SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #8
February 25, 2004
A note about professional growth for security and audit professionals. We are often asked, by people with strong security and audit skills, how they can become more visible in the community and grow professionally. The most satisfying answer to that question is "Become a mentor." When you teach others you get more than simple appreciation. You get a network of people who know and trust you; you get visibility among your peers for having been selected to mentor others; you get economic compensation; and if the people you mentor think you are extraordinary, you may even get opportunities to teach at a SANS conference. Because the mentoring program is so effective, you also get a deep satisfaction that you are actually helping. Our SANS training conferences are again starting to sell out. The only way we can hope to help hundreds of thousands of auditors and security professionals keep up with the changing skills requirements is by expanding our Local Mentor Program. We have programs in more than 100 cities around the world. If you are interested, email info@sans.org with the subject "Local Mentor Opportunities".
Alan
TOP OF THE NEWS
Bill Gates Announces Security Improvements In WindowsDHS Protected Critical Infrastructure Information (PCII) Program
Reactions to DHS PCII Program Vary
Study Indicates Firewall and VPN Spending Will Double in Three Years
Homeland Security Department's CIO Council Security Priorities
THE REST OF THE WEEK'S NEWS
Former ViewSonic Employee Gets Prison Sentence for Wiping Out DataMinnesota Man Charged with Breaking Into USPS Server
Judge Rules DVD-Copying Products are Illegal
Internet Society of China Blacklists More Spam Servers
Phishing Attacks Increased by 50% in One Month
Phishers Target National Australia Bank Customers
Phony Police E-Mail Tries to Get Keystroke Logger Onto People's Computers
Fiscal 2004 Budget Cuts NIST Funding
Yankee Group Survey Finds Anti-Virus, IDS and Firewalls Top Spending Lists
Web Application Security Consortium
Audit Finds Sensitive Data on Discarded North Carolina State Government Computers
Microsoft Warns Alleged Windows Code Posters
STORIES ABOUT E-VOTING
Groups Encourage Use of Paper Absentee Ballots Instead of E-VotingOhio Secretary of State Wants to Buy New Voting Machines
Judge Denies Group's Request to Prevent Use of Diebold E-Voting Machines in Election
Ireland E-Voting Debate
VULNERABILITY UPDATES AND EFFECTS
IE 5 Flaw Found in Leaked Windows Source CodeMicrosoft Encourages Move to IE 6 Service Pack 1
Cisco VoIP Security Problems
Linux Kernel Flaws
Buffer Overflow Flaw in ZoneAlarm Firewall
Two Versions of NetSky are Spreading
Sun Offers Updates for Cobalt Vulnerabilities
Microsoft Releases Security Update CD
Bagle Variant Spreading
*********************** Sponsored by Net IQ *****************************
Need security policies? Don't start from scratch.
Check out "Information Security Policies Made Easy," the best security policy resource guide available, with 1,300+ ready-to-use security policies, easily customizable for any organization. Also, don't miss our step-by-step guide, "Information Security Roles & Responsibilities Made Easy."
Check them both out now.
http://www.netiq.com/f/form/form.asp?id=2202&origin=NS_SANS_022504
**********************************************************************
This Week's Featured Security Training Program:
Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004
*************************************************************************
TOP OF THE NEWS
Bill Gates Announces Security Improvements In Windows (24 February 2004)
In his keynote address at the RSA conference today, Microsoft's Bill Gates sounded like a "born again" security advocate, and he announced some surprisingly useful new capabilities. Examples: firewalls turned on by default in XP SP2 and firewalls that ask the user for permission to open a port when an application needs it open, and automatically close the port after the application finishes its job. Many other valuable features are listed in the article.-http://www.internetnews.com/dev-news/article.php/3317301
[Editor's Note (Paller): Microsoft has announced some important changes, but as Bill Gates said in his speech, "the job's not done." Consider this to be a first installment on paying a large debt to users. And please, if you buy enough software from Microsoft for them to pay attention to you, make sure you list specific security settings in your procurement documents. If you need a set to specify, follow the National Security Agency or the Center for Internet Security benchmarks. They work. (www.cisecurity.org) When enough big buyers demand safer configurations, Microsoft will start delivering safer systems to all of us, and then even small businesses and home users will have security baked in. ]
DHS Protected Critical Infrastructure Information (PCII) Program (18/19/20 February 2004)
The Department of Homeland Security (DHS) has launched an initiative for companies to inform them about vulnerabilities in the nation's critical infrastructure. The Protected Critical Infrastructure Information (PCII) program will allow companies to let DHS know about security problems in their products with the reassurance that the information will not be released to the general public.-http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-18-04.asp
-http://www.computerworld.com/printthis/2004/0,4814,90290,00.html
-http://zdnet.com.com/2102-1105_2-5162732.html?tag=printthis
[Editor's Note (Schneier): Since this is a voluntary program, I can't see it having any useful effect. ]
Reactions to DHS PCII Program Vary (20 February 2004)
Critics of the PCII Program say that it could weaken rather than strengthen security because the government cannot require the companies to fix the flaw or disclose it to the public. Furthermore, if information about a reported vulnerability is leaked to the public, the companies are immune from liability under the law. Proponents of the program say it allows for more detailed information than informal reporting allowed.-http://www.securityfocus.com/news/8090
Study Indicates Firewall and VPN Spending Will Double in Three Years (20 February 2004)
According to a study from business information analyst Datamonitor, global spending on VPN and firewall technology will grow to nearly $6 billion by 2007, doubling the present level of spending in just three years. North America is the largest security market; Datamonitor predicts that Latin America and Asia Pacific will be the fastest growing security markets over the next three years.-http://www.theregister.co.uk/content/5/35708.html
-http://www.theregister.co.uk/content/55/35704.html
[Editor's Note (Northcutt): the article goes on to say SSL based VPNs are a primary growth segment. I would have hoped for IPSec, but that fixation on the destination IP address is a bit of a problem. Other literature on the market appears to support that assertion, sigh.
-http://www.marketresearch.com/researchindex/932918.html
-http://zdnet.com.com/2100-1105_2-5140548.html]
Homeland Security Department's CIO Council Security Priorities (17 February 2004)
The DHS CIO Security Council has set eight technology priorities to concentrate on this year. The eight areas of focus are information sharing, mission rationalization, information technology security, development of a single information and technology infrastructure, enterprise architecture, portfolio management, governance and IT human resources.-http://www.govexec.com/dailyfed/0204/021704c1.htm
-http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-17-04.asp
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) FREE White Paper: "Why the web browser is the most dangerous hacking tool"
http://www.sans.org/click.php?id=333
(2) Best Practices for Incident Response - Sign up for the practitioner's guide at
http://www.sans.org/click.php?id=334
(3) From SANS: HIPAA Security Implementation is a step by step guide for IT staff of hospitals. Thorough and extremely cost effective.
https://store.sans.org/store_item.php?item=117
***********************************************************************
THE REST OF THE WEEK'S NEWS
Former ViewSonic Employee Gets Prison Sentence for Wiping Out Data (23 February 2004)
Former ViewSonic employee Andrew Garcia has been sentenced to one year in prison for breaking into the company's computer system and wiping out critical data two weeks after he was fired.-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=18100201
[Editor's Note (Shpantzer): Garcia accessed the server he used to administer "two weeks after he had been terminated," despite the fact that Viewsonic promptly revoked his credentials. What happened? It turns out that he had other sysadmin passwords, and used those to gain access and delete critical files.
-http://www.silicon.com/networks/lans/0,39024663,10006299,00.htm
It gets worse: Garcia "was previously convicted of two felonies"
-http://www.usdoj.gov/criminal/cybercrime/garciaArrest.htm
Lessons learned? 1. Consider changing associated sysadmin credentials when firing a co-worker 2. Institute background checks and hiring standards for IT positions that have elevated privileges. ]
Minnesota Man Charged with Breaking Into USPS Server (21 February 2004)
Joshua Linsk of Minneapolis has been charged with breaking into and damaging a US Postal Service web server. Linsk also allegedly broke into another computer at a different organization to obtain credit card numbers. If convicted, Linsk could face a prison sentence of up to 15 years and/or a fine of as much as $500,000.-http://www.kare11.com/news/news-article.asp?NEWS_ID=59863
Judge Rules DVD-Copying Products are Illegal (20 February 2004)
A federal judge in California has ruled that 321 Studios' DVD-copying products are illegal, and gave the company seven days to stop distributing the products in question. The judge wrote that federal law makes selling such products illegal despite consumers' rights to make personal copies of movies they have purchased. 321 Studios plans to ask for an emergency stay that would allow their products to remain on store shelves while appealing the judge's ruling.-http://news.com.com/2102-1025_3-5162749.html?tag=st.util.print
[Editor's Note (Schneier): Whatever happened to the customer's right to make a legal backup of the product? Not only is this ruling unreasonable, it's essentially unenforceable. This product may stop being sold, but DVD duplicating programs are going to keep being distributed.
