SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #81

October 11, 2011

TOP OF THE NEWS

US Military Drone Cockpit Computers Infected With Malware
AmEx Site Exposing Data
Calif. Governor Vetoes Bill That Would Have Required Warrant to Search Mobile Phones

THE REST OF THE WEEK'S NEWS

DOJ Used Secret Court Order to Obtain Data in WikiLeaks Investigation
Chaos Computer Club Says German Government Using Trojan to Snoop on Citizens
Royal Navy Halts Military Exercise-Related GPS Jamming in Scotland
Michigan to Develop Cyber Command Center
Judge Approves TD Ameritrade Breach Settlement
Chrome Extension Allows Cross-Platform Remote Desktop Access
Charges Brought Against 111 in Huge Identity Fraud Ring

---

**************** Sponsored By SANS' Analyst Papers **********************

Announcing THREE New SANS Analyst Papers in the SANS Reading Room!

http://www.sans.org/info/88424

- - Adding Enterprise Access Management to Identity Management by SANS Analyst, J. Michael Butler

- - Integrating Security into Development, No Pain Required by SANS Analyst and course author, Dave Shackleford

- - Oracle Database Firewall Review--Part I of a series of reviews on Oracle security products by SANS Oracle expert, Tanya Baccam

**************************************************************************

TRAINING UPDATE

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo, and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************ Sponsored Links: *******************************

1) Sign up today for Ask The Expert Webcast: How Attackers Exploit Modern, Secure Wireless Networks FEATURING: Joshua Wright and Jesse Frankel. Go to: http://www.sans.org/info/88429

****************************************************************************

---

TOP OF THE NEWS

US Military Drone Cockpit Computers Infected With Malware (October 7, 2011)

Malware has infected the cockpit computers of US Predator and Reaper drone aircraft. The infection was first detected several weeks ago, but overseas missions have continued. There have been several attempts to remove the malware from computers at Creech Air Force Base in Nevada, but so far they have not succeeded. The malware has keystroke-logging capabilities and has spread to both classified and unclassified computers. Drone aircraft have been used in reconnaissance and attack missions in recent wars. This is not the first time data security issues have been reported with the aircraft. Many of the drones in use do not encrypt the video images they send. Two years ago, many hours of drone footage was discovered on laptops that belonged to Iraqi insurgents.
-http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet

AmEx Site Exposing Data (October 7, 2011)

A cross-site scripting vulnerability detected in the American Express website exposes customer login data, which could be used to conduct phishing attacks. The flaw exists in a debugging function that is accessible over the Internet. The researcher who found the issue did not report the problem to American Express because the company did not have information for contacting them about security issues on their home page. American Express has removed the page in question and issued a statement saying that customer data were not at risk.
-http://www.h-online.com/security/news/item/Developer-function-enables-phishing-a
t-American-Express-1356513.html
-http://www.theregister.co.uk/2011/10/07/amex_website_security_snafu/
[Editor's Note (Liston): This is an issue that is near and dear to my heart. If you're going to have a presence on the Internet, it is INCUMBENT upon you to provide a working means for someone to contact you in the event that something to do with that presence goes whacky. DO NOT hide contact information. DO NOT make the person trying to contact you jump through stupid hoops -- the burden of maintaining the integrity of your site/server/system should be on YOU, not on the person trying to help you out. I just finished attempting to contact over 50 organizations about a security issue, and it was horribly time consuming and depressing; I'm almost positive that few if any of the emails I sent will actually be seen. If your brick-and-mortar storefront catches fire someone can get in touch with you... can you say the same thing about your "virtual" storefront?]

Calif. Governor Vetoes Bill That Would Have Required Warrant to Search Mobile Phones (October 10, 2011)

California Governor Jerry Brown has vetoed a bill that would have required law enforcement officers to obtain search warrants from a court before searching mobile devices in suspects' possession at the time of their arrests. Brown's message accompanying the veto cited a recent California Supreme Court decision that upheld warrantless searches of people who were arrested, writing, "The courts are better suited to resolve the complex and case-specific issues relating to constitutional search-and-seizure protections."
-http://www.wired.com/threatlevel/2011/10/warrantless-phone-searches/
-http://gov.ca.gov/docs/SB_914_Veto_Message.pdf
[Editor's Note (Liston): Yes, the courts are "better suited to resolving the complex and case-specific issues." That's why judges are the ones who issue search warrants - and why they're entrusted with ONLY Issuing them when searches will not violate citizen's rights.
(Murray): Involving the courts early is what this law was about. Involving them after the damage is done is not helpful. The courts are sufficiently tame that getting a warrant does not interfere with investigation. ]

---

THE REST OF THE WEEK'S NEWS

DOJ Used Secret Court Order to Obtain Data in WikiLeaks Investigation (October 10, 2011)

The US Justice Department's (DOJ) obtained secret court orders to gain to information about the accounts of former WikiLeaks spokesman Jacob Appelbaum from Google and Internet service provider (ISP) Sonic.net. The orders were obtained earlier this year and were only recently unsealed. Google was ordered to divulge the IP address Appelbaum used to access his Gmail account and the IP addresses of everyone with whom he communicated as far back as November 1, 2009. Sonic says it fought the order, but ultimately lost.
-http://www.wired.com/threatlevel/2011/10/doj-wikileaks-probe/
-http://news.cnet.com/8301-31921_3-20117919-281/justice-department-ramps-up-wikil
eaks-e-mail-probe/

Chaos Computer Club Says German Government Using Trojan to Snoop on Citizens (October 10, 2011)

The Chaos Computer Club (CCC) in Germany says it has found a Trojan horse program that it claims the government is using to snoop on citizens. The Bundestrojaner (Federal Trojan), a tool called Quellen-TKU, is allegedly being used to intercept VoIP communications in unencrypted form. A German government spokesperson acknowledged that federal and state authorities in the country have access to the software and said that government agencies must abide by legal guidelines if they choose to use it. CCC says that Quellen-TKU has vulnerabilities and may violate German constitutional law. Quellen-TKU also has the power to activate computer microphones and cameras.
-http://www.computerworld.com/s/article/9220677/German_government_s_Skype_spying_
tool_has_holes_hackers_say?taxonomyId=17
-http://news.cnet.com/8301-1009_3-20118194-83/hackers-say-german-officials-used-b
ackdoor-trojan/?tag=txt;title
-http://www.h-online.com/security/news/item/CCC-cracks-government-trojan-1357755.
html
-http://www.v3.co.uk/v3-uk/news/2115927/hacking-pins-info-stealing-trojan-german

Royal Navy Halts Military Exercise-Related GPS Jamming in Scotland (October 10 & 11, 2011)

Scottish fishermen found themselves without the use of their GPS devices during a European military exercise that jammed GPS signals. The Royal Navy had issued warnings that GPS would be unavailable in some parts of Scotland during the exercise, but some fishermen said they first they heard of it was when their devices went offline late last week. The Joint Warrior exercise is staged twice a year; there were no complaints during April's exercise. The jamming for the October exercise has been suspended in response to the complaints. The Scottish military and government say they took appropriate steps, and pointed a finger at the Ministry of Defence, which was responsible for disseminating the information. The exercise runs through October 17.
-http://www.bbc.co.uk/news/uk-scotland-highlands-islands-15242835
-http://news.scotsman.com/glasgow/Nato-exercise-ends-GPS-jamming.6850987.jp

Michigan to Develop Cyber Command Center (October 10, 2011)

The Michigan Cyber Initiative calls for the development of a Cyber Command Center to respond to cyber events. The center will be directed by the Michigan State Police as a component of the state's Emergency Operations Center and will build on the Michigan Intelligence Operations Center, which is responsible for threat detection and monitoring. The staff will be responsible for restoring computer systems that have come under attack and help ensure that networks are secure.
-http://www.govtech.com/policy-management/Michigan-Plans-Cyber-Defense-Squads.htm
l

Judge Approves TD Ameritrade Breach Settlement (October 10, 2011)

A final settlement in the TD Ameritrade data security breach case has been approved by a US District Court judge in California. The breach of a database in 2007 exposed personally identifiable information of 6.3 million customers of the financial services company. An earlier version of the settlement was scrapped because it did not provide "discernible" compensation for the plaintiffs. The final settlement allows customers whose information was used fraudulently to collect between US $50 and US $2,500; TD Ameritrade will pay out between US $1.5 million and US $6.5 million.
-http://www.scmagazineus.com/td-ameritrade-settles-lawsuit-over-major-breach/arti
cle/214042/

Chrome Extension Allows Cross-Platform Remote Desktop Access (October 8 & 9, 2011)

Developers have released a Chrome extension that allows users to remotely manipulate a desktop on a different computer. The beta version of Chrome Remote Desktop was released late last week. The extension is cross-platform, so users can connect machines running different operating systems. The current version of Chrome Remote Desktop requires users to grant permission every time it is activated. Once activated, the program can access all data on the remote computer.
-http://news.cnet.com/8301-30685_3-20117619-264/chrome-extension-enables-remote-c
omputer-control/
-http://www.pcworld.com/article/241555/google_releases_chrome_desktopsharing_feat
ure.html

Charges Brought Against 111 in Huge Identity Fraud Ring (October 7, 8 & 10, 2011)

Law enforcement authorities in the US have charged 111 people with various offenses for their alleged roles in what is being called the largest identity fraud ring bust in history. The group allegedly stole more than US $13 million in less than 18 months. The stolen credit card information came from skimmers, carder forums and other suppliers of purloined data. Authorities have arrested 86 people; 25 are not yet in custody. The gang also allegedly manufactured cloned payment cards using the stolen information and used the cards to make fraudulent purchases of expensive items which were then resold. The ring operated out of Long Island City, NY, but had international ties.
-http://www.computerworld.com/s/article/9220655/111_arrested_in_massive_ID_theft_
bust?taxonomyId=82
-http://www.bbc.co.uk/news/15227169
-http://www.informationweek.com/news/security/attacks/231900438

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/