
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #88

November 04, 2014

TOP OF THE NEWS

Judge Says Police Can Demand Suspect Unlock Phone with Fingerprint
FCC May be Partially Reclassifying Broadband ISPs as Common Carriers
Google and Mozilla will Disable Support for SSL 3.0 in Next Versions of Browsers
Mac OS Yosemite Saves Documents to iCloud by Default

THE REST OF THE WEEK'S NEWS

Attackers Stealing and Selling Rewards Points
Microsoft Phasing Out Windows 7 and Windows 8
Researchers' AirHopper Technique Uses Radio Signals to Jump the Air Gap
New Version of Adobe eReader Collects Less Data
Warg Gets Three-and-a-Half Years in Prison
Facebook Sets Up Tor Connection
Flash Redirect Attack Affects Thousands of Sites

STORM CENTER TECH CORNER


****************** Sponsored By Bit9 + Carbon Black ***********************
Download the eGuide: 5 Steps to Reduce the Complexity of PCI Assessments. Make your PCI assessment process smoother and more efficient. Download now!
http://www.sans.org/info/170902
***************************************************************************
TRAINING UPDATE

--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more
http://www.sans.org/online-security-training/specials


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Judge Says Police Can Demand Suspect Unlock Phone with Fingerprint (October 31, 2014)

A Circuit Court judge in Virginia has ruled that police can demand a suspect unlock a smartphone with a fingerprint, but also ruled that a person cannot be compelled to divulge the passcode for the device. If the device requires both a fingerprint and the passcode, the passcode protection prevails. "The ruling ... draws into relief the legal difference between a person's identity and their knowledge."
-http://www.zdnet.com/virginia-police-can-now-force-you-to-unlock-your-smartphone-with-your-fingerprint-7000035293/

-http://arstechnica.com/tech-policy/2014/10/virginia-judge-police-can-demand-a-suspect-unlock-a-phone-with-a-fingerprint/

[Editor's Note (Pescatore): courts over the years have consistently ruled that individuals must disclose the combination for combination locks under appropriate conditions. Hard to see that passcodes won't end up considered the same. The fingerprint side of things seems trickier, probably years more of legal rulings in equal and opposite directions on that one. ]

FCC May be Partially Reclassifying Broadband ISPs as Common Carriers (October 30, 2014)

Reports suggest that the US Federal Communications Commission (FCC) may soon partially reclassify broadband Internet service providers as common carriers, which means the FCC would have the authority "to police any deals between content companies and broadband providers." The reclassification would affect the service that ISPs offer content providers.
-http://arstechnica.com/business/2014/10/fcc-reportedly-close-to-reclassifying-isps-as-common-carriers/

[Editor's Note (Pescatore): From a security point of view, common carrier status is a mixed bag. ISPs have largely claimed that status to justify why they continue to happily deliver easily identified spam, malware and denial of service attacks to their paying customers. The FCC legally classifying the "backend" services as Common Carrier services might clearly say the retail (delivery) end is *not* and open up liability claims for delivery of dangerous content, but the Communications Decency Act and the Digital Millennium Copyright Act gave ISPs loads of cover for avoiding that liability. On the back end, Common Carrier status comes with FCC ability to regulate; the FCC *could* force ISPs to filter more, but the pace of regulation never, ever keeps up with the pace of technology or threats.
(Murray): Hopefully cooler heads will prevail here. Regulating the Internet as a common carrier in the name of net neutrality ranks right up there with destroying a village in order to protect it. The discussion of net neutrality is about discriminatory behavior that has rarely been shown to exist and which transparency, accountability, and competition might well solve in any case. "Common Carrier" regulation was intended to regulate what was then seen to be a "natural monopoly," an idea long since given up. We no longer even regulate railroads that way. There must be a more measured remedy here than turning the clock back eighty years and shackling the most dynamic part of our economy with stifling regulation designed to solve a very different problem. ]

Google and Mozilla will Disable Support for SSL 3.0 in Next Versions of Browsers (November 1, 2014)

Google plans to disable support for SSL 3.0 in the next version of its Chrome browser. When Google researchers disclosed the POODLE vulnerability in SSL 3.0 last month, they released a patch for servers, but if browsers no longer support the protocol, the risk of exploits drops considerably. Mozilla plans to disable support for SSL 3.0 in Firefox 34. Microsoft has released a "Fixit" tool that allows users to disable SSL 3.0; Apple has not blocked SSL 3.0, but has disabled cipher block chaining, which underlies the POODLE flaw.
-http://www.eweek.com/security/google-takes-new-steps-to-block-poodle-flaw.html
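The item above concerns browsers dropping SSL 3.0; the complementary check on the server side is to confirm that a server you operate no longer completes an SSL 3.0 handshake at all. The following is an added example, not code from the NewsBites text or from any of the vendors named above: it builds a minimal SSL 3.0-only ClientHello and classifies the first record the server returns (a ServerHello carrying version 0x0300 means SSL 3.0 is still enabled; an alert or a dropped connection means it is refused).

```python
"""Verify that a TLS endpoint refuses SSL 3.0 (the protocol POODLE abuses).
Added example for this newsletter item; host/port are placeholders."""
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0


def build_ssl3_client_hello() -> bytes:
    """Minimal ClientHello record that offers ONLY SSL 3.0.

    Because no higher version is offered, a server that answers with a
    ServerHello has demonstrably kept SSL 3.0 enabled."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA (CBC)
    body = (
        SSL3                                    # client_version
        + bytes(32)                             # client random (constant is fine for a probe)
        + b"\x00"                               # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record a server sends back to the SSL 3.0 probe."""
    if len(data) < 5:
        return "no-response"          # connection closed without a record: refused
    ctype = data[0]
    if ctype == 0x15:                 # alert record (handshake_failure / protocol_version)
        return "refused"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        return "ssl3-accepted" if data[9:11] == SSL3 else "other-version"
    return "unexpected"


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to a server you are responsible for and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ssl3_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


if __name__ == "__main__":
    # Constructed sample reply: a ServerHello whose server_version is 0x0300.
    sample = b"\x16\x03\x00\x00\x06\x02\x00\x00\x02\x03\x00"
    print(classify_response(sample))  # ssl3-accepted
```

Run `check_server("your.host.example")` against a host you administer; anything other than "refused" or "no-response" means SSL 3.0 should be disabled in that server's configuration.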

Mac OS Yosemite Saves Documents to iCloud by Default (November 3, 2014)

The newest version of Mac OS X, Yosemite, automatically saves files to iCloud, even if those files are never actually saved on the device where they are created. The point of the feature is that users can access documents from any Apple device. However, there is no warning that the program will do this. The autosave feature can be disabled.
-http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/

[Editor's Note (Murray): Must have seemed like a really good idea at the time. God please save us from programmers who cannot check inputs but who can implement all kinds of gratuitous functionality.
(Honan): This is a good example of why Privacy by Design and conducting Privacy Impact Analysis (PIA) is so important when developing or adding new features to a system. As our online lives become more and more intertwined this will become even more important. ]


**************************** SPONSORED LINKS ******************************
1) Did you miss the Data Center Server Security webcast? Find the archived webcast & whitepaper here: http://www.sans.org/info/170647

2) Build bridges between Security and Development. Register for this webinar on Secure Agile featuring Adrian Lane of Securosis and Chris Eng of Veracode. http://www.sans.org/info/170907

3) The Evolution of IDS: Why Context is Key Wednesday, November 05 at 1:00 PM EST (18:00:00 UTC) Joe Schreiber, AlienVault and Dave Shackleford, SANS. http://www.sans.org/info/170662
***************************************************************************

THE REST OF THE WEEK'S NEWS

Attackers Stealing and Selling Rewards Points (November 3, 2014)

Thieves have been targeting rewards points programs offered by hotels and other organizations. Often, the online management systems for the programs lack adequate security. One man discovered that 250,000 Hilton Honors points he has accrued through use of a credit card had been used by thieves, who managed to access the account online, change the associated email addresses, and even use the associated credit card to make additional charges. Hilton allows two methods of account access: username and password, or member number and four-digit PIN. Brian Krebs discovered that there are online forums where rewards points are being offered for sale at fractions of their value.
-http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accounts/

Microsoft Phasing Out Windows 7 and Windows 8 (November 3, 2014)

Microsoft has stopped selling retail copies of most versions of Windows 7 and Windows 8. The default operating system sold until Windows 10 is released late next year is Windows 8.1. Users who want to run Windows 7 can in some circumstances downgrade from Windows 8.1 to Windows 7 Professional. Just over half of Windows users are now running Windows 7.
-http://www.zdnet.com/going-so-soon-microsoft-ends-retail-sales-of-windows-8-7000035347/

-http://www.bbc.com/news/technology-29880144
[Editor's Note (Pescatore): Security patch support for Windows 7 will continue through January 2020. By then, every enterprise should plan on all living with/supporting auto update of security patches for all user devices - PCs, tablets, smartphones, wearables, whatever else users are demanding to use by 2020. Once a month patching is a relic of the old Windows/PC homogeneity/monopoly era, which is over and never coming back. ]

Researchers' AirHopper Technique Uses Radio Signals to Jump the Air Gap (November 3, 2014)

Researchers in Israel have published an academic paper detailing a method of eavesdropping on air-gapped computers. The technique, dubbed AirHopper, uses a radio signal. It depends on a system already having been compromised for exfiltration. AirHopper is a refinement of a technique that has been known for nearly 30 years.
-http://arstechnica.com/security/2014/11/researchers-bridge-air-gap-by-turning-monitors-into-fm-radios/

-http://www.wired.com/2014/11/airhopper-hack/

New Version of Adobe eReader Collects Less Data (November 2, 2014)

The most recent version of Adobe Digital Editions e-reader software appears to collect less user data than earlier versions, which were reportedly sending information about readers' activity back to the company in plaintext. Version 4.0.1 of Digital Editions now collects information only about books that are protected by digital rights management (DRM) software. Adobe said last month that it would stop collecting information on books not protected by DRM and that it would encrypt data sent back to the company.
-http://www.computerworld.com/article/2842243/adobes-e-reader-software-now-collects-less-data.html

[Editor's Note (Pescatore): Maybe Adobe and McAfee will announce that the constant stream of Adobe patches will no longer try to trick users into installing McAfee software? ]

Warg Gets Three-and-a-Half Years in Prison (October 31 & November 1, 2014)

Gottfrid Svartholm Warg has been sentenced to three-and-a-half years in prison for breaking into systems and accessing sensitive data, including police email accounts and Danish social security numbers.
-http://www.theregister.co.uk/2014/11/01/pirate_bay_cofounder_gottfrid_svartholm_warg_jailed_for_three_and_a_half_years/

-http://www.v3.co.uk/v3-uk/news/2378986/pirate-bay-co-founder-gottfrid-warg-gets-three-and-half-years-hard-time

-http://www.nbcnews.com/tech/security/pirate-bay-founder-jailed-hacking-danish-data-n238446

Facebook Sets Up Tor Connection (October 31 & November 1, 2014)

Facebook is now accessible to users running Tor-enabled browsers. The new connection allows Tor users to communicate with Facebook without surrendering the anonymity Tor provides. Prior to the new arrangement, users trying to access Facebook from Tor would often be prevented from doing so because their browsers would indicate the possibility that accounts were being used fraudulently.
-http://www.scmagazine.com/facebook-launches-tor-friendly-url/article/381059/

-http://www.v3.co.uk/v3-uk/news/2378987/facebook-adds-tor-connection-for-privacy-minded-users

-http://www.zdnet.com/facebook-sets-up-hidden-service-for-tor-users-7000035308/

-http://arstechnica.com/security/2014/10/facebook-offers-hidden-service-to-tor-users/

[Editor's Note (Honan): This is interesting, not just for the contradiction of a privacy-focused network being used to access a website whose business model is based on users relinquishing their privacy, but also from the point of view that a large mainstream company supports the use of Tor, thereby legitimising Tor for everyday use. Here's hoping others will follow Facebook's lead. ]

Flash Redirect Attack Affects Thousands of Sites (October 31, 2014)

Thousands of websites, including a Carnegie Mellon domain, are infected with Flash malware that redirects users' devices to a page hosting an exploit kit, which attempts to install malware through vulnerabilities detected on the device. Some of the sites were infected as long ago as July.
-http://www.scmagazine.com/flash-redirect-campaign-impacts-carnegie-mellon-page-leads-to-angler-ek/article/380599/


STORM CENTER TECH CORNER

Exceeding Contactless Transaction Limit with Foreign Currencies
-http://www.ncl.ac.uk/press.office/press.release/item/contactless-cards-fail-to-recognise-foreign-currency

TextSecure Audit finds no significant problems
-https://eprint.iacr.org/2014/904.pdf

VMWare Change Block Tracking problem may lead to corrupt backups
-http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090639

OpenBSD 5.6 Replaces OpenSSL with LibreSSL
-http://www.openbsd.org/56.html

justniffer packet capture and analysis tool
-https://isc.sans.edu/forums/diary/justniffer+a+Packet+Analysis+Tool/18907

Bitlocker Keys May be Stored in OneDrive
-http://technet.microsoft.com/en-us/library/dn306081.aspx

LastPass Offering Command Line Client
-http://blog.lastpass.com/2014/10/open-sourced-lastpass-command-line.html

Samsung Reacts to KNOX Flaw by pointing to My KNOX for Note 4 / Galaxy S4
-https://play.google.com/store/apps/details?id=com.sec.enterprise.knox.express

Facebook Provides Tor Access
-https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/