Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 13 Num. 24 : SSL Security Breached

  • From: The SANS Institute
  • Date: Fri Mar 25 14:45:18 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**************************************************************************
SANS NewsBites                March 25, 2011             Vol. 13, Num. 024
**************************************************************************
TOP OF THE NEWS    
  SSL Security Compromised
  Managing Effects of RSA SecurID Breach
  Attack Code Targets SCADA Systems
THE REST OF THE WEEK'S NEWS 
    European Commission Targeted in Cyber Attack
    Facebook Traffic on AT&T Servers Detoured Through China
    Possible Explanation for Gmail Troubles in China
    Mozilla Releases Firefox 4
    Senator Wants Clarity on US Government's Authority to Track Mobile Data
    Apple Issues OS X Security Updates
    Former Student Pleads Guilty in Grade Hacking Case
    Two-Year Sentence for Stealing Virtual Gaming Chips
***************************************************************** 
TRAINING UPDATE
 -- The National Cybersecurity Innovation Conference,
April 18-19, 2011
User-to-user conference featuring outstanding examples of continuous
monitoring and security in the cloud.
http://www.sans.org/cyber-security-innovations-2011/
 -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses.  Bonus evening presentations include Cyberwar or Business
as Usual?  The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/
 -- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
Investigation http://www.sans.org/security-west-2011/
 -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney,
Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/
 -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.  http://www.sans.org/cyber-guardian-2011/
 -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
 -- Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current Plus Barcelona,
Amsterdam, Brisbane and London all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************  Sponsored by Tripwire, Inc. *************************

New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths,
May 17, 1PM EDT Learn what holds organizations back from implementing
continuous monitoring and where to get started. Featuring Eugene E.
Schultz and Steve Johnston.

http://www.sans.org/info/73838

****************************************************************************
TOP OF THE NEWS
 --SSL Security Compromised 
(March 23, 2011)
Attackers compromised a partner of SSL certificate authority, Comodo and
issued themselves fraudulent SSL certificates.  The certificates vouch
for a site's authenticity, and would have allowed the thieves to set up
sites that fool visitors into believing they have reached major Internet
presences, like Google, Microsoft and Skype.  Comodo has revoked the
stolen certificates.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10603
http://isc.sans.edu/diary.html?storyid=10600
http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/
http://news.cnet.com/8301-31921_3-20046588-281.html 
[Editor's Note (Pescatore): The SSL certificate industry has long needed
to invest in stronger external review of registration processes, as
proven by this incident and others before it.
(Ullrich): SSL is based on trust. However, in a race to the bottom on
pricing, certificate authorities no longer are able to rally the
resources to sufficiently secure the SSL infrastructure they manage. It
is sad that all it took to compromise the system was a single password,
not two factor authentication. This comes just at a time when we finally
see large sites like Facebook, Google, Microsoft and Twitter
implementing site-wide SSL as an option.]

 --Managing Effects of RSA SecurID Breach
(March 23, 2011)
A Department of Homeland Security (DHS) spokesperson said that DHS is
working with RSA to secure networks accessible through that company's
SecurID two-factor authentication technology, following RSA's disclosure
of a security breach that compromised "certain information" about
SecurID.   RSA has contracts with numerous federal government agencies.
RSA has published a bulletin detailing what steps companies can take to
protect their information.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10564
http://www.washingtonpost.com/world/us_agencies_respond_to_cyberattack_on_information_security_firm/2011/03/23/ABDhjoKB_story.html?wprss=rss_homepage
[Editor's Note: (Paller): One of the largest defense contractors has
stopped the use of RSA tokens by its senior staff.  They replaced the
tokens with another manufacturer's solution. I asked whether the move
had been planned for a long time. The answer was, "No. We did it because
of the breach."]

 --Attack Code Targets SCADA Systems
(March 22 & 23, 2011)
The US Computer Emergency Readiness Team (US-CERT) has issued four
alerts regarding a series of vulnerabilities in Supervisory Control and
Data Acquisition (SCADA) software widely used in industrial facilities.
The affected systems are made by Siemens, Iconics, 7-Technologies and
DATAC.  All of the products have flaws that are remotely exploitable.
Exploit code for 34 flaws in a variety of SCADA systems has been
released.  Experts examining the code say the vulnerabilities could be
exploited to crash systems or steal data because they target operator
viewing platforms.  Nonetheless, gaining a foothold in the systems could
allow attacker to probe further and potentially access the parts of the
system that affect critical processes.
http://www.theregister.co.uk/2011/03/22/scada_exploits_released/
http://www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S._government_warning?taxonomyId=17
http://news.cnet.com/8301-27080_3-20045926-245.html
http://www.wired.com/threatlevel/2011/03/scada-vulnerabilities/
http://www.msnbc.msn.com/id/42237805/ns/technology_and_science-security/
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-01.pdf
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-03.pdf
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf

***************************  Sponsored Link:  ******************************

1) Interested in being part of the solution to fill the critical gap in
the nation's cyber security workforce?  Sponsor a student scholarship
for the next round of the next Cyber Quests (http://uscc.cyberquests.org/)
competition starting April 18th.  For more information on how you can
help, contact Renee N. McLaughlin at renee.mclaughlin@xxxxxxxxxxxxxx.

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --European Commission Targeted in Cyber Attack
(March 23 & 24, 2011)
The European Commission says that its network and that of the European
External Action Service were broken into shortly before a summit of EU
leaders in Brussels to discuss military action in Libya, the debt crisis
and nuclear safety issues.  Staff members were notified that they could
no longer remotely access their email.  A number of EU websites were
unavailable as well.  Sources have compared the attack to that recently
launched against the French Finance Ministry, which preceded the G20
summit in Paris.
http://www.theregister.co.uk/2011/03/24/eu_cyber_attack/
http://www.bbc.co.uk/news/world-europe-12840941
http://www.v3.co.uk/v3-uk/news/2037059/european-commission-cyber-attack
http://www.scmagazineuk.com/european-commission-announces-that-it-was-hit-by-targeted-attack-as-cyber-espionage-campaign-continues/article/199030/

 --Facebook Traffic on AT&T Servers Detoured Through China
(March 24, 2011)
Internet traffic from AT&T servers bound for Facebook detoured through
servers in China and South Korea, according to researcher Barrett Lyon.
Lyon discovered the traffic's path using traceroute.  In his blog, Lyon
calls the detour a routing mistake, and notes that the incident raises
a number of questions, including whether the events constitute a privacy
breach, whether Facebook should have notified users that their
information was being sent over a network that might not be trustworthy,
and whether Facebook should enable SSL by default on all accounts.
http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
http://www.computerworld.com/s/article/9215029/AT_T_Facebook_traffic_takes_a_loop_through_China?source=CTWNLE_nlt_pm_2011-03-24
[Editor's Note (Pescatore): The recent compromise of Comodo SSL
certificates points out that SSL is far from a panacea. The CA Browser
Forum needs to invest in and focus on making SSL more than just
eyewash.]

 --Possible Explanation for Gmail Troubles in China
(March 24, 2011)
Security experts have suggested allegations that China has been
interfering in Gmail service could be explained by the use of
"transparent proxies."  These intermediary servers intercept and relay
messages and are capable of making changes to the intercepted messages
before sending them on to their destinations.  Some companies use
transparent proxies to filter employees' Internet access.  Governments
are increasingly using them to identify and censor dissidents.  Using
HTTPS could thwart these man-in-the-middle attacks.
http://www.technologyreview.com/web/37074

 --Mozilla Releases Firefox 4
(March 23, 2011)
Mozilla has released Firefox 4; the updated browser includes a number
of new security features.  Content Security Policy (CSP), which is
enabled by default, helps stop cross-site scripting (XSS), data
injection and other web-based attacks.  CSP allows sites to let the
browser know what information is legitimate.  Firefox 4 also lets users
automatically connect to websites through secure connections with the
HTTP Strict-Transport Security (HSTS) feature.  Firefox 4 also allows
users to opt out of behavioral tracking.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=10594
http://www.scmagazineus.com/firefox-4-includes-new-feature-for-thwarting-web-attacks/article/198992/

 --Senator Wants Clarity on US Government's Authority to Track Mobile Data
(March 23, 2011)
Senator Ron Wyden (D-Oregon) has proposed a bill that would require the
government to obtain warrants before using geo-location information to
track individuals.  The bill specifies exceptions emergencies, including
when someone's life or safety is in danger, when there are immediate
risks of danger to others, activities that threaten national security,
or activity indicative of organized crime.  Critics of the bill say the
exceptions are so narrow that federal law enforcement agents might be
wary of ever using geo-location information to track people.
http://www.nextgov.com/nextgov/ng_20110323_8085.php

 --Apple Issues OS X Security Updates
(March 22, 2011)
On Tuesday, March 22, Apple released an update for Mac OS X 10.5 and an
update for Mac OS X 10.6 to version 10.6.7.  The releases fix many of
the same vulnerabilities, including one that was used to break into an
iPhone at a hacking contest at a recent conference.  Forty-five of the
56 flaws addressed in the update could be exploited to allow arbitrary
code execution, and nearly a quarter of the flaws could be exploited in
drive-by attacks.
http://www.theregister.co.uk/2011/03/22/apple_mac_malware_update/
http://www.scmagazineus.com/apple-issues-slew-of-patches/article/198899/
http://www.eweek.com/c/a/Security/Apple-Fixes-Pwn2Own-Bug-in-Mac-OS-X-1067-iOS-431-Expected-Soon-647647/
http://www.computerworld.com/s/article/9214903/Update_Apple_patches_Pwn2Own_bug_55_others_in_Mac_OS?taxonomyId=85
http://support.apple.com/kb/HT4581

 --Former Student Pleads Guilty in Grade Hacking Case
(March 22, 2011)
Former high school student Omar Khan has pleaded guilty to five felony
counts for breaking into school computers and changing his grades.
Prosecutors say Khan "installed spyware devices on the computers of
several teachers and school administrators," and used the malware to
steal passwords.  Khan changed his own grades and those of a dozen other
students.  Khan was sentenced to 30 days in jail and ordered to pay US
$15,000 in restitution.  He and his co-conspirator, Tanvir Singh, were
arrested three years ago in connection with the incident.  Singh pleaded
guilty in September 2008 and was sentenced to three years of probation
and 200 hours of community service.
http://www.networkworld.com/news/2011/032211-student-used-spyware-to-steal.html?source=nww_rss
http://www.ocregister.com/news/khan-293077-lavacot-years.html?cb=1300806929

 --Two-Year Sentence for Stealing Virtual Gaming Chips
(March 22, 2011)
A UK man has been sentenced to two years in jail for stealing virtual
gaming chips.  Ashley Mitchell pleaded guilty to charges of hacking and
theft for stealing and reselling chips used in games from Zynga.
Mitchell stole 400 billion gaming credits and resold a third of them,
earning about GBP 53,000 (US $85,000).  Ashley managed to gain access
to Zynga's systems and assume the identities of two employees.
http://www.theregister.co.uk/2011/03/22/poker_chip_hacker_jailed/
http://www.bbc.co.uk/news/uk-england-devon-12791483

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk2M2JoACgkQ+LUG5KFpTkb9UACggkRiI876HTw67ije2zkDqzoU
UBsAn1F/iDxEZbar+hfbChuLLyY3Edio
=5djW
-----END PGP SIGNATURE-----




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.