SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #17
April 28, 2004
TOP OF THE NEWS
Industry Task Force to Vendors: Build More Secure Products!
South Carolina Man First to be Charged Under Cyber Stalking Law
China Postpones WAPI Standard Deadline Indefinitely
International Banking Law Requires Sharing Cyber Attack Details with Auditors and Insurance Companies
Tower Records Reaches Settlement in Security Breach Investigation
THE REST OF THE WEEK'S NEWS
Exploits Circulating for Windows SSL Vulnerability
UK MP Group Looks Into Revising Computer Misuse Act to Cover DoS Attacks
DHS Plans to Establish Secure Network Operation Center with Private Sector
Universities are Looking Beyond Technological Fixes to Improve Cyber Security
International Cybercrime Treaty Raises Civil Liberties Concerns
International Piracy Raids Target Warez Groups
California Panel Recommends Banning Diebold Voting Machines
Alleged Braindumper Not Charged
TCP Threat Exaggerated
India Likely to Pass New Data Protection and Privacy Laws
Military Academy Cadets Participate in Network Defense Exercise
Study: Anti-Spam Technology is Effective
Indiana State University Server Breach
DoD Wants Central Software Assurance Lab
Phishing Scams Increase, New Tactics Emerge
Attackers Deface Indonesian Election Web Site But Fail to Access Data
Should Federal Cyber Security Research Results be Classified?
VULNERABILITY UPDATES AND EFFECTS
eCommerce Security Vulnerabilities
Bagle.Y Spreads Through eMail and Network Shares
NetSky.Z targets Three Education Sites with DDoS Attacks
Trj/Small.B Trojan Exploits Known IE Vulnerability
TCP Exploit Detected
Yahoo Repairs Flaw in its Web-Based eMail System
Cisco Fixes TCP Flaw
SNMP Vulnerability in Cisco Internetwork Operating System (IOS)
NetSky.Y is High-Level Threat
NetSky.X Spreads in a Variety of Languages; Payload Launches DDoS Attacks Against 3 German Web Sites
Buffer Overflow Vulnerability in Linux Kernel
TASK FORCE REPORT
Task Force Report On Industry Security Lapses And Recommendations For Improvements
TOP OF THE NEWS
Industry Task Force to Vendors: Build More Secure Products! (22 April 2004)
An industry task force established at the CyberSummit organized by the US Department of Homeland Security recently issued a report that calls on vendors (including many of the companies that served on the task force) to create products that are more secure out of the box instead of placing the onus of security on the users. The report flies in the face of industry claims that market forces will create more secure products.
[Editor's Note (Paller): Some of the more interesting recommendations are reproduced at the end of this issue of NewsBites. Note especially the first one on the list.
(Schneier): Market forces will create more secure products only when the companies creating the products have some incentive to make more secure products -- such as liability for their insecure products.
(Multiple Editors): Most independent observers have now been persuaded that the vendors and their Washington lobbyists were misleading the nation when they claimed that market forces would solve the security problem. Apparently they were acting selfishly to minimize their costs and maximize their profits at the expense of people who bought their vulnerable software, and in so doing they damaged the nation's ability to protect its critical infrastructure. ]
South Carolina Man First to be Charged Under Cyber Stalking Law (24 April 2004)
A Columbia, SC, man has been arrested on charges of cyber stalking. Robert James Murphy, the first person in the country to be prosecuted under a 1997 law equating obscene email messages with obscene phone calls, pleaded not guilty in US District Court. Murphy was charged with 26 counts of using his computer to "annoy, abuse, threaten and harass" a Seattle woman; he could face up to two years in prison for each count.
[Guest Editor (Detective Greg Roberts of Seattle PD. He is familiar with the case and knows the victim and the investigators/prosecutors.): This case exemplifies the myriad obstacles facing the criminal justice system, both investigative and prosecutorial, in addressing cyberstalking crimes. At the time that Ms. Ligon started receiving these threats, cyberstalking laws were few and far between. She helped change that by advocating for victims to legislatures and law enforcement agencies. The fact that this case got to trial at all is newsworthy. Success thus far in this case is due to the very tenacious, coordinated efforts of Assistant U.S. Attorney; Senior Deputy Prosecuting Attorney Ivan Orton (King County, WA); City of Seattle CISO Kirk Bailey; and not least Joelle Ligon, an unusually tough and articulate woman who refused to be a passive victim and channeled her frustrations into effective efforts to change the system. ]
China Postpones WAPI Standard Deadline Indefinitely (23/22 April 2004)
China will suspend its proposed Wireless LAN Authentication and Privacy Infrastructure (WAPI) standard, which would have required foreign companies to license the technology through Chinese vendors. The standard was perceived as an unfair trade barrier.
[Editor's Note (Pescatore): This is a very good thing. WLAN security standards are already fractured with 802.1x being overly broad, 802.11i taking forever, and WPA/WPA2 being driven by WLAN vendor needs, not enterprise security needs. The last thing we need is yet another wireless security standard.
(Schneier): I am glad to hear this. There are already too many wireless standards out there. It would have been even more confusing to have a separate one that only worked in China. ]
International Banking Law Requires Sharing Cyber Attack Details with Auditors and Insurance Companies (22 April 2004)
To comply with new international banking laws known as the Basel II regulations, UK banks will be required to maintain databases with details of cyber attacks they have suffered over the last three years. The information will be shared with insurance companies and auditors. The banks will have to bear the brunt of the cost of establishing capabilities to log and monitor attacks on their networks. International regulators will step into the picture in 2007.
Tower Records Reaches Settlement in Security Breach Investigation (21 April 2004)
Tower Records has reached a settlement with federal investigators relating to a lapse in security on the music retailer's site that exposed customers' order histories to others. Under the terms of the settlement, Tower Records will "establish and maintain a comprehensive information security program, which will be certified by an independent expert within six months, and biannually thereafter for ten years." Tower must also not misrepresent its security measures; it will be fined $11,000 for each instance in which the settlement is violated.
THE REST OF THE WEEK'S NEWS
Exploits Circulating for Windows SSL Vulnerability (20/26 April 2004)
Windows users are strongly urged to install a recently released patch that addresses vulnerabilities in Windows Secure Socket Layer (SSL) because exploits for the vulnerabilities are reportedly circulating on the Internet. Security professionals expressed concern that a worm could follow.
UK MP Group Looks Into Revising Computer Misuse Act to Cover DoS Attacks (26 April 2004)
The All-Party Internet group (APIG), which is made up of UK MPs (Members of Parliament), is examining how to amend Britain's Computer Misuse Act so that it covers denial-of-service attacks; these are not illegal under the act as it is written. APIG is compiling evidence from parties interested in the issue. The joint vice-chairman of APIG, Richard Allan MP, also wants to look at the possibility that "ethical hacking" should be protected, citing a law which allows defendants to argue that their actions were necessary to prevent something worse from occurring.
[Editor's Note (Ranum): A definition of "ethical hacking" that required (for example) a signed release/consent from the target would be of use to the community. If this is not handled carefully, the existing grey area "I did it for their own good!" remains open. Note that existing laws already cover this quite well. "Authorized user" status would confer with a simple letter. ]
DHS Plans to Establish Secure Network Operation Center with Private Sector (25 April 2004)
The US government hopes to establish a secure network operation center that would gather and analyze data from the various Information Sharing and Analysis Centers (ISACs) and that would be run by the DHS and a civilian contractor. One of the goals of the center is to help the private sector work more closely with the DHS. The government plans to offer private companies Freedom of Information Act exemptions for the sharing of security information.
Universities are Looking Beyond Technological Fixes to Improve Cyber Security (23 April 2004)
A cyber security survey conducted by Educause, a group of higher education IT professionals, found that of the 435 schools responding to the survey, two-thirds required anti-virus software on all computers that belong to their institutions, while only one-third of the schools required the same of students' computers. Schools are increasingly looking beyond merely technological fixes to "softer" areas such as involving university administration and developing security policies and procedures.
[Editor's Note (Pescatore): Actually, we're seeing universities finally moving *towards* "merely technological fixes" and away from just those "softer" areas, like policies and procedures that actually don't stop anything. Not only have universities been getting hit with RIAA and SPA letters about music and pirated software servers on their networks, they've been finding out that most of their need to expand their network capacity has been driven by illegal activities eating up the majority of their bandwidth. Security spending by universities and school systems is one of the highest growth verticals. ]
International Cybercrime Treaty Raises Civil Liberties Concerns (23 April 2004)
Civil libertarians have expressed concern about the implications of an international cyber crime treaty that they believe could require the participating countries to violate people's civil liberties at the request of other countries. The Council of Europe's Convention on Cybercrime aims to coordinate cybercrime laws between countries. Signatories would have to enact laws allowing government Internet surveillance, search and seizure of email and computer records as well as requiring ISPs to maintain logs related to investigations. One of the treaty's provisions requires countries to provide "mutual assistance" to other countries by using those powers to help conduct investigations across borders. Supporters of the treaty say the way it is written would prevent the abuse of the power of request.
[Editor's Note (Schultz): The provisions of this treaty do indeed sound draconian from a civil liberties standpoint. At the same time, however, the provision requiring mutual assistance in dealing with investigations that cross countries' borders is the type of thing that will greatly facilitate dealing with international cybercrime. ]
International Piracy Raids Target Warez Groups (23/22/21 April 2004)
Law enforcement officials around the world conducted 120 raids in 10 countries and 27 US states against web sites suspected of distributing pirated software, movies and music. Authorities took down the suspect sites and seized computers; as yet, no arrests have been made.
California Panel Recommends Banning Diebold Voting Machines (26/23/22 April 2004)
California's Voting Systems and Procedures Panel has unanimously recommended that the state not use the 15,000 Diebold electronic voting machines in the November election; the machines were used in the March primary and had numerous problems. This particular recommendation affects just four California counties; the panel will make a recommendation about machines used in 10 other counties this week. California Secretary of State Kevin Shelley has the final word in the situation. Other states have found problems with other vendors' products as well.
[Editor's Note (Schultz): It's good that momentum is building for banning the use of voting systems with serious security flaws. I've read that Diebold has even apologized for the flaws in its systems. ]
Alleged Braindumper Not Charged (22 April 2004)
Garry Neale, the Texas man whose assets were seized nearly two years ago as part of an investigation of a "braindumping" complaint from Microsoft, has had those assets returned by court order. The complaint alleged that by selling Microsoft certification examination questions, Neale had violated Texas statutes regarding the theft of trade secrets. Neale's attorneys successfully argued that his assets should be returned to him because of defects in the original search warrants -- most notably lack of probable cause as there was no evidence that the questions were trade secrets. No charges have been filed against Neale.
TCP Threat Exaggerated (21 April 2004)
Paul Watson, the man credited with discovering a flaw in the TCP protocol that allows communications sessions to be blocked, says that reports have exaggerated the threat the vulnerability poses to the Internet.
India Likely to Pass New Data Protection and Privacy Laws (21 April 2004)
India's National Association of Software and Service Companies (NASSCOM) believes that the Indian parliament will pass new data protection and privacy laws. The new laws should quell foreign companies' concerns about the security of the work they outsource to businesses in India.
Military Academy Cadets Participate in Network Defense Exercise (21 April 2004)
A number of military academies, including West Point and the US Naval Academy, will take part in a four-day computer network defense exercise. The National Security Agency (NSA) will be behind the "attacks." The exercise is one of defense, hence "hacking back" and creating DDoS monsters is off limits. The exercise will run 24 hours a day despite the fact that cadets have to be in bed by 11:30pm.
Study: Anti-Spam Technology is Effective (21 April 2004)
An IDC study indicates that using anti-spam technology can significantly reduce the amount of spam received. The study found that in a company with 5,000 email users, anti-spam systems saved the company more than $780,000 (USD) and reduced the amount of time employees spent dealing with email by 50%.
Indiana State University Server Breach (21 April 2004)
Someone breached the security of a server at Indiana State University's Office of Strategic Planning, Institutional Research and Effectiveness. While it is not known if the intruder gained access to the data contained on the server, university officials plan to send letters to the 30,000 students and 5,000 faculty and staff members whose information may have been compromised. The server has been taken off line, the university's Office of Information Technology is investigating the incident and the university is sharing fraud alerts with credit bureaus.
DoD Wants Central Software Assurance Lab (20 April 2004)
Cyber security managers in the Defense Department want Donald Rumsfeld to create a virtual high assurance software laboratory for the whole department. The goal is to "create a single organization responsible for software integrity and information assurance." Presently labs scattered across the country do software certification.
Phishing Scams Increase, New Tactics Emerge (23/20/19 April 2004)
The number of phishing scams circulating on the Internet has increased dramatically over the last six months. eMail security company MessageLabs detected 279 phishing emails in September 2003; in January 2004 the number grew to 337,050 and fell back to 215,643 in March. Phishers are regularly coming up with new angles to trick people into revealing personal information or allowing Trojans and keystroke loggers to be downloaded onto their machines. The Federal Deposit Insurance Corporation has warned banks about a phishing email that appears to be from the FDIC; this particular scam claims the FDIC has teamed with credit card companies to provide a program that protects those who enroll from credit card fraud.
Attackers Deface Indonesian Election Web Site But Fail to Access Data (20 April 2004)
Attackers defaced Indonesia's General Election Commission website, replacing the names of many of the various parties with nonsense names. Evidence indicates that the attackers also tried to access the site's data and recovery centers but were unsuccessful.
Should Federal Cyber Security Research Results be Classified? (19 April 2004)
DARPA and DHS officials at the president's ITAC meeting disagreed about whether or not results of federal cyber security research should be classified. DARPA officials spoke in favor of keeping the results classified as weapons are more and more using networks to communicate -- therefore the networks need to be protected. DHS officials, on the other hand, favor making the results public because it would then benefit privately held critical infrastructure.
[Editor's Note (Pescatore): I know, let's put export controls on security findings! Maybe have a government approved chip that implements Deep Packet Inspection! We'll call it the Blipper chip. Sheesh, haven't we learned yet that the US has no monopoly on computer security smarts?
(Schneier): Haven't we already learned this lesson? Classifying cyber security research is just plain dumb. ]
VULNERABILITY UPDATES AND EFFECTS
eCommerce Security Vulnerabilities (26 April 2004)
This article discusses a variety of ecommerce security vulnerabilities, including SQL injection, cross-site scripting, price manipulation and buffer overflows. The author describes how each can be exploited and touches briefly on countermeasures.
Bagle.Y Spreads Through eMail and Network Shares (26 April 2004)
NetSky.Z targets Three Education Sites with DDoS Attacks (23 April 2004)
Trj/Small.B Trojan Exploits Known IE Vulnerability (23 April 2004)
TCP Exploit Detected (23 April 2004)
Yahoo Repairs Flaw in its Web-Based eMail System (22 April 2004)
Cisco Fixes TCP Flaw (22 April 2004)
SNMP Vulnerability in Cisco Internetwork Operating System (IOS) (21 April 2004)
NetSky.Y is High-Level Threat (21 April 2004)
NetSky.X Spreads in a Variety of Languages; Payload Launches DDoS Attacks Against 3 German Web Sites (20 April 2004)
Buffer Overflow Vulnerability in Linux Kernel (19 April 2004)
TASK FORCE REPORT
Task Force Report On Industry Security Lapses And Recommendations For Improvements
The report on Technical Standards, released by one of the CyberSummit Task Forces established and supported by ITAA, BSA, and TechNet, contains some of the most illuminating and useful information ever published by the vendor community. For the first time, the vendors have defined the most important security errors they have made (and continue to make). These are fundamental errors that are causing extreme pain and high cost for users. The admissions that the vendors are making such mistakes, and that the mistakes must be corrected, are the essential first steps in improving cybersecurity in America.
ITAA, BSA, and TechNet deserve the nation's hearty approbation for taking the high road in allowing this report to be published. The report's admissions demonstrate a new level of acceptance of responsibility for security problems, on behalf of their association members - the large software and hardware vendors. It suggests the beginning of a new era of closer cooperation between vendors and users in solving the difficult problems outlined in the report.
To make good on this refreshing commitment to improve the security of the products, vendors of cyber software and hardware need to follow through on each of the recommendations they made.
The Task Force listed the following needs for improvement in vendor practices relating to software security:
1. Devise more realistic security testing of their products in real-world situations.
[According to the task-force report, "All too often, product testing is done in a lab setting that almost never reflects how the products will actually be deployed in a user's environment." ]
2. Take a more proactive role in the development of and collaboration on product security recommendations.
3. Provide more substantive security recommendations, configuration checklists, best practices, assumptions, dependencies, and considerations in their product documentation.
4. Work with their ISVs, IHVs and OEMs to better certify common security configurations impacting a set of products rather than developing secured configurations in isolation.
5. Develop baseline security recommendations (if applicable) that apply to all user communities or environments. These could serve as the foundation for more comprehensive sets of recommendations that may apply only to specific risk profiles or product combinations.
6. Take a more proactive role in the development of and collaboration on product security recommendations.
7. Make every attempt to ensure that products that are configured in accordance with their security configuration recommendations are left in a vendor-supported state.
8. Clearly delineate the product versions for which the security configuration recommendations apply, and maintain product security recommendations as products are patched, updated or enhanced.
9. Ensure that security recommendations are available at or near the actual product launch date.
[The Task Force report goes on to say, "Many times such recommendations are provided well after the product has been deployed in many environments leaving those users in a potentially vulnerable state for weeks or even months." ]
10. Leverage heightened forms of collaboration with user communities and government organizations, where possible, to improve the security capabilities and out-of-the-box security posture of their products.
11. Endeavor to provide both secure and supported product configurations. Vendors should not hide behind claims of unsupportability but instead actively participate in the development of supported baseline security configurations and recommendations for their products.
12. Collaborate more directly with their user communities to better determine what changes are commonly made to their products during or immediately after installation to improve upon their out-of-the-box security posture. Using this information, vendors may be able to change default configuration parameters to make products more secure by default.
13. Make secure by default a product release requirement.
14. Provide stronger out-of-the-box security configurations and/or provide supported capabilities and tools that simplify and automate the process of securing their products.
15. Vendors that deliver products supporting multiple installation or risk profiles should provide and support at least one configuration profile that implements a baseline level of security. This option should be the default. A user installing the product should be able to override this option based on specific site policies and requirements.
16. More clearly document the out-of-the-box security risks and assumptions for their products including any external dependencies that may exist such as requirements for the device to exist only on a "private network." Vendors should provide recommended (secure) deployment scenarios as part of product documentation.
17. Develop awareness plans to educate users and vendors about the risks of out-of-the-box security configurations and the need to tune the security configuration of products for their specific security policies, requirements and risk profiles.
18. Respect the installed security configuration of products when patches are applied or upgrades performed. Where possible, such user configurable settings should not be overwritten thereby possibly degrading the security posture of the upgraded product.
19. Include with their products, a tool or capability that allows a user to quickly and easily report on the security posture of the installed product. This information can then be used to identify common security configuration changes and to help simplify ongoing security administration and management.
20. Perform quality assurance and functional testing of their products using baseline security configurations commonly used by their customers. To be effective, however, consumers, user groups and the U.S. Government should collaborate with vendors on the development of these common security configurations.
21. Provide baseline security assessment or management capabilities with their products. Individual products should, either natively or in conjunction with another tool, evaluate the deployed configuration of a product against a set of baseline recommended practices reporting any inconsistencies detected. Such tools can be very useful in detecting common product configuration errors or baseline product-specific security risks. Organizations looking for more comprehensive capabilities could then deploy a security policy and/or vulnerability management product.
22. Provide stable and documented interfaces for managing the configuration of their products. As part of this effort, users should encourage the use of standard protocols and formats where possible so that a given vendor's product is able to easily integrate into an organization's security and policy management infrastructure.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Guest Editor: Eugene Spafford