SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #24
June 19, 2003
TOP OF THE NEWS
Proposed Legislation Would Allow Spammers to be Sued
Bugbear Targets Banks; FBI is Investigating
THE REST OF THE WEEK'S NEWS
CERT/CC Vulnerability Info Leaked Again
Software Piracy Ring Busted
Indian Law Seeks to Allay Fears of Foreign Data Exposure
New Trojan Spreading
Spammers May be Spreading AVF Virus
Man Sentenced for Sandia National Laboratories, Eglin AFB Intrusions
Man Admits to Attack on Al-Jazeera Web Site
Legal Issues Raised by Honeypots
Thai Cyber Vandals Must Help the Site They Defaced
Junior High School Student Faces Expulsion for Deleting Teachers' Grade Files
Microsoft to Buy Anti-Virus Firm
Canadian Survey Finds IT Security Spending on the Rise
UK Police May Call in IT Professionals for Cyber Crime Help
Cisco Rolling Out Security Upgrades
SPECIAL SECTION: "IS IDS DEAD?"
Gartner IDS Report Evokes Strong Response
GUEST EDITORIAL
Bruce Schneier on Cyberterrorism
********* Sponsored by Check Point Software Technologies Ltd.**********
Defend Your Network Against Damaging Application-level Attacks
Organizations across the board are facing serious threats from attackers
attempting to misuse critical business applications. Check Point
FireWall-1 NG with Application Intelligence (tm) is redefining Internet
security by providing protection against these new and growing sets of
Read more in the white paper: http://www.checkpoint.com/adv/sans_appint
TOP OF THE NEWS
Proposed Legislation Would Allow Spammers to be Sued (13 June 2003)
US Senator Charles Schumer (D-NY) has introduced legislation that would allow attorneys general, ISPs and individuals to file civil suits against spammers. Dubbed the Stop Pornography and Abusive Marketing, or SPAM, Act, the bill would also require commercial e-mail to carry accurate headers and subject lines, to include unsubscribe instructions that actually work, and to be labeled as advertising.
Bugbear Targets Banks; FBI is Investigating (9/10/11 June 2003)
The FBI is investigating the Bugbear.B worm because it reportedly targets financial institutions; the FBI has warned banks to be especially vigilant because the worm's code allegedly contains domain names for more than 1,000 banks worldwide. Bugbear.B installs a keystroke logger, sends captured passwords to one of several mailboxes and can install backdoors on infected machines. The FBI hopes to track down the worm's author.
THE REST OF THE WEEK'S NEWS
CERT/CC Vulnerability Info Leaked Again (16 June 2003)
Information from a Computer Emergency Response Team Coordination Center (CERT/CC) vulnerability report intended only for affected software vendors has been leaked to a discussion list. The report described a flaw in PDF readers for Unix that could allow execution of malicious code. The information was scheduled for public release on June 23. Other vulnerabilities under investigation by CERT/CC were posted to a discussion list in March.
Software Piracy Ring Busted (16 June 2003)
A successful sting operation against a software piracy ring has netted Italian police 181 arrests and approximately 118 million euros (US$139.6 million) worth of pirated software. The Business Software Alliance (BSA) lent support to the effort.
Indian Law Seeks to Allay Fears of Foreign Data Exposure (16 June 2003)
Legislators in India have nearly completed drafting the Data Protection Act. The law is intended to ensure that data belonging to foreign companies outsourcing work to India will not be shared with their rivals.
New Trojan Spreading (10/13 June 2003)
Researchers believe a new "third-generation Trojan horse" program is infecting machines on the Internet. Details of the Trojan's behavior are incomplete, but it is known to scan random IP addresses, probing each with a TCP SYN packet whose window size is 55808, and it can spoof the IP addresses of the packets it sends. It is reportedly capable of scanning 90% of the Internet's IP address space in a 24-hour period.
[Editor's Note (Grefer): Readers should take into account the wise counsel of Marty Lindner, team leader for incident handling at CERT/CC, who said, "There is nothing there that hasn't been seen before." The media coverage seems to rely on a press release by a vendor touting its behavior-based intrusion detection solutions. Marketing hype alert! ]
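As an added example, not from the newsletter or the researchers it cites, here is detection logic for the SYN-probe characteristic described in this item, run over constructed tcpdump-style lines. The log format, the addresses and the three-target threshold are assumptions; because the item says the Trojan can spoof its addresses, grouping hits by source is only a heuristic, and a fixed window size alone is a weak signature, as the editor's note suggests.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture). The window size
# 55808 is the SYN-probe characteristic reported in the news item above;
# the SYN-ACK line and the win 65535 SYN are there to show non-matches.
SAMPLE_LOG = """\
12:00:01.000 IP 198.51.100.7.40211 > 203.0.113.9.80: Flags [S], seq 1, win 55808, length 0
12:00:01.020 IP 198.51.100.7.40212 > 203.0.113.44.22: Flags [S], seq 2, win 55808, length 0
12:00:01.050 IP 198.51.100.7.40213 > 203.0.113.101.443: Flags [S], seq 3, win 55808, length 0
12:00:02.000 IP 192.0.2.10.52100 > 203.0.113.9.80: Flags [S], seq 9, win 65535, length 0
12:00:02.100 IP 203.0.113.9.80 > 192.0.2.10.52100: Flags [S.], seq 100, ack 10, win 55808, length 0
12:00:03.000 IP 192.0.2.77.1024 > 203.0.113.5.25: Flags [S], seq 4, win 55808, length 0
"""

# Assumed line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..., win <n>, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?win (?P<win>\d+)"
)

PROBE_WINDOW = 55808  # window size cited in the news item


def parse_line(line):
    """Parse one tcpdump-style line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["win"] = int(rec["win"])
    return rec


def is_probe(rec):
    """A bare SYN (no ACK flag, so SYN-ACK replies are excluded) with the reported window."""
    return rec["flags"] == "S" and rec["win"] == PROBE_WINDOW


def find_probes(log_text):
    """Map each source address to the set of destinations it sent matching SYNs to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["src"]].add(rec["dst"])
    return hits


def scanners(log_text, min_targets=3):
    """Sources whose matching SYNs fan out to at least min_targets distinct hosts.

    Fan-out cuts false positives from a single host that merely uses this
    window size; spoofed sources can still split one scanner across addresses.
    """
    return {src for src, dsts in find_probes(log_text).items() if len(dsts) >= min_targets}
```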
Spammers May be Spreading AVF Virus (13 June 2003)
The infection of about 500,000 computers with the AVF virus is thought to be the work of spammers. The virus installs a back door on infected machines and uses it to send out spam.
Man Sentenced for Sandia National Laboratories, Eglin AFB Intrusions (13 June 2003)
Adil Yahya Zakaria Shakour, who broke into computers at Sandia National Laboratories and Eglin Air Force Base, has been sentenced to one year and one day in federal prison. The eighteen-year-old will also pay more than $88,000 in restitution and will have only restricted computer use for three years after his release.
Man Admits to Attack on Al-Jazeera Web Site (12 June 2003)
Web designer John Racine II has admitted to launching a redirect attack on the web site of Al-Jazeera, an Arab news organization. Racine has pleaded guilty to two charges, wire fraud and unlawful interception of an electronic communication. He is expected to receive a sentence of three years' probation and a $1,500 fine.
Legal Issues Raised by Honeypots (12 June 2003)
Lance Spitzner offers his opinions on the legal questions of entrapment, privacy and liability raised by the use of honeypots. Spitzner points out that, as yet, no legal precedents have been set regarding honeypots.
Thai Cyber Vandals Must Help the Site They Defaced (12 June 2003)
As punishment for defacing Thailand's Information and Communication Technology (ICT) web site, Thai university undergraduate students have been ordered to work on the site.
Kifie-D Worm (12 June 2003)
The Kifie-D worm spreads via e-mail, peer-to-peer file sharing networks and instant messaging systems. After copying itself to local drives and editing the Registry, the worm displays a message warning of a critical error in an application. The worm's payload, which is launched on a Sunday, includes overwriting DOC and TXT files in Windows folders, attempting to disable anti-virus software and mailing itself out to addresses in the Outlook address book.
Junior High School Student Faces Expulsion for Deleting Teachers' Grade Files (11 June 2003)
A New Jersey seventh grader allegedly broke into his junior high school's computer system and deleted the grade files of 10 teachers. The security breach delayed the mailing of school progress reports. The student may be expelled.
[Editor's Note (Schneier): At least they're not treating it like a felony as happened in a similar situation some time ago. This is bad behavior, but it's not serious criminal behavior. Being a dumb kid should not cause the ruin of your life. ]
Microsoft to Buy Anti-Virus Firm (10/11 June 2003)
Microsoft intends to buy Romanian anti-virus company GeCAD; while it is acquiring the company's intellectual property, Microsoft does not intend to continue developing GeCAD's products. Major anti-virus software vendors view the acquisition as acknowledgment from Microsoft that protection from viruses is important to cybersecurity; at the same time, they are quick to point out that anti-virus software alone is not enough to adequately protect users from malware.
Canadian Survey Finds IT Security Spending on the Rise (10 June 2003)
A Canadian study, Pulse of Internet Security in Canada, found that 73% of the 150 C-level Canadian executives surveyed are spending more on security now than they were a year and a half ago. 61% of the executives said security is among their top five priorities. Half of those surveyed said they have had a security breach.
UK Police May Call in IT Professionals for Cyber Crime Help (10 June 2003)
The UK government plans to ask IT professionals to join the ranks of the police force as special constables to help apprehend crackers and malware creators. The plan is part of a larger cybercrime strategy currently under consideration.
Cisco Rolling Out Security Upgrades (17/21 May 2003)
Cisco is introducing a range of hardware and software upgrades aimed at boosting the security of its VPN products and adding features to them; it is also upgrading its security management software to simplify support and management of secure networks.
SPECIAL SECTION: "IS IDS DEAD?"
Gartner IDS Report Evokes Strong Response (11/13 June 2003)
A recent Gartner report calls intrusion detection systems (IDS) "a market failure" and recommends that IT managers instead focus their spending on firewalls. Gartner maintains that IDS will be obsolete by 2005 due to their expense and lack of effectiveness. Cited problems with IDS include false positives and negatives and the need for full-time monitoring. Vendors disagree with the report's assertions.
Several NewsBites editors certainly took exception, so we set aside a special section for this discussion:
(Grefer): Distributed IDS with all their sensors can provide a wealth of information not readily available from the intrusion prevention systems he is touting. The audit function of an IDS should not be eliminated from an information security in depth strategy without spending considerable thought on the ramifications of such a decision.
(Schultz): The Gartner Group has done it again--made yet another wild prediction from its "ivory tower" in the complete absence of hands-on experience or having to live with the consequences of its prescriptions. Part of what Gartner has said, namely that intrusion detection involves a high financial cost, is true, but writing off intrusion detection altogether, as Gartner has done, is completely irresponsible.
(Ranum): In private communications with Stiennon (the Gartner analyst), he offered the shocking fact that - for all that they are hyping IPS - the team at Gartner "doesn't know anyone who is using an IPS in inline mode." That runs utterly contrary to the perception they are trying to create that IPS is the "wave of the future." It just shows that P.T. Barnum underestimated severely when he made his famous assessment of Gartner's customer base: "There's a Gartner Customer born every minute."
(Northcutt): HYPE ALERT: they aren't actually saying ditch IDS, they are really saying use a firewall with IDS capability instead, the so-called intrusion protection approach. This is an ancient discussion: is an all-in-one plastic stereo like the one you had in your college dorm room better than a carefully selected set of devices? It comes down to the level of investment an organization wants to make; is the increase in quality worth the price from an organization's perspective? Since well over 50% of most organizations' value is intellectual property, the answer is probably a resounding yes; it is worth having monitoring systems and people trained to analyze what they detect. An intrusion detection system with trained analysts provides a means of seeing the attacks and adjusting your defenses. IPS does not. Here's what other smart people say about the value of IDS:
Arrigo Triulzi, PhD and IDS designer, Geneva: The reason IDS has been ineffective is that it has been badly deployed and nobody bothered to train the analysts. An initial, guaranteed road to failure in any security model is to deploy monitoring systems and then never look at the screens. Then you can complete the failure by mis-configuring the monitoring systems: CCTV cameras pointing at the sky have rarely caught burglars coming through the front door.
Jamie French, IDS analyst, Ottawa: Winn Schwartau's concept of time-based security is key here. You need the ability to detect malicious network activity. Until you detect, you can't prevent or react!
Ben Bower, lead author of Windows 2000 Professional - The Gold Standard, Canberra: Prevention is nice; detection is a must. Until prevention is 100% we will always require detection. Detection is the last line of defense that many organizations possess.
Mark Cooper, author of Intrusion Signatures and Analysis, 3rd edition, Manchester UK: IDS systems are the (NSA/CIA/FBI/MI5/whatever) of the IT world. They give you a real-time picture of who's trying to do what to your business, so you can head the bad guys off at the pass.
GUEST EDITORIAL
The Risks of Cyberterrorism (Bruce Schneier)
The threat of cyberterrorism is causing much alarm these days. We have been told to expect attacks since 9/11; that cyberterrorists would try to cripple our power system, disable air traffic control and emergency services, open dams, or disrupt banking and communications. But so far, nothing's happened. Even during the war in Iraq, which was supposed to increase the risk dramatically, nothing happened. The impending cyberwar was a big dud. Don't congratulate our vigilant security, though; the alarm was caused by a misunderstanding of both the attackers and the attacks.
These attacks are very difficult to execute. The software systems controlling our nation's infrastructure are filled with vulnerabilities, but they're generally not the kinds of vulnerabilities that cause catastrophic disruptions. The systems are designed to limit the damage that occurs from errors and accidents. They have manual overrides. These systems have been proven to work; they've experienced disruptions caused by accident and natural disaster. We've been through blackouts, telephone switch failures, and disruptions of air traffic control computers. In 1999, a software bug knocked out a nationwide paging system for a day. The results might be annoying, and engineers might spend days or weeks scrambling, but the effect on the general population has been minimal.
The worry is that a terrorist would cause a problem more serious than a natural disaster, but this kind of thing is surprisingly hard to do. Worms and viruses have caused all sorts of network disruptions, but it happened by accident. In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. The closest example we have of this kind of thing comes from Australia in 2000. Vitek Boden broke into the computer network of a sewage treatment plant along Australia's Sunshine Coast. Over the course of two months, he leaked hundreds of thousands of gallons of putrid sludge into nearby rivers and parks. Among the results were black creek water, dead marine life, and a stench so unbearable that residents complained. This is the only known case of someone hacking a digital control system with the intent of causing environmental harm.
Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.
This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.
There are lots of hackers in the world -- kids, mostly -- who like to play at politics and dress their own antics in the trappings of terrorism. They hack computers belonging to some other country (generally not government computers) and display a political message. We've often seen this kind of thing when two countries squabble: China vs. Taiwan, India vs. Pakistan, England vs. Ireland, U.S. vs. China (during the 2001 crisis over the U.S. spy plane that crashed in Chinese territory), the U.S. and Israel vs. various Arab countries. It's the equivalent of soccer hooligans taking out national frustrations on another country's fans at a game. It's base and despicable, and it causes real damage, but it's cyberhooliganism, not cyberterrorism.
There are several organizations that track attacks over the Internet. Over the last six months, less than 1% of all attacks originated from countries on the U.S. government's Cyber Terrorist Watch List, while 35% originated from inside the United States.
Computer security is still important. People overplay the risks of cyberterrorism, but they underplay the risks of cybercrime. Fraud and espionage are serious problems. Luckily, the same countermeasures aimed at cyberterrorists will also prevent hackers and criminals. If organizations secure their computer networks for the wrong reasons, it will still be the right thing to do.