SANS NewsBites - Volume: V, Issue: 49

*************************************************************************
SANS NewsBites                     December 10, 2003                    Volume: V, Issue: 49
*************************************************************************
TOP OF THE NEWS

  Federal Government Gets An Overall Grade of D on Computer Security
  Heckenkamp Attorneys to Challenge Pre-Trial Computer Use Restrictions
  Congress Approves CAN-SPAM Act
  Ohio Delays Deployment of Electronic Voting Machines After Testing Reveals Vulnerabilities

MORE NEWS FROM THE NATIONAL CYBER SECURITY SUMMIT

  Cyber Security Task Forces Develop Initiatives
  Ridge and Liscouski Urge Industry to Boost Security Efforts
  Yoran Announces Creation of Federal CISO Council

OTHER NEWS

  Spanish Police Arrest Alleged Worm Author
  Merrill Lynch Survey: CIOs Considering Open Source
  FTC Investigating Security and Privacy at PetCo Web Site
  Sophos Notes Recent Spike in Trojans
  Survey Indicates Many Security Officers Feel Prepared for Cyber Attack
  Red Hat Likely to Receive Common Criteria Certification Soon
  Mimail-L Worm Attacks Anti-Spam Site
  Cyber Attack Clean Up Costs Significantly Higher Than Estimated
  Johansen Enters Not Guilty Plea in DeCSS Case Appeal Hearing
  FAA's Android Cyber Defense System

ESSAY

  Schneier on Whether Blaster Had A Role In the August Blackout?

VULNERABILITY UPDATES AND EFFECTS

  Oracle Issues Security Alert for SSL Vulnerabilities
  Patch Available for Rsync Vulnerability Used in Gentoo Attack
  Buffer Overflow Vulnerability in Yahoo Instant Messenger
  Vulnerability in Cisco Aironet Wi-Fi Access Points
  Workaround Available for DHCP Flaw in Mac OS X


*********************** Sponsored by NetIQ ****************************

Need security policies? Don't start from scratch...
"Information Security Policies Made Easy" is the best security policy resource guide you can buy, with 1300+ ready-to-use security policies that can be quickly customized for any company. Build best practice security policies in half the time and expense.

Download a free policy now! http://www.netiq.com/products/pub/default.asp

*************************************************************************
Highlighted Immersion Training Conference of the Week
CDI West, in San Diego at the end of January, is the perfect program for any military information security people or contractors who support military or intelligence agency programs. It will have a special bonus program on new threats and tools and techniques of the cyber warrior. If you work with the military and are interested in the cyber warrior program, email info@sans.org with the subject "Cyber Warrior Training." San Diego is also the place to find all six of SANS most popular courses, including Forensics, Hacker Exploits, Firewalls, Securing Windows, Intrusion detection, and SANS Security Essentials. It also offers an interactive vendor exposition and an extensive evening programs. Besides San Diego in the winter is lovely.
San Diego: http://www.sans.org/cdiwest04

*********************************************************************

TOP OF THE NEWS

Federal Government Gets An Overall Grade of D on Computer Security (9 December 2003)
Representative Adam Putnam announced scores for each of twenty-four federal agencies and the government as a whole. The government earned an overall grade of D which was an improvement over last year's F, but fourteen agencies received grades below C-minus, and eight failed. Representative Tom Davis, who joined Rep. Putnam in the announcement, particularly noted his concern that 79% of agencies had not completed an inventory of their critical systems.
-http://www.fcw.com/fcw/articles/2003/1208/web-grades-12-09-03.asp
[Editor's Note (Paller): The best part of the story (not covered in the articles) is that two of the agencies that made huge strides did so by finding ways to radically lower the cost of certification and accreditation, without significantly lowering the quality. As other agencies learn what those two leaders did, we can expect much of the money allocated to unnecessarily expensive C&A to be shifted to configuration improvement, vulnerability reduction and other stronger defenses. ]


Heckenkamp Attorneys to Challenge Pre-Trial Computer Use Restrictions (3 December 2003)
Attorneys for Jerome Heckenkamp, who allegedly broke into eBay's computers, plan to challenge court-ordered pre-trial restrictions on his computer use. Currently, Heckenkamp may use only a drone computer to review evidence in his legal case. An attorney on Heckenkamp's defense team believes the restrictions violate both the federal Bail Reform Act, which requires that "least restrictive" conditions be placed on defendants prior to their trials, and Heckenkamp's First Amendment rights. A hearing on the issue is scheduled for December 16.
-http://www.securityfocus.com/news/7576


Congress Approves CAN-SPAM Act (8 December 2003)
The US House of Representatives unanimously approved the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act which includes provisions requiring that those who send marketing e-mails use a functioning return address or a link to a form that allows recipients of the e-mail to unsubscribe. The bill's critics don't expect it to have much effect on the amount of spam US citizens receive, as much of it comes from abroad.
-http://zdnet.com.com/2100-1105_2-5116940.html
[Editor's Note (Pescatore): The US Congress has the most amazing ability to create acronyms - the PATRIOT act and this one are clear examples. If they had been in charge of naming Carnivore (the FBI email tapping device) it would have been called SECURE Mail - Secret Electronic Capture of Unlegal Reprehensible Email
(Grefer): An equal amount of time and money invested in this Act should be spent on development and implementation of defense mechanisms right at the border of each provider (i.e. ISP). The majority of spam can be identified by checking the "Received:" fields of email messages passing through. A quick DNS lookup by name and reverse lookup by IP address, followed by determining if whether match, would allow elimination of vast amount of junk mail. ]


Ohio Delays Deployment of Electronic Voting Machines After Testing Reveals Vulnerabilities (3 December 2003)
The state of Ohio must ask the Federal Election Commission for an extension to comply with a law, passed after the 2000 presidential election, that requires upgrades to improve vote-counting accuracy. The state will not have electronic voting machines in place in all counties before the 2004 presidential election because testing of four different voting machines turned up a variety of security problems.
-http://www.wired.com/news/business/0,1367,61467,00.html



************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Invest in the best network protection. Introducing the Microsoft(r) Security Readiness Kit.
http://www.sans.org/cgi-bin/sanspromo/NB266

(2) FREE WHITE PAPER - Spam is no longer simply a nuisance. Act to secure your email systems.
http://www.sans.org/cgi-bin/sanspromo/NB267

(3) Considering vulnerability assessment? Read the latest nCircle white paper about the ten most common pitfalls.
http://www.sans.org/cgi-bin/sanspromo/NB268

***********************************************************************

MORE NEWS FROM THE NATIONAL CYBER SECURITY SUMMIT

Cyber Security Task Forces Develop Initiatives (4/8 December 2003)
Five cyber security task forces comprised of government and industry members met at last week's National Cyber Security Summit. The groups have already developed specific programs and initiatives aimed at protecting US computer systems from cyber attacks. They are expected to release white papers with frameworks for implementation by March 1, 2004.
-http://www.fcw.com/fcw/articles/2003/1208/news-alliance-12-08-03.asp
-http://zdnet.com.com/2100-1104_2-5113630.html


Ridge and Liscouski Urge Industry to Boost Security Efforts (3 December 2003)
In a speech at the National Cyber Security Summit in Santa Clara, CA, DHS secretary Tom Ridge and DHS assistant secretary for infrastructure protection Robert Liscouski called upon industry to help secure the nation's infrastructure. They suggested that regulation might be coming if industry doesn't take its security responsibilities seriously.
-http://www.gcn.com/vol1_no1/daily-updates/24332-1.html
-http://www.eweek.com/print_article/0,3048,a=113831,00.asp
-http://www.msnbc.com/news/1000828.asp?0dm=C22AT
[Editor's Note (Schultz): I fear that there is nothing more than the same old rhetoric here. The US government seems to feel that the threat of regulation will prompt industry to tighten security, but industry has heard this kind of threat many times before and virtually nothing has resulted from it.
(Schneier): The computer industry consists of for-profit companies, not charities. Ridge isn't going to get anywhere securing our nation's infrastructure by asking nicely. ]


