Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical FW: Security Wire Perspectives, Vol. 6, No. 12, February 12, 2004

  • From: Howell, Paul
  • Date: Thu Feb 12 06:36:02 2004


-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-FD033513210D38A8@lists.techtarget.com] 
Sent: Thursday, February 12, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 12, February 12, 2004


Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&Offer=swp .

IN THIS ISSUE:

A READ ON THE NEWS
*Microsoft Patch Delay May Contribute to Early Exploit
*Watch Those V-cards!

HEADLINES
*Microsoft ASN Flaw May Be Biggest Flaw Ever Found
*Doomjuice Worm Feeds off Mydoom 
*Windows Security Track Record Improving
*Juniper Networks to Buy Netscreen Technologies

WEEKLY SECURITY PLANNER
*Week 9: Banners in support of system monitoring

WHATIS WORD OF THE WEEK
*ASN.1

YOUR TWO CENTS
Readers sound off on secure coding

TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE

=====================================================

SECURITY WIRE PERSPECTIVES IS SPONSORED BY: F-Secure

Free White Paper - Fortified SSH: A Cost-effective Way to Enable Network
Security 

SSH has proven to be the choice of network managers looking to deliver
critical network security while lowering implementation and maintenance
costs. SSH rigorously controls remote access, cryptographically secures
internal data transfers, and enables end-to-end security in communications
with business partners and customers. This white paper explores the enhanced
features of SSH in protecting data and provides analysis delivering a
favorable ROI versus Open Source alternatives. Click here for your free white
paper: http://searchSecurity.com/r/0,,24536,00.htm?track=NL-358&fsecure

=====================================================

A READ ON THE NEWS

*MICROSOFT PATCH DELAY MAY CONTRIBUTE TO EARLY EXPLOIT
By Shawna McAlearney

Experts are fuming over the lengthy delay -- 200 days -- between when
Microsoft Corp. was first notified of a critical vulnerability affecting all
supported versions of Windows and when it released a patch. Two questions
dominate: how confidential the details of the flaw remained during that
window, and when the first exploit can be expected.

"Everyone in the industry (and that includes the underground) knows that
CERT and most vendors don't release advisories until they have a fix
available," said Richard Forno, a security consultant and former CSO of the
InterNIC. "In the interim, the underground and industry are talking about
it, and the bad guys have a pretty defined window of opportunity to mess
with people."

"If Microsoft really considered this a serious or critical vulnerability for
nearly all Windows users, it should have been a 'drop-everything-and-fix'
thing resolved in a short period of time," said Forno. "Nearly 200 days to
research and resolve a 'critical' vulnerability on such a far-reaching
problem is nothing short of gross negligence by Microsoft, and is a direct
affront to its much-hyped Trustworthy Computing projects and public
statements about how security is playing much more important role in its
products."

A Microsoft spokesperson responded to the large time lapse with this
statement: "Security response requires a delicate balance of speed and
quality. This investigation required us to evaluate several aspects and
instances of this pervasive functionality in order for our engineers to
create a comprehensive and high quality fix. This was an instance in which
due diligence required us to very carefully evaluate the broadest possible
implications of a single anomaly reported to us." 

The vulnerability can permit an unauthenticated, remote attacker to execute
arbitrary code with system privileges. According to the Computer Emergency
Response Team (CERT), any application that loads the ASN.1 library could
serve as an attack vector. "In particular, ASN.1 is used by a number of
cryptographic and authentication services such as digital certificates
(X.509), Kerberos, NTLMv2, SSL and TLS," according to the advisory. Both
client and server systems are affected.

When a New York Times reporter also questioned the lag time, Microsoft
senior program manager Stephen Toulouse replied that a quick response could
introduce another vulnerability if hastily created: "We don't just produce a
fix, we produce a comprehensive fix," he said.

But the flaw's discoverer believes more could have been done, given the
possible ramifications.

"It's the biggest Microsoft flaw we've found -- maybe the biggest ever
found," said Marc Maiffret, chief hacking officer at Aliso Viejo,
Calif.-based eEye Digital Security. "Because it's in a shared component, it
has multiple avenues for attacks -- everything from file sharing to IPSec."

Added Scott Blake, vice president of information security at Houston-based
BindView Corp.: "We believe attacks will be conducted remotely over the
Internet, via e-mail and by browsing Web pages. We expect to see rapid
exploitation -- it's simply a case of when it materializes." 

Experts recommend immediately patching vulnerable systems, focusing on the
most critical systems first. 

"Administrators should concentrate on their most critical network security
infrastructure, such as domain controllers, Exchange servers, VPNs or
firewalls, and worry about desktops and file/print servers later," said Russ
Cooper, TruSecure's surgeon general and editor of the NTBugtraq security
mailing list. 
Patch: http://www.microsoft.com/technet/security/bulletin/MS04-007.asp

**Editor's Note**
Please share your ASN.1 vulnerability stories and comments with us:
mailto:swpcomments@infosecuritymag.com


*WATCH THOSE V-CARDS!
By Shawna McAlearney

With the specter of Valentine's Day looming, security managers should take
note of the increased threat posed by electronic greeting cards sent to
their employees.

Experts say e-cards pose several dangers to enterprises: a virus or worm can
be disguised as a love token, and a greeting can link to a malicious URL that
lets an attacker execute code on an unwary user's system.

Sixty-four percent of 58 SearchSecurity.com minipoll respondents said
e-cards were a threat to their enterprise and more than half (51%) rated the
threat as moderate.

We hear it every year, but still the threat persists. "If someone sends you
a Valentine's e-card, at best they're an unromantic cheapskate; at worst,
they're sending you a virus," Chris Wraight, then technical director of
Sophos Inc., said in an interview two years ago.

Nothing has apparently changed.

"We advocate the old-fashioned approach -- flowers, chocolates or a romantic
meal for two," he mused. "These gestures are much more seductive and don't
carry any risk of infection." 

Security professionals say it's sound advice and have frequently warned that
malicious code can easily be transmitted through e-cards.

"It's a bit of a shame, but it's only a matter of time before really
malicious code exploits e-cards; the problem is that they are html- and
script-based," said Roger Thompson, VP of product development at PestPatrol
Inc., a Carlisle, Pa.-based developer of security tools. "Other than keeping
your antivirus software up to date, the only mitigations are to disable html
in e-mail or to reactively block bad Web sites at your firewall as they are
discovered."

The ePolicy Institute and Bellevue, Wash.-based Clearswift, which provides
security software for electronic communications, published a list of "tips
for corporate e-mail and instant messaging users -- and employers -- eager
to keep their messages clean, compliant and as risk-free as possible."

First, clearly spell out in a security policy what type of language, images
and other content is -- and isn't -- allowed in electronic messaging. Give
employees explicit notice that they don't have a reasonable expectation of
privacy, and educate employees about confidentiality and compliance
concerns.

Also establish and enforce a written e-mail and IM retention and deletion
strategy, making certain electronic business records are retained and
archived while separating and purging nonessential, non-business record
messages. And enforce e-mail and IM policy and training programs with
policy-based content filtering software that works in concert with your
written e-mail and IM policies. 

Minipoll respondents were divided on the best form of mitigation: 41% said
they would filter executable files; 30% would train users not to open them;
and 28% would ban them by blocking the main e-card sites and creating
filters.

More tips:
http://www.clearswift.com/news/pressreleases/ValentineTipsFeb04.pdf
Stories:
http://www.clearswift.com/news/pressreleases/CautionaryTalesFeb04.pdf
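The script below is an added example, not code from the newsletter or from any vendor it names. It implements two of the mitigations discussed above, the executable-attachment filter that most minipoll respondents chose and a check for script in HTML mail bodies, using only Python's standard library, and runs them over a message constructed here to look like a Valentine e-card. The extension list is an assumption (a starting set, not an exhaustive one), and the magic-byte check is there because an executable renamed to look like a picture passes an extension-only filter.

```python
"""Flag risky parts of an inbound message: attachments that Windows would run
(by extension, or by the PE 'MZ' magic bytes regardless of the name the
sender chose) and HTML bodies that carry script.

Added example, not from the newsletter or any product it names. The sample
e-card below is constructed; the extension list is a starting assumption.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that run directly when double-clicked on Windows (assumption: a
# starter list, not an exhaustive one).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
PE_MAGIC = b"MZ"


def classify_part(part):
    """Return the reasons one MIME part is risky (an empty list if it is not)."""
    reasons = []
    filename = part.get_filename() or ""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if part.get_content_maintype() != "multipart":
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(PE_MAGIC):
            reasons.append("PE executable by magic bytes, whatever the name says")
        if part.get_content_type() == "text/html" and b"<script" in payload.lower():
            reasons.append("HTML body containing script")
    return reasons


def scan_message(raw):
    """Walk every MIME part of a raw message; return [(name, reasons), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        reasons = classify_part(part)
        if reasons:
            findings.append((part.get_filename() or part.get_content_type(), reasons))
    return findings


def build_sample_ecard():
    """A constructed 'Valentine' carrying all three problems at once."""
    msg = EmailMessage()
    msg["From"] = "secret.admirer@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Someone sent you a Valentine!"
    msg.set_content("Open the attached card to see who loves you.")
    msg.add_alternative(
        "<html><body><script>location='http://example.com/card'</script>"
        "<p>Open the attached card to see who loves you.</p></body></html>",
        subtype="html")
    # A PE file renamed to look like an image: the extension check misses it,
    # the magic-byte check catches it.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="valentine.jpg")
    # A screensaver: an executable by extension alone.
    msg.add_attachment(b"not really a screensaver", maintype="application",
                       subtype="octet-stream", filename="card.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_ecard()):
        print(f"{name}: {'; '.join(reasons)}")
```

Run it and each flagged part is printed with its reasons. The renamed executable is caught only by the magic-byte check, which is why a gateway filter should look inside attachments rather than trust the name the sender chose; a plain text message with no attachments produces no findings at all.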

=====================================================

HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily

*Microsoft ASN Flaw May Be Biggest Flaw Ever Found
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html?track=NL-358
Experts are concerned about a recently announced Windows vulnerability,
which affects multiple versions of the operating system. The flaw can be
exploited in a variety of ways to remotely attack systems.


*Doomjuice Worm Feeds off Mydoom 
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949636,00.html?track=NL-358
A new network worm appeared yesterday, which takes advantage of machines
compromised by Mydoom-A. After infecting machines, Doomjuice tries to launch
a distributed denial-of-service attack on Microsoft's Web site.  


*Windows Security Track Record Improving
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949350,00.html?track=NL-358
An analysis of Microsoft's security endeavors, licensing and software plans
by analyst firm Gartner found that the software giant's security track
record has improved significantly despite a tendency to shift blame for
security compromises to hackers and worm writers. 


*Juniper Networks to Buy Netscreen Technologies
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949351,00.html?track=NL-358
Juniper Networks announced Monday morning it will acquire Netscreen
Technologies, a provider of network security products, in a $4 billion stock
swap. 

=====================================================

*ADVERTISEMENT*

Provide a clear return on investment to your organization with the most
efficient Single Sign-on Solution.
* Increase Network Security.
* Reduce Help Desk Costs.
* Simplify End User Computing.
FREE SINGLE SIGN-ON ROI WHITEPAPER: Technology Analysis for Citrix(r)
MetaFrame(r) Password Manager. Enterprise Management Assoc. reviews
challenges facing IT departments, the cost & complexity of password
management.
Click here: http://searchSecurity.com/r/0,,24535,00.htm?track=NL-358&citrix

=====================================================

WEEKLY SECURITY PLANNER

In an effort to help busy security managers, CISSP Shelley Bard's weekly
column will build upon the concept of the perpetual calendar
( http://www.searchSecurity.com/tip/1,289483,sid14_gci948651,00.html?track=NL-358 ),
offering a schedule of reminders for a proactive, strategic security
plan. For an archive of previous columns, please visit:
http://searchsecurity.techtarget.com/tipsIndex/0,289482,sid14_tax295570_alpD_idx0,00.html?track=NL-358

Week 9: Banners in support of system monitoring

WHEN: review at least annually, or when legal guidance changes

WHAT: A banner statement advising users that by using the system they
consent to monitoring. If the user proceeds after this banner appears on
their screen, "implied consent" exists. "Express consent" is easier to
prove should a case end up in court; it is obtained through a signed or
"click-through" user acknowledgment that tells users their rights and
responsibilities, and that their actions may be monitored. Using a network
sniffer or auditing tools to monitor e-mail to see what employees are up to,
without that notice and consent (a.k.a. "unauthorized monitoring"), can be
an illegal act.

WHY: There are two reasons to use a warning and monitoring banner: it acts
as a "no trespassing" sign that establishes to users they are now entering
your system; and it states your policy on monitoring. 

Intercepting another person's communications -- including e-mail and stored
information -- without their knowledge or consent can violate privacy rights
and, where a government actor does the intercepting, the Fourth Amendment's
prohibition on unreasonable searches and seizures. The key here is to
establish in advance the rights and expectations of all parties --
employees, employers, IT staff, consultants, and, yes, even hackers. You
should also consider the privacy rights of customers and clients, business
partners and even telecommuters. Three main federal statutes apply: the
Electronic Communications Privacy Act (ECPA), the Stored Wire and Electronic
Communications and Transactional Records Access Act (18 U.S.C. Chapter 121,
commonly called the Stored Communications Act) and the Computer Fraud and
Abuse Act, all of which were amended by the USA PATRIOT Act. Many states
have statutes that deal with the intentional interception of communications
or with intentional unauthorized access to computers.

STRATEGY: If asked to monitor someone, you should involve your legal
counsel. Proceed carefully, as alerting a government agency may result in
your system being seized for further analysis, and may create liability for
you or your organization. Failing to report may likewise result in
regulatory liability. If a government agency is going to be involved, make
sure it's a decision by the highest levels of your organization, not you. In
the meantime, post a banner on your Web site that reflects your legal
counsel's guidance, and establishes expectations of privacy and the right to
monitor.

MORE INFORMATION: For details on the statutes mentioned above, see
http://www.usiia.org/legis/ecpa.html for the ECPA;
http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/121/toc.html
for the Stored Wire and Electronic Communications and Transactional
Records Access Act; and http://www.epic.org for the Computer Fraud and Abuse
Act.

SHELLEY BARD, CISSP, is a senior security network engineer with Verizon
Federal Network Systems (FNS). An infosecurity professional for 17 years,
Bard has briefed and written infosecurity assessments and technical reports
for the White House and Department of Defense, special interest groups,
industry and academia. Please e-mail any comments to
mailto:securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't
necessarily reflect those of Verizon FNS.

Mark D. Rasch, Esq., Senior VP and chief security counsel at Solutionary
Inc., contributed to this article.

NEXT WEEK: Are you throwing out company secrets?

=====================================================

**ASN.1 Minipoll**

Please take a minute to answer our minipoll questions on Microsoft's latest
critical vulnerability.

http://searchsecurity.techtarget.com/news/0,289141,sid14,00.html?track=NL-358

=====================================================

WHATIS WORD OF THE WEEK: ASN.1

ASN.1 (Abstract Syntax Notation One) is a standard way to describe a message
(a unit of application data) that can be sent or received in a network.
ASN.1 is divided into two parts: (1) the rules of syntax for describing the
contents of a message in terms of data type and content sequence or
structure and (2) encoding rules that say how each data item in a message is
actually laid out as bytes. ASN.1 was defined in two ISO standards for
applications intended for the Open Systems Interconnection (OSI) framework:
ISO 8824/ITU X.208 specifies the syntax (for example, which data item comes
first in the message and what its data type is), and ISO 8825/ITU X.209
specifies the Basic Encoding Rules (BER) for ASN.1 (for example, how to state
how long a data item is). Those documents have since been superseded by the
ITU-T X.680 series for the syntax and X.690 for the encoding rules; X.690
also defines the Distinguished Encoding Rules (DER), the restricted BER
subset used for X.509 certificates. Under BER every value is encoded as a
tag byte identifying its type, a length field, and then the contents, so a
decoder must read and validate the length before it can find the next item.

Data types that can be specified include INTEGER, BOOLEAN, REAL, BIT STRING
and OCTET STRING, as well as the structured types SEQUENCE and SET, which
contain other items. An ENUMERATED data type is one that takes one of several
named values. Data items can be specified as OPTIONAL (not necessarily
present).
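The decoder below is an added example, not code from the newsletter, from Microsoft's library or from any other real ASN.1 implementation. It parses the BER tag-length-value framing just described, recursing into SEQUENCE and SET, and checks every declared length against the bytes actually present before using it. That is the property any ASN.1 decoder needs before it is fed untrusted input such as the certificates, Kerberos tickets and NTLMv2 messages that the vulnerability story above lists as attack vectors; the newsletter gives no detail about the defect in Microsoft's library, and this example makes no claim about it. The sample encodings, good and bad, are constructed by hand.

```python
"""Length-checked BER/DER tag-length-value decoder.

Added example (not from the newsletter or any real ASN.1 library). It decodes
the X.209 framing described above and rejects any element whose declared
length does not fit in the bytes that were actually received. Sample inputs
are constructed by hand for this example.
"""


class BERError(ValueError):
    """Raised for any malformed or untrustworthy encoding."""


def decode_length(buf, pos):
    """Return (length, position just after the length field).

    Short form: a single byte 0x00..0x7F is the length itself.
    Long form:  0x80|n is followed by n big-endian length bytes.
    Rejected:   0x80 (indefinite length, forbidden in DER), more than four
                length bytes, a truncated length field, and any length that
                exceeds the bytes remaining in buf.
    """
    if pos >= len(buf):
        raise BERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise BERError("indefinite length not accepted")
        if n > 4:
            raise BERError("length field wider than four bytes")
        if pos + n > len(buf):
            raise BERError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    # The check a decoder must never skip: compare the declared length with
    # what is really there before copying, allocating or advancing.
    if length > len(buf) - pos:
        raise BERError(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return length, pos


def decode_tlv(buf, pos=0):
    """Decode one element at pos -> ((tag, value), position after the element).

    Primitive elements yield their raw contents as bytes; constructed
    elements (bit 0x20 set, e.g. SEQUENCE 0x30 or SET 0x31) yield a list of
    decoded children. Only single-byte tags are handled.
    """
    if pos >= len(buf):
        raise BERError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise BERError("multi-byte tag numbers not supported")
    length, pos = decode_length(buf, pos)
    contents = buf[pos:pos + length]
    pos += length
    if tag & 0x20:
        children, p = [], 0
        while p < len(contents):          # children are bounded by the parent's length
            child, p = decode_tlv(contents, p)
            children.append(child)
        return (tag, children), pos
    return (tag, contents), pos


def decode_integer(contents):
    """Interpret INTEGER contents (two's complement, big-endian)."""
    if not contents:
        raise BERError("INTEGER must have at least one contents byte")
    return int.from_bytes(contents, "big", signed=True)


def is_well_formed(buf):
    """True if buf is exactly one well-formed element with no trailing bytes."""
    try:
        _, end = decode_tlv(buf)
    except BERError:
        return False
    return end == len(buf)


# Constructed samples (not taken from any real protocol exchange).
GOOD = bytes.fromhex("30060201010101ff")            # SEQUENCE { INTEGER 1, BOOLEAN TRUE }
LONG_FORM = bytes([0x04, 0x81, 200]) + bytes(200)   # OCTET STRING of 200 zero bytes
BAD = {
    "huge length": bytes.fromhex("3084ffffffff020101"),  # claims 4 GiB, carries 3 bytes
    "indefinite":  bytes.fromhex("30800201010000"),      # 0x80 length marker
    "truncated":   bytes.fromhex("3006020101"),          # promises 6 bytes, has 3
    "trailing":    GOOD + b"\x00",                       # junk after the element
}

if __name__ == "__main__":
    print(decode_tlv(GOOD))
    for name, sample in BAD.items():
        print(f"{name:12s} well-formed: {is_well_formed(sample)}")
```

Running the block prints the decoded SEQUENCE and a verdict for each malformed sample; all four are rejected, including the one whose length field claims four gigabytes for a nine-byte message. Multi-byte tags and indefinite-length encodings are left unsupported on purpose: DER, which X.509 uses, forbids the latter, and refusing what you do not need is cheaper than parsing it safely.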

Other security definitions:
http://searchsecurity.techtarget.com/glossary/0,294242,sid14,00.html?track=NL-358

=====================================================

YOUR TWO CENTS
Readers sound off

*Secure Coding? Absolutely!
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci948304,00.html?track=NL-358

While I agree with Mary Ann Davidson's assertions that programmers need to
improve the robustness of their code, I would point out that her comparison
between code construction and bridge construction is flawed. I have observed
and, yes, studied bridges for most of my adult life (spanning over fifty
years now), and I have yet to locate a single secure bridge. I've seen lots
of robust bridges -- bridges that are properly designed to handle trains,
trucks and cars. 

I've also seen some bridges that have been constructed in much the same
manner as some current code. One that comes to mind is the Oakland-Alameda
bridge near San Francisco that lost a 30 foot section during an earthquake
in 1989. The bridge was designed for the traffic loads anticipated, but not
the stresses of a temblor. And shortly after the Sept. 11 terrorist attacks,
my son and many of his compatriots were called up to provide "security" for
bridges and tunnels in New York and New Jersey that had no intrinsic
security. 

In summary, it seems that bridges and tunnels require external security
measures, much as current software does. And, while the hope is that most
bridges are designed to handle not only normal expected loads, but also
foreseeable but infrequent external stressors (floods, earthquakes, etc.),
this isn't the case with software. Many programs, from operating systems
through media players, seem to require frequent reloads, complete system
restarts, etc. I'm glad that the software (firmware?) that runs my car
doesn't require such frequent reloads to function correctly. But I would
never argue that my car is "secure." And, observation should show that a car
is more secure than a bridge, and certainly more secure than most software.
I say most because I have used hardened Linux successfully as a firewall
with little concern for its security -- after all, it's a single-purpose
program developed by a lot of qualified folks and has functioned as expected
without problems. I just wish that most commercial software, and bridges,
had the same level of inherent security. 
--Neil Norlund

:::::::::::::::::::::  ABOUT THIS NEWSLETTER  ::::::::::::::::::::::

Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
 
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
 
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
 
_____________________________________________________________________

To unsubscribe from "Security Wire Perspectives":
 
Go to unsubscribe:
http://SearchSecurity.com/u?cid=476375&lid=559334&track=NL-358
 
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
 
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494

------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------




