SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #67
August 25, 2009
The first story in Top of the News this week is one of the biggest untold stories in security; friends inside the financial institutions tell me the losses are already over $1 million a week and growing very fast. An interesting part of the story is that the banks are not covering the losses for commercial depositors. Companies are failing; jobs are being lost because of these attacks.
If you are planning to move to Windows 7 (like almost everyone else) give your system admins and security folks a head start by attending the new six-day Securing Windows course (SEC505). It has been fully updated for Windows 7 and Server 2008-R2.
http://tinyurl.com/ltem5o
Alan
TOP OF THE NEWS
Cyber Criminals Targeting Smaller US Firms; Get Millions
Revealed Blogger Suing Google
ISP Drops The Pirate Bay to Avoid Fine
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Eight Indicted in AT&T/T-Mobile Goods and Services Theft
LEGAL ISSUES
Judge Dismisses All But One of the Charges Against San Francisco City Network Administrator
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Agencies Must Now Submit FISMA Data Over Internet
DHS Warns of Malicious Spoofed eMail
Former NIST Officials Concerned About Proposed IT Lab Reorganization
DATA PROTECTION & PRIVACY
ISP Gives Same Default Password to All Subscribers
VULNERABILITIES
Microsoft Suspends Hotmail Attach-Photo Feature
Ameriprise Fixes Cross-Site Scripting Vulnerabilities
UPDATES AND PATCHES
Mozilla Fixes SSL Vulnerability in Thunderbird
Cisco Issues Update to Address Firewall Services Module Software Flaw
ATTACKS & ACTIVE EXPLOITS
London Hospital Cleans Up Conficker Infection
*************************** Sponsored By Bit9 ***************************
Webinar: SANS' Chris Brenton on a World Without Malware
August 27th; 2:00pm EDT
Register for this FREE webinar to hear Chris Brenton address how to eliminate malware and close the security gap that threatens our nation's infrastructure. Topics include:
- - What makes systems vulnerable
- - Why we are losing the malware battle
- - How to win the war
https://www.sans.org/info/47533
*************************************************************************
TRAINING UPDATE
- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition
https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days
https://www.sans.org/info/43118
- - Looking for training in your own community?
https://sans.org/community/
- - Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live:
http://www.sans.org
*************************************************************************
TOP OF THE NEWS
Cyber Criminals Targeting Smaller US Firms; Get Millions (August 25, 2009)
Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews
[Guest Editor's Note (Rob Lee): We are seeing a lot of these. There are three contributing reasons they are growing so fast:
(1) Low threat of arrest in these "safe havens,"
(2) High payout for the crime, and
(3) Victim sharing data on these attacks has been minimal. The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one. ]
Revealed Blogger Suing Google (August 24, 2009)
Rosemary Port, the blogger whose identity was revealed last week by a court order, says she will sue Google for failing to protect her privacy. Port is seeking US $15 million. Vogue model Liskula Cohen won an order seeking the identity of the blogger who made defamatory comments about her. According to Google, Blogger.com users must agree to a privacy policy that allows their identities to be revealed if demanded by legal action. Port thinks Cohen is responsible for the sudden high profile of the case; before Cohen won the order to uncover Port's identity, Port's blog had a very low volume of traffic.
-http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6807682.ece
-http://news.cnet.com/8301-17852_3-10315998-71.html
ISP Drops The Pirate Bay to Avoid Fine (August 24, 2009)
Internet service provider (ISP) Black Internet has cut off service to The Pirate Bay website to avoid fines. A district court decision in Stockholm last week imposed a 500,000 Swedish kronor (US $71,000) fine for each day users can access copyright protected content through the site. The Pirate Bay was able to find another provider, although access is erratic. The court order is a result of legal action taken by a group of copyright holders; The Pirate Bay is scheduled to be sold to the Global Gaming Factory, a Swedish company.
-http://www.computerworld.com/s/article/9137051/The_Pirate_Bay_down_after_ISP_cuts_its_connection?source=rss_security
-http://www.wired.com/threatlevel/2009/08/court-sends-pirate-bay-to-davy-jones-locker/
-http://www.theregister.co.uk/2009/08/24/swedish_court_orders_black_internet_shut_down_tpb/
UPDATE: The ISP Black Internet has been the victim of a DDoS attack following its cutting off of The Pirate Bay.
-http://www.scmagazineuk.com/Former-The-Pirate-Bay-ISP-suffers-sabotage-attack/article/147225/
************************** Sponsored Links: ***************************
1) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link.
https://www.sans.org/info/47669
2) Be sure to register NOW for the Tool Talk Webcast: The Future of SIM and Log Management - Becoming a Part of the Mainstream, IT Operations and Service Delivery.
https://www.sans.org/info/47674
3) In case you missed it...SANS Analyst Webcast: Top Ten Virtualization Security Mistakes and How to Avoid Them.
https://www.sans.org/info/47679
***********************************************************************
THE REST OF THE WEEK'S NEWS
Eight Indicted in AT&T/T-Mobile Goods and Services Theft (August 21, 2009)
Eight people have been indicted in connection with a scheme in which US $22 million worth of devices and services were stolen from AT&T and T-Mobile over four years. Two of the eight worked as authorized cell phone dealers, allowing them access to databases from which they allegedly stole customer names and personally identifiable information that was used to order new wireless devices. They allegedly managed to divert the devices so they were delivered to themselves, then allegedly sold them.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=7003
-http://www.theregister.co.uk/2009/08/21/att_tmobile_id_theft_indictment/
Judge Dismisses All But One of the Charges Against San Francisco City Network Administrator (August 23, 2009)
A San Francisco Superior Court Judge has dismissed all but one of the charges against former city network administrator Terry Childs. Childs has been in custody since July 2008 for allegedly taking control of a city computer network and locking city workers out of accessing the system. Judge Kevin McCarthy dismissed three tampering charges against Childs, leaving him to face only denying city authorities access to the network.
-http://news.cnet.com/8301-1009_3-10315708-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Northcutt): This is a story we must not forget. The data custodian locked the data owner out of access to their own data. You have heard it from me a thousand times, but the two words that define this situation are "access control." ]
Agencies Must Now Submit FISMA Data Over Internet (August 20 & 24, 2009)
A memo from the Office of Management and Budget (OMB) requires all US government agencies to submit Federal Information Security Management Act (FISMA) compliance reports through an online tool. The new requirement is being touted as a time saver, but some are skeptical. An unnamed former federal CIO questioned the value of the change because it is "automating a business process without considering whether the process is effective or efficient in the first place."
-http://www.nextgov.com/nextgov/ng_20090824_1492.php?oref=topstory
-http://www.whitehouse.gov/omb/assets/memoranda_fy2009/m09-29.pdf
DHS Warns of Malicious Spoofed eMail (August 24, 2009)
The US Department of Homeland Security (DHS) has warned of malicious email messages that appear to be from the DHS Division of Intelligence. The emails actually come from addresses in Latvia and Russia and contain links to malware designed to steal passwords. The messages were sent to US Defense Department officials and state and local government officials starting in June.
-http://www.nextgov.com/nextgov/ng_20090824_7279.php?oref=topnews
Former NIST Officials Concerned About Proposed IT Lab Reorganization (August 21, 2009)
Former National Institute of Standards and Technology (NIST) officials have written a letter expressing their concern with NIST's proposal to reorganize its IT Laboratory. Dr. Dennis Branstad, Dr. Stuart Katzke, F. Lynn McNulty and Miles E. Smid wrote that they "believe it is a mistake to diminish NIST's computer security program at a time when external support for the program is at an all-time high and when cybersecurity is of vital importance to the economic well-being and security of our nation." According to a NIST statement, "the proposed reorganization would not include any reduction in force, or major changes in the lab's core competencies."
-http://gcn.com/Articles/2009/08/24/Update-2-NIST-IT-Lab-reorganization.aspx?p=1
[Editor's Note (Schultz): I strongly agree with the former NIST officials. NIST has been incredible in producing valuable security-related standards and guidelines. Why tamper with what is working so well?
(Paller): It is not clear whether the NIST reorganization is a good idea, but it is absolutely clear that the current system is deeply flawed - spewing out thousands of pages of documents written by consultants who then hire on at other federal agencies to write additional reports that purport to decipher and apply the nearly useless guidance. Senior federal officials have just begun holding up NIST Special Publications and saying "This is what we DON'T need." Recall the fable of the emperor's new clothes, when a child with nothing to gain or lose from telling the truth cried out "look, the emperor is naked." ]
ISP Gives Same Default Password to All Subscribers (August 24, 2009)
A European ISP has been assigning the same default password to all new subscribers every month. While the password changes each month, subscribers of the Dutch branch of Tele2 who sign up for service in the same month all have the same password; when users log in for the first time, they are asked if they want to change their password, but they are not required to change it. The passwords have also been easy to guess. The company is considering making it mandatory for subscribers to change their default passwords.
-http://www.scmagazineuk.com/ISP-criticised-for-distributing-the-same-password-to-all-new-users-with-no-firm-instruction-to-change-it/article/147136/
Microsoft Suspends Hotmail Attach-Photo Feature (August 21, 2009)
Microsoft has temporarily suspended the Attach-Photo feature in Hotmail because of security issues. The problem lies in the way the feature interacts with Internet Explorer (IE). Hotmail users can still attach photos to their messages through other methods. Attach-Photo was disabled in late July; Microsoft plans to restore the feature by the end of September. Users complained because they were not notified that the feature would be removed.
-http://www.theregister.co.uk/2009/08/21/hotmail_attach_photo_pulled/
-http://www.computerworld.com/s/article/9136958/Microsoft_Hotmail_users_angry_over_pulled_photo_feature?source=rss_news
Ameriprise Fixes Cross-Site Scripting Vulnerabilities (August 20, 2009)
A number of cross-site scripting (XSS) flaws on the website of Ameriprise Financial could have been exploited to steal sensitive information from customers. The flaws allowed attackers to intersperse malicious content with legitimate Ameriprise site content and to steal users' cookies. When alerted to the flaws, an Ameriprise executive said "It's an important point to note that none of our client data can be exposed by this." Ameriprise fixed the flaws less than two hours after being notified by The Register.
-http://www.theregister.co.uk/2009/08/20/ameriprise_website_vulnerabilities/
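The Ameriprise item describes the classic reflected XSS pattern: a request parameter copied into the page unescaped, so attacker-supplied markup runs with the site's origin and can read its cookies. The following is an added illustration written for this newsletter, not code from Ameriprise or The Register. It shows the unsafe rendering beside its escaped form, a small self-check that a reviewer can run against a page-rendering function, and a Set-Cookie header with the HttpOnly flag that keeps the session cookie out of reach of page scripts even if an escaping bug slips through. The page layout, the parameter, the probe string and the cookie name are all constructed for the example.

```python
"""Reflected-parameter rendering: unsafe concatenation beside an escaped version.

Added illustration; page layout, probe string and cookie name are constructed
for the example and are not Ameriprise's.
"""
import html
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"   # constructed cookie name
# Constructed probe: harmless markup plus a double quote. If it comes back
# verbatim, the renderer is treating user input as HTML.
PROBE = '<b>probe</b>"'


def render_search_unsafe(query: str) -> str:
    """The vulnerable pattern: the query is pasted straight into the markup."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_search_safe(query: str) -> str:
    """The fix: escape <, >, &, and quotes so the query is shown as text only."""
    return f"<html><body><h1>Results for: {html.escape(query, quote=True)}</h1></body></html>"


def reflects_markup_unescaped(render) -> bool:
    """Self-check for a renderer: True if it copies markup from input verbatim."""
    return PROBE in render(PROBE)


def session_cookie_header(value: str) -> str:
    """Set-Cookie header for the session cookie with HttpOnly, Secure and SameSite.

    HttpOnly hides the cookie from document.cookie, so even a script injected
    through an escaping bug cannot read it; Secure keeps it off plaintext HTTP.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = value
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    for name, fn in (("unsafe", render_search_unsafe), ("safe", render_search_safe)):
        print(f"{name}: reflects markup unescaped = {reflects_markup_unescaped(fn)}")
    print(session_cookie_header("constructed-session-value"))
```

The self-check is deliberately a defender's smoke test, not a scanner: it only tells you whether a rendering function treats its input as markup, which is the property the escaping fix is meant to remove. The cookie flags are a second layer; they limit what an injected script can read but do not replace output encoding.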
Mozilla Fixes SSL Vulnerability in Thunderbird (August 21, 2009)
Mozilla has issued an update for its Thunderbird email client to address a flaw that could be exploited by phishers. Thunderbird version 2.0.0.23 addresses a vulnerability in the way SSL certificates are processed. Mozilla fixed the same vulnerability in Firefox several weeks ago.
-http://www.h-online.com/security/Thunderbird-2-0-0-23-fixes-SSL-vulnerability--/news/114053
-http://www.mozillamessaging.com/en-US/thunderbird/2.0.0.23/releasenotes/
-http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
Cisco Issues Update to Address Firewall Services Module Software Flaw (August 19, 21 & 22, 2009)
Cisco has issued a security update to address a vulnerability in a number of its routers and network switches. The flaw could be exploited to cause a denial-of-service condition and crash vulnerable devices. The problem appears to lie in Cisco's Firewall Services Module (FWSM) software. There are no reports of active exploits. The flaw affects Catalyst 6500 series switches and Cisco 7600 series routers with FWSM. Versions 2.x, 3.x and 4.x of the FWSM software are affected.
-http://www.v3.co.uk/v3/news/2248236/cisco-warns-vulnerabilities
-http://www.h-online.com/security/Deadly-pings-for-Cisco-routers-and-switches--/news/114058
-http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml
London Hospital Cleans Up Conficker Infection (August 21 & 24, 2009)
Whipps Cross University Hospital NHS Trust in London has acknowledged that about five percent of its computers were infected with Conficker earlier this month. Only administrative systems were affected and all have been cleaned of the malware. Patient care was not affected. Several other London-area hospitals' computer networks also experienced malware infections late last year.
-http://www.theregister.co.uk/2009/08/24/nhs_hospital_conficker/
-http://www.guardian-series.co.uk/news/4558982.WHIPPS_CROSS__Hospital_hit_by_computer_virus/
[Editor's Note (Schultz): The fact that so many hospitals have not bothered to patch their Windows systems for a vulnerability that surfaced way back last October shows that they are not exercising due care in information security. If they do not exercise due care in security, chances are they are also deficient in other important areas. Potential patients of these hospitals should thus think twice before staying in them--surely better alternatives exist. ]
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/