SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #38
September 24, 2003
TOP OF THE NEWSUS Department of Energy Uses Procurement Power To Force Better Security From Software Vendors
FBI Agent Reels in Phishing Suspects
Servers Listed on eBay Contained Bank Customer Data
Melissa Author Helped FBI Track Other Worm Authors
THE REST OF THE WEEK'S NEWSNo Trojan in Snort, Says Roesch
NIST Releases Draft Publications
Microsoft Gives Away Security Update CDs in Japan
IDS Market is Growing
Swen Worm is Spreading
Electronic Voting Machine Audit Complete
Buffer Overflow Vulnerability in Sendmail
IBM Issues Patch for DB2 Vulnerabilities
Sentence for Computer Intrusion Includes Restitution and Public Service
Exploit Code for New Windows Vulnerabilities is on Internet
Gale Norton Offers Contradictory Statements About Interior IT Security
Should Common Criteria Certification be Required for All Government Purchases?
Parson Enters Not Guilty Plea at Arraignment
Buffer Management Vulnerability in OpenSSH
DHS to Hold Cyber Security Summit
Solaris Vulnerability Could Allow Root Access
Man Pleads Guilty in "Phishing" Case
******************* Sponsored by Tripwire, Inc. ***********************
MANAGE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire integrity management solutions pinpoint changes to your
servers and network devices, accelerating discovery and increasing
uptime, making you the hero of your IT organization.
Click here to get a FREE copy of our Security Exploit and Vulnerability
TOP OF THE NEWS
US Department of Energy Uses Procurement Power To Force Better Security From Software VendorsKaren Evans, CIO of the Department of Energy, announced a software procurement contract that calls for the vendor (Oracle) to deliver safely configured versions of its software and to maintain the security settings even as new patches are delivered. She was joined in the announcement by the Center for Internet Security - the not-for-profit organization that helped create the minimum standards for securing Oracle, and senior representatives from the Department of Defense, the Department of Homeland Security, and the White House. This is the first demonstration of how the federal government's buying power can be harnessed to provide incentives to vendors to deliver safer software and keep it that way. Three weeks ago, President Bush named Evans to replace Mark Forman to oversee the government's $50 billion IT budget, so her Energy/Oracle initiative is likely to spread to other agencies and other software.
[Editor's Note (Paller): From all of us who have felt frustrated that vendors deliver insecure software and force users to experience the pain, thank you Karen Evans. ]
FBI Agent Reels in Phishing Suspects (19 September 2003)A group running a phishing scam, in which people are asked to visit a certain website and provide credit card and other personal information in order to update their accounts, made the mistake of sending the phony e-mail to an FBI agent who specializes in computer fraud. The FBI agent noted that the billing site webpage was served by Geocities, which seemed an unlikely place for it to be. With help from NIPC and Yahoo, the agent was able to trace the identities of those allegedly responsible for the scam.
Servers Listed on eBay Contained Bank Customer Data (18/19 September 2003)Two servers containing Bank of Montreal customer data were momentarily offered for sale on eBay. Geoff Ellis had obtained the servers from a company in Ontario with the intent of fixing them up and reselling them; he removed them from the eBay sale after he found that they still contained bank customer information. Ellis contacted the bank, which sent a security team to retrieve the hard drives. Bank of Montreal VP and CISO Robert Garigue said the bank's policy is to scrub hard drives before selling equipment. The bank is contacting affected customers to let them know their information was not compromised.
Melissa Author Helped FBI Track Other Worm Authors (18 September 2003)Recently unsealed court documents indicate that Melissa worm author David Smith helped federal agents track down other malware writers, including Dutch worm writer Jan DeWitt and UK worm author Simon Vallor. Smith apparently used a false identity to communicate with the malware writers. Smith's sentence for damage caused by Melissa could have been 10 years, but was reduced to 20 months.
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) EVERY NETWORK ATTACK BEGINS WITH AN ATTACKER.
Neutralize the source. FREE Demo.
(2) Got SecureCRT? Get VShell server for UNIX today.
Download a free trial.
(3) WHITE PAPER - Beyond Sobig: Achieving Email Security
*** Request Paper
THE REST OF THE WEEK'S NEWS
No Trojan in Snort, Says Roesch (22 September 2003)Despite rumors that Trojan horse code has been inserted into Snort, the author of the open source intrusion detection system (IDS) says it is not true. Martin Roesch, author of Snort, acknowledges that one of his servers was compromised, but notes that it is physically and logically separate from the Snort code repository. The machine in question was used as a "sacrificial box" to chat on IRC without risking compromise to the real network. Roesch says the code has undergone three audits since March of this year.
NIST Releases Draft Publications (22 September 2003)The National Institute of Standards and Technology (NIST ) has recently released the final draft of Federal Information Processing Standard (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems" as well as a draft of NIST special publication 800-61, Computer Security Incident Handling Guide. Comments on the latter may be sent to IncidentHandlingPub800firstname.lastname@example.org through October 15, 2003.
FIPS Publication 199:
Draft Computer Security Incident handling Guide:
Microsoft Gives Away Security Update CDs in Japan (19 September 2003)Microsoft's Japanese unit began giving away CDs containing all available security updates for Windows XP. The company started the giveaway at Japan's World PC Expo and had given away 25,000 disks in two days, half the duration of the show. The decision to offer the cumulative fixes comes in part as a response to a request from Japan's Ministry of Economy, Trade and Industry (METI) for a simpler way to get Windows updates.
[Editor's Note (Shpantzer): Some people who use illegal/counterfeit versions of XP installed on their systems find out that the XP service pack doesn't install, because the XP software is not properly registered. While this is one way for Microsoft to promote legal software, it's also a great way to keep many systems permanently unpatched, and we're all downrange of these systems when they get compromised. ]
IDS Market is Growing (19 September 2003)Market watcher IDC says that the intrusion detection market has grown 29.2% over the last year; the firewall/VPN security appliance market rose 7.5%. These statistics fly in the face of statements made earlier this year that intrusion detection systems are going the way of the dinosaur.
[Editor's Note (Schultz): If Gartner has any integrity, it will retract the mindless prediction it made about the demise of intrusion detection several months ago. ]
Swen Worm is Spreading (18/19 September 2003)The Swen or Gibe.F e-mail worm arrives in the guise of a downloadable cumulative security patch for a variety of Microsoft vulnerabilities. The worm exploits a flaw in Internet Explorer that was disclosed in March 2001. In addition using its own SMTP engine to send itself to e-mail addresses harvested from infected computers, Swen can spread through IRC and peer-to-peer services; it turns on file sharing and creates a shared directory containing several copies of itself under different names. The worm is spreading quickly.
[Editor's Note (Northcutt and others): This is a pretty good fake, it will fool a number of unsuspecting people. This comes down to a security awareness issue. Does everyone in your organization know that Microsoft never sends updates by email? If not, that should be your awareness tidbit of the month and definitely added to your regular security awareness curriculum. ]
Electronic Voting Machine Audit Complete (18 September 2003)The audit of Diebold Election Systems' touch-screen voting machines ordered by Maryland Governor Robert Ehrlich is complete. Ehrlich requested the audit after researchers found security flaws in the code for some Diebold voting terminals; the state of Maryland put a $55.6 million contract with Diebold on hold pending the audit's results. The state's Department of Budget and Management and the State board of Elections are reviewing the report; a version edited for public consumption should be available soon.
[Editor's Note (Shpantzer): For an excellent analysis of the original Diebold voting machine vulnerabilities, see this chilling report from the Johns Hopkins University Infosec Research Institute:
Diebold published a response to the above report:
and the cryptography team replied in kind with:
Buffer Overflow Vulnerability in Sendmail (18 September 2003)The Computer Emergence Response Team Coordination Center (CERT/CC) has issued an advisory warning of a buffer overflow vulnerability in Sendmail. The vulnerability affects versions of Sendmail prior to 8.12.10, as well as commercial releases of Sendmail such as Sendmail Switch, Sendmail Advanced Message Server (SAMS), and Sendmail for NT. Users may upgrade to version 8.12.10, which addresses the vulnerability, or apply a patch.
IBM Issues Patch for DB2 Vulnerabilities (17/18 September 2003)IBM has released a patch for a pair of buffer overflow vulnerabilities in certain versions of its DB2 database; the vulnerabilities could be exploited to gain administrative permissions on unpatched machines. The vulnerabilities are in the db2licm and db2dart components of DB2 Version 7.2 for Linux running on either x86 or S/390 architectures.
Sentence for Computer Intrusion Includes Restitution and Public Service (17 September 2003)Richard W. Gerhardt of St. Joseph, MO, has been sentenced to three years probation for breaking into the Nestle USA computer system. Gerhardt will also pay $10,000 in restitution to the company and spend 250 hours of community service speaking to groups about the dangers of computer intrusion.
Exploit Code for New Windows Vulnerabilities is on Internet (17 September 2003)Source code is circulating on the Internet that could be used to exploit recently acknowledged vulnerabilities in the Distributed Component Object Model (DCOM) component of Microsoft Windows. The three flaws are similar to the flaw exploited by the MSBlast worm and its variants. The code was found on a public web site frequented by malware writers. Affected users are urged to download the free patch from Microsoft's website.
Gale Norton Offers Contradictory Statements About Interior IT Security (17 September 2003)Interior secretary Gale Norton gave conflicting reports about the security of department information technology systems. In an August 11 court filling, Norton said her department's "IT systems are secure, for purposes of Internet connectivity ... and sufficient security measures are presently in place to protect
unauthorized Internet access." In a September 8 statement to the Office of Management and Budget (OMB), Norton wrote that her department "has not established access controls that limit or detect inappropriate access to information technology and related resources, thereby increasing the risk of unauthorized modification, loss or disclosure of sensitive or confidential data."
Should Common Criteria Certification be Required for All Government Purchases? (17/18) September 2003)Government and industry officials offered testimony at a House Subcommittee hearing regarding the question of whether or not Common Criteria certification should be required for all governmental purchases. Presently the certification is required for the Defense Department and for other systems that deal with national security. Some witnesses told the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census that requiring civilian agencies to adopt Common Criteria evaluation for security product purchases would result in more products being offered for evaluation and thus more secure products in the marketplace overall. Others said that the Common Criteria certification is no guarantee of security.
[Editor's Note (Shpantzer): Indeed, Common Criteria is not a guarantee of security. Example: The Windows 2000 suite is certified at the EAL4+ level, which, incidentally, is higher than HP-UX11i, SuSe Linux Enterprise Server V8 and Sun Solaris 8. What does that mean? Nothing, really. (Schultz): It seems to me that requiring Common Criteria certification is worth a try. We've tried the opposite approach (the "caveat emptor" approach) and it hasn't seemed to work so well, as evidenced by all the security problems we've seen in so many vendor products. Our editors' comments from June, 2002, still seem valid: (Murray): The issue is not only whether or not a product "meets the Common Criteria" but also whether or not it has even been evaluated against the criteria. Most products are not. Evaluations are very expensive even for products that were developed with evaluation in mind. While it is assumed that evaluated products will be more secure than unevaluated ones, this is less than certain. (Grefer) Be careful what you ask for, you might get it. Evaluation/certification is quite expensive and narrows down the number of competitors. (Paller): It is difficult to prove, in practice, that products meeting the Common Criteria, reliably provide greater security than those that do not. Unsafe configuration negates safe design. For the Common Criteria to meet the goal of improving security, it needs to be complemented with Common Configuration benchmarks like those being developed by NSA, DHS, and the Center for Internet Security. ]
Parson Enters Not Guilty Plea at Arraignment (17/18 September 2003)A lawyer for Minnesota teen Jeffrey Lee Parson entered a plea of not guilty to charges he created and spread a minor variant of the MSBlast worm. Parson was arraigned in Seattle (WA). Parson has been under house arrest since August, leaving only to attend work and school, and is prohibited from using computers.
Buffer Management Vulnerability in OpenSSH (16/17 September 2003)The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of a buffer management vulnerability in versions of OpenSSH prior to 3.7.1. An OpenSSH advisory contains patches for versions 3.7, 3.6.1 and earlier.
DHS to Hold Cyber Security Summit (16 September 2003)Homeland Security Department (DHS) assistant secretary of infrastructure protection Robert Liscouski told the House Homeland Security Committee's Cybersecurity, Science and Research subcommittee that the DHS plans to hold a cybersecurity summit sometime this fall. Among the goals of the summit are the development of a "common threat and vulnerability protocol" and a "vulnerability reduction initiative." Summit participants will also create a National Cyber Security Road Map "with specific milestones and metrics for raising security across the country." Participants will include representatives from federal, state and local government as well as all areas of the private sector.
Solaris Vulnerability Could Allow Root Access (16 September 2003)A vulnerability in the Solstice AdminSuite of certain versions of Sun Microsystems Solaris and trusted Solaris could be exploited to give attackers root access on vulnerable machines. The vulnerability can be exploited by sending special Remote Procedure call (RPC) packets to the sadmind daemon, which uses a weak authentication system. The flaw affects Solaris versions 7,8 and 9, and trusted Solaris versions 7 and 8 on the Sparc and x86 platforms. Sun's advisory contains a workaround but says that "patches are not planned at this time." An exploit for the vulnerability has been found in the wild.
Man Pleads Guilty in "Phishing" Case (15 September 2003)Matthew Thomas Guevara of Chicago has pleaded guilty to wire fraud in connection with a "phishing" scam that used a phony web site to trick MSN customers into divulging personal and credit card information, which he used to make fraudulent purchases. Guevara will be sentenced in early December and faces a maximum sentence of five years in prison and a fine of as much as $250,000.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit