SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #73

September 13, 2013

TOP OF THE NEWS

US Government May Be Using Border Searches to Circumvent Fourth Amendment Protections
Latest Java Update Includes Whitelisting Feature
Microsoft Fixes 47 Flaws, Pulls Problematic Stability Fix for Outlook 2013
Adobe Releases Security Updates for Flash, Shockwave, and Other Products

THE REST OF THE WEEK'S NEWS

Vodafone Germany Database Breached
Kimsuky Cyberespionage Campaign Targets South Korean Think Tanks
Three-Year Prison Sentence for Hacking Police Web Sites
Lavabit Owner Appealing Surveillance Order
Judge Dismisses Class Action Lawsuit in Barnes & Noble Skimming Case
New Variant of Tibet OS X Malware Detected
Federal Appeals Court Denies Google's Bid to Dismiss Street View Lawsuit
US Federal Regulators Say Banks Need to Keep a Close Eye on Vendor Security

---

*********************** Sponsored By Symantec ***************************
Symantec Intelligence Report: June 2013 The monthly intelligence report, provides the latest analysis of cyber security threats, trends, and insights from the Symantec intelligence team concerning malware, spam, and other potentially harmful business risks. Learn more.
http://www.sans.org/info/139225
***************************************************************************
TRAINING UPDATE

-- Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


-- Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


-- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- SANS London 2013 London, UK November 16-25, 2013 17 courses.
http://www.sans.org/event/london-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


- - -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Chicago, and Ft. Lauderdale all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

US Government May Be Using Border Searches to Circumvent Fourth Amendment Protections (September 10, 2013)

Documents recently released regarding the seizure of a laptop and other electronic media devices by border US agents suggest that the US Department of Homeland Security (DHS) may be using "travel alerts" to get a look at data for which they would not otherwise be granted a warrant. The documents relate to the case of David House, a Massachusetts man who had befriended Bradley Manning, now known as Chelsea Manning. Federal officials wondered whether House knew anything about a batch of documents that Manning had shared with WikiLeaks but which had not yet been published. House was placed on a "travel list," and when he returned from a vacation in Mexico in 2010, federal agents seized his laptop, camera, flash drive and cell phone. The laptop was held for seven weeks, and a year after the incident, US agents said that House had done nothing wrong and they promised to destroy all copies of data made from his devices. The federal records were surrendered after a two-year battle with the ACLU, which sued the government on House's behalf. The ACLU maintains that "the settlement documents demonstrate that the seizure of House's computer was unrelated to border security or customs enforcement. It was simply an opportunity to conduct a suspicionless search that no court would ever have approved inside the country."
-http://www.zdnet.com/no-warrant-no-problem-us-govt-uses-travel-alerts-for-warran
tless-electronics-search-7000020487/
-http://www.nbcnews.com/technology/feds-target-us-travelers-seize-laptops-border-
new-files-reveal-8C11118663
-http://www.theatlanticwire.com/politics/2013/09/how-us-government-uses-border-cr
ossing-avoid-privacy-restrictions/69251/

Latest Java Update Includes Whitelisting Feature (September 12, 2013)

A Java update released on Tuesday, September 12, includes whitelisting capabilities. Known as the "Deployment Rule Set," the feature in Java 7 Update 40 allows companies to decide which Java applets are permitted to run on endpoint machines. While this is a welcome change, many companies are unable to upgrade to new versions of Java because of compatibility issues. One study showed that of companies running Java, 80 percent are running versions of Java 6, for which Oracle ended support earlier this year.
-http://www.computerworld.com/s/article/9242374/Oracle_finally_adds_whitelisting_
capabilities_to_Java?taxonomyId=17
-http://www.theregister.co.uk/2013/09/10/java_flash_security_snapshot/
-http://arstechnica.com/security/2013/09/security-of-java-takes-a-dangerous-turn-
for-the-worse-experts-say/
[Editor's Note (Ullrich): It is important to note that the more stringent signature checking may lead to problems, in particular with Java applets delivered by "ancient" embedded devices.
-https://isc.sans.edu/forums/diary/Java+and+Old+Hash+Algorithms/16571]

