SANS NewsBites Vol. 6 Num. 7

From: The SANS Institute (NewsBites@sans.org)
Date: Wed Feb 18 2004 - 10:15:14 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Friday is the deadline for the early registration discount for SANS2004,
the largest security training conference. If you need a day or two
extra, email registration@sans.org and ask. There are sixteen tracks
at SANS2004 with special programs for auditors and techies ranging from
basic to the most advanced courses that can be found anywhere. And if
you have wanted your security and IT managers to get high level, but
practical knowledge about how to run a security program effectively,
SANS new Management Track (Track 12) is getting rave reviews.
Details: http://www.sans.org/sans2004

*************************************************************************
SANS NewsBites February 18, 2004 Vol. 6, Num. 7
*************************************************************************

TOP OF THE NEWS
  ASN.1 Vulnerability Exploit is Circulating
  Microsoft's ASN.1 Patch Lag Time Draws Mixed Reactions
  Software Flaw Caused Alarm Failure, Contributed to Blackout's Spread
  CA Employment Development Dept. Computer Security Breached
  Windows 2000 Code Leaked
  Windows Code Leak Investigation Focuses on Silicon Valley Company

THE REST OF THE WEEK'S NEWS
  Belgian Police Arrest Female Virus Writer
  IBM and Cisco Will Integrate Products
  DHS Inspector General to Study Department Systems
  Redbus Founder Charged with Blackmail and Interception of Communications
  China Developing Internet Emergency Response System
  New Framework Would Help Thwart Spammers
  Philippine Laws Inadequate to Prosecute Cyber Criminals
  Cisco's New WLAN Security Protocol
  FTC Warns that Anti-Spam Site is Not Affiliated with Government
  Flaw in Ticket Site Exposed Customer Data
  Increased Measures to Thwart Phishers in Singapore
  DHS Plans to Stop PADC
  Study Shows Companies Feel Spam is a Significant Security Threat
  FIPS 199 Takes Effect
  Programmer Posts Social Services Database On-Line
  Search Engines Find Secret Documents
  Sharman Networks to Challenge Court Order

VULNERABILITY UPDATES AND EFFECTS
  Ibiza Trojan Exploits IE Flaw; No Patch Yet Available
  Nachi.B Cleans Up After MyDoom
  Sophos Releases Upgrade for MIME Vulnerabilities
  Bluetooth Flaws Allow Data Theft, Phone Service Hijacking

BOOK REVIEWS
  Beyond Fear by NewsBites Editorial Board Member Bruce Schneier

*********************** Sponsored by Net IQ *****************************

Policy White Paper from NetIQ
Tired of constantly firefighting? You need a more proactive and
effective means of managing your vulnerable security systems for policy
and compliance. Get the answers you need now!
 
Download a free white paper from NetIQ on "Proactive Security Policy
Enforcement: A Practical Approach for the Enterprise."
http://www.netiq.com/f/form/form.asp?id=2381&origin=NS_Sans_021804

**********************************************************************
This Week's Featured Security Training Program:

Security managers and analysts, system and network administrators,
auditors and forensic analysts will each find immersion training focused
on their special needs, and all taught by the highest-rated instructors
in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004

*************************************************************************

TOP OF THE NEWS

 --ASN.1 Vulnerability Exploit is Circulating
(16 February 2004)
A denial-of-service exploit for a component of the recently acknowledged
Microsoft Abstract Syntax Notation 1 (ASN.1) flaw has been circulating
on the Internet; affected users are urged to apply the patch. The
vulnerability being exploited applies to Windows NT, Windows 2000,
Windows XP and Windows 2003 systems. The vulnerable dll is widely used
in authentication in these systems and exploitation of the vulnerability
can result in SYSTEM-level privileges, making this vulnerability a
particularly serious one.
http://www.theregister.co.uk/content/55/35592.html
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950665,00.html
http://www.gcn.com/vol1_no1/security/24946-1.html
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
[Editor's Note (Tan): It is only a matter of time until a worm is
released in the wild.]

 --Microsoft's ASN.1 Patch Lag Time Draws Mixed Reactions
(13 February 2004)
Microsoft first learned of the ASN.1 vulnerability in late July 2003;
the patch for the flaw was released on February 10, 2004. Some
researchers say that 200 days is far too long a time to wait. Others
say that Microsoft needed the time to ensure the quality of the patch.
Still others say that Microsoft placed too much importance on other,
less critical vulnerabilities and could have released this fix sooner
if it had shifted its priorities.
http://news.com.com/2102-1002_3-5158625.html?tag=st.util.print
[Editor's Note (Schneier): The claim is that Microsoft will release no
patch before its time. Does it really take 200 days to write a "quality
patch"? Apple released a major patch in its iTunes player within 24
hours. What's up with that?
(Northcutt): The rabbit runs deeper than this and the underlying problem
is almost certainly far bigger than the Microsoft ASN.1 implementation.
The first time Alan and I knew about ASN.1 problems was Feb. 2002 when
Andrew Baker, H.D. Moore, Marty Roesch, Glen Sharlun and I pulled an
all nighter with an impromptu test lab at the SANS Monterey Bootcamp.
We ran the Protos (SNMP coding fault) toolkit on a bunch of operating
systems and imagine our surprise when we traced one of the seg faults
back to an ASN.1 library call. We reported it in the appropriate
fashion to the authorities.
(Guest Editor Marcus Sachs): And it gets worse... ASN.1 Basic Encoding
Rules (BER) are used in a multitude of applications including cell phone
calls, Signaling System 7 (SS7), air traffic control systems, package
tracking, SCADA systems, X.9 financial transaction protocols, public
key cryptographic standards, voice over IP, video teleconferencing,
messaging systems, and public directory protocols. Each of these areas
is prone to errors caused by the way the ASN.1 BERs are implemented.
The US Federal Government is very aware of this issue and has been
quietly working to find and isolate as many as possible.
Ironically, Microsoft has a nice knowledge base article about ASN.1 -
last updated in Dec 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-%20us;252648
No mention of security issues.]

 --Software Flaw Caused Alarm Failure, Contributed to Blackout's Spread
(11/13 February 2004)
A software bug in GE Energy's XE/21 system caused an alarm system
failure at FirstEnergy's Akron, Ohio control center in August 2003.
The flaw turned up during an extensive code audit in the weeks following
last summer's blackout in the northeastern United States. A FirstEnergy
spokesman says they have applied fixes to the software and are "stepping
up plans to replace the system" entirely.
http://www.securityfocus.com/printable/news/8016
http://www.cnn.com/2004/US/Northeast/02/13/blackout.ap/index.html
[Editor's Note (Schneier): I have long assumed that the blackout was
caused by a cascade of failures, and I have suspected Blaster as being
part of that mix:
http://www.schneier.com/crypto-gram-0312.html#1]

 --CA Employment Development Dept. Computer Security Breached
(13 February 2004)
After a state agency computer's security was compromised, the California
Employment Development Department sent letters to people whose personal
information was on the affected computer, telling them their data may
have been viewed by an intruder. There is no evidence that any personal
information was accessed or abused. However, a California law enacted
last summer requires that people be informed in the event of a computer
security breach involving unencrypted personal data.
http://news.com.com/2102-7355_3-5158936.html?tag=st.util.print

 --Windows 2000 Code Leaked
(13 February 2004)
Microsoft is working with law enforcement authorities to investigate
the posting of Windows 2000 and NT source code on the Internet. There
does not appear to have been a breach of internal Microsoft security or
of the Microsoft corporate network. The amount of code (600MB) that has
been posted accounts for only a small portion of the operating system
leading some (Microsoft included) to claim that the resulting danger is
minimal.
http://news.bbc.co.uk/1/hi/technology/3486011.stm
http://www.computerworld.com/printthis/2004/0,4814,90200,00.html
http://www.cnn.com/2004/TECH/biztech/02/13/microsoft.source/index.html
http://www.washingtonpost.com/ac2/wp-dyn/A38314-2004Feb12?language=printer
[Editor's Note (Schultz): Events such as this one show that the
arguments of those who say that proprietary systems are inherently more
secure than open source systems because the code is not available for
public inspection are flawed. Sooner or later proprietary source code
gets leaked, as has happened here. I'm not claiming that open source
systems are more secure, but rather am just pointing out that relying
on the proprietary nature of source code for security in reality amounts
to little more than "security by obscurity."
(Schneier): I'm not sure how big a difference this code leak is going
to make in the long run. It's not as if there's any shortage of Windows
vulnerabilities to exploit even without access to source code. More
interesting will be to see if it's true, as has long been rumored, that
Microsoft includes undocumented features to make life more difficult
for competitors.]

 --Windows Code Leak Investigation Focuses on Silicon Valley Company
(13/16 February 2004)
Investigation into the source of the code leak points to a Silicon
Valley company called Mainsoft. Analysis of the leaked code indicates
it is the same code that the company had permission to view. An exploit
that takes advantage of the leaked code has appeared on a security
mailing list.
http://www.eweek.com/print_article/0,3048,a=119112,00.asp
http://news.bbc.co.uk/1/hi/technology/3491887.stm
http://www.securityfocus.com/news/8060
[Editor's Note (Schultz): I don't think that the exploit that has
surfaced so far is really all that significant. A far greater concern
is the exploits that will follow--ones that will be incorporated into
code for a new worm.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) WHITE PAPER - Spam threatens network security. Learn how to protect
   your enterprise. REQUEST:
http://www.sans.org/cgi-bin/sanspromo/NB296

(2) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/cgi-bin/sanspromo/NB297

(3) From SANS: HIPAA Security Implementation is a step by step guide
for IT staff of hospitals. Thorough and extremely cost effective.
https://store.sans.org/store_item.php?item=117

***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Belgian Police Arrest Female Virus Writer
(16 February 2004)
Belgian police have arrested a 19-year-old woman suspected of being a
virus writer. She has been charged with computer data sabotage and
could face up to three years in prison and a fine of up to 100,000 EUR.
If she is guilty of the allegations, she may be the first person to
write a virus or worm in the C# programming language.
http://www.theregister.co.uk/content/56/35580.html

 --IBM and Cisco Will Integrate Products
(13 February 2004)
IBM and Cisco will integrate a number of their products to improve
defenses against network threats and simplify tasks such as security
policy compliance.
http://www.infoworld.com/article/04/02/13/HNibmciscosecurity_1.html
http://news.com.com/2102-7347_3-5158689.html?tag=st.util.print
http://www.computerworld.com/printthis/2004/0,4814,90202,00.html
 
 --DHS Inspector General to Study Department Systems
(13 February 2004)
The IT Office of the Inspector General of DHS plans to study wireless
security policies and practices within the department, risk assessment
of mainframe computer operations and cyber security programs.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24940

 --Redbus Founder Charged with Blackmail and Interception of Communications
(13 February 2004)
Officers of the UK's National Hi Tech Crime Unit (NHTCU) have charged
Redbus Interhouse founder Cliff Stanford with conspiracy to blackmail
and violations of the RIPA Act 2000 (Regulation of Investigatory Powers
Act 2000). Stanford and George Nelson Liddell stand accused of breaking
into Redbus e-mail systems. Stanford co-founded Redbus Interhouse in
1999 but resigned in 2002.
http://www.theregister.co.uk/content/55/35561.html

 --China Developing Internet Emergency Response System
(13 February 2004)
Lu Chengzhao, deputy director-general of the office of China National
Network and Information Security Coordinating group, says The People's
Republic of China is developing a public Internet emergency response
system. It is expected to be complete in five years.
http://fpeng.peopledaily.com.cn/200402/13/print20040213_134785.html

 --New Framework Would Help Thwart Spammers
(12 February 2004)
A group called SMTP+SPF has published a draft of Sender Policy Framework
(SPF) which aims to "improve the SMTP protocol that governs e-mail
traffic." SPF would prevent address spoofing and SMTP server hijacking.
The group hopes to put the framework on the fast track to Internet
Engineering Task Force (IETF) approval so it can quickly become a
standard.
http://www.eweek.com/print_article/0,3048,a=119042,00.asp
[Editor's Note (Tan): I wonder how widely this will be adopted when it
is based on a whitelisting system. Maintaining such a system is not
easy.]

 --Philippine Laws Inadequate to Prosecute Cyber Criminals
(12 February 2004)
Philippine law enforcement officials say current laws are not adequate
to prosecute cyber criminals. The country's Information Technology and
E-commerce Council is "pushing [for] a cybercrime law that would put
more teeth to existing laws on cybercrime."
http://www.inq7.net/inf/2004/feb/13/text/inf_1-1-p.htm
[Editor's Note (Schultz): The Philippines is only one of many countries
in the world without adequate cybercrime legislation. Such countries
comprise significant weak links in the fight against cybercrime.]

 --Cisco's New WLAN Security Protocol
(12 February 2004)
Cisco has submitted a draft of a WLAN security protocol to the
Internet Engineering Task Force (IETF). The protocol, Extensible
Authentication Protocol-Flexible Authentication via Secure Tunneling
(EAP-FAST), is designed to defeat dictionary attacks against unencrypted
passwords.
http://www.computerworld.com/printthis/2004/0,4814,90163,00.html
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1028

 --FTC Warns that Anti-Spam Site is Not Affiliated with Government
(12 February 2004)
The US Federal Trade Commission (FTC) issued a press release warning
people that http://www.unsub.us, a web site that promises to reduce
spam, is not affiliated with the government and could potentially result
in an increased volume of spam for those who submit their e-mail
addresses.
http://www.washingtonpost.com/ac2/wp-dyn/A37291-2004Feb12?language=printer

 --Flaw in Ticket Site Exposed Customer Data
(12 February 2004)
Australia's Ticketmaster 7 web site contained a flaw that allowed
visitors to view other customers' information. Ticketmaster 7 says it
has closed down the service, which allowed people to view other people's
personal information simply by changing numbers in a URL.
http://australianit.news.com.au/common/print/0,7208,8660706%5E15331%5E%5Enbv%5E15306%2D15318,00.html
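The Ticketmaster 7 flaw described above is a classic insecure direct object reference: the record number in the URL was the only key used to fetch a customer's data, so any visitor could walk through other customers' records by editing that number. The following is an added illustration, not Ticketmaster's code, with constructed sample bookings and a hypothetical `/booking?id=N` handler; it shows the unchecked lookup beside the corrected one, which verifies that the session user owns the record before returning it.

```python
"""Insecure direct object reference: an id taken from the URL is used as the
only key, so changing the number reveals another customer's data.
Added example with constructed data; not the ticket site's own code."""

from dataclasses import dataclass, asdict
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Booking:
    booking_id: int
    owner: str        # authenticated account that made the booking
    event: str
    card_last4: str   # the kind of personal data the flaw exposed


# Constructed sample records standing in for the site's database.
BOOKINGS = {
    1001: Booking(1001, "alice", "Opera, 3 March", "4242"),
    1002: Booking(1002, "bob", "Football, 6 March", "1111"),
}


class Forbidden(Exception):
    """Raised when the session user is not the owner of the requested record."""


def view_booking_vulnerable(booking_id: int, session_user: str) -> Booking:
    """The flawed pattern: the record is fetched by URL id alone and the
    logged-in user is never consulted, so any id returns any customer."""
    return BOOKINGS[booking_id]


def view_booking_fixed(booking_id: int, session_user: str) -> Booking:
    """The corrected pattern: fetch, then enforce ownership. Unknown ids and
    other users' ids are treated identically so the response does not
    confirm which record numbers exist."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not view booking {booking_id}")
    return booking


def handle_request(url: str, session_user: str, handler=view_booking_fixed):
    """Minimal request handler (hypothetical): parse the id out of a URL such
    as '/booking?id=1002', dispatch to the lookup, and return (status, body)."""
    query = parse_qs(urlsplit(url).query)
    raw_id = query.get("id", [""])[0]
    if not raw_id.isdigit():
        return 400, {"error": "bad id"}
    try:
        booking = handler(int(raw_id), session_user)
    except (Forbidden, KeyError):
        # One generic refusal for both "not yours" and "does not exist".
        return 403, {"error": "forbidden"}
    return 200, asdict(booking)


if __name__ == "__main__":
    # alice edits the number in her URL and asks for bob's booking
    print(handle_request("/booking?id=1002", "alice", view_booking_vulnerable))
    print(handle_request("/booking?id=1002", "alice"))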

 --Increased Measures to Thwart Phishers in Singapore
(11 February 2004)
The Singapore Network Information Centre (Sgnic) has started taking
steps to ensure that the .sg domain name is not abused by phishers.
Domain name applicants are required to submit documents from
professional organizations such as the Registry of Companies and
Businesses. Local registrars have also taken protective steps: one goes
through each domain name application in order to spot suspicious
registrations. Applicants requesting suspicious sounding domain names
are sent letters politely asking them why they are interested in such
a name.
http://computertimes.asia1.com.sg/news/story/0,5104,1967,00.html?

 --DHS Plans to Stop PADC
(11 February 2004)
Deputy director of the United States Computer Emergency Response Team
(US CERT) Lawrence Hale says the Homeland Security Department (DHS) will
stop offering the Patch Authentication and Dissemination Capability
(PADC) service. Hale says that commercial alternatives to PADC offer
better support.
http://www.fcw.com/fcw/articles/2004/0209/web-patch-02-11-04.asp

 --Study Shows Companies Feel Spam is a Significant Security Threat
(11 February 2004)
A study on the effects of spam on organizations commissioned by Network
Associates found that 90% of companies surveyed believed spam makes them
more vulnerable to security threats. 97% of the companies felt that
antispam technology should be part of their security plans.
http://zdnet.com.com/2102-1105_2-5157275.html?tag=printthis

 --FIPS 199 Takes Effect
(10 February 2004)
The Commerce Department has approved a new Federal Information
Processing Standard for categorizing security risks to government
information and information systems. The National Institute of
Standards and Technology (NIST) developed FIPS 199, which took effect
on February 10, under the Federal Information Security Management Act
(FISMA).
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24908
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

 --Programmer Posts Social Services Database On-Line
(10 February 2004)
A contract programmer working for Livingston County, NY placed a
confidential database on line because he needed technical help. The
database, which contained Social Services department information, has
been removed from the Internet, and the programmer has been suspended
without pay. The county has contacted affected families and plans to
"do things a little differently [when it comes to] outsourcing this type
of work."
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24918

 --Search Engines Find Secret Documents
(9 February 2004)
Documents and data that organizations believe are secret or private turn
up surprisingly often in Internet searches; the information is
accessible because of misconfigured servers, security holes and human
error. Once a web page has been found by a search engine, it is nearly
impossible for it to return to its former obscurity.
http://www.washingtonpost.com/ac2/wp-dyn/A24053-2004Feb8?language=printer
[Editor's Note (Tan): The good thing is that if you lose a document,
you might be able to get it back using the search engine. : )
(Shpantzer): The robots.txt file is a double-edged sword. While it may
be a good way to keep ethical search companies from crawling specific
parts of your website, it also gives clues to snoops as to which areas
of the server are deemed too sensitive for public consumption.]

 --Sharman Networks to Challenge Court Order
(9 February 2004)
Attorneys for KaZaA parent company Sharman Networks say the company
plans to challenge the validity of the court order used to seize
evidence from corporate offices, service providers and the homes of
company executives.
http://news.com.com/2102-1027_3-5156239.html?tag=st.util.print

VULNERABILITY UPDATES AND EFFECTS
 --Ibiza Trojan Exploits IE Flaw; No Patch Yet Available
(13 February 2004)
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950421,00.html

 --Nachi.B Cleans Up After MyDoom
(12 February 2004)
http://www.pcpro.co.uk/news/news_story.php?id=53533
http://news.com.com/2102-7355_3-5158436.html?tag=st.util.print
http://www.gcn.com/vol1_no1/security/24929-1.html

 --Sophos Releases Upgrade for MIME Vulnerabilities
(12 February 2004)
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&newsid=1023

 --Bluetooth Flaws Allow Data Theft, Phone Service Hijacking
(11 February 2004)
Tools for bluesnarfing, or stealing data from Bluetooth enabled phones,
are circulating on the Internet.
http://www.computerworld.com/printthis/2004/0,4814,90131,00.html
http://www.zdnet.com.au/news/communications/print.htm?TYPE=story&AT=39116165-2000061791t-10000003c

BOOK REVIEWS
 --Beyond Fear by NewsBites Editorial Board Member Bruce Schneier
(11 February 2004)
http://www.theregister.co.uk/content/55/35499.html

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAM4W8+LUG5KFpTkYRAtZ6AJ9oqep10xw0wYBb3NX1Zuf4cb7AAQCgl+gG
IbxUlnpeRyF5w6XfUHgaW+U=
=9VSh
-----END PGP SIGNATURE-----