SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #76

September 23, 2011

TOP OF THE NEWS

Researchers to Demonstrate Flaw in Browser Security Protocol
Senate Judiciary Committee Approves Three Cyber Security Bills
California Legislators Approve Bill Requiring Warrant to Search Mobile Devices
Lawsuit Challenging Warrantless Wiretapping May Proceed

THE REST OF THE WEEK'S NEWS

Report: Location-Based Tracking Should Require Warrants
Three Indicted for Wardriving Scheme in Seattle
Man Arrested in Connection with Sony Pictures Entertainment Data Theft
Adobe Releases Out-of-Cycle Patch for Flash
Malware Found on Japanese Military Contractor's Computers
Cyber Thieves Used 3-D Printer to Manufacture Skimmer Overlays


***************** Sponsored By Tufin Technologies ***********************

Are you implementing SANS 20 Critical Security Controls? Tufin Security Suite automates firewall configuration change management and auditing so you can support the Critical Controls quickly and easily, while cutting costs by as much as 50%. Link to http://www.sans.org/info/87344

**************************************************************************

TRAINING UPDATE

-- The National Security Architecture Workshop, DC, Sept. 29-30, 2011. 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle.
http://www.sans.org/baking-security-applications-networks-2011/

-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011. 3 tracks - Cloud Computing, Continuous Monitoring and Enterprise Mobile Security training.
http://www.sans.org/ncic-2011/

-- SANS Chicago 2011, Chicago, IL, October 23-28, 2011. 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security.
http://www.sans.org/chicago-2011/

-- SANS Seattle 2011, Seattle, WA, November 2-7, 2011. 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC.
http://www.sans.org/seattle-2011/

-- SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011. 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home.
http://www.sans.org/san-francisco-2011/

-- EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

-- SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011. 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

-- SANS London 2011, London, UK, December 3-12, 2011. 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

-- SANS CDI 2011, Washington, DC, December 9-16, 2011. 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

-- Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

TOP OF THE NEWS

Researchers to Demonstrate Flaw in Browser Security Protocol (September 19, 20 & 21, 2011)

A pair of researchers has cracked a ubiquitous browser encryption protocol. Thai Duong and Juliano Rizzo have found a vulnerability in versions 1.0 and earlier of transport layer security (TLS), the successor to secure sockets layer (SSL); the vulnerability also exists in SSL version 3. The flaw can be exploited to decrypt information flowing between a web server and a user's browser. The researchers plan to demonstrate their findings with a tool they call BEAST (Browser Exploit Against SSL/TLS) at a conference in Argentina. Opera has already released a patch for the flaw, and Google has added a fix to its most recent developer version of Chrome.
-http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
-http://informationweek.com/news/security/vulnerabilities/231601759
-http://news.cnet.com/8301-30685_3-20108633-264/researchers-to-detail-hole-in-web-encryption/
-http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/
[Editor's Note (Pescatore): This vulnerability has been known about for a long time but browsers/servers have been slow to push out fixes since so many browser-based apps break. This should serve to push those upgrades forward, just the way Dan Kaminsky's DNS cache poisoning exposure in 2008 gave a push to finally fixing some well known DNS vulnerabilities and helped accelerate movement to DNSSEC. ]
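Pescatore's point is that the fix is a protocol upgrade, so the first thing a defender wants is a measure of how much traffic still negotiates the affected versions (SSL 3 and TLS 1.0). The following is an added example, not code from the newsletter or from the BEAST researchers: it parses web-server access logs that record the negotiated protocol and cipher, counts connections per protocol, and lists the clients still on affected versions. The log format is an assumption (an Apache LogFormat of `%h %t "%r" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x`), and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Protocol versions the news item reports as affected: SSL 3 and TLS 1.0
# (and earlier). These are the names mod_ssl/OpenSSL write into the log.
AFFECTED = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed sample log in the assumed format
# "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x" (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 [23/Sep/2011:10:01:02 +0000] "GET /login HTTP/1.1" 200 TLSv1 AES128-SHA
10.0.0.7 [23/Sep/2011:10:01:05 +0000] "POST /api HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.9 [23/Sep/2011:10:01:09 +0000] "GET / HTTP/1.1" 304 SSLv3 RC4-SHA
10.0.0.5 [23/Sep/2011:10:02:11 +0000] "GET /account HTTP/1.1" 200 TLSv1 AES256-SHA
10.0.0.11 [23/Sep/2011:10:02:30 +0000] "GET / HTTP/1.1" 200 TLSv1.1 AES128-SHA
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Return (per-protocol counts, affected connections, number of unparsed lines).

    Each affected connection is a (client host, protocol, request) tuple so the
    result can be fed into a ticket or a follow-up query.
    """
    counts = Counter()
    affected = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, but never silently drop, malformed lines
            continue
        counts[rec["proto"]] += 1
        if rec["proto"] in AFFECTED:
            affected.append((rec["host"], rec["proto"], rec["request"]))
    return counts, affected, unparsed


def affected_share(counts):
    """Fraction of parsed connections that used an affected protocol version."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[p] for p in AFFECTED) / total


def legacy_clients(affected):
    """Sorted, de-duplicated list of client hosts still negotiating affected versions."""
    return sorted({host for host, _proto, _req in affected})


if __name__ == "__main__":
    counts, affected, unparsed = summarize(SAMPLE_LOG)
    print("connections per protocol:", dict(counts))
    print("share on affected versions: %.0f%%" % (100 * affected_share(counts)))
    print("clients to upgrade:", legacy_clients(affected))
    print("unparsed lines:", unparsed)
```

Run against a real log the share tells you how disruptive disabling TLS 1.0 and SSL 3 on the server would be, and the client list tells you who to contact first; the unparsed count is there so a changed log format shows up as a number rather than as a silently empty report.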

Senate Judiciary Committee Approves Three Cyber Security Bills (September 22, 2011)

The US Senate Judiciary Committee has approved a bill that would establish a national standard for data breach notification and impose harsh penalties for damaging computers that are part of the country's critical infrastructure. The committee also passed two other bills dealing with cyber security issues.
-http://www.bloomberg.com/news/2011-09-22/senate-panel-approves-bill-aimed-at-thwarting-computer-attacks.html
-http://www.nextgov.com/nextgov/ng_20110922_3133.php?oref=topnews

California Legislators Approve Bill Requiring Warrant to Search Mobile Devices (September 21, 2011)

The California state legislature has passed a bill that would require law enforcement agents to obtain a warrant before searching the mobile devices of people who are arrested. The law enforcement agents would be required to obtain warrants when they have probable cause to believe that the phone in question contains pertinent evidence. The law also contains a section that bars the state and others from subpoenaing journalists' unpublished notes and other sensitive, work-related information. If the governor signs the bill into law, it would override a January 2011 California Supreme Court ruling.
-http://edition.cnn.com/2011/09/20/tech/mobile/california-phone-search-law/index.html

[Editor's Note (Schultz): Mobile device-related legislation is rare. It will be interesting to discover what, if any, difference this proposed legislation will make if it is passed. (Murray): A law implementing common sense to overcome a very unwise ruling by a court. While it is true that mobile computing devices may contain evidence, they will contain irrelevant but sensitive personal information. Any evidence will not go away while the police demonstrate probable cause. ]

Lawsuit Challenging Warrantless Wiretapping May Proceed (September 21, 2011)

The 2nd US Circuit Court of Appeals has ruled that a lawsuit challenging the constitutionality of a federal law that allows warrantless wiretapping may proceed. The plaintiffs, a coalition of groups and attorneys concerned with civil liberties, are challenging the 2008 Foreign Intelligence Surveillance Act (FISA). The government maintains that the plaintiffs lack the necessary legal standing to bring the suit.
-http://www.wired.com/threatlevel/2011/09/fisa-amendment-challenge/
-http://www.ca2.uscourts.gov/decisions/isysquery/4f6522c7-1cdf-4a9f-b1de-10d9db18396f/1/doc/09-4112_complete_enbanc_opn.pdf#xml=http://www.ca2.uscourts.gov/decisions/isysquery/4f6522c7-1cdf-4a9f-b1de-10d9db18396f/1/hilite/



*************************** SPONSORED LINKS ******************************

1) Protecting Federal Systems and Advanced Persistent Threats, featuring security expert and speaker, G. Mark Hardy, September 28, 1 PM EST. http://www.sans.org/info/87349

2) SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder. http://www.sans.org/info/87354

****************************************************************************

THE REST OF THE WEEK'S NEWS

Report: Location-Based Tracking Should Require Warrants (September 21, 2011)

A report from the Constitution Project's Liberty and Security Committee says that law enforcement agents should have to obtain warrants based on probable cause before using location-based tracking. The report also urges legislators to amend the Electronic Communications and Privacy Act (ECPA) to require probable cause warrants before cell phone location data can be accessed.
-http://www.computerworld.com/s/article/9220185/Group_urges_U.S._to_require_warrants_for_location_based_tracking?taxonomyId=17

Three Indicted for Wardriving Scheme in Seattle (September 21 & 22, 2011)

Three people have been indicted in Seattle, Washington in connection with a scheme that involved wardriving and physical break-ins to install malware on computer systems of area businesses. Joshuah Allen Witt, Brad Eugene Lowe and John Earl Griffin have been charged with damaging computers, access device fraud, aggravated identity theft and several other offenses. The group allegedly stole financial information and tampered with payroll systems to cause payments to be sent to accounts they had established. The three appear to have been ingenious in covering their tracks; in some cases, they were able to eavesdrop on exchanges the victimized businesses had with law enforcement agents. Some employees of the victimized companies found that their automatically deposited paychecks had been rerouted to a bank in North Dakota. The fraudulent transactions that the alleged thieves conducted with the stolen money were traced to several different IP addresses, but it turned out that they had been breaking into people's wireless systems to access the internet.
-http://www.latimes.com/news/nationworld/nation/la-na-wardrivers-20110922,0,3144733.story
-http://www.msnbc.msn.com/id/44626303/ns/technology_and_science-security/#.TntguuzQp8E
-http://www.seattlepi.com/local/article/Wi-Fi-hackings-a-warning-to-wireless-users-2182467.php
-http://www.justice.gov/usao/waw/press/2011/sep/wittlowegriffin.html

Man Arrested in Connection with Sony Pictures Entertainment Data Theft (September 22, 2011)

A Phoenix man has been arrested in connection with the theft of data from Sony Pictures Entertainment. Cody Andrew Kretsinger was indicted on charges of conspiracy and unauthorized impairment of a protected computer. The federal indictment alleges that Kretsinger and accomplices exploited vulnerabilities in Sony systems through an SQL injection attack. It also alleges that Kretsinger erased the hard drive of the machine with which he allegedly conducted the attack. The breach referred to in this case is one of several Sony suffered earlier this year. Kretsinger is believed to be a member of LulzSec, an offshoot of the Anonymous hacking collective.
-http://news.cnet.com/8301-1009_3-20110264-83/alleged-lulzsec-member-arrested-in-sony-breach/?tag=mncol;txt
-http://www.wired.com/threatlevel/2011/09/sony-hack-arrest/
-http://www.wired.com/images_blogs/threatlevel/2011/09/Cody-Andrew-Kretsinger-Indictment.pdf
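The indictment describes the entry vector only as "an SQL injection attack". For readers who want to see what that class of defect looks like next to its fix, here is an added illustration; it is not code from the indictment, from Sony's systems, or from the newsletter. It uses a constructed in-memory SQLite table, a lookup that splices user input into the query text (the defect), and the same lookup with a bound parameter (the fix), then shows that a tautology input returns every row from the first and nothing from the second.

```python
import sqlite3

# Constructed test input: a value that closes the quoted string and appends an
# always-true condition. It is the standard classroom illustration of the defect.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_email_vulnerable(conn, username):
    """The defect: the caller's string becomes part of the SQL text itself."""
    query = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn, username):
    """The fix: the value is bound as a parameter, so it can never be parsed as SQL."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(conn, username):
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for one input."""
    return find_email_vulnerable(conn, username), find_email_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("ordinary input:", compare(db, "alice"))
    print("tautology input:", compare(db, TAUTOLOGY))
```

For an ordinary username both lookups agree; for the tautology the vulnerable one returns the whole table while the parameterized one returns nothing, because the driver sends the value separately from the statement. Parameterization is the fix to reach for; escaping the input by hand is the approach that tends to be bypassed.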

Adobe Releases Out-of-Cycle Patch for Flash (September 21 & 22, 2011)

Adobe has released an out-of-cycle patch for several vulnerabilities in Flash Player. The newest version of Flash is 10.3.183.10 for desktop operating systems and 10.3.186.7 for Android. One of the flaws, a cross-site scripting vulnerability, is already being actively exploited. The update also addresses five other vulnerabilities.
-http://www.adobe.com/support/security/bulletins/apsb11-26.html
-http://www.h-online.com/security/news/item/Adobe-publishes-emergency-patch-to-fix-critical-Flash-vulnerabilities-1348193.html
-http://www.computerworld.com/s/article/9220186/Adobe_patches_Flash_bug_hackers_are_already_exploiting?taxonomyId=17
-http://www.theregister.co.uk/2011/09/21/emergency_adobe_flash_update/
-http://www.scmagazineus.com/flash-to-get-update-for-zero-day-bug/article/212515/
[Editor's Note (Murray): This really is not news. The news, if any, would be if a week went by when Adobe published no patches. ]

Malware Found on Japanese Military Contractor's Computers (September 21 & 22, 2011)

Malware has been detected on at least 80 computers at Mitsubishi Heavy Industries (MHI), a Japanese military weapons contractor. The attackers appear to have been targeting information about missiles, submarines and nuclear power plants. One report said that the company's systems were infiltrated through a spear phishing attack. MHI says that Stuxnet was not among the malware found on their systems.
-http://www.scmagazineuk.com/mitsubishi-heavy-industries-attack-puts-japans-defence-contractors-on-alert/article/212468/s/
-http://www.yomiuri.co.jp/dy/editorial/T110921004622.htm
-http://www.eweek.com/c/a/Security/Mitsubishi-Heavy-Network-Most-Likey-Compromised-by-SpearPhishing-Attack-335314/s

Cyber Thieves Used 3-D Printer to Manufacture Skimmer Overlays (September 20, 2011)

Brian Krebs reports that a group of cyber thieves used 3-D printers to replicate payment card skimming devices. The scheme netted the thieves more than US $400,000. For skimmers not to raise suspicion, the overlay devices need to blend in seamlessly with the existing hardware. Earlier this year, four men were indicted in federal court in connection with the skimming scheme in which a portion of their profits was used to purchase a 3-D printer. The printer builds three-dimensional models from two-dimensional computer images by applying layer after layer of specially engineered powder that is spread, heated and hardened until the object is rendered in 3-D.
-http://krebsonsecurity.com/2011/09/gang-used-3d-printers-for-atm-skimmers/
-http://krebsonsecurity.com/wp-content/uploads/2011/09/skimindictment.pdfs
-http://krebsonsecurity.com/wp-content/uploads/2011/09/skimmercomplaint.pdf
[Editor's Note (Murray): Technology keeps driving down the cost of counterfeiting. ]


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/