From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Dec 11 2002 - 10:53:12 CST

    ***********************************************************************
    SANS NewsBites December 12, 2002 Vol. 4, Num. 50
    ***********************************************************************

    VULNERABILITY DISCLOSURE POINT/COUNTERPOINT
    3 December 2002 ISS Publishes Vulnerability Disclosure Guidelines
      -- Bill Murray's Counterpoint
      -- Marcus Ranum's Counterpoint
      -- The Fisher Plan for Vulnerability Reporting (for NewsBites Reader
            Review)

    THE REST OF THE WEEK'S NEWS
    9 December 2002 Alleged DeCSS Author's Trial to Begin
    5 December 2002 Prosecution Rests in Elcomsoft DMCA Case
    9 December 2002 Israeli Police Arrest Man for Allegedly Stealing
                       80,000 Credit Card Numbers
    9 December 2002 Patching Is Insufficient As A Security Strategy
    5 December 2002 Microsoft Security Bulletins for IE, Outlook
    6 & 9 December 2002 Microsoft Changes Risk Rating for IE Vulnerability
                           to Critical
    9 December 2002 Samba Vulnerability
    6 December 2002 DMCA Public Comment Deadline
    6 December 2002 FBI Hiring More IT People
    6/7/9 December 2002 Feds Raid Ptech, Find No Evidence of Backdoors
                           in Software
    5 December 2002 Cyberterrorism Fears Feed Surveillance
    5 December 2002 Sophos Malware Statistics for 2002
    5 December 2002 Tower Records' Site Exposes Customer Data
    5 December 2002 Sydney Wildfires Threaten Cyber Infrastructure
    5 December 2002 Travel Companies' Systems Hacked
    5 December 2002 Lagel.A Worm Deletes Files
    3 December 2002 Texas Academic Hospitals' Security Found Wanting
    3 December 2002 No Fix Yet from RealNetworks
    3 December 2002 Distributed Denial of Service Attack Primer
    2 December 2002 Mastercard Develops Business Continuity Plan
    29 November 2002 Phreakers Manipulate Voice Mail Systems
    26 November 2002 CIO Tech Poll Indicates Security Spending Will
                        Increase in 2003
    4 December 2002 Asian Businesses Plan to Spend More on Security

    SECURITY TRAINING UPDATE
    SANS Cyber Defense Initiative Conferences in
    * San Francisco (Dec 15-20/02) - http://www.sans.org/CDI02
    * New Orleans (Jan 13-18/03) - http://www.sans.org/CDI03NewOrleans
    * Austin (Jan 12-17/03) - http://www.sans.org/CDI03Austin
    * San Antonio (Jan 25-30/03) - http://www.sans.org/CDI03SanAntonio
    feature SANS' most popular immersion training tracks, from Security
    Essentials to Auditing to Hacker Exploits, to Intrusion Detection
    to UNIX and Windows hardening. The instructors at these programs
    include all of SANS' top-rated faculty. San Francisco also features a
    special evening program for all attendees on Implementing a SANS/FBI
    Top Twenty vulnerability remediation program.
    *Also programs in Orlando, San Diego, Sydney, New York and Honolulu
    See http://www.sans.org

    ****** This Issue Sponsored by VeriSign - The Value of Trust **********

    Secure all your Web servers now - with a proven 5-part strategy. The
    FREE Server Security Guide shows you how:
    - DEPLOY THE LATEST ENCRYPTION and authentication techniques
    - DELIVER TRANSPARENT PROTECTION with the strongest security without
    disrupting users. And more.

    Get your FREE Guide now:
    http://www.verisign.com/cgi-bin/go.cgi?a=n06120109620057000

    ***********************************************************************

    VULNERABILITY DISCLOSURE COUNTERPOINT
    We lead this week with ISS's announcement of its own vulnerability
    disclosure guidelines.

     --3 December 2002 ISS Publishes Disclosure Guidelines
    Internet Security Systems (ISS) has published guidelines it will follow
    for public disclosure of software vulnerabilities. ISS has met with
    criticism over instances in which it released news of vulnerabilities
    to the public without giving the developers adequate time to address
    the problem. The guidelines are the same for both proprietary and
    open source software developers.
    http://www.computerworld.com/securitytopics/security/story/0,10801,76374,00.html
    Guidelines:
    http://documents.iss.net/literature/vulnerability_guidelines.pdf

    Bill Murray responds to ISS's proposed disclosure guidelines
    The general rule for vulnerabilities is "Tell me (early) but do not
    tell anyone else (even late)."

    The underlying rule of professional ethics dictates that one use
    conservatively all professional privileges, knowledge, skills,
    and abilities.

    This is the troubling part. "Unless other disclosure arrangements have
    been made with the vendor in advance, X-Force will publicly disclose
    after 30 days from the initial vendor notification." 30 days from
    vendor notification is at best arbitrary. For those vulnerabilities
    that simply result from programming errors, it may be adequate for
    publication of a simple fix. For those vulnerabilities that are more
    fundamental, design or invention may be required and 30 days may not
    be adequate. For those vendors with adequate resources and no higher
    requirements, 30 days may be adequate, for others not. However, one
    must also consider the users of the product. Their vulnerability
    goes up dramatically when ISS publishes, and a portion of 30 days
    may be totally inadequate even for individual response, much less
    for collective response.

    One's vulnerability is to some extent a function of the cost of
    attack to one's adversary. His cost is very different on the day
    after ISS publishes than it was on the day before. It seems clear
    to me that discovery confers responsibility and that responsibility
    confers some authority. However, it is arrogance for ISS to make
    this decision unilaterally when they profit but both the cost of the
    fix and the consequences of delay are paid by everyone else.

    Marcus Ranum responds to ISS's proposed disclosure guidelines.

    "I couldn't agree more. A minor amplification: since ISS _researched_
    the vulnerability - the issue is not "discovery" - it's not as
    if the Xforce was walking down the street and found it on the
    sidewalk. They LOOKED for it. In a sense, they CO-CREATED it. What
    these "vulnerability researchers" want nobody to realize is that they
    are digging these problems out of where they are buried and rubbing
    them in our faces. They ARE NOT PART OF THE SOLUTION; THEY ARE PART
    OF THE PROBLEM. If there was such a thing as a TRUE "vulnerability
    researcher," it would be someone who was working _within_ the vendor's
    organization, with access to source code, committed to quickly and
    quietly fixing bugs.

    The "grey-hat" hacker community has done a FANTASTIC job of marketing
    their approach as valuable and a community service.

    In fact, it is a gigantic scam that is used to market security products
    and services by keeping customers in a state of fear, uncertainty,
    and doubt. The ethics are clear; our hacker friends have managed to
    appeal to moral relativism and their own "helplessness to help in a
    productive manner" to excuse a slaughter of the innocents."

    The Fisher Plan - for NewsBites' Reader Review

    Discussions with Dennis Fisher, security reporter for eWeek magazine,
    have resulted in a preliminary plan for a new system of reporting,
    correcting, and providing public credit for finding vulnerabilities
    in information systems. The plan arose in the days following October
    2, 2002, when Richard Clarke told two hundred people attending the
    SANS/FBI Top Twenty Vulnerabilities briefing in Washington, "Look
    for vulnerabilities. If you find one, tell the vendors and if they
    are not responsive, tell the government." Dennis rightfully pointed
    out that the government is a large organization and connecting with
    the right person would be nearly impossible.

    Hence, the Fisher Plan: A reporting center for new vulnerabilities
    would be established, either inside the government or outside
    (that's one of the things that needs to be decided), along with
    reporting guidelines that require sufficient data to ensure the
    person doing the reporting has found something real.
    All reports will be recorded and immediately passed both to the vendor
    (which may have already received it from the person who found it)
    and multiple government or government-funded centers of excellence
    such as CERT/CC and the research group of the National Infrastructure
    Protection Center.

    The centers of excellence would identify how critical the vulnerability
    might be and would set a priority for correcting the problem. (The
    scale is yet to be determined but can be modeled after SANS Critical
    Vulnerability Analysis rating scale or the CERT/CC rating scale
    or both).

    Government officials will monitor the vendor's progress and exert
    appropriate high-level pressure on the vendors for rapid response of
    important vulnerabilities.

    When a method of eliminating the vulnerability is found, it will
    be published by the vendor and at the same time, the person or
    organization that found the vulnerability will be awarded both public
    recognition and a sum of money which may come from the government
    or may be provided by the SANS Institute. (Financial remuneration is
    controversial; your feedback would be appreciated.)

    That's the outline. We are interested in feedback from all readers,
    but especially from those people who have successfully discovered
    vulnerabilities in widely-used systems and software. Send your comments
    to info@sans.org with the subject "Fisher Plan."

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) ALERT! Outsmart Web Application Attackers - FREE 15-day WebInspect
    Download http://www.sans.org/cgi-bin/sanspromo/NB109

    (2) Download Now--NT OBJECTives Fire & Water FREE security toolkit
    http://www.sans.org/cgi-bin/sanspromo/NB110

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS
     --9 December 2002 Alleged DeCSS Author's Trial to Begin
    The trial of Jon Johansen, the Norwegian teenager accused of creating
    the DeCSS DVD encryption-breaking program, is set to begin. Johansen
    says he created the program so he could watch the DVDs he purchased
    on his Linux-based computer.
    http://zdnet.com.com/2100-1106-976510.html
    http://www.cnn.com/2002/TECH/biztech/12/09/dvd.kid.ap/index.html
    http://www.washingtonpost.com/wp-dyn/articles/A29266-2002Dec9.html

     --5 December 2002 Prosecution Rests in Elcomsoft DMCA Case
    Federal prosecutors rested their case against Elcomsoft, the Russian
    software company on trial for violating the Digital Millennium
    Copyright Act (DMCA) by selling a program that circumvents Adobe's
    e-book software.
    http://online.securityfocus.com/news/1743

     --9 December 2002 Israeli Police Arrest Man for Allegedly Stealing
                        80,000 Credit Card Numbers
    Israeli police have arrested Daniel Sternberg on suspicion of breaking
    into the computer system of an unnamed, large U.S. electronics
    company and stealing as many as 80,000 customer credit card numbers.
    The FBI is involved in the case as well.
    http://www.cnn.com/2002/TECH/internet/12/09/israel.hacker.ap/index.html

     --9 December 2002 Patching Is Insufficient As A Security Strategy
    Too many system and network administrators use standard installations
    and then try to patch their systems as time allows. Sadly that
    strategy is flawed. Only through careful secure configuration
    can administrators hope to have a defense worthy of the name.
    Most administrators do not have sufficient training to configure their
    systems safely and senior managers do not provide the leadership to
    allow them to get it.
    http://www.eweek.com/article2/0,3959,758258,00.asp

     --5 December 2002 Microsoft Security Bulletins for IE, Outlook
    Microsoft has issued two security bulletins, one a cumulative patch
    for Internet Explorer (IE) 5.5 and 6.0 and another for an e-mail
    header processing flaw in Outlook 2002. The Outlook patch requires
    prior installation of Office XP Service Pack 2. Microsoft met with
    criticism for rating both vulnerabilities "moderate;" the web object
    vulnerability in IE is quite serious.
    http://news.com.com/2100-1001-976206.html
    http://www.eweek.com/article2/0,3959,748736,00.asp
    IE Bulletin: http://www.microsoft.com/technet/security/bulletin/MS02-068.asp
    Outlook Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-067.asp
    [Editor's Note (Schultz): The more deserved and serious criticism
    is that Microsoft products have a plethora of security flaws that
    constantly need to be fixed--what a mess Microsoft has caused!]

     --6 & 9 December 2002 Microsoft Changes Risk Rating for IE
                            Vulnerability to Critical
    Microsoft updated its security bulletin (MS02-068) for a vulnerability
    in Internet Explorer 5.5 and 6.0, raising the risk rating from moderate
    to critical. The change came in response to comments made on Bugtraq.
    http://news.com.com/2100-1001-976440.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,76529,00.html
    http://www.eweek.com/article2/0,3959,754178,00.asp
    http://zdnet.com.com/2100-1105-976440.html

     --9 December 2002 Samba Vulnerability
    A security hole in Samba versions 2.2.2 through 2.2.6, inclusive,
    could allow an attacker to gain root control of a machine running
    the vulnerable and widely-used software. Patches are available from
    various Linux distribution developers, and Samba 2.2.7, which does
    not have the flaw, has been released.
    http://zdnet.com.com/2110-1105-976441.html
    http://us6.samba.org/samba/whatsnew/samba-2.2.7.html

     --6 December 2002 DMCA Public Comment Deadline
    The deadline for public comment on the Digital Millennium Copyright
    Act (DMCA) is December 18, 2002.
    http://www.pcworld.com/news/article/0,aid,107751,00.asp
    Comment form: http://www.copyright.gov/1201/comment_forms/index.html

     --6 December 2002 FBI Hiring More IT People
    Of the more than 900 special agents the FBI hired in the first
    nine months of 2002, about 100 were IT professionals; the FBI
    expects to hire even more computer-savvy agents in the coming year.
    Though special agent candidates usually need to have up to 10 years
    of experience in their fields, that requirement is being waived for
    computer science graduates.
    http://www.informationweek.com/story/IWK20021206S0022
    [Editor's Note (Schultz): It is good to see that the FBI is recognizing
    one of its most serious deficiencies--lack of technical skills--and
    is trying to do something about it.
    (Shpantzer): To qualify under the computer science exception to the
    work experience requirement, a candidate that has any bachelor's
    degree may substitute a CCNP or CCIE for a computer science degree.
    See www.fbijobs.com under Special Agent. There are also several
    support positions open for IT professionals that don't want to go on
    raids and make arrests. They are typically higher paying but do not
    offer the popular allure of 'the badge and the gun' that comes with
    being an agent in the field.]

     --6, 7 & 9 December 2002 Feds Raid Ptech, Find No Evidence of
                               Backdoors in Software
    Federal investigators raided Massachusetts software company Ptech based
    on suspicion that it had ties to al-Qaeda. Ptech sells software to
    federal agencies that conduct classified work; among their clients are
    the U.S. Air Force, the Federal Aviation Administration and the FBI.
    The company's software was searched for possible back doors, though
    none was found.
    http://www.computerworld.com/securitytopics/security/story/0,10801,76462,00.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,76487,00.html
    http://gcn.com/vol1_no1/security/20598-1.html
    http://www.washingtonpost.com/wp-dyn/articles/A20580-2002Dec6.html
    http://www.nipc.gov/publications/infobulletins/2002/ib02-011.htm
    http://www.gcn.com/vol1_no1/daily-updates/20603-1.html
    [Editor's Note (Murray): This is a troubling report. On the one
    hand, I have little confidence in the ability of the FBI or anyone
    else to vet more than a tiny bit of code for a backdoor in 72 hours.
    On the other hand, there seems to be little reason beyond coincidence
    to believe that one was ever present.]

     --5 December 2002 Cyberterrorism Fears Feed Surveillance
    Governments may be using the lurking possibility of cyberterrorism
    to ramp up surveillance programs that in turn impinge upon citizens'
    civil liberties. A cyber attack with a catastrophic effect would be
    much harder to launch than would a physical act of terrorism; there
    is fear that a cyber attack could be launched along with a physical
    attack, which could amplify the catastrophe.
    http://www.guardian.co.uk/online/story/0,3605,853535,00.html
    [Editor's Note (Schultz): The U.S. government raid on Ptech described
    in the previous story, on the alleged grounds that this company had
    ties with al-Qaeda, is just the beginning of the kind of trouble we
    are likely to see in the U.S. increasingly in the future.]

     --5 December 2002 Sophos Malware Statistics for 2002
    Sophos has published statistics for the most frequently reported
    malware during 2002. Top three were Klez, followed by Bugbear and
    Badtrans.
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,76408,00.html
    http://www.sophos.com/pressoffice/pressrel/uk/20021204yeartopten.html

     --5 December 2002 Tower Records' Site Exposes Customer Data
    A security hole in Tower Records' web site exposed customer data,
    including names, addresses and items purchased, for several hours
    last week. The flaw was in a script that placed customers' order
    numbers in a URL; by altering the numbers, others' data could be
    viewed. Credit card information was not exposed. Tower has changed
    their site so that customers must log in with a password and e-mail
    address before looking at their order information.
    http://news.com.com/2100-1017-976271.html
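The order-lookup flaw described above, as an added example that is not part of the newsletter or of Tower Records' code: a handler that keys only on the order number taken from the URL, beside one that ties the lookup to the logged-in customer, both run against a constructed order table to show how many orders each exposes to a caller walking the number range.

```python
from typing import Callable, Dict, Optional, Tuple


class Order:
    def __init__(self, order_id: int, owner_email: str, items: Tuple[str, ...]):
        self.order_id = order_id
        self.owner_email = owner_email
        self.items = items


# Constructed sample order table: three orders belonging to two customers.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice@example.com", ("CD: Album A",)),
    1002: Order(1002, "bob@example.com", ("DVD: Film B", "CD: Album C")),
    1003: Order(1003, "alice@example.com", ("Vinyl: Record D",)),
}


class NotAuthorized(Exception):
    pass


def lookup_order_vulnerable(session_email: Optional[str], order_id: int) -> Order:
    """The reported flaw: the order number from the URL is the only key used.
    The session is ignored, so changing the number in the URL returns another
    customer's order, and not being logged in changes nothing."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    return order


def lookup_order_hardened(session_email: Optional[str], order_id: int) -> Order:
    """The fix the page describes: require an authenticated customer and check
    that the order belongs to that customer. Unknown and foreign orders get the
    same answer, so the response does not reveal which order numbers exist."""
    if session_email is None:
        raise NotAuthorized("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner_email != session_email:
        raise NotAuthorized("no such order for this account")
    return order


def count_exposed(lookup: Callable[[Optional[str], int], Order],
                  session_email: Optional[str],
                  first: int = 1000, last: int = 1010) -> int:
    """Walk a range of order numbers, as the reported bug allowed, and count
    how many orders the given session (None = not logged in) can read."""
    exposed = 0
    for order_id in range(first, last + 1):
        try:
            lookup(session_email, order_id)
            exposed += 1
        except (KeyError, NotAuthorized):
            pass
    return exposed


if __name__ == "__main__":
    print("vulnerable, no login:", count_exposed(lookup_order_vulnerable, None))           # 3
    print("hardened, no login:  ", count_exposed(lookup_order_hardened, None))             # 0
    print("hardened, alice:     ", count_exposed(lookup_order_hardened, "alice@example.com"))  # 2
```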

     --5 December 2002 Sydney Wildfires Threaten Cyber Infrastructure
    Wildfires in and around Sydney, Australia are burning near or beneath
    major transmission lines, causing data loss and corrupted files.
    Businesses need to address this sort of event in their continuity
    plans.
    http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20270469,00.htm
    [Editor's Note (Shpantzer): UPS technology is often overlooked as it
    is not as 'sexy' as firewalls and IDS. Proper UPS deployment is one
    of the best investments in data integrity an organization can make,
    as power irregularities routinely damage hardware and crash critical
    applications such as databases.]

     --5 December 2002 Travel Companies' Systems Hacked
    A hacker broke into travel companies' computer systems and manipulated
    them to give cash refunds to credit cards he had taken out under
    fictitious names. Some suspect that former employees of a company
    that supplies software to travel firms are behind the thefts.
    http://www.ds-osac.org/view.cfm?KEY=7E475D434254&type=2B170C1E0A3A0F162820
    [Editor's Note (Murray): Real criminals, if not most rogue hackers,
    work at the application layer where the money is.]

     --5 December 2002 Lagel.A Worm Deletes Files
    The Lagel.A worm arrives as an executable e-mail attachment; if it
    is activated, it will delete files on D, E, F and G drives.
    http://zdnet.com.com/2100-1105-976187.html
    http://www.net-security.org/virus_news.php?id=138

     --3 December 2002 Texas Academic Hospitals' Security Found Wanting
    The Texas State Auditor's Office has found that weak security
    for computer systems at the state's academic hospitals could allow
    medical data to be accessed and altered and further, cyber intruders
    could disrupt systems that underlie healthcare at the facilities.
    The report did not detail the vulnerabilities, but the auditor's
    office did inform the various affected facilities.
    http://www.gcn.com/vol1_no1/daily-updates/20580-1.html

     --3 December 2002 No Fix Yet from RealNetworks
    RealNetworks still has not released a workable fix for vulnerabilities
    in its RealPlayer and RealOne products. A patch posted several
    weeks ago was taken down when the researcher who found the original
    buffer overflow flaws found that the patches themselves were flawed.
    The researcher has since found five additional buffer overflow flaws
    in the products.
    http://www.eweek.com/article2/0,3959,743317,00.asp

     --3 December 2002 Distributed Denial of Service Attack Primer
    This article describes what distributed denial of service (DDoS)
    attacks are and discusses ways to survive and prevent them.
    http://online.securityfocus.com/infocus/1647
    [Editor's Note (Murray): The article addresses ingress filtering
    without noting that the controls necessary to do this are best placed
    upstream from the target, for example at the ISP. It is silent
    on egress filtering. It does talk about community vigilance but
    neglects to give examples about how such vigilance can be automated.
    Our readers will want to have prior agreements with their ISPs and
    egress filtering to ensure that the origin addresses on packets that
    they send agree with the address of the system that sends them or,
    at least, are within their own address space.]
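Murray's egress rule, as an added example that is not part of the newsletter or of the cited article: a packet filter that forwards outbound packets only when the header source agrees with the sending system (strict) or at least lies within the site's own address space (loose), together with the mirror-image ingress rule for packets arriving from the ISP. The prefixes and packets are constructed sample data.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str                      # source address written in the IP header
    dst: str
    direction: str                # "out": leaving the site, "in": arriving from the ISP
    sender: Optional[str] = None  # address of the system that handed us the packet
                                  # (e.g. learned from its access port); None if unknown


# Constructed: the address space this site announces to its ISP.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:10::/48")]


def is_site_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES if net.version == ip.version)


def decide(pkt: Packet, strict: bool = False) -> str:
    """Return 'forward' or 'drop' for one packet.

    Egress ('out'): in strict mode the header source must equal the address of
    the system that sent the packet; otherwise it must at least lie within the
    site's own address space. Either way a packet with a forged source never
    leaves the site, so its hosts cannot feed a spoofed or reflected flood.
    Ingress ('in'): a packet arriving from upstream must not claim a source
    inside the site.
    """
    if pkt.direction == "out":
        if strict and pkt.sender is not None:
            return "forward" if pkt.src == pkt.sender else "drop"
        return "forward" if is_site_address(pkt.src) else "drop"
    if pkt.direction == "in":
        return "drop" if is_site_address(pkt.src) else "forward"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_filter(packets: List[Packet], strict: bool = False) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) under the chosen egress mode."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if decide(pkt, strict) == "forward" else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.9", "out", sender="198.51.100.7"),      # honest outbound
    Packet("198.51.100.9", "203.0.113.9", "out", sender="198.51.100.7"),      # forges a neighbour: loose passes, strict drops
    Packet("203.0.113.50", "192.0.2.1", "out", sender="198.51.100.7"),        # forges an outside source: dropped either way
    Packet("2001:db8:10::1", "2001:db8:20::2", "out", sender="2001:db8:10::1"),
    Packet("192.0.2.33", "198.51.100.7", "in"),                               # normal inbound
    Packet("198.51.100.200", "198.51.100.7", "in"),                           # outside packet claiming an inside source
]

if __name__ == "__main__":
    for strict in (False, True):
        fwd, drp = apply_filter(SAMPLE_PACKETS, strict)
        print(f"strict={strict}: forwarded {len(fwd)}, dropped {len(drp)}")
```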

     --2 December 2002 Mastercard Develops Business Continuity Plan
    Mastercard International is developing a disaster recovery plan that
    will comply with possible new Securities and Exchange Commission
    regulations that would require financial services to have a two-hour
    system recovery window. The back-up facility is likely to be several
    hundred miles from its data processing center so that people could
    drive there in several hours if necessary. They will also be able
    to control the site remotely.
    http://www.nwfusion.com/news/2002/1202mastercard.html

     --29 November 2002 Phreakers Manipulate Voice Mail Systems
    Phone phreakers figured out how to break into a certain brand of voice
    mail systems and reconfigure them to create new mailboxes from which
    they could make long distance calls. Businesses across the country
    have been affected by the problem.
    http://www.seacoastonline.com/news/rock/11292002/news/777.htm

     --26 November 2002 CIO Tech Poll Indicates Security Spending Will
                         Increase in 2003
    According to a poll conducted by CIO Magazine, CIOs plan to focus
    spending in 2003 on security and B2B2C initiatives. IT budgets are
    expected to increase 5.1% over the next year; more than half of the
    301 CIOs polled said they planned to increase their security spending
    in the next year.
    http://www2.cio.com/techpoll/1202_techreport.html

     --4 December 2002 Asian Businesses Plan to Spend More on Security
    A survey conducted by International Data Corp. (IDC) found that Asian
    businesses plan to increase their spending on Internet security to
    between 9 and 17% of their IT budget.
    http://www.hindustantimes.com/news/181_113846,0003.htm
    [Editor's Note (Paller): These numbers are not credible. They could
    reflect misclassification of costs (such as allocating all standard
    system administration and network management costs to security), or
    they could reflect self interest by security people putting down high
    numbers in hopes of persuading their management to spend more. Or,
    they could be accurate - but if they are accurate, Asian companies
    are spending three times as much as US and European companies.]

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit https://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.
