6 days to save $250 for SANS Crystal City 2014 - ends August 6

SANS NewsBites - Volume: XI, Issue: 66

*************************************************************************
SANS NewsBites                     August 21, 2009                    Volume: XI, Issue: 66
*************************************************************************
TOP OF THE NEWS

  FTC Rule Expands Health Data Breach Notification Responsibility to Web Based Entities
  New Gonzalez Indictment Throws Wrench in Plea Agreement
  Dept. of Agriculture Agency Bans All Browsers but IE

THE REST OF THE WEEK'S NEWS

  LEGAL ISSUES
   Google Ordered to Disclose Blogger's Identity
   Missouri Woman First to be Charged Under New Cyber Bullying Law
   Clear Ordered Not To Sell Traveler Data
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Police Investigating Leak of Unreleased Music Tracks
  DATA BREACHES
   Radisson Breach
  SPYWARE, SPAM & PHISHING
   Spam Claims to be Recruiting Users to Participate in DDoS
  STUDIES AND STATISTICS
   Employers Blocking Social Networking Sites More Often
  MISCELLANEOUS
   Webhost and Mobile Carrier Drop Mitnick Due to Attacks on His Accounts
   West African Undersea Cable Repaired; Six Others Near Taiwan Damaged By Storm


*************************** Sponsored By Bit9 ***************************

Webinar: SANS' Chris Brenton on a World Without Malware
August 27th; 2:00pm EDT

Register for this FREE webinar to hear Chris Brenton address how to eliminate malware and close the security gap that threatens our nation's infrastructure. Topics include:
- - What makes systems vulnerable
- - Why we are losing the malware battle
- - How to win the war

https://www.sans.org/info/47533

*************************************************************************

TRAINING UPDATE

- - SANS Network Security, San Diego Sept. 14-22; the Fall's biggest security training conference-- 20 full length courses and 16 short courses plus a big exhibition
https://www.sans.org/ns2009
- - SANS Virginia Beach August 28 - Sept. 4. 11 full-length courses plus short courses:
https://www.sans.org/vabeach09/
- - The Virtualization and Cloud Security Summit on August 17-18 in Washington; courses in the following days
https://www.sans.org/info/43118
- - Looking for training in your own community?
https://sans.org/community/
- - Save on On-Demand training (30 full courses) - See samples at
https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live:
http://www.sans.org

*************************************************************************

TOP OF THE NEWS

FTC Rule Expands Health Data Breach Notification Responsibility to Web-Based Entities (August 18, 2009)
The US Federal Trade Commission has issued a final rule on health care breach notification. The rule will require web-based businesses that store or manage health care information to notify customers in the event of a data security breach. Such entities are often not bound by the requirements of the Health Insurance Portability and Accountability Act (HIPAA); this rule addresses that discrepancy.
-http://www.darkreading.com/security/government/showArticle.jhtml?articleID=21940
0484


[Editor's Note (Pescatore): If my kids grow up to be government agencies, I hope they turn out to be the FTC. Any government agency is my kind of government agency when they issues press releases with headlines like "FTC Says Mortgage Broker Broke Data Security Laws: Dumpster Wrong Place for Consumers' Personal Information." ]


New Gonzalez Indictment Throws Wrench in Plea Agreement (August 17, 19 & 20, 2009)
Albert Gonzalez was on the verge of reaching a plea agreement with federal prosecutors regarding charges in a number of hacking cases when he was indicted again by federal prosecutors in New Jersey in connection with a number of high profile data security breaches, including those at Hannaford Bros. and Heartland Payment Systems. Gonzalez had been awaiting trial to face charges he stole data for hundreds of millions of credit card accounts and was close to a deal that would have had him serve about 20 years in prison. That deal was scuttled because of the new charges. In related news, it was disclosed this week that the Heartland data breach was conducted, at least in part, through SQL injection attacks.
-http://www.theregister.co.uk/2009/08/20/albert_gonzalez_attorney/
-http://bits.blogs.nytimes.com/2009/08/19/accused-hackers-lawyer-criticizes-feder
al-prosecutors/?ref=technology

-http://www.computerworld.com/s/article/9136836/Hacking_kingpin_negotiating_plea_
deal_with_feds?source=rss_security

-http://www.wired.com/threatlevel/2009/08/tjx-hacker-plea/
-http://www.csoonline.com/article/print/499964
-http://www.cybercrime.gov/gonzalezIndic.pdf


[Editor's Note (Schmidt): Two points on this story:
1) This type of case has many parallels to a traditional drug case in working informants with the exception that it is even more difficult to monitor what the informant is doing that is of a criminal nature.
2) If true, that this was accomplished using a SQL injection attack, it shows once again how this type of hack should have been prevented by checking for basic and well known vulnerabilities and fixing them. ]


Dept. of Agriculture Agency Bans All Browsers but IE (August 19, 2009)
The US Department of Agriculture's Cooperative State Research, Education and Extension Service (CSREES) has banned the use of all browsers but Internet Explorer (IE). The memo announcing the policy, which applies only to CSREES computers, states that "In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations." FDCC does not require agencies to ban the use of non-IE browsers. Some employees say they were told that third party browsers had allowed breaches. In addition, IE settings can be managed centrally, while other browsers' settings need to be managed locally.
-http://www.nextgov.com/nextgov/ng_20090819_3426.php?oref=topstory
[Editor's Note (Schultz): Not all that many years ago there were so many vulnerabilities in IE that this browser fell into disfavor within the information security community. Over time people realized that IE had about the same number of vulnerabilities as did Firefox, something that caused the hysteria over IE to subside. Now the Department of Agriculture (which, by the way, has a much less than stellar record when it comes to security breaches) requires that IE be used. How things change. Also, Microsoft must get a special sense of satisfaction over this victory for IE. ]




THE REST OF THE WEEK'S NEWS

Google Ordered to Disclose Blogger's Identity (August 20, 2009)
In a landmark case, a New York court ordered Google to provide information leading to the identity of a blogger who posted defamatory comments about Canadian model Liskula Cohen. The blog was removed from Google's Blogger.com in March, but Cohen pursued the case to determine the blogger's identity. After the court made its ruling, Google surrendered email addresses and IP addresses associated with the blogger.
-http://news.smh.com.au/breaking-news-technology/canadian-model-unmasks-blog-torm
entor-20090820-er0x.html

[Editor's Note (Pescatore): The phone companies have to disclose the same type of information about a caller who makes threatening calls. ]


Missouri Woman First to be Charged Under New Cyber Bullying Law (August 18, 2009)
A 40-year-old Missouri woman has been charged with felony cyber bullying for allegedly posting photographs and personal information of a teenager to the Casual Encounters section of Craigslist. Elizabeth A. Thrasher is the first person to be charged under a new law that was enacted after cyber bullying incident several years ago that ended with the suicide of a 13-year old girl. Missouri at that time had no law under which to charge the cyber bully. The new law took effect last year.
-http://www.theregister.co.uk/2009/08/18/cyberbullying_charges/

[Editor's Comment (Northcutt): Mostly I think the new world order where everyone with a cell phone camera and a laptop is a reporter and everyone with a blog is a publisher is a good thing. But the press has had years to develop a code of ethics balancing the people's right to know with responsible journalism (the first link below is the code of ethics). In the related story in NewsBites about Liskula Cohen as a Vogue cover girl is a public figure, but calling her a "ho" and a "skank" is at least in poor taste, however such language may in fact be protected by the courts. Now Elizabeth A. Thrasher goes a step further; posting pictures, cell phone, email and employer to the Casual Encounters section of Craigslist apparently because she had an argument with the girl's mother. Because Missouri has explicitly passed cyber bullying laws, it is unlikely that she can claim protected speech. Lori Drew, the lady that was behind the cyber bully activity that led to the death of Megan Meier is probably going to go free because this legislation was passed after Megan's death. It is sad that we need cyber bully legislation, but apparently we do.

-http://www.spj.org/ethicscode.asp
-http://goldsea.com/811/25hoax.html
-http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article6802494
.ece

-http://www.meganmeierfoundation.org/
-http://www.nydailynews.com/news/2009/08/19/2009-08-19_court_tells_model_liskula_
cohen_identity_of_blogger_that_called_her_a_skank_she_.html
]


Clear Ordered Not To Sell Traveler Data (August 19 & 20, 2009)
A federal court judge in Manhattan has ordered Clear not to sell, transfer, or disclose customer data it collected as part of its airport security expediting service. The company shut down operations in June due to cash flow issues. The company said on its website shortly thereafter that it was seeking to sell the data to another company that would provide similar services, but the judge has nixed that plan; former customers now suing Clear for fees they had already paid are likely to win their suit because the contract they signed said the company would not sell their data. The company has also been ordered to save all pertinent documents. Clear founder Steven Brill is not party to the suit filed by Clear customers because Clear parent company Verified Identity Pass (VIP) creditors asked him to step down in May; he has filed a suit against VIP seeking severance pay. Also competing for whatever assets VIP has left are the company's investors.
-http://www.wired.com/epicenter/2009/08/defunct-airport-fast-pass-company-banned-
from-selling-customer-biometrics/

-http://news.idg.no/cw/art.cfm?id=37662EF5-1A64-67EA-E4CE3F08FAF4EFCF


[Editor's Note (Honan): The United States needs to implement federal privacy laws similar to the EU's Data Protection Directive to ensure companies cannot trade their clients' personal information without prior consent and to negate the need for other similar cases going to court. ]


Police Investigating Leak of Unreleased Music Tracks (August 19 & 20, 2009)
The police have been called in to help record company Syco and the International Federation of the Phonographic Industry (IFPI) figure out who leaked three unreleased songs by Leona Lewis to the Internet. Syco is run by music promoter and television talent show judge Simon Cowell. The stolen tracks were made for a new album that is slated for a November release. Music thieves have also stolen and released songs by Alexandra Burke.
-http://www.smh.com.au/technology/technology-news/hackers-bleed-leona-lewis-duet-
online-20090820-er52.html

-http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/music/article6
802172.ece



Radisson Breach (August 19, 2009)
Radisson Hotels and resorts has posted an open letter to its guests, informing them "that between November 2008 and May 2009, the computer systems of some Radisson hotels in the US and Canada were accessed without authorization." The compromised data include names, and credit card numbers and expiration dates. Radisson learned of the breach after hearing about fraudulent activity from credit card companies and processors.
-http://www.radisson.com/openletter/openletter.html
-http://www.computerworld.com/s/article/9136851/Radisson_Hotels_Data_breach_affec
ted_limited_number_of_sites_guests?source=rss_security

-http://www.eweek.com/c/a/Security/Radisson-Reports-Computer-Systems-Breached-353
879/?kc=rss



Spam Claims to be Recruiting Users to Participate in DDoS (August 19, 2009)
Spammers have started to exploit the heated opinions surrounding healthcare reform in the US. A new batch of spam messages point recipients to a site where they are encouraged to download a software tool that can purportedly be used to help launch a distributed denial-of-service (DDoS) attack against the White House web site. The users are urged to visit the site often for updates. While it is unclear whether the download is actually a DDoS tool, it is evidently some sort of malware.
-http://www.theregister.co.uk/2009/08/19/obama_ddos_tool_ruse/
-http://www.scmagazineus.com/Spammers-seeking-volunteers-to-DDoS-White-House/arti
cle/146807/



Employers Blocking Social Networking Sites More Often (August 19 & 20, 2009)
According to research from ScanSafe, companies are increasingly blocking social networking sites. Seventy-six percent of the company's customers block sites like Facebook, a 20 percent increase over the last six months. Fifty-eight percent block access to webmail, 52 percent block access to shopping sites, and 51 percent block access to sports sites. Social networking sites can expose companies to malware and can also drain employees' productivity.
-http://www.v3.co.uk/v3/news/2248091/companies-blocking-social
-http://www.scmagazineuk.com/Employers-block-more-social-networking-sites-than-sh
opping-or-pornography/article/146866/



Webhost and Mobile Carrier Drop Mitnick Due to Attacks on His Accounts (August 19, 2009)
AT&T has informed Kevin Mitnick that it no longer wants him as a customer; it seems that his status as a "celebrity hacker" makes his account an inviting target for script kiddies and the cellular provider no longer wants to direct its resources toward protecting his account from attacks. AT&T made the decision to boot Mitnick after he hired legal representation to complain that his private information was not being adequately protected. Several weeks ago, Mitnick's webhost, HostedHere.net, notified him that it was ending their business relationship. The webhost described Mitnick as "a high profile target."
-http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/


West African Undersea Cable Repaired; Six Others Near Taiwan Damaged By Storm (August 18 & 19, 2009)
A damaged section of the undersea SAT-3 cable that provides Internet service to portions of West Africa has been repaired. Nigeria experienced significant outages; Niger and Benin were affected as well. SAT-3 is the only fiber optic cable serving West Africa. In a separate story, six undersea fiber optic cables damaged by a typhoon near Taiwan earlier this month are expected to be repaired by mid-September. The cables carry Internet traffic between the US, North Asia, Taiwan, China, Hong Kong and sections of Southeast Asia.
-http://news.bbc.co.uk/2/hi/technology/8206728.stm
-http://mis-asia.com/news/articles/damaged-undersea-internet-cables-to-be-fixed-s
oon



**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/