SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #51

June 30, 2009

SANS Network Security 2009 has opened for registration. September 14-22 in San Diego. 26 full length courses and 12 short courses. The largest security training event of the fall. Schedule at http://www.sans.org/ns2009/event.php

---

TOP OF THE NEWS

Britain Faces Cyber Threats From China and Russia
General Alexander Outlines Plans for Cyber Command

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Max Ray Butler Pleads Guilty
Admitted Swatter Draws 135 Month Prison Sentence
LEGAL ISSUES
FTC Reaches Settlement with Man in Scareware Case
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
UK Ministry of Defence Blocks Access to Wikileaks
DATA PROTECTION & PRIVACY
VIP's Clear May Sell Registered Traveler Data to Another Provider
ATTACKS & ACTIVE EXPLOITS
Software Company Under Targeted Attack
Stolen FTP Login Information Found on Server
MISCELLANEOUS
Google Briefly Mistakes Spike in Michael Jackson Searches for Attack
Former DHS Cyber Security Chief Beckstrom Chosen to Head ICANN

---

************************* Sponsored By Symantec *************************

Ponemon Report: Data Loss During Downsizing According to a research study conducted by the Ponemon Institute, more than half of ex-employees admit to stealing company data. Download this report to view survey results and to see how you can protect your organization from being so vulnerable. Download report at http://www.sans.org/info/45258

************************* TRAINING UPDATE ***************************

- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Forensics Summit starts on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php:
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days
http://www.sans.org/info/43118 Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Britain Faces Cyber Threats From China and Russia (June 25,26 & 29, 2009)

British Security Minister Lord West says that Britain faces cyber threats from China, Russia and Al-Qaeda. Of particular concern is the possibility that attackers could gain access to systems that control Britain's utilities, financial systems and government and military networks. The new Cyber Security Operations Centre was created to draw together the expertise of the MI5, the GCHQ listening post in Cheltenham and the Metropolitan Police. Lord West has also said that the government has and would in the future hire former hackers to help protect critical systems from attacks. Britain also plans to develop cyber warfare strategies.
-http://www.theregister.co.uk/2009/06/29/cyberminister_gaffe/
-http://news.bbc.co.uk/2/hi/uk_news/politics/8118729.stm
-http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/5634820/Al-Qaeda
-China-and-Russia-pose-cyber-war-threat-to-Britain-warns-Lord-West.html
-http://www.smh.com.au/technology/security/britain-hires-hacker-to-held-defend-th
e-realm-20090626-czbw.html

[Editor's Note (Schultz): Personnel screening is one of the most important control measures in information security. Hiring computer criminals to perform information security tasks in effect means that personnel screening is unimportant, because there is no way that the overwhelming preponderance of these people could pass a background check.
(Honan): Governments consulting criminals on how to protect our critical information systems is an insult to the true hard working professionals in the information security industry.
(Paller): I think it makes sense to tap into the pipeline of young people who may have broken a law but who actually want to use their skills to help their country. Yes there is danger there; but there is danger throughout cyberspace. If we don't find and employ the best of these people, we lose twice - they don't help us and they do help others whom we might not like. ]

General Alexander Outlines Plans for Cyber Command - and Cyber Education (June 26, 2009)

Lt. General Keith Alexander, the person most likely to be chosen to head the new US Cyber Command, told a large audience in Washington that "We've got to have a common block of training for all people operate in cyberspace-for our defenders, our operators, our exploiters and our attackers," Alexander was clear that getting DoD's networks better secured is the command's foremost mission.
-http://www.federalnewsradio.com/index.php?nid=35&sid=1705302

---

************************** Sponsored Links: ***************************

InstantSecurityPolicy.com - Professional IT Security Policies, created and delivered online with innovative wizard, free samples available http://www.sans.org/info/45263

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Max Ray Butler Pleads Guilty (June 29, 2009)

Known computer criminal Max Ray Butler, a.k.a. Max Vision, has pleaded guilty to federal wire fraud charges. Butler admitted to stealing 1.8 million credit card numbers and using them to conduct US $86 million worth of fraudulent transactions. In 2001, Butler was sentenced to 18 months in prison for an attack that closed security holes in Pentagon systems, but left backdoors so he could still access those systems. In prison, Butler met other criminals and became involved in the credit card scheme after his release. He also staged a takeover of carder forums, underground Internet groups where cyber criminals traded stolen credit card information. Butler could face up to 60 years in prison for the new charges.
-http://www.wired.com/threatlevel/2009/06/butler_court/
-http://www.pittsburghlive.com/x/pittsburghtrib/news/breaking/s_631556.html

Admitted Swatter Draws 135 Month Prison Sentence (June 29, 2009)

Matthew Weigman has been sentenced to 135 months in prison for hacking phone systems and harassing a Verizon investigator. Weigman participated in phone system hacks that caused SWAT teams to descend on the homes of unsuspecting people. He pleaded guilty earlier this year to conspiracy to retaliate against a witness, victim or informant, to conspiracy to commit device fraud and for taking action against an investigator from Verizon who informed the FBI of Weigman's illegal activities.
-http://www.theregister.co.uk/2009/06/29/phone_phreaker_sentence/
-http://www.wired.com/threatlevel/2009/06/blind_hacker/

FTC Reaches Settlement with Man in Scareware Case (June 26, 2009)

James Reno and his company ByteHosting Internet Services have agreed to pay US $1.9 million to settle US Federal Trade Commission (FTC) charges in a scareware scheme. The scam tricked users into believing their machines were infected with malware and urged them to download phony antivirus products. Six other people allegedly involved in the scheme face pending charges from the FTC. The FTC froze about US $117,000 in assets Reno reaped from his illegal activities; that money will be forfeit, but the remainder of the settlement will be suspended because he is unable to pay it.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9134884
-http://www.scmagazineus.com/FTC-settles-with-scareware-defendant-for-19-million/
article/139217/

UK Ministry of Defence Blocks Access to Wikileaks (June 25 & 26, 2009)

The UK Ministry of Defence (MoD) is taking quick action to block access to the Wikileaks website from its computers. The decision was made after MoD learned that sensitive documents had been posted to the site. Some of the leaked documents are manuals used by troops in Iraq.
-http://www.v3.co.uk/v3/news/2244927/mod-blocks-wikileaks
-http://www.guardian.co.uk/uk/2009/jun/25/wikileaks-blocked-ministry-defence

VIP's Clear May Sell Registered Traveler Data to Another Provider (June 26 & 27, 2009)

Verified Identity Pass's (VIP) defunct Registered Traveler program Clear said it could sell the personal information it collected from customers to another provider of expedited airport security services if the government approves of the arrangement. A statement on VIP's website said the company was wiping customer data from its airport kiosks and computers it assigned to employees. Customers will be notified by email when the data are deleted. The only situation in which the information would not be destroyed if it is sold to a company offering a similar program; that company would be required to protect the information "in accordance with the Transportation Security Administration's privacy and security requirements for Registered Traveler programs." Customers had provided Clear with a bevy of personal information, including credit card numbers, fingerprints and iris scans, in return for the promise of a speedy trip through security at about 20 major US airports.
-http://www.theregister.co.uk/2009/06/27/clear_may_sell_data_to_similar_provider/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9134882
[Editor's Note (Weatherford): Wow, who would have thought that these guys would consider trying to sell their customer personal information to another provider? I am shocked! What if those 260,000 customers don't want to participate in another traveler program and don't want the information they provided to Clear given to another company? ]

Software Company Under Targeted Attack (June 29, 2009)

The California software company that says some of its code was used in the Green Dam Internet filtering software without permission is under attack. Solid Oak Software contacted the FBI late last week after it came under a cyber attack that appears to emanate from China. Green Dam filtering software has generated controversy since China mandated that all PCs sold in or shipped to that country have the software pre-installed as of July 1. Solid Oak's head of public relations and marketing Jenna DiPasquale said that a Microsoft representative examined suspicious messages recently received at the company and found evidence of an attack tailored specifically for Solid Oak.
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=218101882

Stolen FTP Login Information Found on Server (June 26 & 29, 2009)

Researchers have discovered a server hosted in China that contains more than 68,000 FTP passwords, including a number for well-known sites such as the BBC, Cisco, Amazon and Bank of America. Some of the login information appears to have been stolen within the last two weeks, which suggests that the data are still valid. Possession of this information could allow attackers to upload malware to the vulnerable sites. The stolen information is being uploaded to the server by the zbot Trojan Horse program.
-http://www.theregister.co.uk/2009/06/26/ftp_malware_hack/
-http://www.eweek.com/c/a/Security/Trojan-Swipes-FTP-Credentials-for-Major-Compan
ies-in-Malware-Attack-340752/

Google Briefly Mistakes Spike in Michael Jackson Searches for Attack (June 28 & 29, 2009)

For a short time last Thursday afternoon, the spike in Internet searches about Michael Jackson following the news of his death caused Google to think that it was the target of a distributed denial-of-service (DDoS) attack. Users searching for more information saw a "We're sorry" page. Google users are generally sent to a page with a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) during suspected DDoS attacks to determine which requests are legitimate. Users looking for news about Jackson affected other online media as well. The Los Angeles Times website crashed shortly after breaking the news of Jackson's death, and Twitter experienced server crashes after the micro-blogging site was overloaded.
-http://www.v3.co.uk/v3/news/2244960/google-mistook-mj-searches-net
-http://www.securityfocus.com/brief/980
-http://www.cnn.com/2009/TECH/06/26/michael.jackson.internet/index.html

Former DHS Cyber Security Chief Beckstrom Chosen to Head ICANN (June 26, 2009)

Former US Department of Homeland Security (DHS) National Cybersecurity Center director Rod Beckstrom has been chosen to take over for Paul Twomey as CEO and president of the Internet Corporation for Assigned Names and Numbers (ICANN) when Twomey steps down at the end of the year. Beckstrom resigned from his DHS position earlier this year.
-http://www.scmagazineus.com/Former-US-cybersecurity-chief-appointed-CEO-of-ICANN
/article/139165/
-http://news.cnet.com/8301-13578_3-10273668-38.html
-http://voices.washingtonpost.com/securityfix/2009/06/ex-dhs_cyber_chief_tapped_a
s_p.html
-http://www.nextgov.com/nextgov/ng_20090629_3655.php
-http://www.theregister.co.uk/2009/06/26/icann_ceo/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/