SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #94

December 02, 2008

SANS 2009 Annual Conference and Training Program will be held in Orlando in early March. It includes the largest selection of SANS courses ever held, and all taught by our top rated teachers. SANS 2009 also includes the largest security tools expo and extensive networking programs through evening sessions, lunch & learns, and more. This is the one program for which you need to register early because courses fill up quicker than for any other training conference. http://www.sans.org/sans2009
Alan

---

TOP OF THE NEWS

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown
UK Government Will Not Establish Breach Notification Law for Private Sector
MySpace Suicide Case Verdict: Three Misdemeanor Convictions

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS
Arrests and Charges in Home Equity Line of Credit Thefts
POLICY AND LEGISLATION
EU Council's Five-Year Plan to Tackle Cyber Crime Includes Remote Searches
MALWARE
London Hospitals' Computer Systems Almost Back to Normal
Srizbi Bots Seek Alternate Command-and-Control Servers
ACTIVE EXPLOITS, WORMS & VIRUSES
Worm Actively Exploiting Vulnerability Addressed in MS08-067
ATTACKS
Cyber Thieves Hit Massachusetts Town Banks Accounts
MISCELLANEOUS
Group Raises Privacy Concerns About RFID Chips in Identification Docs at Borders
World Bank CIO Duties Change Hands in Wake of Attacks
Iran Executes IT Specialist for Spying for Israel

---

************************** Sponsored By CA ******************************

Server Resource Protection: A Critical Element of IT Security.
Protecting server resources from internal and external access abuse and attacks is critical to maintaining a strong security posture. Incessant threats and attacks on enterprise security continue to challenge IT. A recent $7 billion French banking fraud case clearly illustrates the problem at hand. This IDC whitepaper analyzes common vulnerabilities in protecting server resources. Learn more http://www.sans.org/info/36058

*************************************************************************

TRAINING UPDATE

- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools expo; lots of evening sessions: http://www.sans.org/cdi08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown (November 28, 2008)

The Los Angeles Times is reporting that the US Department of Defense's decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.
-http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6
441140.story

UK Government Will Not Establish Breach Notification Law for Private Sector (November 26 & December 1, 2008)

Last week, the UK government announced in a report that it will allow the Information Commissioner's Office (ICO) to impose increased fines for "deliberate or reckless loss of data," but stopped short of calling for a law, instead allowing the ICO to establish rules for breach disclosure. The "Response to the Data Sharing Review Report" says that private sector organizations should disclose data breaches "as a matter of good practice," and that the Information Commissioner's office (ICO) should consider whether or not such organizations did disclose breaches when taking enforcement action against the company. Public sector organizations are already subject to requirements that they report any data security incidents to the ICO.
-http://news.zdnet.co.uk/itmanagement/0,1000000308,39563446,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=330437&source=rss_topic17
[Editor's Note (Pescatore): This report makes some erroneous conclusions based on another study done by a policy group in a law firm that says breach notifications don't have an impact on security. I think being forced to tell customers "we have screwed you" with all the attendant press coverage has had a major impact of boards of directors paying attention to security - orders of magnitude more than reporting regimes like GLB and Sarbanese Oxley.
(Honan): This is a disappointing development and one I hope will be rectified sooner rather than later. The UK may have no choice but to introduce breach disclosure laws if the EU decide to issue such a directive, as has been recommended by ENISA
-http://www.csoonline.com/article/376817/Security_Agency_Calls_For_EU_Laws_on_Bre
ach_Disclosure]

MySpace Suicide Case Verdict: Three Misdemeanor Convictions (November 26 & 28, 2008)

Lori Drew, the Missouri woman who perpetrated an Internet hoax that prompted a 13-year old neighbor to kill herself, was convicted of three misdemeanor offenses of accessing computers without authorization; a federal jury acquitted Drew of three felony counts of accessing computers without authorization to inflict emotional harm. The misdemeanor offenses are each punishable by up to one year in prison and a fine of US $100,000. If she had been convicted of the additional charges, Drew could have faced 20 years in prison. Drew was tried under the US Computer Fraud and Abuse Act for violating the MySpace terms of agreement by establishing a phony identity and harassing another MySpace member. The case was tried in Los Angeles because that is where MySpace servers are housed; there was no applicable Missouri law that could be used to prosecute Drew.
-http://www.msnbc.msn.com/id/27928608/
-http://www.securityfocus.com/brief/863
-http://www.washingtonpost.com/wp-dyn/content/article/2008/11/26/AR2008112600629_
pf.html
[Editor's Note (Schultz): This is an extremely important ruling. I was disappointed that Drew evaded more serious charges. At the same time, however, the fact that she was tried and convicted on the basis that she accessed computers without authorization because she used a false MySpace identity sets a precedent for extending the scope of the Computer Fraud and Abuse Act well beyond cases in which individuals have simply broken into systems. ]

---

************************* SPONSORED LINK ******************************

1) "USB Security Software -> Auditing, Encryption, and Control -> Download Now" http://www.sans.org/info/36063

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Arrests and Charges in Home Equity Line of Credit Thefts (November 28, 2008)

Four people have been arrested and an additional three have pleaded guilty to charges stemming from activities of an identity theft. The group stole more than US $12 million by illegally accessing untapped home equity lines of credit. The thieves used documents available online for a fee to find the necessary information, then contacted the financial institutions and asked them to wire large chunks of the available credit to banks in Canada and Asia. In some cases, they changed the victims' home phone numbers to lines they controlled so they could answer the calls verifying the transfer requests.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/11/27/AR2008112702027_
pf.html
-http://www.cybercrime.gov/polkCharge.pdf
-http://www.cybercrime.gov/matthewsPlea.pdf

POLICY AND LEGISLATION

EU Council's Five-Year Plan to Tackle Cyber Crime Includes Remote Searches (December 1, 2008)

The EU Council of Ministers has approved a five year plan to tackle cyber crime. Among the tactics proposed are remote searches of computers suspected of being used in criminal activity; the investigations will be coordinated by Europol. The plan also aims to improve information sharing among European law enforcement agencies of member nations and private companies to help prosecute criminals. Europol has been granted 300,000 Euros (US $379,000) to develop a system to consolidate crime reports and issue warnings about emergent threats.
-http://www.theregister.co.uk/2008/12/01/eu_cybercrime_strategy/
-http://news.bbc.co.uk/2/hi/technology/7758127.stm
[Editor's Note (Schultz): Given the complexity of the problem with which Europol is faced, 300,000 Euros worth of funding seems like a pittance.
(Honan): Given that the EU Council of Ministers has only granted _300,000 to Interpol to develop this system one wonders how serious they actually are taking the issue of cyber crime. ]

MALWARE

London Hospitals' Computer Systems Almost Back to Normal (December 1, 2008)

Two weeks after the Mytob worm caused computer networks at three London hospitals to be shut down, things are nearly back to normal. St. Bartholomew's, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green together make up the Barts and the London NHS Trust, which said in a statement last week that 97 percent of the computers have been scanned and are malware-free. The infection prompted a disaster recovery plan that quarantined the Trust's PCs. The source of the infection is still unknown.
-http://www.theregister.co.uk/2008/12/01/barts_malware_infection_clean_up/

Srizbi Bots Seek Alternate Command-and-Control Servers (November 26 & 27, 2008)

The Srizbi botnet, which was disabled by the shutdown of web hosting company McColo several weeks ago, appeared to be back online early last week. Srizbi includes an algorithm that attempts to establish new domain names that the malware could contact for instructions should the initial connection be severed. The botnet suffered another setback when the Estonian Internet service provider (ISP) that had hosted its command and control servers for a short period of time also cut off service to those servers. Srizbi is estimated to comprise more than 450,000 PCs, and it is believed that half of all spam generated worldwide comes through the Srizbi botnet. The reason Srizbi was kept at bay for several weeks was that researchers reverse engineered the Srizbi code and figured out what domains the bots would be searching for, then created and seized them so the bot masters could not regain control of the army of infected machines.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9121758&source=rss_topic17
-http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/
[Editor's Note (Pesactore): The bot client strategies for finding command and control centers has gotten increasingly devious. New techniques used mechanisms that are very similar to old style spycraft, the cyber equivalent of spy numbers stations and chalk Xs on mailboxes. The needed security breakthrough here is being able to tell automated actions from user-driven actions from the network, rather than relying on blocking communications to command and control centers.]

ACTIVE EXPLOITS, WORMS & VIRUSES

Worm Actively Exploiting Vulnerability Addressed in MS08-067 (November 26 & 27 & December 1, 2008)

Researchers at Microsoft have noted a recent spike in attacks exploiting the vulnerability patched in the company's MS08-067 bulletin, which was released as an out-of-cycle fix in late October 2008. The remote code execution flaw lies in the RPC (remote procedure call) functions of the Server Service. One of the culprits is a worm called Conficker.A; infections have been reported in corporate environments and by "several hundred" home users as well. Once this particular worm infects a computer, it "patches the vulnerable API in memory" so other malware cannot take control of the machine. The worm appears to be creating a sizeable botnet.
-http://www.theregister.co.uk/2008/11/26/conficker_attacks_windows/s
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9121660&source=rss_topic17s
-http://news.cnet.com/8301-1009_3-10109080-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.securityfocus.com/brief/862
-http://www.heise-online.co.uk/security/Windows-worm-infection-accelerates--/news
/112077
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9121958&source=rss_topic17
-http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
-http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspxs

ATTACKS

Cyber Thieves Hit Massachusetts Town Banks Accounts (November 26, 2008)

A computer at the Sandwich, Massachusetts treasurer's office was infected with keystroke-logging software, allowing attackers to harvest access credentials that they used to steal approximately US $50,000 from town bank accounts. The cyber thieves transferred the stolen funds to accounts in Florida and Georgia. Sandwich Police Chief Michael J. Miller plans to ask the FBI to help with the investigation. Law enforcement authorities in Florida have questioned a man who opened one of the accounts; he said he had answered an ad that offered payment for opening an account. After the thieves transferred the money to that account, he was allegedly to wire it to Russia. The thieves were careful to keep the amounts transferred under US $10,000, the threshold that triggers FBI notification.
-http://www.boston.com/news/local/massachusetts/articles/2008/11/26/sandwich_lose
s_nearly_50k_to_hacker/

MISCELLANEOUS

Group Raises Privacy Concerns About RFID Chips in Identification Docs at Borders (December 1, 2008)

The Association of Corporate Travel Executives (ACTE) wants the US to stop using a system that reads RFID tags in government issued identification documents at border crossings, pending a review of the security issues the system poses. ACTE is concerned specifically with the possibility that people could eavesdrop on the RFID chips at the border or even at other locations. Presently, the only information contained in the chips is a unique identification number, but there is concern that this number alone is enough to track an individual's travel. A paper published last summer examined security concerns raised by the use of RFID tags in passport cards and driver's licenses.
-http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/
-http://www.rsa.com/rsalabs/node.asp?id=3557

World Bank CIO Duties Change Hands in Wake of Attacks (November 26 & 27, 2008)

The World Bank has made some personnel changes following attacks on the organization's computer systems last summer. World Bank Vice President and Chief Information Officer Guy-Pierre De Poerck has been relieved of duties; they are now in the hands of Head of General Services Robert Van Pulley. A World Bank spokesperson did not say if the shift in responsibilities indicated that De Poerck was being blamed for the attacks. The World Bank has also commissioned "a comprehensive external review" of its information systems.
-http://www.ft.com/cms/s/0/f0b4e6ac-bc9e-11dd-9efc-0000779fd18c.html
-http://www.foxnews.com/story/0,2933,458085,00.html

Iran Executes IT Specialist for Spying for Israel (November 22, 25 & 30, 2008)

Last month, Iran executed an Iranian IT specialist after he confessed to working for the Israeli intelligence service, Mossad. Ali Ashtari traveled overseas to purchase equipment, including computers, necessary for Iran's nuclear program. Ashtari allegedly allowed the equipment to be altered so that Mossad could keep tabs on and even interfere with Iranian weapons development. Iran claims to have broken another Mossad spy ring and plans to seek the death penalty for those suspects as well.
-http://www.timesonline.co.uk/tol/news/world/middle_east/article5258057.ece
-http://www.nytimes.com/2008/11/26/world/middleeast/26iran.html?ref=world
-http://latimesblogs.latimes.com/babylonbeyond/2008/11/an-iranian-busi.html

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescastore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/