first; fully 60% of large organizations are
at some stage of making similar deployments. Many of the newcomers are
hoping to learn from the experience of the pioneers. If you have already
implemented IPv6 we are hoping you might share your experience. Or if
you are planning for deployment, share stumbling blocks you foresee? If
you are willing to share with others in the community, pleas email
Jennifer Santiago at jsantiago@sans.org.
And if you have felt at all challenged to explain cybersecurity to
family and others who may not be technologists, the first story in this
issue is about a phenomenal article and video that the Washington Post
has done. The Post editors decided that cybersecurity was so important
that the political class and the general public really needed to
understand it. This article is the first of a series that is already
clearing the fog through which most people look at cybersecurity.
Alan
TOP OF THE NEWS
To Defend Cyberspace, We Must First Understand ItFake Identities Used to Register Flame-Related Domains
Microsoft Revokes Three Digital Certificates After Flame Hijack
THE REST OF THE WEEK'S NEWS
Tiny Banker TrojanApple Releases iOS Security Guide
Microsoft Releases Public Preview of Windows 8
Google Warns Users in China About Blocked Terms
WHMCS Target of DDoS Attack
New Jersey Legislation Aims to Prevent Inadvertent Data Leaks
ANSWERS TO SAFE ONLINE BANKING SURVEY
In our last edition we asked for suggestions of technology for safe online banking. Here is a summary of what we received************************* SPONSORED BY Bit9 ******************************
It only takes 15 minutes for your domain controllers to be compromised by an advanced threat. When it comes to protecting your core IP, why not start with your highest value critical servers? Download Bit9's latest Threat Advisor and learn how you can protect your domain controllers from the Advanced Persistent Threat.
http://www.sans.org/info/106515
**************************************************************************
TRAINING UPDATE
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Malaysia, Bangkok, Boston, and San Antonio all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************************
TOP OF THE NEWS
To Defend Cyberspace, We Must First Understand It (June 2, 2012)
The video accompanying this article describes the chasm between the complexity of cyberspace and our ability to defend it. Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at DHS, notes that while the hackers only have to get it right once, we have to be careful all the time. And former CIA director George Tenet said, "We have built our future upon a capability that we have not learned how to protect." The article describes Charlie Miller's and Dionysus Blazakis's efforts to find a zero-day flaw in the iPhone for a contest alongside a brief history of our efforts to understand the "unthinkable complexity" of cyberspace.-http://www.washingtonpost.com/investigations/understanding-cyberspace-is-key-to-
defending-against-digital-attacks/2012/06/02/gJQAsIr19U_story.html
Fake Identities Used to Register Flame-Related Domains (June 4, 2012)
Researchers say that the recently detected Flame espionage malware appears to have been designed to steal technical drawings from Iran. The attackers also appear to have used several fake identities to register scores of domain names that were used to distribute Flame. The registrations through the phony identities date back to 2008, suggesting that Flame has been around for quite some time. Initial analysis indicates that Flame seeks AutoCad drawings and PDF and text files; its targets appear to be largely in Iran, with some targets in other Middle Eastern countries. Flame is no longer active.-http://www.wired.com/threatlevel/2012/06/flame-command-and-control/
-http://www.bbc.co.uk/news/technology-18324234
-http://news.cnet.com/8301-1009_3-57446652-83/flame-malware-network-based-on-shad
owy-domains-fake-names/
Microsoft Revokes Three Digital Certificates After Flame Hijack (June 4, 2012)
After learning that the malware writers responsible for Flame managed to sign their work with Microsoft's digital signature, the company revoked three of its own digital certificates. The update adding the certificates to the revocation list was pushed out over the weekend and affected all versions of Windows, including the Windows Release 8 preview. Due to a flaw in Microsoft's terminal services licensing certificate authority, the malware writers were able to generate fraudulent digital certificates. Microsoft has also modified the terminal Services licensing service so that it does not issue code-signing certificates.-http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breach
es/240001452/flame-burns-microsoft-with-digital-certificate-hack.html
-http://www.computerworld.com/s/article/9227716/Microsoft_throws_kill_switch_on_o
wn_certificates_after_Flame_hijack?taxonomyId=82
-http://krebsonsecurity.com/2012/06/flame-malware-prompts-microsoft-patch/
THE REST OF THE WEEK'S NEWS
Tiny Banker Trojan (June 4, 2012)
The recently detected Tiny Banker Trojan horse program, known as Tinba, buries itself in browsers on infected computers and steals online banking data. The malware alters the way online banking websites appear to users on their computer screens and attempts to circumvent authentication measures; its techniques bear some similarity to those of ZeuS. Tinba is notably small, weighing in at just 20KB.-http://www.theregister.co.uk/2012/06/04/small_banking_trojan/
-http://www.h-online.com/security/news/item/Tiny-banking-trojan-can-do-a-lot-of-d
amage-1588948.html
Apple Releases iOS Security Guide (June 1 & 4, 2012)
Apple has released a detailed guide to iOS security, an unexpected move for a company with a reputation for playing security issues close to the chest. (iOS is the operating system used on the iPhone, iPad, and iTouch.) The guide addresses system architecture, encryption, data protection, and network security. It also provides more information about Apple's use of ASLR, or address space layout randomization to thwart exploits and help prevent memory corruption. Apple quietly released the guide several weeks ago.-http://www.theregister.co.uk/2012/06/04/ios_security_guide/
-http://www.scmagazine.com/apple-goes-public-with-ios-security-features/article/2
43935/
-http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
[Editor's Note (Honan): This is a welcome move from Apple, in particular as more and more iOS devices are becoming widely used in enterprise environments. Another excellent resource on iOS security is the "iOS Hardening Configuration Guide" published by the Australian Defence Signals Directorate,
-http://www.dsd.gov.au/publications/iOS_Hardening_Guide.pdf
(Murray): iOS has proven to be surprisingly robust for a consumer operating system. While clearly vulnerable to its owner, it seems remarkably resistant to network attacks, and, with help from the Apple Store, to process-to-process interference. While government and industry prefer Android, it is the clear choice for the non-technical consumer. One can make a case that that is the most vulnerable population.]
