
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #77

September 29, 2009

TOP OF THE NEWS

Judge Orders Google to Deactivate Account
Court Upholds Decision to Revoke Bottle Domains' Registrar Accreditation
House Subcommittee Approves Cyber Security R&D Bill Amendment

THE REST OF THE WEEK'S NEWS

Cyber Criminals Targeting Foreign Journalists in China
Reddit Fixes Cross-Site Scripting Hole
Inmate Tapped to Help With Computer Program Accessed Hard Drive
US-CERT Warns of Spam Pretending to be From IRS
UNC Notifying Mammography Research Project Participants of Data Breach
FBI Investigating Cyber Theft of School District Funds
Plea Deal for DOD Intelligence Analyst



TOP OF THE NEWS

Judge Orders Google to Deactivate Account (September 24 & 28, 2009)

A US District Court Judge in California has ordered Google to deactivate the Gmail account of a user who was accidentally sent confidential bank information. An employee of Wyoming-based Rocky Mountain Bank sent the data to the account in error; the data include names, Social Security Numbers (SSNs) and loan information of more than 1,300 bank customers. Upon recognizing the mistake, the bank sent another email to the same address, requesting that the recipient destroy the previous email and contact Rocky Mountain Bank. After receiving no reply, the bank asked Google for information about the account holder. Google said that it would not surrender any information without a court order. The judge's order is controversial because it appears to violate the account holder's First Amendment rights. Additionally, deactivating an individual's Gmail account could have far-reaching effects.
-http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=114264

-http://www.theregister.co.uk/2009/09/28/google_rocky_mountain_bank_suit_rollls_on/

[Editor's Note (Northcutt): I had to read this, drink a cup of hot tea, and read it again to comprehend how significant this case is. Please take the time to read the story. There are a couple of issues here. One is that the legal system follows technology by some number of years. Looking backward five years, you can sort of see Judge Ware's point of view, "It is just an email account, the person can get another one." Looking forward two or three years, in the words of Charlene Li, "In the future, two pieces of information will identify you, your email address and your mobile phone number". Bottom line, Judge Ware made a bad call.]

Court Upholds Decision to Revoke Bottle Domains' Registrar Accreditation (September 26 & 28, 2009)

Last week, an Australian court upheld a decision made by the Australian Domain Name Administrator (auDA) to terminate domain registrar Bottle Domains' accreditation after the company failed to disclose a data security breach that occurred in 2007. That issue was unearthed when information from the Bottle Domains database was stolen and sold on the Internet. The court noted Bottle Domains' "extraordinary indifference to the effect of credit card fraud on its victims." Company owner Nicholas Bolton appears to have "acknowledged that it was his consistent position that no warning should be given to registrants concerning the possible misuse of their credit card details until further information was received from the (Australian Federal Police)." The compromised data include credit card details of 25,000 Bottle Domains customers.
-http://www.securecomputing.net.au/News/156951,court-slams-bottle-domains-lax-security.aspx

-http://www.businessday.com.au/business/second-blow-for-bolton-as-company-is-banned-20090925-g696.html

[Editor's Note (Pescatore): Registrars really should be held to higher security standards, both of their infrastructure and of their practices in validating customers' identity. The .org domain has been doing good work; good to see auDA take a tough stand.
(Schultz): For better or worse, domain registrars and ISPs that do not cooperate with law enforcement and other investigations are ultimately bound to suffer the fate that auDA did.]

House Subcommittee Approves Cyber Security R&D Bill Amendment (September 25, 2009)

A US House subcommittee has approved legislation aimed at bolstering the Cybersecurity Research and Development Act. If the proposed law is enacted, federal agencies would be required to submit long term research and development plans that are "based on an assessment of cybersecurity risk." The bill now goes to the House Committee on Science and Technology.
-http://www.scmagazineus.com/House-subcommittee-passes-cybersecurity-RD-bill/article/149714/



************************ Sponsored Links: ****************************

1) IBM Security Management & Compliance Solutions - In the US nearly 114,000 regulations have been introduced since 1981. Learn more at the Service Management Resource Center.

https://www.sans.org/info/49154

2) WEBCAST: Defending against Web 2.0 and Browser Hacks & Attacks. Can SaaS Web Security Deliver Higher Protection & Lower Cost? Keynote by Peter Firstbrook of Gartner

https://www.sans.org/info/49159

3) Register today for an upcoming Novell sponsored SANS web cast on 10/6 titled, Ask The Expert: Offense and Defense: Better Correlation.

https://www.sans.org/info/49164

***********************************************************************

THE REST OF THE WEEK'S NEWS

Cyber Criminals Targeting Foreign Journalists in China (September 28, 2009)

Cyber attackers have been targeting foreign journalists in China with malicious email. The English messages are well-written and are accompanied by a PDF attachment that contains malicious code. The emails appear to be from various news outlets' economics editors. The information contained in the body of the email message appears legitimate; the contacts listed are real people who are professionally involved in the issues described in the message.
-http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/

-http://www.theglobeandmail.com/news/national/foreign-journalists-in-china-target-of-computer-attack/article1303450/

[Editor's Note (Northcutt): Pssst, this has been going on for years. We call it spear phishing. One thing to consider is posting some incorrect information on Twitter etc., so you can see if that is the source of the information collection.
(Schultz): Interestingly, the kinds of attacks described in this news item are the same kinds of attacks (ostensibly originating from China) that have been haunting the US and UK governments for years.]

Reddit Fixes Cross-Site Scripting Hole (September 28, 2009)

Administrators of the Reddit social news aggregator site have fixed a cross-site scripting (XSS) security hole that was being exploited to post spam comments to Reddit threads. The attack took advantage of "the fact that Reddit wasn't filtering out JavaScript in certain instances when (a user) was hovering (the) mouse over text." Administrators are also deleting the rogue postings.
-http://www.theregister.co.uk/2009/09/28/reddit_xss_worm/
-http://www.h-online.com/security/Reddit-Attacked-by-XSS-Exploit--/news/114337
-http://www.f-secure.com/weblog/archives/00001777.html
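The Reddit item above describes the classic shape of this bug: a filter that removes obvious script markup but leaves JavaScript reachable through a hover (event-handler) attribute. The following is an added example, not Reddit's code and not taken from the linked articles. It places a naive blocklist filter beside an allowlist sanitizer for comment markup; the tag and attribute lists, the helper names and the sample comments are all constructed for illustration, and the example goes slightly beyond the item by also rejecting javascript: links, including entity-encoded ones. Production code should rely on a maintained sanitizer such as DOMPurify rather than a hand-rolled regex parser like this one.

```javascript
// Added example, not Reddit's code: allowlist sanitizer for user comment markup
// beside the kind of blocklist filter the news item describes. Tag and
// attribute lists and the sample inputs below are constructed for illustration;
// production code should use a maintained sanitizer such as DOMPurify.

const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };

// Blocklist approach: strips <script> elements and nothing else, so an
// onmouseover handler on an ordinary link passes through untouched.
function naiveFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Single-level entity decode so checks run on what the browser would see
// (e.g. "javascript&#58;" becomes "javascript:").
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Re-escape decoded values before they are written back into an attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Accept http(s), mailto and scheme-less (relative) URLs only. Whitespace and
// control characters are removed first because browsers ignore them inside a
// scheme ("java\tscript:").
function safeHref(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return /^(https?:\/\/|mailto:)/.test(v) || !v.includes(":");
}

// Allowlist approach: unknown tags are dropped, and only listed attributes
// survive, so every on* handler (onmouseover, onerror, ...) is removed
// regardless of the tag it sits on. Script and style bodies are removed whole.
function sanitize(html) {
  const withoutScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return withoutScripts.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (match, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return "";
    if (match.startsWith("</")) return `</${name}>`;
    const allowed = ALLOWED_ATTRS[name];
    const kept = [];
    const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let m;
    while (allowed && (m = attrRe.exec(attrs)) !== null) {
      const aname = m[1].toLowerCase();
      if (!allowed.has(aname)) continue;
      const avalue = decodeEntities(m[2] ?? m[3] ?? m[4] ?? "");
      if (aname === "href" && !safeHref(avalue)) continue;
      kept.push(`${aname}="${escapeAttr(avalue)}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Constructed sample comments, including the hover-triggered payload shape
// the item describes.
const SAMPLES = [
  '<a href="http://example.com" onmouseover="alert(document.cookie)">hover me</a>',
  '<b onmouseover="alert(1)">bold</b>',
  '<a href="javascript&#58;alert(1)">click</a>',
  '<img src=x onerror=alert(1)>',
  '<a href="/r/netsec?a=1&amp;b=2">link</a>',
];

for (const s of SAMPLES) {
  console.log("input:    ", s);
  console.log("naive:    ", naiveFilter(s));
  console.log("allowlist:", sanitize(s));
}
```

The first sample is the instructive one: the blocklist filter returns it unchanged because there is no script tag to remove, while the allowlist sanitizer keeps the link and drops the handler. Allowlisting is the design choice to take away from the item: a filter that enumerates what is forbidden has to anticipate every context in which script can run, whereas one that enumerates what is permitted does not.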

Inmate Tapped to Help With Computer Program Accessed Hard Drive (September 27, 2009)

Prison officials at Ranby Prison in Nottinghamshire, UK, who wanted to create an internal television station at the facility asked an inmate to help create a program to facilitate the process. The man, Douglas Havard, was serving a six-year jail sentence for his role in a phishing scheme that stole an estimated GBP 6.5 million (US $10.4 million). He allegedly accessed the computer system's hard drive while it was left unattended and created a labyrinth of passwords that locked others out of the system. A Prison System spokesperson said Havard "was not able to access records of any other prisoners." Havard is a US citizen serving time in a UK prison.
-http://www.mirror.co.uk/news/top-stories/2009/09/27/conputer-meltdown-115875-21703149/

Story from June 2005 about Havard's original sentence:
-http://www.spamdailynews.com/publish/Doug_Havard_jailed_for_6_years_over_identity_theft_crimes.asp

[Editor's Note (Schmidt): This makes about as much sense as asking a child molester to watch your kids while you run to the store. We will see more of these incidents as people put cyber criminals in positions of access, based on their "perceived" technical expertise. Maybe they should have him sign a non-disclosure agreement.]

US-CERT Warns of Spam Pretending to be From IRS (September 25 & 28, 2009)

The US Computer Emergency Readiness Team (US-CERT) has issued an alert warning of a spam attack in which the messages are spoofed to appear to come from the US Internal Revenue Service (IRS) regarding underreported income. The messages encourage recipients to open an attachment or click on a link to view their tax statement, but the attachment contains malware and the link leads to a malicious website. The IRS warns people not to open attachments in emails claiming to be from the agency. The malware used in this attack is the Zeus Trojan horse program, which is difficult to detect. Zeus is used to help cyber criminals steal money from bank accounts.
-http://www.computerworld.com/s/article/9138527/IRS_scam_now_world_s_biggest_e_mail_virus_problem?source=CTWNLE_nlt_dailyam_2009-09-28

-http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html

-http://www.us-cert.gov/current/#malicious_code_spreading_via_irs

UNC Notifying Mammography Research Project Participants of Data Breach (September 25, 2009)

The University of North Carolina at Chapel Hill (UNC) is notifying 163,000 women whose personal information was exposed in a computer security breach. The compromised server at the UNC School of Medicine contains data collected as part of a mammography research project, and received data from 31 sites across the state. The breach was discovered over the summer, but may have occurred as long ago as 2007. Once the breach was detected, the server was taken offline.
-http://www.computerworld.com/s/article/9138529/UNC_data_breach_exposes_163_000_SSNs?source=rss_security

-http://www.charlotteobserver.com/local/story/967722.html

FBI Investigating Cyber Theft of School District Funds (September 25 & 28, 2009)

The FBI is looking into a series of cyber attacks across the country, including several at public school districts in Illinois. The attacks may involve malware known as Clampi, which is used to steal bank account login data. The attackers stole $350,000 from Crystal Lake District 47's bank account over the summer.
-http://www.nwherald.com/articles/2009/09/24/r_81bg6yrarwyi8zmka9p1q/index.xml
-http://www.computerworld.com/s/article/9138636/School_boards_hit_with_cash_stealing_Trojan?source=rss_security

Plea Deal for DOD Intelligence Analyst (September 24, 2009)

A US Defense Department intelligence analyst has agreed to a plea deal that clears him of charges of felony hacking. Brian Keith Montgomery, who held top secret clearance in connection with his work at the National Geospatial-Intelligence Agency, saw a message regarding an unrelated, classified anti-terrorism operation. He logged into a system associated with the operation twice using a password he had obtained from a classified message that he was authorized to access. Authorities maintain that by logging into the system, Montgomery damaged a terrorism investigation and "caused harm to the US Army and the FBI." Montgomery pleaded guilty to a lesser charge of exceeding authorized access to a computer.
-http://www.wired.com/threatlevel/2009/09/montgomery_plea/


**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/