SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #87

November 02, 2007

TOP OF THE NEWS

Mass. AG Releases Cyber Crime Plan
Consumer Groups Call For Do Not Track List
FTC Calls for Power to Fine Spyware Purveyors

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Woman Pleads Guilty in QVC Fraud Case
Microsoft Software Scammers Sentenced
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Naval Personnel BlackBerry Security Features Enhanced
Victoria, Australia Police Abused Database Privileges
POLICY & LEGISLATION
UK Ministers Reject Committee's Internet Security Suggestions
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mac OS X Trojan Reported
Malware Infected Spam Pretends to Come From FTC
MISCELLANEOUS
DOJ Whistleblower eMail Addresses Accidentally Exposed
Ivan Arce Interview
LIST OF UPCOMING FREE SANS WEBCASTS

---

******************** Sponsored By Sunbelt Software ********************

How many machines on your network are infected with malware?

Imagine a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology. It's available with Sunbelt Counterspy Enterprise.

Find out how many machines on your network are infected now! Download the free trial now!
http://www.sans.org/info/18862

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
- - Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php

*************************************************************************

---

TOP OF THE NEWS

Mass. AG Releases Cyber Crime Plan (October 31, 2007)

The Office of the Massachusetts Attorney General has released the Massachusetts Strategic Plan for Cyber Crime. The plan is based on information gathered from a survey of law enforcement employees and a meeting with law enforcement officials. The plan's six priorities are to "Deliver law enforcement training; support and enhance cyber crime prevention and information sharing activities; develop and promote common operating procedures and standards; examine statewide digital forensic evidence processing requirements; secure funding for cyber crime programs; amend jurisdictional and substantive law."
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=45318
-http://www.mass.gov/Cago/docs/press/2007_10_25_cyber_crime_plan_attachment1.pdf
[Editor's Note (Shpantzer): In my previous research into law enforcement's forays into digital forensics, one of the most problematic issues is the police career ladder that continually transfers an officer to different roles, without allowing for long-term specialization. A three year rotation of a digital forensics specialist into robbery investigation, for example, does not help an officer retain credibility on the witness stand in a computer crime case. One of the senior officers interviewed suggested a career track similar to that of the Army's Warrant Officer program, allowing for specialists to develop skills and competencies in the long term.]

Consumer Groups Call For Do Not Track List (November 1 & 2, 2007)

Consumer protection and privacy groups have proposed the creation of a "Do Not Track" list, similar to the "Do Not Call" list, which would allow individuals to say whether or not companies may track their web surfing. The plan would require advertisers that place cookies on users' computers to register all associated servers with the Federal Trade Commission (FTC). Internet companies want to know what sites users visit so they can target advertisements to those consumers. Interactive Advertising Bureau chief Randall Rothenberg opposes the idea; he is critical of legislation hindering industry innovation and is in favor of self-regulation. The proposal will be discussed at an FTC two-day public forum that began on Thursday, November 1. FTC commissioner Jon Leibowitz says the agency will exert more control over online advertising. Speaking at the forum on Thursday, Leibowitz said, "People should have dominion over their computers. The current 'don't ask, don't tell' in online tracking and profiling has to end."
-http://www.washingtonpost.com/wp-dyn/content/article/2007/10/31/AR2007103101000_
pf.html
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2007/11/01/BUL2T462K.DTL&
;type=business
-http://news.bbc.co.uk/2/hi/technology/7072653.stm
-http://www.nytimes.com/2007/11/02/technology/001cnd-ftc.html?ei=5088&en=f562
c58488150ad5&ex=135165600
[Editor's Note (Pescatore): The concept of mirroring "Do Not Call" on the Internet makes sense but having advertisers register with a government agency certainly does not. There are other parts of the world implementing "Opt In" approaches - the industry should look at those to propose a self regulation approach, it is long overdue. It is really a no-brainer - most people continue to show that they will opt-in if it is a way to keep free web content free. If they don't opt-in, the services might carry a cost - that is the essential trade-off.
(Schultz): Leibowitz is 100 percent correct. The fact that one can inject a program into another person's computer without any consent whatsoever is infathomable. Legislation against spyware should have been passed in the US a long time ago. ]

FTC Calls for Power to Fine Spyware Purveyors (October 30, 2007)

The FTC wants the authority to impose fines on spyware purveyors. Presently, the FTC can collect only profits and money to compensate victims. Without the threat of fines looming over their heads, spyware distributors are unlikely to be discouraged from their activity. The Spy Act, a bill passed by the House of Representatives but presently stalled in the Senate, would give the FTC the authority to impose civil fines on companies that put spyware on consumers' computers.
-http://www.theregister.co.uk/2007/10/30/ftc_spyware_sanctions/print.html
-http://www.pcworld.com/article/id,139072-c,proposedlaws/article.html

---

************************* Sponsored Links: ***************************

1) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/18867

2) Over 450 security professional participated in the 2007 Web Security Leadership Survey. Get the results at http://www.sans.org/info/18872

3) Come to Orlando and hear about DLP tools from your peers - Data Leakage Summit December 3-4.
http://www.sans.org/info/18877

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Woman Pleads Guilty in QVC Fraud Case (October 30, 2007)

A woman has pleaded guilty to wire fraud for exploiting a flaw in the QVC home shopping network website that allowed her to receive merchandise at no cost. Quantina Moore-Perry discovered that if she placed an order and then cancelled it immediately, the goods would still ship but she would not be charged. Moore-Perry will forfeit US $412,000 she made selling the merchandise on eBay.
-http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/print.html
[Editor's Note (Northcutt): Must be some sort of plea bargain, there is very little information to be had. The indictment is here, but it is the same information as all the stories:
-http://www.usdoj.gov/usao/pae/News/Pr/2007/jul/mooreperry.html
-http://www.usdoj.gov/usao/pae/News/Pr/2007/jul/mooreperry.pdf
(Skoudis): This sounds like a race condition in the border between their technical implementation and physical business process. There are a huge number of these kinds of issues, which are very hard to find. If you have some spare time, you may want to brainstorm the hand-offs between technology and people in your organization to look for this kind of problem -- whether a quickly revoked transaction in your technology will truly be yanked back by the business process. (Shpantzer): Here we see the most basic application security overlooked on a multi-billion dollar e-commerce site. ]

Microsoft Software Scammers Sentenced (October 25 & 26, 2007)

Four people convicted of reselling discounted versions of Microsoft software for educators at a profit have received their sentences. Mirza and Sameena Ali were each sentenced to five years in prison for conspiracy, mail fraud, wire fraud, and money laundering. They were also ordered to pay fines in excess of US $25 million. Keith Griffen, who was found guilty on nine counts of conspiracy, was sentenced to two years and nine months and must pay a US $20 million fine. A fourth person was sentenced to probation and ordered to perform community service.
-http://www.channelregister.co.uk/2007/10/26/ms_scammers_sentenced/print.html
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/1
0/25/Scammers-get-jail-time

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Naval Personnel BlackBerry Security Features Enhanced (November 1, 2007)

Navy-Marine Corps Intranet administrators have deployed new, stronger security settings for BlackBerry devices used by Navy and Marine Corps personnel. The changes in the settings were made to protect against unauthorized access and to disable certain features and services that could compromise security, such as IM services and the GPS tracking feature. Users were notified of the changes, which were made via updates on the Navy's BlackBerry Enterprise Server.
-http://www.gcn.com/online/vol1_no1/45301-1.html
[Editor's Note (Pescatore): A lot of consumer-grade mobile devices do not support the necessary types of security policy, let alone group security management, that the military and others have been able to roll out. There is a lot of pressure to allow employee use of those consumer PDAs and smart-phones - if you can't implement and enforce security policy on the device, you have to have a strong content monitoring/data leak prevention capability to make sure you know what information is ending up on those devices. (Ullrich): This is a good move. In particular the tracking function is a double edged sword. While it's "nice to know" where everybody is, it's scary if some competitor / adversary knows where your people are. However, the Blackberries will still be traceable, using cell phone towers for triangulation. Just the precision is not as good as with GPS. ]

Victoria, Australia Police Abused Database Privileges (October 30, 2007)

According to a report from the Commissioner for Law Enforcement Data Security, police in Victoria, Australia have misused the Law Enforcement Assistance Program (LEAP) database at least 26 times in the last year; 16 additional incidents are under investigation. The commissioner's post was created in 2005 after growing concerns about privacy violations and abuse of the LEAP database. In several cases, files containing information about hundreds of individuals were sent to people requesting their own information. The database is slated for replacement.
-http://www.thewest.com.au/aapstory.aspx?StoryName=432134

POLICY & LEGISLATION

UK Ministers Reject Committee's Internet Security Suggestions (October 30 & 31, 2007)

The UK House of Lords Science and Technology Committee has called the government's response to its report on combating cyber crime "a huge disappointment." The committee's August report made several recommendations to address the problem of cyber crime in the UK, including creating a data security breach notification law, and providing incentives for companies that trade online to bolster their data security. The report also recommends rethinking fraud-reporting policy established earlier this year; that policy encourages the public to report credit card fraud to their banks rather than to law enforcement. The government dismissed virtually every recommendation made in the report.
-http://news.bbc.co.uk/2/hi/uk_news/politics/7069597.stm
-http://www.theregister.co.uk/2007/10/30/ukgov_cybercrime_response/print.html
-http://www.heise-security.co.uk/news/98212
-http://www.finextra.com/fullstory.asp?id=17663
-http://www.cio.co.uk/concern/security/news/index.cfm?articleid=2183&pagtype=
allchantopdate
[Editor's Note (Northcutt): I expect we will see an increase in cyber-crime against UK citizens as the story's punch line is the government's primary response is to hide their head in the sand. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mac OS X Trojan Reported (October 31 & November 1, 2007)

