SANS NewsBites Vol. 7 Num. 47
From: The SANS Institute (NewsBites sans.org)
Date: Tue Oct 25 2005 - 12:36:36 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*************************************************************************
SANS NewsBites October 25, 2005 Vol. 7, Num. 47
*************************************************************************
TOP OF THE NEWS
Legislators Disappointed with Lack of Progress in Critical Infrastructure Security
Exploit Code Posted for Oracle Flaw
Botnet Allegedly Controlled by Dutch Trio Comprised 1.5 Million Computers
********************** Sponsored by Bindview ****************************
Are You Prepared for the PCI-Data Security Standard? Join BindView for
a live Webcast where you will get an overview of the PCI-Data Security
Standard; how the standard's 12 major requirements impact IT; and how
automated solutions can help demonstrate compliance with these
requirements to satisfy an audit. Click
http://www.bindview.com/Events/GetEvents.cfm?NUM=1491&AD=AD-SANS1110WBNR-Q405
to register
*************************************************************************
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
Former Intermix CEO to Pay US$750,000 in Spyware Case
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Swedish Digital Media Bodies May Gather Suspected File-Traders' IP Addresses
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Botnet Client Detected
Another Microsoft Patch Proves Problematic
Cisco Customers Unaccustomed to Updates
STANDARDS & BEST PRACTICES
VoIPSA to Release Security Threat Taxonomy
STATISTICS, STUDIES & SURVEYS
More Than 80 Percent of DNS Servers May be Vulnerable to Pharming
MISCELLANEOUS
Software Identifies and Quarantines Computers Infected with Malware
UK Police to Add Facial Biometrics to Identification Systems
Schneier: Hold Manufacturers, Not Developers, Responsible for Unsecure Code
National Hi-Tech Crime Unit to Launch On-Line Safety Program for
Home Users and Small Businesses
UK Home Office to Test Biometrics in Anticipation of ID Card System
EFF Cracks Color Laser Printer Codes
**********************************************************************
Amazingly Effective Security Training Programs in Baltimore and San
Diego and Amsterdam and Ten Other Cities: Hacker Exploits,
Certification Training for DoD GIAC Cert requirements, more.
http://www.sans.org
************************ Sponsored Links *****************************
1) FREE CYA (Cover Your Apps) T-shirt from SPI Dynamics when you
evaluate WebInspect http://www.sans.org/info.php?id=905
2) Centrally managed, host-based firewall protection to proactively
secure your corporate network. Free NetOp trial available.
http://www.sans.org/info.php?id=906
3) Earn your Master's degree in Information Security from an NSA -
recognized online program. http://www.sans.org/info.php?id=907
***********************************************************************
TOP OF THE NEWS
--Legislators Disappointed with Lack of Progress in Critical
Infrastructure Security
(24/18 October 2005)
US legislators are unhappy with the lack of progress made in securing
the nation's critical infrastructure from cyber attacks. The Bush
administration has missed deadlines for developing a National
Infrastructure Protection plan, determining vulnerabilities and
identifying ways to address those vulnerabilities. Furthermore, Andy
Purdy, acting director of DHS' National Cyber Security Division, says
he has just two full-time staffers working on improving SCADA
(Supervisory Control and Data Acquisition) networks for critical
infrastructure facilities. Mr. Purdy told legislators that his
department will present the owners of critical infrastructure with
cost-benefit analyses for investing in SCADA security.
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801392_pf.html
http://www.eweek.com/print_article2/0,1217,a=163373,00.asp
[Editor's Note (Pescatore): NERC and others (NIST's Process Control
Security Requirements Forum, (PCSRF), the chemical industry Data
eXchange (CIDX), DHS' Process Control Security Forum (PCSF), the
American Gas Association (AGA)) have done a lot of the blocking and
tackling needed to move SCADA and process control systems requirements
to a higher level of security. Has the federal government taken any
steps to require these higher levels of security requirements from all
suppliers of power and energy to the government?
(Paller): There is evidence of movement toward rapid implementation of
improved security technology, in the form of the
multi-national/multi-sector SCADA Security Summit. That's where vetting
of the most promising technical solutions will be reviewed and drafting
of common procurement language will begin. By acting together using
common procurement specifications for secure SCADA systems, critical
infrastructure asset owners can persuade the vendors to deliver safer
systems very quickly. Information about the Summit will be posted on
Thursday, October 25. For a heads-up email when it is posted, send your
name and employer and email to info sans.org with the subject SCADA
Summit.]
--Exploit Code Posted for Oracle Flaw
(21 October 2005)
Exploit code for a buffer overflow vulnerability in some versions of
Oracle's database server is available on the Internet. The code
appeared on the Internet just days after the security update was
released on October 18. The exploit code could be used by attackers
with user credentials on vulnerable databases or remotely with the help
of an SQL injection attack to crash the database.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4625
http://www.computerworld.com/printthis/2005/0,4814,105615,00.html
http://isc.sans.org/diary.php?storyid=785
[Editor's Note (Hayler): The reverse-engineering of security patches to
develop exploits is now commonplace, and requires far less effort than
actually hunting for the flaws themselves.]
--Botnet Allegedly Controlled by Dutch Trio Comprised 1.5 Million Computers
(21 October 2005)
The number of Windows-based computers allegedly controlled by three
Dutch men arrested last month has turned out to be significantly greater
than was first believed. Law enforcement officials initially estimated
the number of compromised PCs ensnared in the botnet that they
reportedly built at 100,000, which made it the largest ever detected;
the number of compromised machines was later found to be 1.5 million.
http://www.vnunet.com/vnunet/news/2144375/botnet-operation-ruled-million
http://isc.sans.org/diary.php?storyid=778
[Editor's Note (Hoepman): These estimates are believed to be pretty much
unfounded guesswork.]
THE REST OF THE WEEK'S NEWS
SPYWARE, SPAM & PHISHING
--Former Intermix CEO to Pay US$750,000 in Spyware Case
(21 October 2005)
Brad Greenspan, former CEO and founder of Los Angeles-based Intermix
Media Inc., has agreed to pay US$750,000 in penalties and returned
profits to settle a case brought by New York Attorney General Eliot
Spitzer. Mr. Greenspan was accused of ordering Intermix employees to
bundle adware with other software; Intermix was accused of bundling
adware and spyware with other free programs, which caused the stealth
software to be installed, unbeknownst to consumers, on millions of
computers across the country. Spitzer sued Intermix in April; the
company agreed to pay US$7.5 million in penalties over three years to
settle; they also agreed to stop distributing adware.
http://www.consumeraffairs.com/news04/2005/ny_spyware.html
http://www.technewsworld.com/story/qJxm7qrYd4Lekx/Spitzer-Intermix-Ex-CEO-Agree-on-Settlement.xhtml
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Swedish Digital Media Bodies May Gather Suspected File-Traders' IP Addresses
(21 October 2005)
The Swedish branch of the International Federation of the Phonographic
Industry and Antipiratbyrån are no longer required to obtain permission
before gathering the IP addresses of Swedish citizens who are allegedly
sharing copyright-protected content. However, they would still need the
cooperation of ISPs.
http://www.theregister.co.uk/2005/10/21/hunt_for_swedish_filesharers/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--New Botnet Client Detected
(24 October 2005)
The Mocbot botnet client spreads by exploiting the same Microsoft
vulnerability exploited by the Zotob worm (the patch is described in
Microsoft Security Bulletin MS05-039). Mocbot attempts to connect to two servers
located in Russia, which are apparently down or overloaded. Mocbot does
not exploit the flaw addressed by Microsoft security bulletin MS05-047
as was previously suggested, although the exploit codes are similar.
http://www.theregister.co.uk/2005/10/24/pnp_botnet_encore/print.html
--Another Microsoft Patch Proves Problematic
(21 October 2005)
A problem with Microsoft's patch for a flaw in DirectShow, which was
described in Microsoft Security Bulletin MS05-050, could conceivably lead
users to apply the wrong patch. Users who have versions 8.0 or 9.0 of
DirectX (which contains DirectShow) could mistakenly apply the patch for
DirectX version 7.0 and be unaware that their systems are unprotected.
Last week Microsoft acknowledged that another one of the patches in its
October release could cause additional problems if users had changed
certain default settings.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39283303-39000005c
http://www.computerworld.com/printthis/2005/0,4814,105646,00.html
http://support.microsoft.com/kb/909596
http://isc.sans.org/diary.php?storyid=784
--Cisco Customers Unaccustomed to Updates
(20 October 2005)
Cisco CSO John Stewart says that because Cisco customers are
unaccustomed to updating their network hardware operating system on a
regular basis, many are still running old versions of the company's
Internetwork Operating System (IOS). Mr. Stewart says Cisco has not
adopted automatic patching because its customers do not want it. He
hopes that the outcome of an unexpected vulnerability disclosure earlier
this year will be that Cisco IOS users upgrade to the latest version to
protect their systems.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39217949-2000061744t-10000005c
[Editor's Note (Pescatore): The issue is more that it has been really,
really painful to update IOS. It isn't a patch action, it is a shut
down and reload the OS action, which is very disruptive to the network
and very manpower intensive. While the best solution is always better
software development processes to reduce vulnerabilities, software
vendors (and switch vendors ship a lot of software) have to invest a lot
to make the patch process easier and faster for their customers.
Microsoft learned this back during the worms of 2001 and now most
enterprises can patch Windows much, much faster with much less pain.]
STANDARDS & BEST PRACTICES
--VoIPSA to Release Security Threat Taxonomy
(24 October 2005)
The VoIP (Voice over Internet Protocol) Security Alliance will release
a Taxonomy Threat Model to help entities address policies regarding VoIP
deployment. VoIPSA includes members from the hardware, software and
telephone carrier industries. The taxonomy classifies and describes IP
telephony security threats. This should provide the "industry [with] a
common reference point to deal systematically with ... security issues."
The four broad "phyla" of the taxonomy are denial-of-service, traffic
modification, signal interception and bypass of refused content.
http://www.eweek.com/print_article2/0,1217,a=163371,00.asp
http://www.networkingpipeline.com/showArticle.jhtml?articleID=172303368&_loopback=1
[Editor's Note (Shpantzer): Before the era of mainstream VoIP, a hacker
got into HP's voicemail system and leaked a voicemail from HP's top
executive. Imagine what a months' worth of live VoIP conversations
would do in terms of damage or potential for extortion.
http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,70061,00.html ]
STATISTICS, STUDIES & SURVEYS
--More Than 80 Percent of DNS Servers May be Vulnerable to Pharming
(24 October 2005)
The results of a recent survey indicate that 84 percent of DNS servers
around the world might be vulnerable to pharming attacks, which use DNS
cache poisoning or domain hijacking to redirect Internet users to
specially crafted web sites designed to steal their personal
information. Some suggestions for protecting against DNS
vulnerabilities include splitting external name servers into
authoritative name servers and forwarders, and restricting recursion and
filtering traffic to and from external name servers.
http://www.theregister.co.uk/2005/10/24/dns_security_survey/print.html
http://dns.measurement-factory.com/surveys/sum1.html
http://isc.sans.org/presentations/dnspoisoning.php
[Guest Editor Note (Pescatore): In the interest of disclosure, this
survey was funded by a company that sells secure DNS servers. However,
most thorough security audits do find that the majority of DNS servers
have glaring vulnerabilities.
(Ullrich): I think this study is missing the point. Pharming, or DoS
attacks against misconfigured DNS servers, create part of the
problem, but the really big problem, instead, is that open recursive DNS
servers can be used to amplify DDoS attacks.
(Tan): DNS poisoning is not something new. It just becomes more apparent
when coupled with phishing and fraud attacks. Securing a DNS system isn't
rocket science. Protecting DNS/BIND has been one of the SANS Top 20 items
since the year 2000. The steps are detailed at http://www.sans.org/top20/.]
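The hardening advice above (restrict recursion, and keep external authoritative servers from recursing on behalf of arbitrary clients) has a simple observable test: a server that still recurses for anyone answers a recursive query with the RA flag set and data in the answer section, while a restricted one answers REFUSED, or a referral with RA clear. The Python below is an added example, not part of the newsletter or of the linked survey: it builds such a query, parses the reply header and classifies the result. The `SAMPLE_*` replies are constructed packets so the classifier runs offline; `probe()` is for servers you operate and assumes UDP/53 is reachable from where it runs.

```python
"""Classify how a DNS server treats a recursive query (added example).

Constructed sample replies stand in for three server behaviours; probe()
sends a real query to a server you run (assumption: UDP/53 reachable).
"""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Standard query for an A record with RD=1, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, flags, ancount):
    """Constructed reply: header only, which is all classify() reads."""
    return struct.pack("!HHHHHH", txid, QR | flags, 1, ancount, 0, 0)


def classify(response, txid=0x1234):
    """Read the reply header and say how the server handled our recursive query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    rcode = RCODE_NAMES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if flags & AA:
        verdict = "authoritative answer"     # name is in a zone it serves; recursion not exercised
    elif flags & RA and ancount > 0:
        verdict = "open recursive resolver"  # it recursed for us and offers to keep doing so
    elif not flags & RA:
        verdict = "recursion restricted"     # REFUSED, or a referral with RA clear
    else:
        verdict = "inconclusive"             # RA set but no data, e.g. SERVFAIL upstream
    return {"rcode": rcode, "ra": bool(flags & RA), "aa": bool(flags & AA),
            "answers": ancount, "verdict": verdict}


def probe(server, name="www.example.com.", timeout=2.0):
    """Query a server you operate over UDP and classify its reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return classify(data)


# Constructed replies for the three behaviours (header flag values noted).
SAMPLE_OPEN = build_response(0x1234, RD | RA, ancount=1)     # 0x8180: recursed, RA set
SAMPLE_REFUSED = build_response(0x1234, RD | 5, ancount=0)   # 0x8105: REFUSED, RA clear
SAMPLE_AUTH = build_response(0x1234, AA | RD, ancount=1)     # 0x8500: authoritative data

if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("authoritative", SAMPLE_AUTH)):
        print(label, classify(pkt))
```

Run `probe()` against each of your external name servers from an address outside your network: an authoritative server should come back as "recursion restricted" for names it does not serve, and only the internal forwarders should ever report "open recursive resolver". In BIND the settings behind that result are `recursion no;` on the authoritative servers and an `allow-recursion` list limited to internal address ranges on the forwarders.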
MISCELLANEOUS
--Software Identifies and Quarantines Computers Infected with Malware
(21 October 2005)
Researchers at the University of Indianapolis have developed software
that detects and quarantines PCs infected with spyware and viruses. The
software works by identifying unusual and suspicious traffic patterns,
identifying the machines involved and moving them to a closed virtual
LAN where users see a screen that explains the situation and describes
how to get help. One drawback is that the system currently does not
work with wireless devices. False positives amount to about one in 50
or 60 quarantined computers.
http://www.computerworld.com/printthis/2005/0,4814,105623,00.html
[Editor's Note (Pescatore): The University of Florida built software
called Icarus a few years ago that was similar, but more oriented
towards blocking P2P and file sharing storms. There are a lot of
commercial products that have come out since 2003 that provide similar
network access control functions and quarantining. A 2% false alarm rate
is pretty high - a 10,000 person company having 200 people per day
kicked off the network and calling the help desk would be a problem.]
--UK Police to Add Facial Biometrics to Identification Systems
(21 October 2005)
The UK's Police IT Organization plans to incorporate facial biometrics
into its systems to help identify criminal suspects more accurately.
The system currently uses fingerprints; PITO director of information
Fred Preston said the combined power of the two biometric methods will
help ensure that the right people go into and come out of prison. The
change is to take place over the next five years.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39232934-39020351t-10000013c
--Schneier: Hold Manufacturers, Not Developers, Responsible for Unsecure Code
(20 October 2005)
In response to Howard Schmidt's recent argument "that software
developers should be held personally accountable for the security of the
code they write," Bruce Schneier says the manufacturers, not the
developers, should be held accountable. Mr. Schneier argues that
security is not a technological problem, but an economic one; in order
for software security to improve, companies have to feel the economic
impact of offering a product with poor security. Currently, that cost
is borne by the consumers. If consumers had the ability to sue the
manufacturers, things might change.
http://www.wired.com/news/print/0,1294,69247,00.html
[Editor's Note (SCHMIDT): It is unfortunate that my comments were
reported inaccurately; at least Dan Farber has been trying to correct
the inaccurate reports with his blog http://blogs.zdnet.com/BTL/?p=2046.
I do not support PERSONAL LIABILITY for the developers NOR do I support
liability against vendors. Vendors are nothing more than people
(employees included) and anything against them hurts the very people who
need to be given better tools, training and support.
(Hoepman): Holding manufacturers responsible certainly changes the
economics of software production. Given the fact that bug-free code is
a holy grail, the question is whether some kind of due diligence limit
should be imposed (i.e., you will not be held liable if you can prove you
invested a reasonable effort to avoid bugs). Otherwise most software
manufacturers will quickly be out of business.
(Paller): Several leading organizations are already shifting some
rational level of responsibility to the vendors. They have inserted a
clause in their software procurement saying that "The vendor certifies
it has tested its software against the SANS Top 20 (www.sans.org/top20)
and that the software does not contain any of those widely known
vulnerabilities." Then if it is found to be vulnerable because of a
well-known vulnerability, the vendor has a contractual liability.
Similar language requiring other software tests and certifications is
also being used.]
--National Hi-Tech Crime Unit to Launch On-Line Safety Program for Home
Users and Small Businesses
(20 October 2005)
The UK's National Hi-Tech Crime Unit plans to launch an on-line safety
campaign called Get Safe Online aimed at businesses with fewer than 10
employees as well as on-line consumers. According to the NHTCU, these
two groups are the "most susceptible" to common security threats. Large
companies tend to make their employees more security-aware.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39232449-39020375t-10000025c
http://technology.guardian.co.uk/weekly/story/0,16376,1595598,00.html
[Editor's Note (Hayler): The UK National Infrastructure Security
Co-ordination Centre (NISCC) launched a similar program earlier this
year: http://www.itsafe.gov.uk/ Despite some early publicity, it is now
rarely mentioned in press reports or other places where the target
audience might see it. Let's hope this new initiative receives better
long term exposure.]
--UK Home Office to Test Biometrics in Anticipation of ID Card System
(24/20/17 October 2005)
The UK Home Office plans to test the accuracy of biometric technology;
specifically, fingerprint-matching technology will be tested on 2,500
UK citizens. The bill was approved by MPs, but requires approval from
the House of Lords before obtaining Royal Assent. UK Home Office
Minister Tom McNulty said the country's proposed ID card system would
be capable of checking three separate biometrics: facial, iris and
fingerprints, which would include all 10 digits. Both MPs and Lords
have expressed concern over the amount of personally identifiable data
the cards will hold. In a separate story on using multiple biometrics,
researcher John Daugman maintains that more is not always better;
combining a strong biometric test with a weaker one can provide less
reliable results.
http://www.theregister.co.uk/2005/10/17/mcnulty_fingers_id_problem/print.html
http://www.silicon.com/publicsector/0,3800010409,39153530,00.htm
http://www.silicon.com/publicsector/0,3800010409,39153604,00.htm
http://www.theregister.co.uk/2005/10/19/daugman_multi_biometrics/print.html
John Daugman: Comparing Multiple Biometrics
http://www.cl.cam.ac.uk/users/jgd1000/combine/combine.html
[Editor's Note (Schultz): It is good to learn that the UK Home Office
is planning to first test the biometric system on the type of people who
will have to interact with a system of this nature. Hopefully, the
results of the testing will be available to the public. I predict that
many more problems will surface than meet the eye.]
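Daugman's point that a strong biometric paired with a weaker one can be less reliable than the strong one alone is easy to see with error rates. The Python below is an added example, not from the newsletter or from Daugman's page: it assumes the two tests err independently, uses constructed FAR/FRR values (false accept rate: an impostor passes; false reject rate: a genuine user fails), and compares the OR and AND decision rules against the strong test on its own. It also goes one step beyond the text by showing a pairing of two comparably strong tests where combination does help.

```python
"""Error rates of two biometric tests combined by an OR or an AND rule (added example).

Assumes independent errors and uses constructed rates; strong/weak are
(FAR, FRR) pairs.
"""


def combine_or(far_a, frr_a, far_b, frr_b):
    """Accept if EITHER test accepts: an impostor is stopped only when both
    tests reject, and a genuine user is turned away only when both reject."""
    far = 1 - (1 - far_a) * (1 - far_b)
    frr = frr_a * frr_b
    return far, frr


def combine_and(far_a, frr_a, far_b, frr_b):
    """Accept only if BOTH tests accept: an impostor passes only when both
    tests err, and a genuine user is turned away when either rejects."""
    far = far_a * far_b
    frr = 1 - (1 - frr_a) * (1 - frr_b)
    return far, frr


def compare_with_strong_alone(strong, weak):
    """For each rule, the combined rates and which of them is worse than the
    strong test by itself."""
    far_s, frr_s = strong
    report = {}
    for rule_name, rule in (("OR", combine_or), ("AND", combine_and)):
        far, frr = rule(far_s, frr_s, *weak)
        report[rule_name] = {"far": far, "frr": frr,
                             "far_worse": far > far_s, "frr_worse": frr > frr_s}
    return report


def total_error(far, frr, cost_far=1.0):
    """Single figure of merit: FRR plus FAR weighted by how costly a false accept is."""
    return cost_far * far + frr


def rules_beating_strong_alone(strong, weak, cost_far=1.0):
    """Names of the rules whose combined total error is below the strong test's own."""
    baseline = total_error(*strong, cost_far)
    return [name for name, r in compare_with_strong_alone(strong, weak).items()
            if total_error(r["far"], r["frr"], cost_far) < baseline]


# Constructed rates: a strong test (very low FAR, modest FRR), a weak one,
# and a second test about as strong as the first.
STRONG = (1e-6, 0.01)
WEAK = (0.01, 0.05)
SECOND_STRONG = (1e-6, 0.001)

if __name__ == "__main__":
    for rule, r in compare_with_strong_alone(STRONG, WEAK).items():
        print("%s with weak partner: FAR=%.2e (%s) FRR=%.4f (%s)" % (
            rule, r["far"], "worse" if r["far_worse"] else "better",
            r["frr"], "worse" if r["frr_worse"] else "better"))
    print("rules beating strong alone, weak partner:",
          rules_beating_strong_alone(STRONG, WEAK))
    print("rules beating strong alone, strong partner:",
          rules_beating_strong_alone(STRONG, SECOND_STRONG))
```

With the constructed rates the OR rule drags the false accept rate up to the weak test's level (about 1 in 100) while shaving a little off the false rejects, and the AND rule does the mirror image on false rejects; under a combined error figure neither beats the strong test alone. Pairing two comparably strong tests under OR does beat it, which is why "more biometrics" only helps when the added test is not much weaker than the one already in use.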
--EFF Cracks Color Laser Printer Codes
(17 October 2005)
The Electronic Frontier Foundation has cracked codes embedded in certain
color printers that are designed to help the government identify
currency counterfeiters. Yellow dots arranged in grids on every color
page printed by Xerox Corp.'s DocuColor color laser printers are visible
only with the help of a magnifying glass or under blue light; certain
dots correspond to printers' serial numbers as well as the date and time
the document was printed.
http://seattlepi.nwsource.com/business/1700AP_Printer_Tracking_Codes.html
(The second story on this page)
http://www.eff.org/news/archives/2005_10.php
http://www.eff.org/Privacy/printers/docucolor/
[Editor's Note (Shpantzer): Old news to people who know... It's also
possible to tell if you used a specific camera for digital film based
on the peculiarities of the CCD chip.]
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDXmF8+LUG5KFpTkYRAre7AKChEX1LOTQUyW7JmrcFicYe6006EQCgl8/Y
wo8bIeJNCsuizvRRrHq68rs=
=h2lR
-----END PGP SIGNATURE-----