SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #39
September 29, 2004
Clarification: I received more than a dozen requests for clarification of Monday's research note on the new federal actions that "make bad security illegal." The Federal Trade Commission (FTC) action I was discussing is not yet public; I know about it because the attorney for the target company contacted me. It is a Gramm Leach Bliley (GLB) enforcement action against an organization that holds personal financial information and did not adequately protect its computers. GLB isn't just a banking and insurance law. Tens of thousands of other organizations also hold private data concerning client finances. Even schools and universities are covered by GLB (according to the Coalition of Higher Education Assistance Organization) and the FTC is serious about enforcing its regulations that became effective May 23, 2003. The FTC may well become more effective in improving security, and do more good in countering identity theft, than any other US-based organization -- private or public.
Alan
TOP OF THE NEWS
Federal Appeals Court Says Florida eVoting Paper Trail Lawsuit May Proceed
IETF Disbands eMail Authentication Standard Working Group
Microsoft Files Suits Against Alleged Spammers and a Web Hosting Company
JPEG Vulnerability Exploits
Ernst & Young's 2004 Information Security Survey
THE REST OF THE WEEK'S NEWS
eVOTING
Group Voices Concerns About Diebold Voting Software Flaws
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam Sponsors Clinger-Cohen Amendment to House 9/11 Commission Recommendations Bill
Proposal to Move Cyber Security Chief Position to White House is Shelved
LEGISLATION
Bill Would Add Prison Time for False Domain Registration Info
SPAM & PHISHING
Opinion: Lack of eMail Authentication Scheme Consensus Could Lead to Battle
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
BSA Has 700 Active Investigations in U.S.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Networked Photocopiers' Content Can Be Exposed on Google
SP2 Update
Symantec Advisory Describes Flaws
STANDARDS AND BEST PRACTICES
FDIC Issues Instant Messaging Guidelines
MISCELLANEOUS
UK Bank Error Exposes Customer Information
FCC Accepting Public Comment on CALEA Applicability to High Speed ISPs and Internet Telephony Providers
Authorize.Net Targeted by DDoS Extortionists
Microsoft Will Step Up SP2 Distribution
Defense Dept. Removes Impediments to Voting Site for Overseas Citizens
****************** SPONSORED BY SANS CDI SOUTH *************************
Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.
That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four topics important to your security program, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference. http://www.sans.org/cdisouth04/
*************************************************************************
TOP OF THE NEWS
Federal Appeals Court Says Florida eVoting Paper Trail Lawsuit May Proceed (27 September 2004)
Three judges from the 11th U.S. Circuit Court of Appeals have vacated a decision made by a federal judge which threw out a lawsuit asking for a paper trail for the state's touchscreen voting machines. The case was brought by U.S. representative Robert Wexler, who argued that the electronic voting system, which does not produce a paper audit trail, makes manual recounts impossible.
-http://www.usatoday.com/tech/news/techpolicy/evoting/2004-09-27-fla-evote-suit-on_x.htm
IETF Disbands eMail Authentication Standard Working Group (24/23/22 September 2004)
The Internet Engineering Task Force (IETF) has disbanded its MTA Authorization Records in DNS (MARID) working group, due largely to "fundamental disagreements" among members and the inability of the group to reach a consensus on any particular email authentication scheme. Recent problems included intellectual property and licensing concerns with Microsoft's proposed Sender ID scheme.
-http://asia.cnet.com/news/software/printfriendly.htm?AT=39194929-39037051t-39000001c
-http://security.itworld.com/4774/040923antispam/pfindex.html
-http://www.eweek.com/print_article/0,1761,a=135754,00.asp
Microsoft Files Suits Against Alleged Spammers and a Web Hosting Company (24/23 September 2004)
Microsoft has filed lawsuits against eight individuals and one web hosting company for their alleged involvement in sending spam. Microsoft attorney Aaron Kornblum said the suit against the web hosting company marks the first time action has been taken against a web host that "caters to spammers."
-http://security.itworld.com/4368/040923mssuit/pfindex.html
-http://www.theregister.co.uk/2004/09/24/ms_anti-spam_lawsuit/print.html
[Editor's Note (Schultz): Actions of this nature are one of the best hopes in the war against spam. Sooner or later legal woes caused by lawsuits such as Microsoft's will make the prospect of sending spam much less attractive. ]
JPEG Vulnerability Exploits (23/22 September 2004)
Two exploits for the recently disclosed JPEG vulnerability are now circulating on the Internet. An earlier proof-of-concept exploit could be used to crash or freeze vulnerable systems; the newer exploits could be used by attackers to run their own code on and take control of unpatched machines, according to SANS Internet Storm Center CTO Johannes Ullrich.
-http://www.computerworld.com/printthis/2004/0,4814,96124,00.html
-http://www.computerworld.com/printthis/2004/0,4814,96088,00.html
Ernst & Young's 2004 Information Security Survey (23 September 2004)
Ernst & Young's 2004 Information Security Survey, which includes data from 1,233 organizations, found that most concentrate on external security threats, like viruses and worms, but neglect insider security threats. Respondents named lack of user security awareness the top impediment to information security, yet only 28% of respondents named user education as a top priority for the coming year. Ernst & Young recommends that organizations create a security-conscious environment from the top down, with management leading by example.
-http://www.theregister.co.uk/2004/09/23/insider_risk/print.html
-http://www.vnunet.com/news/1158301
-http://www.vnunet.com/news/1158287
[SANS Note (Northcutt): A dollar invested in awareness training yields far more results than buying yet another security gadget. SANS offers three opportunities to attend Security Awareness Train the Trainer, a NIST SP 800-50 compliant program:
Virginia 10/15/04:
-http://www.sans.org/nova_cissp04/description.php?tid=98
Chicago 10/19/04:
-http://www.sans.org/ttt_chicago04/
New Orleans 11/04/04:
-http://www.sans.org/cdisouth04/description.php?tid=121]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Top 14 Web Application Attack Techniques and Methods to Combat Them http://www.sans.org/info.php?id=600
(2) Free Internal Security Informational Kit from Check Point: Protect your network now. http://www.sans.org/info.php?id=601
*************************************************************************
THE REST OF THE WEEK'S NEWS
eVOTING
Group Voices Concerns About Diebold Voting Software Flaws (23/22 September 2004)
Black Box Voting, a consumer group concerned about the security of electronic voting, has described vulnerabilities in Diebold's Global Election Management System (GEMS) voting software that could allow attackers to alter vote totals. The flaws allow attackers to manipulate a voting ledger in Diebold machines by opening a text editor and typing in a six-line Visual Basic Script. Diebold maintains there are checks and balances in place that would detect the altered voting totals.
-http://www.nwfusion.com/news/2004/0923consugroup.html
-http://www.wired.com/news/print/0,1294,65031,00.html
-http://www.blackboxvoting.org/?q=node/view/78
-http://www.blackboxvoting.org/?q=node/view/77
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam Sponsors Clinger-Cohen Amendment to House 9/11 Commission Recommendations Bill (27 September 2004)
Representative Adam Putnam (R-Fla.) has attached a Clinger-Cohen Act amendment to the 9/11 Commission Recommendations Implementation Act of 2004 (HR 5024) that would require government agencies to get very specific about cyber security during the planning and acquisition phases of systems development. Putnam chairs the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27454
Proposal to Move Cyber Security Chief Position to White House is Shelved (24/23 September 2004)
House Republican leaders have revised a proposal that would have moved many cyber security functions from the Homeland Security Department to the Office of Management and Budget (OMB). The proposal originally created a new Office of Critical Infrastructure Information Protection at OMB and gave its administrator responsibilities including threat analysis, attack warnings, network vulnerability reduction and coordination with both public and private organizations. The new version gives OMB some added responsibilities regarding the security of U.S. critical infrastructure information networks, but the security chief position remains at DHS.
-http://msnbc.msn.com/id/6082092/
-http://www.computerworld.com/printthis/2004/0,4814,96126,00.html
-http://www.govexec.com/story_page.cfm?articleid=29564&printerfriendlyVers=1&
LEGISLATION
Bill Would Add Prison Time for False Domain Registration Info (21 September 2004)
The U.S. House of Representatives has approved legislation that would increase prison sentences for convicted criminals who have used false information in their web domain registrations. The bill does not make using false information in site registrations a crime in and of itself. The bill also establishes punishments for those convicted of using false labels to trick people into buying pirated software, music and videos. The bill must now be approved by the Senate before it becomes law.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=6297075
SPAM & PHISHING
Opinion: Lack of eMail Authentication Scheme Consensus Could Lead to Battle (24 September 2004)
In his commentary, David Berlind remarks that MARID's demise sets the stage for a "David and Goliath" battle in the realm of sender authentication, similar to what ensued between Internet Explorer and Netscape Navigator.
-http://news.zdnet.com/2102-1009_22-5380508.html?tag=printthis
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
BSA Has 700 Active Investigations in U.S. (23 September 2004)
Though the incidence of software piracy has dropped from 50% to 33% over the last 10 years, the Business Software Alliance still keeps busy; the software publishers' watchdog organization presently has 700 active investigations in the United States. The penalties for companies using pirated software can add up: copyright holders can sue for damages and profits, as well as for statutory damages of as much as US$150,000 per instance of piracy.
-http://www.computerworld.com/printthis/2004/0,4814,96109,00.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Networked Photocopiers' Content Can Be Exposed on Google (24 September 2004)
Carefully crafted searches on Google can reveal login details for network-connected photocopiers; attackers can use the information to see what is being copied. Organization security staff should check Google regularly for cached information on company domain names; Google will remove information if requested.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39167848-39020375t-10000025c
SP2 Update (23 September 2004)
Microsoft has posted an update for SP2 to its download site. Microsoft had released a temporary fix shortly after SP2's release, but this patch is considered permanent. The flaw, which affects VPN users, concerns problems with the OS when programs connect to loopback addresses other than 127.0.0.1.
-http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=ZQMJEDY2JWXXMQSNDBCCKHY?articleId=47902514&printableArticle=true
[Editor's Note (Schultz): Once again this shows that the best approach in dealing with Microsoft's service packs and hot fixes is to wait a while before downloading and installing them. ]
Symantec Advisory Describes Flaws (23 September 2004)
Symantec has released an advisory warning of three vulnerabilities in its Firewall/VPN Appliance and Gateway Security products. The flaws could be exploited to shut down a firewall appliance remotely, identify active services on the WAN interface and change firewall configurations. Symantec Firewall/VPN Appliance 100, 200 and 200R models have all three flaws; Gateway Security 320, 360 and 360R have two.
-http://www.eweek.com/print_article/0,1761,a=135817,00.asp
-http://www.sarc.com/avcenter/security/Content/2004.09.22.html
STANDARDS AND BEST PRACTICES
FDIC Issues Instant Messaging Guidelines (21 September 2004)
The Federal Deposit Insurance Corporation (FDIC) has issued instant messaging (IM) guidelines which, while intended for organizations within the financial industry, are sensible enough for companies in any industry to adopt. The guidelines include setting up firewalls to block incoming and outgoing public IM traffic, creating rules to block IM delivery and file sharing, and deploying strong antivirus and patch management programs. Two vendors have announced that their products are compliant with the new guidelines.
[Editor's Note (Northcutt): The FDIC guidance is here:
-http://www.fdic.gov/news/news/financial/2004/fil8404a.html
The document reflects the continuing trend of blending IM with P2P that started with Chatster and would have better served the financials by addressing both technologies overtly. I would add one more recommendation: mandate an IM technology that allows instant messages to be encrypted. If you are willing to fill in your personal information details, FaceTime has a nifty IM monitor so you can assess the IM traffic at your site:
-http://www.facetime.com/forms/rtmonitor_request.aspx ]
MISCELLANEOUS
UK Bank Error Exposes Customer Information (27/25 September 2004)
HFC Bank erred when it sent out an email to 2,600 customers that included the entire distribution list, thus exposing everyone's email addresses; this was compounded by automated out-of-office responses that revealed phone numbers and other personal details. The bank has admitted that its error violated the law and has credited the accounts of all those affected with GBP 50 (approximately US$90). Despite the gesture, some customers are considering legal action against the bank.
-http://www.theregister.co.uk/2004/09/27/e-bank_email_blunder/print.html
-http://news.bbc.co.uk/2/hi/programmes/moneybox/3689480.stm
FCC Accepting Public Comment on CALEA Applicability to High Speed ISPs and Internet Telephony Providers (24 September 2004)
The Federal Communications Commission is inviting public comment on a proposal that interprets the 1994 Communications Assistance for Law Enforcement Act (CALEA) as applying to Internet traffic, so high speed Internet providers and managed Internet telephony providers would be required to incorporate "surveillance backdoors" into their designs so that law enforcement could employ wiretaps when needed. The FCC comment deadline is November 8, 2004.
-http://www.securityfocus.com/printable/news/9582
-http://edocket.access.gpo.gov/2004/04-20705.htm
Authorize.Net Targeted by DDoS Extortionists (23/21 September 2004)
Credit card processing company Authorize.Net has been the target of a distributed denial-of-service (DDoS) attack which started after the company received an extortion letter.
-http://www.theregister.co.uk/2004/09/23/authorize_ddos_attack/print.html
-http://www.wired.com/news/print/0,1294,65039,00.html
Microsoft Will Step Up SP2 Distribution (22 September 2004)
Microsoft plans to speed up the distribution of SP2, saying it plans to meet the goal of 100 million copies within two months of the service pack's release. The two-month period began on August 18 when the automatic download of SP2 became available. So far, only 20 million copies have been downloaded. About half of the roughly 390 million Windows installations worldwide are some form of XP, meaning that even after reaching the 100 million copy goal, Microsoft will have reached only half of XP users.
-http://asia.cnet.com/news/software/printfriendly.htm?AT=39194629-39037051t-39000001c
Defense Dept. Removes Impediments to Voting Site for Overseas Citizens (22 September 2004)
Many Americans living abroad found they were unable to connect to a Defense Department web site for the Federal Voting Assistance Program, which provides information about obtaining absentee ballots and voting but does not allow people to vote on-line. A Pentagon spokesperson said the problem was caused by the fact that foreign ISPs are blocked when government computers detect probes coming from their networks. The Defense Department has made changes that should make it easier for people to access the site.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39194621-39037064t-39000005c
-http://www.reuters.com/newsArticle.jhtml?storyID=6310532
===end===
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/