(Grefer): The real damage is not done so much by folks who make backup copies of their DVDs, going through the effort of decrypting it, converting it into a different format and burning it onto a CD, but rather by professional black market organizations that make bit-copies of the DVDs, thereby not hassling with the copy protection.
-http://obi-wan.kenobi.it/cynicalsecurity/archives/001260.html]
Internet Society of China Blacklists More Spam Servers (20 February 2004)
Chinese authorities have blacklisted 656 spam servers around the world; the servers will be monitored by the Internet Society of China (ISC) and will be blocked if they continue to send spam to mainland China Internet users after March 20. This is the third such list the ISC has released since September 2003.-http://news.com.com/2102-1024_3-5162355.html?tag=st.util.print
-http://www.pcworld.com/resource/printable/article/0,aid,114867,00.asp
Phishing Attacks Increased by 50% in One Month (19 February 2004)
The Anti-Phishing Working Group found that there were 52% more phishing attacks in January 2004 than in December 2003. 40% of the attacks used the guise of the financial sector; 34% pretended to be retailers.-http://www.ecommercetimes.com/perl/story/32906.html
-http://www.theregister.co.uk/content/55/35635.html
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=25000
[Editor's Note (Pescatore): NewsBites readers may remember our mention of the need for "Caller ID" for the Internet to combat phishing. Lo and behold, at his keynote speech at this week's RSA Security Conference, Bill Gates announced a Caller ID for the Internet initiative to combat phishing. ]
Phishers Target National Australia Bank Customers (18 February 2004)
Phishers have sent e-mails that purport to be from National Australia Bank (NAB) and lead users to a site that tries to collect their Australian National ID and Internet banking passwords. The URL for the phony site has been blocked.-http://www.pcworld.idg.com.au/index.php?id=1041815809&fp=2&f%20pid=1
Phony Police E-Mail Tries to Get Keystroke Logger Onto People's Computers (17 February 2004)
The Australian High Tech Crime Centre has warned people that cyber criminals are sending out e-mails that claim to be from the federal police and suggesting that they are under investigation. The links that purport to provide further details actually install keystroke loggers on users' computers.-http://australianit.news.com.au/articles/0,7204,8707873^15319^^nbv^15306,00.html
[Editor's Note (Shpantzer): The keystroke logger is particularly nasty as it gets passwords even if they are not sent in clear text. ]
Fiscal 2004 Budget Cuts NIST Funding (13 February 2004)
The National Institute of Standards and Technology's (NIST) acting chief of staff says that a $22 million budget cut in fiscal 2004 means that NIST will have to cut back "substantially" on its cyber security work as well as completely stop all work for the Help America Vote Act. NIST's Manufacturing Extension Partnership (MEP) will also see significant cuts in staffing and other areas.-http://www.govexec.com/news/index.cfm?mode=report2&articleid=27658&printerfriend
lyVers=1&
Yankee Group Survey Finds Anti-Virus, IDS and Firewalls Top Spending Lists (18/19 February 2004)
A Yankee Group survey of 404 decision-makers at medium to large companies found 54% of the respondents believe security budgets will increase over the next three years; just 8% believe they will decrease. Half of the respondents also have the same top three items on their security spending lists: anti-virus, intrusion detection and prevention systems (IDS and IPS) and firewalls. The survey also found that the average annual cost for patching desktop computers is $254. Some companies are delaying patch application until multiple patches or service packs become available.-http://www.esj.com/security/print.asp?editorialsId=860
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci951006,00
.html
[Editor's Note (Schultz): Once again the a well-known industry analyst group's prediction that intrusion detection technology is on the wane appears to be out of touch with reality, as shown by the Yankee Group's recent survey findings. ]
Web Application Security Consortium (18 February 2004)
The Web Application Security Consortium plans "to create a classification system for application security vulnerabilities, attacks and other threats." The group also plans to develop industry best practices in secure coding.-http://www.eweek.com/print_article/0,3048,a=119490,00.asp
[Editor's Note (Pescatore): We really do need the security industry to drive some standard XML schema/DTD for vulnerability descriptions. The AVDL effort, CVE and WASC ought to align to do this. ]
Audit Finds Sensitive Data on Discarded North Carolina State Government Computers (18 February 2004)
The North Carolina state auditor's department found sensitive data on the hard drives of used state government computers that had been sent to the Surplus Property Agency for sale to the public. The data they found included social security numbers, bank account numbers and passwords that would allow access to the state computer network. The review was the first conducted following a 2002 requirement that agencies erase data from their computers before submitting them to the Surplus Property Agency.-http://www.wilmingtonstar.com/apps/pbcs.dll/article?AID=/20040218/APN/402180853&
cachetime=5&template=printart
[Editor's Note (Ranum): I know several researchers who buy used hard disks on Ebay and at surplus stores looking for exactly this kind of stuff. The only possible excuse is that the information found might have been out of date. ]
Microsoft Warns Alleged Windows Code Posters (17/18 February 2004)
Microsoft has sent cease-and-desist letters to several people who have downloaded stolen Windows source code from the Internet, warning them that such activity is illegal. The letter requests that they stop posting the files and that they erase any copies of the code they possess. Microsoft is also sending warnings to people who search for the code on peer-to-peer file sharing networks. There are no details available about how Microsoft knows who has downloaded or searched for the code.-http://www.eweek.com/print_article/0,3048,a=119396,00.asp
-http://zdnet.com.com/2102-1105_2-5161205.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,90270,00.html
STORIES ABOUT E-VOTING
Groups Encourage Use of Paper Absentee Ballots Instead of E-Voting (20 February 2004)
Activist groups in California and Maryland are encouraging voters to use paper absentee ballots in the upcoming primary elections because the electronic machines both states intend to use could be vulnerable to fraud and do not provide a paper audit trail.-http://www.wired.com/news/print/0,1294,62364,00.html
Ohio Secretary of State Wants to Buy New Voting Machines (20 February 2004)
In an attempt to bring Ohio into compliance with the Help America Vote Act, Secretary of State J. Kenneth Blackwell will ask the state Controlling Board for $128 million to purchase new voting machines. Some state legislators want the funding rejected until questions about the voting system's security have been answered. If the funding request is denied, Blackwell's office will propose a move to optical scan ballot systems which leave a paper trail.-http://www.daytondailynews.com/localnews/content/localnews/daily/0220vote.html
Judge Denies Group's Request to Prevent Use of Diebold E-Voting Machines in Election (17/19 February 2004)
A group of California citizens filed a request for a temporary restraining order that would require the counties using Diebold's electronic voting machines to install additional safeguards on the machines before the state's upcoming primary election. The group also sued to stop the state and Diebold from using voting machines with security problems. The judge ruled that the state could use the Diebold machines in the upcoming election.-http://www.wired.com/news/print/0,1294,62323,00.html
-http://www.theregister.co.uk/content/6/35664.html
[Editor's Note (Schultz): It's really disturbing to see that states and even some national governments are planning to use electronic voting systems without providing reasonable assurance that they are sufficiently secure and tamperproof. ]
Ireland E-Voting Debate (16 February 2004)
Ireland's Minister for the Environment Martin Cullen says newly introduced electronic voting machines "will improve democracy." Those opposed to using the machines question the system's reliability, and the government has rejected their requests for printed backups of ballots.-http://news.com.au/common/printpage/0,6093,8696999,00.html
VULNERABILITY UPDATES AND EFFECTS
IE 5 Flaw Found in Leaked Windows Source Code (23 February 2004)
-http://www.computerworld.com/printthis/2004/0,4814,90326,00.html
Microsoft Encourages Move to IE 6 Service Pack 1 (17 February 2004)
-http://www.crn.com/Components/printArticle.asp?ArticleID=48010
Cisco VoIP Security Problems (20 February 2004)
-http://www.theregister.co.uk/content/55/35716.html
Linux Kernel Flaws (19/20 February 2004)
-http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci95
1284,00.html
-http://www.computerworld.com/printthis/2004/0,4814,90359,00.html
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=25033
-http://www.eweek.com/print_article/0,3048,a=119669,00.asp
Buffer Overflow Flaw in ZoneAlarm Firewall (19 February 2004)
-http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1063
-http://download.zonelabs.com/bin/free/securityAlert/8.html
Two Versions of NetSky are Spreading (18 February 2004)
-http://zdnet.com.com/2102-1105_2-5161036.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,90264,00.html
Sun Offers Updates for Cobalt Vulnerabilities (18 February 2004)
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950995,00
.html?track=NL-358
Microsoft Releases Security Update CD (18 February 2004)
The CD will contain all critical patches through October 2003 for Windows XP, Me, 2000, 98 and 98 SE.-http://www.internetnews.com/dev-news/print.php/3314501
[Editors' Note (Multiple): This CD may be useful in ensuring a box is patched before it is connected to the internet. There are so many automated attack tools running on the Internet, scanning for vulnerable machines, that many machines are compromised before they can complete the patch downloading process from Microsoft. ]
Bagle Variant Spreading (17 February 2004)
-http://zdnet.com.com/2102-1105_2-5160268.html?tag=printthis
-http://www.eweek.com/print_article/0,3048,a=119308,00.asp
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/