LAST CHANCE to save $600 Off Online Courses

SANS NewsBites - Volume: VII, Issue: 44


The critical vulnerabilities (in Microsoft and Symantec software) this week highlight the immediate need to help software developers learn to write secure applications. They want to learn but haven't been given the opportunity by their managers. The best course that we have found for web application developers is posted at http://www.sans.org/webapp_baltimore And the complete six-track Baltimore SANS security training program is at http://www.sans.org/innerharbor2005 Both will be held in mid November on Baltimore's beautiful Inner Harbor.

Alan

*************************************************************************
SANS NewsBites                     October 14, 2005                    Volume: VII, Issue: 44
*************************************************************************
TOP OF THE NEWS

  EU Justice Ministers Agree to Move Ahead with Commission's Compromise Data Retention Proposal
  Proposed EU Directive on Intellectual Property Would Force Criminalization of Patent Infringement
  Spyware Studies Show People Believe ISPs and IT Departments Should Do More to Protect Them

THE REST OF THE WEEK'S NEWS

  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Another Critical Security Flaw in Symantec (Veritas) Software
   New Versions of OpenSSL Fix Man-in-the-Middle Flaw
   Microsoft's October Security Update
   Mozilla Foundations Releases New Version of Firefox 1.5 Beta
  STATISTICS, STUDIES & SURVEYS
   Security Needs to be Addressed More Broadly
  MISCELLANEOUS
   Microsoft and Yahoo Plan to Make IM Services Interoperable
   Who Should be Accountable for Software Code Problems?
   Spyware's Growth Attributed to Increasing Sophistication of Techniques and Inadequate User Precautions


*************************** Sponsored by Dell **************************
Exclusive discount for SANS members! Take 15% off already low Dell Outlet prices on all refurbished Dell PowerEdge(tm) servers and PowerVault(tm) storage (One coupon per person; five units per coupon). Hurry! Limited time offer. Enter this exclusive SANS coupon code at checkout: J07251K14RFB00

For more details, go to http://www.dell.com/outletservers or call 1-888-518-3355.

Why buy refurbished? http://www.dell.com/whybuyoutlet
*************************************************************************

TOP OF THE NEWS

EU Justice Ministers Agree to Move Ahead with Commission's Compromise Data Retention Proposal
Justice ministers from the 25 EU member states have backed off from their stance that would have forced data retention legislation through without legislative approval that would have required telecommunications companies in member states to retain phone and Internet records for two years. The justice ministers will include the European Commission and European Parliament in deciding the matter. The compromise proposal from the European Commission says member states should be able to have more freedom in deciding their data retention laws than what the council mandates.
-http://www.iht.com/bin/print_ipub.php?file=/articles/2005/10/12/business/data.ph
p

-http://euobserver.com/9/20083
[Editor's Note (Hoepman): The added value of retaining this data, compared to the cost, is debatable. A study by the Erasmus University instigated by the Dutch Ministry of Justice failed, despite its aim, to prove any such benefits. ]


Proposed EU Directive on Intellectual Property Would Force Criminalization of Patent Infringement (5 October 2005)
The Foundation for Information Policy Research is warning that a proposed European directive that would criminalize patent infringement will have a chilling effect on technology start-ups in the UK. The directive would force the UK to criminalize patent infringement. Patent infringement has thus far been a civil matter, not a criminal matter. Among the problems FIRP foresees arising from the Intellectual Property Rights Enforcement Directive are damage to competition, dampening of development and increasing pressure for censorship.
-http://www.theregister.co.uk/2005/10/05/fipr_ip_offense/print.html
-http://www.fipr.org/copyright/ipred2.html
[Editor's Note (Shpantzer): This would not be so ominous if the patent landscape hadn't become so ridiculous, as it has become in recent years. If you have a good lawyer you can patent just about anything as a landmine for your competition.
-http://www.eff.org/patent/
The fact that civil law is taking care of patent disputes is a good thing since it's less chilling on innovation, as some patents are overly broad. Getting sued and settling with the supposed 'inventor' is one thing, but getting criminally prosecuted for a patent infringement is another altogether. Lawyers joke amongst themselves that "a prosecutor can indict a ham sandwich." Put that together with meaningless patents and you're going to send innovators scrambling away from making progress. ]


Spyware Studies Show People Believe ISPs and IT Departments Should Do More to Protect Them (12/11 October 2005)
A survey of Internet users by NOP found 51 percent believe their ISPs should block spyware, though only 36 percent of respondents actually know what spyware is. According to a study from Trend Micro, nearly 40 percent of corporate computer users in the US believe their IT departments are not doing enough to protect their systems from spyware; 53 percent said they need more education to understand the threat spyware poses. While 14 percent of Japanese and 23 percent of German corporate computer users report encountering spyware on their work systems, that number for US corporate users is 40 percent. Only 45 percent of those who had run into spyware on their computers believed their security had been compromised. In addition, 52 percent of US corporate users and 64 percent of Japanese corporate users say their IT departments should be doing more to educate other users about the risks that attend spyware.
-http://www.theregister.co.uk/2005/10/11/spyware_survey/print.html
-http://www.networkingpipeline.com/showArticle.jhtml?articleID=172300373
[Editor's Note (Paller): ISPs will protect users when the buyers demand that service. Government leadership is the only proven method of catalyzing rapid change - and it is simple. Just put the requirement into the procurement documentation so any ISP that wants to sell to government needs to protect their users or be excluded from consideration. Governments in Europe and Asia and state governments in the US can lead if the US Federal government is focused on other issues to lead by example.
(Schneier): So long as ISPs or IT departments make any claims toward providing protection, most people will assume that's all they need to make themselves safe. Most people are happier not knowing about malware infestation, as long as it doesn't affect them personally.
(Dhamankar): ISPs should work together to prevent both spyware and phishing attacks. Spyware poses a direct threat to the enterprise, so most admins are interested in stopping spyware. Phishing, on the other hand, is a breach more at the user level and hence not a priority at the sys admin level. ]



************************Sponsored Links:*********************************
1) SANS Tool Talk Webcast - Log Management for Large Enterprises - get compliant, mitigate risk, protect data
http://www.sans.org/info.php?id=895

2) FREE CYA (Cover Your Apps) T-shirt from SPI Dynamics when you evaluate WebInspect
http://www.sans.org/info.php?id=896

3) Earn your Master's degree in Information Security from an NSA - recognized online program.
http://www.sans.org/info.php?id=897
*************************************************************************

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Another Critical Security Flaw in Symantec (Veritas) Software (11 October 2005)
Symantec software was found to have yet security flaw. NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions, are affected by the vulnerability, according to a posting on Veritas' support site. Johannes Ullrich, CTO of Internet Storm Center, the Internet's early warning system, said: "The problem with this vulnerability is it's not only running on all the desktops but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information. A few months ago, there was a similar (Veritas) backup problem that was widespread and caused a lot of headaches. People who didn't patch quickly last time will do it much faster this time."
-http://software.silicon.com/security/0,39024655,39153328,00.htm
[Editor's Note (Paller): Vulnerabilities in back up are high priority attack targets - as US Cert reported the last time a critical flaw in Veritas software was reported. ]


New Versions of OpenSSL Fix Man-in-the-Middle Flaw (12 October 2005)
The Open SSL Project has released a new version of OpenSSL, addressing a flaw that could be exploited to circumvent security protections in a man-in-the-middle attack. The vulnerability affects all versions prior to 0.9.7h and 0.9.8a. Users can work around the flaw by disabling SSL 2.0 in the OpenSSL-based application, or by upgrading the OpenSSL server software to version 0.9.7h or later or 0.9.8a or later.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1133405,0
0.html

-http://www.openssl.org/news/secadv_20051011.txt
-http://www.securiteam.com/securitynews/6Y00D0AEBW.html


Microsoft's October Security Update (12/11 October 2005)
Microsoft's monthly security update for October 2005 includes fixes for vulnerabilities in Windows, Internet Explorer and Exchange Server. Two of the flaws are similar to the Windows Plug and Play vulnerability that was disclosed in August and could be exploited with the same technique used by the Zotob family of malware. Microsoft also updated its Windows Malicious Software Tool utility, a free program that detects and removes malware from computers. The tool will be automatically downloaded, installed and run on Windows 2000, XP and Server 2003 systems with Windows Update or Microsoft Update.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39277279-39000005c
-http://www.us-cert.gov/cas/techalerts/TA05-284A.html
-http://www.computerworld.com/printthis/2005/0,4814,105320,00.html
-http://www.techweb.com/wire/security/172300508
-http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx
[Editor's Note (Schultz): Having no choice regarding having the Windows Malicious Software Tool utility downloaded when users update their systems is not a good thing. Many users already run updated anti-virus and anti-spyware software and keep up with patches. Users should instead have an option whether or not to download this tool. ]


Mozilla Foundations Releases New Version of Firefox 1.5 Beta (10 October 2005)
Mozilla has released a new version of the Firefox 1.5 beta; the first version was released last month. Beta 2 does not include major new features, but does address a number of security concerns. The final release of Firefox 1.5 is expected before the end of the year.
-http://www.computerworld.com/printthis/2005/0,4814,105293,00.html


STATISTICS, STUDIES & SURVEYS


Security Needs to be Addressed More Broadly (6 October 2005)
The Economist Intelligence Unit says that nearly two-thirds of the 218 senior risk managers that they surveyed say their companies have experienced "significant" financial damage due to IT problems, which include both system failure and attacks by cyber criminals. Forty-eight percent of those surveyed said IT and security problems pose a significant risk to their business operations. In addition, 57 percent of the respondents said remote working increases exposure to electronic threats. EIU editorial director Daniel Franklin said that digital risk should not be left just to IT managers, but should be a concern and focus shared by all involved in enterprise risk management strategy.
-http://software.silicon.com/security/0,39024655,39153094,00.htm
[Editor's Note (Schneier): It seems odd to combine system failure -- presumably an internal problem -- and malware -- an external problem -- in these statistics, but the upshot is that computer systems need to be both more stable and more resistant to malware. Which is hardly a surprising conclusion. ]


MISCELLANEOUS


Microsoft and Yahoo Plan to Make IM Services Interoperable (12 October 2005)
The announcement from Microsoft and Yahoo that they plan to make their instant messaging services interoperable has raised some concerns that the arrangement could be fertile ground for a significant worm infestation as the worms could spread faster and farther; the combined number of users is estimated to be around 275 million. The systems are expected to be able to be interoperable by early 2006. The concern is amplified by the fact that the incidence of malware that targets IM services has been increasing.
-http://news.com.com/2102-7349_3-5894198.html?tag=st.util.print
-http://www.computerworld.com/printthis/2005/0,4814,105361,00.html


Who Should be Accountable for Software Code Problems? (12 October 2005)
Former White House cyber security advisor Howard Schmidt said that software developers should be held personally accountable for problems in the code they write. He would also like to see better training for people who write software code. Mr. Schmidt alluded to a Microsoft survey that said 64 percent of software developers said they were not confident they could write secure applications. The British Computer Society believes the accountability should rest with the companies and not the individual coders. One BCS representative observed that businesses need to accept some level of accountability for the software they purchase, making sure it is adequately patched and properly installed.
-http://news.com.com/2102-1002_3-5893849.html?tag=st.util.print
[Editor's Note (Paller) Users have always taken the lion's share of responsibility because the vendors force them to. The vendors, led by Microsoft, have run a hugely successful marketing program that the Wall Street Journal's computer columnist Walt Mossberg called "blame the user." As long as they can shift the blame to the user, they don't have to take responsibility for the damage they are doing by selling broken software.
(Schneier): I've long held that the way to improve software security is to make the companies selling it responsible for their flaws. The only way to create secure software is to build it in from the beginning, and at this point companies have no economic incentive to do so. Creating accountability would be a major step forward. (Shpantzer): Accountability is code for lawsuits and regulations. On the operational side, how do we describe 'adequately patched and properly installed' with enough specificity for a generic computing environment?
(Hoepman): During a lecture I gave the other day at law school, one of the students asked whether the model of the pharmaceutical industry wouldn't be appropriate for the software industry as well: a software company should be able to prove that it performed good coding practices and that the software passed all the prescribed tests, before it could be released (after which it would normally not be liable for any damages caused by the software). ]


Spyware's Growth Attributed to Increasing Sophistication of Techniques and Inadequate User Precautions (11 October 2005)
The problem of spyware is growing due to increasing sophistication of the technology and users' failure to take adequate precautions against the surreptitious malware. Spyware programs have been found that gather keystrokes, capture screenshots and gather data for behavioral analysis and common word recognition to compile user profiles.
-http://software.silicon.com/security/0,39024655,39153230,00.htm


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/preferences.php