SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #45
June 09, 2009
TOP OF THE NEWS
Guilty Plea in Brokerage Account Trojan Scam
Attack on Web Hosting Provider Knocks Out 100,000 Sites
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Four Detained In Connection With Attack on Chinese DNS Provider
LEGAL ISSUES
No Bias in Pirate Bay Convictions
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
DEFCON/Black Hat Founder Among New Members of Homeland Security Advisory Council
POLICY AND LEGISLATION
Sweden's Pirate Party Wins European Parliament Seat
DATA PROTECTION & PRIVACY
UK Information Commissioner Publishes Updated Data Privacy Handbook
Japanese Online Marketplace Rakuten Selling Customer Data to Some Vendors
Wisconsin DOT Officials Sued for Alleged Violation of Driver's Privacy Protection Act
UPDATES AND PATCHES
Adobe's First Quarterly Security Update Slated for Tuesday
DATA BREACHES & COMPROMISES
T-Mobile Looking Into Data Theft Claims
MISCELLANEOUS
China to Require Anti-Pornography on PCs Sold Domestically
TRAINING UPDATE
- - The Forensics Summit starts in four weeks on July 9, and has four courses (http://www.sans.org/forensics09_summit/event.php):
Computer Forensic and E-discovery Essentials
Computer Forensics, Investigation, and Response
Advanced Filesystem Recovery and Memory Forensics
Drive and Data Recovery Forensics
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - National Forensics Summit, July 6-14 http://www.sans.org/forensics09_summit/
Looking for training in your own community? http://sans.org/community/ Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
Guilty Plea in Brokerage Account Trojan Scam (June 5 & 6, 2009)
Alexey Mineev has pleaded guilty to one count of conspiracy to defraud the US and one count of money laundering for his role in a scam that stole thousands of dollars from online brokerage accounts. The indictment, which named two other men in addition to Mineev, alleged that the group had installed keystroke logging programs onto targeted computers and used them to steal brokerage account login credentials. They then allegedly transferred money from the compromised accounts to bank accounts they had established for the purpose of the scheme and then wired that money to Russia. Mineev could be sentenced to up to two years in prison and ordered to pay a fine of US $40,000. His plea agreement also stipulates that he will repay US $112,000 that he received from his part in the scheme. Charges are still pending against Aleksey Volynskiy, and the third man named in the indictment, Alexander Bobnev, has not yet been apprehended. Mineev and Volynskiy are both naturalized US citizens; Bobnev is Russian.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9134041
-http://www.theregister.co.uk/2009/06/05/money_mule_cops_plea/
-http://www.scmagazineus.com/Defendant-pleads-guilty-in-brokerage-keylogger-case/article/138180/
-http://www.networkworld.com/news/2009/060609-man-made-112000-in-bank.html
Attack on Web Hosting Provider Knocks Out 100,000 Sites (June 8, 2009)
An attack on UK web hosting provider Vaserv has reportedly destroyed data for about 100,000 websites. The attackers appear to have exploited a zero-day vulnerability in a virtualization application called HyperVM. The flaw allowed the intruders to gain root access to the system, allowing them to "execute sensitive Unix commands..., including 'rm-rf,' which forces a recursive delete of all files." Half of Vaserv's customers had contracted for service that did not include data backup.
-http://www.theregister.co.uk/2009/06/08/webhost_attack/
-http://www.thewhir.com/web-hosting-news/060809_Web_Host_Hack_Deletes_100k_Sites
-http://www.vaserv.com/
[Editor's Note (Schultz): One hundred thousand Web sites is no trivial number. I would be willing to bet that most of the owners of these sites were clueless regarding the risks associated with the combination of Web hosting and virtualized environments.
(Northcutt): This seems to be a new trend, being destructive. And of course some of those sites will not have backups and will be lost forever. I could preach if you do not have backups you deserve what happens to you, but it is wrong to destroy. I do think stories like this need to be shown to legislators and that we need to strengthen the legal penalties for destroying data. If we start reading stories about people being sentenced to life in prison for destroying data, that will be deterrence. Otherwise, I think you will see more of this. And woe be unto thee that seeketh the cloud and doesn't factor in bomb proof backups. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Four Detained In Connection With Attack on Chinese DNS Provider (June 3, 2009)
Four people have been detained by Chinese police in connection with a distributed denial-of-service (DDoS) attack that interfered with Internet access in several provinces on May 19, 2009. The attack targeted Chinese DNS (domain name system) provider and domain registrar DNSPod. The attack appears to have been prompted by competition between unauthorized online gaming service providers. The attack caused cascading Internet problems because DNSPod's servers are also used by Chinese video-streaming service Baofeng.
-http://www.china.org.cn/china/news/2009-06/03/content_17878401.htm
LEGAL ISSUES
No Bias in Pirate Bay Convictions (June 8 & 9, 2009)
The Stockholm District Court of Appeals has ruled that the judge who found the four co-founders of Pirate Bay guilty of copyright infringement was not biased. Attorneys for the defendants had alleged that the judge's affiliations with pro-copyright organizations impeded his neutrality. The district court disagreed, saying that "the memberships (in the organizations) are simply a measure to gain increased knowledge of copyright legislation issues and are not therefore grounds to establish bias." The decision was announced a day after Sweden's Pirate Party won a seat in the European parliament (see story below.)
-http://www.wired.com/threatlevel/2009/06/stockholm-court-pirate-bay-judge-unbiased/
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10577390
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
DEFCON/Black Hat Founder Among New Members of Homeland Security Advisory Council (June 8, 2009)
Among the 16 members of the Homeland Security Advisory Council sworn in on Friday, June 5 is DEFCON and Black Hat security conference founder Jeff Moss. Other council members include former CIA director William Webster, former FBI director Louis Freeh, and Associate Director for the Naval Postgraduate School Center for Homeland Defense and Security Ellen Gordon. Moss expressed surprise that he was selected for the position, but said he is "fantastically honored and excited to contribute." Moss has worked as a director at Secure Computing Corporation and in the Information System Security division of Ernst & Young.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=217800173
-http://www.h-online.com/security/Hacker-joins-US-Government-s-Homeland-Security-Advisory-Council--/news/113472
-http://www.zdnetasia.com/news/security/0,39044215,62054755,00.htm
-http://www.dhs.gov/xinfoshare/committees/editorial_0858.shtm
[Editor's Note (Northcutt): Hat tip to Jeff Moss. He has technical knowledge; knows business. I am glad to see this! ]
POLICY AND LEGISLATION
Sweden's Pirate Party Wins European Parliament Seat (June 8, 2009)
The Pirate Party has won one of Sweden's 18 seats in the recent elections to the European Parliament. The Pirate Party was established in 2006 in response to Swedish legislation that made file sharing a crime. The party aims to reform European copyright law, abolish the European patent system, eliminate digital rights management (DRM), and allow file-sharing on the Internet. The party's visibility increased following the trial of the four men in the Pirate Bay case; they were each sentenced to one year in prison for enabling file sharing.
-http://www.cnn.com/2009/WORLD/europe/06/08/pirate.party.eu.win/index.html
-http://news.bbc.co.uk/2/hi/technology/8089102.stm
[Editor's Note (Pescatore): This makes me wonder: since the US Federal Government is now a major shareholder in many banks and car companies, who will they appoint to the various Boards of Directors? Will they use that power to make BoD's emphasize security more? ]
DATA PROTECTION & PRIVACY
UK Information Commissioner Publishes Updated Data Privacy Handbook (June 5 & 8, 2009)
The UK Information Commissioner's Office (ICO) has issued an updated version of the Privacy Impact Assessment Handbook. The purpose of the handbook is to help organizations understand the impact new systems and technology will have on data privacy before they are implemented and avoid costly, time-consuming after-the-fact fixes for data leaks and other situations that may find them out of compliance with data protection laws.
-http://www.vnunet.com/computing/news/2243618/ico-issues-privacy-guidance
-http://www.theregister.co.uk/2009/06/08/ico_privacy/
-http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/privacy_impact_assessment_overview.pdf
-http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html
Japanese Online Marketplace Rakuten Selling Customer Data to Some Vendors (June 6, 2009)
The operator of Japanese online retail site Rakuten Ichiba has been accused of selling customers' personal information. Following data theft by an employee in 2005, Rakuten said it stopped providing the information to all vendors on its site, but has continued to sell the information to vendors that meet specific criteria. The data are shared so the companies can process card payments themselves instead of paying fees to have Rakuten handle the transactions.
-http://mdn.mainichi.jp/mdnnews/news/20090606p2a00m0na015000c.html
-http://www.yomiuri.co.jp/dy/national/20090606TDY01304.htm
Wisconsin DOT Officials Sued for Alleged Violation of Driver's Privacy Protection Act (June 4, 2009)
Three Wisconsin women are suing state Department of Transportation (DOT) officials for allegedly selling drivers' personal information. The data were allegedly sold to Shadowsoft, which then sold the information to PublicData, which in turn offered the data for sale on the Internet. The women are seeking to have the lawsuit certified for class action. The suit alleges that as many as a dozen Wisconsin DOT officials violated the federal Driver's Privacy Protection Act.
-http://www.madison.com/wsj/home/local/453748
UPDATES AND PATCHES
Adobe's First Quarterly Security Update Slated for Tuesday (June 5, 6 & 8, 2009)
Adobe is scheduled to release its first scheduled quarterly security update on Tuesday June 9, 2009. This update will address critical flaws in Adobe Reader and Adobe Acrobat versions 7.x, 8.x and 9.x. The company will make a fix available for Windows and Mac versions of the programs; fixes for Unix versions will be issued at a later date. Adobe's decision to move to scheduled updates was prompted by recent complaints that the company was dragging its feet in addressing security flaws.
-http://www.theregister.co.uk/2009/06/06/adobe_quarterly_patch_release/
-http://www.h-online.com/security/Adobe-s-first-patch-Tuesday-approaches--/news/113467
-http://www.scmagazineuk.com/Adobe-to-begin-its-regular-patching-schedule-from-Tuesday/article/138121/
[Editor's Note (Northcutt): Good news. A scheduled release means they can build in testing time like Microsoft does. Looks like we are starting to see some leadership in the software world coming from the big houses. ]
DATA BREACHES & COMPROMISES
T-Mobile Looking Into Data Theft Claims (June 8, 2009)
T-Mobile is investigating reports that cyber criminals have stolen data from the company's internal servers. The self-proclaimed data thieves said in a recent post on the Full Disclosure mailing list that they had tried, unsuccessfully, to sell the data to T-Mobile competitors. The allegedly compromised data include "databases, confidential documents, scripts and programs from (T-Mobile) servers, (and) financial documents." Many have voiced skepticism about the claims.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9134090&taxonomyId=17&intsrc=kc_top
-http://news.cnet.com/8301-1009_3-10259487-83.html
-http://voices.washingtonpost.com/securityfix/2009/06/t-mobile_investigating_data_br.html?wprss=securityfix
-http://blogs.usatoday.com/technologylive/2009/06/tmobile-mum-on-hacker-claim.html?loc=interstitialskip
[Editor's Note (Honan): If what the hackers say is true then it is heartening to see that T-Mobile's competitors did not buy the data and that business ethics is not something of the past. ]
MISCELLANEOUS
China to Require Anti-Pornography on PCs Sold Domestically (June 8 & 9, 2009)
As of July 1, 2009, the Chinese government will require PCs sold in that country to come with pre-installed pornography-blocking software. The software, which is called Green Dam Youth Escort, could potentially be used to block other content as well, allowing the Chinese government to exercise even greater control over what information its citizens can access. Parents can modify the software to block content from which they want their children shielded, and the software can be uninstalled.
-http://online.wsj.com/article/SB124450534684996071.html
-http://www.usatoday.com/tech/news/2009-06-08-china-pc_N.htm
-http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=217800108
-http://rconversation.blogs.com/rconversation/2009/06/original-government-document-ordering-green-dam-software-installation.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/