Network Security
SANS NewsBites Vol. 6 Num. 11
- From: The SANS Institute
- Date: Wed Mar 17 12:03:59 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stop Blaming the Victims
In case you missed Walt Mossberg's "Personal Technology" column in the
Wall Street Journal last Thursday, I excerpted a few key paragraphs and
placed them at the end of this issue of NewsBites. The bottom line is
this: Mossberg, the most widely-read and respected analyst of personal
computer technology, is calling on Microsoft and other technologists to
"stop blaming the victims" for security breaches and solve the problem
instead.
The software vendors could have done a much better job of protecting
their clients. Their officers have admitted as much. This nation, and
every other nation, has a right to better treatment from the software
vendors.
The National Strategy To Secure Cyberspace, unveiled by President Bush
more than a year ago, clearly outlined the best approach to accelerating
security improvements in products: using federal procurement power.
However, behind closed doors, the software vendors' highly-paid
lobbyists in Washington have bottled up nearly every initiative that
would have allowed the government to use its procurement power to
require significant security improvements. All of us must work together
to make sure they cannot do that in secret any more.
Alan
*************************************************************************
SANS NewsBites March 17, 2004 Vol. 6, Num. 11
*************************************************************************
TOP OF THE NEWS
Internet Cutoff Ordered at Interior
FBI Seeks Increased Wiretapping Capabilities
Senate Judiciary Committee Members Request Probe of Possible Criminal
Conduct
China Won't Back Down From Wireless Standard Stance
US Senators Draft Legislation Requiring Paper Trails from All Voting
Machines
ISPs File Suits Against Spammers Under Can-Spam Act
THE REST OF THE WEEK'S NEWS
US House Democrats Fault DHS On Cybersecurity
Web-Hosting Company Informs Customers of Security Breach
New USB Authentication Tokens: Inexpensive and Effective
California State Senators Want Touch-Screen Voting Machines Banned for
November Election
Ohio Middle School Student Suspended for Deleting Student Records
Australian Banking Group Dismisses Financial Impact of Phishing Attacks
Linux Should Follow Microsoft's Lead in Making Security Easier
Job Applicants Hiring Cyber Criminals to Put Their Names in University
Databases
Cyber Defense Product Will Launch Counter-Attacks
Countries Could Use Cyber Attacks to Enforce Laws
Comcast Cracking Down on Zombie Spam Relays
Three Important Steps Toward Mitigating Vulnerabilities
CORRECTION
To the Editorial Note on Copyright and DeCSS
VULNERABILITY UPDATES AND EFFECTS
Office XP Patch Disables Spam Filters and Creates Denial-of-Service
Condition on PCs
Outlook Flaw Upgraded to Critical
Patch Available for IBM DB2 Database Flaw
Sun Issues Patches for Solaris Vulnerability
Microsoft's Monthly Update Addresses Flaws in MSN Messenger, Windows
Media Services and Outlook
Message in Netsky.K Code Says It's the Last Version
New Versions of Netsky Suggest Code Was Published
Patches Available for HP Tru64 Unix OS Vulnerabilities
EXCERPTS FROM WALT MOSSBERG'S WALL STREET JOURNAL COLUMN
************************** Sponsored by NetIQ *************************
Free Security Event Management Guide
Do you need more efficient, automated log management methods and tools
to manage the terabytes of information generated by your Security Event
Management systems?
Download our free guide, "Log Management: Closing the Loop on Security
Event Management," to discover the crucial role that log management
plays as part of a complete Security Event Management solution.
http://www.netiq.com/f/form/form.asp?id=2469&origin=NS_SANS_031704
***********************************************************************
This Week's Featured Security Training Program:
Because SANS 2004 is nearly sold out, showing that employers are once
again saying yes to requests for effective training, we have added six
new conferences between May and July: Colorado Springs, Chicago,
Baltimore, Kansas City (Overland Park), Denver and Minneapolis.
Find details at http://www.sans.org
But there's still space in most of the courses at our mega-conference
in Orlando April 1-9. Security managers and analysts, system and
network administrators, auditors and forensic analysts will each find
immersion training focused on their special needs, and all taught by
the highest-rated instructors in the US. And it is all in Orlando
Florida.
http://www.sans.org/sans2004
***********************************************************************
--Internet Cutoff Ordered at Interior
(16 March 2004)
A federal judge in Washington yesterday ordered the Interior Department
to shut down most of its employees' Internet access and some of its
public Web sites after concluding that the agency has failed to fix
computer security problems that threaten millions of dollars owed to
Native Americans. The order is the third the judge has handed down
regarding computer security concerns at the agency since 2001.
http://www.washingtonpost.com/wp-dyn/articles/A61546-2004Mar15.html
--FBI Seeks Increased Wiretapping Capabilities
(12 March 2004)
A proposal from the FBI to the Federal Communications Commission (FCC)
asks that all broadband Internet providers be required to rewire their
networks to allow police easier wiretapping capabilities. The proposal
as drafted could be interpreted to require companies to build back doors
into everything from instant messaging to game services.
http://news.com.com/2102-1028_3-5172948.html?tag=st.util.print
[Editor's Note (Pescatore): We all knew this was coming when the CALEA
act was passed. Back then CALEA stayed focused on voice wiretaps and
staying away from email and the Internet allowed the privacy groups to
save face and stop fighting CALEA. But we're entering the inevitable
cycle: attack (2001), more perceived threat, more surveillance (2004),
abuse of the surveillance, backlash, not enough surveillance, attack,
repeat.]
--Senate Judiciary Committee Members Request Probe of Possible Criminal
Conduct
(12 March 2004)
Democratic and Republican members of the Senate Judiciary Committee
together asked Attorney General Ashcroft to appoint a professional
prosecutor to determine whether Republican aides violated criminal laws
when they accessed and leaked Democratic files.
http://www.washingtonpost.com/ac2/wp-dyn/A52023-2004Mar11?language=printer
--China Won't Back Down From Wireless Standard Stance
(11/12 March 2004)
China will not change its position on requiring companies that wish to
do business in the country to use its WAPI wireless encryption standard.
As a result, Intel says it will stop selling its Centrino chip in China.
The US government has been critical of China's position on the matter,
deeming the decision an "unfair trade barrier."
http://www.americasnetwork.com/americasnetwork/article/articleDetail.jsp?id=88478
http://asia.internet.com/news/article.php/3324601
[Editor's Note (Pescatore): This, along with China's announcement that
it is taking a similar home grown stance towards trusted computing
platforms, is a big deal. China is repeating the mistakes the US made
with the Clipper chip and export control fiascos. Nothing good can
happen by trying to control and likely weaken the encryption built into
wireless and PCs. However, China is a very attractive target for PC
hardware, software and wireless vendors - Intel is taking a courageous
stance.]
--US Senators Draft Legislation Requiring Paper Trails from All Voting
Machines
(11 March 2004)
Democratic Senators Hillary Rodham Clinton and Bob Graham say they have
drafted legislation that would require all jurisdictions to use voting
machines that provide paper trails so that recounts could be conducted
if necessary. Senator Graham pointed out poll worker errors that
prevented some people from voting in Florida's recent primary election.
Clinton cited Diebold CEO Walden O'Dell's statement that "he was
committed to bringing in votes for President Bush."
http://www.cnn.com/2004/ALLPOLITICS/03/10/voting/index.html
[Editor's Note (Schultz): If O'Dell really said what he was alleged to
have said, this is truly terrifying. There are already many ways to
subvert elections; what assurances do we really have that highly
partisan employees (or in this case a CEO) have not rigged voting
machines to deliver the results they want?]
--ISPs File Suits Against Spammers Under Can-Spam Act
(10 March 2004)
America Online, Earthlink, Yahoo and Microsoft are filing lawsuits
against hundreds of alleged spammers under the recently passed Can-Spam
Act. The complaints allege the defendants sent deceptive marketing
e-mail messages, used open proxies and did not provide unsubscribe
directions.
http://zdnet.com.com/2102-1105_2-5172038.html?tag=printthis
http://www.theregister.co.uk/content/55/36167.html
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) Secure your network's future. Get 25% off MSRP on Symantec
DeepSight Alert Services.
http://www.sans.org/click.php?id=357
(2) Event Log Strategies: Free white paper plus archiving, monitoring,
and analysis software!
http://www.sans.org/click.php?id=358
***********************************************************************
THE REST OF THE WEEK'S NEWS
--US House Democrats Fault DHS On Cybersecurity
(12 March 2004)
Democrats on the House Homeland Security Committee say the new
department is not doing enough to defend the nation's information
infrastructure or to leverage IT in its own activities. The report
called for raising the level of cybersecurity within the Department and
establishing a National Crisis Coordination Center to guide private
sector and government response to cyber events.
http://gcn.com/vol1_no1/daily-updates/25249-1.html
--Web-Hosting Company Informs Customers of Security Breach
(12 March 2004)
Texas-based web-hosting company Allegiance Telecom informed 4,000
customers that their usernames and passwords were compromised in a
recent intrusion. While the nature of the exposed data does not
specifically fall under California's security breach disclosure law, SB
1386, a company spokesman said, "it's the correct thing to do under the
circumstances."
http://www.securityfocus.com/printable/news/8240
--New USB Authentication Tokens: Inexpensive and Effective
(12 March 2004)
New USB authentication tokens are less expensive than their predecessors
and offer more security in the form of multifactor authentication.
http://www.internetweek.com/story/showArticle.jhtml?articleID=18312205
[Editor's Note (Paller): USB tokens are a very effective technology for
ensuring you know who is accessing your computers.
(Shpantzer): Multi-factor authentication has been a security dream for
years, realized by the more resource-intensive organizations. Now it
may be approaching realistic cost and usability points for true mass
deployment.
(Pescatore): USB tokens are poised to charge the two factor
authentication hill: prices are down, everything has USB connectors now,
people are accustomed to USB memory dongles. The only fly in the
ointment is that USB connectors are still in horribly inconvenient
places on most PCs or consumer gear. Also, mini-USB connectors are
starting to show up on cell phones and PDAs - device incompatibility
coming. I still think using text messaging to cell phones will cause
cell phones to be the first most widely used token to augment
passwords.]
--California State Senators Want Touch-Screen Voting Machines Banned
for November Election
(11 March 2004)
Two California senators plan to ask California Secretary of State Kevin
Shelley to ban the use of touch-screen voting machines in November's
general election. The two cited voting problems in the state's recent
primary election that prevented some people from voting. If Shelley
does not ban the machines, the senators will likely bring the issue to
the State Legislature.
http://www.siliconvalley.com/mld/siliconvalley/8161054.htm
--Ohio Middle School Student Suspended for Deleting Student Records
(11 March 2004)
An Ohio middle school student allegedly broke into a school computer
and deleted files related to a computerized student reading program.
He is currently under a 10-day suspension; his parents and school
administrators are discussing the possibility of his expulsion. The
school district is investigating the possibility that other students
were involved in the incident.
http://www.morningjournal.com/site/news.cfm?newsid=11111924&BRD=1699&PAG=461&dept_id=46371&rfi=6
http://www.newsnet5.com/news/2910889/detail.html
Here's the sequel:
http://www.morningjournal.com/site/news.cfm?BRD=1699&dept_id=46368&newsid=11117845&PAG=461&rfi=9
[Editor's Note (Grefer): The software the school was using had such weak
security (no access control and required Administrator privileges to
run) that the loss of the files could have been an accident.
(Paller): Grefer's theory is possible, and may even be an effective
legal defense, but opportunistic file losses are very rarely
accidental.]
--Australian Banking Group Dismisses Financial Impact of Phishing Attacks
(11 March 2004)
Despite a marked increase in phishing attacks in recent months, the
Australian Bankers' Association (ABA) says the resulting losses "are
not material enough" to justify spending time and money on improving
online banking security. ABA CEO David Bell says credit card fraud (and
other forms of graft) are more pressing concerns. Experts say online
banking should use two-layer authentication.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39116536-2000061744t-10000005c
[Editor's Note (Tan): The problem is not the size of the financial loss;
it is the loss of trust in online banking. Phishing will be a growing
threat. The US Department of Justice has recognized the size of the
problem and recently published a special report on phishing
http://www.antiphishing.org/DOJ_Special_Report_On_Phishing_Mar04.pdf]
--Linux Should Follow Microsoft's Lead in Making Security Easier
(11 March 2004)
The author of this piece believes that Linux could learn something from
Microsoft's renewed focus on security. Windows XP Service Pack 2 marks
a shift toward making security tools easier for Microsoft customers to
use. While Linux has good tools, they are not as easy to use. If Linux
is to increase its presence in the desktop OS market, developers need
to make security easier.
http://news.com.com/2102-7355_3-5172209.html?tag=st.util.print
--Job Applicants Hiring Cyber Criminals to Put Their Names in
University Databases
(11 March 2004)
As the current job market becomes more competitive, some applicants have
reportedly paid people to break into university databases and insert
their names into class lists. Criminal lawyers say people could be
charged with a felony for breaking into university databases and
applicants who get jobs based on false information could be charged with
fraud.
http://www.cnn.com/2004/TECH/ptech/03/11/resumes.fraud.reut/index.html
[Editor's Note (Schneier): I wonder if this is a direct result of
colleges outsourcing graduation verification.]
--Cyber Defense Product Will Launch Counter-Attacks
(10 March 2004)
Symbiot plans to introduce a defense product that the company claims
will launch counterstrikes when targeted with distributed denial of
service (DDoS) and other attacks. The counterattacks could range from
blacklisting upstream providers to a full-fledged DDoS. Experts raised
legal and ethical concerns: attacks often come from hijacked machines,
DDoS attacks probably wouldn't be considered self-defense and could
violate anti-hacking laws, and attacks could cause collateral damage.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39148215-39020330t-10000025c
[Editor's Note (Schultz): A product of this nature was inevitable. We
can in a way take consolation in that a myriad of tools that produce
denial of service and other negative outcomes are already widely
available on the Internet anyway.
(Shpantzer): You could use this as a test for new IT security employees.
Ask them what they think of using such a product. If they approve
wholeheartedly, you know you need to keep looking for a mature
professional without cyber-Rambo fantasies.]
--Countries Could Use Cyber Attacks to Enforce Laws
(10 March 2004)
Fordham University law professor Joel Reidenberg believes governments
could soon begin using denial-of-service attacks, worms and packet
blocking to enforce their laws.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39148211-39020645t-10000025c
[Editor's Note (Pescatore): This comment applies to both this and the
previous article: Long ago, we 'sorta' learned that wiring shotguns to
our deadbolts wasn't a good way to defend our houses or our jewelry
stores. I'm pretty sure Acme Inc. or the Republic of Leavemealonia
launching a denial of service attack against Our Lady of Perpetual
Responsibility's zombied web site isn't going to be a good idea.
(Schneier): I predict that if this actually happens, the unintended
consequences will be greater than the intended ones.]
--Comcast Cracking Down on Zombie Spam Relays
(9 March 2004)
Comcast has been contacting customers whose computers have been hijacked
and used as zombie spam relays; in some cases Comcast has cut off
service. The company is also helping affected customers secure their
computers.
http://www.computerworld.com/printthis/2004/0,4814,90946,00.html
[Editor's Note (Ranum): Hats off to Comcast!]
--Three Important Steps Toward Mitigating Vulnerabilities
(9 March 2004)
Speaking at Computerworld's Premier 100 IT Leaders Conference, SANS
Institute director of research Alan Paller described the seven most
common and dangerous cyber attacks. He also described three steps CIOs
can take to mitigate the vulnerabilities: (1) implementing an automated
vulnerabilities mitigation system for existing systems; (2) defining
and enforcing secure configurations for users' systems and denying
network access to systems that do not comply and (3) requiring that
secure configurations be built into all products they purchase. Paller
placed special emphasis on giving the system administrators a real
chance to succeed by limiting the initial goals and recognizing
progress.
http://www.computerworld.com/printthis/2004/0,4814,90955,00.html
[Editor's Note (Tan): Ensuring that administrators will not feel defeated
is important. Too often, managers see only what people have not done
well and not what they have done well. It's like soccer; you often
remember only the mistakes made by the goalkeepers, not the fantastic
saves they made.]
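The second of Paller's three steps, enforcing a secure configuration and denying network access to hosts that do not comply, and his point about limiting the initial goals and recognizing progress, can be combined in one small compliance check. What follows is an added example, not code from the NewsBites item or from Paller's talk: the control names, the baseline values and the host reports are constructed for illustration, and the split between enforced controls (which block access) and advisory controls (which are only reported, as later-phase goals) is an assumed way of staging the goals.

```python
"""Secure-configuration compliance check with staged enforcement.

Added example; not from the NewsBites item or Paller's talk. The controls,
baseline values and host reports below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Control:
    name: str
    check: Callable[[dict], bool]  # True when the host report complies
    enforced: bool                 # True: failure blocks network access
                                   # False: failure is reported only


@dataclass
class Result:
    host: str
    blocking: list[str] = field(default_factory=list)
    advisory: list[str] = field(default_factory=list)

    @property
    def decision(self) -> str:
        return "quarantine" if self.blocking else "allow"


# Constructed baseline. Phase 1 deliberately enforces only three controls
# (the "limited initial goals"); the other two are measured but not enforced.
# Every check fails closed: a missing or malformed field is non-compliant.
BASELINE = [
    Control("host_firewall_on",   lambda h: h.get("firewall") is True,            True),
    Control("auto_update_on",     lambda h: h.get("auto_update") is True,         True),
    Control("guest_account_off",  lambda h: h.get("guest_account") is False,      True),
    Control("av_signatures_fresh", lambda h: h.get("av_sig_age_days", 999) <= 7,  False),
    Control("users_not_admin",    lambda h: h.get("user_is_admin") is False,      False),
]


def evaluate(host: dict, baseline: list[Control] = BASELINE) -> Result:
    """Compare one host report against the baseline and decide access."""
    result = Result(host=host.get("name", "?"))
    for control in baseline:
        try:
            ok = bool(control.check(host))
        except Exception:  # a malformed report counts as non-compliant
            ok = False
        if not ok:
            (result.blocking if control.enforced else result.advisory).append(control.name)
    return result


def progress(results: list[Result], baseline: list[Control] = BASELINE) -> dict[str, float]:
    """Per-control compliance rate across the fleet, so movement on the
    not-yet-enforced controls is visible before they start blocking."""
    total = len(results)
    rates = {}
    for control in baseline:
        failing = sum(1 for r in results if control.name in r.blocking + r.advisory)
        rates[control.name] = round((total - failing) / total, 2) if total else 0.0
    return rates


# Constructed host reports (an agent or NAC client would supply these).
HOSTS = [
    {"name": "ws-01", "firewall": True, "auto_update": True, "guest_account": False,
     "av_sig_age_days": 2, "user_is_admin": False},
    {"name": "ws-02", "firewall": True, "auto_update": True, "guest_account": False,
     "av_sig_age_days": 30, "user_is_admin": True},    # advisory findings only
    {"name": "ws-03", "firewall": False, "auto_update": True, "guest_account": True,
     "av_sig_age_days": 1, "user_is_admin": False},    # enforced controls fail
    {"name": "ws-04"},                                 # no report at all: fails closed
]


def run(hosts: list[dict] = HOSTS) -> tuple[list[Result], dict[str, float]]:
    results = [evaluate(h) for h in hosts]
    return results, progress(results)


if __name__ == "__main__":
    results, rates = run()
    for r in results:
        print(f"{r.host}: {r.decision:10s} blocking={r.blocking} advisory={r.advisory}")
    print("compliance by control:", rates)
```

A host that reports nothing at all is quarantined, which is the behaviour an access gate should have; the advisory controls still count in the progress figures, so administrators see the fleet moving on them before the day those controls are switched to enforced.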
-- CORRECTION: Last week's SANS NewsBites contained an editorial
comment by Gene Schultz that stated that copyright holders may lose
copyright protection when someone publicly posts copyrighted
information. Although this has historically been true in some cases, it
does not apply to last week's item describing the court ruling
concerning the DeCSS code, which is an original implementation of the
reverse-engineered CSS scheme rather than a copy of someone else's
code. As such, copyright considerations are not applicable.
VULNERABILITY UPDATES AND EFFECTS
--Office XP Patch Disables Spam Filters and Creates Denial-of-Service
Condition on PCs
(11 March 2004)
http://www.zdnet.co.uk/print/?TYPE=story&AT=39148314-39020375t-10000003c
[Editor's Note (Tan): Perhaps this is why some people consider patching
to be a dirty word.]
--Outlook Flaw Upgraded to Critical
(10/11 March 2004)
http://news.bbc.co.uk/1/hi/technology/3501122.stm
http://www.computerworld.com/printthis/2004/0,4814,90992,00.html
http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx
--Patch Available for IBM DB2 Database Flaw
(10 March 2004)
http://www.eweek.com/print_article/0,1761,a=121421,00.asp
--Sun Issues Patches for Solaris Vulnerability
(10 March 2004)
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954450,00.html
--Microsoft's Monthly Update Addresses Flaws in MSN Messenger, Windows
Media Services and Outlook
(9/10 March 2004)
http://zdnet.com.com/2102-1104_2-5171898.html?tag=printthis
http://www.computerworld.com/printthis/2004/0,4814,90970,00.html
--Message in Netsky.K Code Says It's the Last Version
(9 March 2004)
http://zdnet.com.com/2102-1105_2-5171743.html?tag=printthis
--New Versions of Netsky Suggest Code Was Published
(11/12 March 2004)
The absence of messages in the code, along with the fact that the new
versions do not try to remove Bagle, suggests that someone other than
the original author launched the variants.
http://news.zdnet.co.uk/internet/security/0,39020375,39148309,00.htm
--Patches Available for HP Tru64 Unix OS Vulnerabilities
(9 March 2004)
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954238,00.html
EXCERPTS FROM WALT MOSSBERG'S WALL STREET JOURNAL COLUMN
"What we consumers need is a simple, unified protection plan to counter
all of these threats (viruses, worms, Trojan horses, spam, spyware,
etc.). And the computer, software, and Internet industries have badly
failed us in this regard. They would rather dump the security mess in
the laps of users than solve it at the level where a solution really
belongs: in the operating system, or hardware, or online provider's
servers.
"Not only that, but members of the techie class that runs these
industries, and the IT departments at big companies, have been quoted
recently as blaming the security problem on average, nontechnical users.
If only those stupid users wouldn't open e-mails with hidden viruses,
the techies say, the trouble would go away.
"Well, I have a word for these contemptuous techies: Save your energy
for solving the problem instead of blaming its victims. Mainstream
users shouldn't have to be IT experts to operate their computers."
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFAWE03+LUG5KFpTkYRAnGPAKCELHOHuKlHhI0dSoy2TazSGwDW9QCcCI7a
JGNfgyaGhrfQ5xjww3zYZgE=
=zzMT
-----END PGP SIGNATURE-----