Merit Network NETSEC mailing list archive

[Netsec] SANS NewsBites Vol. 13 Num. 67 : Flaws Found in AES; Firm Fined $50,000 For Collecting Children's Personal Information; German State Bans Facebook 'Like' Button

  • From: The SANS Institute
  • Date: Tue Aug 23 16:31:16 2011


The NSA just released a useful guide called "Best Practices for Securing
Your Home Network" that goes beyond home networks and wireless to cover
email and traveling with mobile devices and more.  It's worth making
copies and distributing to your co-workers and employees.  What makes
it particularly useful is that it reflects the real-world knowledge of
the NSA Blue Teams and Red Teams. On the back page are references to
five additional guides: Social Networking, Defense Against Drive By
Downloads, Defense Against Malicious E-mail Attachments, Mac OSX 10.6
Hardening Tips, and Data Execution Prevention. You'll find it at the NSA
web site:
http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

                                    Alan

**************************************************************************
SANS NewsBites                 August 23, 2011            Vol. 13, Num. 67
**************************************************************************
TOP OF THE NEWS    
  Flaws Found in AES 
  Firm Fined $50,000 For Collecting Children's Personal Information
  German State Bans Agencies From Using Facebook 'Like' Button
  UK Government to Meet With Social Network Providers
THE REST OF THE WEEK'S NEWS 
    British Man Arrested Over Repeated Attacks Against Facebook 
    Security Breach at Yale Exposes 43,000 People's Data
    Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange
    Investigation Exposes Unauthorized Internal Access at Immigration Agency
    Audit Finds Holes in TSA Wireless Security
    US Defense Contractor Breached by Anonymous and LulzSec

************************** Sponsored By Splunk ***************************

Are you listening to your data? It's trying to tell you something. Only
Splunk can turn petabytes of your real-time and historical machine data
into powerful security insights. With Splunk software catch bad actors,
block cyber threats, detect zero-day viruses and advanced persistent
threats. Give your data a voice with Splunk.

http://www.sans.org/info/85014

**************************************************************************
TRAINING UPDATE
-- The National Security Architecture Workshop, DC, Aug. 29-30, 2011
2-day workshop discussing techniques to ensure security is considered
in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/
-- SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011
6 courses.  Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
45 courses.  Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
Information Security and Investigations
http://www.sans.org/network-security-2011/
-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile
Security training
http://www.sans.org/ncic-2011/
-- SANS Chicago 2011, Chicago, IL, October 23-28, 2011
6 courses.  Bonus evening presentations include Computer Forensics in
the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/
-- SANS Seattle 2011, Seattle, WA, November 2-7, 2011
5 courses.  Bonus evening presentations include Future Trends in
Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/
-- SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
6 courses.  Bonus evening presentations include The Worst Mistakes in
Cloud Computing Security; Offensive Countermeasures; and Watching the
Wire at Home
http://www.sans.org/san-francisco-2011/
-- Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

****************************************************************************
TOP OF THE NEWS
 --Flaws Found in AES 
(August 18, 2011)
Researchers at Katholieke Universiteit Leuven in Belgium and Microsoft
Research have published the first key-recovery attack on the full-round
Advanced Encryption Standard (AES), the cipher used to protect most
online transactions and wireless networks.  The attack recovers an
AES-128 key roughly four times faster than exhaustive search (about
2^126 operations instead of 2^128), with similarly small gains against
AES-192 and AES-256.  The researchers themselves stress that a work
factor of this size is nowhere near practical; AES remains safe to use.
The result matters because AES had previously resisted every attack on
its full number of rounds.  Whether the technique can be pushed further
is for the cryptographic community to establish.
http://www.computerworld.com/s/article/9219297/AES_proved_vulnerable_by_Microsoft_researchers
http://www.net-security.org/secworld.php?id=11474
http://threatpost.com/en_us/blogs/new-attack-finds-aes-private-keys-several-times-faster-brute-force-081911
[Editor's Comment (Murray): Since no claim as to the strength of AES has
ever been made, this is simply a mathematical claim that the work factor
for discovering a key is about five times lower than a brute force
attack.  While this is a significant analysis, worthy of a paper,
perhaps even a headline, an attack using this information, begun at the
Big Bang, would not have completed yet.  Kudos to the analysts.
(Northcutt): A practical related key attack on 10 rounds of AES was
published in 2009. This is entirely new. When you find a flaw in a
crypto algorithm many researchers jump in and try to improve on the
attack. We should expect guidance from NIST to increase the number of
rounds, currently 14:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html ]

 --Firm Fined $50,000 For Collecting Children's Personal Information
(August 22, 2011)
The Federal Trade Commission has fined W3 Innovations, a mobile
application developer, US $50,000 for violating the Children's Online
Privacy Protection Act (COPPA).  The FTC alleged that the company
collected the e-mail addresses of up to 50,000 children under the age of
13 who downloaded and used its iPhone and iPod touch apps, without their
parents' consent, that it allowed children to post personal information
on message boards and blogs, and that it had no privacy policy on its
website.  "The FTC's COPPA rule requires parental notice and consent
before collecting children's personal information online, whether
through a website or a mobile app," said FTC Chairman Jon Leibowitz.
http://www.infosecurity-us.com/view/20194/ftc-fines-firm-50000-for-collecting-childrens-personal-information/
http://www.bellinghamherald.com/2011/08/22/2150947/mobile-apps-developer-accused.html
http://www.scmagazineus.com/ftc-fines-childrens-app-maker-50k-for-privacy-violation/article/209707/
[Editor's Note (Pescatore): The FTC just keeps chugging along, enforcing
privacy and security regulations without needing new agencies, new laws,
new committees. I'd like to see the GAO do one of their reports on this;
lots of good lessons to be learned about how the FTC does it.
(Paller): I agree that the FTC is a model for effective government
intervention without overburdening industry.  But Pescatore's suggestion
that a GAO report would be helpful is probably not correct. GAO would
likely report that the FTC failed to look at every aspect of security
in every company, that it didn't look at the business recovery plan
documentation, and that it missed some weak passwords. In other words,
it would find silly, irrelevant faults instead of clearly pointing out
the effectiveness of the program that would help make security better.]

 --German State Bans Agencies From Using Facebook 'Like' Button
(August 19, 2011)
The German federal state of Schleswig-Holstein has ordered state
agencies to close their Facebook fan pages and to remove the "like"
button from their websites.  The order follows a finding by the state's
Data Protection Commissioner that both lead to unlawful profiling of
individuals, contrary to German and European data protection law.  A
page that embeds the button loads it from Facebook's servers, so every
visitor's IP address and any Facebook cookie are sent to Facebook in the
United States whether or not the visitor clicks the button or has a
Facebook account, and the resulting data about fan-page visits and
button use are held outside the EU.  Agencies have until the end of
September to comply; if they fail to do so they could face fines.
Facebook denies that it is in breach of any German or EU privacy law.
http://www.zdnet.co.uk/news/compliance/2011/08/22/german-state-bans-facebook-pages-like-buttons-40093735/
http://www.pcmag.com/article2/0,2817,2391440,00.asp
http://edition.cnn.com/2011/TECH/social.media/08/19/facebook.germany.like/index.html
http://www.zdnet.com/blog/facebook/germany-facebook-like-button-violates-privacy-laws/2837
[Editor's Note (Schultz): Expect this kind of story to become more
commonplace in the near future. European privacy statutes and the
openness that participation in social networking calls for are
orthogonal.]

 --UK Government to Meet With Social Network Providers
(August 19, 2011)
Following the recent riots and other civil unrest in England, the UK's
Home Secretary has asked to meet with the major social network
providers; the meeting is due to take place on Thursday, 25 August.
Social networks came under scrutiny after it emerged that individuals
had used them to organize riots and to incite others to riot.  Prime
Minister David Cameron caused controversy by saying the UK government
would look at ways of limiting access to social networking and messaging
services during any future civil disorder.  Facebook has welcomed the
opportunity to meet the UK government to discuss the issues; Twitter and
BlackBerry maker RIM have also confirmed attendance.  The BlackBerry
Messenger (BBM) service was reportedly widely used in organizing the
riots.  Meanwhile, an 18-year-old Scottish man has been arrested over
comments allegedly made on a social networking site that incited others
to riot.
http://www.bbc.co.uk/news/technology-14587502
http://thenextweb.com/uk/2011/08/22/confirmed-twitter-will-meet-with-the-uk-government-for-riot-talks/
http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-14608134
[Editor's Note (Schultz): This issue is likely to not only become
increasingly commonplace, but also to have more and more significance.
Access to mobile devices and the content they deliver constitutes free
speech, yet these devices are being increasingly used to stir up crowds
(sometimes for the better, sometimes for the worse).]

***************************  SPONSORED LINKS  ******************************
1) Trade in your current NAC solution for ForeScout CounterACT Virtual
Appliance today! Limited time promotional offer.
http://www.sans.org/info/85019

2) NEW Analyst Paper in the SANS Reading Room, "Optimized Network
Monitoring for Real-World Threats,"  by Dave Shackleford.
http://www.sans.org/info/85024

3) Do not miss SANS Ask the Expert: Leveraging SSL to Battle Emerging
Security Threats. Sign up at: http://www.sans.org/info/85029
****************************************************************************

THE REST OF THE WEEK'S NEWS 
 --British Man Arrested Over Repeated Attacks Against Facebook
(August 18, 2011)
Glenn Steven Mangham, a 25-year-old student from York, England, has been
arrested and charged with five offences under the UK Computer Misuse Act
for allegedly trying to break into servers belonging to Facebook.  After
a brief appearance before Judge Nicholas Evans at Westminster
magistrates' court, Mangham was released on bail on condition that he
surrender any device capable of accessing the Internet and not use the
Internet while the case is pending.  Facebook says that none of its
users' personal data was compromised in the alleged attacks and that
"we have been working with Scotland Yard and the FBI as we take any
attempt to hack our internal systems extremely seriously".
http://www.theregister.co.uk/2011/08/18/facebook_hacking_suspect/
http://www.net-security.org/secworld.php?id=11491
http://www.pcadvisor.co.uk/news/security/3298077/25-year-old-brit-in-court-for-attempting-to-hack-facebook/
http://www.telegraph.co.uk/technology/facebook/8708392/Student-hacker-penetrated-Facebook.html

 --Security Breach at Yale Exposes 43,000 People's Data
(August 18, 2011)
Yale University has notified about 43,000 staff, students and alumni
that a file containing their names and Social Security numbers had been
publicly accessible on a university FTP server.  The file, a list of
everyone affiliated with Yale in 1999, sat on a server that was reachable
from the Internet; when Google began indexing and searching FTP servers
in September 2010, its contents became findable through an ordinary web
search.  Yale staff were unaware of the change and discovered the
exposure in June of this year, about ten months later.  Yale says it has
"secured" the file and Google has confirmed that it no longer stores the
data.
http://www.yaledailynews.com/news/2011/aug/17/yale-affiliates-ssns-were-searchable-google/
http://www.computerworld.com/s/article/9219369/Yale_warns_43_000_about_10_month_long_data_breach
http://www.cnbc.com/id/44206510/Yale_Security_Breach_Reveals_Data_About_Students_and_Staff
[Editor's Note (Pescatore): I think if Google found the files, they were
*always* publicly available and never secured properly. Not a good idea
to rely on security through "Google said it won't do this."]
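Pescatore's point is that the right check is on your own side: anything on a server that answers anonymous requests is public, whatever the search engines happen to be doing this year. The script below, an added example with constructed sample data (it is not Yale's or Google's code), walks a directory tree the way a crawler would and flags files that hold Social Security numbers, so that the scan is run by the data owner before it is run by Google. The SSN pattern excludes area, group and serial values the SSA never issues to cut false positives from part numbers and the like.

```python
"""Scan a directory tree that is exposed to the Internet (an anonymous FTP
root, a web document root) for files that look like they hold Social
Security numbers.  Added example with constructed sample data; this is
not Yale's or Google's code.  Run it against the real root before a
search engine does the scan for you."""
import os
import re
import tempfile

# SSN shape AAA-GG-SSSS.  The SSA never issues area 000, 666 or 900-999,
# group 00 or serial 0000, so those are excluded to cut false positives
# from part numbers and similar nine-digit codes.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)


def count_ssns(data: bytes) -> int:
    """Number of SSN-shaped tokens in a file's contents."""
    return len(SSN_RE.findall(data.decode("utf-8", errors="replace")))


def scan_tree(root: str, threshold: int = 1, max_bytes: int = 50_000_000):
    """Walk `root` and return [(path relative to root, ssn_count)] for
    every readable file holding at least `threshold` SSN-shaped tokens,
    highest count first.  Files larger than `max_bytes` are skipped so a
    stray ISO image does not stall the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable to us is unreadable to the crawler too
            if n >= threshold:
                hits.append((os.path.relpath(path, root), n))
    hits.sort(key=lambda hit: -hit[1])
    return hits


def build_sample_root() -> str:
    """Constructed stand-in for a public FTP root: one forgotten roster
    with two SSNs and one harmless README with look-alike numbers."""
    root = tempfile.mkdtemp(prefix="ftp-root-")
    archive = os.path.join(root, "pub", "archive")
    os.makedirs(archive)
    with open(os.path.join(archive, "1999-roster.csv"), "w") as fh:
        fh.write("name,ssn\nA. Student,123-45-6789\nB. Staff,456-78-9012\n")
    with open(os.path.join(root, "pub", "README"), "w") as fh:
        fh.write("Catalogue numbers 000-12-3456 and 666-11-2222; "
                 "helpdesk 555-123-4567.\n")
    return root


if __name__ == "__main__":
    for rel_path, count in scan_tree(build_sample_root()):
        print(f"{count:4d}  {rel_path}")
```

Point it at the FTP or web root as the account the daemon runs under, not as root, so that the scan sees exactly what an anonymous client sees; a file the daemon cannot read is not exposed by it. Raise `threshold` to skip files with a single coincidental match and treat anything in the dozens as a list that was never meant to be there.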

 --Hong Kong Police Arrest Man For DDoS Attacks Against Stock Exchange
(August 19, 2011)
Police in Hong Kong have arrested a 29-year-old man in connection with a
series of distributed denial-of-service (DDoS) attacks against the Hong
Kong stock exchange's news website, the site on which listed companies
publish price-sensitive announcements.  Because the announcements could
not be published, the exchange halted trading in the shares of seven
companies, including the banking giant HSBC and Cathay Pacific Airways.
Exchange representatives said that its trading systems were not
affected.
http://www.straitstimes.com/BreakingNews/Asia/Story/STIStory_703848.html
http://www.bangkokpost.com/tech/computer/252582/hong-kong-arrests-man-over-stock-exchange-hacking
http://www.v3.co.uk/v3-uk/news/2103480/hong-kong-police-arrest-ddos-attack-stock-exchange
[Editor's Note (Pescatore): We learned long ago that data centers
without electricity were just big, expensive paperweights so we have
uninterruptible power supplies. Data centers without Internet
connectivity are big expensive paperweights that consume electricity -
DDoS protection should have the same place in business continuity
planning that UPSs have.]

 --Investigation Exposes Unauthorized Internal Access at Immigration Agency
(August 18, 2011)
An investigation has revealed numerous security violations by employees
of U.S. Citizenship and Immigration Services (USCIS).  The investigation
focused on the agency's Texas Service Center and found abuse of system
privileges, tampering with audit logs, and unauthorized access to
managers' e-mail and other confidential documents.  Investigators also
found hacking tools installed on a number of computer systems.
http://fcw.com/articles/2011/08/19/agg-uscis-internal-hacking.aspx
http://www.nextgov.com/nextgov/ng_20110818_1087.php
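The tampering with audit logs is the finding that matters most here: an insider with system privileges can usually edit the local log file, so a log that is only a file on the host they control proves nothing. The usual answer is to make the log tamper-evident by chaining records with a keyed MAC whose key lives only on a separate collector. The following is an added example of that technique, not USCIS code; the records and the key are constructed placeholders.

```python
"""Tamper-evident audit log.  Each record carries an HMAC over its own
content and the previous record's tag, keyed with a secret that lives only
on the log collector, so an administrator who can edit the local log file
cannot alter, delete or reorder entries without breaking the chain.  Added
example; the records below are constructed and the key is a placeholder."""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # chain anchor for the first record


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over (previous tag || canonical JSON of the record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, **fields) -> dict:
    """Append a record; its sequence number and chained tag are filled in."""
    prev = log[-1]["tag"] if log else GENESIS_TAG
    record = {"seq": len(log), **fields}
    entry = {"record": record, "tag": _tag(key, prev, record)}
    log.append(entry)
    return entry


def first_bad_entry(log: list, key: bytes):
    """Return the index of the first entry whose sequence number or chained
    tag does not verify, or None if the whole chain is intact."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        if entry["record"].get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return None


def demo(key: bytes = b"collector-only-secret"):
    """Build a four-record log, then make the two edits an insider covering
    their tracks would make.  Returns (clean, after_delete, after_edit),
    each the result of first_bad_entry()."""
    log = []
    append(log, key, user="jdoe", action="login", host="tsc-ws-17")
    append(log, key, user="jdoe", action="read", target="manager-mailbox")
    append(log, key, user="jdoe", action="install", target="sniffer.exe")
    append(log, key, user="jdoe", action="logout")
    clean = first_bad_entry(log, key)

    deleted = json.loads(json.dumps(log))  # deep copy
    del deleted[2]                         # drop the incriminating record
    after_delete = first_bad_entry(deleted, key)

    edited = json.loads(json.dumps(log))
    edited[1]["record"]["user"] = "svc-backup"  # reattribute the access
    after_edit = first_bad_entry(edited, key)
    return clean, after_delete, after_edit


if __name__ == "__main__":
    print(demo())  # (None, 2, 1)
```

Two caveats a practitioner should keep in mind. Deleting only the newest records leaves a chain that still verifies, so the collector must also record the latest tag and count out of band, or receive records in near real time. And the scheme is only as good as the key's separation: if the HMAC key is readable on the audited host, the insider simply recomputes the chain.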

 --Audit Finds Holes in TSA Wireless Security
(August 22, 2011)
An audit of systems at Transportation Security Administration (TSA)
headquarters by the Department of Homeland Security's Inspector General
(IG) found a number of weaknesses in the agency's wireless networks.
The audit found high-risk vulnerabilities in Microsoft Windows XP
laptops and in the BlackBerry Enterprise Servers (BES) that support the
agency's BlackBerry devices.  It also found that the TSA had not
complied with the baseline configuration controls DHS requires for
wireless devices and systems, citing issues "regarding the disabling of
unused router interfaces and a disallowed service" and "high-risk
vulnerabilities involving patch and configuration controls".  In
response, the TSA said it has already implemented corrective measures
for the issues raised.
http://www.infosecurity-us.com/view/20238/tsa-probed-for-wireless-security-lapses/
http://www.hstoday.us/industry-news/general/single-article/tsa-improves-wireless-cybersecurity-after-ig-audit/bfbb824d3c2fac205ac7abcfe8fd2988.html
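Both of the quoted baseline findings, enabled-but-unused interfaces and a disallowed service, are the kind of thing that can be checked mechanically from a saved running configuration rather than discovered by an auditor. The script below is an added example of such a check; the configuration is a constructed IOS-style sample and the DISALLOWED set is an assumed baseline, not the DHS standard the IG audited against.

```python
"""Baseline check for the two classes of finding named in the audit:
router interfaces that are enabled but carry no configuration, and
global services the baseline disallows.  Added example: the config is a
constructed IOS-style sample and DISALLOWED is an assumed baseline, not
the DHS configuration standard."""

# Assumed baseline: services that should never be present on a router.
DISALLOWED = {
    "ip http server",
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip finger",
}

# Interface lines that show the port is actually in use.
IN_USE_PREFIXES = ("ip address", "ipv6 address", "switchport", "channel-group")

SAMPLE_CONFIG = """\
hostname edge-router
service tcp-small-servers
ip http server
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
 shutdown
!
"""


def parse_interfaces(config_text: str) -> dict:
    """Map interface name -> list of its (stripped) sub-mode lines."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # back to global configuration mode
    return interfaces


def global_lines(config_text: str) -> list:
    """Top-level (non-indented) configuration lines, in order."""
    return [line.strip() for line in config_text.splitlines()
            if line.strip() and not line.startswith((" ", "!"))]


def audit(config_text: str) -> dict:
    """Return enabled-but-unconfigured interfaces and disallowed services."""
    unused_enabled = []
    for name, lines in parse_interfaces(config_text).items():
        shut = "shutdown" in lines          # exact line, so 'no shutdown' does not count
        in_use = any(line.startswith(IN_USE_PREFIXES) for line in lines)
        if not shut and not in_use:
            unused_enabled.append(name)
    disallowed = [line for line in global_lines(config_text) if line in DISALLOWED]
    return {"unused_enabled": unused_enabled, "disallowed_services": disallowed}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(finding, items)
```

Run it over configurations pulled by the backup job, so that a port that was brought up for a project and never shut down shows up in the next report rather than in the next audit. The IN_USE_PREFIXES list is deliberately narrow: a description alone does not make a port in use, and the baseline here is stricter than the real-world exceptions a given site will need to record.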

 --US Defense Contractor Breached by Anonymous and LulzSec
(August 19, 2011)
Individuals claiming to be part of Anonymous and LulzSec say they have
breached the computer systems of Vanguard Defense Industries, a US
defense contractor that manufactures the ShadowHawk unmanned aerial
vehicle.  In a posting to the Pastebin website, the group claims to have
published 1GB of confidential e-mail belonging to Vanguard senior vice
president Richard T. Garcia, who is also a board member of InfraGard
and a former assistant director of the FBI's Los Angeles office.  A
statement attributed to Anonymous said: "We are doing this not only to
cause embarrassment and disruption to Vanguard Defense Industries, but
to send a strong message to the hacker community. White hat sellouts,
law enforcement collaborators, and military contractors beware we're
coming for your mail spools, bash history files, and confidential
documents."
http://www.v3.co.uk/v3-uk/news/2103171/anonymous-lulzsec-hit-drone-maker-hack
http://www.washingtonpost.com/world/americas/texas-based-vanguard-defense-industries-official-hacked-by-anonymous-ceo-says-damage-limited/2011/08/19/gIQAY7htPJ_story.html
http://www.theinquirer.net/inquirer/news/2103000/antisec-hackers-hit-fbi-affiliate

************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

