SANS NewsBites Vol. 10 Num. 92

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Nov 21 2008 - 15:07:16 CST


*************************************************************************
SANS NewsBites November 21, 2008 Vol. 10, Num. 92
*************************************************************************
TOP OF THE NEWS
  US Dept. of Defense Bars Use of Removable Data Storage Devices to Halt
     Worm's Spread
  McColo Shutdown Hurt Some Botnets
  Healthcare Workers in UK and US Not Taking Adequate Security
     Precautions with Data
  Canadian Telecom Regulator Says Bell Canada's Traffic Throttling OK
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Teen Hacker Admits Wrongdoing
    College Student Charged in Alleged eMail Hacking and Attempted
       Extortion
  POLICY AND LEGISLATION
    Mass. Data Protection Regulation Compliance Deadline Pushed Back Five
      Months
    UK Information Commissioner Seeks Authority to Impose Increased Fines
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    Australian ISP Sued for Allegedly Allowing Illegal Filesharing
  DATA LOSS & EXPOSURE
    British National Party Membership List Posted to Internet
  ATTACKS
    IT Staff Still Working to Address Malware on London Hospital Systems
  STUDIES AND STATISTICS
    Survey: Many Irish eCommerce Websites Lack Strong Data Protection

******* Sponsored By SANS Process Control & SCADA Security Summit ******

Technology leaders from more than 200 utilities, manufacturers, and
other control systems users are meeting in Orlando to get early access
to recently discovered proof of critical vulnerabilities in new metering
systems, in serial communications, and other previously trusted
technologies, AND on what they can do now to protect their control
systems. They'll also learn from Public Utility Commissioners what it
takes to get security expenditures into the rate base, and what works
in CIP auditing and compliance. Also at the Summit: free classes funded
by DHS, and paid SANS hands-on, in-depth courses on hacker exploits,
penetration testing, security management and more. This is the annual
meeting where, in 2008, the CIA first disclosed they had data on
multi-city power outages caused by remote hackers. If you work in
security of control systems, don't miss this meeting; Orlando, early
February: http://www.sans.org/info/35719

*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington (12/10-12/16) 30 courses; big security tools
expo; lots of evening sessions: http://www.sans.org/cdi08/
- - London (12/1-12/9) http://sans.org/london08/
- - Las Vegas (1/24-2/01) http://sans.org/securitywest09/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --US Dept. of Defense Bars Use of Removable Data Storage Devices to Halt Worm's Spread
(November 19, 2008)
To halt the spread of a worm through US Department of Defense computer
systems, the commander of US Strategic Command has banned the use of all
removable data storage devices, including USB drives, CDs and flash
media cards. The ban affects both secret and unclassified networks.
The malware infecting the computers is called Agent.btz, a variant of
the SillyFDC worm. It spreads by copying itself onto USB drives and
other removable data storage devices and infecting the next device they
are attached to. Devices that are the personal property of employees
or that are not authorized will never be permitted on department
computers; some department-issued USB drives may be approved after
they have been properly vetted.
Internet Storm Center Diary: http://isc.sans.org/diary.html?storyid=5384
http://blog.wired.com/defense/2008/11/army-bans-usb-d.html
[Editor's Note (Pescatore): Agent.btz has been on anti-malware
blacklists since late June. Whatever the DoD desktops are using for
anti-malware protection should be looked at before mass bans of portable
media are put in place.]

 --McColo Shutdown Hurt Some Botnets
(November 18, 2008)
The shutdown last week of web hosting company McColo resulted in the
disabling of an estimated 500,000 PCs infected with bot malware. The
computers themselves still work, but the malware that had been placed
on them can no longer communicate with command-and-control servers.
McColo's upstream service providers disconnected the hosting company at
the behest of researchers who said the company's services were enabling
a significant amount of cybercrime. When McColo went offline, two major
botnets, Srizbi and Rustock, were put out of action as well. Rustock
is unlikely to recover the lost bots, as it has no backup plan coded
into the malware; Srizbi's bots, however, are instructed to check other
domain names if they cannot connect to the primary server.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9120727&taxonomyId=17&pageNumber=1
[Editor's Note (Honan): Earlier this year, the Dutch police used a
botnet that they had busted to warn victims that their PCs were
infected. It would be interesting to see if the same technique can be
used again to warn these victims.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=5333
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=10427]

 --Healthcare Workers in UK and US Not Taking Adequate Security
Precautions with Data
(November 20, 2008)
A survey of 1,000 healthcare workers in the UK and the US found that
more than one-third store sensitive patient data on portable data
storage devices, including laptop computers, Blackberrys and USB sticks.
One-fifth of respondents said they stored data on their personal devices
to transport the information. One-third of those responding said they
use passwords as the only form of data protection. Six percent of UK
respondents said they use no data protection at all; in the US, that
figure is 18 percent. Of the UK workers, 56 percent use strong data
protection methods, including encryption, two-factor authentication,
biometrics and smart cards. Among US respondents, just 23 percent use
strong data protection methods.
http://www.vnunet.com/vnunet/news/2230989/healthcare-workers-putting

 --Canadian Telecom Regulator Says Bell Canada's Traffic Throttling OK
(November 20, 2008)
The Canadian Radio-television and Telecommunications Commission (CRTC)
has denied a complaint filed by the Canadian Association of Internet
Providers (CAIP) asking that CRTC stop Bell Canada from throttling
certain types of Internet traffic. Bell Canada admits that it has
slowed traffic from peer-to-peer (P2P) filesharing websites during peak
Internet traffic hours. The company also acknowledged that it uses deep
packet inspection. CRTC said that "CAIP has not demonstrated that Bell
Canada's methodology for determining congestion in the network is
inappropriate." The finding contrasts with recent similar issues in the
US involving Comcast's use of selective traffic throttling.
http://www.pcmag.com/article2/0,2817,2335133,00.asp
http://www.theglobeandmail.com/servlet/story/RTGAM.20081120.wcrtc1120/BNStory/Technology/?cid=al_gam_nletter_techweekly

************************* SPONSORED LINK ******************************

SANS Home SEC401 Security Essentials is being offered starting
December 10th, 2008. HOME is a great way to get the needed essential,
up-to-the-minute knowledge and skills required for effective
performance. If you are given the responsibility for securing systems,
get more information here and register at http://www.sans.org/info/32138
"I found the home sessions with Seth Misenar much easier to fit my
professional and personal schedule. Having three hours of class one
night a week with seven days to review the content in between was
priceless." --Nikki Allen-Cain, First Bankers Trust Co

*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Teen Hacker Admits Wrongdoing
(November 18 & 19, 2008)
A teenage hacker from Massachusetts, who uses the online name
"Dshocker," has pleaded guilty to charges of computer intrusion,
interstate threats and wire fraud. According to prosecutors, the
16-year-old, who was unnamed in accordance with federal law, broke into
multiple computer systems, recruited computers into botnets, spoofed
emergency phone calls to elicit SWAT responses, and made fraudulent
purchases with stolen credit card information. The defendant has agreed
to an 11-month sentence to be served at a juvenile detention facility,
although he has not yet been formally sentenced. If he had been tried
as an adult, he could have faced up to 10 years in prison, five years
of supervised release and a US $250,000 fine.
http://www.theregister.co.uk/2008/11/19/dshocker_pleads_guilty/
http://www.cybercrime.gov/dshockerPlea.pdf

 --College Student Charged in Alleged eMail Hacking and Attempted Extortion
(November 17, 2008)
A Kentucky college student has been charged with identity theft and
unlawful access to a computer for allegedly breaking into other
students' email accounts at the University of the Cumberlands and using
the access and information to blackmail them. Sungkook Kim allegedly
threatened to divulge the contents of certain messages unless the
students complied with his demands. He also allegedly placed spyware
on computers at the college library to harvest the information necessary
to access the email accounts and used someone else's wireless router to
send the threatening messages.
http://www.kentucky.com/181/story/595802.html
[Editor's Note (Northcutt): Sounds like a "security awareness tip of the
day" moment. Using public computers is dangerous; the odds are high
that your details will be collected. In addition, the folks with whom
you communicate will likely have their email addresses harvested. Here
are a couple of links for further and supporting information:
http://www.linuxfortravelers.com/the-risks-of-using-public-computers
http://blogs.techrepublic.com.com/10things/?p=322]

POLICY AND LEGISLATION
 --Mass. Data Protection Regulation Compliance Deadline Pushed Back Five Months
(November 14 & 20, 2008)
The Massachusetts Office of Consumer Affairs and Business Regulation
(OCABR) has extended the compliance deadline for regulations that
require companies doing business with Massachusetts residents to use
encryption and other strong data security measures to protect residents'
personal information. Citing current economic conditions, OCABR
extended the deadline from January 1, 2009 to May 1, 2009. The
companies have until January 1, 2010 to provide certification from
third-party providers that they are in compliance with the data
protection requirements of the state's consumer protection laws.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121018&source=rss_topic17
http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=081114_IDTheftupdate&csid=Eoca

 --UK Information Commissioner Seeks Authority to Impose Increased Fines
(November 18, 2008)
The UK Information Commissioner's Office (ICO) wants the authority to
fine companies up to 10 percent of their revenue for violations of the
Data Protection Act, which would match the maximum penalty that can be
imposed by the Financial Services Authority on companies that do not
comply with financial regulations. Presently, the maximum fine the ICO
may impose is GBP 5,000 (US $7,366).
http://www.growthbusiness.co.uk/news/business-news/814242/fines-likely-for-data-breaches.thtml
[Editor's Note (Schultz): The level of ICO's current authority is
ostensibly not nearly sufficient to deal with cases of negligence in
data protection. Increasing this office's level of authority to levy
much more substantial fines would thus constitute a step forward in
helping combat data security breaches as well as identity theft.
(Dick): I agree with Eugene's comment. I recently learned from
executives in the electrical power industry one of the primary driving
forces in addressing cyber security issues was the fear of significant
fines and penalties from Federal and State regulatory agencies. In
short, the power companies could not be allowed to pass on the fines and
penalties in their rates. If they pay for it, the business case for
investment in improved security becomes easier.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Australian ISP Sued for Allegedly Allowing Illegal Filesharing
(November 20, 2008)
A group of film and television companies has sued iiNet, one of
Australia's largest Internet service providers (ISPs), alleging that it
allows its users to download television programs and movies in violation
of copyright laws. iiNet COO Mark White says his company in no way
supports piracy, but that it cannot cut off service to customers simply
because the movie industry says they are downloading content illegally.
The lawsuit seeks a ruling that iiNet engaged in copyright infringement
by failing to stop its users from illegally sharing files; it also seeks
an order that would require iiNet to take action to prevent such
activity in the future.
http://www.smh.com.au/news/technology/biztech/film-companies-sue-iinet-for-allowing-piracy/2008/11/20/1226770617457.html?page=fullpage#contentSwap1

DATA LOSS & EXPOSURE
 --British National Party Membership List Posted to Internet
(November 19, 2008)
A membership roster of the British National Party (BNP) has been posted
to the Internet. The exposed data include names, home addresses, home
and mobile phone numbers, and email addresses of approximately 13,500
supporters of the far-right political party. Some of those whose
information was posted fear they could lose their jobs or be physically
attacked. The data appear to have been posted by a disgruntled BNP
member. Police have been called in to investigate.
http://www.guardian.co.uk/politics/2008/nov/19/bnp-names-web-police-security
http://www.timesonline.co.uk/tol/news/uk/article5183833.ece
[Editor's Note (Honan): In the UK it is a sackable offence for a member
of the police force to be also a member of the BNP.]

ATTACKS
 --IT Staff Still Working to Address Malware on London Hospital Systems
(November 19 & 20, 2008)
IT staff are still working to eradicate the effects of a Mytob worm
infection that forced the shutdown of computer systems at three London,
UK-area hospitals. The problem appeared to be addressed on Monday
evening, but the system crashed on Tuesday. The malware does not appear
to have spread to other systems.
http://www.theregister.co.uk/2008/11/19/hospital_computer_virus_shutdown_update/
http://software.silicon.com/malware/0,3800003100,39348158,00.htm?r=8

STUDIES AND STATISTICS
 --Survey: Many Irish eCommerce Websites Lack Strong Data Protection
(November 19, 2008)
A Deloitte Enterprise Risk Services survey of more than 100 Irish
ecommerce websites found that 65 percent do not employ stringent online
payment security measures. Results of the survey indicate that "a
significant proportion of websites" are not in compliance with the
Payment Card Industry Data Security Standards. More than half of the
sites were found to be using weak or legacy encryption, while two
percent used no encryption at all.

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at
the FBI and is the incoming President of the InfraGard National Members
Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
