SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #92

November 21, 2008

TOP OF THE NEWS

US Dept. of Defense Bars Use of Removable Data Storage Devices to Halt Worm's Spread
McColo Shutdown Hurt Some Botnets
Healthcare Workers in UK and US Not Taking Adequate Security Precautions with Data
Canadian Telecom Regulator Says Bell Canada's Traffic Throttling OK

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Teen Hacker Admits Wrongdoing
College Student Charged in Alleged eMail Hacking and Attempted Extortion
POLICY AND LEGISLATION
Mass. Data Protection Regulation Compliance Deadline Pushed Back Five Months
UK Information Commissioner Seeks Authority to Impose Increased Fines
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Australian ISP Sued for Allegedly Allowing Illegal Filesharing
DATA LOSS & EXPOSURE
British National Party Membership List Posted to Internet
ATTACKS
IT Staff Still Working to Address Malware on London Hospital Systems
STUDIES AND STATISTICS
Survey: Many Irish eCommerce Websites Lack Strong Data Protection

---

******* Sponsored By SANS Process Control & SCADA Security Summit ******

Technology leaders from more than 200 utilities, manufacturers, and other control systems users are meeting in Orlando to get early access to recently discovered proof of critical vulnerabilities in new metering systems, in serial communications, and other previously trusted technologies, AND on what they can do now to protect their control systems. They'll also learn from Public Utility Commissioners what it takes to get security expenditures into the rate base, and what works in CIP auditing and compliance. Also at the Summit: free classes funded by DHS, and paid SANS hands-on, in-depth courses on hacker exploits, penetration testing, security management and more. This is the annual meeting where, in 2008, the CIA first disclosed they had data on multi-city power outages caused by remote hackers. If you work in security of control systems, don't miss this meeting; Orlando, early February: http://www.sans.org/info/35719

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Dept. of Defense Bars Use of Removable Data Storage Devices to Halt Worm's Spread (November 19, 2008)

To halt the spread of a worm through US Department of Defense computer systems, the commander of US Strategic Command has banned the use of all removable data storage devices, including USB drives, CDs and flash media cards. The ban affects both secret and unclassified networks. The malware infecting the computers is called Agent.btz, a variant of the SillyFDC worm. It spreads by copying itself onto USB drives and other removable data storage devices and infecting the next device they are attached to. Devices that are the personal property of employees or that are not authorized will not ever be permitted to be used on department computers; some department USB drives may be approved after they have been properly vetted. Internet Storm Center Diary:
-http://isc.sans.org/diary.html?storyid=5384
-http://blog.wired.com/defense/2008/11/army-bans-usb-d.html
[Editor's Note (Pescatore): Agent.btz has been on anti-malware blacklists since late June. Whatever the DoD desktops are using for anti-malware protection should be looked at before mass bans of portable media are put in place. ]

McColo Shutdown Hurt Some Botnets (November 18, 2008)

The shutdown last week of web hosting company McColo resulted in the disabling of an estimated 500,000 PCs infected with bot malware. The computers themselves still work, but the malware that had been placed on them can no longer communicate with command-and-control servers. McColo's upstream service providers disconnected the hosting company at the behest of researchers who said the company's services were enabling significant amount of cybercrime. When McColo went offline, two major botnets, Srizbi and Rustock, were put out of action as well. Rustock is unlikely to recover the lost bots, as they have no backup plan coded into the malware; Srizbi's bots, however, are instructed to check other domains names if they cannot connect to the primary server.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=Security&articleId=9120727&taxonomyId=17&pageNumber=1
[Editor's Note (Honan): Earlier this year, the Dutch police used a botnet that they had busted to warn victims that their PCs were infected. It would be interesting to see if the same technique can be used again to warn these victims Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=5333
-http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?new
sid=10427]

Healthcare Workers in UK and US Not Taking Adequate Security Precautions with Data (November 20, 2008)

A survey of 1,000 healthcare workers in the UK and the US found that more than one-third store sensitive patient data on portable data storage devices, including laptop computers, Blackberrys and USB sticks. One-fifth of respondents said they stored data on their personal devices to transport the information. One-third of those responding said they use passwords as the only form of data protection. Six percent of UK respondents said they use no data protection at all; in the US, that figure is 18 percent. Of the UK workers, 56 percent use strong data protection methods, including encryption, two-factor authentication, biometrics and smart cards. Among US respondents, just 23 percent use strong data protection methods.
-http://www.vnunet.com/vnunet/news/2230989/healthcare-workers-putting

Canadian Telecom Regulator Says Bell Canada's Traffic Throttling OK (November 20, 2008)

The Canadian Radio-television and Telecommunications Commission (CRTC) has denied a complaint filed by the Canadian Association of Internet Providers (CAIP) asking that CRTC stop Bell Canada from throttling certain types of Internet traffic. Bell Canada admits that it has slowed traffic from peer-to-peer (P2P) filesharing websites during peak Internet traffic hours. The company also acknowledged that it uses deep packet inspection. CRTC said that "CAIP has not demonstrated that Bell Canada's methodology for determining congestion in the network is inappropriate." The finding contrasts with recent similar issues in the US involving Comcast's use of selective traffic throttling.
-http://www.pcmag.com/article2/0,2817,2335133,00.asp
-http://www.theglobeandmail.com/servlet/story/RTGAM.20081120.wcrtc1120/BNStory/Te
chnology/?cid=al_gam_nletter_techweekly

---

************************* SPONSORED LINK ******************************

"SANS @Home SEC401 Security Essentials is being offered starting December 10th, 2008. @HOME is areat way to get the needed essential, up-to-the-minute knowledge and skills required for effective performance. If you are given the responsibility for securing systems, get more information here and register at http://www.sans.org/info/32138 ." "I found the @home sessions with Seth Misenar much easier to fit my professional and personal schedule. Having three hours of class one night a week with seven days to review the content in between was priceless." --Nikki Allen-Cain, First Bankers Trust Co"

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Teen Hacker Admits Wrongdoing (November 18 & 19, 2008)

A teenage hacker from Massachusetts, who uses the online name "Dshocker," has pleaded guilty to charges of computer intrusion, interstate threats and wire fraud. According to prosecutors, the 16-year-old, who was unnamed in accordance with federal law, broke into multiple computer systems, recruited computers into botnets, spoofed emergency phone calls to elicit SWAT responses, and made fraudulent purchases with stolen credit card information. The defendant has agreed to an 11-month sentence to be served at a juvenile detention facility, although he has not yet been formally sentenced. If he had been tried as an adult, he could have faced up to 10 years in prison, five years of supervised release and a US $250,000 fine.
-http://www.theregister.co.uk/2008/11/19/dshocker_pleads_guilty/
-http://www.cybercrime.gov/dshockerPlea.pdf

College Student Charged in Alleged eMail Hacking and Attempted Extortion (November 17, 2008)

A Kentucky college student has been charged with identity theft and unlawful access to a computer for allegedly breaking into other students' email accounts at the University of the Cumberlands and using the access and information to blackmail them. Sungkook Kim allegedly threatened to divulge the contents of certain messages unless the students complied with his demands. He also allegedly placed spyware on computers at the college library to harvest the information necessary to access the email accounts and used someone else's wireless router to send the threatening messages.
-http://www.kentucky.com/181/story/595802.html
[Editor's Note (Northcutt): Sounds like a "security awareness tip of the day" moment. Using public computers is dangerous; the odds are high that your details will be collected. In addition, the folks with whom you communicate will likely have their email addresses harvested. Here are a couple links for further and supporting information:
-http://www.linuxfortravelers.com/the-risks-of-using-public-computers
-http://blogs.techrepublic.com.com/10things/?p=322]

POLICY AND LEGISLATION

Mass. Data Protection Regulation Compliance Deadline Pushed Back Five Months (November 14 & 20, 2008)

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has extended the compliance deadline for regulations that require companies doing business with Massachusetts residents to use encryption and other strong data security measures to protect residents' personal information. Citing current economic conditions, OCABR extended the deadline from January 1, 2009 to May 1, 2009. The companies have until January 1, 2010 to provide certification from their-party providers that they are in compliance with the data protection requirements of the state's consumer protection laws.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9121018&source=rss_topic17
-http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&
;b=pressrelease&f=081114_IDTheftupdate&csid=Eoca

UK Information Commissioner Seeks Authority to Impose Increased Fines (November 18, 2008)

The UK Information Commissioner's Office (ICO) wants the authority to fine companies up to 10 percent of their revenue for violations of the Data Protection Act, which would match the maximum penalty that can be imposed by the Financial Services Authority on companies that do not comply with financial regulations. Presently, the maximum fine the ICO may impose is GBP 5,000 (US $7,366).
-http://www.growthbusiness.co.uk/news/business-news/814242/fines-likely-for-data-
breaches.thtml
[Editor's Note (Schultz): The level of ICO's current authority is ostensibly not nearly sufficient to deal with cases of negligence in data protection. Increasing this office's level of authority to levy much more substantial fines would thus constitute a step forward in helping combat data security breaches as well as identity theft.
(Dick): I agree with Eugene's comment. I recently learned from executives in the electrical power industry one of the primary driving forces in addressing cyber security issues was the fear of significant fines and penalties from Federal and State regulatory agencies. In short, the power companies could not be allowed to pass on the fines and penalties in their rates. If they pay for it, the business case for investment in improved security becomes easier. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Australian ISP Sued for Allegedly Allowing Illegal Filesharing (November 20, 2008)

A group of film and television companies have sued iiNet, one of the Australia's largest Internet service providers (ISPs), alleging that it allows its users to download television programs and movies in violation of copyright laws. iiNet COO Mark White says his company in no way supports piracy, but that it cannot cut off service to customers simply because the movie industry says they are downloading content illegally. The lawsuit seeks a ruling that iiNet engaged in copyright infringement by failing to stop its users from illegally sharing files; it also seeks an order that would require iiNet to take action to prevent such activity in the future.
-http://www.smh.com.au/news/technology/biztech/film-companies-sue-iinet-for-allow
ing-piracy/2008/11/20/1226770617457.html?page=fullpage#contentSwap1

DATA LOSS & EXPOSURE

British National Party Membership List Posted to Internet (November 19, 2008)

A membership roster of the British National Party (BNP) has been posted to the Internet. The exposed data include names, home addresses, home and mobile phone number and email addresses of approximately 13,500 supporters of the far right political party. Some of those whose information was posted fear they could lose their jobs or be physically attacked. The data appear to have been posted by a disgruntled BNP member. Police have been called in to investigate.
-http://www.guardian.co.uk/politics/2008/nov/19/bnp-names-web-police-security
-http://www.timesonline.co.uk/tol/news/uk/article5183833.ece
[Editor's Note (Honan): In the UK it is a sackable offence for a member of the police force to be also a member of the BNP. ]

ATTACKS

IT Staff Still Working to Address Malware on London Hospital Systems (November 19 & 20, 2008)

IT staff are still working to eradicate the effects of a Mytob worm infection that forced the shutdown of computer systems at three London, UK-area hospitals. The problem appeared to be addressed on Monday evening, but the system crashed on Tuesday. The malware does not appear to have spread to other systems.
-http://www.theregister.co.uk/2008/11/19/hospital_computer_virus_shutdown_update/
-http://software.silicon.com/malware/0,3800003100,39348158,00.htm?r=8

STUDIES AND STATISTICS

Survey: Many Irish eCommerce Websites Lack Strong Data Protection (November 19, 2008)

A Deloitte Enterprise Risk Services survey of more than 100 Irish ecommerce websites found that 65 percent do not employ stringent online payment security measures. Results of the survey indicate that "a significant proportion of websites" are not in compliance with the Payment Card Industry Data Security Standards. More than half of the sites were found to be using weak or legacy encryption, while two percent used no encryption at all.

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/