SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #94

December 01, 2009

TOP OF THE NEWS

Pub Sued for Patron's Illegal Downloading on Wi-Fi Hotspot
Administration Seeks Reversal of Cyber Evidence Gathering Decision

THE REST OF THE WEEK'S NEWS

Online Banking Thieves Find a New Way to Manipulate ACH Transactions
Alleged RuneScape Account Thief Arrested
Microsoft Looking Into Black Screen Problem
Zeus Trojan Spreading Through Drive-by Download
Royal Navy Investigating Loss of USB Stick
Restaurants Suing Point-of-Sale Vendor After Customer Cards Compromised
UK Home Secretary Denies McKinnon's Extradition Appeal
Alleged Filesharers in UK to Receive Warning Letters
Payment Card Data Thieves Target Machine in Downtown Auckland
Former United Way Employee Sentenced for Computer Damage
BSA Temporarily Doubles Maximum Reward for Information About Illegal Software
EXTRAS: Is The Cyber Threat To The Critical Infrastructure Real?
EXTRAS: NIST 800-37 Ends the Era of Federal Certification & Accreditation - Excellent Beginnings - One More Step To Go.

---

************ Sponsored By Lightwave Communications Inc. *****************

SecureAware: The only Effective, Intuitive, Automated GRC Solution with Exceptional ROI!

SecureAware from Lightwave Security is the only Governance, Risk and Compliance solution platform which can be deployed rapidly and effectively. You can begin effectively managing security and compliance risks in a matter of hours, not days or weeks as with other solutions. Best of all, Return On Investment is Second to None!

https://www.sans.org/info/51458

*************************************************************************

TRAINING UPDATE

Two cool new items:

(1) SANS India - India's leading industries recently awakening to the fact that cybersecurity is a survival skill and asked SANS to bring its courses over. If you live in India or have ties to the country, we'd love your help in making sure the right courses are offered and for the right folks.

Email Suresh at SMustapha@sans.org.

The current test plan is posted at

https://www.sans.org/info/51273

(2) Effective presentation class being tested in Washington

https://www.sans.org/security-training/technical-communication-and-presentation-
skills-security-professionals-1422-mid

-- SANS CDI, Washington DC, December 11-18 24 courses, bonus evening presentations, including Future Trends in Network Security
https://www.sans.org/cyber-defense-initiative-2009
-- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
-- SANS AppSec 2010, San Francisco, January 29-February 5, 2010
https://www.sans.org/appsec-2010/
-- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
-- SANS 2010, Orlando, March 6 - March 15, 2010
https://www.sans.org/sans-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Ottawa, Tokyo and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Pub Sued for Patron's Illegal Downloading on Wi-Fi Hotspot (November 27, 2009)

In a case believed to be the first of its kind, a UK pub has been fined GBP 8,000 (US $13,000) because someone used its Wi-Fi hotspot to download copyrighted content. If the UK's Digital Economy Bill goes into effect, similar cases could conceivably be prevented. That bill defines Wi-Fi hotspots as "public communications services," and says that users are responsible for the activity on the connection, not the connection's provider. The bill is proving controversial, as it would require Internet service providers (ISPs) to monitor customers' use of their networks.
-http://news.zdnet.co.uk/communications/0,1000000085,39909136,00.htm?tag=mncol;tx
t
-http://www.eweekeurope.co.uk/news/wi-fi-security--home-nets-are-wide-open--pub-g
ets--8000-fine-2613
-http://www.v3.co.uk/v3/news/2254180/pub-fined-customer-uses-wi
[Editor's Note (Pescatore): Could you fine the pub if someone used a payphone in the pub (OK, just pretend for a second that payphones still exist) to make a threatening phone call?

(Schultz): This case is the first of its kind only in that it involves an undefended wireless network. It is not novel from the standpoint that it in effect amounts to another downstream liability case.

