Windows & .NET Magazine Security UPDATE--June 4, 2003

1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

The Computer Security Institute (CSI) released the "2003 Computer Crime and Security Survey," its eighth annual report conducted in association with the FBI. The report shows that despite shifts in trends, cybercrime remains a serious problem, as you well know.

Highlights from the report show that financial losses from security breaches have dropped by about 56 percent. Last year, respondents reported losses of about $455,848,000; this year, respondents reported losses of about $201,797,340. However, though financial losses dropped, roughly the same number of incidents occurred.

The report indicates a huge drop in losses from financial fraud, the most costly security problem. Last year, losses totaled $116 million; this year, losses totaled about $9.1 million. The largest losses came through the theft of proprietary information, with respondents reporting an average loss of about $2.7 million. For the second most costly security problem, however, Denial of Service (DoS) attacks, losses increased about 250 percent--to more than $65.6 million.

According to CSI Director Chris Keating, "The trends the CSI/FBI survey has highlighted over the years are disturbing. [Cybercrimes] and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks; furthermore, such incidents can result in serious damages ... Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government." If you want to see the complete survey results, you can obtain a copy by submitting a request form at the CSI Web site [http://www.gocsi.com/forms/fbi/pdf.html].

Microsoft Hotfix

Speaking of cyber attacks, you're probably aware that Microsoft has released a new security bulletin, MS03-019 (Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution). According to Microsoft, the problem affects Windows 2000 and Windows NT systems. The company initially rated the problem's severity as "moderate," noting that the DoS would lead to the server rebooting itself.

However, Mark Maiffret of eEye Digital Security pointed out that according to his company's tests, as well as the tests that vulnerability discoverer Brett Moore conducted, the problem is far more serious than Microsoft first indicated. The tests show that the problem isn't simply a DoS issue. According to Maiffret, "If you're running Windows Media Services on IIS, attackers can spawn a remote shell command prompt on your vulnerable system." Microsoft has modified the vulnerability rating to "important" and re-released its related security bulletin. Administrators should patch their systems as soon as possible to avoid having an intruder running rampant through a remote command shell.

Eliminating Spam

Because I've mentioned junk mail recently, I want to share a couple of my experiences in "taking out the trash." I run a mail server with a good built-in filtering subsystem. Typically, I receive anywhere from several hundred messages per day (weekdays) to 50 messages per day (weekend days). On average, my basic filters can eliminate at the gateway about 30 percent of the junk mail that I receive. But that's simply not effective enough.

I've found that if I relay my email messages through a server running a Bayesian filtering system, I can eliminate more than 95 percent of the junk mail once destined for my Inbox. For details about Bayesian filtering, visit Paul Graham's Web site [http://www.paulgraham.com/articles.html], on which you'll find several excellent articles.

Several Bayesian filtering systems are commercially available today. However, because many of you are under serious budget constraints, you might need a shareware solution. The shareware filtering solution I use now is SpamAssassin [http://www.spamassassin.org], which many of you already know and use. Although SpamAssassin was developed for Linux platforms, you can install it on Win32-based systems. (You can also integrate it into Microsoft Outlook, Lotus Notes, and Novell GroupWise.) You can find details about how to use SpamAssassin on Win32 platforms [http://www.openhandhome.com/howtosa.html]. Because Windows users typically prefer a GUI interface to handle configuration, check into the Windows-based GUI configuration interface [http://www.openhandhome.com/saconf.html] for SpamAssassin. SpamAssassin can probably also be integrated to work with Microsoft Exchange Server, but I haven't come across exact details. If you can direct me to such information, please send me an email message.

SpamAssassin has many slick features, such as automatic learning for whitelist creation. As with all junk-mail filtering software, you'll have to tweak the parameters to suit your mail influx. After a few days of use, you should be able to filter out 95 percent or more of the junk mail you receive. So if you need a cheap way to deal with junk mail and you have time to spend on such a project, be sure to check out SpamAssassin.
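To show what the Bayesian filtering mentioned above actually does, here is a small added example (written for this column, not code from SpamAssassin or from Paul Graham) that scores a message the way Graham's "A Plan for Spam" describes: a per-token spam probability learned from a training corpus, with ham counts doubled to bias against false positives, and the most "interesting" tokens combined into one score. The training messages and the 0.9 spam threshold are constructed for the demonstration.

```python
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case word tokens; a production filter would also tokenize headers."""
    return set(re.findall(r"[a-z$][a-z0-9$'-]*", text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam = Counter()   # token -> number of spam messages containing it
        self.ham = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        for tok in tokenize(text):
            (self.spam if is_spam else self.ham)[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token); ham counts are doubled so legitimate mail is harder to misfile."""
        s, h = self.spam[tok], 2 * self.ham[tok]
        if s + h < 1:
            return None                      # never seen in training: contributes nothing
        ps = min(1.0, s / max(self.nspam, 1))
        ph = min(1.0, h / max(self.nham, 1))
        return max(0.01, min(0.99, ps / (ps + ph)))

    def score(self, text, top_n=15):
        """Combine the top_n tokens farthest from 0.5 into one spam probability."""
        probs = [p for p in map(self.token_prob, tokenize(text)) if p is not None]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:top_n]
        prod, inv = math.prod(top), math.prod(1 - p for p in top)
        return prod / (prod + inv)


def build_demo_filter():
    """Constructed training corpus: three junk messages, three legitimate ones."""
    f = BayesFilter()
    for msg in ["make money fast with our free offer, click here now",
                "free viagra and cheap meds, order now and save money",
                "you have won a free prize, click here to claim your money"]:
        f.train(msg, True)
    for msg in ["the security update for windows media services is attached",
                "can you review the iis patch schedule before friday",
                "meeting moved to thursday, bring the spamassassin notes"]:
        f.train(msg, False)
    return f


def is_spam(f, text, threshold=0.9):
    return f.score(text) > threshold
```

Retraining on each misclassified message is what tunes the filter to your own mail influx; the threshold is the main knob to adjust when the false-positive rate is too high.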