SANS NewsBites - Volume: XIII, Issue: 71

*************************************************************************
SANS NewsBites                     September 06, 2011                    Volume: XIII, Issue: 71
*************************************************************************
TOP OF THE NEWS

  DNS Attack Affects Prominent Websites
  DigiNotar Certificates Blocked Following Breach
  UK Police May Get Authority to Shut Down Domains Without Court Order
  Pakistani Directive Requires ISPs to Block Encrypted Communications

THE REST OF THE WEEK'S NEWS

  Former Employee Erased Payroll Files
  Police Accompanied Apple Investigators in Search for Missing iPhone Prototype
  DHS warns of Attacks Planned by Anonymous
  Alleged Anonymous Members Plead Not Guilty to PayPal DDoS Attack Charges
  WikiLeaks Suing Newspaper Over Cable Leak
  Microsoft Facing Lawsuit Over Windows Phone 7 Location Data Collection


************************ Sponsored By Zscaler **************************

ONLINE WEBCAST with GARTNER: WHY ADVANCED THREAT PROTECTION IS BETTER DONE IN THE CLOUD Are you doing enough to manage your security risks in today's Web 2.0 World? Join Peter Firstbrook of GARTNER who will detail why cloud security is better for advanced threat protection. Sept 8 at 10am PST / 1pm EST
http://www.sans.org/info/86259

**************************************************************************

TRAINING UPDATE

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --SANS San Antonio 2011, San Antonia, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************


TOP OF THE NEWS

DNS Attack Affects Prominent Websites (September 4 & 5, 2011)
An attack on Domain Name System (DNS) service providers NetNames and Ascio has affected as many as 200 prominent websites, including those of the Daily Telegraph, UPS and Vodafone. Users attempting to visit those sites were redirected to a site set up by the attackers. The perpetrators are believed to be the same group that launched similar attacks against Korean websites in August. They launched their attacks by targeting DNS service providers. Many of the websites restored service as soon as they learned of the problem, but because web traffic relies on the DNS system, returning to normal could take up to three days. Internet Storm Center:
-http://isc.sans.edu/diary/Several+Sites+Defaced/11503

-http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/
-http://www.zdnet.com/blog/btl/dns-hack-hits-200-major-websites-vodafone-ups-acer
-microsoft-sites-affected/57294

-http://www.bbc.co.uk/news/technology-14786524
-http://www.telegraph.co.uk/technology/news/8741597/Major-websites-hijacked-by-Tu
rkish-hackers.html

-http://www.computerworld.com/s/article/9219728/Turkish_hackers_strike_websites_w
ith_DNS_hack?taxonomyId=17

[Editor's Note (Ullrich): Big surprise, at the root of it all appears to be a SQL injection vulnerability. So sad that simple preventable vulnerabilities keep haunting us. In this case, the victim sites did nothing wrong other then using another companies vulnerable web application to manage their DNS.
(Honan: This attack and the one on DigiNotar highlight how fragile, insecure and unsuitable the Internet is for conducting the type of transactions we are using it for. Putting security solutions as add-ons to the infrastructure is not working. We need a fundamental rebuild of the security architecture we are using and we need it now!]


DigiNotar Certificates Blocked Following Breach (September 3 & 5, 2011)
The number of certificates issued as a result of a security breach at Dutch certificate authority DigiNotar is growing; the latest official estimate has the figure at 531. The breach had prompted Mozilla to take measures so "that all DigiNotar certificates will be untrusted by Mozilla products," which includes the Firefox browser. The most recent version of Google's Chrome browser also places DigiNotar certificates on a permanent block list. There is evidence that the stolen certificates were being used to spy on people in Iran. The sites for which fraudulent certificates were issued include MI6, the CIA, Microsoft, Facebook and Twitter. Microsoft said that the forged certificate cannot be used to force malware through Windows Update. Internet Strorm Center:
-http://isc.sans.edu/diary/DigiNotar+audit+-+intermediate+report+available/11512
-http://isc.sans.edu/diary.html?storyid=11500
-http://www.h-online.com/security/news/item/DigiNotar-attackers-got-over-500-cert
ificates-1337007.html

-http://www.theregister.co.uk/2011/09/03/diginotar_game_over/
-http://www.bbc.co.uk/news/technology-14789763
-http://www.computerworld.com/s/article/9219729/Microsoft_Stolen_SSL_certs_can_t_
be_used_to_install_malware_via_Windows_Update?taxonomyId=17

[Editor's Note (Ullrich): In particular the intermediate audit report not only shows how deeply DigiNotar was penetrated, but also how little attention they apparently paid to logs.
(Honan: The external consultants, Fox IT, who conducted the audit into this incident have published their findings and it makes for very sad reading. The findings show issues that contributed to the breach include out of date anti-virus software, unpatched software, poor log management, weak passwords and a network which did not have sensitive systems segregated from others. This report is a must read for security professionals on how not to secure an environment.
-http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/digin
otar-public-report-version-1.html
]


UK Police May Get Authority to Shut Down Domains Without Court Order (September 2, 2011)
Law enforcement authorities in the UK may gain the power to suspend Internet domain names without a court order if they suspect the domains are being used for illegal purposes. A proposed rule would allow police the expanded authority when "the urgent suspension of the domain name is necessary to prevent serious and immediate consumer harm." Prior to the takedown, police would have to file a declaration with Nominet, which manages the .uk registry, that the action is "proportionate, necessary and urgent," but would not need to get court approval.
-http://www.theregister.co.uk/2011/09/02/cops_to_get_dot_uk_takedown_powers/


