SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #35

September 03, 2003

TOP OF THE NEWS

MSBlast Suspect Arrested and Appears Before Magistrate
MSBlast's Effect on the Blackout
RIAA Using Digital Fingerprints to Track Illegally Traded Files
JAP Removes Backdoor Pending Appeal Outcome
ISPs Will Scan e-Mail Attachments

THE REST OF THE WEEK'S NEWS

Worm Authors are Seldom Prosecuted
Worm Outbreaks Raise Issue of Government Regulation
Overly Broad e-Mail Subpoena Violates Computer Crime Laws
Accountant Acquitted of Tax Evasion; Claims Virus Was Responsible for Errors
Malware Detection Will Move to Servers
CCIA Critical of DHS Decision to Use Microsoft Products
NetGear Routers Cause Inadvertent DoS on U of Wisconsin NTP Server
Sobig Variant Not Significant

SANS READING ROOM NEW PAPER OF THE WEEK

Home Security Patch Options For Corporate Security Managers

---

******** This Issue Sponsored by VeriSign - The Value of Trust ********
FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out with
VeriSign's FREE White Paper, "Building an E-Commerce Trust
Infrastructure."
Learn how to authenticate your site to customers, secure your web
servers with 128-Bit SSL encryption, and accept secure payments online.
Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n20390138280057000
***********************************************************************

---

TOP OF THE NEWS

MSBlast Suspect Arrested and Appears Before Magistrate (29/30 August/1 September 2003)

Jeffrey Lee Parson, an 18 year old from Hopkins Minnesota, appeared before a magistrate judge in Minnesota but did not enter a plea. He has admitted being the author of a variant of the Blaster worm that spread in August. He was released without bail, ordered to house arrest and prohibited from accessing the Internet. If he is convicted, he could face a $250,000 fine and a ten year prison sentence.
-http://www.washingtonpost.com/ac2/wp-dyn/A2306-2003Aug29?language=printer
-http://www.wired.com/news/print/0,1294,60236,00.html
-http://www.msnbc.com/news/958852.asp?0dm=C217T
-http://www.usatoday.com/money/industries/technology/2003-09-01-blaster-cover_x.h
tm

MSBlast's Effect on the Blackout (29 August 2003)

The MSBlast worm apparently slowed some communications lines that connect data centers used to manage the power grid, abetting the "cascading effect" of the blackout that hit the north-east, mid-west and parts of Canada last month. The worm didn't harm the systems, but did slow down the speed at which networks communicated. A Bush administration advisor said that the worm also "hampered efforts to ... restore power in a timely manner."
-http://www.computerworld.com/printthis/2003/0,4814,84510,00.html

RIAA Using Digital Fingerprints to Track Illegally Traded Files (27/28 August 2003)

Recently released court papers show that the Recording Industry Association of America (RIAA) is tracking down people who illegally trade copyrighted material on the Internet through the use of digital fingerprints. The RIAA says it can use that information to tell whether the songs were recorded from legally purchased CDs or traded illegally on the Internet. The case involves a New York woman who is fighting the RIAA's attempt to discover her identity.
-http://www.washingtonpost.com/ac2/wp-dyn/A58140-2003Aug28?language=printer
-http://www.msnbc.com/news/958219.asp
[Editor's Note (Grefer): According to a recent discussion on SlashDot, the RIAA employs MD5 hashes for their digital fingerprinting. For more information see discussion at
-http://slashdot.org/comments.pl?sid=03/08/28/1217214
as well as the article that triggered it:
-http://story.news.yahoo.com/news?
tmpl=story&cid=529&ncid=529&e=6&u=/ap/20030827/ap_en_mu/downloading_music ]

JAP Removes Backdoor Pending Appeal Outcome (28 August 2003)

The operators of the Java Anonymous Proxy (JAP) service, which last week acknowledged that it was "backdoored" by court order, has appealed the court's ruling. The service does not need to log attempts to access a certain IP address for German police until a decision on the appeal has been reached. The group that runs JAP had been criticized for not acknowledging the existence of the backdoor until a user pointed it out.
-http://www.theregister.co.uk/content/6/32533.html

ISPs Will Scan e-Mail Attachments (27 August 2003)

In the wake of the recent worm outbreaks, many Internet service providers (ISPs) plan to filter e-mail, scanning it for suspicious attachments. Some ISPs, like AOL, Comcast and the Microsoft Network, already scan customers' e-mail. The practice is costly and runs the risk of generating false positives and filtering legitimate e-mail. Customers are starting to expect services like this from their ISPs.
-http://www.washingtonpost.com/ac2/wp-dyn/A54406-2003Aug27?language=printer

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Got SecureCRT? Get VShell server for UNIX today.
Download a free trial.
http://www.sans.org/cgi-bin/sanspromo/NB219
(2) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/cgi-bin/sanspromo/NB220
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Worm Authors are Seldom Prosecuted (31 August 2003)

Despite the growing prevalence of computer worms, few worm authors are prosecuted, even fewer have gone to prison for their actions, and the penalties have been somewhat light. Tracking down the author of a worm can be difficult because of the anonymous environment of the Internet and because it is relatively easy to hide one's electronic tracks. Under current US federal law, prosecutors must present evidence that the suspect intentionally caused more than $5,000 worth of damage; many worms are not damaging.
-http://www.cnn.com/2003/TECH/internet/08/30/hacker.penalties.ap/index.html
[Editor's Note (Ranum): "Many worms are not damaging"?? HUH? How do you define "damage"? (Schultz) The information from the stated source for this news item is misleading in that damage is from a legal standpoint not measured purely in terms of adverse changes to systems. Damage can also be measured in terms of the time and costs needed to respond to worm infections. ]

Worm Outbreaks Raise Issue of Government Regulation (26/1 September 2003)

