3 Days left to Save $400 on SANS DFIR Summit

SANS NewsBites - Volume: XIII, Issue: 36

*************************************************************************
SANS NewsBites                     May 06, 2011                    Volume: XIII, Issue: 36
*************************************************************************
TOP OF THE NEWS

  Apple iOS Update Addresses Location Data Issues
  Boeing Whistleblowers Not Entitled to Protection
  Mozilla Questions Government's Request to Ban Firefox Plug-In

THE REST OF THE WEEK'S NEWS

  Google Supports Opposition to California Do Not Track Bill
  May's Patch Tuesday to Address Three Vulnerabilities
  Two Companies Settle FTC Charges
  FBI Responds to Audit Report Critical of its Cyber Security Expertise

DEVELOPMENTS IN SONY BREACH

  SOE Intrusion Discovered During PSN Breach Investigation
  New York AG Subpoenas Sony Regarding How it Represented Site Security
  Sony Calls in Forensic Experts
  Sony Declines to Testify at House Subcommittee Hearing on Breach
  Legislation but Offers More Details in Letter to Legislators


*****************************************************************

TRAINING UPDATE

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; and It's Time to Rethink Everything: A Governance, Risk & Compliance Primer
http://www.sans.org/virginia-beach-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY SANS ***********

Announcing New SANS Reading Room Papers! 1. The highly-anticipated SANS 7th Annual Log Management Survey Report is now available in the SANS Reading Room here: http://www.sans.org/info/76964

2. A new survey on network security and resiliency is available in the SANS Reading Room here: http://www.sans.org/info/76969

****************************************************************************


TOP OF THE NEWS

Apple iOS Update Addresses Location Data Issues (May 4 & 5, 2011)
Apple has released iOS 4.3.3 to address three flaws associated with location information in iPhones, iPads and iPods. The update reduces the amount of location stored to one week's worth. It also alters the operating system so that it will not back up the cache to computers while synching devices. Finally, the update deletes the cache from devices when users disable Location Services in iOS Settings. The update was released just a week after Apple said it would fix the problems. Apple says that the next major update for iOS will include encryption for location information on devices running the operating system.
-http://www.bbc.co.uk/news/technology-13292313
-http://www.computerworld.com/s/article/9216421/Apple_releases_iOS_4.3.3_to_patch
_location_bugs?taxonomyId=17

-http://www.theregister.co.uk/2011/05/04/apple_updates_ios_to_addresss_location_t
racking_database_cache/



Boeing Whistleblowers Not Entitled to Protection (May 3 & 4, 2011)
A federal appeals court has said that two Boeing internal auditors who leaked documents that raised questions about cyber security measures at the company to a Seattle newspaper are not entitled to whistleblower protection. Boeing fired Matthew Neumann and Nicholas Tides after the leak was traced to them. The auditors maintained that they were protected by the Sarbanes-Oxley Act, which aims to protect shareholders from fraud. The court said that the Act protects people who give information to the authorities, not to the media.
-http://www.wired.com/threatlevel/2011/05/whistleblower-firings/
-http://www.latimes.com/news/local/la-me-whistleblowers-20110504,0,5715520.story


Mozilla Questions Government's Request to Ban Firefox Plug-In (May 5, 2011)
Mozilla has refused a request from the US Department of Homeland Security (DHS) that it ban a Firefox plug-in called MafiaaFire. The plug-in in question allows users to visit sites whose domain names have been seized by the US government. MafiaaFire redirects users to new sites that offer the same content as those whose domain names have been seized, but are beyond the reach of the government. The government says the extension violates its seizure orders. Mozilla has asked why it should comply with the request and has yet to receive a reply from the government.
-http://www.wired.com/threatlevel/2011/05/firefox-add-on-redirect/
-http://arstechnica.com/tech-policy/news/2011/05/mozilla-resists-us-govt-request-
to-nuke-mafiaafire-add-on.ars

-http://www.theregister.co.uk/2011/05/05/mozilla_firefox_addon_survives/
-http://www.computerworld.com/s/article/9216453/Mozilla_defies_DHS_will_not_remov
e_Mafiaa_Fire_add_on?taxonomyId=17





THE REST OF THE WEEK'S NEWS

Google Supports Opposition to California Do Not Track Bill (May 5, 2011)
Google has joined a number of other groups in opposing proposed legislation in California that would grant consumers the right to prevent companies from tracking, retaining or selling data about their online activity. The Bill passed the State Senate Judiciary Committee; it now goes before the Appropriations Committee before moving to the Senate and State Assembly. Those opposing the legislation say it places undue burden on businesses conducting online commerce.
-http://www.pcworld.com/article/227212/californias_do_not_track_law_takes_a_step_
forward.html

-http://www.theregister.co.uk/2011/05/05/google_backs_do_not_track_opposition/


May's Patch Tuesday to Address Three Vulnerabilities (May 5, 2011)
On Tuesday, May 10, Microsoft will release two security bulletins to address a total of three vulnerabilities in Microsoft Windows and Microsoft Office. Both bulletins address flaws that allow remote code execution. The first bulletin will address one critical flaw in Windows; the other is rated important and will address two flaws in Office.
-http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
-http://news.cnet.com/8301-27080_3-20060140-245.html?tag=mncol;title
-http://www.computerworld.com/s/article/9216448/Microsoft_plans_critical_update_t
o_Windows_Server_next_week?taxonomyId=17

-http://www.scmagazineus.com/microsoft-readying-fixes-for-windows-office-flaws/ar
ticle/202200/



Two Companies Settle FTC Charges (May 4, 2011)
The US Federal Trade Commission (FTC) said that two companies have settled changes the Commission brought against them for failing to implement adequate security controls to protect sensitive information. Ceridian, a payroll services provider, and Lookout Services, which provides immigration services software, both falsely claimed to offer adequate protection. Both companies experienced breaches that exposed sensitive personal information of consumers. The settlement agreements call for the companies to obtain third-party security audits every two years for the next 20 years.
-http://www.informationweek.com/news/security/attacks/229402828
[Editor's Note (Schultz): Having to undergo a security audit every two years borders on being a joke. Having to instead submit snapshots of information (such as syslog output from critical servers) that reveals the security state of these companies every month, something that is more in accordance with the relatively new continuous monitoring initiatative within the U.S. government, would be far better. ]


FBI Responds to Audit Report Critical of its Cyber Security Expertise (May 3, 2011)
Steven Chabinsky, who is the deputy assistant director of the FBI's cyber division, disputes conclusions drawn in a recently released audit report that the FBI lacks sufficient cyber security investigation skills. Chabinsky says that the information gathered is out of date as the audit in question began in 2008. The FBI's approach to cyber crime has changed within the last two years with the addition of a new training program that incorporates real-world experience. The FBI's cyber unit and the National Cyber Investigative Joint Task Force (NCIJTF), which is led by the FBI and which coordinates intelligence and investigations across 18 agencies, have both received praise for the results of their efforts.
-http://www.informationweek.com/news/security/government/229402636
[Editor's Comment (Northcutt): What I would like to see is an audit of the Office of the Inspector General to determine how qualified they are to assess a government agency's cyber capabilities! No agency has a more well trained cyber-law enforcement team than the FBI? None! The FBI has been taking cyber workforce development very seriously for years, starting even before the military. ]


DEVELOPMENTS IN SONY BREACH

SOE Intrusion Discovered During PSN Breach Investigation (May 5, 2011)
Sony expects to have portions of the PlayStation Network (PSN) available sometime this week, but has not said when it expects Sony Online Entertainment (SOE) services to be restored. Sony said that the attack on SOE was discovered during the investigation of the PSN breach.
-http://www.washingtonpost.com/blogs/faster-forward/post/sony-online-entertainmen
t-details-attack-but-no-timeline-for-service-restoration/2011/05/04/AFTcHIxF_blo
g.html



New York AG Subpoenas Sony Regarding How it Represented Site Security (May 4, 2011)
New York Attorney general Eric Schneiderman has subpoenaed Sony regarding the PSN and SOE breaches and the way it represented the network's security to customers. Sony has apologized for the breaches and is cooperating with investigations. The subpoena seeks information about what Sony told customers about the network's security.
-http://www.bloomberg.com/news/2011-05-04/sony-said-to-be-subpoenaed-by-new-york-
over-data-breaches-1-.html



Sony Calls in Forensic Experts (May 4 & 5, 2011)
Sony has called in the expertise of three security forensic specialty teams to investigate breaches that compromised personal information of more than 100 million Sony customers. Some of the investigators were brought in on April 22, days before Sony publicly acknowledged that data had been compromised. Sony said that the intruders compromised at least 10 servers. The FBI is conducting its own investigation.
-http://www.informationweek.com/news/security/attacks/229402895
-http://www.bbc.co.uk/news/business-13276490
-http://www.guardian.co.uk/technology/2011/may/04/sony-playstation-network-hack-i
nvestigators



Sony Declines to Testify at House Subcommittee Hearing on Breach Legislation but Offers More Details in Letter to Legislators (May 3, 4 & 5, 2011)
Members of the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade expressed frustration that Sony and Epsilon declined invitations to testify about breaches that compromised personal data of tens of millions of people. Subcommittee chair Representative Mary Bono Mack (R-Calif.) said Sony should have told customers about the breach that affected millions of users sooner and called the company's efforts "half-hearted, half-baked." Sony used a blog as the first form of notification. Sony defended the delay in notification by saying they wanted to wait until they had more information about the incident. In the letter, Sony says it did not notice the attack on PSN because it was distracted by a series of distributed denial-of-service (DDoS) attacks launched against several different Sony divisions. Sony says those attacks were launched by the loosely organized hacker collective known as Anonymous in protest of Sony's prosecution of George Hotz. Anonymous has said it was not involved in the attacks on PSN and SOE. The letter went on to describe what the company is doing to resolve the problems.
-http://www.eweek.com/c/a/Security/Sony-Data-Breach-Was-Camouflaged-by-Anonymous-
DDoS-Attack-807651/

Sony's letter:
-http://republicans.energycommerce.house.gov/Media/file/Letters/112th/050411Hirai
.pdf

-http://www.washingtonpost.com/blogs/post-tech/post/house-panel-blast-sony-on-dat
a-breaches/2011/05/04/AF2UFxoF_blog.html

-http://www.usatoday.com/tech/news/2011-05-04-sony-breach-congress_n.htm
-http://www.scmagazineus.com/sony-breach-prompts-house-data-theft-hearing/article
/202061/

-http://www.infosecurity-us.com/view/17798/sony-admits-to-week-delay-in-notifying
-public-about-data-breach



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/