Last Day to Save $250 on SANS Chicago 2014

SANS NewsBites - Volume: XIV, Issue: 86

*************************************************************************
SANS NewsBites                     October 26, 2012                    Volume: XIV, Issue: 86
*************************************************************************
TOP OF THE NEWS

  Judge Dismisses Most of Plaintiffs' Arguments in Complaint Over Sony PSN Breach
  FTC Settles With Web Analytics Company Over Improper Harvesting and Use of User Data

THE REST OF THE WEEK'S NEWS

  US Copyright Office Rules on DMCA Exemptions
  CERT Urges Organizations to Replace eMail Signing Keys Smaller Than 1,024 Bits
  Huawei Provides Australian Government with Complete Access to Source Code and Hardware
  Barnes & Noble Removes PIN Pads After Learning of Breach
  Facebook Donates Funds Seized From Spammers to Cybercrime Research Facility
  Adobe Updates Shockwave
  Privacy Rights Groups Wary of Copyright Alert System
  Megaupload Customer Seeking to Have Documents Related to January Raid Unsealed

CONTROL SYSTEMS SECURITY STORIES

  Offense has the advantage - if you make it your political priority


****************************************************************************
TRAINING UPDATE
--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

--SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Johannesburg, Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Judge Dismisses Most of Plaintiffs' Arguments in Complaint Over Sony PSN Breach (October 23 & 24, 2012)
A US District Court judge in California has dismissed the bulk of a class-action complaint brought against Sony over the April 2011 PlayStation Network (PSN) data security breach that affected more than 75 million customer accounts. The lawsuit sought restitution for lost access to Netflix and other paid services while PSN was down for more than a month. Judge Anthony J. Battaglia noted that Sony's terms of service state that "no warranty is given about the quality, functionality, availability, or performance of Sony Online Services, or any content or service offered on or through Sony Online Services," and that PSN's privacy policy states that "there is no such thing as perfect security
[and that Sony ]
cannot ensure or warrant the security of any information transmitted" to the company through PSN. Plaintiffs have until November 9, 2012, to amend and resubmit their complaints.
-http://arstechnica.com/gaming/2012/10/judge-sony-didnt-promise-perfect-security-
isnt-liable-for-psn-hack/

-http://www.scmagazine.com/judge-dismisses-brunt-of-sony-breach-lawsuit/article/2
65026/

-http://news.cnet.com/8301-1023_3-57538716-93/sony-psn-hacking-lawsuit-dismissed-
by-judge/

[Editor's Note (Pescatore): Since software still really can't be considered an engineering discipline, software does not come with a warrantee and systems built from software don't either. However, there are still due diligence standards for commercial enterprises when they take customer's money, there are "attractive nuisance" kinds of liability approaches, etc. I'm sure class action suit lawyers will continue to cause Sony to be paying millions to defense lawyers - further increasing the vast amount more this incident will cost them than it would have ever cost to be secure enough (even if not "perfect") in the first place. ]


FTC Settles With Web Analytics Company Over Improper Harvesting and Use of User Data (October 22 & 23, 2012)
The US Federal Trade Commission (FTC) has reached a settlement with web analytics company Compete over allegations that it collected consumers' private information without permission. Compete gathers browsing behavior data and uses it to create reports which it then sells to clients. The complaint also alleged that the data, which included financial account information and Social Security numbers (SSNs), were not adequately protected. The FTC said that Compete's claims that it was interested only in which sites were visited and that personally identifiable information would be removed were "false and deceptive." Compete has agreed to obtain explicit consent from users before gathering browsing data. It will also delete or remove identifying information from the data it has already collected. The company will provide users with directions for removing its software from their computers.
-http://www.theregister.co.uk/2012/10/23/web_tracker_settles_with_ftc/
-http://arstechnica.com/tech-policy/2012/10/web-tracking-firm-settles-charges-it-
collected-passwords-financial-data/

-http://www.ftc.gov/opa/2012/10/compete.shtm



*************************** Sponsored Links: ******************************
1) Take the SANS Application Security Survey and be entered to win a $300 American Express Card! http://www.sans.org/info/115795
2) SANS Webcast: Why Deception Matters in Today's Web Attacks. With John Bumgarner & David Koretz. Nov 8, 2012. http://www.sans.org/info/115800
3) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/115805
****************************************************************************

THE REST OF THE WEEK'S NEWS

US Copyright Office Rules on DMCA Exemptions (October 25, 2012)
Every three years, the US Copyright Office entertains requests for exceptions to the Digital Millennium Copyright Act (DMCA). Those that are granted are valid for three years. Earlier this week, the US Copyright Office rejected proposals that would have legalized people copying their DVDs for personal use and jailbreaking gaming consoles so that they can run software other than that provided by the manufacturer. The group did renew its approval for jailbreaking smartphones, but denied the same permission for tablet devices.
-http://www.wired.com/threatlevel/2012/10/dmca-exemptions-rejected/
-http://arstechnica.com/tech-policy/2012/10/jailbreaking-now-legal-under-dmca-for
-smartphones-but-not-tablets/

[Editor's Note (Pescatore): Good example of how laws that try to directly address technology almost invariably end up in hopeless messes. Soon there could be a DMCA ruling that it is OK to "jailbreak" the computer in my station wagon but not in my pickup truck. ]


CERT Urges Organizations to Replace eMail Signing Keys Smaller Than 1,024 Bits (October 24 & 25, 2012)
Several prominent companies have fixed a cryptographic security issue in their email systems that allowed attackers to create spoofed messages. The issue lies in DomainKeys Identified Mail (DKIM) keys of less than 1,024 bits. DKIM provides digital signatures for email that verifies the domain name through which it is sent. Microsoft, Yahoo, and Google have all addressed the issue in their systems. US-CERT has issued a vulnerability note about the problem that recommends replacing all RSA signing keys with fewer than 1,024 bits.
-http://www.zdnet.com/google-yahoo-and-microsoft-fix-email-security-flaw-70000063
79/

-http://www.computerworld.com/s/article/9232876/Google_Microsoft_and_Yahoo_fix_se
rious_email_weakness?taxonomyId=245

-http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
-http://www.theregister.co.uk/2012/10/24/uscert_dkim_spoofing_flaw/
US-CERT Vulnerability Note:
-http://www.kb.cert.org/vuls/id/268267
[Editor's Note (Murray): Crypto is the one security mechanism that is stronger than we need for it to be. Code signing keys may have a very long life, so strength is more important. E-mail has a short life and few rely heavily on the cryptographic signing. Moreover, such attacks as we see are against the systems protecting the keys, not the keys themselves. Short e-mail signing keys are a vulnerability without a threat. While the fix is cheap, there is no urgency.]


Huawei Provides Australian Government with Complete Access to Source Code and Hardware (October 24, 2012)
Chinese technology company Huawei is giving the Australian government "complete and unrestricted access" to its source code and hardware in the hope of quelling concerns that its products contain backdoors and other hidden features. Australia excluded Huawei from bidding on providing equipment for the country's national broadband network. While Huawei has provided equipment for the UK's national broadband networks, the company is facing a more hostile environment in the US: a Congressional report urged US companies to refrain from using Huawei and ZTE products due to concerns that the companies may have close ties with the Chinese government.
-http://afr.com/p/technology/huawei_calls_for_cyber_checks_Ou5n2zX1vtxO0fRolDZ9NJ
-http://www.nextgov.com/cybersecurity/2012/10/huawei-offers-australian-government
-unrestricted-access-gear-software-code/58979/?oref=ng-channelriver

-http://arstechnica.com/tech-policy/2012/10/huawei-worried-about-cyber-espionage-
backdoors-you-can-look-at-our-code/

-http://www.bbc.co.uk/news/business-20053511
-http://news.cnet.com/8301-1009_3-57538843-83/huawei-offers-australia-unrestricte
d-access-to-hardware-source-code/

-http://www.h-online.com/security/news/item/Huawei-offers-Australia-source-code-a
ccess-1735921.html



Barnes & Noble Removes PIN Pads After Learning of Breach (October 24, 2012)
Barnes & Noble has removed PIN pads from all of its US stores after learning that more than 60 of the devices in eight states showed evidence of tampering. Customers who have used debit cards on the PIN pads in the stores are urged to change their numbers. Customers who used credit cards should check their statements for unauthorized transactions. The breach was detected in September, and affected just one PIN pad in each of 63 stores. The attackers had placed code on the point-of-sale (POS) devices to harvest the data.
-http://www.computerworld.com/s/article/9232837/Barnes_Noble_halts_use_of_PIN_pad
_devices_after_data_breach?taxonomyId=82

-http://www.wired.com/threatlevel/2012/10/barnes-and-noble-pos-hack/
[Editor's Note (Murray): Proper operation of POS devices will not compensate for the fundamental vulnerability that mag-stripe and PIN is vulnerable to replay in the point-of-sale application.]


Facebook Donates Funds Seized From Spammers to Cybercrime Research Facility (October 24, 2012)
Facebook has donated US $250,000 seized from spammers to an academic organization focused on fighting cybercrime. The University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research will use the funds to expand its facility. The Center has helped researchers with the Koobface and DNSChanger attacks.
-http://www.theregister.co.uk/2012/10/24/facebook_uab_research_donation/


Adobe Updates Shockwave (October 23 & 24, 2012)
Adobe has released an updated version of Shockwave to address half a dozen critical security issues. Five of the flaws are buffer overflows; the sixth is an out-of-bounds array vulnerability. Updates are available for Windows and Mac operating systems; users are urged to update to version 11.6.8.638. Journalist Brian Krebs recommends that users check to see if Shockwave is even installed on their computers; if it is not, the update page will prompt users to download Shockwave, but if users have been living without it, they probably don't need it. Krebs also recommends that if users do choose to download Shockwave, they should look carefully for pre-checked extras.
-http://www.theregister.co.uk/2012/10/24/adobe_shockwave_update/
-http://www.computerworld.com/s/article/9232827/Adobe_patches_six_critical_flaws_
in_Shockwave_Player?taxonomyId=244

-http://krebsonsecurity.com/2012/10/adobe-ships-critical-fixes-for-shockwave-play
er/

-http://www.h-online.com/security/news/item/Adobe-fixes-critical-Shockwave-vulner
abilities-1735371.html



Privacy Rights Groups Wary of Copyright Alert System (October 23 & 24, 2012)
Privacy rights groups plan to keep a close eye on a new system that will have US Internet service providers (ISPs) warning customers whose activity is believed to be violating copyright law. The Copyright Alert System (CAS) does not provide for cutting off users' Internet access as a consequence of illegal filesharing, but throttling Internet speeds is a possibility. Time Warner Cable, one of the participating ISPs, said that it might temporarily suspend customers' accounts as part of its implementation of CAS. Content owners will be responsible for monitoring filesharing networks to identify alleged illegal filesharers. If CAS is true to its stated purpose of educating users, then it could be a good thing, but there are concerns that it could turn into a system to punish users.
-http://www.computerworld.com/s/article/9232779/Rights_groups_wary_as_ISPs_roll_o
ut_Copyright_Alert_System?taxonomyId=84

-http://www.cnn.com/2012/10/18/tech/web/copyright-alert-system/index.html
-http://www.scmagazine.com/isps-can-slow-or-suspend-web-use-under-anti-piracy-pro
gram/article/264734/

[Editor's Note (Murray): A business model that transfers the cost of its security to its customers and third parties, is fundamentally broken.]


Megaupload Customer Seeking to Have Documents Related to January Raid Unsealed (October 23, 2012)
Kyle Goodwin, an Ohio man who has been unable to access his legitimate files on Megaupload's seized servers, is asking a federal judge in Virginia to unseal documents, including search warrants, related to the January 2012 raid that resulted in the servers' seizure. The Electronic Frontier Foundation (EFF), which is representing Goodwin, says Goodwin needs the records to establish his case for the return of the content stored on the servers.
-http://arstechnica.com/tech-policy/2012/10/innocent-megaupload-user-asks-court-t
o-release-secret-raid-documents/

-https://www.eff.org/sites/default/files/filenode/Motion_to_Unseal_FINAL.pdf
[Editor's Note (Honan): Mr Goodwin's unfortunate experience should serve as a lesson to any business moving their data or systems into the cloud. When migrating to the cloud make sure you update your business continuity plan to take into account the scenario where you cloud provider is no longer available due to system failure, going out of business or suffering a disaster themselves. ]


CONTROL SYSTEMS SECURITY STORIES

CONTROL SYSTEMS SECURITY STORIES
Offense has the advantage - if you make it your political priority. Langner persuasively points out that U.S. cyber capabilities are heavily weighted towards offense, and not so subtly fingers this strategy as ill-founded for protecting critical infrastructure. A national strategy that favors the O-side is exactly what asymmetric actors want to see.
-http://www.langner.com/en/2012/10/17/offense-has-the-advantage-%E2%80%93-if-you-
make-it-your-political-priority/

[Editor's Note (Assante): Cyber defense investments are a large part of the USG overall spending on cyber. ICS security programs sponsored by DHS and DOE are important contributors to progress, but the real investment needs to occur at the ICS owner-level. The focus of our collective investments matter and Ralph points out the need for skilled people. We are holding the 8th annual SANS SCADA and Process Control Security Summit this February in Orlando with the goal of equipping more cybersecurity professionals and engineers to defend ICS. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/