SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #41

May 26, 2009

TOP OF THE NEWS

International Telecom Union Publishes Cybercrime Legislation Toolkit
French Anti Piracy Law Draws Criticism
Committee Calls for National Cyber Security Coordination Center

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS AND SENTENCES
Bank Employee Draws 39-Month Sentence in Theft Scheme
Guilty Plea on Online Brokerage Account Fraud
LEGAL ISSUES
Judge Quashes Search Warrant in Boston University Case
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Defense Department Looks at Expanding Cyber Threat Data Sharing Model
Missing Hard Drives Also Contain Sensitive Personal Information of RAF Personnel
DATA LOSS & EXPOSURE
NHS Had 140 Data Security Breaches in First Four Months of 2009
ATTACKS & ACTIVE EXPLOITS
Gumblar Responsible for Spike in Drive-By Download Attacks
DDoS Attack Causes Internet Outage in China
MISCELLANEOUS
RBS WorldPay Is Now PCI DSS Compliant

---

*************************** Sponsored By Websense ***********************

How Do Content Security Solutions Stack Up?

Forrester evaluated content security suite vendors, using a 41-criteria evaluation. See which, one, solution they found to be the lone leader.

http://www.sans.org/info/43933

*************************************************************************

TRAINING UPDATE

- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Pen Testing and Web Application Attack Summit - June 1-2 http://www.sans.org/pentesting09_summit
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

International Telecom Union Publishes Cybercrime Legislation Toolkit (May 24, 2009)

The International Telecommunications Union (ITU) has published a toolkit for cyber crime legislation to provide guidance to countries when developing cyber crime legislation. The group drafting the document drew from existing legislation in several countries, including Australia, Canada, and China. The toolkit "addresses the first of the seven strategic goals of the ITU Global Cybersecurity Agenda," which calls for "elaboration of strategies for the development of a model cyber crime legislation that is globally applicable and interoperable with existing national and regional legislative measures." The document offers sample legislative language, a matrix of cyber crime laws in a variety of countries around the world, and a list of reference materials.
-http://www.h-online.com/security/ITU-calls-for-global-cybersecurity-measures--/n
ews/113360
-http://www.itu.int/ITU-D/cyb/cybersecurity/projects/cyberlaw.html
-http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit-cybercrime-legislati
on.pdf
[Editor's Note (Honan): For those readers that work in organizations with facilities located globally, the "Matrix of Cybercrime Laws" on page 36 of this report is a very useful resource. ]

French Anti Piracy Law Draws Criticism (May 22, 2009)

France's controversial anti-piracy legislation could see a thousand users lose Internet service every day. The three strikes law establishes a sequence of increasingly harsh attempts to curtail illegal file-sharing. If violators ignore emails and certified letters warning them to stop illegal downloading, they could face losing their Internet connections for a minimum of two months and a maximum of one year. They would be required to maintain subscription payments under the terms of their service contracts. Opponents of the law say it is all but impossible to enforce because it does not give users the right to contest the charges before they lose their Internet connections; the UK Internet Service Providers' Association said last week that "Significant technological advances would be required if these measures are to reach a standard where they would be admissible as evidence in court." The law has also faced opposition in the European Parliament.
-http://www.google.com/hostednews/ap/article/ALeqM5iCQriTF8y-wLaS7VRAG0zzjO6N7gD9
8AMMA80

Committee Calls for National Cyber Security Coordination Center (May 22, 2009)

The National Security Telecommunications Advisory Committee has approved a proposal calling for a national cyber security coordination center. Both the public and the private sectors would be represented at the center, which would provide 24-hour monitoring to allow for real-time warnings about cyber attack that threaten government and critical infrastructure networks.
-http://www.nextgov.com/nextgov/ng_20090522_5667.php
-http://www.ncs.gov/nstac/nstac.html

---

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS AND SENTENCES

Bank Employee Draws 39-Month Sentence in Theft Scheme (May 25, 2009)

A former bank employee has been sentenced to more than three years in jail for attempting to steal GBP 1.2 million (US $1.9 million) from his employers. Ansir Khan exploited his position at the Carter Allen Private Bank in Sheffield, UK, to steal customer account information and shared it with his accomplices. In just over one year, between April 2005 and May 2006, the gang stole more than GBP 700,000 (US $1.1 million). A police raid on Khan's home turned up the stolen information written in code; a detective constable was able to crack the code. Eleven other people were also sentenced for their roles in the scheme.
-http://www.thestar.co.uk/news/Bank-worker39s-theft-plan-foiled.5298549.jp
[Editor's Note (Northcutt): From what I hear on the street, this will not be the last we hear of bank employees stealing/selling customer account information. Contrary to what we read in the press, many bank employees did not get the bonuses they had in the past and apparently on which they were counting. ]

Guilty Plea on Online Brokerage Account Fraud (May 21 & 22, 2009)

Michael Largent of California has pleaded guilty to wire fraud and computer fraud charges for a scheme in which he opened thousands of phony online brokerage accounts and amassed thousands of dollars from the micro-deposits the companies made to test the authenticity of the accounts. Largent conducted his scam between November 2007 and May 2008.
-http://www.pcworld.com/article/165371/guilty_plea_for_man_behind_creative_etrade
_scam.html

LEGAL ISSUES

Judge Quashes Search Warrant in Boston University Case (May 25, 2009)

A judge in Boston has ordered that computer equipment and other items be returned to a Boston University student because investigators failed to demonstrate probable cause that Riccardo Calixte had committed a crime. The order comes in response to Calixte's "request that the warrant be 'quashed,' that the property be returned, and that any evidence flowing from the search and seizure be repressed." The judge granted the order to quash the warrant and ordered that Calixte's belongings be returned to him, but denied the request to suppress evidence.
-http://www.securityfocus.com/brief/967
-http://www.eff.org/deeplinks/2009/05/mass-sjc-tosses-calixte-warrant
-http://www.eff.org/files/filenode/inresearchBC/SJCcalixteorder.pdf
[Editor's Note (Northcutt): Thank you, Judge Botsford! We have no way of knowing Calixte is innocent, but that was a trumped up warrant. And of course everyone's favorite part of the story is the black screen with white font (linux) that used command line commands. Clearly all command line users are haxors!]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Defense Department Looks at Expanding Cyber Threat Data Sharing Model (May 25, 2009)

For the last two years, the US Defense Department Cyber Crime Center has acted at the hub for cyber threat information sharing between DoD and more than two dozen major US defense contractors. The DoD is now looking at establishing similar arrangements with other industries that make up the country's critical infrastructure. The pilot program with the defense contractors has highlighted the problems that lurk behind the goal of improved response to industry cyber threats: intelligence and law enforcement agencies are disinclined to share classified data, and the private companies are disinclined to share information about intrusions because of both customer privacy concerns and potential damage to their reputations.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/05/24/AR2009052402140_
pf.html

Missing Hard Drives Also Contain Sensitive Personal Information of RAF Personnel (May 24, 2009)

A memo obtained through the Britain's Freedom of Information legislation reveals that three hard drives reported missing from an RAF facility in September 2008 contained more than banking information, as was initially reported. The drives, which were not encrypted, also contain sensitive personal information about approximately 500 staff regarding criminal convictions, extramarital affairs, and drug use. There is concern that the information could be used to blackmail those involved.
-http://www.guardian.co.uk/uk/2009/may/24/raf-military-files-stolen-blackmail

DATA LOSS & EXPOSURE

NHS Had 140 Data Security Breaches in First Four Months of 2009 (May 25, 2009)

The UK Department of Health said that 140 data security breaches were reported by NHS in the first four months of this year alone. The breaches included lost and stolen laptop computers, lost memory sticks, and passwords taped to encrypted disks. Fourteen NHS bodies have faced Information Commissioner action because of the data breaches.
-http://www.google.com/hostednews/ukpress/article/ALeqM5hUfcxXOGVQByCicf-mUGxYXWe
c5w
-http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-rec
ords-1690398.html

ATTACKS & ACTIVE EXPLOITS

Gumblar Responsible for Spike in Drive-By Download Attacks (May 22 & 25, 2009)

The US Computer Emergency Readiness Team (US-CERT) has issued a warning about a significant spike in drive-by download attacks. The malware involved is known by several names: Gumblar, Martuz and JSRepair. First, attackers install a piece of malware on websites with the use of stolen FTP credentials. When users visit those booby-trapped sites, a second piece of malware redirects them to another site that will infect their computers. Once the malware is on users' computers, it seeks out and steals FTP credentials, installs phony security programs, and redirects certain Google searches to sites that could also prove harmful. There are also reports that the attack disables security software installed on infected machines. The reason the malware is so pervasive is that it uses dynamically generated JavaScript, so it is not the same from one site to another.
-http://www.securityfocus.com/brief/966
-http://www.securecomputing.net.au/News/145685,experts-offer-tips-to-deal-with-gu
mblar-malware.aspx
-http://www.siliconrepublic.com/news/article/13025/cio/new-worm-to-rival-conficke
r
-http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
[Editor's Note (Northcutt): If you are somewhat handy, you might want to consider adding a defensive host table to your desktop system. Then, at least, if your browser is redirected to a known bad web site it is rendered as 127.0.0.1. Not perfect, but better than nothing. I get mine from the site below, if you know a better site, drop me a note:
-http://someonewhocares.org/hosts/]

DDoS Attack Causes Internet Outage in China (May 21 & 22, 2009)

A distributed denial-of-service (DDoS) attack on a Chinese domain registrar caused connectivity problems in several of the country's provinces last week. The attack on the DNS servers at DNSPod prompted network operators to block access to the registrar's Internet protocol (IP) address, which in turn caused a domain name system failure of Baofeng.com, a popular Chinese music player provider. Service was back to normal several hours after the attack began.
-http://www.pcworld.com/businesscenter/article/165319/dns_attack_downs_internet_i
n_parts_of_china.html
-http://www.shanghaidaily.com/sp/article/2009/200905/20090521/article_401635.htm
-http://www.chinatechnews.com/2009/05/22/9824-dnspod-reports-hacking-to-chinese-p
ublic-security-organ/

MISCELLANEOUS

RBS WorldPay Is Now PCI DSS Compliant (May 21, 2009)

RBS WorldPay is now certified under Payment Card Industry Data Security Standard version 1.2. RBS WorldPay and Heartland Payment Systems were both bumped from the list of PCI DSS compliant entities after each disclosed that it had suffered a significant data breach. Heartland regained compliance certification earlier this month. The attack on RBS WorldPay, disclosed late last year, compromised personal information of approximately 1.5 million payment card holders; many of the compromised records included Social Security numbers (SSNs). The stolen data were used to conduct a tightly-orchestrated scam in which money was withdrawn from ATMs.
-http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci13
56987,00.html

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/