SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #7

January 27, 2009

TOP OF THE NEWS

No stories are important enough to put in Top Of The News this week

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES
UK Judges Will Review Home Secretary's McKinnon Extradition Decision
COURT CASES
Former Employee Admits Deleting Information From Government Computer System
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Digital Britain Report Expected by Week's End
440 MoD Data Storage Devices Lost or Stolen in 2008
Thrift Shop MP3 Player Contains US Military Data
NSW Government Reports Data Breach
Alabama Bail Bond Companies Accessing Sheriff's Database Without Authorization
SPAM, PHISHING & ONLINE SCAMS
Spam Levels Expected to Reach Pre-McColo Takedown Levels Soon
DATA LOSS & EXPOSURE
Monster.com Reports Another Data Security Breach
Lost Disk with British Council Staff Data Was Encrypted
ATTACKS & ACTIVE EXPLOITS
Law Enforcement May Have Suspect in Heartland Data Breach Case

---

******************** Sponsored By Palo Alto Networks ********************

Reduce Cost and Complexity of PCI Compliance with Network Segmentation. Join Forrester Research for a live webinar that will show you how organizations are using network segmentation with strict user and application control policies to significantly reduce the cost and complexity of PCI compliance, and protect customer data. Don't miss this. Register now to attend.
https://www.sans.org/info/37958

*************************************************************************

TRAINING UPDATE

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world. lots of evening sessions: http://www.sans.org/
- - SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

UK Judges Will Review Home Secretary's McKinnon Extradition Decision (January 23, 2009)

Judges in the UK have agreed to review the McKinnon extradition decision made by the UK Home Secretary. The decision is separate from McKinnon's effort to be tried in the UK under the Computer Misuse Act. Instead, McKinnon's legal team requested the review because they believe the Home Secretary's decision was made without taking McKinnon's recent diagnosis of Asperger's syndrome into account.
-http://www.theregister.co.uk/2009/01/23/mckinnon_extradition_review/
-http://news.bbc.co.uk/2/hi/uk_news/7846442.stm
[Editor's Note (Schultz): McKinnon's antics border on being downright theatrical, and the actions and decisions by the UK government with respect to his case only make matters worse. After all the publicity he has gotten, at some point in time (whether or not he eventually goes to prison) McKinnon will lamentably be a much in demand speaker in the information security arena. ]

COURT CASES

Former Employee Admits Deleting Information From Government Computer System (January 26, 2009)

Anthony McIntosh has admitted he caused AU $1 million (US $661,360) worth of damage by breaking in to the Northern Territory Government computer systems and deleting information. McIntosh had worked as a contractor on the government systems before leaving his position last April under less than ideal circumstances. Last May, McIntosh admits, he broke into several government computer systems and deleted profiles of more than 10,000 public servants. McIntosh accessed the system with a former colleague's password.
-http://www.theregister.co.uk/2009/01/26/rogue_contractor_nt_gov_hacking/

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Digital Britain Report Expected by Week's End (January 26, 2009)

The Digital Britain report, a publication that examines issues in Britain's Digital economy, is slated to be published by the end of the month, a week after the date it was originally expected. The report will cover such topics as Internet security, broadband development and digital radio. Some are expecting that the report will establish minimum broadband speeds and require service providers to offer universal coverage. In an interview with The Times, UK Intellectual Property Minister David Lammy said that Internet service providers (ISPs) would not be required to cut off service to users who repeatedly violate copyright laws by illegal file sharing.
-http://news.bbc.co.uk/2/hi/technology/7848028.stm
-http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/music/article5
586761.ece

440 MoD Data Storage Devices Lost or Stolen in 2008 (January 26, 2008)

The UK Ministry of Defence (MoD) says that during 2008, 440 desktop computers, laptops, hard drives and memory sticks were lost or stolen. This brings the total number of devices reported missing in the last five years to over 1,640. Despite new cyber security rules established last summer, 2008 marked the highest number of missing devices since 2003. The lost devices contained personal information, including bank details, driver's license and passport numbers of nearly half of those serving in the armed forces. All persons known to be affected by the breach have been contacted and cautioned to keep a close watch on their account activity.
-http://www.theherald.co.uk/news/other/display.var.2484537.0.MoD_admits_440_compu
ter_data_devices_have_been_lost_or_stolen_in_the_past_year.php

Thrift Shop MP3 Player Contains US Military Data (January 26, 2009)

An MP3 player purchased at an Oklahoma thrift store was found to contain US Army files. The man who bought the device, who is from New Zealand, paid NZ $18 (US $9.50) for the device. When he connected it to his computer, he found it contained 60 files that include names and personal information of US soldiers, information about equipment at various bases and a mission briefing. The files containing a warning that the release of the information they hold is prohibited by federal law. In November, the US Department of defense banned the use of portable data storage devices.
-http://news.theage.com.au/breaking-news-world/nz-man-finds-us-army-files-on-mp3-
player-20090126-7pxt.html
-http://tvnz.co.nz/view/page/413551/2453415

