SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #46
November 14, 2001
Good news on the benchmarks front. The Windows 2000 security benchmark
and automated testing tools are ready as is an automated scanner for
the SANS/FBI Top Twenty Internet Security Threats. They are all free
and you can get them at www.cisecurity.org. The Solaris benchmark
and tool are already done and in wide use; benchmarks for other UNIX
variants will follow shortly. The new Cisco Router security benchmark and testing tool
is meeting extraordinarily positive response in testing by members
of the Center for Internet Security and Cisco insiders.
These new tools couldn't come at a better time because their use
offers one of the few survival strategies for information security
officers who are facing unprecedented scrutiny from senior management.
TOP OF THE NEWS
9 November 2001 Subcommittee Fails 16 Agencies on Computer Security
9 November 2001 Instant Messaging Security Issues
9 November 2001 IE Vulnerability Allows Outsiders to Access Cookies
7 November 2001 Former IRS Worker Sentenced in Computer Sabotage Case
5 November 2001 CERT/CC Issues Advisory on Printer Network Vulnerabilities
Special Focus on Vulnerability Disclosure: Five Stories
6 November 2001 Disclosure: White Hat Group Threatens "Information Anarchy"
7 November 2001 Disclosure: Microsoft Shirking Responsibility
6 & 9 November 2001 Disclosure: Group to Develop Guidelines
9 November 2001 Disclosure: Gartner Commentary
August 2001 IEEE Analyzes Life Cycle Of Vulnerabilities
THE REST OF THE WEEK'S NEWS
9 November 2001 Students Develop and Demonstrate PIN Hack
9 November 2001 Police Find Pirated Microsoft Products in Singapore
9 November 2001 European Cybercrime Treaty Ready for Adoption
8 November 2001 Former HP Employee Allegedly Committed a Plethora of Security Transgressions
8 November 2001 Tips for Avoiding Socially Engineered Hacks
8 November 2001 FAA Fixes Server Used by Spammers
7 November 2001 Malicious Code Commandeers Searches
7 November 2001 Cooperate on Security or Face Regulation
1 & 5 November 2001 Quantifying Return on Security Investment (ROSI)
1,2 & 6 November 2001 Three Opinions on National IDs
15 October 2001 Web Site Encryption Survey
*********************** Sponsored by Websense ************************
WHAT DO CISCO, MICROSOFT AND CHECK POINT HAVE IN COMMON?
They're all integrated with Websense, the leading Internet filtering
software solution. Transparently monitor, manage and report on traffic
from your internal networks to the Internet. Maximize your network
bandwidth, increase productivity and reduce legal liability.
Try Websense free for 30-days http://www.websense.com?id=100109
TOP OF THE NEWS
9 November 2001 Subcommittee Fails 16 Agencies on Computer Security
Two-thirds of the 24 major government agencies received failing marks on their most recent "computer security report cards." The congressional Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations began the practice of assigning grades following passage of the Government Information Security Reform Act (GISRA). Office of Management and Budget's (OMB) associate director for information and e-government Mark Forman points out that there is no significant correlation between security spending and performance, and maintains many security problems could be addressed by installing upgrades and complying with policies and procedures.
[Editor's (Paller) Note:NASA was the only agency to earn a full grade improvement from 2000 to 2001. One of NASA's key breakthroughs was to pick a benchmark minimum security configuration for every operating system and then measure every computer against the benchmark. Sysadmins competed to have the most secure systems, and security heroes were produced. The bottom line: fewer successful attacks despite rapidly increasing attempted compromises. SANS will have a complete program on NASA's methods, and the lessons learned by other higher-rated agencies, during the Cyber Defense East conference in two weeks in Washington. ]
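The opening item and the note above both describe the same practice: fix a benchmark minimum configuration and measure every host against it. The following is an added example of that measurement step, written for this summary; it is not the Center for Internet Security benchmark or its scanner. The rule set, the key = value export format and the sample host settings are all constructed for illustration and only model the kinds of items a host benchmark contains.

```python
"""Benchmark-style configuration check (added example, not the CIS tooling).

The rules, the config format and the sample host below are constructed for
illustration; they are not benchmark content from the Center for Internet
Security."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Config = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    check: Callable[[Config], bool]


def parse_config(text: str) -> Config:
    """Parse 'key = value' lines. '#' starts a comment, keys are
    case-insensitive, and a later duplicate key overrides an earlier one."""
    settings: Config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def equals(key: str, expected: str) -> Callable[[Config], bool]:
    # Missing keys fail closed: an unset value counts as non-compliant.
    return lambda cfg: cfg.get(key, "").lower() == expected.lower()


def at_least(key: str, minimum: int) -> Callable[[Config], bool]:
    def check(cfg: Config) -> bool:
        try:
            return int(cfg[key]) >= minimum
        except (KeyError, ValueError):
            return False
    return check


def at_most(key: str, maximum: int) -> Callable[[Config], bool]:
    # Hypothetical convention for this example: 0 means "no limit", which is
    # non-compliant for a lockout threshold, so the value must be in 1..maximum.
    def check(cfg: Config) -> bool:
        try:
            value = int(cfg[key])
        except (KeyError, ValueError):
            return False
        return 1 <= value <= maximum
    return check


# Illustrative rules (constructed), modeled on typical host-benchmark items.
BENCHMARK: List[Rule] = [
    Rule("PW-01", "Minimum password length is at least 8", at_least("min_password_length", 8)),
    Rule("PW-02", "Account lockout after at most 5 failed logons", at_most("lockout_threshold", 5)),
    Rule("SVC-01", "Telnet service disabled", equals("telnet_enabled", "no")),
    Rule("ACC-01", "Guest account disabled", equals("guest_account", "disabled")),
    Rule("AUD-01", "Logon events audited", equals("audit_logon_events", "yes")),
]


def score(cfg: Config, rules: List[Rule] = BENCHMARK) -> Tuple[List[str], List[str], float]:
    """Return (passed rule ids, failed rule ids, percentage of rules passed)."""
    passed = [r.rule_id for r in rules if r.check(cfg)]
    failed = [r.rule_id for r in rules if not r.check(cfg)]
    pct = 100.0 * len(passed) / len(rules) if rules else 0.0
    return passed, failed, pct


# Constructed sample: one host's settings as an administrator might export them.
SAMPLE_HOST = """
# exported settings (constructed for this example)
min_password_length = 6
lockout_threshold = 0        # 0 = never lock out
telnet_enabled = no
guest_account = disabled
audit_logon_events = Yes
"""

if __name__ == "__main__":
    passed, failed, pct = score(parse_config(SAMPLE_HOST))
    for r in BENCHMARK:
        print(f"{'PASS' if r.rule_id in passed else 'FAIL'}  {r.rule_id}  {r.description}")
    print(f"score: {pct:.0f}% ({len(passed)}/{len(BENCHMARK)})")
```

Run against the sample host this reports two failures (password length 6, lockout disabled) and a 60% score. Two design points carry over to any real benchmark scanner: every check fails closed when the setting is absent or unparseable, so an incomplete export cannot pass by omission, and the result is a list of rule ids rather than a single number, so the per-host output can be compared across systems the way the note above describes.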
9 November 2001 Instant Messaging Security Issues
As instant messaging (IM) services increase in popularity we are likely to see a parallel increase in related security issues. Because most security products do not address IM services, companies need to implement clear policies regarding IM use.
9 November 2001 IE Vulnerability Allows Outsiders to Access Cookies
Microsoft has warned that an Internet Explorer (IE) vulnerability allows specially constructed web sites and e-mails to access cookies stored on customers' computers; web sites are not restricted from accessing cookies placed there by other sites. The cookie information can be used to tinker with web accounts. Microsoft recommends users disable active scripts. Microsoft is displeased that the security firm that originally detected the problem chose to go public with the information so soon.
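The flaw above is a failure of cookie isolation: a page from one site could read cookies another site had stored. As an added example, not Microsoft's code or the advisory's content, the following implements the host/domain and path match a browser is supposed to apply before a page may see a stored cookie (the Netscape rule later carried into RFC 6265 section 5.1.3), using a constructed cookie jar with cookies from two unrelated sites.

```python
"""Cookie scoping check (added example; not Microsoft's or the advisory's code).

Implements the domain-match and path-match rules a browser applies before a
page may read a stored cookie. The jar below is constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # Domain attribute the setting site supplied, e.g. "bank.example"
    path: str = "/"
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if request_host is cookie_domain itself or a subdomain of it.
    Case-insensitive; a leading dot on the cookie domain is ignored."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not host or not domain:
        return False
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match: identical, or the cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def visible_cookies(jar: List[Cookie], host: str, path: str = "/",
                    https: bool = False) -> List[Cookie]:
    """Cookies a page loaded from (host, path) is allowed to see."""
    return [c for c in jar
            if domain_matches(host, c.domain)
            and path_matches(path, c.path)
            and (https or not c.secure)]


# Constructed jar: cookies two unrelated sites stored in the same browser.
JAR = [
    Cookie("session", "s3cr3t", domain="bank.example", secure=True),
    Cookie("prefs", "lang=en", domain=".bank.example"),
    Cookie("tracker", "id-42", domain="ads.example"),
]

if __name__ == "__main__":
    for page in ("www.bank.example", "bank.example", "evilbank.example", "ads.example"):
        names = [c.name for c in visible_cookies(JAR, page, https=True)]
        print(f"{page:20s} -> {names}")
```

The suffix test is on ".bank.example" with the dot, so "evilbank.example" sees nothing from the bank even though its name ends in "bank.example"; a page on "ads.example" sees only its own cookie. A real browser adds one further check not shown here: it rejects a Domain attribute that is a public suffix such as "com", so a site cannot set a cookie that every other site under that suffix would match.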
--7 November 2001 Former IRS Worker Sentenced in Computer Sabotage Case
5 November 2001 CERT/CC Issues Advisory on Printer Network Vulnerabilities
CERT/CC warned that vulnerabilities in line printer daemon implementations could allow intruders to obtain root privileges and initiate denial of service attacks. There are patches for some of the vulnerabilities.
Special Focus on Vulnerability Disclosure: Microsoft's Trusted Computing Conference
Privacy advocates, policy makers and security experts convened at Microsoft's Trusted Computing Conference to develop guidelines for vulnerability disclosure.
Scott Culp's essay
6 November 2001 Disclosure: White Hat Group Threatens "Information Anarchy"
In response to Microsoft's efforts to suppress vulnerability disclosures, a group of white hat hackers is asking experts to inundate software companies with bug reports.
Information Anarchy proposal
7 November 2001 Disclosure: Microsoft Shirking Responsibility
Researchers say Microsoft is shirking its responsibility for attending to security holes in its products by making it harder for vulnerabilities to be disclosed.
6 & 9 November 2001 Disclosure: Group to Develop Guidelines
Microsoft, together with five security companies, announced they plan to form a group that will devise policies and guidelines for responsible vulnerability disclosure. Group members who discover new security flaws would not be allowed to publish exploits for 30 days, giving the affected companies time to create a patch or workaround. Critics are wary of Microsoft's motives.
9 November 2001 Disclosure: Gartner Commentary
A Gartner commentary observes that most attacks are perpetrated after a patch has been released rather than when the vulnerability information is released, and that restricting vulnerability information harms security. Gartner proposes that companies be given two weeks to develop a patch or workaround before a vulnerability is made public, with additional time allowed if regression testing is necessary.
August 2001 IEEE Analyzes Life Cycle Of Vulnerabilities
Using data obtained from CERT, the authors found that the primary catalyst driving a dramatic increase in system compromises is not the disclosure of the vulnerability details. In each of the three case studies presented (phf, IMAP, BIND) the researchers found that the automation of the exploitation, not the disclosure, served as the catalyst for widespread intrusions.
****************** Also Sponsored by Oblix, Inc. *********************
Oblix NetPoint. Security Starts with the Right Foundation.
REDUCE costs, Strengthen SECURITY and GAIN competitive advantage
with an integrated identity management system. Oblix NetPoint (TM),
the only Web access management solution that forms the foundation
for your entire e-business network.
Learn more about securing your e-business infrastructure with a FREE
Oblix White Paper. Visit http://www.oblix.com/reply/sans1101
THE REST OF THE WEEK'S NEWS
9 November 2001 Students Develop and Demonstrate PIN Hack
Two Cambridge University computer science doctoral students have devised a method for obtaining banking customers' personal identification numbers (PINs) and demonstrated the attack on an IBM 4758 computer. Only people with access to banks' computer systems could perpetrate the hack. IBM officials maintain that built-in protections in the "real world" would prevent the success of such an attack, which was demonstrated under laboratory conditions. The students have placed copies of their program on the web.
[Editor's (Murray) Note: As I understand it from both the original paper, from IBM, and from Ross Anderson, who supervises these students, this vulnerability can be exploited only by insiders with extraordinary access to the encryption engine. ATMs have always been high on Ross' list of targets. ]
9 November 2001 Police Find Pirated Microsoft Products in Singapore
Police raids in Singapore netted over 4,000 pirated copies of Microsoft software products, the majority of which were Windows XP. People convicted of software piracy in Singapore could be sentenced to as many as seven years in prison.
9 November 2001 European Cybercrime Treaty Ready for Adoption
The final draft of the European cybercrime treaty is ready for adoption by member countries. Privacy advocates are concerned the treaty will impinge on citizens' civil rights, and ISPs maintain they could be saddled with the costly responsibility of retaining large quantities of data. The treaty will go into effect when five states, at least three of which must be Council of Europe member countries, ratify it.
8 November 2001 Former HP Employee Allegedly Committed a Plethora of Security Transgressions
A former Hewlett-Packard employee allegedly sabotaged Superdome performance tests by sending reset commands, reformatting disks and cutting cables. Hock-Beng Lim also allegedly copied large quantities of a co-worker's e-mail, connected to machines on which he did not have access privileges, and deleted evidence that connected him to the problems.
8 November 2001 Tips for Avoiding Socially Engineered Hacks
Because hackers can use many small, seemingly innocuous pieces of gathered information to initiate an attack, companies are well advised to be on their guard against social engineering - exploiting people's naturally helpful natures to get them to disclose sensitive information. Among other security precautions, the author of this article advises asking for identity authentication before offering sensitive information and when you see strangers in your work area, and using a shredder that cross-cuts documents into confetti-like pieces.
8 November 2001 FAA Fixes Server Used by Spammers
The Federal Aviation Administration (FAA) has secured a server that had been used by unscrupulous people to distribute spam advertising a work-at-home money making scheme.
7 November 2001 Malicious Code Commandeers Searches
Malicious code embedded in some web sites can cause Internet Explorer to send surfers where they don't want to go. Some of the guilty sites have instructions for undoing the "enhancements." While it is unclear which vulnerability is being exploited, security expert Georgi Guninski recommends that users disable scripting in both IE and the Outlook e-mail program.
7 November 2001 Cooperate on Security or Face Regulation
Speaking at the Trusted Computing conference, Washington DC lobbyist Michael O'Neill urged companies in the technology industry to work together to shore up Internet security, or run the risk of government regulation.
1 & 5 November 2001 Quantifying Return on Security Investment (ROSI)
Researchers from Stanford, MIT's Sloan School of Management and @Stake have come up with a way to quantify the return on security investment (ROSI). They determined that the earlier secure practices are built into project design, the higher the ROSI. @Stake is also researching the return on investment from hardening systems to specific needs and the value of incident readiness. Such quantifiable data should help managers justify security spending.
1,2 & 6 November 2001 Three Opinions on National IDs
Stephen Hunt, CEO of Datastrip Inc., proposes biometric national IDs that would not need to access a database (much like the system being introduced at Amsterdam's Schiphol airport). Eddie Schwartz, senior vice president at Guardent, Inc., refutes arguments raised against proposed national IDs, including compromised privacy and cost, and maintains such a system would benefit the IT industry and national security, and improve individuals' control over their personal data. Maryfran Johnson, editor in chief of Computerworld, isn't convinced that presently available technology can adequately protect the data that would be stored on national ID cards.
Hunt:
Amsterdam story: 24 October 2001 (this appeared in SANS NewsBites Vol. 3, No. 44)
(Free registration is required to visit this site)
Schwartz:
15 October 2001 Web Site Encryption Survey
An Information Week survey of 500 web sites found that two-thirds of them use encryption to protect company data, and 43% use encryption on both stored and transmitted data.
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz