SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #47

October 25, 2005

TOP OF THE NEWS

Legislators Disappointed with Lack of Progress in Critical Infrastructure Security
Exploit Code Posted for Oracle Flaw
Botnet Allegedly Controlled by Dutch Trio Comprised 1.5 Million Computers

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING
Former Intermix CEO to Pay US$750,000 in Spyware Case
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Swedish Digital Media Bodies May Gather Suspected File-Traders' IP Addresses
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Botnet Client Detected
Another Microsoft Patch Proves Problematic
Cisco Customers Unaccustomed to Updates
STANDARDS & BEST PRACTICES
VoIPSA to Release Security Threat Taxonomy
STATISTICS, STUDIES & SURVEYS
More Than 80 Percent of DNS Servers May be Vulnerable to Pharming
MISCELLANEOUS
Software Identifies and Quarantines Computers Infected with Malware
UK Police to Add Facial Biometrics to Identification Systems
Schneier: Hold Manufacturers, Not Developers, Responsible for Unsecure Code
National Hi-Tech Crime Unit to Launch On-Line Safety Program for Home Users and Small Businesses
UK Home Office to Test Biometrics in Anticipation of ID Card System
EFF Cracks Color Laser Printer Codes

---

********************** Sponsored by Bindview ****************************

Are You Prepared for the PCI-Data Security Standard? Join BindView for a live Webcast where you will get an overview of the PCI-Data Security Standard; how the standard's 12 major requirements impact IT; and how automated solutions can help demonstrate compliance with these requirements to satisfy an audit. Click http://www.bindview.com/Events/GetEvents.cfm?NUM=1491&AD=AD-SANS1110WBNR-Q40
5 to register

*************************************************************************

---

TOP OF THE NEWS

Legislators Disappointed with Lack of Progress in Critical Infrastructure Security (24/18 October 2005)

US legislators are unhappy with the lack of progress made in securing the nation's critical infrastructure from cyber attacks. The Bush administration has missed deadlines for developing a National Infrastructure Protection plan, determining vulnerabilities and identifying ways to address those vulnerabilities. Furthermore, Andy Purdy, acting director of DHS' National Cyber Security Division, says he has just two full-time staffers working on improving SCADA (Supervisory Control and Data Acquisition) networks for critical infrastructure facilities. Mr. Purdy told legislators that his department will present the owners of critical infrastructure with cost-benefit analyses for investing in SCADA security.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801392_
pf.html
-http://www.eweek.com/print_article2/0,1217,a=163373,00.asp
[Editor's Note (Pescatore): NERC and others (NIST's Process Control Security Requirements Forum, (PCSRF), the chemical industry Data eXchange (CIDX), DHS' Process Control Security Forum (PCSF), the American Gas Association (AGA)) have done a lot of the blocking and tackling needed to move SCADA and process control systems requirements to a higher level of security. Has the federal government taken any steps to require these higher levels of security requirements from all suppliers of power and energy to the government?
(Paller): There is evidence of movement toward rapid implementation of improved security technology, in the form of the multi-national/multi-sector SCADA Security Summit. That's where vetting of the most promising technical solutions will be reviewed and drafting of common procurement language will begin. By acting together using common procurement specifications for secure SCADA systems, critical infrastructure asset owners can persuade the vendors to deliver safer systems very quickly. Information about the Summit will be posted on Thursday, October 25. For a heads-up email when it is posted, send your name and employer and email to info@sans.org with the subject SCADA Summit. ]

Exploit Code Posted for Oracle Flaw (21 October 2005)

Exploit code for a buffer overflow vulnerability in some versions of Oracle's database server is available on the Internet. The code appeared on the Internet just days after the security update was released on October 18. The exploit code could be used by attackers with user credentials on vulnerable databases or remotely with the help of an SQL injection attack to crash the database.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4625
-http://www.computerworld.com/printthis/2005/0,4814,105615,00.html
-http://isc.sans.org/diary.php?storyid=785
[Editor's Note (Hayler): The reverse-engineering of security patches to develop exploits is now commonplace, and requires far less effort than actually hunting for the flaws themselves. ]

Botnet Allegedly Controlled by Dutch Trio Comprised 1.5 Million Computers (21 October 2005)

