SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #58

July 23, 2013

Expert commentary on the new Senate bill: The U.S. Senate's recently announced draft cybersecurity bill drew a strong reaction from NewsBites editor Shawn Henry who served as Assistant Executive Director of the FBI overseeing both the Criminal and Cyber Divisions.

"As someone who has been 'behind the curtain' and watched these deliberations from the inside over the past seven years, this is frustrating. As a private citizen and a taxpayer, it's frightening. I understand how hard a problem this is and I recognize the competing interests, but some things are of such concern we must step outside our comfort zone and make meaningful decisions, regardless of the political fallout.

"I've been in briefings and hearings with these Senators; they say they understand the threat, and how important this issue is. They supported and funded the Comprehensive National Security Initiative (CNCI), which was developed under the Bush administration in 2007 and adopted by the Obama administration in May 2009; it was a substantive plan to address many of these issues. Yet here we sit more than six years later, arguably in a worse place than we were in, and we're still talking about 'voluntary guidelines' and studying vulnerabilities? ARE YOU KIDDING ME?! I imagine our adversaries are drinking a toast to this."

---

TOP OF THE NEWS

Apple Developer Site Hacked
Foreign Intelligence Surveillance Court Renews NSA's Authority to Gather Phone Metadata
US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights
NSA Adopts Procedures to Protect Data on its Networks

THE REST OF THE WEEK'S NEWS

SIM Card Vulnerability Affects Millions of Devices
Critics Say UK Prime Minister's Web Filtering Plan is Misguided
Study Finds Many Organizations are Running Old, Vulnerable Versions of Java
Ubuntu Forums Data Breach Exposed Member Data
Judge Allows Amicus Briefs in Motion to Dismiss FTC Lawsuit Against Wyndham
New Jersey Supreme Court Rules Warrants Necessary for Phone Location Data Access

---

*************************** SPONSORED By Bit9 ***************************
Live Webcast: Combat Advanced Threats with Next-Generation Threat Prevention. Modern cyberattacks span multiple technologies, existing simultaneously in the network as well as on the endpoint. Join this webinar to learn best practices for integrating next-generation network and endpoint security solutions so you can detect, prevent and respond to advanced cyberattacks.

Register Today! http://www.sans.org/info/135767
***************************************************************************
TRAINING UPDATE

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

- --Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Melbourne, Bangalore, and Baltimore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Apple Developer Site Hacked (July 22, 2013)

Apple has acknowledged that its developer site was hacked last week. The site has been unavailable since Thursday, July 18. Some users have reported receiving password reset email messages, which suggests that information was stolen and being misused. Apple is conducting a complete overhaul of the site. Internet Storm Center:
-https://isc.sans.edu/diary/Apple+Developer+Site+Breach/16210
-http://www.computerworld.com/s/article/9240928/Apple_confirms_hack_of_its_develo
per_website?taxonomyId=17
-http://www.scmagazine.com//hackers-attempt-to-steal-data-of-apple-developer-site
-members/article/303922/
-http://www.zdnet.com/amid-extended-apple-developer-site-downtime-users-report-un
authorized-password-reset-emails-7000018333/
-http://arstechnica.com/apple/2013/07/apple-blames-days-long-developer-center-out
age-on-intruder/

Foreign Intelligence Surveillance Court Renews NSA's Authority to Gather Phone Metadata (July 22, 2013)

The US Foreign Intelligence Surveillance Court has renewed its order granting the National Security Agency (NSA) authority to collect metadata from telecommunications companies. The decision to renew the program was made "in light of the significant and continuing public interest in the telephony metadata collection program." The order does not allow access to content of phone calls or the identity of subscribers.
-http://www.computerworld.com/s/article/9240931/U.S._court_renews_permission_to_N
SA_to_collect_phone_metadata?taxonomyId=17
-http://www.zdnet.com/foreign-intelligence-surveillance-court-asserts-authority-o
ver-phone-records-7000018323/
-http://arstechnica.com/tech-policy/2013/07/snowden-be-damned-government-renews-u
s-call-record-order/

US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights (July 19, 2013)

