
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #22

March 18, 2013

TOP OF THE NEWS

Federal Judge Rules National Security Letters are Unconstitutional
Reuters Journalist Indicted for Allegedly Allowing Hackers Into Former Employers' System
Thieves Hack Casino Surveillance System to Carry Out AU $32 Million Cheat

THE REST OF THE WEEK'S NEWS

Brian Krebs Targeted in SWAT Attack
Supreme Court Declines to Hear Jammie Thomas-Rasset Filesharing Appeal
iPad Data Hacker Gets 41-Month Prison Sentence
Microsoft Pushes Out Windows 7 SP1
DHS Cybersecurity Chief Resigns
Two Charged in Subway Sandwich Shop Point-Of-Sale Terminal Hacks
GSA Contractor Database May Have Exposed User Data
Apple's Latest OS X Update Includes Fix for Java Web Start Flaw


************************** SPONSORED BY Bit9 *******************************
WHITEPAPER - Advanced Threat Landscape: What Your Organizations Need to Know - In the wake of the numerous server data breaches reported, it is clear that traditional signature-based blacklisting security strategies are inadequate in addressing today's sophisticated cyber threats. Industry Analyst Frost and Sullivan examine today's advanced threat landscape and recommends that organizations adopt a new approach to server security that is based on trust.
Download Today http://www.sans.org/info/127402
****************************************************************************

TRAINING UPDATE


- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.

http://www.sans.org/event/monterey-2013


- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.

http://www.sans.org/event/northern-virginia-2013


- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.

http://www.sans.org/event/cyber-guardian-2013


- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

http://www.sans.org/event/security-west-2013


- -- Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth. Bonus evening session: Patching Your Employees' Brains.

https://www.sans.org/event/secure-canberra-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.

http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.

http://www.sans.org/event/pentest-berlin-2013



- -- Looking for training in your own community?

http://www.sans.org/community/



- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Federal Judge Rules National Security Letters are Unconstitutional (March 15, 2013)

A federal judge in California has ruled that national security letters (NSLs) are unconstitutional. Judge Susan Illston ruled the gag order that accompanies NSLs violates the First Amendment; the gag order prohibits recipients from even acknowledging that they have received the request for information. The FBI uses NSLs to obtain information on US citizens without a court order. The only requirement for obtaining a NSL is a supervisor's certification that the information that is being sought is relevant to a national security investigation. The case in which Judge Illston made the ruling involves an unnamed telecommunications company that received a NSL in 2011 and challenged both the letter's authority and the legitimacy of its accompanying gag order, both of which are permissible challenges under the law. The Justice Department then countersued the company for violating the law by challenging its authority.
-http://www.washingtonpost.com/world/national-security/fbi-survillance-tool-is-ruled-unconstitutional/2013/03/15/d4796396-8db9-11e2-9f54-f3fdd70acad2_story.html
-http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/
-http://www.forbes.com/sites/andygreenberg/2013/03/15/heres-the-judges-order-banning-the-fbis-secret-requests-for-companies-user-data/
-http://www.scribd.com/doc/130615238/NSL-Ban

Reuters Journalist Indicted for Allegedly Allowing Hackers Into Former Employers' System (March 15, 2013)

Reuters journalist and deputy social media editor Matthew Keys has been indicted for allegedly providing a hacker affiliated with the Anonymous group access to the Tribune Co.'s servers in 2010. Keys previously worked for a Tribune television station in Sacramento, but had lost his job several months before the incident. Keys allegedly provided an Anonymous member with a user name and password to access Tribune servers; several stories were defaced. The indictment charges Keys with conspiracy to cause damage to a protected computer, transmission of malicious code, and attempted transmission of malicious code. Keys has been suspended from his position at Reuters. If convicted on all charges, Keys faces a maximum of 25 years in prison and a fine of US $750,000. Some say that the penalties are too severe.
-http://latimesblogs.latimes.com/lanow/2013/03/matthew-keys-attorneys-hes-target-of-draconian-computer-laws.html
-http://www.nextgov.com/cybersecurity/2013/03/one-act-cyber-vandalism-worth-25-years-jail/61890/?oref=ng-channelriver
-http://www.nytimes.com/2013/03/18/technology/outcry-over-computer-crime-indictment-of-matthew-keys.html?pagewanted=all
(Please note The New York Times requires a paid subscription)
-http://uk.reuters.com/article/2013/03/15/us-thomsonreuters-keys-idUKBRE92D1CM20130315
-http://big.assets.huffingtonpost.com/MatthewKeysIndictment.pdf
[Editor's Note (Honan): A good example of why a formal leaving policy for staff, especially those that are disgruntled in any way, should include properly and immediately securing their account and changing passwords on other sensitive accounts. ]

Thieves Hack Casino Surveillance System to Carry Out AU $32 Million Cheat (March 14, 15, & 18, 2013)

In a scheme reminiscent of the movie Ocean's 11, a group of people gained access to a Melbourne, Australia casino's surveillance system and used it to view players' cards in a high stakes poker game played in a private room. The scammers fed the information to an accomplice who won AU $32 million (US $33 million). The gambler, who is known to win and lose large sums of money, has been banned from the casino and is believed to have returned to his home country.
-http://www.theregister.co.uk/2013/03/15/cctv_hack_casino_poker/
-http://www.crn.com.au/News/336797,cctv-hack-leaves-crown-casino-32-million-down.aspx
-http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337

[Editor's Note (Pescatore): A timely reminder to the security community that continuous monitoring systems are very attractive targets for attackers. ]


*************************** Sponsored Links: ******************************
1) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. http://www.sans.org/info/127407

2) Analyst Webcast: NAC Applied to SANS Critical Security Controls Wednesday, April 03, 2013 at 1:00 PM EDT (1700 UTC/GMT) Featuring: G. Mark Hardy and Scott Gordon. http://www.sans.org/info/127412

3) Join Palo Alto Networks threat webinar discussing APT1 and latest techniques malware uses to hide from traditional security. http://www.sans.org/info/127417
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Brian Krebs Targeted in SWAT Attack (March 15, 2013)

Late last week, security journalist Brian Krebs was the target of SWATting; hackers placed an emergency phone call and made it appear to come from Krebs's mobile phone. The call described a dangerous situation that caused the police to send a team of heavily armed officers to his home. Earlier the same day, Krebs's website was targeted by a denial-of-service attack. Around the same time, a company that protects his website from attacks received a letter - determined to be phony - that appeared to come from the FBI, claiming that Krebs's site was hosting illegal content and should be shut down. The multi-pronged attack on Krebs may be related to a story he published about an organization that sells access to other people's credit reports. The following morning, Ars Technica journalist Dan Goodin reported Krebs's ordeal on that site. Shortly after the story appeared, that site was hit with a denial-of-service attack that appeared to come from the same source as the attack on Krebs's site.
-http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
-http://arstechnica.com/security/2013/03/security-reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/
-http://www.washingtonpost.com/blogs/the-state-of-nova/post/swating-the-seamy-underweb-and-award-winning-fairfax-cybercrime-journalist-brian-krebs/2013/03/18/9bb15742-8f87-11e2-bdea-e32ad90da239_blog.html

[Editor's Note (Honan): Brian Krebs has an interesting update to the story where he claims to talk to the individual alleged to be behind the attack. A thought struck me as I read the encounter: we need to not only be better at providing people with skills in computer security, but we also must ensure there is a strong focus on how to use those skills in an ethical manner and not abuse them for gain, petty revenge or individual gain.
-http://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/]

Supreme Court Declines to Hear Jammie Thomas-Rasset Filesharing Appeal (March 18, 2013)

The US Supreme Court has declined to hear a petition from Jammie Thomas-Rasset, the Minnesota woman who was the first person to legally challenge a filesharing case brought by the Recording Industry Association of America (RIAA). Thomas-Rasset's case dates back to 2007. The Supreme Court has declined to hear other filesharing cases. Thomas-Rasset's appeal argued that the Copyright Act, which allows damages of up to US $150,000 for each infringement, is excessive and unconstitutional.
-http://www.wired.com/threatlevel/2013/03/scotus-jammie-thomas-rasset/

iPad Data Hacker Gets 41-Month Prison Sentence (March 18, 2013)

Andrew Auernheimer has been sentenced to 41 months in prison. Auernheimer and his accomplice, Daniel Spitler, found a way to obtain personal data of iPad owners through a publicly accessible website. When the iPad was introduced in April 2010, AT&T provided Internet access for some users, but to set up an account, users had to provide AT&T with personal information, including their email addresses. Auernheimer and Spitler wrote an automated script to gather email addresses and SIM card numbers of 120,000 iPad owners. In November 2012, Auernheimer was found guilty of identity fraud and conspiracy to access a computer without authorization. Auernheimer is appealing the verdict and the Electronic Frontier Foundation (EFF) has joined his defense.
-http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/
-http://www.theregister.co.uk/2013/03/18/auernheimer_ipad_hack_prison/
-http://www.computerworld.com/s/article/9237685/Judge_ignores_leniency_plea_hands_AT_T_hacker_a_41_month_sentence?taxonomyId=17

[Editor's Note (Honan): This sentence has unfortunately made a martyr out of an individual who appears to have conducted some questionable research and will also discourage many others from coming forward with their findings.
(Paller): What seems to be missing is a place/group, where researchers can take their findings, that has enough clout to make change happen or to disclose it with authority. A trusted group like that would separate the "researchers" who are criminals from the researchers who are actually trying to help.]

Microsoft Pushes Out Windows 7 SP1 (March 18, 2013)

Due to the approaching expiration of support for Windows 7 RTM (release to manufacturing), Microsoft will start pushing out Windows 7 Service Pack 1 (SP1) on March 19. Microsoft will no longer support Windows 7 RTM after April 8, 2013; support for Windows 7 SP1 will continue through January 13, 2015. SP1 first became available in February 2011. It will be pushed out only to those users whose machines are not managed with Microsoft management tools.
-http://www.zdnet.com/microsoft-to-push-windows-7-service-pack-1-to-users-starting-march-19-7000012769/

[Editor's Note (Pescatore): This seems so quaint, pushing out giant "Service Packs" - sort of like how funny it was when an excited Steve Martin exclaimed "The new phone book is here, I'm somebody now!" Windows 8 will be joining the Apple iOS and Google Android generations of operating systems in having App Store mechanisms with continuous updates and patching (nice Computerworld piece at
-http://www.computerworld.com/s/article/9237599/Security_pros_pan_and_praise_Microsoft_s_plans_on_updating_Modern_apps_in_Windows_8_RT)

Mobile devices are already changing how we need to think about image and version control, app security and compatibility, etc. Windows 7 will be the last hurrah for the old ways on the desktop. ]

DHS Cybersecurity Chief Resigns (March 15, 17, & 18, 2013)

Mark Weatherford, who has served for the past 16 months as the US Department of Homeland Security's (DHS's) first cybersecurity chief, has resigned, effective April 12, 2013. Weatherford will join a private consulting firm on May 1. Bruce McConnell, DHS senior counsel for cybersecurity, will step in as interim deputy undersecretary for cybersecurity when Weatherford leaves on April 12. Rand Beers, undersecretary for DHS's National Protection and Programs Directorate, said of Weatherford, "Mark is a living testament to the DHS mantra that cybersecurity is a shared responsibility. Because of his vision, we now have stronger coordination and clearer alignment with [other] agencies."
-http://www.nextgov.com/cybersecurity/2013/03/dhs-cyber-czar-mark-weatherford-step-down/61922/?oref=ng-channeltopstory
-http://fcw.com/articles/2013/03/18/mcconnell-weatherford-dhs.aspx
-http://www.scmagazine.com/head-of-cyber-security-at-dhs-resigns/article/284646/

Two Charged in Subway Sandwich Shop Point-Of-Sale Terminal Hacks (March 15 & 17, 2013)

Two men have been charged in connection with a scheme to fraudulently load US $40,000 onto Subway sandwich shop gift cards. Shahin Abdollahi and Jeffrey Thomas Wilkinson allegedly used the cards to make purchases and also sold them over the Internet. Abdollahi owned a Subway franchise from 2005 to 2008, and then he operated a business that sold point-of-sale (POS) terminals to Subway restaurants across the country. Some of the POS terminals he sold had a remote desktop tool loaded onto them. Abdollahi and Wilkinson are charged with conspiracy to commit computer intrusion and wire fraud. The men were indicted on March 6, 2013, in US District Court in Massachusetts.
-http://news.cnet.com/8301-1009_3-57574791-83/two-charged-in-theft-of-$40k-from-hacked-subway-keypads/
-http://www.computerworld.com/s/article/9237638/Two_charged_with_gift_card_hacking_scheme?taxonomyId=17

[Editor's Note (Pescatore): Between this kind of thing and the use of default passwords in remote access software, there was a huge wave of targeted attacks that siphoned millions of credit cards from fast food chain IT systems in the 2006 - 2010 timeframe. Notice this is a very good example of why supply chain integrity is *not* just a problem when the vendor is from China or off-shore. ]

GSA Contractor Database May Have Exposed User Data (March 16, 2013)

The US federal government's General Services Administration (GSA) has issued a statement acknowledging a "security vulnerability" in its System for Award Management (SAM) database that could have been exploited by system users to view other users' data. SAM contains government contractor registration records with banking information, financial details, and codes for accessing information about past performance. A GSA spokesperson said that all SAM users have been notified about the security issue. The database contains details of about 600,000 companies. GSA learned of the flaw on March 8 and fixed it by March 10. The spokesperson did not provide details about the vulnerability, so it is not known if the data were exposed through deliberate actions, such as exploiting an SQL vulnerability, or through an inadvertent situation, such as an unapplied patch or a password management error.
-http://www.nextgov.com/cybersecurity/2013/03/gsa-database-may-have-leaked-contractor-banking-and-proprietary-information/61921/?oref=ng-channelriver
-http://www.gsa.gov/portal/content/167855

Apple's Latest OS X Update Includes Fix for Java Web Start Flaw (March 15, 2013)

Apple has released an update for OS X, Mountain Lion 10.8.3, to address 21 security flaws, 11 of which could be exploited to allow remote code execution. The update also includes fixes to several stability issues. One of the vulnerabilities fixed in the update could be exploited to launch a Java Web Start application even when the Java plug-in is disabled. The Java Web Start patch is available for OS X Lion and Lion Server versions 10.7 to 10.7.5, and OS X Mountain Lion versions 10.8 to 10.8.2. The last security update for Mountain Lion was released in September 2012. The update also includes the most recent version of Apple's Safari browser, version 6.0.3.
-http://www.scmagazine.com/apple-updates-mountain-lion-os-includes-java-web-start-fix/article/284647/
-http://arstechnica.com/security/2013/03/apple-purges-os-x-flaw-that-let-java-apps-run-when-plugin-was-disabled/
-http://www.informationweek.com/security/vulnerabilities/apple-os-x-update-fixes-21-vulnerabiliti/240150898
-http://www.h-online.com/security/news/item/Apple-ships-fixes-for-new-Java-Web-Start-hole-1824127.html
-http://www.theregister.co.uk/2013/03/15/os_x_mountain_lion_v10_8_3/
-http://support.apple.com/kb/HT5672


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/