SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #7
February 16, 2005
SANS 2005, in San Diego in early April (on the ocean), is the largest security and audit training conference and expo in the world. Extraordinary teachers present the most current tools and techniques.
Details at http://www.sans.org/sans2005
TOP OF THE NEWS
Thieves Get Very Sensitive Data on Federal and Commercial Employees
OMB's Evans Wants All Agencies to Use Air Force's Standardized, Securely Configured Model
Man Suing Bank for Cyber Theft Losses
Microsoft Releases IE 7.0 Beta Designed for Security
Gartner Warns Companies Not to be Hasty in Switch to Firefox
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Government Reform Committee Reorganized
Proposed Legislation Would Require Paper Audit Trail for Voting Machines
SPAM & PHISHING
EarthLink Files Four Civil Suits Against Alleged Spammers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
F-Secure Warns of Critical Flaw
MSN Messenger Exploit Published; Microsoft Makes Updates Mandatory
Symantec Warns of Buffer Overflow Flaw
BankAsh-A Trojan Disables Microsoft AntiSpyware, Steals Data
ATTACKS AND INTRUSIONS
Federal Agents Investigating Attacks on Alaska's State Computer Network
Mailman Flaw Exploited, Passwords Stolen
Wichita State University Servers Compromised
STATISTICS, STUDIES AND SURVEYS
Survey Finds 65% of Companies Plan Spending on Anti-Spyware
The Problem With the Not-So-Secret Question
VoIP Security Alliance Formed
*********************** Sponsored by NetIQ ******************************
Assure Compliance & Manage Risks with Free NetIQ eBook! Do you know how to secure your infrastructure and prove compliance with government regulations? Get the insight you need to assure compliance, secure your assets and manage your IT risks. Download a FREE copy of "The Practical Guide to Compliance & Security Risks".
Highlighted Security Training Programs of the Week
Houston, March 10-16, 9 tracks http://www.sans.org/lonestar05
San Diego, SANS 2005, 17 tracks + vendor expo http://www.sans.org/sans2005
Sydney, Australia, Feb. 19-26, 5 tracks http://www.sans.org/darlingharbour05
TOP OF THE NEWS
Thieves Get Very Sensitive Data on Federal and Commercial Employees
Identity thieves posing as legitimate businesses were able to access ChoicePoint profiles that include Social Security numbers, credit histories, criminal records and other sensitive material. ChoicePoint sent warning letters to 30,000 to 35,000 California consumers.
OMB Wants All Agencies to Use Air Force's Standardized, Securely Configured Model (9/7 February 2005)
Officials at the Office of Management and Budget's (OMB) Office of e-Government and Information Technology believe the Air Force's decision to use standardized, securely configured software throughout the service could prove to be a good model for all federal agencies. The plan allows for automatic patch installation and saves a great deal of money through both contract consolidation and the avoidance of unnecessary patch testing. In a related story, OMB and DHS (Department of Homeland Security) officials will lead an interagency task force on developing common solutions for cyber security; the task force aims to increase common processes to save money.
[Editor's Note (Schneier): I agree that the decision to use standard, securely configured software is a good one. (See my essay on the subject from several years ago.) I'm not sure, however, that "Microsoft" and "securely configured" belong in the same product description.
(Pescatore): Using standardized, securely configured software across agencies is a good thing, but the Air Force deal with Microsoft obviously only covered Microsoft products. Most large enterprises have much Linux and Unix software, and having separate approaches for each vendor's software makes no sense. Putting vulnerability management processes in place is much smarter than just saving money in the short run by locking into a single vendor.
(Paller): Two clarifications: Microsoft gets kudos for stepping up to help finalize the agreed upon benchmarks that had already gotten NSA, Center for Internet Security, NIST, and DISA support. Now there is one agreed upon set of benchmark configurations. Those benchmarks facilitated the Air Force procurement. Similar efforts for other operating systems and major applications are under way. This is not a Microsoft-only initiative. ]
Man Suing Bank for Cyber Theft Losses (8 February 2005)
Miami businessman Joe Lopez is suing Bank of America for alleged "negligence in failing to protect his account from known risks" which resulted in an unauthorized wire transfer of more than US$90,000 from his on-line account. A forensic investigation of Lopez's PCs revealed they had been infected with the Coreflood Trojan which in theory allowed the cyber thieves to steal banking account numbers and passwords. Lopez's case alleges Bank of America knew of the danger posed by Coreflood but failed to inform its customers. The case is believed to be the first in which someone has sued a bank for cyber crime losses in the US; the attorney hopes the suit will attain class action status.
[Editor's Note (Ranum): This is an interesting case. If the plaintiff wins, then banks own responsibility for viruses and malcode on end-users' computers. My guess is that's not going to happen. ]
Microsoft Releases IE 7.0 Beta Designed for Security (15 February 2005)
Mike Nash, corporate vice president of Microsoft's Security Business & Technology Unit, discusses the security enhancements in the current version of Internet Explorer and then announces the beta of IE 7.0, a browser designed for safer browsing.
Gartner Warns Companies Not to be Hasty in Switch to Firefox (10 February 2005)
Gartner warns that companies should think carefully before switching to Firefox. While the open source browser has seen a growing popularity, some of the features that make it so appealing may not last. As its market share grows, Firefox is likely to be targeted more frequently by malware and attackers.
[Editor's Note (Pescatore): What the most recent Gartner report actually concluded was "Organizations should not embark on a wholesale switch to Firefox in the near term, but should consider ways to manage browser coexistence because that is the most likely long-term outcome." The security issues were basically (1) while there are definite security advantages to using Firefox, those related to security through obscurity for Firefox won't last forever and (2) since most enterprises will need to have IE running even if users are mostly browsing with Firefox, enterprises need to make sure they have configuration management and software update in place to patch Firefox vulnerabilities just like they do Windows vulnerabilities.
(Schneier): Gartner seems to be saying that the security aspects of Firefox will diminish as time goes on and it's targeted by more malware developers -- but this assumes that security is the only reason people use it. The article mentions the additional features, but doesn't take this into comparison in the prediction.
(Grefer): Several of the appealing Firefox features are also available for Internet Explorer when using the Internet Explorer add-on Maxthon (formerly known as MyIE2), a donate-ware product that may be used free of charge without donation. ]
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Government Reform Committee Reorganized (9 February 2005)
Representative Tom Davis (R-Va.), who chairs the House Government Reform Committee, has eliminated the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The issues covered by that subcommittee, including e-government, cyber security and information sharing, will now have the attention of the full committee. Davis also reorganized the seven subcommittees, all of which will have the opportunity to work on technology issues.
[Editor's Note (Schneier): I keep reading about various government agencies that are involved in cybersecurity. I'm not always a fan of centralization, but can't the government at least get its ducks sorted out, if not all in a row? ]
Proposed Legislation Would Require Paper Audit Trail for Voting Machines (10 February 2005)
Legislators have introduced The Voting Integrity and Verification Act which would require touch screen, optical scanning and lever voting machines to include "a verifiable paper trail and audit capability in time for the 2006 elections." Some states already have similar requirements in place, but there is no such standard in 2002's Help America Vote Act. The proposed legislation has bipartisan support.
[Editor's Note (Schultz): The time for required paper audit trails in electronic voting is here; hopefully, this legislation will pass without any significant hitches. ]
SPAM & PHISHING
EarthLink Files Four Civil Suits Against Alleged Spammers (10/9 February 2005)
On January 18, 2005, EarthLink filed four civil lawsuits against alleged spammers in California, Florida and Washington. The lawsuits were filed in District Court in Atlanta and accuse defendants of violating the CAN SPAM Act, the Computer Fraud and Abuse Act, and the Georgia Computer Systems Protection Act as well as state and federal racketeering laws. EarthLink announced the suits on February 9, and is seeking unspecified damages.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
F-Secure Warns of Critical Flaw (14/11 February 2005)
F-Secure is urging users of its anti-virus products to apply patches for a critical code execution vulnerability that could allow buffer overflow attacks. The flaw lies in the way an anti-virus library processes ARJ archive files.
MSN Messenger Exploit Published; Microsoft Makes Updates Mandatory (11/9 February 2005)
Code for exploiting a libpng vulnerability in MSN Messenger has been published on the Internet. Several examples of the code have been discovered, along with directions on how it can be used to cause MSN Messenger to crash or to run code remotely. Microsoft released a patch (MS05-009) for the critical vulnerability on Tuesday, 8 February and recommends that customers download and apply it as soon as possible. On Friday, 11 February, Microsoft began restricting MSN Messenger service to those with updated versions: MSN Messenger 6.2.0205 or the beta of MSN Messenger 7.0.
[Editor's Note (Tan): This is a good move by Microsoft to force those clueless users to upgrade. It would be better if Microsoft could take a further step by working with Internet service providers to ensure users' systems are forced to patch with this approach. ]
Symantec Warns of Buffer Overflow Flaw (10/9 February 2005)
A flaw in the way an anti-virus scanning component processes .upx compressed files affects many Symantec products; the vulnerability could be exploited to create a buffer overflow, resulting in the injection and execution of malicious code. Symantec is encouraging users to apply appropriate updates.
Additional information may be found at
[Editor's Note (Tan): I am glad Symantec has improved its advisory. The original one was unclear and left many people confused. LiveUpdate may not fix your software. If you are using an old version, you may either need to purchase a new version or disable the vulnerable decomposer engine. ]
BankAsh-A Trojan Disables Microsoft AntiSpyware, Steals Data (10 February 2005)
Microsoft is looking into reports of a Trojan horse program, BankAsh-A, that attacks the company's anti-spyware product, which is still in beta. BankAsh-A tries to disable Microsoft AntiSpyware and to steal passwords and banking account information.
[Editor's Note (Shpantzer): This week's rash of stories of serious vulnerabilities in defensive applications is interesting. There used to be a time when these applications were trusted and, if you had them, you were doing alright against a vanilla attack against opportunistic targets. This past year we've seen more and more attack vectors that have anticipated these defensive applications, seeking to disable them, before continuing on to steal the data or hosing a third party site with hijacked bandwidth. ]
ATTACKS AND INTRUSIONS
Federal Agents Investigating Attacks on Alaska's State Computer Network (10 February 2005)
The FBI is reportedly investigating denial-of-service attacks on Alaska's state computer network. The Department of Homeland Security and the CIA are also believed to be involved, but officials are not commenting on the case.
Mailman Flaw Exploited, Passwords Stolen (10 February 2005)
Attackers used a remote directory traversal attack to exploit a flaw in Mailman, the open-source mailing list manager program, and steal a password file belonging to the Full-Disclosure security discussion group. An advisory on the Mailman site urges vulnerable users to apply available patches.
Wichita State University Servers Compromised (9 February 2005)
Three Wichita (KS) State University servers have been compromised, but the attacker did not steal any data, according to the university. The attacker was apparently looking for a place to store stolen music or movie files. The servers are reportedly watched 24 hours a day from a security room, but the intrusion occurred over the weekend when they were not being monitored. The FBI is looking into the matter.
STATISTICS, STUDIES AND SURVEYS
Survey Finds 65% of Companies Plan Spending on Anti-Spyware (14 February 2005)
A Forrester Research survey of 185 North American companies found that 65% plan to spend money on protecting their systems from spyware. Although 80% of the companies already have spyware tools, the tools were deployed after infections had been discovered rather than proactively.
The Problem With the Not-So-Secret Question (9 February 2005)
Bruce Schneier points out that the secret question method often used as authentication when passwords are forgotten is an even less secure protocol than passwords. Schneier describes one occasion when he forgot his password and, because he had generated a nonsense random answer to the secret question by slapping at the keyboard, he had to call the organization to get his password reset. Schneier points out that it should be harder to access an account if a password is forgotten, not easier; the answers to secret questions are often easy to divine. Schneier concludes that "passwords have reached the end of their useful life."
VoIP Security Alliance Formed (8 February 2005)
The VoIP Security Alliance comprises more than 20 security and networking organizations; the group plans to monitor and help mitigate new and existing VoIP security risks. Attacks on VoIP will become more likely as it becomes more widely used, and as data and voice networks converge.
[Editor's Note (Shpantzer): I lurk on the email list maintained by voipsa.org and have learned quite a bit about this topic. ]
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit