
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #38

May 13, 2011


The new White House cybersecurity plan (the first story in this issue) is a catalyst for rapid Congressional action to make the laws more responsive to current threats. Because the White House did an admirable job of meeting the goals of both Democrats and Republicans, there is a good chance of comprehensive legislation being passed this calendar year. The new initiative will be particularly welcomed by federal and contractor organizations that were frustrated by the waste of time and money demanded by the paper reporting required under the old FISMA legislation.

Alan

TOP OF THE NEWS

White House Reveals Cyber Security Plan
Proposed Anti-Piracy Bill Increases Government Authority
ICS-CERT Warns of Vulnerability in SCADA Products

THE REST OF THE WEEK'S NEWS

Flash Update Allows Simpler Management of Flash Cookies
Is Bypassing Chrome Sandbox a Flash Issue or a Chrome Issue?
DoJ Wants Providers to Store Location Data
Microsoft Patches Flaws in Windows Internet Name Server and PowerPoint
ACS:Law Attorney Fined for Violation of Data Protection Laws
Michaels Breach Affects Customers Across the Country
Three Year Prison Sentence for Attempted ATM Scheme


*****************************************************************

TRAINING UPDATE

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22 - September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, London, Austin, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY MANDIANT **************************

Be part of something more! MANDIANT is building a world-class threat detection and response organization and needs a few good men and women to join the Product Development and Professional Services teams in our DC, New York, Los Angeles and San Francisco offices. Check out open positions online at http://www.sans.org/info/77404

****************************************************************************

TOP OF THE NEWS

White House Reveals Cyber Security Plan (May 12, 2011)

A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country's critical infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments.
-http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-unveils-new-cybersecurity-plan/1
-http://www.csmonitor.com/USA/Politics/2011/0512/White-House-proposes-national-standards-for-cybersecurity
-http://whitehouse.blogs.cnn.com/2011/05/12/white-house-lays-out-cyber-security-proposal/
-http://www.informationweek.com/news/government/security/229500148

Proposed Anti-Piracy Bill Increases Government Authority (May 12, 2011)

Legislation introduced in the US Senate would increase the government's authority to disrupt the availability of and close down websites that are "dedicated to [copyright] infringing activities." The Protect IP Act, sponsored by 11 senators, would grant the government the power to bring lawsuits against the websites and obtain court orders prohibiting search engines from returning the sites in their results.
-http://www.wired.com/threatlevel/2011/05/protect-act/
-http://news.cnet.com/8301-13578_3-20062419-38.html

ICS-CERT Warns of Vulnerability in SCADA Products (May 11 & 12, 2011)

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory warning of a stack overflow vulnerability in Iconics Genesis32 and VizBiz supervisory control and data acquisition (SCADA) products. The flaw lies in an ActiveX control, GenVersion.dll. It could be exploited to allow remote code execution. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10873
-http://www.us-cert.gov/control_systems/pdf/ICSA-11-131-01.pdf
-http://www.theregister.co.uk/2011/05/12/critical_iconics_scada_bug/
-http://www.v3.co.uk/v3-uk/news/2070468/government-brings-memories-stuxnet-warning-scada-attacks
-http://www.scmagazineus.com/industrial-control-systems-at-risk-ics-cert-warns/article/202673/



************************** SPONSORED LINK ********************************

1) REGISTER NOW for the upcoming SANS Webcast: Security of Applications: It Takes a Village. Featuring Dave Shackleford and Brad Arkin. Tuesday, May 24th, Start Time: 1:00 PM ET (1700 UTC/GMT). Sponsored by: Adobe Systems, Inc. http://www.sans.org/info/77409

****************************************************************************

THE REST OF THE WEEK'S NEWS

Flash Update Allows Simpler Management of Flash Cookies (May 12, 2011)

Adobe has released an update for Flash Player to address a number of security issues and give users a more manageable way to control web tracking. Flash Player 10.3 allows users to manage Flash cookies either through a new control panel or in browser privacy settings. Flash cookies, also known as Local Stored Objects, have made the news several times in the last few years when researchers noted that they were being used to track users' online behavior and that they have been difficult to remove. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10876
-http://www.computerworld.com/s/article/9216670/Adobe_Flash_update_puts_users_in_charge_of_privacy?taxonomyId=17

[Editor's Note (Ranum): "Do it wrong then incrementally try to get it right" is a much more expensive design process than "think about getting it right the first time." Adobe's painful lessons about the reality of security should serve as an object lesson to any business that develops software. ]

