SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #43
October 29, 2003
What Are the 25 Best Internet Status Information Sites?
SANS' Internet Storm Center (http://isc.sans.org) is assembling a list of the 25 web sites that provide the most useful information on the state of the Internet. For example, the Cooperative Association for Internet Data Analysis (CAIDA) has multiple projects measuring the performance of the Internet. Similarly, Keynote's Internet Health Report shows in near real time the latency between major backbone carriers. Sites like these help keep track of what's happening and assist incident handlers in understanding the full context of attacks or disruptions affecting their networks and information systems. If you have a favorite site that you regularly visit (or visit often during a major attack) and would like to recommend it for the Top 25 list, please submit it to email@example.com with subject Top Security Status Web Sites. Please reply by Friday if possible. The first person to suggest each one that we decide to include at the Storm Center portal will receive a SANS shirt.
TOP OF THE NEWS
Bill Would Require Security Benchmarks and Audit Results in SEC Reports
AOL Turning Off Windows Microsoft Messaging Service on Customers' Computers
Victoria's Secret Fined for Lax Web Site Security
Microsoft's Drop in Unearned Income Attributed to Security Concerns
THE REST OF THE WEEK'S NEWS
Diebold Asks For Removal of Internal Documents from Web Sites
Maryland Legislators Want Non-Partisan Review of Report on Diebold Voting Machine Security
EU Develops Cyber Crime Forensic Standard
DNS Security One Year Later
Federal Patch Distribution System Limited by Licenses, Lack of Capabilities
NIST Director Warns that Critical Infrastructure Security Systems are Weak
DHS and National Cyber Security Alliance to Launch Security Ad Campaign
Carnegie Mellon CyLab
PlanetLab Creates Overlay Network for Security Tool Testing
Judge Says FBI Cannot Go on Search and Destroy Mission
Intradepartmental Information Sharing Remains Difficult
Medical Center Security Audit
Censored Portions of DOJ Document Easily Exposed
Judge Dismisses Data Theft Lawsuit
UK Government to Establish Community-Specific Early Warning Units
VULNERABILITY UPDATES AND EFFECTS
Microsoft Messenger Exploit Code Circulating
Microsoft Revises Security Bulletins for Certain Foreign Language Editions of Windows
Update Fixes Opera Browser Vulnerability
Highlighted Training Programs of the Week
If you want to attend a big conference that provides bonus information on FISMA, DITSCAP and other legal requirements for security, mark your calendar for the Cyber Defense Initiative East in Washington, DC, December 4-5 and 8-13. The free evening program alone has more authoritative presentations than any of the other security conferences, and the daytime programs are taught by people who have won a global competition as the best teachers in their subjects anywhere. Details: http://www.sans.org/cdieast03/
Here's what a recent attendee said about the quality of SANS training: "Fantastic Theory - a great source of knowledge - practical examples - good method of using and applying knowledge straight away." - - Craig Prentice, PricewaterhouseCoopers
TOP OF THE NEWS
Bill Would Require Security Benchmarks and Audit Results in SEC Reports (24 October 2003)
It is expected that the Corporate Information Security Accountability Act of 2003 will be introduced in the House of Representatives next week. Sponsored by Rep. Adam Putnam (R-Fla.), the bill would require companies to hire independent security auditors and include the results in their annual reports. The companies would also be required to meet certain security benchmarks, to be determined by the Securities and Exchange Commission (SEC); the SEC would develop those standards within 60 days of the bill's passage.
[Editor's Note (Pescatore): I testified to Congress on this in July 2000. If we make publicly traded companies report on cyber-security readiness, boards of directors have to appoint someone to oversight which makes CEO's listen, which trickles down to CFOs/CIOs, etc. You can argue whether it worked *too* well for Y2K readiness, but it worked. The danger is that if it gets bogged down in trying to find one size fits all benchmarks or tests, it will drag on forever and the lack of agreement on specific metrics will serve as an excuse for nothing ever happening. So, force Boards of Directors to pay attention first, attack specifics later.
(Schultz): If a bill of this nature were ever passed, it would serve as a huge impetus for improved information security practices in corporate America. If history holds true, however, I'd expect well-orchestrated opposition to this bill from industry. ]
AOL Turning Off Windows Microsoft Messaging Service on Customers' Computers (23/24 October 2003)
AOL has begun turning off the Windows Messenger feature on customers' computers; spammers have been exploiting a vulnerability in the feature. AOL says it has changed the settings for about 15 million customers so far and will continue to do so. It only turns off the feature if the user has administrative privileges on the computer. Some security experts are wary of the precedent set by entities going into users' computers and turning things off.
(Note: A related item about the exploit code is in the Vulnerabilities and Effects section below)
[Editor's Note (Schultz): AOL's actions seem well-intentioned, but I, too, am troubled by the invasiveness of these actions. Furthermore, what AOL is doing could be construed as a violation of the Computer Fraud and Abuse Act.
(Guest Editor Jason Fossen): Why not get the user's permission first and then make other (reversible) security-enhancing changes that really count? For example, AOL's setup program could ask whether to enable the built-in XP firewall, or to turn on Automatic Updates, or open a browser to the Windows Update site, or warn if the Administrator account has a blank password, etc. The trick is to do it without causing tech-support calls, of course.
(Northcutt): Personally I like doing my own system administration, but the AOL target audience will not know how or why to disable messenger. On a similar note, a friend of mine at a very large enterprise has a problem. A C-level executive wants to leave ports 135 - 139 and 445 open on their firewalls between parts of the organization. A sanitized paper is available at:
We would love your comments and recommendations on this. If we get enough usable replies to create a summary we will make that available to the community. If you would like to participate, send your comments to: MSRPC@sans.org ]
Victoria's Secret Fined for Lax Web Site Security (23 October 2003)
Victoria's Secret will pay the state of New York a $50,000 fine for having lax security on its web site; the company has also promised to improve security practices. A glitch allowed customers to view others' orders. The company is notifying approximately 560 customers who were affected by the security problem.
[Editor's Note (Paller): The Federal Trade Commission in its finding against Guess! and now the New York Attorney General Spitzer in his settlement with Victoria's Secret, are making bad security a crime when it leads to privacy breaches. There are many more cases to come.
(Shpantzer): It's curious that Victoria's Secret gets a fine from New York for allowing site visitors to view the size of the lingerie people ordered online, but Triwest (see story titled "Judge Dismisses Data Theft Lawsuit" below) gets a pass for losing control of over a half million military health claim records. What's worse, loss of confidentiality of lingerie size or your SSN and health insurance claims? ]
Microsoft's Drop in Unearned Income Attributed to Security Concerns (23/24 October 2003)
A significant drop in unearned revenue for Microsoft can be attributed to heightened apprehensions about security. While Microsoft expected a dip of between $200 and $300 million, the company's unearned revenue actually dropped from $9 billion to $8.25 billion. Organizations are apparently delaying signing long-term contracts in the wake of MSBlast and other security concerns.
[Editor's Note (Pescatore): Microsoft attributed more than $700M in revenue drop largely to delayed software purchases due to Slammer/Blaster/SoBig hangovers. Magically, Microsoft CEO Ballmer then announces that SP2 of Windows XP (and later on SP1 for Windows Server
Highlighted Security Guide
New Guide to Solaris Security - Now Available
Gold Standard for Solaris security: The Solaris CIS Level-1 Benchmark. "Securing Solaris 8 & 9 Using the Center for Internet Security Benchmark" teaches everything about the processes and services running on those systems, the risks associated with running them, the best ways to run them safely, and the tools and techniques that will make it possible to easily eradicate dangerous default installations from your network. For more information please go to https://store.sans.org/store_item.php?item=93
THE REST OF THE WEEK'S NEWS
Diebold Asks For Removal of Internal Documents from Web Sites (27 October 2003)
Diebold has sent "cease and desist" letters to a number of computer programmers, college students and at least one Internet service provider demanding that they remove purloined internal Diebold documents from their web sites. While most of the documents are relatively innocuous, some could be interpreted to cast aspersions on the security of Diebold's electronic voting machines.
Maryland Legislators Want Non-Partisan Review of Report on Diebold Voting Machine Security (23 October 2003)
Two Maryland Democratic legislators have asked the Maryland Department of Legislative Services to review a recent report on the security of Diebold's electronic voting machines. The state had initially put off a plan to use Diebold's technology when Johns Hopkins University researchers found security problems in the machines earlier this year. The state then commissioned a report on the matter which said security problems in the machines could be addressed. Of particular concern is the lack of a paper trail for voters to verify their choices.
[Editor's Note (Schneier): As a security expert, I am terrified that our nation is considering a voting infrastructure that will allow new and dangerous ways to fix elections. Any voting system needs to be held up to public scrutiny, and not hidden behind the DMCA. ]
EU Develops Cyber Crime Forensic Standard (27 October 2003)
The European Union's (EU) Cyber Tools On-Line Search for Evidence (CTOSE) project "has developed a methodology" for ensuring that electronic evidence in cyber crimes is gathered and preserved so that it will be admissible in court. The project was funded by the European Commission's Information Society Technologies (IST) and brought together the expertise of the IT industry, academia and researchers.
[Editor's Note (Schultz): I consider this development to be a major one. Various forensics standards exist, but they don't have the clout that standards prescribed by the EU will have. ]
DNS Security One Year Later (24/27 October 2003)
After last year's distributed denial of service (DDoS) attack on the Internet's 13 root servers, the server operators began deploying a routing technique called Anycast, which "more than double(s) the number of server farms available to handle the highest level DNS queries." DNS inventor Paul Mockapetris says that the DNS is "more robust at the top than it was a year ago, but the bottom layers are a little bit less safe than they were."
Paul Mockapetris Interview:
[Editor's Note (Pescatore): Making DNSSec and BGP improvements happen is like trying to rescue a bunch of kittens in the middle of a busy interstate highway - if you can't stop the traffic for a while, you might as well admit there will be ugly splats for a long time. We are better off building systems that assume the Internet is a low MTBF, low MTTR environment than hoping for it to ever be very high MTBF. We learned that about electricity a long time ago and the Internet will never equal the electric grid in terms of MTBF.
(Paller): For those readers who are wondering: MTBF is Mean Time Between Failures, the average interval of time that a component will operate before failing. MTTR means Mean-Time-To-Repair, the average amount of time needed to repair a component, recover a system, or otherwise restore service after a failure. ]
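A worked version of the MTBF/MTTR argument in the note above, added here and not part of the newsletter: availability derived from MTBF and MTTR, and the effect of replicating a service across independent sites, as Anycast did for the root servers. The MTBF/MTTR figures for the two designs are constructed for illustration.

```python
# Added example: the availability arithmetic behind the MTBF/MTTR note.
# All figures below are constructed; none come from the newsletter.
HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one component: the fraction of time it
    is up, given mean time between failures and mean time to repair."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_hours(avail: float) -> float:
    """Expected hours per year a component with this availability is down."""
    return (1.0 - avail) * HOURS_PER_YEAR


def replicated_availability(avail: float, replicas: int) -> float:
    """Availability of a service that stays up while at least one of
    `replicas` independent copies is up (the Anycast case: a query is
    answered as long as some server farm is reachable). Assumes
    independent failures, which is optimistic under a coordinated DDoS."""
    return 1.0 - (1.0 - avail) ** replicas


def compare_designs() -> dict:
    """Pescatore's point in numbers: a component that fails often but is
    repaired quickly can be more available than a rarely failing one
    that takes days to restore."""
    robust = availability(mtbf_hours=8760, mttr_hours=72)   # fails yearly, 3 days to fix
    resilient = availability(mtbf_hours=168, mttr_hours=1)  # fails weekly, 1 hour to fix
    return {
        "robust_availability": robust,
        "robust_downtime_h": annual_downtime_hours(robust),
        "resilient_availability": resilient,
        "resilient_downtime_h": annual_downtime_hours(resilient),
        # root servers: going from 13 farms to roughly twice that many
        "anycast_13_sites": replicated_availability(resilient, 13),
        "anycast_26_sites": replicated_availability(resilient, 26),
    }


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(f"{key:>24}: {value:.6f}")
```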
Federal Patch Distribution System Limited by Licenses, Lack of Capabilities (24 October 2003)
According to the General Accounting Office (GAO), federal agencies have been unable to take advantage of the Federal Computer Incident Response Center's (FedCIRC) Patch Authentication and Dissemination Capability because of limited licenses and because the service does not provide important features that other, similar products include. The statement from GAO director of information security Robert F. Dacey was in response to earlier inquiries from the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census about why government computers continued to be vulnerable to worms and other cyber attacks.
NIST Director Warns that Critical Infrastructure Security Systems are Weak (24 October 2003)
In a keynote speech at the National Science Foundation workshop on Critical Infrastructure Protection, National Institute of Standards and Technology (NIST) director Arden Bement said that the hardware and software systems used to control the country's critical infrastructure are antiquated and do not provide adequate security. Bement said the systems should be replaced with others that have security built in from the start.
DHS and National Cyber Security Alliance to Launch Security Ad Campaign (23 October 2003)
The Department of Homeland Security (DHS) and the National Cyber Security Alliance plan to launch an advertising campaign designed to educate home users about defending themselves against computer attacks and cyber fraud. In addition to airing on radio and television, the advertisements will appear in newspapers, magazines and movie theaters.
Carnegie Mellon CyLab (23 October 2003)
The Carnegie Mellon CyLab will focus on cybersecurity education, research and development, and incident response and prediction. The Lab comprises staff, faculty and students from the university's engineering, computer science and public policy departments as well as representatives from CERT. Among projects currently underway is a research study that examines a way to tag IP packets so they can be traced back to the computer of origin.
PlanetLab Creates Overlay Network for Security Tool Testing (23 October 2003)
A consortium of scientists from universities and private industry has created an overlay network that can be used as a test bed for Internet security tools. The network uses PCs as smart routers at each of its nodes; the smart routers can run applications to determine if a packet is safe or not before sending it on to the next node. The consortium, called PlanetLab, currently has about 250 PCs set up around the world; it hopes to have 1,000 PCs in two years.
Judge Says FBI Cannot Go on Search and Destroy Mission (22 October 2003)
A federal judge denied the Justice Department's request to allow the FBI to search for computers that contain evidence related to a 1980s case and destroy that information. The case in question had once been public information but was since designated classified. The request did not specify which computers the FBI would be examining, nor did it explain how the information would be destroyed. The documents were available online for nearly three weeks, during which time it is possible that people downloaded them onto other computers.
Intradepartmental Information Sharing Remains Difficult (22 October 2003)
Both the Defense Department (DOD) and the Department of Homeland Security (DHS) have trouble sharing information within their own departments because of interoperability issues. Also, DHS is likely to start requiring Common Criteria certification for all information assurance technology it uses, as DOD already does. DOD plans to release a wireless networking policy in mid-November; the policy will apply to all wireless devices.
Medical Center Security Audit (22 October 2003)
An unnamed New England medical center allowed technology journalist Joel Shore to observe the process of a third party security audit. The audit, which turned up some serious security problems, did not test for internal vulnerabilities.
Censored Portions of DOJ Document Easily Exposed (22/23 October 2003)
The Justice Department (DOJ) released an electronic version of a report with certain parts censored out. However, the method used to censor the sections was simple to circumvent. The report was released under the Freedom of Information Act (FOIA) in Adobe PDF format. It had started out as a Word document; the censor blacked out portions of the document by selecting the text to be hidden and choosing black as the highlight color.
[Editor's Note (Schneier): I've written about this problem before.
Eventually people will learn. ]
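To make the failure mode in the DOJ item concrete, here is an added example (not from the newsletter, the DOJ or any vendor): two hand-built PDFs, one where a name is merely painted over with a black box while the text stays in the content stream, and one where the text is replaced before the box is drawn, plus the release check that tells them apart by reading the text layer. The witness name and document content are constructed.

```python
# Added example: why "black highlight" redaction leaks, and the check that
# catches it before release. Constructed document; no PDF library needed.
import re

SECRET = "Jane Doe"                      # constructed sample sensitive value
LINE = f"Witness name: {SECRET}"


def page_stream(text: str) -> bytes:
    """Content stream: draw one line of text, then fill a black box over the
    spot where the name sits. Both variants draw the box; only the text
    underneath differs."""
    return (f"BT /F1 12 Tf 72 700 Td ({text}) Tj ET\n"     # text object
            "0 g 150 696 120 14 re f\n").encode("latin-1")  # black rectangle


def build_pdf(stream: bytes) -> bytes:
    """Assemble a minimal, well-formed, uncompressed PDF 1.4 around one
    content stream (hand-built so the example runs offline)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(stream), stream),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def visual_redaction() -> bytes:
    """The DOJ-style mistake: the name is only painted over."""
    return build_pdf(page_stream(LINE))


def real_redaction() -> bytes:
    """Remove the text from the content first, then paint the box."""
    return build_pdf(page_stream(LINE.replace(SECRET, "[REDACTED]")))


def extract_text(pdf: bytes) -> str:
    """Crude text extraction: the string operand of every Tj operator.
    A PDF viewer's select-all/copy recovers the same text."""
    return " ".join(m.decode("latin-1")
                    for m in re.findall(rb"\((.*?)\)\s*Tj", pdf))


def leaks(pdf: bytes, secret: str = SECRET) -> bool:
    """Release gate: does the supposedly redacted file still carry the secret?"""
    return secret in extract_text(pdf)


if __name__ == "__main__":
    print("painted-over copy leaks:", leaks(visual_redaction()))  # True
    print("text-removed copy leaks:", leaks(real_redaction()))    # False
```

The same gate applies to the Word-to-PDF path in the story: run the exported file through text extraction and refuse to publish if any item on the redaction list comes back.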
Judge Dismisses Data Theft Lawsuit (21 October 2003)
A district court judge dismissed a class-action lawsuit that had been filed after a hard drive containing personal information of 562,000 military personnel was stolen from a health care contractor's office. The judge said that as there were no actual damages in the case, negligence was irrelevant.
UK Government to Establish Community-Specific Early Warning Units (20 October 2003)
The UK government plans to develop a network of cyber event early warning units, called Warning, Advice & Reporting Points (Warps). Each unit will be oriented toward a specific group of entities with common interests, ensuring that only applicable security information will be passed along to Warp members. Warps will be rolled out to local authorities in April; the network could extend to include the private sector at some time, though those units would require private sponsorship.
VULNERABILITY UPDATES AND EFFECTS
Microsoft Messenger Exploit Code Circulating (23/25 October 2003)
There is code circulating on the Internet that could be used to crash Windows-based computers. The code exploits a recently disclosed flaw in Microsoft's Messenger Service. Because the vulnerability affects so many versions of Windows, there is some fear that a widespread attack similar to MSBlast could be coming.
Microsoft Revises Security Bulletins for Certain Foreign Language Editions of Windows (23 October 2003)
Update Fixes Opera Browser Vulnerability (22 October 2003)
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/