SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #39
October 01, 2003
TOP OF THE NEWS
Poll Finds Legislation Drives Security Spending
Maryland Election Officials Review Audit Report, OK Use of Diebold
Bill Would Require Agency Policies for Peer-to-Peer Networking
Unprotected Site Attacked 10 Times More Often than Site with Firewall
THE REST OF THE WEEK'S NEWS
@Stake CTO Dan Geer Loses Job Over Paper Critical of Microsoft Monoculture
Web Security Firm Executive Accused Of Hacking Military
New Exploits for Unpatched IE Object Data Vulnerability
Juvenile Arrested in Connection with RPCSdbot Worm
Spam Blacklist Sites Down After Denial-of-Service Attacks
UK's NHTCU Revises Guide for Retrieving and Preserving Electronic Evidence
State Department Computer System Hit with Welchia Worm
Government Use of Peer-to-Peer Not Secure
NEW VULNERABILITIES IN MAJOR SYSTEMS
Critical Unchecked Buffer Vulnerability in DirectX
OpenSSH Issues Patch for Pluggable Authentication Modules (PAMs)
TOP OF THE NEWS
Poll Finds Legislation Drives Security Spending (29 September 2003)
A PricewaterhouseCoopers/CIO Magazine poll of 7,500 senior information technology executives found that an increase in security spending is largely due to compliance with recent legislation, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act. The poll's results appear to support the argument for legislated security requirements rather than self-regulation.
[Editor's Note (Schneier): People will only spend for security to the limit of their damages. Increase their risk--liabilities, laws, whatever--and you increase their spending. It's Economics 101. (Schultz): There are no surprises here; legislative compliance is a huge consideration within industry. This points to the need for more information security-related legislation, given that (with the exception of the banking/financial community) self-regulation is for the most part not working.
(Northcutt): We haven't been willing to regulate ourselves, and so now our lawmakers feel obligated to help us. However, none of the proposed legislation addresses the root problem; we are working with operating systems and application software that are so bad, they are very difficult to operate securely. (Grefer): Self-regulation tends to result in minimalist approaches, quite often limiting efforts to as little as the self-regulated industry can get away with. Proper legislation can fix this problem by providing a framework defining minimum requirements. ]
Maryland Election Officials Review Audit Report, OK Use of Diebold Voting Technology (25 September 2003)
Maryland election officials plan to move ahead with a $55.6 million contract with Diebold Election Systems that would provide the state with touch screen election systems despite an audit that says the system presents "a high risk of compromise." The audit report was prepared by Science Applications International (SAIC) and includes a 23-item "action list" for securing the voting machines. Maryland Board of Elections CIO Pamela Woodside said the technology has to be recertified before it can be used in an election.
[Editor's Note (Schneier): This is wrong in so many different ways. Looks like a bad case of head-in-the-sand to me. ]
Bill Would Require Agency Policies for Peer-to-Peer Networking (24/25 September 2003)
The House Government Reform Committee introduced HR 3159, or the "Government Network Security Act of 2003," which would require agencies to develop policies to protect their computer systems from the security risks of peer-to-peer networking. The impetus behind the legislation is the concern that confidential data could be inadvertently shared over the network; the bill does not prohibit the use of peer-to-peer applications.
Unprotected Site Attacked 10 Times More Often than Site with Firewall (23 September 2003)
PSINet Europe and PanSec International set up two dummy websites that looked like European banking websites. One of the sites was unprotected while the other had a firewall. The unprotected site received 19,128 attacks over a two-month period; the server with the firewall received 1,672. However, one third of the attacks against the protected server were "high risk" attacks, meaning that a poorly configured firewall or the discovery of a new vulnerability could lead to a compromised server. PSINet Europe group product manager Neil Downing said that more than half of the company's customers do not use firewall protection.
THE REST OF THE WEEK'S NEWS
@Stake CTO Dan Geer Loses Job Over Paper Critical of Microsoft Monoculture (24/25/26/29 September 2003)
A paper released by the Computer and Communications Industry Association and authored by a number of security experts argues that the ubiquity of Microsoft products in government, business and homes leaves computer systems wide open for security problems. A more diverse computing environment would hinder the spread of worms and other cyber attacks. The CCIA did not commission the report; @Stake CTO Dan Geer, whose name appears on the report, said of the signatories "this is a personal initiative of these people. It was paid for by no one." Geer lost his job as a result of the report.
[Editor's Note (Northcutt): Dan was kind enough to give me five minutes of his time. He confirms he was "fired by press release," or we would not have run this story. The paper he helped write is fairly well grounded, not sensational, and the danger of monoculture is well known. However, there is usually a reason for monoculture; it is hard to imagine trying to do real business using OpenOffice on whatever version of Red Hat Linux is out this week. (Schultz): I would imagine that @Stake's reason for terminating Geer's employment is that (at least in the past--I do not know about the present) Microsoft has been a client of this consultancy. Still, what Geer and others said in the report, namely that there is a Microsoft monoculture that creates enormous security problems for the IT community, is not only true, but in and of itself it also does not really constitute an attack against Microsoft. What happened to Geer thus seems unjust. (Schneier): Dan Geer's firing has made the report a much bigger story than it would have been otherwise. ]
Web Security Firm Executive Accused Of Hacking Military (30 September 2003)
Brett Edward O'Keefe, president of an Internet security firm, was indicted on Monday on six counts of conspiracy to access military, government and private computers. He is accused of sharing military files with news media to generate favorable publicity for his San Diego company, ForensicTec Solutions Inc.
New Exploits for Unpatched IE Object Data Vulnerability (28/29 September 2003)
Attackers are apparently exploiting the Object Data security hole in Microsoft Internet Explorer (IE) to steal AIM (AOL Instant Messenger) account names and passwords and to install Trojan horse programs on vulnerable computers. A patch for the vulnerability was originally released in August, but it did not adequately address the problem in IE versions 5.01, 5.5 and 6.0. In late September, Microsoft said it would release a revised patch, but has not yet done so.
Juvenile Arrested in Connection with RPCSdbot Worm (26 September 2003)
The Department of Justice said that a juvenile has been arrested in connection with the release of the Spybot worm, which is also known as Randex.E and RPCSdbot, and which installs a Trojan horse program on infected computers. The worm exploits the same Microsoft vulnerability exploited by MSBlast and its variants.
Spam Blacklist Sites Down After Denial-of-Service Attacks (26 September 2003)
Two websites that post spam blacklists are no longer running because of massive denial-of-service attacks launched against them. In addition, an ISP took a spam blacklist offline after it saw signs of an attack.
UK's NHTCU Revises Guide for Retrieving and Preserving Electronic Evidence (26 September 2003)
The UK's National Hi-Tech Crime Unit (NHTCU) has written and released a revised version of its Good Practice Guide for Computer-based Electronic Evidence; the new version addresses the handling of PDAs and mobile phones. Because electronic data can be inadvertently corrupted, investigators need to seize, quarantine and take a forensic image of the devices.
[Editor's Note (Shpantzer): Here are some other links from the US side that might help, as well:
State Department Computer System Hit with Welchia Worm (24/25 September 2003)
The Welchia worm infected an unclassified US State Department "Consular Lookout and Support System," or CLASS, causing a nine-hour shutdown. During that time, embassies and consulates could not conduct background checks for visas. The infection underscores the need for the government to improve its computer patch management systems.
Government Use of Peer-to-Peer Not Secure (26 September 2003)
A staff report compiled for the House Government Reform Committee found significant security problems with peer-to-peer applications on government computer systems. In some cases, people using the file-sharing programs had inadvertently made available confidential information such as medical records and tax returns. The peer-to-peer programs also installed spyware on computers.
NEW VULNERABILITIES IN MAJOR SYSTEMS
[IMPORTANT NOTE: If you are responsible for the security of important systems, you should also subscribe to the Critical Vulnerability Analysis, a weekly report that provides details on how to protect yourself against exploits of the critical new vulnerabilities and new broad-based attacks discovered each week. Register (it is free) at
Critical Unchecked Buffer Vulnerability in DirectX (24 September 2003)
OpenSSH Issues Patch for Pluggable Authentication Modules (PAMs) (23 September 2003)