Microsoft Fixes 47 Flaws, Pulls Problematic Stability Fix for Outlook 2013 (September 10 & 11, 2013)

On Tuesday, September 10, Microsoft issued 13 security bulletins to patch a total of 47 vulnerabilities. The updates address security flaws in Windows, Office, Internet Explorer and SharePoint Server. Four of the bulletins are rated critical; the rest are rated important. Microsoft has pulled a non-security, stability and performance update for Outlook 2013 following reports that it blanked the folder pane.
-https://technet.microsoft.com/en-us/security/bulletin/ms13-sep
-http://www.scmagazine.com/microsoft-delivers-13-patches-for-47-flaws-including-c
ritical-outlook-bug/article/311089/
Internet Storm Center:
-https://isc.sans.edu/diary/Reboot+Wednesday%3A+Yesterday%27s+Patch+Tuesday+After
math/16556
-https://isc.sans.edu/diary/Microsoft+September+2013+Black+Tuesday+Overview/16538
[Editor's Note (Pescatore): This week had one of the vulnerability-est Vulnerability Tuesdays in a long time, with all the Windows, Adobe and Oracle patches hitting on the same day, with lots of remote execution vulnerabilities that are high priority to patch and some active attacks already out. Since many are finalizing 2014 budgets, make sure you will have capacity next year to deal with both the patching and shielding servers that can't be patched quickly at this rate. ]

Adobe Releases Security Updates for Flash, Shockwave, and Other Products (September 10, 2013)

Adobe has issued security updates for Flash, Shockwave, Acrobat, Reader, and AIR. Adobe has classified the Flash and Shockwave updates as having the highest priority as they address a flaw that is being actively exploited in the wild.
-http://www.zdnet.com/update-flash-shockwave-asap-adobe-also-patches-acrobat-and-
reader-7000020486/
-http://krebsonsecurity.com/2013/09/adobe-microsoft-push-critical-security-fixes-
2/
Internet Storm Center:
-https://isc.sans.edu/diary/Adobe+September+2013+Black+Tuesday+Overview/16535
[Editor's Note (Pescatore): Fall is my favorite season: nice changes from summer's heat coming; but one thing stays constant: patching my PCs for Adobe and Oracle Java critical vulnerabilities with active exploits. ]

---

*************************** Sponsored Links: ******************************
1) Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/info/139230

2) Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation. http://www.sans.org/info/139235

3) Analyst Webcast: John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security. Thursday, September 19, 2013 at 1:00 PM EDT. http://www.sans.org/info/139240
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Vodafone Germany Database Breached (September 12, 2013)

Someone broke into an internal server at Vodafone Germany and compromised the personal information of two million customers from a company database. The information includes bank account numbers. The company says it has identified a suspect and conducted a search. The suspect is reportedly someone who was working for the company. The breach affects customers in Germany only.
-http://www.bbc.co.uk/news/technology-24063621
-http://www.zdnet.com/vodafone-germany-confirms-insider-data-theft-two-million-cu
stomers-affected-7000020609/
-http://www.theregister.co.uk/2013/09/12/vodafone_germany_breach/
-http://www.scmagazine.com/millions-in-germany-have-data-compromised-in-vodafone-
hack/article/311347/

Kimsuky Cyberespionage Campaign Targets South Korean Think Tanks (September 11 & 12, 2013)

Cyberespionage attacks against South Korean national security international affairs research organizations may emanate from North Korea. The attacks hit South Korea's ministry of unification and several think tanks in the country's capital. The attacks, which have been named Kimsuky, were first noticed on April 3, 2013. The attackers are believed to have gained initial foothold through spear phishing.
-http://www.computerworld.com.sg/resource/security/cyberspies-attack-key-south-ko
rean-institutions-north-korean-hackers-suspected/
-http://www.theguardian.com/technology/2013/sep/11/north-korean-hackers-cyber-esp
ionage
-http://www.v3.co.uk/v3-uk/news/2294070/north-korean-hackers-snoop-on-south-korea
n-military-with-kimsuky-trojan
-http://www.computerworld.com/s/article/9242336/South_Korean_systems_attacked_Nor
th_Korean_hackers_suspected?taxonomyId=17

Three-Year Prison Sentence for Hacking Police Web Sites (September 12, 2013)

An Ohio man has been sentenced to three years in federal prison for hacking into police department websites in Utah, New York, and California. The actions of John Anthony Borell III reportedly caused thousands of dollars in damage; the Utah police force site was down for nearly three months. Borell has also been ordered to pay US $227,000 in damages.
-http://news.cnet.com/8301-1009_3-57602761-83/hacker-sentenced-to-three-years-for
-breaching-police-sites/
-http://hosted.ap.org/dynamic/stories/U/US_HACKED_ANONYMOUS?SITE=AP&SECTION=H
OME&TEMPLATE=DEFAULT&CTIME=2013-09-12-16-38-13
[Editor's Note (Honan): If an attack takes your site offline for several months then you need to seriously look at your incident response remediation techniques and also your business continuity plan. ]

Lavabit Owner Appealing Surveillance Order (September 11, 2013)

Lavabit owner Ladar Levison has appealed the secret surveillance order received from the US government that prompted him to shutter his business in August. The details have been placed under seal. The surveillance order forbids Levison from disclosing what the government has asked of him or who its target was.
-http://www.wired.com/threatlevel/2013/09/lavabit-appeal/

Judge Dismisses Class Action Lawsuit in Barnes & Noble Skimming Case (September 11, 2013)

A federal judge in Illinois has dismissed a class-action lawsuit filed against Barnes & Noble over skimming attacks on the stores' point-of-sale PIN pads. Judge John Darrah granted the dismissal because the plaintiffs had not demonstrated loss or injury from the incident.
-http://www.scmagazine.com/in-barnes-noble-skimming-case-federal-judge-dismisses-
plaintiffs-class-action-suit/article/311262/

New Variant of Tibet OS X Malware Detected (September 11, 2013)

A new variant of the Tibet malware targeting OS X systems has been found. The variant exploits a known Java vulnerability to install a backdoor that allows attackers to steal files from infected computers.
-http://news.cnet.com/8301-1009_3-57602431-83/new-tibet-malware-variant-found-for
-os-x/

Federal Appeals Court Denies Google's Bid to Dismiss Street View Lawsuit (September 10 & 11, 2013)

The US 9th Circuit Court of Appeals has ruled that Google's inadvertent harvesting of users' personal information from unprotected Wi-Fi routers while collecting data for Street View is not exempt from the Wiretap Act and that the company may be held liable for civil damages. Google had sought to have the lawsuit dismissed, arguing that transmissions over Wi-Fi networks are "readily accessible to the general public."
-http://www.wired.com/threatlevel/2013/09/googles-wifi-wiretapping/
-http://arstechnica.com/tech-policy/2013/09/appeals-court-rules-google-must-stand
-trial-for-wi-fi-data-scandal/
-http://www.computerworld.com/s/article/9242317/Court_rejects_Google_appeal_in_St
reet_View_lawsuit?taxonomyId=17
-http://www.zdnet.com/google-loses-appeal-in-landmark-street-view-ruling-70000205
33/
-http://www.bbc.co.uk/news/technology-24047235

US Federal Regulators Say Banks Need to Keep a Close Eye on Vendor Security (September 9, 2013)

Federal banking regulators are advising financial institutions to pay close attention to security provided by their vendors. Regulators routinely examine certain vendors, particularly "those that have contracts with banks for core banking services or that provide services covered under the Bank Service Act." The regulators recommend that the banks request reports on these examinations. Some have questioned why examiners do not more readily share information about security issues they discover. Regulators are prohibited from disclosing the findings of vendor examinations except in the case of severe security problems.
-http://www.bankinfosecurity.com/fdic-improve-vendor-management-a-6053
[Editor's Note (Pescatore): Shouldn't this be a given, just as banks always do thorough credit checking before giving out loans or mortgages? Ooops - never mind.
(Henry): There have been an increasing number of attacks against the "supply chain"...the organizations businesses do business with. Law firms, consultancies, accounting firms, and other service providers are being increasingly targeted by adversaries who often see them as the "weak link" in the chain. Additionally, many of these organizations aggregate sensitive information on behalf of many clients, so the data stolen is not only in greater volume, but also of higher value. ]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/