SANS NewsBites - Volume: XIV, Issue: 67


At GFIRST today, the 1500 attendees got a first look at the new
Consensus 20 Critical Security Controls and many signed up for the
international consortium run by Tony Sager (recently head of VAO at NSA)
that will ensure all known threat data is reflected in the consensus.
Large companies and government agencies are eligible for inclusion. To
apply for a place in the consortium overseeing and contributing to the
authority of the 20 Critical Controls, send your organization's and your
personal qualifications to tsager@sans.org.

Alan

*************************************************************************
SANS NewsBites                     August 21, 2012                    Volume: XIV, Issue: 67
*************************************************************************
TOP OF THE NEWS

  Android Trojan Infects 500,000 Devices
  NIST Seeking Military Android App Testing Tools

THE REST OF THE WEEK'S NEWS

  DNSChanger IP Address Blocks Reallocated
  US Magistrate Says Video Privacy Law Applies to Digital Content
  UK Information Commissioner Investigating Tesco Website Security
  Public Interest Groups Challenge AT&T's Plan to Restrict FaceTime Use On Network
  Pirate Party member Challenging Germany's Pre-Paid SIM Card ID Requirement
  iOS Messaging Vulnerability
  Judge Rejects Facebook Sponsored Stories Proposed Lawsuit Settlement
  Microsoft Windows 8 RTM Shows Do Not Track Default Setting Notifications
  Cyber Thieves Steal Half a Million Australian Credit Card Numbers

BONUS

  ACLU Lawsuit


*************************** Sponsored By Bit9 ****************************
Webcast: Privilege Management: With today's advanced threats, is removing the rights just plain wrong? Join nine-time Microsoft MVP and freelance author Brien Posey as he discusses with Bit9 the limitations of privilege management and other security controls within Windows 8. Learn what you can do to address these limitations with a positive security model. REGISTER TODAY
http://www.sans.org/info/112159
**************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by, and exhibits from, all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but this is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

- - --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- - --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- - --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- - --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- - --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- - --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- - --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- - --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- - --SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- - --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

- - - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Android Trojan Infects 500,000 Devices (August 20, 2012)
A Trojan horse program for Android has infected 500,000 devices; most of the infections are in China. The malware, known as SMSZombie, spreads disguised as wallpaper applications. It exploits flaws in China Mobile's SMS-based mobile payment system to make unauthorized payments, and it also steals bank card and other financial transaction information. SMSZombie also takes steps to make it difficult for users to remove the malware from their devices.
-http://www.theregister.co.uk/2012/08/20/android_smszombie/


NIST Seeking Military Android App Testing Tools (August 17, 2012)
The US National Institute of Standards and Technology (NIST) has posted a solicitation seeking software-testing tools to conduct vulnerability analysis and security scanning of Android applications used by the Pentagon.
-http://www.nextgov.com/mobile/2012/08/nist-seeks-vulnerability-analysis-military-android-apps/57505/?oref=ng-channelriver

-https://www.fbo.gov/index?s=opportunity&mode=form&id=78d1292724c29afd53f35f995e4a8658&tab=core&_cview=0




************************** Sponsored Links: ****************************
1) Tripwire's Michael Thelander, Tuesday, August 28, 1 PM EDT. http://www.sans.org/info/112164
2) Analyst Webcast! When Breaches Happen: 5 Questions to Prepare For, featuring senior SANS Analyst Dave Shackleford and Solera CTO Joe Levy. http://www.sans.org/info/112169 Wed., August 29, 1 PM EDT
3) Time is Running Out to take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/112174
***************************************************************************

THE REST OF THE WEEK'S NEWS

DNSChanger IP Address Blocks Reallocated (August 20, 2012)
Two IP address blocks that were used by the perpetrators of the DNSChanger malware have been reallocated. The addresses were under the control of the FBI and the Internet Systems Consortium (ISC) from the time they were seized in November 2011 until July 2012. While the European IP address authority RIPE NCC that reassigned them believes it has been long enough to reallocate the addresses, some members of the DNSChanger Working Group believe it is too soon. Infected computers that have not been wiped of DNSChanger could still be pointing to those addresses. The issue would also cause problems for the new owners of the addresses. Whoever has control of those address blocks also has the potential to control computers still infected with DNSChanger.
-http://www.h-online.com/security/news/item/Former-DNSChanger-addresses-out-in-the-wild-again-1670648.html

-http://www.cso.com.au/article/433502/new_hijack_threat_emerges_dns_changer_victims/#closeme



US Magistrate Says Video Privacy Law Applies to Digital Content (August 20, 2012)
A US federal magistrate has ruled that information collected about which videos people watch online is protected under US privacy law, possibly putting Hulu on the spot for sharing users' viewing habits with third parties. US Magistrate Laurel Beeler ruled that the Video Privacy Protection Act of 1988 applies to Hulu. Hulu argued, unsuccessfully, that the law applies only to video rental stores not video streaming services. Beeler wrote that, despite Hulu's assertion that the VPPA does not specifically cover digital distribution, "Given Congress's concern with protecting consumers' privacy in an evolving technological world, the court rejects that argument."
-http://www.wired.com/threatlevel/2012/08/hulu-dinged-in-privacy-lawsuit/


UK Information Commissioner Investigating Tesco Website Security (August 20, 2012)
The UK Information Commissioner's Office (ICO) is investigating Tesco for alleged inadequate security practices. The retail company allegedly stores its website login and password data unhashed and unsalted. Some of the site's pages do not use HTTPS, and the company emails users' passwords in plaintext, which is only possible if the passwords are stored in a recoverable form. Some have noted that it is unusual for the ICO to become involved when a breach has not occurred.
-http://www.scmagazineuk.com/ico-to-investigate-tesco-following-data-security-claims/article/255238/

-http://www.bbc.com/news/technology-19316825
[Editor's Note (Honan): Tesco has repeatedly said they employ "robust security" but have not addressed the specific concerns brought to their attention, either by those who identified the issues or by the press. ]
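The two storage practices at issue in the Tesco item, side by side, as an added example written for this newsletter (this is not Tesco's code and nothing the articles reproduce; the class names, the PBKDF2 work factor and the sample user "alice" are assumptions made for the demonstration). The weak store keeps the password as given, which is what a "we'll email you your password" flow requires and why that flow is a red flag; the hardened store keeps only a per-user salt plus an iterated hash, compares in constant time, and cannot hand the password back to anyone.

```python
"""Added example: password storage the weak way versus the hardened way.

Illustrative code written for the Tesco/ICO item, not Tesco's code.
Class names, the iteration count and the sample user are assumptions.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware
# gets faster). Stored with each record so it can be increased later.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


class PlaintextStore:
    """The pattern the ICO is asking about: credentials kept as given.

    Anyone who can read the table (SQL injection, a leaked backup, a rogue
    admin) gets every password verbatim, and the site can email a user
    their password precisely because it still has it.
    """

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def recover(self, username):
        # Exactly what a "we'll email you your password" flow needs, and
        # exactly why plaintext storage is indefensible.
        return self._users[username]

    def record(self, username):
        return self._users[username]


class HashedStore:
    """Per-user salt plus iterated hash: the minimum a practitioner should accept."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
        digest = self._derive(password, salt, PBKDF2_ITERATIONS)
        # Keep algorithm, iterations and salt with the digest so old records
        # stay verifiable after the work factor is raised for new ones.
        self._users[username] = "pbkdf2_sha256${}${}${}".format(
            PBKDF2_ITERATIONS, salt.hex(), digest.hex()
        )

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            # Burn a derivation anyway so an unknown user is not
            # distinguishable from a wrong password by response time.
            self._derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return False
        _, iters, salt_hex, digest_hex = rec.split("$")
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(iters))
        # Constant-time comparison, never ==.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def recover(self, username):
        # Nothing to recover: the server never kept the password. A reset
        # flow (one-time token, user sets a new password) is the only option.
        raise LookupError("password is not recoverable from a salted hash")

    def record(self, username):
        return self._users[username]


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("alice", "correct horse battery staple")  # constructed sample
        print(type(store).__name__, "stored:", store.record("alice"))
        print("  verify good:", store.verify("alice", "correct horse battery staple"))
        print("  verify bad: ", store.verify("alice", "Tr0ub4dor&3"))
```

Running the block registers the same password in both stores: the plaintext record is the password itself, while the hashed record is an opaque string that differs for every registration of the same password because the salt differs. The absence of HTTPS on the login pages, also mentioned in the item, is a separate problem that hashing on the server does nothing to fix; the password still crosses the wire in the clear.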


Public Interest Groups Challenge AT&T's Plan to Restrict FaceTime Use On Network (August 19, 2012)
Two public interest groups are calling out AT&T for its plan to allow only customers who sign up for the company's new Mobile Share plan to use Apple's FaceTime application over its network. Free Press and Public Knowledge say the plan violates the US Federal Communications Commission's (FCC) net neutrality rules. iOS 6, the most recent version of Apple's operating system for iPhone, allows the use of FaceTime over mobile networks. AT&T subscribers currently can use FaceTime only if they are connected to a Wi-Fi network. They will have to sign up for AT&T's Mobile Share if they want to use it over the company's cellular network. The FCC's rules place restrictions on mobile providers blocking competing applications on their networks.
-http://thehill.com/blogs/hillicon-valley/technology/244273-advocacy-groups-say-atats-facetime-plans-violate-fcc-rules

[Editor's Note (Murray): AT&T and Verizon consented to the "net neutrality" rules on the condition that they would apply only to the wired side, where there is no problem, but would exclude the wireless side, where the problem is. While they may have only delayed the battle, they were ready to fight it then and they will fight it now. They are both "lawyering up." ]


Pirate Party member Challenging Germany's Pre-Paid SIM Card ID Requirement (August 19, 2012)
A member of the Pirate Party in Germany has appealed a ruling from the German Federal Constitutional Court that says it is legal to require proper identification from people who are setting up prepaid SIM cards. Patrick Breyer and his lawyer maintain that anonymous communication is protected under the European Convention on Human Rights. Anonymous prepaid SIM cards are also illegal in Denmark and France, but Breyer and his lawyer say that the law is ineffective because identification is easy to forge and people can buy prepaid phones in other countries.
-http://arstechnica.com/tech-policy/2012/08/pirate-party-appeals-german-ban-on-anonymous-sim-card-activation/



iOS Messaging Vulnerability (August 17 & 20, 2012)
A vulnerability in Apple's iOS could be exploited to allow attackers to send SMS messages that appear to come from another sender. The issue lies in the way iOS handles the optional reply-to address that the SMS standard lets a sender include in a message: a sender can specify a "reply to" number other than their own, so that replies go to someone other than the sender. iPhones display only the reply-to number and neither show nor keep track of the originating number, so a message can be made to appear to come from any number the attacker chooses; the flaw could be exploited in phishing attacks. The problem has existed since the inception of iOS and still exists in the beta version of iOS 6. A tool that exploits the vulnerability has been released.
-http://www.v3.co.uk/v3-uk/news/2199851/security-researcher-discovers-serious-messaging-flaw-in-apple-ios

-http://www.scmagazine.com/iphone-sms-spoofing-tool-released/article/255323/
-http://news.cnet.com/8301-17938_105-57495710-1/iphone-sms-vulnerable-according-to-researcher/

Apple has suggested using iMessage as a "work-around" to the SMS vulnerability issue.
-http://www.informationweek.com/security/mobile/apple-suggests-imessage-as-sms-bug-work-/240005818



Judge Rejects Facebook Sponsored Stories Proposed Lawsuit Settlement (August 18, 2012)
A US District Court judge in California has rejected the proposed settlement of a lawsuit brought against Facebook over its Sponsored Stories feature. The lawsuit was filed by five Facebook users and is seeking class action status on behalf of as many as 100 million users; it alleges that Facebook violated users' rights by using their images in Sponsored Stories. The settlement would allow adults to limit how their images are used in Sponsored Stories; minors would be able to opt out altogether. The settlement would have Facebook change its Statement of Rights and Responsibilities and provide users with more information about how their names and pictures are used with Sponsored Stories. The settlement would also give users more control over their data. The proposed settlement would have Facebook pay US $10 million to Internet privacy organizations and to pay attorney's fees of up to US $10 million. Judge Richard Seeborg said he had "serious concerns" about the settlement, asking why Facebook should not be asked to pay US $100 million, because it seemed as though the legal team was making money on the case, but the users they were representing were not receiving much in return.
-http://www.wired.com/threatlevel/2012/08/facebook-settlement-rejected/
-http://www.computerworld.com/s/article/9230378/U.S._judge_rejects_settlement_in_Facebook_Sponsored_Stories_case?taxonomyId=17



Microsoft Windows 8 RTM Shows Do Not Track Default Setting Notifications (August 17, 2012)
Microsoft has made available Windows 8 RTM (release to manufacturing), which shows how users will be informed of the default Do Not Track (DNT) setting for Internet Explorer 10 (IE10). DNT will be switched on automatically if users accept the default settings during initial operating system (OS) setup. However, to assuage critics of the plan, users will have the opportunity to change the DNT setting even when they select the default settings. The DNT option in Internet Explorer is one of seven pieces of information that Windows setup requests. Choosing "Use express settings" gives users Microsoft's default settings, including DNT switched on. Users can change the DNT setting through the Customize setup option, or later through the IE10 Internet Options dialog box. The article includes screenshots of the Windows 8 setup. When IE10 is released for Windows 7, users will see a notice telling them that DNT is switched on in the new browser, with a link for more information.
-http://www.computerworld.com/s/article/9230362/Windows_8_setup_shows_Do_Not_Track_options?taxonomyId=17

[Editor's Note (Honan): Microsoft should be commended for taking this step to turn DNT on by default. I recently installed the Collusion plug-in for Chrome and it is scary to see how many websites try to track your online activities. ]


Cyber Thieves Steal Half a Million Australian Credit Card Numbers (August 17, 2012)
A cyberattack has resulted in the theft of 500,000 credit card numbers in Australia. The incident occurred at an unnamed business in Australia and appears to be the work of hackers located in Eastern Europe. They allegedly placed keystroke loggers on point-of-sale (POS) terminals and remotely downloaded the captured information. The unnamed company was using default passwords on the POS terminals and stored transaction data without protection. The thieves appear to have reached the terminals over an unsecured Microsoft Remote Desktop Protocol (RDP) connection to harvest the data. The people behind the attack are believed to be the same ones who conducted a similar attack on Subway sandwich restaurants in the US. Police are investigating the incident.
-http://www.wired.com/threatlevel/2012/08/500k-credit-cards-stolen/


BONUS

Last edition Stephen Northcutt asked readers if they would send further information about the ACLU lawsuit. Thanks to Thelma, David and Janis for the help. This is a lawsuit following an ignored FOIA request for FBI surveillance and tracking policy following the Supreme Court decision that the government could not use GPS devices on cars without a court order. Here is the complaint in all its glorious legalese:
-http://www.wired.com/images_blogs/threatlevel/2012/08/FBI-GPS-Tracking-Memos-FOIA-Complaint.pdf

The following links are the ACLU perspective:
-http://www.aclu.org/blog/technology-and-liberty/aclu-sues-fbi-new-gps-tracking-memos

-http://www.aclu.org/technology-and-liberty/aclu-foia-request-fbi-memos-re-united-states-v-jones-gps-tracking-case

-http://www.aclu.org/blog/technology-and-liberty/need-warrant-gps-tracking-still-not-settled

-http://www.aclu.org/technology-and-liberty/united-states-v-pineda-moreno-aclu-amicus-brief

-http://www.aclu.org/blog/technology-and-liberty-national-security/aclu-seeks-fbi-guidance-memos-gps-tracking

Here are a couple of the better articles on the topic:
-http://www.wired.com/threatlevel/2012/08/aclu-sues-fbi-over-gps-memos/
-http://arstechnica.com/tech-policy/2012/08/aclu-to-fbi-tell-the-public-how-you-interpret-gps-tracking-ruling/



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/