SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #54

July 09, 2013

TOP OF THE NEWS

Vulnerabilities in Emergency Alert Systems
EPIC Asks US Supreme Court to Halt NSA's Broad Collection of Phone Records
Dark Seoul Attacks are Part of Larger Cyberespionage Operation

THE REST OF THE WEEK'S NEWS

US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria
Japan's Nintendo Fan Site Data Compromised
Cryptocat Fixes Encryption Flaw
Judge Orders US Government to Release Documents About Aaron Swartz
European Parliament Demands Information on PRISM
Updated COPPA Rules Now in Effect
Microsoft's July Security Update Includes Six Critical Bulletins
UK ICO Has "Serious Questions" About Google's Privacy Policy

---

************************* SPONSORED BY Bit9 *****************************
New Whitepaper: IT security threats have advanced across a spectrum of sophistication and scale yet defenses continue to fail. The evolution of defense has produced fragmentation among security tools that keeps them from working together to deliver more effective response. Learn how to close gaps and eliminate blind spots at servers/endpoints that are often the target of attacks.

http://www.sans.org/info/134457
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.


--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/special

Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Vulnerabilities in Emergency Alert Systems (July 8, 2013)

Late last month, the US Computer Emergency Response Team (CERT) issued a vulnerability note about vulnerabilities in certain Emergency Alert System decoders, devices used to interrupt television and radio broadcasts. The flaws could be exploited to gain control of the systems and broadcast phony warnings. The flaws include a private root SSH key distributed in publicly available firmware images. There have been reports in the past several years of attacks on such systems on the local level. Some of the vendors have already issued fixes for the issues, according to the CERT advisory.
-http://www.wired.com/threatlevel/2013/07/eas-holes/
-http://www.kb.cert.org/vuls/id/662676

EPIC Asks US Supreme Court to Halt NSA's Broad Collection of Phone Records (July 8, 2013)

The Electronic Privacy Information Center (EPIC) has petitioned the Supreme Court of the United States (SCOTUS) to halt the National Security Agency's (NSA's) collection of phone record metadata. EPIC's reasoning for going directly to SCOTUS is that it cannot appeal to the Foreign Intelligence Surveillance Court and there is no other court with the authority to vacate that court's orders. Section 215 of the Patriot Act allows the Foreign Intelligence Surveillance Court to authorize warrants in cases where the government shows that the information sought is relevant to an authorized investigation. EPIC also argues that all phone records cannot be relevant to an investigation.
-http://www.wired.com/threatlevel/2013/07/scotus-nsa-spying/
-http://arstechnica.com/tech-policy/2013/07/supreme-court-asked-to-halt-nsa-phone
-surveillance/
Petition:
-https://epic.org/EPIC-FISC-Mandamus-Petition.pdf

Dark Seoul Attacks are Part of Larger Cyberespionage Operation (July 8, 2013)

According to a study from McAfee Labs, the attacks launched against computers in South Korea in March, known as Dark Seoul, were part of a larger cyberespionage operation that is seeking military secrets. The scheme, dubbed "Operation Troy," in a nod to references to the ancient city in the malware's code, dates back to at least 2009. McAfee began investigating in March after attacks wiped data from computers at South Korean banks and television networks. Those behind the attacks are also targeting South Korean and US military data; the group uses malware that finds and uploads information about US/South Korean joint military exercises.
-http://www.bbc.co.uk/news/technology-23227543
-http://arstechnica.com/security/2013/07/hard-drive-wiping-malware-that-hit-s-kor
ea-tied-to-military-espionage/
-http://www.cbsnews.com/8301-202_162-57592604/hackers-targeting-u.s-south-korea-a
re-after-military-secrets-cybersecurity-experts-say/

---

*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/134462

2) REPORT: Business-tested, Gartner-approved: WhiteHat named a Leader in Application Security Testing in New Magic Quadrant Report http://www.sans.org/info/134467
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria (July 8, 2013)

Internet-monitoring devices made in the US have been detected on computer networks in Iran and Sudan; their presence is a violation of US sanctions banning sale of technology to those countries. Some of the Blue Coat Systems devices have also been detected on networks in Syria. In that country, the tools have been used to censor websites and monitor communications of people questioning the government there. The tools are designed for web filtering and traffic analysis and can be used to view some encrypted traffic. Blue Coat says it cannot track who is using its products or how they are being used, but acknowledges that it can block devices from receiving company updates. Researchers say that means the company could possibly identify the locations of the devices in use.
-http://www.washingtonpost.com/world/national-security/report-web-monitoring-devi
ces-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11
e2-a301-ea5a8116d211_story.html

Japan's Nintendo Fan Site Data Compromised (July 8, 2013)

An attack on Japan's Club Nintendo website compromised nearly 24,000 user accounts. In a brute force attack, more than 15.5 million logins were attempted between June 9 and July 5, 2013. It is possible that the information being used to attempt the logins was taken from another website. The exposed information includes names, email and street addresses, and phone numbers. The site has four million members.
-http://arstechnica.com/security/2013/07/mass-login-attack-on-nintendo-fan-site-h
ijacks-24000-accounts/
-http://www.zdnet.com/club-nintendo-site-hacked-customer-data-exposed-7000017744/
-http://www.theregister.co.uk/2013/07/08/nintendo_brute_force_attack/
-http://www.computerworld.com/s/article/9240613/Nintendo_39_s_fan_site_hit_by_ill
icit_logins_24_000_accounts_accessed?taxonomyId=17
[Editor's Note (Murray): We are seeing one of these compromises every week. One now wants to be very careful about doing business with these sites that do not offer strong authentication.]

Cryptocat Fixes Encryption Flaw (July 8, 2013)

Developers of the open-source instant messenger Cryptocat have acknowledged a security flaw in the application that suggests users' communications were vulnerable to snooping for at least seven months. Several lines of code in the keys used to encrypt group chats were easy to decipher. The flaw has been addressed in Cryptocat 2.0.42, but the developers urge users to upgrade to Cryptocat 2.1.x.
-http://www.zdnet.com/encrypted-im-app-left-vulnerable-to-snooping-for-7-months-7
000017748/
-http://arstechnica.com/security/2013/07/bad-kitty-rooky-mistake-in-cryptocat-cha
t-app-makes-cracking-a-snap/

Judge Orders US Government to Release Documents About Aaron Swartz (July 8, 2013)

A federal judge has ordered the US government to release Secret Service documents about Aaron Swartz. The government must "promptly release to Plaintiff all responsive documents that it has gathered thus far and shall continue to produce additional responsive documents that it locates on a rolling basis," wrote US District Judge Colleen Kollar-Kotelly. The government must immediately start releasing documents it has already processed, and it has until August 5 to answer and produce a timetable for release of the rest of the documents.
-http://www.wired.com/threatlevel/2013/07/swartz-foia/

European Parliament Demands Information on PRISM (July 7 & 8, 2013)

The European Parliament has passed a resolution demanding that the US government provide "full information on PRISM and other such programmes involving data collection." In addition, the European Parliament Civil Liberties Commission has voted to launch an "in-depth inquiry" into privacy and civil rights issues for EU citizens raised by PRISM. The Parliament is calling on member nations to consider putting a hold on counter-terrorism data transfer agreements with the US until the data are better protected.
-http://www.computerworld.com/s/article/9240634/Fallout_from_NSA_surveillance_pro
gram_disclosures_spreads?taxonomyId=17
-http://www.washingtonpost.com/blogs/wonkblog/wp/2013/07/07/european-outrage-abou
t-the-nsa-could-force-us-to-rethink-our-surveillance-laws/
-http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2013-0
322&language=EN
-http://www.europarl.europa.eu/news/en/pressroom/content/20130701IPR14770/html/Pa
rliament-to-launch-in-depth-inquiry-into-US-surveillance-programmes

Updated COPPA Rules Now in Effect (July 5, 2013)

The US Federal Trade Commission's (FTC's) revised rules for the Children's Online Privacy Protection Act of 1998 (COPPA) took effect on July 1, 2013. The law prohibits the collection of personal data from children without first obtaining verifiable parental consent. It also requires websites to have clear and accessible privacy policies, and to ensure the security of information it collects from children under age 13. The updated rules specify that personal information now includes "geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services," and photos, videos, and sound recordings. COPPA applies to smartphone apps as well as websites.
-http://www.informationweek.com/security/privacy/child-privacy-online-ftc-updates
-coppa-r/240157734
COPPA Amendments:
-http://www.ftc.gov/os/fedreg/2013/01/130117coppa.pdf
[Editor's Note (Henry): Interesting. Remove "children" and "parental" and replace with the word "people" and it sounds like it suits everyone's needs...
(Pescatore): Since COPPA applies only if a site has "actual knowledge that they are collecting, using, or disclosing personal information from children under 13" the FTC has promised more information "soon" on better definition of what constitutes "actual knowledge." The FTC also has a "Safe Harbor" program (see
-http://business.ftc.gov/content/safe-harbor-program)
where industry groups can submit their self-regulation guidelines to the FTC for approval.
(Murray): These rules were published in January and drew limited comment. However, they have significant impact. Third parties are complaining because the rules discourage "child directed services" from placing their cookies.]

Microsoft's July Security Update Includes Six Critical Bulletins (July 4, 5, 6, & 8 2013)

On Tuesday, July 9, Microsoft plans to issue seven security bulletins, six of which address remote code execution flaws and are rated critical. The seven bulletins will address flaws in all currently supported versions of Windows and Microsoft Office, as well as Lync, Silverlight, Visual Studio, and Internet Explorer (IE) versions 6 through 10 on Windows 8 and Windows RT. One of the flaws likely to be addressed is a Windows kernel issue that a researcher posted to the Full Disclosure mailing list in early June, once again inciting pointed discussion about responsible disclosure.
-http://technet.microsoft.com/en-us/security/bulletin/ms13-jul
-http://www.eweek.com/security/microsoft-plans-critical-windows-security-patches/
-http://www.v3.co.uk/v3-uk/news/2279824/microsoft-readies-six-critical-security-u
pdates-for-patch-tuesday
-http://www.h-online.com/security/news/item/Microsoft-Patch-Tuesday-to-close-kern
el-hole-1911898.html
-http://www.zdnet.com/julys-patch-tuesday-to-fix-six-critical-windows-office-ie-s
ecurity-vulnerabilities-7000017747/
-http://www.theregister.co.uk/2013/07/05/ms_july_2013_patch_tuesday_prealert/
-http://www.computerworld.com/s/article/9240581/Internet_Explorer_pegged_for_crit
ical_fix_on_Tuesday?taxonomyId=17
[Editor's Note (Shpantzer): Some of these are also on OS X:
-http://technet.microsoft.com/en-us/security/bulletin/ms13-022]

UK ICO Has "Serious Questions" About Google's Privacy Policy (July 4 & 5, 2013)

The UK's Information Commissioner's Office (ICO) has given Google until September 20, 2013 to alter its privacy policy to comply with the UK Data Protection Act, or face "formal enforcement action." The ICO said that Google's current policy "does not provide sufficient information to enable UK users of Google's services to understand how their data will be used across all of the company's products." Privacy watchdogs in other European countries have issued similar warnings.
-http://www.theregister.co.uk/2013/07/05/ico_threatens_to_fine_google_over_privac
y_policy_tweaks/
-http://crave.cnet.co.uk/software/google-must-change-privacy-policy-says-uk-watch
dog-50011656/
-http://www.computerworld.com/s/article/9240584/Google_ordered_to_change_its_priv
acy_policy_in_the_UK?taxonomyId=17
-http://www.bbc.co.uk/news/technology-23187771

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/