SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #77
September 25, 2012
THE U.S. NATIONAL HIGH SCHOOL CYBER COMPETITION
Know a talented high school student or a high school with talented kids?
Get them to sign up in the next two weeks for Cyber Foundations -
SANS-quality tutorials and then three quizzes where they will win
scholarships and recognition (from Governors and Senators) that will
help them stand out in the competition for college placement - like
sports stars. Information at
Virginia Governor's Cup: http://www.technology.virginia.gov/CyberChallenge/index.cfm
TOP OF THE NEWSFERC Establishes Cybersecurity Office
THE REST OF THE WEEK'S NEWSPolicy Limits Hotmail Passwords to 16 Characters
NZ Prime Minister Requests Inquiry Into Allegations of Unlawful Interception of Communications in Megaupload Case
Appeals Court Approves Facebook Beacon Settlement
Apple Issues OS X and Safari Updates
China Allegedly Launched Attacks on Japanese Sites Over Land Dispute
Majority of US Government Agencies Will Not Meet IPv6 Deadline
Iran Denies Responsibility for Attacks on US Bank Websites
Iran Blocks Google Services, Launches Domestic Internet Network
Facebook Suspends Use of Facial Recognition Tool in EU
Air Force Chief of Staff Says Pentagon Lacks Clear Instructions About Cybersecurity
Microsoft Patches Zero-Day IE Flaw and Flash Vulnerability in IE 10
******************** Sponsored By Palo Alto Networks ********************
The Palo Alto Networks Ignite Conference promises to be the network security event of the year - November 12-14, 2012 at the Las Vegas Wynn. Learn how to safely enable your business with over 30 educational sessions, user driven content, on-site CNSE certification, hands-on Expert Lab and networking opportunities with your peers. Learn more at:
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring.
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
--SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
--SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
--SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 6 courses.
--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
--SANS London 2012 London November 26-December 3, 2012 16 courses.
--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012 --Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
FERC Establishes Cybersecurity Office (September 20 & 24, 2012)The Federal Energy Regulatory Commission (FERC) has established a new office that is focused on the cybersecurity and possible physical threats to energy facilities. The Office of Energy Infrastructure Security (OEIS) will aid FERC by identifying and developing solutions to cyber and physical risks to the facilities. OEIS will also "offer assistance, expertise, and advice to other federal and state agencies, jurisdictional utilities, and Congress." The office will coordinate with other agencies and industry representatives, and "will conduct outreach with private sector owners, users, and operators of the energy delivery systems."
************************* Sponsored Links: ********************
1) Active Forensics: Continuous Network Monitoring for In-Progress Attacks. White paper on detecting in-progress cyber attacks. http://www.sans.org/info/113832
2) SANS Analyst Webcast: Peek into Oracle Identity Governance Solutions reviewed by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, at a SPECIAL TIME of 9 am Pacific/12 Noon Eastern.
THE REST OF THE WEEK'S NEWS
Policy Limits Hotmail Passwords to 16 Characters (September 24, 2012)It has recently been revealed that unbeknownst to most Hotmail users, their account passwords have been limited to 16 characters, regardless of whether or not they have chosen longer passwords. A security researcher recently received an error message when he typed in his 30-character Hotmail password; he had never before received the message, and was able to access his account by entering just the first 16 characters of the password. Kaspersky Lab's Costin Raiu wrote that "To pull off this trick with older passwords, Microsoft has two choices: Store fill plaintext passwords in their
[database and ]
compare the first 16
only, or calculate the hash only on the first 16
ignore the rest. A Microsoft representative has acknowledged that "16 characters has been the limit for years now," and noted that "uniqueness is more important than length."
[Editor's Note (Ullrich): Sad... one simple way for users to memorize unique password is the use of "pass phrases". Maybe Microsoft should consider two factor authentication like its competitor GMail. But usually, limiting the password length to 16 characters is not a result of only hashing the first 16 characters. Instead, it is usually a good indicator that the passwords are stored in the clear. ]
NZ Prime Minister Requests Inquiry Into Allegations of Unlawful Interception of Communications in Megaupload Case (September 23 & 24, 2012)New Zealand Prime Minister John Key says that certain communications regarding Kim Dotcom were obtained "without statutory authority," prompting Mr. Key to request an inquiry into "circumstances of unlawful interception of communications of certain individuals." The investigation will look at allegations of unlawful interception of communications of Dotcom and other Megaupload employees by New Zealand's Government Communications Security Bureau (GCSB). US authorities appear to be fighting an uphill battle in efforts to extradite Dotcom, CEO of Megaupload. Earlier this year, a New Zealand court ruled that a warrant used in a raid on Dotcom's residence was illegal, and has also said that Dotcom should be permitted to view evidence the US has on which to base the extradition hearing.
Appeals Court Approves Facebook Beacon Settlement (September 21, 2012)In a split decision, a US federal appeals court has approved a US $9.5 million settlement in a class action lawsuit brought against Facebook over its Beacon program, which kept track of and posted information about what users purchased from Blockbuster, Overstock, and other sites. The lawsuit alleged that Beacon violated federal wiretap and video rental privacy laws. Under the terms of the settlement, Facebook admits to no wrongdoing, but does agree to put money in a so-called digital trust fund, which would provide grants to organizations studying online privacy issues. Some of those being represented by the lawsuit maintained that the award was too small and that Facebook should not have a seat on the board of the digital trust fund. In a separate case involving Facebook's "Sponsored Stories" feature, a US District Court judge in San Francisco rejected a settlement that would have had Facebook pay US $10 million to charity and US $10 million to cover attorneys' costs. He is the judge who approved the Beacon settlement.
Apple Issues OS X and Safari Updates (September 21, 2012)Apple has issued updates for Mac OS X 10.6, 10.7 and 10.8. The updates, Mac OS X 10.7.5 and 10.8.2, and Security Update 2012-004 for Mac OS X 10.6.8, address a number of issues, including information disclosure vulnerabilities, denial-of-service problems, memory corruption flaws, and buffer overflow vulnerabilities. The updates include new versions of Apache, BIND DNS server, PHP, International Components for Unicode, QuickTime media player, and other components. The update for Mac OS X 7 includes Gatekeeper, a feature present on OSX 8 that rejects applications that have not been signed with valid Apple-issued Developer IDs. The setting can be changed. Apple has also updated its Safari browser to version 6.0.1 to address a number of information disclosure flaws.
China Allegedly Launched Attacks on Japanese Sites Over Land Dispute (September 20 & 21, 2012)Chinese hackers have apparently launched attacks on Japanese websites, prompted by a dispute over Japan's purchase of the Senkaku or Diaoyu Islands earlier this month from private owners. The distributed denial-of-service (DDoS) attacks have targeted Japanese government and university websites as well as those of some banks and utilities. Some sites were defaced. An editorial in one Chinese newspaper claimed that the Senkaku Islands "have belonged to China since ancient times."
Majority of US Government Agencies Will Not Meet IPv6 Deadline (September 20 & 24, 2012)Statistics from the National Institute of Standards and Technology (NIST) indicate that more than half of US government agencies have not yet made the transition to IPv6; the deadline for enabling the new protocol on public-facing websites and other services in September 30, 2012. The deadline for internal networks and applications is September 30, 2014. Nearly 60 percent of 1,517 government domains tested earlier this month showed no progress in transitioning to IPv6. Thirty-four percent showed some progress, and just eight percent had IPv6 operational.
[Editor's Note (Ullrich): Many US government agencies don't see an urgent need to adopt IPv6 due to the large number of unused IPv4 allocations available to these agencies. What is however often overlooked is that this is a great opportunity to lead and stimulate IPv6 adoption in the private sector. US networks complacent about IPv6 adoption may soon become disconnected legacy network islands connected to legacy customers missing out on new opportunities like emerging mobile network technologies. ]
Iran Denies Responsibility for Attacks on US Bank Websites (September 21 & 24, 2012)Iran has refuted allegations that it is behind cyberattacks on US banks. Websites of Citigroup, Bank of America, and JP Morgan Chase were hit with DDoS attacks. They were allegedly launched to retaliate for sanctions imposed that were aimed at thwarting Iran's nuclear program.
Iran Blocks Google Services, Launches Domestic Internet Network (September 24, 2012)The Iranian government has started blocking Google services in that country. Iran also has begun its launch of a "national information network." Facebook and Twitter are already blocked as are sites that express anti-government points of view. A government deputy minister has said that the government will limit citizens to a "domestic Internet network." In this situation, virtual private networks (VPNs) will not be effective.
Facebook Suspends Use of Facial Recognition Tool in EU (September 21 & 24, 2012)Facebook has suspended the use of its facial recognition tool in Europe. The feature suggests users who could be tagged in photographs posted to the site. Facebook says that the feature has been turned off for new EU users and that "templates for existing users will be deleted by 15 October." The decision was made in response to recommendations from the Irish Data Protection Commissioner. In addition, Germany has demanded that Facebook disable the service and destroy its associated database.
Air Force Chief of Staff Says Pentagon Lacks Clear Instructions About Cybersecurity (September 21, 2012)US Air Force chief of staff General Mark Welsh is concerned that the Pentagon is planning cybersecurity spending without having "a coordinated plan on how defense agencies should deal with threats to sensitive networks." General Welsh said that he does not know of a clearly delineated set of requirements from US Cyber Command about the type of expertise in which they need to be training employees. He also said that he has not received clear rules of engagement. He's called the approach to cybersecurity a "black hole."
Microsoft Patches Zero-Day IE Flaw and Flash Vulnerability in IE 10 (September 21, 22, & 24, 2012)Microsoft has issued a patch to fix a zero-day flaw in Internet Explorer (IE) that is being actively exploited. The flaw in question affects IE 6, 7, 8, and 9 on nearly every Windows operating system; it does not affect IE 10 or certain versions of Windows Server. The patch addresses a total of five remote code execution vulnerabilities; the other four flaws had not yet been disclosed. Microsoft has released a separate patch to address problems in the Flash Player component of IE 10 running on Windows 8 and Windows Server 2012.
Fix for Flash Issue in IE 10:
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/