SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #2

January 09, 2009

Three nice notes:
1. Useful Career Development Briefing ideas: 12 Laws of IT Security
Power
When: Wednesday, January 14, Price: Free
Who: Stephen Northcutt, president of the SANS Technology Institute
What: The widely acclaimed talk on keys to positioning yourself for a
successful year in 2009.
Where: https://www.sans.org/webcasts/show.php?webcastid=92234 .

2. If you are planning to attend the SCADA Security Summit in Orlando,
and found the hotel offering only $500 rooms, we have a $189 rate at
http://www.sans.org/scada09_summit/location.php

3. For press only (everyone else will hear about it on Monday)
One of the biggest security announcements of the year will be made by
MITRE and Microsoft and Symantec and NSA and DHS and SANS and SAFECode
and Aspect and OWASP and 30 other organizations. It will change
software procurement, software testing, and programmer education.
There's a press teleconference Monday at 11 AM EST. We have to give them
the names of each person who will be on the call tonight (Friday) by 5
PM (if you don't get this in time, we'll still try to get you in). Email
apaller@sans.org if you are a full time press person who has written
about cybersecurity, and you want to call in.
Alan

---

TOP OF THE NEWS

Senator Feinstein Introduces Consumer Data Protection Legislation
Congressman Calls for Mandatory Cyber Security Briefings for Legislators
New Encryption Requirements for Gas Pump PIN Pads

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Turkish Court Jails TJX Suspect for 30 Years on Unrelated Charges
Database Admin Sentenced for Breaking into Former Employer's System
SPAM, PHISHING & ONLINE SCAMS
Spammers Spoof HM Revenue & Customs
VULNERABILITIES
Worm Exploits Flaw Addressed in October Out-of-Cycle Microsoft Security Bulletin
UPDATES AND PATCHES
Microsoft's January Security Update to Have Just One Bulletin
DATA LOSS & EXPOSURE
CheckFree to Notify 6 Million Potentially Affected by DNS Attack
ATTACKS
Attackers Use Cloak of Breaking News Stories to Spread Trojan
Teen Admits Twitter Hack
STUDIES AND STATISTICS
Reported Breaches Up Nearly 50 Percent

---

****************** Sponsored By Log Management Summit ********************

Calling all practitioners: Take part in the SANS 5th Annual Log Management Survey: A Leading Source for Actionable Data on Key Issues and Trends. Please take a moment to complete our survey here: https://www.sans.org/info/36998 The results will be released during the SANS WhatWorks Log Management and Analysis Summit held in Washington April 6-7

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Senator Feinstein Introduces Consumer Data Protection Legislation (January 7, 2009)

Senator Dianne Feinstein (D-Calif.) has introduced two pieces of legislation aimed at protecting consumer data. The first bill would require companies to notify consumers promptly of breaches involving their personal data. The companies would also be required to report breaches to the US Secret Service in certain instances, including breaches of databases that belong to the federal government or that involve national security or law enforcement. The second bill would make it illegal for organizations to sell, or display in public, individuals' Social Security numbers (SSNs) or to print them on government checks without their consent. Organizations would also face restrictions on when they can ask for customers' SSNs.
-http://www.nextgov.com/nextgov/ng_20090107_1108.php
-http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&a
mp;ContentRecord_id=ae11aafd-f076-aceb-2cb1-528cb682c4db
[Editor's Note (Schultz): Sen. Feinstein has initiated similar legislation previously, but her efforts were unsuccessful. Given the results of the 2008 national elections, there is now a high probability that this proposed legislation will pass. ]

Congressman Calls for Mandatory Cyber Security Briefings for Legislators (January 5 & 6, 2009)

In a letter to Speaker of the House Nancy Pelosi (D-Calif.) and other congressional leaders, US Representative Frank Wolf (R-Va.) proposes establishing a rule requiring US lawmakers to attend briefings about cyber security as it relates to the computers in their offices and the sensitive data they hold. Last year, Wolf said that computers in his office have been infiltrated by attackers that some believe are located in the People's Republic of China; computers in seven other congressional offices as well as in several committee offices were also compromised. Wolf is concerned that his colleagues are not aware that information on their computers could potentially be accessed by malicious outsiders. In September 2008, the Republican Conference and the Democratic Caucus offered classified briefings for legislators, but few attended. Specifically, Wolf would like the mandatory briefings to address "threats to House information security, threats to information security when members travel abroad, and measures being taken (to) secure House computer networks and electronic devices.
-http://www.nextgov.com/nextgov/ng_20090106_1446.php
-http://techdailydose.nationaljournal.com/Cybersecurity%20Letter%20to%20leadershi
p.pdf
[Editor's Note (Pescatore): The House and Senate have very active information security teams but they face a tough problem - the users (senators/representatives and staffs) are all divas who don't need to listen to centralized IT or security. Not uncommon in business or universities, too but really magnified there. I don't think briefings are the answer - unless the politicians and staff want to give briefings about how they will support changes in their own practices to make things more secure.
-http://enisa.europa.eu/doc/pdf/deliverables/obtaining_support_and_funding_from_s
enior_management.pdf
(Schultz): Mandatory security briefings for US legislators superficially seems like an excellent idea. If lessons learned from mandating that senior managers in corporations and other organization attend security briefings s apply, however, I doubt that requiring attendance at Congressional security briefings will do much good. The higher up in an organization someone is, the more difficult it is to force that person to attend an information security-related meeting, let alone to get that person to pay attention if and when that person actually attends the meeting. ]

New Encryption Requirements for Gas Pump PIN Pads (January 7, 2009)

As of January 1, 2009, Visa is requiring new gas pumps installed in the US that accept debit cards as a form of payment to be equipped with a PIN pad that supports Triple DES encryption to protect customers from fraud due to card skimming. By July 1, 2010, gas station owners must upgrade all their pumps that accept debit card payments to support Triple DES; an estimated 1.4 million pumps will need upgrades. In addition to these upgrades, gas station owners must also ensure that the point-of-sale systems on their pumps comply with a separate payment application security standard that has been adopted by the PCI (payment card industry) council. Upgrades alone can cost between US 1,800 and US $2,000 for each card reader; some owners may face the necessity of installing entirely new pumps to comply with the requirements.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125261&source=rss_topic17
[Editor's Note (Ullrich): It is important to realize that PCI applies to ALL credit card transactions, not just web based purchases. Frequently in-store terminals are overlooked and not secured sufficiently. ]

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Turkish Court Jails TJX Suspect for 30 Years on Unrelated Charges (January 8, 2009)

Maksym Yastremskiy, a Ukranian man associated with the TJX data breach, has been sentenced to 30 years in prison on unrelated charges by a court in Turkey. Yastremskiy was found guilty of breaking into computer systems at a dozen Turkish banks and using the access to commit fraud. He was also fined US $23,200. Last August, he was charged in the US with trafficking in stolen credit card information from several breaches, including the TJX breach. The US has filed extradition papers, but extradition is not automatic.
-http://www.theregister.co.uk/2009/01/08/hacker_30yr_jail_stretch_turkey/

Database Admin Sentenced for Breaking into Former Employer's System (January 7, 2009)

A man who worked as a database administrator for an unnamed British company has been sentenced to three months in jail, suspended for two years, and fined GBP 3,200 (US $4,858) for breaking into his former employer's computer system to install spyware and delete messages. Julius Oladiran worked for the company for just three weeks before being asked to leave after it became apparent to management that his resume contained false information. Oladiran admitted he made a false statement and gained unauthorized access to computer information.
-http://www.theregister.co.uk/2009/01/07/it_admin_sentenced/
-http://www.thisiscroydontoday.co.uk/latestnews/Sacked-Croydon-hacker-spied-colle
agues-e-mails/article-594293-detail/article.html
[Editor's Note (Honan): This story has a number of key points that we should take on board. The link to the second article on this story reveals this individual's actions caused his company to go out of business and that he previously served 6 months in jail for writing fraudulent cheques. So not only does this story demonstrate the impact inadequate security can have on a company it also highlights that in the current economic climate and the resulting increase in people looking for work, more people will be tempted to lie on their CVs so they can land a job. Therefore it is even more important to ensure potential employees', especially those with access to sensitive systems/roles, qualifications, job references and background are thoroughly checked.]

SPAM, PHISHING & ONLINE SCAMS

Spammers Spoof HM Revenue & Customs (January 6 & 8, 2009)

UK's HM Revenue & Customs (HMRC) is warning UK taxpayers of a phishing scheme targeting people who are scrambling to meet an end-of-the month tax deadline. The fraudulent messages, which are spoofed so they appear to come from HMRC, tell recipients that they are due a tax refund and request bank or credit card account information so the refund can be paid. Several sites associated with the scheme have already been taken down. Some scammers are phoning taxpayers with similar claims. HMRC will contact taxpayers by letter only.
-http://www.theregister.co.uk/2009/01/08/hmrc_tax_refund_scam/
-http://www.vnunet.com/vnunet/news/2233380/uk-tax-office-hit-phishers

VULNERABILITIES

Worm Exploits Flaw Addressed in October Out-of-Cycle Microsoft Security Bulletin (January 7, 2008)

Some businesses that have not yet applied the out-of-cycle Microsoft's patch (MS08-067) issued in October have found their systems infected with a worm that uses a dictionary attack to crack user passwords; user accounts are locked out of Active Directory while the worm is trying to find their passwords. A removal tool is available, and users are urged to apply the patch as soon as possible.
-http://news.zdnet.co.uk/security/0,1000000189,39588634,00.htm
-http://www.heise-online.co.uk/security/Microsoft-Customers-play-Russian-roulette
-with-their-systems--/news/112370

UPDATES AND PATCHES

Microsoft's January Security Update to Have Just One Bulletin (January 8, 2008)

According to Microsoft Security Bulletin Advance Notification, the company plans to issue just one security bulletin on Tuesday, January 13. The critical update affects all currently supported versions of Windows. The threat is more severe for older versions of the operating system; the rating of the vulnerability in the bulletin for Windows Vista and Windows Server 2008 is moderate, two steps down from the critical rating for Windows 2000, Windows XP and Windows Server 2003.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125418&source=rss_topic17
-http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx

DATA LOSS & EXPOSURE

CheckFree to Notify 6 Million Potentially Affected by DNS Attack (January 6, 2008)

CheckFree has begun notifying more than 5 million people that they may have been redirected to a site hosting malware if they used CheckFree's services between 12:35 am and 10:10 am on December 2, 2008. CheckFree is an electronic bill paying service that is used by some banks. In some cases, people would not know they were using CheckFree; it would seem to them as though they were using a service provided by their own banks. People who used the service during that period were redirected to a server in the Ukraine that attempted to install password-stealing malware on their computers. The attackers managed to log into Network Solutions, CheckFree's Internet domain registrar, and change the DNS settings to conduct the redirect attack.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9125078

ATTACKS

Attackers Use Cloak of Breaking News Stories to Spread Trojan (January 8, 2009)

Attackers have been sending messages that purport to be CNN news updates about the situation in Gaza, but that could lead to recipients' computers becoming infected with malware. The messages direct recipients to what appears to be a CNN website where they are told they need to update to Adobe Acrobat 10. What actually gets downloaded is an "SSL stealer" Trojan horse program that listens for traffic to and from financial services' systems.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125422&source=rss_topic17

Teen Admits Twitter Hack (January 6, 2009)

A teenage hacker has admitted in an IM interview with Wired that last weekend he gained access to the Twitter admin system with the use of a brute force password attack; the Twitter system did not lock out further attempts to access the account after a number of failed tries. He then offered access to Twitter accounts on an underground forum; as a result, several high-profile accounts were used to send bogus messages. The attacker did not use a proxy to conduct his brute-force dictionary attack. In a separate but related story, the incident has prompted Twitter to conduct a "full security review" of its network. The admin hack came just days after a phishing attack on Twitter users that attempted to get them to divulge their login credentials.
-http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9125239&intsrc=hm_list
[Editor's Note (Pescatore): Now, to me, Twitter having passwords is like requiring passwords for graffiti scribbling on highway signs. But if you are going to have passwords, there are a few no-brainers (like retry lockout, minimum length, etc) that you should include or don't bother.]

STUDIES AND STATISTICS

Reported Breaches Up Nearly 50 Percent (January 6, 2009)

According to statistics gathered by the Identity Theft Resource Center, there were 656 data breaches reported by businesses, schools and governments in 2008, up from 446 in 2007, an increase of nearly 50 percent. Breaches at businesses accounted for 37 percent of the total, while breaches at schools accounted for 20 percent. The percentage of breaches involving current and former employees more than doubled to 16 percent in 2008. The top cause of breaches was human error, which includes lost or stolen laptops and data storage devices, and inadvertent exposure of data.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/01/05/AR2009010503046_
pf.html
-http://www.techweb.com/article/showArticle?articleID=212700890

---

*************************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescactore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/