SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #43

June 01, 2010

TOP OF THE NEWS

UK Communications Regulator Publishes Draft Anti-Piracy Code for ISPs
Necessary Cyber Security Measures Taking Back Seat to Short-Term Economic Gains
FTC Asks Google Not to Destroy Collected Wi-Fi Data

THE REST OF THE WEEK'S NEWS

Three Indicted in Huge Scareware Scheme
Database Holds 44 Million Stolen Online Gaming Credentials
Online Thieves Steal Over US $100,000 from Utah Credit Union
Adobe Considers Move to Monthly Patches
Legislators to Re-Examine Communications Act and Role of FCC in Broadband
PlainsCapital Bank and Hillary Machinery Settle Suit Over Security Breach and Theft
Judgment Against ISP for "Groundless" Spam Allegations

---

*********** Sponsored By BreakingPoint ***********
What is Resiliency and why is it Important to Network Security? Does your organization measure the impact of security threats, blended traffic and extreme load on the overall performance, security and stability of network devices and systems? Take our SANS network resiliency survey and help us find out if organizations have security resiliency on their radars. Complete the survey and be entered in a drawing for a $250 American Express Gift Certificate! Results will be announced in our June 30 SANS Analysts Webcast, 1PM EST.

http://www.sans.org/info/60043
*************************************************************************

TRAINING UPDATE
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 36 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Amsterdam, Kuala Lumpur, Canberra and Portland all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

UK Communications Regulator Publishes Draft Anti-Piracy Code for ISPs (May 28, 2010)

UK communications regulator Ofcom has published a 74-page draft code of practice that would require large ISPs in the UK to compile lists of customers who violate copyright laws. The ISPs would keep track of who has violated the laws and how many times they have violated the laws. Users suspected of illegal filesharing would receive three warnings before any action can be taken. Anonymized lists will be available to movie and music studios, which can then decide if they want to pursue legal action against infringers; they can seek the users' identities with a court order. The code would initially affect only those ISPs with 400,000 or more subscribers. The code was mandated under the new Digital Economy Act that was passed earlier this year; Ofcom will take comments on the draft document through July 30, 2010.
-http://news.bbc.co.uk/2/hi/technology/10183820.stm
-http://www.scmagazineuk.com/isps-with-fewer-than-400000-subscribers-will-not-be-
initally-covered-by-the-draft-ofcom-code-of-conduct-on-online-copyright-infringe
ment/article/171229/
-http://www.guardian.co.uk/technology/2010/may/28/digital-economy-act-isps-data
-http://www.ofcom.org.uk/consumer/2010/05/draft-code-of-practice-to-reduce-online
-copyright-infringement/
-http://www.ofcom.org.uk/consult/condocs/copyright-infringement/condoc.pdf

Necessary Cyber Security Measures Taking Back Seat to Short-Term Economic Gains (May 29, 2010)

Melissa Hathaway and Jack Goldsmith take the current administration and legislators to task for failing to implement necessary measures to protect the computers systems on which the country is becoming ever-more dependent. Hathaway and Goldsmith say that the "long-term trend of grabbing economic gains from information technology advances and ignoring their security costs has reached a crisis point," and are concerned that nothing concrete will be done until "some component of our economy is destroyed by a catastrophic cyber event." Hathaway is a senior adviser at the Belfer Center of Harvard University's Kennedy School of Government; she directed the current administration's Cyberspace Policy Review in 2009. Goldsmith is a Harvard Law School professor and served as an assistant attorney general in the George W. Bush administration.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/05/28/AR2010052803698.
html

FTC Asks Google Not to Destroy Collected Wi-Fi Data (May 28, 2010)

The Federal Trade Commission (FTC) has asked Google not to destroy any of the documents about data it collected from unsecured Wi-Fi networks in 33 countries while trolling for images for its Street View feature. Google maintains the 600 gigabytes of "fragmentary data" were collected inadvertently. Google has already destroyed data collected in Denmark, Ireland and Austria after the countries requested that action. Google has yet to surrender the information to regulators in any of the countries.
-http://www.latimes.com/business/la-fi-google-20100528,0,4596451.story

---

**************************** Sponsored Link: ***************************
Solera Networks donates network forensics appliances to cyber security training programs. Get yours! http://www.sans.org/info/60073
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Three Indicted in Huge Scareware Scheme (May 28 & 31, 2010)

Three men have been indicted for allegedly running a scareware scheme that took in more than US $100 million. The trio allegedly established phony Internet advertising agencies to get their infected ads onto websites. The code hidden in the ads redirected users' browsers to maliciously crafted websites where they were greeted with pop-up windows telling them their computers were infected with malware and that they needed to purchase software to fix the problems. The phony anti-virus software cost between US $30 and US $70. The US Federal Trade Commission (FTC) filed similar charges against operators of the same companies in 2008. Shaileshkumar P. Jain, Bjorn Daniel Sundin and James Reno are all facing charges of wire fraud, computer fraud, and conspiracy to commit computer fraud.
-http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm
-http://www.theregister.co.uk/2010/05/28/scarware_scam_charges/
-http://www.computerworld.com/s/article/9177498/CEO_of_firm_that_made_100_million
_selling_scareware_was_a_fugitive?taxonomyId=17
-http://www.h-online.com/security/news/item/US-authorities-file-charges-against-t
hree-scareware-authors-1011679.html
-http://www.scmagazineus.com/masterminds-of-far-reaching-scareware-scam-charged/a
rticle/171255/
-http://www.securecomputing.net.au/News/176408,three-people-indicted-in-100m-scar
eware-operation.aspx
Text of indictment:
-http://lastwatchdog.com/wp/wp-content/uploads/100527_Reno_indictment.pdf
[Editor's Comment (Northcutt): I do not like what I am about to say, but I do not see an alternative. As you read the related story about online gaming credentials, and combine that information with many other disclosures, you will see that we are losing ground to the point that it is highly probable that everyone reading this note has had their personal details stolen. The only thing saving us from direct attack is that there are more stolen identities than the crooks have had time to exploit, so far. Even if you run NoScript, keep up to date with patches, etc, when you purchase something using a credit card and that merchant doesn't have enough security AND that merchant stores your credentials, your details end up in these massive databases that will soon have specialized search. The MOST important thing we can do *right* now is increase the penalties for hacking past a certain dollar amount, or for possessing more than a certain number of credentials. Conviction would lead to prison sentence so long and in such a high security prison that it creates a real deterrence. One tiny tip for you, when I make a purchase online and the site makes me create an account, I deliberately list some incorrect information. For instance, I never use my actual birthday; I consistently use one of three fake birthdays. I will also mark the wrong sex etc. Make them have to work harder to mine the information from the vast sea they have collected. ]

Database Holds 44 Million Stolen Online Gaming Credentials (May 27 & 28, 2010)

Researchers at Symantec have found a 17 GB trove of stolen login credentials for gaming accounts and websites. The thieves have apparently written a Trojan horse program called Trojan.Loginck that can check stolen account information for validity. The credentials sell for between US $6 and US $28,000 apiece depending on the level of the game reached by the account's legitimate owner.
-http://www.theregister.co.uk/2010/05/28/symantec_gaming_hack_cache/
-http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/arti
cle/171128/
-http://darkreading.com/security/attacks/showArticle.jhtml?articleID=225200458&am
p;subSection=Attacks/breaches

Online Thieves Steal Over US $100,000 from Utah Credit Union (May 27, 2010)

Treasury Credit Union in Salt Lake City, Utah has lost at least US $100,000 to online theft. The thieves made 70 or more transfers from the credit union starting on May 20, 2010. The majority of the fraudulent transfers were for less than US $5,000; the funds were sent to money mules' accounts. Some larger transfers were sent to small business accounts at commercial banks. Some of the money mules apparently decided to come clean. The thieves gained access to the bank's computer network with login credentials stolen from a credit union employee whose computer was infected with a Trojan horse program.
-http://krebsonsecurity.com/2010/05/cyber-thieves-rob-treasury-credit-union/

Adobe Considers Move to Monthly Patches (May 27, 28 & 30, 2010)

