

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #31

August 03, 2005

TOP OF THE NEWS

UK Police Want to Make Withholding Encryption Key an Offense
Companies Offer Bounties for Vulnerability Submissions
Senate Panel Approves Council of Europe's Convention on Cybercrime

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
In-Q-Tel Head Says Information Sharing Hindered by Excessive Security Concerns
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
British Phonographic Industry Takes Five to Court Over Alleged Illegal Music Downloading
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Users Urged to Upgrade to Opera 8.02
Updates Available for Certain Anti-Virus Vulnerabilities
Symantec: Rewards for Malware Author Conviction Losing Efficacy
ATTACKS, INTRUSIONS & DATA THEFT
Two Servers Breached at University of Colorado
STATISTICS, STUDIES & SURVEYS
Identity Theft Woes Linger
MISCELLANEOUS
Researcher Permanently Enjoined from Talking About Cisco Vulnerability
FBI Investigating Researcher Who Disclosed Cisco Vulnerability
Cisco warns of IOS IPv6 Flaw, Urges Upgrade
Despite Injunction, Cisco Flaw Information is Still Available
Microsoft Genuine Advantage Now Mandatory for Updates
Methods for Circumventing Genuine Advantage Validation Process Already Available
Follow-up: Kushnir's Murder Unrelated to Spam


****************** Sponsored by VanDyke Software ************************

Free security software! Buy SecureCRT (Secure Shell terminal emulator) by September 9 and get SecureFX (SFTP file transfer client) free. SecureCRT 5.0 offers a tabbed, multi-session interface and an SFTP tab for secure file transfers. Simplify server management, remote access, and data tunneling with named firewalls, customizable configuration, and scripting. Download an evaluation copy today!

http://www.vandyke.com/go.php?id=sans0805

********************** SECURITY TRAINING NEWS ***************************

1) SANS Network Security 2005 in New Orleans (October) has opened for registration. It is our second largest conference, with about 20 tracks. You should have received (in the US and Canada) your new WhatWorks poster and the conference program. If you would like the conference program in booklet form, email your surface mail address to info@sans.org with the subject "NS2005 program and poster".
Online details: http://www.sans.org/ns2005
Online Poster: http://www.sans.org/whatworks

2) SANS Silicon Valley (September) just opened for registration. 12 tracks and a vendor exposition. http://www.sans.org/siliconvalley2005/

Why Attend SANS Training Instead of Less Effective Courses?
"SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)

*************************************************************************

Announcing the SANS Advisor
A newsletter that gets straight to the point with tips and breaking news on IT Security, Audit, Privacy. Volume 1, Number 1 is complimentary and available for downloading from:
http://www.sans.org/newsletters/advisor/1.2.pdf
If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at www.sans.org/newsletters

********************************************************************

TOP OF THE NEWS

UK Police Want to Make Withholding Encryption Key an Offense (26 July 2005)

Buried within a long list of requested changes to counter terrorism legislation from the UK Association of Chief Police Officers is a suggestion to amend the Regulation of Investigatory Powers Act to include a specific offense of withholding an encryption key. The ACPO also wants the power to "attack" web sites with content that promotes terrorism or other activities deemed unacceptable. Allowable methods of attack are not made clear.
-http://www.techworld.com/security/news/index.cfm?NewsID=4106
-http://www.acpo.police.uk/asp/news/PRDisplay.asp?PR_GUID={423FD3C2-2791-403A-B5D0-8FC6B5476B0B}

[Editor's Note (Schneier): This is a very chilling step, since it potentially criminalizes anyone who wishes to keep data secret, regardless of how benign the actual data might be.
(Shpantzer): If I have a safe in my office and refuse to give up the combination, would that also be an offense? As for the issue of attacking websites, the best treatment I've seen of the theoretical issues of use of force in cyberspace is Strategic Warfare in Cyberspace, by Gregory Rattray. ]

Companies Offer Bounties for Vulnerability Submissions (26/24 July 2005)

TippingPoint has announced that it will pay researchers for information about security flaws; the amount of the payment will depend on the flaw. The company says it will work only with "reputable researchers." TippingPoint will also inform vendors about the flaws and update its own products to protect its customers from exploits until the vendors release patches. A day after TippingPoint began offering money for information about flaws, iDefense announced that it is doubling the bounties it pays for vulnerability submissions. Internet Security Systems does not pay for vulnerability information, maintaining that to do so is tantamount to having someone else do its research for it.
-http://news.zdnet.com/2102-1009_22-5802411.html?tag=printthis
-http://news.com.com/2102-7350_3-5806059.html?tag=st.util.print
[Editor's Note (Pescatore): What a crazy world software is. The sellers of software continue to ship their products with enough flaws left in to feed an entire security industry *and* competing bounty programs for anyone who wants to find vulnerabilities. Imagine if the toy industry said "hey, Moms - we will pay you if you find new ways your kids can choke on our products."
(Schultz): The ethics of paying "vulnerability bounty hunters" for reporting vulnerabilities is at best marginal. All the companies that pay such bounties care about is their own financial interests, not the good of the Internet community at large. ]

Senate Panel Approves Council of Europe's Convention on Cybercrime (26 July 2005)

The US Senate Foreign Relations Committee has approved the Council of Europe's Convention on Cybercrime. The approval means the treaty will be brought to a floor vote later this year. Senate approval is considered largely symbolic, as much of the treaty's content is already part of US law. However, an addition to the treaty requires the nations that ratify it to imprison people who use the Internet to publicly insult others based on race or ethnic origin. The US Department of Justice says the addition is unconstitutional, as it would violate the First Amendment.
-http://news.com.com/2102-7348_3-5805561.html?tag=st.util.print


************************** Sponsored Links:******************************

1) Latest Hacker Target: Critical Web Applications- White Paper From SPI Dynamics
http://www.sans.org/info.php?id=837

2) Is endpoint protection the weakest link in your network security?
FREE analyst report: Enforcing Endpoint Security.
http://www.sans.org/info.php?id=835

3) Ten-week online "Cryptography with Lab" course from Denver University in partnership with Timberline Technologies.
http://www.sans.org/info.php?id=836
*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

In-Q-Tel Head Says Information Sharing Hindered by Excessive Security Concerns (27 July 2005)

Gilman Louie, who heads the CIA's venture capital firm In-Q-Tel, says that disproportionate concern about the security of agency networks has created impediments to information sharing. Agencies are not putting information on their systems because of fears about IT security, so the information is not being shared. According to Mr. Louie, the reasons email does not work across agencies are a lack of trust and an emphasis on the unattainable: perfection.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=36512

[Editor's Note (Pescatore): Boy, a lot of issues rolled up in one here. The intelligence community has *many* barriers to sharing information - most are political, fear of security problems is mostly just a cover story. The never ending quest for the mythical "trusted enclave" has both fed many research budgets while simultaneously providing an excuse for hoarding information.
(Schneier): Is it actually a fear of network security issues that's causing the lack of sharing, or a desire to maintain each group's own purview? ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

British Phonographic Industry Takes Five to Court Over Alleged Illegal Music Downloading (1 August 2005)

The British Phonographic Industry is taking five alleged illegal music downloaders to court. The five defendants allegedly made nearly 9,000 songs available on line. More than 60 other people in the UK who shared music illegally have already settled out of court, paying fines of up to 6,500 GBP (US$11,507).
-http://news.bbc.co.uk/2/hi/entertainment/4735821.stm
-http://www.msnbc.msn.com/id/8786641/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Users Urged to Upgrade to Opera 8.02 (28 July 2005)

Opera Software is recommending that Windows users upgrade to Opera 8.02, which addresses three vulnerabilities. The most serious of these, an error in the way extended ASCII codes are handled in the download dialog, could be exploited to trick people into executing a malicious file. The other two flaws are an image-dragging vulnerability and a link-hijacking problem.
-http://www.eweek.com/print_article2/0,1217,a=156898,00.asp
-http://www.opera.com/download/

Updates Available for Certain Anti-Virus Vulnerabilities (29/28 July 2005)

According to researchers, vulnerabilities in a number of security tools, including the Ethereal network protocol analyzer and the ClamAV and Sophos anti-virus products, could allow attackers to take over vulnerable systems. Ethereal versions 0.8.5 through 0.10.11 contain multiple vulnerabilities, including one in the zlib compression library; all of the problems have been fixed in Ethereal version 0.10.12. Vulnerabilities in the components that process different file formats in ClamAV 0.86.1 have been addressed in 0.86.2. A buffer overflow in a number of Sophos products has been fixed in some versions but not yet in others.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4120
-http://www.theregister.co.uk/2005/07/29/sophos_buffer_overflow_bug/print.html

Symantec: Rewards for Malware Author Conviction Losing Efficacy (20 July 2005)

Symantec has said that it does not believe that offering rewards for information leading to arrest and conviction of those responsible for Internet worms and viruses is effective any longer. This is attributed to the fact that the number of large-scale worms is dwindling and the number of small-scale, for-profit worms is on the rise. Even so, Microsoft intends to maintain its program that helped catch Sasser author Sven Jaschan and which paid US$250,000 to two people instrumental in tracking him down.
-http://www.newsfactor.com/story.xhtml?story_id=37381

ATTACKS, INTRUSIONS & DATA THEFT

Two Servers Breached at University of Colorado (22 July 2005)

The University of Colorado has hired a forensic investigator to look into security breaches of two of the school's servers. A server at the College of Architecture contains information on approximately 900 students and faculty members, while a Health Services server contains information on approximately 42,000 students and university staff. No credit card information was stored on either server and there is no evidence that the information was stolen or has been misused. The university is informing people whose information was stored on the servers by letter and by email; in addition, the school has established a web site and a hot line to answer questions and provide information to those affected by the breaches.
-http://www.thedenverchannel.com/technology/4757407/detail.html

STATISTICS, STUDIES & SURVEYS

Identity Theft Woes Linger (26 July 2005)

A study from Nationwide Mutual Insurance Company found that 28% of those who experienced identity theft were unable to completely restore their good names even a year after the theft had been discovered and efforts had been made to remediate the damage. The average fraudulent charge made to accounts was nearly US$4,000; 16% of those answering the survey said they had to pay for some or all of those charges. Only 17% of those surveyed said they were notified of suspicious activity by their banks or creditors.
-http://www.techweb.com/wire/security/166402606

MISCELLANEOUS

Researcher Permanently Enjoined from Talking About Cisco Vulnerability (29 July 2005)

Researcher Michael Lynn, who last week resigned from his position at Internet Security Systems to speak at the Black Hat Security Conference on how to remotely compromise Cisco routers, has agreed to refrain from speaking about the vulnerability or his exploit techniques in the future. Mr. Lynn and his attorney agreed to "a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at DEF CON." Mr. Lynn may, however, conduct "further research on Cisco products, provided it is done legally." Cisco takes issue not with the existence of a flaw but with the method Mr. Lynn chose to disclose the information.
-http://www.securityfocus.com/news/11260
-http://informationweek.com/story/showArticle.jhtml?articleID=166403564
-http://www.wired.com/news/print/0,1294,68328,00.html
-http://www.techworld.com/security/news/index.cfm?NewsID=4124
-http://www.siliconvalley.com/mld/siliconvalley/12255870.htm?template=contentModules/printstory.jsp

FBI Investigating Researcher Who Disclosed Cisco Vulnerability (29 July 2005)

The FBI is investigating Michael Lynn for allegedly violating trade secrets belonging to his former employer, Internet Security Systems. Mr. Lynn had resigned from ISS after the company warned him not to speak about the vulnerability he had discovered in Cisco routers while reverse engineering the routers' operating system at ISS's request.
-http://www.wired.com/news/print/0,1294,68356,00.html

Cisco warns of IOS IPv6 Flaw, Urges Upgrade (1 August/29 July 2005)

Two days after Michael Lynn's presentation at the Black Hat Security Conference, Cisco issued an advisory warning of a flaw in the way older versions of its Internetwork Operating System (IOS) router software process IPv6 packets. The flaw could allow denial of service and possibly arbitrary code execution. Cisco is encouraging users to upgrade to a fixed version of IOS, which was released in April.
-http://www.theregister.co.uk/2005/08/01/cisco_ipv6_black_hat_vuln/print.html
-http://news.zdnet.com/2102-1009_22-5810669.html?tag=printthis
-http://www.us-cert.gov/cas/techalerts/TA05-210A.html
-http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml

Despite Injunction, Cisco Flaw Information is Still Available (31 July 2005)

DEF CON attendees have taken it upon themselves to use the information Mr. Lynn presented at the Black Hat Security Conference to try to compromise Cisco routers in their possession. One of the researchers remarked that the action Cisco took simply drew attention to the vulnerability. In addition, slides that appear to be from Mr. Lynn's presentation and documents relating to the incident have been posted on a number of web sites.
-http://www.securityfocus.com/news/11263
-http://news.zdnet.com/2102-1009_22-5812611.html?tag=printthis
-http://www.computerworld.com/printthis/2005/0,4814,103598,00.html

Microsoft Genuine Advantage Now Mandatory for Updates (26 July 2005)

Microsoft's Windows Genuine Advantage program has now become mandatory. As of July 26, 2005, users who want downloads from Windows Update, Microsoft Update for Windows, or the Microsoft Download Center must allow the program to verify that they are running a genuine, properly licensed copy of the Windows operating system. If the OS is found to be counterfeit, users have several options. Some will be eligible for free legitimate copies of Windows; they need to provide Microsoft with the source of the counterfeit software, proof of purchase and the actual CD. Users who do not have all of that information can still file a report and will be permitted to purchase a legitimate copy of Windows at a discounted price. Security updates are exempt from Windows Genuine Advantage and will remain available to everyone.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4102
-http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=166402462
[Editor's Note (Schneier): Kudos to Microsoft for exempting security updates from this program. It's to everyone's advantage to have security updates, even for pirated copies. ]

Methods for Circumventing Genuine Advantage Validation Process Already Available (1 August 2005)

Just one day after Microsoft's Windows Genuine Advantage validation went into effect, methods for bypassing the validation process appeared on the Internet. Microsoft is investigating, but says it does not consider the bypass to be a security threat and will likely address it as the system is routinely updated.
-http://www.techworld.com/security/news/index.cfm?NewsID=4134
[Editor's Note (Pescatore): Until there are changes in both the PC hardware platform and Windows, that support a true trusted execution environment, any attempts to protect software with software are going to be broken pretty easily, just as WGA was. Once the Longhorn/Vista operating system ships and runs on new PC mother board platforms, we will actually have a chance to make a leap forward - assuming the bounty seeking vulnerability hunters don't have a field day when the new hardware and software hits the market. ]

Follow-up: Kushnir's Murder Unrelated to Spam (26 July 2005)

Russian police say the murder of known spammer Vardan Kushnir in Moscow was the result of a robbery and unrelated to his spamming activities.
-http://mosnews.com/news/2005/07/26/kushnirclonidine.shtml


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/