SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #30

April 17, 2009

TOP OF THE NEWS

Trojan in Pirated Mac Software Helped Create First Mac Botnet
Verizon Business's 2009 Data Breach Investigations Report
US Sentencing Commission Rejects Notion That Proxies are Evidence of Sophistication

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES
Pirate Bay Verdict In: Guilty
Two Indicted in Login Credential Theft and Abuse Case
Man Arrested for Stealing Proprietary Source Code
Five Arrested in Romania in Connection with Data Theft Scheme
College Student Earns Prison Sentence in Failed Grade Changing Scheme
GOVERNMENT SYSTEMS AND HOMELAND SECURITY
Western Australia State Government IT Systems' Security Found Wanting
POLICY AND LEGISLATION
Texas and NC Legislators Address Computer Forensic Specialist Licensing Question
UPDATES AND PATCHES
Oracle's Quarterly Patch Release Includes 43 Fixes
Microsoft's April Security Update Comprises Eight Bulletins
MISCELLANEOUS
Amazon Won't Allow Phorm to Scan its Pages
Cyber Thieves Profits Falling - Too Much Success

---

********************* Sponsored By Sourcefire, Inc. *********************

Your Network Security Isn't Good Enough Anymore Today's threats-and networks-are dynamic. Unfortunately most network security systems are not.

Join Martin Roesch, Founder and CTO of Sourcefire(R) and Creator of SnortR, in a series of seminars, as he shows why network security must include full network visibility, relevant context, and automated impact assessment to be effective.

More information http://www.sourcefire.com/news/webinars/

*************************************************************************

TRAINING UPDATE

- - Toronto 5/5-5/13 (15 courses) http://www.sans.org/toronto09/event.php
- - SANSFIRE in Baltimore 6/13-6/20 (24 long courses, 12 short courses) http://www.sans.org/sansfire09/event.php
- - New Orleans 5/5-5/10 (6 courses) http://www.sans.org/securityeast09/event.php
- - Washington DC (Tyson's Corner) 4/14-4/22 (5 long courses and 8 short courses) http://www.sans.org/tysonscorner09/event.php
- -- Plus San Diego, Amsterdam and more, too. See www.sans.org
- - Log Management Summit in Washington 4/5-4/7 http://www.sans.org/logmgtsummit09/
- - Looking for training in your own community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Trojan in Pirated Mac Software Helped Create First Mac Botnet (April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet. The zombie network attempted to launch a distributed denial-of-service (DDoS) attack against an unidentified website. The malware had spread to several thousand computers before it was identified.
-http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html
-http://blogs.zdnet.com/security/?p=3157
[Editor's Note (Honan, Schultz): Looks like the Mac platform is an increasingly fruitful target for cyber criminals.]

Verizon Business's 2009 Data Breach Investigations Report (April 14 & 16, 2009)

According to Verizon Business's "2009 Data Breach Investigations Report," the number of records compromised in the breaches it examined in the last year is greater than the totals of the four previous years combined. Of those breaches detailed in the report, 90 percent have ties to organized crime rings. Only one third of the incidents Verizon investigated were publicly disclosed. Attacks now target personal identification numbers (PINs) along with other payment card account information. Eighty seven percent of the security breaches occurred on systems that were not compliant with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the incident. Approximately 75 percent of the breaches investigated were launched from external sources. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6202
-http://www.securityfocus.com/brief/947
-http://fcw.com/Articles/2009/04/16/Verizon-Organized-crime-behind-data-breaches.
aspx
-http://www.theregister.co.uk/2009/04/16/pin_security_breach_survey/
-http://www.washingtonpost.com/wp-dyn/content/article/2009/04/15/AR2009041501196_
pf.html
-http://blog.wired.com/27bstroke6/2009/04/pins.html
-http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
[Editor's Note (Weatherford): Good report with a couple of interesting take-aways. First, taking into account the perfidious nature of statistics in general, we've read for years that somewhere between zero and 100% of data breaches were the result of the "insider threat." That makes a good quote but not much else. This report confirms from the survey group that 74% of all breaches are caused by external sources. Second, there has been a lot of discussion lately about PCI and that it may not be the silver bullet for preventing breaches. Maybe, maybe not but this report found that over 80% of organizations who had a payment card breach were either not compliant with PCI or had never been audited. Read the report for a complete description.]

