
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XI - Issue #14

February 20, 2009

The age of cyber lawsuits and cyber liability has started in earnest. Today's top story about the two suits against RBS, on top of the Heartland disclosures and the $20 million VA paid "to avoid any further litigation" come together to persuade plaintiff attorneys that the cyber sphere is a "target rich environment" for lawsuits - even nuisance lawsuits. This trend may be aggravated by a sharp slowdown in other areas of the law. Since security probably will never be perfect, what is needed is a minimum standard of due care that agencies, companies, and courts can use to determine how much and what kind of investment in security is "enough." The announcement coming Monday, Feb. 23, by the Center for Strategic and International Studies (CSIS) and key government agencies may be the critical first step toward that minimum standard. Even if it doesn't solve the legal problem, it almost certainly will revolutionize federal cybersecurity practice and will spill over to the defense industrial base, and banks and commercial organizations almost immediately. Look for a flurry of articles Monday morning for details. [For press only, email for embargoed details and a pointer to the press teleconference.]


RBS Faces Second Class Action Lawsuit
USAF Cracking Down on Bases With Lax Internet Security
Reports of Cyber Incidents on the Rise


Alleged VoIP Scam Mastermind Indicted
Prosecutors Drop Some Charges in Pirate Bay Case
Government Travel Reservation Site Suffers Redirect Attack
CVS Caremark Settles FTC and HHS Charges Over Unprotected Data
Facebook Working to Clarify Terms of Use Policy
Wyndham Hotel Customer Data Compromised
Exploit Targets Known IE7 Remote Code Execution Flaw
Small Businesses Want Centralized Cyber Incident Reporting Organization




RBS Faces Second Class Action Lawsuit (February 18, 2009)

A Philadelphia law firm has filed a class action lawsuit against RBS WorldPay following revelations that cyber criminals infiltrated the RBS computer system and stole information that was used to make US $9 million worth of fraudulent withdrawals from ATMs. The lawsuit seeks US $200 million in damages. RBS says customers will not be liable for fraudulent transactions made on their accounts. This is the second lawsuit filed against RBS in as many months; a suit filed in January alleges the bank misled investors when it issued shares in the US in 2007.
[Editor's Note (Ranum): Internet security lawsuits: the new asbestos.
(Northcutt): RBS has offered one year of credit monitoring, the suit demands 6 or 7 years. ]

USAF Cracking Down on Bases With Lax Internet Security (February 18, 2009)

The United States Air Force is reportedly cutting off Internet access at bases where network security policies are not being strictly followed. Troops are already limited in what they are permitted to access on the internet - for instance, they may not visit any site that has the word "blog" in its URL. Throughout the Defense Department, troops are prohibited from accessing YouTube, MySpace and other social networking sites.
[Editor's Note (Pescatore): Where policies match mission needs, punishing users who violate policy is a good thing. But when mission policies say "you need to do this to get the job done" and security policy says "don't do that" then the problem is the policy and the lack of security controls to make business operations safe.
(Schultz): I am a fervent blog writer whose primary aim is to raise awareness of information security issues (see
As such, I am truly disappointed that the U.S. Air Force is blocking access to any site with "blog" in its URL. Equating blog access with a lack of Internet security is simply foolish.
(Northcutt): The blog blocking thing has been going on for about a year. I feel two ways about this. First, this is a bit like security theater; troops would not even be able to read the Wired magazine blog about this because it would be blocked and the source document is on a pay-per-view site. On the other hand, I applaud the US Air Force for taking action. I have heard Hord Tipton, now the CEO of ISC2, recount the story of being CIO of the Department of Interior when they were ordered off the Internet. It really got their attention and I suspect that will happen with some of the Air Force bases. It also brings up something I have been thinking about a lot lately: maybe we give too many employees powerful computers and access to the Internet. Maybe it is time to really start thinking about thin client technology before we implement the cloud.
(Weatherford): While these measures may seem draconian to some and even absurd to others, we should remember that what they are talking about is the military's unclassified NIPRNet network. The very same network that's been publicly identified as being repeatedly compromised and having vast amounts of "unclassified" information accessed and stolen. The same network that runs the military procurement and delivery supply chain, contains the personal information of all Sailors, Soldiers, Airmen, and Marines, and all of the other "unclassified combat support" functions of the military. ]

Reports of Cyber Incidents on the Rise (February 17, 2009)

The number of cyber security incidents at federal civilian agencies reported to the US Department of Homeland Security's US-CERT has tripled since 2006. In fiscal 2008, 18,050 incidents were reported, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006. Agencies are required to report cyber security incidents under the Federal Information Security Management Act (FISMA); such incidents include unauthorized access, denial of service, malicious code, improper use, scans, probes and attempted unauthorized access. The significant increase over the last several years can be attributed to both an increase in malware and a heightened awareness of and ability to detect incidents.
[Editor's Note (Pescatore): The number of agencies monitoring and reporting incidents to US-CERT has increased faster than that rate of incident growth.
(Schultz): The number of reported incidents here is ridiculously low, too low to be credible. As such, the reported increase in the number of incidents is interesting to note, but not necessarily believable.
(Skoudis): Although improved reporting isn't a firm sign that there are more incidents, it does help the government better understand what it faces. With more data from better reporting, defenses can be better tuned to the actual attack vectors being hurled at agencies.
(Ranum): In the past it has proven very difficult to get a decent picture of attack rates and incident rates, due to reporting failures or disagreement as to what constitutes an "attack" or "incident." While reports like this are interesting to hear about, they should not be taken particularly seriously. "Attempted unauthorized access" covers a gigantic range of possibilities. My guess is that this is just pre-positioning for more alms-begging for a handout of budget dollars. ]





Alleged VoIP Scam Mastermind Indicted (February 18, 2009)

A federal grand jury has indicted Edwin Pena for breaking into the computer networks of voice over Internet protocol (VoIP) service providers. Pena was originally arrested in June 2006 on charges that he and an accomplice broke into the networks and resold the VoIP services. Pena fled the country several weeks later and was recently apprehended in Mexico, where he is still being held. Pena's alleged accomplice, Robert Moore, pleaded guilty to conspiracy to commit computer fraud in 2007 and is currently serving a two-year federal prison sentence. Investigators allege that Pena masterminded the scheme and that Moore was the one who broke into the systems.


Prosecutors Drop Some Charges in Pirate Bay Case (February 17, 2009)

On the second day of the trial in Stockholm, the Pirate Bay defense team was pleased to learn that half of the charges originally brought against the founders of the website have been dropped. Prosecutors maintain they aim to simplify their task by dropping the charges that deal with "assisting copyright infringement" and focusing instead on charges of "assisting making available copyright material." Pirate Bay does not host content on its website; instead, it provides links to others that allow users to download movies, music and other digital content.


Government Travel Reservation Site Suffers Redirect Attack (February 18 & 19, 2009)

The website is currently offline due to a redirect attack. Earlier this month, attackers altered the website so that it directed visitors to another URL, which in turn downloaded malware onto their computers. The website is used by a number of US government agencies to make travel reservations and to reimburse employees for travel expenses through direct deposit, meaning that the site retains some employees' bank account information. The attack has been reported to the US Computer Emergency Readiness Team (US-CERT). The site has been offline for more than a week.


[Editor's Note (Pescatore): This has been a malware path that hit several agencies, pointing out two problems: GovTrip's lack of web site security and many government agencies' lack of HTTP inbound malware detection. Web security gateways have to move beyond just URL blocking since so many unblocked sites get compromised. ]


CVS Caremark Settles FTC and HHS Charges Over Unprotected Data (February 18, 2009)

CVS Caremark has agreed to settle US Federal Trade Commission (FTC) charges related to inadequate customer and employee data protection. The FTC charged that CVS Caremark violated federal law by not employing "reasonable and appropriate security measures to protect the sensitive financial and medical information." CVS will also pay US $225 million to settle allegations made by the Department of Health and Human Services that it violated the Health Insurance Portability and Accountability Act (HIPAA). The complaints stemmed from reports that CVS pharmacies were tossing items that contained patient names, medications and dosages as well as sensitive financial information into open trash receptacles. Under the terms of the settlement, CVS Caremark must establish and maintain an effective information security program and undergo third party security audits every two years for the next 20 years.
[Editor's Note (Pescatore): The Federal Trade Commission just keeps quietly going along enforcing existing regulations around privacy exposures. I hope they get a good chunk of stimulus funding - that would have a high ROI. ]

Facebook Working to Clarify Terms of Use Policy (February 18 & 19, 2009)

Social networking site Facebook has backed off a change to the language in its terms of service. The revision, made earlier this month, appeared to say that Facebook was giving itself the right to archive for an indefinite period of time content posted by users, even after they have terminated their accounts. Facebook has announced a return to its previous Terms of Use policy while the issue is resolved. A Facebook spokesperson noted that "Facebook does not, nor (has it ever) claimed ownership over people's content."


[Editor's Note (Pescatore): No, Facebook and Google never say they *own* your information. They just want to be able to show it to everyone in the world with ads wrapped around it.
(Northcutt): This is a very challenging business problem for all of the free social media sites. The Yahoo/Flickr Terms of service says: "Yahoo! does not claim ownership of Content you submit or make available for inclusion on the Yahoo! Services." You can find that as item 9 in their Terms of Service:


Wyndham Hotel Customer Data Compromised (February 18, 2009)

Attackers broke into the computer system of Wyndham Hotels and Resorts last summer and stole payment card information belonging to thousands of the hotel chain's guests. The point of intrusion was a franchisee's establishment, but the computer there was connected to other Wyndham computers. The breach ultimately compromised information from computer systems of 41 Wyndham properties. The number of people affected by the breach has not been disclosed, but a letter sent to Florida's attorney general indicated that approximately 21,000 residents of that state may have been affected. The stolen information includes names, card numbers, expiration dates and magnetic stripe data.


Exploit Targets Known IE7 Remote Code Execution Flaw (February 17, 18 & 19, 2009)

Cyber attackers are exploiting a remote code execution vulnerability in Microsoft's Internet Explorer 7 (IE 7) that was addressed in one of the security bulletins (MS09-002) Microsoft issued earlier this month. The malware comes packaged in a Word document; when the document is opened, an ActiveX object directs users' unpatched PCs to a website that installs malware capable of sending stolen data to another web address.

[Editor's Note (Skoudis): There are exploits for this one floating through the wild, and have been for a while. If you haven't gotten this patch applied yet, you need to accelerate your efforts. Oh, and check carefully to see if you've already fallen victim to it through infection by running anti-malware scans of the machine. ]


Small Businesses Want Centralized Cyber Incident Reporting Organization (February 19, 2009)

A report from the Federation of Small Businesses says that 54 percent of small businesses have experienced fraud or cyber crime over the last year. Although more than one-third of respondents do not report the incidents to police or to banks because they believe it would not make a difference, 53 percent of those surveyed would like specific information about how and where to report the incidents. Eighty-five percent of respondents said that they would make use of organizations established specifically to gather the information and use it to combat fraud. The average annual cost of cyber crime and fraud to small businesses in the UK is GBP 800 (US $1,140).

[Editor's Note (Paller): Gee, do you think the Federation would be willing to run such a centralized reporting organization, if given government funds, to meet the overwhelming desire of small organizations to report cyber attacks? ]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
