SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #54
November 18, 2005
TOP OF THE NEWS
Defense Department Mandates Automated Patching
Trusted Download Program Will Certify Adware
FBI, Defense Department Buying Information from ChoicePoint
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
"Vindictive" Spammer Receives Six-Year Sentence
Chinese Police Arrest Alleged IM User Name Thief
POLICY & LEGISLATION
Proposed Canadian Law Seeks to Maintain Communications Interception as Technology Progresses
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Sony's DRM Problems Continue
UK Recorded Music Industry Body Files 65 Copyright Violation Lawsuits
UK Parliamentary Group Holding Public Inquiry on DRM
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Warns Exploit Code Available for RPC Flaw
New Sober Worm Variants Spreading
MISCELLANEOUS
Iowa State University Hosts Cyber Defense Competition 2005 November 18-19
************************ Sponsored by Qualys ****************************
IDENTIFY NETWORK SECURITY WEAKNESSES WITH FREESCAN
FreeScan from Qualys provides unparalleled, actionable vulnerability intelligence that allows organizations to identify and secure vulnerable assets. With FreeScan you receive the ability to Discover all assets across the network, Identify and remediate threats and vulnerabilities with validated patches and fixes. Try FreeScan Today! http://www.sans.org/info.php?id=932
************************** Security Training Update: ********************
"SANS has the answers to real-life problems and can fill in the education gaps that on the job training causes." Carol Templeton, Univ. of Tennessee
SANS 2006 brochures started arriving in mail boxes this week. More immersion training tracks than ever before. Plus many new short courses for people who already have mastered their areas of security. A big security tools exposition. And Orlando in February is great.
Details: www.sans.org/sans2006/
SANS training at home or at your place of employment or in other cities: www.sans.org/
"With SANS training, leading industry professionals share the latest knowledge and practices that work for them - you can not get this information anywhere else!" Douglas K Shamlin, US Navy
"I can not believe how much I learned in 6 days!" Kenny Johnson, US Air Force
*************************************************************************
TOP OF THE NEWS
Defense Department Mandates Automated Patching (17 November 2005)
The US Defense Department has mandated the use of automated security tools throughout the department. The move is aimed at better protecting department networks. The Communication Tasking Order policy directive, which was released on November 3, 2005, establishes a phased timeline for compliance.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37584
[Editor's Note (Pescatore): Faster patching good, fewer patches required best. Completely automated patching not so good - the reason so many patches are required is that "software engineering" is still largely an oxymoron - and this holds for the software engineering around patches, too. Rapid patch QA procedures are what is needed, then automated push out. ]
Trusted Download Program Will Certify Adware (15 November 2005)
TRUSTe's Trusted Download Program is an initiative designed to give computer users control over what they allow to be downloaded to and installed on their machines. The program will certify downloadable adware applications for which developers have been clear about their functionality. Computer users must give their consent before downloading the software and again before installing the software. The software must have easy instructions for uninstalling, and ads that are displayed must contain the name of the ad-serving software. The sponsoring companies, AOL, CNET, Computer Associates, Verizon and Yahoo!, will not do business with adware companies that do not have certification.
-http://news.com.com/2102-1029_3-5954668.html?tag=st.util.print
-http://www.eweek.com/print_article2/0,1217,a=165452,00.asp
-https://www.truste.org/docs/program_requirements.doc
[Editor's Note (Pescatore): Hmmm, this seems to assume that *anyone* would want *any* adware installed on their PC. I'm pretty sure most people don't want anyone to install bumper stickers on the windshield of their car, which is what adware is pretty much like.
(Shpantzer): This is risky as it could legitimize adware, however, certain software distribution models may soon involve opt-in adware in exchange for free or lower-cost software services. Gmail's free 2GB of storage is supported by contextual ads, and Windows/Office Live is an interesting twist from Microsoft, offering individuals and small businesses "an online internet presence... at no charge through an advertising-supported model." ]
FBI, Defense Department Buying Information from ChoicePoint (11 November 2005)
Documents obtained under the Freedom of Information Act (FOIA) indicate that the FBI and the Department of Defense have been purchasing services from data aggregator ChoicePoint. While laws govern the ways in which the government can conduct surveillance on US citizens, private organizations are not subject to the same constraints. Initially the purchased services were commercially available ChoicePoint products, but later it appears that ChoicePoint designed an exclusive system for the government. Chris Hoofnagle, a researcher with the Electronic Privacy Information Center (EPIC), voiced the question "at what point do ChoicePoint's records become the equivalent of a 'system of records,' an official collection that is subject to government regulation and oversight and that must be publicly announced?"
-http://govexec.com/story_page.cfm?articleid=32802&printerfriendlyVers=1&
[Editor's Note (Schultz): This appears to be a worst case scenario. Not only are there legitimate privacy-related concerns about gathering information about individuals in this manner, but ChoicePoint also has a badly blemished record concerning its ability to protect such information. I'd urge US readers to write their Congressional representatives to express their concerns about this "unholy alliance" between the FBI and ChoicePoint. ]
****************************** Sponsored Links: *************************
1) ALERT: Get the Industry's Best Web Filter For Thousands Less Than Websense. Check it out! http://www.sans.org/info.php?id=934
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
"Vindictive" Spammer Receives Six-Year Sentence (17/16 November 2005)
British police have sentenced Peter Francis-Macrae to six years in jail. Francis-Macrae sent spam offering to sell .eu domain names even though he had no authority to do so; his efforts earned him GBP 1.6 million (US$2.75 million). When law enforcement officials began to close in on him, Francis-Macrae started making violent threats against people. Francis-Macrae has so far refused to disclose to police the location of more than GBP 400,000 (US$688,000) in proceeds from his activities that he withdrew from a building society. Francis-Macrae was found guilty of fraudulent trading, concealing criminal property, threatening to destroy or damage property, making threats to kill, and blackmail. The judge in the case told Francis-Macrae that he is "one of the most vindictive young men" he has ever seen.
-http://technology.timesonline.co.uk/article/0,,20409-1876066,00.html
-http://www.theregister.co.uk/2005/11/17/spammer_jailed/print.html
-http://news.bbc.co.uk/1/hi/england/cambridgeshire/4442772.stm
-http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39154333,00.htm
Chinese Police Arrest Alleged IM User Name Thief (16 November 2005)
Police in China have arrested a man who is suspected of stealing and selling numeric user names from the QQ instant-messaging service, a popular IM application in China. The unnamed man has admitted to stealing and selling the names for years; he allegedly decrypted and changed the passwords. QQ now has an estimated 173 million active user accounts; new names must be nine digits or longer. People are apparently willing to pay a price for the shorter names of older accounts, which hold a higher status.
-http://www.infoworld.com/article/05/11/16/HNstealingimnames_1.html
POLICY & LEGISLATION
Proposed Canadian Law Seeks to Maintain Communications Interception as Technology Progresses (15 November 2005)
Proposed legislation in Canada aims to protect law enforcement's ability to intercept communications. The Modernization of Investigative Techniques Act will require telephone and Internet service providers to incorporate communications interception capability into new technology. Court authorization will still be required before communications can be intercepted. The proposed legislation would also require the telephone companies and ISPs to provide subscriber contact information upon request by designated law enforcement and Canadian Security Intelligence Service (CSIS) officials. All requests for identifying information would be recorded.
-http://www.psepc.gc.ca/media/nr/2005/nr20051115-en.asp
[Editor's Note (Grefer): Just like similar efforts in several European countries and the U.S., this legislative effort is likely to cause concern about who will be expected to foot the bill. One way or another, this will be the consumer, be it through increased rates if the service provider has to advance the cost, or through taxes in case the government would be compelled to provide financing and/or incentives. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Sony's DRM Problems Continue (17/16/15 November 2005)
Researchers have noted that the uninstaller released by Sony BMG to remove its controversial XCP digital rights management (DRM) software creates an even bigger security problem than the installation of the DRM software itself. Users must request the uninstaller program using an online form. The request form downloads and installs an ActiveX control called CodeSupport, which remains on users' computer systems. CodeSupport does not verify that the code it downloads and installs comes from Sony or First4Internet, the DRM vendor. CodeSupport apparently allows any web site to download, install and run arbitrary code on PCs. Users can protect themselves by not accepting code for download onto their computers from First4Internet. The first uninstall tool has been replaced with one that appears to be safe. Sony is recalling the CDs with the XCP DRM software on them; people who have already purchased the CDs can exchange them for XCP-free copies.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/11/16/AR2005111602242_pf.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=173603259
-http://www.freedom-to-tinker.com/?p=927
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39291240-39000005c
UK Recorded Music Industry Body Files 65 Copyright Violation Lawsuits (15 November 2005)
The BPI, the UK's counterpart to the US's Recording Industry Association of America (RIAA), has filed lawsuits against 65 individuals for sharing digital music files without the permission of the copyright holders. In total, BPI has filed copyright infringement lawsuits against more than 150 people; of those, 70 have agreed to pay as much as GBP 6,500 (US$11,200) to settle the cases out of court. In addition, the Irish Recorded Music Association (IRMA) plans to take legal action in 50 additional cases against "serial file sharers." Approximately 20,000 people around the world have been sued for copyright infringement.
-http://www.theregister.co.uk/2005/11/15/music_biz_sues_2100/print.html
-http://www.enn.ie/frontpage/news-9653349.html
UK Parliamentary Group Holding Public Inquiry on DRM (15 November 2005)
The UK's All Party Parliamentary Internet Group (Apig) is soliciting public comment on digital rights management (DRM) and related concerns. The results will form the basis for recommendations the group will make to Parliament on how to deal with DRM. The group wants to put together a report that represents all points of view, not just those of commercial enterprises. Written evidence will be accepted through December 21, 2005. Some people who submit written comments will be asked to provide spoken evidence to MPs at a later date.
-http://management.silicon.com/government/0,39024677,39154238,00.htm
-http://www.theregister.co.uk/2005/11/15/outlaw_parliament_drm/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Warns Exploit Code Available for RPC Flaw (17 November 2005)
Microsoft has issued an advisory warning that a vulnerability in its implementation of the Remote Procedure Call (RPC) protocol could be exploited to create denial-of-service conditions. The advisory notes that proof-of-concept exploit code is publicly available. The flaw affects Windows 2000 Service Pack 4 and Windows XP Service Pack 1. Microsoft has suggested workarounds to protect vulnerable systems from exploits.
-http://www.eweek.com/print_article2/0,1217,a=165664,00.asp
-http://news.com.com/2102-1002_3-5958846.html?tag=st.util.print
-http://www.microsoft.com/technet/security/advisory/911052.mspx
New Sober Worm Variants Spreading (15 November 2005)
Several new variants of the Sober worm have been detected; computers become infected only if users open the attachments that accompany the email. The worm spreads using its own SMTP (Simple Mail Transfer Protocol) engine. In an odd twist, German police in Bavaria predicted the appearance of the Sober worm variants in a press release just one day before the worms began to be spotted. The press release even contains the text that would appear in the email messages that accompany the worm. The Bavarian police released no further details regarding this peculiarity, noting that it was part of an ongoing investigation.
-http://www.eweek.com/print_article2/0,1217,a=165415,00.asp
-http://www.computerworld.com/printthis/2005/0,4814,106236,00.html
-http://www.securityfocus.com/brief/49
MISCELLANEOUS
Iowa State University Hosts Cyber Defense Competition 2005 November 18-19 (16/10 November 2005)
Students at Iowa State University will take part in the school's 2005 Cyber Defense Competition. Twelve teams of four to six students will be protecting business information, unlike similar exercises at military academies in which students are charged with protecting warfare-related data. Another detail that makes this competition different is that the students are given the equipment to create their own networks rather than being given an established network to protect. The "hackers" in this case are a group of local IT professionals, many of whom are members of the FBI's InfraGard. The teams must protect their networks for 18 hours; each member of the winning team will receive a US$100 gift certificate good at the University's book store. The competition will take place this weekend (November 18-19, 2005) at Iowa State University's Internet Scale Event and Attack Generation Environment, which receives funding from the US Department of Justice.
-http://informationweek.com/story/showArticle.jhtml?articleID=173603268
-http://www.iastate.edu/~nscentral/news/2005/nov/cyber.shtml
-http://1william.design.iastate.edu/~nate/CDCSite/
[Editor's Note (Schultz): With all the negative and depressing news in the information security arena, this news item represents a refreshing change. The competition at Iowa State will go a long way in increasing interest in information security on campus. Additionally, it will serve as a model of innovation in information security training and awareness.
(Ranum): I see "hacking contests" as a depressing sign of how far our industry still has to go, in order to mature. While it's less exciting and lacks the "reality TV zing" of a hacking contest, it'd be more instructive to do a design contest for the best abstract security design for given networks with given requirements. Hacking contests and red-team reviews focus almost entirely on the details of an unrealistic/constructed situation - thereby teaching an approach that more resembles "penetrate and patch" than good design principles.
(Pescatore): Ideally this type of thing wouldn't be necessary, but given the reality of the security level of software (which includes the software on appliances and network equipment), teaching college students they better be prepared to protect PCs, servers and networks is a great thing.]
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/