SANS NewsBites Vol. 10 Num. 91

From: The SANS Institute (NewsBitessans.org)
Date: Tue Nov 18 2008 - 12:48:03 CST


*************************************************************************
SANS NewsBites November 18, 2008 Vol. 10, Num. 91
*************************************************************************
TOP OF THE NEWS
  Virus Shuts Down Three UK Hospitals
  FTC Seeks to Ban Sale of RemoteSpy Keylogger Spyware
  CMA Changes Criminalize DDoS Attacks and Attack Tools
THE REST OF THE WEEK'S NEWS
  LEGAL ISSUES
    Law Professor Will Take on RIAA
  ARRESTS, CHARGES & CONVICTIONS
    Palin Yahoo eMail Hack Trial Pushed Back to May 2009
    Burmese Blogger Sentenced to 10 Years in Prison
    German Man Resists Job Interview Sting
  POLICY AND LEGISLATION
  SPAM, PHISHING & ONLINE SCAMS
    Phishing Scheme Pretends to be Cyber Scam Warning From US Federal Reserve
  UPDATES AND PATCHES
    Apple Releases Safari Update; Users Complain of Crashes
    Google Fixes Chrome File Stealing Hole
  DATA LOSS & EXPOSURE
    Stolen Laptop Not Encrypted Despite Security Policy
  ATTACKS
    Spyware Infiltrates International Monetary Fund Computers

******************** Sponsored By Sourcefire, Inc. **********************

Best of Open Source Security (BOSS) Conference 2009

February 8-10, 2009 at the Flamingo in Las Vegas. Content-rich agenda
around open source security (OSS). Come join others passionate about
OSS and share ideas and experiences. Sponsors include Sourcefire,
Nokia, Symantec, ArcSight, Crossbeam Systems, and others. Sourcefire
Users Summit will be running simultaneously. Early-bird registration
now in effect.
http://www.sans.org/info/35394
*************************************************************************
TRAINING UPDATE
- SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- London (12/1-12/9) http://sans.org/london08/
- Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- Orlando SANS SCADA Security Summit http://www.sans.org/scada09_summit
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Virus Shuts Down Three UK Hospitals
(November 18, 2008)
A computer virus has shut down the computer systems at Barts in the
City, the Royal London Hospital in Whitechapel and The London Chest
Hospital in Bethnal Green. The engineers worked through the night but
failed to fix the problem.
http://news.bbc.co.uk/2/hi/uk_news/england/london/7735502.stm
http://www.scmagazineuk.com/London-hospitals-struck-down-by-virus/article/121133/

 --FTC Seeks to Ban Sale of RemoteSpy Keylogger Spyware
(November 17, 2008)
A US District Court in Florida has granted a request from the US Federal
Trade Commission (FTC) for a temporary restraining order preventing the
sale of RemoteSpy keylogger spyware while its case against CyberSpy
Software is pending. The FTC filed a complaint against CyberSpy earlier
this month seeking a permanent ban of the sale of the product and
alleging four violations of the FTC Act: Unfair Sale of Spyware; Unfair
Collection and Disclosure of Consumers' Personal Information; Means and
Instrumentalities to Install Spyware and access Consumers' Personal
Information; and Means and Instrumentalities to Engage in Deception.
http://news.cnet.com/8301-13578_3-10099123-38.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://ftc.gov/os/caselist/0823160/081105cyberspycmplt.pdf
[Editor's Note (Schultz): The FTC may be fighting a losing cause.
Keylogger software is already freely available on the Internet; the fact
that it is now also available as commercial software is really hardly
noteworthy.]

 --CMA Changes Criminalize DDoS Attacks and Attack Tools
(November 14, 2008)
Changes to the UK's Computer Misuse Act (CMA) criminalizing DDoS attacks
and distributed attack tools have finally taken effect in England and
Wales. Changes to the CMA were first suggested six years ago, and
actual changes were made in 2006. Scotland adopted the changes in
October 2007, but England and Wales did not enact the changes until
October 2008; there had been some concern that the wording of the
changes could inhibit research. The changes include increased penalties
for the newly clarified offenses. The impetus to effect the changes to
CMA can be traced at least in part to a case in which prosecutors were
unable to charge a teenager who had launched a DDoS attack against his
former employer because the judge ruled that the employer's computer
system was designed to receive email. The teen pleaded guilty to
charges brought after the High Court ruled that the earlier decision had
been made in error.
http://www.theregister.co.uk/2008/11/14/dos_criminalised/

************************* SPONSORED LINK ******************************
1) Free, Downloadable, Log and Compliance Management Solution from Q1
Labs. Get QRadar SLIM Free Edition http://www.sans.org/info/35399

2) "USB Auditing, Encryption, and Control -> Award-Winning USB Security
Software -> Download Now" http://www.sans.org/info/35404

3) SANS Home SEC401 Security Essentials is being offered starting
December 10th, 2008. HOME is a great way to get the needed essential,
up-to-the-minute knowledge and skills required for effective
performance. If you are given the responsibility for securing systems,
get more information here and register at http://www.sans.org/info/32138
"I found the home sessions with Seth Misenar much easier to fit my
professional and personal schedule. Having three hours of class one
night a week with seven days to review the content in between was
priceless." --Nikki Allen-Cain, First Bankers Trust Co.

*************************************************************************

THE REST OF THE WEEK'S NEWS
LEGAL ISSUES
 --Law Professor Will Take on RIAA
(November 17 & 18, 2008)
Harvard Law School professor Charles Nesson has taken on the case of a
Boston University graduate student who has been targeted by a lawsuit
from the Recording Industry Association of America (RIAA). Nesson's
argument focuses on the Digital Theft Deterrence and Copyright Damages
Improvement Act of 1999, which he says is unconstitutional because it
allows the RIAA, a private organization, to "carry out civil enforcement
of a criminal law."
http://news.smh.com.au/technology/law-professor-fires-back-at-songswapping-lawsuits-20081117-687q.html
http://www.boston.com/lifestyle/articles/2008/11/18/billion_dollar_charlie_vs_the_riaa/

ARRESTS, CHARGES & CONVICTIONS
 --Palin Yahoo eMail Hack Trial Pushed Back to May 2009
(November 17, 2008)
David Kernell, the Tennessee college student accused of breaking into
Alaska Governor Sarah Palin's Yahoo! email account, will face trial in
May 2009. The trial had originally been scheduled to start in December,
but according to the motion to push back the trial's start date,
"because of the nature of the case, significant forensic evaluation is
required." Both sides said they need additional time for discovery. If
Kernell is convicted, he could face a five year prison sentence followed
by three years of supervised release in addition to a US $250,000 fine.
In October, Kernell pleaded not guilty and was released on his own
recognizance. While he awaits trial, he may not own a computer and may
use the Internet only for email and college coursework.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120559&source=rss_topic17

 --Burmese Blogger Sentenced to 10 Years in Prison
(November 12, 2008)
A Burmese blogger was sentenced to 20 years and six months in prison for
crimes against public tranquility and video and electronics laws
offenses. Nay Myo Kyaw, who writes under the alias Nay Phone Latt, was
arrested as part of a crackdown on dissidents. The lawyer who
represented Nay Phone Latt and poet Saw Wai, who was sentenced to two
years in prison for publishing a love poem that also served as an
acrostic critical of Burma's dictator, also received a prison sentence
for contempt of court.
http://www.timesonline.co.uk/tol/news/world/asia/article5129509.ece
[Editor's Note (Pescatore): I guess the freedom of speech tradeoff is
worth it. Progressive societies allow criticism of the government but
have to put up with the Paris Hiltons and the like polluting "public
tranquility"... ]

 --German Man Resists Job Interview Sting
(November 12 & 14, 2008)
A German man who admitted in a telephone interview to having figured out
how to break into the network at computer game developer Valve evaded
arrest by not taking the bait of a follow-up interview on American soil.
Valve initiated contact with Axel Gembe after evidence pointed to his
having a role in the leak of Half Life 2 source code prior to the game's
release. While the ruse had worked several years before with a pair of
Russian hackers, Axel Gembe declined the invitation. He was charged in
Germany and sentenced to probation. In October, Gembe was named in a
new indictment in a different case; the indictment alleges he created
malware known as Agobot, which was used in the Echouafni case to attack
the retail websites of his business rivals. Echouafni has fled the
country and is believed to be in Morocco. He had allegedly hired Paul
Ashley to manage the distributed denial-of-service (DDoS) attacks;
Ashley has already completed a two-year prison term for his role in the
attacks.
http://blog.wired.com/27bstroke6/2008/11/valve-tricked-h.html
http://www.theregister.co.uk/2008/11/14/half_life_sting/

SPAM, PHISHING & ONLINE SCAMS
 --Phishing Scheme Pretends to be Cyber Scam Warning From US Federal Reserve
(November 14, 2008)
A new phishing attack is spreading in the guise of a scam warning from
the US Federal Reserve. The message directs recipients to a web page
that appears to provide details about the scam and attempts to download
a PDF file that contains a variety of malware, including software that
could be used to make infected computers part of a botnet. Of
particular interest in this attack is "that the botnet uses a Secure
Sockets layer connection to send and receive encrypted information
between the botnet server and infected machines." The phishing message
itself contains several blatant clues that it is not to be trusted: the
English grammar is poor and it does not attempt to hide the fact that
it is leading users to an outside URL.
http://www.vnu.co.uk/vnunet/news/2230518/federal-reserve-spam-attack
[Editor's Note (Skoudis): While the grammar is laughable now, the bad
guys will certainly hone this scam given the market turmoil and
consumer's worries. Watch for this one to become far more lethal in the
near future.]

UPDATES AND PATCHES
 --Apple Releases Safari Update; Users Complain of Crashes
(November 14 & 17, 2008)
The newest version of Apple's Safari web browser now has anti-phishing
protection. Safari 3.2 also includes fixes for 11 security flaws. Most
of the vulnerabilities affect the Windows version of Safari, but some
affect the Mac OS X version as well. Most of the flaws were labeled
arbitrary code execution vulnerabilities. Users have been reporting
that the newest version of the browser is causing frequent crashes.
http://www.networkworld.com/news/2008/111408-apple-plays-catch-up-adds-anti-fraud.html?code=nlsecuritynewsal170182
http://www.theregister.co.uk/2008/11/17/safari_3_2_update_grumbles/

 --Google Fixes Chrome File Stealing Hole
(November 14, 2008)
Google has patched a flaw in its Chrome browser that could be exploited
to steal files from vulnerable machines. The majority of users have not
had the fix pushed out to their computers; it is addressed in a
developer-only version of the open source browser. Users can reset their
browsers so they receive all released updates. Chrome 0.4.154.18 also
adds new features, including a bookmark manager and a reworked pop-up
blocker.
http://www.networkworld.com/news/2008/111408-google-patches-chrome-file-stealing.html?code=nlsecuritynewsal170179
[Editor's Note (Skoudis): Given the recent Google Chrome and Apple
Safari for Windows problems, I think you can make a very good argument
for not relying on a browser for your main web surfing until it has aged
a bit, giving the vendor time to work out the most egregious security
flaws. How much time? My gut says about a year is needed before a
browser becomes reasonably (but not perfectly) scrubbed. Until then,
have fun playing with these shiny new toys on an experimental box.]

DATA LOSS & EXPOSURE
 --Stolen Laptop Not Encrypted Despite Security Policy
(November 14, 2008)
The data on a North Carolina Department of Health and Human Services
laptop computer stolen in October were not encrypted, despite a
department security policy that required encryption of sensitive
information. The computer holds personally identifiable data, including
Social Security numbers (SSNs), of more than 85,000 individuals. At
least one other NC DHHS laptop holding sensitive data was reported
stolen this year, and two other laptops reported stolen may also hold
personal information. The state's chief information officer says that
"failure to encrypt the hard drive on the laptop was a violation of
State Security Standards. Additionally, DHHS may have been in violation
of other standards regarding due diligence in safeguarding information."
A September 9, 2008 memo requires that any laptops employees planned to
remove from their offices must be encrypted by November 1, 2008.
http://www.newsobserver.com/news/story/1294350.html
[Editor's Note (Skoudis): Even if the data were encrypted, an attacker
may still be able to get access to it by cold-booting the machine,
cracking the user's password, or other bypass techniques. I think as
laptop crypto is deployed more regularly, we'll see breach disclosure
rates go down. But, the bad guys will still be compromising sensitive
data using various attack techniques. The public just won't know as
much about it without the notification.]

ATTACKS
 --Spyware Infiltrates International Monetary Fund Computers
(November 14, 2008)
Attackers broke into the International Monetary Fund's (IMF) computer
system earlier this month. As a precaution, the IMF temporarily cut off
its connection to the World Bank; according to reports earlier this
fall, the World Bank's computer system had been under attack over
several months. IMF officials became aware that spyware was spreading
through its computer system on November 7; an IMF spokesperson said he
was not aware of a system lockdown related to the incident. Anonymous
sources, however, maintain that there was a computer lockdown on
November 7.
http://www.foxnews.com/story/0,2933,452348,00.html

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post-graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
