Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #47

November 23, 2004


As the first two stories show, this was a very good week in security. Buyers have begun to say they will purchase software and systems only from suppliers that take responsibility for security. The vendors have to agree or lose the revenue. And the ISPs have begun to use free security as a competitive weapon a move that will make millions of computers a bit safer.

Alan

TOP OF THE NEWS

Air Force Enlists Microsoft to Streamline Networks, Enhance Security
AOL Offers Security-Enhanced Service
Petco Settles FTC Privacy Violation Charges
FTC Alleges Mortgage Companies Violated Gramm-Leach-Bliley Act

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Judge Rules Keystroke Logger Did Not Violate Federal Wiretap Laws
Two Men Receive Suspended Sentences for Theft of Data Used in Extortion Scheme
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
China is Developing Cyber Attack Capabilities
More Funding Needed For Security R&D, IT Committee Says
SPAM & PHISHING
Phishing Victims Still Learning the Hard Way
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
New Sober Variant Spreading Rapidly
Oracle Announces 2005 Quarterly Patch Release Schedule
More IE Vulnerabilities
Patch Released for Flaw in Cisco Security Agent
STANDARDS AND BEST PRACTICES
Disaster Recovery Best Practices
STATISTICS, STUDIES AND SURVEYS
VeriSign Internet Security Intelligence Briefing
MISCELLANEOUS
Now is Not the Time for Government Cyber Security Standards


************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) FREE White Paper: "Why the web browser is the most dangerous hacking tool" http://www.sans.org/info.php?id=662

(2) Earn a Norwich University Masters Degree in Information Security in 24 months. http://www.sans.org/info.php?id=663

(3) Stop Cyber Attacks Now.
FREE White Paper: How to Evaluate Intrusion Prevention Systems http://www.sans.org/info.php?id=664

************************************************************************* Highlighted Cybersecurity Training: Washington, DC, Dec. 7-14, 2004

The nation's best instructors will be in DC teaching great courses for
**Auditors who want the technical skills so critical to successful audits.
**Security Managers interested in best practices and SANS exclusive "security make-over"
**Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
**Technical security professionals with hands-on responsibility: Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Linux/Linux; System Forensics, Investigation & Response; .Net Security.

http://www.sans.org/cdieast04
*************************************************************************

TOP OF THE NEWS

Air Force Enlists Microsoft to Streamline Networks, Enhance Security (19 November 2004)

As part of its "One Air Force, One Network" strategy, the US Air Force has enlisted Microsoft to help simplify its networks and software contracts. Software and support contracts will be consolidated and "will result in standard security configurations for all Microsoft desktop and server software" which will be updated with necessary patches on-line. In addition, the move should save the agency an estimated US$100 million over six years.
-http://news.com.com/2102-7355_3-5457344.html?tag=st.util.print
-http://www.fcw.com/fcw/articles/2004/1115/web-afmicro-11-19-04.asp
[Editor's Note (Northcutt): Brilliant! Work with your suppliers to receive the systems already configured to a safe and known state and then use a template to return them to the proper configuration when they drift. This could actually work and save money; a much better concept than the Navy's NMCI.
(Paller) This project provides proof that secure systems are less expensive than insecure systems. There's a $100 million in savings from consolidated procurement and at least that much again, every year, in savings from 40,000 staff members who don't have to deal with testing and patching. Furthermore this demonstrates how to implement the minimum security configuration rules of FISMA that OMB has made top priority for agency compliance. Major corporations will follow when the Air Force testing proves the feasibility and effectiveness of this approach. ]

AOL Offers Security-Enhanced Service (18 November 2004)

America Online is now offering AOL 9.0 Security Edition as a free upgrade to current subscribers in the US; versions for other countries may be released at a later date. The new edition includes anti-virus protection, simplified spam controls and IM spam blocking in addition to the enhanced parental controls and pop-up blockers included in the basic edition. AOl 9.0 Security Edition also alerts subscribers to unauthorized banking or credit card transactions and offers enhanced spyware protection.
-http://www.theregister.co.uk/2004/11/18/aol_security_edition/print.html
[Editor's Note (Pescatore): This is really what needs to happen in the consumer Internet service market. The service providers need to compete on how free from spam, viruses and worms their services are, vs. hoping to gain additional revenue per seat to protect consumers from threats the ISPs are delivering. Imagine if bottled water companies said "Yes, we know our water tastes horrible. For an extra $5 per month we will remove the bad taste from our product."
(Schneier): This is a good step forward, especially if it can be done in a way to make it mostly invisible to the user. A user can't succumb to a phishing attack if he doesn't see it.
(Paller): SANS will be publishing the ISP Security Rating Report Card that will allow consumers to recognize where they can find the safest services. It is currently under development. If you have developed any criteria for rating security on ISPs please email me at paller@sans.org ]

Petco Settles FTC Privacy Violation Charges (17 November 2004)

Petco Animal Supplies has settled Federal Trade Commission charges that it violated both privacy promises made to customers and federal law because of security flaws in its eCommerce web site, www.PETCO.com. An SQL-injection vulnerability potentially exposed as many as 500,000 customer credit card numbers. Among the terms of the settlement: Petco may not misrepresent the extent to which customer information is protected on its eCommerce site, and the company must put in place a comprehensive security program that will be evaluated by an independent auditor every other year for the 20-year term of the settlement. Each violation of the settlement could result in a fine of US$11,000.
-http://www.securityfocus.com/printable/news/9957
-http://www.ftc.gov/opa/2004/11/petco.htm
[Editor's Note (Schultz): A fine of only $11,000 doesn't seem like much of a deterrent. ]

FTC Alleges Mortgage Companies Violated Gramm-Leach-Bliley Act (17 November 2004)

The Federal Trade Commission has issued an administrative complaint against one mortgage company and has reached a settlement agreement with another regarding charges both violated the Gramm-Leach-Bliley Act's Safeguard Rule. The rule requires financial companies to provide reasonable protection for customers' personal and financial data.
-http://rismedia.com/index.php/article/articleprint/8396/-1/1/

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Judge Rules Keystroke Logger Did Not Violate Federal Wiretap Laws (19 November 2004)

A federal judge in California has ruled that Larry Ropp did not violate wiretap laws when he used a keystroke logging device to spy on his employer, and has dismissed charges against Ropp. In his ruling, judge Gary Feess said that intercepting keystrokes between the keyboard and the CPU did not meet the "interstate or foreign commerce" clause of the Federal Wiretap Act, though he did say that Ropp had "engaged in a gross invasion of privacy."
-http://www.securityfocus.com/printable/news/9978
[Editor's Note (Pescatore): Another example of how much faster technology moves compared to laws and regulations. The wiretap laws apply only to intercepting the transmission of messages, not the preparation of messages, since wiretap laws were written around phone messages - you can't intercept phone calls during preparation, unless you do some really scary bioengineering.
(Shpantzer): See the decision in Counsilman:
-http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
for the line of thinking in the keylogger case that helped set the precedent for this one. See also the entire case history of the Scarfo keylogger case here:
-http://www.epic.org/crypto/scarfo.html]

Two Men Receive Suspended Sentences for Theft of Data Used in Extortion Scheme (19 November 2004)

The Tokyo District Court has given two men suspended jail sentences for stealing personal data belonging to customers of broadband service provider Softbank. The data was passed on to four other people who allegedly threatened to make the stolen data public unless Softbank paid them between JPY 1 - 2 billion (approximately USD$9.7 million - US$19.3 million). They are on trial separately.
-http://www.securityfocus.com/printable/news/9975

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

China is Developing Cyber Attack Capabilities (17 November 2004)

US deputy undersecretary of defense Richard Lawless told the US-Taiwan Business Council last month that China is developing cyber attack capabilities that could allow them to launch computer-based attacks against Taiwan's critical infrastructure, including utilities and other vital communications networks.
-http://www.taipeitimes.com/News/taiwan/archives/2004/11/17/2003211401/print
[Editor's Note (Northcutt): This is not news, there have been reports of Chinese - Taiwan cyberwarfare since the 90s. Last year the Taiwan cabinet reported they were under systematic attack.
-http://www.taipeitimes.com/News/front/archives/2003/09/04/2003066387]

More Funding Needed For Security R&D, IT Committee Says (19 November 2004)

A government advisory panel subcommittee chaired by an MIT faculty member says the government has shortchanged basic research into cybersecurity and should at least quadruple the money available for civilian research.
-http://www.gcn.com/vol1_no1/daily-updates/27979-1.html

SPAM & PHISHING

Phishing Victims Still Learning the Hard Way (19/18 November 2004)

A compelling series of three articles about phishing include interviews with nearly a dozen phishing victims underscores the rampant growth of these attacks and what steps are being taken to mitigate the problem.
-http://www.washingtonpost.com/ac2/wp-dyn/A59347-2004Nov18?language=printer
-http://www.washingtonpost.com/ac2/wp-dyn/A59349-2004Nov18?language=printer
-http://www.washingtonpost.com/ac2/wp-dyn/A61916-2004Nov19?language=printer
[Editor's Note (Paller): It is extraordinary that the Washington Post.com journalists were able to find actual victims willing to discuss what happened. Their stories bring the problem to life for readers. If you have security awareness training in your organization, these stories will be great handouts. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

New Sober Variant Spreading Rapidly (19 November 2004)

A new variant of the Sober worm began spreading late last week. Sober arrives in an email attachment and uses its own SMTP engine to spread to other email addresses it finds on the infected computer. Machines running Windows 95, 98, ME, NT, XP, 2000 and 2003 are vulnerable. It places two copies of itself on machines it infects.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=53700897&sit
e_section=700028

Oracle Announces 2005 Quarterly Patch Release Schedule (19/18 November 2004)

Oracle has announced its quarterly patch release schedule for next year. Security bulletins and their attendant patches will be released on January 18, April 12, July 12 and September 18 2005. the schedule was designed to avoid blackout dates; many companies are reluctant to update systems at the end of business quarters.
-http://asia.cnet.com/news/software/printfriendly.htm?AT=39201900-39037051t-39000
001c

-http://www.nwfusion.com/news/2004/1118orpatch.html

More IE Vulnerabilities (18/17 November 2004)

Three more security flaws have been found in Microsoft's Internet Explorer version 6 web browser. Microsoft is investigating the vulnerabilities that could allow malicious content to slip past without warnings and cookies to be overwritten in order to hijack a web session. Microsoft was critical of the fact that the vulnerabilities were disclosed without first giving the company time to work on fixes.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39201735-39037064t-39000
005c

-http://www.eweek.com/print_article2/0,2533,a=139487,00.asp

Patch Released for Flaw in Cisco Security Agent (16 November 2004)

Cisco has released a patch for a crafted time attack vulnerability in its Cisco Security Agent software that could be exploited to circumvent the product's security. Users are encouraged to upgrade to CSA version 4.0.3.728.
-http://www.theregister.co.uk/2004/11/16/csa_flaw/print.html
-http://www.cisco.com/warp/public/707/cisco-sa-20041111-csa.shtml

STANDARDS AND BEST PRACTICES

Disaster Recovery Best Practices (18 November 2004)

The CIO Executive Council offers eight best practices for disaster recovery, including aligning disaster recovery with application development and ensuring that the disaster plan can be implemented no matter who is (present).
-http://www.computerworld.com/printthis/2004/0,4814,97620,00.html

STATISTICS, STUDIES AND SURVEYS

VeriSign Internet Security Intelligence Briefing (17/16 November 2004)

VeriSign's most recent Internet Security Intelligence Briefing, released last week, found that security incidents in the third quarter increased 150% over the same period last year. VeriSign attributes the increase to malware writers with increasingly sophisticated skills and an interest in financial gain rather than notoriety.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=53200186&sit
e_section=700028

-http://asia.cnet.com/news/security/printfriendly.htm?AT=39201552-39037064t-39000
005c

MISCELLANEOUS

Now is Not the Time for Government Cyber Security Standards (15 November 2004)

Bob Dix, staff director of the technology and information policy subcommittee of the US House of Representatives Committee on Government Reform, says now is not the time for governmental cybersecurity standard mandates; an incentive approach, possibly including investment tax credit and liability limits for those who adopt best practices is preferable to the threat of punishment for failing to adhere to standards. SEC CSO Chrisan Herrod says there's no consensus on standards. Different business sectors and businesses of different sizes are likely to have different requirements.
-http://www.nwfusion.com/news/2004/1115panelgovt.html
[Editor's Note (Ranum): He's right!! Now is not the time. Ten years ago was the time. (Schneier): If now isn't the time, when is? And if the government can't secure its own networks, how can it help anyone else secure theirs?
(Pescatore): While the "safe harbor" approach has its own set of risks, hoping that government regulations would increase security (as opposed to just increasing spending on security) is much more problematic than market driven approaches.
(Schultz): Is the problem that there is no consensus for standards, or is it instead that few organizations are willing to spend what it takes to conform to them? (Paller and Tan) Cybersecurity regulations and standards (like FISMA and HIPAA and Gramm Leach Bliley) may not be the best way, but they sometimes help the IT department to push forward security improvements. ]


===end===

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/