Merit Network

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 96 : Senator Wyden Fights PIPA; Swiss Downplay Filesharing Concerns; Australian DSD Provides Step-by-Step Guidance for implementing the Controls that Stop Targeted Intrusions

  • From: The SANS Institute
  • Date: Tue Dec 06 15:42:46 2011


**************************************************************************
SANS NewsBites              December 6, 2011              Vol. 13, Num. 96
**************************************************************************
TOP OF THE NEWS
  Senator Wyden Proposes Conversation About Alternative to PIPA
  Swiss Federal Council Downplays Filesharing Concerns
  Australian Defence Signals Directorate (DSD) Finds Sweet Spot For
    Stopping Targeted Intrusions
THE REST OF THE WEEK'S NEWS
    4,000+ Sites Affected by SQL Injection Attack
    Carrier IQ Facing Lawsuits Over Tracking Software
    Carrier IQ Put Under the Microscope in Europe
    Carrier IQ Execs Speak Out
    MIT Researchers Consider US Power Grid Security
    Proposed New European Data Directive To Impose Fines
    BART Cell Service Blocking Policy Gains FCC's Attention
    Yahoo Messenger Vulnerability Allows Spamming
    US Military Cyber Security Education and Training is Evolving to
      Meet Current Needs

************************* Sponsored By Bit9 *****************************

FREE Webcast 12/7:  Application Whitelisting 101

It sounds simple:  Application Whitelisting ensures only authorized
software runs. But success requires an adaptable approach. Learn how the
largest of enterprises - including 30 of the Fortune 100 - use this
flexible, powerful solution to protect against advanced threats. FREE
webcast 12/7 @ 9am and 2pm Eastern.

http://www.sans.org/info/92979
**************************************************************************
TRAINING UPDATE
 --Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
 --SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
 --SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
 --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses.  Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
 --SANS Phoenix 2012, Phoenix, AZ  February 13-18, 2012
7 courses.  Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
 --SANS Singapore 2012, Singapore, Singapore  March 5-17, 2012
5 courses.
http://www.sans.org/singapore-2012/
 --Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************

TOP OF THE NEWS
 --Senator Wyden Proposes Conversation About Alternative to PIPA
(December 2, 2011)
US Senator Ron Wyden (D-Oregon) is gathering legislators from across
the political spectrum to discuss alternatives to the draconian takedown
measures proposed by the Protect IP Act (PIPA).  He has already promised
a filibuster if the bill should make it to the Senate Floor. PIPA bears
similarities to the House's Stop Online Piracy Act (SOPA), which has met
with a significant public outcry. Senator Wyden hopes to convince the
International Trade Commission, which already oversees issues of
material property, to expand its purview to include digital property as
well.
http://www.wired.com/threatlevel/2011/12/internet-blacklist-alternative/all/1
http://www.wired.com/images_blogs/threatlevel/2011/12/itcdraftwyden.pdf
 
 --Swiss Federal Council Downplays Filesharing Concerns
(December 5, 2011)
A report from Switzerland's Federal Council, compiled at the request of
the country's legislature, says that illegal filesharing is not a
significant problem. The report rejects three proposals aimed at
combating the issue: a three-strikes plan, similar to that codified in
France; Internet filtering; and a collective licensing plan that would
allow unlimited filesharing for a fee. The report says that consumers
still spend money on entertainment products, and that filesharing is a
concern only for "large foreign production companies," which need to
adapt their business models to include consumer behavior instead of
trying to push for legislation that seeks to maintain an outdated
system.
http://arstechnica.com/tech-policy/news/2011/12/swiss-government-file-sharing-no-big-deal-some-downloading-still-ok.ars
http://www.eweekeurope.co.uk/news/swiss-government-rules-downloading-to-remain-legal-48351
[Editor's Note (Murray): Legislation is a blunt tool.  It almost always
has unintended consequences.  Nothing is so difficult to remedy as bad
legislation.  Legislation should be used late, cautiously, and only
after all other measures have been tried.  ]

 --Australian Defence Signals Directorate (DSD) Finds 4 Controls Stop
    Targeted Intrusions
 (November 2011)
In October, the Australian Defence Signals Directorate received a US
national Cybersecurity Innovation Award for identifying and implementing
(across the Australian civilian and military agencies) four security
controls that could defeat more than 85 percent of targeted cyber
intrusions. The four controls top a list of 35 strategies, but unlike
any other government initiative, the Australians say "do the top 4
controls first" and then decide which of the other controls to
implement. This is the first strategy for mitigating targeted attacks
that resonates with top executives inside and outside government.  The
DSD just published new documents explaining exactly how to implement the
four controls in the "Sweet Spot."
http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf
http://www.dsd.gov.au/publications/Assessing_Security_Vulnerabilities_and_Patches.pdf
https://www.sans.org/press/australian-defence-signals-directorate-national-cybersecurity-award.php

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --4,000+ Sites Affected by SQL Injection Attack
(December 5, 2011)
A massive SQL injection attack appears to have infected more than 4,000
websites. Data gathered by the Internet Storm Center indicate that the
sites have been injected with a string that is inserted into several
tables. Users who visit the infected sites are being redirected to other
sites that attempt to place rogue anti-virus programs and other malware
on their machines.
http://www.scmagazineuk.com/sql-injection-attack-infects-more-than-4000-websites/article/218104/
http://www.scmagazine.com.au/News/282150,new-mass-sql-injection-attack-could-be-forming.aspx
http://isc.sans.edu/diary.html?storyid=12127
[Editor's Note (Murray): This attack, like many others, exploits
unchecked inputs in the application and the practice of relying upon
such applications to protect the database.  Parsing inputs is difficult;
use the OWASP Enterprise Security API and libraries.  Use the access
controls in the database manager.  One should prefer the controls
closest to the data and most reliable. ]

 --Carrier IQ Facing Lawsuits Over Tracking Software
(December 5, 2011)
A class action lawsuit filed over the use of Carrier IQ tracking
software names eight companies: four handset makers, three wireless
service carriers, and Carrier IQ itself. The suit alleges violations of
the Federal Wiretap Act, the Stored Electronic Communications Act, and
the Federal Computer Fraud and Abuse Act. The carriers and handset
makers named in the suit have all admitted that they use Carrier IQ's
software; the carriers say they use the software for network diagnostic
purposes only, and the handset makers say they allowed the software on
the phones at the request of the carriers. At least two other lawsuits
have been filed over the use of Carrier IQ. Apple has already announced
plans for an iPhone update that will remove Carrier IQ from its
handsets.
http://www.computerworld.com/s/article/9222424/8_companies_hit_with_lawsuit_over_Carrier_IQ_software?taxonomyId=17
http://news.cnet.com/8301-1009_3-57335851-83/carrier-iq-faces-lawsuits-lawmaker-seeks-ftc-probe/
[Editor's Note (Pescatore): This is sort of like suing your neighbor's
dog when it does its business in your yard, when you should be suing
your neighbor. The carriers install CarrierIQ's software on the phones
and collect the data and determine how much data is collected and what
is done with it. The carriers are also the ones who have not made this
explicit to the users of the phone. CarrierIQ shouldn't be demonized
over this, any more than GPS chip vendors would be for having GPS chips
in phones.]

 --Carrier IQ Put Under the Microscope in Europe
(December 5, 2011)
Regulators in several European countries have begun looking into Carrier
IQ's behind-the-scenes tracking software. The Bavarian State Office for
Data Protection wants to ensure that people are aware of how their data
are used and has sent a letter to Apple asking about its use of the
product. The UK's Information Commissioner's Office (ICO) is also
concerned about carriers complying with the country's Data Protection
Act. France's privacy regulator CNIL is also looking into Carrier IQ.
http://www.computerworld.com/s/article/9222411/European_regulators_start_investigating_Carrier_IQ?taxonomyId=208
http://www.businessweek.com/news/2011-12-05/apple-questioned-in-germany-as-carrier-iq-use-probed-in-europe.html

 --Carrier IQ Execs Speak Out
(December 2, 2011)
Executives at Carrier IQ say their monitoring software gathers
information about web usage, as well as when, where and to what numbers
calls are made and text messages are sent, but does not log all
keystrokes, which is one of the claims made by an Android developer who
has been a vocal critic of the software. The executives also noted that
downloaded data are encrypted while being transferred to the company's
servers.
http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/
This story provides an overview of the Carrier IQ situation:
http://www.informationweek.com/news/security/mobile/232200654

 --MIT Researchers Consider US Power Grid Security
(December 5, 2011)
Researchers from the Massachusetts Institute of Technology (MIT) say the
cyber security of the US power grid should be managed by a single entity
rather than continuing under the current arrangement, in which it is
overseen by a patchwork of federal, state and local authorities. In their report,
The Future of the Electric Grid, the researchers say that the various
organizations involved in maintaining the grid are not working together.
Specifically, the report says that the "lack of a single operational
entity with responsibility for grid cyber security preparedness as well
as response and recovery creates a security vulnerability in a highly
interconnected electric power system comprising generation,
transmission, and distribution." Existing cyber security standards apply
to "the bulk power system and not the distribution system."
http://www.msnbc.msn.com/id/45555394/ns/technology_and_science-security/
http://news.cnet.com/8301-13506_3-57336531-17/should-homeland-security-control-the-electrical-grid-maybe/
http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml

 --Proposed New European Data Directive To Impose Fines
(December 5, 2011)
The new European Data Protection Directive could impose considerable
fines on organizations that run afoul of European data protection laws.
Even companies that are headquartered in the US would be subject to the
requirements. The directive also imposes mandatory data breach
disclosure on all organizations in the public and private sectors.
http://www.zdnet.com/blog/london/massive-fines-planned-in-european-data-breach-crackdown/1278?tag=search-results-rivers;item0
http://www.scmagazineuk.com/data-protection-directive-changes-will-be-ineffective/article/218102/
[Editor's Note (Honan): Given the recent spate of security breaches it
should come as no surprise that the proposed new European Data Directive
will include mandatory breach disclosures.  However, it could be 2-4
years before this new Data Directive is ratified into local law for each
member state.  It should be worth noting that mandatory breach
disclosure is already in place for telecoms operators and Internet
service providers under the current ePrivacy Directive and in Ireland
the Data Protection Commissioner has introduced a Personal Data Security
Breach Code of Practice
http://www.dataprotection.ie/docs/7/7/10_-_Data_Security_Breach_Code_of_Practice/1082.htm ]

 --BART Cell Service Blocking Policy Gains FCC's Attention
(December 2, 2011)
The US Federal Communications Commission (FCC) plans to look into the
"Cell Service Interruption Policy" recently established by the Bay Area
Rapid Transit (BART) system. Earlier this year, BART made the decision
to block cell phone service at several stations during protests prompted
by the fatal shooting of some passengers by BART police. The move met
with public outcry and criticism. BART's new policy says that the transit
district will do the same thing again if "extraordinary circumstances"
occur. The language of the new policy allows BART to impose cell service
blocking "when it determines that there is strong evidence of imminent
unlawful activity that threatens the safety of ... passengers."
http://arstechnica.com/tech-policy/news/2011/12/fcc-to-probe-san-francisco-subway-cell-phone-interruption-policy.ars
http://news.cnet.com/8301-1009_3-57336075-83/fcc-to-review-sf-subway-cell-service-shutdown-rules/

 --Yahoo Messenger Vulnerability Allows Spamming
(December 2, 2011)
A vulnerability in Yahoo Messenger that can be exploited to change
users' status messages can also be used to send spam messages to other
users. The flaw lies in the way Yahoo Messenger's file transfer
application programming interface (API) processes malformed requests.
The exploit does not require any action from users. Until a fix is
available, Yahoo Messenger users can protect themselves by configuring
the application to ignore users who are not in their Messenger lists,
although attacks are still possible through known contacts that become
infected.
http://www.computerworld.com/s/article/9222360/Yahoo_Messenger_flaw_enables_spamming_through_other_people_s_status_messages?taxonomyId=85

 --US Military Cyber Security Education and Training is Evolving to Meet
    Current Needs
(November 18, 2011)
Understanding the need for a dynamic cyber security education and
training strategy, the US military is pursuing new models for training
troops for cyber warfare. Collaboration is increasing, both between
branches of the military and with industry partners. Each branch of the
military has developed cyber security education and training that it
tailored for its needs. The US Naval Academy requires all midshipmen to
participate in cyber education, and all Marines must take courses every
year to update their cyber security knowledge. The Air Force has
collaborated with SANS to use NetWars in its training program, and the
Army has teamed with a number of technology companies to help train and
certify soldiers.
http://fcw.com/Articles/2011/11/28/FEAT-Military-cyber-training.aspx


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat, and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/




