SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #79

October 05, 2010

TOP OF THE NEWS

UK Facing Legal Action from EC Over Inadequate Privacy Protection
Court Grants BT Adjournment to Halt Requests for Customer Data
Alleged Brains Behind International Fraud Case Arrested in Ukraine
BlackBerry Grants Indian Government Access to Messenger Service

THE REST OF THE WEEK'S NEWS

Comcast to Roll Out Bot Notification Service
Cyber Thieves Attempt to Steal US $600,000 From New Jersey Town
Anti-Virus Sites Fix Cross-Site Scripting Holes
Iran Authorities Make Arrests in Connection with Stuxnet
Cyber Security Researcher Named MacArthur Fellow
T-Mobile Settles Short Code Case Out of Court
DNS Root Server Outage
Researchers Develop Attack Recovery System

---

******************** Sponsored By BigFix, Inc. ********************** REGISTER NOW for the upcoming webcast: Establishing real-time continuous visibility and control over all of your network endpoints in days WHEN: Thursday, October 7, 2010 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Mark Ehr and Nate Howe http://www.sans.org/info/65388 Sponsored By: BigFix http://www.bigfix.com/ ********************************************************************* TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php

-- SANS San Francisco 2010, November 5-12, 2010 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
http://www.sans.org/security-east-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, San Antonio, Geneva, Bangalore, and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php *********************************************************************

---

TOP OF THE NEWS

UK Facing Legal Action from EC Over Inadequate Privacy Protection (September 30 & October 1, 2010)

The European Commission said it would initiate legal action against the UK for failing to implement adequate online data privacy rules and for allowing ISPs to use behavioral advertising. EU rules require that EU member states "ensure the confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance," and that ISPs must obtain consumer consent before gathering data for targeted advertising. The UK has not amended its data protection laws to comply with EU law. UK law punishes intentional interception, but allows communication interception when the interceptor "has reasonable grounds for believing" that users have consented. The legal action was spurred by reports that UK ISP BT had run online behavioral advertising pilot programs without notifying customers.
-http://www.guardian.co.uk/technology/2010/oct/01/eu-online-privacy
-http://euobserver.com/9/30935

Court Grants BT Adjournment to Halt Requests for Customer Data (October 4, 2010)

The UK High Court has granted a request from Internet service provider (ISP) BT to freeze new and existing applications for customer information. Law firms have been filing requests for information identifying computer users suspected of illegal filesharing. Last week, law firm ACS:Law was hit with a distributed denial-of-service (DDoS) attack launched by a group that opposes action taken against filesharers. When ACS:Law tried to restore its website after the attack, it accidentally exposed unencrypted sensitive personal information it had received from ISPs. BT said it would challenge the requests for information until it sees evidence that the allegations have "some basis." BT also wants to ensure that the data it provides to firms like ACS:Law are adequately protected.
-http://www.bbc.co.uk/news/technology-11467347
-http://www.guardian.co.uk/technology/2010/oct/04/intellectual-property-data-prot
ection
[Editor's Note (Schultz): Here is a new and intriguing issue--an ISP has been successful in obtaining a favorable court ruling such that the ISP does not have to supply information to a requester because the latter has not exercised due diligence in protecting customer information. Stay tuned re. this one. ]

Alleged Brains Behind International Fraud Case Arrested in Ukraine (October 1 & 2, 2010)

Five people have been detained in Ukraine in connection with online bank fraud in which US $70 million was stolen from the bank accounts of US small and mid-sized businesses, municipalities and other organizations over the last year-and-a-half. The five people in Ukraine have been described as the "coders and exploiters," or the brains behind the operation. They are believed to have crafted custom versions of the ZeuS Trojan horse program that were used to harvest information used in the online thefts. Last week, 11 people in the UK were charged in connection with cyber thefts using ZeuS; in the US, 92 people have been charged and 39 arrested. The arrests in Ukraine were the result of a joint effort by the SBU (Ukraine's police force), the FBI, police in the Netherlands and the UK Metropolitan Police Service.
-http://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-mill
ion-in-ebanking-heists/
-http://www.wired.com/threatlevel/2010/10/zeus-ukraine-arrests/
-http://www.computerworld.com/s/article/9189158/Update_Ukranian_police_arrest_5_t
argeting_brains_behind_Zeus_botnet?taxonomyId=85
-http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/
[Editor's Note (Schultz): What has happened here is no small accomplishment. Bringing cybercriminals operating out of Eastern European countries to justice has over the years been hampered by many significant hurdles, of which international cooperation has been foremost. ]

BlackBerry Grants Indian Government Access to Messenger Service (October 1 & 4, 2010)

Blackberry parent company Research in Motion (RIM) has granted India's government access to BlackBerry Messenger service. For now, the access is manual, but government officials say they expect to have automated access by the first of the year. India is also seeking access to encrypted email traffic sent over Blackberry Enterprise Servers, but RIM does not have the ability to grant access to those communications; access must be obtained from the organization sponsoring those servers. If RIM cannot come up with a workable solution for readable email interception by the end of the month, it faces a nationwide ban in India. The same is true in the United Arab Emirates, but there the ban could start as soon as October 11.
-http://www.msnbc.msn.com/id/39463421/ns/technology_and_science-wireless/
-http://www.theregister.co.uk/2010/10/04/rim_india_blackberry/

---

THE REST OF THE WEEK'S NEWS

Comcast to Roll Out Bot Notification Service (October 4, 2010)

Comcast is taking its bot alert service nationwide. Introduced in Denver last year, the service notifies users whose computers have become infected with bot malware. The automated system will also send a service notice to users' browsers so an alert displays when they are using the browser. Users will be directed to Comcast's Constant Guard security web site where they can learn how to clean their computers of any infection and take steps to prevent infection from recurring.
-http://krebsonsecurity.com/2010/10/comcast-pushes-bot-alert-program-nationwide/
-http://news.cnet.com/8301-1009_3-20018168-83.html?tag=nl.e757
[Editor's Note (Northcutt): Pretty nifty, here is the Comcast page on the subject:
-http://security.comcast.net/constantguard/]

Cyber Thieves Attempt to Steal US $600,000 From New Jersey Town (October 4, 2010)

Cyber thieves have attempted to steal US $600,000 from the coffers of the town of Brigantine, New Jersey. Multiple sets of transfers were made to money mules starting around September 28. The city's bank, TD Bank, notified the city financial officers that multiple transfers had been made out of the account; the bank was able to reverse roughly US $400,000 of the transfers and was working on recalling the rest. The incident is being investigated by the FBI, New Jersey State Police, the Brigantine Police Department and TD Bank security.
-http://krebsonsecurity.com/2010/10/hackers-steal-600000-from-brigantine-nj/

Anti-Virus Sites Fix Cross-Site Scripting Holes (October 4, 2010)

Anti-virus companies Symantec, Eset and Panda Security have fixed cross-site scripting (XSS) flaws found on their websites. The companies were notified of the flaws by researchers. The vulnerabilities could have been exploited to conduct phishing attacks.
-http://www.theregister.co.uk/2010/10/04/anti_virus_vendor_xss_snafu/

Iran Authorities Make Arrests in Connection with Stuxnet (October 2 & 4, 2010)

Authorities in Iran have arrested an unspecified number of people in connection with the Stuxnet worm. Iran's intelligence minister Heydar Moslehi has called those arrested "nuclear spies." Moslehi also said that his agency is capable of fighting cyber attacks. Iranian authorities also said that a delay in starting up the Bushehr nuclear power plant was due to a leak in a storage pool, not because of Stuxnet. There has been speculation that malware, which targets certain supervisory control and data acquisition (SCADA) software systems, was designed to infiltrate and sabotage systems at Iranian nuclear facilities.
-http://www.nytimes.com/2010/10/03/world/middleeast/03iran.html?partner=rss&e
mc=rss
-http://www.washingtonpost.com/wp-dyn/content/article/2010/10/04/AR2010100401254.
html
-http://www.computerworld.com/s/article/9189218/Iran_arrests_spies_after_Stuxnet_
attacks_on_nuclear_program?taxonomyId=17
-http://www.theregister.co.uk/2010/10/04/stuxnet_conspiracy_theories/
-http://news.yahoo.com/s/ap/20101002/ap_on_hi_te/ml_iran_cyber_attacks

Cyber Security Researcher Named MacArthur Fellow (October 2, 2010)

University of California-Berkeley computer security researcher Dawn Song has been named a MacArthur Fellow. The honor comes with an unrestricted US $500,000 grant. "Rather than identifying errors in programming logic that lead to specific security breaches, Song investigates the underlying patterns of computer system behavior that often apply across whole classes of security vulnerability."
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=227600050
-http://www.macfound.org/site/c.lkLXJ8MQKrH/b.6241285/k.E229/Dawn_Song.htm
-http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2010/09/27/daily28.html
-http://bitblaze.cs.berkeley.edu/

T-Mobile Settles Short Code Case Out of Court (October 1, 2010)

A lawsuit brought by a texting service against T-Mobile has been settled out of court. While the terms of the settlement have not been disclosed, the settlement does not resolve the question of whether wireless communication providers are subject to the same "must carry" rules that govern wired providers. The texting service, EZ Texting, said that T-Mobile blocked its clients after the service sent out messages pertaining to medical marijuana. EZ Texting provides short code services, which allow phone users to receive information by texting words to certain numbers. T-Mobile maintained that it had the right to require pre-approval of short-texting services offered over its network, and that EZ Texting failed to obtain approval.
-http://www.wired.com/threatlevel/2010/10/text-flap-settlement/

DNS Root Server Outage (October 1, 2 & 3, 2010)

The H DNS root server, which is operated by the US Army Research lab, was down for more than 18 hours last week. The problem was caused by fallen utility poles cutting fiber and flooding from a tropical storm.
-http://isc.sans.edu/diary.html?storyid=9655
-https://lists.dns-oarc.net/pipermail/dns-operations/2010-October/006142.html
-http://tech.slashdot.org/story/10/10/02/1233235/Army-DNS-ROOT-Server-Down-For-18
-Hours

Researchers Develop Attack Recovery System (September 30, 2010)

Researchers at MIT's Computer Science and Artificial Intelligence Laboratory have developed a system that will help administrators recover from intrusions. In general, recovering from an attack means rolling back a system to the last clean backup. The system, called RETRO, allows administrators to specify the intruders' malicious actions that they want undone while preserving legitimate activity on the machine. The researchers plan to present a paper on the system at the USENIX Symposium on Operating Systems Design and Implementation in Vancouver, British Columbia (October 4-6, 2010).
-http://www.computerworld.com/s/article/9189083/MIT_system_helps_companies_recove
r_from_network_intrusion?taxonomyId=145

---

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/