SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #89

November 08, 2011

TOP OF THE NEWS

Mac App Store Will Require Sandboxing Support as of March 1, 2012
FBI Says Using Fake Cell Tower is Within Their Purview
The Significance of Naming Names
US Supreme Court to Hear GPS Tracking Forth Amendment Case

THE REST OF THE WEEK'S NEWS

Dutch Telecom KPN Halts SSL Certificate Issuing
Browser Makers Revoke Trust for Malaysian Intermediate CA SSL Certificates
BPI Asks BT to Block Pirate Bay
Cyber Atlantic 2011 Exercise Aimed at US/EU Collaboration
Microsoft Issues Workaround for Kernel Flaw Exploited by Duqu
Researchers Find Holes in Prison SCADA Systems
DoJ Withdraws Proposed Changes to FOIA Rules

---

************************** Sponsored By Corero *************************

White Paper: "DDoS Attacks: Coming to a Network Near You." DDoS attacks can inflict disastrous loss of revenue and reputation to organizations doing business on the Internet. This paper, written by network security analyst, Richard Stiennon, explains the newest attacks and how to mitigate the risk with DDoS Defense technology from Corero Network Security. http://www.sans.org/info/90911

**************************************************************************

TRAINING UPDATE

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

- --Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Sydney, Tokyo, Perth and Atlanta all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php **************************************************************************

---

TOP OF THE NEWS

Mac App Store Will Require Sandboxing Support as of March 1, 2012 (November 3 & 7, 2011)

Starting next March, applications submitted to be sold through Apple's Mac App Store must support Apple sandboxing. The deadline, which was announced in June, was initially slated for this month. Sandboxing has been voluntary until now. Some developers say that the requirement is going to prevent them from incorporating certain features into their applications.
-http://news.cnet.com/8301-1009_3-57318099-83/what-apples-sandboxing-means-for-de
velopers-and-users/
-http://news.techworld.com/applications/3316380/developers-fear-app-store-sandbox
ing-to-strip-out-useful-features/
[Editor's Note (Pescatore): Given the success of mobile platforms like the RIM Blackberry and the Apple iPhone/iPad, where one vendor controls both the hardware and the software, there is a major opportunity to move away from the old types of malware that plagued the PC. If doing so breaks some features, that's a good thing - users are willing to lose a few features to not have to worry about applications blowing up in their faces every time they click on something. ]

FBI Says Using Fake Cell Tower is Within Their Purview (November 3, 2011)

Federal authorities maintain that their use of a fake Verizon cell phone tower to conduct surveillance on a suspect can be considered a legitimate search under the Fourth Amendment. The spoofed tower device, known colloquially as a stingray, was used in a case involving an alleged identity thief. Stingrays conduct a man-in-the-middle attack, intercepting crucial mobile device data before transmitting it to a legitimate cell phone tower. An affidavit submitted by the FBI's tracking technology unit says that the stingray harvests only the equivalent of header data, and thus does not require a search warrant. The affidavit goes on to say that the stingray also collects the data from other devices in the same general location as the target, and that FBI policy requires that all data stored in the tool are purged once an operation has concluded.
-http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/

The Significance of Naming Names (November 7, 2011)

The report released last week by the Office of the National Counterintelligence Executive "mark
[ed ]
the first time the United States government has unequivocally stated, in emphatic and highly publicized fashion, that China and Russia are responsible for a pervasive electronic campaign to steal American intellectual property, trade secrets, negotiating strategies, and sensitive military technology." Journalist Shane Harris writes that "the release of this report may turn out to be the Internet's iron Curtain moment," comparing its effect to that of Winston Churchill's 1946 address.
-http://www.washingtonian.com/blogarticles/people/capitalcomment/21474.html
[Editor's Note (Pescatore): Actually, many *are* trying to equate this to the Iron Curtain/Cold War, hoping that the same types of budgets and spending will occur through overhype. This focus leads to $5,000 coffeepots, not higher levels of security.
(Northcutt): I tried to read this, but it wanted me to subscribe to the Washingtonian magazine first. Here is a USA Today version:
-http://www.usatoday.com/news/washington/story/2011-11-03/china-russia-cybersecur
ity/51065010/1
I do not think this will become an Iron Curtain moment:
-http://www.historyguide.org/europe/churchill.html]

US Supreme Court to Hear GPS Tracking Forth Amendment Case (November 7, 2011)

