SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #32

April 22, 2011


Every summer, Internet Storm Center Analysts come from around the US and the world to speak at SANSFIRE in Washington, DC, where they discuss the new attack patterns that are emerging and other lessons they have learned. The 1,000 delegates get a unique, insider's look at what's actually going on in new attacks. And this year's SANSFIRE (July 15-24) also allows attendees to compete in the new NetWars competition and to see an exhibition of cool security products. That's all in addition to 35 of SANS' most in-demand immersion courses, including Reverse Engineering, Security Essentials, Forensics, Pen Testing, Secure Coding, Incident Handling and Hacker Exploits, as well as legal, auditing, management and other technical courses.
http://www.sans.org/sansfire-2011/

TOP OF THE NEWS

Apple and Google Collect Subscriber Location Data
iPhone Software Collects and Stores User Location Data
DOJ Wants Warrantless GPS Tracking Authority
Cyber Security at Critical Infrastructure Systems Not Keeping Pace with Attacks

THE REST OF THE WEEK'S NEWS

Adobe Patches Critical Flaw in Reader
Guilty Plea in Carder Case
Two Fired in Wake of Texas Breach
Guilty Plea in Phony Software Sales Case
Was Arrest of Former Cisco Employee Orchestrated?
Oak Ridge Attack
Verizon 2011 Data Breach Investigations Report

CLARIFICATION

(Federal Reserve)


*****************************************************************

TRAINING UPDATE

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011. 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011. 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011. 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 8-15, 2011. 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*********************** SPONSORED BY Oracle *******************************

REGISTER NOW for the upcoming webcasts with Oracle:

Thursday, 4/28/11 at 1:00pm EDT: Transparent Data Encryption for Oracle Databases
https://www.sans.org/webcasts/transparent-data-encryption-oracle-databases-94063

And don't miss RSA Attacked: "Strong" Authentication Is Not The Solution, Wednesday, 5/4/11 at 1:00pm EDT

http://www.sans.org/info/76454

****************************************************************************

TOP OF THE NEWS

Apple and Google Collect Subscriber Location Data (Update) (April 22, 2011)

iPhones and Android phones regularly transmit their locations to Apple and Google, including unique telephone identifiers. The data is sent multiple times per hour.
-http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html?loc=interstitialskip

iPhone Software Collects and Stores User Location Data (April 20, 2011)

Researchers have found that iPhones running iOS4 track and retain user location data. The unencrypted information is stored on the devices and on computers through the iOS device backup system in iTunes. The data are stored without users' permission. There is no evidence that the information is being sent to Apple; it appears to remain in the possession of the user. Another researcher discovered the issue last year, but his work remained largely in forensic circles and was not publicized. The two researchers who just released their information have also released a tool that generates a visual representation of the stored information.
-http://www.informationweek.com/news/security/privacy/229401960
-http://news.cnet.com/8301-13579_3-20055885-37.html?tag=mncol;title
[Editor's Comment (Northcutt) Oh good heavens, it is so wrong to gather subscriber location data without permission. To illustrate, in 2009, Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his GPS phone data and then folks created a graphic showing his travels. It is very compelling. By the way, I keep GPS turned off on my phone most of the time:
-http://www.zeit.de/datenschutz/malte-spitz-data-retention]

DOJ Wants Warrantless GPS Tracking Authority (April 19, 2011)

The Justice Department wants the US Supreme Court to overturn an August 2010 lower court ruling that reversed the conviction and sentence of a drug dealer whose vehicle was tracked for a month through GPS without a warrant. DOJ wants the authority to place GPS tracking devices on suspects' cars without warrants. Three other circuit courts of appeals have said that law enforcement authorities do not need warrants to use the devices, which have become more prevalent in investigations. A 1983 Supreme Court decision allowed the use of a tracking beacon placed on a container without a warrant. The circuit court that overturned the drug dealer's conviction said that the difference between the cases is that the 1983 case involved tracking someone from one place to another, while the GPS devices provide continuous monitoring, and noted that it "illustrates how the sequence of a person's movements may reveal more than the individual movements of which it is composed."
-http://www.wired.com/threatlevel/2011/04/scotus-gps-monitoring/

Cyber Security at Critical Infrastructure Systems Not Keeping Pace with Attacks (April 18, 2011)

