SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #26

April 03, 2009

Two interesting gatherings:
1. Where can you find...
"Outstanding, practical information concerning the entire realm of penetration testing - from technical how-to's, to vendor perspectives, to social engineering and lessons learned. There is no other forum I've found to get all this in one place!" (Keith Fowler, E.ON US) SANS Pen Testing and Web Application Attack Summit, June 1-2. http://www.sans.org/pentesting09_summit/

2. The financial sector is assisting the federal sector (at a workshop in Washington on April 29) in sharing lessons learned and defining requirements for software security tools (white box, black box and app firewalls) and services. If you are involved in software security, you'll want to be there both to learn what the big organizations have learned and to have your voice heard in shaping requirements for future acquisition of these tools. Attendees will also hear from the leader of the DoD project that is evaluating and comparing nearly all the application security testing tools. Oh, and Jeremiah Grossman - the best web app security guy we have seen will help attendees see what is coming next.
http://www.sans.org/appsec09_summit/
Alan

---

TOP OF THE NEWS

New Senate Bill Proposes Mandatory Security Standards and Certifications
EU Calls For Development of Strategy to Protect European Cyber Space
Congress Investigates Effectiveness of PCI DSS

THE REST OF THE WEEK'S NEWS

DATA PROTECTION & PRIVACY
Snooping Workers Fired by Kaiser Permanente
EU Warns Internet Companies to Better Protect Customers' Privacy
MALWARE
Conficker Fails to Live Up to Hype
SPAM
Reports Show Spam Returns to Pre-McColo Levels
CHARGES & CONVICTIONS
Convicted Trojan Writer Facing New Hacking Charges
ATTACKS & ACTIVE EXPLOITS
Major Web Services Victims of DDOS Attack
STUDIES AND STATISTICS
Cyber Crime Complaints Jump 33% in 2008
DATA LOSS & EXPOSURE
Stolen Laptop Contains Details on Thousands of Students
COOL TRAINING EVENTS
Penetration Testing Summit
Application Security Summit

---

*********** Sponsored By RSA, The Security Division of EMC ***********

"Security Operations 2.0: What does this mean for you?" Forrester and RSA On-Demand Webcast:

Webcast reviews the following topics:
* Why are more and more companies putting a greater emphasis on building a security operations center or function?

* What should your top priorities be to build the most effective security operations?

* How can the latest release of RSA enVision(R) platform help you use security to meet your ongoing business objective?

To listen to the replay: http://www.sans.org/info/42094

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFire in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

New Senate Bill Proposes Mandatory Security Standards and Certifications (1st April 2009)

A new bill, sponsored by Senators John D. Rockefeller IV and Olympia J Snowe, would see the introduction of a new cyber security czar, the National Cybersecurity Advisor, who would report directly to the White House. Included in the bill is the granting of authority to the National Cybersecurity Advisor to isolate computer networks that are part of the critical network infrastructure, including those in the private sector, should there be a cyber attack. The bill would also see the introduction of mandatory security standards, developed by the National Institute of Standards and Technology, applied to both private and public sector organizations that control parts of the critical network infrastructure. Included in the bill is the proposal that a licensing and certification program be introduced for cyber security professionals.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.
html
-http://fcw.com/Articles/2009/04/01/Web-cybersecurity-bill.aspx
-http://www.vnunet.com/vnunet/news/2239646/plans-national-cybersecurity
-http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/
[Editor's Note (Schultz): Like it or not, mandatory security standards are inevitable in the US at some point in time. Without them, the US will continue to have too many weak links in its critical computing infrastructure.
(Northcutt): This is a fairly ambitious bill. We need to be aware of it and decide what parts we want to support, which parts might need more discussion. This seems to be a first step at professionalization for security workers as well.]