(Northcutt): It is neat being at SANS London 2009 and seeing a NewsBites edition with so much UK information. This story about the pub being sued is really important. It has the potential of drastically limiting the number of open hot spots. Infosec professionals on both sides of the pond in organizations that offer or allow free hotspots should take notice and bring it up with corporate counsel. ]

Administration Seeks Reversal of Cyber Evidence Gathering Decision (November 25, 2009)

US Solicitor General Elena Kagan and officials at the Justice Department are seeking the reversal of a federal appeals court decision that limits the governments' cyber search-and-seizure power. In August, the court ruled that federal prosecutors exceeded their authority when, while holding a warrant for drug testing results of 10 professional baseball players, they seized the test results of 104 players. The decision provided guidelines for gathering cyber evidence in such a way as to protect Fourth Amendment rights limiting the to taking only the data for which it holds a warrant instead of copying everything on a computer's hard drive. If that is not possible, an independent third party must gather the information under the court's supervision and provide only that information for which a warrant has been obtained. The current administration maintains that the ruling has brought some computer evidence searches to a standstill.
-http://www.wired.com/threatlevel/2009/11/obama-wants-computer-privacy-ruling-ove
rturned/

---

************************ Sponsored Links: ****************************

1) Learn about the unique benefits of archiving email in the cloud. Get the white paper!

https://www.sans.org/info/51463

2) SANS FREE Audio Cast: Which is Better: White Box or Black Box Testing? Featuring Ryan Berg, Senior Architect Security Research for IBM, Sponsored by Ounce Labs

https://www.sans.org/info/51468

3) REGISTER NOW for the upcoming webcast: Content-Aware SIEM with Anton Chuvakin

https://www.sans.org/info/51478

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Online Banking Thieves Find a New Way to Manipulate ACH Transactions (November 30, 2009)

In a new spin on the growing problem of thieves abusing the automated clearing house (ACH) system to steal funds from small- to-mid-sized businesses, thieves who are unable to obtain all the necessary login information of their targets' accounts have turned instead to pulling funds from their targets to accounts they have already fully compromised. They then send the stolen funds out from the compromised accounts in increments of less than US $10,000. These schemes affect both the companies from which the funds are pulled and the companies whose compromised accounts are used for funds transfers. One such company in Ohio has had its account frozen and the company owner cannot access his own funds.
-http://voices.washingtonpost.com/securityfix/2009/11/hackers_hit_wash_dc_firm_fo
r_1.html

Alleged RuneScape Account Thief Arrested (November 30, 2009)

Police in the UK have arrested a man for allegedly stealing RuneScape virtual characters and their possessions. RuneScape is a massive online adventure game. The man allegedly used phishing messages to gain other players' RuneScape account login credentials. Players have been known to sell virtual objects for hundreds or even thousands of pounds; while RuneScape rules prohibit the practice, there are no laws preventing players from selling the goods. A physical arrest for a virtual theft of a virtual object seems quiet appropriate to Mark Gerhard, chief executive of Jagex Games, which launched RuneScape. Gerhard said "Players invest years of effort into developing their RuneScape character, so the theft of a RuneScape account shouldn't be treated differently to the theft of any other valuable possessions."
-http://technology.timesonline.co.uk/tol/news/tech_and_web/gadgets_and_gaming/vir
tual_worlds/article6937026.ece
-http://news.bbc.co.uk/2/hi/technology/8386003.stm

Microsoft Looking Into Black Screen Problem (November 30, 2009)

Microsoft is investigating reports that security updates it released in November are causing black screens on some users' computers. The updates allegedly change Access Control List (SCL) entries in the registry. The problem appears to affect computers running Windows 7, Vista and XP.
-http://www.computerworld.com/s/article/9141594/Microsoft_investigates_Windows_bl
ack_screen_of_death_?source=rss_security
-http://www.theregister.co.uk/2009/11/30/prevx_microsoft_black_screen/
-http://news.techworld.com/security/3207759/microsoft-patch-causes-pc-death/
-http://news.cnet.com/8301-13860_3-10406369-56.html

Zeus Trojan Spreading Through Drive-by Download (November 30, 2009)

The Zeus or Zbot Trojan horse program is now spreading through drive-by download. Recently detected spam purporting to come from the US Internal Revenue Service regarding tax refunds provides users with a link to what the message claims is a "tax refund request form." If users click on the provided link, they are taken to a site that attempts to download the malware to their computers without any additional user interaction. Previously, the messages that attempted to spread Zeus asked recipients to download specific items. The IRS has issued a notice warning that it does not send unsolicited email regarding tax accounts.
-http://www.scmagazineus.com/zeus-spreading-through-drive-by-download/article/158
691/

Royal Navy Investigating Loss of USB Stick (November 29 & 30, 2009)

The Royal Navy is investigating the loss of a USB stick containing sensitive information. The device was found in a car park, or parking lot, in Belfast, Northern Ireland; the finder offered to sell it to a newspaper, which declined the offer, and it was then turned over to police. The USB drive holds information about Royal Navy personnel, Royal Navy operations in the UK and locations of Royal Navy officers. The investigators hope to discover the device's last known user and determine whether any of the data was copied.
-http://www.guardian.co.uk/uk/2009/nov/29/navy-investigate-security-northern-irel
and
-http://www.scmagazineuk.com/lost-royal-navy-memory-stick-reportedly-contained-in
formation-on-manoeuvres-and-uk-personnel/article/158595/
[Editor's Note (Hoelzer): We still haven't learned how to protect ourselves from the user. Entering or exiting a SCIF (Sensitive Compartmented Information Facility), chances are that a USB key would be caught and seized regardless of what was on it. What kind of information leak will it take before we really get serious about this kind of thing? Epoxy in the USB ports only seems extreme when you haven't had a loss. ]

Restaurants Suing Point-of-Sale Vendor After Customer Cards Compromised (November 27 & 30, 2009)

Seven restaurants in Louisiana and Mississippi are suing point-of-sale vendor radiant for failing to provide adequate security precautions. The case involves a payment processing program called Aloha that allegedly stored magnetic stripe data in violation of the Payment Card Industry Data Security Standards (PCI DSS). Hundreds of the restaurants' customers had their personal information stolen as a result. An attorney associated with the lawsuit said a US Secret Service investigation found that Computer World, which is a radiant distributor, violated PCI DSS.
-http://www.securecomputing.net.au/News/161651,restaurants-file-lawsuit-against-p
ayment-terminal-vendor-after-identity-theft.aspx
-http://www.ajc.com/business/radiant-systems-sued-over-215910.html
[Editor's Note (Hoelzer): A great example of a very common problem! Likely Radiant has a wonderful product, but who installed it and how closely did they follow the security recommendations of Radiant and the overall guidance of PCI/DSS? Suing people is fine but as a business we should know if our "stuff" is configured correctly. This is what SAQ (Self-Assessment Questionnaires) are all about and there's help for completing them.
-http://www.sans.org/info/35454]

UK Home Secretary Denies McKinnon's Extradition Appeal (November 27 & 30, 2009)

UK Home Secretary Alan Johnson has denied alleged hacker Gary McKinnon's appeal to avoid extradition to the US. McKinnon's family and legal team maintained that "his life is at stake." Due to his having been diagnosed with Asperger's Syndrome, his extradition could prove "disastrous;" his "extremely fragile mental state," his lawyers said could put him at risk of psychosis or suicide. McKinnon's lawyers have until December 2 to file a judicial review of Johnson's decision; he can also appeal to the European Court of Human Rights.
-http://www.scmagazineus.com/british-minister-denies-mckinnon-extradition-appeal/
article/158678/
-http://news.bbc.co.uk/2/hi/uk_news/8382066.stm
-http://www.timesonline.co.uk/tol/news/uk/article6934133.ece

Alleged Filesharers in UK to Receive Warning Letters (November 27, 2009)

ACS:Law Solicitors plans to send letters to as many as 15,000 alleged filesharers warning them that they are suspected of illegal activity. Those who receive the letters will be offered the opportunity to settle the charges out of court for several hundred pounds; if they go to court, they could be ordered to pay thousands of pounds in damages. The tactic has been described by one lawyer as "having very little to do with protecting the rights of the copyright holder ... (and) ... more to do with making money from alleging copyright infringements on a massive scale."
-http://news.bbc.co.uk/2/hi/technology/8381097.stm
-http://www.v3.co.uk/v3/news/2254106/bt-customers-caught-illegally

Payment Card Data Thieves Target Machine in Downtown Auckland (November 26 & 27, 2009)

Payment card fraudsters appear to have compromised payment machines at an Auckland, New Zealand car park to allow them to steal payment card account information. The breach is believed to affect more than 100,000 payment cards, and reports of payment card fraud are surfacing. Some members of the gang behind the theft are believed to be in the US, as some of the compromised cards were used to make purchases at a store in Phoenix, Arizona. It has not yet been determined if the thieves used skimmers or if they broke into the system to obtain the data. Westpac Bank and the Auckland City Council are investigating the breach.
-http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10611976
-http://computerworld.co.nz/news.nsf/scrt/7E178E15FC9F7306CC25767A000E4A3E

Former United Way Employee Sentenced for Computer Damage (November 24 & 27, 2009)

Luis Robert Altamirano has been sentenced to 18 months in federal prison for damaging the computer system of United Way of Miami-Dade. Altamirano had been employed by the charitable organization as a computer specialist from July until December 2007. He accessed the system without authorization a year after his departure and deleted files and disabled the organization's voicemail system. Altamirano will also serve three years of supervised release following the completion of his sentence, and he has been ordered to pay US $50,000 in restitution.
-http://miami.fbi.gov/dojpressrel/pressrel09/mm112409.htm
-http://news.softpedia.com/news/Charity-Hacker-Jailed-for-One-and-a-Half-Years-12
8255.shtml

BSA Temporarily Doubles Maximum Reward for Information About Illegal Software (November 24 & 25, 2009)

The Business Software Alliance (BSA) has increased its maximum reward for reporting unlicensed software use in London. Individuals can now receive up to GBP 20,000 (US $32,800) for reporting illegal software use. A BSA spokesperson expects that due to the economic situation, employees will be more willing to turn in employers that are using unlicensed copies of software. A survey indicates that up to 70 percent of employees would turn in their employers for "improper business practices." The increased reward is in effect through the end of the year, when the reward will revert to its prior level of GBP 10,000 (US $16,400).
-http://www.scmagazineuk.com/business-software-alliance-increases-reward-for-repo
rting-software-piracy/article/158478/
-http://www.channelweb.co.uk/crn/news/2253892/bsa-doubles-whistleblower
-http://www.itpro.co.uk/618076/bsa-doubles-piracy-reward-ahead-of-christmas
[Editor's Note (Schultz): I disagree with the BSA's reasoning. In these current adverse economic times, employees are doing everything they can to hang on to their jobs. Turning in one's employee for a cash reward thus just doesn't make sense. ]

EXTRAS: Is The Cyber Threat To The Critical Infrastructure Real?

A study is underway of public attitudes and data on the importance of cyber threat to the critical infrastructure. It compares US and UK attitudes. Participants include owners and operators of critical infrastructure, government agencies, and other large US industries. If you work for any of those in the US, you are invited to participate:
-http://www.surveymonkey.com/s.aspx?sm=FkP_2bdzchX9doD_2fA6IFw5JQ_3d_3d_

EXTRAS: NIST 800-37 Ends the Era of Federal Certification & Accreditation

- Excellent Beginnings - One More Step To Go.
-http://csrc.nist.gov/publications/PubsDrafts.html#800-37_Rev1
The new draft of NIST's Special Publication 800-37 published two weeks ago is open for review. John Gilligan who serve as CIO of both the Energy Department and of the US Air Force and who was the President's Transition Team Lead for IT and IT Security in the Department of Defense has written a brief analysis that illuminates the one key problem that the new document could easily solve, but doesn't. We have included Gilligan's complete analysis here. If you concur with his findings please let the NIST people before December 15 at sec-cert@nist.gov. If you feel like sharing, we'd love to see your suggestions as well at NIST80037@sans.org.

Comments on NIST Draft of SP 800-37 Final Public Draft, by John Gilligan

(November 28, 2009)

Background: In many agencies, certification and accreditation efforts become very costly and are often operationally disruptive. In a recent stakeholder study for the AF CIO, the high cost and delays associated with certification and accreditation was deemed the number one irritant among senior leadership.

Certification, the technical evaluation of the adequacy of security within a system, has traditionally been done after a system has been developed and tested from a developmental standpoint. That is, certification is an after the fact process. This approach has been encouraged by the certification guidelines from NIST and DoD which describe certification as being performed on a fully developed system. The immediate result of this after the fact certification is a sometimes significant delay in fielding the newly-developed capability as the certification process often continues for a number of weeks or months beyond the completion of the development activities. Another impact of an evaluation after a system is completed is that any changes in a system to improve security come at high cost, and even further delays in fielding.

Typically, the certification process consists of manual reviews by a team (most often comprised of contractors) of the documentation developed during the course of the system development. In some, but not all, cases actual system testing is included as part of the certification process. Rarely is there established criterion for user by the certifiers in determining the adequacy of the technical characteristics of the target system. The certification team is charged evaluating security within the system and identifying residual security risks. Since it is not technically possible to eliminate all security risks, certification teams will always develop recommendations for additional security measures to be added to the system to further reduce risks.

Accreditation is the activity that is done after the completion of certification where residual risks identified by the certifiers are reviewed. If appropriate, the residual risks are accepted by the accrediting official and authorization for use of the system is granted.

In most cases, accreditation is done by a very senior official who relies heavily on the recommendations of the certification process.

The dilemma posed by the timing of accreditation, that is doing accreditation only after certification is fully completed, is that there is no objective standard of acceptability against which acceptable security is measured during certification process. As such, in a typical certification, many security enhancements identified by the certification team often become "required" enhancements. Moreover, as noted earlier, the approach of doing certification after a system implementation is completed results in significant scrap and rework with associated costs as changes to a system are most expensive after the system development is completed.

Said another way, in the absence of clear standards of acceptable security, the objective of the certification process is for the certifiers to identify any and all security enhancements that the certifiers believe could improve security. This typically results in a debate between the users, developers and security team. Due to the complexity of security issues and limited knowledge of attacks, this debate is often decided in favor of the security team even when the accrediting official is involved in the discussion. Quite simply, it is hard culturally and intellectually to counter the potential security exploits described by the certification team.

Revised 800-37: The revised 800-37 contains some significant improvements over prior versions. First, the terms 'certification' and 'accreditation' do not occur in the document. The focus is appropriately on risk management. Moreover, the revised document emphasizes the use of automated tools to evaluate security controls and the need for continuous monitoring. These are very positive steps.

The revised document, however, continues the traditional approach that the evaluation of controls (analogous to certification) is to be performed after a system is fully developed. The result is that the revised document misses the opportunity to fix one of the most problematic areas of certification/risk management-the need to do the evaluation of security risk in parallel to the system development process.

Recommendation: The revised 800-37 should describe that evaluation of security controls are to be done as an integrated part and in parallel with the entire system development life cycle. In this approach, security control requirements would be established as a part of overall system requirements determination (or requirements determination for increments or spirals for programs using iterative, incremental development). Having the accrediting official participate and approve the security requirements at the beginning of the development results in the establishment of a standard for the security evaluation process (formerly called certification). As a part of the integrated development and security evaluation effort the selection of security controls would be done as an integral part of the design process and consistent with the system and security architectures. Reviews of the system design and implementation would also consist of reviews by the security evaluation team of security aspects of these elements. If problems are found, then they would be resolved before the development proceeded thus reducing the potential for costly rework at a later time. During system testing, security controls should also be tested, with the benefit of automated tools to the extent possible. Issues that arise during the process where there is a difference of opinion regarding the need for security enhancements can be forwarded to an appropriate authorizing official for resolution.

Benefits: The result of this type of approach is that by the time operational testing of a system is complete, the evaluation of security controls should also be complete. Since the evaluation team was able to raise issues regarding risks throughout the development process, needed security enhancements should have been accomplished. What is needed by the evaluation team at this point is a summary of their evaluation that identifies residual risks that can be forwarded to the system authorizing official. In this approach, there should be no need for major redesign. In addition, the cost of security control evaluation (formerly certification) should be minimized because the security evaluation team is able to participate in the normal development reviews and testing. Most importantly, systems can be delivered on time.

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/