Merit Network Email List Archives: NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 36 : Apple iOS Update Addresses Location Data Issues

  • From: The SANS Institute
  • Date: Fri May 06 14:07:37 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**************************************************************************
SANS NewsBites                  May 6, 2011              Vol. 13, Num. 036
**************************************************************************
TOP OF THE NEWS    
  Apple iOS Update Addresses Location Data Issues
  Boeing Whistleblowers Not Entitled to Protection
  Mozilla Questions Government's Request to Ban Firefox Plug-In 
THE REST OF THE WEEK'S NEWS 
    Google Supports Opposition to California Do Not Track Bill
    May's Patch Tuesday to Address Three Vulnerabilities
    Two Companies Settle FTC Charges
    FBI Responds to Audit Report Critical of its Cyber Security Expertise
DEVELOPMENTS IN SONY BREACH
    SOE Intrusion Discovered During PSN Breach Investigation
    New York AG Subpoenas Sony Regarding How it Represented Site Security
    Sony Calls in Forensic Experts
    Sony Declines to Testify at House Subcommittee Hearing on Breach
       Legislation but Offers More Details in Letter to Legislators

***************************************************************** 
TRAINING UPDATE
- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
Investigation http://www.sans.org/security-west-2011/
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.  Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses.  Bonus evening presentations include Ninja developers:
Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
- -- SANS Virginia Beach 2011, August 22- September 2, 2011
11 courses.   Bonus evening presentations include SANS Hacklab; and
It's Time to Rethink Everything: A Governance, Risk & Compliance
Primer
http://www.sans.org/virginia-beach-2011/
- -- Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current Plus Barcelona,
Amsterdam, Brisbane, London and Austin all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************** SPONSORED BY SANS ***********

Announcing New SANS Reading Room Papers!
1.  The highly-anticipated SANS 7th Annual Log Management Survey Report
is now available in the SANS Reading Room here:
http://www.sans.org/info/76964

2. A new survey on network security and resiliency is available in the
SANS Reading Room here: http://www.sans.org/info/76969

****************************************************************************

TOP OF THE NEWS
 --Apple iOS Update Addresses Location Data Issues
(May 4 & 5, 2011)
Apple has released iOS 4.3.3 to address three flaws associated with
the location cache kept on iPhones, iPads and iPods.  The update reduces
the amount of location data stored on the device to one week's worth.
It also alters the operating system so that the cache is no longer
backed up to computers when devices are synced.  Finally, the update
deletes the cache from devices when users disable Location Services in iOS Settings.  The
update was released just a week after Apple said it would fix the
problems.  Apple says that the next major update for iOS will include
encryption for location information on devices running the operating
system.
http://www.bbc.co.uk/news/technology-13292313
http://www.computerworld.com/s/article/9216421/Apple_releases_iOS_4.3.3_to_patch_location_bugs?taxonomyId=17
http://www.theregister.co.uk/2011/05/04/apple_updates_ios_to_addresss_location_tracking_database_cache/

 --Boeing Whistleblowers Not Entitled to Protection
(May 3 & 4, 2011)
A federal appeals court has said that two Boeing internal auditors who
leaked documents that raised questions about cyber security measures at
the company to a Seattle newspaper are not entitled to whistleblower
protection.  Boeing fired Matthew Neumann and Nicholas Tides after the
leak was traced to them.  The auditors maintained that they were
protected by the Sarbanes-Oxley Act, which aims to protect shareholders
from fraud.  The court said that the Act protects people who give
information to the authorities, not to the media.
http://www.wired.com/threatlevel/2011/05/whistleblower-firings/
http://www.latimes.com/news/local/la-me-whistleblowers-20110504,0,5715520.story

 --Mozilla Questions Government's Request to Ban Firefox Plug-In
(May 5, 2011)
Mozilla has refused a request from the US Department of Homeland
Security (DHS) that it ban a Firefox plug-in called MafiaaFire.  The
plug-in in question allows users to visit sites whose domain names have
been seized by the US government.  MafiaaFire redirects users to new
sites that offer the same content as those whose domain names have been
seized, but are beyond the reach of the government.  The government says
the extension violates its seizure orders.  Mozilla has asked why it
should comply with the request and has yet to receive a reply from the
government.
http://www.wired.com/threatlevel/2011/05/firefox-add-on-redirect/
http://arstechnica.com/tech-policy/news/2011/05/mozilla-resists-us-govt-request-to-nuke-mafiaafire-add-on.ars
http://www.theregister.co.uk/2011/05/05/mozilla_firefox_addon_survives/
http://www.computerworld.com/s/article/9216453/Mozilla_defies_DHS_will_not_remove_Mafiaa_Fire_add_on?taxonomyId=17

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Google Supports Opposition to California Do Not Track Bill
(May 5, 2011)
Google has joined a number of other groups in opposing proposed
legislation in California that would grant consumers the right to
prevent companies from tracking, retaining or selling data about their
online activity.  The Bill passed the State Senate Judiciary Committee;
it now goes before the Appropriations Committee before moving to the
Senate and State Assembly.  Those opposing the legislation say it places
undue burden on businesses conducting online commerce.
http://www.pcworld.com/article/227212/californias_do_not_track_law_takes_a_step_forward.html
http://www.theregister.co.uk/2011/05/05/google_backs_do_not_track_opposition/

 --May's Patch Tuesday to Address Three Vulnerabilities
(May 5, 2011)
On Tuesday, May 10, Microsoft will release two security bulletins to
address a total of three vulnerabilities in Microsoft Windows and
Microsoft Office.  Both bulletins address flaws that allow remote code
execution.  The first bulletin will address one critical flaw in
Windows; the other is rated important and will address two flaws in
Office.
http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
http://news.cnet.com/8301-27080_3-20060140-245.html?tag=mncol;title
http://www.computerworld.com/s/article/9216448/Microsoft_plans_critical_update_to_Windows_Server_next_week?taxonomyId=17
http://www.scmagazineus.com/microsoft-readying-fixes-for-windows-office-flaws/article/202200/

 --Two Companies Settle FTC Charges
(May 4, 2011)
The US Federal Trade Commission (FTC) said that two companies have
settled charges the Commission brought against them for failing to
implement adequate security controls to protect sensitive information.
Ceridian, a payroll services provider, and Lookout Services, which
provides immigration services software, both falsely claimed to offer
adequate protection. Both companies experienced breaches that exposed
sensitive personal information of consumers. The settlement agreements
call for the companies to obtain third-party security audits every two
years for the next 20 years.
http://www.informationweek.com/news/security/attacks/229402828
[Editor's Note (Schultz): Having to undergo a security audit every two
years borders on being a joke. Having to instead submit snapshots of
information (such as syslog output from critical servers) that reveals
the security state of these companies every month, something that is
more in accordance with the relatively new continuous monitoring
initiative within the U.S. government, would be far better.]

 --FBI Responds to Audit Report Critical of its Cyber Security Expertise
(May 3, 2011)
Steven Chabinsky, who is the deputy assistant director of the FBI's
cyber division, disputes conclusions drawn in a recently released audit
report that the FBI lacks sufficient cyber security investigation
skills.  Chabinsky says that the information gathered is out of date as
the audit in question began in 2008.  The FBI's approach to cyber crime
has changed within the last two years with the addition of a new
training program that incorporates real-world experience.  The FBI's
cyber unit and the National Cyber Investigative Joint Task Force
(NCIJTF), which is led by the FBI and which coordinates intelligence and
investigations across 18 agencies, have both received praise for the
results of their efforts.
http://www.informationweek.com/news/security/government/229402636
[Editor's Comment (Northcutt): What I would like to see is an audit of
the Office of the Inspector General to determine how qualified they are
to assess a government agency's cyber capabilities!  No agency has a
better trained cyber-law enforcement team than the FBI. None! The FBI
has been taking cyber workforce development very seriously for years,
starting even before the military.]

*************************************************
DEVELOPMENTS IN SONY BREACH
 --SOE Intrusion Discovered During PSN Breach Investigation
(May 5, 2011)
Sony expects to have portions of the PlayStation Network (PSN) available
sometime this week, but has not said when it expects Sony Online
Entertainment (SOE) services to be restored.  Sony said that the attack
on SOE was discovered during the investigation of the PSN breach.
http://www.washingtonpost.com/blogs/faster-forward/post/sony-online-entertainment-details-attack-but-no-timeline-for-service-restoration/2011/05/04/AFTcHIxF_blog.html

 --New York AG Subpoenas Sony Regarding How it Represented Site Security
(May 4, 2011)
New York Attorney General Eric Schneiderman has subpoenaed Sony
regarding the PSN and SOE breaches and the way it represented the
network's security to customers.  Sony has apologized for the breaches
and is cooperating with investigations.  The subpoena seeks information
about what Sony told customers about the network's security.
http://www.bloomberg.com/news/2011-05-04/sony-said-to-be-subpoenaed-by-new-york-over-data-breaches-1-.html

 --Sony Calls in Forensic Experts
(May 4 & 5, 2011)
Sony has called in the expertise of three security forensic specialty
teams to investigate breaches that compromised personal information of
more than 100 million Sony customers.  Some of the investigators were
brought in on April 22, days before Sony publicly acknowledged that data
had been compromised.  Sony said that the intruders compromised at least
10 servers.  The FBI is conducting its own investigation.
http://www.informationweek.com/news/security/attacks/229402895
http://www.bbc.co.uk/news/business-13276490
http://www.guardian.co.uk/technology/2011/may/04/sony-playstation-network-hack-investigators

 --Sony Declines to Testify at House Subcommittee Hearing on Breach
    Legislation but Offers More Details in Letter to Legislators
(May 3, 4 & 5, 2011)
Members of the House Committee on Energy and Commerce Subcommittee on
Commerce, Manufacturing and Trade expressed frustration that Sony and
Epsilon declined invitations to testify about breaches that compromised
personal data of tens of millions of people. Subcommittee chair
Representative Mary Bono Mack (R-Calif.) said Sony should have told
customers about the breach that affected millions of users sooner and
called the company's efforts "half-hearted, half-baked."  Sony used a
blog as the first form of notification.  Sony defended the delay in
notification by saying it wanted to wait until it had more
information about the incident.  In the letter, Sony says it did not
notice the attack on PSN because it was distracted by a series of
distributed denial-of-service (DDoS) attacks launched against several
different Sony divisions.  Sony says those attacks were launched by the
loosely organized hacker collective known as Anonymous in protest of
Sony's prosecution of George Hotz.  Anonymous has said it was not
involved in the attacks on PSN and SOE.  The letter went on to describe
what the company is doing to resolve the problems.
http://www.eweek.com/c/a/Security/Sony-Data-Breach-Was-Camouflaged-by-Anonymous-DDoS-Attack-807651/
Sony's letter: http://republicans.energycommerce.house.gov/Media/file/Letters/112th/050411Hirai.pdf
http://www.washingtonpost.com/blogs/post-tech/post/house-panel-blast-sony-on-data-breaches/2011/05/04/AF2UFxoF_blog.html
http://www.usatoday.com/tech/news/2011-05-04-sony-breach-congress_n.htm
http://www.scmagazineus.com/sony-breach-prompts-house-data-theft-hearing/article/202061/
http://www.infosecurity-us.com/view/17798/sony-admits-to-week-delay-in-notifying-public-about-data-breach


************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3EI8gACgkQ+LUG5KFpTkZfsgCaAlqUBlOv5WAzjXIFokVuiI6h
MOIAoJdUG7jXu7lU5gIciOOAY3DuKYrx
=i4RS
-----END PGP SIGNATURE-----