The US Supreme Court will hear arguments on Tuesday, November 8, in a case regarding the authority of law enforcement officers to surreptitiously place a GPS device on a vehicle to track a suspect's movements without obtaining a probable cause warrant from a judge. The government has argued in court briefs that "a person has no reasonable expectation of privacy in his movements from one place to another." The specifics of the case involve Antoine Jones, who was convicted and sentenced to life in prison for dealing cocaine. Police had tracked Jones for a month through a device they had affixed to his car. Jones' conviction and sentence were overturned by the US Court of Appeals for the District of Columbia, which said that the tracking was tantamount to an illegal search that violated Jones' Fourth Amendment rights. Other federal appeals courts have ruled that a warrant is not needed for GPS tracking. The Justice Department views GPS devices as being equivalent to the beeper devices that were used to track vehicles decades ago. The man who is credited for inventing the GPS has written an amicus brief, saying that the two devices are very different.
-http://www.wired.com/threatlevel/2011/11/gps-tracking-flourishes/all/1
[Editor's Note (Liston): Generally, I tend to always land on the "Fourth Amendment" side in these types of cases. However, in this situation, I really don't see how GPS surveillance is doing anything more than simply replacing an officer being assigned to follow a suspect, something for which a warrant is not required. ]

---

*********************** SPONSORED LINK: **********************************

1) Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/90916

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Dutch Telecom KPN Halts SSL Certificate Issuing (November 4, 6 & 7, 2011)

A Dutch telecommunications company has ceased issuing SSL certificates after discovering that the site through which the certificates are purchased had been compromised. A KPN spokesperson said that the certificate generating infrastructure appears not to have been affected, but an investigation has been launched. It appears that attackers may have placed tools used to launch distributed denial-of-service (DDoS) attacks on a KPN server; the attack may have taken place four years ago. KPN is the Netherlands' largest telecommunications company.
-http://www.computerworld.com/s/article/9221551/KPN_stops_issuing_SSL_certificate
s_after_possible_breach?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2123056/dutch-certificate-authority-kpn-suspends-
ssl-certs-breach
-http://www.h-online.com/security/news/item/Certificate-issuing-stopped-at-KPN-af
ter-server-break-in-discovered-1372339.html
-http://www.theregister.co.uk/2011/11/04/ssl_still_hopelessly_broken/
[Editor's Note (Murray): If a 512 bit RSA Key is the weak link in your security, you are very secure indeed. We use bigger keys because we can, not because we need them. Take security advice from cryptographers only after you act on their medical advice.
(Honan): A Certificate Authority that has been compromised for 4 years and another that is issuing insecure certificates clearly demonstrate that the trust model we currently rely on is in need of an urgent and major overhaul. We need to have better standards of security that CAs must adhere to and be independently verified or we need to quickly look at alternative solutions. ]

Browser Makers Revoke Trust for Malaysian Intermediate CA SSL Certificates (November 4, 2011)

Mozilla, Microsoft, and Google, whose browsers account for the lion's share of those used, are revoking trust in all SSL certificates issued by Malaysian intermediate certificate authority (CA) Digicert. The decision was made because Digicert issued 22 certificates with weak 512-bit keys, missing certificate extensions, and missing revocation information. Digicert received an intermediate CA certificate in July 2010; that certificate was issued by Texas-based Entrust. It should be noted that Digicert, the Malaysian company, is not associated with Utah-based CA DigiCert.
-http://www.computerworld.com/s/article/9221488/Mozilla_Microsoft_withdraw_trust_
in_Malaysian_intermediate_CA?taxonomyId=17
-http://www.theregister.co.uk/2011/11/03/certificate_authority_banished/

BPI Asks BT to Block Pirate Bay (November 4 & 7, 2011)

Following close on the heels of the movie industry's success in getting BT to block users' access to Newzbin 2, the music industry trade group BPI has sent a letter to BP asking it to block users' access to The Pirate Bay. The letter asks BT to block The Pirate Bay voluntarily within two weeks or face legal action. BT is likely to comply with the request only if it is backed up with a court order. BT started blocking Newzbin 2 to comply with a court order. BT was supposed to have begun blocking access to the site by November 2; while the company said it had the technology in place and planned to comply with the order, the site was reportedly still available "over a standard BT DNS-based broadband link."
-http://www.v3.co.uk/v3-uk/news/2123050/bpi-bt-block-pirate-bay-holders-flex-musc
les
-http://www.eweekeurope.co.uk/news/bt-asked-to-ban-pirate-bay-after-failed-ban-on
-newzbin-44967
-http://www.bbc.co.uk/news/technology-15598438

Cyber Atlantic 2011 Exercise Aimed at US/EU Collaboration (November 3 & 4, 2011)

