Network Security
FW: Security Wire Perspectives, Vol. 6, No. 16, February 26, 2004
- From: Howell, Paul
- Date: Thu Feb 26 07:16:13 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-152FA425290A13EB@lists.techtarget.com]
Sent: Thursday, February 26, 2004 4:02 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 16, February 26, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&Offer=swp .
IN THIS ISSUE:
A READ ON THE NEWS
*Gates Gets Mixed Reaction
*Making Products Talk Vulnerabilities
HEADLINES
*RSA: Unpatched RPC Flaw Hangs Over Windows Shops
*New Mydoom Variant Carries Dangerous Payload
*Sealing Up Holes in Disclosures
*Firewall Hole Cause for 'Alarm'
*Author: Hacking Has Its Boundaries
WEEKLY SECURITY PLANNER
*Are you throwing out company secrets? (Part 2 -- data destruction)
WHATIS WORD OF THE WEEK
*Vulnerability disclosure
CORRECTION
YOUR TWO CENTS
Readers sound off
=====================================================
A READ ON THE NEWS
*GATES GETS MIXED REACTION
By Niall McKay
Bill Gates' keynote speech this week received a mixed reaction from
delegates at the RSA Conference. Some believe that the software giant's
recent interest in all things "secure" is an initiative led by the marketing
department, while others said that the company has taken stock of the
situation and is genuinely trying to deal with its security woes.
Indeed, Arthur Coviello, president and CEO of RSA Security, said that he was
surprised to get the call from the Microsoft CEO to keynote the conference,
but, he said, he appreciated Gates' candor about "the company's security
(woes)."
Others quipped that Microsoft was present simply to crank up the market
machine.
"Microsoft is here to sell its security product line," said Ben Laurie,
director of the Bunker, a secure data center based out of a nuclear shelter
in the United Kingdom. "It's coming to the end of its product life cycle, so
it's looking around for new revenue streams."
At the Microsoft stand, which held one of the most prominent positions at
the trade expo, the company was demonstrating three new security products:
XP Service Pack 2; the Microsoft Baseline Security Analyzer 1.2
vulnerability assessment tool; and the ISA Firewall 2004 (beta).
"We are providing tools that help our customers get ahead in securing their
systems," said a spokesman for the company.
Laurie said that he saw little evidence that Microsoft has made its products
more secure. There have been a number of serious Microsoft security
vulnerabilities exposed in the last twelve months.
Mauricio Nanne, a manager with Sistemas Aplicativos, an IT reseller in
Guatemala City, agreed with Laurie's assessment.
"Gates' speech was like an infomercial for Microsoft," said Nanne. "It was
very intelligent for him to do this conference, but I believe that he is
doing little to fix the underlying security technology -- it's just a
marketing strategy."
One security professional who works for one of the major credit card
companies and asked to remain anonymous said that he saw Microsoft's
presence as a positive move.
"The company stopped development for six weeks so that it could retool the
company to deal with the security issues," he said referring to when the
company stopped development to retrain engineers on how to write more secure
software. "I think that what Microsoft is doing is good for the industry and
good for the end user."
"Microsoft is clearly doing a lot of good work with security," said Peter N.
Glaskowsky, principal analyst with In-Stat MDR, and editor of Microprocessor
Report. "They are coming up on 20 years of insecure software."
Glaskowsky said that his company had given the software giant an award for
creating the most secure computing platform with Next-Generation Secure
Computing Base (NGSCB). "Certainly you could say that the company should
have addressed the security issue earlier, but it made a decision with
Windows 2000 and Windows NT to make ease of use the top priority."
*MAKING PRODUCTS TALK VULNERABILITIES
By Mathew Schwartz
Security managers are getting a new tool for combating application
vulnerabilities and "death by security bulletin" information overload.
At the RSA Conference, the Application Vulnerability Description Language
(AVDL) technical committee, part of the Organization for the Advancement of
Structured Information Standards (OASIS), announced that the AVDL 1.0
specification is in the final-approval stage. It expects to finalize AVDL in
the next month or two -- less than a year after it was first proposed -- and
see it in wide use in the next 12-18 months.
AVDL is an open source, XML-based specification for sharing vulnerability
information between products from different vendors. Companies need it:
Gartner Group says more than 70% of Web attacks target the application
layer, yet patching remains reactive and slow.
"Application vulnerabilities propagate so rapidly today that the old methods
of dealing with them no longer suffice," said John Pescatore, a vice
president at Gartner, in a statement. AVDL could help, he says, "by
dramatically reducing the time between the discovery of a new vulnerability
and the effective response at enterprise sites."
The key is allowing products to exchange information. "What we're going to
be able to do now that the AVDL 1.0 standard is out there is read AVDL
descriptions from any source, and then automatically generate a
recommendation for the customer based on that new vulnerability," says Wes
Wasson, vice president of marketing and chief strategy officer for
application security gateway vendor NetContinuum.
For example, if code-scanning software detects application code
vulnerabilities, it can automatically share information, in AVDL format,
with in-house security gateways and patch management software from other
vendors, and each product can offer configuration recommendations. The end
result: security managers get an automated, less error prone way to patch
and protect against application security vulnerabilities.
The standard has extensive backing; the working group includes Citadel, the
U.S. Department of Energy's Computer Incident Advisory Capability
(DOE-CIAC), GuardedNet, IBM, Microsoft, MITRE, NetContinuum, Qualys, SPI
Dynamics, Teros and WhiteHat.
One AVDL proponent, DOE-CIAC, plans to release an AVDL-aware security portal
"to automatically interpret new application security alerts published in
AVDL format," said DOE-CIAC security incident response manager John Dias in
a statement. Security managers should be able to more quickly view only the
alerts applicable to their environment, then implement patches. Dias said
AVDL "could substantially reduce the manual effort and response time
required to respond to a new vulnerability."
More information on AVDL: http://www.avdl.org
AVDL Specification:
http://www.oasis-open.org/committees/documents.php?wg_abbrev=avdl
=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily
*RSA: Unpatched RPC Flaw Hangs Over Windows Shops
SearchSecurity.com
A security researcher tells SearchSecurity.com that a patch for a 4-month-old
vulnerability in RPC may be on the way. That, however, doesn't lessen
current exposure.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci952215,00.html?track=NL-358
*New Mydoom Variant Carries Dangerous Payload
SearchSecurity.com
The latest variant of this year's biggest worm carries a malicious payload
that deletes files and directs infected machines to attack Microsoft and
music industry Web sites.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci952225,00.html?track=NL-358
*Sealing Up Holes in Disclosures
SearchSecurity.com
A new vulnerability information exchange between critical infrastructure
companies and the Department of Homeland Security offers assurances that
company disclosures won't be made public.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951841,00.html?track=NL-358
*Firewall Hole Cause for 'Alarm'
SearchSecurity.com
Users of ZoneAlarm personal firewalls should apply a patch to seal a hole in
many versions that could allow attackers to increase their system
privileges.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951795,00.html?track=NL-358
*Author: Hacking Has Its Boundaries
SearchEnterpriseLinux.com
In this interview, author Joe Grand delves into the hacking skills essential
to an administrator's skill set, and he describes how hacking and Linux go
hand in hand.
http://searchenterpriselinux.techtarget.com/qna/0,289202,sid39_gci951573,00.html?track=NL-358
=====================================================
WEEKLY SECURITY PLANNER
In an effort to help busy security managers, CISSP Shelley Bard's weekly
column will build upon the concept of the perpetual calendar
(http://www.searchSecurity.com/tip/1,289483,sid14_gci948651,00.html?track=NL-358),
offering a schedule of reminders for a proactive, strategic security
plan. For an archive of previous columns, please visit:
http://searchsecurity.techtarget.com/tipsIndex/0,289482,sid14_tax295570_alpD_idx0,00.html?track=NL-358
Week 11: Are you throwing out company secrets? (Part 2 -- data
destruction)
WHEN: Review policy at least annually.
WHY: As with paper files (discussed last week), confidential corporate
financial or customer information data found on discarded floppies and CDs
could give your competitors an unfair advantage or provide grounds for a
lawsuit that could wipe out your company.
At least one of these laws applies to your organization:
--The Federal Privacy Act protects the privacy of individuals and businesses
by holding government agencies and the private sector liable for any
personal information released to unauthorized individuals.
--If you are already in the middle of a suit, the Sarbanes-Oxley Act makes
destroying documents related to a federal investigation a serious crime.
And, as Arthur Andersen learned only too well, the act of destroying
evidence in anticipation of a lawsuit can lead a jury to conclude the
information would have been damning.
--The Gramm-Leach-Bliley Act requires companies engaged in financial
activities to provide secure handling of client records and information.
--HIPAA, the Health Insurance Portability & Accountability Act, protects
security and privacy of private health information.
--State and local legislation is being proposed and passed throughout the
nation in response to constituent alarm over privacy protection and identity
theft -- all laws supported by fines and the right to sue for damages.
STRATEGY: Paper isn't the only thing that can fall into the wrong hands.
Data can be gleaned from any data storage medium, such as linear tape and
CDs, if the data isn't electronically "shredded" first. There are a number
of programs that completely obliterate data -- just read the reviews in the
computer magazines.
If you want to re-use the medium, the magnetic signals on the disk should be
so thoroughly scrambled that the original data can't be recovered, even
through the use of specialized hardware or software. If you don't intend to
re-use it, physically destroy computer disks, tapes, microfilm, microfiche,
x-rays, etc. And don't forget media from a backup site.
Companies offer this service, but if you destroy enough media regularly it
may be cost-effective to buy a machine to safely destroy everything on site.
If your organization chooses to destroy media, be aware that increasing
pressure to recycle IT products -- as a result of e-waste hazards and
accompanying regulations -- has set the stage for higher disposal costs.
Also, IT equipment disposal services may be working through brokers to send
it to illegal waste dumps in the United States or developing countries -- a
controversial practice, as potentially hazardous materials could be released
as the materials decompose.
Establish best practices, thoroughly check out vendors and create an audit
trail so your organization won't be a future candidate for fines or negative
publicity. While e-waste applies more to system parts like circuit boards
and CRTs, you should keep this trend in mind.
MORE INFORMATION: Good search engines will help you find a shred program
that will work for you. If you're physically destroying media, the local
yellow pages list these services.
SHELLEY BARD, CISSP, is a senior security network engineer with Verizon
Federal Network Systems (FNS). An infosecurity professional for 17 years,
Bard has briefed and written infosecurity assessments and technical reports
for the White House and Department of Defense, special interest groups,
industry and academia. Please e-mail any comments to
mailto:securityplanner@infosecuritymag.com
Opinions expressed in this column are those of Shelley Bard and don't
necessarily reflect those of Verizon FNS.
NEXT WEEK: Quality of your Web site copyright, privacy policy and links
=====================================================
CORRECTION
Monday's Security Wire Digest story entitled "RSA Preview: Crypto Panel
'Less About Crypto'" erroneously identified William Shipley as a founder of
RSA Data Security. Also, Security Dynamics acquired RSA Data Security, which
later became RSA Security. We regret the error.
=====================================================
WHATIS WORD OF THE WEEK: Vulnerability disclosure
Vulnerability disclosure is the practice of publishing information about a
computer security problem, and a type of policy that stipulates guidelines
for doing so. Either the person or organization that discovers the
vulnerability or a responsible industry body, such as the Computer Emergency
Response Team (CERT), may make the disclosure, sometimes after alerting the
vendor and allowing them a certain amount of time to fix the problem before
publishing the information.
The question of how much information to provide and when to make it public
is a contentious issue. Some people argue for full and immediate disclosure,
including the specific information that could be used in an exploit taking
advantage of the vulnerability; others believe that limited information
should be made available to a select group after some specified amount of
time has elapsed since the vulnerability was found; and still others believe
that no vulnerability information should be published at all.
A number of organizations are establishing vulnerability disclosure
policies. Under CERT's policy, for example, CERT will: inform the
vendor about a vulnerability as soon as practically possible after it
receives a report; advise the reporter of changes in the status of the
vulnerability; and, under most circumstances, disclose the information to
the public 45 days after the problem is reported, whether the vendor has
dealt with the issue or not.
Other security definitions:
http://searchsecurity.techtarget.com/glossary/0,294242,sid14,00.html?track=NL-358
=====================================================
YOUR TWO CENTS
Readers sound off
*Patching ASN.1 No Quick Call
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951433,00.html?track=NL-358
First, I really enjoy reading your articles in Security Wire Perspectives.
However, as one of the 138 respondents to the survey last week, I question
the conclusions from the somewhat flawed questions. If you want to know how
long it will take to get the patch put on then ask that question. Don't ask
about the process that will be used and then make a statement about when it
will be done. I was trying to decide between put it on after testing or
follow a routine schedule. I decided to be one of the 12% that will follow a
routine schedule. It should be noted that the routine schedule we will
follow is the one geared toward having the patch applied to 15,000 PCs and
1,400 servers within 10 days of the monthly release of patches by Microsoft.
We got burned by Blaster, but it actually did us a favor by showing us that
there are major costs to not patching. With MS03-026 it took from July 25th
to August 11 to move from sample exploit code to Blaster. MS03-039 has never
been exploited to my knowledge. If MS04-007 was released out of cycle we
would probably roll it to the clients and our outward facing servers right
away, hit the key infrastructure boxes like DNS servers, domain controllers
and exchange servers fairly quickly and wait for the monthly cycle for the
other servers if at all possible. I would probably change my response on the
survey to test before release.
Every chance I get, I reinforce with Microsoft that releases out of cycle
are not good and releases in cycle are good. --Maury G. Robert, CISSP
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf