Historical SANS NewsBites Vol. 6 Num. 7

  • From: The SANS Institute
  • Date: Wed Feb 25 11:25:54 2004



A note about professional growth for security and audit professionals.
We are often asked, by people with strong security and audit skills,
how they can become more visible in the community and grow
professionally. The most satisfying answer to that question is "Become
a mentor." When you teach others you get more than simple appreciation.
You get a network of people who know and trust you; you get visibility
among your peers for having been selected to mentor others; you get
economic compensation; and if the people you mentor think you are
extraordinary, you may even get opportunities to teach at a SANS
conference. Because the mentoring program is so effective, you also get
a deep satisfaction that you are actually helping. Our SANS training
conferences are again starting to sell out. The only way we can hope to
help hundreds of thousands of auditors and security professionals keep
up with the changing skills requirements is by expanding our Local
Mentor Program. We have programs in more than 100 cities around the
world. If you are interested, email info@sans.org with the subject "Local
Mentor Opportunities".


                                  Alan


*************************************************************************
SANS NewsBites               February 25, 2004             Vol. 6, Num. 8
*************************************************************************

TOP OF THE NEWS
  Bill Gates Announces Security Improvements In Windows
  DHS Protected Critical Infrastructure Information (PCII) Program
  Reactions to DHS PCII Program Vary
  Study Indicates Firewall and VPN Spending Will Double in Three Years
  Homeland Security Department's CIO Council Security Priorities

THE REST OF THE WEEK'S NEWS
  Former ViewSonic Employee Gets Prison Sentence for Wiping Out Data
  Minnesota Man Charged with Breaking Into USPS Server
  Judge Rules DVD-Copying Products are Illegal
  Internet Society of China Blacklists More Spam Servers
  Phishing Attacks Increased by 50% in One Month
  Phishers Target National Australia Bank Customers
  Phony Police E-Mail Tries to Get Keystroke Logger Onto People's
     Computers
  Fiscal 2004 Budget Cuts NIST Funding
  Yankee Group Survey Finds Anti-Virus, IDS and Firewalls Top Spending
     Lists
  Web Application Security Consortium
  Audit Finds Sensitive Data on Discarded North Carolina State Government
     Computers
  Microsoft Warns Alleged Windows Code Posters

STORIES ABOUT E-VOTING
  Groups Encourage Use of Paper Absentee Ballots Instead of E-Voting
  Ohio Secretary of State Wants to Buy New Voting Machines
  Judge Denies Group's Request to Prevent Use of Diebold E-Voting
     Machines in Election
  Ireland E-Voting Debate

VULNERABILITY UPDATES AND EFFECTS
  IE 5 Flaw Found in Leaked Windows Source Code
  Microsoft Encourages Move to IE 6 Service Pack 1
  Cisco VoIP Security Problems
  Linux Kernel Flaws 
  Buffer Overflow Flaw in ZoneAlarm Firewall
  Two Versions of NetSky are Spreading
  Sun Offers Updates for Cobalt Vulnerabilities
  Microsoft Releases Security Update CD
  Bagle Variant Spreading

*********************** Sponsored by Net IQ *****************************

Need security policies? Don't start from scratch. 
 
Check out "Information Security Policies Made Easy," the best security
policy resource guide available, with 1,300+ ready-to-use security
policies, easily customizable for any organization. Also, don't miss
our step-by-step guide,  "Information Security Roles & Responsibilities
Made Easy."
 
Check them both out now.  
http://www.netiq.com/f/form/form.asp?id=2202&origin=NS_SANS_022504

********************************************************************** 
This Week's Featured Security Training Program:

Security managers and analysts, system and network administrators,
auditors and forensic analysts will each find immersion training focused
on their special needs, and all taught by the highest-rated instructors
in the US.  And it is all in Orlando, Florida, in early April.
http://www.sans.org/sans2004

*************************************************************************


TOP OF THE NEWS

 --Bill Gates Announces Security Improvements In Windows
(24 February 2004)
In his keynote address at the RSA conference today, Microsoft's Bill
Gates sounded like a "born again" security advocate, and he announced
some surprisingly useful new capabilities.  Examples: firewalls turned
on by default in XP SP2 and firewalls that ask the user for permission
to open a port when an application needs it open, and automatically
close the port after the application finishes its job. Many other
valuable features are listed in the article.
http://www.internetnews.com/dev-news/article.php/3317301
[Editor's Note (Paller):  Microsoft has announced some important
changes, but as Bill Gates said in his speech, "the job's not done."
Consider this to be a first installment on paying a large debt to users.
And please, if you buy enough software from Microsoft for them to pay
attention to you, make sure you list specific security settings in your
procurement documents.  If you need a set to specify, follow the
National Security Agency or the Center for Internet Security benchmarks.
They work. (www.cisecurity.org)  When enough big buyers demand safer
configurations, Microsoft will start delivering safer systems to all of
us, and then even small businesses and home users will have security
baked in.]

 --DHS Protected Critical Infrastructure Information (PCII) Program
(18/19/20 February 2004)
The Department of Homeland Security (DHS) has launched an initiative
for companies to inform them about vulnerabilities in the nation's
critical infrastructure.  The Protected Critical Infrastructure
Information (PCII) program will allow companies to let DHS know about
security problems in their products with the reassurance that the
information will not be released to the general public.
http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-18-04.asp
http://www.computerworld.com/printthis/2004/0,4814,90290,00.html
http://zdnet.com.com/2102-1105_2-5162732.html?tag=printthis
[Editor's Note (Schneier): Since this is a voluntary program, I can't
see it having any useful effect.]

 --Reactions to DHS PCII Program Vary
(20 February 2004)
Critics of the PCII Program say that it could weaken rather than
strengthen security because the government cannot require the companies
to fix the flaw or disclose it to the public.  Furthermore, if
information about a reported vulnerability is leaked to the public, the
companies are immune from liability under the law.  Proponents of the
program say it allows for more detailed information than informal
reporting allowed.
http://www.securityfocus.com/news/8090

 --Study Indicates Firewall and VPN Spending Will Double in Three Years
(20 February 2004)
According to a study from business information analyst Datamonitor,
global spending on VPN and firewall technology will grow to nearly $6
billion by 2007, doubling the present level of spending in just three
years.  North America is the largest security market; Datamonitor
predicts that Latin America and Asia Pacific will be the fastest growing
security markets over the next three years.
http://www.theregister.co.uk/content/5/35708.html
http://www.theregister.co.uk/content/55/35704.html
[Editor's Note (Northcutt): The article goes on to say SSL-based VPNs
are a primary growth segment.  I would have hoped for IPSec, but that
fixation on the destination IP address is a bit of a problem.  Other
literature on the market appears to support that assertion, sigh.
http://www.marketresearch.com/researchindex/932918.html
http://zdnet.com.com/2100-1105_2-5140548.html]

 --Homeland Security Department's CIO Council Security Priorities
(17 February 2004)
The DHS CIO Security Council has set eight technology priorities to
concentrate on this year.  The eight areas of focus are information
sharing, mission rationalization, information technology security,
development of a single information and technology infrastructure,
enterprise architecture, portfolio management, governance and IT human
resources.
http://www.govexec.com/dailyfed/0204/021704c1.htm
http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-17-04.asp

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE White Paper: "Why the web browser is the most dangerous  
     hacking tool"
http://www.sans.org/click.php?id=333
 
(2) Best Practices for Incident Response - Sign up for the  
     practitioner's guide at
http://www.sans.org/click.php?id=334

(3) From SANS: HIPAA Security Implementation is a step by step guide for
     IT staff of hospitals.  Thorough and extremely cost effective.  
https://store.sans.org/store_item.php?item=117

***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Former ViewSonic Employee Gets Prison Sentence for Wiping Out Data
(23 February 2004)
Former ViewSonic employee Andrew Garcia has been sentenced to one year
in prison for breaking into the company's computer system and wiping
out critical data two weeks after he was fired.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=18100201
[Editor's Note (Shpantzer): Garcia accessed the server he used to
administer "two weeks after he had been terminated," despite the fact
that ViewSonic promptly revoked his credentials. What happened?  It
turns out that he had other sysadmin passwords, and used those to gain
access and delete critical files.
http://www.silicon.com/networks/lans/0,39024663,10006299,00.htm
It gets worse:  Garcia "was previously convicted of two felonies."
http://www.usdoj.gov/criminal/cybercrime/garciaArrest.htm
Lessons learned?  1. Consider changing associated sysadmin credentials
when firing a co-worker.  2. Institute background checks and hiring
standards for IT positions that have elevated privileges.]

 --Minnesota Man Charged with Breaking Into USPS Server
(21 February 2004)
Joshua Linsk of Minneapolis has been charged with breaking into and
damaging a US Postal Service web server.  Linsk also allegedly broke
into another computer at a different organization to obtain credit card
numbers.  If convicted, Linsk could face a prison sentence of up to 15
years and/or a fine of as much as $500,000.
http://www.kare11.com/news/news-article.asp?NEWS_ID=59863

 --Judge Rules DVD-Copying Products are Illegal
(20 February 2004)
A federal judge in California has ruled that 321 Studios' DVD-copying
products are illegal, and gave the company seven days to stop
distributing the products in question.  The judge wrote that federal
law makes selling such products illegal despite consumers' rights to
make personal copies of movies they have purchased.  321 Studios plans
to ask for an emergency stay that would allow their products to remain
on store shelves while appealing the judge's ruling.
http://news.com.com/2102-1025_3-5162749.html?tag=st.util.print
[Editor's Note (Schneier): Whatever happened to the customer's right to
make a legal backup of the product?  Not only is this ruling
unreasonable, it's essentially unenforceable.  This product may stop
being sold, but DVD duplicating programs are going to keep being
distributed.
(Grefer): The real damage is not done so much by folks who make backup
copies of their DVDs, going through the effort of decrypting them,
converting them into a different format and burning them onto a CD, but
rather by professional black market organizations that make bit-copies
of the DVDs, thereby not hassling with the copy protection.
http://obi-wan.kenobi.it/cynicalsecurity/archives/001260.html]

 --Internet Society of China Blacklists More Spam Servers
(20 February 2004)
Chinese authorities have blacklisted 656 spam servers around the world;
the servers will be monitored by the Internet Society of China (ISC)
and will be blocked if they continue to send spam to mainland China
Internet users after March 20.   This is the third such list the ISC
has released since September 2003.
http://news.com.com/2102-1024_3-5162355.html?tag=st.util.print
http://www.pcworld.com/resource/printable/article/0,aid,114867,00.asp

 --Phishing Attacks Increased by 50% in One Month
(19 February 2004)
The Anti-Phishing Working Group found that there were 52% more phishing
attacks in January 2004 than in December 2003.  40% of the attacks used
the guise of the financial sector; 34% pretended to be retailers.
http://www.ecommercetimes.com/perl/story/32906.html
http://www.theregister.co.uk/content/55/35635.html
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25000
[Editor's Note (Pescatore): NewsBites readers may remember our mention
of the need for "Caller ID" for the Internet to combat phishing. Lo and
behold, at his keynote speech at this week's RSA Security Conference,
Bill Gates announced a Caller ID for the Internet initiative to combat
phishing.]

