SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #63
August 10, 2010
Test your information security skills and knowledge and see how you
rank with other info sec pros by playing in two free, online Security
Treasure Hunt Challenges. Each takes 1 to 2 hours to complete.
In the first challenge, you'll get to analyze a target website to
identify vulnerabilities and tactics for securing against attack. The
second challenge involves an analysis of digital forensics evidence
associated with a USB thumb drive. If you are interested (or know
someone interested) in web security and/or digital forensics, register
now for free at www.securitytreasurehunt.com.
Alan
TOP OF THE NEWS
Legislators Seek Answers About Website Data CollectionRIM to Place Three Servers in Saudi Arabia
Computer Repair Engineer Gets Nine Months for Snooping
THE REST OF THE WEEK'S NEWS
Judge Permanently Stops Operation of Phony Domain Name RegistrarAlleged RBS WorldPay Attack Mastermind Extradited to US
Soggy Electronic Devices Could Hold Information About Harris-Moore Accomplices
Childs Draws Four Year Sentence
Firefox 4 Will Incorporate Silent Updates
Hong Kong Executive Resigns Over Sale of Customer Data
Appeals Court Says No to Long-Term GPS Monitoring Without a Warrant
Data Breach Legislation Introduced in Senate
Windows Kernel Flaw
******************** Sponsored by BreakingPoint ******************
In case you missed it... Check out the archived Analyst webcast: Measuring Network Performance, Security and Stability Under Hostile Conditions: SANS Network Security Survey Results
http://www.sans.org/info/63368
********************************************************************
TRAINING UPDATE - - -- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/
- - -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
- - -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/
- - - -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php
- - -- SANS San Francisco 2010, November 5-12, 2010 7 courses
http://www.sans.org/san-francisco-2010/
- - -- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
- - -- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Legislators Seek Answers About Website Data Collection (August 5, 2010)
US Representatives Ed Markey (D-Massachusetts) and Joe Barton (R-Texas) have sent letters to 15 major websites seeking detailed information on the amount of user information they retain and what they do with the information. Specifically, the legislators want to know what information the sites collect; how they use that information for tracking; whether the sites sell the information, and how much money they make selling the information. Their concern was raised by a recent report in the Wall Street Journal about data privacy practices. Both legislators are senior members of the House Energy and Commerce Committee, which hopes to push through privacy legislation this year.-http://www.computerworld.com/s/article/9180209/Lawmakers_question_data_collectio
n_at_major_sites?taxonomyId=84
RIM to Place Three Servers in Saudi Arabia (August 6 & 9, 2010)
BlackBerry parent company Research in Motion (RIM) will put three servers in Saudi Arabia and allow them to be under the jurisdiction of the government there. The action is likely to make unnecessary a planned ban on BlackBerry devices in that country. Authorities plan to test the servers to ensure the accessibility meets with their requirements. Lebanon has said that it plans to start talks with RIM to allow Lebanese security agencies to monitor communications conducted through the BlackBerry network.-http://www.theregister.co.uk/2010/08/09/rim_saudi_arabia/
-http://abcnews.go.com/Business/wireStory?id=11361312
-http://www.bloomberg.com/news/2010-08-09/research-in-motion-saudis-reportedly-re
ach-messaging-agreement-u-s-says.html
-http://news.techworld.com/mobile-wireless/3234550/lebanon-also-looks-at-encrypte
d-blackberry-services/
[Editor's Note: (Honan): It also looks like the German government is not feeling comfortable about the use of Blackberrys and/or Iphones for government ministers
-https://red002.mail.emea.microsoftonline.com/owa/auth/logon.aspx?replaceCurrent=
1&url=https%3a%2f%2fred002.mail.emea.microsoftonline.com%2fowa%2f]
Computer Repair Engineer Gets Nine Months for Snooping (August 6 & 9, 2010)
Grzegorz Zachodni was sentenced to nine months in prison for attempted fraud. Zachodni, a computer repair engineer, was caught in a sting operation. A laptop computer was brought into the shop with the complaint about a memory problem, but it was rigged to film the person doing the repairs and log all files accessed. Zachodni was caught looking at personal pictures and attempting to use a password he had found in a file to access an online bank account. The webcam footage also shows Zachodni downloading account login details and two photographs from the laptop onto a flash drive.-http://www.finextra.com/news/fullstory.aspx?newsitemid=21680
-http://www.techwatch.co.uk/2010/08/09/laptop-repair-hacker-caught-out-by-sky/
-http://www.theregister.co.uk/2010/08/09/corrupt_comp_repair_tech_jailed/
-http://news.sky.com/skynews/Home/UK-News/Laptop-Hacker-Grzegorz-Zachodni-Caught-
By-Sky-News-Hacking-Into-Laptop-Sentenced-To-Nine-Months/Article/201008115678323
?lpos=UK_News_Carousel_Region_2&lid=ARTICLE_15678323_Laptop_Hacker%3A_Grzego
rz_Zachodni_Caught_By_Sky_News_Hacking_Into_Laptop_Sentenced_To_Nine_Months
[Editor's Note (Northcutt): Computer repair shops have always concerned me, this can't be the only event. ]
**************************** SPONSORED LINKS **************************
AccelOps: Replace Cisco CS-MARS from the original MARS creators. See what SC Magazine & MARSblog reviews say about
AccelOps. A Better SIEM-Beyond SIEM. New competitive trade-up program.
http://www.sans.org/info/63363
*************************************************************************
THE REST OF THE WEEK'S NEWS
Judge Permanently Stops Operation of Phony Domain Name Registrar (August 9, 2010)
A US District Court Judge has permanently halted operations of a Canadian company that allegedly sent phony invoices to US individuals and businesses implying that they owed the Canadian company money to register their domain names. The invoice recipients were led to believe that they would lose their web addresses if they did not pay. The company also suggested that its services would include search engine optimization, which would send more traffic to their sites. Judge Robert Dow Jr. acted on a complaint from the US Federal Trade Commission (FTC) against Toronto-based Internet Listing Service. The company allegedly collected more than US $4.26 million in fees.-http://www.computerworld.com/s/article/9180461/FTC_halts_domain_name_registratio
n_scam?taxonomyId=17
-http://www.theregister.co.uk/2010/08/09/domain_registration_scam/
-http://www.ftc.gov/opa/2010/08/ils.shtm
Alleged RBS WorldPay Attack Mastermind Extradited to US (August 7 & 9, 2010)
Sergei Tsurikov has been extradited from Estonia to the US. Tsurikov, who is believed to be one of the masterminds behind the RBS WorldPay attack that netted US $9.4 million in a 12-hour period, will face charges of wire fraud, conspiracy to commit wire fraud, computer fraud, conspiracy to commit computer fraud and aggravated identity theft. The scheme was remarkable in its precision and coordination. The gang allegedly broke into the RBS WorldPay payment processing network and used information obtained there to clone payroll debit cards and raise the limit on the amounts that could be withdrawn. The cards were distributed to helpers worldwide, who, in a 12-hour window in November 2008, stole millions of dollars from 2,100 machines. The gang also attempted to destroy data in RBS WorldPay systems to hide their digital tracks.-http://www.scmagazineus.com/estonian-man-extradited-to-us-to-face-hacking-charge
s/article/176569/
-http://www.computerworld.com/s/article/9180340/Alleged_RBS_WorldPay_hacker_extra
dited_to_U.S.?taxonomyId=144
-http://www.theregister.co.uk/2010/08/07/rbs_worldpay_extradition/
Soggy Electronic Devices Could Hold Information About Harris-Moore Accomplices (August 7, 2010)
A laptop computer and what appeared to be an iPod touch that Colton Harris-Moore threw into the water shortly before his arrest in the Bahamas last month could contain information that identifies accomplices. Harris-Moore, also known as the Barefoot Bandit, is believed to be responsible for a two-year string of robberies, including stolen cars and airplanes. The laptop and the iPod were left in the water for five hours and in the possession of Bahamian police for about 30 hours before they returned to the US with Harris-Moore. The amount of information obtained from the devices depends on how they were handled after they were retrieved from the water.-http://seattletimes.nwsource.com/html/localnews/2012565730_coltonlaptop08m.html
[Editor's Note (Northcutt): I hope we can get the scoop on the forensic story. The devices were thrown into salt water and from what I have been reading, the sooner you get them into fresh water, the better your chance of recovering the data. If anyone knows the forensic examiners and is willing to introduce me, and/or if you have experience with data recovery after salt water immersion and are willing to share any insights that would be great. stephen@sans.edu]
Childs Draws Four Year Sentence (August 6 & 7, 2010)
Former San Francisco city network administrator Terry Childs has been sentenced to four years in prison for refusing to turn over network passwords. Childs maintained that the people who wanted the passwords were not qualified to have them. The network ran during the nearly two weeks that Childs held the passwords, but he was still found guilty on one felony count of denying or disrupting computer services to an authorized user. He finally relented and handed the passwords over to San Francisco mayor Gavin Newsom. Childs has already served more than two years in county jail, which will be applied to his sentence. He could be paroled in four to six months.-http://www.businessweek.com/idg/2010-08-07/network-admin-terry-childs-gets-4-yea
r-sentence.html
-http://www.mercurynews.com/breaking-news/ci_15700557?nclick_check=1
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/08/07/BA8F1EQIBQ.DTL
-http://blogs.csoonline.com/1251/terry_childs_gets_four_year_sentence
Firefox 4 Will Incorporate Silent Updates (August 6 & 9, 2010)
The next major release of Firefox will incorporate silent updating. Firefox 4 is scheduled to be released before the end of the year; two beta versions have been released in the last month and a third is planned for next week. The silent update feature will be available for Windows versions of the browser only. The feature will download and install updates without asking users' permission or requiring confirmation. Such interaction will be reserved for major changes, such as updating from version 4 to 4.5 or 5. Users will have the option of changing the silent update feature back to the traditional, interactive format. Google uses silent updating technology for its chrome browser; that automatic updater cannot be turned off. The developers say that automated, silent updates mean more patched systems.-http://www.h-online.com/security/news/item/Firefox-4-to-include-silent-update-sy
stem-1052756.html
-http://www.computerworld.com/s/article/9180272/Mozilla_plans_to_silently_update_
Firefox?taxonomyId=17
[Editor's Note (Honan): Developers can claim that automated, silent updates "mean more patched systems," but developers need to realize there are reasons for change control processes. Operations people will say that silent updates, if not controlled, can lead to network disruptions and system crashes. Before rolling out this feature I hope Firefox will provide network administrators with a management tool to control how these updates are applied within their environment. ]
Hong Kong Executive Resigns Over Sale of Customer Data (August 6, 2010)
Hong Kong-based Octopus Holdings chief executive Prudence Chan has resigned amid reports that her company sold customers' personal data without their consent. Octopus sells cards that residents of Hong Kong use to pay for riding the subway and buses and to purchase food from certain stores. The data were sold to six companies. The company will donate the HK $44 million (US $5.7 million) it made from the data sale to charity. The breach affects approximately two million customers.-http://www.theregister.co.uk/2010/08/06/octopus_data_sale_scandal/
Appeals Court Says No to Long-Term GPS Monitoring Without a Warrant (August 6, 2010)
The US Court of Appeals for the District of Columbia has ruled that the government may not track suspects for extended periods of time with GPS devices without first obtaining a warrant. The ruling overturns the conviction of a suspected cocaine dealer; law enforcement authorities used a GPS device they installed on the man's car to surreptitiously track his activity for two months. The prosecution argued that a precedent was set in a 1983 case in which police used a tracking beacon to follow a suspect to a secluded location. But the court ruled that a one-time tracking event, much like a police tail, differs greatly from monitoring a suspect's activity over a period of several weeks, because information gleaned from the latter could provide patterns of behavior that were not discernable previously and might reveal more than the police were looking for. "The pattern the Government would document with the GPS data was central to its presentation of the case." The ruling is binding only within that court's jurisdiction.-http://www.wired.com/threatlevel/2010/08/gps-tracking-unconstitutional/
-http://www.theregister.co.uk/2010/08/06/warrantless_gps_surveillance_trounced/
[Editor's Note (Pescatore): Laws evolve slower than technology: back in the 1980's the courts ruled that you didn't need a warrant to install a tracking transmitter on a car as long as you didn't use the subject car's power. If you tied into the car battery, you needed a warrant. But in those days you had to follow the subject with a receiver - there was no GPS technology that would just tell you where he was or where he had been. Very, very different privacy issues if the government can just arbitrarily decide to track where a citizen travels. ]
Data Breach Legislation Introduced in Senate (August 6, 2010)
Two US senators have introduced legislation that would require organizations to notify affected individuals within 60 days of data security breaches. The bill would also require the organizations to develop and implement a plan to protect the data they retain. Other versions of national data breach notification bills have been introduced in both the House and the senate, but not one has ever cleared both chambers. There is no national data breach notification law, although 46 states have their own laws on the books. This most recent bill was introduced by Senators John Rockefeller (D-W.Va.) and Mark Pryor (D-Arkansas).-http://www.scmagazineus.com/rockefeller-pryor-introduce-federal-data-security-la
w/article/176495/
[Editor's Note (Schultz): National legislation concerning required notifications in the event of a data security breach is long overdue. The fact that 46 states have adopted such legislation is overwhelming proof that this legislation is necessary and appropriate.
(Pescatore): There are still a number of these national bills floating around, some that have major loopholes, some that don't. Some require all kinds of new reporting, some don't. Still a long way to go for something that limits both loopholes *and* extraneous reporting. ]
Windows Kernel Flaw (August 6, 7 & 9, 2010)
Microsoft is investigating reports of a kernel-level vulnerability in all versions of Windows. The heap-overflow flaw could be exploited to elevate privileges, crash computers and allow remote code execution. The flaw lies in the "Win32k.sys" device driver and can be exploited through the "GetClipboardData" API (application programming interface).-http://www.theregister.co.uk/2010/08/06/unpatched_windows_kernel_vuln/
-http://www.darkreading.com/vulnerability_management/security/vulnerabilities/sho
wArticle.jhtml?articleID=226600284&cid=RSSfeed_DR_News
-http://www.computerworld.com/s/article/9180338/Microsoft_probes_new_Windows_kern
el_bug?taxonomyId=85
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/