SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XI - Issue #78

October 02, 2009

*One of the two best free government security conferences in the Washington area starts in less than four weeks. I understand there are only about 220 seats left so if you want one, register in the next week or so at *http://scap.nist.gov/events*.

Bring a couple of co-workers because youll want to be in several sessions at the same time. It is the Security Automation Conference developed by NSA and NIST, and it is where youll see the future of government security automation automation that will quickly spread to the defense industrial base and the critical infrastructure and banks. There are tracks on risks and mitigations in cloud computing, network monitoring/auditing/logging, DoD infrastructure/tools/trends and S-CAP (the security interoperability standard that will become mandatory shortly).

The conference is Oct 27-28 (if your time is short youll get maximum value if you come from noon Oct 27 through the full day on Oct 28). There are also workshops Oct 26 and 29; not SANS courses but a couple look useful. And it is all free at the Baltimore Convention Center.

Registration

https://scap.nist.gov/events

---

TOP OF THE NEWS

US Army Data Leaked Through P2P Networks
Survey: US Consumers Do Not Want Behavioral Advertising
Court Vacates TRO Against Google; Misdirected eMail Was Never Opened

THE REST OF THE WEEK'S NEWS

PayChoice Breach
Spammers Break Facebook CAPTCHA
BT Resisting BPI's Demand to Act on List of Suspect IP Addresses
Peer-to-Peer Legislation Passes in Committee
Express Scripts Notifies 700,000 of Data Security Breach
Microsoft Security Essentials Not Available to Pirates
Two Men Extradited to Face Charges in Phishing Case
URLZone Trojan
Google Case Guest Editor Analysis: William Hugh Murray

---

********************** Sponsored By Q1 Labs ***************************

** THE SECURITY MANAGEMENT EVOLUTION: WHATS NEXT? **

GET THE WHITE PAPER NOW:

https://www.sans.org/info/49204

Respected industry analyst firm Enterprise Strategy Group (ESG) provides a unique perspective on the evolution of security information and event management (SIEM) solutions from niche firewall log analyzers to highly strategic security management solutions. How can organizations like yours identify and leverage the newest, most sophisticated tools in the next phase of the Evolution?

************************************************************************* TRAINING UPDATE***************************************

- -- SANS Chicago North Shore, Oct. 26-Nov. 2,
https://www.sans.org/chicago09/
- -- SCADA Security Summit, Stockholm, Oct. 27-30,
https://www.sans.org/euscada09_summit/
- -- SANS San Francisco, November 9-14,
https://www.sans.org/sanfrancisco09
- -- SANS Sydney, Nov.9-14
https://sans.org/sydney09/
- -- SANS London, UK, Nov.28-Dec. 9,
https://sans.org/london09/
- -- SANS CDI, Washington DC, Dec. 11-18,
https://www.sans.org/cyber-defense-initiative-2009
- -- SANS Security East 2010, New Orleans, January 10-18, 2010 19 courses, bonus evening presentations
https://www.sans.org/security-east-2010/
Looking for training in your own community?
https://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
https://www.sans.org/ondemand/
For a list of all upcoming events, on-line and live: http://www.sans.org

*************************************************************************

---

TOP OF THE NEWS

US Army Data Leaked Through P2P Networks (October 2, 2009)

The Washington Post reports that personal data of US soldiers are being leaked through peer-to-peer (P2P) file-sharing programs. The data are being downloaded by users in China, Pakistan and other countries. The information includes Social Security numbers, blood types and names of family members. P2P software has been banned by the Army since 2003 and by the Pentagon since 2004. An Army Special operations Command spokesperson said the leak was an isolated incident and that those responsible had been punished.
-http://www.washingtonpost.com/wp-dyn/content/article/2009/10/01/AR2009100104947_
pf.html

Survey: US Consumers Do Not Want Behavioral Advertising (September 30 & October 1, 2009)

A study conducted jointly by the University of Pennsylvania and the University of California, Berkeley Center for Law and Technology found that US Internet users object to behavioral advertising. Sixty-six percent of respondents do not want advertising targeted to their perceived interests. Nearly 70 percent of respondents said there should be a law granting Internet users the right to know exactly what information is collected from them online. Ninety-two percent said they would be in favor of a law that would require websites and advertising companies to delete all information held about consumers at the consumers' request.
-http://www.computerweekly.com/Articles/2009/09/30/237924/us-web-users-say-no-to-
online-tracking-by-advertisers.htm
-http://www.theregister.co.uk/2009/10/01/behavioural_advertising_no_thanks/
-http://news.smh.com.au/breaking-news-technology/most-americans-dislike-behaviora
l-advertising-survey-20091001-gda4.html
Editor's Note (Pescatore): Look, on radio and TV we all get behavioral advertising all the time. The commercials during Desperate Housewives aren't for 2 ton pickup trucks, and the ones during the Ultimate Fighting Championships aren't for Manolo Blahnik shoes. The real issue is information being collected without the user's prior knowledge and consent - that should change. I know - we could call it "opt-in"! ]

Court Vacates TRO Against Google; Misdirected eMail Was Never Opened (September 29 & 30, 2009)

A court has granted a joint motion to dismiss a case brought by Rocky Mountain Bank against Google. The bank originally filed suit seeking to compel Google to provide information about a Gmail account holder who had been inadvertently sent confidential bank information. On Friday, September 25, the bank obtained a temporary restraining order (TRO) that demanded Google deactivate the unknown user's account, delete the message that had been sent in error, disclose whether or not the account was active and if it was, disclose the account holder's identity. It now appears that the message was never opened; it has been deleted and the Gmail account has been reactivated.
-http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=
220300364
-http://www.theregister.co.uk/2009/09/30/rocky_mountain_google_case_fini/
-http://news.cnet.com/8301-27080_3-10363663-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
[Editor's Note (Schultz): In these perilous political times, overreaction abounds, and legal issuesinvolving Internet service providers seem to be no exception to the rule. ]

---

************************ Sponsored Links: ****************************

1) Register Today and receive 10% off for SANS vLive course SEC542, Web App Penetration Testing and Ethical Hacking, November 2nd - November 9th. Please use the code @Risk542 when registering.

https://www.sans.org/info/49209

2) Register today for an upcoming Novell sponsored SANS web cast on 10/6 titled, Ask The Expert: Offense and Defense: Better Correlation.

https://www.sans.org/info/49214

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

PayChoice Breach (October 1, 2009)

The payroll processing company PayChoice has notified its customers that attackers stole login information and passwords of customers and have been using such information in attempts to get more sensitive information from these customers. Some companies that use the PayChoice payroll processing system have received malicious emails telling them they needed to download a web browser plug-in to ensure uninterrupted service to the PayChoice payroll services portal. The plug-in was actually malware that stole user names and passwords. The email messages included information specific to each organization that received them. PayChoice is investigating the breach.
-http://voices.washingtonpost.com/securityfix/2009/09/hackers_breach_payroll_gian
t_t.html
-http://www.wired.com/threatlevel/2009/10/paychoice-breached/
-http://www.computerworld.com/s/article/9138788/Large_online_payroll_service_hack
ed?source=rss_security
-http://news.cnet.com/8301-27080_3-10365830-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20

Spammers Break Facebook CAPTCHA (October 1, 2009)

Malware purveyors have managed to break the Facebook CAPTCHA (completely automated public Turing test to tell computers and humans apart), allowing them to automate the creation of Facebook pages. The malicious pages are being used to send links to malicious websites that promote scareware. The pages all have the same photograph, but have different user names. Facebook is taking steps to identify the rogue pages and disable them.
-http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?source=
rss_security

BT Resisting BPI's Demand to Act on List of Suspect IP Addresses (September 30, 2009)

The British Phonographic Industry (BPI) has provided UK Internet service provider (ISP) BT with the IP addresses of 100,000 BT customers the BPI suspects of illegal filesharing. BT has not yet taken any action. BPI is unhappy with BT's inaction; the ISP maintains it has no formal agreement with the BPI regarding suspected piracy. BT ran a 12-week test program in July 2008 during which it sent warning letters to suspected copyright infringers. A BT spokesperson said that investigating each allegation of filesharing would not only prove costly, but would also violate customers' privacy rights.
-http://www.networkworld.com/news/2009/093009-bpi-alerts-bt-to-100000.html
-http://www.nma.co.uk/bt-hits-back-at-bpi-digital-piracy-claims/3004958.article

Peer-to-Peer Legislation Passes in Committee (September 29 & 30 & October 1, 2009)

The House Energy and Commerce Committee this week approved a bill aimed at protecting users from inadvertently sharing information meant to stay private. The Informed P2P User Act would require file-sharing providers such as Limewire to offer "clear and conspicuous" notification to users before allowing files on their computers available for sharing. The programs would also be prohibited from surreptitiously installing software on users' computers and cannot be structured to prevent their removal from users' computers. Companies that do not follow the rules would be in violation of Federal Trade Commission Act unfair and deceptive trade practices rules.
-http://blog.internetnews.com/kcorbin/2009/09/p2p-security-bill-clears-house.html
-http://www.computerworld.com/s/article/9138659/Lawmakers_eye_bill_to_make_P2P_fi
le_sharing_safer?taxonomyId=84
-http://arstechnica.com/tech-policy/news/2009/10/informed-p2p-user-act-to-clamp-d
own-on-filesharing-software.ars
[Editor's Note (Schultz): This legislation is long overdue, but better late than never.

(Pescatore): Only focusing on peer to peer file sharing is a bad tactic here. Why not just say "all software must obtain clear consent from the user before installing and before causing any data to exit their PC." We could call it "opt-in"! ]

Express Scripts Notifies 700,000 of Data Security Breach (September 30, 2009)

Pharmacy benefits management company Express Scripts says that approximately 700,000 people have been notified that their personally identifiable information was compromised following a data security breach in 2008. The company learned of the breach when the data thief attempted to extort money in exchange for not exposing the information on the Internet. The initial extortion demand contained information of 75 patients; the recent set of letters was sent in response to a larger file of information that was sent to a law firm.
-http://online.wsj.com/article/BT-CO-20090930-717098.html
-http://www.computerworld.com/s/article/9138723/Express_Scripts_700_000_notified_
after_extortion

Microsoft Security Essentials Not Available to Pirates (September 30, 2009)

Users running unlicensed or improperly licensed copies of Microsoft Windows will not be able to install the company's newly-released Security Essentials antivirus software. To install the software, users will be required to validate their copies of Windows operating systems. Microsoft does allow users running pirated copies of Windows to download Internet Explorer 8 (IE 8), touted as the company's most secure browser yet. Microsoft also allows patches to be downloaded to pirated copies of Windows through Windows Update. There are other free anti-virus alternatives available, but the patches are available only from Microsoft.
-http://www.computerworld.com/s/article/9138705/Microsoft_blackballs_pirates_from
_getting_free_Security_Essentials_software?source=rss_security

Two Men Extradited to Face Charges in Phishing Case (September 30, 2009)

Two Romanian men have been extradited to the US to face charges in connection with phishing schemes that targeted customers of PayPal, Citibank and other financial institutions. Petru Bogdan Belbita, Cornel Ionut Tonita and with five other men were charged in January 2007 in connection with the phishing schemes. One of the men has already pleaded guilty to conspiracy to commit fraud and has been sentenced to 50 months in prison. Belbita and Tonita have both entered not guilty pleas to charges of conspiracy to commit fraud in connection with access devices, conspiracy to commit bank fraud, and aggravated identity theft. If they are convicted of all charges, each faces 37 years in prison and a US $1.5 million fine.
-http://www.theregister.co.uk/2009/09/30/romanian_phishers_extradited/
-http://www.scmagazineus.com/Two-accused-Romanian-phishers-plead-innocent/article
/151052/

URLZone Trojan (September 29 & 30, 2009)

New, sophisticated malware is making it harder to detect some fraudulent online bank transactions. The URLZone Trojan horse program communicates with a command server to find out precisely how much money to take from the accounts it is plundering to evade detection and where to send the money; the Trojan also alters users' online bank statements so the fraudulent transactions do not show up. The Trojan exploits a vulnerability in Firefox, Opera, Internet Explorer 6, IE 7, and IE 8.
-http://www.darkreading.com/database_security/security/client/showArticle.jhtml?a
rticleID=220300592&subSection=End+user/client+security
-http://www.scmagazineus.com/URLZone-touted-as-most-sophisticated-banking-trojan-
yet/article/151096/
-http://news.cnet.com/8301-27080_3-10363836-245.html?part=rss&subj=news&t
ag=2547-1009_3-0-20
-http://www.wired.com/threatlevel/2009/09/rogue-bank-statements/

Google Case Guest Editor Analysis: William Hugh Murray

The five most beautiful words in the English language are, "Congress shall make no law...." However, within that Constitutional limitation, the courts are charged with sorting out private and public interests within the facts and the law. Judges like to point out that they do not get to choose either the facts or the law. This is a set of facts that none should want to decide, even with more specific and applicable contract or legislative provisions and better precedents.

The bank is in a very weak position. Admittedly, they need to try to show "best efforts" but the horses are already out of the barn. They have no relationship with Google or Google's user; no contract or other claim, beyond "what nice people would do," to which they can appeal.

Google's policy is to require paper to give them a presumptive defense if the account holder sues them. Since the account is an accommodation, and under Google's terms of use, the success of any such suit is questionable in any case. Google does have an express commitment to its user but it is unlikely that it is enforceable. Google is also trying to protect the brand. Note that Google knows whether or not their user has seen or downloaded the file.

A well intended and behaved user would have acknowledged the bank's communication. While I am sure that I could dream one up, it is hard to find a legitimate interest that this user has in refusing to acknowledge the bank's communication. Nice people do not try to turn the innocent errors of others to their own advantage.

In general, courts issue subpoenas and other orders only when there is a civil suit, or probable cause to believe that a crime has been committed. Let us assume that the bank has filed a civil suit of some sort (Contract? Tort? Neither seems obvious.) against Google et. al. and an order is issued. Google can appeal the order. This is not a secret Federal order. Even if they comply, if the user's interest is, as you suggest, identity, the action can be reversed. If, on the other hand, it is anonymity, damage to the user may be permanent. Then, depending upon the actual damages that can be shown, one might not want to be Google or the bank. Punitive damages are another matter. I think that Google is trying to protect the right of its user and the bank is putting the privacy of their many customers ahead of the privacy of one of Google's customers. I expect and suspect that a jury would be sympathetic to them rather than to a user who insisted upon his interest at the expense of many others.

Finally, the right that Google is defending is the right of its user to be rude, the right to anonymity, not to free speech or political speech, and not to one's name, public or private. Said another way, of all the interests of Google or their customer, they are defending the least compelling one.

[This is a case where, whatever one thinks of the decision, there is a court involved. It is not warrantless eavesdropping, not National Security Letters (215 Orders)." This is not "safe harbor" for banks that proactively curry favor by snitching on their customers. This is not warrantless seizure of laptops as contraband (fishing expeditions) by customs agents. These unilateral abuses of Federal executive authority are now routine and beneath our notice or comment, much less our resistance. They never see a court. (As I write this, I am listening to House hearings on the re-authorization of the USA PATRIOT Act. "Catching a terrorist" justifies anything.") I am now ready to consent to almost anything in return for there being judicial jurisdiction and oversight. ]


I do not think that we have to worry that this order will establish any precedent at all. It will not establish a precedent that puts the rights of the negligent or their victims ahead of those of innocent third parties. While it is already far too easy to get ISPs to identify their users, this case is not likely to make it any easier and has some hope of making it harder.

---

**********************************************************************
The Editorial Board of SANS NewsBites



Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/