SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #29
July 23, 2003
The first story below describes a critical Microsoft vulnerability
(MS03-026) that affects Windows NT, Windows 2000, Windows 2003 Server,
and Windows XP. A worm using this vulnerability would find more than
ten times as many potential victims as Code Red. If an efficient worm
is launched, so many infected systems will be searching for victims that
you will not be able to download the patches before being infected. Do
not rely entirely on blocking traffic to port 135 as a defense.
Install the patches. If you needed a reason to launch a sweeping
vulnerability elimination program on all Windows systems -- including
the home computers from which your users connect to your corporate
systems -- this is it.
TOP OF THE NEWS
Microsoft Warns of Critical Flaw
Cisco Routers Vulnerable: Exploit Circulating
Music Industry Wins Nearly 900 Subpoenas
Bill Would Jail Song Swappers
THE REST OF THE WEEK'S NEWS
Clarke Advocates Grassroots User Action To Protect Critical IT
Private Sector Executives Lament Loss of Stature for Cybersecurity in Government
FTC Targets Growing Form of Identity Theft
Congress Going Slowly On Privacy Regulation
Authentication Spending To Rise Because Of Government Spending
KPMG Says Small Firms Have Terrible Security
Senate Blocks Funding For TIA
US Passports To Have Facial Recognition Chips
Programmers Automating Credit Card Theft Tasks
Security Risks in Voice Over IP
Mumu Worm Shows Security Manager Remote Office Security Flaws
Virtual Private Networks Pose Threat When Home Computers Are Exploited
TUTORIAL
Tips For Thwarting Insider Threat
A Poor Man's Guide To Forensics On Windows
TOP OF THE NEWS
Microsoft Warns of Critical Flaw (16/18 July 2003)
Microsoft announced a critical flaw in most Windows systems, including Windows 2003 Server, the first system to be built entirely under the Trusted Computing Initiative (TCI). The flaw allows attackers to take over the victim's computer and install and run malicious code. In response, some users questioned the value of Microsoft's Trusted Computing Initiative.
CERT Bulletin updated Monday:
[Editor's Note (Schultz): Critics of the TCI should recall the number of vulnerabilities that surfaced in the first few months after the release of previous Windows products such as Windows NT and Windows 2000. The current number of vulnerabilities in Windows Server 2003 pales in comparison. ]
Cisco Routers Vulnerable: Exploit Circulating (17/18 July 2003)
A security vulnerability in Cisco IOS devices allows attackers to shut down routers by sending a small number of packets. An exploit was quickly published and it has been used by attackers.
The Cisco advisory:
Music Industry Wins Nearly 900 Subpoenas (18 July 2003)
US courts are approving roughly 75 new subpoenas per day requested by the music industry to compel Internet service providers to provide the names and mailing addresses of users known by their nicknames. Some of the subpoenas were granted on claims that as few as five songs were being offered, indicating the industry is going after more than the most egregious pirates.
Bill Would Jail Song Swappers (17 July 2003)
Michigan Rep. Conyers and California Rep. Berman introduced a bill in the US House of Representatives that would define the value of making copyrighted material available through a computer network at 10 times the retail value. In many cases, that would make the act a felony potentially punishable by jail time.
THE REST OF THE WEEK'S NEWS
Clarke Advocates Grassroots User Action To Protect Critical IT (22 July 2003)
Saying that the government should not be counted on to protect the critical infrastructure, former White House security czar Richard Clarke called for users to organize and set security standards themselves.
Private Sector Executives Lament Loss of Stature for Cybersecurity in Government (21 July 2001)
According to an article, corporate executives claim the position of head of the Department of Homeland Security's cybersecurity division would be too low in the organization to be effective. The article claims that a former senior administration official said that many people are wary of the position because "of what the official characterized as 'an axis of evil' comprising the National Economic Council, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) -- agencies that have sought to redirect the administration's attention to other priorities."
FTC Targets Growing Form of Identity Theft (21 July 2003)
Hackers are increasingly using fake web sites to steal information. On July 21st, the Federal Trade Commission announced it had brought its first case and obtained a lifetime ban and a fine against a 17-year-old California boy who was accused of setting up a fake web site appearing to be an America Online site.
Congress Going Slowly On Privacy Regulation (18 July 2003)
Senator Dianne Feinstein has no co-sponsors for her bill to require companies to notify consumers when a database containing private information has been compromised. The bill was modeled after a California law that went into effect July 1.
[Editor's Note (Schultz): I would hope that any law requiring notification of privacy compromises would be better than the recently enacted California law, which in effect specifies no penalties for failure to comply. (Schneier) A law with no teeth in it isn't much of a law. Given the problems I've heard about the California version, I'd rather see how that one shakes out before barging ahead with national legislation. ]
Authentication Spending To Rise Because Of Government Spending (17 July 2003)
The Yankee Group projects that spending on authentication systems should rise from $1.4 to $2.2 billion in the next five years, primarily because of increased spending by the Department of Homeland Security and other government agencies.
KPMG Says Small Firms Have Terrible Security (18 July 2003)
Smaller firms have weak security with only a single layer of defense. They also have difficulty hiring security experts with skills necessary to safeguard their systems.
Senate Blocks Funding For TIA (14/17 July 2003)
The U.S. Senate explicitly stopped funding for the Total Information Awareness (TIA) project being managed by the Defense Advanced Research Projects Agency (DARPA). The House of Representatives had previously restricted TIA activities, but did not cut off funding. TIA's fate now rests in the hands of a Congressional Conference committee.
US Passports To Have Facial Recognition Chips (16 July 2003)
In a boost for biometrics, US passports will carry images of faces and other biometric data on a chip. Pilot projects are scheduled to begin in 15 months, with full-scale implementation to start in 2006.
Programmers Automating Credit Card Theft Tasks (12 July 2003)
The HoneyNet Project reports that it found an "open and helpful" community of credit card thieves. Power (ab)users are making it easier for newcomers to break into the credit card theft business by automating many tasks.
Security Risks in Voice Over IP (17 July 2003)
In the first of a three-part series, Siemens' Joel Pogar explains the security risks associated with voice over IP networks and the principal methods of mitigating those risks.
Mumu Worm Shows Security Manager Remote Office Security Flaws (7 July 2003)
Mathias Thurman reports how the quest to eradicate the Mumu worm led to the discovery of widespread vulnerabilities in remote offices of his company.
Virtual Private Networks Pose Threat When Home Computers Are Exploited (6 July 2003)
Many corporate executives falsely believe that their systems are protected when their users rely on virtual private networks (VPNs). However, if a hacker gains control of an "always-on" home computer, that hacker has a direct pipe into the corporate network with all the privileges of the person who usually uses the computer.
[Editor's Note (Grefer): While a VPN secures communications between systems, including small office and home office (SOHO) connectivity to corporate networks, a security policy needs to be in place detailing the requirements to abide by in order to be allowed to connect. Enforcing such policies is not a trivial task. Many companies therefore have chosen to not allow access to their corporate environment from personally-owned computers, but rather require their staff to use a corporate computer, on which the user does not have administrator privileges, and that has been secured by experienced IT staff. Corporate policy then usually dictates that this system must be used solely for business purposes. ]
TUTORIAL
Tips For Thwarting Insider Threat (14 July 2003)
Dan Verton of Computerworld has compiled three lists of tips from the experts on how to lessen the risk of insider threat: (1) People - 8 tips, (2) Process - 7 tips, (3) Technology - 5 tips. It's useful and practical advice.
A Poor Man's Guide To Forensics On Windows (July 18 2003)
Koon Tan has developed a step-by-step set of instructions to find and use the tools to perform forensics in a Windows environment.
[Editor's Note (Paller): Mr. Tan's paper is one of more than 1,100 practical research papers developed by candidates for GIAC Security Essentials Certification. Although it is extraordinarily good, many of the others are, as well. The SANS Reading Room, where these papers can be found, is an extraordinary collection of original research by experienced front-line practitioners. There is nothing like it anywhere else on the Internet. It has papers in more than 70 categories ranging from Auditing and Application Security to Windows and Wireless. Take a look: ]
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier