Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #92

November 20, 2009

TOP OF THE NEWS

House Science & Technology Committee Passes Cybersecurity Enhancement Act
NSA Helping to Harden Operating Systems
Proposed Legislation Prohibits P2P Use in Government and Contractor Computers

THE REST OF THE WEEK'S NEWS

Lost Hard Drive Holds Seven Years of Health Net Patient Data
Three Charged in Comcast Redirect Attack
One Year Prison Sentence for Scientology DDoS
Banks Reissuing Credit Cards Following Report of Breach at Spanish Payment Company
Secondhand ATMs Pose Security Risk
UK Police Charge Two in Connection With Zeus Trojan
T-Mobile Customer Records Stolen and Sold
Microsoft Suit Involving Former Employee Settled, All Matters Resolved
Man Pleads Guilty in ATM Skimming Case



TOP OF THE NEWS

House Science & Technology Committee Passes Cybersecurity Enhancement Act (November 19, 2009)

The US House Committee on Science and Technology has passed the Cybersecurity Enhancement Act of 2009, which "is based on the concept that in order to improve the security of our networked systems ... the federal government must work in concert with the private sector," according to committee chairman Bart Gordon (D-Illinois). The legislation incorporates elements of two bills that were approved by House subcommittees earlier this year. It will require the National Institute of Standards and Technology (NIST) to take the lead in the US's involvement in the development of international cyber security standards and it will require federal agencies to establish strategic long-term cyber security research and development plans. The bill also incorporates recommendations made in the 60-day Cyberspace Policy Review.
-http://www.scmagazineus.com/house-committee-passes-cyber-rd-standards-bill/article/158110/

-http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR4061:/
[Editor's Note (Paller): This well-meaning bill breaks the first law of cybersecurity - that offense must inform defense. By giving NIST added responsibilities without ensuring the federal agencies that understand offense (especially US-CERT and NSA's VAO and DoD's DC3) shape the guidance that NIST publishes, the Science and Technology Committee is asking the Congress to extend the dismal record that such NIST-only guidance has had, and puts the nation's systems at substantially greater risk.

(Schultz): I must admit that I am astounded that NIST has so much in recent years assumed the proverbial driver's seat in US government information security related issues.

(Pescatore): At first glance, mostly just reinforces NIST's position, helps drive the SCAP efforts, and a few cats and dogs around other R&D efforts. However, odd things often get jammed into the details as bills like these proceed.

(Northcutt): Not the easiest reading. Near as I can tell, this is to kick off a plan within 12 months. Goals include automated checklist, international standards, a private public partnership, serious money in research grants and improvement of identity management while improving the number of females and minorities working in the field. All sounds good, hopefully the money is not given to the usual suspects and some real work gets done.

(Ranum): Cybersecurity is not so much a "Research and Development" problem as it is a "Stop and Clutch the Bleeding" issue. ]

NSA Helping to Harden Operating Systems (November 7, 18 & 19, 2009)

In testimony before the Senate Subcommittee on Terrorism and Homeland Security, National Security Agency (NSA) information assurance director Richard Schaeffer said that his agency helped Microsoft harden Windows 7 and that it is also helping Apple, Sun Microsystems, and Red Hat with similar endeavors. The NSA's involvement in the development process has led to speculation that backdoors will be built into the software to allow communications monitoring and interception. The NSA refutes those claims and says it is helping develop security guidelines and checklists. Schaeffer also said that agencies can protect their systems against 80 percent of known cyber attacks by following three steps: implementing best security practices, configuring networks properly, and monitoring networks effectively.
-http://www.theregister.co.uk/2009/11/19/nsa_enhanced_windows7_security/
-http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development?source=rss_security

-http://www.h-online.com/security/news/item/NSA-helps-Apple-Sun-and-Red-Hat-harden-their-systems-863889.html

-http://fcw.com/Articles/2009/11/17/NSA-3-steps--better-cybersecurity.aspx
[Editor's Note (Pescatore): Ah, conspiracy theories. NSA and other government agencies have been involved in developing "gold" configuration definitions for standard software and network hardware products for a long time, along with the IT industry. Hardening in this case means better configuration and minimization of unneeded services. ]

Proposed Legislation Prohibits P2P Use in Government and Contractor Computers (November 17 & 18, 2009)

A bill introduced in the US House of Representatives would prohibit the use of peer-to-peer (P2P) filesharing technology in government computers and those used by government contractors except in cases where its use has been officially approved. The Secure Federal File Sharing Act would also require the Office of Management and Budget (OMB) to publish P2P-use guidance and would prohibit personal use of P2P software on government networks. The legislation comes in the wake of last month's revelation that a confidential House Ethics Committee document was inadvertently leaked through P2P software.
-http://www.computerworld.com/s/article/9141099/Bill_would_restrict_P2P_use_on_government_networks_?source=rss_security

-http://www.msnbc.msn.com/id/34001958/ns/technology_and_science-security/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/11/17/AR2009111703841.html

-http://thomas.loc.gov/cgi-bin/bdquery/z?d111:H.R.4098:
[Editor's Note (Pescatore): I predicted this would be the knee-jerk silly reaction to the Ethics document leak. It is like back in 2001 when some legislators proposed making buffer overflows illegal. There was already policy saying users shouldn't do this - a law against it wouldn't have changed anything. The issue is the lack of configuration management of the government PCs.

(Honan): I really don't see the benefits legislating against P2P use will bring. Its usage is already against most Government agencies' policies. More policies and laws don't stop people doing things they shouldn't; catching them and punishing them does.]



THE REST OF THE WEEK'S NEWS

Lost Hard Drive Holds Seven Years of Health Net Patient Data (November 19, 2009)

A hard drive containing personal and medical information of 1.5 million Health Net customers was lost in May, but the loss was not disclosed until earlier this week. The drive contains unencrypted Social Security numbers and medical information dating back to 2002; the breach affects customers in Arizona, Connecticut, New Jersey, and New York. Connecticut Attorney General Richard Blumenthal is investigating why the company waited six months to disclose the device's loss. Health Net, which is based in California, is also investigating the incident. The company will send out breach notification letters to affected customers the week of November 30.
-http://www.wired.com/threatlevel/2009/11/healthnet
-http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story
-http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374839,00.html

-http://www.computerworld.com/s/article/9141172/Health_Net_says_1.5M_medical_records_lost_in_data_breach?source=rss_security

-http://healthnet.tekgroup.com/press_kits.cfm?presskit_id=13

Three Charged in Comcast Redirect Attack (November 19, 2009)

Three men have been charged in connection with a redirection attack on Comcast's website. Christopher Allen Lewis, James Robert Black Jr., and Michael Paul Nebel allegedly redirected traffic headed for Comcast's site to another site under their control in May 2008. Comcast claims a loss of US $128,000 as a result of the attack. The three men are allegedly members of a hacker gang and live in different states: Lewis is from Delaware, Black is from Washington, and Nebel is from Michigan.
-http://www.wired.com/threatlevel/2009/11/comcast-hack/
-http://www.seattlepi.com/local/6420ap_pa_comcast_site_hacked.html?source=mypi
-http://www.philly.com/philly/business/technology/20091119_3_charged_with_hacking_Comcast_site.html

-http://www.pcworld.com/businesscenter/article/182715/three_indicted_for_comcast_hack_last_year.html

One Year Prison Sentence for Scientology DDoS (November 18 & 19, 2009)

A 19-year-old man from New Jersey has been sentenced to one year in federal prison for his role in a distributed denial-of-service (DDoS) attack against the Church of Scientology website that took place in January 2008. Dmitriy Guzner will also have two years of probation following his release and he has been ordered to pay US $37,500 in compensation. Guzner had pleaded guilty to one count of unauthorized impairment of a protected computer earlier this year. Another man, Brian Thomas Mettenbrink, has been indicted in connection with the case.
-http://www.theregister.co.uk/2009/11/19/scientology_ddos_teen_jailed/
-http://www.nj.com/news/local/index.ssf/2009/11/verona_teen_sentenced_to_a_yea.html

Banks Reissuing Credit Cards Following Report of Breach at Spanish Payment Company (November 18 & 19, 2009)

A German bank has recalled 60,000 credit cards after learning that the card numbers may have been compromised in a security breach at a Spanish payment company. The German Central Credit Card Commission says the recall is precautionary. Other German banks have recalled cards as well; in all, more than 100,000 German credit cards were recalled. The banks were alerted to the breach by Visa and MasterCard. People who have traveled to Spain recently and used credit cards there are urged to check their statements carefully. Banks in the Czech Republic have begun blocking cards in light of the breach, which is likely to affect citizens of other countries as well.
-http://www.theregister.co.uk/2009/11/19/spanish_card_payment_breach/
-http://news.bbc.co.uk/2/hi/business/8365828.stm
-http://www.forbes.com/feeds/ap/2009/11/18/business-eu-germany-credit-cards_7136133.html

-http://aktualne.centrum.cz/czechnews/clanek.phtml?id=653423

Secondhand ATMs Pose Security Risk (November 18, 2009)

A security consultant who purchased an ATM secondhand through Craigslist found that it still held a log of hundreds of transaction details. Hundreds of the cash machines are sold secondhand through online sources such as eBay and Craigslist. The US has no restrictions on who may own or operate an ATM; thieves could conceivably set up their own machines loaded with skimmers and other data detection technology. A cash machine with a skimmer attached was set up in the lobby of the Defcon security conference in Las Vegas last summer.
-http://www.theregister.co.uk/2009/11/18/second_hand_atm_fraud_risk/
[Editor's Note (Northcutt): Dude! You can't be serious, you put your debit card in a cash machine at Defcon? Or is it wiser to say any casino in Vegas that is not being watched by a security camera? I have been thinking about this for a while and we have created a checking account only for debit card use. We limit how much we put in that account, but have another account with the same bank with more money that can do an online transfer to the debit card checking account. This way, my maximum loss should be limited. I am working with Bank of America because they have so many ATMs, but my research says that Wells Fargo is also pretty flexible for online banking needs.
-http://www.wired.com/threatlevel/2009/08/malicious-atm-catches-hackers/
-http://blogs.zdnet.com/security/?p=3843
By the way, I have lost the link to the internal memo that was sent by the manager to Riviera hotel employees for what to and what not to do or report during Defcon, if anyone has that, please shoot it to me.]

UK Police Charge Two in Connection With Zeus Trojan (November 18, 2009)

Police in the UK have charged two people in connection with using the Zeus Trojan horse program. The man and the woman have been charged with violating the 1990 Computer Misuse Act and the 2006 Fraud Act. The Zeus Trojan, also known as Zbot, is estimated to have infected tens of thousands of computers worldwide. The malware harvests users' online banking account information and other sensitive data and uploads them to servers controlled by cyber thieves. Zeus can also be used to conduct distributed denial-of-service attacks. Infected machines become part of a botnet.
-http://www.scmagazineus.com/uk-police-charge-pair-with-connection-to-zeus-trojan/article/158011/

-http://www.theregister.co.uk/2009/11/18/zeus_trojan_arrests/
-http://www.computerworld.com/s/article/9141092/UK_police_reveal_arrests_over_Zeus_banking_malware?source=rss_security

T-Mobile Customer Records Stolen and Sold (November 17 & 18, 2009)

T-Mobile has acknowledged that an employee stole customer records and sold them to data brokers who in turn sold the information to T-Mobile competitors. The breach affects millions of T-Mobile customers. The information included contract expiration dates, which the rival companies used to target consumers at a time when they might be enticed to switch to another provider. The incident was disclosed by the UK Information Commissioner's Office (ICO). T-Mobile was surprised that the ICO chose to make the case public, because they had been "asked to keep this issue confidential for legal reasons." The individual who is suspected of stealing the information no longer works for T-Mobile.
-http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=221900209

-http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy
-http://www.scmagazineuk.com/t-mobile-criticised-by-information-commissioner-after-it-is-discovered-for-passing-on-customer-details-to-third-parties/article/157940/

-http://news.bbc.co.uk/2/hi/uk_news/8364421.stm

Microsoft Suit Involving Former Employee Settled, All Matters Resolved (November 17, 2009)

A settlement has been reached in a case brought by Microsoft against former employee Miki Mullor. All matters between the parties have been resolved. The lawsuit involved allegations of patent infringement and theft of trade secrets. The terms of the settlement have not been made public and neither party has admitted to any wrongdoing.
-http://www.pcworld.com/article/182372/microsoft_settles_employee_spying_case.html

-http://news.cnet.com/8301-1001_3-10399850-92.html
-http://blog.seattlepi.com/microsoft/archives/185435.asp?from=blog_last3

Man Pleads Guilty in ATM Skimming Case (November 16 & 17, 2009)

Victor Vasile Constantin has pleaded guilty to charges of bank fraud and identity theft for his role in an ATM skimming scheme. Constantin installed skimming devices on ATMs in Fairfield County, Connecticut, to steal information encoded on ATM cards' magnetic stripes. He also installed cameras that allowed him to record the associated account passwords. Over the course of three months, Constantin stole about US $150,000 from Bank of America customer accounts. He faces up to 32 years in prison.
-http://www.theregister.co.uk/2009/11/17/bank_of_america_skimming_plea/
-http://www.connpost.com/ci_13801630


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/