The Cyber Atlantic 2011 Exercise was conducted on November 3. The event involved the EU and the US and helped both improve their international cyber incident response capabilities and their collaborative efforts. The exercise incorporated two attack scenarios. In the first, attackers tried to steal and post secret data from EU members' cyber security agencies. The second scenario involved the compromise of a supervisory control and data acquisition (SCADA) system that controlled European wind turbines. The exercise was orchestrated by the European Network and Information Security Agency (ENISA).
-http://www.informationweek.com/news/government/security/231902416
-http://www.zdnet.co.uk/news/security-threats/2011/11/03/eu-and-us-team-up-for-cy
bersecurity-exercise-40094358/
-http://www.theregister.co.uk/2011/11/04/joint_us_europe_cyber_war_drill/
-http://www.enisa.europa.eu/media/press-releases/first-joint-eu-us-cyber-security
-exercise-conducted-today-3rd-nov.-2011

Microsoft Issues Workaround for Kernel Flaw Exploited by Duqu (November 3 & 4, 2011)

Microsoft has issued a temporary workaround for a critical privilege elevation vulnerability in the Win32k TrueType font-parsing engine that is being exploited by the Duqu Trojan. The flaw affects all versions of Windows from XP through Windows 7. Successful exploitation of the flaw could allow attackers to "run arbitrary code in kernel mode." The workaround involves disabling support for embedded TrueType fonts. Microsoft plans to issue a patch for the flaw as soon as possible.
-http://news.cnet.com/8301-1009_3-57318309-83/microsoft-issues-temporary-fix-for-
critical-windows-hole/
-http://www.informationweek.com/news/security/vulnerabilities/231902375
-http://www.scmagazineus.com/microsoft-issues-workaround-for-duqu-malware/article
/216027/
-http://www.computerworld.com/s/article/9221516/Microsoft_releases_manual_fix_for
_Duqu_zero_day?taxonomyId=17
-http://www.h-online.com/security/news/item/Microsoft-releases-Duqu-bot-workaroun
d-1372093.html
-http://krebsonsecurity.com/2011/11/microsoft-issues-stopgap-fix-for-duqu-flaw/
-http://www.theregister.co.uk/2011/11/04/duqu_vuln_fix/
-http://support.microsoft.com/kb/2639658

Researchers Find Holes in Prison SCADA Systems (November 7, 2011)

According to three researchers, some control systems used at federal prisons are vulnerable to hijacking, potentially granting outsiders the ability to gain remote control over industrial control systems and programmable logic controllers allowing them to gain control of cell door mechanisms and internal communications. The attack was demonstrated at a conference in Miami late last month. The researchers provided their findings to prison authorities at the state and federal levels and the Department of Homeland Security (DHS) has confirmed those findings. The researchers found that some systems that were not supposed to be connected to the Internet in fact did have Internet connections, and those that did not have Internet connections could become infected with malware like Stuxnet brought in on a flash drive. Bill Brenner points out that "this isn't a new threat," and ponders where the balance can be struck between crying wolf and making sure problems are addressed.
-http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-abilit
y-to-open-prison-cells-from-afar.ars
-http://blogs.csoonline.com/1794/hacking_the_prison_useless_fiction_or_necessary_
fud
[Editor's Note (Murray): Imagine what our security might look like if we could harness the energy of these NVPs to work on solutions instead of spending their time identifying obscure, but sensational, vulnerabilities. ]

DoJ Withdraws Proposed Changes to FOIA Rules (November 3 & 4, 2011)

The US Department of Justice has withdrawn a proposal to revise the Freedom of Information Act (FOIA) rules that would have codified lying to the public about the existence of certain documents. The DoJ's proposed changes would have allowed the government to tell entities requesting documents that the documents do not exist if the agencies feel they should be withheld. The government already has the authority to invoke the "Glomar response," which allows them to "neither confirm nor deny" the existence of the requested documents.
-http://www.wired.com/threatlevel/2011/11/feds-drop-plan-to-lie/
-http://www.theregister.co.uk/2011/11/04/department_of_justice_agrees_not_to_lie/
-http://www.npr.org/blogs/thetwo-way/2011/11/04/142024547/justice-dept-drops-non-
disclosure-proposal-for-foia-requests
[Editor's Note (Liston): All this time and energy wasted, and they could've just gone and asked my mom. I remember having some rather pointed conversations about similar topics when I was a child. DOJ: Just so you know, my mom wouldn't really approve of the Glomar response either... ]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/