SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #22
March 16, 2012
TOP OF THE NEWS
Unnamed Company Challenges National Security Letter Gag Order
Lawsuit Alleges Mobile Apps Violate User Privacy
New Attack Dupes Carriers To Defeat Out-Of-Band Authentication Of Bank Customers
Symantec Warns Of Trojan That Can Elevate The Privileges Of A Win7 Process Without The User's Knowledge Or Permission
FBI Wants Google to Unlock Suspect's Android Phone
THE REST OF THE WEEK'S NEWS
Microsoft Patches Critical Remote Desktop Protocol Flaw
Mozilla Updates Firefox, Plans to Add Silent Updates in June
Cyber Security Legislation and FOIA Exemptions
Commerce Secretary Supports Pending Cyber Security Legislation in Senate
BlueCross BlueShield of Tennessee to Pay US $1.5 Million for HIPAA Violations
Credit Card Info Stolen From Stratfor Site Used in US $700,000 of Fraudulent Charges
******************** SPONSORED BY F5 Networks, Inc. *********************
IMPROVE FEDERAL INFORMATION ACCESS SECURITY Federal agencies can control who has access to systems and information while ensuring IT services and remotely-hosted applications remain readily available to valid users. Learn how by reading "Improving Federal Information Access Security with FIPS-Certified Solutions" (November 2011), an IDC Government Insights paper sponsored by F5. http://www.sans.org/info/101714
**************************************************************************
TRAINING UPDATE
--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 12 courses.
http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Abu Dhabi, Johannesburg, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************
TOP OF THE NEWS
Unnamed Company Challenges National Security Letter Gag Order (March 14, 2012)
An unnamed US technology firm has reportedly refused to comply with an FBI order to turn over information about company customers. The type of request, known as a National Security Letter (NSL), demands that the company never disclose its existence. The company told the FBI that it wished to inform the target of the letter that the FBI had requested the data. NSLs have rarely been challenged in court despite roughly 300,000 of the secretive requests having been served in the last 10 years. In this case, the government has filed a request for a court order that would force the company to abide by the terms of the demand.
-http://www.wired.com/threatlevel/2012/03/mystery-nsl/
[Editor's Comment (Northcutt): Since 9/11 the FBI has issued 273,000+ no-due-process National Security Letters under the reasoning that they "may" impact national security. You'll find related articles at:
-http://www.aclu.org/national-security-technology-and-liberty/national-security-letters
-http://epic.org/privacy/nsl/
-http://www.washingtonpost.com/wp-dyn/content/article/2007/03/22/AR2007032201882.html]
Lawsuit Alleges Mobile Apps Violate User Privacy (March 15, 2012)
A lawsuit filed in the US District Court for the Western District of Texas charges 18 companies with distributing and selling applications that invade users' privacy. The companies named in the suit include Facebook, Apple, and Twitter. The lawsuit alleges that the apps in question harvest information from smartphone users' address books without the users' knowledge. The suit seeks a permanent injunction against collecting the data and calls for the companies to destroy all the personal data they have collected with the apps.
-http://www.computerworld.com/s/article/9225219/18_firms_sued_for_using_privacy_invading_mobile_apps?taxonomyId=17
[Editor's Note (Pescatore): Last month the FTC weighed in with some warnings to mobile app developers. We are seeing both on the privacy *and* the security side of mobile applications a need for more transparency and better practices around limiting data access.]
New Attack Dupes Carriers To Defeat Out-Of-Band Authentication Of Bank Customers (March 15, 2012)
In the latest twist on defeating one-time passwords used to authenticate Internet banking transactions, cyber criminals appear to be impersonating owners of mobile devices and reporting them stolen so they can obtain a SIM card that will allow them to conduct financial transactions. The attack is a "social engineering" attack in which the carrier is duped into issuing a credential to a rogue. Some banks use one-time passwords sent to customers' mobile devices to authenticate transactions. The attackers have been using variants of the Gozi Trojan horse program to trick users into exposing their mobile devices' international mobile equipment identity (IMEI) numbers to obtain the new SIM cards.
-http://www.computerworld.com/s/article/9225226/In_new_attack_on_mobile_handsets_fraudsters_target_one_time_passwords?taxonomyId=17
Symantec Warns Of Trojan That Can Elevate The Privileges Of A Win7 Process Without The User's Knowledge Or Permission (March 15, 2012)
Symantec has issued a warning about a Trojan horse program that is capable of infecting both 32- and 64-bit versions of Windows 7. The malware can allow attackers to elevate privileges of restricted processes.
-http://www.v3.co.uk/v3-uk/news/2159725/symantec-warns-bit-windows-trojans
FBI Wants Google to Unlock Suspect's Android Phone (March 14, 2012)
The FBI is seeking a court order to force Google to help it crack the pattern lock on a suspect's Android phone. The FBI also wants Google to provide the suspect's email and Internet searches, GPS location data, text messages and websites visited. The FBI attempted to break the pattern lock, which locks up the device after a certain number of incorrect attempts; the user's Google email address and password must be used to unlock it.
-http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/
-http://arstechnica.com/tech-policy/news/2012/03/fbi-stumped-by-pimps-androids-pattern-lock-serves-warrant-on-google.ars
-http://paranoia.dubfire.net/2012/03/fbi-seeks-warrant-to-force-google-to.html
-http://www.v3.co.uk/v3-uk/the-frontline-blog/2159673/androids-pattern-lock-security-confounds-fbi-forensics-team
*********************** SPONSORED LINKS: *****************************
1) Nearly 90 % of organizations are not fully aware of what personal devices are accessing what company resources! Register for the SANS Mobile Security Survey and be among the first to receive full results in a paper written by SANS mobility expert, Kevin Johnson. http://www.sans.org/info/101719
2) New Analyst Paper in the SANS Reading Room! Review of NetIQ Sentinel 7 for Security Information and Event Management, by senior SANS analyst, Jerry Shenk. http://www.sans.org/info/101724 For a full index of SANS Analyst papers, go here: http://www.sans.org/reading_room/analysts_program/
************************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft Patches Critical Remote Desktop Protocol Flaw (March 13 & 14, 2012)
Microsoft is urging users to apply a fix released Tuesday, March 13, for a critical vulnerability in the Remote Desktop Protocol (RDP). Microsoft says hackers are likely to release an exploit for the flaw within the next month. In all, Microsoft patched seven vulnerabilities in its monthly security update.
-http://www.infoworld.com/t/windows-security/microsoft-urges-firms-focus-severe-rdp-flaw-188693
-http://www.computerworld.com/s/article/9225160/Experts_sound_worm_alarm_for_critical_Windows_bug?taxonomyId=85
-http://krebsonsecurity.com/2012/03/rdp-flaws-lead-microsofts-march-patch-batch/
-http://www.h-online.com/security/news/item/Microsoft-closes-critical-RDP-hole-in-Windows-1471581.html
-http://www.darkreading.com/vulnerability-management/167901026/security/application-security/232602627/microsoft-flaw-demonstrates-dangers-of-remote-desktop-access.html
UPDATE: ISC infocon went yellow over the release of exploit code.
-https://isc.sans.edu/diary/INFOCON+Yellow+-+Microsoft+RDP+-+MS12-020/12805
Mozilla Updates Firefox, Plans to Add Silent Updates in June (March 14 & 15, 2012)
Mozilla has released security updates for Firefox 11, Thunderbird 11 and SeaMonkey 2.8. There are also fixes for legacy versions of Firefox and Thunderbird. Five of the vulnerabilities addressed by the update affect all three products and are rated critical. Mozilla has said that it will have silent updates for Firefox ready for Firefox 13, which is scheduled to be released on June 5, 2012. Google Chrome is presently the only browser that uses automatic, in-the-background updates; the feature has been part of the browser since its introduction in September 2008.
-http://www.computerworld.com/s/article/9225235/Mozilla_will_start_Firefox_silent_updates_in_June?taxonomyId=17
Cyber Security Legislation and FOIA Exemptions (March 13, 2012)
The US Senate Judiciary Committee heard testimony on March 13 regarding Freedom of Information Act (FOIA) exemptions in proposed cyber security legislation. Witnesses on both sides of the argument underscored the importance of finding a balance: allowing companies broad exemptions from disclosure of information could threaten public safety, while restricting exemptions could discourage companies from sharing threat and vulnerability information.
-http://gcn.com/articles/2012/03/13/cybersecurity-vs-foia-protecting-sensitive-data.aspx
-http://www.fiercegovernmentit.com/story/cybersecurity-bills-could-create-foia-exemptions-broad-effects/2012-03-13
Commerce Secretary Supports Pending Cyber Security Legislation in Senate (March 9, 2012)
Commerce Secretary John Bryson is urging legislators to act quickly to pass effective cyber security legislation.
-http://www.feinstein.senate.gov/public/index.cfm/2012/3/the-new-face-of-corporate-espionage-politico
BlueCross BlueShield of Tennessee to Pay US $1.5 Million for HIPAA Violations (March 13, 2012)
BlueCross BlueShield of Tennessee has agreed to pay US $1.5 million in fines to the US Department of Health and Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act (HIPAA) related to a 2009 data breach. The breach has already cost BlueCross BlueShield nearly US $17 million for investigation, mitigation, and notification. In October 2009, an intruder stole 57 hard drives from a training facility; the devices held unencrypted information of one million people.
-http://www.computerworld.com/s/article/9225170/Tennessee_insurer_to_pay_1.5_million_for_breach_related_violations?taxonomyId=17
[Editor's Note (Murray): HIPAA has not made health insurance "portable" or "accountable." Patients routinely waive their rights under HIPAA as a quid pro quo for care.]
Credit Card Info Stolen From Stratfor Site Used in US $700,000 of Fraudulent Charges (March 12, 2012)
The FBI alleges that more than US $700,000 in fraudulent charges were made using credit card information stolen from Stratfor last year. The hackers posted 860,000 email addresses and 75,000 unencrypted credit card numbers after the intrusion.
-http://news.cnet.com/8301-1009_3-57395944-83/fbi-says-$700k-charged-in-anonymous-stratfor-attack/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/