Merit Network Email List Archives: Network Security

Historical FW: Security Wire Perspectives, Vol. 6, No. 14, February 19, 2004

  • From: Howell, Paul
  • Date: Thu Feb 19 05:44:22 2004


-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-6A8F3EFBFD4401D7@lists.techtarget.com] 
Sent: Thursday, February 19, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 14, February 19, 2004


Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&Offer=swp .

IN THIS ISSUE:

A READ ON THE NEWS
*Patching ASN.1 No Quick Call
*RSA Preview: Gates Facing Weary Crowd 

HEADLINES
*Netsky-B Soars From Europe to the US
*Sun Combats Security Holes in Cancelled Cobalt Line
*The Privacy Fallacy 
*Gartner Advises Firms to Deactivate Bluetooth
*Bagle-B Begins to Boil 
*Ibiza Trojan Is a Trip 
*ASN.1 Exploit Code Circulating; Universal Shellcode Only a Matter of Time  

WEEKLY SECURITY PLANNER
Week 10: Are you throwing out company secrets? (Part 1 -- Physical
records)

WHATIS WORD OF THE WEEK
*Source code

YOUR TWO CENTS
Readers sound off on our Microsoft ASN.1 coverage

TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE

=====================================================

SECURITY WIRE PERSPECTIVES IS SPONSORED BY: CipherTrust 

*** EMAIL SECURITY: Spam: A Security Issue *** 

Spammers are attacking the security and integrity of corporations. In this
white paper, you'll learn to defend your organization against these threats.
Topics include: 

* The security threat presented by spam 
* Spammer methods and techniques 
* The impact, including liability and damage to your reputation 

Request your white paper at:
http://searchSecurity.com/r/0,,24837,00.htm?track=NL-358&ciphertrust

=====================================================

A READ ON THE NEWS

*PATCHING ASN.1 NO QUICK CALL
By Shawna McAlearney

Despite being billed as one of the worst flaws ever found in Windows
software, many security managers and administrators didn't immediately apply
a patch for the ASN.1 parser library vulnerability, according to a recent
SearchSecurity.com minipoll. 

Forty percent of respondents planned to test the patch prior to applying it,
while another 12% planned to apply it on a routine schedule, according to
the poll, which drew 138 responses immediately following news of the
vulnerability.

Interestingly, Microsoft said it took 200 days before releasing the patch to
make sure it didn't break other applications. That only 43% of those polled
planned to immediately apply the patch indicates internal QA remains a
critical component of an enterprise's patch management system -- regardless
of how well tested it is by the software maker.

Given that patch pattern, it's no wonder that 77% said the delay wasn't
warranted, according to the poll results.

This vulnerability is caused by integer overflows and other flaws in integer
arithmetic in the ASN.1 parser library in Microsoft Windows NT 4.0, 4.0 TSE,
2000, XP and Server 2003. It can permit an unauthenticated remote attacker
to execute arbitrary code with system privileges. According to the Computer
Emergency Response Team (CERT), any application that loads the ASN.1 library
-- including a number of cryptographic and authentication services -- could
serve as an attack vector. 
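The flaw class named above (an integer overflow in the length arithmetic of a BER/DER parser) is easy to state and easy to get wrong, so here is an added illustration in C. It is not the Windows ASN.1 library's code and not the actual bug; it is a constructed, minimal BER length decoder with the vulnerable size computation beside a hardened one. The sample TLVs are hand-made for this example, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed sample inputs (hand-made for this example, not captured traffic).
 * Each is one BER TLV: tag byte, length field, then content bytes.
 */
static const uint8_t SAMPLE_GOOD[]  = { 0x04, 0x03, 'a', 'b', 'c' };
/* Long-form length: 0x84 = "four length bytes follow", value 0xFFFFFFFC */
static const uint8_t SAMPLE_WRAP[]  = { 0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFC, 'x', 'y' };
/* Short-form length 0x10 claims 16 content bytes, but only one is present */
static const uint8_t SAMPLE_SHORT[] = { 0x04, 0x10, 'a' };

/*
 * Decode a BER length field at buf[0]. Stores the content length in *len and
 * returns the number of length bytes consumed, or 0 if the field is malformed
 * (truncated, indefinite form 0x80, or more than 4 length bytes).
 */
static size_t ber_read_length(const uint8_t *buf, size_t avail, uint32_t *len)
{
    if (avail < 1) return 0;
    uint8_t b = buf[0];
    if (b < 0x80) {            /* short form: the byte itself is the length */
        *len = b;
        return 1;
    }
    size_t n = b & 0x7F;       /* long form: low 7 bits = number of length bytes */
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
    *len = v;
    return 1 + n;
}

/*
 * VULNERABLE: size of the whole element = header bytes + content bytes, computed
 * in 32-bit arithmetic with no overflow check (the cast keeps it 32-bit on
 * 64-bit hosts too). A caller that does malloc(size) and then copies
 * content_len bytes into it writes far past the end of the allocation.
 * Returns the computed size, or 0 if the header itself could not be parsed.
 */
uint32_t unsafe_element_size(const uint8_t *buf, size_t avail)
{
    uint32_t content_len;
    if (avail < 2) return 0;
    size_t len_bytes = ber_read_length(buf + 1, avail - 1, &content_len);
    if (len_bytes == 0) return 0;
    uint32_t header = (uint32_t)(1 + len_bytes);
    return header + content_len;   /* BUG: wraps when content_len > UINT32_MAX - header */
}

/*
 * HARDENED: same parse, but reject any length whose addition would wrap, and
 * any length that claims more content than the input actually contains
 * (which would otherwise become an over-read of whatever follows the buffer).
 * Returns the size, or 0 if the element is rejected.
 */
uint32_t safe_element_size(const uint8_t *buf, size_t avail)
{
    uint32_t content_len;
    if (avail < 2) return 0;
    size_t len_bytes = ber_read_length(buf + 1, avail - 1, &content_len);
    if (len_bytes == 0) return 0;
    uint32_t header = (uint32_t)(1 + len_bytes);
    if (content_len > UINT32_MAX - header) return 0;   /* addition would wrap */
    if (content_len > avail - header) return 0;         /* claims bytes not present */
    return header + content_len;
}

int main(void)
{
    /* Well-formed element: both computations agree on 5 bytes. */
    printf("good : unsafe=%u safe=%u\n",
           (unsigned)unsafe_element_size(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           (unsigned)safe_element_size(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    /* 6-byte header + 0xFFFFFFFC wraps to 2: a 2-byte heap block for a ~4 GB copy. */
    printf("wrap : unsafe=%u safe=%u\n",
           (unsigned)unsafe_element_size(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           (unsigned)safe_element_size(SAMPLE_WRAP, sizeof SAMPLE_WRAP));
    /* Length exceeds input: the unsafe path trusts it, the hardened path rejects. */
    printf("short: unsafe=%u safe=%u\n",
           (unsigned)unsafe_element_size(SAMPLE_SHORT, sizeof SAMPLE_SHORT),
           (unsigned)safe_element_size(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The two checks in the hardened version are the whole fix: compare against `UINT32_MAX - header` before adding (never after, since the wrapped result looks valid), and never trust an encoded length beyond the bytes actually received. Any code path that allocates from a parser-computed size and then copies a parser-supplied length needs both.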

Exploit code began circulating less than a week after the patch was
released, justifying the beliefs of one-third of poll respondents who said
it would happen within days of the patch. An additional 39% said exploit
code would begin circulating within a few weeks, but 18% said it was
circulating prior to the release of the patch, which took Microsoft more
than a half year to produce.

In other Microsoft news, leaked source code may be to blame for an Internet
Explorer vulnerability announced to the Bugtraq security mailing list.
However, experts say the "new" vulnerability was fixed by a patch long ago.

"This is a real vulnerability in old versions of IE5, but was fixed years
ago," said Thor Larholm, a senior security researcher at Newport Beach,
Calif.-based PivX Solutions.

"I believe that (the leaked source code) will cause a period of insecurity
with a horde of vulnerabilities, followed by a hardened OS as a result of
vulnerabilities being exposed," said Larholm. "The weeks to come will show
whether there are any vulnerabilities left that are still exploitable, or if
Microsoft did a thorough job in its Trustworthy Computing initiative."


*RSA PREVIEW: GATES FACING WEARY CROWD 
By Michael S. Mimoso

Microsoft chairman and CEO Bill Gates may not find a friendly reception when
he delivers the opening keynote address at the RSA Conference next week in
San Francisco. 

IT administrators and security officers have had a rugged last 12 months
keeping their Windows systems and networks safe from worms and serious
programming flaws. At RSA, they will see Gates for the first time in front
of a security-only audience and undoubtedly will greet his claims about
Trustworthy Computing and a renewed commitment to security with skepticism. 

In 2003, network-aware worms like Slammer and Blaster blew through gaping
holes in services delivered by Microsoft products like SQL Server and
Windows Remote Procedure Call. Already this year, the Doomjuice worm has
spread via ports left open by the Mydoom worm, the first significant e-mail
worm of the year. 

These are the incidents that will hang over Gates' address, which is
expected to touch on securing corporate environments and helping customers
manage their security operations, a Microsoft spokeswoman said. 

"Security is a top priority for Microsoft. RSA is the most important event
for the security industry," the spokeswoman said. "This is an indication of
how much of a priority security is for Microsoft and the industry." 

Gates' keynote is one of several presentations from industry luminaries.
Also addressing general sessions at RSA will be RSA Security CEO Art
Coviello, Symantec CTO Robert Clyde, Computer Associates senior vice
president Ron Moritz, Sun software vice president Jonathan Schwartz,
VeriSign CEO Stratton Sclavos, author P.J. O'Rourke and ABC News chief
congressional analyst Cokie Roberts.

Attendees have 15 session tracks to choose from, with a heavy focus on
identity and access management, according to Sandra LaPedis, general manager
for the RSA Conference. 

"Organizations are looking for relief from the administrative burdens of
managing multiple identities on multiple systems," LaPedis said. She added
that tracks will be offered that will focus on viruses, spam and patch
management among other hot security issues. 

Other tracks include the business of security, government, secure Web
services, developers, cryptography, two hackers-and-threats tracks, a new
applied security track and others. 

Attendees can also earn credits toward their CISSP certification, or take
the exam during the conference. 

The highlight of last year's conference was a spirited general session on
the value of hiring a reformed hacker for penetration testing in the
enterprise. Hewlett-Packard Co. chief security strategist Ira Winkler and
convicted hacker Kevin Mitnick squared off before a packed auditorium in an
emotional debate that dissolved at times into personal attacks on both
sides. 

Though Winkler is scheduled to head a couple of sessions and participate on
a panel, no similar showdowns are expected. Instead, some of the featured
panels include gatherings on zero-day exploits, penetration testing,
Sarbanes-Oxley and lessons from the worm wars. 

The RSA Conference is also hosting an invitation-only forum for CISOs and
CIOs called the Executive Security Action Forum. The group, made up of
decision makers from the Fortune 500 and federal government, meets for the
first time on Monday. "[The forum will] focus discussions on critical issues
ranging from secure business organization, compliance and regulation, supply
chain, technology landscape and connecting business with government," said
RSA Conference general manager Sandra LaPedis. During the daylong meeting,
participants are expected to toss around ideas on information sharing
between the public and private sectors. They expect to make this an annual
event prior to RSA. 

=====================================================

HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily

*Netsky-B Soars From Europe to the US
SearchSecurity.com 
Netsky-B, a new mass mailer worm, started spreading strongly in Europe this
morning. Antivirus experts warn the worm packs a double wallop as it can
spread via e-mail and through network file shares.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951084,00.html?track=NL-358


*Sun Combats Security Holes in Cancelled Cobalt Line
SearchSecurity.com
More vulnerabilities have been discovered in Sun Microsystems' Cobalt line of
appliances, including some that can allow remote attackers to run arbitrary
code on systems.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950995,00.html?track=NL-358


*The Privacy Fallacy 
SearchCRM.com 
Protecting customer privacy eats up costs, right? If you do it right, one
consultant argues it might actually make you money.
http://searchsecurity.techtarget.com/newsItem/0,289139,sid14_gci951019,00.html?track=NL-358


*Gartner Advises Firms to Deactivate Bluetooth
SearchMobileComputing.com
Following security warnings about Bluetooth from handset makers Nokia and
Sony Ericsson, Gartner is advising most enterprises to deactivate Bluetooth
on their mobile devices.
http://searchsecurity.techtarget.com/newsItem/0,289139,sid14_gci950843,00.html?track=NL-358


*Bagle-B Begins to Boil 
SearchSecurity.com  
A new variant of the Bagle worm appeared this morning as workers return from
a long holiday weekend. 
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950867,00.html?track=NL-358


*Ibiza Trojan Is a Trip 
SearchSecurity.com
Beware of a Trojan masked as a travel Web site. It takes you to places you'd
rather not see. 
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950421,00.html?track=NL-358


*ASN.1 Exploit Code Circulating; Universal Shellcode Only a Matter of Time  
SearchSecurity.com
The first exploit of the Windows ASN.1 vulnerability has surfaced. While the
security community waits to see if the malware gains traction, Microsoft is
still taking it on the chin for waiting six months to release the patch to
one of the biggest holes in the software maker's history.  
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950665,00.html?track=NL-358

=====================================================

**Conference Survey**

Tell us what you'd like to see at the next Information Security Decisions
conference. Who are the top three speakers you'd like to hear? Sessions
you'd like to attend? What can we do to help you get more out of our
conference? Please take a minute to share your thoughts with us!
mailto:jglossner@techtarget.com

=====================================================

WEEKLY SECURITY PLANNER

In an effort to help busy security managers, CISSP Shelley Bard's weekly
column will build upon the concept of the perpetual calendar
(http://www.searchSecurity.com/tip/1,289483,sid14_gci948651,00.html?track=NL-358),
offering a schedule of reminders for a proactive, strategic security
plan. For an archive of previous columns, please visit:
http://searchsecurity.techtarget.com/tipsIndex/0,289482,sid14_tax295570_alpD_idx0,00.html?track=NL-358


Week 10: Are you throwing out company secrets? (Part 1 -- physical
records)

WHEN: Review policy and paper output and holdings at least annually

WHAT: Among the types of discarded information that should be
destroyed: accounts payable and receivable; financial information; business
correspondence; drafts and obsolete contracts; obsolete personnel records;
arbitration/grievance files; job applications; insurance forms and records;
medical records; legal documents; payroll records; classified documents;
customer or client lists and records; ballots and obsolete negotiables
(bearer bonds, coupons), etc.

WHY: We spend so much time protecting our systems that we sometimes forget
about the paper result. If your company doesn't enforce a shredding policy,
company-confidential or proprietary documents probably end up in the trash.
Files with confidential corporate financial or customer information could
give your competitors an unfair advantage. If found by "dumpster diving,"
for example, your company could be sued out of existence. Just last week, a
television news station in Orlando, Fla., found the private information of
hundreds of medical center patients, including financial records, medical
charts and lab tests, in an open dumpster. The records included details of
sexually transmitted diseases, psychological problems, even addictions and
intimate details about a patient's sex life. State and federal government
agencies are getting involved, and patients are considering taking legal
action. A doctor is quoted as saying he believed all such documents were
shredded; a facility manager blames the person transporting the records to
the shredding facility for disposing of them improperly.

STRATEGY: Shredding is a cost-effective and secure solution for your record
destruction requirements. Some companies recycle the shreds, making you feel
better about all the paper you're shredding. You can put shredders on site,
or hire a company to shred your documents. Usually they charge by the pound
being destroyed and offer locked containers to be placed around your site on
a nominal rental basis. Some companies will pick up your documents to take
to their shred facility, and some drive to your site and shred your material
right in the truck while you're watching. I prefer this method -- as
illustrated above, you don't know what really happens once a truck, or an
employee, removes your documents. Place bins or shredders near printers, in
data-producing areas like R&D, personnel, payroll, contracts and legal, etc.


MORE INFORMATION: A requirement of both HIPAA and Sarbanes-Oxley is that
patient records not involved in an investigation, audit or litigation be
destroyed on a regular schedule as approved by the proper officials at the
facility, so that "there is no possibility of reconstruction of
information." Visit the U.S. Department of Health & Human Services' Web site
http://www.hhs.gov/ocr/hipaa or the official DHHS web site for
Administrative Simplification http://aspe.os.dhhs.gov/admnsimp . Please
note, there are more stringent security requirements for destroying Top
Secret and COMSEC documents; the National Security Agency mandates that an 8
1/2" x 11" piece of paper be reduced to 12,000+ particle-size pieces.
Chances are you don't need that much -- just find a destruction solution
that works for your organization while not making it a target for any type
of federal or civil actions.

SHELLEY BARD, CISSP, is a senior security network engineer with Verizon
Federal Network Systems (FNS). An infosecurity professional for 17 years,
Bard has briefed and written infosecurity assessments and technical reports
for the White House and Department of Defense, special interest groups,
industry and academia. Please e-mail any comments to
mailto:securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't
necessarily reflect those of Verizon FNS.

NEXT WEEK: Are you throwing out company secrets? (Part 2 -- Data
destruction)

=====================================================

*Information Security Decisions, Hosted by Information Security
Magazine*

Qualify for complimentary admission to our 3-day Information Security
Decisions conference in New York City, April 19-21. Return to the office
with critical security action plans, unbiased expertise, and maybe a
Mercedes-Benz SLK230 too! Find out more: 
http://infosecurityconference.techtarget.com/?track=NL-358&Offer=swdmb 

=====================================================

WHATIS WORD OF THE WEEK: Source code  

Source code and object code refer to the "before" and "after" versions of a
computer program that is compiled before it is ready to run in a computer.
The source code consists of the programming statements that are created by a
programmer with a text editor or a visual programming tool and then saved in
a file. The object code file contains a sequence of instructions that the
processor can understand but that is difficult for a human to read or
modify. For this reason and because even debugged programs often need some
later enhancement, the source code is the most permanent form of the
program. 

When you purchase or receive operating system or application software, it is
usually in the form of compiled object code and the source code is not
included. Proprietary software vendors usually don't want you to try to
improve their code since this may create additional service costs for them.
Lately, there is a movement to develop software (Linux is an example) that
is open to further improvement and here the source code is provided. 

In large program development environments, there are often management
systems that help programmers separate and keep track of different states
and levels of code files. For scripting (interpreted) languages such as
JavaScript the distinction is far less visible: the program is normally
distributed and run as source, and any compiled form the interpreter builds
is internal and transient rather than a separate file you ship. 

Other security definitions:
http://searchsecurity.techtarget.com/glossary/0,294242,sid14,00.html?track=NL-358

=====================================================

YOUR TWO CENTS
Readers sound off

*Microsoft Patch Delay May Contribute to Early Exploit 
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950149,00.html?track=NL-358 

I find that your "Microsoft patch delay may contribute to early exploit"
article is nothing more than sensationalist reporting in as much that the
author is once again taking the opportunity to "slag-off Microsoft" for its
inaction. 

Whilst the article itself could have been balanced, it is evident that the
author is either fickle, or very malleable in her approach to Microsoft, in
the fact that the report fails to highlight the reason for the issued patch,
nor does it explain which Operating Environments are affected, (Win2000,
WinXP(Pro, Home, 64-bit) and NT4 (Workstation, Server, and Terminal server
patched with MS-03-041)), nor does it direct the reader to the Microsoft
Knowledge Base, which would provide more information. As with many of your
professional audience I am looking for an article that delivers the
information, and which should be reasonably balanced, with fair journalism;
which this article is definitely not -- and definitely should have been
"spiked at the first read" for if this is professional journalism, then I
question the neutrality and professionalism of your organization. -Arthur
Pounder, international IT support technician  


Editor's note: This article appeared several days after the ASN.1
vulnerability was announced and was meant as a follow-up to information
already circulating. Links in the Headlines section directed readers to
additional articles on the ASN.1 vulnerability.

:::::::::::::::::::::  ABOUT THIS NEWSLETTER  ::::::::::::::::::::::

Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
 
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
 
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
 
_____________________________________________________________________

To unsubscribe from "Security Wire Perspectives":
 
Go to unsubscribe:
http://SearchSecurity.com/u?cid=476796&lid=559334&track=NL-358
 
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
 
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494

------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