A report commissioned by McAfee and written with the Center for Strategic and International Studies (CSIS) notes that attacks against systems at companies that run elements of critical infrastructure are on the rise. The report, "In the Dark: Crucial Industries Confront Cyberattacks," notes that many of these companies are deploying new technologies without taking adequate measures to protect their cyber assets from attack. The report compiles data from responses to an electronic survey of 200 IT security executives in the power, oil, gas and water sectors in 14 countries. Nearly half of the electricity sector respondents said they had found Stuxnet on their systems. A quarter of all respondents said their companies had been targeted by extortion attempts either through cyber attacks or with the threat of cyber attacks.
-http://www.informationweek.com/news/government/security/229401858
-http://news.cnet.com/8301-27080_3-20055091-245.html?tag=mncol;title
-http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf



********************** Sponsored Links: ***********************************

1) Don't Miss It! The 7th Annual Log Management Survey Webcasts, Part I & II

Part I, Monday, 4/25/11 at 1:00 PM EDT http://www.sans.org/info/76459 Sponsored By: ArcSight, LogLogic, LogRhythm, Splunk & Trustwave

Part II, Tuesday, 4/26/11 at 1:00 PM EDT http://www.sans.org/info/76464 Sponsored By: ArcSight, LogLogic, LogRhythm, Splunk & Trustwave

****************************************************************************

THE REST OF THE WEEK'S NEWS

Adobe Patches Critical Flaw in Reader (April 21, 2011)

Adobe issued a patch for a critical flaw in its Reader and Acrobat products ahead of schedule. While a patch for the same flaw in Flash Player was made available on April 15, Adobe had said it would have the fix for Reader available the week of April 25. Adobe says that the flaw is being actively exploited against Flash Player, Reader and Acrobat. The updates for Reader and Acrobat also fix another critical flaw in both products that is not presently being exploited.
-http://www.computerworld.com/s/article/9216062/Adobe_patches_Reader_bug_early_as_PDF_attacks_begin?taxonomyId=17

-http://www.adobe.com/support/security/bulletins/apsb11-08.html

Guilty Plea in Carder Case (April 21, 2011)

Rogelio Hackett Jr., from Lithonia, Georgia, has pleaded guilty to access device fraud and aggravated identity theft for his role in a scheme that racked up US $36 million in fraudulent charges using stolen credit card data. Hackett was arrested in 2009 for selling the stolen information online. A search of his home at the time turned up credit card data for more than 675,000 accounts.
-http://www.wired.com/threatlevel/2011/04/rogelio-hackett-guilty/
-http://www.pcworld.com/businesscenter/article/225898/us_man_pleads_guilty_to_366_million_worth_of_id_theft.html

Two Fired in Wake of Texas Breach (April 20, 2011)

An accidental leak of personal data has cost the heads of information security and of innovation and technology, and two other employees, their jobs at the Texas State Comptroller's office. The Social Security numbers (SSNs) and other sensitive data of more than 3.2 million Texas residents were inadvertently exposed on a publicly available website for more than 10 months. The data were sent to the comptroller's office from other state agencies and were supposed to have been encrypted, but were not. The data were then placed on a publicly accessible server.
-http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17

Guilty Plea in Phony Software Sales Case (April 20, 2011)

Jacinda Jones, from Ypsilanti, Michigan, has pleaded guilty to willful copyright infringement for selling counterfeit software over the Internet. Jones sold more than 7,000 copies of pirated software between July 2008 and January 2010. The companies affected by the sales include Microsoft, Adobe, and Symantec. The software had a retail value of more than US $2 million.
-http://www.csoonline.com/article/680058/us-woman-pleads-guilty-to-selling-counterfeit-software

-http://www.freep.com/article/20110420/NEWS05/110420058/Ypsilanti-woman-pleads-selling-counterfeit-software?odyssey=nav|head

Was Arrest of Former Cisco Employee Orchestrated? (April 20, 2011)

An executive at Multiven, an independent provider of third-party service and support for networking equipment, says that the arrest of Multiven founder Peter Alfred-Adekeye may have been orchestrated to "force a settlement of Multiven's antitrust lawsuit against Cisco." Alfred-Adekeye is a former Cisco Systems engineer who was arrested in May 2010 for allegedly breaking into the company's computer systems for purposes of commercial advantage. Multiven sued Cisco in 2008 for antitrust violations.
-http://www.theregister.co.uk/2011/04/20/cisco_engineer_hacking_arrest/
-http://www.computerworld.com/s/article/9216018/Cisco_accused_of_orchestrating_engineer_s_arrest?taxonomyId=17

Oak Ridge Attack (April 19 & 20, 2011)

The US Department of Energy's (DOE) Oak Ridge National Laboratory in Tennessee has shut down email systems and employee Internet access following the discovery of a cyber attack last week. The attack, which some have called an Advanced Persistent Threat (APT), appears to have targeted Oak Ridge and several other national laboratories in the US. The protective measures were taken after an investigation indicated that the attackers were trying to steal technical data. Investigators believe that they stole less than 1GB of data before the attack was thwarted. The attack gained its initial foothold on the laboratory system through spear phishing messages that appeared to come from the HR department regarding employee benefit changes. When the recipients clicked on the provided link, malware was downloaded to their systems. More than 10 percent of the employees who received the message said they clicked on the link; just two of those machines became infected with malware that lay dormant for a week before it started harvesting and sending data to a remote server. Lab deputy director Thomas Zacharia says that "one of [the] core competencies at the lab is cyber security research."
-http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/
-http://www.computerworld.com/s/article/9215962/Oak_Ridge_National_Lab_shuts_down_Internet_email_after_cyberattack?source=CTWNLE_nlt_dailyam_2011-04-20

-http://www.net-security.org/malware_news.php?id=1700
-http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/
[Editor's Note (Schultz): Spear phishing attacks such as the one against ORNL invariably succeed. Users are getting training concerning how to resist such attacks, but the training is not sufficient--it goes in one ear and goes out another. More radical (and possibly somewhat potentially traumatic) training such as inoculation training in which users are sent simulated messages and malware in training labs and loud noises go off if they open one of these messages is needed.]

Verizon 2011 Data Breach Investigations Report (April 18, 2011)

According to Verizon's 2011 Data Breach Investigations Report, the number of data breaches resulting from cyber attacks increased, but the total number of compromised records from breaches decreased. One explanation for the apparent contradiction is that there have been fewer large breaches and more attacks on smaller companies. Ninety-two percent of the attacks were launched by outsiders, an increase of 22 percent over the statistic in last year's report. The report notes a shift toward attacks on smaller companies that "haven't taken basic security considerations into account," according to Alex Hutton, principal for research and intelligence at Verizon. Also, the attackers appear to be stealing less information, perhaps in an effort to avoid attention. Physical attacks, like ATM and gas pump skimmers, made the top three methods of data theft for the first time.
-http://news.cnet.com/8301-27080_3-20055116-245.html?tag=mncol;title
-http://krebsonsecurity.com/2011/04/are-megabreaches-out-e-thefts-downsized-in-2010/

-http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

On page 6 of the report, Verizon addresses what it calls "scope creep" in the definition of APT. The following article addresses the hype surrounding the APT, and the idea that some companies have been using it as a catch-all explanation for attacks.
-http://www.pcworld.com/businesscenter/article/225541/verizon_advanced_persistant_threat_is_overblown.htmls


CLARIFICATION

Clarification:

In the April 19 edition of NewsBites, we ran a story about Lin Mun Poo, who recently pleaded guilty to possessing stolen credit and debit card numbers. While many of the stories circulating about this case focused on Lin Mun Poo accessing a computer at the Federal Reserve Bank of Cleveland, we would like to clarify that Lin Mun Poo gained access to just one test PC that was part of "a system that is used to test software and applications with fake data and information. The incident did not involve [the Federal Reserve Bank of Cleveland's] live production system." The charges against Lin Mun Poo stem from the large number of stolen credit card numbers found in his possession, and it should be noted that none of the stolen information came from the Federal Reserve Bank of Cleveland. One of Poo's victims was FedComp, a private company that provides data processing software to credit unions, which allowed him to access sensitive data at credit unions across the country.
-http://garwarner.blogspot.com/2010/11/lin-mun-poo-hacker-of-federal-reserve.html
-http://www.networkworld.com/news/2010/111910-hacked-federal-reserve-network-was.html



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/