SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #39

May 17, 2013

TOP OF THE NEWS

Software Security Standards Gaining Traction

THE REST OF THE WEEK'S NEWS

Attorney General Tells Senate Judiciary Committee That Government Should Get Warrants to Access Stored Cloud Content
LulzSec Hackers Sentenced
IRS Sued for Allegedly Stealing Electronic Health Records of 10 Million Individuals
Mozilla Releases Firefox 21
Critical Linux Kernel Flaw Patched, Exploit Code Released
FBI Shares Information About Financial Site DDoS Attacks With Bank Officials
California's Mobile App Privacy Law Test Case Unsuccessful
Microsoft Patch Tuesday Includes Fox for IE8 Zero-Day
Adobe Issues Updates for Multiple Products

---

*********************** SPONSORED BY Veracode ***************************
Special Webcast: "The Intractable Problem of Software Security"- Friday, May 24, 2013 at 1:00 PM EDT. Join Chris Wysopal, Veracode's Co-Founder and CTO, as he discusses the current and future state of appsec. He will dive into the data that drive the predictions detailed in the Veracode's fifth annual State of Software Security Report. This report pulls data from tens of thousands of live application scans performed on the Veracode Platform. http://www.sans.org/info/130972
***************************************************************************
TRAINING UPDATE

- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Software Security Standards Gaining Traction (May 14, 2013)

At a conference earlier this week, Microsoft announced its support for ISO 27034, an international standard that lays out processes and practices for secure software development. On the same day at the same conference, the Software Assurance Forum for Excellence in Code (SAFECode), an organization that promotes secure software development practices, announced the availability of free training modules on secure coding practice for developers. The first portion of the International Organization for Standardization's (ISO's) secure programming techniques document, 27034-1, was released in November 2011. It describes elements of a secure development process, which is useful information for both developers and consumers.
-http://www.eweek.com/security/microsoft-it-industry-push-software-security-stand
ard/
[Editor's Note (Pescatore): I had a long chat at the RSA Conference with Steve Lipner of Microsoft on this. I'm very leery of software development process certification as the end-game in commercial application security. It sort of reminds me of the ISO 9000 wave and all the studies that couldn't really find measurable quality benefits from ISO 9001 certification. I remember a Dartmouth study on 11 years of data from ISO 9000 efforts that did show such certification did have a signaling effect: in a global market where it is hard to judge suppliers, quality certification became a competitive "signal" ("I care enough about quality to spend a lot of money getting certified") that has a positive effect overall because it makes quality a competitive attribute, but it comes at a very high expense. SAS-70 is another cautionary tale that SSAE 16 did attempt to learn from. But, I think the real improvements in software quality from a vulnerability perspective will still require the same efforts that the case studies of actual increases in manufacturing quality almost invariably show: better testing before declaring a product "ready to release to manufacturing" tied to formal processes that feedback upstream to product development to eliminate root causes of recurring faults/vulnerabilities. If process certification fosters/emphasizes that, good value for the expense - but the history of process certification tends invariably to increase overhead and decrease value over time. ]

---

*************************** Sponsored Links: ******************************
1) AlienVault USM delivers complete security visibility in minutes. Download the Free 30-Day Trial. http://www.sans.org/info/130977

2) If you're worried about advanced threats and needing more visibility, attend this upcoming SANS webcast: Security Intelligence in Action: SANS Analyst Dave Shackleford Reviews McAfee's Enterprise Security Manager Wednesday, May 22 at 1 PM EDT http://www.sans.org/info/130982

3) At the Mobile Device Security Summit experts/practitioners detail proven approaches to securing BYOD. Maximize your training. Attend SEC575: Mobile Device Security & Ethical Hacking or SEC579: Virtualization and Private Cloud Security. http://www.sans.org/info/130987
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Attorney General Tells Senate Judiciary Committee That Government Should Get Warrants to Access Stored Cloud Content (May 16, 2013)

US Attorney General Eric Holder told the House Judiciary Committee that he supports requiring that the government obtain a probable-cause warrant to access email and other cloud-stored content. In April, the committee approved proposed legislation that would alter a portion of the 1986 Electronic Communications Privacy Act (ECPA) allowing law enforcement to access content stored in the cloud, unopened, for more than 180 days.
-http://www.wired.com/threatlevel/2013/05/holder-email-warrants/
-http://www.zdnet.com/u-s-attorney-general-government-should-get-a-warrant-before
-email-cloud-storage-snooping-7000015493/
[Editor's Note (Pescatore): I think this will need to be batted back and forth some more times, but treating data stored in the cloud the same as data stored on a local hard drive will inevitably be the end result. However, the geolocation issue will continue to throw sand in the gears.
(Murray): I heard the testimony. Very guarded. While the DoJ will not oppose changes to ECPA, it asserts that it permits warrantless access. They will continue to engage in it until and unless the law is changed. ]

LulzSec Hackers Sentenced (May 16, 2013)

A judge in the UK has sentenced four people for their involvement with attacks on computer systems at Sony, the CIA, the UK's Serious Organised Crime Agency (SOCA) and other organizations. One received a suspended sentence, while the other three received prison sentences ranging from 24 to 32 months. All four are associated with the LulzSec hacking group.
-http://www.theregister.co.uk/2013/05/16/lulzsec_sentencing/
-http://www.bbc.co.uk/news/technology-22552753
-http://news.cnet.com/8301-1009_3-57584774-83/lulzsec-case-in-u.k-brings-sentence
s-for-4-men/

IRS Sued for Allegedly Stealing Electronic Health Records of 10 Million Individuals (May 15, 2013)

A lawsuit filed in California alleges that the US Internal Revenue Service (IRS) violated the Health Insurance Portability and Accountability Act (HIPAA) when it seized electronic health records belonging to 10 million US citizens. The lawsuit, filed by an attorney on behalf of a corporate client identified as John Doe Co., alleges that when the 15 IRS agents raided the company in March 2011, they did not have a search warrant or a subpoena. The seized records include "information about treatment for any kind of medical condition, ... and a wide range of medical matters covering the most intimate and private of concerns." The seized data were in electronic format and were allegedly taken in connection with an investigation into "a tax matter involving a former employee of the company." The lawsuit is seeking monetary damages as well as a court order requiring the IRS to return the records and remove them from their databases.
-http://www.nextgov.com/health/2013/05/lawsuit-says-irs-illegally-seized-60-milli
on-health-records/63179/?oref=ng-HPtopstory
[Editor's Comment (Northcutt): Doubt this will remain "John Doe Co" long! Here is the actual suit:
-http://docs.ismgcorp.com/files/external/IRS_medical_record_case_3_15_13.pdf
The attorney involved, Robert E Barnes, is well known and is a specialist in IRS matters, his website is both interesting and informative:
-http://en.wikipedia.org/wiki/Robert_E._Barnes
-http://www.barneslawllp.com]

Mozilla Releases Firefox 21 (May 15, 2013)

Mozilla has released Firefox 21, which addresses 13 security issues in the previous version of the browser. Firefox 21 also introduces a feature called "Health Report" which lets users see information about the browser's performance, including start-up times, total running time, and crashes, as well as the number of plug-ins, add-ons, and bookmarks. Mozilla has also released Firefox 21 for Android.
-http://www.zdnet.com/firefox-21-release-adds-to-social-api-closes-security-holes
-7000015429/
-http://www.h-online.com/security/news/item/Mozilla-s-Firefox-update-fixes-three-
critical-holes-1863449.html
-http://download.cnet.com/8301-2007_4-57584463-12/firefox-21-adds-a-new-health-re
port/

Critical Linux Kernel Flaw Patched, Exploit Code Released (May 15, 2013)

