SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #37

May 12, 2009

TOP OF THE NEWS

EU Commissioners Call For Expanding Consumer Protection Laws to Software
FBI to Station Cyber Crime Agent in Estonia

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
Court Approves Ameritrade Class Action Suit Settlement
Court Upholds Felony Hacking Conviction
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
US Military Intent on Increasing Interest in Cyber Warfare Career Paths
VULNERABILITIES
Vulnerability in Windows 7 Release Candidate
UPDATES AND PATCHES
Microsoft to Test Windows 7 Update Process on May 12
DATA THEFT, LOSS & EXPOSURE
Skimmers Used in ATM Thefts
UC-Berkeley Data Breach Affects 160,000 Individuals
Johns Hopkins Hospital Notified 10,000 Patients of Possible Data Breach
SPAM, PHISHING & ONLINE SCAMS
Scammers Target Economic Stimulus Payment Recipients

---

************************** Sponsored By CA *****************************

Web-Based Security for Business Enablement

While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more...
http://www.sans.org/info/43473

*************************************************************************

TRAINING UPDATE

- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensiscs Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

EU Commissioners Call For Expanding Consumer Protection Laws to Software (May 9, 2009)

European Union Commissioners Viviane Reding and Meglena Kuneva have proposed that the EU Sales and Guarantee Directive, which applies to physical products, be extended "to cover licensing agreements of products like software" as well. The directive requires that products carry a two-year guarantee. Kuneva said that the change would give customers a broader choice and software companies would be held to a higher standard of accountability. Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance disagreed, saying that it would in fact limit consumers' choices. He said that "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance," and that it could lead to decreased interoperability between products if manufacturers decide to limit how much of their code could be accessible to third-party developers.
-http://news.cnet.com/8301-1001_3-10237212-92.html
[Editor's Note (Honan): In 2007 the UK government rejected calls to bring similar laws into place
-http://www.cio.co.uk/news/2183/lords-fume-as-government-rejects-e-crime-threat/I
t
is interesting to see that the EU is considering various new laws in relation to computer security and which all member states will eventually have to implement regardless of their own views.
(Pescatore): Knee jerk reaction is "finally!" but since software engineering is still really an oxymoron, the major initial effect of this type of thing would simply be even longer/even smaller type End User Licensing Agreements, with every CD-ROM having large stickers saying "Do not use your computer in the shower". However, some movement towards software manufacturers having to bear the cost of safety defects in their products is needed and inevitable. ]

FBI to Station Cyber Crime Agent in Estonia (May 11, 2009)

The Federal Bureau of Investigation plans to station a cyber crime expert in Estonia. This marks the first time the FBI has placed an agent outside of the US whose sole focus is cyber crime. Estonia suffered attacks on government and business computer systems two years ago; the country is known to have a strong commitment to fighting cyber crime. The FBI may also work with the NATO cyber defense center in Estonia.
-http://www.msnbc.msn.com/id/30683801/

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Court Approves Ameritrade Class Action Suit Settlement (May 11, 2009)

Formal notice of a class action lawsuit settlement agreement involving Ameritrade customers whose data were exposed in a security breach will be published later this week. The settlement affects more than six million current and former customers of the online brokerage who used the company's services through mid-September 2007. Ameritrade has agreed to pay US $1.9 million in legal fees and one year of anti-spam protection for those affected by the breach.
-http://www.google.com/hostednews/ap/article/ALeqM5hzyBpjAg_K7d3DpBGZhmRwQiZMVwD9
847NCO0

Court Upholds Felony Hacking Conviction (May 7, 2009)

An Ohio man's felony hacking conviction was upheld in appellate court late last month. Richard Wolf had been found guilty of unauthorized access for using his work computer to upload nude pictures of himself to an adult web site. Mark Rasch, a former federal computer crime prosecutor, said the felony conviction is a misuse of the law, which was designed to prevent people who already have access to a specific computer system from accessing data outside the scope of their authority. Rasch said in this case the law is being interpreted too broadly. Wolf's attorney, David Carto, noted that his client's employer had not published an internal Internet usage policy.
-http://www.wired.com/threatlevel/2009/05/court-upholds-hacking-conviction-of-man
-for-uploading-porn-pics-from-work-computer/
-http://darkreading.com/blog/archives/2009/05/porn_led_to_con.html
-http://www.wired.com/images_blogs/threatlevel/2009/05/ohio-v-richard-wolf.pdf
[Editor's Note (Honan): This is a prime example of why Acceptable Usage Policies are so important. Time taken to develop well written policies which clearly state the roles, responsibilities and penalties for both the employer and the employee can save on time spent in court.
(Ranum): We have a rich tradition in the US of abusing laws by interpreting them extremely broadly. I suspect most NewsBites readers would expect that "hacking" applies to bypassing a system's security, when security exists, rather than violating an acceptable use policy whether it was published or not. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

US Military Intent on Increasing Interest in Cyber Warfare Career Paths (May 11, 2009)

The US military has demonstrated a growing awareness of the need to develop effective defense against cyber attacks. Currently, Defense Department cyber war school graduate 80 students a year; budget increases proposed by the Pentagon would quadruple that number over the next two years. US military training academies have participated in war games for the last nine years, competing to see which team does the best job of establishing and maintaining an operable network while under attacks from a National Security Agency (NSA) team. Many of those participating are hoping for assignments at the Army's Network Warfare battalion.
-http://www.nytimes.com/2009/05/11/technology/11cybergames.html?_r=1&partner=
rss&emc=rss
-http://it.slashdot.org/article.pl?sid=09/05/11/1951204

VULNERABILITIES

Vulnerability in Windows 7 Release Candidate (May 11, 2009)

A flaw has been found in the most recent Windows 7 Release Candidate; Microsoft has issued a hotfix for the vulnerability. The flaw affects the 32-bit (x86) English-language version of Windows 7 build 7100. The problem is that "the folder that is created as the root folder of the system drive is missing entries in its security descriptor." This could cause "applications that reference folders under the root" to fail to install or uninstall successfully and "applications that reference these folders may fail."
-http://www.securecomputing.net.au/News/144622,first-windows-7-bug-discovered.asp
x
-http://support.microsoft.com/kb/970789

UPDATES AND PATCHES

Microsoft to Test Windows 7 Update Process on May 12 (May 11, 2009)

Microsoft plans to test the update process for Windows 7 on Tuesday, May 12 by sending out phony patches to PCs running the newest release candidate. As many as 10 updates will be issued; none will contain fixes or new features. Microsoft ran a similar test for Windows 7 update capabilities in February. Users who do not wish to receive the test updates can change the appropriate settings in their Windows Update control panel.
-http://www.vnunet.com/vnunet/news/2242011/microsoft-planning-blank
-http://www.eweek.com/c/a/Windows/Microsoft-Windows-7-to-Update-with-Fake-Patches
-332777/

DATA THEFT, LOSS & EXPOSURE

Skimmers Used in ATM Thefts

Thieves in Staten Island, NY installed devices on ATMs at several branches of Sovereign Bank that allowed them to harvest account access data information. The data were used to steal a total of more than US $500,000 from the accounts of 250 victims. The group used skimmers to gather data from ATM cards and cameras to discover customer's PINs. They used the information to manufacture phony ATM cards. Bank surveillance cameras have captured images of suspects in the case.
-http://www.nydailynews.com/news/ny_crime/2009/05/11/2009-05-11_automated_theft_b
andits_steal_500g_by_rigging_atms_with_pinreading_gizmos.html

UC-Berkeley Data Breach Affects 160,000 Individuals (May 8 & 11, 2009)

A breach of databases at the University of California, Berkeley's health services center compromised personally identifiable information, including Social Security numbers (SSNs), and health insurance data, of more than 160,000 students, alumni and some spouses or parents of students and alumni. Although the attack occurred in October 2008, the breach was detected just last month during performance maintenance. The attackers appear to have exploited an SQL injection flaw in a web application to gain access to several databases on a server. The breach also affected about 3,400 students at Mills College who could receive health care at UC-Berkeley. The attackers appear to have had access to the server for six months.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132737
-http://news.cnet.com/8301-1009_3-10236793-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.msnbc.msn.com/id/30645920/
-http://www.techweb.com/article/showArticle?articleID=217400055§ion=News
-http://www.theregister.co.uk/2009/05/11/calif_uni_hack_alert/
-http://www.mercurynews.com/ci_12326692?IADID=Search-www.mercurynews.com-www.merc
urynews.com
[Editor's Note (Schultz): It is no wonder that once again a major break-in at UC-Berkeley was not discovered until many months after it had occurred. Both UC-Berkeley and Berkeley Lab rely on a very crude and antiquated home-built intrusion detection system. ]

Johns Hopkins Hospital Notified 10,000 Patients of Possible Data Breach (May 11, 2009)

Johns Hopkins Hospital in Baltimore, MD, is notifying more than 10,000 current and former patients that their personal information may have been compromised. Some of the data are believed to have been used to commit fraud; the hospital said in the notification letter that it has fired an employee suspected of committing the fraud. The compromised data include names, SSNs, dates of birth, and medical insurance information, but no information about the patients' medical treatment was exposed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9132860

SPAM, PHISHING & ONLINE SCAMS

Scammers Target Economic Stimulus Payment Recipients (May 11, 2009)

According to a report in The Wall Street Journal, scammers are targeting people who are expecting to receive economic stimulus payments from the US Social Security Administration (SSA) this month. Targets of the scam are receiving email messages that send them to a phony SSA website where they are asked to supply their SSNs, bank account numbers and other information to receive their payments. SSA spokesperson Mark Hinkle says recipients do not need to take any action to receive their payments; they will be mailed or deposited into bank accounts automatically.
-http://www.scmagazineus.com/Social-Security-Administration-spoofed-in-phishing-s
cam/article/136549/
-http://online.wsj.com/article/SB124191414666904049.html?mod=googlenews_wsj

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/