SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #1

January 05, 2010

The hottest security skills employers are seeking for 2010:

1. Red teaming/penetration testing (systems/networks and applications)
2. Forensics
3. Security essentials
4. Reverse engineering malware
5. Auditing networks and systems (hands-on testing)
6. Intrusion detection
7. Security management and leadership
8. Securing virtual systems
9. CISSP certification

Plus: Effective presentation skills for security professionalsNot surprisingly you'll find the highest rated courses in the world oneach of these topics in New Orleans (January), Orlando (March), and SanDiego (May). See: http://www.sans.org

Alan

Please note two free ISACA presentations for those of you in New Orleans next week:

Wednesday Jan 13 6:00-9:00pm
- COINS program for Security Leadership given by Stephen Northcutt
Friday Jan 15 6:30-9:30 pm - HackLab given by John Strand, SANS instructor

---

TOP OF THE NEWS

ABA Recommends Using Dedicated PC for Online Banking
New Zealand Law Enforcement and Intelligence Agents Get Increased Surveillance Powers
French Anti-Piracy Law Now in Effect

THE REST OF THE WEEK'S NEWS

Pentagon's Planned Cyber Command Faces Questions From Lawmakers
Lawmakers and Consumer and Industry Groups Respond to HHS Interim Breach Notification Rule
Indiana Fugitive Found Through Online Game
TSA Withdraws Subpoenas Against Bloggers
McAfee Report Predicts Top Threats and Trends for 2010
Gonzalez Pleads Guilty
TJX Sniffer Author Sentenced
Chinese Matchmaking Site Data Stolen

---

******************* Sponsored By Relational Wizards *********************

RDC Software presents an Encryption Wizard for Oracle whitepaper. Read how this unique tool is helping organizations meet CISP, HIPAA and PCI compliance standards through encryption techniques that protect data at rest, with faster performance than Oracle's own Transparent Data Encryption (TDE) solution.

https://www.sans.org/info/52893

*************************************************************************

TRAINING UPDATE

- -- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations: Top 7 Trends in Incident Response and Computer Forensics, Advanced Forensic Techniques and more
https://www.sans.org/security-east-2010/
- -- SANS AppSec 2010, San Francisco, January 29-February 5, 2010 8 courses, bonus evening presentations, including Social Zombies: Your Friends Want to Eat Your Brains
https://www.sans.org/appsec-2010/
- -- SANS Phoenix, February 14 -February 20, 2010
https://www.sans.org/phoenix-2010/
- -- SANS 2010, Orlando, March 6 - March 15, 2010
38 courses and bonus evening presentations, including Software Security Street Fighting Style
https://www.sans.org/sans-2010/
- -- SANS Northern Virginia Bootcamp 2010, April 6-13
https://www.sans.org/reston-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses)
- See samples at https://www.sans.org/ondemand/
Plus Tokyo, Bangalore, Oslo and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

ABA Recommends Using Dedicated PC for Online Banking (January 1 & 4, 2010)

The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions.
-http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1?loc=intersti
tialskip
-http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
/UPI-81761262329630/
[Editor's Note (Schultz): The ABA's advice is sound. Once a perpetrator owns a PC, the game is over, so having a dedicated PC that is not exposed to the multitude of risks to which other, multi-function PCs are is a very wise thing to do. In the case of users, having different physical machines for different function is usually not practical, but virtualization (which, by the way, is by no means any kind of security panacea) at least makes it possible to have different virtual machines that can be used for different functions.

(Northcutt): A moderately powered laptop can be had for $500 - 600 that would be plenty for online transactions. But it would be better to use a locked down computer that restricted the box to the online banking site. This may also be an opportunity for the various endpoint whitelist vendors to come up with a special purpose version of their tools. By the way, if anyone is running MS Windows SteadyState could you drop me a note and let me know how well it is or is not working for you?
-http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx]



[Guest Comment (Tim Rosenberg): Perhaps the ABA could suggest putting Faronics' Deep Freeze on the PC dedicated to online banking. It boots the system into read only mode but is transparent to the end user. That way, if someone did forget and use the system for something other than online banking he system would probably prevent malware from being installed. Hacker for Charity is using this software to protect their system configurations on cybercafe and training center systems in Uganda.

-http://www.faronics.com/html/deepfreeze.asp
-http://www.hackersforcharity.org/]

New Zealand Law Enforcement and Intelligence Agents Get Increased Surveillance Powers (January 3, 2010)

Police and Security Intelligence Service agents in New Zealand now have expanded powers of surveillance over citizens' online activity. All mobile phone calls and texts, email and Internet activity, including chatting and social networking, can be now monitored anywhere in the country. Officers must still obtain warrants for information gathering, but phone, email and internet activity can now be addressed with a single warrant. The changes were deemed necessary because criminals are turning to new technology to communicate. Documents obtained by a news source suggest that the changes were made not because of domestic needs, but because of pressure from the US for standardized surveillance capabilities around the world. Technology for monitoring the activity has been installed.
-http://www.stuff.co.nz/national/3203448/NZs-cyber-spies-win-new-powers

French Anti-Piracy Law Now in Effect (January 1, 2010)

France's new Internet anti-piracy law took effect on January 1. Internet users who download music in violation of copyright laws will first receive email warnings. If they continue to violate the law, they will then receive written warnings. If they persist in illegal filesharing activity after both warnings, they will be required to appear before a judge who will have the authority to fine the individual or suspend the individual's Internet access.
-http://news.bbc.co.uk/2/hi/europe/8436745.stm

---

THE REST OF THE WEEK'S NEWS

Pentagon's Planned Cyber Command Faces Questions From Lawmakers (January 3, 2010)

Efforts to establish the Pentagon's computer network defense command have been slowed by congressional concerns about privacy and clarity about the command's mission. A major concern is how the command will "mesh" with existing agencies and organizations, particularly the National Security Agency (NSA). The command was originally slated to launch on October 1, 2009.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/01/02/AR2010010201903_
pf.html

Lawmakers and Consumer and Industry Groups Respond to HHS Interim Breach Notification Rule (December 31, 2009)

Health industry representatives and members of the US Congress have sent letters of comment to US Department of Health and Human Services (HHS) Secretary Kathleen Sebelius regarding her agency's interim final rule regarding data breaches of protected health information. The rule allows organizations in possession of protected health information (PHI) to decide not to notify patients of a breach if the organization determines that it presents no significant risk of harm. Leaders of the House Ways and Means and Energy Committees strongly urged the removal of the substantial harm standard as did consumer advocacy group Consumer Watchdog. The American Hospital Association praised the inclusion of a "risk threshold" in the rule and suggested including identification of "other situations in which inadvertent use and disclosure does not compromise PHI and warrant a breach notification."
-http://www.information-management.com/news/data_breach_security-10016802-1.html?
zkPrintable=true
[Editor' Note (Pescatore): Just think: all those banks we bailed out had judged that their investments did not present any "significant risk." The power of breach disclosure laws has been "if you lose control of information people trusted you to keep safe, you have to tell them." Allowing risk loopholes just means people will be notified only after their information is misused, not before.

(Schultz): Realistically, how can organizations that have protected health information and that barely know what the words "security risk" mean possibly determine what "significant risk of harm" and "risk threshold" mean? ]

Indiana Fugitive Found Through Online Game (December 31, 2009)

The Howard County, Indiana Sheriff's Department found a fugitive from justice through his penchant for playing the online game World of Warcraft (WoW). Alfred Hightower had fled to Canada to evade a warrant issued for his arrest in 2007. After learning that Hightower is an avid WoW player, Deputy Matt Roberson sent a subpoena to Blizzard Entertainment in Canada, seeking information that would help his office locate Hightower. Because the company is Canadian and Roberson had no jurisdiction there, he did not expect anything to come of it, but several months later, he received data from the company that included Hightower's IP address, account information and history, billing address and online screen name. The information was enough to find Hightower and have him deported to the US, where he is expected to face the 2007 charges.
-http://kokomoperspective.com/news/local_news/article_15a0a546-f574-11de-ab22-001
cc4c03286.html

TSA Withdraws Subpoenas Against Bloggers (December 31, 2009)

The US Transportation Security Administration (TSA) has withdrawn subpoenas served against two bloggers who allegedly posted copies of a TSA security directive issued in the wake of the December 25 attempted attack on an airplane en route to Detroit. The document in question was not classified; some airlines had published sections of it on their websites. TSA agents seized Steven Frischling's laptop to image the hard drive; when it was returned to him, it had "tons of bad sectors" and numerous other problems. A TSA official has promised to help Frischling resolve the computer problems. The other blogger, Christopher Elliott, had planned to challenge the subpoena in federal court before it was withdrawn.
-http://www.wired.com/threatlevel/2009/12/tsa-withdraws-subpoenas/#more-12487
[Editor's Note (Pescatore): Generally, fixing the leaky pipe is a better way to keep your basement dry than issuing subpoenas to the water. ]

McAfee Report Predicts Top Threats and Trends for 2010 (December 29 & 30, 2009)

According to McAfee's 2010 Threat Predictions Report, Adobe Reader and Adobe Flash will be the top targets for malware writers in 2010. Users are not always aware that the applications need updating, and the updates themselves can prove complicated to apply. The report also predicts that the severity of attacks against social networking sites will increase and that Trojans designed to steal banking information will become more sophisticated and harder to detect.
-http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=222100263

Gonzalez Pleads Guilty (December 29 & 30, 2009)

Albert Gonzalez has pleaded guilty to charges of conspiracy for his role in the massive data breach that compromised millions of payment card accounts from the networks of Heartland Payment Systems, 7-Eleven, Hannaford Bros. and other retail and financial organizations. The terms of the plea agreement call for a sentence of not less than 17 years and not more than 25 years.
-http://www.cybercrime.gov/gonzalezPlea.pdf
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=22210028
3&subSection=Attacks/breaches
-http://www.scmagazineus.com/gonzalez-pleads-guilty-to-heartland-hannaford-7-11-h
ack/article/160355/
-http://news.cnet.com/8301-27080_3-10423008-245.html?tag=mncol
-http://www.theregister.co.uk/2009/12/30/gonzalez_cybercrime_plea/
-http://www.computerworld.com/s/article/9142844/Heartland_hacker_pleads_guilty_in
_third_case?taxonomyId=17

TJX Sniffer Author Sentenced (December 22 & 29, 2009)

One of the people involved in the TJX data breach has been sentenced to two years in prison. Stephen Watt wrote the sniffer program that was used to steal information on millions of credit and debit card accounts. In October 2008, Watt pleaded guilty to fraud and cybercrime offenses. Following completion of his prison term, Watt will serve three years of probation. The former Morgan Stanley software engineer has also been ordered to pay US $171.5 million in restitution.
-http://www.wired.com/threatlevel/2009/12/stephen-watt/
-http://www.theregister.co.uk/2009/12/29/tjx_sniffer_vxer_jailed/

Chinese Matchmaking Site Data Stolen (December 26 & 28, 2009)

A former board member of a Chinese matchmaking website is accused of stealing applicant information and trying to sell it to other companies. In all, about 16,000 people who registered with the site are affected by the alleged data theft. The unnamed individual took the data from the company before he resigned in mid-2006.
-http://news.asiaone.com/News/AsiaOne%2BNews/Crime/Story/A1Story20091226-188083.h
tml

---

**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/