SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #12
March 24, 2004
In the category of free, useful software: On Tuesday, the Center for Internet Security released an updated Windows Security Scoring Tool along with the Windows XP Benchmark for Secure Configuration. The XP scoring capability has four levels that correspond with Microsoft's security levels. You can test your system to see how safely configured it is, get a numerical score, and then see what needs to be done to raise the score. (A more complete announcement is at the end of this issue of NewsBites.) Download it free from http://www.cisecurity.org (But use it to test only your own personal machine unless your employer is a CIS member. Member organizations can distribute it and use it on all the systems they own.)
TOP OF THE NEWS
Back-Up Tape of Citibank Customer Transactions is Lost
Possible Customer Data Compromise at BJ's Wholesale Club Computer System
Former FBI Analyst Faces Charges of Unauthorized Data Access
Equifax Canada Data Compromised
San Diego State University Financial Aid Server Security Breached
Interior Ordered Off Line Again
ARTICLES ON SPAM
AOL Sees 27% Decline in Spam
Only US Receives More Spam than China
Asia-Pacific Region Joins in Fighting Spam
Korea Wants to Halve Spam Volume
THE REST OF THE WEEK'S NEWS
Man Pleads Guilty to Phishing Charges
Researchers Modeling Attacker Methods
GAO Publication Describes Varieties of Security Products
Voting Machine Problems Highlight Need for Paper Trail
Investigation Indicates Betting Sites Are Being Targeted by DDoS Attacks
Task Force Action Plans: Early Warning System, Increased Security Awareness
Windows XP SP2 RC1 Available to Beta Testers
China Shuts Down Blog Sites for Objectionable Content
Management Practices of High-Performing IT Organizations
US Rep. Putnam Questions Agencies About IT Security
Opinion: Assessments Do Not Solve Problems
Treasury Dept. Will Outsource Some FISMA Security Evaluations
Company to Offer Open Source Insurance Policies
Plaxo Fixes Phishing Vulnerability
Internet Security Threat Report
Book on Security Holes Includes Some Zero-Day Vulnerabilities
Outsourcing and Data Security
New Zealand Man First to be Charged Under New Crimes Amendment (No. 6) Act
Alleged Software Pirate Fights Extradition to US
VULNERABILITY UPDATES AND EFFECTS
Malicious "Witty" Worm Exploits Firewall Holes and Overwrites Data on Hard Drives
Symantec Releases Fixes for Product Vulnerabilities
Bagle Variants Q, R, S & T Exploit IE Object Data Remote Execution Vulnerability
Bagle Variants N, O & P Hide Zip File Password in Graphic File, Seek to Destroy Netsky
Phatbot Trojan Spreads via P2P Technology, Launches DDoS Attacks and Steals Data
Fixes Available for OpenSSL Flaws
Macromedia Releases Patches for Two Vulnerabilities
CIS ANNOUNCEMENT OF WINDOWS XP SECURITY BENCHMARK AND FREE TESTING TOOL
************************** Sponsored by NetIQ *************************
Need security policies?
Don't start from scratch. Check out "Information Security Policies Made Easy," the best security policy resource guide available, with 1,300+ ready-to-use security policies, easily customizable for any organization. Also, don't miss our step-by-step guide, "Information Security Roles & Responsibilities Made Easy."
Check them both out now.
This Week's Featured Security Training Program:
We have added ten new conferences between May and July. In the US: Colorado Springs, Chicago, Baltimore, Kansas City (Overland Park), Denver and Minneapolis. Plus Munich, Germany (late April) and Melbourne and Gold Coast Australia, Vancouver, Canada, and London, England. Find details at http://www.sans.org
TOP OF THE NEWS
Back-Up Tape of Citibank Customer Transactions is Lost (19 March 2004)
A back-up tape containing a month's worth of Japanese Citibank customer transactions was lost while being transported to a data center in Singapore. The information on the tape included account holders' names, addresses, account numbers and balances. Citibank intends to inform affected customers by letter.
[Editor's Note (Shpantzer): Back-ups are subject to all kinds of hazards, theft and accidental loss being only a couple on the list. One auditor at a recent SANS conference told the group that she had staked out a bank's back-up storage contractor, to see what kind of vulnerabilities she could find in the process. She saw the van pull up to the loading dock of the storage facility, and the driver parked the entire box of tapes on the building's generator while he took a break. The data was gone because of the generator's electromagnetic energy. ]
Possible Customer Data Compromise at BJ's Wholesale Club Computer System (19/12 March 2004)
Law enforcement agencies and credit card companies are investigating a possible security breach of the BJ's Wholesale Club computer system. The problem was brought to light when credit card companies began reporting possible fraudulent activity on customers' accounts.
Former FBI Analyst Faces Charges of Unauthorized Data Access (17 March 2004)
Former FBI investigative analyst Jeffrey D. Fudge will face trial in Dallas on felony charges stemming from allegations that he accessed FBI data without authorization. Fudge allegedly shared the information he discovered with his family and friends. If convicted of all charges against him, Fudge could face a 50-year prison sentence or a fine of as much as 250 million USD.
Equifax Canada Data Compromised (17 March 2004)
Equifax Canada has informed more than 1,400 people that the security of their credit files was compromised. The breach apparently narrowly targeted a specific geographic area, raising concerns that the attackers were well-funded; otherwise all of Equifax Canada's database would have been compromised.
San Diego State University Financial Aid Server Security Breached (17 March 2004)
San Diego State University is contacting 178,000 students, alumni and employees following an apparent intrusion into a university server containing names, social security numbers and financial aid reports. The breach occurred in December 2003; attackers used the server to send spam and transfer files. The breach was discovered in February 2004, when the server was taken off the network. The FBI has also been notified. This is not the first case of computer intrusion at the university; late last year, school officials warned about 1,000 people after a library server was compromised.
Interior Ordered Off Line Again (16 March 2004)
For the third time in as many years, a federal judge has ordered the Interior Department to remove many of its systems from the Internet. Systems involved with energy and mineral trusts for American Indians were again found to be lacking adequate security measures. Systems that are vital to police work and fire services are allowed to remain on line, as are those of other bureaus that did not own the data in question.
[Editor's Note (Schneier): How many other departments would be ordered off-line if they underwent the same sort of scrutiny that the Dept. of Interior has?
(Pescatore): Because of the class action lawsuit against the Bureau of Indian Affairs, the DoI is being held to a higher standard than other government agencies, and even most commercial enterprises. However, the continuing increase in identity theft due to mismanaged servers at credit card agencies, online merchants, universities and other enterprises means that either identity theft legislation or class action lawsuits aren't far away. More judges may make similar calls to tell other organizations to disconnect until they can protect their customers' data. That would end up being much more expensive than fixing the problems in the first place. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) WHITE PAPER - Spam threatens network security. Learn how to protect your enterprise. REQUEST: http://www.sans.org/click.php?id=364
(2) (At SANS) 20 free vendor technical security white papers - numerous areas of security discussed. http://www.sans.org/click.php?id=365
ARTICLES ON SPAM
AOL Sees 27% Decline in Spam (19 March 2004)
America Online spokesman Nicholas Graham says the company has noted a 27% decrease in spam since February 20. During that same period, daily AOL customer complaints about spam were cut nearly in half, from 12.7 million to 6.8 million.
[Editor's Note (Grefer): No surprise there. The longer an ISP can fine-tune spam filters, the more efficient the filters become. Also, through implementation of their spam service site blocking, spammers do not get "automatic address verification" through embedded web bugs and graphics anymore. ]
Only US Receives More Spam than China (18 March 2004)
According to the Internet Society of China, in 2003 spam accounted for nearly one in every three e-mails received in China. Chinese servers received at least 150 billion spam e-mails last year, placing the country just behind the US in volume of spam received.
Asia-Pacific Region Joins in Fighting Spam (22 March 2004)
The passage of anti-spam legislation in other parts of the world, together with recent legal action brought against spammers by four major Internet service providers (ISPs), has inspired Asia-Pacific governments and businesses to examine "measures" they can take to stem spam's tide. Japan already has anti-spam legislation in place; Australia's anti-spam laws take effect in April.
[Editor's Note (Schneier): I have every confidence that the Asian effort will be fully as effective as the U.S. CAN-SPAM laws have been. ]
Korea Wants to Halve Spam Volume (19 March 2004)
The Korean government aims to cut the amount of spam in half by the end of 2004. The country's Ministry of Information and Communication (MIC) hit 68 spammers with stiff fines and sent warnings to an additional 127 entities.
THE REST OF THE WEEK'S NEWS
Man Pleads Guilty to Phishing Charges (22 March 2004)
Zachary Hill of Houston pleaded guilty to charges related to a phishing scam that targeted America Online and PayPal customers. Hill will be sentenced on May 17.
Researchers Modeling Attacker Methods (19 March 2004)
Researchers at the Florida Institute of Technology are working on modeling cyber attackers' methods in the hope of eventually developing new security tools. The group has received more than $1 million in funding for this ongoing project to create detailed models of both the intent and the semantics of every possible hacker attack. The group has also created a computer language to describe these models.
[Editor's Note (Pescatore): This is a perennially popular area for research funding but is sort of like studying rain drops in order to fix a leak in the roof. Turns out that it doesn't matter what the raindrops look like, or how they fall - close the windows and patch the roof and you don't get wet. ]
GAO Publication Describes Varieties of Security Products (19/16 March 2004)
The General Accounting Office (GAO) has released Technologies to Secure Federal Systems, a study of commercially available security products broken down into 18 types of tools in five categories: access control, system integrity, cryptography, auditing and monitoring, and configuration management and assurance. The study aims to help agencies identify and choose appropriate technologies for their systems.
[Editor's Note (Pescatore): This report is so basic that if any security manager in any government agency actually learns anything, I'm scared to death. ]
Voting Machine Problems Highlight Need for Paper Trail (19 March 2004)
Wired Magazine reports that an optical scanning machine used to read paper ballots in Napa County, California for the March 2 election failed to record more than 6,000 votes. The machine was improperly calibrated and did not read certain types of ink. While the miscount did not affect the outcome of any of the races, it underscores the need for a paper trail against which to check electronic voting results.
Investigation Indicates Betting Sites Are Being Targeted by DDoS Attacks (19/17 March 2004)
Online betting sites are being targeted by extortionists demanding money to stave off threatened denial-of-service attacks. With the help of server monitoring company Netcraft, BBC News Online monitored twenty sites, sending queries every 15 minutes and noting the response time. Thirty-five outages were noted. While it is not possible to determine the precise cause of an outage by this method, some of the 35 outages did show characteristics suggesting the sites were being targeted by denial-of-service attacks. When contacted, people at most betting sites didn't say what was causing their outages, but some eventually admitted they were under denial-of-service attacks or had received extortion threats.
Task Force Action Plans: Early Warning System, Increased Security Awareness (18/16 March 2004)
Two of five task forces formed under the National Cyber Security Partnership have released action plans for improving national cyber security. One of the plans calls for the creation of an early warning system for cyber security events; the other offers cyber security awareness guidelines for home and small-business users. The guidelines have been criticized for being "vendor-driven."
Windows XP SP2 RC1 Available to Beta Testers (18/17 March 2004)
Beta testers were able to receive Windows XP Service Pack 2 (SP2) Release Candidate 1 (RC1) late last week. RC1 includes Windows Security Center, a tool that makes it easy for users to access security settings. A pop-up blocker will be on by default, as will a built-in firewall; Windows Messenger is turned off.
China Shuts Down Blog Sites for Objectionable Content (18 March 2004)
Chinese government officials closed two web sites that housed thousands of personal blogs. Some Chinese Internet users said the Web log sites were shut because one or more personal Web pages carried opinions on a letter from a well-known doctor to China's senior leadership asking them to reassess the 1989 Tiananmen Square pro-democracy protests.
[Editor's Note (Pescatore): I remember thinking back in 1987 when the Phil Donahue show began to be aired in the old USSR that the end was near for that closed society. Watching China try to play "block the Internet Twister" is deja vu all over again. ]
Management Practices of High-Performing IT Organizations (17 March 2004)
In the first of a pair of related articles on high-performing IT organizations, Gene Kim describes three management practices such organizations employ: enforcing change management processes, fostering a "culture of causality", and "integrating security teams into change management processes."
[Editor's Note (Schneier): This seems awfully buzzword-heavy, but I suppose there's value in looking at systems that work well and trying to analyze why. ]
US Rep. Putnam Questions Agencies About IT Security (22/17/16 March 2004)
During a hearing on information security, Adam Putnam, chair of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, chastised government agencies for moving too slowly in their efforts to secure their computer systems. The agencies received a collective security grade of "D" for 2003. Some agencies showed marked improvement; the Nuclear Regulatory Commission and the National Science Foundation both received individual grades of "A."
Opinion: Assessments Do Not Solve Problems (22 March 2004)
Richard Forno offers his opinion that "annual assessments are an exercise in bureaucratic idleness designed to 'address' but not 'resolve' security problems in any meaningful fashion." He goes on to say that activity, in this case accreditation and certification, has become confused with progress, that is, with actually fixing problems.
[Editor's Note (Pescatore): For enterprises that are in denial, bringing in an outsider to do a security assessment is unfortunately often the only way to convince management there is a problem. This isn't peculiar to the security industry - most of the consulting world exists to tell management the same thing their own people were trying to tell them. But Rik is certainly right that stopping at step four (doing a fearless inventory of yourself) of the 12 step program to becoming more secure is too often what happens. ]
Treasury Dept. Will Outsource Some FISMA Security Evaluations (16 March 2004)
Treasury Department Inspector General Jeffrey Rush Jr. says his office plans to outsource Federal Information Security Management Act (FISMA)-mandated evaluations of non-national security systems. Rush's office lost 70% of its auditing staff last year to the Department of Homeland Security.
Company to Offer Open Source Insurance Policies (16 March 2004)
Taking advantage of a unique market niche, New York-based Open Source Risk Management LLC plans to offer policies to companies that use open-source software but are worried about being sued by SCO.
Plaxo Fixes Phishing Vulnerability (16 March 2004)
Plaxo, an online contacts-management company, says it has fixed a security hole that would have allowed phishers to steal customers' passwords.
Internet Security Threat Report (15 March 2004)
Symantec's most recent Internet Security Threat Report says that while the number of software vulnerabilities has remained fairly constant, they have become more severe and easier to exploit. The report found that viruses increased 250% in the second half of 2003 over the same period in 2002.
Book on Security Holes Includes Some Zero-Day Vulnerabilities (15 March 2004)
A group of security researchers has written The Shellcoder's Handbook: Discovering and Exploiting Security Holes. The book contains instructions for writing code to exploit software vulnerabilities, including several zero-day, or previously undisclosed, vulnerabilities. The book is targeted at network administrators who want to close security holes in their systems. The book is scheduled for release on March 22.
Outsourcing and Data Security (15 March 2004)
Advice for maintaining the security of data when it has been outsourced includes asking to see a security audit, setting up a clean room that prevents workers from taking any data out, limiting workers' access to data, and knowing your workers.
[Editor's Note (Shpantzer): Some DRM vendors make software that allows for post-delivery content restrictions, whether viewing or printing. There are even customized products for portals that focus on sensitive data-entry cubicle-farms, such as those often seen in outsourcing projects. ]
New Zealand Man First to be Charged Under New Crimes Amendment (No. 6) Act (15 March 2004)
A New Zealand man who was granted name suppression is the first person to be charged under the country's Crimes Amendment (No. 6) Act, which imposes stiff penalties for cyber crimes. The charges stem from alleged damage caused to a Maryland company's web site and computer systems. One of the charges the man faces carries a maximum sentence of 7 years in prison; another carries a maximum 2-year sentence. The Crimes Amendment (No. 6) Act passed last year after four years in parliament.
Alleged Software Pirate Fights Extradition to US (14 March 2004)
Hew Raymond Griffiths of New South Wales, Australia is fighting extradition to the US to face piracy charges. Griffiths is allegedly the leader of the DrinkOrDie piracy group. Several US members of the group have been in jail for as long as four years; others are awaiting trial and sentencing. If Griffiths is convicted in the US, he could face a 10-year prison term and a 500,000 USD fine.
VULNERABILITY UPDATES AND EFFECTS
Malicious "Witty" Worm Exploits Firewall Holes and Overwrites Data on Hard Drives (21 March 2004)
[Editor's Note (Tan): If you are running the vulnerable BlackICE version and you have not corrected the problem, you will be infected immediately when you connect your system to the Internet. Imagine trusting the firewall to protect your system from attacks, but the firewall actually causes the damage. This worm spreads like Slammer, fast and destructive, through UDP. And being memory resident, most anti-virus scanners are not able to detect it. From what I have seen, SANS Internet Storm Center is the first site that reported this worm. Johannes Ullrich has done a great job in getting the alert out and elevating to yellow infocon level. ]
Symantec Releases Fixes for Product Vulnerabilities (19 March 2004)
Bagle Variants Q, R, S & T Exploit IE Object Data Remote Execution Vulnerability (19/18 March 2004)
[Editor's Note (Tan): This is going to be a record. Hitting Z soon, so what is the letter after Z? ]
Bagle Variants N, O & P Hide Zip File Password in Graphic File, Seek to Destroy Netsky (16/15 March 2004)
Phatbot Trojan Spreads via P2P Technology, Launches DDoS Attacks and Steals Data (21/18/17 March 2004)
Fixes Available for OpenSSL Flaws (19/17 March 2004)
The flaws affect a number of Cisco products; fixes are available.
Macromedia Releases Patches for Two Vulnerabilities (16 March 2004)
CIS ANNOUNCEMENT OF WINDOWS XP SECURITY BENCHMARK AND FREE TESTING TOOL
March 23, 2004 - The Center for Internet Security ("CIS") announced today the public release of a new Benchmark (v.1.1.3) for Windows XP Professional and an updated Windows Scoring Tool (v.2.1.12). Both the Benchmark and the Scoring Tool are available for download, free of charge, from the CIS web site, www.cisecurity.org.
CIS Benchmarks specify technical security controls that strengthen a system's defenses against malicious attacks. The Benchmarks are unique because security professionals from around the world contribute to the consensus security configuration recommendations. This group of security professionals includes the public/private user community, as represented by CIS member organizations, as well as representatives from participating software vendors.
CIS Scoring Tools evaluate host systems, comparing their security configurations against the Benchmarks. They produce easy-to-understand reports that rate system security on a simple numeric scale.
The CIS Benchmark for Windows XP Professional contains four levels of technical control settings intended for use in XP Professional systems, enabling users to choose the consensus security configuration most appropriate for their particular environments. The four names and security level definitions are consistent with Microsoft's published security configuration guides. The four security levels are:
LEGACY: Settings in this level are designed for XP Professional systems that need to operate with older systems such as Windows NT, or in environments where older third party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system.
ENTERPRISE STANDALONE: Settings in this level are designed for XP Professional systems operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later, and therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact on software applications when applying these recommended XP Professional technical controls.
ENTERPRISE LAPTOP: These settings are nearly identical to the Enterprise Standalone settings, but with modifications appropriate for mobile users whose systems must operate both on and away from the corporate network. In environments where all systems are Windows 2000 or later, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended XP Professional technical controls.
HIGH: Settings in this level are designed for XP Professional systems in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.
The updated CIS Scoring Tool (v2.1.12) checks the conformity of Windows XP Professional operating system configuration as compared to the Windows XP Professional Benchmark (v1.1.3). The tool also evaluates host systems as compared to the CIS Benchmarks for Windows NT and 2000.
The Scoring Tool download package is available via the CIS website at www.cisecurity.org.
The download package contains the CIS Benchmarks, the Benchmark security templates (INF files), the scoring tool, and a detailed users' guide for installation and use of the tool. It also contains 14 other publicly available Windows security templates for selective use.
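To make the scoring idea concrete, here is an added illustration in Python (not CIS code): a toy scorer that parses a constructed secedit-style INF security template, the format the benchmark templates are shipped in, compares it with a constructed host configuration snapshot, and reports a 0-100 score with per-setting findings. The template values, the snapshot, and the percentage scoring rule are assumptions for the example; the actual tool reads the live system and applies its own weighting.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed template fragment in secedit INF syntax (the format CIS ships its
# benchmark templates in). Registry lines read  path=<type>,<data>  with 4 = REG_DWORD
# and 1 = REG_SZ. The values are illustrative, not the CIS benchmark's own.
TEMPLATE_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,"0"
"""

# Constructed host snapshot: what a collector would read from local policy and
# the registry. Two settings are out of line and one is absent on purpose.
HOST_SNAPSHOT: Dict[str, Optional[str]] = {
    "MinimumPasswordLength": "10",
    "PasswordComplexity": "0",
    "LockoutBadCount": "0",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "1",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "3",
    # AutoAdminLogon deliberately absent: an unset value must count as a finding.
}

REG_SZ = "1"  # secedit type code for REG_SZ; other types here are treated as numeric


@dataclass
class Finding:
    name: str
    expected: str
    observed: Optional[str]
    compliant: bool


def parse_template(text: str) -> Dict[str, str]:
    """Map each setting in [System Access] / [Registry Values] to its expected value."""
    checks, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section not in ("System Access", "Registry Values") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if section == "Registry Values":
            reg_type, data = value.split(",", 1)
            value = data.strip('"') if reg_type == REG_SZ else str(int(data))
        checks[name] = value
    return checks


def is_compliant(name: str, expected: str, observed: Optional[str]) -> bool:
    """Benchmark semantics: most settings must match exactly, a few are thresholds."""
    if observed is None:
        return False
    if name == "MinimumPasswordLength":  # a longer minimum still satisfies the check
        return int(observed) >= int(expected)
    if name == "LockoutBadCount":  # 0 disables lockout entirely, so it never passes
        return 0 < int(observed) <= int(expected)
    return observed.strip('"') == expected


def score_host(template: str, snapshot: Dict[str, Optional[str]]) -> Tuple[int, List[Finding]]:
    """Assumed scoring rule: percentage of template checks the host passes, rounded."""
    findings = [Finding(n, e, snapshot.get(n), is_compliant(n, e, snapshot.get(n)))
                for n, e in parse_template(template).items()]
    passed = sum(f.compliant for f in findings)
    return (round(100 * passed / len(findings)) if findings else 0), findings
```

Running `score_host(TEMPLATE_INF, HOST_SNAPSHOT)` on the constructed data yields a score of 50, with the weak complexity setting, the disabled lockout and the missing AutoAdminLogon value listed as the three failing findings.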
In addition to these security resources for Windows XP Professional, CIS also distributes consensus Benchmark and Scoring Tools free of charge for Windows 2000 and NT, Solaris, Linux and HP-UX operating systems, as well as Cisco Router IOS and Oracle Database.
CIS Benchmarks are updated with configuration recommendations that mitigate new vulnerabilities as they are identified. Continuous feedback from users ensures broad consensus regarding the recommended technical controls. More information on CIS, its Benchmarks, and Tools can be obtained from the CIS website, www.cisecurity.org.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/