SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #13
March 31, 2004
TOP OF THE NEWS
The Indirect Costs of Security Breaches
Study: The Effect of Malware on European Small Businesses
Stolen GMAC Financial Services Laptops Contain Unencrypted Customer Data
California Man Indicted for Placing Keystroke Logger on Employer's Computer
30% of Companies Surveyed Had "Serious" Malware Infection in 2003
THE REST OF THE WEEK'S NEWS
Proof-of-Concept Exploits for Cisco Released
Network Security Group Releases Information Sharing Spec
DHS CIO's Priorities Include Information Sharing and Data Security
Microsoft Ships Office Accelerator for Sarbanes-Oxley
Sender Policy Framework Fights Spam
Executives Could Face Liability for Inadequate Security
US Lawmakers Address Illegal File Sharing
High-Speed Internet Access Company Customer Data Leaked
Report: Asia-Pacific Network Security Market Growth Predicted
Dial-Up Connections Impede Software Updates
Interior Department Back On Line - For Now
Australian Court Magistrate Blocks Extradition Attempt
Microsoft's Patch Assurance Security Service
Chinese Government Bans Internet Cafes Near Schools
Educating Programming Students Could Improve Software Security Down the Road
OASIS Releases PKI Action Plan
Dutch Man Receives Ten Year Sentence for Internet Extortion
Vendors Express Concerns with Spyware Bill
Trial of Blaster.F Author Begins in Romania
RIAA Files More Lawsuits Against Alleged File Sharers
RIAA Web Site Downed by MyDoom Variant
Lieberman Questions DHS
Accounting and Insurance Group Developing Cyber Risk Index
Routing Protocol Security
VULNERABILITY UPDATES AND EFFECTS
Analysis: Rapid Witty Release, Spread Indicates Patching Model is Flawed
Another Bagle Variant Detected
NetSky.Q Launches DDoS Attacks Against Several Sites
Mywife Virus, Snapper Worm Detected
Apparent Server Breach at GNOME Delays Release of GNOME 2.6
Cross-Site Scripting Vulnerability in Web Based E-Mail Services
Apache HTTP Server 2.0.49 Fixes Denial of Service and Terminal Emulator Exploits
This Week's Featured Security Training Program:
We have added ten new conferences between May and July. In the US: Colorado Springs, Chicago, Baltimore, Kansas City (Overland Park), Denver and Minneapolis.
Plus Munich, Germany (late April) and Melbourne and Gold Coast Australia, Vancouver, Canada, and London, England.
Find details at http://www.sans.org
TOP OF THE NEWS
The Indirect Costs of Security Breaches (29 March 2004)
Companies that suffer security breaches incur both direct costs, such as lost productivity and overtime pay for those cleaning up the breach's aftermath, and indirect costs, such as loss of customer confidence, lost sales and legal liabilities. A group of researchers at the University of Maryland's Smith School of Business studied the effects of security breaches on the value of companies in the stock market. Problems in which companies' systems were hit with worms, viruses or denial-of-service attacks appeared to have no effect on a company's stock market value. However, breaches that exposed personal data did appear to have a negative impact on the companies' stock market value.
[Editor's Note (Schultz): This could very well be a landmark study. Organizations do not really assess the direct cost of security-related incidents very well in the first place, but they are often not at all aware of the indirect costs of incidents. This study promises to sensitize organizations to the type and amount of indirect costs associated with incidents. ]
Study: The Effect of Malware on European Small Businesses (29 March 2004)
According to research from McAfee Security, 22% of Europe's small businesses (those with fewer than 20 employees) have had to temporarily shut down in order to recover from malware attacks. The average cost of cleaning up from the attacks, including lost income, is 5,000 EUR. McAfee's data came from a survey of 500 companies in Italy, Spain, France, Germany, The Netherlands and the UK.
Stolen GMAC Financial Services Laptops Contain Unencrypted Customer Data (25 March 2004)
Two laptops stolen from the car of a GMAC Financial Services employee contained personal data, including names, Social Security numbers and credit scores, belonging to more than 200,000 people. The data is password-protected but not encrypted. GMAC Financial Services is contacting the affected customers, warning them that their personal information may have been compromised and advising them to place fraud alerts on their credit files.
[Editor's Note (Shpantzer): Customers with compromised accounts should at least get free credit monitoring, not just a notification letter. ]
California Man Indicted for Placing Keystroke Logger on Employer's Computer (24 March 2004)
A federal grand jury last week indicted Larry Lee Ropp for intercepting electronic communication. Ropp allegedly installed a keystroke logger on a manager's computer while still employed at Bristol West Insurance Group/Coast National Insurance Company. Ropp claims he was collecting data under the auspices of the California Department of Insurance in connection with a class action lawsuit against Bristol; the Department of Insurance maintains it did not authorize Ropp's activity. Regardless of his intentions or affiliations, Ropp's alleged actions were illegal. If convicted, he could face up to five years in prison.
[Editor's Note (Shpantzer): See these links for a fascinating case of legal use by the FBI of a keylogger system in convicting Philadelphia mobster Nicodemo Scarfo. There was some controversy as to whether keyloggers are wiretaps or searches. We might see the Scarfo verdict referenced in Ropp's case. Overall Scarfo case information:
30% of Companies Surveyed Had "Serious" Malware Infection in 2003 (22 March 2004)
A study from ICSA Labs found that 30% of the 300 companies surveyed said they had a serious computer virus outbreak in 2003, double the figure for 2002. A serious outbreak was defined as one in which 25 or more PCs were infected with the same virus at the same time. Disaster recovery costs rose to about 100,000 USD per incident in 2003. ICSA content security programs manager Larry Bridwell says that 2004 could be even worse. Everyone must take their responsibilities seriously; companies need to be proactive about network security and employee education, vendors need to provide more secure software and antivirus companies need to develop and use more effective heuristics.
THE REST OF THE WEEK'S NEWS
Proof-of-Concept Exploits for Cisco Released (29 March 2004)
A group of grey-hats has released proof-of-concept code for exploiting nine vulnerabilities in Cisco Systems' networking kit. The flaws were already known and Cisco is encouraging customers to install the available upgrades and workarounds.
Network Security Group Releases Information Sharing Spec (29/26 March 2004)
The Regional Alliance for Infrastructure and Network Security (RAINS) has released the Open Specification for Sensitive Information Sharing. RAINS aims to develop a standards-based infrastructure that will allow organizations to share information securely across heterogeneous networks.
DHS CIO's Priorities Include Information Sharing and Data Security (29 March 2004)
Department of Homeland Security CIO Steven Cooper says that among his department's top priorities are information sharing, IT infrastructure integration and data security. The DHS hopes that by the end of this year its six WANs will be consolidated into one network for both classified and unclassified information. The DHS has also "developed a five-year plan to create a unified information security infrastructure," addressing concerns in the DHS Inspector General's report that just 42% of DHS systems have security plans, 37% have been certified and accredited and 39% have undergone a risk assessment.
[Editor's Note (Tan): Five years is a bit too long. Security is dynamic. Probably long before the five years have passed, DHS will need a major revision. ]
XML Security (29 March 2004)
Though the use of XML and web services applications is growing, many companies are not aware of the security risks they pose. The risks are likely to increase as web services expand beyond internal applications and trusted partners.
[Editor's Note (Schultz): XML-related security concerns have indeed largely been overlooked so far. An XML document can override a pointer to its Document Type Definition (DTD), enabling a perpetrator to create a malicious XML document to send in lieu of the original XML document. A perpetrator could also create an excessively large XML document, causing denial of service in the receiving system. These are just two of the many potential abuses of XML. ]
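An added example (not from the article or the editor's note) of the pre-parse checks a receiving service can apply to untrusted XML: refuse any DOCTYPE, so the document can neither point at nor redefine its DTD and cannot declare entities, and cap the size before the real parser runs. The sample documents are constructed, and the system identifiers in the external-entity sample are placeholders.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_XML_BYTES = 1_000_000  # cap chosen for this example; size it for your own payloads


class UnsafeXML(ValueError):
    """Raised when an untrusted document fails the pre-parse checks."""


def check_untrusted_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> None:
    """Raise UnsafeXML if the document is oversized, carries a DOCTYPE or
    entity declaration, or is not well-formed. Nothing is expanded or fetched:
    the handlers abort the scan the moment a DTD is announced."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document is {len(data)} bytes, cap is {max_bytes}")

    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for both an inline subset and an external DTD pointer.
        raise UnsafeXML(f"DOCTYPE for <{name}> rejected (system id {sysid!r})")

    def reject_entity(name, *_unused):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    except expat.ExpatError as exc:
        raise UnsafeXML(f"not well-formed: {exc}") from exc


def parse_untrusted_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> ET.Element:
    """Run the checks, then hand the document to the standard parser."""
    check_untrusted_xml(data, max_bytes)
    return ET.fromstring(data)


def is_safe_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> bool:
    try:
        check_untrusted_xml(data, max_bytes)
        return True
    except UnsafeXML:
        return False


# Constructed sample documents (not taken from any real system).
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="3"/></order>'
# Points at an external DTD and declares an external entity; the system
# identifiers are placeholders, not real locations.
EXTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE order SYSTEM "http://dtd.example/PLACEHOLDER.dtd" '
                b'[<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
                b'<order>&ext;</order>')
# A few bytes of nested entity declarations that would expand to far more text.
EXPANDING = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE order [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
             b'<order>&b;&b;&b;&b;</order>')
OVERSIZED = b'<order>' + b'<item/>' * 200_000 + b'</order>'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).get("id"))       # 42
    for sample in (EXTERNAL_DTD, EXPANDING, OVERSIZED):
        print(is_safe_xml(sample))                      # False for each
```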
Microsoft Ships Office Accelerator for Sarbanes-Oxley (29 March 2004)
Microsoft has shipped the Office Solution Accelerator for Sarbanes-Oxley, which will help companies comply with the Act's internal financial controls documentation and review requirements. The Accelerator includes tools, templates and best practices guides and is available at no charge to customers.
Sender Policy Framework Fights Spam (29/22 March 2004)
These articles provide a detailed explanation of how the Sender Policy Framework helps prevent spam from being sent. SPF has been submitted to the Internet Engineering Task Force for consideration as a standard.
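An added example (not from the articles or from any SPF implementation) of how a receiving mail server evaluates a domain's published SPF record against the IP address that connected to deliver the message. The domains and records are constructed and stand in for DNS TXT lookups; only the ip4, ip6, include and all mechanisms and the redirect modifier are handled.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups; the domains are documentation names.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example.com": "v=spf1 redirect=example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The record cannot be evaluated; receivers treat this as an error, never as a pass."""


def check_spf(ip: str, domain: str, records=RECORDS, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none for a connecting IP and the
    domain of the envelope sender. Mechanisms that need further DNS queries
    (a, mx, ptr, exists) raise PermError in this offline example."""
    if depth > 10:
        raise PermError("too many nested include/redirect evaluations")
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:  # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if sender.version == network.version and sender in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
        else:
            raise PermError(f"mechanism {name!r} needs DNS; not handled here")
    if redirect:
        return check_spf(ip, redirect, records, depth + 1)
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.5", "example.com"), ("203.0.113.5", "legacy.example.com")]:
        print(ip, domain, check_spf(ip, domain))
```

A receiver that gets "fail" for a forged sender can reject the message at the SMTP transaction, which is the mechanism by which SPF stops spam sent under a domain that has published a strict record.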
Executives Could Face Liability for Inadequate Security (28 March 2004)
Some security and legal experts say that executives could face civil and criminal penalties for failing to adequately protect their computer networks. A portion of the Sarbanes-Oxley Act requires that executives vouch for the adequacy of their internal controls; auditors are starting to count cybersecurity among those controls. The Gramm-Leach-Bliley Act has already had similar repercussions; the Federal Trade Commission (FTC) brought action against drug manufacturer Eli Lilly for inadvertently disclosing e-mail addresses of some of its customers who were using Prozac. In addition, a Maine state panel ruled that Verizon Communications should have known it would be vulnerable to last year's Slammer worm and therefore had to make infrastructure payments to the state even while its network was down.
US Lawmakers Address Illegal File Sharing (27 March 2004)
US legislators are taking aim at people who violate copyrights by sharing music files on peer-to-peer networks. The draft legislation in the House would lower the burden of proof for the Justice Department to "pursue criminal prosecution." It would also impose fines and prison sentences of up to 10 years. A bill introduced in the Senate would allow the Justice Department to bring civil cases against those sharing files.
High-Speed Internet Access Company Customer Data Leaked (26 March 2004)
High-speed Internet access wholesaler ACCA Network Co. has confirmed that some customer data was leaked in spring 2003. The company says that data on at least 201 customers was definitely leaked, and cannot "rule out the possibility" that data on all 1.4 million present and past customers was compromised.
Report: Asia-Pacific Network Security Market Growth Predicted (26 March 2004)
A report from consulting firm Frost and Sullivan predicts that the network security market in the Asia-Pacific region will grow by 13.9% a year over the next three years, from 753.6 million USD this year to 994 million USD in 2006. Banking and finance will account for the largest share of that market, followed by government agencies.
Dial-Up Connections Impede Software Updates (26 March 2004)
Scott Granneman observes that for people who have dial-up modems, downloading patches and updates for their operating systems is a monumental task. He points out that the Windows Security Update CD, available free from Microsoft, is by and large a very good thing.
[Editor's Note (Grefer): While this CD definitely is helpful in the U.S., Granneman's argument is not as valid as it would be in a European environment. Most consumers in the States pay a flat fee for unlimited local calls, thereby virtually eliminating the cost associated in countries like Germany with such huge downloads. ]
Interior Department Back On Line - For Now (26/25 March 2004)
The US Court of Appeals for the District of Columbia Circuit has allowed the Interior Department to reconnect to the Internet until the court hears the case, temporarily voiding an order from the US District Court for the District of Columbia. A federal judge had ordered most of the Department's systems removed from the Internet on March 15 because security problems that affected Indian trust-fund payments had not been fixed.
Australian Court Magistrate Blocks Extradition Attempt (25 March 2004)
Australian Local Court Magistrate Daniel Reiss has blocked US federal prosecutors' attempt to extradite Hew Raymond Griffiths to face charges of criminal copyright infringement. Griffiths is allegedly a ringleader of the DrinkOrDie software piracy group. The charges Griffiths faces in the US could bring him 10 years in prison and a fine of as much as 500,000 USD if he is convicted. Reiss said the extradition attempt did not provide enough specific information about Griffiths's activities. Reiss also said the alleged offenses occurred in Australia, and that Griffiths was never a fugitive.
Microsoft's Patch Assurance Security Service (25 March 2004)
Companies participating in Microsoft's Patch Assurance Security Service will receive free security audits. The goal of the program, which Microsoft is offering to its enterprise customers, is to encourage patch management best practices and increase the number of users who regularly apply software updates.
Chinese Government Bans Internet Cafes Near Schools (25 March 2004)
The Chinese government has banned Internet cafes from operating within 200 meters of residential areas or schools. The government is concerned about young people being exposed to "unhealthy online information." There are already rules in place prohibiting minors from entering Internet cafes, but many are believed to ignore those rules. China's General Administration for Industry and Commerce (GIAC) has warned that businesses caught flouting the rules would face stiff penalties.
Educating Programming Students Could Improve Software Security Down the Road (25 March 2004)
Speaking at the FOSE conference on government technology, deputy director of DHS US CERT Lawrence Hale said that the problem of worms and viruses could in part be dealt with if computer programming students were taught to develop software in accordance with methods known to eliminate vulnerabilities.
[Editor's Note (Paller): The lack of such training is a scandal - especially given the number of schools that are being named by the US government as Centers of Excellence, but where security is an afterthought for the computer science students. We conducted a survey of more than 100 computer science department heads. In all but a tiny number of schools, secure programming is not explicitly taught or it is offered as a stand alone, optional course. That's the equivalent of making safety skills optional for pilots. It is time for employers to stop coddling colleges and demand that they teach safe programming as part of the required curriculum.
(Ranum): I find it ironic when you couple this concept with the fact that consistently books on how to HACK computers or write trapdoors, rootkits, or malware sell MUCH better than books on how to secure computers. I think the programming students are learning about security. Just not the right kind. ]
OASIS Releases PKI Action Plan (25 March 2004)
The Organization for the Advancement of Structured Information Standards (OASIS) has released its PKI Action Plan. The adoption of PKI has been hindered by incompatible standards, difficulties with implementation and legacy system integration.
Dutch Man Receives Ten Year Sentence for Internet Extortion (24 March 2004)
A Dutch court has sentenced a man to ten years in prison on blackmail and attempted murder charges. The man poisoned desserts produced by Campina, a dairy company, and tried to extort 200,000 EUR. He ordered Campina to place the money in a bank account, get a credit card for the account and use a card reader to harvest data from the card's magnetic stripe. He then had the company put that information together with the card's PIN into a picture using steganography and post it on the Internet. The man downloaded the picture with the hidden information from his home computer using an anonymity service, which cooperated with Dutch police and the FBI to uncover the man's identity.
Vendors Express Concerns with Spyware Bill (24 March 2004)
At a Senate Commerce, Science and Transportation Communications Subcommittee hearing, IT vendor representatives voiced concerns about the recently introduced legislation that would ban spyware. Some of the witnesses expressed concern that making information-collecting software illegal could have a negative impact on future technologies. Unless the problem posed by spyware is very clearly defined, other "essentially harmless" technologies could be outlawed.
Trial of Blaster.F Author Begins in Romania (23 March 2004)
The trial of Dan Dumitru Ciobanu, the Romanian man charged with spreading Blaster.F last summer, has commenced. The case is significant because it will be a test for tough new Romanian cybercrime laws. If convicted of the charges against him, Ciobanu will face a prison sentence of between 3 and 15 years.
RIAA Files More Lawsuits Against Alleged File Sharers (23 March 2004)
The Recording Industry Association of America (RIAA) has filed lawsuits against 532 individuals, including 89 people at universities across the country, for illegally sharing music files. The individuals in the case are anonymous; the RIAA hopes to uncover their identities through the courts.
RIAA Web Site Downed by MyDoom Variant (23/25 March 2004)
The Recording Industry Association of America's (RIAA) web site was down for at least five days in a row last week; the outage is thought to have been caused by a variant of MyDoom that targeted the RIAA site with a distributed denial-of-service (DDoS) attack. Late last week the site was intermittently available, and it is now running an alternative to Microsoft IIS 6.0.
Lieberman Questions DHS (23 March 2004)
In a letter to DHS Secretary Tom Ridge, Senator Joseph Lieberman (D-Conn.) maintains that "far too little progress has been made" in the Department's efforts to implement the National Strategy to Secure Cyberspace, a responsibility which falls to the DHS. The letter asks for specific explanations of DHS efforts to secure the Internet and digital control systems and to improve the quality of software being produced. Lieberman also asked for clarification about the purposes of US CERT and the Cyber Warning and Information Network and their respective relationships to the extant CERT/CC at Carnegie Mellon University and the Early Warning Alert Network recently proposed by the National Cyber Security Partnership.
Accounting and Insurance Group Developing Cyber Risk Index (22 March 2004)
The Global Security Consortium (GSC), which at present includes the accounting firms PricewaterhouseCoopers, Ernst & Young, Deloitte & Touche LLP and KPMG International and the insurance company AIG International Inc., is developing the Risk Preparedness Index (RPI). The Index was initially intended for use within the insurance and accounting industries, but may now have a broader focus. The GSC is talking with industry groups like The Open Group standards body in an effort to gain endorsements.
Routing Protocol Security (March 2004)
Though organizations address security through the use of VPNs, intrusion detection systems and firewalls, routing protocols are often neglected. Once an attacker has compromised a router, it can be used to conduct man-in-the-middle attacks, altering data that is sent or "injecting" phony traffic into the network. Routers can also be targeted by DDoS attacks. Advice for defending against these problems includes the use of routing filters and cryptographic authentication of routing protocol peers.
VULNERABILITY UPDATES AND EFFECTS
Analysis: Rapid Witty Release, Spread Indicates Patching Model is Flawed (29/26/24 March 2004)
Witty has also reportedly disrupted service at several web-hosting companies.
Another Bagle Variant Detected (26 March 2004)
Bagle.U requires users to launch an executable attachment in order to become infected.
NetSky.Q Launches DDoS Attacks Against Several Sites (29 March 2004)
Netsky.P Spreading (25 March 2004)
Mywife Virus, Snapper Worm Detected (25 March 2004)
Apparent Server Breach at GNOME Delays Release of GNOME 2.6 (24 March 2004)
Cross-Site Scripting Vulnerability in Web Based E-Mail Services (23 March 2004)
Apache HTTP Server 2.0.49 Fixes Denial of Service and Terminal Emulator Exploits (23 March 2004)
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit