SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #38
September 22, 2004
Microsoft's .NET is surprisingly successful in the application development space, despite its "fat client" (Microsoft calls it "smart client") approach. We have just added a full course on .NET Security to CDI East in Washington, DC, December 7-14. If you are building applications in .NET at least one of your developers or system administrators should be an expert on .NET Security. See http://www.sans.org/cdieast04
TOP OF THE NEWS
FTC Considers Offering Bounties for Spammer ConvictionsAOL Will Not Support Sender ID
AOL To Offer Two-Factor Authentication
Microsoft Will Open Office 2003 Code to Certain Government Agencies
Microsoft and Cisco Proposed End-to-End Security Architectures Not Presently Compatible
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESMan Arrested in Connection with Cisco Source Code Theft
USD87 Million Worth of Pirated Software Seized; 11 Indicted
Father and Son Sentenced in Software Piracy Case
Man Pleads Guilty in Identity Theft Case
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Some LANL Employees Lose Jobs Over Security Incidents, Others Cleared or Demoted
LEGISLATION
Conference Urges International Cyber Crime Convention Ratification
Legislators Propose Homeland Security Act Amendments
SPAM & PHISHING
Phishers Target Gmail Accounts
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft Tests License Validation System on Download Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MyDoom.Y
Microsoft Offers Advance Information on Patches
Mozilla Addresses 10 Flaws Brought to Light by Bug Bounty Program
Microsoft Offers Patch for *Critical* JPEG Vulnerability
Samba Patches Denial-of-Service Vulnerabilities
STANDARDS AND BEST PRACTICES
Four Steps to Securing Systems
The Six Secrets of the Best Practices Group
STATISTICS, STUDIES AND SURVEYS
Symantec's Internet Security Threat Report for First Half of 2004
MISCELLANEOUS
Computer Company Offers Sasser Author a Job
Software Glitch Causes Flight Problems in Southern California
New Chip Promises Improved Security
Symantec Corrects Misidentification of Program as Trojan
SECURITY GUIDANCE
A Step By Step Guide for Making PKI and PGP Work Together
************************ Sponsored by Symantec **************************
Managed Security Services by Symantec. Our global intelligence network spans 40 countries and monitors threats 24 hours a day, providing your enterprise with the benefits of a world-class security infrastructure while sparing you the complications of building your own. Click here to download our free white paper and take a virtual tour.
http://ad.doubleclick.net/clk;9652170;10288331;d?https://ses.symantec.com/SOC
*************************************************************************
Featured Training Program of the Week
Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.
That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four topics important to your security program, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timelines and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference. http://www.sans.org/cdisouth04/ *************************************************************************
TOP OF THE NEWS
FTC Considers Offering Bounties for Spammer Convictions (17 September 2004)
The US Federal Trade Commission would like to be able to prosecute more spammers, but given the lack of admissibility of much of the evidence they use in identifying spammers, this has proven problematic. What they need is hard, admissible evidence, probably provided by an insider. Such evidence would likely be provided only if there were a bounty program, much like Microsoft's $250,000 bounty for the successful prosecution and conviction of malware authors.-http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=stor
y&AT=39124098-39025001t-40000011c
AOL Will Not Support Sender ID (17/14/13 September 2004)
America Online says it will not support Microsoft's Sender ID anti-spam protocol. The decision follows reservations expressed by a working group within the Internet Engineering Task Force (IETF) and the open source community regarding Microsoft's licensing restrictions. AOL will support the sender policy framework (SPF). AOL cited concerns with lack of support for sender ID within open-source community and interoperability issues.-http://www.computerworld.com/printthis/2004/0,4814,96022,00.html
-http://www.computerworld.com/printthis/2004/0,4814,95910,00.html
-http://asia.cnet.com/news/software/printfriendly.htm?AT=39194048-39037051t-39000
001c
-http://www.theregister.co.uk/2004/09/13/ietf_bounces_sender_id/print.html
-http://news.zdnet.com/2102-3513_22-5364075.html?tag=printthis
AOL To Offer Two-Factor Authentication (21 September 2004)
Bringing two-factor authentication to the masses, AOL will offer a keychain token for $10 to start and $2 per month for one screen name and $5 per month for up to seven screen names. Six digit passwords on the tokens will change every 60 seconds.-http://www.pcworld.com/news/article/0,aid,117873,00.asp
Microsoft Will Open Office 2003 Code to Certain Government Agencies (20/19 September 2004)
Microsoft plans to add Office 2003 to its Government Security Program, which allows international government agencies access to the source code of the company's software products. Currently, the only other products available under this program are current versions of Windows. Governments must meet intellectual property protection requirements in order to participate in GSP. However, Microsoft's director of Shared Source Initiative Jason Matusow says the move is neither an attempt to promote upgrades to Office 2003 nor in response to the growing threat of open source software, despite the opinions of some to the contrary.-http://asia.cnet.com/news/software/printfriendly.htm?AT=39194292-39037051t-39000
001c
-http://www.newsfactor.com/story.xhtml?story_id=27049#story-start
-http://www.eweek.com/print_article/0,1761,a=135556,00.asp
-http://www.washingtonpost.com/ac2/wp-dyn/A35150-2004Sep20?language=printer
(this site requires free registration) Editor's Note (Pescatore): Competition is a wonderful thing. Traction by Linux and OpenOffice occurs and Microsoft greatly expands its Shared Source Initiative (for whatever reason). Seems like just yesterday that exposing source code was viewed as the end of the free world.
Microsoft and Cisco Proposed End-to-End Security Architectures Not Presently Compatible (20 September 2004)
Microsoft and Cisco have both proposed "end to end" security architectures that not only scan networks for malware, but also check to see that machines that want to connect to the network meet established security policies. While there is talk that the two architectures will someday be interoperable, they presently each use their own Radius server for enforcing security policies. Companies that use both Microsoft and Cisco products would therefore need to have a Radius server from each vendor.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39194289-39037064t-39000
005c
[Editor's Note (Pescatore): In both wireless security, and in these network access control efforts, Microsoft and Cisco are pushing their own approaches vs. driving open standards. This is slowing down adoption of WLANs and network access control, and creating openings for other companies that are supporting industry standards. ]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop Cyber Attacks Now. FREE White Paper: How to Evaluate Intrusion Prevention Systems http://www.sans.org/info.php?id=592
(2) Pen Tester Tools: SPI ToolKit includes; SQL Injector, Cookie Cruncher,& SPI Fuzzer http://www.sans.org/info.php?id=593
(3) Earn a Norwich University Master's Degree in Information Security in 24 months. http://www.sans.org/info.php?id=594
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Arrested in Connection with Cisco Source Code Theft (20/17 September 2004)
UK police arrested a 20-year-old man on September 3 in connection with the theft of Cisco source code. The man was arrested in the wake of raid on several homes; investigators are examining property confiscated during the raids, including a number of PCs. More than 800MB of Cisco source code was posted to a Russian security site in May of this year.-http://news.bbc.co.uk/1/hi/technology/3672242.stm
-http://news.com.com/2102-7349_3-5371807.html?tag=st.util.print
-http://www.computerworld.com/printthis/2004/0,4814,96044,00.html
USD87 Million Worth of Pirated Software Seized; 11 Indicted (17/16 September 2004)
A two-year investigation has culminated in conspiracy charges being brought against 11 people in what is possibly the largest seizure of pirated software in the US. The software and accompanying documentation have an estimated value of USD30 million, and could be as much as USD87 million. All 11 have been indicted and were scheduled to appear before a judge on Monday, 20 September. If they are convicted, they face federal prison sentences of between 15 and 75 years.-http://seattlepi.nwsource.com/business/191178_msftcounter17.html
-http://www.nwfusion.com/news/2004/0916fbiseize.html
Father and Son Sentenced in Software Piracy Case (17/14 September 2004)
A criminal court in Stuttgart, Germany has sentenced two men two men on charges of piracy of Microsoft software. Dieter Rimmele received a sentence of three years without parole; his father, Hubert Rimmele, received a 16-month jail sentence and was ordered to perform 100 hours of community service. Several days later, German police arrested four people for allegedly selling pirated software, movies, games and music over the Internet.-http://www.computerworld.com/printthis/2004/0,4814,95908,00.html
-http://www.infoworld.com/article/04/09/17/HNgermanraid_1.html
Man Pleads Guilty in Identity Theft Case (15/14 September 2004)
Former Teledata employee Philip Cummings has pleaded guilty to one count each of conspiracy, fraud and wire fraud for his role in an identity theft scheme. Cummings's position at Teledata gave him access to user names and passwords which allowed him and his alleged accomplices to access and download credit reports from all three major credit bureaus. His sentencing is scheduled for January 11; he could receive a maximum prison term of 50 years. Cummings and an alleged accomplice stole more than 30,000 credit reports. Two other alleged conspirators are scheduled to go to trial on November 3.-http://www.computerworld.com/printthis/2004/0,4814,95941,00.html
-http://www.msnbc.msn.com/id/6001526/
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Some LANL Employees Lose Jobs Over Security Incidents, Others Cleared or Demoted (16/15 September 2004)
Of the 23 people suspended from their jobs at Los Alamos National Laboratory (LANL) this summer in the wake of an investigation triggered by security problems, four have been fired, one is likely to resign, 7 have been demoted, 10 have been cleared of any wrongdoing and one is still on investigative leave.-http://www.theregister.co.uk/2004/09/16/los_alamos_sackings/print.html
-http://www.wired.com/news/print/0,1294,64973,00.html
-http://www.kansas.com/mld/eagle/news/nation/9674248.htm
-http://www.santafenewmexican.com/news/4379.html#
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/09/16/LAB.TMP&type=
printable
[Editor's Note (Schultz): The security problems at Los Alamos, as unfortunate as they are, provide a powerful case study that can be used in security training and awareness programs. They poignantly show the kinds of consequences that occur when security is neglected. ]
LEGISLATION
Conference Urges International Cyber Crime Convention Ratification (20/17/15 September 2004)
A Council of Europe conference held last week in Strasbourg, France aimed to hasten international ratification of the council's 2001 Cybercrime Convention, which would help bring cyber crime laws around the world "into harmony." The international treaty has been signed and ratified by just 8 nations; 30 other countries have signed the convention but have not ratified it. Signatories include both members and non-members of the Council of Europe.-http://www.msnbc.msn.com/id/6013284/
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39194281-39037064t-39000
005c
-http://www.theregister.co.uk/2004/09/17/euro_cybercrime_conference/print.html
-http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG
Legislators Propose Homeland Security Act Amendments (14 September 2004)
Legislators have proposed two amendments to the Homeland Security Act. The Cybersecurity Enhancement Act (HR 5068) would establish the position of an assistant secretary for cyber security who would be responsible for coordinating DHS efforts to secure the nation's critical IT infrastructure. This person would also have authority over the National Communications System. The Science and Technology Enhancement Act (HR 5069) includes a measure to encourage colleges and universities to develop cyber security professional development programs and associate degree programs.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=27281
-http://www.fcw.com/fcw/articles/2004/0913/web-secre-09-14-04.asp
SPAM & PHISHING
Phishers Target Gmail Accounts (15 September 2004)
Some phishers are now trying to steal Gmail accounts. The phishing email informs Gmail users that they can invite friends to sign up for a Gmail account if they fill out a form that includes their Gmail address and password. Gmail accounts are in demand because of their limited availability. Google does send out free invitations for users to send to friends, but all the users need to do is click on a button, rather than providing their personal account information.-http://news.com.com/2102-1032_3-5367986.html?tag=st.util.print
[Editor's Note (Tan): People were excited by gmail's requirement that only invitees could use it. It was a good marketing strategy for Gmail. Now it turns out to be good bait for the phisherman, as well. ]
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft Tests License Validation System on Download Site (20/17 September 2004)
As part of its anti-piracy effort, Microsoft is piloting a feature on its Download center web site to check if the versions of Windows people have on their computers are licensed. The program, Windows Genuine Advantage, is voluntary for now. Those with unlicensed versions of Windows can still get their downloads, but only after viewing information about software piracy.-http://www.infoworld.com/article/04/09/17/HNmstrialspiracylock_1.html
-http://asia.cnet.com/news/software/printfriendly.htm?AT=39194285-39037051t-39000
001c
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MyDoom.Y (17 September 2004)
The latest MyDoom variant, MyDoom.Y, includes a picture of Sasser author Sven Jaschan as well as details about how the malware works.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39194056-39037064t-39000
005c
Microsoft Offers Advance Information on Patches (17 September 2004)
Microsoft has been offering its bigger customers three business days' notice before releasing its security updates. The advance notice includes the number of fixes in the upcoming scheduled monthly bulletin, which products are affected and the severity of the threat ratings. The program is apparently available to anyone who is willing to sign a confidentiality agreement with Microsoft, but has been criticized as being exclusive because it is not advertised.-http://australianit.news.com.au/common/print/0,7208,10792467%5E15331%5E%5Enbv%5E
15306%2D15318,00.html
Mozilla Addresses 10 Flaws Brought to Light by Bug Bounty Program (15 September 2004)
The Mozilla Foundation has released new versions of its Mozilla and Mozilla Firefox browsers and Thunderbolt email reader. The new versions address flaws in all three products, some of which could allow attackers to run arbitrary code on vulnerable machines. The ten vulnerabilities were identified as a result of Mozilla's recently launched Security Bug Bounty Program, which offers USD500 to the researchers who discover the flaws.-http://www.computerworld.com/printthis/2004/0,4814,95934,00.html
-http://www.theregister.co.uk/2004/09/15/mozilla_patches/print.html
Microsoft Offers Patch for *Critical* JPEG Vulnerability (15/14 September 2004)
Microsoft has released a patch for a critical vulnerability in the way in which Windows, Office and developer tools software process JPEG images. An infected file can run malicious program on vulnerable computers; users are infected just because they viewed the specially crafted JPEG image.-http://www.computerworld.com/printthis/2004/0,4814,95914,00.html
-http://www.securityfocus.com/printable/news/9508
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39193726-39037064t-39000
005c
-http://www.kb.cert.org/vuls/id/297462
-http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
-http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
[Editor's Note (Tan): This is an ugly one. The list of affected software is huge and the GDI+ Detection tool provided by Microsoft is also not really helpful. The good thing is that the newly release Win XP SP2 is free from this vulnerability. ]
Samba Patches Denial-of-Service Vulnerabilities (14 September 2004)
The Samba Team has released a patch for two denial-of-service vulnerabilities in its software. There have been no reports of the flaws being exploited. The flaws affect Samba versions 3.0 and newer; the just-released 3.0.7 version fixes the vulnerabilities.-http://news.zdnet.com/2102-1009_22-5366503.html?tag=printthis
STANDARDS AND BEST PRACTICES
Four Steps to Securing Systems (20 September 2004)
Security experts list four steps government agency officials should take to secure their IT systems. First, conduct a systems inventory and risk analysis. Second, set baseline security controls with the guidance of technical documents from the National Institute of Standards and Technology. Third, monitor systems continuously and fix vulnerabilities as they arise. Finally, train employees in systems security procedures.-http://www.fcw.com/fcw/articles/2004/0920/pol-4tips-09-20-04.asp
The Six Secrets of the "Best Practices Group" (15 September 2004)
Among the myriad pieces of information gleaned from the 2004 Global Information Security Survey, conducted jointly by CIO Magazine, CSO Magazine and PricewaterhouseCoopers, are the six secrets of what they call the "Best Practices Group" -- those organizations whose confidence in their security is highest. Those in the Best Practices Group spend a larger percentage of their IT budget on security than do other organizations. They are also more likely to separate information security from IT and merge it with physical security. Best Practices Group members are also more likely to conduct penetration tests, develop a risk assessment process to "classify and prioritize threats and vulnerabilities," define an overall security architecture and establish a quarterly review process of their security's effectiveness.-http://www.cio.com/archive/091504/security.html?printversion=yes
[Editor's Note (Paller): If you are wondering, as I was, what makes "best practices" better than other practices, the study description tells you it is because those people who used them said they were very confident in their security despite the fact that they experienced more security incidents than other respondents? Hmmmm. ]
STATISTICS, STUDIES AND SURVEYS
Symantec's Internet Security Threat Report for First Half of 2004 (20/19 September 2004)
Symantec's Internet Security Threat Report shows that at least 1,237 new software vulnerabilities came to light in the first half of 2004, an average of almost 48 new flaws each week. The survey also warned of a significant increase in the number of bot networks, or groups of zombie computers that can be manipulated to conduct distributed denial-of-service attacks, spread malware or used as anonymous spam relays. More than 30,000 machines a day were hijacked. In addition, the survey noted the appearance of nearly 4,500 new Windows-based attacks, four-and-a-half times the number counted in the first half of 2003. The volume of successful attacks declined in the first half of 2004.-http://news.bbc.co.uk/1/hi/technology/3666978.stm
-http://www.vnunet.com/news/1158220
-http://news.com.com/2102-7349_3-5374399.html?tag=st.util.print
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1007181,0
0.html
-http://www.nytimes.com/2004/09/20/technology/20secure.html?pagewanted=print&
position=
(this site requires free registration)
MISCELLANEOUS
Computer Company Offers Sasser Author a Job (20 September 2004)
Sven Jaschan, the German teen who has been charged with creating and releasing the Sasser worm, has been offered a job by Lueneburg, Germany-based security solution provider Securepoint where he will be trained to create firewalls. Securepoint director Lutz Hausmann said that Jaschan told him in an interview that he did not realize the repercussions the worm would have "until it was too late."-http://australianit.news.com.au/common/print/0,7208,10819809%5E15331%5E%5Enbv%5E
15306%2D15318,00.html
[Editor's Note (Grefer): I think Securepoint, through this action, is sending the wrong message. In a labor market with a high unemployment rate such offers virtually invite malware authoring since it provides a venue for the authors to set themselves apart from the rest. ]
Software Glitch Causes Flight Problems in Southern California (20 September 2004)
A glitch in a Microsoft-based computer system along with human oversight allegedly caused a "three-hour radio breakdown" that caused serious problems for aircraft in Southern California. The system needed to be reset every thirty days in order to avoid data overload but it was performed at the wrong time and an internal clock shut the system down. The Federal Aviation Administration had been planning to fix the problem.-http://www.zdnet.com.au/news/software/print.htm?TYPE=story&AT=39159927-20000
61733t-10000002c
[Editor's Note (Grefer): When lives are at stake, our tolerance of the idiosyncrasies of Microsoft-based computer systems should not be quite as high. ]
New Chip Promises Improved Security (20/17/16 September 2004)
National Semiconductor has introduced the SafeKeeper Trusted I/O hardware products, which contain Trusted Platform Modules for secure storage of passwords, digital certificates and other sensitive information. The devices comply with Trusted Computing Group standards and protect BIOS, operating systems and applications from attacks or unauthorized modification.-http://www.eweek.com/print_article/0,1761,a=135446,00.asp
-http://news.zdnet.com/2102-1009_22-5374031.html?tag=printthis
-http://www.internetnews.com/ent-news/print.php/3409591
Symantec Corrects Misidentification of Program as Trojan (16/14 September 2004)
Symantec's Norton Anti-Virus has misidentified Freegate, a program that allows Internet users in China to bypass government-blocked sites, as a Trojan horse program. Users needed to deactivate NAV if they wish to use Freegate. Symantec later reexamined Freegate and decided to remove it from its list of virus definitions; there are apparently similarities between Freegate's behavior and that of Trojans.-http://www.theregister.co.uk/2004/09/14/symantec_targets_freegate/print.html
-http://www.theregister.co.uk/2004/09/16/symantec_relabels_freegate/print.html
SECURITY GUIDANCE
A Step By Step Guide for Making PKI and PGP Work Together
Two weeks ago, we announced a mini research effort to explore the interoperability of PKI and PGP. The short answer is that it can be done. SANS wishes to thank Ridge Cook and Bob Palko for their efforts and support. A set of step by step instructions with screenshots can be found here:-http://home.twcny.rr.com/tmccune1/PGP_X509s.pdf
If you are interested in the self signed cert concept, you might want to check out XCA.
-http://www.hohnstaedt.de/xca.html
However, be warned that PGP 7 and 8 do not passphrase protect the secret key portion of the imported X.509. The bottom line; if you have a team of experts that eat and breathe crypto, you can do this and place the appropriate safeguards in place. Otherwise at least until the bug in PGP 7 and 8 is fixed, the practice of using X.509 certificates in PGP is not advisable for most organizations.
During the project I was introduced to a wonderful high signal, low noise newsgroup and given permission to share it with you, please be respectful and read before posting. news://news.securecomp.org/WebOfTrust
Essentially yours,
Stephen
Stephen Northcutt - Director of Training and Certification The SANS Institute
808.823.1375 (f) 808.823.1374
===end===
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
====================