EU Calls For Development of Strategy to Protect European Cyber Space (31st March 2009)

The European Commission has called for the development of a strategy to protect Europe from disruption to critical networks resulting from cyber attacks or natural disasters. The EC highlights that the region is becoming more and more dependent on the continuous availability of IT and communications systems for supporting electronic commerce and for playing a crucial role in the management of other critical services such as transportation and the supply of food, energy and water. The strategy highlights the cyber attacks against Estonia and calls for a minimum standard of preparedness that organizations in the public and private sector in all member states should reach in order to ensure the overall security of the region.
-http://www.theregister.co.uk/2009/03/31/eu_cyberattack_strategy/
-http://www.vnunet.com/vnunet/news/2239455/eu-pledges-protect-cyber

Congress Investigates Effectiveness of PCI DSS (31st April 2009)

Following recent breaches which resulted in compromised credit card details, such as the Heartland Payments System breach, the US House of Representative's Committee on Homeland Security questioned the effectiveness of the Payment Card Industry Data Security Standards (PCI DSS). Robert Russo, director of the PCI DSS Council said "I have no doubt that compliance to PCI standards are the best line of defense. We have never found a breached entity to be in full compliance at the time of breach." Representatives from the retailers expressed concerns that PCI DSS was developed by the credit card industry to shift the responsibility for security breaches involving credit card data to retailers rather than actually preventing breaches and cited the high cost of implementing and complying with the standard. Commenting on the debate Rep. Ben Ray Lujan, D-N.M., compared the PCI DSS Council to the fire service declaring a home's fire safety systems inadequate after a fire and stated "It seems to me that the system we have today, we can all agree, from different sides, it's not working."
-http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&subj=news&ta
g=2547-1_3-0-20
-http://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-vi
sa.html

---

THE REST OF THE WEEK'S NEWS

DATA PROTECTION & PRIVACY

Snooping Workers Fired by Kaiser Permanente (31st March 2009)

A Kaiser Permanente hospital in Los Angeles has sacked fifteen employees and reprimanded eight others for unauthorized access to the medical records of Nadya Suleman, the Californian woman who gave birth to octuplets in January of this year. The hospital discovered the breaches after increasing its network monitoring procedures in response to the growing public interest following the birth of the octuplets.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9130827
[Editor's Note (Northcutt): A continuing problem, 20 workers fired for accessing pro football player Richard Collier after he was admitted for gunshot wounds OCT 2008:
-http://www.news4jax.com/news/17859733/detail.html
DEC 2008 Lawanda Jackson sold medical records of Britney Spears and Farrah Fawcett to the National Inquirer:
-http://www.chinadaily.com.cn/world/2008-12/02/content_7260960.htm
OCT 2007, some 40 staffers accessed George Clooney's records and some of that was leaked to the media:
-http://www.efluxmedia.com/news_Leaking_George_Clooneys_Medical_Records_Leads_to_
Suspension_09488.html
I point all of this out to illustrate that random employees have just too much access, and now the government wants to digitize everyone's medical records. They'd best fix the system first. ]

EU Warns Internet Companies to Better Protect Customers' Privacy (31st March 2009)

The European Union's Consumer Affairs Commissioner, Meglena Kuneva, has warned Internet companies that they need to make better efforts to protect the privacy of their customers or face the introduction of more regulation. The EU is concerned that consumers feel pressured into surrendering their personal details in order to access certain online services, and that data are then being abused by the Internet companies for marketing purposes. Ms Kuneva warned that if the EU does not "see an adequate response" from online companies, then the regulator will not "shy away" from its duty to protect consumers.
-http://news.bbc.co.uk/2/hi/europe/7973634.stm

MALWARE

Conficker Fails to Live Up to Hype (1st April 2009)

Despite various media outlets forecasting untold chaos on April 1st as a result of the Conficker C worm, the day passed with little or no incident. Researchers had predicted that the worm would seek a download on April 1st but were unable to predict what that download would do. Monitoring of infected machines shows that they appear to have contacted an update server, but have done little else. Researchers warn that even though nothing of great note happened on April 1st, the botnet is still active and criminals could use it at some future date.
-http://www.vnunet.com/vnunet/news/2239647/expected-conficker-stays-quiet
-http://gcn.com/articles/2009/03/31/conficker-update.aspx
-http://news.bbc.co.uk/2/hi/technology/7976099.stm
[Editor's Comment (Northcutt): I think the most insightful Conficker April Fools comment was on Twitter: @gattaca: CDC confirms conficker has made the cross species jump to humans. Rate of infection is rising exponentially. In a more down to earth post, Snopes posted a quote of Roger Thompson, "We expect that they have achieved their aim of building a fairly bullet-proof botnet, and will now simply farm it, which means they'll probably harvest credit card numbers, bank accounts and identities from as many victims as possible, and then do it all again," he said."
-http://www.snopes.com/computer/virus/conficker.asp
While it was a dud in the US, expect to see a bit more overseas where illegal OSes could not get the patch. Still, the following Marvin the Martian saying sums it up best:
-http://www.gargaro.com/MaRvInWaVs/boom.wav]

SPAM

Reports Show Spam Returns to Pre-McColo Levels (1st April 2009)

A recent report from Google claims that the volume of spam has returned to the same levels they were in November 2008 before the shutdown of the notorious US based hosting provider McColo. Following complaints in November that McColo was hosting servers for some of the world's biggest spam operators, upstream providers severed their connections to the hosting company. As a result spam levels dropped dramatically. However, since then the levels of spam have increased slowly, with Google noting the increasing amount of spam with malware attached.
-http://www.theregister.co.uk/2009/04/01/spam_trends/
-http://www.siliconrepublic.com/news/article/12628/cio/spammers-make-complete-rec
overy-from-mccolo-takedown
-http://voices.washingtonpost.com/securityfix/2009/04/google_spam_levels_back_to_
pre.html?wprss=securityfix

CHARGES & CONVICTIONS

Convicted Trojan Writer Facing New Hacking Charges (31st March 2009)

A 25 year old man, Van T Dinh, who was convicted in 2004 for 13 months for creating a Trojan to steal login credentials to a stock trading system, is now facing two charges of hacking into an online currency exchange service and allegedly attempting to transfer US $110,000 into an account that was under his control. Dinh is also accused of allegedly trying to transfer an additional US $140,000 into another account. The alleged hacking incidents took place in December 2008. The FBI traced the transaction attempts to a house Dinh shares with his mother in Pennsylvania
-http://www.theregister.co.uk/2009/03/31/trading_hack_charges/

ATTACKS & ACTIVE EXPLOITS

Major Web Services Victims of DDOS Attack (2nd April 2009)

A number of major web services companies had their services disrupted as a result of a DDOS attack targeting a DNS service provider and a domain registrar. The DNS provider NeuStar was the victim of a DDOS attack on the morning of Tuesday the 31st of March which resulted in a disruption of service to companies such as Salesforce.com, IMDB.com and Amazon's store and its S3 cloud computing service. On Wednesday evening Register.com, a domain registrar and web hosting company, fell victim to a DDOS attack against its DNS servers resulting in its customers' domains not resolving.
-http://www.networkworld.com/news/2009/033109-ultradns-service-attacked.html
-http://www.theregister.co.uk/2009/04/01/ultradns_ddos/
-http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/

STUDIES AND STATISTICS

Cyber Crime Complaints Jump 33% in 2008 (2nd April 2009)

Consumer complaints to the Internet Crime Complaint Centre (IC3), a joint venture between the FBI and the National White Collar Crime Center, rose by more than 33% in 2008 over the previous year. The biggest cause for complaint was the non-delivery of goods and/or payments. The average dollar loss per complaint was US $931 while the average loss from 419 Advance fee scams was US $1,650. The IC3 received more than 275,284 complaints in 2008 with only 72,940 of those complaints passed onto US law enforcement agencies for prosecution.
-http://voices.washingtonpost.com/securityfix/2009/04/fbi_internet_fraud_rates_ro
se.html?wprss=securityfix
-http://news.bbc.co.uk/2/hi/americas/7973886.stm

DATA LOSS & EXPOSURE

Stolen Laptop Contains Details on Thousands of Students (2nd April 2009)

In the United Kingdom, a computer containing personal data on 33,000 pupils has been stolen from the offices of Wigan Council's Children and Young People's Services. Burglars broke into the offices and stole a number of laptops, one of which contained a database with the details of the 33,000 students on it. The data, which were password protected but not encrypted, includes details such as pupils' names, dates of birth and ethnicity. Police are investigating the burglary which has also been reported to the UK Information Commissioner's Office.
-http://www.leighjournal.co.uk/news/4255670.Stolen_laptop_contains_pupils__data/

COOL TRAINING EVENTS

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program: HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?
The Summit is June 1 and 2 in Las Vegas. Registration information is here:
-http://www.sans.org/pentesting09_summit/

Application Security Summit - April 9 - Washington DC.

Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government.
-http://www.sans.org/appsec09_summit/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/