SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #85

October 27, 2009

Two new approaches to hard problems in security:

1. Nuclear research labs, operated for the US Department of Energy, have long been the crucibles that create computer security advances later adopted by many other organizations. Two of the labs recently demonstrated a solution to the important problem of enabling and motivating system administrators to find evidence of malicious action on their networks. This has become an important challenge because perimeters are routinely being breached, and attackers are roaming through networks for weeks or months without discovery. The labs' new approach is a unique training program for system and network admins that teaches them how to discover evidence of intruders and provides tools that they can put to work immediately. It's the first security program that is tuned to their interests. Participating sysadmins seem to like it. Here are a few of their comments:

*** "This is training that is long overdue." "Fantastic."

*** "Lets us see what kind of stuff we are up against, and what tools are available to fight back."

*** "Provides a great overview of tools, strategy, cooperation, and the future. Focuses on what you can do right now without needing more training or expensive tools."

Government agencies and defense contractors with 50 or more sysadmins can participate in the national roll-out for this program and help ensure it meets the needs of the defense industrial base and government agencies. Email mbrown@sans.org for scheduling information.

2. Converting compliance to security. The Consensus Audit Guidelines (Critical Controls) are being updated with specific tests you can run to determine how well you have automated each of them, and benchmark your performance. At the same time the user community has identified and vetted security tools that automate each of the critical controls. The list of tools that work and the new tests will be unveiled at the Critical Controls Summit in Washington on November 12-13 run by Government Computer News and Federal Computer Week.

http://www.20critcontrols.com

Alan

---

TOP OF THE NEWS

Cyber Thieves Stole US $40 Million from Small and Mid-Sized Businesses
Chamber of Commerce Press Release Hoax Prompts DMCA Takedown Notice
Operation Eagle Claw Aims to Thwart Nigerian eMail Scammers
DHS Info-Sharing Program Needs to Meet Privacy Standards

THE REST OF THE WEEK'S NEWS

Swiss Foreign Ministry Computer Network Breached
Missing CDs Hold Medical Patient Data
Guardian Breach Exposes Job Hunters' Personal Information
US $14.6 Million Fine in Australian Text Message Scam Case
ATM Hacker Gets Probation
Social Networking Sites Provide Data Thieves With Plenty of Raw Material
Man Sentenced to Nearly Four-and-a-Half Years in Prison for Selling Pirated Software
NIST Postpones Proposed IT Lab Reorganization
New Gmail Feature Helps Avoid Some Misdirected Messages

---

************************ Sponsored By Cenzic ****************************

Website HealthCare Reform is Coming...

Watch Out Nov 9, 2009. Sign up now to be first in line.

https://www.sans.org/info/50019

*************************************************************************

TRAINING UPDATE

-- SANS Middle East, October 31-November 11
https://www.sans.org/middleeast09/
-- SANS San Francisco, November 9-14
https://www.sans.org/sanfrancisco09
-- SANS Sydney, November 9-14
https://sans.org/sydney09/
-- SANS Hong Kong, November 9-14
https://www.sans.org/hong-kong-forensics-2009/
-- SANS Vancouver, November 14-19
https://www.sans.org/vancouver09/
-- SANS London, UK, November 28-December 9
https://sans.org/london09/
-- SANS CDI, Washington DC, December 11-18
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand
Plus Oslo, New Delhi, Geneva and Qatar all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Cyber Thieves Stole US $40 Million from Small and Mid-Sized Businesses (October 26, 2009)

The FBI says that since 2004, cyber thieves believed to be based in Eastern Europe have stolen US $40 million from small and mid-sized US businesses. The thieves use spam to infect the companies' computers with malware that steals online banking credentials, then transfer funds in amounts below the US $10,000 threshold that triggers alerts. The FBI is acknowledging the trend in the hope that companies become aware of the threat and put security safeguards in place. For instance, companies can protect themselves from cyber thieves by conducting online banking transactions on dedicated, locked-down machines. Larger banks have adopted anti-fraud technology to detect anomalous transaction patterns. The companies hardest hit by the fraud, meaning those least likely to recover funds, often use small and regional banks that lack the fraud detection mechanisms of the larger institutions. In some cases, very small banks have prevented fraudulent transactions because they know their customers personally and are alert to behavior that seems out of the character.
-http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.
html

Chamber of Commerce Press Release Hoax Prompts DMCA Takedown Notice (October 23, 2009)

California Internet service provider (ISP) Hurricane Electric has complied with a Digital Millennium Copyright Act (DMCA) takedown notice to remove a phony press release that was designed to appear as if it came from the US Chamber of Commerce. The press release and an accompanying staged press conference were components of a hoax carried out by a group known as The Yes Men in which they falsely announced, that the US Chamber of Commerce has reversed its position on greenhouse gas emission reduction legislation. The takedown notice did not come in time to prevent the story from leaking to major media outlets. The phony press release is still visible on the Internet on a new host; the Chamber of Commerce is mulling over whether or not to seek another takedown notice.
-http://www.wired.com/threatlevel/2009/10/fake-pressrelease-flap/
-http://www.theregister.co.uk/2009/10/26/yes_men_hoax_and_the_dmca/
original takedown notice:
-http://www.eff.org/files/chamber-dmca-notice.pdf
[Editor's Note (Ranum): Is this an appropriate use of DMCA? I thought that DMCA was for copyright protection - not a general "we don't like what is on the web - take it down" law. What is the difference between a phony press release and a parody and how can a court objectively make a determination of such? ]

Operation Eagle Claw Aims to Thwart Nigerian eMail Scammers (October 23, 2009)

An initiative dubbed "Operation Eagle Claw" aims to move "Nigeria out of the top ten list of countries with the highest incidence of fraudulent emails," according to Farida Waziri, chairwoman of the country's Economic and Financial Crimes Commission. Though not yet 100 percent operational, Eagle Claw has resulted in 18 arrests and the closure of more than 800 websites linked to fraud. The initiative involves scanning all email. Police are working with Microsoft to calibrate the technology used to scan the email.
-http://www.msnbc.msn.com/id/33448866/ns/technology_and_science-security/
-http://www.theregister.co.uk/2009/10/23/nigeria_police_success/
-http://news.bbc.co.uk/2/hi/africa/8322316.stm
-http://arstechnica.com/tech-policy/news/2009/10/nigeria-actually-arrests-shuts-d
own-online-scammers.ars

DHS Info-Sharing Program Needs to Meet Privacy Standards (October 23, 2009)

The Department of Homeland Security Appropriations Act 2010 (H.R. 2892) bars the department from using funds to operate the National Immigration Information Sharing Operation (NIISO) until the project is certified to be in compliance with privacy and civil liberties laws. For the program to be deemed for operational funding, NIISO must be certified by the DHS secretary; that certification must then be reviewed by the comptroller general. Of particular concern is the potential for inaccurate data in NIISO's system and the misuse of data in the system.
-http://www.nextgov.com/nextgov/ng_20091023_8381.php
-http://www.washingtonwatch.com/bills/show/111_HR_2892.html

---

************************ Sponsored Links: ****************************

1) DON'T MISS the upcoming webcast: Making Database Security an IT Security Priority

https://www.sans.org/info/50024

2) REGISTER NOW for the upcoming webcast: Tool Talk Webcast: Network Control Meets Endpoint Security

Sponsored by: BigFix & ForeScout

https://www.sans.org/info/50029

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Swiss Foreign Ministry Computer Network Breached (October 26, 2009)

The Swiss Foreign Ministry says that attackers penetrated its computer system with the intent of stealing data from the network. As soon as it became aware of the intrusion, the ministry severed the connection between its network and the Internet; the system remained offline for several days. The source of the attack and the amount of data stolen has not yet been determined.
-http://www.msnbc.msn.com/id/33482676/ns/technology_and_science-security/
-http://www.google.com/hostednews/afp/article/ALeqM5hgxAGXMxiw5_iBql1wtSs8BEuEBQ

Missing CDs Hold Medical Patient Data (October 26, 2009)

Personally identifiable information of 68,000 members of a CalOptima, California Medicaid managed health care plan, has been compromised after several unencrypted CDs sent through certified mail did not arrive at their destination. The data include names, addresses, medical procedure and diagnosis codes and some Social Security numbers (SSNs). The disks were being sent from a vendor to CalOptima. The company plans to notify those affected by the breach once it has worked out a credit monitoring offer.
-http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_mem
bers_may_be_compromised
-http://www.healthdatamanagement.com/news/breach-39246-1.html

Guardian Breach Exposes Job Hunters' Personal Information (October 25 & 26, 2009)

The Guardian newspaper has notified 500,000 people that their personal information was compromised during a "deliberate and sophisticated" attack on the paper's jobs website. The affected data were submitted by users as part of job applications. Approximately 10,330,000 people use the site each year. The Guardian said the system was secured as of Saturday, October 24. Scotland Yard is investigating the incident.
-http://www.h-online.com/security/news/item/Guardian-Jobs-web-site-compromised-83
9188.html
-http://www.theregister.co.uk/2009/10/26/guardian_jobs_data/
-http://news.bbc.co.uk/2/hi/uk_news/8324630.stm
-http://www.v3.co.uk/v3/news/2251964/hackers-hit-guardian-jobs-site
-http://www.pcworld.com/businesscenter/article/174330/guardian_jobs_site_falls_vi
ctim_to_sophisticated_hack.html

US $14.6 Million Fine in Australian Text Message Scam Case (October 23, 2009)

Australia's Federal Court has fined two organizations and three individuals a total of AU $15.8 million (US $14.5 million) for violating the country's Spam Act. The lawsuit was brought by the Australian Communications and Media Authority against Mobilegate Ltd, Winning Bid Pty Ltd, Simon Anthony Owen, Tarek Andreas Salcedo, and Glenn Christopher Maughan for allegedly sending unsolicited and misleading text messages. The scam perpetrators placed phony profiles on dating websites to gather mobile phone numbers, which were then used to lure victims into using high-priced chat services.
-http://www.abc.net.au/news/stories/2009/10/23/2722971.htm
-http://www.australianit.news.com.au/story/0,25197,26250790-15306,00.html

ATM Hacker Gets Probation (October 23, 2009)

Australian pizza parlor worker and erstwhile hacker Brian Sommer will not be sent to jail for his role in stealing AU $30,000 (US $27,430) from ATM machines. Instead, Sommer was sentenced to two years probation, ordered to complete 100 hours of community service and to pay a fine of AU $23,000 (US $21,000). Sommer allegedly used information from ATM repair manuals available for download on the Internet to tinker with the machines' settings and steal the money. The crime was traced back to Sommer because he used his own ATM card and those of family members to make the fraudulent withdrawals. Two accomplices were sentenced to six months probation in December 2007.
-http://www.theregister.co.uk/2009/10/23/oz_atm_hacker/
-http://www.finextra.com/fullstory.asp?id=20648

Social Networking Sites Provide Data Thieves With Plenty of Raw Material (October 21 & 23, 2009)

The growing use of social networking sites is proving to be ripe pickings for identity thieves. On its own, the data may seem innocuous, but it can be cross-referenced with other data to provide potential data thieves with enough information to open credit card accounts or obtain birth certificates. There are also programs available on the Internet that automate the process of collecting and cross-referencing data.
-http://www.irishtimes.com/newspaper/finance/2009/1023/1224257281899.html
-http://www.infosecurity-magazine.com/view/4696/rsa-europe-identity-theft-is-too-
easy-and-can-even-be-automated-says-it-security-expert/
[Editor's Note (Pescatore): This is as much a problem with the lax verification processes by the credit card issuers as is too much data being exposed in social networks. ]


(Hoelzer): This will continue to be an evolving problem. On the one hand people are trying to both market themselves and connect with friends, most of whom don't give much thought to the information that they post. On the other we have the identity thieves who are involved in all-out information warfare. How do you raise awareness when people - -want- to share sensitive information in unwise ways? ]

Man Sentenced to Nearly Four-and-a-Half Years in Prison for Selling Pirated Software (October 22 & 23, 2009)

Gregory William Fair has been sentenced to 41 months in prison for selling pirated software over the Internet. Between 2001 and 2007, Fair sold phony software worth an estimated US $1 million on Internet auction site eBay. Fair has also been ordered to pay US $743,098 in restitution and to forfeit four expensive cars and US $144,000 cash seized from a safe deposit box and a residence. Earlier this year, Fair pleaded guilty to one count of criminal copyright infringement and one count of mail fraud.
-http://www.computerworld.com/s/article/9139823/Virginia_man_to_serve_prison_term
_for_selling_counterfeit_software?source=rss_security
-http://www.usdoj.gov/opa/pr/2009/October/09-crm-1141.html

NIST Postpones Proposed IT Lab Reorganization (October 22 & 23, 2009)

The National Institute of Standards and Technology (NIST) announced last week that "based on the feedback (they) continue to receive," a planned reorganization of its Information Technology Laboratory has been postponed. The impetus for reorganizing the lab comes from the rapidly changing IT environment and concerns that its present structure may no longer best serve the lab's purpose. The IT Lab was created in 1996, and its responsibilities include producing standard encryption algorithms, cyber security requirement compliance guidance, and standards for government IT use. One of the proposed changes would be to move the lab's Computer Security Division director to the IT lab director's office.
-http://gcn.com/Articles/2009/10/23/NIST-IT-lab-reorg-delayed.aspx
-http://www.federalnewsradio.com/?nid=35&sid=1792114

New Gmail Feature Helps Avoid Some Misdirected Messages (October 21 & 24, 2009)

Gmail has introduced a new optional feature designed to help prevent sending email to unintended recipients. Dubbed "Got the Wrong Bob?," the feature warns users if they have included a contact not usually associated with the group of recipients to whom they are sending email. Including unintended recipients often occurs because of the auto-complete function, which can fill in contact names after only the first several letters are typed. The feature works only for emails sent to groups; if the message has one intended recipient, users still need to double check that they have entered the correct address.
-http://www.nytimes.com/2009/10/22/technology/personaltech/22askk-003.html
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article6888051.ece
[Editor's Note (Pescatore): Cool. Now please add a few more features: (1) Making it very, very hard to do a Reply All;
(2) Upon seeing the word "attached" in an outgoing email message that does *not* have an attachment, ask the sender if they meant to attach something;
(3) Reinstate the 4 line .sig restrictions we had 15 years ago and automatically delete any email with an HTML .sig.;
(4) Make it even harder to do a Reply All. ]

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit:

http://portal.sans.org/