Historical SANS NewsBites Vol. 6 Num. 6

  • From: The SANS Institute
  • Date: Wed Feb 11 11:47:49 2004

Late Breaking News: 
Microsoft released three new security bulletins yesterday.  One of them
affects the Abstract Syntax Notation (ASN) library which is used by many
of the security and authentication services on Windows OSes.

This is a CRITICAL update which needs to be addressed as soon as
possible. The ASN library is used in essentially every network daemon:
VPN clients, HTTPS, NTLM authentication. If you remember, ASN.1 issues
were behind the spree of OpenSSL bugs last year. Run Windows Update
now. Don't delay.
Microsoft's Security Bulletin:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp

You'll notice in this issue an increase in stories about information
security in Asia.  For the expanded coverage we can thank Koon Yaw Tan
of the Infocomm Development Authority of Singapore, who has graciously
agreed to join the NewsBites editorial board.

                                 Alan

*************************************************************************
SANS NewsBites               February 11, 2004             Vol. 6, Num. 6
*************************************************************************

TOP OF THE NEWS
  DHS Creates Three New IT Security Organizations
  OMB: Security Must Come First
  Study Shows Most Web Applications Have Vulnerabilities 
  Tracking Legal Liability For Security Breaches

INTERNET VOTING STORIES
  Pentagon Won't Use SERVE Internet Voting System
  Michigan Goes Ahead with Internet Voting
** Also see Matt Bishop's Letter to the Editor at the End of NewsBites

THE REST OF THE WEEK'S NEWS
  South Korea Spammers Fined
  Music Industry Investigators Raid KaZaA Offices
  DHS's Amit Yoran Interviewed
  Man Pleads Guilty in PayPal Phishing Case
  Senator Calls for Mandatory Alerts
  Bill Would Increase Penalties for Cyber Criminals Who Falsify Web
     Registration Information
  Treasury Department Warns of Fraudulent Fee Notices and Phishing Scheme
  Microsoft Releases Hidden Data Removal Tool
  Chinese Government to Crack Down on Spam
  Mobile Phone Spam a Growing Problem in Asia

VULNERABILITY UPDATES AND EFFECTS
  New Mydoom Variant 
  Microsoft Releases XML Update for IE Patch
  Denial-of-Service Attack Vulnerability in OpenBSD Implementation of
     IPv6
  Check Point Firewall Vulnerabilities
  RealNetworks Update for Media Player Vulnerabilities
  Cisco Offers Upgrades for Flaw in Catalyst 6000/6500 Switches and Cisco
     7600 Routers

LETTER TO THE EDITOR
  Matt Bishop Clarifies the eVoting Vulnerability Study

************************* Sponsored by Check Point **********************

Check Point Software presents InterSpect, the first and only complete
Internal Security Gateway that blocks the spread of worms and attacks
inside the network.

Built specifically to protect internal networks, Check Point InterSpect
provides intelligent worm defense, network zone segmentation, quarantine
capabilities, and LAN protocol protection all in one easy to deploy
appliance that protects your network from threats within.

View a FREE Analyst webinar on Internal Network Security 
CLICK HERE NOW  
http://www.sans.org/cgi-bin/sanspromo/NB292

********************************************************************** 
This Week's Featured Security Training Program:

Security managers and analysts, system and network administrators,
auditors and forensic analysts will each find immersion training focused
on their special needs, and all taught by the highest-rated instructors
in the US.  And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004

*************************************************************************


TOP OF THE NEWS

 --DHS Creates Three New IT Security Organizations
(9 February 2004)
The Homeland Security Department (DHS) has created three organizations
to bolster IT defenses and coordinate system threat responses.  The new
organizations are the Government Forum of Incident Response Teams
(G-FIRST), the Chief Information Security Officers Forum and the Cyber
Interagency Incident Management Group.
http://www.gcn.com/vol1_no1/daily-updates/24896-1.html
[Editor's Note (Schultz): Why three organizations when there are already
too many incident response teams and capabilities within the US
government?]

 --OMB: Security Must Come First
(5 February 2004)
The Office of Management and Budget (OMB) Administrator for E-Government
and IT Karen Evans wants agencies to spend money getting their IT
security up to snuff before they "develop, modernize or enhance" any
systems.  Agencies that have demonstrated good security (practices) are
exempt from this requirement.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24856
http://www.fcw.com/fcw/articles/2004/0202/web-ombsecurity-02-05-04.asp
[Editor's Note (Schneier): Doesn't upgrading security count as
"developing, modernizing, or enhancing" systems?  Seems like a false
dichotomy, even if it's a good priority.]

 --Study Shows Most Web Applications Have Vulnerabilities 
(5 February 2004)
A four-year test of more than 250 Web applications found that at least
92% of them were vulnerable to attacks including cross-site scripting,
SQL injection and parameter tampering.  WebCohort's Application Defense
Center conducted the test, which looked at applications on "e-commerce,
online banking, enterprise collaboration and supply chain management
web sites."
http://www.vnunet.com/News/1152521

 --Tracking Legal Liability For Security Breaches
(4 February 2004)
Scott Berinato of CIO Magazine provides a summary of recent litigation
in which user organizations are paying for their security mistakes.  A
new case has been filed against Microsoft claiming that the company's
dominance may give it an affirmative responsibility for foreseeable
losses -- including identity theft.
http://www.computerworld.com/printthis/2004/0,4814,89854,00.html
[Editor's Note (Schultz): The fact that software vendors have for so
long successfully evaded responsibility for the problems bugs in their
software have caused is troubling.  Hopefully, a change in which vendors
are increasingly held responsible for faulty software is imminent.
(Ranum): I've seen discussions of this article in which people with a
greater understanding of the law have pointed out that the conclusions
drawn from this article are much more far-reaching than they should be,
given the significance of the litigation.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE White Paper: "Why the web browser is the most dangerous  
hacking tool"
http://www.sans.org/cgi-bin/sanspromo/NB293

(2) Invest in the best network protection. Introducing the Microsoft(r)  
Security Readiness Kit.
http://www.sans.org/cgi-bin/sanspromo/NB294
 
(3) Event Log Strategies: Free white paper plus archiving, monitoring,  
and analysis software!
http://www.sans.org/cgi-bin/sanspromo/NB295

(4) From SANS: HIPAA Security Implementation is a step by step guide for IT staff of hospitals.  Thorough and extremely cost effective.  
https://store.sans.org/store_item.php?item=117

***********************************************************************


STORIES ABOUT INTERNET VOTING 

 --Pentagon Won't Use SERVE Internet Voting System
(5 February 2004)
Citing concerns about the security of the Secure Electronic Registration
and Voting Experiment (SERVE), the US Defense Department has decided
against using it in the forthcoming elections.  The decision came just
over a week after a report was released questioning the system's
integrity.  The system may be used if, after further study, it appears
that voting integrity can be assured.  SERVE was developed to allow
Americans living abroad, including those in the armed forces, to use
the Internet to vote.  Seven states had hoped to use the system in
upcoming elections.
http://www.computerworld.com/printthis/2004/0,4814,89902,00.html
http://news.com.com/2102-1029_3-5154321.html?tag=st.util.print
Text of the Panel's Report: http://www.servesecurityreport.org/paper.pdf
[Editor's Note (Schneier): I suspect that this is more a nod to
publicity and realpolitik than to any perceived need on the Pentagon's
part to fix security, but it's nevertheless the right choice at this
point.  Of course, the correct choice would have been to build a system
that didn't fall over at the first push.]

 --Michigan Goes Ahead with Internet Voting
(6 February 2004)
Despite the Pentagon's decision, Michigan decided to go ahead with its
Internet voting system.  Michigan Democratic Party spokesman Jason Moon
said their system is different from the Pentagon's but scientists who
found flaws in the Pentagon system said the Michigan system has many of
the same problems.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4304882

THE REST OF THE WEEK'S NEWS 

 --South Korea Spammers Fined
(9 February 2004)
South Korea's Fair Trade Commission has fined 25 spammers between 1
million and 7 million KRW ($860-$6020 USD) for violations of the
E-Commerce Consumer Protection Law.
http://times.hankooki.com/lpage/biz/200402/kt2004020919282811860.htm
[Editor's Note (Shpantzer): Unless the fines and subsequent penalties
for re-offending get heavier, this is a low cost of doing business for
spammers.]

 --Music Industry Investigators Raid KaZaA Offices
(6 February 2004)
Music Industry Piracy Investigations, an industry-owned group, raided
the offices of peer-to-peer network KaZaA to gather evidence in a
copyright breach/music piracy case.  They also raided the offices of
Sharman Networks, KaZaA's parent company, as well as the homes of two
company executives, several universities and service providers.
http://www.wired.com/news/print/0,1294,62192,00.html
http://news.com.com/2102-1027_3-5154506.html?tag=st.util.print
http://news.bbc.co.uk/2/hi/entertainment/3465251.stm

 --DHS's Amit Yoran Interviewed
(6 February 2004)
The first story is an interview with Amit Yoran, head of the Homeland
Security Department's (DHS) National Cyber Security Division.  In the
second story, Yoran says DHS is exploring alternatives to the Patch
Authentication and Dissemination Capability (PADC).
http://www.washingtonpost.com/ac2/wp-dyn/A12893-2004Feb4?language=printer
http://gcn.com/vol1_no1/security/24857-1.html

 --Man Pleads Guilty in PayPal Phishing Case
(5 February 2004)
Alec Scott Papierniak of Minnesota has pleaded guilty in federal court
to wire fraud; he admitted to using a phishing scheme to steal funds
from PayPal customers and to sending keystroke-logging software to some
of his victims.  Papierniak has agreed to pay restitution; he will be
sentenced in May.
http://www.theregister.co.uk/content/55/35365.html

 --Senator Calls for Mandatory Alerts
(4 February 2004)
Senator Charles Schumer (D-NY) would like the Homeland Security
Department's (DHS) National Cyber Security Division (NCSD) to "become
the functional equivalent of the Centers for Disease Control," sending
mandatory alerts to critical infrastructure and service providers
through secure channels when cyber attacks reach a prescribed threshold.
Schumer spoke critically of the NCSD's newly launched plan, which sends
virus alerts via e-mail; he fears that format could be exploited to
spread viruses.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24843

 --Bill Would Increase Penalties for Cyber Criminals Who Falsify Web
    Registration Information
(4/7 February 2004)
Representatives Howard Berman (D-Calif.) and Lamar Smith (R-Texas) last
week introduced the Fraudulent Online Identity Sanctions Act, a bill
that calls for increased penalties for cyber criminals who falsify
information in their web site registrations.  While one of the bill's
sponsors initially wanted to criminalize all false web site
registrations, he changed his mind after it was pointed out to him that
some people have a legitimate need to protect their identities on line.
Berman also wants the bill expanded to hold registrars accountable for
ensuring the registration information is accurate.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4284484
http://www.wired.com/news/print/0,1294,62198,00.html
[Editor's Note (Pescatore): This is a touchy issue, and legislation
should be the last resort. The first resort should be ICANN forcing
registrars to enforce existing guidelines on the accuracy of
registration information.]

 --Treasury Department Warns of Fraudulent Fee Notices and Phishing Scheme
(4 February 2004)
The US Treasury Department has issued an alert, warning of two
"fraudulent schemes."  The first is a phishing scam, which has already
generated some press; in the second, bank customers receive phony
"ANTI-TERRORIST STOP ORDER letters" telling them they must pay a $25,000
fee for a certificate in order to conduct further transactions.
http://www.fcw.com/fcw/articles/2004/0202/web-phish-02-04-04.asp
http://www.nasdr.com/mem_alert2004_03.htm

 --Microsoft Releases Hidden Data Removal Tool
(2 February 2004)
Microsoft has released Remove Hidden Data Add-In Tool, which will remove
data such as change tracking and comments from documents.  The tool
works with Microsoft Word, Excel and PowerPoint files for Office
XP/2003.
http://www.theregister.co.uk/content/4/35277.html
http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en
[Editor's Note (Shpantzer): Unfortunately the vast majority of users
still haven't switched to the latest versions of office, so this will
continue to be a problem for quite a while.  One does not need to be a
sophisticated hacker to get the metadata; it is retrievable with a hex
editor, or even at the end of the data stream if you open a Word doc
with the Notepad application. Go to www.office.microsoft.com and search
'metadata' for tips on how to remove this from your documents.
(Schneier): About bloody time.  Hidden data has been a problem with
Office files since before Word, Excel, et al. were clumped into Office.
Of course, it would have made more sense to build the applications
without the hidden data problems in the first place.  It'll be
interesting to see if there's any fallout from data missed or unintended
consequences, of course.]

 --Chinese Government to Crack Down on Spam
(2 February 2004)
Chinese government ministries are working together to fight spam; the
government hopes that by June, 90% of the country's e-mail servers will
have measures in place to prevent spam.  The government is especially
concerned with spam's potential for distributing pornography and
subversive political material.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/7855530.htm

 --Mobile Phone Spam a Growing Problem in Asia
(2 February 2004)
Spammers are increasingly targeting mobile phone users in Asia.  DoCoMo
is taking measures like blocking messages that don't have specified
recipients; it has also cut off more than 2,000 lines for spam abuse
and in some instances has sought damages.
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=4267497
[Editor's Note (Ranum): This is inevitable. As statistical anti-spam
filters and heuristic methods improve, most end-point software will be
increasingly able to react to spam. It's the captive devices, in which
a user will be unable to update the firmware, that will be unable to
react. Pagers, cell phones, PDAs, bluetooth devices, etc., will all be
targeted by spammers.]

VULNERABILITY UPDATES AND EFFECTS

 --New Mydoom Variant 
(9 February 2004)
The Mydoom.C virus, also known as SyncZ or Doomjuice, uses computers
infected with the original Mydoom virus to launch a denial of service
attack on Microsoft's web site.  It does not spread through e-mail; it
does, however, leave a copy of the original Mydoom source code on the
hard drive of each infected computer, possibly as an attempt to obscure
the code's origin.
http://www.computerworld.com/printthis/2004/0,4814,90005,00.html
http://www.eweek.com/article2/0,4149,1522236,00.asp
http://www.msnbc.msn.com/id/4224954/

 --Microsoft Releases XML Update for IE Patch
(6 February 2004)
The update is part of recently released Service Packs.
http://www.eweek.com/print_article/0,3048,a=118538,00.asp

 --Denial-of-Service Attack Vulnerability in OpenBSD Implementation of IPv6
(6 February 2004)
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949128,00.html

 --Check Point Firewall Vulnerabilities
(4/6 February 2004)
Attackers are already aware of and exploiting one of the flaws to
install backdoors on vulnerable systems, according to Internet Security
Systems (ISS).  Check Point has released a patch for one of the flaws
but not the other because they no longer support the software in which
the flaw exists.
http://news.com.com/2102-1002_3-5153635.html?tag=st.util.print
http://www.nwfusion.com/news/2004/0205isswarns.html
http://www.theage.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004/02/06/1075854052508.html
http://www.us-cert.gov/cas/techalerts/TA04-036A.html

 --RealNetworks Update for Media Player Vulnerabilities
(5/6 February 2004)
http://www.eweek.com/print_article/0,3048,a=118452,00.asp
http://news.com.com/2102-7349_3-5154193.html?tag=st.util.print
http://www.theregister.co.uk/content/55/35390.html
http://www.newsfactor.com/story.xhtml?story_title=RealNetworks_Sounds_Security_Alarm&story_id=23138&category=netsecurity
http://service.real.com/help/faq/security/040123_player/EN/

 --Cisco Offers Upgrades for Flaw in Catalyst 6000/6500 Switches and Cisco 7600 Routers
(4 February 2004)
http://www.nwfusion.com/news/2004/0204cisflaw.html

LETTER TO THE EDITOR

 --Matt Bishop Clarifies the eVoting Vulnerability Study
Matt Bishop, America's leading security academic and the author of the
definitive college text on Information Security, wrote to us about an
item in last week's NewsBites regarding a study of the security of
Diebold electronic voting machines. Obviously he played a role in the
study.
Our summary of the news read:
 --Study Finds Vulnerabilities in e-Voting Hardware
(29 January/1 February 2004)
A study conducted by RABA Technologies of the Diebold electronic
voting system slated to be used in Maryland's March presidential primary
elections found that while the system tabulated votes accurately, it
remained vulnerable to tampering that could affect the authenticity of
each vote.  The study, which was commissioned by Maryland's legislative
services department, focused on the system's hardware.
http://www.wired.com/news/print/0,1294,62109,00.html
http://tn01.com/usatoday/sbct.cgi?s=906902457&i=932220&m=1&d=5392237
RABA's Report: http://www.raba.com/press/TA_Report_AccuVote.pdf

Matt commented:
The study did not "focus[ed] on the system hardware", nor did the study
find problems in the hardware only; it also found problems in the
software. The hardware problems arose in four places: first, in the
ability to pick the locks on the machines; second, in the ability to
disconnect the wires connecting the monitor; third, in the ability to
put the machine into an internal loop by repeatedly shoving the voter
card in as it tried to eject; and fourth, to use a bogus smart card.
The rest of the problems were in software, and I'd argue that the smart
card problem was a software problem as well, since once the passwords
that protected the smart cards were discovered (and they were very easy
to find; the report explains that they were first guessed, then found
in another way), bogus cards could be made.

Further, all the attacks on the GEMS server were software-based; the
only hardware components were the lack of protection of the USB port
and a potential attack on the phone switch (which wasn't necessary; a
bit of social engineering would have worked just as well).

The NewsBites item made it sound like the study targeted only the hardware,
and that the only flaws the study found were in the hardware, so if you
protected the hardware of the systems, you were fine. All of this is
completely false; the study targeted the systems as they would be used
in an election, flaws were found in the software, and protecting the
hardware is not enough; changes had to be made to the software too (see
for example recommendations 1, 3, 4, 5, 6, 7, 8, and 9 on p. 22; the
general recommendations go even further).

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites.  For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
