Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #31

April 20, 2010

Do you know any college kids who are good at cyber security and go to
school in New York, Delaware, or California? If yes they can get an all
expenses paid scholarship to cyber camps this summer that could give
them an inside track to the coolest jobs in the coolest places in cyber
security. Send them to www.uscyberchallenge.org. That's also where you will find
data on how cyber-security-talented high school kids all over the
country can qualify for full four year college scholarships (with summer
internships).

Alan

TOP OF THE NEWS

New and Proposed Data Breach Legislation Around the US
FBI Warrant Sought Google Apps Content in Spam Case
Network Solutions Customers' Websites Infecting Visitors' Computers with Malware

THE REST OF THE WEEK'S NEWS

Amazon Files Lawsuit to Fend Off NC Tax Collector's Data Demands
Windows Kernel Patch Checks for Rootkit First
Gonzalez Accomplice Gets Five-Year Sentence
Pennsylvania School District Laptop Surveillance Case Prompts New Legislation
Third Grader Stole Teacher's Blackboard Login
European Data Protection Supervisor Calls For Built-in Data Wiping Technology
Former NSA Official Indicted for Information Leaks
Russia and US Move Toward Cooperation at Internet Conference


************************** Sponsored By Splunk **************************
DOWNLOAD SPLUNK 4.1 FOR FREE
Real-time Business Needs Real-time IT
* See incidents and attacks as they occur
* Monitor application SLAs in real time
* Correlate and analyze events on streaming data
* Track live transactions and online activity
Do this and more with real-time search in Splunk 4.1.
http://www.sans.org/info/58118
*************************************************************************

TRAINING UPDATE
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010 8 courses.
http://www.sans.org/secure-amsterdam-2010/

-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Toronto, Singapore, Brisbane, and Kuala Lumpur all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

TOP OF THE NEWS

New and Proposed Data Breach Legislation Around the US (April 13 & 16, 2010)

Mississippi has passed a data breach notification law requiring that businesses and government agencies notify people immediately when their personally identifiable information has been compromised. The law goes into effect on July 1, 2010, and applies to all entities doing business within the state of Mississippi. In California, the state Senate has approved legislation that would update the state's current breach notification law so that notification letters would include specific information about a breach and require that entities suffering breaches that affect 500 or more individuals submit the alert letter to the state attorney general's office. Governor Schwarzenegger vetoed the proposed bill last year, but he is expected to sign it this year. In Washington State, Governor Christine Gregoire signed a law that defines the liabilities of government and business entities for costs incurred by financial institutions arising from payment card breaches.
-http://www.esecurityplanet.com/features/article.php/3876906/Mississippi-Passes-D
ata-Breach-Notification-Law.htm

-http://www.scmagazineus.com/california-senate-again-oks-breach-notification-law-
update/article/168168/

-http://privacylaw.proskauer.com/2010/04/articles/financial-privacy/bellwether-or
-bust-washington-governor-signs-payment-card-data-breach-liability-provisions-in
to-law/

FBI Warrant Sought Google Apps Content in Spam Case (April 16, 2010)

Last August, the FBI served a warrant demanding the email and Google Apps content associated with two men suspected of running a spam campaign. The case is believed to be the first in which a warrant has "benefit
[ted ]
from a suspect's reliance on cloud computing." Among the information obtained from Google Docs was a spreadsheet showing that the men had spammed more than 3 million email addresses in a five-hour period, and a list of 8,000 Yahoo mail accounts allegedly obtained to send the spam. It is easier for law enforcement agencies to access data stored in the cloud than that stored on individuals' own computers. The Stored Communications Act (1986) requires only "reasonable grounds" that the information would be relevant in a criminal investigation to allow to access to stored information; a search warrant requires "probable cause."
-http://www.wired.com/threatlevel/2010/04/cloud-warrant/

Network Solutions Customers' Websites Infecting Visitors' Computers with Malware (April 18 & 19, 2010)

A malware attack is targeting Network Solutions' customers; the issue affects websites running WordPress, Joomla, and regular HTML. The infected sites have been infected with javascript that tries to install malware on site visitors' computers. Less than a week ago, another attack targeted Network Solutions websites running just WordPress. Network Solutions administrators are attempting to remove the malicious code from customers' sites. The company is not releasing technical information about the attack because it could help the perpetrators. Users are urged to change their passwords.
-http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/
-http://www.computerworld.com/s/article/9175783/Network_Solutions_sites_hacked_ag
ain

-http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-
fix-this/

[Editor's Note (Pescatore): At the heart of the debate about enterprise use of cloud computing services (which is just a form of external hosting) is the need for external service providers to demonstrate that they can keep the shared infrastructure *more* secure than any individual company can do.
(Northcutt): I have been thinking about this all day. As we move to blades and virtualization, the small business that might be able to manage a couple servers of their own is going to have to consider webhosting. An attacker who is able to break in can do tons of damage. And as more small business moves to web hosting the problem gets worse. And, when the virtual servers are compromised, they are used to spread malware so doing business with these smaller companies becomes risky.
-http://krebsonsecurity.com/2010/01/hundreds-of-network-solutions-sites-hacked/
-http://krebsonsecurity.com/2010/04/network-solutions-again-under-siege/
-http://stopmalvertising.com/malvertisements/corpadsinccom-redirecting-network-so
lutions-customers-again
]

THE REST OF THE WEEK'S NEWS

Amazon Files Lawsuit to Fend Off NC Tax Collector's Data Demands (April 19, 2010)

Amazon.com is fighting the North Carolina Department of Revenue's demands that the company supply the names and addresses of its North Carolina customers and what those individuals purchased through the site. Amazon maintains that the demand for information violates customers' privacy and First Amendment rights and has filed a lawsuit asking that a judge find the demand to be illegal. Amazon is not required to collect sales tax within North Carolina because the company does not have offices or warehouses in the state. State tax collectors say that residents are required to pay a "use tax" on anything purchased or received through the mail.
-http://news.cnet.com/8301-13578_3-20002870-38.html
[Editor's Note (Northcutt): This is an important case and a well written article, I encourage you to read it. First, different states have different approach to sales tax. For instance in Virginia I was supposed to track my purchases from out of state and report that on my state tax form. However, in this case I expect this suit will fail. As the article explains, books have special First Amendment protections. And after Supreme Court nominee Robert Bork's video rental records were published in a newspaper they passed the Video Privacy Protection Act of 1988 so I cannot see how North Carolina's suit can succeed.
-http://www.tax.virginia.gov/site.cfm?alias=salesusetax
-http://www.cobar.org/opinions/opinion.cfm?OpinionID=560
-http://epic.org/privacy/vppa/
/

Windows Kernel Patch Checks for Rootkit First (April 16, 2010)

A patch for the Windows kernel released last week will not install on machines that are infected with a rootkit. In February, Microsoft released a kernel patch that caused blue screen errors when it was installed on machines infected with the tdss rootkit. Hoping to avoid the same problem this month, Microsoft customers will get error messages when the update is installed if their machines are infected.
-http://www.theregister.co.uk/2010/04/16/ms_kernel_patch_bypasses_pwned_pcs/
-http://news.bbc.co.uk/2/hi/technology/8624560.stm
[Editor's Note (Pescatore): Good move but even better would be operating systems that make it much, much harder for rootkits to succeed. ]

Gonzalez Accomplice Gets Five-Year Sentence (April 15 & 19, 2010)

The sixth and final of Albert Gonzalez's co-conspirators has been sentenced to prison for his role in the massive credit card theft scheme. Damon Patrick Toey has been sentenced to five years in prison and fined US $100,000. Toey helped Gonzalez use SQL injection attacks to break into retailers' networks, where the group stole payment card information. Toey also helped sell the stolen card information. Although he faced a maximum sentence of 22 years in prison, Toey's cooperation with authorities prompted prosecutors to seek a shorter sentence.
-http://www.wired.com/threatlevel/2010/04/toey_sentence
-http://www.securecomputing.net.au/News/172469,hacker-accomplice-gets-five-years-
prison.aspx

Pennsylvania School District Laptop Surveillance Case Prompts New Legislation (April 16, 18 & 19, 2010)

According to documents filed in a lawsuit against the Lower Merion School District in Pennsylvania, surveillance technology on school-owned laptops was used to capture thousands of images of students in their homes. The technology, called LANRev, was designed to be used to locate missing or stolen computers, but the school district is facing a lawsuit from a student's family that alleges the LANRev software was activated on the computer their son was using at home even though it had not been declared missing or stolen. The captured images include a student asleep in his bed. LANRev was also used to capture screenshots of IM conversations the student had with his friends. A motion filed last week seeks access to the home of the school district's information systems coordinator to image the hard drives of her personal computers. The case has prompted US Senator Arlen Specter (D-Pennsylvania) to introduce legislation that would ban video surveillance.
-http://www.computerworld.com/s/article/9175739/Pa._school_district_snapped_thous
ands_of_student_images_claims_lawyer?taxonomyId=17

-http://www.theregister.co.uk/2010/04/16/secret_student_pics/
-http://www.securecomputing.net.au/News/172400,school-laptop-spying-case-inspires
-new-law.aspx

-http://news.cnet.com/8301-1009_3-20002697-83.html?tag=nl.e757

Third Grader Stole Teacher's Blackboard Login (April 16 & 19, 2010)

A Fairfax County (Virginia) Public Schools third grader has been identified as the source of suspicious changes being made on the school district's Blackboard system, which allows teachers, students and parents to communicate and check on homework assignments and announcements. The nine-year-old did not hack into the system, as was first believed, but found the password in a teacher's desk and accessed the system through that account, which had administrative rights. The student changed other teachers' passwords. The students never had access to grades or other sensitive school data.
-http://www.computerworld.com/s/article/9175699/Police_called_after_9_year_old_st
eals_password?taxonomyId=17

-http://www.theregister.co.uk/2010/04/19/9yr_old_school_hacker/
[Editor's Note (Pescatore): Reusable passwords continue are oh so reusable, unfortunately. How about schools using simple forms of stronger authentication? Of course, the real world isn't actually setting a very high bar here, either.
(Schultz): This story reminds me of a previous one that must now be at least five years old. A six year old girl gained unauthorized access to the UK House of Commons and installed a sniffer on the computer of one of the members of Parliament. Age can no longer be presumed to be any presumed to be a presumption of innocence when security is concerned. ]

European Data Protection Supervisor Calls For Built-in Data Wiping Technology (April 16 & 19, 2010)

European data protection supervisor Peter Hustinx has called for data-wiping technology to be built in to electric and electronic equipment. Hustinx made the suggestion while reviewing the European Commission's proposed revision of the Waste Electrical and Electronic Equipment (WEEE) directive. The data deletion process should be simple and free of charge, said Hustinx. He also wants WEEE to ban the sale of used electronic devices that have not been wiped clean of data. The UK's Data Protection Act requires that organizations delete data from devices before they are disposed of.
-http://www.zdnet.co.uk/news/security-management/2010/04/16/e-waste-law-should-in
clude-data-wiping-says-watchdog-40088661/

-http://www.scmagazineuk.com/equipment-that-contains-data-should-have-a-facility-
to-completely-delete-it-with-built-in-privacy-and-security-safeguards/article/16
8282/

-http://www.computerweekly.com/Articles/2010/04/19/240954/eu-privacy-watchdog-cal
ls-for-built-in-data-deletion.htm

Hustinx's Opinion:
-http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultati
on/Opinions/2010/10-04-14_Opinion_WEEE_EN.pdf

[Editor's Note (Pescatore): Hmmm, should pens only be sold with disappearing ink? Should there be a law requiring all books be cleaned of margin comments and pieces of paper stuck between the pages before being resold? ]

Former NSA Official Indicted for Information Leaks (April 15 & 16, 2010)

Former National Security Agency (NSA) official Thomas A. Drake has been indicted on charges of leaking secrets to the media. He faces 10 felony counts of mishandling classified NSA information and attempting to obstruct authorities' investigations of his alleged actions. Drake allegedly provided journalist Siobhan Gorman with documents and information that led to news stories about mismanaged programs and system failures at NSA. Drake allegedly used cut and paste tools to remove indications that the documents he was allegedly sharing with Gorman were classified; he also allegedly used an encrypted email service. He is also accused of shredding documents and wiping hard drives when he became suspicious that he was being investigated.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041503118_
pf.html

-http://www.theatlantic.com/politics/archive/2010/04/nsa-employee-indicted-for-tr
ailblazer-leaks/39006/

-http://www.wired.com/threatlevel/2010/04/nsa-executive-charged

Russia and US Move Toward Cooperation at Internet Conference (April 14 & 15, 2010)

At a Russian-sponsored conference on Internet security in Garmisch-Partenkirchen, Germany last week, it was clear that Russia and the US have different goals. Russia will not sign the European cybercrime treaty because it would violate Russian sovereignty by allowing foreign law enforcement access to Russian Internet. The US is a strong supporter of the treaty. Russia wants US to sign a treaty saying they won't develop offensive cyberwarfare or attack networks. US will not sign that treaty arguing that law enforcement cooperation should be sufficient. Russia has pointed to its arrests of suspects in the US $10 million Royal Bank of Scotland cyber heist. And both countries agree that "anonymity is the fundamental problem we face in cyber space."
-http://www.nytimes.com/2010/04/16/science/16cyber.html?pagewanted=print
-http://www.technologyreview.com/computing/25074/?a=f


**********************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/