Merit Network Email List Archives: NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 45 : FISMA transformation officially begins; Sony hacked (again); World IPv6 day

  • From: The SANS Institute
  • Date: Tue Jun 07 13:49:43 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The US federal transformation in cybersecurity measurement has now
officially begun.  It matters. See the first story in this issue.
				     Alan

**************************************************************************
SANS NewsBites                  June 7, 2011             Vol. 13, Num. 045
**************************************************************************
TOP OF THE NEWS    
  FISMA Compliance Metrics Focus on Continuous Monitoring
  World IPv6 Day
  Sony Pictures Database Hacked
  Rootkit Now Has Self-Propagation Mechanism
THE REST OF THE WEEK'S NEWS 
    Canadian Judge Blocks Extradition of Alfred-Adekeye to US
    Syria Temporarily Shuts Down Much of Internet
    Adobe Releases Fix for Zero-Day Flash Flaw
    Attackers Steal InfraGard Login Credentials
    Man Arrested for Attempted Facebook Hack
    Attackers Steal Information from Acer Customer Database
    Spear Phishing Attacks Gathered Information Over Many Months
    Chinese Paper Warns That Groundless Accusations Could be Dangerous
    British Intelligence Agency Replaces Online al Qaeda Article with
      Cupcake Recipes

***************************************************************************
TRAINING UPDATE
 -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
8 courses.  Bonus evening presentations include SANS Hacklab and Why
End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
 -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
42 courses.  Bonus evening presentations include Ninja Developers:
Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
 -- SANS Boston 2011, Boston, MA, August 6-15, 2011
13 courses.  Bonus evening presentations include Cost Effectively
Implementing PCI through the Critical Controls; and More Practical
Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
 -- SANS Virginia Beach 2011, August 22 - September 2, 2011
11 courses.   Bonus evening presentations include SANS Hacklab;
Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/
 -- SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011
6 courses.   Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
 -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
44 courses.   Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
Information Security and Investigations
http://www.sans.org/network-security-2011/
 -- Looking for training in your own community?
http://sans.org/community/
 -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Austin, Canberra, Ottawa and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org


********************** SPONSORED BY ForeScout Technologies *****************

ForeScout delivers automated solutions for Network Access Control (NAC),
mobile security, threat prevention and endpoint compliance. Because our
agentless appliance is easy to deploy, use and scale, over 1000 of the
world's most secure enterprises and military installations rely on
ForeScout to enable accessibility while protecting networks and
sensitive data.

http://www.sans.org/info/79348

****************************************************************************


TOP OF THE NEWS
 --FISMA Compliance Metrics Focus on Continuous Monitoring
(June 6, 2011)
New Federal Information Security Management Act (FISMA) compliance
metrics released by the US Department of Homeland Security (DHS) require
agencies to report on their implementation of automated continuous
measurement of critical security risks. The memo stems from 2010
guidance requiring government agencies to begin moving to continuous
security monitoring.
http://www.informationweek.com/news/government/security/230100013
http://www.govinfosecurity.com/articles.php?art_id=3707
http://www.nextgov.com/nextgov/ng_20110606_5245.php?oref=topstory
http://gcn.com/articles/2011/06/06/fisma-reporting-metrics.aspx
http://www.sans.org/critical-security-controls/fisma.pdf
[Editor's Note (Hoelzer): This is an extremely important step.  Federal
CIOs and others have known for a long time that the "Report Card" method
just doesn't work since it completely fails to address the real risks
that a particular agency faces.  A Continuous Monitoring focus means
that FISMA compliance is starting to align with what much of the FISMA
constituency has been saying: Government agencies must have the correct
monitoring systems deployed, they must be monitoring the correct things
and they must be providing meaningful information to inform the
defenders about events and trends.  It is heartening to see FISMA
compliance coming closer into line with the 20 Critical Security
Controls.
(Pescatore): To most federal agencies, the reporting requirements are
increasing much faster than security budgets are increasing.
(Paller): The agencies do not have to continue wasting money on the old
reporting - they continue only because it makes the FISMA contractors
money and because of the Stockholm syndrome (the CIOs and CISOs have
been captives of the paper-compliance fanatics for so long that the
victims cannot believe they are free to use the money to do the right
thing: continuous, automated, daily monitoring).]