Is Bypassing Chrome Sandbox a Flash Issue or a Chrome Issue? (May 11 & 12, 2011)

Reports earlier this week said that a French security company had discovered a way to bypass Chrome's sandbox. Google engineers do not dispute the fact that the flaw exists, but they say that it resides not in Chrome, but in Adobe Flash, which is supported by the browser.
-http://www.informationweek.com/news/security/attacks/229500086
-http://gcn.com/articles/2011/05/11/ecg-google-engineers-blame-adobe-for-chrome-hack.aspx?admgarea=TC_SECCYBERSSEC

DoJ Wants Providers to Store Location Data (May 10 & 11, 2011)

The US Department of Justice wants wireless carriers to retain location data to be used in criminal investigations where that information would be crucial to solving the crime. Deputy Assistant Attorney General for the criminal division Jason Weinstein made the request at a hearing of the Senate Judiciary Committee Subcommittee of Privacy, Technology and the Law, which was called over concerns about iPhones storing location data without users' permission.
-http://www.informationweek.com/news/government/security/229500071
-http://news.cnet.com/8301-31921_3-20061472-281.html

Microsoft Patches Flaws in Windows Internet Name Server and PowerPoint (May 10 & 11, 2011)

On Tuesday, May 10, Microsoft released two security bulletins to address three vulnerabilities, one in Windows and two in Office. The first patches a flaw in Windows Internet Name Server that could be exploited to allow remote code execution. The second update addresses a pair of flaws in Microsoft PowerPoint that could also be exploited to allow remote code execution. Microsoft has not yet released a fix for the vulnerabilities in Mac Office. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10855
-http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
-http://www.informationweek.com/news/windows/security/229500013
-http://www.zdnet.com/blog/bott/patch-tuesday-updates-fix-a-trio-of-windows-7-sp1-glitches/3286
-http://www.computerworld.com/s/article/9216620/Microsoft_leaves_Mac_Office_users_in_the_lurch_says_researcher?taxonomyId=123

ACS:Law Attorney Fined for Violation of Data Protection Laws (May 10, 2011)

The UK Information Commissioner's Office (ICO) has fined ACS:Law GBP 1,000 (US $1,627) for failing to adhere to data protection laws. The company gained notoriety for accusing people of illegal filesharing based on their IP addresses. None of the cases ever came to court, and some questioned whether or not ACS:Law had the authority to bring the lawsuits in the first place. The company has ceased operations and would have been fined considerably more, but the judge in the case chose to fine Andrew Crossley as an individual rather than the company. The fine is being imposed because of a breach that was an after-effect of a distributed denial-of-service attack launched against the firm's website.
-http://www.theregister.co.uk/2011/05/10/acslaw_ico_fine/
-http://www.bbc.co.uk/news/technology-13358896
[Editor's Note (Schultz): Here we go again--a minuscule fine for an egregious offense. ]

Michaels Breach Affects Customers Across the Country (May 10, 2011)

Craft store chain Michaels now says that point of sale terminals at stores across the country have been tampered with, compromising customers' financial information. The thieves appear to have been after payment card data. The issue first arose in the Chicago area, but the company now says that compromised payment terminals have been found at stores across the US. Michaels discovered the situation after they were informed by authorities that fraudulent payment card transactions had been traced to cards used at certain of its stores. An official statement from Michaels says that fewer than 90 PIN pads were found to have been affected.
-http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/
-http://demandware.edgesuite.net/aaeo_prd/on/demandware.static/Sites-Michaels-Site/Sites-Michaels-Library/default/v1305118810137/documents/press-releases/051011-Michaels-Shares-New-Information-In-Pin-Pad-Tampering-Investigation-NOTICES.pdf

[Editor's Note (Northcutt): This is a horrific problem. By inserting themselves in the supply chain, and impacting the PIN pad, they make the retailer contribute to a data breach even when the retailer has no lapse in security procedure. Krebs points out this happened to a grocer as well:
-http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes ]

Three Year Prison Sentence for Attempted ATM Scheme (May 9, 2011)

Thor Alexander Morris has been sentenced to three years in prison for his attempt to steal up to US $200,000 from automatic teller machines in Texas. Morris's plan started coming apart after he contacted someone seeking help in locating ATMs with known vulnerabilities; the contact, an ex-con, provided information about Morris's request to federal authorities. Morris's plan involved reprogramming the ATMs to dispense $20 bills in place of US $1 bills.
-http://www.theregister.co.uk/2011/05/09/atm_hacker_sentenced/
-http://www.itnews.com.au/News/257067,atm-hacker-gets-three-years-prison.aspx


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/