SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #67
August 23, 2011
The NSA just released a useful guide called "Best Practices for Securing
Your Home Network" that goes beyond home networks and wireless to cover
email and traveling with mobile devices and more. It's worth making
copies and distributing to your co-workers and employees. What makes
it particularly useful is that it reflects the real-world knowledge of
the NSA Blue Teams and Red Teams. On the back page are references to
five additional guides: Social Networking, Defense Against Drive By
Downloads, Defense Against Malicious E-mail Attachments, Mac OSX 10.6
Hardening Tips, and Data Execution Prevention. You'll find it at the NSA
TOP OF THE NEWS
Flaws Found in AES
Firm Fined $50,000 For Collecting Children's Personal Information
German State Bans Agencies From Using Facebook 'Like' Button
UK Government to Meet With Social Network Providers
THE REST OF THE WEEK'S NEWS
British Man Arrested Over Repeated Attacks Against Facebook
Security Breach at Yale Exposes 43,000 People's Data
Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange
Investigation Exposes Unauthorized Internal Access at Immigration Agency
Audit Finds Holes in TSA Wireless Security
US Defense Contractor Breached by Anonymous and LulzSec
TOP OF THE NEWS
Flaws Found in AES (August 18, 2011)
Researchers at the Katholieke Universiteit Leuven in Belgium and Microsoft revealed they have found weaknesses in the Advanced Encryption Standard (AES). The AES encryption algorithm is widely used to secure online transactions and wireless networks. While the researchers claim the attack can recover an AES secret key four times faster than previously thought, they also highlight that the complexity of the attack means it is not currently practical. However, the research is significant in that a *possible* serious flaw in the AES algorithm has been identified, but not yet substantiated by the cryptographic community.
[Editor's Comment (Murray): Since no claim as to the strength of AES has ever been made, this is simply a mathematical claim that the work factor for discovering a key is about five times lower than a brute force attack. While this is a significant analysis, worthy of a paper, perhaps even a headline, an attack using this information, begun at the Big Bang, would not have completed yet. Kudos to the analysts.
(Northcutt): A practical related key attack on 10 rounds of AES was published in 2009. This is entirely new. When you find a flaw in a crypto algorithm many researchers jump in and try to improve on the attack. We should expect guidance from NIST to increase the number of rounds, currently 14:
[Editor's Note (Pescatore): The FTC just keeps chugging along, enforcing privacy and security regulations without needing new agencies, new laws, new committees. I'd like to see the GAO do one of their reports on this, lots of good lessons to be learned about how the FTC does it.
(Paller): I agree that the FTC is a model for effective government intervention without overburdening industry. But Pescatore's suggestion that a GAO report would be helpful is probably not correct. GAO would likely report that the FTC failed to look at every aspect of security in every company, that it didn't look at the business recovery plan documentation, and that it missed some weak passwords. In other words, it would find silly, irrelevant faults instead of clearly pointing out the effectiveness of the program that would help make security better. ]
German State Bans Agencies From Using Facebook 'Like' Button (August 19, 2011)
The German federal state of Schleswig-Holstein has issued a ban on state agencies using Facebook fan pages and has also ordered them to remove "like" buttons from their websites. The order comes after the Data Protection Commissioner for the state found that the use of Facebook fan pages and the "like" button leads to illegal profiling of individuals, contravening German and European privacy laws. The issue relates to how the data relating to fan page visits and the use of the like button are transferred outside of the EU to servers in the United States. State agencies have until the end of September to comply with the new requirements; if they fail to do so they could face fines. Facebook denies it is in breach of any German or EU privacy law.
[Editor's Note (Schultz): Expect this kind of story to become more commonplace in the near future. European privacy statutes and the openness that participation in social networking calls for are orthogonal. ]
UK Government to Meet With Social Network Providers (August 19, 2011)
Following the series of recent riots and other acts of civil unrest in England, the UK's Home Secretary has asked to meet with major social network providers. The meeting is due to take place on Thursday the 25th of August. Social networks came under scrutiny after it was discovered that individuals used them to organize riots and to incite others to riot. The UK's Prime Minister, David Cameron, created controversy when he said the UK government will look at ways of limiting access to social networking and messaging services in the event of any future civil disorder. Facebook has welcomed the opportunity to meet with the UK government to discuss the issues. Twitter and BlackBerry maker RIM have also confirmed attendance; the BlackBerry Messenger (BBM) service was reportedly widely used in organizing the riots. Meanwhile, an 18-year-old Scottish man has been arrested for comments allegedly made on a social networking site that incited others to riot.
[Editor's Note (Schultz): This issue is likely to not only become increasingly commonplace, but also to have more and more significance. Access to mobile devices and the content they deliver constitutes free speech, yet these devices are being increasingly used to stir up crowds (sometimes for the better, sometimes for the worse). ]
THE REST OF THE WEEK'S NEWS
British Man Arrested Over Repeated Attacks Against Facebook (August 18, 2011)
Glenn Steven Mangham, a 25-year-old student from York, England, was arrested on five charges under the UK Computer Misuse Act for allegedly trying to break into servers belonging to the Facebook social network. After appearing briefly before Judge Nicholas Evans in Westminster magistrates' court, Mangham was released on bail on condition that he surrenders any devices capable of accessing the Internet and does not use the Internet while the case is pending. Facebook says that none of its users' personal data was compromised in the alleged attacks and that "we have been working with Scotland Yard and the FBI as we take any attempt to hack our internal systems extremely seriously."
Security Breach at Yale Exposes 43,000 People's Data (August 18, 2011)
Yale University notified about 43,000 staff, students and alumni that their personal data, including their names and Social Security numbers, were publicly available on an FTP server. The breach occurred when the sensitive personal data stored on the FTP server became publicly available after Google made changes in September 2010 regarding how its search engine indexes and finds FTP servers. Yale personnel were not aware of this change and discovered the breach in June of this year. The breach impacts anyone affiliated with Yale University in 1999. Yale has "secured" the file and Google has confirmed it no longer stores the data.
[Editor's Note (Pescatore): I think if Google found the files, they were *always* publicly available and never secured properly. Not a good idea to rely on security through "Google said it won't do this." ]
Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange (August 19, 2011)
Police in Hong Kong arrested a 29-year-old man in relation to a series of Distributed Denial of Service attacks against the website of the Hong Kong stock exchange. The attacks resulted in the trading of shares in seven companies being halted. Companies that were impacted included the banking giant HSBC and Cathay Pacific Airlines. Hong Kong stock exchange representatives said that other systems were not affected.
[Editor's Note (Pescatore): We learned long ago that data centers without electricity were just big, expensive paperweights so we have uninterruptible power supplies. Data centers without Internet connectivity are big expensive paperweights that consume electricity - DDoS protection should have the same place in business continuity planning that UPSs have. ]
Investigation Exposes Unauthorized Internal Access at Immigration Agency (August 18, 2011)
An investigation has revealed numerous security breaches by internal personnel at the Bureau of U.S. Citizenship and Immigration Services. The investigation focused on the bureau's Texas Service Center and discovered security violations including abuse of system privileges, sabotage of audit logs and unauthorized access to managers' e-mail and other confidential documents. Investigators also found hacking tools installed on a number of computer systems.
Audit Finds Holes in TSA Wireless Security (August 22, 2011)
An audit of the systems at the headquarters of the Transportation Security Administration (TSA) by the Department of Homeland Security's Inspector General (IG) discovered a number of security weaknesses in its wireless networks. The audit found a number of high-risk vulnerabilities in Microsoft Windows XP laptops and the BlackBerry Enterprise Servers (BES) used to support BlackBerry devices. The audit also found that the TSA had not complied with the baseline configuration controls required by the DHS for wireless devices and systems, including issues "regarding the disabling of unused router interfaces and a disallowed service," and that there were "high-risk vulnerabilities involving patch and configuration controls." In response to the audit, the TSA said it has already implemented corrective measures for the issues raised.
US Defense Contractor Breached by Anonymous and LulzSec (August 19, 2011)
Individuals claiming to be part of Anonymous and LulzSec claimed to have breached the security of the computer systems of Vanguard Defense Industries, a US defense contractor that manufactures the unmanned ShadowHawk drones. In a posting to the Pastebin website, the groups claim to have published 1GB of confidential emails belonging to the Vanguard senior vice president Richard T Garcia. Garcia is also a board member of InfraGard and is a former assistant director of the Los Angeles FBI office. A spokesperson for Anonymous said "We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware we're coming for your mail spools, bash history files, and confidential documents."
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.