 --World IPv6 Day
(June 3, 2011)
On Wednesday, June 8, web sites around the world will test the IPv6
standard, which will ultimately allow many more IP addresses than IPv4
with faster connectivity. Among the organizations participating in World
IPv6 Day are Microsoft, Google, Yahoo and Facebook. The test runs from
8PM EST on June 7 until 7:59PM EST on June 8. The event is designed to
allow network engineers to see how well the new protocol works on a
large scale and to identify technical problems like misconfigured
systems. The event is also aimed at raising awareness of IPv6
deployment, which is necessary because the Internet is running out of
IPv4 address space. IPv6 is not compatible with IPv4, which means web
sites will need to upgrade network equipment and software.
http://www.networkworld.com/news/2011/060311-ipv6-day.htmls
[Editor's Note (Pescatore): There are a variety of ways enterprises and
carriers will run both v4 and v6 during what will be a lengthy
transition period.  Need to make sure these kinds of tests are used to
look for weaknesses within and between those mechanisms.
(Ullrich): This is a wakeup call for everybody who doesn't have an IPv6
integration plan in place yet.  If you think you don't need one, because
you have enough IP space for your network, ask your current and future
customers if they have any IPv6 plans. Our monthly ISC threat update,
which happens to fall on IPv6 day, will cover IPv6 security.
(Honan): Users that have not implemented IPv6 will probably experience
slow responses from some sites during World IPv6 day as their connection
is dropped from IPv6 to IPv4.  It will be a good idea to have your
support desk and incident response teams pre-warned and up to date about
IPv6 day in order to deal with the increase in calls they may receive
from users experiencing "strange" results when accessing the Internet
and certain websites.  Some useful resources to point users at include
the RIPE IPv6 Eye Chart http://ipv6eyechart.ripe.net/ and also
http://www.test-ipv6.com/ to test your IPv6 connectivity.]

 --Sony Pictures Database Hacked
(June 3, 2011)
Attackers have targeted Sony once again, this time using an SQL
injection attack to steal user records and admin details, including
passwords and music codes, from Sony Pictures. The attackers claiming
responsibility for the attack are the same who claimed to be behind a
recent attack on the US Public Broadcasting Service (PBS) website in
which a phony news story was posted. The group claims that none of the
information they took was encrypted. The breach reportedly affects more
than one million SonyPictures.com users.
Internet Storm Center: https://isc.sans.edu/diary.html?storyid=10996
http://www.informationweek.com/news/security/attacks/229900111
http://www.scmagazineus.com/hacker-group-raids-sony-pictures-in-latest-breach/article/204379/

 --Rootkit Now Has Self-Propagation Mechanism
(June 3 & 6, 2011)
A researcher says that the TDSS rootkit, also known as Alureon and TDL4,
now has a self-propagation mechanism that lets it spread to other
computers using two different methods: the malware can now infect
removable media drives and spread over local area networks (LANs).
http://www.theregister.co.uk/2011/06/03/tdss_self_propagation_powers/
http://www.infosecurity-magazine.com/view/18439/advanced-worm-uses-builtin-dhcp-server-to-propagate-/

***************************  SPONSORED LINKS  ******************************
1) Logs Don't Lie. What do yours say? Find out when you download
ArcSight Logger for FREE.  http://www.sans.org/info/79353

2) Download the Symantec Endpoint Protection 12 Beta for unrivaled
security and blazing performance.  http://www.sans.org/info/79358

3) Sign up NOW for SANS Ask The Expert Webcast: The Rise of Web Malware:
The Impact for Your Website, Social Media, and Ad Networks and How You
Can Protect Your Business on June 16th at 1 PM ET. Sponsored by Dasient.
Go to http://www.sans.org/info/79363

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Canadian Judge Blocks Extradition of Alfred-Adekeye to US
(June 3 & 6, 2011)
A British Columbia Supreme Court judge has stayed extradition
proceedings against former Cisco employee Peter Alfred-Adekeye.  Justice
Ronald McKinnon did not mince words in an oral decision that said the
point of the extradition demand was to derail an antitrust lawsuit
Alfred-Adekeye had brought against Cisco. That suit alleged that Cisco
forced customers to purchase maintenance contracts to receive security
updates for Cisco products. Cisco filed a countersuit, alleging that
Alfred-Adekeye had gained access to Cisco networks using a former
colleague's login credentials. He was arrested while testifying at a
special hearing in that case that was held in Canada because he had been
denied entry to the US.
http://www.computerworld.com/s/article/9217300/Canada_blocks_extradition_of_Cisco_suspect?taxonomyId=82
http://www.vancouversun.com/news/used+unmitigated+gall+court+jail+exec/4885987/story.html
http://www.salon.com/news/david_sirota/2011/06/06/cisco_law_enforcement

 --Syria Temporarily Shuts Down Much of Internet
(June 6, 2011)
Internet service in Syria has been restored after the government cut off
access to citizens on Friday, June 3 during some of the largest
anti-government protests the country has recently seen. Following the
shutdown, only Syrian government sites remained available in that
country. Internet in Syria was once again available by 7AM local time
the next day. Other Middle Eastern governments have severed Internet
access in an attempt to quell protests.
http://www.zdnet.com/blog/networking/syria-8217s-internet-is-back-up-8230-for-now/1139
http://www.eweekeurope.co.uk/news/syrian-internet-cut-off-during-protests-31009
http://technolog.msnbc.msn.com/_news/2011/06/03/6779700-syrian-government-unplugs-internet-for-much-of-country
[Editor's Note (Schultz): Tyrants know all too well that information is
power and thus that withholding information from the masses is one of
the best ways to keep them enslaved.]

 --Adobe Releases Fix for Zero-Day Flash Flaw
(June 5 & 6, 2011)
Adobe has released an out-of-band fix for a zero-day vulnerability in
its Flash Player. The cross-site scripting (XSS) flaw affects Flash
Player versions 10.3.181.16 and earlier on Windows, Mac, Linux and
Solaris and versions 10.3.185.22 and earlier for Android. A fix has
already been pushed out to address the Flash flaw in Google's Chrome
browser. The flaw could be exploited "to take action on a user's behalf
on any website or webmail provider" by tricking users into clicking on
malicious links in email messages. Adobe is still investigating whether
or not the vulnerability affects Reader and Acrobat. The flaw is
reportedly being actively exploited against Gmail users.
Internet Storm Center: https://isc.sans.edu/diary.html?storyid=11014 
http://krebsonsecurity.com/2011/06/flash-player-patch-fixes-zero-day-flaw/
http://www.informationweek.com/news/security/app-security/229900192
http://www.h-online.com/security/news/item/Flash-Player-update-closes-zero-day-1255599.html
http://www.adobe.com/support/security/bulletins/apsb11-13.html
http://www.scmagazineus.com/gmail-users-targeted-by-adobe-flash-exploit/article/204617/
http://www.zdnet.com/blog/security/hackers-exploiting-flash-player-xss-vulnerability/8732
[Editor's Note (Honan): Issues such as this zero-day Flash flaw
highlight how important security awareness training is in helping users
protect themselves from malicious attacks.  A quick review of many of
the major security breaches shows that the attack gained a foothold
within the organisation after a user clicked on a link or attachment in
an email.  Technical controls can detect and prevent many attacks, but
always be aware that the unwary/uneducated user can be exploited to
circumvent these controls.]

 --Attackers Steal InfraGard Login Credentials
(June 6, 2011)
Login credentials belonging to members of InfraGard, an FBI partner
organization, have been stolen and posted to the Internet. InfraGard is
a "public-private partnership devoted to sharing information about
threats to US physical and Internet infrastructure." InfraGard Atlanta
Members Alliance President Paul Farley acknowledged that the
organization's website was compromised. The group claiming
responsibility for the attack said it was launched in retaliation for
the Pentagon's announcement that it is considering classifying certain
cyber attacks as acts of war. The Atlanta InfraGard website has been
shut down as a precaution.
http://www.msnbc.msn.com/id/43293246/ns/technology_and_science-security/
http://www.ajc.com/news/hackers-hit-atlanta-fbi-968059.html
Related Internet Storm Center: https://isc.sans.edu/diary.html?storyid=11011

 --Man Arrested for Attempted Facebook Hack
(June 6, 2011)
Law enforcement authorities have arrested a UK man for allegedly
attempting to break into Facebook. The social networking company is
working with London's Metropolitan Police Service and the FBI to look
into the incident. Facebook says that no user information was
compromised. Details about the incident are vague because the
investigation is ongoing.
http://www.computerworlduk.com/news/security/3284072/man-arrested-in-yorkshire-on-facebook-hacking-charges/

 --Attackers Steal Information from Acer Customer Database
(June 3 & 6, 2011)
Attackers claim to have stolen information from an Acer customer
database. The compromised information appears to include the names,
email addresses and purchase histories of about 40,000 customers. The
attackers also claim to have stolen source code from the computer
manufacturer. The attackers appear to have taken the information by
gaining access to an Acer FTP server.
http://www.computerworld.com/s/article/9217295/Acer_server_in_Europe_reportedly_breached?taxonomyId=82
http://www.theregister.co.uk/2011/06/03/acer_customer_data/
http://www.h-online.com/security/news/item/Acer-inadvertently-releases-40-000-customer-details-1255998.html
http://www.v3.co.uk/v3-uk/security-watchdog-blog/2076219/hacking-claims-breached-acer-s-european-systems

 --Spear Phishing Attacks Gathered Information Over Many Months
(June 3, 2011)
The recently disclosed spear phishing attacks against key government
officials, political activists and journalists in several countries
around the world had been painstakingly planned; the attackers appear
to have been gathering personal information about their targets for as
long as nine months. Google claims to have disrupted the targeted
attacks.
http://www.theregister.co.uk/2011/06/03/gmail_users_stalked_for_months/

 --Chinese Paper Warns That Groundless Accusations Could be Dangerous
(June 6, 2011)
China has warned that Google's insinuation that the Chinese government
is behind the recent spear phishing attacks targeting government
officials' and political activists' Gmail accounts (see story above)
could prove detrimental to Google's business. Google has not directly
accused the Chinese government of being responsible for the attacks, but
did say that they appeared to originate in a Chinese city that houses a
government intelligence agency. The article in China's paper, the
People's Daily, did not specify exactly how the allegations could come
back to haunt Google.
http://www.reuters.com/article/2011/06/06/us-google-china-idUSTRE7550CV20110606
http://news.cnet.com/8301-13506_3-20069245-17/china-paper-blusters-at-google-amid-hacking-affair/?tag=mncol;title

 --British Intelligence Agency Replaces Online al Qaeda Article
with Cupcake Recipes
(June 2, 2011)
The British intelligence agency MI6, along with GCHQ (the UK counterpart
of the US National Security Agency), has broken into an online al Qaeda
publication and replaced instructions for making a bomb with a series
of cupcake recipes. The cyber infiltrators also removed several articles
from the publication.
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford is Chief Security Officer of the North American
Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
https://www.sans.org/account


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk3uVc4ACgkQ+LUG5KFpTkYbgwCfXXQV0mXAl+zRLiJqaH5KRZnH
+m8AoJ2HfCSjPKFAtjOd5Xf8GAY1qLif
=SB7r
-----END PGP SIGNATURE-----



