

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #46

November 17, 2004

TOP OF THE NEWS

Sarbanes Oxley Section 404 Now in Effect
SecurePoint Loses Business Partner Over Hacker Hire

INFORMATION TECHNOLOGY VENDOR SECURITY PROBLEMS

Oracle Criticized for Being Tight-Lipped About Patch Details
Microsoft Investigating SP2 Vulnerabilities
Denial-of-Service Vulnerability in Cisco Switches and Routers
Microsoft Security Bulletin Has Fix for ISA Spoofing Flaw
New MyDoom Variant Exploits IFrame Vulnerability and Monthly Patch Release
Firefox Version 1.0 Released; Older Versions Have Holes

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Man Arrested for Allegedly Selling Windows Source Code
Alleged Phisher Arrested in Boston
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
The Evolution of Cyber Security at the Federal Reserve
SPAM & PHISHING
Yahoo and EarthLink to Test DomainKeys
Spammer's Trial Reveals Mailing List Sources
STANDARDS AND BEST PRACTICES
Alliance Publishes ATM Cyber Security Guide
MISCELLANEOUS
The Importance of Reviewing Business Interruption Policies Carefully



TOP OF THE NEWS

Sarbanes-Oxley Section 404 Now in Effect (15 November 2004)

Section 404 of the Sarbanes-Oxley Act took effect on Monday, requiring publicly traded companies to have in place policies and controls to "secure, document and process material information regarding their financial results." Organizations that are subject to Sarbanes-Oxley are expected to spend US$1.13 billion this year on compliance technology; that figure is likely to grow to US$1.62 billion next year.
-http://news.zdnet.com/2102-1009_22-5453279.html?tag=printthis
[Editor's Note (Paller): Interviews we've done with corporate executives have uncovered a deep anger at consultants who are charging exorbitant fees and staffing projects with very young and inexperienced people. ]

SecurePoint Loses Business Partner Over Hacker Hire (15 November 2004)

German antivirus company H+BEDV Datentechnik has called a halt to its partnership with SecurePoint because of that firm's decision to hire the young man who allegedly created Sasser. H+BEDV chief executive Tjark Auerbach said his company does not want any part of its product development to be associated with an alleged malware writer.
-http://news.zdnet.com/2102-1009_22-5453166.html?tag=printthis
[Editor's Note (Northcutt): This is a bigger story than it may appear. People who create worms and allow them to spread probably should be in prison, not working for a security company.
-http://practice.findlaw.com/blogger-0804.html
Also, SecurePoint is not just a firewall company. They sell a VPN and personal firewall; this is reminiscent of Cathedral Software in the movie The Net. ]



INFORMATION TECHNOLOGY VENDOR SECURITY PROBLEMS

Oracle Criticized for Being Tight-Lipped About Patch Details (12 November 2004)

Gartner analysts have taken Oracle to task for not providing adequate information about a patch the company released in August and again in October. Oracle has not made clear what will happen if users do not apply the patch. Oracle has also declined to say whether or not older, unsupported versions of its products are affected by the flaw.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=52601314&site_section=700028

-http://www.vnunet.com/news/1159356

Microsoft Investigating SP2 Vulnerabilities (12/11 November 2004)

Microsoft is looking into reports of as many as 10 vulnerabilities in Windows XP Service Pack 2. A security research firm reported it found a number of flaws which could allow attackers to gain remote control of a system or to download potentially malicious code onto a vulnerable system. The firm did not wait for Microsoft to have a patch ready before it made the vulnerabilities public, once again raising the question of responsible disclosure. The company claims it gave Microsoft adequate time to address the flaws before their public announcement.
-http://news.com.com/2102-1002_3-5449269.html?tag=st.util.print
-http://www.computerworld.com/printthis/2004/0,4814,97478,00.html
-http://www.vnunet.com/news/1159322

Denial-of-Service Vulnerability in Cisco Switches and Routers (11 November 2004)

Cisco has warned of Denial-of-Service vulnerabilities in a number of its switches and routers, even when they are properly configured. The problem lies in the way the software handles dynamic host configuration protocol (DHCP) packets, and affects IOS version 12.2S with DHCP server or relay agent enabled. Cisco has made a patch and workarounds available.
-http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=2BXSOZRAGYXGCQSNDBCCKH0CJUMEKJVN?articleId=52600816&printableArticle=true

Cisco advisory:
-http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml

Microsoft Security Bulletin Has Fix for ISA Spoofing Flaw (10 November 2004)

Microsoft's November monthly security bulletin contains a patch for a spoofing vulnerability in its Internet Security and Acceleration Server 2000 software. The flaw is also found in Microsoft Proxy Server 2.0.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39200570-39037064t-39000005c

-http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx

New MyDoom Variant Exploits IFrame Vulnerability and Monthly Patch Release (10 November 2004)

It is possible that the new MyDoom variant was released to coincide with Microsoft's monthly security bulletin; the worm exploits the IFrame vulnerability which was not addressed in November's update, because, according to Microsoft, it was discovered only a few days before the monthly update was due and the company did not believe it had time to develop a stable patch.
-http://news.com.com/2102-7349_3-5446624.html?tag=st.util.print

Firefox Version 1.0 Released; Older Versions Have Holes (10/9 November 2004)

Shortly after releasing Firefox Version 1.0, Mozilla announced that earlier versions of its browser contain vulnerabilities which could allow password theft through file shares, file extension spoofing during downloads and denial-of-service.
-http://www.infoworld.com/article/04/11/10/HNfirefoxholes_1.html
-http://www.eweek.com/print_article2/0,2533,a=139010,00.asp
-http://www.vnunet.com/news/1159275
[Editor's Note (Tan): It just shows that no browser is fully secure. The one that gets the most attention gets hit. ]

THE REST OF THE WEEK'S NEWS

STANDARDS AND BEST PRACTICES

Alliance Publishes ATM Cyber Security Guide (10 November 2004)

The Global ATM Security Alliance has published a guide to cash machine cyber security as a proactive measure; ATMs are increasingly moving to Windows and other commonly used platforms. Though ATMs are generally on private networks or VPNs, the possibility of undocumented Internet connections always exists, as does the possibility of malicious code sneaking in via laptops connected to the system. Last year, the Nachi worm exploited the RPC DCOM vulnerability in Windows to compromise ATMs at two different financial institutions.
-http://www.securityfocus.com/printable/news/9903
[Editor's Note (Pescatore): Let's see: ATM machines have been around for 20 years and are now coming out with security standards as a "proactive" measure?? I guess that means that in about 2020 the Global Voting Machine Security Alliance will proactively provide security guidelines for voting machines? ]

ARRESTS, CONVICTIONS AND SENTENCES

Man Arrested for Allegedly Selling Windows Source Code (11/9 November 2004)

William P. Genovese has been arrested for allegedly selling source code for Microsoft Windows NT 4.0 and 2000. The charge of unlawfully distributing a trade secret carries a maximum prison sentence of 10 years and a fine of as much as US$250,000. Genovese maintains he is "being singled out" because Microsoft has been unable to find the person or people who stole the code in the first place.
-http://www.computerworld.com/printthis/2004/0,4814,97373,00.html
-http://www.securityfocus.com/printable/news/9912

Alleged Phisher Arrested in Boston (10 November 2004)

Boston police have arrested an alleged phishing scam artist. Andrew Schwarmkoff has been arraigned on counts of fraud, larceny, identity theft and receiving stolen goods. Schwarmkoff, who is alleged to be a Russian mobster, was ordered held in lieu of US$100,000 bail.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=52600627&site_section=700028

-http://asia.cnet.com/news/security/printfriendly.htm?AT=39200964-39037064t-39000005c

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

The Evolution of Cyber Security at the Federal Reserve (9 November 2004)

The Federal Reserve's cyber security practices have grown out of their experience. Prior to the advent of Blaster, patches were deployed on weekends to minimize disruption; now they are deployed during the week. After Sasser, the Federal Reserve decided to filter out all incoming executable attachments.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27859

[Editor's Note (Ranum): "Default deny" attachment filtering has been a good idea all along. ]

[Editor's Note (Pescatore): We're seeing more Gartner clients move to blocking all incoming executables in external email attachments, since standard anti-viral protection has been too reactive. One client did an audit of two weeks of incoming email and found that less than 1/2 of 1% of executables in attachments were of business value. ]

SPAM & PHISHING

Yahoo and EarthLink to Test DomainKeys (15 November 2004)

Yahoo and EarthLink plan to begin testing DomainKeys anti-spam technology. DomainKeys is thought to provide better security than Microsoft's anti-spam technology, known as SenderID, but it requires more computing power and is more difficult to implement. DomainKeys is already being used by Google's Gmail and Indian ISP Sify.
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=6808454

Spammer's Trial Reveals Mailing List Sources (15 November 2004)

MISCELLANEOUS

The Importance of Reviewing Business Interruption Policies Carefully (15 November 2004)

UK company Tektrol had five independent copies of the source code for its energy-saving product. In December 2001, two were inadvertently destroyed by a worm disguised as a holiday greeting card. Several weeks later, thieves stole two computers that contained copies of the code as well as the only hard copy of the code. While Tektrol had business interruption insurance which covered losses from theft, losses caused by the worm infection were excluded. The justice in the case did not find in favor of Tektrol because, he reasoned, either incident on its own would not have caused business interruption, and if either incident were excluded from coverage, the company could not recover damages. The author points out that the worm infection, which occurred first and was not covered, did not cause an interruption to Tektrol's business; only after the theft was Tektrol's business interrupted.
-http://www.securityfocus.com/printable/columnists/276


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/