SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #44

June 05, 2009

TOP OF THE NEWS

Merrick Bank vs. Savvis Could Affect "Liability Dynamic"
Judge Grants FTC Request for Temporary Restraining Order to Shut Down ISP
Government Agencies Will Work with ICANN to Secure Internet

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
NIST Releases Final Draft of Recommended Security Controls Document
DHS Names Three Cyber Security Officials
Nominee Says DHS Will Retain Cyber Security Role
UPDATES AND PATCHES
Microsoft and Adobe to Release Security Updates Next Week
RIM Issues Fix for BlackBerry PDF Vulnerability
DATA LOSS, EXPOSURE & BREACHES
Virginia Notifying Those Affected by Prescription Database Breach
Aviva Acknowledges Data Security Breach
ATTACKS & ACTIVE EXPLOITS
Trojans Found Embedded in ATMs
Phishers Target Outlook Users
MISCELLANEOUS
Sears Settles FTC Complaint Regarding Customer Internet Data Collection
Chinese Censors Blocking Tiananmen Anniversary Coverage

---

********************** Sponsored By Q1 Labs *****************************

Gartner Critical Capabilities for SIEM Technology GET YOUR FREE COPY, COMPLIMENTS OF Q1 LABS CLICK HERE:
http://www.sans.org/info/44388

Gartner just named Q1 Labs to the Leaders Quadrant of their SIEM Magic Quadrant. This Gartner report examines the major vendors of security infrastructure products and services, along with their key offerings, differentiators, and strategies. Find out how their research assesses various SIEM products by looking at five critical capabilities including:
* Log Management; * Compliance Reporting; * Security Event Management;
* User and Resource Access Monitoring; * Deployment/Support Simplicity.

*************************************************************************

TRAINING UPDATE

- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Merrick Bank vs. Savvis Could Affect "Liability Dynamic" (June 3, 2009)

The lawsuit brought by Merrick Bank against Savvis raised important issues about compliance and liability. Merrick, a merchant bank, is suing Savvis because Savvis's certification of CardSystems as compliant with Visa CISP (a compliance standard that predates the Payment Card Industry Data Security Standard, or PCI-DSS) was faulty, causing Merrick to lose US $16 million after CardSystems suffered a data security breach. Merrick is alleging negligence and negligent misrepresentation. The case could "force increased scrutiny (of) largely self-regulated credit-card security practices," and raises the specter of government-imposed regulation. One article also points out that to generate an accurate report, auditors rely on honesty and cooperation from the people at the entity being audited.
-http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-me
rrick-bank-complaint/
-http://www.wired.com/threatlevel/2009/06/auditor_sued/
-http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-ep
idemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=a
pi&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
[Editor's Note (Schultz): The last sentence in this news item may be the key to understanding what happened in this case. Otherwise, it is difficult to understand how an auditor might overlook something as glaring as credit card data stored in cleartext. ]

Judge Grants FTC Request for Temporary Restraining Order to Shut Down ISP (June 4, 2009)

A federal judge has issued a restraining order that shut down an Internet service provider (ISP) suspected of hosting spammers and other cyber criminals. Pricewert, also known as Triple Fiber Network (3FN.net), APS Telecom and APX Telecom, allegedly solicited the business of spammers, malware distributors, pornographers and others; its upstream providers and data centers have cut off the ISP's servers from the Internet. The injunction was issued as a result of a complaint brought by the US Federal Trade Commission (FTC). The action is significant because it "is the first time the FTC has used its Congressional mandate to protect US consumers to sever a service provider suspected of illegal activity." The order also freezes the company's assets; a hearing is scheduled for June 15.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133966
-http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif
_we.html?hpid=sec-tech
-http://www.wired.com/threatlevel/2009/06/feds-shutter-black-hat-isp/
-http://www.theregister.co.uk/2009/06/04/3fn_shut_down/
-http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articl
eID=217701956
-http://www.ftc.gov/os/caselist/0923148/0906043fncmpt.pdf
-http://www.wired.com/images_blogs/threatlevel/2009/06/judgeorder.pdf
[Editor's Note (Northcutt): Really nice use of FTC power to stop deceptive business practice. From what I have been reading the bad guys are relocating fast. We should see a reduction in SPAM for a short period of time (week?), but if this serves as deterrence, at least in the USA for ISPs that know they have bad eggs, it might do some real good. You can see their former website in Google's cache or the Internet Archive:
-http://web.archive.org/web/20080210154708/http://www.3fn.net/]

Government Agencies Will Work with ICANN to Secure Internet (June 4, 2009)

The US Department of Commerce's National Telecommunications and Information Administration and the National Institute of Standards and Technology (NIST) will ask ICANN (The Internet Corporation for Assigned Names and Numbers) for help in deploying DNSSEC "at the authoritative root zone of the Internet" by the end of the year.
-http://www.theregister.co.uk/2009/06/04/dnssec_coming/
-http://www.nextgov.com/nextgov/ng_20090604_5533.php
[Editor's Note (Pescatore): This is a great example of how the government can take actions to actually increase the security of cyberspace. We need more of this and less of government strategies that focus on more ways to collect statistics about successful attacks. (Northcutt): The BIG news in DNSSEC is that the .org domain has been signed. Congratulations to the Public Interest Registry!
-http://blog.pir.org/?p=349
-http://gcn.com/articles/2009/06/03/dnssec-for-dot-org-domain.aspx]

---

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

NIST Releases Final Draft of Recommended Security Controls Document (June 4, 2009)

NIST has released the final public draft of Special Publication 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations. NIST calls the draft "historic in nature (because) for the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems." NIST is accepting public comment on the document though July 1, 2009.
-http://gcn.com/Articles/2009/06/04/Cybersecurity-NIST-final-draft-SP-800-53.aspx
-http://csrc.nist.gov/publications/drafts/800-53/800-53-rev3-FPD-clean.pdf

DHS Names Three Cyber Security Officials (June 2, 2009)

While President Obama has yet to name the first White House Cyber Security Coordinator, DHS Secretary Janet Napolitano has named Philip Reitinger to be director of the National Cybersecurity Center (NCSC). In addition to his new responsibilities, Reitinger will continue to serve as deputy undersecretary of the DHS's National Protection and Programs Directorate (NPPD). Also named to cyber security positions within DHS are Bruce McConnell, who will be a senior adviser to Reitinger in his capacity at NPPD, and Greg Schaffer, who will be assistant secretary for cybersecurity and communications.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133855
-http://fcw.com/articles/2009/06/02/web-dhs-cyber-officials.aspx

Nominee Says DHS Will Retain Cyber Security Role (June 2 & 3, 2009)

Rand Beers, the nominee for Undersecretary of DHS's NPPD, said he was told by deputy national security adviser John Brennan that the yet-to-be-named cyber security coordinator will not diminish DHS's central role in federal cyber security operations. Beers told the Senate's Homeland Security and Governmental Affairs Committee that "there was no realignment of roles and missions of the department, and it is the view in the White House that DHS will continue to play an absolutely essential role in the protection of America's cyber infrastructure."
-http://www.techweb.com/article/showArticle?articleID=217701655§ion=News
-http://fcw.com/Articles/2009/06/02/Web-Beers-confirmation-hearing.aspx
-http://www.hstoday.us/content/view/8767/149/

UPDATES AND PATCHES

Microsoft and Adobe to Release Security Updates Next Week (June 4, 2009)

Microsoft will issue 10 security bulletins on Tuesday, June 9. The bulletins will address vulnerabilities in Windows, Internet Explorer (IE), Word, Excel and Microsoft Office. Six of the 10 bulletins have maximum severity ratings of critical; the update for IE is critical on all versions of Windows, including Vista. The advance notice made no mention of patches for Mac users; last month, Microsoft issued a fix for a vulnerability in PowerPoint for Windows, but not for Mac. It appears that the DirectX vulnerability that Microsoft recently acknowledged will not be addressed next week, either. On the same day, Adobe plans to release updates for Acrobat and Reader versions 7.x, 8.x, and 9.x for both Windows and Mac.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133969
-http://news.cnet.com/8301-1009_3-10257400-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

RIM Issues Fix for BlackBerry PDF Vulnerability (June 3 & 4, 2009)

Research in Motion (RIM) has issued a patch for the Blackberry to address a vulnerability described in a security warning last week. The flaw could be exploited to gain control of vulnerable servers by tricking users into opening maliciously crafted PDF files. The attackers could then use the compromised server to steal company information or send spam.
-http://www.msnbc.msn.com/id/31091902/
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2009/06/03/urnidgns852573C40069
3880002575CA007DFD8C.DTL
-http://www.informationweek.com/news/mobility/security/showArticle.jhtml?articleI
D=217701910
-http://www.reuters.com/article/newsOne/idUSTRE55269N20090603

Virginia Notifying Those Affected by Prescription Database Breach (June 4, 2009)

The state of Virginia is notifying 530,000 people by mail that their Social Security numbers (SSNs) may have been compromised in a computer security breach. In late April of this year, an intruder gained access to the state's Prescription Monitoring Program system. The database was created to detect and thwart drug abuse in Virginia. The breach also affected approximately 1,400 registered database users, largely pharmacists and physicians. The records include patients' names, addresses, dates of birth, names of prescribed drugs, and physician and pharmacist information. Some records also contained nine-digit patient identification numbers, which could be SSNs.
-http://hamptonroads.com/2009/06/officials-hacker-may-have-stolen-social-security
-numbers

Aviva Acknowledges Data Security Breach (June 3, 2009)

Insurance company Aviva, formerly known as Norwich Union, has notified the New Hampshire Attorney General of a breach that exposed sensitive customer information. Aviva blames a virus infection for the data exposure, which affects approximately 550 records. Compromised data include names, addresses and SSNs. The hardware infected by the malware has been disconnected, and affected customers are being notified by mail.
-http://www.theregister.co.uk/2009/06/03/aviva_data_breach/

ATTACKS & ACTIVE EXPLOITS

Trojans Found Embedded in ATMs (June 3 & 4, 2009)

Researchers have found a group of Trojan horse programs that have been embedded in automatic teller machines (ATMs) in Eastern Europe. The programs collect magnetic stripe data and PINs for cards used at the machines; the malware has been updated at least 16 times in the last 18 months. The malware also lets those behind the scam manipulate the ATMs with controller cards and use the machines to print out the stolen information, restore a machines' log files to their pre-malware state, or uninstall the malware. The controller card can also be used to make the machine dispense all the cash it holds. The software requires manual installation, suggesting the likelihood of insider help. ISC:
-http://isc.sans.org/diary.html?storyid=6508
-http://www.theregister.co.uk/2009/06/03/atm_trojans/
-http://news.cnet.com/8301-1009_3-10257277-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
[Editor's Note (Pescatore): In the ATM world, there is a need for the local bank to be able to customize what gets displayed on the ATM screen. That means local access will happen - but access and change controls need to be applied. Many ATM manufacturers have added third party products to lock down the kernel and only allow changes to display content and the like. It really is not that hard to do but sounds like it wasn't done here. ]

Phishers Target Outlook Users (June 3, 2009)

Reports are emerging of a phishing attack that targets Microsoft Outlook users. The scam messages are spoofed so they appear to come from Microsoft, and ask users to reconfigure Outlook on their computers; the provided link requests user names, passwords and mail server information. The data give the phishers full access to users' accounts, so they can read email messages and use the account of which they gained control to send spam.
-http://news.cnet.com/8301-1009_3-10256261-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.theregister.co.uk/2009/06/03/outlook_social_eng_scam/
-http://www.h-online.com/security/Microsoft-Outlook-users-targeted-in-phishing-at
tack--/news/113457

MISCELLANEOUS

Sears Settles FTC Complaint Regarding Customer Internet Data Collection (June 4, 2009)

Sears has settled charges brought by the US Federal Trade Commission (FTC) regarding the company's failure to accurately describe the amount of information gathered by tracking software. Sears offered the customers US $10 to participate in "My SHC Community;" those who agreed were asked to download software that they were told would gather information about their "online browsing." The FTC charges allege that the software also monitored secure sessions, such as online banking, e-shopping cart contents, drug prescription information and information about web-based email the users sent. Under the terms of the settlement, Sears would cease collecting data with the software and would destroy all the data it has already collected. The settlement also calls for Sears to "clearly and prominently disclose the types of data (their software) will monitor, record, or transmit."
-http://www.ftc.gov/opa/2009/06/sears.shtm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9133965

Chinese Censors Blocking Tiananmen Anniversary Coverage (June 2, 2009)

Censors in China are apparently blocking access to Twitter, Flickr, Hotmail and Microsoft's live.com in an effort to prevent citizens from seeing user-posted media coverage of the approaching 20th anniversary of the Tiananmen Square military crackdown. Several weeks ago, Chinese authorities blocked access to all videos on YouTube and there are reports that stories on BBC World news that mention the event have been blacked out. Some sites hosting China-based bloggers have been blocked as well.
-http://www.nytimes.com/2009/06/03/world/asia/03china.html?_r=1
-http://www.wired.com/threatlevel/2009/06/cfp-china/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/