SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #7
February 18, 2004
TOP OF THE NEWSASN.1 Vulnerability Exploit is Circulating
Microsoft's ASN.1 Patch Lag Time Draws Mixed Reactions
Software Flaw Caused Alarm Failure, Contributed to Blackout's Spread
CA Employment Development Dept. Computer Security Breached
Windows 2000 Code Leaked
Windows Code Leak Investigation Focuses on Silicon Valley Company
THE REST OF THE WEEK'S NEWSBelgian Police Arrest Female Virus Writer
IBM and Cisco Will Integrate Products
DHS Inspector General to Study Department Systems
Redbus Founder Charged with Blackmail and Interception of Communications
China Developing Internet Emergency Response System
New Framework Would Help Thwart Spammers
Philippine Laws Inadequate to Prosecute Cyber Criminals
Cisco's New WLAN Security Protocol
FTC Warns that Anti-Spam Site is Not Affiliated with Government
Flaw in Ticket Site Exposed Customer Data
Increased Measures to Thwart Phishers in Singapore
DHS Plans to Stop PADC
Study Shows Companies Feel Spam is a Significant Security Threat
FIPS 199 Takes Effect
Programmer Posts Social Services Database On-Line
Search Engines Find Secret Documents
Sharman Networks to Challenge Court Order
VULNERABILITY UPDATES AND EFFECTSIbiza Trojan Exploits IE Flaw; No Patch Yet Available
Nachi.B Cleans Up After MyDoom
Sophos Releases Upgrade for MIME Vulnerabilities
Bluetooth Flaws Allow Data Theft, Phone Service Hijacking
BOOK REVIEWSBeyond Fear by NewsBites Editorial Board Member Bruce Schneier
*********************** Sponsored by Net IQ *****************************
Policy White Paper from NetIQ
Tired of constantly firefighting? You need a more proactive and effective means of managing your vulnerable security systems for policy and compliance. Get the answers you need now!
|| Download a free white paper from NetIQ on "Proactive Security Policy Enforcement: A Practical Approach for the Enterprise."
This Week's Featured Security Training Program:
Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida, in early April.
TOP OF THE NEWS
ASN.1 Vulnerability Exploit is Circulating (16 February 2004)A denial-of-service exploit for a component of the recently acknowledged Microsoft Abstract Syntax Notation 1 (ASN.1) flaw has been circulating on the Internet; affected users are urged to apply the patch. The vulnerability being exploited applies to Windows NT, Windows 2000, Windows XP and Windows 2003 systems. The vulnerable dll is widely used in authentication in these systems and exploitation of the vulnerability can result in SYSTEM-level privileges, making this vulnerability a particularly serious one.
[Editor's Note (Tan): It is only a matter of time until a worm is released in the wild. ]
Microsoft's ASN.1 Patch Lag Time Draws Mixed Reactions (13 February 2004)Microsoft first learned of the ASN.1 vulnerability in late July 2003; the patch for the flaw was released on February 10, 2004. Some researchers say that 200 days is far too long a time to wait. Others say that Microsoft needed the time to ensure the quality of the patch. Still others say that Microsoft placed too much importance on other, less critical vulnerabilities and could have released this fix sooner if it had shifted its priorities.
[Editor's Note (Schneier): The claim is that Microsoft will release no patch before its time. Does it really take 200 days to write a "quality patch"? Apple released a major patch in its iTunes player within 24 hours. What's up with that?
(Northcutt): The rabbit runs deeper than this and the underlying problem is almost certainly far bigger than the Microsoft ASN.1 implementation. The first time Alan and I knew about ASN.1 problems was Feb. 2002 when Andrew Baker, H.D. Moore, Marty Roesch, Glen Sharlun and I pulled an all nighter with an impromptu test lab at the SANS Monterey Bootcamp. We ran the Protos (SNMP coding fault) toolkit on a bunch of operating systems and imagine our surprise when we traced one of the seg faults back to an ASN.1 library call. We reported it in the appropriate fashion to the authorities.
(Guest Editor Marcus Sachs): And it gets worse... ASN.1 Basic Encoding Rules (BER) are used in a multitude of applications including cell phone calls, Signaling System 7 (SS7), air traffic control systems, package tracking, SCADA systems, X.9 financial transaction protocols, public key cryptographic standards, voice over IP, video teleconferencing, messaging systems, and public directory protocols. Each of these areas is prone to errors caused by the way the ASN.1 BERs are implemented. The US Federal Government is very aware of this issue and has been quietly working to find and isolate as many as possible. Ironically, Microsoft has a nice knowledge base article about ASN.1 - last updated in Dec 2003:
No mention of security issues. ]
Software Flaw Caused Alarm Failure, Contributed to Blackout's Spread (11/13 February 2004)A software bug in GE Energy's XE/21 system caused an alarm system failure at FirstEnergy's Akron, Ohio control center in August 2003. The flaw turned up during an extensive code audit in the weeks following last summer's blackout in the northeastern United States. A FirstEnergy spokesman says they have applied fixes to the software and are "stepping up plans to replace the system" entirely.
[Editor's Note (Schneier): I have long assumed that the blackout was caused by a cascade of failures, and I have suspected Blaster as being part of that mix:
CA Employment Development Dept. Computer Security Breached (13 February 2004)After a state agency computer's security was compromised, the California Employment Development Department sent letters to people whose personal information was on the affected computer, telling them their data may have been viewed by an intruder. There is no evidence that any personal information was accessed or abused. However, a California law enacted last summer requires that people be informed in the event of a computer security breach involving unencrypted personal data.
Windows 2000 Code Leaked (13 February 2004)Microsoft is working with law enforcement authorities to investigate the posting of Windows 2000 and NT source code on the Internet. There does not appear to have been a breach of internal Microsoft security or of the Microsoft corporate network. The amount of code (600MB) that has been posted accounts for only a small portion of the operating system leading some (Microsoft included) to claim that the resulting danger is minimal.
[Editor's Note (Schultz): Events such as this one show that the arguments of those who say that proprietary systems are inherently more secure than open source systems because the code is not available for public inspection are flawed. Sooner or later proprietary source code gets leaked, as has happened here. I'm not claiming that open source systems are more secure, but rather am just pointing out that relying on the proprietary nature of source code for security in reality amounts to little more than "security by obscurity."
(Schneier): I'm not sure how big a difference this code leak is going to make in the long run. It's not as if there's any shortage of Windows vulnerabilities to exploit even without access to source code. More interesting will be to see if it's true, as has long been rumored, that Microsoft includes undocumented features to make life more difficult for competitors. ]
Windows Code Leak Investigation Focuses on Silicon Valley Company (13/16 February 2004)Investigation into the source of the code leak points to a Silicon Valley company called Mainsoft. Analysis of the leaked code indicates it is the same code that the company had permission to view. An exploit that takes advantage of the leaked code has appeared on a security mailing list.
[Editor's Note (Schultz): I don't think that the exploit that has surfaced so far is really all that significant. A far greater concern is the exploits that will follow--ones that will be incorporated into code for a new worm. ]
*********************** SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) WHITE PAPER - Spam threatens network security. Learn how to protect your enterprise. REQUEST:
(2) Best Practices for Incident Response - Sign up for the practitioner's guide at
(3) From SANS: HIPAA Security Implementation is a step by step guide for IT staff of hospitals. Thorough and extremely cost effective.
THE REST OF THE WEEK'S NEWS
Belgian Police Arrest Female Virus Writer (16 February 2004)Belgian police have arrested a 19-year-old woman suspected of being a virus writer. She has been charged with computer data sabotage and could face up to three years in prison and a fine of up to 100,000 EUR. If she is guilty of the allegations, she may be the first person to write a virus or worm in the C# programming language?
IBM and Cisco Will Integrate Products (13 February 2004)IBM and Cisco will integrate a number of their products to improve defenses against network threats and simplify tasks such as security policy compliance.
DHS Inspector General to Study Department Systems (13 February 2004)The IT Office of the Inspector General of DHS plans to study wireless security policies and practices within the department, risk assessment of mainframe computer operations and cyber security programs.
Redbus Founder Charged with Blackmail and Interception of Communications (13 February 2004)Officers of the UK's National Hi Tech Crime Unit (NHTCU) have charged Redbus Interhouse founder Cliff Stanford with conspiracy to blackmail and violations of the RIPA Act 2000 (Regulation of Investigatory Powers Act 2000). Stanford and George Nelson Liddell stand accused of breaking into Redbus e-mail systems. Stanford co-founded Redbus Interhouse in 1999 but resigned in 2002.
China Developing Internet Emergency Response System (13 February 2004)Lu Chengzhao, deputy director-general of the office of China National Network and Information Security Coordinating group, says The People's Republic of China is developing a public Internet emergency response system. It is expected to be complete in five years.
New Framework Would Help Thwart Spammers (12 February 2004)A group called SMTP+SPF has published a draft of Sender Policy Framework (SPF) which aims to "improve the SMTP protocol that governs e-mail traffic." SPF would prevent address spoofing and SMTP server hijacking. The group hopes to put the framework on the fast track to Internet Engineering Task Force (IETF) approval so it can quickly become a standard.
[Editor's Note (Tan): I wonder how widely this will be adopted when it is based on a whitelisting system. Maintaining such a system is not easy. ]
Philippine Laws Inadequate to Prosecute Cyber Criminals (12 February 2004)Philippine law enforcement officials say current laws are not adequate to prosecute cyber criminals. The country's Information Technology and E-commerce Council is "pushing (for) a cybercrime law that would put more teeth to existing laws on cybercrime."
[Editor's Note (Schultz): The Philippines is only one of many countries in the world without adequate cybercrime legislation. Such countries comprise significant weak links in the fight against cybercrime. ]
Cisco's New WLAN Security Protocol (12 February 2004)Cisco has submitted a draft of a wireless WLAN security protocol to the Internet Engineering Task Force (IETF). The protocol, Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), is designed to defeat dictionary attacks against unencrypted passwords.
FTC Warns that Anti-Spam Site is Not Affiliated with Government (12 February 2004)The US Federal Trade Commission (FTC) issued a press release warning people that
a web site that promises to reduce spam, is not affiliated with the government and could potentially result in an increased volume of spam for those who submit their e-mail addresses.
Flaw in Ticket Site Exposed Customer Data (12 February 2004)Australia's Ticketmaster 7 web site contained a flaw that allowed visitors to view other customers' information. Ticketmaster 7 says it has closed down the service, which allowed people to view other people's personal information simply by changing numbers in a URL.
Increased Measures to Thwart Phishers in Singapore (11 February 2004)The Singapore Network Information Centre (Sgnic) has started taking steps to ensure that the .sg domain name is not abused by phishers. Domain name applicants are required to submit documents from professional organizations such as the Registry of Companies and Businesses. Local registrars have also taken protective steps: one goes through each domain name application in order to spot suspicious registrations. Applicants requesting suspicious sounding domain names are sent letters politely asking them why they are interested in such a name.
DHS Plans to Stop PADC (11 February 2004)Deputy director of the United States Computer Emergency Response Team (US CERT) Lawrence Hale says the Homeland Security Department (DHS) will stop offering the Patch Authentication and Dissemination Capability (PADC) service. Hale says that commercial alternatives to PADC offer better support.
Study Shows Companies Feel Spam is a Significant Security Threat (11 February 2004)A study on the effects of spam on organizations commissioned by Network Associates found that 90% of companies surveyed believed spam makes them more vulnerable to security threats. 97% of the companies felt than antispam technology should be part of their security plans.
FIPS 199 Takes Effect (10 February 2004)The Commerce Department has approved a new Federal Information Processing Standard for categorizing security risks to government information and information systems. The National Institute of Standards and Technology (NIST) developed FIPS 199, which took effect on February 10, under the Federal Information Security Management Act (FISMA).
Programmer Posts Social Services Database On-Line (10 February 2004)A contract programmer working for Livingston County, NY placed a confidential database on line because he needed technical help. The database, which contained Social Services department information, has been removed from the Internet, and the programmer has been suspended without pay. The county has contacted affected families and plans to "do things a little differently (when it comes to) outsourcing this type of work."
Search Engines Find Secret Documents (9 February 2004)Documents and data that organizations believe are secret or private turn up surprisingly often in Internet searches; the information is accessible because of misconfigured servers, security holes and human error. Once a web page has been found by a search engine, it is nearly impossible for it to return to its former obscurity.
[Editor's Note (Tan): The good thing is that if you lose a document, you might be able to get it back using the search engine. : )
(Shpantzer): The robots.txt file is a double-edged sword. While it may be a good way to keep ethical search companies from crawling specific parts of your website, it also gives clues to snoops as to which areas of the server are deemed too sensitive for public consumption. ]
Sharman Networks to Challenge Court Order (9 February 2004)Attorneys for KaZaA parent company Sharman Networks say the company plans to challenge the validity of the court order used to seize evidence from corporate offices, service providers and the homes of company executives.
VULNERABILITY UPDATES AND EFFECTS
Ibiza Trojan Exploits IE Flaw; No Patch Yet Available (13 February 2004)
Nachi.B Cleans Up After MyDoom (12 February 2004)
Sophos Releases Upgrade for MIME Vulnerabilities (12 February 2004)
Bluetooth Flaws Allow Data Theft, Phone Service Hijacking (11 February 2004)Tools for bluesnarfing, or stealing data from Bluetooth enabled phones, is circulating on the Internet.
Beyond Fear by NewsBites Editorial Board Member Bruce Schneier (11 February 2004)
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit