SANS NewsBites Vol. 8 Num. 40
From: The SANS Institute (NewsBites at sans.org)
Date: Fri May 19 2006 - 13:01:10 CDT
The Google Fraud story that leads this issue is another example of the
great investigative work done by the folks at the Internet Storm Center
(isc.sans.org).
Help us help you! SANS is running a survey to help us map your job
titles, tasks and the skills needed to accomplish those tasks. We do
this to ensure our courseware is relevant and focused on the tasks you
need to accomplish. We began the survey with the advisory board, then
improved it using feedback from the attendees at SANS 2006. We will also
select three of the completed surveys at random and send an Apple iPod
nano along as our way of saying thanks. To take the survey visit:
https://survey.sans.org
Alan
*************************************************************************
SANS NewsBites May 19, 2006 Vol. 8, Num. 40
*************************************************************************
TOP OF THE NEWS
Google Fraud: Botnets Used to Steal Money From Google Advertisers
Spyware Infections Up 50 Percent Over Last Year
Lenovo Computers Reportedly to be Used for Only Unclassified Data
Payment Card Industry Security Standard Changes May Allow Alternatives
to Encryption
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DISA Offers Free Anti-Spyware Software to All Gov Employees
POLICY & LEGISLATION
UK May Activate Provision Forcing Disclosure of Encryption Keys
New York's Anti-Phishing Act Heads to Governor
SPYWARE, SPAM & PHISHING
Blue Security Shuts Down Anti-Spam Service
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
People Selling Pirated Software on eBay Sued
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
UK ISP Fixes Hole That Compromised User Information
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Malware Infestation Leaks Japanese Power Plant Data
MORE DATA ON GOOGLE FRAUD
********************** Sponsored By SANS WhatWorks **********************
Download free Vendor White Papers on a wide range of security topics -
- From the SANS WhatWorks Project
http://www.sans.org/info.php?id=1168
*************************************************************************
SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006
Washington DC: 18 tracks
Denver: 6 tracks
London: 5 tracks
Toronto: 4 tracks
Plus 10 other cities and live-online programs you can take from your home.
See http://sans.org/ for the course schedule and registration
*************************************************************************
TOP OF THE NEWS
--Google Fraud: Botnets Used to Steal Money From Google Advertisers
(15 May 2006)
The SANS Internet Storm Center (ISC) has released evidence showing
botnets are being used to defraud advertisers using Google AdWords, a
pay-per-click advertising system. Advertisers pay Google for each click;
Google in turn pays a substantial amount of that revenue to publishers
who run banners for the advertisers. Unscrupulous publishers work with
the botmasters to generate high volumes of clicks and ultimately
revenue. The botmasters get a share of this as well. ISC uncovered
evidence of a botnet with 115 bots, each of which was clicking on sites
up to 15 times a day, keeping them under the detection system's radar.
http://www.theregister.co.uk/2006/05/15/google_adword_scam/print.html
http://isc.sans.org/diary.php?storyid=1334
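The story notes that each bot keeps to about 15 clicks a day to stay under the detection threshold. The following example, added here and not taken from ISC or Google, shows why a per-IP daily cap misses such a botnet and how aggregating per publisher exposes it; the click log, publisher names, IP addresses and thresholds are constructed for the illustration.

```python
from collections import defaultdict

PER_IP_DAILY_CAP = 15  # assumed per-IP/day threshold the bots in the story stay under


def constructed_click_log():
    """Constructed sample of (day, publisher, client_ip) click records (made-up data).
    115 bot IPs (the count from the ISC story) each click 'pub-fraud' 10-15 times a
    day for 3 days, never above the cap; 'pub-honest' gets 200 organic visitors a
    day, 20 of whom click twice."""
    clicks = []
    for day in range(3):
        for bot in range(115):
            ip = f"10.0.0.{bot}"
            clicks.extend((day, "pub-fraud", ip) for _ in range(10 + bot % 6))
        for visitor in range(200):
            ip = f"203.0.113.{visitor}"
            clicks.append((day, "pub-honest", ip))
            if visitor < 20:
                clicks.append((day, "pub-honest", ip))
    return clicks

def per_ip_day_counts(clicks):
    """Clicks per (day, publisher, ip)."""
    counts = defaultdict(int)
    for day, publisher, ip in clicks:
        counts[(day, publisher, ip)] += 1
    return counts

def ips_over_cap(clicks, cap=PER_IP_DAILY_CAP):
    """Naive rule: flag an IP only if it exceeds `cap` clicks on one publisher in a day."""
    return {ip for (_, _, ip), n in per_ip_day_counts(clicks).items() if n > cap}

def publisher_profiles(clicks):
    """Per publisher: IP-days seen, mean clicks per IP-day, share of IP-days with >= 5 clicks."""
    by_pub = defaultdict(list)
    for (_, pub, _), n in per_ip_day_counts(clicks).items():
        by_pub[pub].append(n)
    return {pub: {"ip_days": len(ns),
                  "mean_clicks_per_ip_day": sum(ns) / len(ns),
                  "repeat_share": sum(1 for n in ns if n >= 5) / len(ns)}
            for pub, ns in by_pub.items()}

def suspicious_publishers(clicks, max_mean=3.0, max_repeat_share=0.2, min_ip_days=50):
    """Publisher-level rule: many distinct IPs that each click far more often than an
    organic visitor would, even though every one of them stays under the per-IP cap."""
    return {pub for pub, p in publisher_profiles(clicks).items()
            if p["ip_days"] >= min_ip_days
            and (p["mean_clicks_per_ip_day"] > max_mean
                 or p["repeat_share"] > max_repeat_share)}

if __name__ == "__main__":
    log = constructed_click_log()
    print("per-IP cap flags:", ips_over_cap(log))              # set(): the bots stay under it
    print("publisher rule flags:", suspicious_publishers(log))  # {'pub-fraud'}
```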
[Guest Editor's Note (Ullrich): Several years ago, one of the first bots
discovered and analyzed by Internet Storm Center was the "Leaves Worm",
which pretty much followed the same scheme. In many ways the Leaves worm
was a precursor of things to come. One nice thing about Leaves was that
the author was eventually arrested by following the money trail.
Editor's Note (Pescatore): Back when newspaper advertising, and then
radio advertising, and then TV advertising started up, there were
fraudulent claims of how many people were actually viewing the ads and
that led to subscription audit bureaus and radio/TV ratings services.
Those same types of audit services, which carry cost for the medium
carrying the advertising, are needed for Internet advertising but paying
that cost is being resisted.
(Northcutt): The following story, on spyware growth, is an important
element of the Google Fraud story - all that spyware infestation helps
enable Google Fraud. I've added some extra information about Google
Fraud at the end of this issue.]
--Spyware Infections Up 50 Percent Over Last Year
(17 May 2006)
According to the annual Websense Web@Work survey, the number of
organizations reporting their systems have been infected with spyware
is up nearly 50 percent. Seventeen percent of companies with more than
100 employees reported their networks have been infiltrated by spyware,
such as keystroke loggers. One likely reason for the increase in
spyware infestations is the increasing availability of spyware toolkits
on the Internet. The study also says that 44 percent of IT decision
makers do not believe their employees can distinguish phishing sites
from legitimate ones.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39360278-39000005c
[Editor's Note (Boeckman): I would say that poor security in the
default configuration for Windows XP has far more to do with the spyware
problem than the availability of spyware toolkits.]
--Lenovo Computers Reportedly to be Used for Only Unclassified Data
(18 May 2006)
The US State Department will use Chinese-made Lenovo computers only for
unclassified data, according to an unidentified aide to Virginia
legislator Frank Wolf. The State Department was criticized when, in
March of this year, it purchased a number of computers from China's
Lenovo Group Ltd. due to concerns that the machines could contain
embedded software that could be controlled remotely. Mr. Wolf, whose
House appropriations subcommittee funds the State Department, said, "It
is no secret that the United States is a principal target of Chinese
intelligence services."
http://www.washingtontimes.com/world/20060518-104316-9737r.htm
http://www.eweek.com/print_article2/0,1217,a=178660,00.asp
[Editor's Note (Pescatore): Well, actually Windows includes software
that allows it to be controlled remotely, as do many other pieces of
software coming from American software vendors. I think it is a good
thing to be suspicious about the software you are using, but xenophobia
is a two-way street - don't just start being suspicious when the
hardware comes from another country; always be suspicious.
(Ranum): Quick Quiz: name ONE computer that is entirely made in the US.
Yeah, I didn't think so either.]
--Payment Card Industry Security Standard Changes May Allow
Alternatives to Encryption
(16 May 2006)
The Payment Card Industry Data Security Standard will be updated this
summer to address evolving concerns about application-level attacks and
merchants' difficulties with complying with the requirement of
encrypting all stored customer data. One of the new requirements, which
should be in effect by the middle of 2008, will be to conduct
vulnerability scans on payment software. In addition, merchants will
be offered alternatives to encrypting stored consumer data, such as
access controls and extra firewalls. There is some concern that
allowing merchants the option of not encrypting consumer data will lead
to more security problems.
http://news.com.com/2102-1029_3-6072594.html?tag=st.util.print
[Editor's Note (Pescatore): Changing the Payment Application Best
Practices standards to require application vulnerability testing (vs.
just checking that a code review process exists) is a good thing. The
Payment Card Industry has moved very slowly on improving the PCI
program; they need to make sure these changes take more than baby steps
in moving things forward.
(Schultz): I wouldn't even try to equate access controls and extra
firewalls to encryption. One nice thing about encrypting data is that
even if access controls, firewalls, and other countermeasures do not
work, an attacker who gains access to sensitive information finds it
useless if it is encrypted with strong encryption.]
*************************** Sponsored Links: ****************************
1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and
assess your spyware risk exposure. http://www.sans.org/info.php?id=1169
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--DISA Offers Free Anti-Spyware Software to All Gov Employees
(13 May 2006)
The Defense Information Systems Agency (DISA) has licensed anti-spyware
software for all US government employees and armed forces personnel to
use on their home computers. The free software is seen as one measure
to protect government systems from malware as many employees bring work
home. The employees can download the software directly to their home
computers, or they can take home a CD containing the software; it will
update automatically.
http://www.news.navy.mil/search/display.asp?story_id=23639
POLICY & LEGISLATION
--UK May Activate Provision Forcing Disclosure of Encryption Keys
(18 May 2006)
The UK Home Office is considering the possibility of activating powers
in Part Three of the Regulation of Investigatory Powers Act (RIPA) that
could be used to force organizations and individuals to surrender
decryption keys to the government upon request. RIPA came into force
in 2000, but Part Three has not been activated. Those who do not comply
with the government requests under RIPA Part Three could face up to two
years in prison. Anti-terrorism legislation imposes a maximum five-year
sentence for failure to comply. Part Three also has a provision that
could be enforced to make people decrypt their data. Some have
expressed concern that with a law allowing police to demand encryption
keys, international banks are unlikely to bring their business to the
UK; furthermore, terrorists tend not to use keys for large amounts of
data, but "on a one-to-one basis" instead, so that forcing people to
decrypt the data would be a more fruitful and less damaging tactic.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020375t-10000025c
--New York's Anti-Phishing Act Heads to Governor
(17 May 2006)
The New York State legislature has approved the Anti-Phishing Act of
2006. If Governor George Pataki signs the bill into law, it would allow
the New York attorney general, industries and non-profit groups to bring
civil actions against phishers.
http://www.bizjournals.com/albany/stories/2006/05/15/daily32.html?from_rss=1
SPYWARE, SPAM & PHISHING
--Blue Security Shuts Down Anti-Spam Service
(18/17/16 May 2006)
Blue Security has stopped its anti-spam activity after coming under
attack from spammers unhappy with the company's practices. Blue
Security offered a service called Blue Frog that takes a variety of
steps to remove people's names from spammers' lists. The spammers were
getting inundated with email requesting that names be removed from their
lists and in retaliation launched a distributed denial of service (DDoS)
attack against Blue Security. The spammers also began sending
threatening messages to people who were using Blue Security's Blue Frog
anti-spam service. Blue Security's decision to close Blue Frog was made
to head off "an ever-escalating cyber war."
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39360570-39000005c
http://news.bbc.co.uk/2/hi/technology/4990622.stm
http://www.wired.com/news/technology/1,70913-0.html
[Editor's Note: Well, this certainly puts to rest the spammers' claims
that they are just "exercising their rights to send Email" -- after all,
Blue's users were just "exercising their rights to complain." Now the
spammers' true colors are obvious: you have no rights as far as they are
concerned.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--People Selling Pirated Software on eBay Sued
(17 May 2006)
Three lawsuits filed in Los Angeles federal court target five
individuals who allegedly offered pirated software for sale on eBay.
The Software & Information Industry Association (SIIA) is spearheading
an effort to crack down on people selling pirated software by purchasing
their goods in online auctions and suing them without warning.
http://www.smh.com.au/news/breaking/companies-crack-down-on-ebay-pirates/2006/05/17/1147545358529.html
http://www.allheadlinenews.com/articles/7003615232
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--UK ISP Fixes Hole That Compromised User Information
(18 May 2006)
Wanadoo, a European Internet service provider (ISP), has fixed an index
browsing flaw that allowed people to access user account information.
Intruders could have viewed users' screen names, real names, passwords,
email addresses and other data without any sort of authentication.
http://www.theregister.co.uk/2006/05/18/wanadoo_security_flap/
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Malware Infestation Leaks Japanese Power Plant Data
(18/17/15 May 2006)
A malware infection is being blamed for the leak of sensitive Japanese
power plant information onto the Internet. The information includes key
facility location and operation procedures for the Chubu Electric Power
Company's thermal power plant in Owase, Mie Prefecture; some employee
data were also compromised. A sub-contractor's use of file sharing
software is suspected to have caused the malware infection.
http://search.japantimes.co.jp/cgi-bin/nn20060515a3.html
http://www.vnunet.com/vnunet/news/2156317/virus-leaks-power-station-info
http://www.theregister.co.uk/2006/05/17/japan_power_plant_virus_leak/print.html
[Editor's Note (Pescatore): Allowing unmanaged PCs (like contractor PCs)
to connect to your network carries many dangers, but more and more
enterprises are doing more and more in-sourcing, so this is growing.
Network access control - checking for dangerous, vulnerable or
non-compliant PCs before they have full connectivity - is a good strategy
for dealing with this.]
MORE DATA ON THE WAVE OF GOOGLE CHEATING
This is certainly not a new issue, as Johannes Ullrich points out in his
guest editor's note. There is a lot of money at stake, and this organized
cheating may affect how legitimate organizations are able to advertise
if illegitimate operators cannot be stopped or controlled. So we want
to provide you with additional information.
First, this is the story we ran in SANS NewsBites, March 10, 2006,
Volume: 8, Issue: 20:
Google Settles Fraudulent Clicks Suit (9/8 March 2006)
Google will pay as much as US$90 million to settle a lawsuit brought by
advertisers who allege the company overcharged them for phony sales
referrals generated by "click fraud." The settlement applies to all
companies that advertised on Google over the past four years. Google has
offered to provide the companies with credit for the fraudulent clicks
since 2002. Google will also pay legal costs. The court has not yet
approved the settlement, however.
http://www.theage.com.au/news/breaking/google-to-settle-click-fraud-case/2006/03/09/1141701611014.html
http://news.com.com/2102-1030_3-6047717.html?tag=st.util.print
http://internetweek.cmp.com/showArticle.jhtml?articleID=181502179
Here is the current status of that lawsuit; it will probably not be
resolved until July at the earliest:
http://www.betanews.com/article/Google_Click_Fraud_Settlement_Hits_Snag/1147446514
The Pollard and Khorrami web site is shown here. As you can see, if
they are successful, a 90 million dollar lawsuit could balloon into far
more than that:
http://www.clickfraud-legal-center.com/
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the SANS Institute's weekly @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent language consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
---end---