SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #15
April 16, 2003
More free resources:
To help you stay on top of security product developments, free
technical white papers from 22 vendor-sponsors of the current SANS
Security Tools Poster are available. The vendors often put a great
deal of quality technical work into these papers (but not always.) To
choose the papers you'd like, visit http://www.sans.org/tools.php
This is a wonderful summer for giving your security skills a boost
and for getting moving on security skills certification. There are
large programs in Portland (OR), Monterey, Denver, and London.
And SANS' most popular summer conference is SANSFire in Washington
DC. SANSFire classes always fill up early and 300,000 brochures
will start arriving in mailboxes next week, so to get a place in
the class you want, we suggest you start choosing this week or next
week. Visit http://www.sans.org and click on SANSFire (or any of the
other programs) to see a brochure.
TOP OF THE NEWS
OpenBSD Release Protected Against Buffer Overflow Attacks
Judge Throws Out ACLU's Challenge to DMCA
Richard Clarke, Mike Vatis and Mark Forman Speak to Government's Cyber Security Efforts
THE REST OF THE WEEK'S NEWS
Disaster Recovery and Continuity Guidelines for Financial Institutions
Microsoft Issues Bulletins for Flaws in VM, Proxy Server 2.0 and ISA Server 2000
Mueller Outlines FBI Budget Request
GISRA Report Shows Progress, Leaves Room for Improvement
ISS Revises Cyber Incident Statistics for First Quarter of 2003
Windows Server 2003 License Key Leaked
Pyramid Scheme Spam Temporarily Brings Down Montana ISP
Secure Operating Systems
Letter Author Claims to have Breached Prison Computer Security
Digital Defense Apologizes for Releasing Samba Exploit Along with Advisory
Integrating IT and Physical Security
GAO Report Finds ISACs are Not Sharing Much Information
TOP OF THE NEWS
OpenBSD Release Protected Against Buffer Overflow Attacks (11 April 2003)
The most recent release of OpenBSD should eliminate buffer overflows, according to the group's project leader. The group took three approaches to hardening the software. First, the location of the stack in memory is randomized. Second, the team added a tag to the memory structure that will detect address modifications. Finally, they managed to divide the main memory into two sections: writeable and executable; the pieces of data and programs, called "pages", would be stored in one or the other section, ensuring that no page is writeable and executable at the same time.
[Editor's Note (Schultz): Many kudos are in order here. If what the OpenBSD people are doing really works, they will put considerable pressure on other vendors and developers to do the same. Buffer overflow problems continue to plague operating systems and applications. Eliminating this category of vulnerabilities would be a major victory for the information security arena. (Schneier): It's great to see this kind of approach to buffer overflows. This is an example of building in security instead of trying to patch it afterwards. (Ranum): It's GREAT to see that at least a few people are smart enough to try to attack problems like this systemically, rather than keeping stuck in the fruitless "penetrate and patch" while loop. This is how to make progress in security: fundamental protections. (Shpantzer): Initiatives like this should be taught as case studies in computer science courses at the undergraduate level.]
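As an added illustration of the second of the three protections, the guard tag that is planted on function entry and checked before the function returns, the following C program is not from the newsletter or from the OpenBSD project. It models a stack frame as a plain struct so that the over-long copy stays inside memory the program owns and remains well-defined C; the constant CANARY_VALUE, the struct layout, the placeholder saved address and the helper names are all constructed for the example, and a real system draws the guard value randomly per process rather than using a fixed constant.

```c
/* Simulation of a stack guard ("canary") check. Added example; not code
 * from the newsletter or from OpenBSD. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Model of a stack frame: a local buffer, then the guard word, then the
 * control data the guard protects. The field order mirrors the idea that
 * an overflow running upward out of buf must cross the guard first. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;      /* guard word written on entry, checked on exit */
    uint32_t saved_ret;   /* stands in for the saved return address */
};

/* Constructed fixed guard value; a real implementation randomizes it. */
#define CANARY_VALUE 0xA5C3E7F1u

/* "Prologue": zero the buffer and plant the guard. */
static void frame_enter(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = 0x08048000u;  /* constructed placeholder address */
}

/* An unchecked copy into the buffer region that is allowed to run past buf
 * into the guard and saved_ret. This stands in for the bug the mitigation
 * catches; the length is clamped so the write never leaves the struct. */
static void unchecked_copy(struct frame *f, const char *src, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* "Epilogue": 1 if the guard is intact (safe to return), 0 if clobbered. */
static int frame_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Push one input through the modelled frame; returns the epilogue verdict. */
int canary_check(const char *input, size_t len)
{
    struct frame f;
    frame_enter(&f);
    unchecked_copy(&f, input, len);
    return frame_intact(&f);
}

/* Convenience wrapper: a constructed input of n 'A' bytes (at most the
 * size of the whole frame). */
int canary_check_bytes(size_t n)
{
    char filler[sizeof(struct frame)];
    if (n > sizeof filler)
        n = sizeof filler;
    memset(filler, 'A', sizeof filler);
    return canary_check(filler, n);
}

int main(void)
{
    size_t lengths[] = { 6, BUF_SIZE, BUF_SIZE + 1, sizeof(struct frame) };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("%2zu-byte input: %s\n", lengths[i],
               canary_check_bytes(lengths[i]) ? "guard intact, return allowed"
                                              : "guard clobbered, abort");
    }
    return 0;
}
```

The point the model makes is that the check does not need to know which bytes the copy wrote or where they came from: any write that reaches the saved control data must first pass through the guard, so a single comparison in the epilogue (here `frame_intact`) is enough to refuse the return, and even a one-byte overrun past the buffer is caught.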
Judge Throws Out ACLU's Challenge to DMCA (9 April 2003)
US District Court Judge Richard Stearns has thrown out a lawsuit brought by the American Civil Liberties Union (ACLU) that challenged the Digital Millennium Copyright Act (DMCA). The suit was brought on behalf of a Harvard Law School student who wanted to reverse-engineer certain Internet content-filtering software.
Clarke, Vatis and Forman Speak to Government's Cyber Security Efforts (8/9 April 2003)
At a congressional hearing, former presidential cyber security advisor Richard Clarke spoke critically of the government's cyber security efforts, saying the Department of Homeland Security needs to move more quickly to organize the National Cyber Security Center and that the Office of Management and Budget (OMB) should hire a full-time chief information security officer devoted solely to cybersecurity. Clarke also said that Congress should fund vulnerability scanning sensors on all federal networks. Michael Vatis, director of Dartmouth College's Institute for Security Technology Studies (ISTS), largely agreed with Clarke and recommended that the Securities and Exchange Commission (SEC) require companies to include their cybersecurity measures in their reports to the SEC. The OMB's Mark Forman maintained that the DHS would address cybersecurity, that the CIOs of the various agencies would be responsible, and that market forces should drive cyber security implementation.
[Editor's Note (Northcutt): I tell intrusion detection students that for every dollar they spend on an IDS, they should plan to spend a matching dollar on disk space to hold the detects. Similarly, for every dollar you spend on a vulnerability scanner, plan to spend a thousand dollars on the staff to handle the remediation. I support Richard Clarke's advice, but the scanners just find problems. There is no substitute for the trained admins to fix the problems. Speaking of trained admins, the best unix instructor in the field, Hal Pomeranz, is running a hands on, SANS unix security course in Raleigh NC April 28 - May 3, 2003. This course was designed to fit the small class model and is your opportunity to learn in a class with a great instructor to student ratio:
THE REST OF THE WEEK'S NEWS
Disaster Recovery and Continuity Guidelines for Financial Institutions (11 April 2003)
The Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission have published a white paper outlining disaster recovery and business continuity guidelines for financial institutions. The guidelines include establishing a system that will allow for same-day business recovery after a disaster; that time frame would ideally be reduced to two hours after a disaster. Many companies balked at an earlier proposal that suggested a minimum distance of 200-300 miles between primary and secondary data centers; the paper does not establish a minimum distance for back-up facilities.
Microsoft Issues Bulletins for Flaws in VM, Proxy Server 2.0 and ISA Server 2000 (10 April 2003)
Microsoft has issued two security bulletins regarding vulnerabilities in Microsoft Virtual Machine (VM), Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000. The first security flaw is in the VM ByteCode Verifier and could allow an attacker to take remote control of a vulnerable machine. The vulnerability affects Windows 98, NT 4, 2000, XP and Me; Microsoft has issued a patch for VM Build 3810. A vulnerability in the Winsock Proxy service on Proxy Server 2.0 and in the Firewall service on ISA Server 2000 could result in denial-of-service attacks against both products. Patches are available for the vulnerabilities.
Mueller Outlines FBI Budget Request (10 April 2003)
In his budget presentation to the U.S. Senate Commerce, Justice and State Appropriations Subcommittee, FBI director Robert Mueller said cybersecurity is the agency's third priority area. The budget request for the agency's Cyber Division for fiscal 2004 is $234 million; the figure includes the hiring of 77 new agents to work in combating cyber attacks and high tech crime.
GISRA Report Shows Progress, Leaves Room for Improvement (10 April 2003)
The final draft of the report to the U.S. Congress under the Government Information Security Reform Act (GISRA) includes metrics on federal computer system security. While only 40% of systems had current security plans in 2001, that figure increased to 61% in 2002. Systems with security certification and accreditation rose from 27% to 40%, and systems that had undergone risk assessments rose from 44% to 64%. Mark Forman, associate director for information technology and e-government at the Office of Management and Budget (OMB), says that while there has been improvement, the figures are not where they should be; the OMB's goal for this fiscal year is to have 80% of federal systems certified and accredited.
ISS Revises Cyber Incident Statistics for First Quarter of 2003 (8 April 2003)
A report from Internet Security Systems (ISS) found that the number of cyber attacks and security breaches increased 37% from the fourth quarter of 2002. The number was initially incorrectly reported to be 84%.
Windows Server 2003 License Key Leaked (8 April 2003)
A volume license key for Microsoft Windows Server 2003 has been leaked to the Internet. Windows Server 2003 has not been officially released. Volume license keys are intended for corporate users with multiple systems. Microsoft is investigating. Copies of the Windows Server 2003 software, which is due to be released on April 24, have also appeared online.
Pyramid Scheme Spam Temporarily Brings Down Montana ISP (8 April 2003)
A Montana Internet service provider (ISP) was deluged with up to 20,000 e-mail messages an hour, causing the service to shut down briefly. The messages were part of an electronic pyramid scheme. The ISP's owner believes the attacks originated locally; the incident is under investigation.
Secure Operating Systems (8 April 2003)
Secure operating systems (OSes) are either hardened or trusted OSes. Hardened systems are aimed at keeping intruders out of the system altogether; network ports and services can be removed to lock systems down. Trusted systems allow only people with specific access rights to view and manipulate data. If intruders gain root access to a properly configured trusted system, they do not control the system.
[Editor's Note (Grefer): A configured trusted system as described in the abstract would not have a traditional super user (root) account; rather, it would use role based access control (RBAC), therefore limiting rights to those necessary for any particular role. (Ranum): Trusted Operating systems are not news. They have been around since the early 80's - and didn't work then any better than they do now. ]
Letter Author Claims to have Breached Prison Computer Security (8 April 2003)
The Arkansas Democrat-Gazette received a letter containing the social security numbers of several Arkansas prison employees from someone claiming to be an inmate. The author of the letter alleges that prison authorities were lax in allowing inmates to have access to computers. A prison spokeswoman says the information would not have been available through the Internet, but could have been found on the prison's computer system. The incident is being investigated.
Digital Defense Apologizes for Releasing Samba Exploit Along with Advisory (7/8 April 2003)
The Samba team has released a patch for a vulnerability discovered by the security company Digital Defense. The vulnerability could allow attackers to compromise Samba servers connected to the Internet. Because the vulnerability was already being actively exploited, the Samba team and Digital Defense decided to release their advisories before all the vendors had time to address the problem. Digital Defense's advisory also included code for exploiting the vulnerability, without managerial approval; the company has apologized.
Integrating IT and Physical Security (7/10 April 2003)
Integrating IT security with physical security can improve threat detection and response and streamline investigations. However, such integration may be hard to implement because it requires a significant change in business culture and processes.
GAO Report Finds ISACs are Not Sharing Much Information (3 April 2003)
A General Accounting Office (GAO) review of the Information Sharing and Analysis Centers (ISACs) for the Telecommunications, Electricity, Information Technology, Energy and Water critical infrastructures found that the clearinghouses are not sharing much information with the government. Some ISACs will not share information with other ISACs; some will not let the National Infrastructure Protection Center (NIPC) access their libraries of reported incidents. Some claim they fear that the information they provide may become accessible to the public through the Freedom of Information Act (FOIA).
[Editor's Note (Schneier): May I say, "I told you so?" ]
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit