SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #17

March 02, 2010

TOP OF THE NEWS

Schmidt to Announce Declassification of Cybersecurity Initiative
Pentagon Will Allow Social Networking on Non-Classified Networks
Appeals Court Raises Fine in Filesharing Case
Senate Cyber Security Bill Aims to Establish Cohesive Emergency Response Plan

THE REST OF THE WEEK'S NEWS

Alleged Ticket Scammers Indicted
Microsoft Looking Into Zero-Day Flaw in VBScript and Windows Help
Legal Action Against Waledac Whets Microsoft's Appetite for Botnets
DarkMarket Founder Sentenced
Wyndham Hotels Acknowledges Third Breach in a Year
ControlScan Settles With FTC Over Charges it Misled Customers
Crown Prosecution Service Considering Legal Action Over BT's Secret Phorm Trial

---

*************************** Sponsored By Microsoft *********************
Volume 7 of the Microsoft(R) Security Intelligence Report: An in-depth perspective on malicious and unwanted software, software exploits, security breaches and vulnerabilities including data derived from more than 450 million computers worldwide and some of the busiest services on the Internet, such as Windows Live Hotmail and Bing. Get the Full Report including strategies, mitigations, and countermeasures. http://www.sans.org/info/55704
*************************************************************************

TRAINING UPDATE - -- SANS 2010, Orlando, March 6 - March 15, 2010 38 courses and bonus evening presentations, including Software Security Street Fighting Style
http://www.sans.org/sans-2010/

- -- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

- -- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

- -- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

- -- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

- -- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dublin, Dubai, Geneva, Toronto and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Schmidt to Announce Declassification of Cybersecurity Initiative (March 1, 2010)

White House Internet security adviser Howard Schmidt is expected to announce the declassification of portions of the Comprehensive National Cybersecurity Initiative today, March 2, 2010 at the opening of the RSA Conference in San Francisco. The directive was created during the Bush administration to protect public and private IT networks. The declassification effort aims to demonstrate the administration's commitment to transparency. Schmidt also plans to speak to the importance of developing partnerships "among government, industry and the American public."
-http://www.nytimes.com/2010/03/02/science/02cyber.html?ref=todayspaper
-http://blogs.govinfosecurity.com/posts.php?postID=467

Pentagon Will Allow Social Networking on Non-Classified Networks (February 26 & 27, 2010)

A new Pentagon policy will allow all personnel to use social networking sites like Facebook and Twitter on non-classified networks. DoD deputy CIO Dave Wennergren noted in an interview that "service members
[are ]
using these tools to ... do their jobs better and even to collaborate with mission partners and people outside the organization." The policy is the result of a seven-month review in which the risks of using the emerging tools were weighed against their benefits. The policy will be the same throughout all departments.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/02/26/AR2010022606091.
html
-http://www.msnbc.msn.com/id/35611063/ns/technology_and_science-security/
-http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleI
D=223100879&cid=RSSfeed_IWK_News

[Editor's Note (Northcutt): Overall, a step forward, I expect they will have to modify their policies over time to handle things like: 1stlt @CharlieBravo, way to bring #FIRE on position. Can you give us another run 1.2 clicks east of previous? TY #Marja Please RT.
(Shultz): The good news here is that the Pentagon appears to have carefully weighed the costs versus the benefits. ]

Appeals Court Raises Fine in Filesharing Case (February 26, 2010)

A US federal appeals court has ordered Whitney Harper, now 22 and a senior at Texas Tech University, to pay US $27,750 for 37 music files she shared when she was in high school. The ruling overturns a lower court decision that imposed a fine of US $200 for each song, or US $7,400. Harper and her attorney maintain she did not know that she was breaking the law when she shared the music over Limewire. The lower penalty was decided when the lower court agreed that she was an "innocent infringer" under US copyright law. The appeals court noted that the "innocent offender" defense is invalid because the CDs from which the music was shared contained copyright notices. Harper's attorney is considering appealing to the US Supreme Court.
-http://www.wired.com/threatlevel/2010/02/former-teen-cheerleader-dinged-27750-fo
r-infringing-37-songs/
-http://arstechnica.com/tech-policy/news/2010/03/judges-you-cant-claim-innocence-
of-musical-copyrights.ars

Senate Cyber Security Bill Aims to Establish Cohesive Emergency Response Plan (February 26, 2010)

A bill currently under consideration in the US Senate spells out how the nation's critical IT infrastructure would be protected during a nationwide cyber attack. The legislation from Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) would require federal agencies to establish emergency response plans for cyber attacks. It would give the President the power to invoke those plans if and when such an attack occurs. Rockefeller and Snowe both say that current cyber security measures are not cohesive enough to provide adequate protection.
-http://thehill.com/blogs/hillicon-valley/technology/83961-forthcoming-cybersecur
ity-bill-to-give-president-new-powers-in-cyberattack-emergencies

[Editor's Note (Pescatore): Earlier versions of this bill were a mishmash of initiatives, most of which would have made little difference. If the latest version focuses more on *realistic* Internet incident response plans *and* capabilities at federal agencies, great idea. ]

---

*************************** Sponsored Links ***************************
1) Register for Department of Homeland Security Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit March 29-30. http://www.sans.org/info/55709

2) SANS Inquires... Which information security products, services and providers would you like to hear more about? Answer a short 3 question survey and be automatically entered to win a $50 Amazon gift card. http://www.sans.org/info/55714

3) Attend an Online Demo of iPrism Web Filter and Get a $20 Amazon Giftcard! http://www.sans.org/info/55719
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Alleged Ticket Scammers Indicted (March 1, 2010)

Four men have been indicted in a ticket resale scheme that involved bots and made the defendants more than US $25 million over an eight year period. The group, named Wiseguys Tickets and Seats of San Francisco, managed to thwart systems designed to prevent automated ticket purchasing and buy large blocks of premium tickets to popular concerts and sporting events. The men named in the indictment are Kenneth Lowson, Kristofer Kirsch, Joel Stevenson, and Faisal Nahdi. All are charged with unauthorized computer access and wire fraud. The indictment also provides the initials of three people in Bulgaria who allegedly did contract work for the operation. The indictment alleges that Lowson and Kirsch obtained inside information about methods legitimate ticket sellers used to prevent automated purchases; they also allegedly stole some source code. The group developed bots that monitored ticket sellers' sites and would jump into action as soon as tickets for targeted events went on sale; the bots defeated CAPTCHA challenges and jumped to the front of queues. The bots completed the purchase pages with credit card information provided by brokers.
-http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
-http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.
pdf

[Editor's Nte (Pescatore): This will be an interesting test if software written to thwart CAPTCHA systems is really illegal or fraudulent. It is like if you put a cat/dog door in your garage door, could it really be illegal for rats to use it? ]

Microsoft Looking Into Zero-Day Flaw in VBScript and Windows Help (February 28 & March 1, 2010)

Microsoft is investigating reports of a zero-day flaw in Visual Basic Scripting (VBScript) and Windows Help that could be exploited to place malware on Windows XP and Server 2003 computers running Internet Explorer (IE) versions 7 and 8. The flaw could allow attackers to take control of vulnerable computers. Proof-of-concept exploit code has been released. Microsoft has offered several workarounds for the problem, including not pressing the F1 key when prompted to do so by a web site and restricting access to the Windows help system.
-http://www.computerworld.com/s/article/9163298/New_zero_day_involves_IE_puts_Win
dows_XP_users_at_risk
-http://www.h-online.com/security/news/item/Zero-day-exploit-for-Internet-Explore
r-943603.html
-http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/
-http://news.cnet.com/8301-27080_3-10461853-245.html
-http://www.microsoft.com/technet/security/advisory/981169.mspx

Legal Action Against Waledac Whets Microsoft's Appetite for Botnets (February 28, 2010)

Microsoft plans to use the same legal measures it obtained to disable the Waledac botnet to target other botnets. Microsoft obtained a court order to cut off Waledac's command and control servers off from the Internet. While the action has not stopped Waledac in its tracks, the effort "shows it can be done." Microsoft reportedly has five other botnets in mind; the names of the botnets were not given. Microsoft chose to target Waledac first because all of its command and control domains were registered with the same domain registrar.
-http://www.computerworld.com/s/article/9163238/Microsoft_to_target_other_botnets
_with_legal_weapon

DarkMarket Founder Sentenced (February 26 & March 1, 2010)

Renukanth Subramaniam has been sentenced to nearly five years in prison for establishing the DarkMarket underground carder forum. DarkMarket served as a virtual clearinghouse for people to buy and sell stolen payment card and bank account information as well as training and equipment necessary to commit financial crimes. The enterprise met its demise after an FBI agent infiltrated the group in 2008. In all, 60 people were arrested around the world in connection with DarkMarket, which has been called "Facebook for fraudsters." Another man, John McHugh, was sentenced to two years prison for conspiracy to defraud; McHugh manufactured phony cards from stolen information and sold them through DarkMarket.
-http://www.theregister.co.uk/2010/03/01/darkmarket_founder_jailed/
-http://news.bbc.co.uk/2/hi/uk_news/8539680.stm

Wyndham Hotels Acknowledges Third Breach in a Year (February 26 & March 1, 2010)

Wyndham Hotels & Resorts has acknowledged that attackers gained access to their computer systems and stole customer data. This is the third data breach for Wyndham in the last year. The most recent breach took place sometime between October 2009 and January 2010. The stolen data included information from the magnetic stripes of customers' credit cards. Wyndham has not yet notified affected customers of the breach.
-http://www.computerworld.com/s/article/9163041/Wyndham_hotels_hacked_again
-http://www.scmagazineuk.com/wyndham-hotel-group-hacked-over-three-month-period-t
o-leave-customer-credit-card-data-compromised/article/164743/

[Editor's Note (Northcutt): Normally as a business, you would keep the minimum PII on a customer to reduce your PCI exposure. However, that is apparently not how it works in the hotel industry. I include a link to a Microsoft Case Study of the Hard Rock Casino. If you have a moment, read it over and then put on your attacker thinking cap, if you could penetrate deep into those databases you would go far beyond my name, social and credit card number, very far indeed:
-http://www.microsoft.com/casestudies/ServeFileResource.aspx?204065]

ControlScan Settles With FTC Over Charges it Misled Customers (February 25, 2010)

ControlScan has agreed to settle Federal Trade Commission (FTC) charges of misleading customers about how it verified their privacy and security practices. The FTC alleges that ControlScan provided verification seals to websites, but performed "little or no verification" that their practices were protecting site visitors' privacy and security. In addition, the complaint alleges that ControlScan did not perform daily reviews of the sites carrying its seal despite the seal displaying a current date. According to the terms of the settlement, ControlScan is prohibited from misrepresenting its services. In a separate agreement with the FTC, ControlScan founder and CEO Richard Stanton will forfeit U$102,000 in profits from the company.
-http://darkreading.com/securityservices/security/privacy/showArticle.jhtml?artic
leID=223100772&subSection=Privacy
-http://www.ftc.gov/os/caselist/0723165/index.shtm

Crown Prosecution Service Considering Legal Action Over BT's Secret Phorm Trial (February 25, 2010)

The UK's Crown Prosecution Service is considering taking legal action against BT regarding trials of Phorm targeted advertising in which BT customers were not informed their browsing was being tracked. The secret Phorm trial, conducted in 2006, monitored the online behavior of 18,000 broadband lines without informing or obtaining consent from customers.
-http://www.theregister.co.uk/2010/02/25/bt_cps/

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/