SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #9
March 03, 2004
NEW CYBERSECURITY LEGISLATION AND LEGAL DECISIONS AFFECTING SECURITY
Putnam Drafting Amendment to Clinger-Cohen Act
Court Says Earlier Decision in DeCSS Posting Case Violated Defendant's Free Speech Rights
Panel Discusses Security Regulation
Louisiana Man Arrested, Charged with Cyber Terrorism Under USA PATRIOT Act
Outcome of Password-Sharing Case is Cause for Concern
Interview with US Senator Bob Bennett
NEW SECURITY ORGANIZATIONS
Software Companies Form Cyber Security Industry Alliance
Group Wants to Bring Physical and IT Security Together
Security Metrics Consortium
THE REST OF THE WEEK'S NEWS
FBI Confiscates Servers in Investigation
VoIP Security Awareness Found Lacking
Concern Mounts Over China's Wireless Standard Requirements
Microsoft To Offer Reduced-Price Software Development Tools in Some Asian Countries
Student Charged with Breaking Into Roommate's E-Mail Account
Teen in MSBlast Case Admits to Other Cyber Attacks and Intrusions
F-Secure Apologizes for Sending Virus
Malicious Coders Reverse Engineer Patches to Create Exploits
Yukon (SQL Server) Will Ship with Some Features Turned Off
CIA Report Will Address Cyber Terrorism Threat to Critical Infrastructure
Patching is Burdensome, Takes Time
Microsoft is Reviewing Leaked Code
Gates on Microsoft's Security Endeavors
Cyber Crime Costs UK Companies Billions in 2003
Missouri Bank Sent Unencrypted Customer Data to Programmer
VULNERABILITY UPDATES AND EFFECTS
NetSky.D Spreading Rapidly
Five Bagle Variants Released Over the Weekend
Flaw in Mac OS X 10.3.2 Could Allow Password Transmission in Clear Text
MSN Explorer Flaw Allows Free Access to Premium Services
MyDoom.F Carries Nasty Payload; NetSky.C Continues to Spread
Bizex Worm Targets ICQ Instant Messenger Users
************************** Sponsored by NetIQ *************************
Need security policies?
Don't start from scratch. Check out "Information Security Policies Made Easy," the best security policy resource guide available, with 1,300+ ready-to-use security policies, easily customizable for any organization. Also, don't miss our step-by-step guide, "Information Security Roles & Responsibilities Made Easy."
Check them both out now.
This Week's Featured Security Training Program:
Because SANS 2004 is nearly sold out, showing that employers are once again saying yes to requests for effective training, we have added six new conferences between May and July: Colorado Springs, Chicago, Baltimore, Kansas City (Overland Park), Denver and Minneapolis. Find details at http://www.sans.org
But there's still space in most of the courses at our mega-conference in Orlando April 1-9. Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, all taught by the highest-rated instructors in the US. And it is all in Orlando, Florida.
NEW CYBERSECURITY LEGISLATION AND LEGAL DECISIONS AFFECTING SECURITY
Putnam Drafting Amendment to Clinger-Cohen Act (23 February/1 March 2004)
Representative Adam Putnam (R-Fla.) is drafting an amendment to the Clinger-Cohen Act which would add cyber security to enterprise architecture requirements for government agencies. In addition, the Corporate Information Security Working Group (CISWG) convened by Rep. Putnam plans to submit recommendations to Putnam today (March 3) on improving cyber security in government and the private sector. Putnam is Chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
[Editor's Note (Pescatore): Representative Putnam keeps doing great stuff to try to get the government to improve the security of its own computer systems, and lead by example. While amending Clinger-Cohen to include cyber security may not sound sexy, to make progress in government you have to embed security requirements into government agencies' lifeblood - bureaucracy. ]
Court Says Earlier Decision in DeCSS Posting Case Violated Defendant's Free Speech Rights (1 March 2004)
California's Sixth Circuit Court of Appeals overturned a lower court order that barred the posting of the DeCSS DVD decryption tool on the Internet. The court found that the order violated defendant Andrew Bunner's free speech rights; the court also agreed with his attorneys that by the time Bunner posted the code on the Internet, it was no longer secret.
[Editor's Note (Schultz): This ruling is consistent with previous court rulings, but it is disconcerting that copyright holders lose just because someone publicly posts copyrighted information. ]
Panel Discusses Security Regulation (26 February 2004)
A panel comprised of representatives from business and government discussed the role the government should take in regulating Internet security.
Louisiana Man Arrested, Charged with Cyber Terrorism Under USA PATRIOT Act (26 February 2004)
FBI agents arrested David Jeansonne of Louisiana under a provision of the federal computer crime statute of the USA PATRIOT Act. Jeansonne allegedly tricked 18 MSN TV users into running a script on their machines that changed their dial-up number to 911, resulting in false emergency calls. Jeansonne was charged under the USA PATRIOT Act because the act posed "a threat to public health or safety."
Outcome of Password-Sharing Case is Cause for Concern (1 March 2004)
A federal court ruled that Berkshire Information Systems violated the Computer Fraud and Abuse Act when it obtained a password and userid from a competitor's client and used it to access the competitor's network. The author of this article questions the interpretation of "damage" in this case.
Interview with US Senator Bob Bennett (25 February 2004)
Senator Bob Bennett (R-Utah) discusses defending the US critical infrastructure from cyber attacks and information sharing with journalist Dan Farber. Senator Bennett received the RSA Award for Excellence in the Field of Public Policy at last week's conference.
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) FREE White Paper: "Hackers New Trick- LDAP Injection Attacks"
(2) From SANS: HIPAA Security Implementation is a step by step guide for IT staff of hospitals. Thorough and extremely cost effective.
NEW SECURITY ORGANIZATIONS
Software Companies Form Cyber Security Industry Alliance (25 February 2004)
The Cyber Security Industry Alliance (CSIA) aims to work with government to avoid cyber security legislation that is not in accord with its members' agenda; the group concedes that some federal requirements that don't prove too burdensome for technology companies could help improve security. Among the CSIA's immediate priorities is the development of industry-wide standards for reporting and sharing information about security threats.
Group Wants to Bring Physical and IT Security Together (25 February 2004)
The Open Security Exchange (OSE) aims to develop interoperability standards for physical and IT security. OSE has submitted specifications for its Physical Security Bridge to IT Security to the Security Industry Association under its Open Systems Integration and Performance Standards initiative; the group also plans to soon release a white paper on credentials management and smart cards.
[Editor's Note (Pescatore): This is a popular notion that makes no sense to me. Beyond the fact that combined facility/network access cards span both groups, there is very little similarity between running a physical security program and running a network or information security program. If I'm the President of the United States and I see the Secret Service replacing guns with PDAs and outsourcing the agents who surround me with a call center in Bangalore, I'm going to hide in the basement. ]
Security Metrics Consortium (25 February 2004)
The Security Metrics Consortium (SecMet), a group made up of CIOs, hopes to develop quantitative network security metrics.
THE REST OF THE WEEK'S NEWS
VoIP Security Awareness Found Lacking (2 March 2004)
Research from META Group shows that companies moving to VoIP often do not grasp the security risks associated with the technology. Additionally, "existing IP telephony products and projects" lack adequate security.
Concern Mounts Over China's Wireless Standard Requirements (1 March 2004)
US government and industry groups hope to work with China on developing international wireless standards. China presently requires that the Wireless Authentication and Privacy Infrastructure (WAPI) encryption scheme be built into every wireless device used in the country before June 2004. That scheme is not compatible with the WEP and AES schemes used in IEEE's 802.11x standards. There is also considerable concern over China's requirement that companies that choose to use WAPI must partner with one of a chosen group of Chinese companies; this flies in the face of a World Trade Organization (WTO) provision that says that foreign companies may not be treated differently from domestic companies.
[Editor's Note (Pescatore): This is just as bad as when the US tried to have export controls on crypto. The original security standards for WLAN (Wired Equivalent Privacy) were developed during the era of export controls, and WEP was weak and flawed. Open reviews and improvements led to WiFi Protected Access and the coming 802.1x standard that includes AES - strong security. The Chinese government forcing a closed standard (WAPI) and mandating who produces the crypto will end up being WEP all over again. ]
Microsoft To Offer Reduced-Price Software Development Tools in Some Asian Countries (1 March 2004)
In an attempt to increase its share of the market in China and other developing Asian countries, Microsoft plans to offer products at reduced prices. Microsoft has encountered difficulties in China, where an estimated 90% of the software in use is pirated. In addition, the use of Linux is encouraged in China.
[Editor's Note (Paller): This story may not seem relevant to the security field, but it is. As Microsoft feels more and more pressure from the growing Linux movement, the company will be forced to accelerate its security improvements to balance the perceived security advantages that Linux offers to potential buyers. ]
Student Charged with Breaking Into Roommate's E-Mail Account (26 February 2004)
Iowa State University student Nicholas Jensen has been charged with breaking into his former roommate's e-mail account and sending phony messages to people under the roommate's name. If convicted, Jensen could face fines and a three-year prison sentence.
[Editor's Note (Grefer): Given that the majority of mail servers still do not require authentication of users sending mail, there's a chance that the student could have sent these messages without breaking into anything. ]
Teen in MSBlast Case Admits to Other Cyber Attacks and Intrusions (26 February 2004)
Jeffrey Parson, the Minnesota teenager accused of releasing an MSBlast variant last summer, has admitted to other computer misdeeds, according to federal prosecutors. Parson admitted to launching attacks against the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), as well as storing digital content on computers that he broke into.
F-Secure Apologizes for Sending Virus (26 February 2004)
Anti-virus company F-Secure has e-mailed an apology to customers who were inadvertently sent the Netsky.B virus through an e-mail list. F-Secure director of anti-virus research Mikko Hypponen said the company has taken steps to guard against a repeat of the event; the e-mail list should not have been accepting external e-mails, and the problem has been corrected.
Malicious Coders Reverse Engineer Patches to Create Exploits (26 February 2004)
David Aucsmith, chief technology officer for Microsoft's security business unit, says that crackers reverse engineer patches for security flaws to create exploits. Aucsmith says he knows of only one case in which an exploit surfaced before a patch was released. Aucsmith also remarked that the US$5 million fund established to reward people who provide information leading to the prosecution of those responsible for worms and viruses has been effective. Without providing details, Aucsmith said that law enforcement organizations around the world are acting on information received as a result of the reward fund.
Yukon (SQL Server) Will Ship with Some Features Turned Off (25 February 2004)
Yukon, the code name for the next version of Microsoft's SQL Server, will ship with certain features turned off in the interest of security. Core functionality features will be left on, and engineers are working to make sure that users will be able to turn on desired features easily.
[Editor's Note (Schultz): This all seems too good to be true--a clear step in the right direction. Hopefully, other vendors will follow suit.
(Pescatore): As Shakespeare once said about software design: "Ay, there's the rub." It's good to see software designers finally accepting "turn everything off that isn't explicitly enabled" as a design philosophy. Let's hope they don't succumb to the temptation to include wizards that undo all that with one click. ]
CIA Report Will Address Cyber Terrorism Threat to Critical Infrastructure (24/25 February 2004)
This week, the CIA, along with the FBI, the Department of Homeland Security and the Pentagon, will publish a National Intelligence Estimate (NIE) on the threat cyber terrorism poses to US critical infrastructure. The estimate/report is likely to be classified. News of the report came during a Senate Judiciary subcommittee hearing on cyber terrorist threats and capabilities. Two members of the committee expressed concern that the threat of cyber terrorism and physical attacks against critical infrastructure is not receiving high-level attention.
FBI Confiscates Servers in Investigation (24 February 2004)
FBI agents have confiscated servers from CIT Hosting as part of an Internet crime investigation. According to the warrant, the FBI is investigating the possibility that someone hosted on CIT's network launched a cyber attack.
Patching is Burdensome, Takes Time (24 February 2004)
Data collected over a period of two years by vulnerability assessment firm Qualys indicate that it takes companies a month to halve "the number of vulnerable computers connected to the Internet." The data were mentioned in support of concerns about patching voiced by members of a discussion panel at the RSA Security Conference last week.
Microsoft is Reviewing Leaked Code (24 February 2004)
Microsoft is conducting an "in-depth security review" of leaked Windows code. The code was reviewed before it was released, but the security review process has become more sophisticated since then. Because the code (Windows 2000 and NT 4.0) is old, many of its flaws have already been addressed with patches or service packs.
Gates on Microsoft's Security Endeavors (24/26 February/1 March 2004)
Speaking at last week's RSA Security Conference, Bill Gates described a number of new security measures in Microsoft products. Service Pack 2 for Windows XP, expected to be released this spring, will include an expanded firewall and a pop-up blocker in Internet Explorer. In addition, SP2 will include Windows Security Center, which will allow users to view their security settings and receive advice on addressing vulnerabilities. The announcement of the new security features drew mixed reactions.
Cyber Crime Costs UK Companies Billions in 2003 (24 February 2004)
The results of a survey conducted by the UK's National Hi-Tech Crime Unit (NHTCU) estimate that cybercrime cost British companies billions of pounds last year. The financial sector was hit most often. Although 83% of the 201 companies participating in the survey said they had been affected by cybercrime in 2003, less than 25% of the companies reported the incidents to police. More than 25% of the companies do not conduct regular security audits.
Missouri Bank Sent Unencrypted Customer Data to Programmer (22 February 2004)
Southern Commercial Bank, which is based in St. Louis, Missouri, may have compromised the privacy of 40,000 customers when it sent unencrypted personal data, including bank account and social security numbers, to an independent programmer. A branch bank VP sent the information in an e-mail attachment; the Missouri Division of Finance is investigating the case.
VULNERABILITY UPDATES AND EFFECTS
NetSky.D Spreading Rapidly (1 March 2004)
Five Bagle Variants Released Over the Weekend (1 March 2004)
[Editor's Note (Tan): Bagle and NetSky are fighting with each other. In NetSky.F, researchers found the following text: "Skynet AntiVirus - Bagle - you are a looser!!!!" This NetSky worm variant tries to remove Bagle worm infection if it finds it on an infected computer. And in Bagle.K, a message is embedded saying, "Hey, NetSky, f*ck off you b*tch!" ]
Flaw in Mac OS X 10.3.2 Could Allow Password Transmission in Clear Text (27 February 2004)
WinZip Vulnerability (27 February 2004)
MSN Explorer Flaw Allows Free Access to Premium Services (26 February 2004)
MyDoom.F Carries Nasty Payload; NetSky.C Continues to Spread (24/25 February 2004)
Bizex Worm Targets ICQ Instant Messenger Users (24/25 February 2004)
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit