SANS NewsBites - Volume: XIII, Issue: 85


In the second story, about the Australian security innovation, there is
a potential "silver bullet" that is gaining rapid traction around the
world.
Alan

*************************************************************************
SANS NewsBites                     October 25, 2011                    Volume: XIII, Issue: 85
*************************************************************************
TOP OF THE NEWS

  Hundreds of Organizations Targeted in Attack That Hit RSA Australian
  Defence Signals Directorate Wins National Cybersecurity Innovation Award
  Critical Infrastructure Needs New, Secure Internet
  Chinese Ambassador Calls for Internet "Traffic Rules" at UN

THE REST OF THE WEEK'S NEWS

  Anonymous Targets Child Pornography Sites
  XML Encryption Flaw
  Guilty Plea in Superbowl Feed Manipulation Case
  Study Says Comcast is No Longer Selectively Throttling BitTorrent Traffic
  Technique Ties Skype IP Addresses to P2P File Sharing Activity
  Tech Companies and Civil Liberty Groups Push to Revamp Outdated Privacy Law
  FCC Warns Retailers Against Selling Signal Jammers in US


*********** Sponsored By Raytheon Trusted Computer Solutions ***********

Hardening operating systems to DISA STIG, PCI, or SANS CAG recommendations can be confusing and time consuming. Automate the assessment, lock down, and baselining of your systems with Security Blanket, for consistent and predictable results. **Now supporting 'targeted' SELinux policy for Red Hat Enterprise Linux. Learn more by registering for a free demonstration today!

http://www.sans.org/info/89369

**************************************************************************

TRAINING UPDATE

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011 17 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************


TOP OF THE NEWS

Hundreds of Organizations Targeted in Attack That Hit RSA (October 24, 2011)
The attack that hit RSA earlier this year appears to have hit computer systems at other organizations as well. Information obtained from an undisclosed source suggests that at least 760 other organizations were compromised in the same set of attacks. The organizations listed have computer systems that were found to be checking in for instructions with the same infrastructure that was used in the RSA attack. Some of those listed are Internet service providers (ISPs) and are probably listed because subscribers were infected. Some of those on the list are anti-virus companies and may appear on the list because they deliberately infected systems with malware in an attempt to reverse-engineer. The attack used more than 300 command and control networks located primarily in China and South Korea.
-https://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/


Australian Defence Signals Directorate Wins National Cybersecurity Innovation Award (October 24, 2011)
The Australian Defence Signals Directorate (DSD) is the winner of a 2011 US National Cybersecurity Innovation Award. A DSD team analyzed all reported targeted cyber intrusions launched against civilian and military government systems to determine what measures would have prevented their spread. The team identified a total of 35 controls that would prove valuable, but honed in on four, dubbed "the sweet spot," that must be implemented at all governmental organizations to protect them from targeted attacks. Additional controls will also improve security postures, but these four must be in place first. The award honors Steve Mcleod and Chris Brookes, who led the DSD team that developed the list of controls, and Dr. Ian Watt for "advocating that all cabinet agencies in Australia should implement the four controls and making sure they are doing it."
-http://www.sacbee.com/2011/10/24/4003892/australian-defence-signals-directorate.
html

-http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

[Editor's Note (Paller): The senior leadership response to the 4 key controls has been extraordinary. And the results in the agencies that have implemented them are just what is needed in responding to targeted intrusions. This is a great way for security people to become security heroes, and auditors who are not checking for these four being fully implemented should refund their salaries because they are looking at the wrong things. ]


Critical Infrastructure Needs New, Secure Internet (October 21 & 24, 2011)
FBI executive assistant director Shawn Henry said that the country's critical infrastructure needs a new, separate, and secure Internet to protect it from terrorists. Speaking to conference attendees in Baltimore, Henry said that the only way to ensure security is to create a new Internet that does not allow for anonymity and only those who are known and trusted will have access. The FBI is also promoting the idea of taking sensitive information offline completely.
-http://www.executivegov.com/2011/10/fbis-shawn-henry-proposes-alternate-internet
-to-secure-critical-infrastructures/

-http://www.google.com/hostednews/ap/article/ALeqM5gaNalQ-2_nO0nDy6FaeF0hYa1EmA?d
ocId=390fd39ef9214a6ca6059d3abfaad04b

[Editor's Note: Multiple Newsbites editors expressed skepticism about the feasibility of such a plan. The need is so great, however that it makes sense to explore the possibility. A useful contribution to that exploration was the keynote presentation at a National Science Foundation Cyber Security Principal Investigator's meeting in which Microsoft Research's Butler Manson spoke on Accountability and Freedom: He talked about Red and Green internets. The Red one is what we have now the Green one has "locks good enough that bad guys break in rarely and bad guys get caught and punished enough to be deterred." Even if perfection is not possible, perhaps a much more secure "green Internet" would be worthy of consideration. ]


Chinese Ambassador Calls for Internet "Traffic Rules" at UN (October 21, 2011)
In an address to the First Committee of the United Nations General Assembly on Information and Cyberspace Security, China's ambassador for disarmament affairs, Wang Qun, called for the creation of comprehensive traffic rules for the Internet. Ambassador Wang Qun noted that "maintaining information and cyberspace security is maintaining the security of the whole international community, not just that of one country," and said that "the UN is the most appropriate forum for the formulation of such norm and rules."
-http://www.chinadaily.com.cn/usa/china/2011-10/21/content_13944760.htm
Text of the address:
-http://www.china-un.org/eng/hyyfy/t869445.htm
[Editor's Note (Ranum): This has the potential to be a great step forward. It would also be nice if they proposed some frameworks for attribution and jurisdiction so that if there are future state-sponsored cyberterror attacks like Stuxnet the UN can levy sanctions once they have been attributed. ]



*********************** SPONSORED LINKS: *********************************

1) Sign up for SANS ToolTalk Webcast: Secure Development and Test Environments with Oracle Data Masking sponsored by Oracle. Go to http://www.sans.org/info/89374

2) Complimentary Forrester Webinar & Research: "See, Know, Act: Advancing Network Visibility, Analysis & Protection with NetFlow" http://www.sans.org/info/89414

***************************************************************************


THE REST OF THE WEEK'S NEWS

Anonymous Targets Child Pornography Sites (October 24, 2011)
Members of the Anonymous hacking collective temporarily disabled a number of websites that host or facilitate sharing of child pornography. Operation Darknet, as Anonymous is calling it, has taken down Freedom Hosting, which it says, leaves more than 40 offending websites without service. The group also leaked a user database of nearly 1,600 people who are purportedly active members of one of the darknet sites. Anonymous said it was able to keep Freedom Hosting offline for 30 hours before running out of bandwidth. Anonymous has faced criticism for its vigilante actions, because they could have interfered with ongoing official investigations.
-http://www.informationweek.com/news/security/attacks/231901499
-http://www.bbc.co.uk/news/technology-15428203
[Editor's Note (Liston): While it's tempting to believe that this is a productive use of Anonymous' "exuberance," having some history trying to shut one of these sites down, I can tell you that without law enforcement involvement, it just becomes a giant game of whack-a-mole. Anonymous gets points for style on this one, but I don't think they'll accomplish anything lasting and may actually end up hindering investigations that could produce long-term results. ]


XML Encryption Flaw (October 23 & 24, 2011)
Researchers from Ruhr University of Bochum in Germany have created a proof-of-concept attack that breaks XML encryption, a standard that permits secure communication between web services. The researchers want the World Wide Web Consortium to change the standard because there currently is no available fix for the issue.
-http://www.informationweek.com/news/security/vulnerabilities/231901532
[Editor's Note (Liston): The attack is somewhat similar to the "padding oracle attack" against encrypted HTTP cookies from last year. Fortunately, XML encryption isn't as widely used. ]