The number of Windows-based computers allegedly controlled by three Dutch men arrested last month has turned out to be significantly greater than was first believed. Law enforcement officials initially estimated the number of compromised PCs ensnared in the botnet that they reportedly built at 100,000, which made it the largest ever detected; the number of compromised machines was later found to be 1.5 million.
-http://www.vnunet.com/vnunet/news/2144375/botnet-operation-ruled-million
-http://isc.sans.org/diary.php?storyid=778
[Editor's Note (Hoepman): These estimates are believed to be pretty much unfounded guesswork. ]

---

**********************************************************************

Amazingly Effective Security Training Programs in Baltimore and San Diego and Amsterdam and Ten Other Cities: Hacker Exploits, Certification Training for DoD GIAC Cert requirements, more.
http://www.sans.org

************************ Sponsored Links *****************************

1) FREE CYA (Cover Your Apps) T-shirt from SPI Dynamics when you evaluate WebInspect http://www.sans.org/info.php?id=905

2) Centrally managed, host-based firewall protection to proactively secure your corporate network. Free NetOp trial available.
http://www.sans.org/info.php?id=906

3) Earn your Master's degree in Information Security from an NSA - recognized online program. http://www.sans.org/info.php?id=907

***********************************************************************

---

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING

Former Intermix CEO to Pay US$750,000 in Spyware Case (21 October 2005)

Brad Greenspan, former CEO and founder of Los Angeles-based Intermix Medias Inc., has agreed to pay US$750,000 in penalties and returned profits to settle a case brought by New York Attorney General Eliot Spitzer. Mr. Greenspan was accused of ordering Intermix employees to bundle adware with other software; Intermix was accused of bundling adware and spyware with other free programs, which caused the stealth software to be installed, unbeknownst to consumers, on millions of computers across the country. Spitzer sued Intermix in April; the company agreed to pay US$7.5 million in penalties over three years to settle; they also agreed to stop distributing adware.
-http://www.consumeraffairs.com/news04/2005/ny_spyware.html
-http://www.technewsworld.com/story/qJxm7qrYd4Lekx/Spitzer-Intermix-Ex-CEO-Agree-
on-Settlement.xhtml

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Swedish Digital Media Bodies May Gather Suspected File-Traders' IP Addresses (21 October 2005)

The Swedish branch of the International Federation of the Phonographic Industry and Antipiratbryan are no longer required to obtain permission before gathering the IP addresses of Swedish citizens who are allegedly sharing copyright-protected content. However, they would still need the cooperation of ISPs.
-http://www.theregister.co.uk/2005/10/21/hunt_for_swedish_filesharers/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

New Botnet Client Detected (24 October 2005)

The Mocbot botnet client spreads by exploiting the same Microsoft vulnerability exploited by the Zotob worm, (patch described in Microsoft Security Bulletin MS05-039). Mocbot attempts to connect to two servers located in Russia, which are apparently down or overloaded. Mocbot does not exploit the flaw addressed by Microsoft security bulletin MS05-047 as was previously suggested, although the exploit codes are similar.
-http://www.theregister.co.uk/2005/10/24/pnp_botnet_encore/print.html

Another Microsoft Patch Proves Problematic (21 October 2005)

A problem with Microsoft's patch for a flaw in DirectShow, which was described in Microsoft Security Bulletin MS05-050 could conceivably lead users to apply the wrong patch. Users who have versions 8.0 or 9.0 of DirectX (which contains DirectShow) could mistakenly apply the patch for DirectX version 7.0 and be unaware that their systems are unprotected. Last week Microsoft acknowledged that another one of the patches in its October release could cause additional problems if users had changed certain default settings.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39283303-39000005c
-http://www.computerworld.com/printthis/2005/0,4814,105646,00.html
-http://support.microsoft.com/kb/909596
-http://isc.sans.org/diary.php?storyid=784

Cisco Customers Unaccustomed to Updates (20 October 2005)

Cisco CSO John Stewart says that because Cisco customers are unaccustomed to updating their network hardware operating system on a regular basis, many are still running old versions of the company's Internetwork Operating System (IOS). Mr. Stewart says Cisco has not adopted automatic patching because its customers do not want it. He hopes that the outcome of an unexpected vulnerability disclosure earlier this year will be that Cisco IOS users upgrade to the latest version to protect their systems.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39217949-20000
61744t-10000005c
[Editor's Note (Pescatore): The issue is more that it has been really, really painful to update IOS. It isn't a patch action, it is a shut down and reload the OS action, which is very disruptive to the network and very manpower intensive. While the best solution is always better software development processes to reduce vulnerabilities, software vendors (and switch vendors ship a lot of software) have to invest a lot to make the patch process easier and faster for their customers. Microsoft learned this back during the worms of 2001 and now most enterprises can patch Windows much, much faster with much less pain. ]

