SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #69

August 31, 2010

TOP OF THE NEWS

BlackBerry Gets Two Month Reprieve in India
Horohorin Indicted in RBS WorldPay Case
Virginia Gov't Agencies Suffer Massive Outage

THE REST OF THE WEEK'S NEWS

DARPA Seeks Proposals for Detecting Insider Threats
Jailed Voting Machine Researcher Out on Bail
Pushdo Botnet Hobbled
Worm Spreads Through IM, Opens Back Door on Infected Machines
BGP Experiment Disrupted Internet Traffic
FTC Will Not Recommend Further Action Against LimeWire
ICO Finds Yorkshire Building Society in Violation of Data Protection Act


********************** Sponsored By SANS **************************

SANS introduces three new free whitepaper resources written by Dave Shackleford:
-- McAfee Total Protection for Server Review - http://www.sans.org/info/64228
-- A Guide to Virtualization Hardening Guides - http://www.sans.org/info/64233
-- Cloud Security and Compliance in the Cloud: A Primer - http://www.sans.org/info/64238

Visit our reading room often for free resources!
www.sans.org/reading_room

********************************************************************

TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, December 10-17, 2010 24 courses.
http://www.sans.org/cyber-defense-initiative-2010/

-- Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

********************************************************

TOP OF THE NEWS

BlackBerry Gets Two Month Reprieve in India (August 30, 2010)

Indian authorities have postponed a planned ban on BlackBerry services for 60 days while they study and test a proposal from BlackBerry parent company Research in Motion (RIM) to allow security agencies more access to certain BlackBerry communications. India has asked for real-time access to encrypted corporate email; RIM says it is impossible to grant the request because it does not hold the encryption keys. RIM competitor Nokia has agreed to place a server in India to allow government monitoring of communications.
-http://www.nytimes.com/2010/08/31/technology/31rim.html?ref=technology
-http://money.cnn.com/2010/08/30/technology/blackberry_india/index.htm
-http://www.ft.com/cms/s/0/59b81154-b457-11df-8208-00144feabdc0.html
-http://www.computerworld.com/s/article/9182679/RIM_gets_60_days_reprieve_India_evaluates_its_BlackBerry_proposals?taxonomyId=17

-http://www.google.com/hostednews/ap/article/ALeqM5it_73CxzMozqkSOODLh2r7aCIlLwD9HTRNM82

Horohorin Indicted in RBS WorldPay Case (August 30, 2010)

Vladislav Anatolievich Horohorin has been charged with wire fraud and access device fraud for his alleged involvement with an attack on RBS WorldPay. Cyber thieves stole US $9.5 million from the payment card processing company in "the most sophisticated and organized computer fraud attack ever conducted," according to authorities. The group allegedly broke into RBS systems and stole information to clone cards, raised the limits on the cards and with the help of group members around the world, withdrew the money from ATMs in a 12-hour period on November 8, 2008. Horohorin was being held in France awaiting extradition on separate access device fraud charges.
-http://www.wired.com/threatlevel/2010/08/badb-rbs-worldpay-hack/
-http://www.wired.com/images_blogs/threatlevel/2010/08/rbs-supercediing-indictment.pdf

-http://www.theregister.co.uk/2010/08/07/rbs_worldpay_extradition/

Virginia Gov't Agencies Suffer Massive Outage (August 27 & 30, 2010)

A storage area network (SAN) memory card failure at the Virginia Information Technologies Agency (VITA) left at least two dozen agencies without the ability to conduct business. Among the affected agencies are the Department of Motor Vehicles, which was unable to issue driver's licenses, and the Department of Social Services, which was unable to distribute benefits. The data center where the failure occurred is run by Northrop Grumman.
-http://www.computerworld.com/s/article/9182719/Update_Virginia_s_IT_outage_continues_3_agencies_still_affected?taxonomyId=17

-http://hamptonroads.com/2010/08/massive-computer-outage-halts-some-va-agencies
-http://www2.starexponent.com/news/2010/aug/27/state-struggles-computer-failures-ar-475821/

[Editor's Note (Northcutt): The state of Virginia was an early adopter of blades and virtualization. The advantages and economics are obvious. These outages may prove to be a cautionary tale. With virtualization, you end up with a lot of eggs concentrated in a fairly small basket so that if your continuity of operations plans fail, you go down pretty hard.
(Schultz): This is a perfect example of what can go wrong when cloud services fail. People in general neither recognize the real risk nor plan for loss of availability in cloud services. ]


********************* INTERESTING NEW PROGRAM ****************************

How has the threat to control systems changed during the last year? Who are the new attackers? What kind of damage have they already done? What can they do? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit.
http://www.sans.org/info/64243

****************************************************************************

THE REST OF THE WEEK'S NEWS

DARPA Seeks Proposals for Detecting Insider Threats (August 30, 2010)

The Defense Advanced Research Projects Agency (DARPA) is seeking proposals for technologies to help detect insider threats quickly. Dubbed the CINDER program, the effort aims to "greatly increase the accuracy, rate and speed of detection [of insider threats ... and to] impede the ability of adversaries to operate undetected within government and military interest networks." Abstract proposals are due by September 17; final versions of the proposals are due by October 22, 2010. DARPA has not drawn a connection between the project and the leak of thousands of military documents through Wikileaks, but the project has been described as being able to "detect a Defense employee or service member who conducts a network search or probes file index systems, and then copies information to their computer."
-http://www.infosecurity-us.com/view/12085/darpa-seeks-assistance-with-insider-threats/

-http://www.nextgov.com/nextgov/ng_20100826_5705.php?oref=topnews
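The behaviour quoted above (a broad search or file-index probe followed shortly by a copy to the user's own machine) is the kind of sequence a detection rule can correlate from audit logs. The script below is an added illustration, not code from DARPA or the CINDER program: it parses a constructed audit log, keeps each user's recent reconnaissance-style events, and raises an alert when a local copy follows at least three of them within a 30-minute window. The event names, field layout, window and threshold are all assumptions chosen for the example.

```python
"""Correlate probe-then-copy sequences per user in a constructed audit log.

Added example. Action names, log layout, the 30-minute window and the
threshold of three reconnaissance events are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

RECON_ACTIONS = {"search", "index_probe"}   # assumed action names for searching/probing
EXFIL_ACTION = "copy_to_local"              # assumed action name for copying to own machine
WINDOW = timedelta(minutes=30)              # assumed correlation window
MIN_RECON = 3                               # assumed number of recon events before a copy

# Constructed sample log (not real data). Fields: timestamp user action detail
SAMPLE_LOG = """\
2010-08-30T09:01:10 alice search query="project budget"
2010-08-30T09:02:45 alice index_probe path=//fileserver/finance
2010-08-30T09:03:12 alice index_probe path=//fileserver/hr
2010-08-30T09:03:40 alice index_probe path=//fileserver/legal
2010-08-30T09:15:02 alice copy_to_local src=//fileserver/finance/q3.xlsx bytes=1200000
2010-08-30T10:00:00 bob search query="lunch menu"
2010-08-30T11:30:00 bob copy_to_local src=//fileserver/shared/menu.pdf bytes=40000
2010-08-30T13:00:00 carol index_probe path=//fileserver/finance
2010-08-30T16:30:00 carol copy_to_local src=//fileserver/finance/a.docx bytes=9000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the four-field log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), user, action, detail))
    events.sort(key=lambda e: e.ts)
    return events


def detect_probe_then_copy(events: List[Event]) -> List[Dict[str, object]]:
    """Alert when a user copies data after >= MIN_RECON recon events within WINDOW."""
    recon_by_user: Dict[str, List[Event]] = defaultdict(list)
    alerts = []
    for ev in events:
        if ev.action in RECON_ACTIONS:
            recon_by_user[ev.user].append(ev)
        elif ev.action == EXFIL_ACTION:
            cutoff = ev.ts - WINDOW
            # Drop recon events that have aged out of the window for this user
            recon_by_user[ev.user] = [r for r in recon_by_user[ev.user] if r.ts >= cutoff]
            recent = recon_by_user[ev.user]
            if len(recent) >= MIN_RECON:
                alerts.append({
                    "user": ev.user,
                    "copy_at": ev.ts.isoformat(),
                    "recon_events": len(recent),
                    "first_recon_at": recent[0].ts.isoformat(),
                    "copied": ev.detail,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_probe_then_copy(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log only alice trips the rule: four search/probe events precede her copy within the window, while bob and carol each have a single, older reconnaissance event. In a real deployment the window and threshold would be tuned against baseline activity so that ordinary file browsing does not page an analyst.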

Jailed Voting Machine Researcher Out on Bail (August 29 & 30, 2010)

Hari Prasad, the Indian researcher who was arrested for allegedly stealing an electronic voting machine, has been released on bail. Prasad maintains that an insider at the Election Commission provided him with the machine and that he returned it several days later, after demonstrating how the machine could be manipulated to alter the outcome of elections. Prasad and his colleagues published a paper on their findings in April. The magistrate hearing the case noted that there was "no offense ... disclosed with Hari Prasad's arrest," and asked the Election Commission to either admit or disprove Prasad's claims about the machine's vulnerabilities. Prasad has refused to name the person who gave him the machine. India's Election Commission has said that it had offered to let Prasad demonstrate the machines' vulnerabilities, but Prasad maintains that a meeting last year was hastily halted after he began pointing out the machines' faults.
-http://www.theregister.co.uk/2010/08/30/indian_evoting_critic_jailed/
-http://www.computerworld.com/s/article/9182578/Indian_e_voting_researcher_released_on_bail?taxonomyId=17

Pushdo Botnet Hobbled (August 27, 2010)

Eight hosting providers that had been supporting command and control servers for the Pushdo botnet have cooperated with efforts to take down the machines. In all, nearly 20 of 30 identified servers were taken down. Pushdo is believed to be responsible for about 10 percent of spam sent worldwide. Once the command and control servers were taken down, spam levels dropped, but experts caution that it is only a matter of time before the botnet operators find new hosting providers.
-http://krebsonsecurity.com/2010/08/researchers-kneecap-pushdo-spam-botnet/
-http://www.theregister.co.uk/2010/08/27/pushdo_botnet_crippled/
-http://www.scmagazineus.com/spam-volume-plunges-in-wake-of-pushdo-takedown/article/177687/

Worm Spreads Through IM, Opens Back Door on Infected Machines (August 27, 2010)

The Zeroll worm spreads through various instant messaging (IM) clients, tailoring the language of the accompanying message to the country in which the computer appears to be to increase its chances of spreading. Once the Zeroll worm has infected a computer, it searches for IM client contact lists and sends itself out again. It also has a backdoor capability that allows attackers to take control of infected machines. Four variants of the worm have been detected so far. Users' machines become infected when they click on a link in a message that claims to be a picture, but really downloads malware onto their computers.
-http://www.v3.co.uk/v3/news/2268885/kaspersky-lab-spots-breed-im
-http://www.scmagazineuk.com/kaspersky-lab-warns-of-advanced-instant-messenger-threat/article/177649/

BGP Experiment Disrupted Internet Traffic (August 27, 2010)

An experiment involving the Border Gateway Protocol (BGP) went awry last week, disrupting one to two percent of Internet traffic for about half an hour on Friday, August 27 at 9:00 am Greenwich Mean Time. BGP tells routers how to route traffic. The experiment was conducted by RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and researchers from Duke University. Certain Cisco routers took the BGP data, corrupted it and passed it on, which caused the confusion. Cisco has fixed an issue in its Internetwork Operating System (IOS) that caused the problems during the test. The incident underscores the fragility of BGP.
-http://www.computerworld.com/s/article/9182558/Research_experiment_disrupts_Internet_for_some?taxonomyId=17

-http://www.computerworld.com/s/article/9182778/Cisco_patches_bug_that_crashed_1_of_Internet?taxonomyId=16

-http://www.infoworld.com/t/telecom/breaking-the-internet-in-one-easy-step-773

FTC Will Not Recommend Further Action Against LimeWire (August 26, 2010)

In a letter to LimeWire CEO George Searle, US Federal Trade Commission (FTC) Associate Director Mary Koelbel Engle said that following an investigation, no further action will be taken against the company. While Engle expressed concern that some versions of LimeWire filesharing software put users at risk of inadvertently sharing personal information, the agency realizes that LimeWire cannot force updates, that there is a lot of attrition from older, vulnerable versions of the software, and that the newer versions do have "safeguards against inadvertent sharing of sensitive, personal documents." The FTC is still concerned that some people are using insecure versions and do not know how to protect their information, and expects LimeWire to urge users to upgrade. LimeWire is facing legal action from music publishers, and the company and its chairman Mark Gorton were found liable for enabling copyright violation on a large scale.
-http://www.computerworld.com/s/article/9182100/FTC_drops_P2P_file_sharing_probe_of_LimeWire?taxonomyId=84

-http://ca.reuters.com/article/technologyNews/idCATRE67Q07620100827
-http://www.ftc.gov/os/closings/100919limewireletter.pdf

ICO Finds Yorkshire Building Society in Violation of Data Protection Act (August 26, 2010)

The UK Information Commissioner's Office (ICO) has found the Yorkshire Building Society to be in violation of the UK's Data Protection Act. A laptop that belonged to the Chelsea Building Society, which recently merged with the Yorkshire Building Society, was stolen from an office in Cheltenham. The unencrypted computer contained a large portion of the Chelsea Building Society database. While the computer was recovered less than two days after it was stolen, it appeared that whoever was in possession of the machine had tried unsuccessfully to access the data. The computer belonged to an employee who worked at home and did not need all the information on the computer to do the work. Yorkshire Building Society chief executive Iain Cornish has agreed to make changes to guard against data breaches in the future. Among the changes are encrypting all portable devices and limiting employees' access to the information they need to complete their work.
-http://www.zdnet.co.uk/news/security/2010/08/26/nhs-trust-and-building-society-guilty-of-data-breaches-40089932/

-http://www.scmagazineuk.com/major-retail-chain-and-building-society-found-to-be-in-breach-of-the-data-protection-act/article/177554/



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/