There are reports of an in-the-wild Trojan horse program that targets Mac OS X systems. Users are encouraged to visit malware-serving sites through spam messages in Mac forums. The Trojan, which pretends to be a QuickTime plug-in, can hijack users' search results, sending them to websites the attackers want them to visit. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3595
-http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/
-http://www.eweek.com/article2/0,1895,2210900,00.asp
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9044998&source=rss_topic17
-http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/print.html
[Editor's Note (Ullrich): While this trojan has not led to widespread infections, it nicely illustrates that OS X is becoming a target with more widespread deployment. The particular attack is not using any particular OS X vulnerability but is a direct adaption of a trick commonly used to get Windows users to willingly install malware.
(Honan): This is not the first piece of malware aimed at the MAC platform, however what is significant is that this appears to be the first piece of malware written by professional criminals and targeted specifically at MAC users. With this increase in interest by criminals MAC users can expect a lot more malware to come their way in the future. ]

Malware Infected Spam Pretends to Come From FTC (October 29, 30 & 31 2007)

The US Federal Trade Commission (FTC) has warned that fraudulent emails presently circulating appear to come from the FTC; the emails contain links and an attachment that can lead to malware being installed on users' computers. The emails appear to come from frauddep@ftc.gov; the return path and reply to fields are spoofed as well. The message contains multiple grammatical errors and misspelled words. US-CERT has issued an alert about the phony FTC emails.
-http://www.ftc.gov/opa/2007/10/bogus.shtm
-http://www.us-cert.gov/cas/alerts/SA07-303A.html
-http://www.gcn.com/online/vol1_no1/45321-1.html?topic=security&CMP=OTC-RSS
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202603073

MISCELLANEOUS

DOJ Whistleblower eMail Addresses Accidentally Exposed (October 29 & 30, 2007)

Human error exposed the email addresses of approximately 150 US Justice Department (DOJ) employees who had used a House Judiciary Committee website to submit tips about "alleged politicization" at DOJ. The House Judiciary Committee has been looking into the firings of US attorneys. A message sent to all those submitting tips accidentally included everyone's email addresses in the "to" field rather than the "BCC" field; some of those addresses include pieces of the individuals' real names. The list also included the public email address of Vice President Dick Cheney.
-http://www.securitypronews.com/news/securitynews/spn-45-20071029HouseCommitteeSc
rewsUpWhistleblowerEmail.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9044638&source=NLT_AM&nlid=1

[Editor's Note (Skoudis): This is such a common occurrence, and at best causes embarrassment, and at worse could jeopardize livelihoods. We all know we have to be careful, but human error is a constant problem. The problem could be significantly reduced if e-mail client software vendors very clearly separated in their GUI the CC and BCC lines, with visual clues to indicate which is which. Also, it would be helpful to have a little check-box configuration that, when enabled, would prompt me if I've just clicked send on a message with more than a dozen recipients in the "To" and "CC" boxes, just to make sure that I didn't mean to have them in the BCC. ]

Ivan Arce Interview (October 26, 2007)

Stephen Northcutt interviews Ivan Arce, CTO of CORE Security, about the recent update to their product to include web application testing. The interview covers the latest web attack techniques as well as Ivan's security philosophy.
-http://www1.sans.edu/resources/securitylab/ivan_arce_core.php
[Editor's Note (This is a really good interview. Ivan Arce is brilliant, and his analysis of what's important right now as well as his view of emerging trends in the infosec space are a must-read.):]

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: NEW - Web Application Pen Testing with CORE IMPACT
WHEN: Tuesday, November 6, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Anthony Alves
-http://www.sans.org/info/18562
Sponsored By: Core Security Technologies

Core Security Technologies introduces new capabilities for web application penetration testing with CORE IMPACT v7.5. The new release allows security professionals to leverage the product's automated Rapid Penetration Test methodology to identify exposed web applications and interact with backend data - just as an attacker could.

Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deployments
WHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
-http://www.sans.org/info/18567
Sponsored By: Secure Computing

In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.

Tool Talk Webcast: Be a Perfect 10: Nail the PCI Requirement
WHEN: Tuesday, November 13, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Anderson
-http://www.sans.org/info/18577
Sponsored By: ArcSight

Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?

Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and Mike Yaffe
-http://www.sans.org/info/18582
Sponsored By: Core Security Technologies

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-http://www.sans.org/info/18587
Sponsored By: netForensics

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/