SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #70

September 03, 2010

TOP OF THE NEWS

Judge Says FBI Must Obtain Warrant Before Requesting Suspect's Cell Phone Location Data
Connecticut Insurance Dept. Imposes Strict New Data Breach Rules
Rootkit Infects 64-bit Windows

THE REST OF THE WEEK'S NEWS

EC Backs Off From Data Sharing Plan With Israel
India Wants RIM and Other Communications Companies to Place Servers in the Country
Establish Clearinghouse for ISP Security and Privacy Metrics
China Now Requires Identification for Cell Phone and SIM Card Purchases
Heartland Will Pay Discover US $5 Million for Breach Costs
Microsoft Issues Tool to Protect Users from DLL Flaw Attacks
Ten Arrested for Alleged Involvement in Ransomware Scam
ACH Thieves Steal Funds From Iowa Diocese, Virginia College

---

******************* Sponsored By Palo Alto Networks ****************

NSS Labs have completed in-depth IPS testing of Palo Alto Networks' next-gen firewall. Our solution was tested against 1,179 live exploits. Key results: * Highest IPS block rate in recent history (93.4%) * 100% resistance to IPS evasion techniques * Simple configuration * Provided all the above at 15% over datasheet performance Full Report: http://www.sans.org/info/64393

*********************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************************************************

---

TOP OF THE NEWS

Judge Says FBI Must Obtain Warrant Before Requesting Suspect's Cell Phone Location Data (August 31, 2010)

A federal magistrate in New York has ruled that government investigators must obtain a warrant before using cell phone information to track a suspect's location. Magistrate Judge James Orenstein's ruling comes close on the heels of an appeals court decision that a suspect's rights were violated when federal investigators used a surreptitiously attached GPS device on his car to track his whereabouts. The prosecutors in the case Orenstein heard cites a precedent of a 1983 case that ruled that tracking individuals' alocations outside the home is the equivalent of physical surveillance, but Judge Orenstein said he "believe
[s ]
that magistrate judges presented with ex parte requests for authority to deploy various forms of warrantless location-tracking must carefully re-examine the constitutionality of such investigative techniques, and that it is no longer enough to dismiss the need for such analysis by relying on" precedents.
-http://www.theregister.co.uk/2010/08/31/cellphone_data_protected/
-http://regmedia.co.uk/2010/08/31/orenstein_csi_ruling.pdf

Connecticut Insurance Dept. Imposes Strict New Data Breach Rules (August 30, 2010)

A new policy introduced by the Connecticut state insurance department requires all insurance companies conducting business in Connecticut to report data breaches to state authorities within five calendar days. The new policy applies to both paper and electronic records and applies whether or not the compromised data are encrypted. The rule supersedes rules in the HITECH Act which require that breaches of health insurance information be reported within 60 days and does not require companies to report breaches of encrypted data. Connecticut is gaining a reputation for being hard on healthcare data breaches; state Attorney General Richard Blumenthal recently became the first attorney general to sue a company for violating HIPAA. While the new policy applies to health maintenance organizations, preferred provider organizations and other health insurers, property and casualty insurers and medical discount plans, physicians and hospitals are not subject to the requirements. Under the new policy, organizations do not have the option of deciding whether or not the extent of the breach merits notification; all breaches are subject to notification.
-http://www.govinfosecurity.com/articles.php?art_id=2880&rf=2010-09-01-eg

Rootkit Infects 64-bit Windows (August 26, 27 & 30, 2010)

Researchers have detected a variant of the TDL3 rootkit that is capable of infecting 64-bit Windows installations. TDL3, also known as Alureon, was the culprit behind a rash of Windows crashes that occurred after users installed a particular Windows patch earlier this year. Microsoft released a new version of the patch that detected whether the rootkit was there and offered help in removing the malware from users' computers. The significance of the rootkit infecting 64-bit windows is that the 64-bit versions are considered to be more secure than 32-bit versions. The new version of this particular rootkit has been detected in the wild.
-http://www.esecurityplanet.com/features/article.php/3900936/New-64-Bit-Windows-R
ootkit-Already-In-The-Wild.htm
-http://www.dslreports.com/forum/r24720761-1st-x64compatible-kernel-mode-rootkit-
infection-in-the-wild
-http://blog.emagined.com/2010/08/30/what-next-a-64-bit-windows-rootkit/
[Editor's Note (Schultz): This is a very significant and negative development. 64-bit Windows systems have until the most recent version of TDL3 been resistant to rootkit infections, primarily because of two Windows OS protections: 1. A digital signature check prevents malicious drivers from getting into kernel memory, and 2. Windows Kernel Patch Protection keeps kernel mode drivers from making changes in the Windows kernel. The fact that this rootkit can bypass these two protections means that Pandora's Box has just been opened with respect to malware in 64-bit Windows systems.]

---

*********** INTERESTING NEW PROGRAM ON SCADA SECURITY *********************

How has the threat to control systems changed during the last year? Who are the new attackers? What actually happened in the Stuxnet worm attacks? Find answers to these questions and more at the: SANS 2010 European SCADA Security Summit in London next month. The Deputy Director of the United Kingdom's CPNI will kick off the Summit, titled "changing form talk to action" You'll also learn innovative and effective governments and power companies and other industries are doing to counter the threats.
http://www.sans.org/info/64398

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

EC Backs Off From Data Sharing Plan With Israel (September 2, 2010)

The European Commission (EC) has put the brakes on a plan to share information about European Union citizens with Israel in light of issues raised by the Irish government. Assassins allegedly used forged Irish passports in a plot that took the life of a Hamas operative in Dubai. The operation was allegedly carried out by Israeli agents. The EC withdrew a procedure that would recognize Israeli protection standards as being consistent with EU standards. In Israel, manually gathered data are not held to the same level of protection as digital information.
-http://www.rte.ie/news/2010/0902/israel.html

India Wants RIM and Other Communications Companies to Place Servers in the Country (August 31 & September 2, 2010)

India is now asking not only for Blackberry parent company Research in Motion (RIM) to put a server in the country so it can monitor Blackberry communications, but has now asked Google and Skype to provide servers in India as well. The Associated Press is reporting that Indian Home Secretary G.K. Pillai said "people who operate communication services in India should
[install a ]
server in India as well as make available access to law enforcement agencies." India is seeking to access Gmail data, which are encrypted. According to an Indian government press release, "Any communication through the telecom networks should be accessible to the law enforcement agencies and all telecom service providers, including third parties, have to comply with this." In a separate story, a UN official who heads the organization's International Telecommunication Union said that all governments engaged in combating terrorism have the right to request access to RIM customer data.
-http://news.cnet.com/8301-1009_3-20015418-83.html?tag=mncol;title
-http://www.msnbc.msn.com/id/38972720/ns/technology_and_science-security/
-http://www.bbc.co.uk/news/technology-11137647

Establish Clearinghouse for ISP Security and Privacy Metrics (September 1, 2010)

In this editorial, Brian Krebs responds to the Federal Communications Commission's (FCC) request for help in creating a cyber security roadmap. Krebs would like to see the FCC put pressure on Internet service providers (ISPs) to keep their networks clear of malware, spam, and scams. Various organizations across the country are compiling metrics on different aspects of ISPs and hosting providers' "Internet badness." Krebs suggests that "what is needed is a single place that gathers together information from various, trusted sources of reputation data to build a well-rounded and timely picture of which ISPs and hosting providers have the most work to do in cleaning up their networks."
-http://www.csoonline.com/article/608663/krebs-fcc-must-make-isps-crack-down-on-s
pammers-and-malware?source=CSONLE_nlt_update_2010-09-02
[Editor's Note (Liston): Krebs hit the nail squarely on the head. I send an inordinate number of incident reports to ISPs, web hosting providers, companies, and individuals from hits on honeypot systems I run, and oftentimes it seems like I'm yelling at a big brick wall. Any shared resource requires users to act responsibly and in a manner that doesn't interfere with (or endanger) others. If someone recklessly drives an unsafe car on our highways, we don't tolerate it. Why are we so tolerant of bad behavior on the Internet?
(Honan): While this may seem in theory to be a good idea there are many issues that need to be considered. Cybercrime is an international issue so this clearinghouse may only be useful for those providers within the United States. In a number of countries it would be illegal for ISPs to monitor the traffic of their clients. We also need to consider who would manage such a clearing house and what rights to appeal ISPs and providers would have. Those who have been innocent victims of spam blacklists will appreciate the impact an incorrect report can have on their business. ]

China Now Requires Identification for Cell Phone and SIM Card Purchases (September 1, 2010)

As of September 1, people purchasing cell phones or SIM cards in China will need to provide identification, according to a government order. The rule applies to people setting up new accounts; people holding accounts already will eventually be required to provide identification as well. The Chinese government says the new rule is aimed at combating spam, pornography and telecommunications fraud, but it has been observed that it will also expand the government's ability to monitor communications. China is not alone in seeking access to communications data. India has asked BlackBerry to allow the government to monitor BlackBerry communications (see story above) and proposed legislation in the US would require people purchasing prepaid cell phones to provide identification.
-http://www.nytimes.com/2010/09/02/world/asia/02china.html?_r=1&partner=rss&a
mp;emc=rss
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/01/AR2010090101544.
html
-http://news.cnet.com/8301-27080_3-20015388-245.html?tag=mncol;titles
This article, and the one describing India vs. RIM should give all thinking people pause.
[Editor's Note (Liston): Increasingly, channels for private communication are being openly "tapped" by governments in the name of the "terrorism" bogyman. (Anyone besides me remember when it was the "pedophile" bogyman? That one didn't "sell" quite as well as "terrorism"...) While I certainly don't advocate allowing bad people to do bad things, I believe that there must be other law enforcement avenues that can be explored *before* a government chips away at its citizen's privacy. ]

Heartland Will Pay Discover US $5 Million for Breach Costs (September 1, 2010)

Heartland Payment Systems will pay Discover US $5 million to settle claims related to the data breach that exposed details of millions of payment cards. Heartland acknowledged the breach in January 2009. The settlement "resolves all issues." Heartland has agreed to pay US $60 million to banks that issued Visa cards that were compromised, US $41 million to MasterCard-issuing banks and US $3.6 million to American Express.
-http://www.computerworld.com/s/article/9183259/Discover_to_get_5M_from_Heartland
_for_08_data_breach?taxonomyId=17

Microsoft Issues Tool to Protect Users from DLL Flaw Attacks (September 1, 2010)

Microsoft has released a tool to help users protect their computers from attacks that exploit a flaw in the way certain applications load dynamic link library (DLL) files. The tool will be effective only on machines where a workaround issued by Microsoft last week has been installed.
-http://isc.sans.edu/diary.html?storyid=9445
-http://krebsonsecurity.com/2010/09/ms-fix-shores-up-security-for-windows-users/
-http://www.theregister.co.uk/2010/09/01/microsoft_dll_hijack_fixit/
-http://www.scmagazineus.com/microsoft-releases-new-tool-to-defend-against-dll-at
tack/article/178065/
-http://www.microsoft.com/technet/security/advisory/2269637.mspx

Ten Arrested for Alleged Involvement in Ransomware Scam (August 31 & September 1, 2010)

Police in Russia have arrested 10 people in connection with a ransomware scheme that allegedly brought in US $16 million. The group was allegedly involved with the distribution and deployment of the WinLock Trojan horse program that locked up infected computers and displayed pornography. The gang informed victims that their computers could be unlocked by sending premium rate SMS messages at a cost of about US $10 to US $30.
-http://www.theregister.co.uk/2010/09/01/ransomware_trojan_suspects_cuffed/
-http://www.pcworld.com/businesscenter/article/204577/alleged_ransomware_gang_inv
estigated_by_moscow_police.html

ACH Thieves Steal Funds From Iowa Diocese, Virginia College (August 30 & September 1, 2010)

The Catholic Diocese of Des Moines, Iowa and a University of Virginia satellite campus are two of the latest victims of automated clearinghouse (ACH) fraud. The thieves who stole more than US $600,000 from the diocese employed dozens of money mules; one was told that the funds were being distributed to victims of church sexual abuse. The fraudulent withdrawals occurred between August 13 and 16, 2010. Approximately US $180,000 has been recovered. The University of Virginia's College at Wise found that nearly US $1 million had been transferred in one lump sum to the Agricultural Bank of China. School officials have declined to comment beyond acknowledging that the school is investigating a hacking incident.
-http://krebsonsecurity.com/2010/08/crooks-who-stole-600000-from-catholic-diocese
-said-money-was-for-clergy-sex-abuse-victims/
-http://www.bankinfosecurity.com/articles.php?art_id=2888
-http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-unive
rsity-of-virginia-college/

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/