SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VI - Issue #1

January 07, 2004

TOP OF THE NEWS

Phony FBI e-Mail Contains Malware Attachment
Government Agencies Take Steps to Improve IT Security
IRS Encryption Standards for On-Line Returns
e-Mail Rumor Causes Run on Bank

THE REST OF THE WEEK'S NEWS

Watchdog Group Sues Over Restrictive Copy-Protection Scheme
Tech Consortium to Promote DRM System
Norwegian Police Won't Appeal Johansen's Acquittal
Johansen Cracks iTunes DRM Scheme
Alabama County to Employ Fingerprint Identity Authentication for Workers
Lamo to Accept Plea Bargain
RIAA Lawsuits Spur Downturn in Downloading
Jitux.A and PE_QUIS.A Worms
Social Discovery Sites' Security Lacking
Federal Judge Dismisses Spam Case on Jurisdiction Technicality
Hoax e-Mail Urges Users to Download Security Software
Cyber Blackmail Artists Target Individuals in the Workplace
e-Mail Exploits Terrorism Fears to Plant Trojan Horse Program
What's in Store for 2004

ANALYSIS

Spam Filters In an Operating Environment (More on using SPAM Cop wisely)

VULNERABILITY UPDATES AND EFFECTS

Mremap Vulnerability in Linux Kernel

---

************************ Sponsored By SANS 2004 ***************************
Look for your 100 page SANS 2004 guide and your Roadmap to Network Security poster arriving this week or early next week in your surface mail box. More than 400,000 were mailed out in 9 x 12 envelopes and in clear plastic wrap. SANS 2004, April 1-9, in Orlando, Florida, is the first Security Mega Training Conference with more than 600 hours of training and exciting new courses for advanced technologists, auditors,managers, and even for beginners. Please choose your courses early.SANS courses are filling up even earlier now that the recession seems to be over and employers are saying yes to training requests once again.(3 of 6 courses in San Diego were already full nearly a month before the conference starts). If you don't want to wait for the brochure to arrive, you can find all the course descriptions and guides to choosing the right courses at:http://www.sans.org/sans2004

"Current information, intelligent treatment, and great communication and presentation skills. This was the best training conference I've attended in quite a long career in computing."
Darnell Jones, RIS

"This is everything I need to do my day to day job".
Michael Goad, Tech Data Corp.

"I learned so much I can take home and implement immediately."
Mark Kastner, I_TECH Corp

If you need help persuading your boss that SANS courses are better than any other and really worth the time and money, email info@sans.org with the subject "SANS2004 justification" and tell us which track or tracks you are thinking of attending. We have an extraordinary new resource for you - a list of the actions past students said they took to improve security as a result of their attending SANS training: real payoff for your employers.

***************************************************************************

---

TOP OF THE NEWS

Phony FBI e-Mail Contains Malware Attachment (6 January 2003)

Some people have been receiving e-mail messages purporting to be from the FBI and informing them that they will be indicted on charges of illegal downloading. The e-mail includes an attachment that claims to be the evidence taken from their computers but which really contains malware. Closer examination of the e-mail message reveals grammatical and factual clues that it is not authentic.
-http://www.theage.com.au/articles/2004/01/06/1073268005348.html

Government Agencies Take Steps to Improve IT Security (5 January 2004)

Several government agencies that received low or failing marks on last year's IT security report card are adopting measures to address their IT security problems. The Department of Justice (DOJ) has an IT Security Council that is comprised of top security officials from each of the many DOJ organizations. The Environmental Protection Agency (EPA) has developed an application that can test computers' security and keep track of the amelioration of problems that it finds. DOJ and EPA both improved a full letter grade from last year to this.
-http://www.eweek.com/print_article/0,3048,a=115639,00.asp

IRS Encryption Standards for On-Line Returns (30 December 2003)

Starting in 2005, the IRS will require professional tax preparers, software vendors and third-party transmitters to use specified encryption measures when they send returns over dedicated lines. They will need, at a minimum, a 128-bit FIPS encryption method. The software standards will be published by March 31 of this year. Registered users will be able to take advantage of a secure web test facility by the end of July of this year
-http://www.gcn.com/vol1_no1/daily-updates/24524-1.html.

e-Mail Rumor Causes Run on Bank (30 December 2003)

A rumor spread by e-mail caused a run on Japan's Saga Bank. A message sent from a cell phone to members of a mailing list suggested that Saga bank would go bankrupt; customers withdrew 18 billion yen (approximately US$169.4 million) from the bank the next day, double the previous day's withdrawals.
-http://www.yomiuri.co.jp/newse/20031230wo27.htm

---

************************ SPONSORED LINKS ******************************
Privacy notice: Some of these links redirect to non-SANS web pages.

