SANS
SANS Consolidated Security News
- CVE-2011-4041 (Natl. Vulnerability Database)
- Data breach? Blame your third party's remote access systems (NetworkWorld Security)
- Trustwave issued a man-in-the-middle certificate (Heise Security News)
- Avast! Mobile Security (The Register)
- Bugtraq: security bulletin HPSBMU02736 SSRT100699 rev.2 - HP Business Availability Center (BAC) and Business Service Management (BSM), Remote Unauthorized Access to Sensitive Information (SecurityFocus Vulnerabilities)
- ISC Feature of the Week: Security Dashboard, (Tue, Feb 7th) (InternetStormCenter)
- Fresh iPhone Apps for Feb. 7: Hotels by Orbitz, TripLingo Romance Edition, The Hacker, Dream Pethouse (Appolicious) (Yahoo Security)
- Commerce Dept's Economic Development Administration Suffers Cyber Attack (February 2 & 3, 2012) (SANS Newsbites)
- "Challenges in Smart Object Security: too many layers, not enough ram" - Michael Richardson (Internet Drafts)
- Encryption Key To Evolving Data-Centric Security Model (Network Computing Security)
SANS Handler’s Diary
- Chrome to stop checking Certificate Revocation List (CRL)?, (Wed, Feb 8th) - There was a post on Ars Technica yesterday, that led back to another blog post from Sunday that suggests that Google Chrome will stop doing CRL checks at some point in the not too distant future. This has led to some interesting debate because the CRL mechanism has largely been ineffective. For a public key infrastructure (PKI) such as HTTPS to work, there must be an effective way of verifying the validity of the certificates. Due to the number of Certificate Authority (CA) breaches in recent years we'd all like a fast and effective method of taking compromised certificates out of play. During the highest profile breaches, all the major browser vendors simply pushed new versions of the browser with the root certificates from the breached CAs removed, in part because the browsers by design fail open (allow the connection) if they are unable to verify the certificate. So, is this a big deal? Is it the right way to go? Is it time to rethink/redesign/replace SSL or HTTPS? What do you think?
References
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
http://www.imperialviolet.org/2012/02/05/crlsets.html
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
- ISC StormCast for Wednesday, February 8th 2012 http://isc.sans.edu/podcastdetail.html?id=2311, (Wed, Feb 8th)
- ISC Feature of the Week: Security Dashboard, (Tue, Feb 7th) - Overview
The ISC Security Dashboard can be found at https://isc.sans.edu/dashboard.html or https://www.dshield.org/dashboard.html and is an ideal tool for viewing summary DShield report data, ISC site content and related security information all in one place. Some places to use the page could be simply an open browser tab, an embedded web page, a control center monitor and more! Let us know where you use the dashboard in the comments section below.
Features
The first section on the page contains the current UTC date/time and Refresh options. You can click to Refresh immediately or select to let the page auto-refresh every 5, 10, 20, 30 or 60 minutes. Additionally, when you select an interval, the reload will display a link you can bookmark to easily return to that timed refresh rate.
Row 1:
Column 1: World Map Country Report from https://isc.sans.edu/countryreport.html
Column 2: Latest Diaries from https://isc.sans.edu/diary.html and the ISC Search box that goes to https://isc.sans.edu/search.html
Column 3: Top 10 Source IPs from https://isc.sans.edu/reports.html#top10source
Row 2:
DShield live banner, showing Top attacked and port attacked, that links to https://www.dshield.org
Row 3:
Column 1: Top 10 Ports from https://isc.sans.edu/reports.html#top10ports
Column 2: Latest StormCast from https://isc.sans.edu/podcast.html#stormcast and ISC/DShield Google Groups link/box for subscribing to http://groups.google.com/group/iscdshield
Column 3: Top 10 Rising Ports Trends graph from https://isc.sans.edu/trends.html (NOTE: This graphic has location-sensitive clickable hot spots. Try it out!)
Row 4: Select Security News feeds
Row 5:
Column 1: Latest sans_isc tweets from https://twitter.com/sans_isc
Column 2: Select SANS Reading Room Papers from http://www.sans.org/reading_room
Column 3: Twitter list of tweets from ISC Handlers
Planned future improvements include an HTML5 update which will allow blocks to be re-ordered and block location preferences saved to your ISC profile.
Let us know in the section below where you use, or are planning to use, the dashboard or if there's content you think would be a valuable addition to this page or send us any questions or comments in the contact form https://isc.sans.edu/contact.html
--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)
- ISC StormCast for Tuesday, February 7th 2012 http://isc.sans.edu/podcastdetail.html?id=2308, (Tue, Feb 7th)
- Secure E-Mail Access, (Tue, Feb 7th) - Recently, attacks by the not-so-sophisticated persistent threat have focused on e-mail security. In many cases, e-mail credentials were either brute forced, or retrieved from compromised databases (in some of these cases, password re-use was a contributing factor).
During Wednesday's threat update webcast, I would like to do a segment focusing on e-mail security, and was wondering what our readers do to secure e-mail. Some of the challenges I see:
- the use of cloud based e-mail services like gmail.
- mobile access to e-mail
- access to e-mail from multiple devices
- e-mail encryption and authentication (PGP/S/MIME)
- e-mail forwarding security (if someone has e-mail forwarded to a personal e-mail address)
Please let me know if you have any novel ideas to address these problems that I should cover, or if you would like me to cover any additional questions.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Book Review: Practical Packet Analysis, 2nd ed, (Tue, Feb 7th) - A few months ago, the good folks at No Starch Press sent me a review copy of Chris Sanders' book Practical Packet Analysis, Using Wireshark to Solve Real-world Problems, 2nd Edition. While this isn't something we normally do here, since it has been a rather slow day at the Internet Storm Center, I thought this would be a great opportunity to share a short review of the book. As many of our regular readers are probably aware, I tend to use command-line tools such as tcpdump, snort, tshark, scapy, or even Perl to perform packet analysis. I prefer the command-line tools because when possible I like to script my analysis and GUI tools don't lend themselves to that.
This book (actually, starting with the 1st edition) was one that had been on my list of books I wanted to read for quite some time, but I had never gotten around to buying it, so I jumped at this opportunity when it presented itself. I really wanted to love the book, but wasn't quite able to get there. if aimed at experienced networking folks, why bother with explaining the OSI model again). Even so, I did like the book. Starting with chapter 8 is where I think the book really becomes worthwhile. I especially like the idea of using real-world scenarios (even if sometimes a bit contrived) to teach the features of a tool. This is often one of the best ways to teach new techniques or concepts. I learned some new tricks for both Wireshark and tshark which itself would have made it worth the price to me. I'm not going to give it stars or anything, but I do recommend this book to folks that aren't Wireshark experts (and even those who have plenty of Wireshark experience may pick up a new trick or two).
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
- ISC StormCast for Monday, February 6th 2012 http://isc.sans.edu/podcastdetail.html?id=2305, (Mon, Feb 6th)
- Cybersecurity Legislation Components, (Sun, Feb 5th) - As many of us have seen in the media recently, the United States and other world governments are deeply entrenched in discussions over proposed cybersecurity legislation. There are many different flavors of legislation currently being discussed by governments across the globe, which I don't intend to cover here. In the US it appears the government has finally started to address cybersecurity issues that have been discussed in this forum for years. One piece of the legislation currently being discussed, a proposal sponsored by Rep. Dan Lungren (R-Calif.), is House Resolution 3674 - the Promoting and Enhancing Cybersecurity and Information Sharing Enhancement Act of 2011 or PrECISE. The thrust of the bill is to amend the current Homeland Security Act of 2002 which will give additional authority to the US Government in the national cybersecurity effort.
I want to highlight some of the ideas being presented in this bill and how they are going to be a huge win for the cyber security community. These are just a few of the items being discussed, but these will pay huge dividends in the security effort.
The coordination and sharing of information between the civilian and government agencies is one of the topics some of the bills being considered address, and is a critical component in the cybersecurity effort. As it is written in PrECISE SEC. 2. Sec.226 (2) foster the development, in conjunction with other governmental entities and the private sector, of essential information security technologies and capabilities for protecting Federal systems and critical infrastructure information systems, including comprehensive protective capabilities and other technological solutions. Organizations that have previously developed implementation strategies for information systems have a leg up on organizations that have not. The Black Hat community has excelled at this type of sharing, and has been an excellent vehicle for their efforts. They are not impeded by corporate policy, federal guidelines, or other governing regulations.
The silos of information that exist in the enterprise today have also led to silos of security information. The production, collection, and correlation of that information is often difficult because different vendor technologies, implemented at different stages, lead to disparate systems. PrECISE SEC. 2, Sec 226 Para. (3) states the need to acquire, integrate, and facilitate the adoption of new cybersecurity technologies and practices in a technologically and vendor-neutral manner to keep pace with emerging terrorist and other cybersecurity threats. There are many great minds and methods to approach this, and the solution will not be easy. It is a critical solution that needs to be addressed.
User awareness and education is critical for every aspect of information security. With the increase of reliance on technology throughout, the importance of user education increases accordingly. PrECISE SEC. 2, Sec 226 Para.(6) states and
-(C) training opportunities to support the development of an effective national cybersecurity workforce and educational paths to cybersecurity professions
User education and awareness training, coupled with the information sharing efforts mentioned in Para. (2) will go a long way towards improving the overall security of the information and systems we use every day.
I am excited to see the governments taking cybersecurity seriously, and hope the politicians can produce something that is usable and applicable to the world today. The implementation of some of the ideas discussed in this bill will be a huge undertaking, and needs to be done. As a society we have moved beyond the point where cybersecurity is merely desirable by the people who rely on technology. It is a fundamental need, and in some instances, desperately.
Tony Carothers
tony d0t carothers at g_mail
Apple Security Advisory 2012-001 v1.1, (Sat, Feb 4th) - Earlier today, Apple announced v1.1 of the Security Update 2012-001. The advisory announced the availability of the Security Update for Mac OS X 10.6.8 that addresses a compatibility issue, and the removal of security fixes that were present in the original update for Snow Leopard. I am not confident why Apple removed security fixes from the original release, but maybe one of our readers can help us understand the issues behind the ImageIO security fix removal.
Below is the security advisory and we will link to the advisory once it is available on Apple's website.
APPLE-SA-2012-02-03-1 Security Update 2012-001 v1.1
Security Update 2012-001 v1.1 is now available
for Mac OS X v10.6.8 systems to address a compatibility
issue.
Version 1.1 of this update removes the ImageIO security
fixes released in Security Update 2012-001.
OS X Lion systems are not affected by this change.
Update #1:
Apple Support shows there were 3 different issues which were corrected in ImageIO in the original Security Update information located at http://support.apple.com/kb/HT5130.
Elsewhere, it appears that there are a number of users of OS X Lion which had problems after applying the original update as reported in Apple Support forums, 9to5Mac, and thevarguy.com. The Security Advisory only mentions OS X Snow Leopard, so I am not sure that the two issues are related or just coincidental. Stay tuned for more information.
Update #2:
Secunia has a very nice list of details in the update from yesterday. More information is located at http://secunia.com/advisories/47843/. No real information on why the ImageIO updates were removed.
----
Guy Bruneau Scott Fendley (ISC Handler On Duty)
All SANS related items, feeds and articles are the property/copyright of SANS or the original author. This site is in no way affiliated with/or endorsed by SANS.