From: The SANS Institute (NewsBites sans.org)
Date: Fri Oct 02 2009 - 12:12:37 CDT
*One of the two best free government security conferences in the
Washington area starts in less than four weeks. I understand there are
only about 220 seats left so if you want one, register in the next week
or so at *http://scap.nist.gov/events*. Bring a couple of co-workers
because you'll want to be in several sessions at the same time. It is the
Security Automation Conference developed by NSA and NIST, and it is
where you'll see the future of government security automation, automation
that will quickly spread to the defense industrial base and the critical
infrastructure and banks. There are tracks on risks and mitigations in
cloud computing, network monitoring/auditing/logging, DoD
infrastructure/tools/trends and S-CAP (the security interoperability
standard that will become mandatory shortly). The conference is Oct
27-28 (if your time is short you'll get maximum value if you come from
noon Oct 27 through the full day on Oct 28). There are also workshops
Oct 26 and 29; not SANS courses but a couple look useful. And it is all
free at the Baltimore Convention Center.
Registration *http://scap.nist.gov/events*
************************************************************************
SANS NewsBites October 2, 2009 Vol. 11, Num. 78
************************************************************************
TOP OF THE NEWS
US Army Data Leaked Through P2P Networks
Survey: US Consumers Do Not Want Behavioral Advertising
Court Vacates TRO Against Google; Misdirected eMail Was Never Opened
THE REST OF THE WEEK'S NEWS
PayChoice Breach
Spammers Break Facebook CAPTCHA
BT Resisting BPI's Demand to Act on List of Suspect IP Addresses
Peer-to-Peer Legislation Passes in Committee
Express Scripts Notifies 700,000 of Data Security Breach
Microsoft Security Essentials Not Available to Pirates
Two Men Extradited to Face Charges in Phishing Case
URLZone Trojan
Google Case Guest Editor Analysis: William Hugh Murray
********************** Sponsored By Q1 Labs ***************************
** THE SECURITY MANAGEMENT EVOLUTION: WHAT'S NEXT? **
GET THE WHITE PAPER NOW: http://www.sans.org/info/49204
Respected industry analyst firm Enterprise Strategy Group (ESG) provides
a unique perspective on the evolution of security information and event
management (SIEM) solutions from niche firewall log analyzers to highly
strategic security management solutions. How can organizations like
yours identify and leverage the newest, most sophisticated tools in the
next phase of the Evolution?
*************************************************************************
TRAINING UPDATE
- -- SANS Chicago North Shore, Oct. 26-Nov. 2,
http://www.sans.org/chicago09/
- -- SCADA Security Summit, Stockholm, Oct. 27-30,
http://www.sans.org/euscada09_summit/
- -- SANS San Francisco, November 9-14,
http://www.sans.org/sanfrancisco09
- -- SANS Sydney, Nov. 9-14
http://sans.org/sydney09/
- -- SANS London, UK, Nov. 28-Dec. 9,
http://sans.org/london09/
- -- SANS CDI, Washington DC, Dec. 11-18,
http://www.sans.org/cyber-defense-initiative-2009
- -- SANS Security East 2010, New Orleans, January 10-18, 2010
19 courses, bonus evening presentations
http://www.sans.org/security-east-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/spring09.php
Plus Tokyo, Dubai, Hong Kong, and Vancouver, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*************************************************************************
TOP OF THE NEWS
--US Army Data Leaked Through P2P Networks
(October 2, 2009)
The Washington Post reports that personal data of US soldiers are being
leaked through peer-to-peer (P2P) file-sharing programs. The data are
being downloaded by users in China, Pakistan and other countries. The
information includes Social Security numbers, blood types and names of
family members. P2P software has been banned by the Army since 2003 and
by the Pentagon since 2004. An Army Special Operations Command
spokesperson said the leak was an isolated incident and that those
responsible had been punished.
http://www.washingtonpost.com/wp-dyn/content/article/2009/10/01/AR2009100104947_pf.html
--Survey: US Consumers Do Not Want Behavioral Advertising
(September 30 & October 1, 2009)
A study conducted jointly by the University of Pennsylvania and the
University of California, Berkeley Center for Law and Technology found
that US Internet users object to behavioral advertising. Sixty-six
percent of respondents do not want advertising targeted to their
perceived interests. Nearly 70 percent of respondents said there should
be a law granting Internet users the right to know exactly what
information is collected from them online. Ninety-two percent said they
would be in favor of a law that would require websites and advertising
companies to delete all information held about consumers at the
consumers' request.
http://www.computerweekly.com/Articles/2009/09/30/237924/us-web-users-say-no-to-online-tracking-by-advertisers.htm
http://www.theregister.co.uk/2009/10/01/behavioural_advertising_no_thanks/
http://news.smh.com.au/breaking-news-technology/most-americans-dislike-behavioral-advertising-survey-20091001-gda4.html
[Editor's Note (Pescatore): Look, on radio and TV we all get behavioral
advertising all the time. The commercials during Desperate Housewives
aren't for 2 ton pickup trucks, and the ones during the Ultimate
Fighting Championships aren't for Manolo Blahnik shoes. The real issue
is information being collected without the user's prior knowledge and
consent - that should change. I know - we could call it "opt-in"!]
--Court Vacates TRO Against Google; Misdirected eMail Was Never Opened
(September 29 & 30, 2009)
A court has granted a joint motion to dismiss a case brought by Rocky
Mountain Bank against Google. The bank originally filed suit seeking
to compel Google to provide information about a Gmail account holder who
had been inadvertently sent confidential bank information. On Friday,
September 25, the bank obtained a temporary restraining order (TRO) that
demanded Google deactivate the unknown user's account, delete the
message that had been sent in error, disclose whether or not the account
was active and if it was, disclose the account holder's identity. It
now appears that the message was never opened; it has been deleted and
the Gmail account has been reactivated.
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=220300364
http://www.theregister.co.uk/2009/09/30/rocky_mountain_google_case_fini/
http://news.cnet.com/8301-27080_3-10363663-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
[Editor's Note (Schultz): In these perilous political times,
overreaction abounds, and legal issues involving Internet service
providers seem to be no exception to the rule.]
************************ Sponsored Links: ****************************
1) Register Today and receive 10% off for SANS vLive course SEC542, Web
App Penetration Testing and Ethical Hacking, November 2nd - November
9th. Please use the code
Risk542 when registering.
http://www.sans.org/info/49209
2) Register today for an upcoming Novell sponsored SANS web cast on 10/6
titled, Ask The Expert: Offense and Defense: Better Correlation.
http://www.sans.org/info/49214
***********************************************************************
THE REST OF THE WEEK'S NEWS
--PayChoice Breach
(October 1, 2009)
The payroll processing company PayChoice has notified its customers that
attackers stole login information and passwords of customers and have
been using such information in attempts to get more sensitive
information from these customers. Some companies that use the PayChoice
payroll processing system have received malicious emails telling them
they needed to download a web browser plug-in to ensure uninterrupted
service to the PayChoice payroll services portal. The plug-in was
actually malware that stole user names and passwords. The email
messages included information specific to each organization that
received them. PayChoice is investigating the breach.
http://voices.washingtonpost.com/securityfix/2009/09/hackers_breach_payroll_giant_t.html
http://www.wired.com/threatlevel/2009/10/paychoice-breached/
http://www.computerworld.com/s/article/9138788/Large_online_payroll_service_hacked?source=rss_security
http://news.cnet.com/8301-27080_3-10365830-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
--Spammers Break Facebook CAPTCHA
(October 1, 2009)
Malware purveyors have managed to break the Facebook CAPTCHA (completely
automated public Turing test to tell computers and humans apart),
allowing them to automate the creation of Facebook pages. The malicious
pages are being used to send links to malicious websites that promote
scareware. The pages all have the same photograph, but have different
user names. Facebook is taking steps to identify the rogue pages and
disable them.
http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?source=rss_security
--BT Resisting BPI's Demand to Act on List of Suspect IP Addresses
(September 30, 2009)
The British Phonographic Industry (BPI) has provided UK Internet service
provider (ISP) BT with the IP addresses of 100,000 BT customers the BPI
suspects of illegal filesharing. BT has not yet taken any action. BPI
is unhappy with BT's inaction; the ISP maintains it has no formal
agreement with the BPI regarding suspected piracy. BT ran a 12-week
test program in July 2008 during which it sent warning letters to
suspected copyright infringers. A BT spokesperson said that
investigating each allegation of filesharing would not only prove
costly, but would also violate customers' privacy rights.
http://www.networkworld.com/news/2009/093009-bpi-alerts-bt-to-100000.html
http://www.nma.co.uk/bt-hits-back-at-bpi-digital-piracy-claims/3004958.article
--Peer-to-Peer Legislation Passes in Committee
(September 29 & 30 & October 1, 2009)
The House Energy and Commerce Committee this week approved a bill aimed
at protecting users from inadvertently sharing information meant to stay
private. The Informed P2P User Act would require file-sharing providers
such as Limewire to offer "clear and conspicuous" notification to users
before making files on their computers available for sharing. The
programs would also be prohibited from surreptitiously installing
software on users' computers and cannot be structured to prevent their
removal from users' computers. Companies that do not follow the rules
would be in violation of Federal Trade Commission Act unfair and
deceptive trade practices rules.
http://blog.internetnews.com/kcorbin/2009/09/p2p-security-bill-clears-house.html
http://www.computerworld.com/s/article/9138659/Lawmakers_eye_bill_to_make_P2P_file_sharing_safer?taxonomyId=84
http://arstechnica.com/tech-policy/news/2009/10/informed-p2p-user-act-to-clamp-down-on-filesharing-software.ars
[Editor's Note (Schultz): This legislation is long overdue, but better
late than never.
(Pescatore): Only focusing on peer to peer file sharing is a bad tactic
here. Why not just say "all software must obtain clear consent from the
user before installing and before causing any data to exit their PC."
We could call it "opt-in"!]
--Express Scripts Notifies 700,000 of Data Security Breach
(September 30, 2009)
Pharmacy benefits management company Express Scripts says that
approximately 700,000 people have been notified that their personally
identifiable information was compromised following a data security
breach in 2008. The company learned of the breach when the data thief
attempted to extort money in exchange for not exposing the information
on the Internet. The initial extortion demand contained information of
75 patients; the recent set of letters was sent in response to a larger
file of information that was sent to a law firm.
http://online.wsj.com/article/BT-CO-20090930-717098.html
http://www.computerworld.com/s/article/9138723/Express_Scripts_700_000_notified_after_extortion
--Microsoft Security Essentials Not Available to Pirates
(September 30, 2009)
Users running unlicensed or improperly licensed copies of Microsoft
Windows will not be able to install the company's newly-released
Security Essentials antivirus software. To install the software, users
will be required to validate their copies of Windows operating systems.
Microsoft does allow users running pirated copies of Windows to download
Internet Explorer 8 (IE 8), touted as the company's most secure browser
yet. Microsoft also allows patches to be downloaded to pirated copies
of Windows through Windows Update. There are other free anti-virus
alternatives available, but the patches are available only from
Microsoft.
http://www.computerworld.com/s/article/9138705/Microsoft_blackballs_pirates_from_getting_free_Security_Essentials_software?source=rss_security
--Two Men Extradited to Face Charges in Phishing Case
(September 30, 2009)
Two Romanian men have been extradited to the US to face charges in
connection with phishing schemes that targeted customers of PayPal,
Citibank and other financial institutions. Petru Bogdan Belbita, Cornel
Ionut Tonita and five other men were charged in January 2007 in
connection with the phishing schemes. One of the men has already
pleaded guilty to conspiracy to commit fraud and has been sentenced to
50 months in prison. Belbita and Tonita have both entered not guilty
pleas to charges of conspiracy to commit fraud in connection with access
devices, conspiracy to commit bank fraud, and aggravated identity theft.
If they are convicted of all charges, each faces 37 years in prison and
a US $1.5 million fine.
http://www.theregister.co.uk/2009/09/30/romanian_phishers_extradited/
http://www.scmagazineus.com/Two-accused-Romanian-phishers-plead-innocent/article/151052/
--URLZone Trojan
(September 29 & 30, 2009)
New, sophisticated malware is making it harder to detect some fraudulent
online bank transactions. The URLZone Trojan horse program communicates
with a command server to find out precisely how much money to take from
the accounts it is plundering (keeping amounts small enough to evade
detection) and where to send the money; the Trojan also alters users'
online bank statements so the
fraudulent transactions do not show up. The Trojan exploits a
vulnerability in Firefox, Opera, Internet Explorer 6, IE 7, and IE 8.
http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592&subSection=End+user/client+security
http://www.scmagazineus.com/URLZone-touted-as-most-sophisticated-banking-trojan-yet/article/151096/
http://news.cnet.com/8301-27080_3-10363836-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.wired.com/threatlevel/2009/09/rogue-bank-statements/
Google Case Guest Editor Analysis: William Hugh Murray
The five most beautiful words in the English language are, "Congress
shall make no law...." However, within that Constitutional limitation,
the courts are charged with sorting out private and public interests
within the facts and the law. Judges like to point out that they do not
get to choose either the facts or the law. This is a set of facts that
none should want to decide, even with more specific and applicable
contract or legislative provisions and better precedents.
The bank is in a very weak position. Admittedly, they need to try to
show "best efforts" but the horses are already out of the barn. They
have no relationship with Google or Google's user; no contract or other
claim, beyond "what nice people would do," to which they can appeal.
Google's policy is to require paper to give them a presumptive defense
if the account holder sues them. Since the account is an accommodation,
and under Google's terms of use, the success of any such suit is
questionable in any case. Google does have an express commitment to its
user but it is unlikely that it is enforceable. Google is also trying
to protect the brand. Note that Google knows whether or not their user
has seen or downloaded the file.
A well intended and behaved user would have acknowledged the bank's
communication. While I am sure that I could dream one up, it is hard
to find a legitimate interest that this user has in refusing to
acknowledge the bank's communication. Nice people do not try to turn
the innocent errors of others to their own advantage.
In general, courts issue subpoenas and other orders only when there is
a civil suit, or probable cause to believe that a crime has been
committed. Let us assume that the bank has filed a civil suit of some
sort (Contract? Tort? Neither seems obvious.) against Google et al.
and an order is issued. Google can appeal the order. This is not a
secret Federal order. Even if they comply, if the user's interest is,
as you suggest, identity, the action can be reversed. If, on the other
hand, it is anonymity, damage to the user may be permanent. Then,
depending upon the actual damages that can be shown, one might not want
to be Google or the bank. Punitive damages are another matter. I think
that Google is trying to protect the right of its user and the bank is
putting the privacy of their many customers ahead of the privacy of one
of Google's customers. I expect and suspect that a jury would be
sympathetic to them rather than to a user who insisted upon his interest
at the expense of many others.
Finally, the right that Google is defending is the right of its user to
be rude, the right to anonymity, not to free speech or political speech,
and not to one's name, public or private. Said another way, of all the
interests of Google or their customer, they are defending the least
compelling one.
[This is a case where, whatever one thinks of the decision, there is a
court involved. It is not warrantless eavesdropping, not National
Security Letters (215 Orders). This is not "safe harbor" for banks
that proactively curry favor by snitching on their customers. This is
not warrantless seizure of laptops as contraband (fishing expeditions)
by customs agents. These unilateral abuses of Federal executive
authority are now routine and beneath our notice or comment, much less
our resistance. They never see a court. (As I write this, I am
listening to House hearings on the re-authorization of the USA PATRIOT
Act. "Catching a terrorist" justifies anything.) I am now ready to
consent to almost anything in return for there being judicial
jurisdiction and oversight.]
I do not think that we have to worry that this order will establish any
precedent at all. It will not establish a precedent that puts the
rights of the negligent or their victims ahead of those of innocent
third parties. While it is already far too easy to get ISPs to identify
their users, this case is not likely to make it any easier and has some
hope of making it harder.
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint,
where he leads the Digital Vaccine and ThreatLinQ groups. His group
develops protection filters to address vulnerabilities, viruses, worms,
Trojans, P2P, spyware, and other applications for use in TippingPoint's
Intrusion Prevention Systems.
Prof. Howard A. Schmidt is the President of the Information Security
Forum (ISF) and author who has served as CSO for Microsoft and eBay and
as Vice-Chair of the President's Critical Infrastructure Protection
Board.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and is the incoming President of the InfraGard National
Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of
the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/