STANDARDS & BEST PRACTICES

VoIPSA to Release Security Threat Taxonomy (24 October 2005)

The VoIP (Voice over Internet Protocol) Security Alliance will release a Taxonomy Threat Model to help entities address policies regarding VoIP deployment. VoIPSA includes members from the hardware, software and telephone carrier industries. The taxonomy classifies and describes IP telephony security threats. This should provide the "industry (with) a common reference point to deal systematically with ... security issues." The four broad "phyla" of the taxonomy are denial-of-service, traffic modification, signal interception and bypass of refused content.
-http://www.eweek.com/print_article2/0,1217,a=163371,00.asp
-http://www.networkingpipeline.com/showArticle.jhtml?articleID=172303368&_loo
pback=1
[Editor's Note (Shpantzer): Before the era of mainstream VoIP, a hacker got into HP's voicemail system and leaked a voicemail from HP's top executive. Imagine what a months' worth of live VoIP conversations would do in terms of damage or potential for extortion.
-http://www.computerworld.com/governmenttopics/government/legalissues/story/0,108
01,70061,00.html]

STATISTICS, STUDIES & SURVEYS

More Than 80 Percent of DNS Servers May be Vulnerable to Pharming (24 October 2005)

The results of a recent survey indicate that 84 percent of DNS servers around the world might be vulnerable to pharming attacks, which use DNS cache poisoning or domain hijacking to redirect Internet users to specially crafted web sites designed to steal their personal information. Some suggestions for protecting against DNS vulnerabilities include splitting external name servers into authoritative name servers and forwarders, and restricting recursion and filtering traffic to and from external name servers.
-http://www.theregister.co.uk/2005/10/24/dns_security_survey/print.html
-http://dns.measurement-factory.com/surveys/sum1.html
-http://isc.sans.org/presentations/dnspoisoning.php
[Guest Editor Note (Pescatore): In the interest of disclosure, this survey was funded by a company that sells secure DNS servers. However, most thorough security audits do find that the majority of DNS servers have glaring vulnerabilities.
(Ullrich): I think this study is missing the point. Pharming, or a DOS attacks against the misconfigured DNS server creates part of the problem, but the really big problem, Instead, is that open recursive DNS servers can be used to amplify DDoS attacks.
(Tan): DNS poisoning is not something new. It just becomes more apparent when coupled with phishing and fraud attacks. Securing DNS system isn't a rocket science. Protecting DNS/BIND has been one of SANS Top 20 items since Year 2000. The steps are detailed at
-http://www.sans.org/top20/.]

MISCELLANEOUS

Software Identifies and Quarantines Computers Infected with Malware (21 October 2005)

Researchers at the University of Indianapolis have developed software that detects and quarantines PCs infected with spyware and viruses. The software works by identifying unusual and suspicious traffic patterns, identifying the machines involved and moving them to a closed virtual LAN where users see a screen that explains the situation and describes how to get help. One drawback is that the system currently does not work with wireless devices. False positives amount to about one in 50 or 60 quarantined computers.
-http://www.computerworld.com/printthis/2005/0,4814,105623,00.html
[Editor's Note (Pescatore): The University of Florida built software called Icarus a few years ago that was similar, but more oriented towards blocking P2P and file sharing storms. There are a lot of commercial products that have come out since 2003 that provide similar network access control functions and quarantining. A 2% false alarm rate is pretty high - a 10,000 person company having 200 people per day kicked off the network and calling the help desk would be a problem. ]

UK Police to Add Facial Biometrics to Identification Systems (21/ October 2005)

The UK's Police IT Organization plans to incorporate facial biometrics into its systems to help identify criminal suspects more accurately. The system currently uses fingerprints; PITO director of information Fred Preston said the combined power of the two biometric methods will help ensure that the right people go into and come out of prison. The change is to take place over the next five years.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39232934-39020351t-10000013c

Schneier: Hold Manufacturers, Not Developers, Responsible for Unsecure Code (20 October 2005)

In response to Howard Schmidt's recent argument "that software developers should be held personally accountable for the security of the code they write," Bruce Schneier says the manufacturers, not the developers, should be held accountable. Mr. Schneier argues that security is not a technological problem, but an economic one; in order for software security to improve, companies have to feel the economic impact of offering a product with poor security. Currently, that cost is borne by the consumers. If consumers had the ability to sue the manufacturers, things might change.
-http://www.wired.com/news/print/0,1294,69247,00.html
[Editor's Note (Schmidt): It is unfortunate that my comments were reported inaccurately; at least Dan Farber has been trying to correct the inaccurate reports with his blog
-http://blogs.zdnet.com/BTL/?p=2046
I do not support PERSONAL LIABILITY for the developers NOR do I support liability against vendors. Vendors are nothing more then people (employees included) and anything against them hurts the very people who need to be given better tools, training and support.
(Hoepman): Holding manufacturers responsible certainly changes the economics of software production. Given the fact that bug-free code is a holy grail, the question is whether some kind of due diligence limit should be imposed (ie you will not be held liable if you can prove you invested a reasonable effort to avoid bugs). Otherwise most software manufacturers will quickly be out of business.
(Paller) Several leading organizations are already shifting some rational level of responsibility to the vendors. They have inserted a clause in their software procurement saying that "The vendor certifies it has tested its software against the SANS Top 20 (www.sans.org/top20) and that the software does not contain any of those widely known vulnerabilities." Then if it is found to be vulnerable because of a well known-vulnerability, the vendor has a contractual liability. Similar language requiring other software tests and certifications is also being used. ]

National Hi-Tech Crime Unit to Launch On-Line Safety Program for Home Users and Small Businesses (20 October 2005)

The UK's National Hi-Tech Crime Unit plans to launch an on-line safety campaign called get Safe Online aimed at businesses with fewer than 10 employees as well as on-line consumers. According to the NHTCU, these two groups are the "most susceptible" to common security threats. Large companies tend to make their employees more security-aware.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39232449-39020375t-10000025c
-http://technology.guardian.co.uk/weekly/story/0,16376,1595598,00.html
[Editor's Note (Hayler): The UK National Infrastructure Security Co-ordination Centre (NISCC) launched a similar program earlier this year:
-http://www.itsafe.gov.uk/
Despite some early publicity, it is now rarely mentioned in press reports or other places where the target audience might see it. Let's hope this new initiative receives better long term exposure. ]

UK Home Office to Test Biometrics in Anticipation of ID Card System (24/20/17 October 2005)

The UK Home Office plans to test the accuracy of biometric technology; specifically, fingerprint-matching technology will be tested on 2,500 UK citizens. The bill was approved by MPs, but requires approval from the House of Lords before obtaining Royal Assent. UK Home Office Minister Tom McNulty said the country's proposed ID card system would be capable of checking three separate biometrics: facial, iris and fingerprints, which would include all 10 digits. Both MPs and Lords have expressed concern over the amount of personally identifiable data the cards will hold. In a separate story on using multiple biometrics, researcher John Daugman maintains that more is not always better; combining a strong biometric test with a weaker one can provide less reliable results
-http://www.theregister.co.uk/2005/10/17/mcnulty_fingers_id_problem/print.html
-http://www.silicon.com/publicsector/0,3800010409,39153530,00.htm
-http://www.silicon.com/publicsector/0,3800010409,39153604,00.htm
-http://www.theregister.co.uk/2005/10/19/daugman_multi_biometrics/print.html
John Daugman: Comparing Multiple Biometrics
-http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html
[Editor's Note (Schultz): It is good to learn that the UK Home Office is planning to first test the biometric system on the type of people who will have to interact with a system of this nature. Hopefully, the results of the testing will be available to the public. I predict that many more problems will surface than meet the eye. ]

EFF Cracks Color Laser Printer Codes (17 October 2005)

The Electronic Frontier Foundation has cracked codes embedded in certain color printers that are designed to help the government identity currency counterfeiters. Yellow dots arranged in grids on every color page printed by Xerox Corp.'s DocuColor color laser printers are visible only with the help of a magnifying glass or under blue light; certain dots correspond to printers' serial numbers as well as the date and time the document was printed.
-http://seattlepi.nwsource.com/business/1700AP_Printer_Tracking_Codes.html
(The second story on this page)
-http://www.eff.org/news/archives/2005_10.php
-http://www.eff.org/Privacy/printers/docucolor/
[Editor's Note (Shpantzer): Old news to people who know... It's also possible to tell if you used a specific camera for digital film based on the peculiarities of the CCD chip.]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/