Yoran Announces Creation of Federal CISO Council (8 December 2003)
At the Cyber Summit in Silicon Valley, Amit Yoran, Director of National Cyber Security Division of DHS, announced plans to create a federal Chief Security Officer (CSO) Council. The Federal Information Security Management Act (FISMA) requires that every government agency have a security official.
-http://www.fcw.com/fcw/articles/2003/1208/news-chiefs-12-08-03.asp
[Editor's Note (Paller): On December 9, Larry Hale, who directs the US CERT and reports to Mr. Yoran, told a gathering of Federal CISOs that the proposed program would be a forum that met periodically and also had an online discussion capability. It would enable the CISOs to share lessons learned and collaborate on new initiatives and would operate in conjunction with the OMB and the Federal CIO Council and possibly NIST. ]


OTHER NEWS

Spanish Police Arrest Alleged Worm Author (3 December 2003)
Spanish police has arrested a man suspected of writing the W32/Raleka worm, which exploited a Windows RPC service vulnerability in Windows 2000 and XP. Raleka infected more than 120,000 computers in August of this year; the arrest is the first of its kind in Spain.
-http://www.computerworld.com/printthis/2003/0,4814,87763,00.html


Merrill Lynch Survey: CIOs Considering Open Source (5 December 2003)
A Merrill Lynch survey of 100 CIOs found that 58 are considering open source software for desktops because of its security record. Two-thirds of those surveyed say it's unlikely they will upgrade to Office 2003 in the next year.
-http://www.vnunet.com/News/1151313
In a related story, an IBM survey showed 25% of companies are trying out Linux and expect it to become their core operating system at some point in the future.
-http://www.silicon.com/software/os/0,39024651,39117247,00.htm


FTC Investigating Security and Privacy at PetCo Web Site (5 December 2003)
The Federal Trade Commission (FTC) is investigating security and privacy practices at PetCo after an "independent programmer" discovered the company's web site was vulnerable to an SQL injection attack that could reveal the contents of a database containing 500,000 customer credit card numbers. The same programmer earlier discovered a similar vulnerability on the Guess web site.
-http://www.securityfocus.com/news/7581


Sophos Notes Recent Spike in Trojans (4 December 2003)
Anti-virus firm Sophos has noted a significant increase in the number of reported Trojans during fall of 2003. In August, 2 of the 18 threats it found were Trojans; by November, 21 of 57 threats were Trojans. Some Trojans enable spammers to use compromised machines to send out their unsolicited e-mail. President Bush plans to sign a bill that would hold companies liable if spam is sent from their machines, even if it was the result of an attack. Sophos also predicts that next year will see an increase in Unix attacks as well as a rise in the number of blended threats, like Sobig and Mimail.
-http://www.newsfactor.com/perl/printer/22801/
-http://www.theregister.co.uk/content/56/34326.html
[Editor's Note (Pescatore): for years we've talked about the concepts of downstream liability and attractive nuisance as being existing legal concepts that could be applied to enterprises that leave their computer systems in vulnerable condition. Doesn't seem like we need new legislation until someone figures out how any such legislation could ever be enforced. ]


Survey Indicates Many Security Officers Feel Prepared for Cyber Attack (4 December 2003)
A survey released by the Business Software Alliance (BSA) and the Information Systems Security Association (ISSA) reports that while reported security incidents have increased 40% over last year, 75% of IT security officers and administrators felt their organizations were adequately prepared for a major cyber attack. 87% said their organizations are up to date on patching. 65% of respondents believe their organizations are at risk for major cyber attacks.
-http://www.computerworld.com/printthis/2003/0,4814,87800,00.html
-http://www.gcn.com/vol1_no1/daily-updates/24333-1.html
[Editor's Note (Schultz): The numbers on up-to-date patching here seem high compared to those from previous, similar surveys. Could the reason be that security administrators, people who are more likely to know what to do regarding security countermeasures than other IT professionals, were surveyed?
(Paller): The saddest part of this study is that it reinforces one of the greatest lies of security - that organizations that keep their systems patched but do not harden operating systems are keeping their systems safe. A few weeks ago the Red Team/Blue Team meeting of DoD proved that a fully patched Windows system could be taken over without great effort. It's time to stop pretending, and start making sure every system administrator can prove he/she knows how to safely configure a system before being given root or administrator privileges. Not asking them to demonstrate those skills in advance is akin to allowing pilots to fly airplanes without ever demonstrating they can fly in bad weather. ]


Red Hat Likely to Receive Common Criteria Certification Soon (3 December 2003)
Red Hat Linux is close to receiving Common Criteria certification, which will allow the open source software to be used in governments and other organizations. Oracle is sponsoring Red Hat's certification.
-http://news.zdnet.co.uk/business/0,39020645,39118251,00.htm


Mimail-L Worm Attacks Anti-Spam Site (2/3 December 2003)
Mimail.L uses multiple methods of deception to entice users into revealing personal information (including credit card numbers) and can even encrypt attachments, enabling them to pass through virus walls undetected. The Mimail-L mass mailer worm is also designed to attack anti-spam site the Spamhaus Project.
-http://www.theregister.co.uk/content/56/34299.html
-http://news.bbc.co.uk/1/hi/technology/3287965.stm
-http://www.computerworld.com/printthis/2003/0,4814,87766,00.html


Cyber Attack Clean Up Costs Significantly Higher Than Estimated (2 December 2003)
A survey of Corporate IT Forum members found that the average cost for cleaning up after a worm attack was 122,000 (US$212,380), four times the amount the UK's Department of Trade and Industry (DTI) predicted last year. Costs may be even higher for smaller companies that don't have adequate resources to implement a strong security policy.
-http://www.silicon.com/software/security/print.htm?TYPE=story&AT=39117165-39
024655t-40000024c



Johansen Enters Not Guilty Plea in DeCSS Case Appeal Hearing (2 December 2003)
Jon Johansen, the Norwegian man who was acquitted of piracy charges for his creation of the DeCSS utility which can be use to circumvent copy protection on DVDs, has pleaded not guilty in an appeal hearing in Oslo. The Motion Picture Association of America (MPAA) hopes to prove that Johansen broke Norwegian law when he circumvented DVD copy protection.
-http://zdnet.com.com/2100-1104_2-5112515.html


FAA's Android Cyber Defense System (1 December 2003)
The Federal Aviation Administration's (FAA) Android Cyber Defense system is a computer security program that emulates the human body as a defense system. The key elements of the system include boundary protection, analogous to the skin, quarantine capabilities comparable to the immune system and network monitoring, much like monitoring human vital signs. In addition, new software has to get approval from the CIO Office, system developer and system operator before it can be installed.
-http://www.fcw.com/fcw/articles/2003/1201/pol-cyber-12-01-03.asp


ESSAY

Schneier on Whether Blaster Had A Role In the August Blackout?
Bruce Schneier suggests that the Blaster may have had a role in the August 14 blackout, particularly in disabling Ohio utility FirstEnergy's critical alarm systems. Workers didn't stop the cascade, he argues, because they did not know it was happening because their computers were being taken over by Blaster. They admit the computers were out, and don't have a better explanation for why they were out.
-http://news.com.com/2010-7343-5117862.html?tag=nefd_gutspro
[Editor's Note (Pescatore): Whether MSBlast did or not contribute to the blackout doesn't really matter, down time is down time. The fact is that worms like Blaster should be considered the normal environment for systems that are connected to networks. If the power companies don't trim trees from power lines, or if they run systems on vulnerable operating systems, same effect - blackouts. ]


VULNERABILITY UPDATES AND EFFECTS

Patch Available for Rsync Vulnerability Used in Gentoo Attack (5 December 2003)

-http://news.zdnet.co.uk/internet/security/0,39020375,39118330,00.htm
-http://rsync.samba.org/


Buffer Overflow Vulnerability in Yahoo Instant Messenger (4 December 2003)
Yahoo has released an update.
-http://www.eweek.com/print_article/0,3048,a=113931,00.asp
-http://messenger.yahoo.com/security/update4.html


Vulnerability in Cisco Aironet Wi-Fi Access Points (3/4 December 2003)
The flaw affects Aironet 1100, 1200 and 1400 access points; Cisco has issued a patch for the vulnerable versions of its IOS software.
-http://zdnet.com.com/2100-1105_2-5113232.html
-http://www.infoworld.com/article/03/12/03/HNciscohole_1.html
[Editor's Note (Pescatore): Imagine if Ethernet wall jacks had software that had vulnerabilities and needed to be patched. Wireless access points really ought to move to being very dumb devices, with all the smarts back at the switch. ]


Workaround Available for DHCP Flaw in Mac OS X (3 December 2003)

-http://www.computerworld.com/printthis/2003/0,4814,87773,00.html


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/