SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #23
June 09, 2004
Please welcome Howard Schmidt to the NewsBites editorial board. Howard headed the President's Critical Infrastructure Protection Board and continues to be one of the most respected thought leaders in information security. He offers several valuable insights this week, and he adds luster to an already extraordinary group of editors for whom we are very grateful.
We've had lots of requests for data about the What Works project that will guide you to, and educate you about, the commercial tools that have proven to be most effective for each critical security function. Until that project is ready, please use the very valuable information at SANS "Security Products Explained" page. http://www.sans.org/securityproducts It explains the major categories of security tools and services, lists currently available products, and gives pointers to free white papers.
Alan
TOP OF THE NEWS
Evans Details OMB Information Security GuidelinesMissing DEA Laptop Contains Information on Investigations and Informants
Survey: IT Execs Say Federal Regulation Compliance is "Extremely Important"
GAO Makes Agency Patch Management Recommendations
THE REST OF THE WEEK'S NEWS
IT Security Spending to Rise, According to StudyMan Pleads Guilty in Lowe's Wireless Intrusion Case
Released Enron Tape Serves as Reminder
Researchers Say Worst-Case Worm Could Cost USD$50 Billion
Unpatched Laptops Pose Threat to Internal Networks
Microsoft Extends License To Support Cold Servers for Disaster Recovery
RCMP Arrest Suspected US Government Computer Intruder
Sun to Release Solaris Code Under Open-Source License
Lessons From the Witty Worm
Tokyo Police Arrest Disgruntled, Demoted Employee for Alleged Server Intrusion
Survey: Companies Plan to Spend Money on Compliance Technology
Tokyo Police Arrest Two for Alleged Data Theft, Extortion
Microsoft Should Focus on Increasing the Number of Secure Machines
Windows Attack Would not Prove Catastrophic to Internet, Say Researchers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Two Moderate Priority Vulnerabilities in Microsoft's Monthly PackageApple Patches OS X Hole
NetSky.P Masquerades as Harry Potter Game
Korgo Worm Steals Passwords, Credit Card Numbers
Cisco Addresses Linksys Flaw
Plexus Worm Spreads Through LSASS and DCOM Vulnerabilities
Opera Updates Browser to Address Phishing Vulnerability
********************* Sponsored by BindView *****************************
A fresh look at Patch Management.
Free Webinar: "Patch Management and Regulation: Meaning, Measurability, and Madness." Join META Group analyst Paul Proctor June 24 where he will discuss how organizations can develop a good risk management posture that is survivable, repeatable and measurable. He'll also cover patch management as a component of regulatory compliance. Register for this BindView sponsored Webinar at: http://www.bindview.com/Events/GetEvents.cfm?NUM=1057&AD=NS-SANS-0624-WBNR-Q
204-R
*************************************************************************
Highlighted Training Program Of The Week
SANS in London (June 21-26) Five of our most popular tracks including Hacker Exploits, SANS SecuritY Essentials, Forensics, and more. http://www.sans.org/london04
SANSFIRE in Monterey, CA (July 5-13) offers you 14 immersion training tracks in one of the most beautiful places in America -- Monterey California. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too. http://www.sans.org/sansfire2004
*************************************************************************
TOP OF THE NEWS
Evans Details OMB Information Security Guidelines (3/2 June 2004)
In testimony before the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Karen Evans, the Office of Management and Budget's (OMB) administrator of electronic government and information technology, described the changes to the OMB's guidelines for federal information security. Agencies will be required to list their operating systems for which they have applied minimum configuration standards in a report submitted to the OMB and Congress. Agencies will also be required to provide more information about their patching practices and their use of vulnerability scanners, penetration tests and other security measures.-http://www.fcw.com/fcw/articles/2004/0531/web-omb-06-03-04.asp
-http://www.govexec.com/story_page.cfm?articleid=28643&printerfriendlyVers=1&
amp;
[Editor's Note (Schmidt): OMB, in Karen Evans, finally has someone leading the charge who understands security and who knows what to do about it. The only thing missing is the authority to hold people accountable and to make changes now, not after years of reports and more reports.