NSW Government Reports Data Breach (January 26, 2009)

The New South Wales, Australian government is reporting that cyber criminals have broken into a website, jobs.nsw.gov.au, used to advertise public service jobs. They allegedly accessed information that allowed them to send spam to the database of job seekers, possibly with the intention of spreading malware or stealing sensitive personal information. The site has been offline since last week. Job seekers upload data potential employers would want to see - employment history, dates of birth, addresses and other information. The spammed email is spoofed so that it appears to come from a NSW government web address.
-http://www.smh.com.au/news/technology/security/id-theft-alert-as-job-site-hacked
/2009/01/26/1232818299147.html

Alabama Bail Bond Companies Accessing Sheriff's Database Without Authorization (January 22, 2009)

According to Mobile (Alabama) County Sherriff Sam Cochran, three area bail bond companies have been accessing law enforcement databases to gain an advantage over competitors. Agents at the three companies managed to obtain login credentials that allowed them to access information about inmates' relatives and solicit their business. Search warrants have been served on the three companies, and seven computers were seized. Two of the computers were logged on to the law enforcement website when deputies entered the establishments. Investigators are still trying to determine how the bail bond companies obtained the login information. The investigation was prompted by complaints from other companies. Law enforcement authorities figured out which companies were accessing the database by planting false contact information.
-http://blog.al.com/live/2009/01/mobile_county_sheriff_bail_bon.html

SPAM, PHISHING & ONLINE SCAMS

Spam Levels Expected to Reach Pre-McColo Takedown Levels Soon (January 26, 2009)

Although spam levels dropped sharply after the hosting company McColo was taken offline by its upstream providers two months ago, new botnets and several resilient older ones are once again building the volume of spam. Levels are expected to reach pre-takedown levels in about one month, if the recent trend continues. McColo was disconnected from the Internet by its upstream provider after the provider received information indicating the hosting company had numerous customers involved in cybercrime. McColo's takedown all but demolished the Srizbi botnet and crippled several others, including Rustock. However, new botnets have taken their places, including one called Ozdok or Mega-D that takes screenshots of activity on infected machines and sends them back to a remote server.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9126793&source=rss_topic17
-http://www.securityfocus.com/brief/893
[Editor's Note (Honan): To effectively deal with the spam menace we cannot rely on shutting down hosting providers as quite simply we just move the source of the problem from one place to another. We need coordinated international cooperation from both law enforcement and ISPs to deal with the source of the problem and put spammers in jail.]

DATA LOSS & EXPOSURE

Monster.com Reports Another Data Security Breach (January 23, 24 & 26, 2009)

Monster.com users are being advised to change their passwords after a data security breach on the job hunting website. An intruder stole email addresses, user IDs, passwords and other personal information from the website's database. Monster.com does not collect Social Security numbers (SSNs). While Monster.com posted a warning about the breach last week, the company does not plan to contact the affected customers individually. Monster.com suffered another breach about 18 months ago in which intruders obtained login credentials for companies looking for employees and used that access to peruse the Monster.com applicant database. Monster.com users reported receiving scam email messages after that breach. That same year, Monster.com was hit with an attack that infected some of the site's pages so that they downloaded malware onto visitors' computers.
-http://news.cnet.com/8301-1009_3-10149884-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-http://www.pcworld.com/businesscenter/article/158270/monstercom_reports_theft_of
_user_data.html
-http://www.theregister.co.uk/2009/01/24/latest_monster_security_breach/

Lost Disk with British Council Staff Data Was Encrypted (January 25, 2009)

A disk containing personal employment information of approximately 2,000 members of the British Council staff was lost by a courier company while in transit between the council's payroll supplier and its human resources department. The data on the disk, which include names, national insurance numbers, salary and bank account information, were encrypted.
-http://www.channel4.com/news/articles/science_technology/encrypted+staff+data+di
sc+lost/2910732

ATTACKS & ACTIVE EXPLOITS

Law Enforcement May Have Suspect in Heartland Data Breach Case (January 23, 2009)

Law enforcement authorities have reportedly identified a suspect in the Heartland Payment Systems data breach. The suspect is believed to be located outside the US; the Justice Department is handling the case. The data thief installed sniffer software on Heartland's computer system; the breach was discovered last fall. Heartland chairman and CEO Robert Carr said the problem that led to the compromise of an estimated 100 million credit card transactions might have been found sooner if payment processors shared security information with one another. .
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=21290231
6&cid
[Editor's Note (Honan): I hope Mr. Carr will set an example for other payment processors and share with the industry how this breach happened so others can learn from the incident. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescactore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.


Alan Paller is director of research at the SANS Institute


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/