[Netsec] SANS NewsBites Vol. 13 Num. 89 : Mac App Store Will Require Sandboxing Support; FBI Says Using Fake Cell Tower is OK; The Significance of Naming China/Russia; Supreme Court to Hear GPS Tracking Fourth Amendment Case
- From: The SANS Institute
- Date: Tue Nov 08 16:12:12 2011
**************************************************************************
SANS NewsBites November 8, 2011 Vol. 13, Num. 89
**************************************************************************
TOP OF THE NEWS
Mac App Store Will Require Sandboxing Support as of March 1, 2012
FBI Says Using Fake Cell Tower is Within Their Purview
The Significance of Naming Names
US Supreme Court to Hear GPS Tracking Fourth Amendment Case
THE REST OF THE WEEK'S NEWS
Dutch Telecom KPN Halts SSL Certificate Issuing
Browser Makers Revoke Trust for Malaysian Intermediate CA SSL Certificates
BPI Asks BT to Block Pirate Bay
Cyber Atlantic 2011 Exercise Aimed at US/EU Collaboration
Microsoft Issues Workaround for Kernel Flaw Exploited by Duqu
Researchers Find Holes in Prison SCADA Systems
DoJ Withdraws Proposed Changes to FOIA Rules
************************** Sponsored By Corero *************************
White Paper: "DDoS Attacks: Coming to a Network Near You." DDoS
attacks can inflict disastrous loss of revenue and reputation to
organizations doing business on the Internet. This paper, written by
network security analyst, Richard Stiennon, explains the newest attacks
and how to mitigate the risk with DDoS Defense technology from Corero
Network Security. http://www.sans.org/info/90911
**************************************************************************
TRAINING UPDATE
--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
5 courses. Bonus evening presentations include The Worst Mistakes in
Cloud Computing Security; Offensive Countermeasures; and Watching the
Wire at Home
http://www.sans.org/san-francisco-2011/
--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/
--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses. Bonus evening presentations include Effective Methods for
Implementing the 20 Critical Security Controls; and Assessing
Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/
--SANS London 2011, London, UK, December 3-12, 2011
18 courses. Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
http://www.sans.org/london-2011/
--Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses. Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
--Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Sydney, Tokyo, Perth and Atlanta all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************
TOP OF THE NEWS
--Mac App Store Will Require Sandboxing Support as of March 1, 2012
(November 3 & 7, 2011)
Starting next March, applications submitted to be sold through Apple's
Mac App Store must support Apple sandboxing. The deadline, which was
announced in June, was initially slated for this month. Sandboxing has
been voluntary until now. Some developers say that the requirement is
going to prevent them from incorporating certain features into their
applications.
http://news.cnet.com/8301-1009_3-57318099-83/what-apples-sandboxing-means-for-developers-and-users/
http://news.techworld.com/applications/3316380/developers-fear-app-store-sandboxing-to-strip-out-useful-features/
[Editor's Note (Pescatore): Given the success of mobile platforms like
the RIM Blackberry and the Apple iPhone/iPad, where one vendor controls
both the hardware and the software, there is a major opportunity to move
away from the old types of malware that plagued the PC. If doing so
breaks some features, that's a good thing - users are willing to lose a
few features to not have to worry about applications blowing up in their
faces every time they click on something.]
--FBI Says Using Fake Cell Tower is Within Their Purview
(November 3, 2011)
Federal authorities maintain that their use of a fake Verizon cell phone
tower to conduct surveillance on a suspect can be considered a
legitimate search under the Fourth Amendment. The spoofed tower device,
known colloquially as a stingray, was used in a case involving an
alleged identity thief. Stingrays conduct a man-in-the-middle attack,
intercepting crucial mobile device data before transmitting it to a
legitimate cell phone tower. An affidavit submitted by the FBI's
tracking technology unit says that the stingray harvests only the
equivalent of header data, and thus does not require a search warrant.
The affidavit goes on to say that the stingray also collects the data
from other devices in the same general location as the target, and that
FBI policy requires that all data stored in the tool are purged once an
operation has concluded.
http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/
--The Significance of Naming Names
(November 7, 2011)
The report released last week by the Office of the National
Counterintelligence Executive "mark[ed] the first time the United States
government has unequivocally stated, in emphatic and highly publicized
fashion, that China and Russia are responsible for a pervasive
electronic campaign to steal American intellectual property, trade
secrets, negotiating strategies, and sensitive military technology."
Journalist Shane Harris writes that "the release of this report may turn
out to be the Internet's Iron Curtain moment," comparing its effect to
that of Winston Churchill's 1946 address.
http://www.washingtonian.com/blogarticles/people/capitalcomment/21474.html
[Editor's Note (Pescatore): Actually, many *are* trying to equate this
to the Iron Curtain/Cold War, hoping that the same types of budgets and
spending will occur through overhype. This focus leads to $5,000
coffeepots, not higher levels of security.
(Northcutt): I tried to read this, but it wanted me to subscribe to the
Washingtonian magazine first. Here is a USA Today version:
http://www.usatoday.com/news/washington/story/2011-11-03/china-russia-cybersecurity/51065010/1
I do not think this will become an Iron Curtain moment:
http://www.historyguide.org/europe/churchill.html]
--US Supreme Court to Hear GPS Tracking Fourth Amendment Case
(November 7, 2011)
The US Supreme Court will hear arguments on Tuesday, November 8, in a
case regarding the authority of law enforcement officers to
surreptitiously place a GPS device on a vehicle to track a suspect's
movements without obtaining a probable cause warrant from a judge. The
government has argued in court briefs that "a person has no reasonable
expectation of privacy in his movements from one place to another." The
specifics of the case involve Antoine Jones, who was convicted and
sentenced to life in prison for dealing cocaine. Police had tracked
Jones for a month through a device they had affixed to his car. Jones'
conviction and sentence were overturned by the US Court of Appeals for
the District of Columbia, which said that the tracking was tantamount
to an illegal search that violated Jones' Fourth Amendment rights.
Other federal appeals courts have ruled that a warrant is not needed for
GPS tracking. The Justice Department views GPS devices as being
equivalent to the beeper devices that were used to track vehicles
decades ago. The man who is credited for inventing the GPS has written
an amicus brief, saying that the two devices are very different.
http://www.wired.com/threatlevel/2011/11/gps-tracking-flourishes/all/1
[Editor's Note (Liston): Generally, I tend to always land on the "Fourth
Amendment" side in these types of cases. However, in this situation, I
really don't see how GPS surveillance is doing anything more than simply
replacing an officer being assigned to follow a suspect, something for
which a warrant is not required.]
*********************** SPONSORED LINK: **********************************
1) Now Available ONDEMAND, Analyst Webcast: Integrating Security into
Development, No Pain Required. FEATURING: Dave Shackleford and Karl
Snider. Go to http://www.sans.org/info/90916
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Dutch Telecom KPN Halts SSL Certificate Issuing
(November 4, 6 & 7, 2011)
A Dutch telecommunications company has ceased issuing SSL certificates
after discovering that the site through which the certificates are
purchased had been compromised. A KPN spokesperson said that the
certificate generating infrastructure appears not to have been affected,
but an investigation has been launched. It appears that attackers may
have placed tools used to launch distributed denial-of-service (DDoS)
attacks on a KPN server; the attack may have taken place four years ago.
KPN is the Netherlands' largest telecommunications company.
http://www.computerworld.com/s/article/9221551/KPN_stops_issuing_SSL_certificates_after_possible_breach?taxonomyId=17
http://www.v3.co.uk/v3-uk/news/2123056/dutch-certificate-authority-kpn-suspends-ssl-certs-breach
http://www.h-online.com/security/news/item/Certificate-issuing-stopped-at-KPN-after-server-break-in-discovered-1372339.html
http://www.theregister.co.uk/2011/11/04/ssl_still_hopelessly_broken/
[Editor's Note (Murray): If a 512 bit RSA Key is the weak link in your
security, you are very secure indeed. We use bigger keys because we
can, not because we need them. Take security advice from cryptographers
only after you act on their medical advice.
(Honan): A Certificate Authority that has been compromised for 4 years
and another that is issuing insecure certificates clearly demonstrate
that the trust model we currently rely on is in need of an urgent and
major overhaul. We need to have better standards of security that CAs
must adhere to and be independently verified or we need to quickly look
at alternative solutions.]
--Browser Makers Revoke Trust for Malaysian Intermediate CA SSL Certificates
(November 4, 2011)
Mozilla, Microsoft, and Google, whose browsers account for the lion's
share of those used, are revoking trust in all SSL certificates issued
by Malaysian intermediate certificate authority (CA) Digicert. The
decision was made because Digicert issued 22 certificates with weak
512-bit keys, missing certificate extensions, and missing revocation
information. Digicert received an intermediate CA certificate in July
2010; that certificate was issued by Texas-based Entrust. It should be
noted that Digicert, the Malaysian company, is not associated with
Utah-based CA DigiCert.
http://www.computerworld.com/s/article/9221488/Mozilla_Microsoft_withdraw_trust_in_Malaysian_intermediate_CA?taxonomyId=17
http://www.theregister.co.uk/2011/11/03/certificate_authority_banished/
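The three defects behind the Digicert revocation (weak keys, missing extensions, missing revocation information) are exactly what a certificate lint should catch before issuance. The following is an added example, not SANS, Digicert or browser-vendor code; it uses the `cryptography` package and a constructed self-signed sample, generating a 1024-bit key as a stand-in for 512 bits because current libraries refuse to generate 512-bit RSA keys, and the 2048-bit floor, the choice of required extensions and the crl.example URL are assumptions.

```python
"""Lint an X.509 certificate for the three defects behind the Digicert
revocation: weak RSA key, missing core extensions, no revocation information.
Added example using the `cryptography` package; thresholds are assumptions."""
import datetime
from typing import List
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Assumption: 2048 bits is the floor a CA should accept today; the revoked
# Malaysian certificates carried 512-bit keys, which would fail this check.
MIN_RSA_BITS = 2048

# Assumption: the two extensions every end-entity certificate should carry.
REQUIRED_EXTENSIONS = (
    (ExtensionOID.BASIC_CONSTRAINTS, "Basic Constraints"),
    (ExtensionOID.KEY_USAGE, "Key Usage"),
)


def lint_certificate(cert: x509.Certificate) -> List[str]:
    """Return a list of findings (empty means the certificate passed)."""
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"weak-key: RSA modulus is {key.key_size} bits")
    present = {ext.oid for ext in cert.extensions}
    for oid, name in REQUIRED_EXTENSIONS:
        if oid not in present:
            findings.append(f"missing-extension: {name}")
    # Revocation info lives in CRL Distribution Points or in AIA (OCSP URL).
    if not ({ExtensionOID.CRL_DISTRIBUTION_POINTS,
             ExtensionOID.AUTHORITY_INFORMATION_ACCESS} & present):
        findings.append("no-revocation-info: no CRL DP and no AIA/OCSP")
    return findings


def make_sample_cert(key_bits: int, with_extensions: bool) -> x509.Certificate:
    """Constructed sample: self-signed certificate for weak.example (1024 bits
    stands in for 512, which current libraries refuse to generate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "weak.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if with_extensions:
        crl_url = x509.UniformResourceIdentifier("http://crl.example/weak.crl")
        builder = (builder
                   .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                                  critical=True)
                   .add_extension(x509.KeyUsage(
                       digital_signature=True, key_encipherment=True,
                       content_commitment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False), critical=True)
                   .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                       full_name=[crl_url], relative_name=None, reasons=None,
                       crl_issuer=None)]), critical=False))
    return builder.sign(key, hashes.SHA256())
```

Running `lint_certificate(make_sample_cert(1024, False))` reports all three classes of defect; pass a certificate loaded with `x509.load_pem_x509_certificate` to lint real issuance output.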
--BPI Asks BT to Block Pirate Bay
(November 4 & 7, 2011)
Following close on the heels of the movie industry's success in getting
BT to block users' access to Newzbin 2, the music industry trade group
BPI has sent a letter to BT asking it to block users' access to The
Pirate Bay. The letter asks BT to block The Pirate Bay voluntarily
within two weeks or face legal action. BT is likely to comply with the
request only if it is backed up with a court order. BT started blocking
Newzbin 2 to comply with a court order. BT was supposed to have begun
blocking access to the site by November 2; while the company said it had
the technology in place and planned to comply with the order, the site
was reportedly still available "over a standard BT DNS-based broadband
link."
http://www.v3.co.uk/v3-uk/news/2123050/bpi-bt-block-pirate-bay-holders-flex-muscles
http://www.eweekeurope.co.uk/news/bt-asked-to-ban-pirate-bay-after-failed-ban-on-newzbin-44967
http://www.bbc.co.uk/news/technology-15598438
--Cyber Atlantic 2011 Exercise Aimed at US/EU Collaboration
(November 3 & 4, 2011)
The Cyber Atlantic 2011 Exercise was conducted on November 3. The event
involved the EU and the US and helped both improve their international
cyber incident response capabilities and their collaborative efforts.
The exercise incorporated two attack scenarios. In the first, attackers
tried to steal and post secret data from EU members' cyber security
agencies. The second scenario involved the compromise of a supervisory
control and data acquisition (SCADA) system that controlled European
wind turbines. The exercise was orchestrated by the European Network and
Information Security Agency (ENISA).
http://www.informationweek.com/news/government/security/231902416
http://www.zdnet.co.uk/news/security-threats/2011/11/03/eu-and-us-team-up-for-cybersecurity-exercise-40094358/
http://www.theregister.co.uk/2011/11/04/joint_us_europe_cyber_war_drill/
http://www.enisa.europa.eu/media/press-releases/first-joint-eu-us-cyber-security-exercise-conducted-today-3rd-nov.-2011
--Microsoft Issues Workaround for Kernel Flaw Exploited by Duqu
(November 3 & 4, 2011)
Microsoft has issued a temporary workaround for a critical privilege
elevation vulnerability in the Win32k TrueType font-parsing engine that
is being exploited by the Duqu Trojan. The flaw affects all versions of
Windows from XP through Windows 7. Successful exploitation of the flaw
could allow attackers to "run arbitrary code in kernel mode." The
workaround involves disabling support for embedded TrueType fonts.
Microsoft plans to issue a patch for the flaw as soon as possible.
http://news.cnet.com/8301-1009_3-57318309-83/microsoft-issues-temporary-fix-for-critical-windows-hole/
http://www.informationweek.com/news/security/vulnerabilities/231902375
http://www.scmagazineus.com/microsoft-issues-workaround-for-duqu-malware/article/216027/
http://www.computerworld.com/s/article/9221516/Microsoft_releases_manual_fix_for_Duqu_zero_day?taxonomyId=17
http://www.h-online.com/security/news/item/Microsoft-releases-Duqu-bot-workaround-1372093.html
http://krebsonsecurity.com/2011/11/microsoft-issues-stopgap-fix-for-duqu-flaw/
http://www.theregister.co.uk/2011/11/04/duqu_vuln_fix/
http://support.microsoft.com/kb/2639658
--Researchers Find Holes in Prison SCADA Systems
(November 7, 2011)
According to three researchers, some control systems used at federal
prisons are vulnerable to hijacking: an outsider could take remote
control of the industrial control systems and programmable logic
controllers and, through them, of cell door mechanisms and internal
communications. The attack was demonstrated
at a conference in Miami late last month. The researchers provided their
findings to prison authorities at the state and federal levels and the
Department of Homeland Security (DHS) has confirmed those findings. The
researchers found that some systems that were not supposed to be
connected to the Internet in fact did have Internet connections, and
those that did not have Internet connections could become infected with
malware like Stuxnet brought in on a flash drive. Bill Brenner points
out that "this isn't a new threat," and ponders where the balance can
be struck between crying wolf and making sure problems are addressed.
http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-ability-to-open-prison-cells-from-afar.ars
http://blogs.csoonline.com/1794/hacking_the_prison_useless_fiction_or_necessary_fud
[Editor's Note (Murray): Imagine what our security might look like if
we could harness the energy of these NVPs to work on solutions instead
of spending their time identifying obscure, but sensational,
vulnerabilities.]
--DoJ Withdraws Proposed Changes to FOIA Rules
(November 3 & 4, 2011)
The US Department of Justice has withdrawn a proposal to revise the
Freedom of Information Act (FOIA) rules that would have codified lying
to the public about the existence of certain documents. The DoJ's
proposed changes would have allowed the government to tell entities
requesting documents that the documents do not exist if the agencies
feel they should be withheld. The government already has the authority
to invoke the "Glomar response," which allows them to "neither confirm
nor deny" the existence of the requested documents.
http://www.wired.com/threatlevel/2011/11/feds-drop-plan-to-lie/
http://www.theregister.co.uk/2011/11/04/department_of_justice_agrees_not_to_lie/
http://www.npr.org/blogs/thetwo-way/2011/11/04/142024547/justice-dept-drops-non-disclosure-proposal-for-foia-requests
[Editor's Note (Liston): All this time and energy wasted, and they
could've just gone and asked my mom. I remember having some rather
pointed conversations about similar topics when I was a child. DOJ:
Just so you know, my mom wouldn't really approve of the Glomar response
either...]
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/