(1) Earn a Norwich University Master's Degree in Information Security in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB276

(2) Invest in the best network protection. Introducing the Microsoft(r) Security Readiness Kit.
http://www.sans.org/cgi-bin/sanspromo/NB277

(3) FREE WEB SEMINAR - Explore how Spam threatens your email security, with Gartner and CipherTrust.
http://www.sans.org/cgi-bin/sanspromo/NB278

(4) [SANS] Check out SANS new School Store for just released books on Business Law, Securing Solaris, Computer Security Incident Handling and other books and merchandise found nowhere else.
https://store.sans.org/

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Watchdog Group Sues Over Restrictive Copy-Protection Scheme (5 January 2004)

A Belgium-based European consumer watchdog group is suing EMI, Universal Music, Sony Music and BMG for selling CDs with copy protection that prevents them from playing on computers and car stereos. The protection scheme also prevents people from making back-up copies of disks they have purchased.
-http://www.wired.com/news/print/0,1294,61791,00.html
[Editor's Note (Schultz): This is a twist--suing music companies for implementing copyright protection schemes. I predict that this lawsuit will not get very far. ]

Tech Consortium to Promote DRM System (5 January 2004)

Five powerful technology companies plan to launch a "campaign" to convince the film and recording industries that they have come up with an effective digital rights management (DRM) system. If the technology consortium, which is called Project Hudson, is successful in establishing and controlling DRM standards, it stands to reap significant benefits.
-http://www.nytimes.com/2004/01/05/business/05share.html?pagewanted=print&pos
ition=

Norwegian Police Won't Appeal Johansen's Acquittal (5 January 2004)

Norwegian police will not appeal the recent acquittal of Jon Johansen on piracy charges. Johansen created the DeCSS utility which can be used to circumvent DVD copy protection.
-http://news.com.com/2102-1025_3-5134835.html?tag=st_util_print

Johansen Cracks iTunes DRM Scheme (5 January 2004)

Jon Johansen has created and released code that unlocks iTunes music and allows users to play the songs on GNU/Linux computers.
-http://theregister.co.uk/content/6/34712.html

Alabama County to Employ Fingerprint Identity Authentication for Workers (5 January 2004)

Employees paid by the hour in Jefferson County, Alabama will be required to use fingerprint readers to verify their identities and guard against overtime fraud.
-http://www.theregister.co.uk/content/55/34704.html

Lamo to Accept Plea Bargain (5 January 2003)

Adrian Lamo is scheduled to appear in US District Court in New York on Thursday January 8th to accept a plea bargain. Lamo is facing federal felony charges for allegedly gaining unauthorized access to the New York Times' computer network.
-http://news.com.com/2102-7348_3-5135351.html?tag=st_util_print
[Editor's Note (Schultz): This is one of a rapidly growing number of accounts that indicate that law enforcement is doing a much better job in pursuing cases in which someone has obtained unauthorized access to computing systems. People who used to try to sell security consulting services on the basis of their unauthorized activity are now increasingly facing criminal charges. ]

RIAA Lawsuits Spur Downturn in Downloading (4 January 2004)

Research from the Pew Internet and American Life project found that the number of people who downloaded music from the Internet fell from 35 million in the spring of 2003 to 18 million in a four-week period in early winter 2003. The Recording Industry Association of America's (RIAA) approximately 400 lawsuits filed against people who had illegally downloaded music is a likely reason for the decline. In addition, use of peer-to-peer file sharing networks such as KaZaA and Grokster fell significantly over the past year.
-http://news.com.com/2102-1027_3-5134691.html?tag=st_util_print

Jitux.A and PE_QUIS.A Worms (2/5 January 2004)

The Jitux.A worm spreads through MSN Messenger. Though it carries no destructive payload, it does send messages to other MSN Messenger users every five minutes in an attempt to spread. It affects Windows 2000, 95, 98, Me, NT, XP and Windows Server 2003. The PE_QUIS.A worm, also named W32.HLLP.Belzy@mm, spreads through Outlook and carries a destructive payload. It infects .exe files in certain folders and affects Windows 95, 98 and Me.
-http://news.com.com/2102-7349_3-5134559.html?tag=st_util_print
-http://www.computerworld.com/printthis/2004/0,4814,88762,00.html

Social Discovery Sites' Security Lacking (2 January 2004)

Social discovery web sites are gaining popularity, but tend to place performance over privacy and security concerns. One's login page sends passwords in the clear; another uses unique session IDs, which are easily defeated. Intruders on these sites prey on others' reputations.
-http://www.theregister.co.uk/content/55/34687.html

Federal Judge Dismisses Spam Case on Jurisdiction Technicality (30 December 2003)

A federal judge in Virginia dismissed a lawsuit brought by America Online (AOL) against computer technicians for allegedly conspiring to deliver spam to AOL users. In his ruling, Chief Judge Claude Hilton of the US District Court for the Eastern District of Virginia said the Virginia courts did not have jurisdiction over the defendants, who are from Florida. AOL says the decision is based on a technicality; they may resubmit the lawsuit.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4059848
-http://www.internetweek.com/e-business/showArticle.jhtml?articleID=17200037

