[Netsec] SANS NewsBites Vol. 13 Num. 97 : Card Skimming: Four Indicted and Others Found at the Lucky Supermarket Chain; Federal Cloud Computing Security Standard Released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**************************************************************************
SANS NewsBites December 9, 2011 Vol. 13, Num. 97
**************************************************************************
TOP OF THE NEWS
Four Indicted in Connection With Skimming Ring
Card Skimmers Found at the Lucky Supermarket Chain
Federal Cloud Computing Security Standard Released
THE REST OF THE WEEK'S NEWS
Download.com President Apologizes for Bundling Installer with Nmap
White House Identifies Cyber Security R&D Priorities
Bradley Manning Defense Team Points to Army's Neglect of Warning Signs
Microsoft Will Issue Fixes for 20 Flaws on December 13
UK Criminal Records Bureau to Allow Online Checking
Tech Industry Groups Speak Out Against SOPA
RIM Update to Prevent PlayBook Jailbreaking Broken Within Hours
Michigan Appellate Court to Decide if Man Can be Charged For Snooping on Wife's eMail
Adobe Working on Out-of-Cycle Patch for Flaw in Windows Versions of Reader and Acrobat
DARPA Backing Huge Anomaly Detection System to Identify Insider Threats
US Copyright Office Considering DMCA Exceptions
****************************** Sponsored HP ****************************
Is your organization's defense perimeter broken? Recent statistics show
that a majority of security vulnerabilities are caused by security flaws
in application and web software. Learn how you can prevent these
security vulnerabilities by downloading the NEW whitepaper from HP
Enterprise Security - Next Generation Application Monitoring: Combining
Application Security Monitoring and SIEM
http://www.sans.org/info/93339
**************************************************************************
TRAINING UPDATE
--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses. Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them. Hear
what works and what doesn't from peer organizations. Network with top
individuals in the field of SCADA security. Return from the summit
with solutions that you can immediately put to use in your
organization.
Pre-Summit courses: January 21-25, 2012
Summit: January 26-27, 2012
Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses. Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012
7 courses. Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
--SANS Singapore 2012, Singapore, Singapore March 5-17, 2012
5 courses.
http://www.sans.org/singapore-2012/
--Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************
TOP OF THE NEWS
--Four Indicted in Connection With Skimming Ring
(December 8, 2011)
Four people have been indicted on charges stemming from their alleged
involvement with a scheme in which payment card data were stolen
remotely from point-of-sale systems at a number of US business
establishments. The four, all from Romania, are charged with conspiracy
to commit computer fraud, wire fraud, and access device fraud. Two were
arrested when they entered the US in August 2011, one is in custody in
Romania, and one is still at large. The scheme allegedly affected more
than 80,000 payment card users and ran up millions of dollars in
unauthorized purchases. The group allegedly scanned the Internet for
vulnerable point-of-sale systems, cracked the passwords, and installed
keystroke-logging software on the systems.
http://www.computerworld.com/s/article/9222520/Four_charged_with_hacking_point_of_sale_computers?taxonomyId=17
--Card Skimmers Found at the Lucky Supermarket Chain
(December 7, 2011)
Lucky Supermarkets has acknowledged that hackers have tampered with
payment card readers in self-checkout lanes at more than 20 stores in
California. It is not known how many customers may be affected, but
Lucky and its parent company, Save Mart Supermarkets, are urging
customers to check their credit and debit card accounts. Card readers
at more than 200 stores are also being checked for tampering.
http://www.wired.com/threatlevel/2011/12/hackers-skim-lucky-supermarket/
http://news.cnet.com/8301-1009_3-57338480-83/lucky-supermarkets-credit-card-scam-getting-worse/
http://www.mercurynews.com/breaking-news/ci_19480051
[Editor's Note (Murray): While having served us well for fifty years for
dispensing cash, mag-stripe and PIN are not safe for retail payments.
We have known this for more than a decade. The public should not have
to know that using one's PIN at a point of sale is not safe. Is it
going to require legislation to get the payment card industry to fix
this? Where are the EMV cards? ]
--Federal Cloud Computing Security Standard Released
(December 8, 2011)
The Federal Risk and Authorization Management Program (FedRAMP)
"establishes a set of baseline security and privacy standards that all
cloud service providers will need to meet in order to sell their
products to government agencies." FedRAMP will give agencies standard
procurement language to use when requesting proposals for cloud
services.
http://www.computerworld.com/s/article/9222525/Feds_launch_cloud_security_standards_program?taxonomyId=17
http://www.federaltimes.com/article/20111208/IT03/112080302/
[Editor's Note (Murray): If the contract does not specify it, you are
not likely to get it. While the devil is in the details, since
identifying and expressing our requirements is difficult, this could be
very helpful.
(Paller): It could be helpful, but there are cloud vendors and federal
agencies poised to use FedRAMP to "paper over" massive security
weaknesses in configurations (they deliver Best-Buy quality
configurations rather than safe configurations) and paper continuous
monitoring instead of automated measurement and mitigation. The FedRAMP
authors know explicitly about both these risks. If they follow through
and stop the vendors from exploiting FedRAMP to deliver infection-prone
systems, they will have earned the gratitude of the entire government.
We'll know in about 90 days whether what they have done is deserving of
kudos.
(Honan): Europeans considering cloud services may find the ENISA (the
European Network and Information Security Agency) guide to "Cloud
Computing Risk Assessment" useful
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment ]
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Download.com President Apologizes for Bundling Installer with Nmap
(December 8, 2011)
The president of Download.com has apologized for bundling Nmap open
source network scanning software with an installer that changed
browsers' home pages and default search engine. Nmap developer Gordon
Lyon said that the bundling violated the Nmap distribution license. The
installer in question has been removed.
http://www.h-online.com/security/news/item/Download-com-apologises-for-bundling-1392501.html
http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/
http://www.cso.com.au/article/409633/cnet_de-trojans_nmap_outrage_continues/
--White House Identifies Cyber Security R&D Priorities
(December 8, 2011)
The White House has issued a roadmap of its cyber security research and
development (R&D) priorities. The outline from the Office of Science and
Technology Policy divides the priorities into four areas: Inducing
Change; Developing Scientific Foundations; Maximizing Research Impact;
and Accelerating Transition to Practice. The R&D roadmap is based on the
2009 review of the state of cyber security in the US.
http://www.eweek.com/c/a/Security/White-House-Releases-CyberSecurity-RD-Program-Priorities-182063/
http://www.informationweek.com/news/government/security/232300107
http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf
--Bradley Manning Defense Team Points to Army's Neglect of Warning Signs
(December 8, 2011)
Bradley Manning's defense team hopes to show that the US Army neglected
signs that Manning posed a threat. Fifteen people have been disciplined
in connection with Bradley Manning's leaks of sensitive military and
state department documents to WikiLeaks, including a non-commissioned
officer who was demoted for dereliction of duty. Psychological
profiling can be helpful in identifying employees who pose a greater
risk of inside attacks. Bradley Manning exhibited a number of warning
signs, including physical fights and dress code violations, but he was
still permitted access to sensitive data. One witness the defense plans to call
is a psychologist who had previously recommended that Manning be removed
from his duties.
http://www.wired.com/threatlevel/2011/12/army-disciplined-15/
http://www.politico.com/blogs/joshgerstein/1211/Army_disciplined_15_over_Bradley_Manning_and_Wikileaks.html
http://www.informationweek.com/news/security/vulnerabilities/232300158
[Editor's Note (Honan): The internal threat continues to be very
important. Some excellent guides to identifying the internal threat:
one by CERT/CC http://www.cert.org/insider_threat/.
