Merit Network Email List Archives: NETSEC Archives

[Netsec] SANS NewsBites Vol. 14 Num. 27 : Global Payments Breach Affects 1.5 Million Accounts, After Supreme Court Throws Out GPS Tracking Data, Prosecutors Plan to Use Cell-Phone Location Data in Retrial

  • From: The SANS Institute
  • Date: Tue Apr 03 14:33:53 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**************************************************************************
SANS NewsBites                April 3, 2012              Vol. 14, Num. 027
**************************************************************************
TOP OF THE NEWS
  Global Payments Breach Affects 1.5 Million Payment Card Accounts
  After Supreme Court Throws Out GPS Tracking Data, Prosecutors Plan to
    Use Cell-Phone Location Data in Retrial
  ACLU: Many US Police Departments Use Warrantless Cell Phone Tracking
THE REST OF THE WEEK'S NEWS
    Pastebin.com to Focus on Faster Takedown of Sensitive Data
    Malware Variant Exploits Unpatched Flaw in Java for Apple Macintosh
      OS X
    Al Qaeda Websites Offline For More Than a Week
    Man Seeks Order to Preserve Megaupload Data
    Ukrainian Authorities Seize Virus Writers' Forum's Servers
    US Intelligence Smartphone Pilot
    Google Releases Chrome 18
    Kelihos Botnet Still Active After Takedown

************************ Sponsored By Zscaler ***************************

WEBCAST: RALCORP SWITCHES FROM APPLIANCES TO CLOUD SECURITY

Join Charles Jacks, Lead IT Architect at RalCorp, and Phil Hochmuth,
Research Director at IDC, for this 1-hour webcast to learn why Ralcorp,
a food-manufacturing giant with $4.3 billion in annual sales, switched
to cloud-delivered security.
APRIL 24 at 10am PST/ 1pm EST
http://www.sans.org/info/102964

**************************************************************************
TRAINING UPDATE
 --SANS Northern Virginia 2012, Reston, VA  April 15-20, 2012
7 courses.  Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/
 --SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
11 courses.  Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
http://www.sans.org/cyber-guardian-2012/
 --SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012
Listen to two of the best minds in Application Security, Jeremiah
Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training
by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/
 --SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012
10 courses.
http://www.sans.org/secure-amsterdam-2012/
 --SANS Security West 2012, San Diego, CA  May 10-18, 2012
24 courses. Bonus evening presentations include Metametrics - A New
Approach to Information Security Management Metrics; and Malware
Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/
 --SANS Toronto 2012, Toronto, ON  May 14-19, 2012
5 courses. Bonus evening presentations include I've Been Geo-Stalked!
Now What? And What Should Keep You Up at Night: The Big Picture and
Emerging Threats.
http://www.sans.org/toronto-2012/
 --SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
 --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks.  Maximize your training by also attending one or
more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
 --SANS Canberra 2012, Canberra, Australia   July 2-10, 2012
5 courses. 
http://www.sans.org/canberra-2012/
 --Looking for training in your own community?
http://sans.org/community/
 --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

***********************************************************
TOP OF THE NEWS
 --Global Payments Breach Affects 1.5 Million Payment Card Accounts
(April 2, 2012)
As many as 1.5 million credit card accounts have been compromised in a
security breach at card payment processor Global Payments. The breach is
likely to affect both Visa and MasterCard
accounts. Investigations into the matter are underway. The breach
appears to have occurred between January 21 and February 25, 2012.
Global Payments has not provided much specific information about the
breach. Reports suggest that fraudulent activity has already been
detected on roughly 800 of the compromised accounts. Visa has rescinded
its seal of approval for Global Payments.
http://www.h-online.com/security/news/item/Global-Payments-loses-up-to-1-5-million-credit-card-records-in-data-theft-1498448.html
http://www.wired.com/threatlevel/2012/04/global-payments-breach/
http://krebsonsecurity.com/2012/04/global-payments-1-5mm-cards-exported/
http://www.bbc.co.uk/news/technology-17569336
http://www.scmagazine.com/visa-expels-global-payments-following-15m-card-breach/article/234865/
http://www.globalpaymentsinc.com/DataProtection.html
[Editor's Note (Murray): This is not a CardServices or a Homeland scale
event.  The cards compromised were numbered in the hundreds of thousands
rather than the tens of millions.  While Global Payments lost their
"preferred" designation, they did not lose the right to process.  The
banks are aware of the cards compromised and have or will issue new
cards.  They have disabled the cards for use at ATMs.  Consumers that
have not seen a fraudulent transaction already are not likely to see
one.  There is almost no impact on merchants {though it would be nice
to think they would resist the use of otherwise blank cards with only a
mag-stripe}.  The financial loss to Global Payments will equal about one
quarter's profits.  While its stock has declined about twenty percent,
it is not likely to go out of business.   All that said, given the
continued use of mag-stripe and PIN in the retail payment system,
consumers should use on-line services to reconcile the charges to their
accounts at least weekly. While EMV cards will not protect the issuers
from "card not present" fraud, they will help protect the consumer
against these seemingly inevitable mass compromises.]

 --After Supreme Court Throws Out GPS Tracking Data, Prosecutors Plan
    to Use Cell-Phone Location Data in Retrial
(March 31, 2012)
Following a US Supreme Court ruling that probable-cause warrants are
required prior to attaching GPS tracking devices to suspects' vehicles,
federal prosecutors are now seeking to use location data gathered about
cell-phone use. That decision was revealed in a filing in pre-trial
proceedings of alleged Washington, DC-area drug dealer Antoine Jones's
retrial. Jones's legal team plans to argue that the cell-tower location
information violates their client's Fourth Amendment rights. Jones's
life sentence was reversed with the January Supreme Court ruling on GPS
data collected without a valid warrant. The evidence in Jones's case
that was harvested from a GPS device attached to his car has been
suppressed as a result.
http://www.wired.com/threatlevel/2012/03/feds-move-to-cell-site-data/

 --ACLU: Many US Police Departments Use Warrantless Cell Phone Tracking
(April 2, 2012)
According to the American Civil Liberties Union, (ACLU) many police
departments in the US track cell-phone locations without warrants. In
some cases, the tracking was conducted in emergencies, for example, to
find a missing person. The ACLU requested the information from law
enforcement agencies; more than 200 responded. In most cases, the
tracking information was sought from phone companies, but in some
jurisdictions, law enforcement has acquired their own tracking
technology.
http://www.nextgov.com/nextgov/ng_20120402_7520.php?oref=topnews
[Editor's Note (Murray): While even this can be abused, using existing
records to, for example, find a missing person, is a far cry from
tagging suspects to further an investigation.  Warrants are easy to get
and are our only defense against an over-zealous state. Exceptions
should be rare and the admission of such evidence obtained without a
warrant should be even rarer. ]

************************** Sponsored Links:  **************************
1) Cloud Innovators Webinar: PhoneFactor Solves Cloud Strong Auth Challenges
http://www.sans.org/info/102969 

2) Manage your Big Data with the most scalable log & security
intelligence platform for the Enterprise & Cloud.  Don't take our word.
Try it yourself! For a limited time, download here:
http://www.sans.org/info/102974

3) SolarWinds(R) Log and Event Manager for operations, compliance and
security is powerful, easy and affordable!
http://www.sans.org/info/102979
************************************************************************

THE REST OF THE WEEK'S NEWS
 --Pastebin.com to Focus on Faster Takedown of Sensitive Data
(April 2, 2012)
Pastebin.com owner Jeroen Vader plans to implement stricter monitoring
of the content posted on the site to prevent the broadcast of sensitive
information. The site plans to hire new employees to focus on the
endeavor. Until now, the site had a flagging system to identify the
information. The site has requested that users not post lists of
passwords, stolen source code, or personal data, but the request is
often ignored. Members of Anonymous often use the site to post data they
have stolen.
http://www.bbc.co.uk/news/technology-17544311
http://www.h-online.com/security/news/item/Pastebin-com-arms-itself-against-misuse-1498988.html
http://www.v3.co.uk/v3-uk/news/2165411/pastebin-tackle-anonymous-lulzsec-hackers-sensitive-dumps

 --Malware Variant Exploits Unpatched Flaw in Java for Apple Macintosh OS X
(April 2, 2012)
A variant of the Flashback Trojan horse program, Flashback.K, is
infecting Mac computers through an unpatched critical vulnerability in
Java for Mac OS X. The malware has been detected in the wild. The issue
lies in Java; Oracle patched the flaw in February, but Apple has yet to
push a fix out to OS X. Experts recommend that Apple users disable the
Java client until a fix is released. Flashback, which was apparently
developed specifically to target Mac computers, first appeared in
September 2011, disguised as an Adobe Flash Player update. Apple stopped
bundling Java in its operating system by default with OS X 10.7, or
Lion, but users are still able to download it. Apple has a history of
lagging behind Windows and Linux in releasing Java updates.
http://arstechnica.com/apple/news/2012/04/mac-trojan-exploits-unpatched-java-vulnerability-no-password-needed.ars
http://www.computerworld.com/s/article/9225757/Unpatched_Java_bug_infects_Macs_with_Flashback_malware?taxonomyId=17
http://www.theregister.co.uk/2012/04/02/flashback_mac_malware/
http://www.scmagazine.com/flashback-trojan-targets-mac-computers/article/234877/
http://reviews.cnet.com/8301-13727_7-57408383-263/flashback-malware-evolves-to-exploit-unpatched-java-vulnerabilities/

 --Al Qaeda Websites Offline For More Than a Week
(April 2, 2012)
Several prominent Al Qaeda websites have been unavailable for more than
a week, leading to speculation that they were targeted in a cyber
attack. This is their longest outage in the eight years since they went
online. There have been no public claims of responsibility for the
outages. Some Al Qaeda sites are still online.
http://www.washingtonpost.com/world/national-security/al-qaedas-online-forums-go-dark-for-extended-period/2012/04/02/gIQAfd4xqS_story.html 

 --Man Seeks Order to Preserve Megaupload Data
(March 30, 2012)
A man represented by the Electronic Frontier Foundation (EFF) is asking
a US District Judge to order that the 25 petabytes of data that
authorities seized earlier this year in connection with Megaupload be
preserved. Kyle Goodwin operates OhioSportsNet, which films and streams
high school athletic events; he wants access to his content that is
stored on the Megaupload network. Earlier in March, the Motion Picture
Association of America (MPAA) asked Megaupload server host Carpathia to
retain all the data because they could be used as evidence in copyright
infringement lawsuits. Federal authorities say that they have copied
what they require and that Carpathia does not need to retain the 25
million GB of Megaupload data that it is currently storing at a cost of
US $9,000 a day. Carpathia has asked a judge to relieve it of the need
to retain the data and the accompanying expense. Megaupload has asked
that some of its frozen assets be released to pay Carpathia for storing
the data.
http://www.wired.com/threatlevel/2012/03/megaupload-seized-content/

 --Ukrainian Authorities Seize Virus Writers' Forum's Servers
(March 29 & 30, 2012)
Authorities in Ukraine have seized servers that belong to the VX Heavens
forum, for allegedly developing and planning to sell malware. VX Heavens
has been around for many years and was a forum where people allegedly
shared advice on writing malware. It was focused on "old-school" virus
writing, which pre-dates the malware-for-profit model that prevails
today. The servers were seized on March 23. VX Heavens calls itself a
vault of information.
http://www.computerworld.com/s/article/9225693/Ukraine_shuts_down_forum_for_malware_writers?taxonomyId=17
http://www.theregister.co.uk/2012/03/29/vxer_hub_takedown/
http://arstechnica.com/business/news/2012/03/ukrainian-police-shut-down-forum-for-malware-writers.ars?clicked=related_right

 --US Intelligence Smartphone Pilot
(March 29, 2012)
As part of a pilot program, about 100 US government intelligence
professionals are using Android smartphones that allow them to conduct
secret conversations over a commercial cellular network. The pilot
program involves NSA Red Team hackers who will attempt to break into the
secured communications. There will also be assessments regarding the
security measures' effects on the quality of the sound on the calls and
the frequency of dropped or lagging calls. One of the issues that will
need to be addressed in the future is that the walls of US intelligence
facilities are constructed to prevent wireless electromagnetic signals
from getting through, rendering the devices unusable inside the
buildings. The program is called Project Fishbowl.
http://www.defensenews.com/article/20120329/C4ISR02/303290008/Cover-Story-Top-Secret-Goes-Mobile?odyssey=nav|head
[Editor's Note (Murray): One should not infer anything about Android
security from the fact that a nation state can (or cannot) instantiate
a secure application on it.]

 --Google Releases Chrome 18
(March 29, 2012)
Google has released Chrome version 18, which addresses nine security
flaws in earlier versions of its browser. Google released the stable
version of Chrome 17 on February 8. Google paid a total of $4,000 to six
researchers for information about six of the flaws; Google also paid US
$8,000 to four researchers who disclosed flaws prior to the final
release of Chrome 18. Chrome 18 includes Adobe Flash Player 11.2.
http://www.computerworld.com/s/article/9225680/Google_ships_Chrome_18_patches_bugs_and_boosts_hardware_acceleration?taxonomyId=85

 --Kelihos Botnet Still Active After Takedown
(March 29, 2012)
Despite an attempted shutdown last week, the Kelihos botnet appears to
be still active. Within a day after an announcement from a group of
researchers that Kelihos had been knocked offline, others were reporting
evidence of the botnet's activity. The researchers poisoned the botnet
with their own code, redirecting infected machines to their own sinkhole
server instead of the botnet's command-and-control servers. Some of the
researchers maintain that the activity is part of a new variant of the
botnet, not the one targeted in the takedown.
http://www.theregister.co.uk/2012/03/29/kelhios_bot_not_dead_yet/
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232700540/it-s-already-baaack-kelihos-botnet-rebounds-with-new-variant.html
[Editor's Comment (Northcutt): This story keeps reminding me of the "Why
won't you die" scene in Vendetta. There is more to this story than
technology; the Dave Dittrich Honeynet blog post with a FAQ on Kelihos
references a code of conduct for these types of activities that often
involve extraordinary intervention:
https://www.honeynet.org/node/836
http://www.youtube.com/watch?v=LGGPufySwZ4 ]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk97MYYACgkQ+LUG5KFpTkajGQCfTyB9fRl+uP+Beazp0MQzr4HI
CcMAniwKgi9fkTVzHrFfAaHj640fDBir
=CHrX
-----END PGP SIGNATURE-----