 --Phishers Target National Australia Bank Customers
(18 February 2004)
Phishers have sent e-mails that purport to be from National Australia
Bank (NAB) and lead users to a site that tries to collect their
Australian National ID and Internet banking passwords.  The URL for the
phony site has been blocked.
http://www.pcworld.idg.com.au/index.php?id=1041815809&fp=2&f%20pid=1

 --Phony Police E-Mail Tries to Get Keystroke Logger Onto People's Computers
(17 February 2004)
The Australian High Tech Crime Centre has warned people that cyber
criminals are sending out e-mails that claim to be from the federal
police and suggesting that they are under investigation.  The links that
purport to provide further details actually install keystroke loggers
on users' computers.
http://australianit.news.com.au/articles/0,7204,8707873^15319^^nbv^15306,00.html
[Editor's Note (Shpantzer): The keystroke logger is particularly nasty
as it gets passwords even if they are not sent in clear text.]

 --Fiscal 2004 Budget Cuts NIST Funding
(13 February 2004)
The National Institute of Standards and Technology's (NIST) acting chief
of staff says that a $22 million budget cut in fiscal 2004 means that
NIST will have to cut back "substantially" on its cyber security work
as well as completely stop all work for the Help America Vote Act.
NIST's Manufacturing Extension Partnership (MEP) will also see
significant cuts in staffing and other areas.
http://www.govexec.com/news/index.cfm?mode=report2&articleid=27658&printerfriendlyVers=1&;

 --Yankee Group Survey Finds Anti-Virus, IDS and Firewalls Top Spending Lists
(18/19 February 2004)
A Yankee Group survey of 404 decision-makers at medium to large
companies found 54% of the respondents believe security budgets will
increase over the next three years; just 8% believe they will decrease.
Half of the respondents also have the same top three items on their
security spending lists: anti-virus, intrusion detection and prevention
systems (IDS and IPS) and firewalls.
The survey also found that the average annual cost for patching desktop
computers is $254.  Some companies are delaying patch application until
multiple patches or service packs become available.
http://www.esj.com/security/print.asp?editorialsId=860
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951006,00.html
[Editor's Note (Schultz): Once again a well-known industry analyst
group's prediction that intrusion detection technology is on the wane
appears to be out of touch with reality, as shown by the Yankee Group's
recent survey findings.]

 --Web Application Security Consortium
(18 February 2004)
The Web Application Security Consortium plans "to create a
classification system for application security vulnerabilities, attacks
and other threats."  The group also plans to develop industry best
practices in secure coding.
http://www.eweek.com/print_article/0,3048,a=119490,00.asp
[Editor's Note (Pescatore): We really do need the security industry to
drive some standard XML schema/DTD for vulnerability descriptions. The
AVDL effort, CVE and WASC ought to align to do this.]

 --Audit Finds Sensitive Data on Discarded North Carolina State
    Government Computers
(18 February 2004)
The North Carolina state auditor's department found sensitive data on
the hard drives of used state government computers that had been sent
to the Surplus Property Agency for sale to the public.  The data they
found included social security numbers, bank account numbers and
passwords that would allow access to the state computer network.  The
review was the first conducted following a 2002 requirement that
agencies erase data from their computers before submitting them to the
Surplus Property Agency.
http://www.wilmingtonstar.com/apps/pbcs.dll/article?AID=/20040218/APN/402180853&cachetime=5&template=printart
[Editor's Note (Ranum): I know several researchers who buy used hard
disks on Ebay and at surplus stores looking for exactly this kind of
stuff. The only possible excuse is that the information found might have
been out of date.]

 --Microsoft Warns Alleged Windows Code Posters
(17/18 February 2004)
Microsoft has sent cease-and-desist letters to several people who have
downloaded stolen Windows source code from the Internet, warning them
that such activity is illegal.  The letter requests that they stop
posting the files and that they erase any copies of the code they
possess.  Microsoft is also sending warnings to people who search for
the code on peer-to-peer file sharing networks.  There are no details
available about how Microsoft knows who has downloaded or searched for
the code.
http://www.eweek.com/print_article/0,3048,a=119396,00.asp
http://zdnet.com.com/2102-1105_2-5161205.html?tag=printthis
http://www.computerworld.com/printthis/2004/0,4814,90270,00.html

STORIES ABOUT E-VOTING
 --Groups Encourage Use of Paper Absentee Ballots Instead of E-Voting
(20 February 2004)
Activist groups in California and Maryland are encouraging voters to
use paper absentee ballots in the upcoming primary elections because
the electronic machines both states intend to use could be vulnerable
to fraud and do not provide a paper audit trail.
http://www.wired.com/news/print/0,1294,62364,00.html

 --Ohio Secretary of State Wants to Buy New Voting Machines
(20 February 2004)
In an attempt to bring Ohio into compliance with the Help America Vote
Act, Secretary of State J. Kenneth Blackwell will ask the state
Controlling Board for $128 million to purchase new voting machines.
Some state legislators want the funding rejected until questions about
the voting system's security have been answered.  If the funding request
is denied, Blackwell's office will propose a move to optical scan ballot
systems which leave a paper trail.
http://www.daytondailynews.com/localnews/content/localnews/daily/0220vote.html

 --Judge Denies Group's Request to Prevent Use of Diebold E-Voting Machines in Election
(17/19 February 2004)
A group of California citizens filed a request for a temporary
restraining order that would require the counties using Diebold's
electronic voting machines to install additional safeguards on the
machines before the state's upcoming primary election.  The group also
sued to stop the state and Diebold from using voting machines with
security problems.  The judge ruled that the state could use the Diebold
machines in the upcoming election.
http://www.wired.com/news/print/0,1294,62323,00.html
http://www.theregister.co.uk/content/6/35664.html
[Editor's Note (Schultz): It's really disturbing to see that states and
even some national governments are planning to use electronic voting
systems without providing reasonable assurance that they are
sufficiently secure and tamperproof.]

 --Ireland E-Voting Debate
(16 February 2004)
Ireland's Minister for the Environment Martin Cullen says newly
introduced electronic voting machines "will improve democracy."  Those
opposed to using the machines question the system's reliability, and
the government has rejected their requests for printed backups of
ballots.
http://news.com.au/common/printpage/0,6093,8696999,00.html

VULNERABILITY UPDATES AND EFFECTS
 --IE 5 Flaw Found in Leaked Windows Source Code
(23 February 2004)
http://www.computerworld.com/printthis/2004/0,4814,90326,00.html

 --Microsoft Encourages Move to IE 6 Service Pack 1
(17 February 2004)
http://www.crn.com/Components/printArticle.asp?ArticleID=48010

 --Cisco VoIP Security Problems
(20 February 2004)
http://www.theregister.co.uk/content/55/35716.html

 --Linux Kernel Flaws
(19/20 February 2004)
http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci951284,00.html
http://www.computerworld.com/printthis/2004/0,4814,90359,00.html
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25033
http://www.eweek.com/print_article/0,3048,a=119669,00.asp

 --Buffer Overflow Flaw in ZoneAlarm Firewall
(19 February 2004)
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1063
http://download.zonelabs.com/bin/free/securityAlert/8.html

 --Two Versions of NetSky are Spreading
(18 February 2004)
http://zdnet.com.com/2102-1105_2-5161036.html?tag=printthis
http://www.computerworld.com/printthis/2004/0,4814,90264,00.html

 --Sun Offers Updates for Cobalt Vulnerabilities
(18 February 2004)
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950995,00.html?track=NL-358

 --Microsoft Releases Security Update CD
(18 February 2004)
The CD will contain all critical patches through October 2003 for Windows XP, Me, 2000, 98 and 98 SE.
http://www.internetnews.com/dev-news/print.php/3314501
[Editors' Note (Multiple): This CD may be useful in ensuring a box is
patched before it is connected to the internet.  There are so many
automated attack tools running on the Internet, scanning for vulnerable
machines, that many machines are compromised before they can complete
the patch downloading process from Microsoft.]

 --Bagle Variant Spreading
(17 February 2004)
http://zdnet.com.com/2102-1105_2-5160268.html?tag=printthis
http://www.eweek.com/print_article/0,3048,a=119308,00.asp


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites.  For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/



