SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #100

December 18, 2012

TOP OF THE NEWS

Android Kernel Vulnerability Affects Samsung Devices
SMS-Stealing Apps Found on Google Play

THE REST OF THE WEEK'S NEWS

No Cloud Products Approved Under FedRamp
Iran's CERT-CC Warns of New Data-Wiping Malware
Celebrity eMail Hacker Draws 10-Year Prison Sentence
Jumping the Gap: Accessing Sealed Networks
UK Government Will Not Force ISPs to Filter Content at Network Level
UK Will Not Prosecute McKinnon
Microsoft Says It Is Working on Fix for Mouse Cursor Issue in IE
Former PI Sentenced to 3 Months in HP Pretexting Case
Senate Judiciary Committee Approves Bill to Ban "Stalking" Apps

---

************************* SPONSORED BY Lancope *************************
FREE eBOOK: NetFlow Security Monitoring for Dummies. Learn how organization's leverage flow data to detect the full spectrum of network and security issues - from advanced persistent threats to data loss to insider attacks.

DOWNLOAD eBOOK - http://www.sans.org/info/119455 ****************************************************************************
TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications. http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster. http://www.sans.org/event/sans-2013

- --Looking for training in your own community? http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Anaheim, New Delhi, Scottsdale, Brussels, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Android Kernel Vulnerability Affects Samsung Devices (December 17, 2012)

A critical flaw in the Android kernel in Samsung smartphones could be exploited to steal data from the devices. The vulnerability affects a number of devices, including the Galaxy S2, S3 Note 2 and Note 10.1.
-http://arstechnica.com/security/2012/12/developer-warns-of-critical-vulnerabilit
y-in-many-samsung-smartphones/
-http://www.zdnet.com/kernel-vulnerability-places-samsung-devices-at-risk-7000008
862/
-http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
-http://news.cnet.com/8301-1009_3-57559495-83/suspected-security-hole-found-in-ma
ny-samsung-devices/
-http://www.computerworld.com/s/article/9234778/Samsung_devices_vulnerable_to_dan
gerous_Android_exploit?taxonomyId=17
[Editor's Note (Murray): Android is simply one more example of the preference of the market for openness, generality, flexibility, and backward compatibility to security. Security, in the abstract, ranks high as a requirement except for everything else.

SMS-Stealing Apps Found on Google Play (December 14, 2012)

A number of suspicious apps have been found on Google Play. The apps in question are designed to steal mobile transaction authentication numbers (mTANs) that banks send to customers' phones via SMS as an added layer of authentication security. The malicious apps appear to have been uploaded to Google Play by a cybercrime gang known for using the Carberp malware to target Russian bank customers.
-http://www.computerworld.com/s/article/9234737/SMS_stealing_apps_uploaded_to_Goo
gle_Play_by_Carberp_banking_malware_gang?taxonomyId=17

---

************************* Sponsored Link: ********************************
1) Whitepaper: Enhancing Security Through a Trust-Based Approach - Advanced Threats Require Advanced Weapons. Learn More http://www.sans.org/info/119460
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

No Cloud Products Approved Under FedRamp (December 17, 2012)

The number of cloud services approved under the US General Services Administration's (GSA's) FedRamp program remains the same: zero. The Federal Risk and Authorization Management Program was designed to certify products so government agencies could use them right away. Officials say they expect "the first authorizations
[will ]
come at the end of the year/January 2013."
-http://www.nextgov.com/cloud-computing/2012/12/gsa-has-yet-approve-any-cloud-pro
ducts-under-fedramp/60217/?oref=ng-HPtopstory
[Editor's Note (Pescatore): As a reference point, the ISO cloud security standard effort (ISO 27017) is still in draft. As long as FedRAMP is taking, in this case the US federal government is actually leading the charge in a complex standards problem. That said, just as compliance does not equal security for traditional systems - the same is true, and then some, for use of cloud-based capabilities. The real issue is that enterprise (and government) security controls and processes have to change to securely use cloud services.
(Murray): I heard a panel of government modernization experts on C-SPAN today. They observed that the government always ends up doing those things that it at first says that it cannot or will not. Use of the cloud was specifically included in the idea. ]

Iran's CERT-CC Warns of New Data-Wiping Malware (December 17, 2012)

Iran's Computer Emergency Response Team Coordination Center (CERT-CC) has issued an advisory warning of malware called Batchwiper, which wipes clean drive partitions that start with letters D through I. It also removes file stored on the desktop of the user logged in when the malware executes. Batchwiper remains active even after infected computers are rebooted because it adds a registry entry. It is programmed to execute on certain dates; the next scheduled date is December 21.
-http://arstechnica.com/security/2012/12/iranian-computers-attacked-by-new-malici
ous-data-wiper-program/

Celebrity eMail Hacker Draws 10-Year Prison Sentence (December 17, 2012)

A US District Judge has sentenced a Florida man to 10 years in prison for hacking into celebrities' email accounts. Christopher Chaney stole private photos from his victims and posted them online. Chaney pleaded guilty to charges of hacking and wiretapping. He also changed some email account settings so that he was automatically forwarded copies of all messages the celebrities received.
-http://www.wired.com/threatlevel/2012/12/scarlett-johansson-hacker/
-http://latimesblogs.latimes.com/lanow/2012/12/hollywood-hacker-scarlett-johansso
n-sentenced.html

Jumping the Gap: Accessing Sealed Networks (December 16 & 17, 2012)

The US Army's Tactical Electromagnetic Cyber Warfare Demonstrator program aims to develop tools that will allow them to inject data into networks that are sealed off from the Internet. A recent classified planning day for the project, hosted by the Army's Intelligence and Information Warfare Directorate (I2WD) brought together 60 entities for a demonstration.
-http://defensesystems.com/articles/2012/12/17/agg-army-cyber-program-sealed-netw
orks.aspx?admgarea=DS
-http://www.defensenews.com/article/20121216/DEFREG02/312160002/Cyber-8217-s-Next
-Chapter-Penetrating-Sealed-Networks?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE

UK Government Will Not Force ISPs to Filter Content at Network Level (December 14 & 15, 2012)

The UK government will not force telecommunications companies to filter websites at the network level to protect children from viewing inappropriate content. A survey found that just 35 percent of parents were in favor of ISPs blocking content automatically, so instead, the government will recommend that Internet service providers (ISPs) encourage customers to take an active interest in what their children view online and that the ISPs offer parental controls for them to use. The government wants ISPs to establish mechanisms to ensure that the individuals setting parental controls are over 18.
-http://www.bbc.co.uk/news/uk-politics-20738746
-http://www.theregister.co.uk/2012/12/14/government_response_to_consultation_on_o
nline_parental_controls/

UK Will Not Prosecute McKinnon (December 14, 2012)

The UK's Crown Prosecution Service will not pursue charges against Gary McKinnon, who recently avoided extradition to the US to face charges for breaking into computer systems at NASA and other US government agencies. The Crown Prosecution Service said that they would not prosecute McKinnon and that the appropriate venue for his case to be heard is the US. Despite the UK Home Secretary's decision not to extradite McKinnon on grounds of human rights, the US warrant for his extradition is still outstanding.
-http://www.bbc.co.uk/news/uk-20730627
-http://www.zdnet.com/uk/nasa-hacker-gary-mckinnon-will-not-face-prosecution-in-t
he-uk-7000008823/
-http://www.nbcnews.com/technology/technolog/ufo-hacker-wont-be-tried-britain-pen
tagon-nasa-crimes-1C7615010
-http://news.cnet.com/8301-1009_3-57559284-83/nasa-hacker-wont-face-prosecution-i
n-u.k/

Microsoft Says It Is Working on Fix for Mouse Cursor Issue in IE (December 14, 2012)

Microsoft says it is working on a fix for the flaw in Internet Explorer (IE), disclosed last week, that could be exploited to discern the movements of a mouse cursor. This means that attackers could potentially harvest information entered on virtual keyboards, which some banks use in an attempt to protect customers' login credentials from being stolen by keystroke logging malware.
-http://www.computerworld.com/s/article/9234741/Microsoft_We_re_working_to_adjust
_IE_s_mouse_tracking?taxonomyId=17
[Editor's Note (Shpantzer): Defeating virtual keyboards is not new:
-http://shpantzer.blogspot.com/2012/02/verification-to-claims-made-in-security.ht
ml
See youtube link towards the bottom for demo. ]

Former PI Sentenced to 3 Months in HP Pretexting Case (December 13 & 14, 2012)

A former private investigator who was involved in the Hewlett-Packard pretexting scandal has been sentenced to three months in prison. Bryan Wagner pleaded guilty to identity theft and conspiracy in 2007. The chairperson of the company at the time had launched an investigation to determine the source of information leaks that seemed to be coming from the company's board members. Wagner contacted phone companies to obtain the phone records of HP board members, journalists, and their families under false pretenses. Wagner is the only person involved in the scandal to receive a prison sentence. The men who hired Wagner, Joseph and Matthew DePante, each received three years probation.
-http://news.cnet.com/8301-1009_3-57559235-83/hp-pretexting-scandal-ends-with-for
mer-p.i.s-sentencing/
-http://www.wired.com/wiredenterprise/2012/12/wagner-sentencing/
[Editor's Note (Murray): This conviction may make it a little harder to get private investigators to act as cut-outs to avoid accountability for criminal acts. However, a prosecution of the principals might have been both more effective and more just. ]

Senate Judiciary Committee Approves Bill to Ban "Stalking" Apps (December 13 & 14, 2012)

The US Senate Judiciary Committee last week approved legislation last week that would close a legal loophole, which currently allows smartphone apps to send information about users' location to advertisers and other people without notifying the phone's owner. Phone companies are not legally permitted to disclose customers' locations to businesses, but the law does not cover information sent over the Internet. The bill would require companies that sell location tracking applications to obtain consent from the customer before the data are collected or shared and would ban those apps that track users' locations without their knowledge. The requirement would not apply in the case of parents placing tracking software in their children's phones.
-http://www.nbcnews.com/technology/technolog/senate-goes-after-secret-cyberstalki
ng-apps-1C7592290
-http://www.techradar.com/news/software/applications/al-franken-led-bill-outlawin
g-stalking-apps-passes-senate-committee-1119239
[Editor's Comment (Pescatore): This is a good loophole to close, with broad enough language that it makes it clear the user's own their location information and must opt-in to giving it away.
(Northcutt): It is an important loophole to close, especially for the android part of the ecosystem. The links below are two of the classic investigative journalism articles on the topic, but the really scary thing is how much has been suppressed from basic Google searches. Most security researchers agree that Apple's system is safer when it comes to apps. I am a loyal second generation Samsung G3 user BTW, I am just very careful about which apps I load:
-http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
-http://online.wsj.com/article/SB10000872396390443995604578002751421246848.html?m
od=WSJ_article_RecentColumns_WhatTheyKnow]

---

************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.


Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/