
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #40

May 19, 2006


The Google Fraud story that leads this issue is another example of the
great investigative work done by the folks at the Internet Storm Center.
(isc.sans.org).

Help us help you! SANS is running a survey to help us map your job
titles, tasks and the skills needed to accomplish those tasks. We do
this to ensure our courseware is relevant and focused on the tasks you
need to accomplish. We began the survey with the advisory board, then
improved it using feedback from the attendees at SANS 2006. We will also
select three of the completed surveys at random and send an Apple iPod
nano along as our way of saying thanks. To take the survey visit:
https://survey.sans.org

Alan

TOP OF THE NEWS

Google Fraud: Botnets Used to Steal Money From Google Advertisers
Spyware Infections Up 50 Percent Over Last Year
Lenovo Computers Reportedly to be Used for Only Unclassified Data
Payment Card Industry Security Standard Changes May Allow Alternatives to Encryption

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DISA Offers Free Anti-Spyware Software to All Gov Employees
POLICY & LEGISLATION
UK May Activate Provision Forcing Disclosure of Encryption Keys
New York's Anti-Phishing Act Heads to Governor
SPYWARE, SPAM & PHISHING
Blue Security Shuts Down Anti-Spam Service
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
People Selling Pirated Software on eBay Sued
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
UK ISP Fixes Hole That Compromised User Information
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Malware Infestation Leaks Japanese Power Plant Data
MORE DATA ON GOOGLE FRAUD


********************** Sponsored By SANS WhatWorks **********************

Download free Vendor White Papers on a wide range of security topics -
- From the SANS WhatWorks Project

http://www.sans.org/info.php?id=1168

*************************************************************************

SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006
Washington DC: 18 tracks
Denver: 6 tracks
London: 5 tracks
Toronto: 4 tracks
Plus 10 other cities and live-online programs you can take from your home.
See http://sans.org/ for course schedule registration

*************************************************************************

TOP OF THE NEWS

Google Fraud: Botnets Used to Steal Money From Google Advertisers (15 May 2006)

The SANS Internet Storm Center (ISC) has released evidence showing botnets are being used to defraud advertisers using Google AdWords, a pay-per-click advertising system. Advertisers pay Google for each click; Google in turn pays a substantial amount of that revenue to publishers who run banners for the advertisers. Unscrupulous publishers work with the botmasters to generate high volumes of clicks and ultimately revenue. The botmasters get a share of this as well. ISC uncovered evidence of a botnet with 115 bots, each of which was clicking on sites up to 15 times a day, a rate low enough to keep each bot under the detection system's radar.
-http://www.theregister.co.uk/2006/05/15/google_adword_scam/print.html
-http://isc.sans.org/diary.php?storyid=1334
[Guest Editor's Note (Ullrich): Several years ago, one of the first bots discovered and analyzed by Internet Storm Center was the "Leaves Worm", which pretty much followed the same scheme. In many ways the Leaves worm was a precursor of things to come. One nice thing about Leaves was that the author was eventually arrested by following the money trail.
Editor's Note (Pescatore): Back when newspaper advertising, and then radio advertising, and then TV advertising started up, there were fraudulent claims of how many people were actually viewing the ads and that led to subscription audit bureaus and radio/TV ratings services. Those same types of audit services, which carry a cost for the medium carrying the advertising, are needed for Internet advertising but paying that cost is being resisted.
(Northcutt): The following story, on spyware growth, is an important element of the Google Fraud story - all that spyware infestation helps enable Google Fraud. I've added some extra information about Google Fraud at the end of this issue. ]
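The ISC finding above turns on a detection gap: a per-IP click threshold never fires when every bot stays a few clicks under it, so the fraud is only visible when you look at the distribution of clicks per IP for a publisher as a whole. The following is an added illustration of that point, not ISC's or Google's detection code. The log format, the per-IP limit of 20 clicks a day, the publisher and advertiser names, and the bot population (12 bots at 12 clicks each, smaller than the 115-bot net ISC describes) are all assumptions made for the example, and the log lines are constructed.

```python
"""Low-and-slow click-fraud detection over a constructed click log.

Added example for the ISC story; not ISC's or Google's own code.
Assumed log format: "<ISO timestamp> <publisher> <advertiser> <client-ip>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_IP_DAILY_LIMIT = 20     # assumed naive per-IP threshold the bots stay under
ORGANIC_CLICKS_PER_IP = 1   # a real visitor rarely clicks the same ad twice a day


def build_sample_log():
    """Constructed click log for one day (2006-05-14); values are made up."""
    base = datetime(2006, 5, 14, 8, 0, 0)
    lines = []
    # Honest publisher: 40 visitors, one click each.
    for i in range(40):
        ts = base + timedelta(minutes=i * 13)
        lines.append(f"{ts.isoformat()} pub-honest adv-42 192.0.2.{i + 1}")
    # Colluding publisher: 12 bots, each clicking 12 times spread over the day
    # (well under PER_IP_DAILY_LIMIT), plus five organic clicks for cover.
    for bot in range(12):
        for k in range(12):
            ts = base + timedelta(minutes=bot * 3 + k * 70)
            lines.append(f"{ts.isoformat()} pub-collude adv-42 198.51.100.{bot + 1}")
    for i in range(5):
        ts = base + timedelta(minutes=i * 97)
        lines.append(f"{ts.isoformat()} pub-collude adv-42 203.0.113.{i + 1}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (day, publisher, advertiser, ip) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pub, adv, ip = line.split()
        records.append((datetime.fromisoformat(ts).date(), pub, adv, ip))
    return records


def per_ip_alerts(records, limit=PER_IP_DAILY_LIMIT):
    """Naive detector: flag any (day, ip) whose click count exceeds the limit.

    This is the check the bots are tuned to evade, so it returns nothing here.
    """
    counts = Counter((day, ip) for day, _, _, ip in records)
    return {key: n for key, n in counts.items() if n > limit}


def publisher_alerts(records, limit=PER_IP_DAILY_LIMIT,
                     min_repeat_ips=5, min_repeat_share=0.5):
    """Publisher-level detector based on the clicks-per-IP distribution.

    Organic traffic is dominated by one-click visitors. A botnet pacing itself
    under the per-IP limit instead yields many IPs with several clicks each,
    all below the limit. Flag a (day, publisher) when at least min_repeat_ips
    such IPs supply at least min_repeat_share of its clicks.
    """
    per_pub_ip = defaultdict(Counter)
    for day, pub, _, ip in records:
        per_pub_ip[(day, pub)][ip] += 1
    alerts = {}
    for key, ip_counts in per_pub_ip.items():
        total = sum(ip_counts.values())
        repeat_ips = [ip for ip, n in ip_counts.items()
                      if ORGANIC_CLICKS_PER_IP < n <= limit]
        repeat_clicks = sum(ip_counts[ip] for ip in repeat_ips)
        share = repeat_clicks / total
        if len(repeat_ips) >= min_repeat_ips and share >= min_repeat_share:
            alerts[key] = {"clicks": total,
                           "distinct_ips": len(ip_counts),
                           "repeat_ips": len(repeat_ips),
                           "repeat_share": round(share, 2)}
    return alerts


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("per-IP alerts:", per_ip_alerts(recs))          # {} - bots stay under the limit
    for (day, pub), stats in publisher_alerts(recs).items():
        print(f"{day} {pub}: {stats}")
```

The thresholds are illustrative; in production they would be fitted to each publisher's normal clicks-per-visitor profile, and the same aggregation should also be run per advertiser, since a colluding publisher can spread bot clicks across many advertisers to dilute the per-publisher signal.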

Spyware Infections Up 50 Percent Over Last Year (17 May 2006)

According to the annual Websense Web@Work survey, the number of organizations reporting their systems have been infected with spyware is up nearly 50 percent. Seventeen percent of companies with more than 100 employees reported their networks have been infiltrated by spyware, such as keystroke loggers. One likely reason for the increase in spyware infestations is the increasing availability of spyware toolkits on the Internet. The study also says that 44 percent of IT decision makers do not believe their employees can distinguish phishing sites from legitimate ones.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39360278-39000005c
[Editor's Note (Boeckman): I would say that poor security in the default configuration for Windows XP has far more to do with the spyware problem than the availability of spyware toolkits. ]

Lenovo Computers Reportedly to be Used for Only Unclassified Data (18 May 2006)

The US State Department will use Chinese-made Lenovo computers only for unclassified data, according to an unidentified aide to Virginia Congressman Frank Wolf. The State Department was criticized when it purchased a number of computers from China's Lenovo Group Ltd. in March of this year, because of concerns that the machines could contain embedded software that could be controlled remotely. Mr. Wolf, whose House appropriations subcommittee funds the State Department, said, "It is no secret that the United States is a principal target of Chinese intelligence services."
-http://www.washingtontimes.com/world/20060518-104316-9737r.htm
-http://www.eweek.com/print_article2/0,1217,a=178660,00.asp
[Editor's Note (Pescatore): Well, actually Windows includes software that allows it to be controlled remotely, as do many other pieces of software coming from American software vendors. I think it is a good thing to be suspicious about the software you are using but xenophobia is a two way street - don't just start being suspicious when the hardware comes from another country, always be suspicious.
(Ranum): Quick Quiz: name ONE computer that is entirely made in the US. Yeah, I didn't think so either. ]

Payment Card Industry Security Standard Changes May Allow Alternatives to Encryption (16 May 2006)

The Payment Card Industry Data Security Standard will be updated this summer to address evolving concerns about application-level attacks and merchants' difficulties with complying with the requirement of encrypting all stored customer data. One of the new requirements, which should be in effect by the middle of 2008, will be to conduct vulnerability scans on payment software. In addition, merchants will be offered alternatives to encrypting stored consumer data, such as access controls and extra firewalls. There is some concern that allowing merchants the option of not encrypting consumer data will lead to more security problems.
-http://news.com.com/2102-1029_3-6072594.html?tag=st.util.print
[Editor's Note (Pescatore): Changing the Payment Application Best Practices standards to require application vulnerability testing (vs. just checking that a code review process exists) is a good thing. The Payment Card Industry has moved very slowly on improving the PCI program; they need to make sure these changes take more than baby steps in moving things forward.
(Schultz): I wouldn't even try to equate access controls and extra firewalls to encryption. One nice thing about encrypting data is that even if access controls, firewalls, and other countermeasures do not work, an attacker who gains access to sensitive information finds it useless if it is encrypted with strong encryption. ]


*************************** Sponsored Links: ****************************

1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure. http://www.sans.org/info.php?id=1169

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

DISA Offers Free Anti-Spyware Software to All Gov Employees (13 May 2006)

The Defense Information Systems Agency (DISA) has licensed anti-spyware software for all US government employees and armed forces personnel to use on their home computers. The free software is seen as one measure to protect government systems from malware, since many employees bring work home. Employees can download the software directly to their home computers or take home a CD containing the software; it will update automatically.
-http://www.news.navy.mil/search/display.asp?story_id=23639

POLICY & LEGISLATION

UK May Activate Provision Forcing Disclosure of Encryption Keys (18 May 2006)

The UK Home Office is considering activating powers in Part Three of the Regulation of Investigatory Powers Act (RIPA) that could be used to force organizations and individuals to surrender decryption keys to the government upon request. RIPA came into force in 2000, but Part Three has not yet been brought into effect. Those who do not comply with government requests under RIPA Part Three could face up to two years in prison; anti-terrorism legislation imposes a maximum five-year sentence for failure to comply. Part Three also has a provision that could be used to make people decrypt their data. Some have expressed concern that with a law allowing police to demand encryption keys, international banks are unlikely to bring their business to the UK; furthermore, terrorists tend not to use keys for large amounts of data, but "on a one-to-one basis" instead, so forcing people to decrypt specific data would be a more fruitful and less damaging tactic.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020375t-10000025c

New York's Anti-Phishing Act Heads to Governor (17 May 2006)

The New York State legislature has approved the Anti-Phishing Act of 2006. If Governor George Pataki signs the bill into law, it would allow the New York attorney general, industries and non-profit groups to bring civil actions against phishers.
-http://www.bizjournals.com/albany/stories/2006/05/15/daily32.html?from_rss=1

SPYWARE, SPAM & PHISHING

Blue Security Shuts Down Anti-Spam Service (18/17/16 May 2006)

Blue Security has stopped its anti-spam activity after coming under attack from spammers unhappy with the company's practices. Blue Security offered a service called Blue Frog that takes a variety of steps to remove people's names from spammers' lists. The spammers were getting inundated with email requesting that names be removed from their lists and in retaliation launched a distributed denial of service (DDoS) attack against Blue Security. The spammers also began sending threatening messages to people who were using Blue Security's Blue Frog anti-spam service. Blue Security's decision to close Blue Frog was made to head off "an ever-escalating cyber war."
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39360570-39000005c
-http://news.bbc.co.uk/2/hi/technology/4990622.stm
-http://www.wired.com/news/technology/1,70913-0.html
[Editor's Note: Well, this certainly puts to rest the spammers' claims that they are just "exercising their rights to send Email" -- after all, Blue's users were just "exercising their rights to complain." Now the spammers' true colors are obvious: you have no rights as far as they are concerned. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

People Selling Pirated Software on eBay Sued (17 May 2006)

Three lawsuits filed in Los Angeles federal court target five individuals who allegedly offered pirated software for sale on eBay. The Software & Information Industry Association (SIIA) is spearheading an effort to crack down on people selling pirated software by purchasing their goods in online auctions and suing them without warning.
-http://www.smh.com.au/news/breaking/companies-crack-down-on-ebay-pirates/2006/05/17/1147545358529.html

-http://www.allheadlinenews.com/articles/7003615232

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

UK ISP Fixes Hole That Compromised User Information (18 May 2006)

Wanadoo, a European Internet service provider (ISP), has fixed a directory index browsing flaw that allowed people to access user account information. Intruders could have viewed users' screen names, real names, passwords, email addresses and other data without any sort of authentication.
-http://www.theregister.co.uk/2006/05/18/wanadoo_security_flap/

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Malware Infestation Leaks Japanese Power Plant Data (18/17/15 May 2006)

A malware infection is being blamed for the leak of sensitive Japanese power plant information onto the Internet. The information includes key facility location and operation procedures for the Chubu Electric Power Company's thermal power plant in Owase, Mie Prefecture; some employee data were also compromised. A sub-contractor's use of file sharing software is suspected to have caused the malware infection.
-http://search.japantimes.co.jp/cgi-bin/nn20060515a3.html
-http://www.vnunet.com/vnunet/news/2156317/virus-leaks-power-station-info
-http://www.theregister.co.uk/2006/05/17/japan_power_plant_virus_leak/print.html
[Editor's Note (Pescatore): Allowing unmanaged PCs (like contractor PCs) to connect to your network carries many dangers, but more and more enterprises are doing more and more in-sourcing, so this is growing. Network access control - checking for dangerous, vulnerable or non-compliant PCs before they have full connectivity is a good strategy for dealing with this.]

MORE DATA ON GOOGLE FRAUD


This is certainly not a new issue as Johannes Ullrich points out in his guest editor's note. A lot of money is at stake and this organized cheating may affect how legitimate organizations are able to advertise if illegitimate operators cannot be stopped or controlled. So we want to provide you with additional information.
First, this is the story we ran in SANS NewsBites, March 10, 2006, Volume: 8, Issue: 20:
Google Settles Fraudulent Clicks Suit (9/8 March 2006)
Google will pay as much as US$90 million to settle a lawsuit brought by advertisers who allege the company overcharged them for phony sales referrals generated by "click fraud." The settlement applies to all companies that advertised on Google over the past four years. Google has offered to provide the companies with credit for the fraudulent clicks since 2002. Google will also pay legal costs. The court has not yet approved the settlement, however.
-http://www.theage.com.au/news/breaking/google-to-settle-click-fraud-case/2006/03/09/1141701611014.html

-http://news.com.com/2102-1030_3-6047717.html?tag=st.util.print
-http://internetweek.cmp.com/showArticle.jhtml?articleID=181502179

Here is the current status of that lawsuit; it will probably not be resolved until July at the earliest:
-http://www.betanews.com/article/Google_Click_Fraud_Settlement_Hits_Snag/1147446514


And the Pollard and Khorrami web site is shown here. As you can see, if they are successful, a 90 million dollar lawsuit could balloon into far more than that:
-http://www.clickfraud-legal-center.com/


The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent language consultant based in Clearwater,
Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/