SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #83

October 20, 2009

TOP OF THE NEWS

ChoicePoint to Pay US $275,000 to Settle FTC Complaint Over Second Data Breach
UK ISP Demonstration Aims to Reveal Problems with Proposal to Cut Filesharers' Connections

THE REST OF THE WEEK'S NEWS

Scareware Locks Apps on Infected PCs
UK Police Granted Right to Retain Data on Old Convictions
South Korean Chemical Accident Response Information System Breached
Oracle's Quarterly Critical Patch Update Scheduled for October 20
Former Ford Engineer Arrested for Alleged Theft of Trade Secrets
GAO Report Finds Security Weaknesses at NASA
ENISA Names New Director
Postini Delivery Problems Vex Users


*********************** Sponsored By NetWitness *************************

NetWitness provides patented and award winning, next generation security solutions that help government and private organizations discover, prioritize and remediate complex IT risks. NetWitness solutions concurrently solve a wide variety of information security problems including: advanced persistent threat management; sensitive data discovery and data leakage detection; malware activity discovery; insider threat management; policy and controls verification and e-discovery.

https://www.sans.org/info/49768

*************************************************************************

TRAINING UPDATE

-- SANS Chicago North Shore, Oct. 26-Nov. 2
https://www.sans.org/chicago09/
-- SCADA Security Summit, Stockholm, Oct. 27-30
https://www.sans.org/euscada09_summit/
-- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, Nov. 9-14
https://sans.org/sydney09/
-- SANS London, UK, Nov. 28-Dec. 9
https://sans.org/london09/
-- SANS CDI, Washington DC, Dec. 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

ChoicePoint to Pay US $275,000 to Settle FTC Complaint Over Second Data Breach (October 19, 2009)

Data broker ChoicePoint has agreed to pay US $275,000 in fines to settle a US Federal Trade Commission (FTC) complaint stemming from an April 2008 data security breach. The complaint maintains that ChoicePoint did not abide by the terms of an earlier settlement to resolve issues related to a 2004 breach; that settlement required ChoicePoint to establish comprehensive cyber security measures to protect consumers' data, and imposed US $15 million in penalties and compensation. The earlier breach affected more than 160,000 people and resulted in at least 800 instances of identity fraud; the April 2008 breach affected 13,750 people.
-http://www.pcworld.com/article/173902/choicepoint_to_pay_fine_for_second_data_breach.html
-http://voices.washingtonpost.com/securityfix/2009/10/choicepoint_breach_exposed_137.html

[Editor's Note (Schultz): Making requisite changes in corporate information technology, operations and other areas to adequately mitigate data security risks is not something that can be done quickly or easily. Perhaps then it is just that ChoicePoint has escaped with not all that large a fine after its latest data security breach.]

UK ISP Demonstration Aims to Reveal Problems with Proposal to Cut Filesharers' Connections (October 16, 2009)

UK Internet service provider (ISP) TalkTalk staged a demonstration of how easily owners of wireless connections could be wrongly accused of illegal filesharing. A TalkTalk security expert found 23 unsecured wireless connections in a residential neighborhood and, with the owners' permission, used those connections to download music. The files he downloaded were legal downloads. TalkTalk hopes to demonstrate that the government's proposed plan to cut off Internet access to those who share files in violation of copyright law could end up punishing innocent people. The British Phonographic Industry (BPI) maintains that it will educate users before cutting them off, and that its information-gathering tools are sophisticated enough to prevent innocent people from being cut off.
-http://news.bbc.co.uk/2/hi/technology/8305379.stm
-http://news.zdnet.co.uk/security/0,1000000189,39812831,00.htm


************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

https://www.sans.org/info/49773

2) Learn network- and host-centric methods to detect intruders at the Incident Detection Summit December 9-10.

https://www.sans.org/info/49778

***********************************************************************

THE REST OF THE WEEK'S NEWS

Scareware Locks Apps on Infected PCs (October 15 & 19, 2009)

A new variant of scareware has been detected that not only inundates users with exhortations to purchase phony antivirus software called "Total Security 2009," but that also locks users out of nearly all applications until they purchase the disreputable product. Once their PCs are infected with the malware, the only program users can open is Internet Explorer, so they can navigate to the site and make a purchase.
-http://blogs.usatoday.com/technologylive/2009/10/new-twist-on-scareware-locks-up-your-pc.html
-http://www.pcworld.com/article/173765/a_rogue_demands_a_ransom.html

UK Police Granted Right to Retain Data on Old Convictions (October 19, 2009)

A UK court of appeals has ruled that police may retain data on previous criminal convictions, even if those convictions are minor and many years old. The lower court ruling arose from suits brought by individuals seeking to have records of their old convictions purged. One of the cases involved the theft of a 99p (US $1.62) package of meat in 1984, for which the individual was fined GBP 15 (US $24.60).
-http://news.bbc.co.uk/2/hi/uk_news/8314032.stm

South Korean Chemical Accident Response Information System Breached (October 19, 2009)

Attackers reportedly obtained a password for South Korea's Chemical Accident Response Information System (CARIS) in March and used it to access the system and steal information about manufacturers of toxic chemicals and about toxic substances. The source of the attack has not been determined.
-http://english.chosun.com/site/data/html_dir/2009/10/19/2009101900826.html
-http://english.chosun.com/site/data/html_dir/2009/10/19/2009101900401.html

Oracle's Quarterly Critical Patch Update Scheduled for October 20 (October 16 & 19, 2009)

On Tuesday, October 20, Oracle will release its scheduled quarterly Critical Patch Update to address 38 vulnerabilities in 21 product lines. Sixteen of the fixes address flaws in Oracle database; of those, six can be exploited remotely without user interaction. Eight fixes address flaws in the Oracle Applications Suite; of those, five can be exploited remotely without user interaction. Oracle's release comes just one week after Microsoft and Adobe released their largest ever scheduled security updates.
-http://www.h-online.com/security/news/item/Oracle-to-patch-38-vulnerabilities-832541.html
-http://www.securecomputing.net.au/News/158467,oracle-to-roll-out-huge-patch-update.aspx
-http://www.computerworld.com/s/article/9139500/38_Oracle_security_patches_coming_next_week?source=rss_security
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

Former Ford Engineer Arrested for Alleged Theft of Trade Secrets (October 16, 2009)

A former Ford Motor Company engineer has been indicted on charges of theft of trade secrets, attempted theft of trade secrets and unauthorized access to protected computers. Xiang Dong Yu, also known as Mike Yu, was arrested last week as he entered the country at Chicago O'Hare International Airport. Yu worked as a Ford engineer from 1997 to 2007. He allegedly downloaded more than 4,000 documents from Ford computers while still employed by Ford. In December 2006, he accepted a position with Foxconn PCE Industry Inc. in China, but did not tell Ford about his new job until January 2007. A year later, Yu allegedly used the stolen documents in another job search in China. He presently works for a Ford competitor in Beijing.
-http://www.computerworld.com/s/article/9139472/Ex_Ford_engineer_charged_with_trade_secret_theft?source=rss_security
-http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml;jsessionid=JO5GDW2PUKZ4TQE1GHPSKH4ATMY32JVN?articleID=220601211&subSection=Attacks/breaches

GAO Report Finds Security Weaknesses at NASA (October 16 & 19, 2009)

According to a report from the Government Accountability Office (GAO), there are weaknesses in NASA's information technology systems that could be exploited to gain unauthorized access to those systems. The controls NASA is implementing under the requirements of the Federal Information Security Management Act (FISMA) are inadequately enforced. The GAO's report gathered information from NASA headquarters in Washington DC, the Goddard Space Flight Center in Maryland, the Jet Propulsion Laboratory in California and several other NASA facilities. The weaknesses noted include failing to require strong passwords, not encrypting password files, failing to restrict user access to least privileges needed, and outdated configuration and patch management.
-http://gcn.com/articles/2009/10/16/nasa-info-security-controls-broken.aspx
-http://www.nextgov.com/nextgov/ng_20091016_8808.php?oref=topnews
-http://www.scmagazineus.com/GAO-NASA-must-fix-cyber-vulnerabilities/article/155738/
-http://www.gao.gov/new.items/d104.pdf

[Editor's Note (Pescatore): In many ways, from a security perspective NASA looks more like a private industry firm than a government agency. The different centers at NASA very much act like independent business units with strong local IT management and control. These "BUs" need to collaborate with each other, and externally with private industry, driving a lot more external connectivity than the average government agency. Many of the problems identified by GAO stem from this - NASA needs to make sure that every increase in openness and connectivity is balanced with embedded security controls and monitoring processes.]

ENISA Names New Director (October 16, 2009)

Dr. Udo Helmbrecht has been appointed as the new director of the European Network and Information Security Agency (ENISA). Helmbrecht has been president of Germany's Federal Office for Information Security since 2003. He hopes to work closely with other European institutions and member states to improve cyber security. Helmbrecht also aims to establish ENISA as a permanent organization; presently, it has a sunset clause that would see it expire in 2012. (Helmbrecht succeeds Andrea Pirotti in the post of ENISA Director).
-http://www.v3.co.uk/v3/news/2251437/enisa-gets-boss

Postini Delivery Problems Vex Users (October 13, 14 & 15, 2009)

Users of email security and archiving service Postini were frustrated last week when the service began experiencing significant delivery problems. Users were particularly angered by Postini's lack of communication about the problem. Postini was acquired by Google in 2007. The service scans emails for malware. The problem seems to have been caused by a combination of a bad email filter update and "a power-related hardware failure."
-http://www.informationweek.com/news/showArticle.jhtml?articleID=220600859
-http://news.cnet.com/8301-30684_3-10374344-265.html
-http://www.theregister.co.uk/2009/10/15/google_postini_snafu/
-http://www.computerworld.com/s/article/9139316/Postini_trouble_stymies_U.S._e_mail_users?taxonomyId=1

[Editor's Note (Pescatore): We used to call the telecommunications infrastructure "the cloud," and we had very high expectations of reliability. We even had required service levels for things like dial tone. Internet-based web services are today's cloud - boy, are they far from achieving dial-tone like reliability.]


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:

http://portal.sans.org/