From: The SANS Institute (NewsBites sans.org)
Date: Tue Mar 19 2013 - 12:47:13 CDT
**************************************************************************
SANS NewsBites March 18, 2013 Vol. 15, Num. 022
**************************************************************************
TOP OF THE NEWS
Federal Judge Rules National Security Letters are Unconstitutional
Reuters Journalist Indicted for Allegedly Allowing Hackers Into Former
Employers' System
Thieves Hack Casino Surveillance System to Carry Out AU $32 Million Cheat
THE REST OF THE WEEK'S NEWS
Brian Krebs Targeted in SWAT Attack
Supreme Court Declines to Hear Jammie Thomas-Rasset Filesharing Appeal
iPad Data Hacker Gets 41-Month Prison Sentence
Microsoft Pushes Out Windows 7 SP1
DHS Cybersecurity Chief Resigns
Two Charged in Subway Sandwich Shop Point-Of-Sale Terminal Hacks
GSA Contractor Database May Have Exposed User Data
Apple's Latest OS X Update Includes Fix for Java Web Start Flaw
************************** SPONSORED BY Bit9 *******************************
WHITEPAPER - Advanced Threat Landscape: What Your Organizations Need to
Know - In the wake of the numerous server data breaches reported, it is
clear that traditional signature-based blacklisting security strategies
are inadequate in addressing today's sophisticated cyber threats.
Industry analyst Frost & Sullivan examines today's advanced threat
landscape and recommends that organizations adopt a new approach to
server security that is based on trust.
Download Today http://www.sans.org/info/127402
****************************************************************************
TRAINING UPDATE
-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
http://www.sans.org/event/monterey-2013
-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013
-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations. http://www.sans.org/event/cyber-guardian-2013
-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013
-- Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
Bonus evening session: Patching Your Employees' Brains.
https://www.sans.org/event/secure-canberra-2013
-- Critical Security Controls International Summit London, UK April 26-May 2, 2013
Including SEC566: Implementing and Auditing the 20 Critical Security
Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit
-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Five
dedicated pen test training courses led by five SANS world-class
instructors.
http://www.sans.org/event/pentest-berlin-2013
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in
the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************
TOP OF THE NEWS
--Federal Judge Rules National Security Letters are Unconstitutional
(March 15, 2013)
A federal judge in California has ruled that national security letters
(NSLs) are unconstitutional. Judge Susan Illston ruled the gag order
that accompanies NSLs violates the First Amendment; the gag order
prohibits recipients from even acknowledging that they have received the
request for information. The FBI uses NSLs to obtain information on US
citizens without a court order. The only requirement for obtaining an
NSL is a supervisor's certification that the information being sought
is relevant to a national security investigation. The case in which
Judge Illston made the ruling involves an unnamed telecommunications
company that received an NSL in 2011 and challenged both the letter's
authority and the legitimacy of its accompanying gag order, both of
which are permissible challenges under the law. The Justice Department
then countersued the company for violating the law by challenging its
authority.
http://www.washingtonpost.com/world/national-security/fbi-survillance-tool-is-ruled-unconstitutional/2013/03/15/d4796396-8db9-11e2-9f54-f3fdd70acad2_story.html
http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/
http://www.forbes.com/sites/andygreenberg/2013/03/15/heres-the-judges-order-banning-the-fbis-secret-requests-for-companies-user-data/
http://www.scribd.com/doc/130615238/NSL-Ban
--Reuters Journalist Indicted for Allegedly Allowing Hackers Into
Former Employers' System
(March 15, 2013)
Reuters journalist and deputy social media editor Matthew Keys has been
indicted for allegedly providing a hacker affiliated with the Anonymous
group access to the Tribune Co.'s servers in 2010. Keys previously
worked for a Tribune television station in Sacramento, but had lost his
job several months before the incident. Keys allegedly provided an
Anonymous member with a user name and password to access Tribune
servers; several stories were defaced. The indictment charges Keys with
conspiracy to cause damage to a protected computer, transmission of
malicious code, and attempted transmission of malicious code. Keys has
been suspended from his position at Reuters. If convicted on all
charges, Keys faces a maximum of 25 years in prison and a fine of US
$750,000. Some say that the penalties are too severe.
http://latimesblogs.latimes.com/lanow/2013/03/matthew-keys-attorneys-hes-target-of-draconian-computer-laws.html
http://www.nextgov.com/cybersecurity/2013/03/one-act-cyber-vandalism-worth-25-years-jail/61890/?oref=ng-channelriver
http://www.nytimes.com/2013/03/18/technology/outcry-over-computer-crime-indictment-of-matthew-keys.html?pagewanted=all
http://uk.reuters.com/article/2013/03/15/us-thomsonreuters-keys-idUKBRE92D1CM20130315
http://big.assets.huffingtonpost.com/MatthewKeysIndictment.pdf
(Please note The New York Times requires a paid subscription)
[Editor's Note (Honan): A good example of why a formal leaving policy
for staff, especially those that are disgruntled in any way, should
include properly and immediately securing their account and changing
passwords on other sensitive accounts.]
--Thieves Hack Casino Surveillance System to Carry Out AU $32 Million Cheat
(March 14, 15, & 18, 2013)
In a scheme reminiscent of the movie Ocean's 11, a group of people
gained access to a Melbourne, Australia casino's surveillance system and
used it to view players' cards in a high-stakes poker game played in a
private room. The scammers fed the information to an accomplice who won
AU $32 million (US $33 million). The gambler, who is known to win and
lose large sums of money, has been banned from the casino and is
believed to have returned to his home country.
http://www.theregister.co.uk/2013/03/15/cctv_hack_casino_poker/
http://www.crn.com.au/News/336797,cctv-hack-leaves-crown-casino-32-million-down.aspx
http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337
[Editor's Note (Pescatore): A timely reminder to the security community
that continuous monitoring systems are very attractive targets for
attackers.]
*************************** Sponsored Links: ******************************
1) Analyst Webcast: Secure Configuration in Action Featuring new
deployment information from the City of Oregon.
http://www.sans.org/info/127407
2) Analyst Webcast: NAC Applied to SANS Critical Security Controls
Wednesday, April 03, 2013 at 1:00 PM EDT (1700 UTC/GMT). Featuring: G.
Mark Hardy and Scott Gordon. http://www.sans.org/info/127412
3) Join Palo Alto Networks threat webinar discussing APT1 and latest
techniques malware uses to hide from traditional security.
http://www.sans.org/info/127417
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Brian Krebs Targeted in SWAT Attack
(March 15, 2013)
Late last week, security journalist Brian Krebs was the target of
SWATting; hackers placed an emergency phone call and made it appear to
come from Krebs's mobile phone. The call described a dangerous situation
that caused the police to send a team of heavily armed officers to his
home. Earlier the same day, Krebs's website was targeted by a
denial-of-service attack. Around the same time, a company that protects
his website from attacks received a letter - determined to be phony -
that appeared to come from the FBI, claiming that Krebs's site was
hosting illegal content and should be shut down. The multi-pronged
attack on Krebs may be related to a story he published about an
organization that sells access to other people's credit reports. The
following morning, Ars Technica journalist Dan Goodin reported Krebs's
ordeal on that site. Shortly after the story appeared, that site was hit
with a denial-of-service attack that appeared to come from the same
source as the attack on Krebs's site.
http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
http://arstechnica.com/security/2013/03/security-reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/
http://www.washingtonpost.com/blogs/the-state-of-nova/post/swating-the-seamy-underweb-and-award-winning-fairfax-cybercrime-journalist-brian-krebs/2013/03/18/9bb15742-8f87-11e2-bdea-e32ad90da239_blog.html
[Editor's Note (Honan): Brian Krebs has an interesting update to the
story where he claims to talk to the individual alleged to be behind the
attack. A thought struck me as I read the encounter: we need to not
only be better at providing people with skills in computer security, but
we also must ensure there is a strong focus on how to use those skills
in an ethical manner and not abuse them for gain, petty revenge or
individual gain.
http://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/]
--Supreme Court Declines to Hear Jammie Thomas-Rasset Filesharing Appeal
(March 18, 2013)
The US Supreme Court has declined to hear a petition from Jammie
Thomas-Rasset, the Minnesota woman who was the first person to legally
challenge a filesharing case brought by the Recording Industry
Association of America (RIAA). Thomas-Rasset's case dates back to 2007.
The Supreme Court has declined to hear other filesharing cases.
Thomas-Rasset's appeal argued that the Copyright Act, which allows
damages of up to US $150,000 for each infringement, is excessive and
unconstitutional.
http://www.wired.com/threatlevel/2013/03/scotus-jammie-thomas-rasset/
--iPad Data Hacker Gets 41-Month Prison Sentence
(March 18, 2013)
Andrew Auernheimer has been sentenced to 41 months in prison.
Auernheimer and his accomplice, Daniel Spitler, found a way to obtain
personal data of iPad owners through a publicly accessible website. When
the iPad was introduced in April 2010, AT&T provided Internet access for
some users, but to set up an account, users had to provide AT&T with
personal information, including their email addresses. Auernheimer and
Spitler wrote an automated script to gather email addresses and SIM card
numbers of 120,000 iPad owners. In November 2012, Auernheimer was found
guilty of identity fraud and conspiracy to access a computer without
authorization. Auernheimer is appealing the verdict and the Electronic
Frontier Foundation (EFF) has joined his defense.
http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/
http://www.theregister.co.uk/2013/03/18/auernheimer_ipad_hack_prison/
http://www.computerworld.com/s/article/9237685/Judge_ignores_leniency_plea_hands_AT_T_hacker_a_41_month_sentence?taxonomyId=17
[Editor's Note (Honan): This sentence has unfortunately made a martyr
out of an individual who appears to have conducted some questionable
research and will also discourage many others from coming forward with
their findings.
(Paller): What seems to be missing is a place/group, where researchers
can take their findings, that has enough clout to make change happen or
to disclose it with authority. A trusted group like that would separate
the "researchers" who are criminals from the researchers who are
actually trying to help.]
--Microsoft Pushes Out Windows 7 SP1
(March 18, 2013)
Due to the approaching expiration of support for Windows 7 RTM (release
to manufacturing), Microsoft will start pushing out Windows 7 Service
Pack 1 (SP1) on March 19. Microsoft will no longer support Windows 7 RTM
after April 8, 2013; support for Windows 7 SP1 will continue through
January 13, 2015. SP1 first became available in February 2011. It will
be pushed out only to those users whose machines are not managed with
Microsoft management tools.
http://www.zdnet.com/microsoft-to-push-windows-7-service-pack-1-to-users-starting-march-19-7000012769/
[Editor's Note (Pescatore): This seems so quaint, pushing out giant
"Service Packs" - sort of like how funny it was when an excited Steve
Martin exclaimed "The new phone book is here, I'm somebody now!"
Windows 8 will be joining the Apple iOS and Google Android generations
of operating systems in having App Store mechanisms with continuous
updates and patching (nice Computerworld piece at
http://www.computerworld.com/s/article/9237599/Security_pros_pan_and_praise_Microsoft_s_plans_on_updating_Modern_apps_in_Windows_8_RT).
Mobile devices are already changing how we need to think about image and
version control, app security and compatibility, etc. Windows 7 will be
the last hurrah for the old ways on the desktop.]
--DHS Cybersecurity Chief Resigns
(March 15, 17, & 18, 2013)
Mark Weatherford, who has served for the past 16 months as the US
Department of Homeland Security's (DHS's) first cybersecurity chief, has
resigned, effective April 12, 2013. Weatherford will join a private
consulting firm on May 1. Bruce McConnell, DHS senior counsel for
cybersecurity, will step in as interim deputy undersecretary for
cybersecurity when Weatherford leaves on April 12. Rand Beers,
undersecretary for DHS's National Protection and Programs Directorate,
said of Weatherford, "Mark is a living testament to the DHS mantra that
cybersecurity is a shared responsibility. Because of his vision, we now
have stronger coordination and clearer alignment with [other] agencies."
http://www.nextgov.com/cybersecurity/2013/03/dhs-cyber-czar-mark-weatherford-step-down/61922/?oref=ng-channeltopstory
http://fcw.com/articles/2013/03/18/mcconnell-weatherford-dhs.aspx
http://www.scmagazine.com/head-of-cyber-security-at-dhs-resigns/article/284646/
--Two Charged in Subway Sandwich Shop Point-Of-Sale Terminal Hacks
(March 15 & 17, 2013)
Two men have been charged in connection with a scheme to fraudulently
load US $40,000 onto Subway sandwich shop gift cards. Shahin Abdollahi
and Jeffrey Thomas Wilkinson allegedly used the cards to make purchases
and also sold them over the Internet. Abdollahi owned a Subway franchise
from 2005 to 2008, and then he operated a business that sold
point-of-sale (POS) terminals to Subway restaurants across the country.
Some of the POS terminals he sold had a remote desktop tool loaded onto
them. Abdollahi and Wilkinson are charged with conspiracy to commit
computer intrusion and wire fraud. The men were indicted on March 6,
2013, in US District Court in Massachusetts.
http://news.cnet.com/8301-1009_3-57574791-83/two-charged-in-theft-of-$40k-from-hacked-subway-keypads/
http://www.computerworld.com/s/article/9237638/Two_charged_with_gift_card_hacking_scheme?taxonomyId=17
[Editor's Note (Pescatore): Between this kind of thing and the use of
default passwords in remote access software, there was a huge wave of
targeted attacks that siphoned millions of credit cards from fast food
chain IT systems in the 2006 - 2010 timeframe. Notice this is a very
good example of why supply chain integrity is *not* just a problem when
the vendor is from China or off-shore.]
--GSA Contractor Database May Have Exposed User Data
(March 16, 2013)
The US federal government's General Services Administration (GSA) has
issued a statement acknowledging a "security vulnerability" in its
System for Award Management (SAM) database that could have been
exploited by system users to view other users' data. SAM contains
government contractor registration records with banking information,
financial details, and codes for accessing information about past
performance. A GSA spokesperson said that all SAM users have been
notified about the security issue. The database contains details of
about 600,000 companies. GSA learned of the flaw on March 8 and fixed
it by March 10. The spokesperson did not provide details about the
vulnerability, so it is not known if the data were exposed through
deliberate actions, such as exploiting an SQL vulnerability, or through
an inadvertent situation, such as an unapplied patch or a password
management error.
http://www.nextgov.com/cybersecurity/2013/03/gsa-database-may-have-leaked-contractor-banking-and-proprietary-information/61921/?oref=ng-channelriver
http://www.gsa.gov/portal/content/167855
--Apple's Latest OS X Update Includes Fix for Java Web Start Flaw
(March 15, 2013)
Apple has released an update for OS X, Mountain Lion 10.8.3, to address
21 security flaws, 11 of which could be exploited to allow remote code
execution. The update also includes fixes to several stability issues.
One of the vulnerabilities fixed in the update could be exploited to
launch a Java Web Start application even when the Java plug-in is
disabled. The Java Web Start patch is available for OS X Lion and Lion
Server versions 10.7 to 10.7.5, and OS X Mountain Lion versions 10.8 to
10.8.2. The last security update for Mountain Lion was released in
September 2012. The update also includes the most recent version of
Apple's Safari browser, version 6.0.3.
http://www.scmagazine.com/apple-updates-mountain-lion-os-includes-java-web-start-fix/article/284647/
http://arstechnica.com/security/2013/03/apple-purges-os-x-flaw-that-let-java-apps-run-when-plugin-was-disabled/
http://www.informationweek.com/security/vulnerabilities/apple-os-x-update-fixes-21-vulnerabiliti/240150898
http://www.h-online.com/security/news/item/Apple-ships-fixes-for-new-Java-Web-Start-hole-1824127.html
http://www.theregister.co.uk/2013/03/15/os_x_mountain_lion_v10_8_3/
http://support.apple.com/kb/HT5672
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/