Merit Network Email List Archives: Network Security

Historical SANS NewsBites Vol. 6 Num. 9

  • From: The SANS Institute
  • Date: Wed Mar 03 12:50:19 2004


*************************************************************************
SANS NewsBites                 March 3, 2004               Vol. 6, Num. 9
*************************************************************************

NEW CYBERSECURITY LEGISLATION AND LEGAL DECISIONS AFFECTING SECURITY
  Putnam Drafting Amendment to Clinger-Cohen Act
  Court Says Earlier Decision in DeCSS Posting Case Violated Defendant's
     Free Speech Rights
  Panel Discusses Security Regulation
  Louisiana Man Arrested, Charged with Cyber Terrorism Under USA PATRIOT
     Act 
  Outcome of Password-Sharing Case is Cause for Concern 
  Interview with US Senator Bob Bennett

NEW SECURITY ORGANIZATIONS
  Software Companies Form Cyber Security Industry Alliance
  Group Wants to Bring Physical and IT Security Together
  Security Metrics Consortium

THE REST OF THE WEEK'S NEWS
  FBI Confiscates Servers in Investigation
  VoIP Security Awareness Found Lacking
  Concern Mounts Over China's Wireless Standard Requirements
  Microsoft To Offer Reduced-Price Software Development Tools in Some
     Asian Countries
  Student Charged with Breaking Into Roommate's E-Mail Account
  Teen in MSBlast Case Admits to Other Cyber Attacks and Intrusions
  F-Secure Apologizes for Sending Virus
  Malicious Coders Reverse Engineer Patches to Create Exploits
  Yukon (SQL Server) Will Ship with Some Features Turned Off
  CIA Report Will Address Cyber Terrorism Threat to Critical
     Infrastructure
  Patching is Burdensome, Takes Time
  Microsoft is Reviewing Leaked Code
  Gates on Microsoft's Security Endeavors
  Cyber Crime Costs UK Companies Billions in 2003
  Missouri Bank Sent Unencrypted Customer Data to Programmer

VULNERABILITY UPDATES AND EFFECTS
  NetSky.D Spreading Rapidly
  Five Bagle Variants Released Over the Weekend
  Flaw in Mac OS X 10.3.2 Could Allow Password Transmission in Clear Text
  WinZip Vulnerability
  MSN Explorer Flaw Allows Free Access to Premium Services
  MyDoom.F Carries Nasty Payload; NetSky.C Continues to Spread
  Bizex Worm Targets ICQ Instant Messenger Users


************************** Sponsored by NetIQ *************************
Need security policies? 
Don't start from scratch. Check out "Information Security Policies Made
Easy," the best security policy resource guide available, with 1,300+
ready-to-use security policies, easily customizable for any
organization. Also, don't miss our step-by-step guide, "Information
Security Roles & Responsibilities Made Easy."
 
Check them both out now. 
http://www.netiq.com/f/form/form.asp?id=2202&origin=NS_SANS_030304

***********************************************************************
This Week's Featured Security Training Program:

Because SANS 2004 is nearly sold out, showing that employers are once
again saying yes to requests for effective training, we have added six
new conferences between May and July: Colorado Springs, Chicago,
Baltimore, Kansas City (Overland Park), Denver and Minneapolis.
Find details at http://www.sans.org

But there's still space in most of the courses at our mega-conference
in Orlando April 1-9.  Security managers and analysts, system and
network administrators, auditors and forensic analysts will each find
immersion training focused on their special needs, and all taught by
the highest-rated instructors in the US.  And it is all in Orlando
Florida.

http://www.sans.org/sans2004

*************************************************************************


NEW CYBERSECURITY LEGISLATION AND LEGAL DECISIONS AFFECTING SECURITY

 --Putnam Drafting Amendment to Clinger-Cohen Act
(23 February/1 March 2004)
Representative Adam Putnam (R-Fla.) is drafting an amendment to the
Clinger-Cohen Act which would add cyber security to enterprise
architecture requirements for government agencies.  In addition, the
Corporate Information Security Working Group (CISWG) convened by Rep.
Putnam plans to submit recommendations to Putnam today (March 3) on
improving cyber security in government and the private sector.  Putnam
is Chairman of the Government Reform Subcommittee on Technology,
Information Policy, Intragovernmental Relations and the Census.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25044
http://www.fcw.com/fcw/articles/2004/0301/web-bobdix-03-01-04.asp
[Editor's Note (Pescatore): Representative Putnam keeps doing great
stuff to try to get the government to improve the security of its own
computer systems, and lead by example. While amending Clinger-Cohen to
include cyber security may not sound sexy, to make progress in
government you have to embed security requirements into government
agencies' lifeblood - bureaucracy.]

 --Court Says Earlier Decision in DeCSS Posting Case Violated
    Defendant's Free Speech Rights
(1 March 2004)
California's Sixth Circuit Court of Appeals overturned a lower court
order that barred the posting of the DeCSS DVD decryption tool on the
Internet.  The court found that the order violated defendant Andrew
Bunner's free speech rights; the court also agreed with his attorneys
that by the time Bunner posted the code on the Internet, it was no
longer secret.
http://news.com.com/2102-1026_3-5166887.html?tag=st.util.print
[Editor's Note (Schultz): This ruling is consistent with previous court
rulings, but it is disconcerting that copyright holders lose just
because someone publicly posts copyrighted information.]

 --Panel Discusses Security Regulation
(26 February 2004)
A panel comprised of representatives from business and government
discussed the role the government should take in regulating Internet
security.
http://www.eweek.com/print_article/0,1761,a=120346,00.asp

 --Louisiana Man Arrested, Charged with Cyber Terrorism Under USA
    PATRIOT Act
(26 February 2004)
FBI agents arrested David Jeansonne of Louisiana under a provision of
the federal computer crime statute of the USA PATRIOT Act.  Jeansonne
allegedly tricked 18 MSN TV users into running a script on their
machines that changed their dial-up number to 911, resulting in false
emergency calls.  Jeansonne was charged under the USA PATRIOT Act
because the act posed "a threat to public health or safety."
http://www.securityfocus.com/news/8136

 --Outcome of Password-Sharing Case is Cause for Concern 
(1 March 2004)
A federal court ruled that Berkshire Information Systems violated the
Computer Fraud and Abuse Act when it obtained a password and userid from
a competitor's client and used it to access the competitor's network.
The author of this article questions the interpretation of "damage" in
this case.
http://www.securityfocus.com/columnists/222

 --Interview with US Senator Bob Bennett
(25 February 2004)
Senator Bob Bennett (R-Utah) discusses defending the US critical
infrastructure from cyber attacks and information sharing with
journalist Dan Farber.  Senator Bennett received the RSA Award for
Excellence in the Field of Public Policy at last week's conference.
http://techupdate.zdnet.com/techupdate/stories/main/Information_sharing_is_key_to_thwarting_cyber_attacks_print.html


************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE White Paper: "Hackers New Trick- LDAP Injection Attacks"
http://www.sans.org/click.php?id=341

(2) From SANS: HIPAA Security Implementation is a step by step guide for
     IT staff of hospitals.  Thorough and extremely cost effective.  
https://store.sans.org/store_item.php?item=117

***********************************************************************


NEW SECURITY ORGANIZATIONS
 --Software Companies Form Cyber Security Industry Alliance
(25 February 2004)
The Cyber Security Industry Alliance (CSIA) aims to work with government
to avoid cyber security legislation that is not in accord with their
agenda; the group concedes that some federal requirements that don't
prove too burdensome for technology companies could help improve
security.  Among the CSIA's immediate priorities is the development of
industry-wide standards for reporting and sharing information about
security threats.
http://www.washingtonpost.com/ac2/wp-dyn/A3455-2004Feb24?language=printer
http://news.com.com/2102-7355_3-5165204.html?tag=st.util.print

 --Group Wants to Bring Physical and IT Security Together
(25 February 2004)
The Open Security Exchange (OSE) aims to develop interoperability
standards for physical and IT security.  OSE has submitted
specifications for its Physical Security Bridge to IT Security to the
Security Industry Association under its Open Systems Integration and
Performance Standards initiative; the group also plans to release
a white paper on credentials management and smart cards soon.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25072
[Editor's Note (Pescatore): This is a popular notion that makes no sense
to me. Beyond the fact that combined facility/network access cards span
both groups, there is very little similarity between running a physical
security program and running a network or information security program.
If I'm the President of the United States and I see the Secret Service
replacing guns with PDAs and outsourcing the agents who surround me with
a call center in Bangalore, I'm going to hide in the basement.]

 --Security Metrics Consortium
(25 February 2004)
The Security Metrics Consortium (SecMet), a group made up of CIOs, hopes
to develop quantitative network security metrics.
http://www.eweek.com/print_article/0,3048,a=120180,00.asp


THE REST OF THE WEEK'S NEWS

 --VoIP Security Awareness Found Lacking
(2 March 2004)
Research from META Group shows that companies moving to VoIP often do
not grasp the security risks associated with the technology.
Additionally, "existing IP telephony products and projects" lack
adequate security.
http://australianit.news.com.au/common/print/0,7208,8837492%5E15331%5E%5Enbv%5E15306%2D15319,00.html

 --Concern Mounts Over China's Wireless Standard Requirements
(1 March 2004)
US government and industry groups hope to work with China on developing
international wireless standards.  China presently requires that the
Wireless Authentication and Privacy Infrastructure (WAPI) encryption
scheme be built into every wireless device used in the country before
June 2004.  That scheme is not compatible with WEP and AES schemes which
are used in IEEE's 802.11x standards.  There is also considerable
concern over China's requirement that companies that choose to use WAPI
must partner with one of a chosen group of Chinese companies; this flies
in the face of a World Trade Organization (WTO) provision that says that
foreign companies may not be treated differently from domestic
companies.
http://www.cmpnetasia.com/PrintArticle.cfm?Artid=23034
[Editor's Note (Pescatore): this is just as bad as when the US tried to
have export controls on crypto. The original security standards for WLAN
(Wired Equivalent Privacy) were developed during the era of export
controls, and WEP was weak and flawed. Open reviews and improvements
led to WiFi Protected Access and the coming 802.1x standard that
includes AES - strong security. The Chinese government forcing a closed
standard (WAPI) and mandating who produces the crypto will end up being
WEP all over again.]

 --Microsoft To Offer Reduced-Price Software Development Tools in Some
    Asian Countries
(1 March 2004)
In an attempt to increase its share of the market in China and other
developing Asian countries, Microsoft plans to offer products at reduced
prices.  Microsoft has encountered difficulties in China where an
estimated 90% of the software in use is pirated.  In addition, the use
of Linux is encouraged in China.
http://fpeng.peopledaily.com.cn/200403/01/eng20040301_136172.shtml
[Editor's Note (Paller): This story may not seem relevant to the
security field, but it is. As Microsoft feels more and more pressure
from the growing Linux movement, the company will be forced to
accelerate its security improvements to balance the perceived security
advantages that Linux offers to potential buyers.]

 --Student Charged with Breaking Into Roommate's E-Mail Account
(26 February 2004)
Iowa State University student Nicholas Jensen has been charged with
breaking into his former roommate's e-mail account and sending phony
messages to people under the roommate's name.  If convicted, Jensen
could face fines and a three-year prison sentence.
http://www.usatoday.com/tech/news/2004-02-26-gay-mail_x.htm
[Editor's Note (Grefer): Given that the majority of mail servers still
do not require authentication of users sending mail, there's a chance
that the student could have sent these messages without breaking into
anything.]

 --Teen in MSBlast Case Admits to Other Cyber Attacks and Intrusions
(26 February 2004)
Jeffrey Parson, the Minnesota teenager accused of releasing an MSBlast
variant last summer, has admitted to other computer misdeeds, according
to federal prosecutors.  Parson admitted to launching attacks against
the Motion Picture Association of America (MPAA) and the Recording
Industry Association of America (RIAA), as well as storing digital
content on computers that he broke into.
http://www.startribune.com/stories/789/4630324.html

 --F-Secure Apologizes for Sending Virus
(26 February 2004)
Anti-virus company F-Secure has e-mailed an apology to customers who
were inadvertently sent the Netsky.B virus through an e-mail list.
F-Secure director of anti-virus research Mikko Hypponen said the company
has taken steps to guard against a repeat of the event; the e-mail list
should not have been accepting external e-mails and the problem has been
corrected.
http://www.vnunet.com/News/1153081

 --Malicious Coders Reverse Engineer Patches to Create Exploits
(26 February 2004)
David Aucsmith, chief technology officer for Microsoft's security
business unit, says that crackers reverse engineer patches for security
flaws to create exploits.  Aucsmith says he knows of only one case in
which an exploit surfaced before a patch was released.  Aucsmith also
remarked that the US$5 million fund established to reward people who
provide information leading to the prosecution of those responsible for
worms and viruses has been effective.  Without providing details,
Aucsmith said that law enforcement organizations around the world are
acting on information received as a result of the reward fund.
http://news.bbc.co.uk/1/hi/technology/3485972.stm
http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39169523-39001150t-39000005c

 --Yukon (SQL Server) Will Ship with Some Features Turned Off
(25 February 2004)
Yukon, the code name for the next version of Microsoft's SQL Server,
will ship with certain features turned off in the interest of security.
Core functionality features will be left on, and engineers are working
to make sure that users will be able to turn on desired features easily.
http://www.eweek.com/print_article/0,1761,a=120237,00.asp
[Editor's Note (Schultz): This all seems too good to be true--a clear
step in the right direction.  Hopefully, other vendors will follow suit.
(Pescatore): As Shakespeare once said about software design: "Ay,
there's the rub." It's good to see software designers finally accepting
"turn everything off that isn't explicitly enabled" as design
philosophy. Let's hope they don't succumb to the temptation to include
wizards that undo all that with one click.]

 --CIA Report Will Address Cyber Terrorism Threat to Critical
    Infrastructure
(24/25 February 2004)
This week, the CIA, along with the FBI, the Department of Homeland
Security and the Pentagon, will publish a National Intelligence Estimate
(NIE) on the threat cyber terrorism poses to US critical infrastructure.
The estimate/report is likely to be classified.  News of the report came
during a Senate Judiciary subcommittee hearing on cyber terrorist
threats and capabilities.  Two members of the committee expressed
concern that the threat of cyber terrorism and physical attacks against
critical infrastructure is not receiving high-level attention.
http://www.computerworld.com/printthis/2004/0,4814,90448,00.html
http://www.washingtonpost.com/ac2/wp-dyn/A3314-2004Feb24?language=printer

 --FBI Confiscates Servers in Investigation
(24 February 2004)
FBI agents have confiscated servers from CIT Hosting as part of an
Internet crime investigation.  According to the warrant, the FBI is
investigating the possibility that someone hosted on CIT's network
launched a cyber attack.
http://www.eweek.com/print_article/0,3048,a=120169,00.asp

 --Patching is Burdensome, Takes Time
(24 February 2004)
Data collected over a period of two years by vulnerability assessment
firm Qualys indicate that it takes companies a month to halve "the
number of vulnerable computers connected to the Internet."  The data
were mentioned in support of concerns about patching voiced by members
of a discussion panel at the RSA Security Conference last week.
http://news.com.com/2102-7355_3-5164650.html?tag=st.util.print

 --Microsoft is Reviewing Leaked Code
(24 February 2004)
Microsoft is conducting an "in-depth security review" of leaked Windows
code.  The code was reviewed before it was released, but the security
review process has become more sophisticated since then.  Because the
code (Windows 2000 and NT 4.0) is old, many of its flaws have already
been addressed with patches or service packs.
http://www.computerworld.com/printthis/2004/0,4814,90431,00.html  

 --Gates on Microsoft's Security Endeavors
(24/26 February/1 March 2004)
Speaking at last week's RSA Security Conference, Bill Gates described
a number of new security measures in Microsoft products.  Service Pack
2 for Windows XP, expected to be released this spring, will include an
expanded firewall and a pop-up blocker in Internet Explorer.  In
addition, SP2 will include Windows Security Center, which will allow
users to view their security settings and receive advice on addressing
vulnerabilities.  The announcement of the new security features drew
mixed reactions.
http://news.com.com/2102-7349_3-5164162.html?tag=st.util.print
http://fpeng.peopledaily.com.cn/200403/01/eng20040301_136172.shtml
http://www.eweek.com/print_article/0,1761,a=120502,00.asp

 --Cyber Crime Costs UK Companies Billions in 2003
(24 February 2004)
The results of a survey conducted by the UK's National Hi Tech Crime
Unit (NHTCU) estimate that cybercrime cost British companies billions
of pounds last year.  The financial sector was hit most often.
Although 83% of the 201 companies participating in the survey said they
had been affected by cybercrime in 2003, less than 25% of the companies
reported the incidents to police.  More than 25% of the companies do
not conduct regular security audits.
http://www.reuters.com/printerFriendlyPopup.jhtml?type=internetNews&storyID=4425312

 --Missouri Bank Sent Unencrypted Customer Data to Programmer
(22 February 2004)
Southern Commercial Bank, which is based in St. Louis, Missouri, may
have compromised the privacy of 40,000 customers when it sent
unencrypted personal data, including bank account and social security
numbers, to an independent programmer.  A branch bank VP sent the
information in an attachment; the Missouri Division of Finance is
investigating the case.
http://www.stltoday.com/stltoday/business/stories.nsf/0/9D53CE21E23D8AB486256E430024A17A?OpenDocument&Headline=E-mail+ensnarls+bank+in+privacy+inquiry


VULNERABILITY UPDATES AND EFFECTS

 --NetSky.D Spreading Rapidly
(1 March 2004)
http://www.zdnet.co.uk/print/?TYPE=story&AT=39147916-39020375t-10000025c

 --Five Bagle Variants Released Over the Weekend
(1 March 2004)
http://www.zdnet.co.uk/print/?TYPE=story&AT=39147909-39020330t-10000025c
http://www.eweek.com/print_article/0,1761,a=120567,00.asp
[Editor's Note (Tan): Bagle and NetSky are fighting with each other. In
NetSky.F, researchers found the following text: "Skynet AntiVirus -
Bagle - you are a looser!!!!" This NetSky worm variant tries to remove
Bagle worm infection if it finds it on an infected computer. And in
Bagle.K, a message is embedded saying, "Hey, NetSky, f*ck off you
b*tch!"]


 --Flaw in Mac OS X 10.3.2 Could Allow Password Transmission in Clear Text
(27 February 2004)
http://www.eweek.com/print_article/0,1761,a=120526,00.asp

 --WinZip Vulnerability
(27 February 2004)
http://www.eweek.com/print_article/0,1761,a=120451,00.asp

 --MSN Explorer Flaw Allows Free Access to Premium Services
(26 February 2004)
http://news.com.com/2102-1032_3-5165970.html?tag=st.util.print

 --MyDoom.F Carries Nasty Payload; NetSky.C Continues to Spread
(24/25 February 2004)
http://www.wired.com/news/print/0,1294,62401,00.html
http://www.eweek.com/print_article/0,3048,a=120236,00.asp
http://www.computerworld.com/printthis/2004/0,4814,90468,00.html
http://www.computerworld.com/printthis/2004/0,4814,90491,00.html

 --Bizex Worm Targets ICQ Instant Messenger Users
(24/25 February 2004)
http://www.techweb.com/wire/story/TWB20040224S0006
http://www.eweek.com/print_article/0,3048,a=120235,00.asp

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites.  For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


