SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #27

April 03, 2012

TOP OF THE NEWS

Global Payments Breach Affects 1.5 Million Payment Card Accounts
After Supreme Court Throws Out GPS Tracking Data, Prosecutors Plan to Use Cell-Phone Location Data in Retrial
ACLU: Many US Police Departments Use Warrantless Cell Phone Tracking

THE REST OF THE WEEK'S NEWS

Pastebin.com to Focus on Faster Takedown of Sensitive Data
Malware Variant Exploits Unpatched Flaw in Java for Apple Macintosh OS X
Al Qaeda Websites Offline For More Than a Week
Man Seeks Order to Preserve Megaupload Data
Ukrainian Authorities Seize Virus Writers' Forum's Servers
US Intelligence Smartphone Pilot
Google Releases Chrome 18
Kelihos Botnet Still Active After Takedown

---

************************ Sponsored By Zscaler ***************************
WEBCAST: RALCORP SWITCHES FROM APPLIANCES TO CLOUD SECURITY
Join Charles Jacks, Lead IT Architect at RalCorp, and Phil Hochmuth, Research Director at IDC, for this 1-hour webcast to learn why Ralcorp, a food-manufacturing giant with $4.3 billion in annual sales, switched to cloud-delivered security. APRIL 24 at 10am PST/ 1pm EST http://www.sans.org/info/102964
**************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

Global Payments Breach Affects 1.5 Million Payment Card Accounts (April 2, 2012)

As many as 1.5 million credit card accounts have been compromised due to a security breach at the system of card payment processor Global Payments. The breach is likely to affect both Visa and MasterCard accounts. Investigations into the matter are underway. The breach appears to have occurred between January 21 and February 25, 2012. Global Payments has not provided much specific information about the breach. Reports suggest that fraudulent activity has already been detected on roughly 800 of the compromised accounts. Visa has rescinded its seal of approval for Global Payments.
-http://www.h-online.com/security/news/item/Global-Payments-loses-up-to-1-5-milli
on-credit-card-records-in-data-theft-1498448.html
-http://www.wired.com/threatlevel/2012/04/global-payments-breach/
-http://krebsonsecurity.com/2012/04/global-payments-1-5mm-cards-exported/
-http://www.bbc.co.uk/news/technology-17569336
-http://www.scmagazine.com/visa-expels-global-payments-following-15m-card-breach/
article/234865/
-http://www.globalpaymentsinc.com/DataProtection.html
[Editor's Note (Murray): This is not a CardServices or a Homeland scale event. The cards compromised were numbered in the hundreds of thousands rather than the tens of millions. While Global Payments lost their "preferred" designation, they did not lose the right to process. The banks are aware of the cards compromised and have or will issue new cards. They have disabled the cards for use at ATMs. Consumers that have not seen a fraudulent transaction already are not likely to see one. There is almost no impact on merchants {though it would be nice to think they would resist the use of otherwise blank cards with only a mag-stripe}. The financial loss to Global Payments will equal about one quarter's profits. While its stock has declined about twenty percent, it is not likely to go out of business. All that said, given the continued use of mag-stripe and PIN in the retail payment system, consumers should use on-line services to reconcile the charges to their accounts at least weekly. While EMV cards will not protect the issuers from "card not present" fraud, they will help protect the consumer against these seemingly inevitable mass compromises. ]

After Supreme Court Throws Out GPS Tracking Data, Prosecutors Plan to Use Cell-Phone Location Data in Retrial (March 31, 2012)

Following a US Supreme Court ruling that probable-cause warrants are required prior to attaching GPS tracking devices to suspects' vehicles, federal prosecutors are now seeking to use location data gathered about cell-phone use. That decision was revealed in a filing in pre-trial proceedings of alleged Washington, DC-area drug dealer Antoine Jones's retrial. Jones's legal team plans to argue that the cell-tower location information violates their client's Fourth Amendment rights. Jones's life sentence was reversed with the January Supreme Court ruling on GPS data collected without a valid warrant. The evidence in Jones's case that was harvested from a GPS device attached to his car has been suppressed as a result.
-http://www.wired.com/threatlevel/2012/03/feds-move-to-cell-site-data/

ACLU: Many US Police Departments Use Warrantless Cell Phone Tracking (April 2, 2012)

According to the American Civil Liberties Union, (ACLU) many police departments in the US track cell-phone locations without warrants. In some cases, the tracking was conducted in emergencies, for example, to find a missing person. The ACLU requested the information from law enforcement agencies; more than 200 responded. In most cases, the tracking information was sought from phone companies, but in some jurisdictions, law enforcement has acquired their own tracking technology.
-http://www.nextgov.com/nextgov/ng_20120402_7520.php?oref=topnews
[Editor's Note (Murray): While even this can be abused, using existing records to, for example, find a missing person, is a far cry from tagging suspects to further an investigation. Warrants are easy to get and are our only defense against an over-zealous state. Exceptions should be rare and the admission of such evidence obtained without a warrant should be even rarer.]

---

************************** Sponsored Links: **************************
1) Cloud Innovators Webinar: PhoneFactor Solves Cloud Strong Auth Challenges http://www.sans.org/info/102969
2) Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud. Don't take our word. Try it yourself! For a limited time, download here: http://www.sans.org/info/102974
3) SolarWinds(R) Log and Event Manager for operations, compliance and security is powerful, easy and affordable! http://www.sans.org/info/102979
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Pastebin.com to Focus on Faster Takedown of Sensitive Data (April 2, 2012)

Pastebin.com owner Jeroen Vader plans to implement stricter monitoring of the content posted on the site to prevent the broadcast of sensitive information. The site plans to hire new employees to focus on the endeavor. Until now, the site had a flagging system to identify the information. The site has requested that users not post lists of passwords, stolen source code, or personal data, but the request is often ignored. Members of Anonymous often use the site to post data they have stolen.
-http://www.bbc.co.uk/news/technology-17544311
-http://www.h-online.com/security/news/item/Pastebin-com-arms-itself-against-misu
se-1498988.html
-http://www.v3.co.uk/v3-uk/news/2165411/pastebin-tackle-anonymous-lulzsec-hackers
-sensitive-dumps

Malware Variant Exploits Unpatched Flaw in Java for Apple Macintosh OS X (April 2, 2012)

A variant of the Flashback Trojan horse program, Flashback.K, is infecting Mac computers through an unpatched critical vulnerability in Java for Mac OS X. The malware has been detected in the wild. The issue lies in Java; Oracle patched the flaw in February, but Apple has yet to push a fix out to OS X. Experts recommend that Apple users disable the Java client until a fix is released. Flashback, which was apparently developed specifically to target Mac computers, first appeared in September 2011, disguised as an Adobe Flash Player update. Apple stopped bundling Java in its operating system by default with OS X 10.7, or Lion, but users are still able to download it. Apple has a history of lagging behind Windows and Linux in releasing Java updates.
-http://arstechnica.com/apple/news/2012/04/mac-trojan-exploits-unpatched-java-vul
nerability-no-password-needed.ars?
-http://www.computerworld.com/s/article/9225757/Unpatched_Java_bug_infects_Macs_w
ith_Flashback_malware?taxonomyId=17
-http://www.theregister.co.uk/2012/04/02/flashback_mac_malware/
-http://www.scmagazine.com/flashback-trojan-targets-mac-computers/article/234877/
-http://reviews.cnet.com/8301-13727_7-57408383-263/flashback-malware-evolves-to-e
xploit-unpatched-java-vulnerabilities/

Al Qaeda Websites Offline For More Than a Week (April 2, 2012)

Several prominent Al Qaeda websites have been unavailable for more than a week, leading to speculation that they were targeted in a cyber attack. This is their longest outage in the eight years since they went online. There have been no public claims of responsibility for the outages. Some Al Qaeda sites are still online.
-http://www.washingtonpost.com/world/national-security/al-qaedas-online-forums-go
-dark-for-extended-period/2012/04/02/gIQAfd4xqS_story.html

Man Seeks Order to Preserve Megaupload Data (March 30, 2012)

A man represented by the Electronic Frontier Foundation (EFF) is asking a US District Judge to order that the 25 petabytes of data that authorities seized earlier this year in connection with Megaupload be preserved. Kyle Goodwin operates OhioSportsNet, which films and streams high school athletic events; he wants access to his content that is stored on the Megaupload network. Earlier in March, the Motion Picture Association of America (MPAA) asked Megaupload server host Carpathia to retain all the data because they could be used as evidence in copyright infringement lawsuits. Federal authorities say that they have copied what they require and that Carpathia does not need to retain the 25 million GB of Megaupload data that it is currently storing at a cost of US $9,000 a day. Carpathia has asked a judge to relieve it of the need to retain the data and the accompanying expense. Megaupload has asked that some of its frozen assets be released to pay Carpathia for storing the data.
-http://www.wired.com/threatlevel/2012/03/megaupload-seized-content/

Ukrainian Authorities Seize Virus Writers' Forum's Servers (March 29 & 30, 2012)

Authorities in Ukraine have seized servers that belong to the VX Heavens forum, for allegedly developing and planning to sell malware. VX Heavens has been around for many years and was a forum where people allegedly shared advice of writing malware. It was focused on "old-school" virus writing, which pre-dates the malware-for-profit model that prevails today. The servers were seized on March 23. VX Heavens calls itself a vault of information.
-http://www.computerworld.com/s/article/9225693/Ukraine_shuts_down_forum_for_malw
are_writers?taxonomyId=17
-http://www.theregister.co.uk/2012/03/29/vxer_hub_takedown/
-http://arstechnica.com/business/news/2012/03/ukrainian-police-shut-down-forum-fo
r-malware-writers.ars?clicked=related_right

US Intelligence Smartphone Pilot (March 29, 2012)

As part of a pilot program, about 100 US government intelligence professionals are using Android smartphones that allow them to conduct secret conversations over a commercial cellular network. The pilot program involves NSA Red Team hackers who will attempt to break into the secured communications. There will also be assessments regarding the security measures' effects on the quality of the sound on the calls and the frequency of dropped or lagging calls. One of the issues that will need to be addressed in the future is that the walls of US intelligence facilities are constructed to prevent wireless electromagnetic signals from getting through, rendering the devices unusable inside the buildings. The program is called Project Fishbowl.
-http://www.defensenews.com/article/20120329/C4ISR02/303290008/Cover-Story-Top-Se
cret-Goes-Mobile?odyssey=nav|head
[Editor's Note (Murray); One should not infer anything about Android security from the fact that a nation state can (or cannot) instantiate a secure application on it. ]

Google Releases Chrome 18 (March 29, 2012)

Google has released Chrome version 18, which addresses nine security flaws in earlier versions of its browser. Google released the stable version of Chrome 17 on February 8. Google paid a total of $4,000 to six researchers for information about six of the flaws; Google also paid US $8,000 to four researchers who disclosed flaws prior to the final release of Chrome 18. Chrome 18 includes Adobe Flash Player 11.2.
-http://www.computerworld.com/s/article/9225680/Google_ships_Chrome_18_patches_bu
gs_and_boosts_hardware_acceleration?taxonomyId=85

Kelihos Botnet Still Active After Takedown (March 29, 2012)

Despite an attempted shutdown last week, the Kelihos botnet appears to be still active. Within a day after an announcement from a group of researchers that Kelihos had been knocked offline, others were reporting evidence of the botnet's activity. The researchers poisoned the botnet with their own code, redirecting infected machines to their own sinkhole server instead of the botnet's command-and-control servers. Some of the researchers maintain that the activity is part of a new variant of the botnet, not the one targeted in the takedown.
-http://www.theregister.co.uk/2012/03/29/kelhios_bot_not_dead_yet/
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
232700540/it-s-already-baaack-kelihos-botnet-rebounds-with-new-variant.html
[Editor's Comment (Northcutt): This story keeps reminding me of the "Why won't you die" scene in Vendetta. There is more to this story than technology, the Dave Dittrich Honeynet blog post with a FAQ on Kelios references a code of conduct for these types of activities that often involve extraordinary intervention:
-https://www.honeynet.org/node/836
-http://www.youtube.com/watch?v=LGGPufySwZ4]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/