SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XI - Issue #47
June 16, 2009
TOP OF THE NEWS
Smart Meters are Full of Holes
European Commission Wants Stiffer Cyber Crime Penalties
Spam King Could Face Jail Time for Violating Facebook Restraining Order
Virgin and Universal Reach Fee-Based Download Arrangement
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Arrests and Indictments in International Phone Hacking Scheme
Ten Arrested in Music Downloading Scam
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Legislators' Proposal Would Revise Real ID Act
Israeli Government Sites Attacked in January
Illinois State Agency Missing 52 Computers
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Jammie Thomas-Rasset Downloading Case Back in Court
UPDATES AND PATCHES
Mozilla Updates Firefox to Version 3.0.11
ATTACKS & ACTIVE EXPLOITS
Student Arrested for Accessing School System Without Authorization -- Again
STUDIES AND STATISTICS
Survey: Admins Exploit Privileges to Access Sensitive Data
************************ Sponsored By Symantec *************************
Data Loss During Downsizing
According to a research study conducted by the Ponemon Institute, more than half of ex-employees admit to stealing company data. Download this report to view survey results and to see how you can protect your organization from being so vulnerable.
Download report at http://www.sans.org/info/44784
- - The Forensics Summit starts in four weeks on July 9, and has four courses http://www.sans.org/forensics09_summit/event.php:
Computer Forensic and E-discovery Essentials
Computer Forensics, Investigation, and Response
Advanced Filesystem Recovery and Memory Forensics
Drive and Data Recovery Forensics
- - Rocky Mountain SANS, July 7-13 (6 full-length hands-on courses) http://www.sans.org/rockymnt2009/event.php
- - SANS Boston, Aug 2-9 (6 full-length hands-on courses) https://www.sans.org/boston09/index.php
Looking for training in your own community? http://sans.org/community/
Save 25% on all On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Amsterdam, London, Dubai, Riyadh, Cairo, Melbourne, Canberra, and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
Smart Meters are Full of Holes (June 12, 2009)
"Smart" electricity meters currently being installed at homes and businesses in the US are full of vulnerabilities that could place the country's power grid in peril. The researcher who found the flaws plans to demonstrate them at the Black Hat security conference next month. The meters allow two-way communication between the electricity users and the power plants supplying their energy. They were designed to make power use more efficient. Most of the devices do not use encryption and do not require authentication before installing software updates or cutting customers off from the grid.
[Editor's Note (Pescatore): If the first generation of this technology follows past patterns, the security model was likely focused on making sure customers couldn't tamper with the usage meter and not so much on making sure the technology was truly secure. ]
European Commission Wants Stiffer Cyber Crime Penalties (June 15, 2009)
Convicted cyber criminals could face harsher penalties in the European Union if the European Commission gets its way. The EC would like to have jail time for cyber crimes increased to as much as five years; currently the maximum sentence is three years, which officials say is not stringent enough. New laws would harmonize sentencing guidelines among member nations. The EC also hopes to establish a reporting system that would facilitate sharing of cyber attack information.
[Editor's Note (Honan): The criminals are sharing information on how to attack systems, networks and organizations; it is about time we do the same to defend those systems. ]
Spam King Could Face Jail Time for Violating Facebook Restraining Order (June 12, 2009)
A federal judge has referred Sanford Wallace to the US Attorney General's Office for criminal proceedings for allegedly defying an order that prohibited him from accessing Facebook. Wallace, who has been dubbed the "spam king," could face jail time for his alleged activities. Facebook filed a lawsuit against Wallace and two others earlier this year for using the site to send spam and phishing emails; a judge issued a temporary restraining order barring them from accessing the social networking site.
Virgin and Universal Reach Fee-Based Download Arrangement (June 15, 2009)
Virgin Media UK broadband customers who pay a monthly fee will be able to download or stream unlimited MP3 files, thanks to a deal struck by Virgin and Universal. The arrangement includes a promise from Virgin to step up monitoring of file-sharing networks to prevent unauthorized downloads. The arrangement is expected to be in place by the end of the year; the monthly fee has not yet been determined, though there are likely to be varying levels of service available. Virgin is talking with other music companies about adding their catalogs to its service.
THE REST OF THE WEEK'S NEWS
ARRESTS, INDICTMENTS & SENTENCES
Arrests and Indictments in International Phone Hacking Scheme (June 12 & 15, 2009)
Three people have been indicted and five arrested in connection with an international phone service hacking scheme. The group allegedly broke into IT systems at more than 2,500 companies around the world and stole codes used to route the companies' phone calls through telecommunications systems. The five people were arrested in Italy; the three indicted in the US include Mahmoud Nusier, Paul Michael Kwan, and Nancy Gomez, all of whom currently reside in the Philippines. The three allegedly hacked into the systems; they were allegedly paid a fee by call center operators in Italy for each system they compromised. The alleged activity in the case took place between October 2005 and December 2008. Proceeds from the scheme may have been used to fund terrorist groups in Southeast Asia. It appears that the perpetrators were able to access the systems because the default passwords had not been reset.
[Editor's Note (Pescatore): With IP telephony, most of the security hype tends to focus on eavesdropping but this type of theft of service by compromising the digital PBX is the more near term threat.
(Honan): This case highlights the current threat posed by terrorism to computer systems worldwide. It is not to take these systems down but to raise money. The funds generated by compromising bits and bytes go to purchasing bullets and bombs. ]
Ten Arrested in Music Downloading Scam (June 10 & 12, 2009)
UK police have arrested 10 people in connection with a scheme in which they downloaded their own music from iTunes and Amazon thousands of times, paying for the downloads with stolen credit cards. All told, the gang spent approximately US $750,000 on the downloads; they made US $300,000 from royalties paid by the sites. The suspects are likely to face charges of conspiracy to commit fraud and money laundering.
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Legislators' Proposal Would Revise Real ID Act (June 15, 2009)
US legislators have proposed a revision to the Real ID Act of 2005, a controversial law aimed at tightening security in the wake of the September 11 attacks. Real ID required states to issue new, more secure driver's license and identification cards by 2017; citizens would be required to present them to enter certain buildings and to board airplanes. Some states balked at the cost of implementing the measure, and civil liberties groups decried Real ID's assault on privacy. The proposed revision, known as Pass ID, would still require that state-issued licenses include a digital photograph and signature of the holder and a bar code and that the licensing agencies store copies of the supporting documents used to obtain the license. States would still be required to verify the identities of people applying for licenses by checking databases at the State Department, Social Security and federal immigration. Critics of the proposed revision say it takes the teeth out of Real ID because it eliminates the requirement that birth certificates, Social Security numbers and other credentials be authenticated with the authority that issued them, instead requiring only that they be validated.
[Editor's Note (Schultz): The proposals to change this legislation are perfectly understandable. The events of 9/11 had a profound effect on security-related legislation, but given the absence of catastrophic events in the US since then, there should be little wonder that some of the 9/11-inspired legislation is being dumped or watered down. ]
Israeli Government Sites Attacked in January (June 15, 2009)
The Israeli government says that the country's Internet infrastructure was attacked in January during the Gaza Strip military offensive. The attack, which came from half a million computers, took out government websites for an hour or so. Officials say the attack bears resemblance to that launched on Georgian sites last summer, leading some to speculate that the attack was conducted by people in the former Soviet Union and possibly paid for by Hamas or Hezbollah.
Illinois State Agency Missing 52 Computers (June 11, 2009)
Reports from Illinois state auditors indicate that the Department of Financial and Professional Regulation cannot account for 52 computers. The department is responsible for regulating the banking and insurance industries as well as several professions, including accounting, medicine, and engineering. The agency cannot say if the missing computers held confidential information. The machines may have been transferred to other agencies, but there are no records indicating such transfers.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Jammie Thomas-Rasset Downloading Case Back in Court (June 12, 2009)
Jammie Thomas-Rasset is about to have her day in court - again. In October 2007, a jury found Thomas-Rasset guilty of copyright infringement for illegally downloading music; she was ordered to pay US $9,250 for each of 24 songs she is alleged to have downloaded for a total of US $222,000. In September 2008, the presiding judge overturned the verdict and ordered a new trial, saying that his instructions to the jury regarding what action constituted copyright infringement had been unclear. At issue is whether or not merely making music available for distribution constitutes copyright infringement. Members of Thomas-Rasset's legal team have asked that the court suppress evidence against their client that had been gathered by MediaSentry because the company's practices violated state and federal wiretap acts.
UPDATES AND PATCHES
Mozilla Updates Firefox to Version 3.0.11 (June 12, 2009)
Mozilla has released Firefox version 3.0.11; the updated version of the company's browser fixes eleven security flaws present in version 3.0.10, four of which were rated critical. Those four vulnerabilities include privilege escalation, arbitrary code execution, a race condition, and crashes with evidence of memory corruption. Mozilla's SeaMonkey and Thunderbird products are also affected by the vulnerabilities; updated versions of both are expected to be available soon.
ATTACKS & ACTIVE EXPLOITS
Student Arrested for Accessing School System Without Authorization -- Again (June 12 & 14, 2009)
A Shenendehowa (NY) High School student has been arrested for breaking into the school's computer system. The teen was also caught breaking into the system last fall; he accessed information about a school bus driver and posted it on a web site. The more recent incident involved an attempt to lock teachers out of the system so they could not enter grades. The student, who is a sophomore, has been charged with unauthorized use of a computer and third degree identity theft. He was allegedly using another student's login credentials at the time of the incident; he had been prohibited from using the system after the incident in the fall.
[Editor's Note (Ranum): Hacking systems - the thrill of the illicit, penetration, and the (slight) chance of getting caught - is a very self-reinforcing behavior. It's a paradoxical form of adrenaline addiction: the attacker is hooked on the rush, but sociopathically hides behind the safety of anonymity. It's not hard to see why a lot of hackers find it very hard to quit once they get started. ]
STUDIES AND STATISTICS
Survey: Admins Exploit Privileges to Access Sensitive Data (June 10 & 11, 2009)
A survey of 400 IT administrators found that more than one-third abuse their administrative rights to access sensitive information about employees, customers and their companies for personal use. The information accessed includes salary data and board meeting minutes. The survey also found that the percentage of administrators who would take proprietary information with them if they left their present positions increased significantly over last year's figures; six times as many respondents said they would take financial information if they left their firms; four times as many said they would take executives' passwords and R&D plans.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/