The recent large-scale infestations of the MSBlast and Sobig.F worms have once again raised the question of government regulation to hold companies liable for flawed software. Proposals put forth include changing end user license agreements (EULAs), which almost always exempt vendors from liability in the event of software flaws, offering tax incentives for company spending on cyber security and requiring companies to disclose security risks in SEC filings. Though some feel regulation of the Internet would stifle its potential for innovation, many security experts are now in favor of some sort of government regulation to reduce cyber security risks. Microsoft security chief Scott Charney would like to see more users patching their computers, as well as deploying anti-virus software and firewalls. (please note this site requires free registration)
-http://www.nytimes.com/2003/09/01/technology/01NET.html?th=&pagewanted=print
&position=
-http://zdnet.com.com/2102-1104_2-5067873.html?tag=printthis
[Editor's Note (Ranum): It would make more sense to legislate that everyone run antivirus software than to hold vendors liable for holes in their products. Certainly, EULAs go too far in indemnifying vendors - - but a significant cause of virus spread is users who just click on anything that comes into their in-box. (Schultz) It sounds as if Microsoft is once again beating the same old dead horse, trying to blame users for not installing the plethora of patches needed in Windows systems and ignoring the fact that Microsoft-prescribed methods of patch installment don't necessarily work as described.]

Overly Broad e-Mail Subpoena Violates Computer Crime Laws (29 August 2003)

A federal appeals court has ruled that a litigant and his attorney who had an "overly broad" subpoena served on an Internet service provider to gain access to an adversary's e-mails have violated federal anti-hacking laws. The ruling suggests that the issuing the subpoena for all e-mail correspondence to and from everyone in the company is tantamount to computer intrusion.
-http://www.securityfocus.com/news/6837

Accountant Acquitted of Tax Evasion; Claims Virus Was Responsible for Errors (29 August 2003)

Eugene Pitts, an Alabama accountant, was found innocent on nine counts of tax evasion after successfully convincing a jury that a computer virus caused him to underreport his income three years running. The jury reached the innocent verdict despite the fact that the same computer had been used to prepare other clients' returns, none of which appeared to have the same problem.
-http://www.theage.com.au/articles/2003/08/29/1062050651422.html
-http://www.sophos.com/virusinfo/articles/virustax.html

Malware Detection Will Move to Servers (28 August 2003)

The increasing sophistication of computer worms along with the escalating speeds at which they propagate will necessitate the use of predictive technologies to prevent outbreaks; these technologies require more power than desktop computers possess. It is likely that computer security will move to servers at ISPs or corporate networks.
-http://www.washingtonpost.com/ac2/wp-dyn/A56103-2003Aug27?language=printer
[Editor's Note (Northcutt): Oh boy, another widget. We can put this one next to the anti-virus scanner, the intrusion prevention device, the web server protector, the DDOS defenders, the IDS and send it's data to one of our five enterprise security console (centralized logging solutions). Then we will really be safe, Stephen said with unbridled sarcasm. Or ... we could demand decent operating systems and be done with the lot of them. ]

CCIA Critical of DHS Decision to Use Microsoft Products (28 August 2003)

Ed Black, CEO and president of the Computer & Communications Industry Association (CCIA), has written a letter to Department of Homeland Security (DHS) Secretary Tom Ridge expressing concern and dismay at the DHS's decision to make Microsoft the agency's "primary technology provider." The letter cites the need for well-engineered software and the benefits of diversity in a computing environment. Jonathan Zuck, president of the Association for Competitive Technology (ACT), which counts Microsoft among its members, counters that Black's letter is little more than an attempt to advance the business interests of CCIA members, which include Oracle Corp., Sun Microsystems and Nokia Corp.
-http://www.computerworld.com/printthis/2003/0,4814,84434,00.html
Black's letter to Ridge:
-http://www.ccianet.org/letters/dhs_030827.pdf
[Editor's Note (Schultz): Given its mission, I seriously question the DHS decision to use Microsoft products. ]

NetGear Routers Cause Inadvertent DoS on U of Wisconsin NTP Server (26 August 2003)

A flaw in some NetGear router products causes them to launch unintentional denial-of-service attacks on the University of Wisconsin's Network Time Protocol (NTP) server. NetGear routers are designed to request the time from this server, but in the event they do not receive a response, a flaw in the products causes them to repeatedly send requests until they do receive a response. NetGear will provide funds for the university to strengthen its network. The flaw affects NetGear router models RP614, RP614v2, DG814, MR814 and HR314; a firmware patch is available on the company's website.
-http://news.com.com/2102-1002_3-5068035.html?tag=ni_print

Sobig Variant Not Significant (26/27 August 2003)

Researchers at a Romanian anti-virus software company say they have discovered a Sobig variant that will try to contact seven Time Warner Telecom Simple Mail Transfer Protocol (SMTP) and domain name servers for instructions. Others in the anti-virus community see nothing extraordinary about the encrypted list of seven servers, and that it could simply be "part of
[the worm's ]
e-mail spreading routine."
-http://www.nwfusion.com/news/2003/0826twsobig.html
-http://www.eweek.com/print_article/0,3668,a=55958,00.asp
[Editor's Note (Ranum): I use such a service from my ISP. It's pretty ineffective. About 90% of the Email that I get through that account is still either viruses or spam. ]

---

SANS READING ROOM NEW PAPER OF THE WEEK

Home Security Patch Options For Corporate Security Managers

Timothy Rice presents and contrasts a wide array of solutions for the corporate security manager who wants to protect (by patching) the systems of home users who connect to the corporate systems. Since VPNs are essentially encrypted pipes, any vulnerability in the home system provides a direct patch for the attacker to penetrate the corporate system.
-http://www.sans.org/rr/last.php
(and scroll down to Timothy Rice's paper)