Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #75

September 20, 2011


NEWS FLASH: SSL/TLS Compromised. BEAST (Browser Exploit Against SSL/TLS)
will be fully detailed later this week in Argentina.
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

If your home is in DC/Maryland/Virginia, and you didn't get this
morning's email inviting you to Thursday's breakfast (where four senior
folks from DoD will share the lessons they have learned implementing
game changers for fighting back against targeted attacks and APT), that
means your surface mail address in SANS database is wrong.

Every subscriber, everywhere, whose surface mail address is wrong in
SANS database misses invitations to cool things going on in their area
and should update their address, but today there is an even better
reason for everyone around the US and Europe to update your address: The
new SANS Poster coming out in 75 days is the most important one we have
done in 4 years on both APT defense and on the new security careers. It
will be mailed by surface post in the US and Europe. Please update your
address today at the https://portal portal.sans.org
Alan

PS Thursday's breakfast is now full, but you can get more in-depth
stories of all three game changers at the National Cybersecurity
Innovation Conference on Oct 11-12 across from the Pentagon.
http://www.sans.org/ncic-2011/

TOP OF THE NEWS

DigiNotar Barred From Issuing Qualified Certificates; Existing Signatures Invalidated
More SCADA Flaws Disclosed
National Lab CIO Talks About Lessons Learned From Zero-Day Attack
Appeals Court Reinstates Hefty Filesharing Verdict Against Joel Tenenbaum
Filesharing Verdict Against Joel Tenenbaum

THE REST OF THE WEEK'S NEWS

DoD Plans to Expand Cyber Threat Information Sharing Program
Microsoft Updates Patch That Blocks DigiNotar Certificates
Sony's New TOS Agreement Limits Users to Binding Arbitration
Oracle PatchesVulnerability in HTTP Server
75-Month Prison Sentence for Fraud
Ethiopian Journalist Fled Country After Being Identified in Leaked Cable


*********************** Sponsored By MANDIANT **********************

Want to keep up with all things MANDIANT? Follow us on Twitter via @mandiant http://www.sans.org/info/87209. You'll get info on our events, webinars and more!

**************************************************************************

TRAINING UPDATE

-- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************

TOP OF THE NEWS

DigiNotar Barred From Issuing Qualified Certificates; Existing Signatures Invalidated (September 15 & 16, 2011)

Dutch certificate authority DigiNotar can no longer issue qualified certificates and must revoke those that have already been issued. OPTA, the Dutch telecommunications regulator, issued the instructions, saying that certificates issued by DigiNotar, which suffered a security breach earlier this summer, cannot "be guaranteed to be trustworthy." The attackers appear to have issued more than 500 fraudulent certificates, most of which were server certificates. The ban affects about 4,200 qualified certificates, which are used for digital signatures. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11590
-http://www.h-online.com/security/news/item/Telecommunications-regulator-bars-Dig
iNotar-from-issuing-certificates-1344786.html

-http://www.net-security.org/secworld.php?id=11629
[Editor's Note (Honan): DigiNotar has now filed for bankruptcy. A prime example of the cost of poor security.
-http://www.net-security.org/secworld.php?id=11652]

More SCADA Flaws Disclosed (September 16 & 19, 2011)

An Italian researcher has disclosed 13 vulnerabilities in a variety of supervisory control and data acquisition (SCADA) products. The same man, Luigi Auriemma, disclosed 34 flaws in SCADA products in March. The US Department of Homeland Security (DHS) has released security advisories in response to the latest set of flaws, which was released with proof-of-concept exploit code.
-http://www.computerworld.com/s/article/9220099/Researcher_discloses_zero_day_fla
ws_in_SCADA_systems?taxonomyId=17

-http://www.h-online.com/security/news/item/More-vulnerabilities-found-in-SCADA-s
ystems-1345820.html

-http://www.v3.co.uk/v3-uk/security-watchdog-blog/2110153/zero-day-scada-flaws-di
scovery-raises-spectre-stuxnet

-http://www.darkreading.com/blog/231601549/0-day-scada-exploits-released-publicly
-exposed-servers-at-risk.html

National Lab CIO Talks About Lessons Learned From Zero-Day Attack (September 19, 2011)

In July, Pacific Northwest National Laboratory (PNNL) was the target of two cyber attacks that prompted the lab to remove its network from the Internet to avoid further damage. PNNL CIO Jerry Johnson spoke about the attacks at a conference in California earlier this month and shared a list of seven lessons gleaned from his experience: multi-level security environments are dangerous; purge legacy technologies; monitor cyber security events 24/7; maintain a core forensics capability; include a senior project manager in the response team; know who to call for help and don't wait to make the call; and have an emergency communications continuity plan.
-http://www.informationweek.com/news/security/attacks/231601692

Appeals Court Reinstates Hefty Filesharing Verdict Against Joel Tenenbaum (September 16 & 18, 2011)

The 1st US Circuit Court of appeals has reinstated a US $675,000 illegal filesharing verdict against Joel Tenenbaum. A jury in the original case awarded the large verdict, but the judge in the case found the amount "unconstitutionally excessive" and reduced it to US $67,500. The verdict was for making 30 songs available over a peer-to-peer filesharing network. The Appeals Court said that US District Judge Nancy Gertner should have reduced the verdict under "remittitur." The plaintiffs could accept the remittitur or receive a new trial. The Appeal Court noted that their decision was procedurally appropriate, but added that, "This case raises concerns about application of the Copyright Act which Congress may wish to examine."
-http://www.wired.com/threatlevel/2011/09/file-sharing-verdict-reinstated/
-http://arstechnica.com/tech-policy/news/2011/09/joel-tenenbaum-owes-the-riaa-675
000again.ars

[Editor's Note (Schultz): Major credit goes to anyone who understands the wording in this ruling.]


*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/87214

2) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. http://www.sans.org/info/87219

3) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST: http://www.sans.org/info/87224

****************************************************************************

THE REST OF THE WEEK'S NEWS

DoD Plans to Expand Cyber Threat Information Sharing Program (September 19, 2011)

The US Department of Defense expects to expand a pilot cyber threat information sharing program that included about 20 companies "from the defense industrial base." The test program successfully thwarted hundreds of attacks at those organizations between May 9 and September 15. DoD plans to expand the number of organizations participating in the program and make the program permanent.
-http://www.nextgov.com/nextgov/ng_20110919_6730.php?oref=topnews

Microsoft Updates Patch That Blocks DigiNotar Certificates (September 19, 2011)

Microsoft has released a new version of an update for Windows XP and Windows Server 2003 to more thoroughly address the risks posed by DigiNotar certificates. Users who do not have Automatic Updates activated may not have been adequately protected prior to the re-release of KB2616676, which "revokes the trust of
[a specific list of ]
DigiNotar root certificates." Internet Storm Center:
-https://isc.sans.edu/diary/MS+Security+Advisory+Update+-+Fraudulent+DigiNotar+Ce
rtificates/11608

-http://support.microsoft.com/kb/2616676
-http://www.computerworld.com/s/article/9220121/Microsoft_fixes_SSL_kill_switch_b
looper?taxonomyId=17

-http://securitywatch.pcmag.com/hacking/287958-one-more-diginotar-related-windows
-update-for-xp-and-server-2003

Sony's New TOS Agreement Limits Users to Binding Arbitration (September 16 & 19, 2011)

Sony has amended its terms of service (TOS) and user agreement so that users no longer have the right to file class-action lawsuits against the company. Sony was the target of numerous lawsuits following a series of data security breaches that compromised the personal information of more than 100 million online gaming and media accounts. According to the revised TOS agreement, users must pursue binding arbitration, presided over by someone Sony chooses. Users may file lawsuits only when arbitration is unable to resolve the issue in a timely manner. Sony users must agree to the terms before signing on to their online accounts. They have 30 days to opt out of the agreement by sending a paper letter to Sony.
-http://www.bbc.co.uk/news/technology-14948701
-http://www.theregister.co.uk/2011/09/16/sony_bars_class_action_suits/
-http://www.wired.com/threatlevel/2011/09/sony-terms-of-service-hack/
Updated TOS (21 pages):
-http://www.wired.com/images_blogs/threatlevel/2011/09/Sony-PSN-TERMS_OF_SERVICE_
AGREEMENT.pdf

Oracle Patches Vulnerability in HTTP Server (September 16, 2011)

Oracle has issued an out-of-cycle patch for a flaw in its HTTP Server products that could be exploited to crash vulnerable servers. The flaw affects products based on Apache 2.0 and 2.2. Oracle is scheduled to release its next quarterly patch update on October 18, but decided to fix this vulnerability ahead of time because of its "criticality ... and ease of exploitation." The vulnerability was first disclosed on the Full Disclosure mailing list on August 31. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11602

-http://www.scmagazineus.com/oracle-patches-apache-killer-flaw-in-http-server/art
icle/212181/

75-Month Prison Sentence for Fraud (September 16, 2011)

Rene Quimby has been sentenced to more than six years in prison for harvesting personal information belonging to US service members through peer-to-peer (P2P) networks and using it to commit fraud. Quimby pleaded guilty to charges of fraud and identity theft in May. He stole information from the Army and Air Force Exchange Services (AAFES), which operates retail stores on US military bases. In a file he downloaded through a P2P network, he found a service member's AAFES account username and password. He then found a database of members' account information, and with the help of some social engineering, was able to obtain enough information to use the accounts to make purchases. Quimby had the items sent to addresses other than his own, and then sold the merchandise. He was also ordered to pay more than US $210,000 in restitution.
-http://www.computerworld.com/s/article/9220078/Man_stole_data_from_U.S._service_
members_via_P2P?taxonomyId=17

Ethiopian Journalist Fled Country After Being Identified in Leaked Cable (September 15, 2011)

As a consequence of the leaked US State department cables, an Ethiopian journalist fled the country rather than accede to demands from police there to divulge one of his sources. After finding Argaw Ashine's name mentioned in one of the leaked and unredacted WikiLeaks cables, Ethiopian government authorities interrogated him, demanding that he reveal the identity of one of his sources. The source mentioned in the document had allegedly told Ashine that the Ethiopian government planned to charge journalists under anti-terrorism laws. Ashine was given 24 hours to comply with the government's demands; instead, he fled the country.
-http://www.wired.com/threatlevel/2011/09/ethiopian-journalist-flees/
-http://www.cpj.org/2011/09/ethiopian-journalist-idd-in-wikileaks-cable-flees.php


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/