Microsoft Releases Public Preview of Windows 8 (June 1 & 4, 2012)
Last week, Microsoft released the first public preview of its next operating system, Windows 8. The new operating system includes built-in anti-virus software, Windows Defender, which is activated only when it detects that the computer is not being protected by another anti-virus program. Microsoft is calling Windows 8 the most significant interface redesign since the introduction of Windows 95. Windows 8 was developed to help bring Microsoft operating system to smartphones and touchscreen devices. The new operating system also comes with Internet Explorer 10, the most recent version of Microsoft's browser, which will have do-not-track technology enabled by default.-http://www.computerworld.com/s/article/9227707/Windows_8_s_built_in_AV_to_be_sec
urity_of_last_resort?taxonomyId=17
Google Warns Users in China About Blocked Terms (June 1, 2012)
Google is now warning users in China when they enter search terms that could return blocked results, and suggesting other terms to use instead. China has reportedly been stepping up its search filtering over the past few weeks to the extent that some searches for restaurants, tourist attractions, and university information failed to return pertinent results.-http://articles.timesofindia.indiatimes.com/2012-06-01/internet/31958571_1_analy
sys-international-baidu-android
WHMCS Target of DDoS Attack (June 1, 2012)
WHMCS, the company that was targeted by cyber criminals who stole data and posted it online, is now being targeted by a distributed denial-of-service (DDoS) attack. The company recently released a patch for a zero-day SQL injection vulnerability that allowed attackers to gain access to systems at web hosting companies that use WHMCS's services. The attack, which occurred last month, was made largely with the help of social engineering tactics and does not appear to be related to the recently patched flaw. The attack last week took action that made WHMCS's site unavailable for a number of hours. The server they targeted hosted the company's main website and supported customer installations of its technology.-http://www.theregister.co.uk/2012/06/01/whmcs_ddos_follows_patching/
New Jersey Legislation Aims to Prevent Inadvertent Data Leaks (May 29 & June 1, 2012)
New Jersey state legislators have passed a bill that would require data stored by copy machines and scanners be deleted. The bill requires that the devices' hard drives be wiped before they are discarded. The bill places the responsibility of ensuring that the data are destroyed on the owners and lessees of digital copy machines. It would also require the device manufacturers to include instructions for how to destroy the records on the hard drive, or how to arrange to have them destroyed. Violators could face fines of up to US $5,000.-http://www.infosecurity-magazine.com/view/26127/new-jersey-assembly-passes-bill-
requiring-deletion-of-copier-data
-http://www.courierpostonline.com/article/20120529/NEWS02/120529003/1007/news02
[Editor's Note (Murray): Given the low and falling cost of secondary storage, we should encourage its destruction in preference to any attempts to salvage it. We should also encourage the use of full-disk encryption. That said, while the proposed legislation seems ill-designed, it seems harmless enough.]
ANSWERS TO SAFE ONLINE BANKING SURVEY
One writer suggested Ironkey is a bit pricey and suggested I view his blogpost:-http://shpantzer.blogspot.com/2012/02/verification-to-claims-made-in-security.ht
ml
Another mentioned Trusteer's Rapport as an option, some banks make it available to customers for tree. Several people suggested Linux live CDs, put the CD in the drive, reboot, do your banking, remove the CD. Another reader shared they have this problem solved in Germany, it's called "Chip-TAN".
-http://en.wikipedia.org/wiki/Transaction_authentication_number#ciTAN_or_ChipTAN
There is a picture of it at
-http://upload.wikimedia.org/wikipedia/commons/thumb/f/fa/SmartTAN_optic-Gadget.j
pg/220px-SmartTAN_optic-Gadget.jpg
Several people point out that probably any technology can be defeated, but if it makes the attackers work hard and forces the use of defense specific attacks it is probably a win.
-http://shpantzer.blogspot.com/2012/02/verification-to-claims-made-in-security.ht
ml
Another mentioned Trusteer's Rapport as an option, some banks make it available to customers for tree. Several people suggested Linux live CDs, put the CD in the drive, reboot, do your banking, remove the CD. Another reader shared they have this problem solved in Germany, it's called "Chip-TAN".
-http://en.wikipedia.org/wiki/Transaction_authentication_number#ciTAN_or_ChipTAN
There is a picture of it at
-http://upload.wikimedia.org/wikipedia/commons/thumb/f/fa/SmartTAN_optic-Gadget.j
pg/220px-SmartTAN_optic-Gadget.jpg
Several people point out that probably any technology can be defeated, but if it makes the attackers work hard and forces the use of defense specific attacks it is probably a win.
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/