
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #83

October 18, 2011


The BlackBerry Outage is the top story today because it marks the
beginning of the transformation in government and industry from
supporting only the BlackBerry platform to supporting all three.
Managing the security of a plethora of mobile platforms is going to be
a top priority of CIOs for months to come. See the Editor's Note after
that first story.
Alan

TOP OF THE NEWS

RIM Offering Apps and Support to Compensate for Three-Day BlackBerry Outage
SEC Guidelines for Cyber Breach and Risk Disclosure
Judge: Police Need Permission to Request Location Data

THE REST OF THE WEEK'S NEWS

US Officials Considered Cyber Attack on Libyan Radar System
Alleged LulzSec Member Pleads Not Guilty
NoScript Extension Now Available for Firefox for Android and Maemo
Cyber Attacker Targeting Japanese Defense Companies
Prison Sentence for Bringing Skimming Equipment Into UK
US $4.9 Billion Lawsuit Filed Over TRICARE Data Breach
Customers Can Opt Out of Verizon's New Tracking Policy


************************ Sponsored By Cisco Systems **********************

Webcast: Context-Aware Security for a BYOD Environment
November 8, 2011, 1 p.m. ET. Join Cisco (Pat Calhoun, VP/GM) and IDC (Chris Christiansen, VP) to discuss security for Bring Your Own Device (BYOD). Topics include primary BYOD security considerations, Cisco's SecureX approach for BYOD and the latest on Cisco AnyConnect, TrustSec for VXI, and IDFW.

http://www.sans.org/info/88874

**************************************************************************

TRAINING UPDATE

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011 17 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*********************************************************************************

TOP OF THE NEWS

RIM Offering Apps and Support to Compensate for Three-Day BlackBerry Outage (October 17, 2011)

In the wake of a three-day service outage last week, BlackBerry parent company Research in Motion (RIM) is offering compensation to its customers: consumers will receive free applications and enterprise customers will receive one month of free support.
-http://www.computerworld.com/s/article/9220900/RIM_offers_free_apps_support_following_outages?taxonomyId=83
-http://edition.cnn.com/2011/10/17/tech/mobile/blackberry-free-apps/index.html
[Editor's Note (Paller): This outage marks the beginning of the death throes for BlackBerry's long-held domination of corporate mobile IT. Since availability is one of the three pillars of security, security pros no longer can say that BlackBerry offers better security. A promising and fully implemented model of effective enterprise mobile security covering iPhones, iPads, and Android devices was presented at last week's National Cybersecurity Innovation Awards ceremony (press releases will come out over the next two weeks about the winners). The enterprise mobile security solution will be written up and briefed in a webcast in the next week or two. We'll announce the time at the top of NewsBites next week.]

SEC Guidelines for Cyber Breach and Risk Disclosure (October 13 & 14, 2011)

The US Securities and Exchange Commission (SEC) has issued guidelines designed to help companies figure out when they need to disclose cyber attacks and security risks. According to the guidelines, publicly traded companies must disclose significant cyber thefts and attacks; they must also report when they are at material risk of an attack.
-http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
-http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html
-http://www.informationweek.com/news/government/policy/231900861
-http://www.scmagazineus.com/sec-updates-disclosure-rules-to-include-breaches/article/214404/
-http://news.cnet.com/8301-1009_3-20120196-83/sec-orders-disclosure-of-potential-security-breaches/?tag=txt;title
-http://www.computerworld.com/s/article/9220922/Breach_reporting_Now_companies_have_to_do_it

Judge: Police Need Permission to Request Location Data (October 14 & 15, 2011)

The chief judge of the US District Court in Washington, DC, has said that law enforcement officers need to obtain permission, but do not need to obtain a warrant, to demand that mobile phone service providers surrender information that shows where a suspect used a particular mobile device. The order from Federal Judge Royce Lamberth overrides a lower court ruling that required police to have a warrant before requesting the data. Judge Lamberth said that police would have to explain to a judge how the information they are seeking is relevant to the investigation.
-http://www.msnbc.msn.com/id/44908876/ns/technology_and_science-security/#.Tpx-QHLZV8E
-http://www.theregister.co.uk/2011/10/15/warrantless_cellphone_tracking_ok/
[Editor's Note (Murray): The implication is that the police need not show probable cause. "Permission" of a court is usually called a "warrant" and implies a showing of probable cause. I can understand that investigators want anything that they can get. To them, the Fourth Amendment is simply a hurdle to be surmounted. We expect more of the courts. These abusive investigative techniques transfer the state's burden to prove guilt to the citizen to prove innocence.
(Paller): I disagree; there is wisdom and balance in Judge Lamberth's decision. ]


*********************** SPONSORED LINK: **********************************

1) Now Available ONDEMAND, SANS Ask The Expert Webcast: How Attackers Exploit Modern, Secure Wireless Networks FEATURING: Joshua Wright and Jesse Frankel. Please go to: http://www.sans.org/info/88879

****************************************************************************

THE REST OF THE WEEK'S NEWS

US Officials Considered Cyber Attack on Libyan Radar System (October 17, 2011)

Earlier this year, US officials considered launching a cyber attack against Libyan computer networks to disrupt early-warning radar systems that detect incoming aircraft. The plan was ultimately dropped due to concerns that it would establish a precedent for other countries to employ similar action. Other stumbling blocks included a lack of clarity about whether the president had the authority to approve the attack without first notifying Congress, and whether there was adequate time to conduct necessary reconnaissance and write the targeted attack code.
-http://www.wired.com/threatlevel/2011/10/us-considered-hacking-libya/

Alleged LulzSec Member Pleads Not Guilty (October 17, 2011)

Cody Kretsinger, an alleged member of the LulzSec underground hacking group, has pleaded not guilty to charges of conspiracy and unauthorized impairment of a protected computer. The charges stem from the massive attack on Sony Pictures Entertainment earlier this year. The indictment charges Kretsinger with using an SQL injection attack to steal confidential data from Sony's computer systems.
-http://www.reuters.com/article/2011/10/17/us-sony-hacker-idUSTRE79G5L120111017
The trial date has been set for the 13th of December.
-http://www.guardian.co.uk/technology/2011/oct/18/lulzsec-alleged-recursion-hacker-trial

NoScript Extension Now Available for Firefox for Android and Maemo (October 17, 2011)

There is now a NoScript extension available for Firefox on the Android and Maemo operating systems. The mobile version of the extension has many of the same features as the desktop version: users can blacklist sites and can configure JavaScript so that it does not run until the user taps an icon. The extension helps protect users from cross-site scripting and clickjacking attacks.
-http://news.cnet.com/8301-1009_3-20121517-83/noscript-now-locks-down-loose-javascript-on-android/?tag=mncol;txt
-http://www.computerworld.com/s/article/9220904/NoScript_security_tool_released_for_Android_Maemo?taxonomyId=77

[Editor's Note (Honan): As more and more people are now using their smartphones for browsing the web it is good to see such a good security tool as NoScript becoming available for this platform. Hopefully, other tools will follow suit. However it is sad to see that despite the decades of trying to play security catch up on the desktop platform we are starting to play the same game on the smartphone platform. ]

Cyber Attacker Targeting Japanese Defense Companies (October 16, 2011)

A cyber thief appears to have stolen information from the Society of Japanese Aerospace Companies (SJAC) that was subsequently used to launch a phishing attack against Kawasaki Heavy Industries Ltd. The text of the message that accompanied the malicious attachment was similar to an email that had been sent to other officials several hours earlier. The email appeared to come from an SJAC executive. A similar attack was launched against Mitsubishi Heavy Industries. Both Kawasaki and Mitsubishi are members of SJAC.
-http://www.yomiuri.co.jp/dy/national/T111015002242.htm

Prison Sentence for Bringing Skimming Equipment Into UK (October 14 & 17, 2011)

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow its operators to retrieve data captured by skimmers through Bluetooth from a distance of 100 meters. Beeckmann's sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.
-http://www.bbc.co.uk/news/technology-15312057
-http://www.h-online.com/security/news/item/Sentenced-German-engineer-modified-card-terminals-for-criminal-gangs-1362217.html

US $4.9 Billion Lawsuit Filed Over TRICARE Data Breach (October 13 & 14, 2011)

A class action lawsuit filed against TRICARE Health Management is seeking US $4.9 billion in damages as a result of a recently disclosed data security breach. Unencrypted backup tapes containing personally identifiable information of 4.9 million TRICARE beneficiaries were stolen from the parked car of an employee of a TRICARE business associate, Science Applications International Corp. (SAIC). The lawsuit names TRICARE, the US Department of Defense and Defense Secretary Leon Panetta as defendants; SAIC was not named as a defendant. The tapes contained Social Security numbers (SSNs), names and certain health data, in addition to other personal information. The lawsuit seeks US $1,000 in compensation for each victim and alleges that TRICARE violated the Privacy Act of 1974 and the Federal Administrative Procedures Act.
-http://www.nextgov.com/nextgov/ng_20111013_6702.php?oref=topnews
-http://www.govinfosecurity.com/articles.php?art_id=4158
[Editor's comment (Murray): This kind of negligence will further discourage the conversion to electronic healthcare records when most of the real leakage is from paper records and provider gossip about patients. Electronic healthcare records promise improved accuracy, efficiency, discipline, and control.
(Northcutt): According to Privacyrights.org, this is not the first or even second breach of records:
-https://www.privacyrights.org/data-breach]

Customers Can Opt Out of Verizon's New Tracking Policy (October 13 & 17, 2011)

Changes to Verizon Wireless's privacy policy mean that customers will have to opt out if they want to keep their browsing and location data from being logged and sold. The company will sell only anonymized data, but will use the data internally to provide targeted advertisements. The information could be used by third parties who want to send targeted advertising to certain demographic groups based on the information Verizon has. All users will receive advertisements, but those who participate will find them more relevant to their interests as described by their browsing and location data. Verizon will log sites visited, apps used and device location as well as information about the type of devices customers use.
-http://latimesblogs.latimes.com/technology/2011/10/verizon-now-tracking-web-browsing-habits-to-target-mobile-ads.html
-http://www.theregister.co.uk/2011/10/17/verizon_privacy/
-http://technolog.msnbc.msn.com/_news/2011/10/14/8322935-verizon-wireless-now-tracking-sharing-sites-you-visit

[Editor's Note (Murray): When service providers want to use information about the customer or use for a purpose which benefits them but not the customer, the rule should be "opt in." ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/