InfoSec News

After Oracle and Hewlett-Packard enjoyed a long and fruitful partnership in enterprise IT, it's hard to find anything that hasn't gone wrong with their relationship over the past two years.
Semiconductor company Microsemi has issued a statement denying that one of its products, a popular silicon chip called ProASIC3, has a backdoor built into it.
Cable sports giant ESPN offers a mobile app that lets you watch live sports and shows on your iPhone or iPad no matter where you happen to be. The app is called WatchESPN. And I would certainly love to, if I could get the app to dependably stream video.
The European Union is considering sweeping new data protection laws that would mandate many organizations in Europe formally appoint a Data Protection Officer (DPO). To get ahead of the potential high demand for qualified candidates, organizations should consider defining their needs now.
June is off to a rocky start in the markets for technology companies as shares slump in the wake of troubling economic reports, though cooler heads appear to have confidence in the sector for the long term.
Oracle has pledged to appeal a judge's ruling Thursday that Java APIs cited in its lawsuit against Google weren't subject to copyright protection, but legal scholars and attorneys not associated with the case expressed mixed opinions whether that would be successful.
Microsoft's recently available Windows 8 Release Preview has a few interesting tweaks but still seems caught between its tablet and PC interfaces.
Twitter may not be gaining new U.S. users as fast as it used to, but the users it has are much more engaged, according to a report from the Pew Internet and American Life Project.

Security experts have warned about the potential problems caused by military cyberstrikes. Experts say cyberwarfare is difficult to plan and worse, it puts innocent people at risk.

Stuxnet was part of a secret joint U.S.-Israeli cyberattack operation which began with approval by the Bush Administration and continued with the nod from the Obama White House, according to a detailed account of the attack written by David Sanger in a report published today in the New York Times.

To put the pieces of the Stuxnet puzzle together, Sanger conducted interviews with unnamed sources involved with the Stuxnet operation, dubbed “Olympic Games.” While the account confirms a lot of speculation about the nation-states behind the Stuxnet worm, it also raises a lot of questions about cyberwarfare and its use by a sitting president. Should members of Congress have been notified of the operation? Were any U.S. citizens put at risk?

Even well planned military cyberstrikes go wrong

A 2009 study by the nonprofit research firm RAND Corp. urged the United States not to invest in offensive cyberweapons. It is too difficult to predict the outcome of an attack, making strategic planning a guessing game, according to the report’s author, Martin C. Libicki. “Predicting what an attack can do requires knowing how the system and its operators will respond to signs of dysfunction and knowing the behavior of processes and systems associated with the system being attacked,” Libicki wrote. Indeed, according to the Times story, Stuxnet clearly caused some disruption, but it was anyone’s guess as to how far it set back Iran’s nuclear program.

Even worse, Sanger’s account of the operation detailed a major coding error that enabled the offensive malware to escape into the wild. This led to its detection and analysis by antimalware vendors. Indeed, there were facilities in the United States using the Siemens systems that the worm could have sought out. While the threat was minimal (Stuxnet still would have had to get through the buffer zone isolating a facility from the Internet), those quoted in Sanger’s story said it was easy to get through the Iranian facility’s buffer zone using a simple thumb drive. I’ve heard of penetration testers using this trick to great success: dropping thumb drives in areas throughout a targeted organization to see if any curious employees would insert the device into their computer. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand,” according to an unnamed official referring to how Stuxnet was planted at the underground uranium enrichment site in Natanz, Iran.

If that’s the case, then the operation certainly could have put U.S. citizens at risk right here on our own soil. It also has the potential to fan the flames of retaliation or similar offensive cyberwarfare operations from our adversaries. We’ve already encountered reports that government agencies and even critical infrastructure facilities, such as power plants, have been penetrated in some way.

Network security luminary Marcus Ranum, CSO of Tenable Network Security, told SearchSecurity about his concern over militarized cyberspace and even outlined the problem caused by the Stuxnet-like strikes.

Critical infrastructure protection

I wrote about a 2010 report by the Center for Strategic and International Studies (CSIS), which consisted of a global survey of more than 600 IT pros at critical infrastructure facilities. The main finding was that the systems that run power plants, manage the distribution of hazardous chemicals and help monitor water treatment plants are in dire need of stronger safeguards. The survey found that those facilities are under a constant barrage of attacks. A U.S.-China Economic Review Commission report last October cited a significant attack targeting U.S. satellites. The examples go on and on.

But the problem goes beyond the potential threat to power plants and oil and chemical refineries. Earlier this year researchers demonstrated a theoretical attack targeting the systems that control the locking mechanisms at a prison. Imagine the chaos that would cause if cybercriminals were to target the prison system.

There is plenty of recognition of the seriousness of the problem, but very little transparency of where the nation stands on protecting critical assets, said Andy Purdy, chief cybersecurity strategist at CSC, and a member of the team that developed the U.S. National Strategy to Secure Cyberspace in 2003. In an interview I had with Purdy at the 2012 RSA Conference, Purdy cited some progress, but admitted that the lack of transparency leaves very little information for authorities to track the progress the nation is making in protecting critical systems. Purdy cited substantial federal funding being invested into SCADA system security, the progress of the Industrial Control Systems CERT and several plans and reports outlining the role of the public and private sector in protecting critical systems, digital identities for Internet users and the role ISPs should play in controlling customers with compromised systems.

Perhaps security luminary Dan Geer is thinking ahead to disaster recovery after a cyberstrike. He speaks incessantly at security conferences and summits about the need for system redundancy and manual processes to help lessen the disruption and chaos when Internet-connected systems fail. Not only do we need redundant systems and manual processes, but we need skilled people who know how they function, Geer says.

Stuxnet details conclusion

The details about the planning operation behind Stuxnet should be a reminder that military action, whether physical or digital, needs to be thoroughly vetted or else innocent citizens could be inadvertently put at risk. It should be a call to action for stricter oversight of the security of critical infrastructure, whether publicly or privately owned. It’s amazing to me that despite all of the increased rhetoric about better protecting the nation’s critical infrastructure there has been very little evidence of progress. Just words.


As a quick follow-on to last week's feature on the Country Report, today we'll take a look at the Country list page at https://isc.sans.edu/country.html. This page lists country, region and total reports by date, with the option to limit the results by port number. It also links to the Region Report at https://isc.sans.edu/regionreport.html, which gives overall reports per region with the same date and port criteria.


The usage text at the top of the page explains a few points; here are the details:

Choose the date for data you want to display on the page then click Update. Default is the current day.
Enter a port number if you want to restrict the results to that port, then click Update.
Click column header to sort by column. Click again to reverse sort order.

Country: result linked to https://isc.sans.edu/countryreport.html for details
Region: Limit to a specific region by choosing from drop-down and clicking Update. Click the region abbreviation to go to Region Report page which gives total reports per region with similar criteria options.
Reports: Total reports for country row based on date/port criteria

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft said on Friday that it would kick off a Windows 8 upgrade program tomorrow, giving buyers of new Windows 7 PCs the chance to grab a copy of the not-yet-released operating system for $15.
Now that Microsoft has shipped the Release Preview for Windows 8, you may wondering whether to try it out. Here's what you need to know to do so.
Moodle Multiple Information Disclosure and Security Bypass Vulnerabilities
Moodle CVE-2012-2367 Security Bypass Vulnerability
Facebook has been suffering from intermittent outages since Thursday night and a hacker group is taking responsibility. Facebook says it hasn't been attacked, however.
Verizon Communications Friday said it has agreed to acquire Hughes Telematics for $612 million.
Web analytics company Net Applications today changed its May numbers from those posted overnight, and now has Google's Chrome still in third place, albeit barely behind Mozilla's Firefox.
The Bluetooth functionality of the Flame cyberespionage malware could potentially be used to pinpoint the physical location of infected devices and allow local attackers to extract data if they get in close proximity to the victims, according to security researchers from antivirus vendors Symantec and Kaspersky Lab.
The Internet Society has declared this coming Wednesday, June 6th, IPv6 Day [1]. We had a similar IPv6 day last year, but this year things will be a bit different. First of all, like last year, numerous large web sites have declared their participation in IPv6 day.
As of June 6th, participating web sites will be reachable via IPv6, and they will remain reachable via IPv6 beyond June 6th. Last year's IPv6 day was different in that it only lasted one day, and IPv6 connectivity was disabled the next day. Last year was more of a trial run, and based on its success, it was decided to maintain IPv6 connectivity beyond IPv6 day this year.
So what does this all mean? First of all, the web sites in question will still be reachable via IPv4. However, if you do have some form of IPv6 connectivity, you will likely use IPv6 to reach them (see my Happy Eyeballs video about some of the odd issues that may arise: https://isc.sans.edu/ipv6videos/HappyEyeBalls/index.html).
If you are using an IPv6 tunnel, or in particular if your operating system decides to auto-configure a tunnel, you may see some degradation in speed and reliability. It is time to get a native IPv6 connection. I know most of you can't get it. But this is another problem... Teredo connections will not be used if IPv4 connectivity is available.
Get ready to secure your IPv6 network. Right now, IPv6 is a blind spot to many detective controls. Don't consider IPv6 a threat. Use it as an opportunity. There are a lot of neat things you can do in IPv6 to secure your network better. But get on it and learn about it now.
In the end, we do need IPv6. IPv4 was designed as a research network for the 70s/80s. It has outlived its purpose. The current global business network we call the Internet cannot continue to run and grow on it much longer. Already, we are running into issues not just with address utilization, but also with routing efficiency, the integration of modern networking paradigms like mobility, and modern hardware capabilities that IPv4 cannot use efficiently. I consider it like the DC power grid: a nice starter network that helped us get going, but in the end, AC was the way to go to actually create the large, efficient power grids that jump-started so many great innovations.
We also have a special summit coming up: The Security Impact of IPv6. See http://isc.sans.edu/ipv6.
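Why a host with native IPv6 will reach an IPv6 Day site over IPv6 while a host whose only IPv6 path is Teredo keeps using IPv4, as an added example (not ISC's code): it applies the RFC 6724 destination-ordering rules that Happy Eyeballs-style stacks start from, using an abridged copy of the default policy table. Source selection is simplified to "first local address of the same family", and the site and host addresses are constructed from documentation prefixes.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table, abridged (deprecated rows dropped):
# (prefix, precedence, label). Higher precedence wins; labels tie source to destination.
POLICY_TABLE = [
    ("::1/128", 50, 0),        # loopback
    ("::/0", 40, 1),           # native IPv6
    ("::ffff:0:0/96", 35, 4),  # IPv4, seen as IPv4-mapped IPv6
    ("2002::/16", 30, 2),      # 6to4 tunnel
    ("2001::/32", 5, 5),       # Teredo tunnel
    ("fc00::/7", 3, 13),       # unique local
]
_POLICY = [(ipaddress.ip_network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


def as_ipv6(addr):
    """Represent an IPv4 address as IPv4-mapped so one table serves both families."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def policy(addr):
    """Longest-prefix match of addr against the policy table -> (precedence, label)."""
    ip = as_ipv6(addr)
    _, prec, lab = max((row for row in _POLICY if ip in row[0]), key=lambda r: r[0].prefixlen)
    return prec, lab


def pick_source(dest, source_addrs):
    """Simplified source selection (assumption): first local address of dest's family."""
    fam = ipaddress.ip_address(dest).version
    return next((s for s in source_addrs if ipaddress.ip_address(s).version == fam), None)


def order_destinations(dest_addrs, source_addrs):
    """Order resolver results as a host with the given local addresses would try them:
    drop destinations with no usable source (rule 1), then prefer a destination whose
    label matches its source's label (rule 5), then higher precedence (rule 6)."""
    def key(dest):
        prec, dest_label = policy(dest)
        _, src_label = policy(pick_source(dest, source_addrs))
        return (dest_label == src_label, prec)
    usable = [d for d in dest_addrs if pick_source(d, source_addrs) is not None]
    return sorted(usable, key=key, reverse=True)   # stable, so resolver order breaks ties


# Constructed records for an IPv6 Day site and three client hosts (documentation prefixes).
SITE = ["2001:db8:1::80", "192.0.2.80"]           # AAAA then A, as a resolver might return them
NATIVE_HOST = ["2001:db8:2::10", "198.51.100.10"]
TEREDO_HOST = ["2001:0:4136:e378::1", "198.51.100.10"]
V4_ONLY_HOST = ["198.51.100.10"]
```

With a Teredo source the AAAA record loses on the label rule even though native IPv6 has the highest precedence, which is the behaviour the diary describes; a 6to4 source (2002::/16) loses the same way.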

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Apple released a nice document with details about iOS 5 security features. The document is NOT a hardening guide. Instead, it provides more insight into the iOS architecture and sandboxing feature, as well as lists of available security features.
This document should be read by anybody working on an iOS hardening guide to better judge the risks associated with iOS and various settings within iOS. One problem with standard hardening guides is that some of them may be too restrictive for your environment, and you should always customize them to your needs. The Apple documents will allow you to make more intelligent choices as to what hardening features to apply.

(A Google search for "iOS hardening guide" will turn up a large number of relevant guides you can use as a starting point for your own.)


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

While some online services are stepping up their efforts to protect private user data from government requests, there is plenty room for improvement, the Electronic Frontier Foundation said.
Dolly Drive launched in 2010 as a crazy idea: why not back up your Mac with Time Machine over the Internet?! The firm proved over time that it wasn't as odd an idea as it first seemed. It's a rather simple solution that hides the underlying management complexity. Its software simulates a disk that Mac OS X believes is a networked volume available for Time Machine backups. Apple's backup processes handle transfers and restores.
President Barack Obama ordered the Stuxnet cyberattacks on Iran in an effort to slow the country's development of a nuclear program, according to a report in The New York Times.
Adobe's professional audio editing application, Audition, was first introduced to Mac users with Adobe Creative Suite 5.5. Prior to that, Adobe offered Soundbooth, a less powerful audio editor. Windows users, however, have long had access to Audition (and to its predecessor, Cool Edit Pro, which was acquired by Adobe in 2003).
[Ask the iTunes Guy is a regular column in which we answer your questions on everything iTunes related. If there's something you'd like to know, send an email to the iTunes Guy for consideration.]
Google has asked European Union regulators to investigate alleged collusion between Nokia, Microsoft and so-called patent trolls.
Apple has won a battle over the standard for a smaller SIM card, use of which would leave more room for other components in future phone designs.
Oracle Java SE CVE-2012-0504 Remote Java Runtime Environment Vulnerability
Samsung Electronics has acquired Nanoradio, a Swedish company that develops energy-efficient chipsets for Wi-Fi, it said on Friday.
Google on Thursday began helping users in China navigate the country's strict censorship systems by highlighting search terms that will likely result in page errors, as part of an update to the company's search engine. But the new feature could be arriving too late to help the search giant improve its presence in the country, according to one analyst.
Kyocera is demonstrating a new mobile phone that uses vibrations in its screen to transmit sound to the ear, in place of the traditional receiver speaker.
Google's Chrome passed Mozilla's Firefox in May to become the world's second-most-popular browser, according to data released today by Web analytics company Net Applications.
IT interns brought innovation to NASA's Jet Propulsion Lab, the White House and We Energies. Here's how to inspire similar results from your summer crew.
The Gateway FX6860 is one of the first Ivy Bridge systems to hit the market. Although the processor is mainly meant for mobile units, it can also increase desktop performance.
U.S. Sen. Chuck Grassley (R-Iowa) says a program that allows foreign students to work here for up to 29 months may be hurting U.S. workers and risking national security.
Opinion appears sharply divided on whether the government and law enforcement should have unchecked authority to initiate a localized or citywide wireless service shutdown for public safety purposes.