Last month, developers quietly issued a patch for a vulnerability in the Linux kernel's performance counters subsystem that has been present for more than two years. The flaw could be exploited to give users with restricted accounts root access to vulnerable machines. Earlier this week, exploit code for the flaw was made publicly available, underscoring the vulnerability's severity. The Linux kernel patch issued last month did not specify that it was addressing a critical flaw. Those responsible for systems with untrusted accounts should find out from their distributors when a patch will be available.
-http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-us
ers-even-after-silent-fix/

FBI Shares Information About Financial Site DDoS Attacks With Bank Officials (May 14, 2013)

The FBI recently granted US bank executives and security officers one-day security clearances so that the agency could share cyberthreat information with them. Specifically, the FBI wanted to share classified intelligence about Operation Ababil, the series of distributed denial-of-service (DDoS) attacks that have been targeting US banking and financial websites for the past year. Many of those institutions have expressed frustration at the apparent lack of progress in the case. FBI executive assistant director Richard McFeely said that some sealed indictments have been issued for suspects' arrest, but indicated that those suspects are currently operating in countries that do not have extradition treaties with the US.
-http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-dd
os-attac/240154858
-http://www.zdnet.com/fbi-trains-bank-executives-on-cyberattack-threats-700001533
4/
[Editor's Note (Pescatore): From the perspective of shareholders of those banks, was there really payback in the CEOs, CFOs and CISOs getting classified briefing about the progress of catching the DDoS perpetrators? One day's salary of a large bank CEO goes a long way towards procuring DDoS mitigation services.
(Honan): It is refreshing to see government agencies share information with the private sector. All too often the sharing goes one way with nothing coming back from the government side. ]

California's Mobile App Privacy Law Test Case Unsuccessful (May 14, 2013)

A California Superior Court judge has dismissed a lawsuit brought against Delta Air Lines for allegedly failing to comply with state laws regarding mobile application privacy. The lawsuit, filed by California Attorney General Kamala Harris, alleged that Delta had violated California's Online Privacy Protection Act because it did not disclose how its Fly Delta smartphone app collected and used customer data. Delta argued that the state law is superseded by the Federal Airline Deregulation Act, which says that states may not enforce laws that affect airlines' fares, routes, or services. Delta maintained that its mobile app was a service and Judge Marla Miller agreed.
-http://www.computerworld.com/s/article/9239193/First_California_lawsuit_over_mob
ile_privacy_issues_crashes?taxonomyId=17

Microsoft Patch Tuesday Includes Fix For IE8 Zero-Day (May 14, 2013)

On Tuesday, May 14, Microsoft released 10 security bulletins to address a total of 33 vulnerabilities in various products. Included in this patch of patches is a fix for a zero-day flaw in Internet Explorer 8 (IE8) for which Microsoft issued an advisory less than two weeks ago. Two of the bulletins are rated critical; both address security issues in IE.
-http://www.scmagazine.com/microsoft-mends-33-vulnerabilities-in-patch-tuesday-re
lease-including-internet-explorer-8-zero-day/article/293338/
-http://www.computerworld.com/s/article/9239204/Microsoft_rushes_Internet_Explore
r_8_patch_release?taxonomyId=17
-http://www.zdnet.com/microsoft-fixes-two-critical-ie-security-flaws-including-nu
ke-zero-day-7000015369/

Adobe Issues Updates for Multiple Products (May 14, 2013)

Adobe has issued security updates to address critical flaws in Reader, Acrobat, Flash Player, and ColdFusion. The updates for Reader and Acrobat address a total of 27 vulnerabilities, 24 of which could be exploited to execute arbitrary code. The updates for Flash address 13 vulnerabilities, and a hotfix for ColdFusion addresses two flaws.
-http://www.computerworld.com/s/article/9239199/Adobe_releases_critical_security_
updates_for_Reader_Flash_Player_and_ColdFusion?taxonomyId=17
-http://www.h-online.com/security/news/item/Urgent-security-patches-for-ColdFusio
n-Adobe-Reader-Acrobat-and-Flash-1863234.html
-http://www.zdnet.com/adobe-unleases-critical-patches-for-coldfusion-reader-and-f
lash-7000015414/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/