SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #50
December 17, 2003
Correction: Last week we told you about Bruce Schneier's essay exploring whether the Blaster worm had a role in the August blackout. But we forgot the URL. Here it is:
We hope to see you at the largest information security conference in history with over 600 hours of training. In 6 more days (On December 23) the website for SANS 04, April 1-9, 2004 Orlando on the Disney property will be available at www.sans.org. Don't miss this one!
TOP OF THE NEWSSpammers Indicted in Virginia
Classified Disks Missing at Los Alamos National Laboratory
Government Cyber Security Report Card Analysis
European Banks to test Facial Recognition Authentication Software
THE REST OF THE WEEK'S NEWSSecurity Manager's Journal
Sobig-F to Blame for Spam
Treasury Gives $2 Million for Financial Services ISAC Upgrades
SCO Web Site Hit by DDoS Attack
Beta Windows XP Service Pack 2 to be Released Soon
Roundtable Focuses on Government Regulation, DHS Role in Cybersecurity
Man Fined for Trying to Install Keystroke Logger
Johnson Appointed DHS Security Chief
Putnam Pushes for Cyber Security Accountability
Windows 98 Moves to Non-Supported Phase Next Month
Worm Propagation in Networks
Phony e-Mail Caused Police Switchboard Denial of Service
Developer Error Exposes Database
Air Force Establishing Network Operations and Security Center
Considering Camera Phone Policies
Voting Machine Companies Form Election Technology Council
DHS and Private Sector Need to Work Together for Cybersecurity
VULNERABILITY UPDATES AND EFFECTSMicrosoft Investigating IE Vulnerability
Buffer Overflow Vulnerability in Windows Workstation Service
No Microsoft Patch Release in December
XP Fix Unexpectedly Delivered
********************** Sponsored by Tripwire, Inc. **********************
MANAGE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire integrity management solutions pinpoint changes to your servers and network devices, accelerating discovery and increasing uptime, making you the hero of your IT organization. Click here to get a FREE copy of our Security Exploit and Vulnerability Matrix Poster.
Highlighted Immersion Training Conference of the Week
CDI West, in San Diego at the end of January, is the place to find all six of SANS most popular courses, including Forensics, Hacker Exploits, Firewalls, Securing Windows, Intrusion detection, and SANS Security Essentials. It also offers an interactive vendor exposition and an extensive evening programs. And San Diego in the winter is lovely.
San Diego: http://www.sans.org/cdiwest04
TOP OF THE NEWS
Spammers Indicted in Virginia (11/12 December 2003)Jeremy James, a.k.a. Gaven Stubberfield, and Richard Rutowski have been indicted on charges they conspired to send out large quantities of spam in violation of Virginia's anti-spam law. In addition to exceeding the legal volume for spam, they are accused of falsifying information to disguise the spam's origin. If they are convicted, they could each receive a five-year prison sentence and be ordered to pay a fine of up to $2,500.
[Editor's Note (Ranum): Most states already have legislation regarding spam, and the recent, much-touted national spam legislation actually weakens some of it. For example, in many states it is a serious crime to send pornographic spam under a falsified Subject: line that does not clearly indicate its nature. Unfortunately, few states are trying to enforce the law. I applaud Virginia for its leadership. ]
Classified Disks Missing at Los Alamos National Laboratory (12 December 2003)A routine inventory of classified electronic storage media at Los Alamos National Laboratory (LANL) found nine floppy disks and one large-capacity storage disk unaccounted for. LANL officials have instituted a "limited security stand-down" for all employees who work with classified data; they will not be permitted to handle removable electronic media until they undergo retraining. Officials at LANL believe the disks were probably destroyed "as part of a regularly scheduled disposal process."
[Editor's Note (Schneier): It's stories like this that give federal agencies their failing grades. And the stories keep coming and coming. ]
Government Cyber Security Report Card Analysis (11/12 December 2003)Despite the overall low grades given to the government for cyber security, the improvements can be viewed in a positive light. For instance, while the Department of Transportation's grade rose from an F last year to a D+ this year, the improvement is due to a score increase from 28 to 69. In addition, several agencies' grades did improve significantly; the Nuclear Regulatory Commission's grade rose from a C to an A, and the National Science Foundation's grade rose from a D- to an A-. Federal Information Security Management Act (FISMA) regulations are likely to bring about greater improvement in next year's report card.
[Editor's Note (Schultz): Improvements such as those mentioned in this news item should indeed be viewed as positive. It takes time to improve security in today's computing environments.
(Northcutt): Northcutt: A word document with the grades themselves is available:
European Banks to test Facial Recognition Authentication Software (11 December 2003)European Internet banks will begin testing facial recognition authentication software. Customers who participate in the trial will have their facial biometrics stored either on their own PCs or on smart cards; the stored faces will be verified with web cams. The marketing director of the company that makes the software says it can detect when people try to use video footage or a model of a head to trick the system.
[Editor's Note (Schneier): This is a proper use of biometrics -- for authentication and not for identification. It'll be interesting to see what bugs show up in actual use.
(Pescatore): Facial recognition has failed miserably in most trials, but using it indoors for people sitting in front of PCs provides a very technology friendly environment. However, limiting customer's ability to do online banking only from PCs that have a web cam (and possibly a smart card reader) eliminates a lot of the convenience of online banking. An alternative is the use of SMS messaging and cell phones for strong authentication, a technique which has see widespread success in the European Union.
(Grefer) Assurances from marketing are not very assuring. The "BioFace" study currently conducted by the Fraunhofer Institut IGD on behalf of the BSI (Bundesamt fx81r Sicherheit in der Informationstechnik, Germany's Federal Information Security Agency) and the BKA (Bundeskriminalamt, Germany's Federal Bureau of Investigations), concluded that the algorithms employed by various vendors still offer vast opportunities for improvement.
The same article machine-translated into English:
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT - Spam is an attack on your email systems. Protect your enterprise. WHITE PAPER
(2) Simplify secure file transfer! Download a white paper and evaluation software.
(3) Get the story behind the headlines. Computer security intelligence from the experts
THE REST OF THE WEEK'S NEWS
Security Manager's Journal (15 December 2003)Security Manager's Journal author "Vince Tuesday" describes how his company deployed firewalls to protect its network and that of their parent company from each other.
Sobig-F to Blame for Spam (9/12 December 2003)According to MessageLabs' end-of-year report, the Sobig-F and other similar worms are responsible for two-thirds of all spam.
[Editor's Note (Grefer): This serves as a reminder that personal firewalls are essential. In a dial-up configuration, a personal firewall may be the only defense a consumer has. Microsoft's firewall shipped with Windows XP provides a false sense of security because it doesn't check outgoing traffic. Once malware like Sobig-F has established itself on the system and tries to "call home," a full-fledged personal firewall is one of the few means of detecting and stopping such unauthorized communication. ]
Treasury Gives $2 Million for Financial Services ISAC Upgrades (9/10 December 2003)The Financial Services Information Sharing and Analysis Center (FS/ISAC) will receive $2 million from the Treasury Department for upgrades, which include network enhancements to expand service and create a secure real-time information sharing forum.
SCO Web Site Hit by DDoS Attack (10/11/12/15 December 2003)The SCO Group says its www.sco.com website was the target of a distributed denial of service (DDoS) attack last week. The site was also the target of DoS attacks in May and August of this year. SCO servers were back on line approximately two days after the attack began.
SCO's servers were hit by denial of service attacks again over the weekend and on Monday.
Beta Windows XP Service Pack 2 to be Released Soon (12 December 2003)Microsoft will release a beta of Windows XP Service Pack 2 (SP2) before the end of the year; the beta will be made available to several hundred thousand testers, largely software developers and IT professionals, through Microsoft's Developer Network. Along with the usual updates and rollups, SP2 will include improvements to XP's overall security. A final version of SP2 should be out by June of 2004.
[Editor's Note (Pescatore): Currently, less than 10% of enterprise desktops are running Windows XP while 50% or so are on Windows 2000. The XP improvements will mostly benefit consumer users. While XP's penetration will be higher (and Windows 2000 lower) by 2Q04, Microsoft should commit to issuing significant Windows 2000 Desktop security updates by then as well. ]
Roundtable Focuses on Government Regulation, DHS Role in Cybersecurity (12 December 2003)Three security analysts took part in a roundtable teleconference in which they debated the best ways to improve cyber security. Sanctum CEO Peggy Weigle expressed support for government regulation. Former White House cyber security advisor Richard Clarke is more reluctant about regulations, saying they should be carefully thought out and should include third-party audits. Clarke was also critical of DHS for allowing the first Cyber Security Summit to be sponsored by a small group of IT vendors. John Pescatore, vice president of research for Gartner, would like to see the government leading by example, and called for more liability for software manufacturers.
[Editor's Note (Ranum): What nobody seems to want to admit is that security is not something that is achieved through consensus and debate. It's achieved through high-level policy-setting by those with the knowledge and enforced by those with the power and will. Right now security looks like a well-funded football that everyone's scrambling to grab hold of. ]
Man Fined for Trying to Install Keystroke Logger (12 December 2003)The Johannesburg Commercial Crime Court convicted Innocent Madlala under South Africa's Electronic Communications and Transactions (ECT) Act for attempting to install a keystroke-logging device on an Internet banking computer. Madlala was fined R20,000, approximately US$3178.
[(Grefer): This is a huge fine in a country where the average annual household income is approximately US$16,800. ]
Johnson Appointed DHS Security Chief (12 December 2003)Jack Johnson has been officially appointed Department of Homeland Security's (DHS) chief security officer.
Putnam Pushes for Cyber Security Accountability (11 December 2003)Representative Adam Putnam (R-Fla.) last month tabled legislation that would have required companies to include results of independent security audits in their annual reports after various organizations asked if they could have the chance to develop accountability standards without government regulation. The Corporate Information Security Working Group has met twice to develop best practices and guiding principles in that hope that private sector organizations would voluntarily adopt them. If the group does not achieve its goal, Putnam says he will reintroduce his legislation as soon as next spring.
W32/Yaha-Y Worm (11 December 2003)A variant of the Yaha worm, dubbed W32/Yaha-Y or Win32.Yaha.Z, is spreading. The worm blocks access to anti-virus web sites, tries to install a key logger and may try to launch a denial of service attack against certain targets.
Windows 98 Moves to Non-Supported Phase Next Month (11 December 2003)A recently released paper warns that Microsoft's plan to move Windows 98 to "the non-supported phase" in January 2004 will mean an increase in threats for those still running the operating system; an accompanying survey of 670 companies found 80% running at least one computer with Windows 98 or 95. While people using the older OS can still get on line help, Microsoft will no longer be obligated to provide hotfixes for vulnerabilities.
[Editor's Note (Schultz): Microsoft's dropping support of Windows 98 is not by any means any kind of catastrophe for the security community. This OS is not at all conducive to security in the first place. Hopefully, dropping support of Windows 98 will trigger more use of Windows XP, which (despite the many vulnerabilities that have surfaced in this OS) is not all that bad from a security perspective. ]
Worm Propagation in Networks (10 December 2003)This article analyzes the propagation behavior of three different worm families in networks.
Phony e-Mail Caused Police Switchboard Denial of ServiceCambridgeshire (UK) police have arrested a man suspected of sending hoax e-mail messages to people informing them their credit cards had been debited x9c399.95 (approximately US$698) for an iPod. The e-mail encouraged them to phone a customer service number, which was actually the Cambridgeshire police main switchboard number; the deluge of calls caused a denial of service attack on the switchboard.
[Editor's Note (Schneier): This is a modern-day version of the pizza attack. (Ed: The pizza attack involved ordering pizza from dozens of outlets and asking that it be delivered to a person - the victim - who didn't want it and didn't want to pay for it.) ]
Developer Error Exposes Database (9 December 2003)A developer error allowed a widely used database containing people's names, social security numbers and other personal information to be accessed by the public for several hours last week. A developer had apparently opened access to the database while LocatePlus.com, the company that provides the database service, was testing an application to make the database available on wireless devices. LocatePlus logs users' Internet addresses, so it has a record of who accessed the database during its vulnerable period.
Air Force Establishing Network Operations and Security Center (9 December 2003)The Air Force is setting up a Network Operations and Security Center (AFNOSC) to "identify network security issues, vulnerabilities and attempted intrusions and attacks and develop appropriate responses."
Considering Camera Phone Policies (9 December 2003)META Group vice president for Technology Research Services Jack Gold recommends that companies develop clear policies regarding the use of camera phones on business premises; they should also consider whether the devices should be allowed on site at all. Camera phones could be used to photograph proprietary information.
Voting Machine Companies Form Election Technology Council (9 December 2003)Six electronic voting machine companies have created the Election Technology Council, which has three main focus areas: creating an industry code of ethics, developing certification and standards recommendations and reviewing security best practices.
[Editor's Note (Schneier): Do I hear the sound of wagons circling? ]
DHS and Private Sector Need to Work Together for Cybersecurity (8 December 2003)Members of the House Homeland Security Select Subcommittee on Cybersecurity, Science and Research and Development spoke to the need for the Department of Homeland Security (DHS) to develop strong relationships with the private sector in order to effectively guard against cyber attacks.
[Editor's Note (Ranum): This is a constant and useless refrain. If the government wants to get serious about cybersecurity they can. Continually pointing at the private sector is a cop-out. ]
VULNERABILITY UPDATES AND EFFECTS
Microsoft Investigating IE Vulnerability (10/11/12 December 2003)Flaw could allow phishers to spoof web sites.
Buffer Overflow Vulnerability in Windows Workstation Service (10 December 2003)A patch released in November addresses the problem, but workarounds recommended at the same time, which suggested using a firewall to block certain UDP and TCP ports, will not work because the new vector of attack uses a different UDP port.
No Microsoft Patch Release in December (10 December 2003)Microsoft says it will not be releasing its monthly security package in December because they have "nothing that has passed the bar from a quality perspective."
XP Fix Unexpectedly Delivered (11 December 2003)A fix was unexpectedly delivered to some Windows XP systems last week, despite Microsoft's announcement that they were not sending out a December security package. The fix was originally issued in November, but only to XP systems running Microsoft's Internet Information Service (IIS). A change in distribution parameters caused the fix to be distributed to a wider range of XP systems.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit