SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #91

November 18, 2008

TOP OF THE NEWS

Virus Shuts Down Three UK Hospitals
FTC Seeks to Ban Sale of RemoteSpy Keylogger Spyware
CMA Changes Criminalize DDoS Attacks and Attack Tools

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Law Professor Will Take on RIAA
ARRESTS, CHARGES & CONVICTIONS
Palin Yahoo eMail Hack Trial Pushed Back to May 2009
Burmese Blogger Sentenced to 10 Years in Prison
German Man Resists Job Interview Sting
SPAM, PHISHING & ONLINE SCAMS
Phishing Scheme Pretends to be Cyber Scam Warning From US Federal Reserve
UPDATES AND PATCHES
Apple Releases Safari Update; Users Complain of Crashes
Google Fixes Chrome File Stealing Hole
DATA LOSS & EXPOSURE
Stolen Laptop Not Encrypted Despite Security Policy
ATTACKS
Spyware Infiltrates International Monetary Fund Computers

---

******************** Sponsored By Sourcefire, Inc. **********************

Best of Open Source Security (BOSS) Conference 2009
February 8-10, 2009 at the Flamingo in Las Vegas. Content-rich agenda around open source security (OSS). Come join others passionate about OSS and share ideas and experiences. Sponsors include Sourcefire, Nokia, Symantec, ArcSight, Crossbeam Systems, and others. Sourcefire Users Summit will be running simultaneously. Early-bird registration now in effect.
http://www.sans.org/info/35394

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Virus Shuts Down Three UK Hospitals (November 18, 2008)

A computer virus has shut down the computer systems at Barts in the City, the Royal London Hospital in Whitechapel and The London Chest Hospital in Bethnal Green. The engineers worked through the night but failed to fix the problem.
-http://news.bbc.co.uk/2/hi/uk_news/england/london/7735502.stm
-http://www.scmagazineuk.com/London-hospitals-struck-down-by-virus/article/121133
/

FTC Seeks to Ban Sale of RemoteSpy Keylogger Spyware (November 17, 2008)

A US District Court in Florida has granted a request from the US Federal Trade Commission (FTC) for a temporary restraining order preventing the sale of RemoteSpy keylogger spyware while its case against CyberSpy Software is pending. The FTC filed a complaint against CyberSpy earlier this month seeking a permanent ban of the sale of the product and alleging four violations of the FTC Act: Unfair Sale of Spyware; Unfair Collection and Disclosure of Consumers' Personal Information; Means and Instrumentalities to Install Spyware and access Consumers' Personal Information; and Means and Instrumentalities to Engage in Deception.
-http://news.cnet.com/8301-13578_3-10099123-38.html?part=rss&subj=news&ta
g=2547-1009_3-0-20
-http://ftc.gov/os/caselist/0823160/081105cyberspycmplt.pdf
[Editor's Note (Schultz): The FTC may be fighting a losing cause. Keylogger software is already freely available on the Internet; the fact that it is now also available as commercial software is really hardly noteworthy. ]

CMA Changes Criminalize DDoS Attacks and Attack Tools (November 14, 2008)

Changes to the UK's Computer Misuse Act (CMA) criminalizing DDoS attacks and distributed attack tools have finally taken effect in England and Wales. Changes to the CMA were first suggested six years ago, and actual changes were made in 2006. Scotland adopted the changes in October 2007, but England and Wales did not enact the changes until October 2008; there had been some concern that the wording of the changes could inhibit research. The changes include increased penalties for the newly clarified offenses. The impetus to effect the changes to CMA can be traced at least in part to a case in which prosecutors were unable to charge a teenager who had launched a DDoS attack against his former employer because the judge ruled that the employer's computer system was designed to receive email. The teen pleaded guilty to charges brought after the High Court ruled that the earlier decision had been made in error.
-http://www.theregister.co.uk/2008/11/14/dos_criminalised/

---

************************* SPONSORED LINK ******************************

1) Free, Downloadable, Log and Compliance Management Solution from Q1 Labs. Get QRadar SLIM Free Edition http://www.sans.org/info/35399
2) "USB Auditing, Encryption, and Control -> Award-Winning USB Security Software -> Download Now" http://www.sans.org/info/35404
3) SANS @Home SEC401 Security Essentials is being offered starting December 10th, 2008. @HOME is areat way to get the needed essential, up-to-the-minute knowledge and skills required for effective performance. If you are given the responsibility for securing systems, get more information here and register at http://www.sans.org/info/32138 "I found the @home sessions with Seth Misenar much easier to fit my professional and personal schedule. Having three hours of class one night a week with seven days to review the content in between was priceless." --Nikki Allen-Cain, First Bankers Trust Co"

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Law Professor Will Take on RIAA (November 17 & 18, 2008)

Harvard Law School professor Charles Nesson has taken on the case of a Boston University graduate student who has been targeted by a lawsuit from the Recording Industry Association of America (RIAA). Nesson's argument focuses on the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999, which he says is unconstitutional because it allows the RIAA, a private organization, "Carry out civil enforcement of a criminal law."
-http://news.smh.com.au/technology/law-professor-fires-back-at-songswapping-lawsu
its-20081117-687q.html
-http://www.boston.com/lifestyle/articles/2008/11/18/billion_dollar_charlie_vs_th
e_riaa/

ARRESTS, CHARGES & CONVICTIONS

Palin Yahoo eMail Hack Trial Pushed Back to May 2009 (November 17, 2008)

David Kernell, the Tennessee college student accused of breaking into Alaska Governor Sarah Palin's Yahoo! email account, will face trial in May 2009. The trial had originally been scheduled to start in December, but according to the motion to push back the trial's start date, "because of the nature of the case, significant forensic evaluation is required." Both sides said they need additional time for discovery. If Kernell is convicted, he could face a five year prison sentence followed by three years of supervised release in addition to a US $250,000 fine. In October, Kernell pleaded not guilty and was released on his own recognizance. While he awaits trial, he may not own a computer and may use the Internet only for email and college coursework.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9120559&source=rss_topic17

Burmese Blogger Sentenced to 10 Years in Prison (November 12, 2008)

A Burmese blogger was sentenced to 20 years and six months in prison for crimes against public tranquility and video and electronics laws offenses. Nay Myo Kyaw, who writes under the alias Nay Phone Latt, was arrested as part of a crackdown on dissidents. The lawyer who represented Nay Phone Latt and poet Saw Wai, who was sentenced to two years in prison for publishing a love poem that also served as an acrostic critical of Burma's dictator, also received a prison sentence for contempt of court.
-http://www.timesonline.co.uk/tol/news/world/asia/article5129509.ece
[Editor's Note (Pescatore): I guess the freedom of speech tradeoff is worth it. Progressive societies allow criticism of the government but have to put up with the Paris Hiltons and the like polluting "public tranquility"...]

German Man Resists Job Interview Sting (November 12 & 14, 2008)

A German man who admitted in a telephone interview to having figured out how to break into the network at computer game developer Valve evaded arrest by not taking the bait of a follow-up interview on American soil. Valve initiated contact with Axel Gembe after evidence pointed to his having a role in the leak of Half Life 2 source code prior to the game's release. While the ruse had worked several years before with a pair of Russian hackers, Axel Gembe declined the invitation. He was charged in Germany and sentenced to probation. In October, Gembe was named in a new indictment in a different case; the indictment alleges he created malware known as Agobot, which was used in the Echouafni case to attack the retail websites of his business rivals. Echouafni has fled the country and is believed to be in Morocco. He had allegedly hired Paul Ashley to manage the distributed denial-of-service (DDoS) attacks; Ashley has already completed a two-year prison term for his role in the attacks.
-http://blog.wired.com/27bstroke6/2008/11/valve-tricked-h.html
-http://www.theregister.co.uk/2008/11/14/half_life_sting/

SPAM, PHISHING & ONLINE SCAMS

Phishing Scheme Pretends to be Cyber Scam Warning From US Federal Reserve (November 14, 2008)

A new phishing attack is spreading in the guise of a scam warning from the US Federal Reserve. The message directs recipients to a web page that appears to provide details about the scam and attempts to download a PDF file that contains a variety of malware, including software that could be used to make infected computers part of a botnet. Of particular interest in this attack is "that the botnet uses a Secure Sockets layer connection to send and receive encrypted information between the botnet server and infected machines." The phishing message itself contains several blatant clues that it is not to be trusted: the English grammar is poor and it does not attempt to hide the fact that it is leading users to an outside URL.
-http://www.vnu.co.uk/vnunet/news/2230518/federal-reserve-spam-attack
[Editor's Note (Skoudis): While the grammar is laughable now, the bad guys will certainly hone this scam given the market turmoil and consumer's worries. Watch for this one to become far more lethal in the near future. ]

UPDATES AND PATCHES

Apple Releases Safari Update; Users Complain of Crashes (November 14 & 17, 2008)

The newest version of Apple's Safari web browser now has anti-phishing protection. Safari 3.2 also includes fixes for 11 security flaws. Most of the vulnerabilities affect the Windows version of Safari, but some affect the Mac OS X version as well. Most of the flaws were labeled arbitrary code execution vulnerabilities. Users have been reporting that the newest version of the browser is causing frequent crashes.
-http://www.networkworld.com/news/2008/111408-apple-plays-catch-up-adds-anti-frau
d.html?code=nlsecuritynewsal170182
-http://www.theregister.co.uk/2008/11/17/safari_3_2_update_grumbles/

Google Fixes Chrome File Stealing Hole (November 14, 2008)

Google has patched a flaw in its Chrome browser that could be exploited to steal files from vulnerable machines. The majority of users have not had the fix pushed out to their computers; it is addressed in a developer-only version of the open source browser. Users can reset their browsers so they receive all released updates. Chrome 0.4.154.18 also adds new features, including a bookmark manager and a reworked pop-up blocker.
-http://www.networkworld.com/news/2008/111408-google-patches-chrome-file-stealing
.html?code=nlsecuritynewsal170179
[Editor's Note (Skoudis): Given the recent Google Chrome and Apple Safari for Windows problems, I think you can make a very good argument for not relying on a browser for your main web surfing until it has aged a bit, giving the vendor time to work out the most egregious security flaws. How much time? My gut says about a year is needed before a browser becomes reasonably (but not perfectly) scrubbed. Until then, have fun playing with these shiny new toys on an experimental box. ]

DATA LOSS & EXPOSURE

Stolen Laptop Not Encrypted Despite Security Policy (November 14, 2008)

The data on a North Carolina Department of Health and Human Services laptop computer stolen in October were not encrypted, despite a department security policy that required encryption of sensitive information. The computer holds personally identifiable data, including Social Security numbers (SSNs), of more than 85,000 individuals. At least one other NC DHHS laptop holding sensitive data was reported stolen this year, and two other laptops reported stolen may also hold personal information. The state's chief information officer says that "failure to encrypt the hard drive on the laptop was a violation of State Security Standards. Additionally, DHHS may have been in violation of other standards regarding due diligence in safeguarding information." A September 9, 2008 memo requires that any laptops employees planned to remove from their offices must be encrypted by November 1, 2008.
-http://www.newsobserver.com/news/story/1294350.html
[Editor's Note (Skoudis): Even if the data were encrypted, an attacker may still be able to get access to it by cold-booting the machine, cracking the user's password, or other bypass techniques. I think as laptop crypto is deployed more regularly, we'll see breach disclosure rates go down. But, the bad guys will still be compromising sensitive data using various attack techniques. The public just won't know as much about it without the notification. ]

ATTACKS

Spyware Infiltrates International Monetary Fund Computers (November 14, 2008)

Attackers broke into the International Monetary Fund's (IMF) computer system earlier this month. As a precaution, the IMF temporarily cut off its connection to the World Bank; according to reports earlier this fall, the World Bank's computer system had been under attack over several months. IMF officials became aware of spyware was spreading through its computer system on November 7; an IMF spokesperson said he was not aware of a system lockdown related to the incident. Anonymous sources, however, maintain that there was a computer lockdown on November 7.
-http://www.foxnews.com/story/0,2933,452348,00.html

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/