Network Security
FW: Security Wire Perspectives, Vol. 6, No. 20, March 11, 2004
- From: Howell, Paul
- Date: Thu Mar 11 06:31:31 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-1F771CA57A0AA851@lists.techtarget.com]
Sent: Thursday, March 11, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 20, March 11, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&ad=478106&Offer=swp .
IN THIS ISSUE:
A READ ON THE NEWS
*Don't Rush to Strip the Zip
*Senate Takes Aim at Spyware
HEADLINES
*New Security Appliance With No Static Rules
*HP Fixes Multiple Remote Takeover Vulnerabilities
*Worm Writers' War of Words Throwback to Days of Old
*Solaris Flaw in "Passwd" Command Allows Root Privileges
WEEKLY SECURITY PLANNER
Week 13: Social Engineering, the Low-tech Side of High-tech
WHATIS WORD OF THE WEEK
*Social engineering
YOUR TWO CENTS
Readers sound off on virus advisories
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE PERSPECTIVES IS SPONSORED BY: Consul
Demystifying Compliance -- Managing Security to Complex Requirements
Pressures to protect an organization's systems and information come from
various sources; forcing organizations to manage their security to a
multitude of varying security and privacy requirements. FISMA, GLBA, HIPAA,
PIPEDA, CA SB1386, NERC/FERC, PATRIOT, SOX, and EU DPA - what appears to be
a long list in the technical acronym soup is really a collection of
regulatory/legislative mandates that leave information security managers
scratching their head.
Join Principal Analyst Mike Rasmussen, Research Leader for Forrester
Research Inc. and Consul on March 18, 2004 for an exclusive webinar on the
steps an organization must address when building an information security
compliance program that effectively manages business requirements.
http://searchSecurity.com/r/0,,26082,00.htm?track=NL-358&ad=478106&consul
=====================================================
A READ ON THE NEWS
*DON'T RUSH TO STRIP THE ZIP
By Edward Hurley
Some security-conscious souls may have started blocking all .zip files at
the gateway, given the wide variety of worms taking advantage of the file
type in recent weeks. However, some experts say security managers shouldn't
jump the gun.
Worms traveling as .zip files aren't new. Sobig-E did so last June -- just
one of dozens unleashed in the last few years. The writers of the Bagle
worms added an interesting twist by sending their creations as
password-protected .zips with the password included in the message,
prompting debate over how best to protect enterprises against this growing
threat.
Some companies purposely strip out password protected .zip files because
traditionally, antivirus scanners can't detect worms within them. That's
changed, with a few of the major antivirus software vendors now scanning
password-protected .zip files.
Few would argue against blocking or stripping executable files such as
.exes, .scrs and .pifs. Doing a risk assessment for such files is a snap.
The risks posed by such files, often used by worm writers, aren't offset by
significantly pressing business reasons to permit them.
By contrast, many businesses have a legitimate reason for accepting .zip
files. "It's time to begin considering blocking .zip because of the
proliferation of .zip viruses," said Greg Francis, senior system
administrator at Gonzaga University in Spokane, Wash. "We're not ready to do
that yet, though, because it's such a useful file type."
Antivirus experts agree with Francis. While blocking .zip files may be
useful for preventing worms, a business case can be made for letting them
in. "People shouldn't get paranoid about .zip files. They are relatively
safe," said Vincent Gullotto, vice president of McAfee AVERT.
When deciding whether or not to strip .zip files, companies need to balance
the risks those files pose against the potential productivity loss if they
aren't allowed in. Bob Gullet, director of network technology at the College
of American Pathologists, knows full well the challenges posed by stripping
.zips. "We block any .zip file that is password protected," he said. "Some
people aren't perfectly happy, but we do provide FTP server space for people
who need to transfer files to business partners."
Gullotto said companies should revisit their decisions over what files to
block. "As with everything in security, you can't set up something today and
think it will be safe in six months. Things change."
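The policy Gullet describes (block any password-protected .zip, while plain executables are blocked outright) can be enforced at a gateway without knowing any password, because the ZIP format records encryption per entry in bit 0 of each header's general-purpose flag. The following is an added example, not code from the article or from any vendor it mentions: it parses an archive's central directory and applies that policy. The `inspect_zip` and `build_sample_zip` functions, the blocked-extension list and the sample member names are constructed for illustration.

```python
import io
import struct
import zipfile

# Extensions the article says few would argue against blocking outright.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"     # central directory file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature
ENCRYPTED_FLAG = 0x0001     # general-purpose flag bit 0: entry is encrypted


def central_directory_entries(data: bytes):
    """Yield (name, general_purpose_flags) for every entry in the central directory.

    The central directory is read rather than the local headers because it is
    the index a ZIP reader actually trusts, and it carries the same flag bits.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD fields after the signature: disk number, central dir disk, entries on
    # this disk, entries total, central dir size, central dir offset, comment length.
    _, _, _, total, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        flags, = struct.unpack("<H", data[pos + 8:pos + 10])
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", errors="replace")
        yield name, flags
        pos += 46 + name_len + extra_len + comment_len


def inspect_zip(data: bytes) -> dict:
    """Apply the gateway policy: block if any entry is password-protected (the
    scanner could not inspect it) or carries a blocked executable extension."""
    encrypted, executables = [], []
    for name, flags in central_directory_entries(data):
        if flags & ENCRYPTED_FLAG:
            encrypted.append(name)
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            executables.append(name)
    verdict = "block" if (encrypted or executables) else "allow"
    return {"verdict": verdict, "encrypted": encrypted, "executables": executables}


def build_sample_zip(members: dict, password_protected: bool = False) -> bytes:
    """Build a constructed sample archive in memory (not a real mail attachment).

    zipfile cannot write encrypted archives, so a 'password-protected' sample is
    made by setting the encryption flag bit in every local and central header,
    which is exactly the signal a gateway sees when deciding whether it can scan.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if password_protected:
        # Flag word sits at offset 6 in a local header and offset 8 in a central one.
        for sig, flag_offset in ((LOCAL_SIG, 6), (CDH_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                flags, = struct.unpack_from("<H", data, pos + flag_offset)
                struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed samples: a normal document, a "password-protected" one, and a
    # double-extension executable hiding behind a .jpg name.
    samples = {
        "report.zip": build_sample_zip({"q1-report.doc": b"quarterly numbers"}),
        "locked.zip": build_sample_zip({"invoice.doc": b"see attached"}, password_protected=True),
        "photos.zip": build_sample_zip({"photo.jpg.exe": b"MZ..."}),
    }
    for filename, blob in samples.items():
        print(filename, inspect_zip(blob))
```

Because only the central directory flags are consulted, the check is cheap enough to run on every attachment, and a blocked message can name the offending entries so the sender can be pointed at an alternative channel such as the FTP space Gullet mentions.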
*SENATE TAKES AIM AT SPYWARE
By Mathew Schwartz
A new federal bill hopes to eliminate spyware -- software that quietly
relays user information or even keystrokes to outsiders -- and rein in
adware, which prompts those annoying pop-up advertisements. The goal is to
protect users from identity theft and organizations from
intellectual-property loss.
The SPYBLOCK Act, introduced by senators Ron Wyden (D-Ore.), Conrad Burns
(R-Mont.) and Barbara Boxer (D-Calif.), prohibits installation of software
on a user's computer without consent, and requires reasonable uninstall
procedures. Also illegal would be sharing a user's information with third
parties without explicit approval, sending users to fake Web sites in
phishing attacks, or using browser vulnerabilities to force "drive-by
downloads." The Federal Trade Commission (FTC) and state attorneys general
would enforce the bill, and could file injunctions and levy fines.
Utah, Iowa and California state legislatures also are weighing antispyware
bills.
The legislation comes amid reports of a spyware epidemic, according to new
research from the University of Washington (UW), as reported by New
Scientist magazine. Scans of the 31,000 computers connected to the UW
network revealed 1 in 20 were running one of four spyware
programs: Cydoor, eZula, the former Gator or SaveNow. Given the university's
computer-savvy user base, researchers surmise infection rates are much
higher in the general population.
Further making the case against spyware and adware, UW researchers were able
to fool Gator and eZula -- which have built-in mechanisms for downloading
updates and further third-party software onto a user's PC -- into accepting
and running executable files.
Software distributors seem to be on notice. Gator, for example, recently
changed its name to Claria Corp. Claria spokesperson Elena Kochergina says
the latest version of its software -- free, but for the cost of adware --
contains a "plain English end-user license agreement" outlining any products
or advertising deals the product proposes to install, and "does not request
or hold on to any personally identifiable information."
Yet could Spyblock live up to its name? Many security experts are
withholding judgment. "We still need to examine it to see what the
unintended consequences might be," says Ari Schwartz, an associate director
for privacy rights group the Center for Democracy and Technology (CDT).
In fact, current legislation could be enough to corral spyware companies.
"We believe they're already breaking laws by deception," says Schwartz. For
example, the CDT filed a "deceptive practices" complaint with the FTC over
software company MailWiper, which develops Spy Wiper software. The complaint
alleges that MailWiper hijacks users' browsers, altering homepage settings
and funneling deceptive advertising.
The problem is untangling what spyware does, and who's behind it. "For us to
track down this company, we had to work with a range of people ... then
spend days tracing it back," he says. The message: enforcing Spyblock
wouldn't be easy, especially if a trace-back ends overseas.
Senators seek to protect computer users from "spyware," hidden downloads
http://wyden.senate.gov/media/2004/02262004_spyware.html
CDT Report: "Ghosts in Our Machines: Background and Policy Proposals on the
"Spyware" Problem" (PDF) http://www.cdt.org/privacy/031100spyware.pdf
Report spyware via the CDT's Campaign Against Spyware
http://www.cdt.org/action/spyware
=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily
*New Security Appliance With No Static Rules
SearchSecurity.com
A UNC-Charlotte duo has developed a plug-and-play appliance that analyzes
traffic in real time and without static rules to detect network anomalies.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954250,00.html?track=NL-358&ad=478106
*HP Fixes Multiple Remote Takeover Vulnerabilities
SearchSecurity.com
HP Tru64 UNIX administrators need to apply vendor patches for highly critical
security vulnerabilities that could allow a remote attacker to take over
affected systems.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954238,00.html?track=NL-358&ad=478106
*Worm Writers' War of Words Throwback to Days of Old
SearchSecurity.com
The recent worm war between the creators of the Netsky and Bagle worms
represents a throwback of sorts to when worm writers would boast and brag to
all who would listen.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954022,00.html?track=NL-358&ad=478106
*Solaris Flaw in "Passwd" Command Allows Root Privileges
SearchSecurity.com
Solaris administrators will need to apply patches to seal a vulnerability in
the operating system that could let a local user gain root privileges.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954450,00.html?track=NL-358&ad=478106
=====================================================
*ADVERTISEMENT*
Provide a clear return on investment to your organization with the most
efficient Single Sign-on Solution. * Increase Network Security.
* Reduce Help Desk Costs. * Simplify End User Computing. FREE SINGLE
SIGN-ON ROI WHITEPAPER: Technology Analysis for Citrix(R)
MetaFrame(R) Password Manager. Enterprise Management Assoc. reviews
challenges facing IT departments, the cost & complexity of password
management. Click here:
http://searchSecurity.com/r/0,,26081,00.htm?track=NL-358&ad=478106&citrix
=====================================================
WEEKLY SECURITY PLANNER
In an effort to help busy security managers, CISSP Shelley Bard's weekly
column will build upon the concept of the perpetual calendar
( http://www.searchSecurity.com/tip/1,289483,sid14_gci948651,00.html?track=NL-358&ad=478106 ),
offering a schedule of reminders for a proactive, strategic
security plan. For an archive of previous columns, please visit:
http://searchsecurity.techtarget.com/tipsIndex/0,289482,sid14_tax295570_alpD_idx0,00.html?track=NL-358&ad=478106
Week 13: Social Engineering, the Low-tech Side of High-tech
WHEN: Can be an occasional security awareness point in your organizational
education, training and awareness program, done as necessary when incidents
occur in current events.
WHY: Next week convicted hacker Kevin Mitnick will be interviewed at a
conference in Orlando, so this is as good a time as any to talk about social
engineering.
If anyone unknown to you asks for key security information, your first
thought should be Just Say No. A classic case recounts Mitnick's compromise
of Novell's most important software product, NetWare. In February 1994, a
system administrator at Novell got a phone call at home late one night from
Mitnick, who introduced himself as a Novell employee. He said he was on
vacation and needed to connect to the network to work on a project. Having
never met the employee, the sysadmin called the employee's voicemail to
verify the voice on it matched. But Mitnick was one step ahead of the admin
-- he had called a Novell network techie earlier and convinced him to reset
the employee's voicemail password. Then Mitnick left his own voice on the
recording. "It seemed plausible. I gave him an account," said the sysadmin.
Once given access, Mitnick stole a copy of the secret code for NetWare.
Other common practices that fall under social engineering include spoofed
e-mails that ask you to verify your name and password in an e-mail or to
open an attachment containing a virus, worm or Trojan horse. Social
engineering doesn't have to involve a person directly; it makes use of
people's trusting nature to steal key information via multiple methods. The
term, in fact, originally was coined by hackers to describe socializing
techniques they developed for obtaining vital information from system and
phone operators.
Mitnick firmly believes Novell's gullible employees shouldn't have trusted
him when he showed up at their offices wearing a stolen phone company
technician's uniform and asking for access to the company's phone system. To
Mitnick, the 20,000 credit card numbers he was caught with "were all from
stupid people who shouldn't have trusted" him. Mitnick was convicted for
stealing intellectual property [source code] from many companies like Sun
Microsystems, SGI, Digital Equipment, Motorola and Nokia.
STRATEGY: It's your job to be paranoid. But most people who aren't paid to
be paranoid aren't; they are trusting people who use their systems as a tool
to get their job done. Tell everyone in your organization the ways, and ONLY
those ways, that you will need to give or get key security information.
Several other layers should be in place and practiced to make sure that
information such as passwords is handled correctly.
MORE INFORMATION: Any search engine will help you find articles by Ira
Winkler and Winn Schwartau, who have written copiously on the subject. If
you want more in-depth information, many good but hard-to-find books are
still in circulation. Also, books about intelligence-gathering, cyber or
otherwise, often have chapters and excerpts about this specific aspect.
SHELLEY BARD, CISSP, is a senior security network engineer with Verizon
Federal Network Systems (FNS). An infosecurity professional for 17 years,
Bard has briefed and written infosecurity assessments and technical reports
for the White House and Department of Defense, special interest groups,
industry and academia. Please e-mail any comments to
mailto:securityplanner@infosecuritymag.com
Opinions expressed in this column are those of Shelley Bard and don't
necessarily reflect those of Verizon FNS.
Dan LoPresto, CISSP, an access management and information security
specialist with a national brokerage firm, contributed to this article.
NEXT WEEK: Viruses -- when nice worms run amok
=====================================================
*Information Security Decisions, Hosted by Information Security
Magazine*
Qualify for complimentary admission to our 3-day Information Security
Decisions conference in New York City, April 19-21. Return to the office
with critical security action plans, unbiased expertise, and maybe a
Mercedes-Benz SLK230 too! Find out more:
http://infosecurityconference.techtarget.com/?track=NL-358&ad=478106&Offer=swdmb
=====================================================
WHATIS WORD OF THE WEEK: Social engineering
In computer security, social engineering is a term that describes a
non-technical kind of intrusion that relies heavily on human interaction and
often involves tricking other people to break normal security procedures. A
social engineer runs what used to be called a "con game." For example, a
person using social engineering to break into a computer network would try
to gain the confidence of someone who is authorized to access the network in
order to get them to reveal information that compromises the network's
security. They might call the authorized employee with some kind of urgent
problem; social engineers often rely on the natural helpfulness of people,
as well as on their weaknesses. Appeal to vanity, appeal to authority and
old-fashioned eavesdropping are typical social engineering techniques.
Another aspect of social engineering relies on people's inability to keep up
with a culture that relies heavily on information technology. Social
engineers rely on the fact that people are not aware of the value of the
information they possess and are careless about protecting it. Frequently,
social engineers will search dumpsters for valuable information, memorize
access codes by looking over someone's shoulder (shoulder surfing) or take
advantage of people's natural inclination to choose passwords that are
meaningful to them but can be easily guessed. Security experts propose that
as our culture becomes more dependent on information, social engineering
will remain the greatest threat to any security system. Prevention includes
educating people about the value of information, training them to protect it
and increasing people's awareness of how social engineers operate.
Other security definitions:
http://searchsecurity.techtarget.com/glossary/0,294242,sid14,00.html?track=NL-358&ad=478106
=====================================================
YOUR TWO CENTS
Readers sound off
With Friends Like These, You Don't Need Enemies
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci951891,00.html?track=NL-358&ad=478106
I agree with the article, but would like to add a bit.
There are too many geek details in the warnings. Not many people care about
long lists of registry keys or the port numbers that a backdoor will listen
to. In fact, 99.99% of Internet users won't read these details anyway, much
less understand them, and they will stop reading alerts if they are too
technical. They just want to be able to identify the malware when it comes
in so they can know how to avoid getting infected.
And they want to get an idea of the effects on their PCs if they do get
infected. The 99.99% do not need any more information than that in the
format I use below to warn friends of new viruses.
Also, those vendors who are nice enough to give away free removal tools
should include the tool availability link in their warning.
The tool doesn't have to be ready when the warning is issued, but it is nice
to know that there is going to be one if needed.
I suggest a format like this:
TIME TO UPDATE YOUR ANTIVIRUS PROGRAM!!!!
MAKE SURE YOU HAVE A FIREWALL INSTALLED AND PROPERLY CONFIGURED
Virus Name:
Aliases:
Virus Type: As determined by the AV vendor
Operating Systems Affected:
Effects on a PC: List the destructive actions
How to identify it: List files added and location. Show characteristics of
incoming e-mail containing the malware, etc.
Link to source article and additional information: MS Bulletins, etc.
--Howard B. Mirkin, LCDR, U.S. Navy (retired)
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
_____________________________________________________________________
To unsubscribe from "Security Wire Perspectives":
Go to unsubscribe:
http://SearchSecurity.com/u?cid=478106&lid=559334&track=NL-358&ad=478106
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------