And one by Darkreading with some useful stats and insights
http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/232300211/the-art-of-profiling-cybercriminals.html ]
--Microsoft Will Issue Fixes for 20 Flaws on December 13
(December 8, 2011)
On Tuesday, December 13, Microsoft will release fixes for 20
vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows
Media Player. The flaws to be addressed include one in the Windows
kernel that has been exploited by the Duqu Trojan and another in SSL
3.0/TLS that garnered publicity several months ago with the release of
the BEAST hacking tool. Three of the 14 bulletins scheduled for release have
been rated critical; the other 11 are rated important.
http://www.computerworld.com/s/article/9222530/Update_Microsoft_plans_20_patches_next_week_will_fix_Duqu_and_BEAST_bugs?taxonomyId=17
http://www.scmagazineus.com/three-critical-patches-to-be-in-microsoft-security-update/article/218609/
http://blogs.technet.com/b/msrc/archive/2011/12/08/news-from-mapp-and-advance-notification-service-for-the-december-2011-bulletin-release.aspx
http://technet.microsoft.com/en-us/security/bulletin/ms11-dec
--UK Criminal Records Bureau to Allow Online Checking
(December 6 & 7, 2011)
The UK's Criminal Records Bureau will launch an online service that
will allow employers to conduct background checks on job applicants.
Home Office Minister Lynne Featherstone said the plan was introduced as a way
to reduce bureaucracy; checks are conducted on those who apply to work
with vulnerable people. Previously, applicants had to apply for a new
certificate each time they applied for a position.
http://www.guardian.co.uk/government-computing-network/2011/dec/07/crb-checks-online
http://www.nursingtimes.net/nursing-practice/clinical-specialisms/management/ministers-agree-to-tighten-criminal-checks-on-overseas-nhs-staff/5038858.article
--Tech Industry Groups Speak Out Against SOPA
(December 7, 2011)
Technology industry groups have written letters to US legislative
leaders, asking them to reconsider the Stop Online Piracy Act (SOPA).
The letter, which is from the Consumer Electronics Association, the
Information Technology Industry Council, TechAmerica and others, warns
that passage of the bill as it stands will have unforeseen consequences
that could have a detrimental effect on the country's digital economy.
http://thehill.com/blogs/hillicon-valley/technology/197953-tech-groups-ask-congress-to-slow-down-sopa
--RIM Update to Prevent PlayBook Jailbreaking Broken Within Hours
(December 7, 2011)
Research in Motion (RIM) issued an update to prevent BlackBerry PlayBook
tablets from being jailbroken by the recently released Dingleberry
PlayBook tool. The update was broken just hours after its release,
meaning users can once again use the tool to gain root access to their
devices. Those responsible for the tool have published a guide
explaining exactly how to jailbreak PlayBooks.
http://www.informationweek.com/news/security/attacks/232300081
http://www.eweek.com/c/a/Security/Hackers-Update-PlayBook-Jailbreak-Tool-After-RIM-Closes-Security-Flaw-814044/
http://www.theregister.co.uk/2011/12/07/blackberry_playbook_jailbreak_release/
--Michigan Appellate Court to Decide if Man Can be Charged For Snooping
on Wife's eMail
(December 7, 2011)
The Michigan Court of Appeals is considering whether a man who accessed
his then-wife's Gmail account can be charged under a state hacking law.
Leon Walker's attorneys are challenging a felony charge against their
client which was made after he gained access to Clara Walker's Gmail
account to find out if she was having an affair. Walker's attorneys
maintain the state law was designed to target identity thieves and
intellectual property theft. They are asking the appellate court to
throw out the charges. While one of the judges said that Walker's
activity seems to fall squarely within the law's purview, a defense attorney
said that if his client could be charged for looking at his wife's
email, parents could be charged for looking at their children's online
activity. A written opinion is expected next year. If this bid is not
successful, Walker and his attorneys plan to take the matter to the
Michigan Supreme Court. The law under which he is being charged was
enacted in 1979.
http://www.usatoday.com/news/nation/story/2011-12-07/email-hacking-cheating/51698546/1
--Adobe Working on Out-of-Cycle Patch for Flaw in Windows Versions of
Reader and Acrobat
(December 6 & 7, 2011)
Adobe says it is working on a fix for a vulnerability in Acrobat and
Reader that is being actively exploited in targeted attacks. The flaw
is being exploited to crash the applications and take control of
vulnerable computers. Adobe is working on a patch for versions 9.X for
Windows-based systems only because that is the platform targeted in the
attacks. Adobe expects to release the out-of-cycle patch early next
week. Fixes for other versions of the programs will be released on
schedule in January 2012. The flaw itself exists in versions 10.1.1 and
earlier. The flaw is a memory corruption vulnerability in the way
Universal 3D files are processed. The protected mode in X versions of
the programs stops the execution of exploit code. The flaw is being
exploited through malicious PDF files that have been sent to several
different organizations, including some US defense contractors.
Lockheed Martin has acknowledged that it was targeted in an attack but
the attackers were not successful in accessing the company's computer
network.
http://www.darkreading.com/insider-threat/167801100/security/application-security/232300055/new-zero-day-adobe-attack-under-way.html
http://www.theregister.co.uk/2011/12/06/adobe_reader_attacks/
http://news.cnet.com/8301-1009_3-57337844-83/adobe-warns-of-attacks-using-reader-on-windows/
http://krebsonsecurity.com/2011/12/attackers-hit-new-adobe-reader-acrobat-flaw/
http://www.h-online.com/security/news/item/New-Adobe-Reader-zero-day-in-the-wild-1391441.html
http://www.scmagazineuk.com/adobe-to-release-emergency-patch-for-critical-vulnerability-in-reader-and-acrobat/article/218288/
http://www.eweek.com/c/a/Security/Adobe-ZeroDay-Exploit-Targeted-Defense-Contractors-383203/
http://www.scmagazineus.com/lockheed-martin-hit-but-not-breached-with-adobe-zero-day/article/218603/
--DARPA Backing Huge Anomaly Detection System to Identify Insider Threats
(December 6, 2011)
DARPA (the Defense Advanced Research Projects Agency) is backing a
research project that will be capable of analyzing as many as 250
million messages a day to search for anomalies that could help identify
insider threats. Five organizations are working on the prototype Anomaly
Detection at Multiple Scales (ADAMS) system. The system will be used
only on internal systems with users' consent; they will know that their
communications are being scanned.
http://gcn.com/articles/2011/12/06/darpa-prodigal-email-monitoring-insider-threats.aspx?admgarea=TC_SECCYBERSSEC
http://blogs.computerworld.com/19382/sifting_through_petabytes_prodigal_monitoring_for_lone_wolf_insider_threats
--US Copyright Office Considering DMCA Exceptions
(December 5 & 6, 2011)
The US Copyright Office is considering two requests to amend the Digital
Millennium Copyright Act (DMCA). The first, made by Public Knowledge,
seeks to legalize technology that would allow people who purchase
encrypted DVDs of movies to copy those movies to their personal
media-playing devices and make back-up copies of the movies. The second
is a request from the Electronic Frontier Foundation (EFF) to allow
users to jailbreak Xbox gaming consoles. The change sought in the second
case would eliminate federal prosecution of and civil lawsuits against
individuals who jailbreak legally purchased devices, but still allow for
federal prosecution of people "who bundle 'mod kits' with pirated
games."
http://www.wired.com/threatlevel/2011/12/dmca-exemption-requests/
http://www.eweekeurope.co.uk/news/eff-demands-legal-protection-for-jailbreaks-48519
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk7iReoACgkQ+LUG5KFpTkY5fACcCPKZHFSoY6llVjJJzIalKjQF
ws8An0UckQxk3+5WvAqqsP1/hAat3VJl
=kMph
-----END PGP SIGNATURE-----