LAST CHANCE to save $600 Off Online Courses

SANS NewsBites - Volume: XIV, Issue: 71

*************************************************************************
SANS NewsBites                     September 04, 2012                    Volume: XIV, Issue: 71
*************************************************************************
TOP OF THE NEWS

  Hackers Claim File Containing iOS Device IDs is Evidence of FBI Tracking Project
  LinkedIn Passwords Stolen and Cracked; Change Yours Now
  US Legislators Invite Chinese Telecom Executives to Committee Hearing on Spy Threats
  New Vulnerability Found in Updated Java

THE REST OF THE WEEK'S NEWS

  Pirate Bay Co-Founder Arrested in Cambodia on Swedish Warrant
  Inmates Allegedly Accessed Corrections Information Systems From Prison Computers
  Federal Appeals Court Upholds Injunction Against ivi
  Researchers Find Spyware Being Used by Police in Countries Around the World
  Lawyer Seeks En Banc Panel to Rehear Warrantless Wiretapping Appeal
  Guide to Middle East Malware
  Mahdi is Spreading; Wiper may Have Ties to Duqu and Stuxnet
  Chrome Update Addresses Nine Vulnerabilities


*********************** Sponsored By Lancope ****************************
Complimentary ebook: "NETFLOW SECURITY MONITORING FOR DUMMIES". From risks posed by APTs, BYOD, malicious insiders, virtualization and IT consumerization, there are many trends accelerating the adoption of NetFlow/IPFIX as a security technology. Learn how to successfully leverage NetFlow/IPFIX to improve your organization's security controls and yield actionable security intelligence. Download now -
http://www.sans.org/info/112752
*************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job! https://itsac.g2planet.com/itsac2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS London 2012 London, UK November 26-zdecember 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Hackers Claim File Containing iOS Device IDs is Evidence of FBI Tracking Project (September 4, 2012)
Hackers have posted a document to Pastebin that they claim contains unique identification codes for one million iOS devices that were obtained when the laptop of an FBI agent was compromised earlier this year. The attackers claim to have obtained a file that contains Unique Device Identifiers (UDIDs), usernames, and push notification tokens for 12 million devices. They also claim that the file contains some names and associated mobile phone numbers. The attackers are suggesting that the presence of such a document indicates that the FBI may be tracking iOS devices.
-http://www.zdnet.com/fbi-hack-yielded-12-million-iphone-and-ipad-ids-anonymous-c
laims-7000003668/

-http://www.theregister.co.uk/2012/09/04/antisec_hackers_fbi_laptop_hack/
[Editor's Note (Ullrcih): At this point, it can't be confirmed that the leak indeed originated at the FBI. It could as well come from Apple, one of the phone companies or a large app developer collecting the identifiers. The UDID uniquely identifies each iOS device and can not be changed. The "openfeint" database can be used to link user activity to some of these UDID and the UDIDs published appear to be genuine. ]


LinkedIn Passwords Stolen and Cracked; Change Yours Now (September 4, 2012)
More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Though some login details are encrypted, all users are advised to change their passwords.
-http://www.zdnet.com/blog/btl/6-46-million-linkedin-passwords-leaked-online/7929
0



US Legislators Invite Chinese Telecom Executives to Committee Hearing on Spy Threats (September 3, 2012)
A US House of Representatives Select Committee has invited executives from Chinese telecommunications companies ZTE Corp and Huawei to participate in hearings in October regarding investigations into allegations of Chinese spy threats against the US telecommunications infrastructure. ZTE has confirmed that it will participate, but Huawei has not yet publicly responded.
-http://www.theregister.co.uk/2012/09/03/huaweu_zte_in_us_spotlight/
[Editor's Note (Murray): The Chinese, the French, the British, and others, buy from us, sell to us, invest in our businesses, accept our investment, buy our bonds, and spy on us. It is called "trade." Our systems leak. We have the NSA and the CIA.
(Honan): Huawei today released a white paper today on cyber security in which it calls for greater international cooperation. It will be interesting to see if it cooperates with the committee
-http://www.huawei.com/en/about-huawei/newsroom/press-release/hw-187387-securityw
hitepaper.htm
]


New Vulnerability Found in Updated Java (August 30 & 31, & September 3, 2012)
Shortly after Oracle rushed out an emergency fix for three zero-day vulnerabilities in Java SE 7 late last week, researchers found another critical flaw that affects the patched version of Java. This vulnerability can be exploited to escape the Java sandbox and allow arbitrary code execution. Some security professionals are advising users to turn off or even uninstall the Java plug-in from their browsers. The SANS Internet Storm Center has received reports of phishers exploiting the flaw in Java in email messages that pretend to be change notifications to Microsoft's Services Agreement.
-http://www.theregister.co.uk/2012/08/30/oracle_issues_java_0day_patch/
-http://arstechnica.com/security/2012/08/oracle-patches-critical-java-bugs/
-http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
-http://www.computerworld.com/s/article/9230812/Researchers_find_critical_vulnera
bility_in_Java_7_patch_hours_after_release?taxonomyId=17

-http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/
-http://news.cnet.com/8301-1009_3-57504640-83/new-vulnerabilities-found-in-latest
-java-update/

-http://www.computerworld.com/s/article/9230858/Rogue_Microsoft_Services_Agreemen
t_emails_lead_to_latest_Java_exploit?taxonomyId=244

-http://isc.sans.edu/diary.html?storyid=14020



************************** Sponsored Links: ****************************
1) Analyst Webcast! A Review of McAfee's Solutions for Securing Physical and Virtualized Servers in the Data Center http://www.sans.org/info/112757. Thursday, September 6, 1 PM EDT

2) Simplifying Identity Management: SANS Product Review of Oracle Identity Governance Solutions by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, 9 am Pacific/12 Noon Eastern. http://www.sans.org/info/112762
***************************************************************************

THE REST OF THE WEEK'S NEWS

Pirate Bay Co-Founder Arrested in Cambodia on Swedish Warrant (September 2 & 3, 2012)
Pirate Bay co-founder Gottfrid Svartholm Warg has been arrested in Cambodia and is being held at the request of Swedish law enforcement authorities. An international warrant had been issued for Warg's arrest after he failed to appear to begin his one-year prison sentence for copyright violations. Warg and his three Pirate Bay co-founders maintain the site operates within the law. Cambodia does not have an extradition treaty with Sweden.
-http://www.bbc.co.uk/news/world-asia-19457334
-http://www.pcworld.com/businesscenter/article/261831/pirate_bay_cofounder_arrest
ed_in_cambodia.html



Inmates Allegedly Accessed Corrections Information Systems From Prison Computers (August 31, 2012)
Prison inmates in New Hampshire managed to gain access to the Corrections Information System (CORIS) and may have been able to view personal information and alter data, including sentencing, parole, and release dates. Inmates' computer use is supervised by one guard and one civilian. The issue was detected in late August after a prison staffer noticed that there was a cable connecting a computer used by inmates to one used by staff members. It is not known whether sensitive data were actually accessed or altered. New Hampshire police are investigating. About 24 inmates have access to computers on a closed network at the prison. Those computers have been off limits since the breach was discovered.
-http://www.sfgate.com/news/article/NH-police-investigate-breach-of-prison-comput
ers-3830866.php

-http://www.nbcnews.com/technology/gadgetbox/inmates-hacked-prisons-record-system
-974227



Federal Appeals Court Upholds Injunction Against ivi (August 28 & 31, 2012)
A US federal appeals court in New York has ruled that ivi Inc. is not a cable system and therefore not entitled to protections granted cable companies under the Copyright Act. ivi is a service that was launched in 2010 and offered streaming broadcast television programs from several major US television markets to US users for US $5 a month. ivi argued that it meets the requirements to be considered a cable company under Section 111 of the Copyright Act and is therefore permitted to "perform plaintiffs' programing" while it makes licensing payments. The service was blocked last year by a lower court judge. The appeals court's upholding of the ruling means that only a decision in its favor from the US Supreme Court could revive ivi.
-http://www.wired.com/threatlevel/2012/08/broadcasters-defeat-tv-streaming-servic
e/

-http://thehill.com/blogs/hillicon-valley/technology/246171-federal-appeals-court
-upholds-injunction-against-ivi



Researchers Find Spyware Being Used by Police in Countries Around the World (August 31, 2012)
Researchers have found evidence suggesting that governments in several countries around the world are using spyware sold by UK company Gamma International. The spyware, known as FinSpy, can monitor calls and report back about calls and GPS location; record Skype sessions on PCs; log keystrokes; and take control of cameras and microphones. The researchers found the spyware while investigating email attachments sent to Bahraini activists. FinSpy can infect PCs and "a broad range of smartphones." Gamma's managing director said the company "has never sold their products to Bahrain." Research conducted elsewhere found FinSpy command-and-control servers in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, UAE, as well as one in the US running on Amazon cloud systems. Shortly after the research was published, several of those servers were shut down.
-http://www.theregister.co.uk/2012/08/31/finspy_gamma_polcie_spying/


Lawyer Seeks En Banc Panel to Rehear Warrantless Wiretapping Appeal (August 30, 2012)
A lawyer representing two attorneys whose telephone conversations were illegally wiretapped under the Terrorist Surveillance Program has asked a federal appeals court to reconsider its August 7 decision reversing a lower court ruling that awarded his clients damages and legal fees. The appeals court said in its August decision that the Federal Intelligence Surveillance Act does require court approval to eavesdrop on Americans' communications, but added that citizens do not have the right to sue the government for compensation when that law is breached. Attorney Jon Eisenberg, who represents two attorneys who once worked for the al-Haramain Islamic Foundation, is asking the court to rehear the cases in an 11-judge en banc panel.
-http://www.wired.com/threatlevel/2012/08/warrantless-wiretap-rehearing/
[Editor's Note (Murray): Even where a warrant is required, the only penalty for not getting one is that the fruit cannot be used as evidence in court. No penalty for the officer. No protection for the citizen's privacy.]


Guide to Middle East Malware (August 31, 2012)
Elinor Mills has compiled a guide to industrial control system malware that has been discovered on computers in the Middle East. Saudi Aramco and Qatar's RasGas are the two companies that have most recently reported malware infection. While the malware has not been named in either case, it is probable that Shamoon is involved in at least one of those instances. Mills' list includes descriptions of Shamoon as well as of Stuxnet, Duqu, Gauss, Mahdi, Flame, and Wiper.
-http://news.cnet.com/8301-1009_3-57503949-83/a-whos-who-of-mideast-targeted-malw
are/



Mahdi is Spreading; Wiper May Have Ties to Duqu and Stuxnet (August 30, 2012)
Reports indicate that Mahdi is spreading through the Middle East, and that the malware's developers have altered the code to help it evade detection through security programs. Mahdi monitors email on infected computers and gives attackers remote access to data on those machines. It also has keystroke-logging capabilities and can steal screenshots. One security company has reported 150 new Mahdi infections over a six-week period.
-http://www.nextgov.com/cybersecurity/2012/08/mahdi-spyware-operation-broadens-mi
ddle-east/57761/?oref=ng-channelriver

Researchers say that the Wiper malware bears some characteristics that suggest it could be connected to Stuxnet and Duqu.
-http://www.computerworld.com/s/article/9230777/Wiper_malware_could_be_connected_
to_Stuxnet_and_Duqu_researchers_say?taxonomyId=85



Chrome Update Addresses Nine Vulnerabilities (August 31, 2012)
Google has updated its Chrome browser to version 21.0.1180.89 to address nine security issues and several other non-security items involving Flash, developer tools, and gradient boxes. Three of the flaws addressed in the updated version of Chrome are considered to be high-risk.
-http://www.h-online.com/open/news/item/Chrome-21-update-closes-high-risk-securit
y-holes-1696236.html



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/