Guilty Plea in Superbowl Feed Manipulation Case (October 21, 2011)
Frank Tanori Gonzalez has admitted that he manipulated Comcast's computer system to broadcast 37 seconds of a pornographic movie to cable viewers watching the 2009 Superbowl broadcast. Gonzalez worked at Cox Communications as a liaison to Comcast; he accessed the Comcast system without authorization twice; the second time was the Superbowl incident. As part of a plea deal, Gonzalez pleaded guilty to computer tampering; he will pay a US 41,000 fine and serve three years of probation. If he completes the sentence, his conviction will be downgraded from a felony to a misdemeanor.
-http://www.theregister.co.uk/2011/10/21/superbowl_computer_tampering/
-http://azstarnet.com/news/local/crime/marana-man-pleads-guilty-in-super-bowl-por
n-clip-case/article_8e2bb25b-697e-565d-8839-51c29c721bdb.html



Study Says Comcast is No Longer Selectively Throttling BitTorrent Traffic (October 21, 2011)
A new study indicates that Comcast is complying with US Federal Communications Commission (FCC) ruling requiring that it not throttle BitTorrent traffic. Comcast believes that the FCC overstepped its authority in ordering the cessation of selective throttling, but said it would comply with the order and maintains its right to throttle traffic during unusually high periods of congestion. Comcast said it is using a system that throttles traffic of heavy users during unusually high volume times, but does not pick and choose which users get throttled.
-http://www.wired.com/threatlevel/2011/10/bittorrent-throttling-comcast/


Technique Ties Skype IP Addresses to P2P File Sharing Activity (October 21, 2011)
Researchers have found a method of matching Skype users to peer-to-peer networks so that it may become easier to pinpoint who is responsible for sharing files through BitTorrent and other P2P networks. The method involved using a packet sniffer to identify Skype users' IP addresses without their knowledge and seeing whether that same address is associated with files shared over P2P networks.
-http://www.wired.com/threatlevel/2011/10/researchers-identify-skype-user/
-http://www.theregister.co.uk/2011/10/21/skype_bittorrent_stalking/
-http://cis.poly.edu/%7Eross/papers/skypeIMC2011.pdf


Tech Companies and Civil Liberty Groups Push to Revamp Outdated Privacy Law (October 21, 2011)
A number of large US technology companies and civil liberties organizations are lobbying legislators to update the 25-year-old Electronic Communications Privacy Act. When the law was enacted in 1986, most people had never heard of email and mobile phones were largely the stuff of science fiction. In 1986, email was not kept on servers for long periods of time because users downloaded messages to their own computers, so email left on servers for more than six months was considered abandoned. Now email is stored in the cloud in vast quantities for long periods of time, but the law still considers the email that has been there for longer than six months to be "abandoned." If changes are not made, law enforcement officers will continue to have access to citizens' stored communications that are more than six months old without a warrant as long as they assert that the content is relevant to a criminal investigation. The law also allows law enforcement to access all files stored in the cloud for longer than six months without a warrant, even though cloud storage services, like Dropbox, did not exist in 1986. A federal appeals court last year ruled that email stored in the cloud for longer than six months still requires a warrant for access, but the ruling applies only to Kentucky, Michigan, Ohio and Tennessee. The ruling stated that "The Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish."
-http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-five/
[Editor's Note (Liston and Ranum):. The 4th amendment doesn't need to keep pace with technology; it was clear and unambiguous. The ambiguity was introduced as part of the slow process of circumventing it. ]


FCC Warns Retailers Against Selling Signal Jammers in US (October 24, 2011)
The US Federal Communications Commission (FCC) is warning online sellers to stop offering illegal signal-jamming devices. The devices in question jam Wi-Fi, GPS and cell phone signals and are illegal in the US. FCC Enforcement Bureau Chief Michele Ellison said, "Jamming devices pose significant risks to public safety and can have unintended and sometimes dangerous consequences for consumers and first responders." The devices are occasionally used in theaters, classrooms and churches. Retailers that receive multiple warnings from the FCC over the sale of such devices could face fines of more than US $100,000.
-http://www.computerworld.com/s/article/359439/FCC_to_Retailers_Stop_Selling_Phon
e_Jammers?taxonomyId=17



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/