SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #23

March 23, 2010

The best show in Washington Wednesday afternoon will be at the Rayburn House Office Building at 2 PM. If all goes well, you may witness the beginning of the end of the era of compliance that so damaged federal information security and the practice of security. The complete rewrite of FISMA will be introduced and debated. Real possibility of fireworks. If you report on, or work in federal information security, you won't want to miss this House Subcommittee hearing. If you are not in DC, you can watch on the web.

Alan

---

TOP OF THE NEWS

Russian Police Arrest Alleged Ringleader in RBS WorldPay ATM Fraud Case
Google Will Redirect Chinese Users to Uncensored Hong Kong Site
Appeals Court Says Threats on Web Site are Not Protected Speech
Judge Approves Facebook Beacon Settlement

THE REST OF THE WEEK'S NEWS

TJX Mastermind Gonzalez Could Face 25 Years in Prison
Data Security Concerns Persist in IRS IT Systems
Concerns About Chinese Researchers' Paper on Power Grid Vulnerabilities are Overblown
Russia to Tighten .ru Domain Registration Requirements
Russian Investment Company Working With SEC to Find Stock Scam Artist

---

************************* Sponsored By Microsoft ***********************
Protect Your Data Using Encryption in Microsoft SQL Server (Level 300) In this webcast, Il-Sung Lee, Senior Program Manager, Microsoft Corporation will provide an in-depth description of new encryption features in Microsoft SQL Server 2008 and discuss the key uses, strengths, and weaknesses associated with each encryption technology, including Transparent Data Encryption (TDE) and Extensible Key Management (EKM).
http://www.sans.org/info/57184
*************************************************************************

TRAINING UPDATE

-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Russian Police Arrest Alleged Ringleader in RBS WorldPay ATM Fraud Case (March 22, 2010)

Police in Russia have arrested Viktor Pleshchuk, who is believed to be the mastermind behind an ATM scheme that netted thieves US $9.5 million from RBS WorldPay accounts. Pleshchuk and three other men were indicted in the US last fall. The group of cyber thieves allegedly gained access to an RBS WorldPay system, stole payroll debit card information and reverse engineered the associated personal information numbers (PINs). They also allegedly accessed an associated database in which they altered the available funds and daily withdrawal limits on the compromised accounts. With cloned cards, people in 280 cities around the world made withdrawals from more than 2,000 ATMs in a 12-hour period.
-http://www.wired.com/threatlevel/2010/03/alleged-rbs-hacker-arrested
-http://edition.cnn.com/2010/BUSINESS/03/22/moscow.cybercrime.ft/
-http://www.securecomputing.net.au/News/170201,russia-and-us-working-together-to-
shut-down-stock-hacker.aspx

Google Will Redirect Chinese Users to Uncensored Hong Kong Site (March 22, 2010)

Google will stop censoring Internet search results for its Chinese users. Instead, users will be redirected to Google's Hong Kong-based search engine. Although Google has been negotiating with the Chinese government about unfiltered search results, the government there "has been crystal clear ... that self-censorship is a non-negotiable legal requirement." Hong Kong is an administrative region of China, but has its own economic and political systems. Therefore, the search engine is under Hong Kong's jurisdiction. Google plans to keep its Chinese research and development and sales teams.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/03/22/AR2010032202041.
html
-http://www.informationweek.com/news/software/open_source/showArticle.jhtml?artic
leID=224000379
-http://www.nytimes.com/2010/03/23/technology/23google.html?hp
-http://www.securecomputing.net.au/News/170153,google-reportedly-planning-april-s
hutdown-in-china.aspx
UPDATE FROM BRIAN HONAN: China has responded quickly to Google's actions and is now blocking access to Google.com.hk
-http://www.techradar.com/news/internet/the-great-firewall-of-china-blocks-google
-com-hk-678781?src=rss&attr=all.

This is an interesting page on Google's site to see what China is blocking:
-http://www.google.com/prc/report.html

Appeals Court Says Threats on Web Site are Not Protected Speech (March 19, 2010)

A California appeals court has ruled that threats made about a teenager on a website are not considered protected speech; the ruling allows a suit against those who posted the comments charging them with defamation and hate crimes to proceed. A dissenting judge wrote that the ruling "alters the legal landscape to the severe detriment of First Amendment rights."
-http://www.wired.com/threatlevel/2010/03/cyberbullying-not-protected/

Judge Approves Facebook Beacon Settlement (March 17 & 18, 2010)

A federal judge has approved a settlement of a class action lawsuit against Facebook regarding its now defunct behavioral tracking technology Beacon. The lawsuit was filed in August 2008. Beacon monitored Facebook members' online shopping habits and posted the information for their online friends to see. Facebook will pay US $9.5 million into a trust to establish a foundation that will fund online privacy efforts.
-http://www.computerworld.com/s/article/9173298/Judge_approves_Facebook_s_settlem
ent_offer_in_Beacon_case?taxonomyId=146
-http://articles.latimes.com/2010/mar/18/business/la-fi-facebook18-2010mar18
-http://www.wired.com/threatlevel/2010/03/facebook-beacon-2/?utm_source=feedburne
r&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3
+%28Top+Stories+2%29%29

---

*************************** Sponsored Links ***************************
1) SIEM 2.0 VIEW Demo http://www.sans.org/info/57189 of SC Magazine's Best Buy and Innovator of the Year.

2) Join your peers and other professionals at the first European Forensics & Incident Response Summit April 19-20. http://www.sans.org/info/57194

3) SANS Inquires... Which information security products, services and providers would you like to hear more about? Answer a short 3 question survey and be automatically entered to win a $50 Amazon gift card. http://www.sans.org/info/57199
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

TJX Mastermind Gonzalez Could Face 25 Years in Prison (March 19 & 22, 2010)

Albert Gonzalez, the man who has been convicted of masterminding cyber attacks on computer networks at TJX, Hannaford Bros., Heartland Payment Systems and others, could be facing 25 years in prison if federal prosecutors have their way. "The sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime." Gonzalez once worked as an informant For the US Secret Service, earning US $75,000 a year.
-http://www.wired.com/threatlevel/2010/03/gonzalez-gov-memo/
-http://www.wired.com/threatlevel/2010/03/gonzalez-salary/
-http://www.wired.com/images_blogs/threatlevel/2010/03/gonzalez_gov_sent_memo.pdf

[Editor's Note (Northcutt): It seems sensible to me to make stealing 45 million identities a more serious crime than selling marijuana, not that I support either. When you steal identities you hurt so many innocent people. When you sell Marijuana, the damage, if any, occurs in the lungs and brains of the people that willingly used the drug. Yet, in the time I have spent in the prison system (considerable, and not as an inmate; thank you for asking) and also serving as a NewsBites editor watching the stories go by, it appears to me that in the past people received stiffer sentences marijuana sales than for identity theft. I believe both should be illegal, but that identity theft is the more harmful crime. Nothing against Mr. Gonzalez, but if he is sentenced to a serious number of years, it could send a signal to the criminals of the world there is a downside to identity theft. ]

Data Security Concerns Persist in IRS IT Systems (March 20 & 22, 2010)

According to a report from the Government Accountability Office (GAO), the US Internal Revenue Service (IRS) has yet to address 69 percent of the information security problems the GAO identified in a report last year. Areas of concern include the use of weak passwords, failure to restrict access permissions, and failure to encrypt login data. The report also noted that the IRS lacks an effective disaster recovery procedure.
-http://www.nextgov.com/nextgov/ng_20100322_2474.php?oref=topnews
-http://www.govinfosecurity.com/articles.php?art_id=2323
-http://www.gao.gov/new.items/d10355.pdf

[Editor's Note (Pescatore): Most of the major deficiencies found fall in the change/configuration management and access control areas. These are the same areas where corporate security programs fall short, as well. A big part of the problem is the walk not matching the talk: policies on change management and access control that were written in mainframe days don't match today's realities. The controls certainly need to be modernized, but the policies also need to be updated.
(Ranum): It ought to be clear to anyone by now that getting failing grades in the government has no negative consequences for agencies budgets or management's careers. There will be no improvement as long as people shrug their shoulders about failure.
(Paller): Although I agree with Marcus Ranum that there will be little improvement in government IT security without accountability, evidence is mounting that the GAO security audits have been missing most or all of the important security issues. If, as early data shows, the GAO auditors are being directed to look at the wrong indicators, it is quite possible to have an exemplary security program and still get a damning audit report. Before we decide the IRS is guilty of neglecting its cyber security duties, let's make sure the agency got a fair trial. ]

Concerns About Chinese Researchers' Paper on Power Grid Vulnerabilities are Overblown (March 20, 2010)

Recent focus on the threat of cyber attacks from China has created a politically charged atmosphere. While there are legitimate concerns about the threat, the topic has become so fraught with suspicion that the mention of cyber vulnerabilities and China in the same sentence can cause people to jump to inaccurate conclusions. Wang Jianwei, a Chinese graduate engineering student at Dalian University of Technology, and his professor published a paper last year titled "Cascade-Based Attack Vulnerability on the US Power Grid." Earlier this month, military strategist the House Foreign Affairs Committee was told that the paper described "how to attack a small US power grid sub-network in a way that would cause a cascading failure of the entire US west-coast power grid." However, a reading of the paper confirms Wang's assertion that his "goal is to find a solution to make the network safer and better protected" and that his work could not be used to launch an attack on the power grid.
-http://www.nytimes.com/2010/03/21/world/asia/21grid.html
-http://www.internationalrelations.house.gov/111/wor031010.pdf
[Editor's Note (Pescatore): Dollars to donuts that the next major cascading power outage will be due to environmental or physical causes, or operator error, not due to cyber attack. ]

Russia to Tighten .ru Domain Registration Requirements (March 19 & 22, 2010)

As of April 1, 2010, Russia will require people registering an .ru domain to provide a copy of their passport. Businesses will be required to provide legal registration papers. Currently, domains can be established with no verification of identity, which has attracted those setting up domains for use in cyber scams and other criminal activity.
-http://www.computerworld.com/s/article/9173778/To_fight_scammers_Russia_cracks_d
own_on_.ru_domain?taxonomyId=17
-http://thefrontline.v3.co.uk/2010/03/russian-domain.html

Russian Investment Company Working With SEC to Find Stock Scam Artist (March 19 & 20, 2010)

An investment company that was identified as being responsible for a pump-and-dump stock scheme says that it was mistakenly identified as the culprit; instead, one of the firm's clients was behind the scheme, which netted him more than US $255,000. Last week, a US federal judge granted a Securities and Exchange Commission (SEC) request to freeze the assets of BroCo investments. BroCo says that the account used to make some of the trades in question was opened on behalf of one of their clients. BroCo is cooperating with the ongoing investigation.
-http://news.cnet.com/8301-27080_3-20000806-245.htmls
-http://www.v3.co.uk/v3/news/2259869/russians-sec-working-together

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/