Hoax e-Mail Urges Users to Download Security Software (30 December 2003)

The Bank of England has intercepted over 100,000 phony e-mail messages which purport to come from a Bank of England administrator and which urge recipients to download an attachment that will protect customers' financial data from cyber fraud. Bank technicians are working with the UK's National Hi-Tech Crime Unit (NHTCU) to discern what the attachment actually does and where it came from.
-http://news.bbc.co.uk/1/hi/business/3357239.stm
-http://news.com.com/2102-7349_3-5134038.html?tag=st_util_print
[Editor's Note (Shpantzer): Luckily this round was a dud. The payload was not effective
-http://www.sophos.com/virusinfo/articles/antikl_dam.html]

Cyber Blackmail Artists Target Individuals in the Workplace (29/30 December 2003)

Cyber extortionists have been targeting office workers with e-mail threatening to download illegal content onto their PCs, release viruses or erase files if they don't pay up. The ransom they demand is usually small, so people often pay, and then they are targeted again because they have been identified as a "soft touch."
-http://www.computerworld.com/printthis/2003/0,4814,88623,00.html
-http://www.enterprise-security-today.com/perl/story/22925.html
[Editor's Note (Northcutt): This story doesn't seem accurate to me. It has been picked up by dozens of news organizations, including Reuters, yet all of the articles seem to be based on the same source, comments by Mikko Hypponen from F-Secure. There appears to be no additional validation. Please, if you have examples of this sort of email would you send them to me with as many mail headers intact as possible? (Yes I know headers can be spoofed, thank you.). Stephen@sans.org ]

e-Mail Exploits Terrorism Fears to Plant Trojan Horse Program (29 December 2003)

An e-mail spreading in Malaysia exploits terrorism fears by warning of planned attacks in that country and providing a link to what it says is a site with more pertinent information. In truth, the link causes a virus to be installed on users' computers; the virus, which bears similarities to the Backdoor.Tofger Trojan horse program, attempts to connect to three different Internet hosts.
-http://news.com.com/2102-7349_3-5133874.html?tag=st_util_print

What's in Store for 2004 (29 December 2003)

A variety of opinion pieces on what 2004 holds for enterprise IT.
-http://www.computerworld.com/printthis/2003/0,4814,88379,00.html

---

ANALYSIS

Spam Filters In An Operational Environment Analysis by Stephen Northcutt

In SANS/GIAC status report #17, (www.sans.org/newsletters/statusupdates/17.php ) I editorialized that using research grade spam filters in an operational production environment could be a bad idea. I am sticking to my guns, it appears that Security Focus was blacklisted twice in the past 10 days; the lack of a whitelist for known leaders during Internet crises is reckless. Without such a safety mechanism, it would be simple for an attacker to blacklist, CERT, SANS/dshield/Internet Storm Center, SecurityFocus, Department of Homeland Security, NIPC just before releasing an attack. A number of people have written with comments on the editorial ranging from "Right on" to "SANS loves Spam". But the most well written/well reasoned comment was from Charles Oriez and is shown below:

There are several ways to properly manage the use of a Spamcop-like dnsbl in such a fashion as to protect your resources while at the same time limiting the damage from false positives. I have been using Spamcop on client systems for years with few false positives and few problems, in part because of the effective safeguards that we put in place.

For an automated list such as Spamcop where false positives tend to disappear quickly, consider refusing the connection with a 400 series transient failure message rather than a 500 series permanent failure message. True Spam sources seldom disappear from the Spamcop list before the sending server gives up, but false positives almost always will. Also, during that window of time, the alert systems administrator, who should be monitoring system logs for this and other problems anyway, can step in to white list an appropriate CIDR (65.173.218.0/24 in the case of SANS) fairly quickly. The 400 series error being returned at that point would then have cleared up and the mail would have been delivered.

You can also use Spamcop and any of the other 500 plus dnsbls in a fashion other than as a binary accept/reject decision point. Spam Assassin(tm), for instance, uses a scoring system based in part on the appearance of the originating IPA in Spamcop and other dnsbls, to determine the likelihood that a particular email is spam. Score high enough, and the suspect email is diverted to a separate mailbox for further review. The system can be adjusted in numerous ways to reduce the risk of false positives, and since mail is merely diverted instead of deleted, important missing emails can still be accessed by the end user.

The problem of course is the proliferation of spam. Cut off the connectivity of spammers, immediately, permanently, and without exception, and the imperfect solutions cease to be required.

---

VULNERABILITY UPDATES AND EFFECTS

Mremap Vulnerability in Linux Kernel (5 January 2004)

Developers have released a fixed version.
-http://www.computerworld.com/printthis/2004/0,4814,88763,00.html
-http://www.eweek.com/print_article/0,3048,a=115654,00.asp
-http://news.com.com/2102-1002_3-5135129.html?tag=st_util_print
-http://isec.pl/vulnerabilities/isec-0013-mremap.txt
-http://www.kernel.org/

---

===end===


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, JohnPescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/