US Sentencing Commission Rejects Notion That Proxies are Evidence of Sophistication (April 15, 2009)

The US Sentencing Commission has rejected a proposal that could have increased prison sentences for those found guilty of committing computer crimes with the use of proxy servers. The proposal called for designating the use of proxies as a sophisticated technique and the use of proxies in the commission of cyber crime therefore worthy of more stringent punishment. Civil liberties advocates opposed the amendment on the grounds that proxies are widely used, often for legitimate purposes, and the language of the proposal was vague - it did not make clear that the penalties were meant solely for criminals convicted of cyber crimes and not the use of proxies in general.
-http://arstechnica.com/tech-policy/news/2009/04/us-sentencing-guidelines-wont-pu
nish-online-proxy-use.ars
-http://www.google.com/hostednews/ap/article/ALeqM5gOnXxJrRQW4p8xPFXKy9UfgO0I1gD9
7J70OG0
[Editor's Note (Schultz): So many sophisticated attack methods exist that singling out the use of proxy servers in the commission of a computer crime simply does not make sense.]

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Pirate Bay Verdict In: Guilty (April 17, 2009)

A court on Stockholm has found four men guilty of breaking Swedish copyright law for their involvement with the Pirate Bay website. Gottfrid Svartholm Warg, Peter Sunde, Fredrik Neij and Carl Lundstrom were each sentenced to one year in prison and ordered to pay 30 million kronor (US $3.55 million) to various media companies. Lundstrom provided financing for the site and the other three were administrators. They plan to appeal the verdict.
-http://www.theglobeandmail.com/servlet/story/RTGAM.20090417.wpiratebay0417/BNSto
ry/Technology/home

Two Indicted in Login Credential Theft and Abuse Case (April 16, 2009)

Two programmers have been indicted in Seoul, South Korea for breaking into websites and stealing personal information belonging to 2.3 million people. Between January 2008 and February 2009, the two allegedly broke into more than 100 websites searching for user names and passwords, hoping that at least some of the users would use the same login information for Naver, a popular Internet search portal in South Korea. About 150,000 of the stolen sets of credentials allowed access to Naver accounts, which the pair allegedly used to post spam messages.
-http://joongangdaily.joins.com/article/view.asp?aid=2903657

Man Arrested for Stealing Proprietary Source Code (April 14, 2009)

The FBI arrested Yan Zhu, also known as Westerly Zhu, for allegedly providing proprietary source code to the Chinese government. Zhu is a Chinese citizen who is in the US on a work visa. He faces charges of theft of trade secrets, conspiracy, wire fraud and theft of honest services. Zhu's employer, a US company based in Mercer County, NJ, has not been identified. Zhu allegedly emailed a database and more than 2,000 pages of source code from his employer to accomplices in China; those accomplices allegedly sold the software to the Chinese government.
-http://www.informationweek.com/news/security/government/showArticle.jhtml?articl
eID=216500695&subS
[Editor's Note (Northcutt): At some point these events need to transition from individual losses of data to a persistent pattern. Wake me up when the U.S. Government figures this out.
(Honan): This sort of crime gets very little attention from the media yet it is increasing and in the current economic climate could potentially have significant impacts on the affected companies and indeed their countries' economies. Indeed, the UK Government issued a warning to high tech industries
-http://news.zdnet.co.uk/security/0,1000000189,39291239,00.htm
about these type of attacks. If you work for a company that would be an attractive target you should review your security controls and ensure you have the appropriate logging, monitoring and egress filtering in place to prevent a similar breach in your organization. ]

Five Arrested in Romania in Connection with Data Theft Scheme (April 14, 2009)

Romanian authorities and the FBI worked together on a data theft case that culminated in the arrest of five people in this country. The five allegedly broke into US pharmaceutical Companies' websites and installed keylogging software which was used to steal credit card information. The card data were used to commit fraud resulting in US $800,000 in losses. All five suspects will face charges of unauthorized access to a computer system, intercepting electronic data, performing fraudulent financial operations through electronic payment methods and money laundering.
-http://www.scmagazineus.com/Pharmacy-hackers-busted-in-Romania/article/130627/
-http://news.softpedia.com/news/U-S-Pharmacy-Hackers-Arrested-in-Romania-109330.s
html
[Editor's Note (Weatherford): This should instill some confidence that law enforcement organizations from different countries are collaborating better and with tangible results.]

College Student Earns Prison Sentence in Failed Grade Changing Scheme (April 14 & 15, 2009)

A Florida college student has been sentenced to nearly two years in prison for his part in a failed scheme to change his own grades and those of others on the Florida A & M University computer network. Christopher Jacquette and two accomplices installed keystroke loggers on university computers, stole login credentials and used them to access accounts that allowed them to change grades. The trio's activities left enough digital footprints to allow auditors to identify them. The three also used their unauthorized access to change some people's residency status to reduce the amount of their fees. Jacquette must also serve three years of supervised release following completion of his prison term. One of the other defendants, Lawrence Secrease, has pleaded guilty and a jury convicted the third, Marcus Barrington. Neither has been sentenced.
-http://www.theregister.co.uk/2009/04/14/student_hacker_sentenced/
-http://www.miamiherald.com/news/florida/AP/story/999992.html
-http://www.geek.com/articles/news/student-sentenced-to-jail-for-hacking-universi
ty-grades-20090415/

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

Western Australia State Government IT Systems' Security Found Wanting (April 15, 2009)

A report from Western Australia's Auditor General Colin Murphy says the state government's IT systems have serious security shortcomings. The report takes a detailed look at five unidentified agencies, all of which collect sensitive personal information about residents. In the report, Murphy says that there are "fundamental weaknesses in all of the key areas of information security at the agencies examined," and that other agencies exhibit problems as well. Among the security concerns listed in the report are a lack of IT security policies; accounts remaining active after employees have left the agencies; a failure to install security patches and updates; and use of default passwords.
-http://www.zdnetasia.com/news/security/0,39044215,62053172,00.htm
[Editor's Note (Honan): These findings tie in closely with an interesting fact from the Verizon Business's 2009 Data Breach Investigations Report (see "Top of the News") that "87 percent of breaches could have been avoided through the implementation of simple or intermediate controls". ]

POLICY AND LEGISLATION

Texas and NC Legislators Address Computer Forensic Specialist Licensing Question (April 2009)

Proposed legislation in Texas would require that computer forensic specialists keep on file statements of ownership for computers they examine; those working for their own employers would be exempt from the requirement. The bill, H.B. 2564, was left pending in committee. In North Carolina, proposed legislation appears to provide for licensing forensic investigators separately.
-http://sansforensics.wordpress.com/2009/04/14/texas-pi-licensing-amendment/
-http://www.legis.state.tx.us/tlodocs/81R/billtext/pdf/HB02564I.pdf
-http://www.legis.state.tx.us/BillLookup/History.aspx?LegSess=81R&Bill=HB2564
-http://sansforensics.wordpress.com/2009/04/06/digital-forensics-professionals-mi
ght-be-required-to-become-private-investigators-via-new-licensing-amendments-in-
north-carolina/

UPDATES AND PATCHES

Oracle's Quarterly Patch Release Includes 43 Fixes (April 15 & 16, 2009)

Oracle's most recent quarterly patch release includes 43 fixes for vulnerabilities in a variety of products, including Oracle database versions 9i, 10g and 11G, Oracle Application Server, Oracle E-Business Suite, PeopleSoft Enterprise Human Resources Management System and Oracle WebLogic Server and Portal. The most critical flaws could allow attackers to gain control of vulnerable systems. Oracle's next security update is scheduled for July 14, 2009. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=6196
-http://gcn.com/Articles/2009/04/16/Oracle-vulnerabilities.aspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9131663&source=rss_topic17
-http://www.h-online.com/security/Oracle-publishes-43-security-updates--/news/113
068
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr20
09.html

Microsoft's April Security Update Comprises Eight Bulletins (April 15, 2009)

On Tuesday, April 14, Microsoft released eight security bulletins to address 23 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer (IE), and Microsoft Forefront Edge Security. The flaws could be exploited to allow denial-of-service conditions, remote code execution and privilege elevation. Six of the flaws have already been actively exploited, including a much-talked about flaw in Excel. The bulletins do not include a fix for a zero-day PowerPoint vulnerability that has been exploited since March.
-http://www.theregister.co.uk/2009/04/15/ms_patch_tuesday_april/
-http://news.cnet.com/8301-1009_3-10219179-83.html?part=rss&subj=news&tag
=2547-1009_3-0-20
-https://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
-http://isc.sans.org/diary.html?storyid=6193

MISCELLANEOUS

Amazon Won't Allow Phorm to Scan its Pages (April 15 & 16, 2009)

Amazon UK has announced that it will not allow Phorm, the targeted online advertising technology, to scan its websites for content to use in its personalized advertisements. Phorm scans the keywords on sites users visit and uses the information to create ads that are likely to appeal to specific users. Phorm has generated controversy since it was first revealed that BT piloted the technology without notifying users several years ago. The Open Rights Group has asked well-known websites, including Amazon, AOL, Microsoft, eBay and YouTube, to opt out of participating in Phorm. Amazon UK is the first to do so.
-http://news.bbc.co.uk/2/hi/technology/7999635.stm
-http://www.siliconrepublic.com/news/article/12755/new-media/amazon-hits-back-at-
online-advertising-parasite-phorm
-http://software.silicon.com/security/0,39024655,39419576,00.htm

Cyber Thieves Profits Falling - Too Much Success

Interesting analysis by Brian Krebs at WashingtonPost.com shows that so much credit card and banking data has been stolen that prices are dropping and thieves are making less money.
-http://voices.washingtonpost.com/securityfix/2009/04/glut_of_stolen_banking_data
_tr.html

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/