Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #11

March 17, 2004


Stop Blaming the Victims

In case you missed Walt Mossberg's "Personal Technology" column in the Wall Street Journal last Thursday, I excerpted a few key paragraphs and placed them at the end of this issue of NewsBites. The bottom line is this: Mossberg, the most widely-read and respected analyst of personal computer technology, is calling on Microsoft and other technologists to "stop blaming the victims" for security breaches and solve the problem instead.

The software vendors could have done a much better job of protecting their clients. Their officers have admitted as much. This nation, and every other nation, has a right to better treatment from the software vendors.

The National Strategy To Secure Cyberspace, unveiled by President Bush more than a year ago, clearly outlined the best approach to accelerating security improvements in products: using federal procurement power. However, behind closed doors, the software vendors' highly-paid lobbyists in Washington have bottled up nearly every initiative that would have allowed the government to use its procurement power to require significant security improvements. All of us must work together to make sure they cannot do that in secret any more.

Alan

TOP OF THE NEWS

Internet Cutoff Ordered at Interior
FBI Seeks Increased Wiretapping Capabilities
Senate Judiciary Committee Members Request Probe of Possible Criminal Conduct
China Won't Back Down From Wireless Standard Stance
US Senators Draft Legislation Requiring Paper Trails from All Voting Machines
ISPs File Suits Against Spammers Under Can-Spam Act

THE REST OF THE WEEK'S NEWS

US House Democrats Fault DHS On Cybersecurity
Web-Hosting Company Informs Customers of Security Breach
New USB Authentication Tokens: Inexpensive and Effective
California State Senators Want Touch-Screen Voting Machines Banned for November Election
Ohio Middle School Student Suspended for Deleting Student Records
Australian Banking Group Dismisses Financial Impact of Phishing Attacks
Linux Should Follow Microsoft's Lead in Making Security Easier
Job Applicants Hiring Cyber Criminals to Put Their Names in University Databases
Cyber Defense Product Will Launch Counter-Attacks
Countries Could Use Cyber Attacks to Enforce Laws
Comcast Cracking Down on Zombie Spam Relays
Three Important Steps Toward Mitigating Vulnerabilities

CORRECTION

To the Editorial Note on Copyright and DeCSS

VULNERABILITY UPDATES AND EFFECTS

Office XP Patch Disables Spam Filters and Creates Denial-of-Service Condition on PCs
Outlook Flaw Upgraded to Critical
Patch Available for IBM DB2 Database Flaw
Sun Issues Patches for Solaris Vulnerability
Microsoft's Monthly Update Addresses Flaws in MSN Messenger, Windows Media Services and Outlook
Message in Netsky.K Code Says It's the Last Version
New Versions of Netsky Suggest Code Was Published
Patches Available for HP Tru64 Unix OS Vulnerabilities

EXCERPTS FROM WALT MOSSBERG'S WALL STREET JOURNAL COLUMN

Stop Blaming the Victims


TOP OF THE NEWS

Internet Cutoff Ordered at Interior (16 March 2004)

A federal judge in Washington yesterday ordered the Interior Department to shut down most of its employees' Internet access and some of its public Web sites after concluding that the agency has failed to fix computer security problems that threaten millions of dollars owed to Native Americans. The order is the third the judge has handed down regarding computer security concerns at the agency since 2001.
-http://www.washingtonpost.com/wp-dyn/articles/A61546-2004Mar15.html

FBI Seeks Increased Wiretapping Capabilities (12 March 2004)

A proposal from the FBI to the Federal Communications Commission (FCC) asks that all broadband Internet providers be required to rewire their networks to allow police easier wiretapping capabilities. The proposal as drafted could be interpreted to require companies to build back doors into everything from instant messaging to game services.
-http://news.com.com/2102-1028_3-5172948.html?tag=st.util.print
[Editor's Note (Pescatore): We all knew this was coming when the CALEA act was passed. Back then CALEA stayed focused on voice wiretaps and staying away from email and the Internet allowed the privacy groups to save face and stop fighting CALEA. But we're entering the inevitable cycle: attack (2001), more perceived threat, more surveillance (2004), abuse of the surveillance, backlash, not enough surveillance, attack, repeat. ]

Senate Judiciary Committee Members Request Probe of Possible Criminal Conduct (12 March 2004)

Democratic and Republican members of the Senate Judiciary Committee together asked Attorney General Ashcroft to appoint a professional prosecutor to determine whether Republican aides violated criminal laws when they accessed and leaked Democratic files.
-http://www.washingtonpost.com/ac2/wp-dyn/A52023-2004Mar11?language=printer

China Won't Back Down From Wireless Standard Stance (11/12 March 2004)

China will not change its position on requiring companies that wish to do business in the country to use its WAPI wireless encryption standard. As a result, Intel says it will stop selling its Centrino chip in China. The US government has been critical of China's position on the matter, deeming the decision an "unfair trade barrier."
-http://www.americasnetwork.com/americasnetwork/article/articleDetail.jsp?id=88478
-http://asia.internet.com/news/article.php/3324601
[Editor's Note (Pescatore): This, along with China's announcement that it is taking a similar home grown stance towards trusted computing platforms, is a big deal. China is repeating the mistakes the US made with the Clipper chip and export control fiascos. Nothing good can happen by trying to control and likely weaken the encryption built into wireless and PCs. However, China is a very attractive target for PC hardware, software and wireless vendors - Intel is taking a courageous stance. ]

US Senators Draft Legislation Requiring Paper Trails from All Voting Machines (11 March 2004)

Democratic Senators Hillary Rodham Clinton and Bob Graham say they have drafted legislation that would require all jurisdictions to use voting machines that provide paper trails so that recounts could be conducted if necessary. Senator Graham pointed out poll worker errors that prevented some people from voting in Florida's recent primary election. Clinton cited Diebold CEO Walden O'Dell's statement that "he was committed to bringing in votes for President Bush."
-http://www.cnn.com/2004/ALLPOLITICS/03/10/voting/index.html
[Editor's Note (Schultz): If O'Dell really said what he was alleged to have said, this is truly terrifying. There are already many ways to subvert elections; what assurances do we really have that highly partisan employees (or in this case a CEO) have not rigged voting machines to deliver the results they want? ]

ISPs File Suits Against Spammers Under Can-Spam Act (10 March 2004)

America Online, Earthlink, Yahoo and Microsoft are filing lawsuits against hundreds of alleged spammers under the recently passed Can-Spam Act. The complaints allege the defendants sent deceptive marketing e-mail messages, used open proxies and did not provide unsubscribe directions.
-http://zdnet.com.com/2102-1105_2-5172038.html?tag=printthis
-http://www.theregister.co.uk/content/55/36167.html


THE REST OF THE WEEK'S NEWS

US House Democrats Fault DHS On Cybersecurity (12 March 2004)

Democrats on the House Homeland Security Committee say the new department is not doing enough to defend the nation's information infrastructure or to leverage IT in its own activities. The report called for raising the level of cybersecurity within the Department and establishing a National Crisis Coordination Center to guide private sector and government response to cyber events.
-http://gcn.com/vol1_no1/daily-updates/25249-1.html

Web-Hosting Company Informs Customers of Security Breach (12 March 2004)

Texas-based web-hosting company Allegiance Telecom informed 4,000 customers that their usernames and passwords were compromised in a recent intrusion. While the nature of the exposed data does not specifically fall under California's security breach disclosure law, SB 1386, a company spokesman said, "it's the correct thing to do under the circumstances."
-http://www.securityfocus.com/printable/news/8240

New USB Authentication Tokens: Inexpensive and Effective (12 March 2004)

New USB authentication tokens are less expensive than their predecessors and offer more security in the form of multifactor authentication.
-http://www.internetweek.com/story/showArticle.jhtml?articleID=18312205
[Editor's Note (Paller): USB tokens are a very effective technology for ensuring you know who is accessing your computers.
(Shpantzer): Multi-factor authentication has been a security dream for years, realized by the more resource-intensive organizations. Now it may be approaching realistic cost and usability points for true mass deployment.
(Pescatore): USB tokens are poised to charge the two factor authentication hill: prices are down, everything has USB connectors now, people are accustomed to USB memory dongles. The only fly in the ointment is that USB connectors are still in horribly inconvenient places on most PCs or consumer gear. Also, mini-USB connectors are starting to show up on cell phones and PDAs - device incompatibility coming. I still think using text messaging to cell phones will cause cell phones to be the first most widely used token to augment passwords. ]

California State Senators Want Touch-Screen Voting Machines Banned for November Election (11 March 2004)

Two California senators plan to ask California Secretary of State Kevin Shelley to ban the use of touch-screen voting machines in November's general election. The two cited voting problems in the state's recent primary election that prevented some people from voting. If Shelley does not ban the machines, the senators will likely bring the issue to the State Legislature.
-http://www.siliconvalley.com/mld/siliconvalley/8161054.htm

Ohio Middle School Student Suspended for Deleting Student Records (11 March 2004)

An Ohio middle school student allegedly broke into a school computer and deleted files related to a computerized student reading program. He is currently under a 10-day suspension; his parents and school administrators are discussing the possibility of his expulsion. The school district is investigating the possibility that other students were involved in the incident.
-http://www.morningjournal.com/site/news.cfm?newsid=11111924&BRD=1699&PAG=461&dept_id=46371&rfi=6
-http://www.newsnet5.com/news/2910889/detail.html
Here's the sequel:
-http://www.morningjournal.com/site/news.cfm?BRD=1699&dept_id=46368&newsid=11117845&PAG=461&rfi=9
[Editor's Note (Grefer): The software the school was using had such weak security (no access control and required Administrator privileges to run) that the loss of the files could have been an accident.
(Paller): Grefer's theory is possible, and may even be an effective legal defense, but opportunistic file losses are very rarely accidental. ]

Australian Banking Group Dismisses Financial Impact of Phishing Attacks (11 March 2004)

Despite a marked increase in phishing attacks in recent months, the Australian Bankers' Association (ABA) says the resulting losses "are not material enough" to justify spending time and money on improving online banking security. ABA CEO David Bell says credit card fraud (and other forms of graft) are more pressing concerns. Experts say online banking should use two-layer authentication.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39116536-2000061744t-10000005c
[Editor's Note (Tan): The problem is not the size of the financial loss; it is the loss of trust in online banking. Phishing will be a growing threat. The US Department of Justice has recognized the size of the problem and recently published a special report on phishing:
-http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf]

Linux Should Follow Microsoft's Lead in Making Security Easier (11 March 2004)

The author of this piece believes that Linux could learn something from Microsoft's renewed focus on security. Windows XP Service Pack 2 marks a shift toward making security tools easier for Microsoft customers to use. While Linux has good tools, they are not as easy to use. If Linux is to increase its presence in the desktop OS market, developers need to make security easier.
-http://news.com.com/2102-7355_3-5172209.html?tag=st.util.print

Job Applicants Hiring Cyber Criminals to Put Their Names in University Databases (11 March 2004)

As the current job market becomes more competitive, some applicants have reportedly paid people to break into university databases and insert their names into class lists. Criminal lawyers say people could be charged with a felony for breaking into university databases and applicants who get jobs based on false information could be charged with fraud.
-http://www.cnn.com/2004/TECH/ptech/03/11/resumes.fraud.reut/index.html
[Editor's Note (Schneier): I wonder if this is a direct result of colleges outsourcing graduation verification. ]

Cyber Defense Product Will Launch Counter-Attacks (10 March 2004)

Symbiot plans to introduce a defense product that the company claims will launch counterstrikes when targeted with distributed denial of service (DDoS) and other attacks. The counterattacks could range from blacklisting upstream providers to a full-fledged DDoS. Experts raised legal and ethical concerns: attacks often come from hijacked machines, DDoS attacks probably wouldn't be considered self-defense and could violate anti-hacking laws, and attacks could cause collateral damage.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39148215-39020330t-10000025c
[Editor's Note (Schultz): A product of this nature was inevitable. We can in a way take consolation in that a myriad of tools that produce denial of service and other negative outcomes are already widely available on the Internet anyway.
(Shpantzer): You could use this as a test for new IT security employees. Ask them what they think of using such a product. If they approve wholeheartedly, you know you need to keep looking for a mature professional without cyber-Rambo fantasies. ]

Countries Could Use Cyber Attacks to Enforce Laws (10 March 2004)

Fordham University law professor Joel Reidenberg believes governments could soon begin using denial-of-service attacks, worms and packet blocking to enforce their laws.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39148211-39020645t-10000025c
[Editor's Note (Pescatore): This comment applies to both this and the previous article: Long ago, we 'sorta' learned that wiring shotguns to our deadbolts wasn't a good way to defend our houses or our jewelry stores. I'm pretty sure Acme Inc. or the Republic of Leavemealonia launching a denial of service attack against Our Lady of Perpetual Responsibility's zombied web site isn't going to be a good idea.
(Schneier): I predict that if this actually happens, the unintended consequences will be greater than the intended ones. ]

Comcast Cracking Down on Zombie Spam Relays (9 March 2004)

Comcast has been contacting customers whose computers have been hijacked and used as zombie spam relays; in some cases Comcast has cut off service. The company is also helping affected customers secure their computers.
-http://www.computerworld.com/printthis/2004/0,4814,90946,00.html
[Editor's Note (Ranum): Hats off to Comcast! ]

Three Important Steps Toward Mitigating Vulnerabilities (9 March 2004)

Speaking at Computerworld's Premier 100 IT Leaders Conference, SANS Institute director of research Alan Paller described the seven most common and dangerous cyber attacks. He also described three steps CIOs can take to mitigate the vulnerabilities: (1) implementing an automated vulnerabilities mitigation system for existing systems; (2) defining and enforcing secure configurations for users' systems and denying network access to systems that do not comply and (3) requiring that secure configurations be built into all products they purchase. Paller placed special emphasis on giving the system administrators a real chance to succeed by limiting the initial goals and recognizing progress.
-http://www.computerworld.com/printthis/2004/0,4814,90955,00.html
[Editor's Note (Tan): Ensuring that administrators will not feel defeat is important. Too often, managers see only what people have not done well and not what they have done well. It's like soccer; you often remember only the mistakes made by the goalkeepers, not those fantastic saves he made. ]

CORRECTION

Last week's SANS NewsBites contained an editorial comment by Gene Schultz that stated that copyright holders may lose copyright protection when someone publicly posts copyrighted information. Although this has historically been true in some cases, it does not apply to last week's item describing the court ruling concerning the DeCSS code, which is an original implementation of a reverse-engineering protocol (CSS). As such, copyright considerations are not applicable.


VULNERABILITY UPDATES AND EFFECTS

Office XP Patch Disables Spam Filters and Creates Denial-of-Service Condition on PCs (11 March 2004)


-http://www.zdnet.co.uk/print/?TYPE=story&AT=39148314-39020375t-10000003c
[Editor's Note (Tan): Perhaps this is why some people consider patching to be a dirty word. ]

Outlook Flaw Upgraded to Critical (10/11 March 2004)


-http://news.bbc.co.uk/1/hi/technology/3501122.stm
-http://www.computerworld.com/printthis/2004/0,4814,90992,00.html
-http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx

Patch Available for IBM DB2 Database Flaw (10 March 2004)


-http://www.eweek.com/print_article/0,1761,a=121421,00.asp

Sun Issues Patches for Solaris Vulnerability (10 March 2004)


-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954450,00.html

Microsoft's Monthly Update Addresses Flaws in MSN Messenger, Windows Media Services and Outlook (9/10 March 2004)


-http://zdnet.com.com/2102-1104_2-5171898.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,90970,00.html

Message in Netsky.K Code Says It's the Last Version (9 March 2004)


-http://zdnet.com.com/2102-1105_2-5171743.html?tag=printthis

New Versions of Netsky Suggest Code Was Published (11/12 March 2004)

The absence of messages in the code, along with the fact that the new versions do not try to remove Bagle, suggests that someone other than the original author launched the variants.
-http://news.zdnet.co.uk/internet/security/0,39020375,39148309,00.htm

Patches Available for HP Tru64 Unix OS Vulnerabilities (9 March 2004)


-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954238,00.html


EXCERPTS FROM WALT MOSSBERG'S WALL STREET JOURNAL COLUMN

Stop Blaming the Victims

"What we consumers need is a simple, unified protection plan to counter all of these threats (viruses, worms, Trojan horses, spam, spyware, etc.). And the computer, software, and Internet industries have badly failed us in this regard. They would rather dump the security mess in the laps of users than solve it at the level where a solution really belongs: in the operating system, or hardware, or online provider's servers.

"Not only that, but members of the techie class that runs these industries, and the IT departments at big companies, have been quoted recently as blaming the security problem on average, nontechnical users. If only those stupid users wouldn't open e-mails with hidden viruses, the techies say, the trouble would go away.

"Well, I have a word for these contemptuous techies: Save your energy for solving the problem instead of blaming its victims. Mainstream users shouldn't have to be IT experts to operate their computers."



NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/