SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #34
August 25, 2004
If you have a SANS Roadmap to Network Security 2004 poster around the office and want to win $50 or $100, please send updates to any of the sections, to email@example.com, subject Roadmap updates. The ten best will win financial prizes. Complete ideas only, with urls and suggested text. Deadline September 15.
The contest applies to the "Roadmap to Network Security" side, not to the "Security Tools and Services" side. We have a wonderful new tools poster coming to you that shows all the key elements of a defense in depth, and even provides short lists of tools that have proven to work effectively for each element. You will get the new poster only if we have your surface mail address on file. Please go to portal.sans.org today and ensure your mailing data is current.
TOP OF THE NEWS
London Internet Exchange Members Adopt Code of Practice to Thwart Spammers
Yankee Group Study Suggests Most Large Companies will Outsource Security by End of the Decade
Study: Organizations Not Taking Mobile Device Security Concerns to Heart
WINDOWS XP SP2 NEWS
Some Universities are Displeased with XP SP2 Release Timing
Flaws Found in XP SP2
Windows XP SP2 Now Available to Home Users
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Court Says Morpheus and Grokster are Not Liable for Their Customers' Activity
RIAA Suits Against Individuals Proceeding
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Says Security Configuration Checklist Program Will be Ready Before the End of the Year
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
AOL Looking Into Flaw that Exposed Users' Portfolios to Others
Oracle is Moving to Monthly Patch Release Schedule
New Download.Ject Variant Spreads Through AOL Instant Messenger and ICQ
Cisco Releases an Advisory and a Patch for Router Software Flaw
Yahoo Fixes Cross-Site Scripting Vulnerabilities in eMail System
Cyberharassment Q & A
Japanese Bank to Use RFID Document Management System
Marketing Ploy Turns Virus Hoax
Internet Storm Center Survival Time Confirmation Prompts University to Quarantine Inadequately Patched Computers
Researchers Describe Flaws in Encryption Algorithms
Opinion: Call to Ban Portable Storage Media Misses the Point
Microsoft Announces $1 Million for Secure Computing Curriculum Development
*************************** Sponsored by NetIQ **************************
FREE audiocast: Join noted information security expert and SANS trainer, Eric Cole, for NetIQ's free audiocast, "10 Ways to More Effectively Secure Active Directory" on August 26th, 12:30pm CST. Get the tips you need to achieve higher levels of security in your day-to-day Active Directory operations. Register now for this informative event.
Featured Training Program of the Week
Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.
That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four different topics, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather), and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference.
TOP OF THE NEWS
London Internet Exchange Members Adopt Code of Practice to Thwart Spammers (18 August 2004)
Internet Service Providers (ISPs) that belong to the London Internet Exchange (LINX) have approved "a code of practice" to shut down web sites that are advertised by spam, even when the spam itself comes from a third party or another network. LINX also would like to see ISPs take down web sites that sell spamming tools. LINX hopes to spread the standard across the globe in a concerted effort to put spammers out of business. LINX boasts 150 members, including most major ISPs in the UK as well as some in continental Europe, the US and Asia.
[Editor's Note (Schultz): If the rest of the world were to follow the LINX's lead, spam would be far less of a problem than it is now.
(Ranum): Since it costs about $80 to commission a 1.5-million-recipient spam, this makes for an effective denial-of-service attack. Simply spam out a message on behalf of your target. Of course this is not a new attack vector. Such attacks have been possible for years; this just raises the ante. ]
Yankee Group Study Suggests Most Large Companies will Outsource Security by End of the Decade (23 August 2004)
According to a Yankee Group study, nearly 90% of big US companies will outsource security by 2010. Apart from the cost savings, the reasons companies are moving toward outsourced security include the fact that attacks are arriving more and more swiftly, giving companies little time to put appropriate defenses in place. In addition, companies need to focus on compliance with HIPAA and Sarbanes-Oxley regulations. Finally, it is becoming more difficult to describe network perimeters.
Study: Organizations Not Taking Mobile Device Security Concerns to Heart (20 August 2004)
According to a study from Forrester Research, most organizations have not put mobile device management systems in place despite the security threats the devices pose. Of the companies surveyed for the study, only 9% had deployed systems to manage mobile devices; an additional 20% were piloting or planned to deploy a management plan.
WINDOWS XP SP2 NEWS
Some Universities are Displeased with XP SP2 Release Timing (23 August 2004)
The timing of Windows XP SP2's release has proven frustrating for some colleges and universities. There are concerns that SP2 could interfere with applications already running on the schools' systems, and that the volume of traffic created by students downloading the update could overwhelm campus networks. Some technical administrators have blocked the automated update feature. Others are distributing the update on CD, and some schools are encouraging students to download SP2 because their memories of the rampant Blaster infections of last autumn are all too clear.
[Editor's Note (Pescatore): SP2 is interfering with broken applications that needed to be changed. If universities or anyone else wants to continue to run risky applications, they shouldn't move to SP2.]
Flaws Found in XP SP2 (20/19/18 August 2004)
Danish security company Secunia has uncovered a security flaw in Microsoft's Internet Explorer that affects Windows XP, even on systems that have been updated with SP2. The vulnerability affects IE 5.01, 5.5 and 6.0, and involves "insufficient validation of drag-and-drop events issued from the Internet zone." Secunia advises disabling active scripting in IE or using a different browser until a fix is available. In addition, German security company Heise has released information about a vulnerability in SP2 that could allow untrusted files to be downloaded without first displaying a warning message. Heise researchers have admitted that the vulnerabilities are largely theoretical and that no exploit code for them presently exists.
[Editor's Note (Schultz): WXP SP2 has a number of user interface problems, too. For example, you can go to the Security Center and find that the Windows firewall is turned on, yet it might not actually be working because it has not been enabled for the local area network to which a host is connected.
(Pescatore): I hope no one expected SP2 to mean the end of Windows vulnerabilities being found. Until we see operating systems take more minimalized approaches, resisting the temptation to jam more and more functionality into an OS, there will be no end in sight to the need for vulnerability management. ]
Windows XP SP2 Now Available to Home Users (19 August 2004)
Microsoft has begun sending out Windows XP Service Pack 2 to home users. The first people to get the update will be those who have turned on the automatic update feature. Microsoft will place a limit on the number of home PCs updated each day so company servers will not become overwhelmed. Microsoft expects that everyone who wants SP2 will have it by October.
************************** SPONSORED LINKS ******************************
Privacy notice: One of these links redirects to non-SANS web pages.
(1) ALERT: Are Your Web Applications Vulnerable to Fuzzing Attacks?
(2) SANS Training In Your City
More than fifty SANS programs will start during the next few weeks in
cities all over the world - from San Antonio to Singapore, from
Washington to Copenhagen. To see what is running in your neighborhood
look at: http://www.sans.org/local/ and http://www.sans.org/
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Court Says Morpheus and Grokster are Not Liable for Their Customers' Activity (20 August 2004)
The 9th US Circuit Court of Appeals last week upheld a lower court decision that said peer-to-peer software developers Morpheus and Grokster are not liable for copyright infringement committed by people using their products. The decision means that peer-to-peer software companies cannot be shut down for their customers' actions, but does not say that file sharing is legal. System design was a key factor in the decision; Morpheus and Grokster do not have central servers.
[Editor's Note (Shpantzer): This doesn't change what enterprises should do about P2P: Write policy against it. Use tools that enforce the policy via detection of the dormant applications (i.e. not just scanning for bandwidth and open ports). ]
RIAA Suits Against Individuals Proceeding (20 August 2004)
The Recording Industry Association of America (RIAA) continues to pursue lawsuits against individuals for copyright violations in which music is illegally downloaded. While people would like to fight the lawsuits, they more often than not find it too expensive and end up settling with the RIAA. Nearly 4,000 people have been sued since the RIAA began filing the suits in September 2003.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Says Security Configuration Checklist Program Will be Ready Before the End of the Year (19 August 2004)
The National Institute of Standards and Technology (NIST) will have a security configuration checklist program complete before the year's end. Also known as security benchmarks or lockdown guides, the checklists "describe the software options and settings that users can choose to minimize the security risks" that attend specific hardware or software. The lists will be available through a web portal, checklists.nist.gov, and NIST envisions them being used by everyone: government agencies, developers, businesses and citizens.
[Editor's Note (Guest: Lee Imrey): Security benchmarks for various systems have been developed by organizations such as the Center for Internet Security (CIS), and have already been recommended by NIST. Hopefully the new guidelines will build on the work already done, and introduce a compatible set of guidelines. Vendor support for these guidelines will help raise the security baseline throughout government and industry. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
AOL Looking Into Flaw that Exposed Users' Portfolios to Others (20 August 2004)
America Online is investigating a possible security problem that allowed some customers to view others' online financial portfolios. While AOL maintains no personally identifiable information was exposed, it has taken some steps to prevent a recurrence. The man who alerted AOL to the problem has also informed the Federal Trade Commission.
Oracle is Moving to Monthly Patch Release Schedule (20/19/18/17 August 2004)
Following Microsoft's lead, Oracle has announced that it is moving to a monthly patch release model. Oracle did not specify when the monthly patches would begin, but did say that a predictable schedule would better meet their customers' needs. Oracle has recently been criticized for holding back some fixes for vulnerabilities in its database software.
[Editor's Note (Pescatore): Having regular patch releases on a monthly schedule proved to be a net plus for enterprises but this raises an interesting scenario: Microsoft chose the 2nd Tuesday of each week because enterprises didn't want patches coming out during the last two weeks of a quarter or the first week. No one wants patches coming out on Mondays or Fridays - pretty soon the second Tuesday, Wednesday and Thursday of each month will be the vulnerability trifecta days.]
New Download.Ject Variant Spreads Through AOL Instant Messenger and ICQ (20 August 2004)
A new variant of the Download.Ject worm, which, like its predecessor, infects vulnerable systems with a Trojan horse program and keystroke logger, also generates pop-up ads that link to pornographic web sites. People who have installed Windows XP SP2 or patches from Microsoft's out-of-cycle release MS04-25 are not vulnerable to the worm. It arrives via AOL Instant Messenger or ICQ.
Cisco Releases an Advisory and a Patch for Router Software Flaw (19 August 2004)
Cisco has released a patch for a flaw in some versions of its router software that places networks at risk for denial-of-service attacks. The vulnerability exists in Cisco's Internetwork Operating System routing software versions 12.0S, 12.2 and 12.3. Cisco has also released an advisory.
Yahoo Fixes Cross-Site Scripting Vulnerabilities in eMail System (19 August 2004)
Yahoo has repaired two cross-site scripting vulnerabilities in its email system. Yahoo addressed the problems by fixing code on its servers; customers do not need to download a patch.
Cyberharassment Q & A (23 August 2004)
This article defines cyberharassment and cyberstalking, offers advice for avoiding becoming a victim and discusses how current law views cyberharassment and cyberstalking.
Japanese Bank to Use RFID Document Management System (18 August 2004)
NEC Corp. is developing an RFID-based document management system for Japan's Bank of Nagoya; the bank plans to deploy the system in April 2005. The system is designed to be used in combination with other security technologies for document protection. For instance, used in conjunction with an employee identification system, the bank can keep track of who has accessed which documents.
Marketing Ploy Turns Virus Hoax (18 August 2004)
An unusual, and some would say ill-conceived, advertising campaign for a new version of the video game Resident Evil has resulted in an unwarranted virus scare; people were receiving unsolicited SMS messages on their mobile phones telling them they had been infected with the nonexistent T-Virus. The company that developed the marketing ploy has issued a press release acknowledging that it was done to promote the game and no virus exists. However, in 1996 another marketing strategy used a virus hoax, and warnings about the Irina virus circulated for years afterward.
Internet Storm Center Survival Time Confirmation Prompts University to Quarantine Inadequately Patched Computers (18 August 2004)
A network administrator at the University of Massachusetts at Amherst tested SANS Internet Storm Center's findings about the amount of time it takes an unpatched system to be compromised once it is connected to the Internet, and indeed, the two machines he connected to the network were infected within 20 minutes, just as the ISC had warned. The university is now checking computers to make sure they are up to date with patches before allowing them to connect to the network.
Researchers Describe Flaws in Encryption Algorithms (19/17 August 2004)
Researchers presented three separate papers at the Crypto 2004 conference detailing vulnerabilities in three different encryption algorithms. French computer scientist Antoine Joux delivered a paper on a flaw in MD5, which is used with digital signatures. Four Chinese researchers delivered a paper describing a flaw in SHA-0, and two Israeli researchers were scheduled to deliver a paper on weaknesses in SHA-1.
[Editor's Note (Tan): Finding a weakness in a widely used crypto algorithm is a big thing - like beating one of the favourites in the Olympic Games. This shows the achievement of excellent research work. ]
Opinion: Call to Ban Portable Storage Media Misses the Point (16 August 2004)
The author of this opinion column believes that the call to ban portable storage media in the workplace overlooks the fact that internal security is a human issue. If someone can access information, they can steal it; the solution, he says, is to know your employees and to use technology that gives them access only to the information they need.
Microsoft Announces $1 Million for Secure Computing Curriculum Development (2 August 2004)
Microsoft will make available $1 million as a request for proposal to develop secure computing curricula in computer science, business and law. Microsoft also announced a $1 million New Faculty Fellowship program which will award five $200,000 fellowships to "exceptional new computer science faculty members."
[Editor's Note (Pescatore): It seems to me that as long as we treat "secure computing" as some separate entity we will only make limited progress in moving forward. I'd rather see the million bucks go towards figuring out why all those software developers were trained to write such poor code and changing that part of the curriculum.
(Paller): Echoing John Pescatore's comments, and raising the ante: US government funding organizations should establish a standard requirement for universities that seek funding for infosec research: that they ensure that security is woven into each computer science and computer engineering programming course offered by the school. The effectiveness of such programs can easily be tested using an examination of security skills of all the graduates of computer science and computer engineering programs. One such test has been developed and is being vetted. Employers that would like to verify the security skills of the programmers they hire might find the exam useful. ]
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/