SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #59

July 28, 2009

TOP OF THE NEWS

US Cyber Challenge Announced
Leahy Introduces US Data Security Legislation
Summary Judgment in Downloading Undermines Defense
Network Solutions Data Breach

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
UK ISP Reverses Course on Hasty Anti-Piracy Measures
Guilty Plea in Movie Uploading Case
UPDATES AND PATCHES
Adobe Promises Patches for Flash, Reader, and Acrobat By End of Week
Microsoft Out-of-Cycle Patches Affect Internet Explorer and Visual Studio
DATA BREACHES, LOSS & EXPOSURE
Alico Breach Believed to be Connected to Credit Card Fraud
SPYWARE, SPAM & PHISHING
Twitter Weeds Out Spam Accounts
MISCELLANEOUS
Post-Transaction Marketers Drawing Shoppers' Ire

---

*********** Sponsored By RSA, The Security Division of EMC ***********

"How RSA envision(R) Delivers an Industry's Best ROI" https://www.sans.org/info/46523
This White Paper examines the Return on Investment (ROI) that a quality Security Information & Event Management (SIEM) solution can deliver to an organization.

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition https://www.sans.org/ns2009
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days https://www.sans.org/info/43118
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/spring09.php
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Cyber Challenge Seeks Top Cyber Security Potential (July 27, 2009)

A consortium of government and private organizations have established the US Cyber Challenge, an initiative that seeks to find 10,000 people with the potential to become the cyber security leaders of the future. The program will identify individuals who demonstrate skills that will allow them to the top of the cyber security talent pool through three national competitions: the CyberPatriot Defense Competition, the DC3 Digital Forensics Competition, and the NetWars Capture the Flag Competition. The field will be winnowed down, and those who demonstrate skill in the challenges are invited to attend cyber camps at colleges around the country and participate in other national challenges. Those who demonstrate extraordinary talent and skill will be eligible to compete for scholarships and internships. Members of the consortium include the the Center for Strategic and International Studies (CSIS), US Department of Defense Cyber Crime Center, the Air Force Association, and the SANS Institute. The state of Delaware has announced a state-wide competition. Senator Liebreman met with the young winner of the first round of NetWars. Home Page:
-http://csis.org/uscc
-http://www.computerworld.com/s/article/9135944/U.S._seeks_top_guns_for_cybersecu
rity_?source=rss_security
-http://gcn.com/articles/2009/07/27/web-cyber-challenge.aspx
-http://www.nextgov.com/nextgov/ng_20090727_2075.php?oref=topstory
Senator Carper's Statement:
-http://carper.senate.gov/press/record.cfm?id=316227
Senator Lieberman:
-http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&Conte
ntRecord_id=be51788d-5056-8059-7620-33563f966a7bhttp://www.technologyreview.com/
web/23066/
[Editor's Note (Schultz): This is a fascinating idea. We need more innovation of this nature in the information security arena. My only concern is that individuals who engage in computer crime and other sordid activity will have a huge advantage in the capture the flag competition. We don't want or need such individuals in our arena. ]

Leahy Introduces US Data Security Legislation (July 22 & 24, 2009)

US Senator Patrick Leahy (D-Vt.) has introduced a bill that would require companies that retain consumers' personal data to establish and implement programs to protect that information. The Personal Data Privacy and Security Act would also require that companies must notify affected individuals in the event of a data security breach. This is the third time Leahy has introduced this legislation.
-http://www.scmagazineus.com/Leahy-for-third-time-submits-federal-data-security-l
aw/article/140604/
-http://leahy.senate.gov/press/200907/072209b.html
[Editor's Note (Schultz): This legislation is long overdue. If passed, it will make a huge difference concerning organizations' practices concerning safeguarding personally identifiable information. (Pescatore): While there are good things about this bill, the language of this bill says that companies can request exemption from disclosure by notifying the US Secret Service of a risk assessment showing low risk of fraud within 45 days of the breach. This is both a huge loophole and an administrative nightmare. ]

Summary Judgment in Downloading Undermines Defense (July 27, 2009)

Opening arguments are set to begin on Tuesday, July 28 in the filesharing case against a Boston University student. Joel Tenenbaum's defense rested on his assertion of fair use, a defense rejected by US District Judge Nancy Gertner on Monday morning when she granted RIAA"s request for summary judgment on the issue of fair use. The Recording Industry Association of America (RIAA) is suing Tenenbaum for 30 recordings he allegedly made available for downloading through the Kazaa filesharing network; he faces up to US $150,000 for each recording if he is found guilty of making available for illegal download. The RIAA says it detected a total of about 800 songs in Tenenbaum's open share folder in 2004. The RIAA has said it is moving away from suing illegal downloaders, instead looking to partner with ISPs to help stem the practice.
-http://www.wired.com/threatlevel/2009/07/riaa-file-sharing-trial-starting/
-http://arstechnica.com/tech-policy/news/2009/07/judge-rejects-fair-use-defense-a
s-tenenbaum-p2p-trial-begins.ars

Network Solutions Data Breach (July 24, 25 & 27, 2009)

More than 4,000 e-commerce websites hosted by Network Solutions had their credit card sales transactions compromised in a data security breach. The data were stolen between March 12 and June 8 of this year. Nearly 574,000 people are affected by the breach. Network Solutions has offered to notify affected customers on behalf of the e-merchants. Network Solutions was reportedly compliant with the Payment Card Industry Data Security Standard (PCI DSS) prior to the breach; the company's last assessment was conducted in October 2008. Network Solutions found suspicious code on servers hosting the websites; the company has notified law enforcement and is investigating the breach.
-http://voices.washingtonpost.com/securityfix/2009/07/network_solutions_hack_comp
rom.html
-http://www.h-online.com/security/Half-a-million-customers-credit-card-data-stole
n-from-Network-Solutions--/news/113851
-http://www.scmagazineus.com/Network-Solutions-was-PCI-compliant-before-breach/ar
ticle/140642/
-http://www.computerworld.com/s/article/9135905/Network_Solutions_warns_merchants
_after_hack?taxonomyId=17
-http://news.cnet.com/8301-27080_3-10296817-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.theregister.co.uk/2009/07/25/network_solutions_ecommerce_breach/

---

*************************** SPONSORED LINKS******************************

1) WEBCAST: How Browser Exploits Lead to Web 2.0 Hacking with keynote from IDC http://www.sans.org/info/46528
2) Be sure to register for the upcoming webcast: Six Things you Need to Consider Before Buying a Log Management Tool. http://www.sans.org/info/46533
3) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link. http://www.sans.org/info/46538

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK ISP Reverses Course on Hasty Anti-Piracy Measures (July 24 & 27, 2009)

UK Internet service provider (ISP) Karoo has changed its tune regarding Internet piracy. The ISP, which is the only broadband provider available in the city of Hull, was cutting off service to users suspected of illegal downloading. The customers had been required to sign a document acknowledging their guilt before their service was restored. Karoo has now adopted a three-strikes policy.
-http://news.idg.no/cw/art.cfm?id=BC875991-1A64-67EA-E4E3E660B0E8EFC9
-http://www.theregister.co.uk/2009/07/24/karoo_p2p_policy_change/
-http://www.v3.co.uk/v3/news/2246722/pirates-suffer-hull-breach
-http://www.theregister.co.uk/2009/07/24/karoo_p2p/

Guilty Plea in Movie Uploading Case (July 22 & 23, 2009)

A California man has pleaded guilty to uploading a copyrighted work being prepared for commercial distribution. Owen Moody uploaded a pirated copy of Slumdog Millionaire to the Internet. Moody found the file on a website where someone else had uploaded it from a screener copy of the movie; screeners are copies of films sent to members of the Academy of Motion Picture Arts and Sciences for consideration as award nominees. Moody faces a maximum penalty of three years in prison and a US $250,000 fine.
-http://www.cybercrime.gov/moodyPlea.pdf
-http://www3.signonsandiego.com/stories/2009/jul/23/man-pleads-guilty-pirating-sl
umdog/

Adobe Promises Patches for Flash, Reader, and Acrobat By End of Week (July 23, 24 & 27, 2009)

A fix for the zero-day flaw in Adobe Flash, Reader and Acrobat will be available at the end of this week. The flaw is being actively exploited. Users are urged to apply workarounds suggested in the Adobe advisory and in the alert from US-CERT until the patches are available. Due to the serious nature of the vulnerability, the fixes will be released out of Adobe's normal quarterly patch release. Adobe expects to have the Flash patch available by Thursday, July 30, and the patches for Reader and Acrobat the following day. ISC:
-http://isc.sans.org/diary.html?storyid=6847
-http://www.adobe.com/support/security/advisories/apsa09-03.html
-http://www.us-cert.gov/cas/techalerts/TA09-204A.html
-http://www.usatoday.com/tech/news/computersecurity/2009-07-26-adobe-hackers_N.ht
m
-http://www.theregister.co.uk/2009/07/24/adobe_flash_patch_pre_alert/
-http://news.cnet.com/8301-27080_3-10294212-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20

Microsoft Out-of-Cycle Patches Affect Internet Explorer and Visual Studio (July 24 & 25, 2009)

Microsoft plans to issue two out-of-cycle fixes on Tuesday, July 28. The emergency patches will address a critical vulnerability in Internet Explorer (IE) and an important vulnerability in the Visual Studio developer suite; the fixes are related. The flaws could be exploited to execute rogue code remotely. Both fixes will require reboots. Microsoft's normal practice is to issue security updates on the second Tuesday of each month. ISC:
-http://isc.sans.org/diary.html?storyid=6859
-http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
-http://www.theregister.co.uk/2009/07/25/microsoft_emergency_patches/
-http://voices.washingtonpost.com/securityfix/2009/07/microsoft_to_issue_emergenc
y_p.html
-http://www.scmagazineus.com/Microsoft-set-to-deliver-two-emergency-updates-Tuesd
ay/article/140616/
-http://www.computerworld.com/s/article/9135918/Microsoft_rushes_clutch_patch_for
_deep_bug_in_Windows_third_party_apps?source=rss_security
-http://www.h-online.com/security/Unscheduled-patches-for-Microsoft-IE-and-Visual
-Studio--/news/113846
-http://news.cnet.com/8301-27080_3-10295592-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
[Editor's Note (Northcutt): Every once in a while a security manager asks me whether installing out-of-cycle patches is urgent. The short answer is, yes. Microsoft won't issue an out of cycle patch without a very good reason. ]

Alico Breach Believed to be Connected to Credit Card Fraud (July 27 & 28, 2009)

A data security breach at insurance company Alico Japan has exposed credit card information related to as many as 130,000 insurance contracts. The breach is believed to be responsible for 2,200 instances of credit card fraud. Alico said it would incur the cost of any losses suffered by customers as a result of the breach.
-http://www.japantoday.com/category/crime/view/alico-japan-reports-2200-cases-of-
possible-credit-card-fraud-due-to-data-leakage
-http://www.straitstimes.com/Breaking%2BNews/Asia/Story/STIStory_408744.html

Twitter Weeds Out Spam Accounts (July 24, 2009)

Last week, Twitter purged accounts believed to have been created for the purpose of spamming, leaving some Twitterers with significant decreases in their number of followers. While some expressed frustration that legitimate followers had been removed, others were glad to see the spammers gone.
-http://blogs.wsj.com/digits/2009/07/24/did-you-lose-followers-today/
-http://www.itproportal.com/portal/news/article/2009/7/24/twitter-closes-thousand
s-spam-accounts-massive-cull-operation/
[Editor's Note (Northcutt): So much for the law of attraction! I lost about sixty followers and think it is overall a good thing that Twitter has done. ]

Post-Transaction Marketers Drawing Shoppers' Ire (July 24, 2009)

Thousands of people who have shopped at certain online retailers have found unexpected charges on their credit card statements. The culprits are companies that operate web loyalty programs. The offer to try the service for a brief period of time pops up during the purchase process. It may ask for a seemingly innocuous piece of information such as an email - many online shoppers have junk email addresses - to get past the page. What is not so obvious is the agreement, buried in fine print, that allows these third parties access to shoppers' credit card information; the companies apparently pay the retailers a fee for access to this information. The companies, which include Vertrue, WebLoyalty and Affinion, maintain that their actions are all Legal. However, the fact that the offers appear during the checkout process, which can be frustrating under the best of circumstances, suggests the companies are aware that "consumers don't want their products."
-http://news.cnet.com/8301-1023_3-10293633-93.html?tag=nl.e703

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/