
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #97

December 09, 2011

TOP OF THE NEWS

Four Indicted in Connection With Skimming Ring
Card Skimmers Found at the Lucky Supermarket Chain
Federal Cloud Computing Security Standard Released

THE REST OF THE WEEK'S NEWS

Download.com President Apologizes for Bundling Installer with Nmap
White House Identifies Cyber Security R&D Priorities
Bradley Manning Defense Team Points to Army's Neglect of Warning Signs
Microsoft Will Issue Fixes for 20 Flaws on December 13
UK Criminal Records Bureau to Allow Online Checking
Tech Industry Groups Speak Out Against SOPA
RIM Update to Prevent PlayBook Jailbreaking Broken Within Hours
Michigan Appellate Court to Decide if Man Can be Charged For Snooping on Wife's eMail
Adobe Working on Out-of-Cycle Patch for Flaw in Windows Versions of Reader and Acrobat
DARPA Backing Huge Anomaly Detection System to Identify Insider Threats
US Copyright Office Considering DMCA Exemptions


****************************** Sponsored HP ****************************

Is your organization's defense perimeter broken? Recent statistics show that a majority of security vulnerabilities are caused by security flaws in application and web software. Learn how you can prevent these security vulnerabilities by downloading the NEW whitepaper from HP Enterprise Security - Next Generation Application Monitoring: Combining Application Security Monitoring and SIEM

http://www.sans.org/info/93339

**************************************************************************

TRAINING UPDATE

--SANS CDI 2011, Washington, DC, December 9-16, 2011. 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA, January 17-26, 2012. 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS North American SCADA 2012, Lake Buena Vista, FL, January 21-29, 2012. Gain the most current information regarding SCADA and Control System threats and learn how best to prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012; Summit: January 26-27, 2012; Post-Summit courses: January 28-29, 2012.
http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA, January 30-February 4, 2012. 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012. 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Singapore 2012, Singapore, March 5-17, 2012. 5 courses.
http://www.sans.org/singapore-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

TOP OF THE NEWS

Four Indicted in Connection With Skimming Ring (December 8, 2011)

Four people have been indicted on charges stemming from their alleged involvement with a scheme in which payment card data were stolen remotely from point-of-sale systems at a number of US business establishments. The four, all from Romania, are charged with conspiracy to commit computer fraud, wire fraud, and access device fraud. Two were arrested when they entered the US in August 2011, one is in custody in Romania, and one is still at large. The scheme allegedly affected more than 80,000 payment card users and ran up millions of dollars in unauthorized purchases. The group allegedly scanned the Internet for vulnerable point-of-sale systems, cracked the passwords, and installed keystroke-logging software on the systems.
-http://www.computerworld.com/s/article/9222520/Four_charged_with_hacking_point_of_sale_computers?taxonomyId=17

Card Skimmers Found at the Lucky Supermarket Chain (December 7, 2011)

Lucky Supermarkets has acknowledged that hackers tampered with payment card readers in self-checkout lanes at more than 20 stores in California. It is not known how many customers may be affected, but Lucky and its parent company, Save Mart Supermarkets, are urging customers to check their credit and debit card accounts. Card readers at more than 200 stores are also being checked for tampering.
-http://www.wired.com/threatlevel/2011/12/hackers-skim-lucky-supermarket/
-http://news.cnet.com/8301-1009_3-57338480-83/lucky-supermarkets-credit-card-scam-getting-worse/

-http://www.mercurynews.com/breaking-news/ci_19480051
[Editor's Note (Murray): While having served us well for fifty years for dispensing cash, mag-stripe and PIN are not safe for retail payments. We have known this for more than a decade. The public should not have to know that using one's PIN at a point of sale is not safe. Is it going to require legislation to get the payment card industry to fix this? Where are the EMV cards? ]

Federal Cloud Computing Security Standard Released (December 8, 2011)

The Federal Risk and Authorization Management Program (FedRAMP) "establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies." FedRAMP will give agencies standard procurement language to use when requesting proposals for cloud services.
-http://www.computerworld.com/s/article/9222525/Feds_launch_cloud_security_standards_program?taxonomyId=17

-http://www.federaltimes.com/article/20111208/IT03/112080302/
[Editor's Note (Murray): If the contract does not specify it, you are not likely to get it. While the devil is in the details, since identifying and expressing our requirements is difficult, this could be very helpful.
(Paller): It could be helpful, but there are cloud vendors and federal agencies poised to use FedRAMP to "paper over" massive security weaknesses in configurations (they deliver Best-Buy quality configurations rather than safe configurations) and paper continuous monitoring instead of automated measurement and mitigation. The FedRAMP authors know explicitly about both these risks. If they follow through and stop the vendors from exploiting FedRAMP to deliver infection-prone systems, they will have earned the gratitude of the entire government. We'll know in about 90 days whether what they have done is deserving of kudos.
(Honan): Europeans considering cloud services may find the ENISA (the European Network and Information Security Agency) guide to "Cloud Computing Risk Assessment" useful
-http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
]


THE REST OF THE WEEK'S NEWS

Download.com President Apologizes for Bundling Installer with Nmap (December 8, 2011)

The president of Download.com has apologized for bundling Nmap open source network scanning software with an installer that changed browsers' home pages and default search engine. Nmap developer Gordon Lyon said that the bundling violated the Nmap distribution license. The installer in question has been removed.
-http://www.h-online.com/security/news/item/Download-com-apologises-for-bundling-1392501.html

-http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/
-http://www.cso.com.au/article/409633/cnet_de-trojans_nmap_outrage_continues/
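The practical defence against a repackaged installer is to fetch the software from the project's own site and compare what you actually received with the checksum the project itself publishes, rather than trusting whatever a third-party mirror hands you. The following is an added example; it is not code from the NewsBites item, from Download.com or from the Nmap project. The file name example-setup.exe, the checksum list and the "installer" bytes are constructed for the demonstration.

```python
"""Verify a downloaded installer against the publisher's own checksum list.

Added example, not from the NewsBites item, Download.com or the Nmap project.
The file name, checksum list and "installer" bytes below are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA-256 checksum line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, checksum_list: str) -> bool:
    """True only if the file is listed and its SHA-256 matches.

    A file the publisher never listed is an error, not a pass: the caller must
    not be able to mistake "unknown" for "verified"."""
    expected = parse_checksum_list(checksum_list)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError(f"{name} is not in the published checksum list")
    return hmac.compare_digest(sha256_file(path), expected[name])


def demo() -> dict:
    """Constructed scenario: the same file name, served once as the genuine
    build and once wrapped with an extra bundled stub (as a mirror might)."""
    genuine = b"MZ" + b"\x00" * 62 + b"genuine installer payload"
    wrapped = genuine + b"\n;; bundled toolbar stub"
    # What the project would publish for the genuine build (constructed here).
    published = f"{hashlib.sha256(genuine).hexdigest()} *example-setup.exe\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-setup.exe")
        for label, payload in (("genuine", genuine), ("wrapped", wrapped)):
            with open(path, "wb") as fh:
                fh.write(payload)
            results[label] = verify_download(path, published)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'wrapped': False}
```

The checksum list is only worth something when it comes from the project itself, ideally alongside a detached signature you verify with the project's key; a hash file served by the same mirror as the installer proves nothing, since whoever wrapped the installer can rewrite it too.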

White House Identifies Cyber Security R&D Priorities (December 8, 2011)

The White House has issued a roadmap of its cyber security research and development (R&D) priorities. The outline from the Office of Science and Technology Policy divides the priorities into four areas: Inducing Change; Developing Scientific Foundations; Maximizing Research Impact; and Accelerating Transition to Practice. The R&D roadmap is based on the 2009 review of the state of cyber security in the US.
-http://www.eweek.com/c/a/Security/White-House-Releases-CyberSecurity-RD-Program-Priorities-182063/

-http://www.informationweek.com/news/government/security/232300107
-http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf

Bradley Manning Defense Team Points to Army's Neglect of Warning Signs (December 8, 2011)

Bradley Manning's defense team hopes to show that the US Army neglected signs that Manning posed a threat. Fifteen people have been disciplined in connection with Manning's leaks of sensitive military and State Department documents to WikiLeaks, including a non-commissioned officer who was demoted for dereliction of duty. Manning exhibited a number of warning signs, including physical fights and dress code violations, but he was still permitted access to sensitive data; psychological profiling can help identify employees who pose a greater risk of insider attacks. One witness the defense plans to call is a psychologist who had previously recommended that Manning be removed from his duties.
-http://www.wired.com/threatlevel/2011/12/army-disciplined-15/
-http://www.politico.com/blogs/joshgerstein/1211/Army_disciplined_15_over_Bradley_Manning_and_Wikileaks.html

-http://www.informationweek.com/news/security/vulnerabilities/232300158
[Editor's Note (Honan): The internal threat continues to be very important. Some excellent guides to identifying the internal threat: one by CERT/CC
-http://www.cert.org/insider_threat/
And one by Darkreading with some useful stats and insights
-http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/232300211/the-art-of-profiling-cybercriminals.html
]

Microsoft Will Issue Fixes for 20 Flaws on December 13 (December 8, 2011)

On Tuesday, December 13, Microsoft will release fixes for 20 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player. The flaws to be addressed include one in the Windows kernel's TrueType font parsing that has been exploited by the Duqu Trojan, and another in SSL 3.0 and TLS 1.0 that garnered publicity several months ago with the release of the BEAST attack tool. Three of the 14 bulletins scheduled for release have been rated critical; the other 11 are rated important.
-http://www.computerworld.com/s/article/9222530/Update_Microsoft_plans_20_patches_next_week_will_fix_Duqu_and_BEAST_bugs?taxonomyId=17

-http://www.scmagazineus.com/three-critical-patches-to-be-in-microsoft-security-update/article/218609/

-http://blogs.technet.com/b/msrc/archive/2011/12/08/news-from-mapp-and-advance-notification-service-for-the-december-2011-bulletin-release.aspx

-http://technet.microsoft.com/en-us/security/bulletin/ms11-dec

UK Criminal Records Bureau to Allow Online Checking (December 6 & 7, 2011)

The UK's Criminal Records Bureau will launch an online service that will allow employers to conduct background checks on job applicants. Home Office minister Lynne Featherstone said the plan was introduced as a way to reduce bureaucracy. The checks are conducted on those who apply to work with vulnerable people; previously, applicants had to apply for a new certificate each time they applied for a position.
-http://www.guardian.co.uk/government-computing-network/2011/dec/07/crb-checks-online

-http://www.nursingtimes.net/nursing-practice/clinical-specialisms/management/ministers-agree-to-tighten-criminal-checks-on-overseas-nhs-staff/5038858.article

Tech Industry Groups Speak Out Against SOPA (December 7, 2011)

Technology industry groups have written letters to US legislative leaders, asking them to reconsider the Stop Online Piracy Act (SOPA). The letter, which is from the Consumer Electronics Association, the Information Technology Industry Council, TechAmerica and others, warns that passage of the bill as it stands will have unforeseen consequences that could have a detrimental effect on the country's digital economy.
-http://thehill.com/blogs/hillicon-valley/technology/197953-tech-groups-ask-congress-to-slow-down-sopa

RIM Update to Prevent PlayBook Jailbreaking Broken Within Hours (December 7, 2011)

Research in Motion (RIM) issued an update to prevent BlackBerry PlayBook tablets from being jailbroken by the recently released DingleBerry tool. The update was defeated just hours after its release, so the tool can once again be used to gain root access to the devices. The tool's authors have published a guide explaining exactly how to jailbreak PlayBooks.
-http://www.informationweek.com/news/security/attacks/232300081
-http://www.eweek.com/c/a/Security/Hackers-Update-PlayBook-Jailbreak-Tool-After-RIM-Closes-Security-Flaw-814044/

-http://www.theregister.co.uk/2011/12/07/blackberry_playbook_jailbreak_release/

Michigan Appellate Court to Decide if Man Can be Charged For Snooping on Wife's eMail (December 7, 2011)

The Michigan Court of Appeals is considering whether a man who accessed his then-wife's Gmail account can be charged under a state hacking law. Leon Walker's attorneys are challenging a felony charge against their client, brought after he gained access to Clara Walker's Gmail account to find out if she was having an affair. Walker's attorneys maintain the state law was designed to target identity thieves and intellectual property theft. They are asking the appellate court to throw out the charges. While one of the judges said that Walker's activity seems to fall squarely within the law's purview, a defense attorney said that if his client could be charged for looking at his wife's email, parents could be charged for looking at their children's online activity. A written opinion is expected next year. If this bid is not successful, Walker and his attorneys plan to take the matter to the Michigan Supreme Court. The law under which he is being charged was enacted in 1979.
-http://www.usatoday.com/news/nation/story/2011-12-07/email-hacking-cheating/51698546/1

Adobe Working on Out-of-Cycle Patch for Flaw in Windows Versions of Reader and Acrobat (December 6 & 7, 2011)

Adobe says it is working on a fix for a vulnerability in Acrobat and Reader that is being actively exploited in targeted attacks. The flaw (CVE-2011-2462) is a memory corruption vulnerability in the way Universal 3D (U3D) files are processed; it can be used to crash the applications or to take control of vulnerable computers, and it exists in versions 10.1.1 and earlier. Adobe is working first on a patch for versions 9.x on Windows, because that is the platform targeted in the attacks, and expects to release the out-of-cycle patch early next week. Fixes for the other versions of the programs will be released on schedule in January 2012; Protected Mode in Reader X and Protected View in Acrobat X prevent the exploit code from executing, which is why the 9.x patch has priority. The flaw is being exploited through malicious PDF files sent to several different organizations, including some US defense contractors. Lockheed Martin has acknowledged that it was targeted in an attack but says the attackers did not succeed in accessing the company's computer network.
-http://www.darkreading.com/insider-threat/167801100/security/application-security/232300055/new-zero-day-adobe-attack-under-way.html

-http://www.theregister.co.uk/2011/12/06/adobe_reader_attacks/
-http://news.cnet.com/8301-1009_3-57337844-83/adobe-warns-of-attacks-using-reader-on-windows/

-http://krebsonsecurity.com/2011/12/attackers-hit-new-adobe-reader-acrobat-flaw/
-http://www.h-online.com/security/news/item/New-Adobe-Reader-zero-day-in-the-wild-1391441.html

-http://www.scmagazineuk.com/adobe-to-release-emergency-patch-for-critical-vulnerability-in-reader-and-acrobat/article/218288/

-http://www.eweek.com/c/a/Security/Adobe-ZeroDay-Exploit-Targeted-Defense-Contractors-383203/

-http://www.scmagazineus.com/lockheed-martin-hit-but-not-breached-with-adobe-zero-day/article/218603/
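While the patch is pending, a first-cut triage for incident responders sorting through mail attachments is to flag any PDF that carries U3D content at all, since the exploit needs the 3D parser to run. The following is an added example, not code from the NewsBites item or from Adobe: it looks for a 3D stream dictionary (/Subtype /U3D) or the U3D file-header block type, both in the raw bytes and inside FlateDecode-compressed streams, where an object stream can hide the dictionary from a plain grep. The three sample PDFs are constructed inline, and the "U3D\0" magic is an assumption taken from the ECMA-363 header block type rather than anything the article states.

```python
"""Triage check: does a PDF carry Universal 3D (U3D) content?

Added example, not from the NewsBites item or from Adobe. A hit means the file
would exercise the U3D parser, not that it is malicious.
"""
import re
import sys
import zlib

# A 3D stream dictionary in a PDF declares /Subtype /U3D.
U3D_SUBTYPE_RE = re.compile(rb"/Subtype\s*/U3D\b")
# Assumed from ECMA-363: the U3D file-header block type 0x00443355 is stored
# little-endian, so raw U3D data begins with the bytes "U3D\0".
U3D_MAGIC = b"U3D\x00"
# An indirect object with a stream: "N G obj <<...>> stream\n<body>endstream".
STREAM_OBJ_RE = re.compile(rb"\bobj\b(.*?)\bstream\r?\n(.*?)endstream", re.DOTALL)
FLATE_RE = re.compile(rb"/FlateDecode\b")


def _inflate(body: bytes) -> bytes:
    """Inflate a FlateDecode body; tolerates trailing EOL bytes and truncation."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def scan_pdf_bytes(pdf: bytes) -> dict:
    """Look for U3D markers in the raw file and inside compressed streams."""
    findings = {
        "u3d_dict": bool(U3D_SUBTYPE_RE.search(pdf)),
        "u3d_magic": U3D_MAGIC in pdf,
        "u3d_in_compressed": False,
        "compressed_streams": 0,
    }
    for match in STREAM_OBJ_RE.finditer(pdf):
        stream_dict, body = match.group(1), match.group(2)
        if not FLATE_RE.search(stream_dict):
            continue
        findings["compressed_streams"] += 1
        inflated = _inflate(body)
        if U3D_SUBTYPE_RE.search(inflated) or U3D_MAGIC in inflated:
            findings["u3d_in_compressed"] = True
    findings["suspicious"] = (findings["u3d_dict"] or findings["u3d_magic"]
                              or findings["u3d_in_compressed"])
    return findings


def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# --- Constructed sample PDFs (not real-world files) -------------------------
def _stream_obj(num: int, entries: bytes, body: bytes) -> bytes:
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, entries, len(body))
            + body + b"\nendstream\nendobj\n")


_HEADER = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
_CONTENT = _stream_obj(3, b"/Filter /FlateDecode",
                       zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET"))
_TRAILER = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

SAMPLE_BENIGN = _HEADER + _CONTENT + _TRAILER
# 3D stream dictionary in the clear, carrying a U3D header block.
SAMPLE_PLAIN_U3D = (_HEADER + _CONTENT
                    + _stream_obj(4, b"/Type /3D /Subtype /U3D", U3D_MAGIC + b"\x00" * 16)
                    + _TRAILER)
# Same dictionary, but hidden inside a FlateDecode-compressed object stream,
# so a grep of the raw file for "/U3D" finds nothing.
SAMPLE_HIDDEN_U3D = (_HEADER + _CONTENT
                     + _stream_obj(5, b"/Type /ObjStm /N 1 /First 4 /Filter /FlateDecode",
                                   zlib.compress(b"6 0 << /Type /3D /Subtype /U3D /3DD 7 0 R >>"))
                     + _TRAILER)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_pdf_file(path))
    else:
        for name, sample in (("benign", SAMPLE_BENIGN), ("plain_u3d", SAMPLE_PLAIN_U3D),
                             ("hidden_u3d", SAMPLE_HIDDEN_U3D)):
            print(name, scan_pdf_bytes(sample))
```

Treat a hit as a reason to detonate or inspect the file, not as proof of exploitation: legitimate engineering PDFs embed U3D too. The scanner also deliberately stays simple; it does not walk cross-reference tables, honour /Length, or decode filters other than FlateDecode, so a sender who wraps the 3D stream in another encoding would evade it.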

DARPA Backing Huge Anomaly Detection System to Identify Insider Threats (December 6, 2011)

DARPA (the Defense Advanced Research Projects Agency) is backing a research project that will be capable of analyzing as many as 250 million messages a day to search for anomalies that could help identify insider threats. Five organizations are working on the prototype Anomaly Detection at Multiple Scales (ADAMS) system. The system will be used only on internal systems with users' consent; they will know that their communications are being scanned.
-http://gcn.com/articles/2011/12/06/darpa-prodigal-email-monitoring-insider-threats.aspx?admgarea=TC_SECCYBERSSEC

-http://blogs.computerworld.com/19382/sifting_through_petabytes_prodigal_monitoring_for_lone_wolf_insider_threats

US Copyright Office Considering DMCA Exemptions (December 5 & 6, 2011)

The US Copyright Office is considering two requests for exemptions from the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). The first, made by Public Knowledge, seeks to legalize technology that would allow people who purchase encrypted DVDs of movies to copy those movies to their personal media-playing devices and make back-up copies of the movies. The second is a request from the Electronic Frontier Foundation (EFF) to allow users to jailbreak Xbox gaming consoles. The change sought in the second case would eliminate federal prosecution of and civil lawsuits against individuals who jailbreak legally purchased devices, but still allow for federal prosecution of people "who bundle 'mod kits' with pirated games."
-http://www.wired.com/threatlevel/2011/12/dmca-exemption-requests/
-http://www.eweekeurope.co.uk/news/eff-demands-legal-protection-for-jailbreaks-48519



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/