Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical FW: Security Wire Perspectives, Vol. 6, No. 15, February 23, 2004

  • From: Howell, Paul
  • Date: Mon Feb 23 07:57:49 2004


-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-657149A841A6FF1C@lists.techtarget.com] 
Sent: Monday, February 23, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 15, February 23, 2004


Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&Offer=swp

IN THIS ISSUE:

A READ ON THE NEWS
*Bluetooth Hygiene for the Enterprise
*RSA Preview: Crypto Panel 'Less About Crypto' 

HEADLINES
*Yankee Says Patching Costs Companies Millions 
*Critical Flaw Found in Linux Kernel 
*Netsky No Longer Flying High 

SOUND BYTES
*With Friends Like These, You Don't Need Enemies
By Paul Schmehl, AVIEN

LINKS TO THE INDUSTRY

YOUR TWO CENTS
Readers sound off on the likelihood of further exploiting the ASN.1 flaw


TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE

=====================================================

SECURITY WIRE PERSPECTIVES IS SPONSORED BY: TruSecure

Want to learn how to get information security-related proposals and
initiatives approved by your organization's corporate executives? Join
TruSecure, Thursday, Feb. 26th, for a live webcast to learn: HOW to make
security make sense to executives, HOW to develop solid arguments for
justifying new security spending, and HOW corporate governance, organization
maturity, and strategic security objectives help justify new spending plans.


Click here to register!
http://searchSecurity.com/r/0,,24997,00.htm?track=NL-358&trusecure

=====================================================

A READ ON THE NEWS

*BLUETOOTH HYGIENE FOR THE ENTERPRISE
By Mathew Schwartz

In the face of two recent Bluetooth vulnerabilities -- bluesnarfing and a
backdoor attack -- security managers must reexamine their company's
Bluetooth deployments. This short-range wireless technology
-- available in newer computers, PDAs and mobile phones -- is intended to
replace physical cables. The attacks exploit, wirelessly, security
weaknesses in some Bluetooth-enabled mobile phones.

A snarf attack, able to quietly steal calendar and phone book information,
could be especially dangerous since most Bluetooth devices ship with the
wireless technology active. 

Security consultancy A.L. Digital's chief security officer, Adam Laurie,
discovered the snarf attack while testing phones for his own company's
deployment. Since then, he's created software to log the vulnerable
Bluetooth devices walking past his office in Chiswick, a London suburb; it
sees 40 a day.

"I suspect if you went into a much more densely populated area, like London,
you'd have a much higher number of machines," he says, adding that practical
attack range, using a laptop with a Class 1 Bluetooth dongle, would be 100
feet.

An automated attack tool, snarfing everything in range, could be especially
dangerous, says security researcher Mark Rowe at U.K.-based Pentest. "For
example, outside a politician's house." 

Unless users are watching their mobile device while it's bluesnarfed, they
won't know data's been purloined. Experts recommend immediately deactivating
Bluetooth on unpatched phones (see list: http://www.bluestumbler.org ).

Don't, however, discard all things Bluetooth. "This is not a problem with
the Bluetooth specification; it is a problem with certain manufacturers'
handsets," says Anders Edlund, marketing director of the Bluetooth Special
Interest Group (SIG). SIG released the Bluetooth standard; it's up to
manufacturers to implement it.

Some, however, fault SIG for not requiring more security. "The Bluetooth
specification details the implementation of a secure link but doesn't
require it," according to a report by Gartner analysts Martin Reynolds and
Michael Gomez.

At risk, of course, is sensitive corporate information. For example, in
August a former Morgan Stanley vice president sold his old Blackberry on
eBay. Only, as the buyer reported, he neglected to password-protect or erase
200 sensitive corporate e-mails, plus corporate directories, all of which
competitors would have loved.

Of course, outright theft is still much more likely than a snarf attack.
Research firm International Data Corp. says hundreds of thousands of mobile
phones are reported missing every year. 

Experts recommend three ways any company using Bluetooth can better secure
itself. First, Gartner says, "disable Bluetooth unless there is a compelling
reason to activate it." That means enlisting IT to build PCs and configure
devices with Bluetooth deactivated, educating users to -- at least --
deactivate Bluetooth when not in use and keep it off in questionable areas. 

For all mobile devices, remember "strong crypto is your friend," says
Laurie. Give users password vaults -- software to encrypt information
-- for the PINs and passwords users inevitably store on devices. Also
mandate password access for every device, SIM or memory card. Then check to
ensure users comply. 


*RSA PREVIEW: CRYPTO PANEL 'LESS ABOUT CRYPTO' 
By Michael S. Mimoso

Time was when the RSA Conference used to be all about cryptography. 

At its origin 13 years ago, RSA was an intimate gathering of 50 or so
algorithm-talking cryptographers spread out through a few hotel conference
rooms. Today, thousands of IT security professionals descend on San
Francisco to talk about the security issues of the day, reducing
cryptography to a smaller component of the show. 

Still, the Cryptographers Panel, scheduled for tomorrow at 11 a.m., remains
one of the conference highlights, if for no other reason than the star power
it attracts to the stage. 

Crypto heavyweights Ron Rivest and Adi Shamir, who along with William
Shipley founded RSA Data Security [which eventually became RSA Security upon
the acquisition of Security Dynamics in the late '90s] are mainstays on the
panel as are Sun Microsystems CSO Whitfield Diffie, Paul Kocher, president
of Cryptography Research Inc., and moderator Bruce Schneier, CTO at
Counterpane Internet Security Inc. 

"If you follow the path from Bruce Schneier to Paul Kocher to Peter Neumann,
you find yourself with a cryptographer who is very well known for his work
in other areas of security, an expert in cryptography implementation
problems, and a master of secure operating system design and general
analysis of real-world security problems," Diffie said. 

The blend of the panelists' experience provides attendees with a solid
reality check on what's happening in security and how it applies to their
day-to-day responsibilities. 

"The interesting thing is that [the panel is] becoming less and less about
cryptography," Schneier said. "It's a good forum because people on the panel
have interesting things to say and people want to listen to them." 

Diffie explained that the panel often discusses the newest cryptosystems,
attacks and applications of cryptography. Organizational and political
developments, along with technological trends often are good agenda topics.
A year ago, the panel kicked around the key lengths they favored for RSA. 

"This year, we may find ourselves discussing the impact of the Department of
Homeland Security, the FBI's desire for expanded wiretapping, the future of
Trusted Platform Modules, or the influence of Hollywood's quest for 'Digital
Rights Management,'" Diffie said. 

Sometimes panelists identify trends that become ubiquitous in a short time
span. 

"I can remember three years ago, Ron Rivest talking about RFID tags, and now
they're mainstream," said Sandra LaPedis, general manager of the RSA
Conference. "The panel usually provides a glimpse into security's future,
not just cryptography. They all understand the practical applications of
security, and it's fascinating to hear what they talk about." 

RSA special events:
http://searchsecurity.techtarget.com/specialEvents/1,289653,sid14_gci946896,00.html?track=NL-358

=====================================================

HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily

*Yankee Says Patching Costs Companies Millions 
SearchSecurity.com
Patching systems is a major pain in the pocketbook. The Yankee Group has
found it costs more than $1 million a year per patch to keep 5,000 desktops
up to date.  
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951006,00.html?track=NL-358


*Critical Flaw Found in Linux Kernel 
SearchEnterpriseLinux.com
A second serious mremap vulnerability was discovered this week. New versions
of the Linux kernel were released to address the problems.
http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci951284,00.html?track=NL-358


*Netsky No Longer Flying High 
SearchSecurity.com
The Netsky worm that took off earlier this week has had its wings clipped
and is no longer as serious a threat to networks, according to antivirus
vendors.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951313,00.html?track=NL-358

=====================================================

**Conference Survey**

Tell us what you'd like to see at the next Information Security Decisions
conference. Who are the top three speakers you'd like to hear? Sessions
you'd like to attend? What can we do to help you get more out of our
conference? Please take a minute to share your thoughts with us!
mailto:jglossner@techtarget.com

=====================================================

SOUND BYTES

*With Friends Like These, You Don't Need Enemies
By Paul Schmehl

There aren't many things that people agree on, especially when it comes to
the Internet, but spam and viruses are two things that are almost
universally despised. When the two are combined, a groundswell of Internet
anger arises and the ubiquitous discussion vehicles that the Internet offers
fill with posts of indignation and outrage.

The collective angst rose to new heights recently when a new virus, named...
well... depending on which antivirus vendor is your favorite... Mydoom,
Novarg or Mimail... broke out. As viruses go, Mydoom was special. It took
advantage of curiosity to begin its launch, and in a burst of creativity
furthered its spread by sending messages to non-existent e-mail addresses to
create bounces. Within a few days it was one of the most prolific viruses in
the history of the Internet.

Network administrators, who from long experience know exactly what to do
when a virus outbreak occurs, sprang into action, threw up quick filters to
catch the virus, contacted their antivirus vendors for updates and watched
their networks for signs of trouble. Help desks and support personnel braced
themselves for the inevitable calls about occasional infections that slipped
past the filters and successfully enticed users to help them spread.

Support calls increased as well with questions and comments from worried
users. "Is this e-mail from the virus?" "Am I infected?" "Why am I getting
all these bounce messages?" "Are you sure I'm protected?" "I'm sure you're
probably aware of this, but I thought I'd let you know there's a new virus
out." "Have you heard about this new virus?" The questions and helpful
suggestions go on and on and on.

So why is the antivirus industry deliberately adding to the workload? Some
antivirus vendors decided a while ago that detecting a virus was the perfect
opportunity to advertise their products. So, whenever their software catches
a virus, off goes an advertisement for their product, to both the "sender"
and the "recipient," encouraging people to buy their software. If the e-mail
went to the person whose computer was actually infected, it might be worth
doing. But many of them go to innocent bystanders who may never have a virus
infection in their life. Modern viruses forge the sender address and the
industry knows that.

At least there is some sanity in the industry. When Sobig-F was released
last September, Fridrik Skulason posted an open letter
(http://www.f-prot.com/news/gen_news/open_letter_10sept2003.html ) blaming
the industry for the deluge of unnecessary mail. Recently he updated his
letter (http://www.f-prot.com/news/gen_news/open_letter_30jan2004.html ) to
address the Mydoom outbreak and to respond to Brian Martin's article
(http://www.attrition.org/security/rant/av-spammers.html ) "Anti-Virus
Companies: Tenacious Spammers."

Will antivirus vendors get the message? Only time will tell. One thing is
for certain. Spamming the Internet with ads in the middle of a virus
outbreak is no way to win friends and influence people.
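The column's technical point is that a mass-mailing worm forges its sender address, so a scanner that "notifies the sender" is spamming an innocent bystander. The following gateway policy is an added illustration of that point, not code from the newsletter, AVIEN or any antivirus vendor; the local domain, postmaster address, scanner verdicts and sample subjects are all constructed assumptions.

```python
"""Virus-notification policy for a mail gateway (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional
import re

LOCAL_DOMAINS = frozenset({"example.edu"})      # assumed: the site's own domain(s)
POSTMASTER = "postmaster@example.edu"           # assumed admin contact


@dataclass(frozen=True)
class ScannedMessage:
    envelope_from: str        # MAIL FROM address as presented to the gateway
    rcpt_to: str              # local recipient
    subject: str
    malware: Optional[str]    # scanner verdict; None when clean (constructed)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def notify_targets(msg: ScannedMessage) -> Dict[str, str]:
    """Decide who may be told about a detection.

    Mass mailers such as Mydoom/Novarg/Mimail and Sobig-F forge the sender, so a
    notice to envelope_from is backscatter, not evidence of infection. Policy:
    tell the local recipient; tell the postmaster when the *claimed* sender is one
    of our own domains (worth checking the real source in the mail logs); never
    mail the sender address itself.
    """
    if msg.malware is None:
        return {}
    targets = {msg.rcpt_to: "inbound message quarantined: %s" % msg.malware}
    if _domain(msg.envelope_from) in LOCAL_DOMAINS:
        targets[POSTMASTER] = (
            "claimed local sender %s for %s; verify against mail logs, "
            "the address may be forged" % (msg.envelope_from, msg.malware))
    return targets


# Subject patterns typical of the vendor notices and bounces the column describes
# (constructed heuristic, not a vendor signature).
_BACKSCATTER = re.compile(
    r"^(virus (alert|notification|found)|returned mail|undeliverable|"
    r"delivery (status notification|failure)|warning: e-?mail viruses? detected)",
    re.IGNORECASE,
)


def is_backscatter(msg: ScannedMessage) -> bool:
    """True for *clean* inbound mail that merely reports a 'virus you sent'.

    Such mail can be routed to a low-priority folder so users and the help desk
    are not flooded with bounces caused by someone else's forged sender."""
    return msg.malware is None and _BACKSCATTER.match(msg.subject) is not None
```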

PAUL SCHMEHL is an adjunct information security officer at the University of
Texas at Dallas and a founding member and board member of AVIEN, the Anti
Virus Information Exchange Network. His responsibilities include protecting
the university from the many viruses and worms that circulate on the
Internet.

Please send any comments on this article to
mailto:SWPcomments@infosecuritymag.com

=====================================================

*Information Security Decisions, Hosted by Information Security
Magazine*

Qualify for complimentary admission to our 3-day Information Security
Decisions conference in New York City, April 19-21. Return to the office
with critical security action plans, unbiased expertise, and maybe a
Mercedes-Benz SLK230 too! Find out more: 
http://infosecurityconference.techtarget.com/?track=NL-358&Offer=swdmb 

=====================================================
LINKS TO THE INDUSTRY

Happenings

New York Metro Network Security Forum
W-Th, November 2004 (Please see Web site for date and location.) Roundtables
and case studies with all-new topics for 2004, including application IDS and
firewalls, patch management and wireless security. Optional workshop.
http://www.ianetsec.com/forums/nym_forum/nym_splash_2004.htm

Other current industry events:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281973,00.html?track=NL-358
Security training:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281975,00.html?track=NL-358

Industry Notebook
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950786,00.html?track=NL-358

Market Monitor
Current security company stock prices:
http://searchSecurity.com/r/0,,22258,00.htm?track=NL-358&n/a

SearchSecurity.com Top 10
Weekly recap of top news stories and security tips by our sister site
SearchSecurity.com:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci913161,00.html?track=NL-358

=====================================================

YOUR TWO CENTS

Have an opinion on a Security Wire Perspectives article? We're interested in
your feedback. E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity. 


*ASN.1 Exploit Code Circulating; Universal Shellcode Only a Matter of Time
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950665,00.html?track=NL-358

What I am most worried about is when they turn this code into a two-phase
worm. This is going to make MyDoom and CodeRed look like a minor annoyance.
--Richard Starnes, CISSP, director of incident response, Managed Security
Operations Centre (MSOC)


Here is the critical point about this vulnerability that *everyone* has
missed so far: People have been exploiting this hole for years. 

How do I know? The vulnerability didn't come into existence 200 days before
the fix. The vulnerability has been there for years. The vulnerability was
not created by the folks that reported it to Microsoft, it was only
"discovered" by them. Just because nobody has come forward to say that they
were already exploiting it two years ago does not prove that nobody was. In
fact, it is impossible to prove that nobody was.

Think about it, if you are serious about gaining unauthorized access to
systems, possibly for gain, and you find a hole that nobody else seems to be
aware of, would you tell everyone? For a certain type of hacker, the answer
is no! 
--Stephen Cobb, CISSP 


*Microsoft ASN Flaw May Be Biggest Defect Ever Found
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html?track=NL-358


I'll admit to being one of those security admins who didn't really know much
about ASN.1 before reading of this vulnerability. But I think David
Kennedy's assertion that it's too complicated a vulnerability for hackers to
bother with underestimates the problem.

Seems to me that, if I were a virus writer, I would view Kennedy's comments
as a gauntlet -- I'd go out of my way to prove him wrong and design an
exploit for the "biggest defect ever found." --Steven Lovaas, network
security administrator, Poudre School District 


Do we need a "digital 9-11" before we are willing to admit that the "higher
fruit" is often more inviting?
 
Comparing "digital terrorism" to the real-world variety, I am inclined to
believe it would have been simpler to board a bus, walk into a crowd and set
off an explosive, than to coordinate the logistics required to pull off the
attack on 9-11, yet the "higher fruit" was exactly what was picked.
 
We would do well to respond more quickly to security issues, starting with a
frank look at ourselves as both part of the problem and part of the
solution, instead of sitting around "drinking Mountain Dew" while we wait
for the "vendor" to fix the problems.
 
Was it low or high hanging fruit which motivated Newton? --Michael Kaufman,
director of information technology, Southern Ventures Corp.

:::::::::::::::::::::  ABOUT THIS NEWSLETTER  ::::::::::::::::::::::

Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
 
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
 
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
 
_____________________________________________________________________

To unsubscribe from "Security Wire Perspectives":
 
Go to unsubscribe:
http://SearchSecurity.com/u?cid=476947&lid=559334&track=NL-358
 
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
 
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494

