SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #2
January 07, 2011
SCADA Security After Stuxnet: We just posted the program for the
US/Canada SCADA Security Summit (Orlando at the end of February).
Several unique and valuable sessions including a LOT of information that
can be put to work immediately. Examples: what DHS found when it
investigated cybersceurity in a dozen utilities, what the FBI and RCMP
are doing to combat cyber crime in control systems, the annual NERC
Cybersecurity Compliance update by NERC's CSO, the most important and
useful research projects in SCADA security, what was learned from the
Stuxnet attacks, and the newest techniques in pen testing for control
systems. You can also attend a hands-on 5-day SCADA security in-depth
course just before the conference.
Here's the agenda: http://www.sans.org/north-american-scada-2011/agenda.php
And the conference page: http://www.sans.org/north-american-scada-2011/
TOP OF THE NEWSFederal Agencies Must Submit Classified Data Management Reports by End of Month
Calif. Supreme Court Says Police Can Search Cell Phones Without Warrants
THE REST OF THE WEEK'S NEWSApple Updates Mac OS X, Launches Mac App Store
Microsoft's January Security Update to Address Three Vulnerabilities
Microsoft Warns of Flaw in Windows Graphics Rendering Engine
Investigation Heats Up in Calif. Gas Station Skimming Scheme
iTunes Accounts for Sale on Chinese Auction Site
Thieves in South Africa Stealing SIM Cards From Hi Tech Traffic Lights
Man Arrested for Intent to Defraud Had Bragged About Breaking Into Pop Star's Gmail
US Cracks Down on Vietnam-based Cybercrime Ring
***************** Sponsored By SANS SCADA White Paper *****************
New Whitepaper in the SANS Reading Room: Securing Energy Control Systems from Terrorists and Cyberwarriors, by SCADA security expert, Jonathan Pollet: http://www.sans.org/info/68648 You may also listen to our associated webcast here: http://www.sans.org/info/68653 P.S. Jonathan is one of the featured speakers at the SCADA Security Summit in Orlando
New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
-- Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, Wellington, Singapore and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************
TOP OF THE NEWS
Federal Agencies Must Submit Classified Data Management Reports by End of Month (January 5 & 6, 2011)US federal agencies have three weeks to submit reports to the White House on how they manage and protect national security data. Shortly after the first of the stolen diplomatic cables appeared on WikiLeaks, the White House issued a memo directing all agencies to assess their procedures for ensuring the security of information that has been designated classified. A January 3, 2011 memo from the Office of Management and Budget (OMB) provides compliance guidance for the agencies and includes questions about what agencies are doing to prevent unauthorized information disclosures by disgruntled employees. Agencies have until January 28 to submit internal assessments outlines in the first memo and answer questions in the January 3 memo.
[Editor's Note (Pescatore): The current administration has spent two years pushing government agencies to classify less, make more data publicly available, etc. The OMB memo uses the phrase "in the post-Wikileaks era" as if Wikileaks, rather than the leaks, is the problem. The overemphasis of "need to share" at the expense of "need to know" was a major contributor to government agencies not deploying stronger data security processes and controls. ]
Calif. Supreme Court Says Police Can Search Cell Phones Without Warrants (January 4, 2011)The California Supreme Court has ruled that police can, without a warrant, search the cell phones of people who have been arrested and use the information they find as evidence. The case involves a man who bought drugs from a police informant. Following his arrest, police searched Gregory Diaz's cell phone and found text messages implicating him in another deal. Diaz and his legal team maintained his Fourth Amendment rights had been violated, but the court said his cell phone was part of his personal effects, like clothing.
[Editor's Note (Schultz): I hope that this ruling does not set a legal precedent. Mobile devices generally contain a great deal of highly personal information and thus should not be seized without legal authorization. Furthermore, warrentless searches are more characteristic of authoritarian regimes than they are of democracies. ]
********************** Sponsored Link: ******************************
1) How can you create more secure applications? Attending SANS AppSec 2011 http://www.sans.org/info/68658 , March 7 - 14, 2011 in San Francisco, California! ***********************************************************************
THE REST OF THE WEEK'S NEWS
Apple Updates Mac OS X, Launches Mac App Store (January 6, 2011)Apple has released a major update for its Mac operating system. Mac OS X 10.6.6 offers improvements in stability, compatibility and security, including a fix for a man-in-the-middle attack that could force an application to quit or possibly allow the execution of arbitrary code. Apple has also updated Mac OS X Server to version 10.6.6. Of particular note in this update is that it coincides with the launch of the Mac App Store; the updated operating system supports the Mac App Store. Internet Storm Center:
[Editor's Note (Pescatore): It would be nice to see Apple raise the bar with the Mac App Store and make security/privacy testing a much stronger focus.
(Honan): Apparently many application developers did not follow Apple's advice on how to validate receipts for their applications in the App Store which results in the Apps being downloaded for free. See
(Northcutt): Supposedly, someone has already defeated the MAC Store Digital Rights Management system:
Microsoft's January Security Update to Address Three Vulnerabilities (January 6, 2011)Microsoft will issue two security bulletins on Tuesday, January 11 to fix three vulnerabilities. Both bulletins will address flaws in Windows; one is rated critical and one is rated important. The critical bulletin will address flaws that affect all currently supported versions of Windows. The important bulletin will address a vulnerability in Windows Vista SP 1 and SP 2, and Windows Vista x64 SP 1 and SP 2. The security updates will not address two recently disclosed issues - one in Internet Explorer and another in the Windows Graphics Rendering Engine.
Microsoft Warns of Flaw in Windows Graphics Rendering Engine (January 4 & 5, 2011)Microsoft has issued a security advisory warning of a vulnerability in the Windows Graphics Rendering Engine that could be exploited to execute arbitrary code with the rights of the logged-on user. An attack could potentially be launched by getting users to view maliciously crafted images. The flaw affects Windows Vista, XP and Windows Server 2003. Windows 7 and Windows Server 2008 do not appear to be affected. To protect vulnerable computers until an official patch is released, Microsoft has offered a "FixIt" tool.
Investigation Heats Up in Calif. Gas Station Skimming Scheme (January 6, 2011)At least 282 people have been victimized by credit card fraud after using their payment cards at a gas station in Sierra Madre, about 18 miles northeast of Los Angeles, California. The cumulative total of fraudulent transactions is at least US $82,000. The station where the card information is believed to have been stolen closed after Christmas. Authorities are attempting to question the store's owner, Evgeny K. Yakimenko, as a person of interest in the case. The US Secret Service is now assisting in the investigation. Authorities have released a security photo of a man who used one of the cloned cards at an ATM.
iTunes Accounts for Sale on Chinese Auction Site (January 6, 2011)A Chinese news reporter has found iTunes accounts for sale on TaoBao, the Chinese equivalent of eBay. About 50,000 accounts appear to be available; their price varies from 15 cents to US $30. Some iTunes users integrate payment information into their accounts.
[Editor's Comment (Northcutt): Well, I wanted to see this one for myself. With the Google Chrome translate feature, I was able to find the iTunes accounts for sale. Was not able to figure out who the "dispensers" are, but they want you to start downloading with a goal of being finished within 12 hours of receiving the account. As the translate function says, "it is best to start 12 hours to download! So much the better! Many customers are doing"
(Honan): As someone who set up iTunes on a relative's PC over the holidays so they could use their new iPod, I was surprised that part of the account creation process with iTunes was to include credit card details. I guess this case highlights the risk in gathering and retaining unnecessary and sensitive data. Remember if you don't store the data you don't have to secure it. ]
Thieves in South Africa Stealing SIM Cards From Hi Tech Traffic Lights (January 6, 2011)Thieves in Johannesburg, South Africa have been stealing SIM cards from traffic lights and using them to make millions of rand worth of mobile phone calls. (1 million rand = USD $147,000.) The Johannesburg Road Agency has been stuck paying the fraudulent charges. More than two-thirds of the 600 high tech traffic lights have been stripped of their SIM cards by the thieves in the last two months.
[Editor's Comment (Northcutt): Looks like an inside job. Not all of the traffic lights have SIM cards; they apparently knew which ones to hit. This leaves the intersection in a dangerous mode, as the robotic light is non-functional. Reminds me of the MIRT (Mobile Infrared Transmitter) stuff from years ago where you could turn the lights to green. Then they started making some of controllers 418 MHZ Surface Acoustic Wave RF. We covered the story of the two engineers (Mr. Murillo and Mr. Patel) in San Francisco who shut down the traffic lights at critical intersections. And the YouTube Droid video is clearly fake, but if they keep putting SIM cards in traffic lights, history indicates it is only a matter or time.
Man Arrested for Intent to Defraud Had Bragged About Breaking Into Pop Star's Gmail (January 5, 2011)Federal law enforcement agents have arrested Joshua Holly, charging him with unauthorized possession of 200 credit card numbers with intent to defraud. Holly bragged several years ago that he had broken into Miley Cyrus's Gmail account and stolen photographs, some of which he later posted to the Internet. Authorities raided his home in October 2008 to gather evidence in that case, but instead found evidence resulting in the charges recently brought against him.
US Cracks Down on Vietnam-based Cybercrime Ring (January 3, 4 & 5, 2011)Federal investigators raided the homes of two Vietnamese exchange students in Minnesota who are suspected of being part of a cyber crime ring. Tram Vo and Khoi Van allegedly advertised video games, software and Apple gift cards and other items on eBay. When customers purchased one of their items, the pair would allegedly buy the item directly from the manufacturer with stolen credit card information and have it shipped to the buyer. The money from their eBay sales went to a PayPal account, but was quickly transferred out to other accounts, so by the time the original card holder complained about fraudulent charges, the funds were inaccessible. The pair allegedly used more than 180 eBay accounts and 360 PayPal accounts set up in other people's names. The students are believed to be part of a larger cyber crime ring based in Vietnam. No criminal charges appear to have been filed against the students.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/