(Paller): Just a week after her testimony, Federal agencies are scrambling to ensure they have minimum configuration standards in place. Preliminary data show that most agencies have suggested that NSA or SANS or other guides be used, but they are now migrating away from guides. Instead they are adopting the Center for Internet Security benchmarks because the latter are more specific, reflect significant vendor input, and include free testing tools that measure the configurations and report numeric scores. OMB guidance specifically requires that agencies monitor configurations, a task that is impossible without automated tools. Tools and benchmarks for eight different operating systems may be downloaded from www.cisecurity.org ]
Missing DEA Laptop Contains Information on Investigations and Informants (7 June 2004)
A Drug Enforcement Administration laptop computer is missing; it contains information on as many as 100 DEA investigations and on DEA confidential informants. An auditor in the Justice Department's Office of the Inspector General reported the laptop had been stolen three weeks ago; after further questioning, he changed his story and said that he accidentally damaged the machine and destroyed it and threw it in a dumpster because he was so embarrassed.-http://www.msnbc.msn.com/id/5092991/site/newsweek
[Editor's Note (Schultz): What a story! If entered in an upcoming Liars' Club contest, this explanation of the missing laptop would have a good chance of winning.
(Schmidt): HAS: Aside from any disparity on lost, stolen or destroyed computers, it is not a difficult thing to use strong encryption on the file level at a minimum, but just as easy to use it for the drive itself. There should be a mandatory policy within the government that "Sensitive, but Unclassified" information should be encrypted. ]
Survey: IT Execs Say Federal Regulation Compliance is "Extremely Important" (7 June 2004)
The 10th annual Network World 500 survey found that 60% of the Network IT executives polled believe that ensuring compliance with new federal regulations over the next year is "extremely important." Almost half plan to upgrade or purchase new applications to aid them in complying with regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.-http://www.nwfusion.com/news/2004/0607nw500survey.html
[Editor's Note (Northcutt): The full survey will be complete June 14 and is worth putting on your calendar. Early data shows an important trend: that security duties are continuing to transition to operations IT managers. Also, a real surprise for the "Intrusion Detection is Dead" vocal minority; IDS, along with anti-spam software, is at the top of managers' buying lists. ]
GAO Makes Agency Patch Management Recommendations (3 June 2004)
A General Accounting Office (GAO) report finds that patch management practices across government agencies are inconsistent; the report recommends that the Office of Management and Budget (OMB) require agencies to report to them on their patch management practices and that the federal government consider reviving a centralized patch management service for civilian agencies. Sixteen of 24 agencies have patch management policies; 14 have established procedures. Only 10 of the 24 test all patches before they are installed.-http://www.fcw.com/fcw/articles/2004/0531/web-patch-06-03-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26081
[Editor's Note (Schmidt): The government, like any enterprise, should have centralized management and decentralized execution for vulnerability assessment, policy management, encryption and patch management. Leaving it up to each to decide, reduces the likelihood anything will be fixed soon. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: How Hackers Use LDAP Injection to Steal Your Data and Bypass
Authentication
http://www.sans.org/click.php?id=466
(2) Alert: Top 8 SPAM BLOCKING methods. *** FREE White Paper ***
http://www.sans.org/click.php?id=467
*************************************************************************
THE REST OF THE WEEK'S NEWS
IT Security Spending to Rise, According to Study (7 June 2004)
Spending on information technology security at US companies is predicted to grow to between 8 and 12% of an organization's IT budget by 2006, according to a study from Meta Group.-http://zdnet.com.com/2102-1105_2-5227840.html?tag=printthis
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26147
Man Pleads Guilty in Lowe's Wireless Intrusion Case (7/4 June 2004)
Brian Salcedo has pleaded guilty to four counts of wire fraud and unauthorized computer access for his role in an attempt to exploit a vulnerable wireless network and steal credit card numbers from Lowe's computer networks. Though Salcedo could face a sentence of up to 18 years, prosecutors are expected to ask for leniency in exchange for Salcedo's cooperation in other related investigations.-http://www.computerworld.com/printthis/2004/0,4814,93708,00.html
-http://www.securityfocus.com/printable/news/8835
Released Enron Tape Serves as Reminder (4 June 2004)
The recently released tape of two traders' callous discussion of the California power market manipulations should serve as a reminder to companies to make sure their employees know that anything they say or write on electronic media could come back to haunt them.-http://www.securitypipeline.com/trends/index.jhtml
Researchers Say Worst-Case Worm Could Cost USD50 Billion (4 June 2004)
According to researchers at the nonprofit International Computer Science Institute (ICSI) associated with the University of California at Berkeley, a worst case worm could cause USD$50 billion in "direct damages": lost productivity and data and the cost of equipment and repair. The researchers modeled a scenario in which a worm that exploited an unpublished vulnerability was released onto the Internet.-http://www.techweb.com/wire/story/TWB20040604S0006
Unpatched Laptops Pose Threat to Internal Networks (4 June 2004)
Unpatched laptop computers pose a security threat to computer networks; while some desktop PCs on internal networks may not be patched against recent worms, they are still protected by corporate firewalls. Unpatched laptops could then introduce worms into the organizations' internal networks, causing infections to spread quickly though the unpatched desktops. Unpatched vulnerable new computers contribute to the continued spread of older infections, such as the MSBlast worm.-http://www.zdnet.co.uk/print/?TYPE=story&AT=39156799-39020375t-10000025c
[Editor's Note (Schmidt): One thing vendors can do to help reduce this problem is to set up new laptops to only connect to, and accept data from, an update site until ALL patches are installed. It is not hard to imagine DDoS attacks exceeding 2 GBS with an unpatched broadband-connected PC. Reports show that a new, unpatched system on a broadband connection is often compromised within 15 minutes. ]
Microsoft Extends License To Support Cold Servers for Disaster Recovery (4 June 2-004)
Customers of Microsoft's Software Assurance licensing program may use Windows server software on servers used for disaster recovery, also known as "cold servers" at no additional cost.-http://www.idg.com.hk/cw/printstory.asp?aid=20040604001
RCMP Arrest Suspected US Government Computer Intruder (3 June 2004)
At the request of the FBI, Royal Canadian Mounted Police have arrested a man who allegedly broke into a router that is connected to a US Supreme Court warehouse; the individual arrested is also suspected of compromising a number of computers.-http://cnews.canoe.ca/CNEWS/Law/2004/06/03/pf-484817.html
Sun to Release Solaris Code Under Open-Source License (3/2 June 2004)
Sun Microsystems plans to release Solaris source code under an open-source license. Details regarding what license will be used, how much of the code will be released and when it will be released have not yet been decided.-http://www.computerworld.com/printthis/2004/0,4814,93592,00.html
-http://www.eweek.com/print_article/0,1761,a=128737,00.asp
-http://www.eweek.com/print_article/0,1761,a=128734,00.asp
Lessons From the Witty Worm (2 June 2004)
Despite its relatively small target and low media coverage, the Witty worm raises some chilling points about the future of malware. Witty infected the entire population of its targeted products within 45 minutes; the worm was released through a bot network. Witty is also the first worm to target specific security products.-http://www.computerworld.com/printthis/2004/0,4814,93584,00.html
Tokyo Police Arrest Disgruntled, Demoted Employee for Alleged Server Intrusion (2 June 2004)
Tokyo police have arrested a man who allegedly broke into a Takachiho University server after the university demoted him. Royoichi Nakayama allegedly used a password to access the server and read others' mail, rendering the bulletin board inaccessible. Nakayama was formerly employed by the university as a computer expert, but was transferred to a position as a clerk at the institution's library after the university found him responsible for problems with the computer system's security.-http://www.merit.edu/mail.archives/netsec/msg00299.html#internal14512
-http://news.tbs.co.jp/headline/tbs_headline-e972090
Survey: Companies Plan to Spend Money on Compliance Technology (1 June 2004)
Data gathered by Forrester Research indicates that many companies required to abide by Sarbanes-Oxley regulations plan to spend money on technology to help with compliance. Last year, 85% of executives surveyed said there would be little or no change in their spending as a result of Sarbanes-Oxley; this year, 77% of those surveyed said they plan to increase spending as a result of the need to comply with regulations. 60% of those surveyed said they would be spending more on security as a result of Sarbanes-Oxley.-http://www.newsfactor.com/story.xhtml?story_title=Survey--Execs-Change-Sarbox-Pl
ans&story_id=24307&category=netsecurity
Tokyo Police Arrest Two for Alleged Data Theft, Extortion (1 June/31 May 2004)
Police in Tokyo have arrested two men for allegedly obtaining Softbank customer information and attempting to extort money from the Tokyo-based organization.-http://www.theregister.co.uk/2004/06/01/softbank_dat_leak/print.html
-http://news.com.au/common/story_page/0,4057,9700470%255E15322,00.html
Microsoft Should Focus on Increasing the Number of Secure Machines (31 May 2004)
Bruce Schneier points out that the security of each computer on the Internet depends on the security of others; Microsoft's decision not to make Windows XP SP2 available to unlicensed users puts everyone's security at risk.-http://www.nwfusion.com/columnists/2004/0531schneier.html
[Editor's Note (Grefer): It should be easy enough to split SP2 into a Security Pack (SP2a), available regardless of the licensing situation, which would address known security issues, and an Application Service Pack (SP2b), available only to licensed users, which fixes annoyances of and installs improvements for existing components.
(Paller): There is strong disagreement among the NewsBites editors on this point. Several argued last week that asking Microsoft to patch pirated systems is simply wrong. We're going to run this item and comment, allowing Bruce Schneier and Roland Grefer to have the last words, and then drop the subject. ]
Windows Attack Would not Prove Catastrophic to Internet, Say Researchers (28 May 2004)
Researchers at George Mason University have published a report asserting that an attack on Windows would not cause a catastrophic Internet failure. Using data from network simulations created by the university's Infrastructure Mapping Project, the researchers concluded that Windows attacks would not cause such a catastrophe because Microsoft products do not lie at the core of the network. The report contrasts with one released last year by the Computer and Communications Industry Association (CCIA) that warned of the national security danger posed by the Windows monoculture.-http://news.netcraft.com/archives/2004/05/28/report_microsoft_not_a_threat_to_us
_national_security.html
[Editor's Note (Grefer): The author's conclusion that the Internet's resiliency is due to Microsoft's smaller presence in web server software, where the article's author assert MS holds just 21 percent of the market, is a dangerous over-simplification; the Internet is not just constituted of the Web. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Two Moderate Priority Vulnerabilities in Microsoft's Monthly Package (08 June 2004)
Microsoft released patches for "moderate" flaws in Crystal Reports (redistributed with Outlook 2003 and other MS products) and in IDirectPlay4 used in multiplayer network games.,-http://www.pcworld.com/news/article/0,aid,116439,00.asp
Apple Patches OS X Hole (7 June 2004)
Apple has released a patch for a critical flaw in Mac OS X. No exploits for the vulnerability have been reported.-http://zdnet.com.com/2102-1105_2-5228038.html?tag=printthis
NetSky.P Masquerades as Harry Potter Game (4 June 2004)
The NetSky.P worm is spreading in large part by exploiting widespread interest in Harry Potter; the worm appears in peer-to-peer networks claiming to be a Harry Potter computer game.-http://www.theregister.co.uk/2004/06/04/netsky-p_harryp/print.html
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39181869-39001150t-3
9000005c
Korgo Worm Steals Passwords, Credit Card Numbers (4/3 June 2004)
The Korgo worm, which exploits the same Local Security Authority Subsystem Service (LSASS) vulnerability as Sasser, opens a back door that allows the installation of a keystroke-logging program used to harvest passwords and credit card numbers.-http://news.bbc.co.uk/2/hi/technology/3776247.stm
-http://www.theregister.co.uk/2004/06/03/korgo_worm
-http://www.smh.com.au/articles/2004/06/03/1086203543424.html
[Editor's Note (Schultz): The fact that this worm installs a keystroke logger makes it particularly dangerous. I foresee the need to inform California residents of possible compromise of their personal data (per California statute SB1386) if Korgo infects systems that they use as well as certain systems such as personnel database systems that are used for entry and retrieval of personal data. ]
Cisco Addresses Linksys Flaw (4/2 June 2004)
Cisco has posted a beta version of new firmware to correct a flaw in the Linksys WRTS54G 802.11g wireless router. The flaw that could allow attackers to obtain administrative access.-http://news.com.com/2102-7349_3-5226918.html?tag=st.util.print
-http://www.internetnews.com/infra/article.php/3362321
Plexus Worm Spreads Through LSASS and DCOM Vulnerabilities (4/3 June 2004)
The Plexus worm, which is also known as Explet.A, can spread through the Local Security Authority Subsystem Service (LSASS) vulnerability exploited by Sasser, a hole in the Distributed Component Object Model (DCOM) interface which has been exploited by the Blaster worm and through email attachments and file sharing networks. Plexus uses code recycled from the MyDoom worm, according to Kaspersky Labs.-http://www.computerworld.com/printthis/2004/0,4814,93592,00.html
-http://www.theregister.co.uk/2004/06/03/plexus_worm
-http://www.techweb.com/wire/story/TWB20040603S0007
Opera Updates Browser to Address Phishing Vulnerability (3 June 2004)
Opera has released a new version of its browser to fix a vulnerability that phishers could exploit to display a fake address to potential victims. The new version of the browser, 7.51, was released on June 3.-http://www.theregister.co.uk/2004/06/03/opera_cuts_phishing/
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