Adobe is considering moving to a monthly security update cycle for Reader and Acrobat. Currently, Adobe issues Reader and Acrobat updates every three months. Adobe is likely feeling pressure for more frequent updates because of the growing number of vulnerabilities in its products that are being disclosed and actively exploited. Adobe is also looking at releasing regular security updates for Flash and Shockwave. Adobe recently introduced an automated update feature that makes it easier for users to ensure they are running the most current versions of Reader and Acrobat. Curiously, the links for downloading Adobe software from the company's website do not lead to the most current versions. Users must download the available version and then update it.
-http://www.h-online.com/security/news/item/Adobe-considers-shorter-update-cycles
-1009131.html
-http://arstechnica.com/security/news/2010/05/adobe-considers-monthly-patches-to-
improve-security.ars
-http://www.pcworld.com/businesscenter/article/197450/adobe_considers_more_freque
nt_patch_schedule.html
-http://www.informationweek.com/blog/main/archives/2010/05/adobe_contempla.html
[Editor's Note (Schultz): Over the years Adobe has improved considerably regarding its responsiveness to disclosed vulnerabilities in its products, particularly Adobe Reader. Moving to a monthly security update cycle would constitute yet another big step forward. ]

Legislators to Re-Examine Communications Act and Role of FCC in Broadband (May 24 & 28, 2010)

US legislators plan to hold meetings in June to look at how the Telecommunications Act needs to be updated to clarify the FCC's enforcement scope and authority over broadband Internet service. The decision was prompted at least in part by a federal appeals court ruling earlier this spring that found the Federal Communications Commission (FCC) had overreached its authority when it used the Telecommunications Act to impose sanctions on Comcast for throttling Internet traffic. The FCC then said it would reclassify broadband Internet service from an information service to a telecommunications service, which would give the FCC more authority to ensure net neutrality and introduce its national broadband plan. The decision to revisit the law, last revised in 1996, has met with approval from telecommunications companies and consumer groups alike. The FCC has received letters from legislators on both sides of the aisle expressing "strong reservations about the course the commission is presently taking with respect to the regulation of broadband access services."
-http://www.nytimes.com/2010/05/25/technology/25broadband.html?partner=rss&em
c=rss
-http://news.cnet.com/8301-30686_3-20006332-266.html
-http://voices.washingtonpost.com/posttech/2010/05/when_the_federal_communication
.html
-http://voices.washingtonpost.com/posttech/2010/05/key_dem_lawmakers_call_for_rew
.html

PlainsCapital Bank and Hillary Machinery Settle Suit Over Security Breach and Theft (May 25, 2010)

An unusual case regarding unauthorized funds transfers from a Texas bank has been settled. Cyber thieves made more than US $800,000 in fraudulent transfers from the PlainsCapital Bank account of Plano-based Hillary Machinery. About US $600,000 was recovered, and Hillary asked that the bank repay the balance. Hillary also wrote a letter to the bank saying that the theft occurred because PlainsCapital did not take adequate security precautions. The bank then sued Hillary; the lawsuit sought certification from the court that it had taken adequate security measures. Hillary filed a countersuit, alleging that the bank did not have adequate security measures in place and that it should have noticed the transactions were anomalous. Details of the settlement have not been released.
-http://www.computerworld.com/s/article/9177322/Bank_customer_settle_suit_over_80
0_000_cybertheft?taxonomyId=82
[Editor's Note (Schultz): PlainsCapital Bank has "asked the court to certify that reasonable computer security measures were in place when the breach occurred." I wonder what the court will decide regarding what is "reasonable?" It could possibly be passing an ISO/IEC 27001/2 or Gramm-Leach-Bliley audit, showing that the bank followed NIST SP 800-053 in its risk management practices, or something else.
(Paller): Using unreliable (multiple assessors reach conflicting conclusions) benchmarks like ISO 27001/2 or NIST 800-53 would be a travesty. Until we can measure security consistently and reliably (as the State Department is doing and now five other Federal agencies are starting to do) we should avoid at all costs the concept of "safe harbor." ]

Judgment Against ISP for "Groundless" Spam Allegations (May 22 & 25, 2010)

A small California Internet service provider (ISP) that was awarded US $2.6 million in a spam lawsuit several weeks ago has been hit with a US $807,000 judgment for filing "groundless claims" against Azoogle.com. Asis Internet Services has filed more than 20 lawsuits against different defendants alleging spam abuse. In this particular case, the judge found that Asis continued with the case against Azoogle without evidence that Azoogle was responsible for the spam in question. The amount awarded Azoogle is to cover the company's attorney's fees.
-http://www.theregister.co.uk/2010/05/25/spam_judgment/
-http://www.circleid.com/posts/20100522_can_spam_plaintiff_slammed_800k_attorney_
fee_asis_v_optin_global/

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/