SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #73

September 13, 2011

Cybersecurity Innovation Winners - You Are Invited
The winners of the 2011 National Cybersecurity Innovation Awards have
been chosen; they will be recognized and will present the lessons they
learned at the NCIC in October. These winners targeted the advanced
persistent threat (with remarkable results) and cloud security and
mobile security and developing security skills. These are extraordinary
people doing remarkable things and the NCIC is probably the only chance
you'll have to learn what they did and what they learned along the way.
The top cyber officials from both NSA-IAD and DHS have agreed to keynote
the program. Probably the most valuable time any security manger or
security architect can spend this fall because it will save you months
of looking for ways to improve security while cutting costs and give you
the cover to get the innovations implemented at your organization. In
light of the new OMB memorandum on how federal CIOs will be measured,
that type of innovation is central to CIO success.

Register at http://www.sans.org/ncic-2011/
Alan

---

TOP OF THE NEWS

Senator Introduces Data Protection Legislation
GlobalSign to Resume Issuing New SSL Certificates
Linux Foundation Breach Likely Related to Kernel.org Breach in August

THE REST OF THE WEEK'S NEWS

British Telcom and International Government Programmers Win Secure Coding Contest
Woman May Sue Toyota Over Scary Ad Campaign
Microsoft Pulls App Over Data Privacy Concerns
Vending Machine Company Point-of-Sale Breach Affects 40,000
Fourteen-Year Sentence in Stolen Credit Card Case
Certificate Hacker Claims He Can Issue Fake Microsoft Updates
Apple Updates OS X Trusted Root List to Exclude DigiNotar
Draft Text of Microsoft Security Bulletins Inadvertently Posted for Short Time
Five Indicted in Connection with Website Offering Pirated Content

---

****************** Sponsored By Tufin Technologies *********************

Are you implementing SANS 20 Critical Security Controls? Tufin Security Suite automates firewall configuration change management and auditing so you can support the Critical Controls quickly and easily, while cutting costs by as much as 50%.

http://www.sans.org/info/86779

**************************************************************************

TRAINING UPDATE

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle,
http://www.sans.org/baking-security-applications-networks-2011/

- -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
http://www.sans.org/ncic-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonia, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --Looking for training in your own community?
http://:www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Senator Introduces Data Protection Legislation (September 12, 2011)

Senator Richard Blumenthal (D-Connecticut) has introduced legislation that would require organizations with more than 10,000 customers to adopt guidelines that will ensure make that customer data are securely stored. The Personal Data Protection and Breach Accountability Act would also require organizations to notify customers "without reasonable delay" when their personal information has been compromised. Violations could result in significant fines. The bill would allow customers to sue companies that do not take adequate steps to protect their information.
-http://www.scmagazineus.com/new-senate-bill-aims-to-prevent-deter-data-breaches/
article/211858/
-http://www.msnbc.msn.com/id/44491737/ns/technology_and_science-security/#.Tm6bme
zQp8E
[Editor's Note (Hoelzer): This could prove to be critical legislation for consumers. Outside of organizations covered by the GLBA privacy rule, HIPAA, FERPA and some industry adopted standards like the PCI DSS, there is currently very little oversight when it comes to the handling of private consumer data. Unless consumers mount individual or class action claims for negligence as a result of the lack of due care, there's no real accountability. The lesson for businesses may be that if you don't fix the problem yourself you may find the problem legislated, which generally isn't good for anyone!
(Schultz): I fear that this proposed legislation will have little chance of success. Strong opposition based on the claim that this kind of legislation would be excessively costly to businesses is bound to surface.
(Ranum): If you read SANS NewsBites, as I do, you'll no doubt have noticed that the underlying cause of data leakage is not that it's "securely stored" it's that it's duplicated into too many people's hands - - people who proceed to copy it to a thumb drive or laptop which is then lost. The problem is not securing a copy of the data; it's securing data against copying.
(Murray): I agree with MJR; the pendulum needs to swing back in the direction of "need to know" and "least privilege." For the same reasons that copying has become so easy, we really do not need it. ]

GlobalSign to Resume Issuing New SSL Certificates (September 12, 2011)

Belgian certificate authority GlobalSign plans to resume issuing certificates on Tuesday, September 13. GlobalSign temporarily ceased issuing new SSL certificates after an attacker claimed to have infiltrated that company's system. A successful attack against Dutch certificate authority DigiNotar resulted in at least 531 fraudulent certificates being issued. GlobalSign is still investigating the alleged attacker's claims. It is conducting an internal audit and has brought in a third-party consultant to review its systems as well. GlobalSign has acknowledged that an "isolated" server was compromised.
-http://www.bbc.co.uk/news/technology-14879998
-http://www.computerworld.com/s/article/9219914/GlobalSign_set_to_reopen_Tuesday_
despite_web_server_hack?taxonomyId=17
-http://www.theregister.co.uk/2011/09/12/globalsign_security_breach/
-http://www.globalsign.com/company/press/090611-security-response.html

Linux Foundation Breach Likely Related to Kernel.org Breach in August (September 12, 2011)

The Linux Foundation is advising all users to change their passwords following a data security breach. LinuxFoundation.org, Linux.com and all associated subdomains were offline; visitors instead are seeing messages that the September 8 security breach is likely related to the late August compromise of kernel.org. The affected systems are undergoing auditing. The Linux Foundation message says that it is "in the process of restoring services in a secure manner as quickly as possible." Users are being advised that all passwords and SSH keys they have used on the site should be considered compromised.
-http://www.informationweek.com/news/security/attacks/231601225
-http://www.eweek.com/c/a/Security/Linux-Foundation-Linuxcom-Hacked-in-Kernelcom-
Breach-504793/
-http://www.v3.co.uk/v3-uk/news/2108450/linux-sites-security-breach
-http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/86784

2) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. http://www.sans.org/info/86789

3) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST http://www.sans.org/info/86794

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

British Telcom and International Government Agency Programmers Win Secure Coding Contest

Two winners were announced yesterday, in SANS' international secure coding competition. A total of 130 people from 11 countries competed. The winners received iPad2s and a real sense of accomplishment. The second round of the competition (Java only) will be held at JavaOne and a third will be open to all Java and .NET programmers. In addition any company or agency with at least 50 programmers may have their programmers measure their skills using the same assessment, at no cost. Email Mark for more info. mprocino@sans.org

Woman May Sue Toyota Over Scary Ad Campaign (September 9 & 12, 2011)

A lawsuit filed by a woman who was unwittingly a target in a Toyota Matrix advertising campaign may proceed. Amber Duick filed the lawsuit in 2009 after she was targeted in an ad campaign designed to "punk" people. A friend signed her up without her knowledge, and she began receiving alarming emails from a stranger who appeared to have access to some of her personal information, including her home address. The advertising company behind the campaign went so far as to create social networking pages for the fictional characters used in the stunt. Toyota sought to have the case dismissed, claiming that Duick had clicked on an online terms-of-service agreement that allowed the company to send the emails and provided for arbitration as a means of resolving any disputes that arose. But a California appellate judge ruled that Duick was induced to click on the agreement under false pretenses, which made the provisions invalid. The court's ruling found that the defendants, which include Toyota, the advertising company responsible for the campaign and 50 associated individuals, "misrepresented and concealed (whether intentionally or not) the true nature of the conduct to which Duick was to be subjected."
-http://www.wired.com/threatlevel/2011/09/toyota-punkd/
-http://www.businessinsider.com/toyota-gets-taken-to-court-for-a-pr-prank-gone-te
rribly-wrong-2011-9
-http://www.wired.com/images_blogs/threatlevel/2011/09/Duick-v.-Toyota.pdf
[Editor's Comment (Northcutt): Sounds like Toyota has hired the think-outside-the-box team from Sony. Only thing missing is installing a root kit on Duick's computer to monitor her keystrokes. I hope the lawsuit is successful and it has many zeros attached to the judgment. ]

Microsoft Pulls App Over Data Privacy Concerns (September 12, 2011)

Microsoft has pulled an app from its Windows Phone marketplace over concerns about user privacy. The AVG Mobilation for Windows Phone 7 sends users' location data to an AVG server. The application is designed, in part, to help users locate lost phones, so this in itself is not surprising, but the app sends the phone's serial number and other personal and device information along with device position data. AVG launched the application last week; it was created to detect and remove malware on Windows Phones. The company says users have the option of disabling the geotracking feature. It was also observed that there does not appear to be any malware reported on Windows Phones, bringing into question the need for an antivirus app.
-http://www.h-online.com/security/news/item/Microsoft-removes-anti-virus-app-from
-Windows-Phone-marketplace-1341231.html
-http://news.cnet.com/8301-1009_3-20104813-83/avg-defends-mobile-app-after-remova
l-by-microsoft/?tag=mncol;title

Vending Machine Company Point-of-Sale Breach Affects 40,000 (September 12, 2011)

A vending machine company has acknowledged a data security breach that affects as many as 40,000 people. Wisconsin-based Vacationland Vendors said that an intruder gained access to its point-of-sale systems at several water parks between December 12, 2008 and May 25, 2011. The intruder was able to access the part of the system that processed payment card transactions conducted at Wilderness Resorts water parks in Wisconsin and Tennessee. Vacationland Vendors did not say how it learned of the breach, nor did it say whether or not affected customers have been notified.
-http://www.computerworld.com/s/article/9219945/Vending_machine_company_announces
_major_data_breach?taxonomyId=17
-http://www.jsonline.com/business/129673573.html
-http://www.vacationlandvendors.com/CC%20Notice%20for%20Website.htm

Fourteen-Year Sentence in Stolen Credit Card Case (September 12, 2011)

An Indiana man has been sentenced to 14 years in prison for running a scheme that involved selling cloned payment cards over the Internet. Tony Perez III pleaded guilty to wire fraud and aggravated identity theft in April. While serving a search warrant at Perez's home in June 2010, authorities discovered equipment and supplies that could be used to manufacture credit cards along with stolen data on 21,000 credit card accounts. The credit card numbers found in Perez's home have been linked to more than US $3 million in fraudulent transactions.
-http://www.scmagazineus.com/online-id-thief-sentenced-to-14-years/article/211853
/

Certificate Hacker Claims He Can Issue Fake Microsoft Updates (September 12, 2011)

The man claiming responsibility for attacks on SSL certificate authorities says he has the capability to issue phony Microsoft Windows Updates. In a story last week, Microsoft said that malware could not be pushed out to users through Windows Update. Microsoft also issued an update designating DigiNotar certificates as untrustworthy.
-http://news.cnet.com/8301-1009_3-20104883-83/comodohacker-i-can-issue-fake-windo
ws-updates/?tag=mncol;title
[Editor's Note (Ranum): Parsing carefully: "malware could not be pushed out to users through Windows Update" does not say that malware could not be pushed out to users by a site pretending to be Windows Update via a man-in-the-middle attack. ]

Apple Updates OS X Trusted Root List to Exclude DigiNotar (September 9 & 10, 2011)

Apple has released an update to remove DigiNotar the list of trusted root certificates for the Snow Leopard and Lion versions of Mac OS X. Apple also removed DigiNotar from the list of Extended Validation (EV) certificate authorities and reconfigured default system settings not to trust DigiNotar certificates. Apple has not yet taken steps to remove the certificates from iOS, meaning that iPhones and iPads are still vulnerable to attacks using fraudulent certificates.
-http://www.theregister.co.uk/2011/09/09/apple_purges_diginotar_certificates/
-http://www.h-online.com/security/news/item/Apple-releases-updates-for-DigiNotar-
SSL-debacle-1340601.html
-http://support.apple.com/kb/HT4920

Draft Text of Microsoft Security Bulletins Inadvertently Posted for Short Time (September 9 & 12, 2011)

On Friday, September 9, Microsoft accidentally published the draft text of the five security bulletins slated to be released on Tuesday, September 13. The bulletins contain detailed information about security updates. While the bulletin information was available, the actual updates were not. The draft text of the bulletins was available briefly - - Microsoft removed them within an hour.
-http://arstechnica.com/microsoft/news/2011/09/microsoft-posts-security-bulletins
-four-days-early-scrambles-to-fix-mistake.ars
-http://www.computerworld.com/s/article/9219885/Whoops_Microsoft_leaks_patch_info
_four_days_early?taxonomyId=85
-http://www.theregister.co.uk/2011/09/12/ms_spills_patch_tuesday_low_down/

Five Indicted in Connection with Website Offering Pirated Content (September 9, 2011)

Five people have been indicted for their alleged involvement with NinjaVideo.net, a website that allowed people to download television programs and movies that had not yet been released to DVD. NinjaVideo was operational from February 2008 until it was shut down by authorities in June 2010. The site allowed free access to some digital content. For a US $25 "donation" people could also access a larger repository of films, software and other digital content.
-http://www.computerworld.com/s/article/9219896/Grand_jury_indicts_alleged_video_
download_site_operators?taxonomyId=144

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/