The US government has responded to a series of lawsuits challenging the NSA's authority to snoop on phone records, saying that the intelligence agency's activity cannot be challenged in court. The Obama administration maintains that the actions do not violate citizens' constitutional rights and are conducted in the "public interest."
-http://www.wired.com/threatlevel/2013/07/spygate-snooping-standing/
US DOJ Filing:
-http://www.wired.com/images_blogs/threatlevel/2013/07/nsaacluresponse.pdf

NSA Adopts Procedures to Protect Data on its Networks (July 18, 2013)

New rules adopted by the National Security Agency (NSA) aim to protect the top-secret data stored on its networks. A "two-man rule" requires that two systems administrators to work together when accessing systems containing highly classified data. The system is based on a similar procedure used in the handling of nuclear weapons. The NSA also plans to implement strong encryption for its most sensitive data. (Please note: The New York Times requires a paid subscription.)
-http://www.nytimes.com/2013/07/19/us/military-to-deploy-units-devoted-to-cyber-o
perations.html?src=recg

---

************************* Sponsored Links: *****************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/135772

2) GARTNER REPORT: WhiteHat Security named a Leader in Application Security Testing in New Magic Quadrant Report http://www.sans.org/info/135777

3) Tool Talk Webcast: Thursday, July 25, 2013 at 1:00 PM EDT. Security Visibility in Under An Hour with AlienVault USM Featuring: Christopher Meile. http://www.sans.org/info/135782
**************************************************************************

---

THE REST OF THE WEEK'S NEWS

SIM Card Vulnerability Affects Millions of Devices (July 22, 2013)

Researchers say that they have found a vulnerability that can be exploited to hack SIM cards remotely. The method leaves no evidence, and there is "no way of preventing it or even noticing it," according to Karsten Nohl, founder of Security Research Labs. Hackers could exploit the flaw to download software to compromised devices, locate the devices, send texts and make calls. In addition, attackers could access all stored data, including financial account information. The vulnerability lies in mobile carriers' use of the outdated Data Encryption Standard (DES) technology for over-the-air Short Message Service transmission. The United Nations' International telecommunications Union has issued a warning about the vulnerability.
-http://www.reuters.com/article/2013/07/21/net-us-mobile-hacking-idUSBRE96K04N201
30721
-http://www.scmagazine.com//hundreds-of-millions-at-risk-from-sim-card-vulnerabil
ity/article/304013/
-http://arstechnica.com/security/2013/07/crypto-flaw-makes-millions-of-smartphone
s-susceptible-to-hijacking/
-http://www.theregister.co.uk/2013/07/22/mobile_gsm_sim_card_crypto_crack/
-http://www.computerworld.com/s/article/9240927/SIM_cards_vulnerable_to_hacking_s
ays_researcher?taxonomyId=17
-http://www.nbcnews.com/technology/un-group-issue-warning-about-mobile-phone-hack
ing-6C10699399

Critics Say UK Prime Minister's Web Filtering Plan is Misguided (July 22, 2013)

UK Prime Minister David Cameron's plan to make Internet service providers (ISPs) and search engines filter pornography is seen by some as misguided. Open Rights Group executive director Jim Killock notes that "banning search terms seems unlikely to combat the serious activity, which is independent of search engines." And technology journalist Simon Bisson writes, "What the UK government should be concentrating on is an effort to break the financial ties that hold the darknets together. Finding who holds the purse strings is a complex task, but it's a technique that has been proven to work time and time again. And perhaps it should also be noted that it's an approach that's well within the capabilities of the powerful surveillance tools that government security agencies have put in place ... to combat terrorism."
-http://www.zdnet.com/the-key-to-cleaning-up-the-internet-is-tackling-the-darknet
s-not-letting-censorship-in-by-the-back-door-7000018339/
-http://www.bbc.co.uk/news/uk-23401076
-http://crave.cnet.co.uk/software/online-porn-to-be-blocked-in-the-uk-unless-you-
opt-in-50011774/
-http://www.computerworld.com/s/article/9240937/U.K._Prime_Minister_warns_Interne
t_companies_to_ban_child_abuse_search_terms?taxonomyId=17
Draft of Cameron's Speech:
-https://www.gov.uk/government/speeches/the-internet-and-pornography-prime-minist
er-calls-for-action
[Editor's Note (Honan): To clarify the proposal from the UK Government is to by default for ISPs to block all websites containing pornography. In order to access such material the customer would have to opt-in. It appears that already Mr Cameron realises there will be lots of issues with this approach
-http://www.independent.co.uk/news/uk/politics/online-porn-ban-david-cameron-retr
eats-in-war-on-internet-porn-admitting-there-will-be-problems-down-the-line-amid
-debate-over-censorship-8726991.html]

Study Finds Many Organizations are Running Old, Vulnerable Versions of Java (July 22, 2013)

According to a study from Bit9, many organizations are running outdated, vulnerable versions of Java. Eight-two percent of organizations were found to be running Java 6, which is considered to be the most vulnerable version. Many organizations have more than 50 different versions of Java installed on their machines. This is due to the fact that the Java installation and update process does not remove older versions of the software. Companies would be well-advised to update to the newest Java release, Java version 7, update 25. Less than one percent of organizations were found to be running this latest version of Java.
-http://www.zdnet.com/failure-to-clean-up-old-java-is-leaving-enterprises-vulnera
ble-to-attack-7000018371/
-https://www.bit9.com/download/reports/Java%20Vulnerabilities%20Write%20Once,%20P
wn%20Anywhere.pdf
[Editor's Note (Honan): Too often companies rely solely on their patching process to address vulnerabilities without verification that the vulnerabilities have been properly addressed. An effective information security management program should have an effective patching process in place and that it is integrated with the vulnerability management process to ensure no vulnerabilities exist post patching.]

Ubuntu Forums Data Breach Exposed Member Data (July 21, 2013)

The Ubuntuforums.org online distribution community is offline while the organization cleans up in the wake of a breach that compromised usernames, passwords, and email addresses. The data were stored in the Ubuntu Forums database as salted hashes. Users who employ the same password across several sites are urged to change those passwords. Of the more than 1.8 million members affected, just about 19,500 are classified as active, which means that most may not learn of the breach. Internet Storm Center:
-https://isc.sans.edu/diary/Ubuntu+Forums+Security+Breach/16201
-http://www.theregister.co.uk/2013/07/21/ubuntu_forums_breached_18_passwords_pinc
hed/
-http://www.zdnet.com/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen-70
00018336/
-http://arstechnica.com/security/2013/07/hack-exposes-e-mail-addresses-password-d
ata-for-2-million-ubuntu-forum-users/

Judge Allows Amicus Briefs in Motion to Dismiss FTC Lawsuit Against Wyndham (July 19, 2013)

The US Chamber of Commerce and other interested groups have filed amicus briefs supporting Wyndham Worldwide's motion to dismiss a lawsuit brought by the US Federal Trade Commission (FTC). The case is being closely watched as a test of the FTC's authority to impose fines and settlement agreements with companies that suffer breaches of customer data. The FTC's lawsuit accuses Wyndham of deceptive practices for leading customers to believe that their personal data were better protected than they actually were. The motion for dismissal questions FTC's authority to enforce data security standards.
-http://www.computerworld.com/s/article/9240910/Wyndham_lawsuit_tests_FTC_s_data_
security_enforcement_authority?taxonomyId=17
-http://www.bna.com/wyndham-case-threatens-b17179875319/

New Jersey Supreme Court Rules Warrants Necessary for Phone Location Data Access (July 19, 2013)

The Supreme Court of the State of New Jersey has ruled that law enforcement must have warrants to access mobile phone location data. Cellphone users have a reasonable expectation of the privacy of their cellphone location data, and "when people make disclosures to phone companies and other providers to use their services, they are not promoting the release of personal information to others," according to the unanimous ruling.
-http://www.computerworld.com/s/article/9240908/N.J._Supreme_Court_rules_warrants
_needed_for_phone_tracking?taxonomyId=17
-http://www.judiciary.state.nj.us/opinions/supreme/A5311StatevThomasWEarls.pdf

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/