Pakistani Directive Requires ISPs to Block Encrypted Communications (September 1 & 2, 2011)
According to a memo from the Pakistan Telecommunication Authority, Internet service providers (ISPs) in that country are required to block encrypted communications that are sent over virtual private networks (VPNs). The memo, leaked by a Pakistani ISP, served as a reminder of the policy and notice that the "directive has not been followed in true letter and spirit." The policy's stated intent is to prevent militants from communications over channels that cannot be monitored. Entities can apply for special exemptions.
-http://www.technologyreview.com/communications/38497/?p1=A3&a=f
-http://news.idg.no/cw/art.cfm?id=74C34253-1A64-67EA-E4CEB90904270565
-http://www.guardian.co.uk/world/2011/aug/30/pakistan-bans-encryption-software?IN
TCMP=SRCH




*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/86264

****************************************************************************


THE REST OF THE WEEK'S NEWS

Former Employee Erased Payroll Files (September 5, 2011)
David Palmer, a former IT administrator at McLane Advanced Technologies in Texas, has pleaded guilty to charges of computer intrusion. After his firing, Palmer accessed his former employer's computer system and erased payroll files belonging to one of its customers, a military contractor called Lone Star Plastics. Court records indicate that Palmer told investigators that his intent was "to create general havoc and disorder for McLane." Palmer was able to gain access to the system after he was fired through a backdoor he had set up prior to leaving the company. He accessed the system though a Wi-Fi network at an area restaurant.
-http://news.techworld.com/security/3301315/ex-employee-hacks-us-military-contrac
tors-computer-systems/

[Editor's Note (Schultz): This sad story should once again remind information security professionals of the recent statistic that the majority of insider attacks are initiated remotely by former employees. Shutting off all access avenues of people who are being terminated or leaving an organization is *that* important. ]


Police Accompanied Apple Investigators in Search for Missing iPhone Prototype (September 2 & 3, 2011)
Police in San Francisco, California say they assisted Apple in an investigation into a missing iPhone 5 prototype. The device was reportedly left in a bar. The iPhone's GPS signal was reportedly traced to a man's home, and he admitted to having been at the same establishment where the device was lost, but said that he did not have the phone. The man's home was then searched by two people he believed were members of the police department, but it now appears they were Apple employees; police officers waited outside the home while the search was conducted. The device was not found.
-http://blogs.sfweekly.com/thesnitch/2011/09/iphone_5_apple_police.php
-http://edition.cnn.com/2011/TECH/mobile/09/02/iphone.5.prototype/index.html
-http://www.zdnet.com/blog/btl/lost-iphone-5-saga-sf-police-say-they-assisted-app
le-on-investigation/57276?tag=mantle_skin;content



DHS warns of Attacks Planned by Anonymous (September 2 & 4, 2011)
The US Department of Homeland Security (DHS) has issued a bulletin warning of attacks planned by members of the loosely organized hacking collective known as Anonymous. The bulletin comes from the DHS National Cybersecurity and Communications Integration Center (NCCIC) and specifically warns companies in the financial sector to be attentive to the possibility that Anonymous could try to solicit the sympathies of unhappy employees.
-http://www.computerworld.com/s/article/9219711/DHS_warns_of_planned_Anonymous_at
tacks

-http://www.eweek.com/c/a/Security/DHS-Warns-of-Anonymous-CyberAttack-Tools-Plann
ed-Mass-Protests-392974/



Alleged Anonymous Members Plead Not Guilty to PayPal DDoS Attack Charges (September 1 & 2, 2011)
Fourteen people have pleaded not guilty to charges of conspiracy and computer hacking in US federal court in San Jose, California. The charges are related to the December 2010 distributed denial-of-service (DDoS) attack against PayPal. The attack was allegedly launched by members of Anonymous in retaliation for PayPal's decision to stop processing donations to WikiLeaks. The 14 people were arrested in July; if they are convicted, they face prison time and hefty fines.
-http://news.cnet.com/8301-31921_3-20100790-281/alleged-anonymous-members-plead-n
ot-guilty/?tag=mncol;1n

-http://www.scmagazineus.com/alleged-anonymous-14-plead-innocent-to-paypal-ddos/a
rticle/211199/

[Editor's Note (Honan): Regardless of who is to blame for the leak, this story is a good example of how crucial it is to formally agree operational security roles and responsibilities when two organisations share sensitive information. ]


WikiLeaks Suing Newspaper Over Cable Leak (September 1, 2011)
WikiLeaks says it plans to sue The Guardian newspaper over the leak of thousands of unredacted US State Department diplomatic cables. According to a statement from WikiLeaks, "a Guardian journalist has negligently disclosed top secret WikiLeaks' decryption passwords to" an archive containing the cables.
-http://www.informationweek.com/news/security/attacks/231600630


Microsoft Facing Lawsuit Over Windows Phone 7 Location Data Collection (September 1, 2011)
A complaint filed in district court in Seattle alleges that Microsoft's Windows Phone 7 tracks users' locations without permission. The complaint alleges that Microsoft is attempting to map the locations of cell towers, wireless routers, mobile phones and computers to support its location-based advertising service, and that the company is using the Windows Phone camera application to gather the information. The first time users open the camera application, they are asked for permission to log their location. Users' responses are ignored when the application is opened subsequently.
-http://www.informationweek.com/news/security/privacy/231600657


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/