
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #33

April 24, 2012


A new release of a browser would not normally merit placement at "Top
of the News" in NewsBites security updates, but the discipline on
applications that Firefox 12 establishes has long been needed in
browsers. It is the most promising path to rapid (automated) implementation
of important security patches. See John Pescatore's comment after the
first story for more detail. The operating system providers should be
next, particularly on mobile devices, with Apple's iPhone in the lead.

Alan

TOP OF THE NEWS

Firefox 12 Due on April 24
Federal Judge Rules Warrantless GPS Data Admissible Under "Good Faith" Exception
Iran Acknowledges Malware Attack on Oil Ministry

THE REST OF THE WEEK'S NEWS

Executive Order Allows Sanctions for Using Technology for Human Rights Abuses
FBI Seizure of Server in Bomb Threat Case Called Heavy-Handed
WordPress Gets Security Update
Office for Mac 2011 Upgrade Causing Problems in Outlook Database
Optical Scan Vote Counting System Gave Erroneous Election Results
College Student Arrested in Alleged Student Government Election Hack
Conflicting Reports About Number of Flashback Infections
TSA Testing New Document Authentication System


************************ SPONSORED BY Firemon ********************************
Every security pro faces the same challenge each morning - "what to do first?" Upcoming infrastructure upgrades, the latest breach headlines, and urgent requests for system access compete for attention every day. How can you and your team be the most effective? Special Webcast: Highway Congestion, Risk Prevention & Business Unit Requests: How Effective Security Engineers Get It Done: Thursday, April 26th 1:00 EDT
http://www.sans.org/info/103909
**************************************************************************
TRAINING UPDATE
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

--Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

--SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

TOP OF THE NEWS

Mozilla Releases Firefox 12 (April 23, 2012)

Firefox 12 is now available. The newest version of the browser incorporates an element of its planned silent updates. Users of Windows Vista and Windows 7 will notice that after the initial installation of the newest version of Firefox, the updates will no longer trigger the user account control prompt, which requires users to agree when programs are installed. The final components necessary for silent updating will appear in Firefox 13 or 14, which are slated to ship on June 5 and July 17, respectively. April 24 also marks Mozilla's retirement of Firefox 3.6; users who have not already updated will find themselves automatically updated to Firefox 12.
-http://www.computerworld.com/s/article/9226463/Firefox_skirts_Windows_security_feature_to_make_silent_updates_happen?taxonomyId=17

[Editor's Note (Pescatore): It is probably time for this to be the norm for client-side applications, from two perspectives: (1) faster security updates; and (2) considerable pain to applications that are written to browser-specific features that could break in such upgrades. One of the reasons IE6 was used long after much less vulnerable versions of the Internet Explorer browser were out is that lots of apps were written poorly and would only work with IE6.]

Federal Judge Rules Warrantless GPS Data Admissible Under "Good Faith" Exception (April 20, 2012)

A federal judge in Iowa has ruled that evidence gathered with GPS tracking devices installed on suspects' vehicles without warrants may be used in the prosecution of an alleged drug trafficker. The evidence is admissible, says US District Judge Mark Bennett, because the agents who used the devices were acting in good faith, basing the legality of their action on an 8th US Circuit Court of Appeals precedent that allowed the warrantless use of GPS tracking devices on suspects' vehicles. The ruling means that in certain jurisdictions, law enforcement can invoke the "good faith exception" for evidence gathered with the devices prior to the US Supreme Court's ruling in the Antoine Jones case. Even the Jones decision is vague on certain points. It could be interpreted to allow warrantless GPS tracking when there is reasonable suspicion or probable cause that the vehicle is being used in illegal activity.
-http://www.wired.com/threatlevel/2012/04/dea-use-of-gps-tracker/
-http://www.wired.com/images_blogs/threatlevel/2012/04/Amaya-ruling.pdf

Iran Acknowledges Malware Attack on Oil Ministry (April 23, 2012)

A malware attack over the weekend on Iran's oil ministry and the country's national oil company forced the organizations to disconnect their systems from the Internet. The ministry website was back online on Monday, April 23. The attack affected the ministry's main website and internal communications system. An oil ministry spokesperson said that site user data was stolen in the attack.
-http://www.bbc.co.uk/news/technology-17811565
-http://www.guardian.co.uk/world/2012/apr/23/iranian-oil-ministry-cyber-attack?newsfeed=true
-http://worldnews.msnbc.msn.com/_news/2012/04/23/11350331-suspected-cyber-attack-hits-iranian-oil-network
-http://www.computerworld.com/s/article/9226469/Iran_confirms_cyberattacks_against_oil_facilities?taxonomyId=17



*************************** Sponsored Links: *************************
1) New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert, Tanya Baccam. Paper: http://www.sans.org/info/103914
2) Learning from Logs: SANS 8th Log and Event Management Survey, part II http://www.sans.org/info/103919 Thursday, May 3, 1 PM EDT
3) Sorting Through the Noise: SANS 8th Log and Event Management Survey, part I http://www.sans.org/info/103929 Tuesday May 1, 1 PM EDT
************************************************************************

THE REST OF THE WEEK'S NEWS

Executive Order Allows Sanctions for Using Technology for Human Rights Abuses (April 23, 2012)

President Obama has announced sanctions against Syria and Iran "and those who abet them, for using technologies to monitor, target, and track its citizens for violence." The sanctions include visa bans and financial restrictions. The sanctions arise from an executive order that specifically mentions the use of technology for human rights abuses.
-http://www.bbc.co.uk/news/world-us-canada-17817520
-http://www.washingtonpost.com/politics/obama-announces-sanctions-for-tech-used-in-human-rights-abuses-in-iran-and-syria/2012/04/23/gIQAOGm3bT_story.html

FBI Seizure of Server in Bomb Threat Case Called Heavy-Handed (April 19, 20, & 21, 2012)

The FBI has seized an anonymizing server from a facility in New York. The server belongs to the European Counter Network (ECN) and was in a data center run by Riseup Networks and May First/People Link. The server's seizure is reportedly linked to the investigation into recent bomb threats at the University of Pittsburgh. The seizure resulted in a number of other projects hosted on the same server being taken offline as well. The providers say that the server is unlikely to provide law enforcement authorities with any useful information in the investigation. The FBI is concerned with the Mixmaster remailer that was hosted on the server. Privacy rights groups have been critical of the FBI's actions in this case, saying they have gone too far.
-http://www.h-online.com/security/news/item/FBI-seizes-US-anonymisation-server-1544886.html
-http://www.theregister.co.uk/2012/04/19/mixmaster_servers_seized/
-http://www.informationweek.com/news/security/government/232900643
-http://www.wired.com/threatlevel/2012/04/fbi-seizes-server/
-http://www.csoonline.com/article/704640/fbi-seizes-anonymizing-server-in-bomb-threat-probe?source=CSONLE_nlt_newswatch_2012-04-20

WordPress Gets Security Update (April 23, 2012)

The developers of WordPress have issued a security update for the blogging tool to address vulnerabilities in three external file upload libraries as well as in the main software. WordPress did not say how many flaws the update addresses beyond acknowledging that the figure is in the double digits. WordPress has been exploited to launch cyber attacks; users are urged to upgrade to WordPress 3.3.2 as soon as possible.
-http://www.h-online.com/security/news/item/WordPress-fixes-file-upload-security-problems-1545416.html
-http://www.zdnet.com/blog/security/wordpress-332-is-out/11678?tag=mantle_skin;content
-http://www.pcworld.com/businesscenter/article/254291/wordpress_security_update_patches_external_libraries_several_vulnerabilities.html

Office for Mac 2011 Upgrade Causing Problems in Outlook Database (April 23, 2012)

Microsoft has stopped pushing out an upgrade for Office for Mac 2011 from its servers following reports that the update has corrupted the Outlook database on some computers. The update, Office for Mac 2011 Service Pack 2 (SP2), was released on April 12. Users can still manually download SP2 through Microsoft AutoUpdate. Microsoft is investigating the problem.
-http://www.zdnet.com/blog/apple/office-for-mac-2011-sp2-update-creating-database-issues-for-some-outlook-users/12806
-http://www.computerworld.com/s/article/9226445/Microsoft_yanks_Office_for_Mac_2011_upgrade?taxonomyId=17

Optical Scan Vote Counting System Gave Erroneous Election Results (April 23, 2012)

An optical-scan vote counting system in Florida reportedly returned incorrect results for a municipal election in March. The Dominion Voting Sequoia Voting Systems device awarded seats on the Wellington Village Council to people who did not have the necessary votes; a post-election audit found that the results were erroneous. The software was apparently configured in a manner that did not match the paper ballots, so votes were recorded for the wrong candidates.
-http://www.computerworld.com/s/article/9226410/E_voting_System_Declares_Wrong_Winners_in_Fla.?taxonomyId=17

College Student Arrested in Alleged Student Government Election Hack (April 18, 19, & 21, 2012)

A college student in California was arrested in March for alleged election fraud, unlawful access to a computer, and identity theft. Matt Weaver was running for president of student government at California State University, San Marcos. School authorities detected suspicious activity on school computers that was ultimately traced back to Weaver. He was found in possession of a password-stealing device while working on a school computer. Weaver allegedly stole 700 students' user IDs and passwords and used them to change the election results. The FBI is investigating.
-http://www.technolog.msnbc.msn.com/technology/technolog/fbi-suspects-student-candidate-hacking-his-own-election-726362
-http://www.10news.com/news/30913744/detail.html

Conflicting Reports About Number of Flashback Infections (April 20 & 23, 2012)

Dr. Web, the Russian security company that was the first to report the broad infection of Mac computers by the Flashback Trojan horse program, says that the number of infected computers is not shrinking and that the figure is still somewhere around 650,000. In fact, says Dr. Web, computers are continuing to become infected. Symantec's Liam O'Murchu confirmed Dr. Web's figures. Earlier last week, Symantec had said that the number of infected machines had fallen to 142,000, and Kaspersky's estimate was even lower: just 30,000 infected machines. Dr. Web explains the discrepancies in part by noting that part of the attackers' operation involves putting infected machines "on hold." There are reports of a new variant of Flashback spreading in the wild.
-http://www.computerworld.com/s/article/9226429/Flashback_botnet_not_shrinking_huge_numbers_of_Macs_still_infected_?taxonomyId=17
-http://www.technolog.msnbc.msn.com/technology/technolog/infected-mac-network-may-be-expanding-not-shrinking-726903
-http://www.h-online.com/security/news/item/Kaspersky-Number-of-Macs-infected-by-Flashback-drops-to-30-000-Update-1544589.htmls

New Flashback Variant:
-http://securitywatch.pcmag.com/none/296979-new-flashback-variant-spotted-in-the-wild

TSA Testing New Document Authentication System (April 20, 2012)

The US Transportation Security Administration (TSA) is testing a new system to authenticate travel documents. The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) aims to detect fake boarding passes and photo identification documents. It also collects and displays travelers' ID photographs, but once the documents are authenticated, the data are deleted from the system.
-http://www.informationweek.com/news/government/security/232900686
[Editor's Comment (Northcutt): What, exactly, does "deleted" mean? (Murray): The last time I went through TSA, I was almost detained because the computer recognized me. The agent was surprised to find that I was on the new pre-screen list. I resisted identifying myself to TSA for this system. They finally did what I have contended all along that they should do; base it on the airline's frequent flyer program. American Airlines even allows me to eat with metal cutlery. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/