Network Security
SANS NewsBites Vol. 6 Num. 10
- From: The SANS Institute
- Date: Wed Mar 10 09:58:30 2004
*************************************************************************
SANS NewsBites March 10, 2004 Vol. 6, Num. 10
*************************************************************************
TOP OF THE NEWS
Court Upholds Decision Deeming Broad e-Mail Subpoenas As Cyber
Intrusions
China Urged to Reconsider Stance on WLAN Security Standard
CPAs Show Leadership in Information Security
SPYBLOCK Act Takes Aim at Spyware
THE REST OF THE WEEK'S NEWS
SCO.com Back On-Line
Inside the Defense Computer Forensics Lab
National Strategy to Secure Cyberspace Has Had Minimal Impact, Say
Executives
Companies Require Customers to Waive Right to Sue if Personal Data is
Compromised
Security Improvements in Windows XP SP2 Could Break Some Applications
Report on Senate Judiciary Committee Network Security
CEOs: Security's Improved Since September 11
F-Secure Improves Security After Sending Out NetSky
OMB Finds Agencies Lagging in FISMA Compliance
Phishing Scheme Gets More Subtle
OMB: Agencies' Interpretation of Security Incidents Varies
Earthlink Will Test E-Mail Sender Authentication Technology
Worms Consume Broadband Profits
Are Worm Variants Due to a Grudge Match?
Researchers Find Spyware in 5% of PCs Connected to University Network
Survey: Viruses and Attacks Up 25% at UK Companies
GAO Finds Security Problems at USDA
Companies Opt for Off-the-Shelf Compliance Products
VULNERABILITY UPDATES AND EFFECTS
Microsoft Announces MSN Messenger Vulnerability and Two Others
Sober.D Poses as MyDoom Patch
Linux Kernel Vulnerability Allows Privilege Escalation
Flaw in Apple's QuickTime Player Allows Remote Code Execution
************************** Sponsored by NetIQ *************************
Free Security Event Management Guide
Do you need more efficient, automated log management methods and tools
to manage the terabytes of information generated by your Security Event
Management systems?
Download our free guide, "Log Management: Closing the Loop on Security
Event Management," to discover the crucial role that log management
plays as part of a complete Security Event Management solution.
http://www.netiq.com/f/form/form.asp?id=2469&origin=NS_SANS_031004
***********************************************************************
This Week's Featured Security Training Program:
Because SANS 2004 is nearly sold out, showing that employers are once
again saying yes to requests for effective training, we have added six
new conferences between May and July: Colorado Springs, Chicago,
Baltimore, Kansas City (Overland Park), Denver and Minneapolis.
Find details at http://www.sans.org
But there's still space in most of the courses at our mega-conference
in Orlando April 1-9. Security managers and analysts, system and
network administrators, auditors and forensic analysts will each find
immersion training focused on their special needs, and all taught by
the highest-rated instructors in the US. And it is all in Orlando
Florida.
http://www.sans.org/sans2004
*************************************************************************
TOP OF THE NEWS
--Court Upholds Decision Deeming Broad e-Mail Subpoenas As Cyber
Intrusions
(5 March 2004)
A federal appeals court has upheld an August 2003 decision that "overly
broad" subpoenas for e-mail "qualify as computer intrusions." The
Justice Department has said the ruling has made it more difficult for
law enforcement officials to procure private e-mail.
http://www.securityfocus.com/printable/news/8199
--China Urged to Reconsider Stance on WLAN Security Standard
(4 March 2004)
Intel Chief Technology Officer (CTO) Pat Gelsinger plans to meet with
Chinese government officials to discuss China's WLAN security standard,
WLAN Authentication and Privacy Infrastructure (WAPI), which uses a
protocol that is incompatible with the Wired Equivalent Privacy (WEP)
protocol. There is also concern that foreign companies wishing to
participate in the Chinese WLAN market have no choice but to partner
with Chinese firms, as they are the only ones who have the details of
WAPI technology. In addition, US Secretary of State Colin Powell, US
Secretary of Commerce Donald Evans and White House Trade representative
Robert Zoellick have written a joint letter to Chinese Deputy Prime
Ministers Wu Yi and Zeng Peiyan asking them to reconsider their position
on the issue.
http://www.computerweekly.com/articles/article.asp?liArticleID=128868&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1
http://news.com.com/2102-7351_3-5170025.html?tag=st.util.print
--CPAs Show Leadership in Information Security
The American Institute of Certified Public Accountants Inc. (AICPA) is
integrating the Center for Internet Security technical benchmarks into
its Trust Services auditing guidelines. This positions AICPA's audit
guidelines as the only ones that enable different auditors to get
comparable and consistent results in their security audits.
http://www.computerworld.com/printthis/2004/0,4814,90866,00.html
--SPYBLOCK Act Takes Aim at Spyware
(2 March 2004)
Three US Senators have introduced the Software Principles Yielding
Better Levels of Consumer Knowledge (SPYBLOCK) Act which would make it
illegal to download software onto people's computers from the Internet
without their permission, and would require companies that offer
software for downloading to disclose what their programs do and what
type of information they collect. Advertisements generated by spyware
would have to be clearly labeled as such. Furthermore, the proposed
legislation would allow states to sue violators in federal court and
the FTC to impose fines and civil penalties.
http://www.washingtonpost.com/ac2/wp-dyn/A23307-2004Mar2?language=printer
[Editor's Note (Ranum): Much spyware already hides "user permission" in
a click license of some form. SPYBLOCK is going to be as helpful about
spyware as CAN-SPAM has been for spam. Anyone still getting spam now
that it's illegal? ;)
(Schultz): This bill appears to be exactly what is needed to stem the
proliferation of spyware.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) WHITE PAPER - Spam threatens network security. Learn how to protect
your enterprise.
REQUEST: http://www.sans.org/click.php?id=351
(2) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/click.php?id=352
***********************************************************************
THE REST OF THE WEEK'S NEWS
--SCO.com Back On-Line
(8 March 2004)
The SCO.com web site is back on the Internet after a month-long
distributed denial-of-service attack launched by computers infected with
MyDoom. The attack was supposed to begin on February 1 and end on
February 12, but because some computers' clocks were set incorrectly,
it lasted several weeks longer.
http://zdnet.com.com/2102-1105_2-5171499.html?tag=printthis
--Inside the Defense Computer Forensics Lab
(8 March 2004)
The Defense Computer Forensics Lab (DCFL) accepts, stores and analyzes
digital evidence gathered in cases involving the military. This article
describes the Lab's process for extracting and analyzing digital
evidence, which can include damaged hard drives, tapes and cell phones;
it also details the intrusion analysis squad's involvement in the
investigation of Defense Department network intrusions. DCFL
investigators receive special training to preserve the integrity of the
data.
http://www.nwfusion.com/research/2004/0308dod.html
--National Strategy to Secure Cyberspace Has Had Minimal Impact, Say
Executives
(8 March 2004)
Corporate executives say the National Strategy to Secure Cyberspace
(NSSC) has had little or no impact on the way their companies plan for
and invest in security. Many companies have implemented security plans
for other reasons, including compliance with the Health Insurance
Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.
http://www.computerworld.com/printthis/2004/0,4814,90863,00.html
--Companies Require Customers to Waive Right to Sue if Personal Data
is Compromised
(5 March 2004)
Companies are increasingly requiring customers to waive their right to
sue if their information is stolen from the company's networks
regardless of what security measures the company has in place. The
trend is likely motivated by several recent high-profile cases in which
the Federal Trade Commission took action against companies that failed
to adequately secure customer data despite assurances that the
information would be protected.
http://www.washingtonpost.com/ac2/wp-dyn/A31874-2004Mar4?language=printer
--Security Improvements in Windows XP SP2 Could Break Some Applications
(4/5 March 2004)
Microsoft wants software developers to test their code against the
upcoming Windows XP Service Pack 2 beta; it contains security
improvements that could prevent some applications from working
correctly. Microsoft is also offering an online training course
designed to educate developers about the implications of the changes.
The Service Pack will also allow customers to opt in to automatic
security updates.
http://www.computerworld.com/printthis/2004/0,4814,90849,00.html
http://www.washingtonpost.com/ac2/wp-dyn/A29328-2004Mar4?language=printer
http://www.internetnews.com/ent-news/print.php/3322381
--Report on Senate Judiciary Committee Network Security
(5 March 2004)
Investigators say a "significant lack of security" allowed Republican
Senate Judiciary Committee staffers to access Democratic documents on
a committee's network. Senate Sergeant-at-Arms William H. Pickle hired
an outside forensics team to investigate the matter. The security
problems were attributed to the administrator's "lack of experience,
training and oversight." Since the discovery of the problem, Republican
and Democratic committee staffs have been put on their own LANs, each
with its own administrator. The report recommended security
improvements, including establishing technical skills assessment,
certification and education for administrators and requiring that all
new employees be given ethics and computer security training.
http://www.washingtonpost.com/ac2/wp-dyn/A31803-2004Mar4?language=printer
http://zdnet.com.com/2102-1105_2-5170987.html?tag=printthis
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25196
Report:
http://judiciary.senate.gov/print_testimony.cfm?id=1085&wit_id=2514
http://judiciary.senate.gov/print_testimony.cfm?id=1085&wit_id=3088
--CEOs: Security's Improved Since September 11
(5 March 2004)
A recently released survey of 100 CEOs from "leading US companies" says
that nearly all have improved both physical and cyber security since
the September 11 attacks. Cyber security spending has increased 10%
and most CEOs expect spending to remain steady or increase slightly in
2004. About 90% of those surveyed said they test their emergency
response plans once a year; 40% test at least twice a year.
http://www.computerworld.com/printthis/2004/0,4814,90852,00.html
--F-Secure Improves Security After Sending Out NetSky
(4 March 2004)
F-Secure has increased security for its customer mailing lists after
inadvertently sending out a version of NetSky in late February.
F-Secure director of antivirus research Mikko Hypponen said the company
will no longer accept outside e-mail to its list and will block
attachments.
http://news.com.com/2102-7349_3-5170277.html?tag=st.util.print
[Editor's Note (Grefer): Please use this incident as a reminder to check
the settings of your mailing lists. If your mailing list is intended
for one-way communication, i.e. a newsletter or alerts, make sure that
you allow content only from a trusted source - typically from a specific
account within your company - to be sent out, after it has passed a
validation process. If you are operating a discussion list, consider
running it as a moderated list, preferably with scanning of
attachments.]
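The list policy Grefer's note describes (one designated internal account may post to a one-way list, attachments are blocked, everything else is held for a moderator on a discussion list) as an added example written for this page, not code from F-Secure or any list software. The sender address and message contents are constructed, and the gate assumes the list software has already done its own validation, since a From header alone proves nothing.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist: the single internal account permitted to post
# to the announcement list. Any other From address is untrusted.
TRUSTED_SENDERS = {"alerts@example.com"}


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME leaf is an attachment or non-text content."""
    for part in msg.walk():
        if part.is_multipart():
            continue                       # container, inspect its children
        if part.get_content_disposition() == "attachment":
            return True
        if part.get_content_maintype() != "text":
            return True                    # inline binary counts as well
    return False


def list_decision(raw: bytes, moderated: bool = False) -> str:
    """Return 'accept', 'hold' or 'reject' for a submitted message.

    A From header is trivially forgeable, so this gate is only the last
    step after the list software's own sender validation.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if has_attachment(msg):
        return "reject"                    # attachments blocked on every list
    if sender in TRUSTED_SENDERS:
        return "accept"                    # designated account posts directly
    return "hold" if moderated else "reject"


def build(sender: str, body: str, attach: Optional[bytes] = None) -> bytes:
    """Construct a sample submission (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "newsletter@example.com"
    msg["Subject"] = "sample"
    msg.set_content(body)
    if attach is not None:
        msg.add_attachment(attach, maintype="application",
                           subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(list_decision(build("alerts@example.com", "Weekly alert")))          # accept
    print(list_decision(build("Alerts <ALERTS@example.com>", "Weekly alert")))  # accept
    print(list_decision(build("stranger@example.net", "hi"), moderated=True))  # hold
    print(list_decision(build("alerts@example.com", "patch", b"MZ...")))       # reject
```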
--OMB Finds Agencies Lagging in FISMA Compliance
(3/4 March 2004)
An Office of Management and Budget (OMB) review of nearly 8,000 agency
computer systems found that just 62% have been certified and accredited
by an inspector general or a third-party entity. The OMB had set a goal
of having 80% of systems certified by December 2003. Only 78% of
systems evaluated had undergone risk assessment and 73% have up-to-date
IT security plans. OMB will require agencies to address these problems
before they're allowed to spend money on development, enhancement or
modernization in fiscal 2004. Despite having missed OMB targets,
agencies did improve in each of the seven categories OMB evaluated.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25149
http://www.fcw.com/fcw/articles/2004/0301/web-fisma-03-03-04.asp
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25156
OMB's Annual Report to Congress (Fiscal 2003):
http://www.whitehouse.gov/omb/inforeg/fy03_fisma_report.pdf
--Phishing Scheme Gets More Subtle
(3 March 2004)
An especially artful phishing scheme aimed at Westpac on-line banking
customers even goes so far as to include an oft-repeated caveat: the
bank will never ask for personal or log-in details in e-mail. The link
in the phony e-mail opens a fake Westpac website in front of the real
Westpac site. Customers are instructed to log on to the site and
"verify their credentials." After the information has been entered,
the customer receives a phony error message and is sent to the bank's
actual web site.
http://news.zdnet.co.uk/internet/security/0,39020375,39147979,00.htm
--OMB: Agencies' Interpretation of Security Incidents Varies
(3 March 2004)
Disparate levels of security incident reporting from various US
government agencies have prompted Office of Management and Budget (OMB)
officials to step back and work out how agencies should interpret the
reporting requirements. Last year, the Department of Health and Human
Services reported 348.9 million incidents while the Department of Housing
and Urban Development reported just one.
http://www.fcw.com/fcw/articles/2004/0308/news-crash-03-08-04.asp
[Editor's Note (Shpantzer): It seems like HHS is reporting security
events rather than security incidents, whereas HUD is underreporting
altogether.]
--Earthlink Will Test E-Mail Sender Authentication Technology
(3 March 2004)
Earthlink plans to start testing technology to reduce the amount of spam
and malicious e-mail its users receive.
http://www.computerworld.com/printthis/2004/0,4814,90746,00.html
--Worms Consume Broadband Profits
(3 March 2004)
According to a study from Internet traffic management firm Sandvine,
worms will cost broadband ISPs as much as USD 370 million worldwide.
At any given moment, between 2% and 12% of all Internet traffic on ISP
networks is malicious.
http://news.com.com/2102-7355_3-5169232.html?tag=st.util.print
http://www.theregister.co.uk/content/56/35963.html
http://www.theglobeandmail.com/servlet/story/RTGAM.20040303.gtsandmar2/BNPrint/Technology/
--Are Worm Variants Due to a Grudge Match?
(2/3 March 2004)
Text in the code of multiple recently released variants of MyDoom,
NetSky and Bagle appears to indicate that the rash of malware is the
result of a battle between competing virus-writing groups.
http://www.eweek.com/print_article/0,1761,a=120716,00.asp
http://zdnet.com.com/2102-1105_2-5168983.html?tag=printthis
http://www.computerworld.com/printthis/2004/0,4814,90767,00.html
http://www.eweek.com/print_article/0,1761,a=120741,00.asp
http://www.newsfactor.com/story.xhtml?story_title=Worm_Writers_Continue_Verbal_Warfare&story_id=23291&category=netsecurity
--Researchers Find Spyware in 5% of PCs Connected to University Network
(4 March 2004)
A study conducted by computer scientists at the University of Washington
in Seattle found that just over 5% of computers connected to the
university's network contained one of four specific spyware programs.
They estimate that the real world figure may be larger because students
are more tech savvy than ordinary home users and because there are more
spyware programs than just the four the study searched for. The
researchers also discovered that two of the programs could be exploited
to run unauthorized code on the computers.
http://www.newscientist.com/news/print.jsp?id=ns99994745
[Editor's Note (Ranum): This is on the low side, by my experience. Even
corporate networks are greatly infested with the stuff. One company I
know had a 90% spyware infestation on user desktops. The presence of so
much spyware indicates one thing: corporate users don't look at their
outgoing firewall logs anywhere NEAR as much as they ought to.]
--Survey: Viruses and Attacks Up 25% at UK Companies
(2 March 2004)
The UK's Department of Trade and Industry will publish a survey showing
that half of UK businesses fell victim to viruses or distributed
denial-of-service attacks last year, a 25% increase over the previous
year's statistics.
http://news.zdnet.co.uk/0,39020330,39147959,00.htm
http://www.pcpro.co.uk/front_frameset/front_ad_tr.php
--GAO Finds Security Problems at USDA
(1/2 March 2004)
A General Accounting Office (GAO) report says that the US Department of
Agriculture (USDA) has "critical, pervasive information security control
weaknesses" which could leave the agency's proprietary data, financial,
agricultural and marketing data vulnerable to exposure or modification.
The GAO's recommendations include implementing a comprehensive security
management program; despite several initiatives USDA has taken to
improve its security, the GAO says it is not progressing quickly enough.
http://www.govexec.com/dailyfed/0304/030104tdpm2.htm
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25107
http://www.fcw.com/fcw/articles/2004/0301/web-usda-03-01-04.asp
http://www.computerworld.com/printthis/2004/0,4814,90709,00.html
http://www.gao.gov/new.items/d04154.pdf
--Companies Opt for Off-the-Shelf Compliance Products
(1 March 2004)
Large companies seeking to comply with Section 404 requirements of the
Sarbanes-Oxley Act are choosing off-the-shelf products in lieu of
developing their own, in-house software. The companies say they save
time and money by purchasing the software; the vendors will customize
and maintain the products. The Securities and Exchange Commission (SEC)
has granted a one-year extension on compliance for companies that meet
certain criteria.
http://www.computerworld.com/printthis/2004/0,4814,90595,00.html
http://www.computerworld.com/printthis/2004/0,4814,90611,00.html
VULNERABILITY UPDATES AND EFFECTS
--Microsoft Announces MSN Messenger Vulnerability and Two Others
(9 March 2004)
In its monthly vulnerability announcement, Microsoft told users that
two security patches should be applied immediately, including one that
patches the first vulnerability in MSN Messenger 6.0.
http://news.com.com/2100-1002-5171898.html
--Sober.D Poses as MyDoom Patch
(8 March 2004)
http://zdnet.com.com/2102-1105_2-5171243.html?tag=printthis
http://www.eweek.com/print_article/0,1761,a=121095,00.asp
http://www.computerworld.com/printthis/2004/0,4814,90899,00.html
--Linux Kernel Vulnerability Allows Privilege Escalation
(8 March 2004)
http://www.theregister.co.uk/content/55/36097.html
--Flaw in Apple's QuickTime Player Allows Remote Code Execution
(3 March 2004)
http://www.computerworld.com/printthis/2004/0,4814,90765,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/