SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #52

November 11, 2005

TOP OF THE NEWS

Bumpy Road Ahead for Sony's XCP Digital Rights Management Software
Pay To Use Password Hacking Database Debuts
Banks Begin Piloting Layered Authentication Technologies

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
17 Arizonans Face Money Laundering and Identity Theft Charges
Man Who Allegedly Provided Rogue Dialer Technology Arrested
SPYWARE, SPAM & PHISHING
FTC Complaint Shuts Down Alleged Spyware and Adware Distributor
Phishing Scam Pretends to be Cash Prize From Google
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Breplibot Trojan Horse Program Exploits Sony's DRM
Patches Available for Image Processing Vulnerabilities in Windows
Doomboot.G Includes Pirated, Operable Anti-Virus Software
Lupper Worm Targets Linux Systems
ATTACKS & INTRUSIONS & DATA THEFT
Verizon Files Suit to Stop Florida Company From Gathering Customer Information
Stolen Desktop PC Contained Credit History Data on 3,600 Individuals
MISCELLANEOUS
Irish Teachers, School Administrators to Receive Internet Safety and Security Training

---

*************************** Sponsored by NetIQ **************************
Automating IT Security Audits to Ensure Compliance White Paper Available Get the information you need to develop a policy compliance program that treats compliance management as a long-term program; leverages effective solutions to consistently achieve better results; and ensures your investment is adequately offset by effective risk management. Download this free white paper now. http://www.sans.org/info.php?id=924
*************************************************************************
A few words from SANS students:

"An awesome class! Loaded with practical, in-depth knowledge and focused. Useful and downright scary tools that are pure oxygen. Should be a required baseline for any network or security professional." Brian Viglione, DirecTV

"I've attended SANS on and off since 1998 and it keeps on getting better... Classes stay current and evolve with the industry needs." Joe Dietz, Qwest

"Can't say enough good things about the instructor. Best teacher I have ever had from any teaching facility yet! Great information, great presentation!" Daniel Shafer, Bonfils Blood Center

Schedule of upcoming classes: www.sans.org
************************************************************************

---

TOP OF THE NEWS

Bumpy Road Ahead for Sony's XCP Digital Rights Management Software (10/9/8 November 2005)

Sony's XCP copy protection software is set to face several challenges. Computer Associates says it has begun classifying the software as spyware, which means the company's anti-spyware software will soon start searching for and removing the DRM software. In addition, the Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy (ALCEI-EFI), an Italian digital rights organization, has filed a complaint with Italy's cyber crime investigation unit alleging that the DRM software violates several Italian computer security laws by damaging users' systems and behaving like malicious software. ALCEI-EFI also plans to ask the European Union to investigate. Also, a class action lawsuit against Sony has been filed in California asking that Sony stop manufacturing CDs with the XCP copy protection and seeking damages for Californians who have bought CDs with the software; another class action lawsuit is expected to be filed in New York on behalf of all US citizens.
-http://www.computerworld.com/printthis/2005/0,4814,106064,00.html
-http://news.bbc.co.uk/1/hi/technology/4424254.stm
-http://www.usatoday.com/tech/news/2005-11-09-sony-usat_x.htm
[Editor's Note (Schultz): What a can of worms. The entertainment industry needs better protection against piracy. Sony's DRM software provides this kind of protection, but, unfortunately, with all kinds of unintended side effects. Right now it appears that the legal fallout from this DRM software is just the tip of the iceberg. ]

Pay-To-Use Password Cracking Database Debuts

Passwords may have lost their ounce of value because of a new service, using a 500 gigabyte database of pre-cracked passwords. Anyone with a password hash or password file can send it in for instant cracking.
-http://www.theregister.co.uk/2005/11/10/password_hashes/
[Editor's Note (Pescatore): A 500 GB Crack database being offered in an application service provider "pay per view" model is a pretty big deal, especially because it most likely means there are similar super-Crack capabilities that have been built and being used privately.
(Paller) Sensitive government (and government contractor) password files are apparently available for purchase from brokers in the Ukraine. This new service makes those files of immediate value to nation-states and other attackers. For those CEOs and government officials who know that your files have been stolen but haven't told anyone for fear of embarrassment, this would be a very good time to change to two-factor authentication. ]

Banks Begin Piloting Layered Authentication Technologies (8/7 November 2005)

Bank of America will provide two-factor authentication technology to its US customers within the next six months. The technology is currently optional for residents of 20 states, but some time next year will be required of all Bank of America customers who wish to conduct business on line. Federal regulators recently issued guidelines for financial institutions, mandating compliance with additional authentication technologies by the end of 2006. In October 2005, the UK's Lloyds TSB began a trial run of two-factor authentication using tokens for 30,000 of its on line banking customers.
-http://www.silicon.com/financialservices/0,3800010322,39153981,00.htm
-http://www.newsfactor.com/story.xhtml?story_id=02000000GT00

---

************************** Sponsored Links: *****************************
1) ALERT: Most powerful content filtering solution - confirmed by independent tests. Get the full report! http://www.sans.org/info.php?id=925
2) Don't miss!! NISPOM and DCID 6/3 compliance webinar from SenSage: "Negotiating the Classified Network Audit Labyrinth" with Dan Barahona. http://www.sans.org/info.php?id=926
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

17 Arizonans Face Money Laundering and Identity Theft Charges (10/8 November 2005)

Seventeen Arizona residents named in an indictment face charges of money laundering, fraud, conspiracy and identity theft for using fraudulently obtained credit and debit card numbers to make phony cards; they then allegedly used those cards to steal money from accounts through ATMs. The card information allegedly came from overseas Phishers; those named in the indictment allegedly wired those accomplices half of the money they reportedly stole (US$300,000).
-http://www.informationweek.com/story/showArticle.jhtml?articleID=173601750
-http://www.tucsoncitizen.com/news/local/110805a4_ATMs

Man Who Allegedly Provided Rogue Dialer Technology Arrested (10 November 2005)

Morten Sondergaard Pedersen, a Danish man who allegedly sold technology that switched Internet users' computer connections from local numbers to expensive international numbers has been arrested in Germany. His arrest coincides with British Telecom's threat to sue 800 customers for not paying their phone bills; all 800 say they were the victims of the covert switching technology. Those affected say their connections were switched when they attempted to close pop-up advertisements. Mr. Pedersen's arrest comes as part of a Europe-wide investigation into people using the Internet to commit fraud.
-http://technology.timesonline.co.uk/article/0,,19509-1865592,00.html

[Editor's Note: (Shpantzer): This is one of the oldest tricks in the online age. An oldie but goodie from the mid 90's:
-http://www.ftc.gov/opa/1997/02/audiotex.htm]

SPYWARE, SPAM & PHISHING

FTC Complaint Shuts Down Alleged Spyware and Adware Distributor (10 November 2005)

The US District Court for the Central District of California in Los Angeles has ordered a business to stop downloads of alleged spyware and adware. The court has also frozen the assets of an organization doing business under a variety of names. The actions were taken as a result of a Federal Trade Commission (FTC) complaint alleging that when users believe they are downloading free music files, ring tones or free upgrades and security patches, the web sites and affiliates actually download adware and spyware to their computers.
-http://www.computerworld.com/printthis/2005/0,4814,106112,00.html
-http://www.ftc.gov/opa/2005/11/enternet.htm
-http://www.ftc.gov/os/caselist/0523135/0523135.htm

Phishing Scam Pretends to be Cash Prize From Google (9/8 November 2005)

A new phishing campaign purports to be an announcement from Google that the recipient has won US$400. The spam email with the message also has a link to a phony Google site where users are asked to supply their addresses and credit card information. The phishing web site, which was hosted in the US, was shut down within 24 hours after the scam was detected.
-http://news.com.com/2102-7349_3-5940682.html?tag=st.util.print

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Breplibot Trojan Horse Program Exploits Sony's DRM (10 November 2005)

Malware authors have begun exploiting Sony's digital rights management (DRM) technology to hide their malicious code on computers. The Breplibot Trojan horse program takes advantage of the fact that the technology hides files with names beginning with $sys$ to dropped cloaked files onto computers. The files are detectable only with the help of rootkit scanners. This particular Trojan horse program arrives as an attachment; the accompanying email message says the file is a photograph that a business magazine wants to use in a forthcoming issue and asks the recipient to check the picture.
-http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/
[Editor's Note (Tan): F-Secure has reported seeing another bot trying to hide under Sony DRM.
-http://www.f-secure.com/weblog/#00000701]

Patches Available for Image Processing Vulnerabilities in Windows (9/8 November 2005)

Microsoft has warned in Microsoft Security Bulletin MS05-053 that critical flaws in Windows XP, Windows Server 2003 and Windows 2000 with SP4 could be exploited to execute arbitrary code or cause a denial-of-service condition. The flaws lie in the way Windows handles some graphics files and can be exploited by embedding malicious code in digital images and tricking users into viewing those images. Patches for the flaws are available from Microsoft.
-http://isc.sans.org/diary.php?storyid=835
-http://isc.sans.org/diary.php?storyid=833
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2
005-11-08T221125Z_01_FLE879884_RTRIDST_0_OUKIN-UK-MICROSOFT-SECURITY.XML
-http://www.channelregister.co.uk/2005/11/09/ms_november_patch_tuesday/print.html
-http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
-http://www.us-cert.gov/cas/techalerts/TA05-312A.html
[Editor's Note (Tan): A Trojan exhibiting behavior similar to the Enhanced Metafile vulnerability of MS05-053 has been reported but the discoverer has yet to confirm whether it is exploiting the MS05-053 vulnerability. It makes sense to get your system patched as soon as possible.
-http://isc.sans.org/diary.php?storyid=836
-http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_EMFSPLOIT.A]

Doomboot.G Includes Pirated, Operable Anti-Virus Software (9 November 2005)

Doomboot.G, a Trojan horse program that attacks Symbian-based mobile phones, includes a fully working but pirated copy of an anti-virus application called ExoVirusStop. Ironically, mobile phone malware has been known to pretend to be a security application in order to trick people into installing it. Users with legitimate copies of the anti-virus application are not in danger.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39221467-20000
61744t-10000005c

Lupper Worm Targets Linux Systems (8/7 November 2005)

The Lupper worm, also known as Linux.Plupii, is a blended threat. It attacks Linux systems by exploiting three web services security holes: the XML-RPC for PHP Remote Code Injection flaw; the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability; and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability. Lupper installs a backdoor to allow attackers to control the system. The SANS Internet Storm Center is reporting that Lupper is spreading in the wild.
-http://www.theregister.co.uk/2005/11/07/linux_worm/print.html

-http://software.silicon.com/security/0,39024655,39154004,00.htm
-http://www.eweek.com/print_article2/0,1217,a=164632,00.asp
-http://www.pcworld.com/news/article/0,aid,123461,00.asp
-http://isc.sans.org/diary.php?storyid=823
-http://isc.sans.org/diary.php?storyid=829

ATTACKS & INTRUSIONS & DATA THEFT

Verizon Files Suit to Stop Florida Company From Gathering Customer Information (10 November 2005)

A court has granted a temporary injunction in a suit brought by Verizon against a Florida company called the Global Information Group. The company allegedly impersonated Verizon employees and attempted to gather confidential information from Verizon wireless customers. The temporary injunction prohibits Global Information from contacting Verizon customers and from sharing customer information with third parties. In addition, the court issued an order allowing Verizon to seize the data the company had allegedly collected. Verizon has also filed a civil suit against the Global information Group.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/11/09/AR2005110902133.
html
-http://informationweek.com/story/showArticle.jhtml?articleID=173600741
[Editor's Note: (Shpantzer): Verizon is spending good money on going after this group yet derives little direct monetary benefit from this suit, or the one it filed against a similar operation in September. Is this good corporate citizenship or is Verizon working to build a reputation as a hard target that fights back?]

Stolen Desktop PC Contained Credit History Data on 3,600 Individuals (9 November 2005)

A desktop computer stolen in October from a regional office of TransUnion LLC contains Social Security numbers and other personal information belonging to more than 3,600 consumers. TransUnion LLC is one of three companies in the US that keeps records of individuals' credit histories. TransUnion sent out notices on October 21 informing those affected by the theft and offering a year of free credit report monitoring. TransUnion vice president for corporate affairs Colleen Tunney said the company is investigating why the data was stored on an individual computer and not on a secure corporate network.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/11/08/AR2005110801573.
html
-http://www.computerworld.com/printthis/2005/0,4814,106083,00.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=173601231

MISCELLANEOUS

Irish Teachers, School Administrators to Receive Internet Safety and Security Training (9 November 2005)

Ireland's National Centre for Technology in Education is sponsoring workshops across the country in November and December for teachers to provide special training about Internet and IT security. Called Internet Safety and Security for Schools, the workshops will describe online safety issues regarding students and steps schools can take to minimize risks. In addition, industry experts will speak about security issues and provide guidelines for managing them. Those invited to attend workshops include teachers, school principals, Information and Communications Technology (ICT) coordinators and parent representatives.
-http://www.siliconrepublic.com/news/news.nv?storyid=single5655
[Editor's Note (Schultz): What a wonderful idea. Educators are computer-dependent, but I suspect that the vast majority has not received an appreciable amount of security training and awareness training. Additionally, Ireland's National Centre for Technology in Education will in effect also be educating students because this Center will "train the trainers," so to speak. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/