SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #52

July 03, 2009

TOP OF THE NEWS

Unified Cyber Security Command Raises Questions About Nature of Cyber Warfare
MySpace Hoax Conviction Overturned
Irish ISP Faces Legal Action Over Refusal to Adopt Anti Piracy Measure

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES
Hospital Security Guard Broke Into Facility Computers and Was Planning Attack
Alleged Rolling Stone Hacker Arrested
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
TSA Asked About Plans to Protect Registered Traveler Data
POLICY AND LEGISLATION
Green Dam Enforcement Postponed
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
New Owners of Pirate Bay Plan Legitimate Filesharing
DATA PROTECTION & PRIVACY
Online Advertisers Publish Voluntary Data Privacy and Security Guidelines
VULNERABILITIES
Apple Working on Patch for iPhone SMS Vulnerability
ATTACKS & ACTIVE EXPLOITS
Kentucky County Government bank Account Targeted by Internet Thieves
Zbot Server Shut Down
MISCELLANEOUS
ATM Hack Presentation Cancelled

---

*************************************************************************

TRAINING UPDATE

- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Forensics Summit starts on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php:
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days http://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php Plus Amsterdam, London, Dubai, Riyahd, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Unified Cyber Security Command Raises Questions About Nature of Cyber Warfare (July 2, 2009)

The announcement of the planned unified cyber security command raises a number of important questions about the scope of the organization and how it meshes with other government agencies. It also brings the government face to face with the thorny questions surrounding cyber warfare; a recent National Research Council study noted that "an unclassified and authoritative statement of joint (military) doctrine for the use of computer network attack is unavailable and it is fair to say that current doctrine on this matter is still evolving." While the Geneva Convention requires that all combatants be identifiable, cyber space makes it all too easy for attackers to conceal their identities.
-http://washingtontimes.com/news/2009/jul/02/us-takes-aim-at-cyberwarfare/

MySpace Hoax Conviction Overturned (July 2, 2009)

A federal judge has overturned the conviction of Lori Drew, the Missouri woman who perpetrated a MySpace hoax that ended in the suicide of a 13-year-old neighbor girl. In November, Drew was convicted of three counts of illegally accessing a protected computer. US District Judge George H. Wu's decision is tentative pending the filing of his written ruling, which is expected next week. Judge Wu expressed concern that if Drew's conviction of violating MySpace terms of service would "criminalize what would be a breach of contract."
-http://latimesblogs.latimes.com/lanow/2009/07/myspace-sentencing.html
-http://www.ktla.com/news/landing/ktla-myspace-suicide,0,1166066.story
-http://www.nytimes.com/2009/07/03/us/03bully.html?ref=global-home
-http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070200718.
html
-http://www.wired.com/threatlevel/2009/07/drew_court/
[Editor's Note (Northcutt): Once again the law is trying to catch up with technology. At first blush it would seem that this falls under Title 18 1030 of the US Code, "Fraud and related activity in connection with computers", but how do you define a protected computer if she is using her own? I expect this one will be appealed and go up a level.
-http://www.law.cornell.edu/uscode/18/1030.html]

Irish ISP Faces Legal Action Over Refusal to Adopt Anti Piracy Measure (June 30, 2009)

Irish Internet service provider (ISP) UPC is facing legal action over its refusal to adopt a three strikes policy to deter illegal downloaders. The Irish Recorded Music Association (IRMA) reached an agreement with ISP Eircomm to establish a three strikes policy and informed other Irish ISPs that they must follow Eircomm's lead or face legal action. "UPC has made its position clear from the outset - it will not agree to a request that goes beyond what is currently provided under existing legislation."
-http://www.siliconrepublic.com/news/article/13320/comms/upc-confirms-illegal-dow
nload-court-hearing-against-big-four-next-week

---

THE REST OF THE WEEK'S NEWS

ARRESTS, INDICTMENTS & SENTENCES

Hospital Security Guard Broke Into Facility Computers and Was Planning Attack (June 30, July 1 & 2, 2009)

A security guard at a Dallas, Texas hospital has been arrested for allegedly plotting a distributed denial-of-service (DDoS) attack that was to be launched on July 4. Jesse William McGraw allegedly broke into computers at the hospital where he worked and installed malware to aid the planned attack. The compromised computers include those that control the facility's heating, ventilation and air conditioning (HVAC) system and several PCs that contained patient information. McGraw allegedly posted pictures and videos of his activity to the Internet, seeking help with the planned attack.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9135089
-http://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/
-http://dallas.fbi.gov/dojpressrel/pressrel09/dl063009.htm
[Editor's Note (Northcutt): How many times have I read a story like this and had the simple comment: "access control".
(Honan): Wesley McGrew the gentleman who helped catch this alleged criminal has published a series of excellent posts on his blog, including videos of the accused carrying out his alleged attack. Highly recommended reading for all
-http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-syste
ms-incident-at-carrell-clinic-part-1/
-http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/
(Schmidt): This is a good reminder about the physical security of our systems and how we pay a lot of attention to the "cyber" aspect of security but do not often focus on the protection of the assets. Phone closets, wiring closets, shared server rooms need to be part of a comprehensive information security program. One area that is often overlooked is leased office space where common access to these "closets" is common.
(Skoudis): There's an interesting near-collision of names here. McGraw is the alleged bad guy, whereas security researcher Wesley McGrew is the good guy, who did fantastic information gathering and technical analysis in support of this case. Wesley's work here is an inspiration, and a reminder for infosec pros about why and how to use our skills and position for good. My hat's off to you, Wesley! ]

Alleged Rolling Stone Hacker Arrested (June 30 & July 2, 2009)

Federal law enforcement agents have arrested Bruce Raisley of Monaca, Pennsylvania for allegedly launching distributed denial-of-service (DDoS) attacks against numerous websites, including that of Rolling Stone magazine. Raisley has been charged with intentionally causing damage to a protected computer. The motivation for the attacks appears to be revenge for stories that painted unflattering pictures of Raisley.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=cybercrime_and_hacking&articleId=9135003&taxonomyId=82&ints
rc=kc_top
-http://www.theregister.co.uk/2009/06/30/suspected_rolling_stone_ddos/
-http://www.securecomputing.net.au/News/149038,rolling-stone-magazine-hacker-arre
sted.aspx

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

TSA Asked About Plans to Protect Registered Traveler Data (July 1, 2009)

US legislators want to know what steps the Transportation Security Administration (TSA) is taking to secure the personal information collected by a now-defunct registered traveler company. The Clear service offered by Verified Identity Pass Inc. charged customers US $199 a year to participate in a service that gave them expedited service in security lines at about 20 major US airports. Customers had to supply Clear with a significant amount of sensitive personal information, including fingerprints, iris scans, driver's license numbers and passport numbers. While registered traveler programs are operated by private companies, the TSA sets requirements for operation. In a letter dated June 25, 2009, Representative Bennie Thomas (D-Miss.), chairman of the House Homeland Security Committee, expressed concern about the security of the collected data and asked the TSA to describe its plans to secure the data.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9135064
-http://fcw.com/Articles/2009/07/06/WEEK-Registered-Traveler-Personal-Information
.aspx

POLICY AND LEGISLATION

Green Dam Enforcement Postponed (June 30, 2009)

China's Ministry of Industry and Information Technology has announced that the mandate to have Green Dam on all PCs sold in or shipped to that country has been postponed. Originally, all new computers were to have come with the filtering software as of July 1, but the deadline was been extended to give companies time to comply and to allow the Chinese government to install the software on school and cyber cafe PCs, according to the ministry. The Green Dam-Youth Escort software has met with criticism for potential violations of free trade agreements, and civil rights activists say it could be used to block more content than just pornography, its stated intent.
-http://www.nytimes.com/2009/07/01/technology/01china.html?_r=1
-http://news.cnet.com/8301-13578_3-10275778-38.html?part=rss&subj=news&ta
g=2547-1009_3-0-20
-http://news.bbc.co.uk/2/hi/asia-pacific/8126832.stm

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

New Owners of Pirate Bay Plan Legitimate Filesharing (July 1, 2009)

The Pirate Bay peer-to-peer filesharing website has been sold, and its new owners plan "to introduce models that ensure content providers and copyright owners get paid for content that is downloaded via the site." Global Gaming Factory X paid 60 million kronor (US $7.7 million) for The Pirate Bay. Earlier this year, the site's four founders were found guilty of abetting copyright law; they were ordered to pay a fine of 30 million kronor (US $3.9 million) and each sentenced to one year in prison.
-http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=105818
05
-http://www.theregister.co.uk/2009/07/01/pirate_bay_accounts_deleted/
-http://news.bbc.co.uk/2/hi/technology/8128551.stm

DATA PROTECTION & PRIVACY

Online Advertisers Publish Voluntary Data Privacy and Security Guidelines (July 2, 2009)

Online advertisers have established the Self-Regulatory Principles for Online Behavioral Advertising. The guidelines are voluntary, but if advertisers adhere to them, they will be less likely to face government regulation. The seven principles are Education, Transparency, Consumer Control, Data Security, Material Changes to Existing Online Behavioral Advertising Policies and Practices, Sensitive Data, and Accountability.
-http://www.usatoday.com/tech/2009-07-01-ads-online-privacy_N.htm
-http://www.iab.net/media/file/ven-principles-07-01-09.pdf
[Editor's Note (Pescatore): There is a statement in the guidelines under Consumer Consent that says "Service Providers should not collect and use data for Online Behavioral Advertising purposes without Consent" If that equates to requiring opt-in before collection, that's a good thing. But much of the rest just sounds like there will be a series of links that will have to be traversed for any consumer to figure out how to stop such collection. ]

VULNERABILITIES

Apple Working on Patch for iPhone SMS Vulnerability (July 2, 2009)

Apple computer is reportedly working on a fix for a vulnerability in the way iPhones parse text messages received through SMS, or Short Message Service. While the details of the flaw have not been released, it could be exploited to install and execute arbitrary code remotely. This means attackers could determine the location of the phone with GPS, turn on the phone's microphone feature, or recruit the device into a botnet. Apple expects to release a fix for the flaw before the Black Hat Security Conference later this month, where additional details about the vulnerability will be discussed.
-http://www.networkworld.com/news/2009/070209-apple-patching-serious-sms-vulnerab
ility.html
-http://www.theregister.co.uk/2009/07/02/critical_iphone_sms_bug/
[Editor's Note (Pescatore): How about working on fixes to the development and QA processes that continue to allow such major vulnerabilities to be in shipping code?
(Skoudis): This is a big concern, because the iPhone and other smart phones are the ultimate spying devices. If I compromise your phone, I can get real-time updates on where you are (via GPS), the sounds around you (the microphone), what your phone can see (the still or video camera), whether you are walking (the accelerometer), your recent e-mails, your contacts... In a sense, you are completely owned, in a more privacy-invasive fashion than occurs with the compromise of your PC.
(Schultz): Lamentably, the iPhone is leading the way when it comes to vulnerabilities in smart phones. I would love to buy one, but the fact that this product is so vulnerability-riddled keeps me from doing so. ]

ATTACKS & ACTIVE EXPLOITS

Kentucky County Government bank Account Targeted by Internet Thieves (July 1, 2009)

Hackers are believed to have stolen more than US $400,000 from the bank account of Bullitt County, Kentucky. The intruders gained access to the Bullitt County computer network with a stolen user name and password, and transferred the funds out of the county's account and into other accounts around the country. US $45,000 has been recovered. The attackers are believed to be based in the Ukraine and have cohorts in the US. An undisclosed source says the cyber thieves used the Zbot Trojan Horse program in their attack. The malware allowed the attackers not only to steal login information, but also to connect to the bank through the user's own connection, so the session would not look suspicious to the bank.
-http://www.wave3.com/Global/story.asp?S=10629488
-http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii
.html?wprss=securityfix
[Editor's Note (Skoudis): I remember the debates of a couple of years ago, when we wondered when cyber crime cases and thefts would exceed non-cyber cases. Now, I'm wondering why any thief even bothers with non-cyber cases at all. ]

Zbot Server Shut Down (July 1, 2009)

A server that was being used to help distribute the Zbot Trojan Horse program has been shut down. The server, located in the Cayman Islands, sent information to computers already infected with Zbot that allowed them to infiltrate websites and infect them with drive-by malware. Once the server in the Caymans Islands was disabled, no new sites were infected with the malware, but the attackers are more than likely moving their operations onto another server.
-http://www.scmagazineus.com/Malicious-server-used-to-propagate-Zbot-shut-down/ar
ticle/139411/

MISCELLANEOUS

ATM Hack Presentation Cancelled (June 30 & July 1, 2009)

A presentation on ATM hacking planned for the upcoming Black Hat Security Conference has been cancelled. The decision was made to allow the unnamed ATM manufacturer time to address the vulnerability. The presenter had planned to talk about both local and remote attacks on the machines and demonstrate techniques on an unprotected model. The subject is timely; last month, researchers discovered malware hidden on ATMs in Russia that allowed the attackers to gather card information without the use of a skimming device, and even in some cases, force the ATM to eject all the cash it contains.
-http://www.h-online.com/security/Cash-machine-cracking-presentation-cancelled--/
news/113657
-http://www.theregister.co.uk/2009/06/30/atm_talk_canceled/
-http://www.securityfocus.com/brief/981
-http://news.cnet.com/8301-1009_3-10277284-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.scmagazineus.com/Juniper-pulls-researchers-Black-Hat-ATM-talk/article
/139402/
[Editor's Note (Skoudis): The annual tradition of a cancelled controversial talk continues. I wonder if there is some kind of betting pool in Las Vegas for which technology will be associated with the cancelled talks for the 2010 Black Hat conference. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/