********************** Sponsored By Q1 Labs *****************************
** DID YOU MISS THE JULY 1 DEADLINE? **
Meeting the NERC CIP Compliance Challenge
All public and private energy companies that connect to the bulk power system must comply with this regulation by July 1, 2009, or face potential fines and penalties. If you're responsible for network and security management at a utility company, you will want to join this webinar to learn about a cost-effective security management solution that provides extensive log and threat management capabilities to substantially reduce the risk of network-based threats and cyber-terrorism. REGISTER FOR THE WEBINAR NOW: http://www.sans.org/info/45824
*************************************************************************
TRAINING UPDATE
David S. Patton pleaded guilty to aiding and abetting violation of the CAN-SPAM Act for developing a tool used by a prolific spammer, Alan Ralsky. Patton could face up to six years in prison and has agreed to forfeit more than US $50,000 he made from selling his Nexus and Proxy Scanner tools. Nexus can be used to create email messages with phony headers; Proxy Scanner, as its name suggests, sends the unsolicited email through compromised proxies. Patton's case stems from a pump-and-dump scheme that was orchestrated by Alan Ralsky, who is facing a prison sentence of up to seven years.
-http://www.theregister.co.uk/2009/07/08/zombie_tool_charges/
-http://www.cybercrime.gov/pattonPlea.pdf
Not Guilty Plea in Pump-and-Dump Scheme (July 7, 2009)
Jaisankar Marimuthu has pleaded not guilty to charges related to his alleged role in a pump-and-dump scheme. Marimuthu, who is from India, was extradited to the US from Hong Kong last month. Thirugnanam Ramanathan has already pleaded guilty to fraud charges in connection with the scheme; a third man, Chockalingam Ramanathan, remains at large. The three allegedly broke into online brokerage accounts and created new, fraudulent accounts through which they purchased and sold stocks to manipulate their prices.
-http://www.computerworld.com/s/article/9135275/US_authorities_extradite_Indian_on_hacking_charges?taxonomyId=17
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Revised Anti-Piracy Bill Adopted in French Legislature (July 9, 2009)
French legislators have adopted a revised version of a controversial Internet piracy bill. An earlier version of the bill that would have allowed a new state agency to cut off Internet access for habitual illegal downloaders was blocked due to concerns about its constitutionality. The new version grants that power to the courts. People believed to be downloading content in violation of copyright law would receive two warnings; if they persist in their activities, the case would be referred to a judge who could impose a ban on Internet access, a fine of up to 300,000 euros (US $420,600) or a two-year jail sentence. People who allow others to use their Internet connections for illegal downloading could face a 1,500 euro (US $2,100) fine and a one-month Internet suspension.
-http://news.smh.com.au/breaking-news-technology/french-senate-adopts-rejigged-internet-piracy-bill-20090709-ddjt.html
DATA PROTECTION & PRIVACY
Talk Talk Pulls Out of Phorm Deal (July 8 & 9, 2009)
MasterCard Prohibits Remote Key Injection Technology in Certain Cases (July 8 & 9, 2009)
There are unconfirmed reports that MasterCard has decided not to allow some merchants to use remote key injection (RKI) technology "to install new encryption keys on point-of-sale (POS) systems." The alternative is to install new encryption keys manually, which would consume significantly greater resources. Subsequent reports indicate that MasterCard will not allow the use of RKI technology with POS terminals that are not compliant with the Payment Card Industry Data Security Standards (PCI DSS).
-http://www.scmagazineus.com/MasterCard-will-not-permit-automated-encryption-upgrade/article/139803/
-http://www.computerworld.com/s/article/9135316/MasterCard_halts_remote_POS_security_upgrades?source=rss_security
[Editor's Note (Pescatore): I remember when the Slammer and Blaster worms hit ATM machines running Windows, it turned out that ATMs couldn't be patched on the network - a technician had to physically visit each machine to install the patch. Yet, the malware could spread over the network. Relying on manual processes to stay ahead of threats doesn't work, but if the reality is that they want to accelerate updates to PIN Entry Device certified PoS devices and will only require manual key injection for older devices, I can see why they are doing this. But, lots of pitfalls here if only MasterCard takes this approach.]
Thoughts on Naming Executables
By Mark Eggleston
A malware executable by any other name?
As part of good HIPS or endpoint protection, do you block known malware executables? For example, allowing video.exe to run in your environment is asking for trouble. A simple web search should yield the names of software .exes for vendors to avoid using in their products. Nonetheless, we see more and more legitimate executables named after known malware, making it difficult to block such malware. Often other workarounds must be used to allow horribly named (but legitimate) .exes.
The way I see it, if the industry can implore vendors to write secure code, getting them to name their executables intelligently certainly sounds feasible. If nothing else, it is a good checklist item as part of good development - maybe even part of a "certified" partner criteria.
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/