From: Ed DeJesus [mailto:dejesus@compuserve.com] 
Sent: Monday, October 13, 2003 1:10 PM
To: ed.dejesus@Baltimore.com
Subject: SECURITY WIRE DIGEST, VOL. 5, NO. 77, OCTOBER 13, 2003


SECURITY WIRE DIGEST, VOL. 5, NO. 77, OCTOBER 13, 2003
Security Wire Digest is a newsletter published by Information 
Security, the industry's leading source of security news and 
information.

For daily news, please visit our sister site, SearchSecurity 
(http://www.searchsecurity.com).

IN THIS ISSUE:
*Exploit Code Targets Recent RPC Flaws
*nmap Gains Service Identification Features 
*Group Pushes Cyber/Physical Security Integration 
*P2P, Open SSL Make List of Biggest Internet Security Holes 
*Tech Unit Examines Viruses for Authors' Identities 
*SEC Links College Student to Illegal Trade 

SECURITY PERSPECTIVES
*Microsoft Smears Lipstick On a Pig

MARKET MONITOR

TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE

=====================================================

SECURITY WIRE DIGEST IS SPONSORED BY: DataPower XML Web 
Service Security

XML Web Services security keeping you up at night?

XML Web Services present new security threats to the most 
important apps. XML/SOAP was specifically designed to tunnel 
through the firewall, requiring a new layer of XML-aware 
security gateways to provide filtering, access control, XDoS 
protection, XML DSIG and other essential security functions. 
DataPower pioneered the hardware-based approach to XML Web 
Services security, freeing its customers from software 
install headaches and performance problems.

Click here for XML Web service security whitepapers and Webcasts on 
XML security topics ranging from introductory to advanced 
technical content.

http://www.datapower.com/m/isnl1013.html

=====================================================

*EXPLOIT CODE TARGETS RECENT RPC FLAWS
Long-anticipated exploit code targeting the most recent 
Microsoft RPC vulnerabilities is circulating and may 
compromise even patched XP systems. Other versions of Windows 
might be vulnerable but haven't been tested.

"This code is a universal exploit, which means that it can be 
used against any version of Windows that is not patched," 
says Aaron Schaub, a security analyst at intelligence firm 
TruSecure. "However, there have been unconfirmed reports that 
it will still work against Windows XP SP1 even with all 
additional security updates installed."

The code exploits a slight variant in the RPCSS (the Remote 
Procedure Call portmapper, which directs traffic for 
different services using RPC) vulnerability documented in 
Microsoft Security Bulletin MS03-039.

Experts report seeing increased activity on TCP port 135, 
which is associated with the vulnerable service.

If the exploit works against fully patched Windows XP 
systems, the best defense against the attack is to turn off 
the service, if possible. Windows XP uses this service 
extensively and turning it off isn't a viable option in many 
situations. If the service can't be turned off, the use of 
firewalls or access control lists to restrict access to 
vulnerable systems can reduce the chances of attack, says Schaub.

A patch was released to correct the "Buffer Overrun In RPCSS 
Service Could Allow Code Execution" (MS03-039) 
vulnerabilities; which deal with RPC messages for DCOM 
activation. According to Microsoft, two of the flaws could 
allow arbitrary code execution; and the third could result in 
a denial of service. The flaws affect Windows NT 
4/2000/XP/Server 2003 and result from incorrect handling of 
malformed messages.

Many security experts have speculated that the release of a 
worm using this code could come at any time. In August, the 
prolific Blaster worm ripped through networks worldwide by 
exploiting a similar RPC/DCOM vulnerability for which a patch 
had been released more than three weeks before. 
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp


*NMAP GAINS SERVICE IDENTIFICATION FEATURES
How can nmap, the popular network port scanning utility, top 
its appearance in "Matrix Reloaded" under the able fingers of 
Carrie-Anne Moss? By adding features such as optional 
detection of services, including version number.

The new version of nmap improves its prowess at exploring 
networks and supporting security audits. Nmap can still scan 
ports in stealth mode, rapidly pinging multiple hosts in 
parallel to test which ones are available.

"The big news for the recent release is a new version 
detection capability to determine what service protocol is 
running on a port," reports Fyodor Vaskovich, CTO of 
Insecure.org. "In many cases, it can determine the 
application name and version number as well." This is 
especially useful for administrators of the "security by 
obscurity" school who assign non-default ports to services. 
Nmap can also handle SSL encryption and support IPv6.

Nmap is available for Windows and many UNIX flavors (plus 
handhelds like HP's iPAQ and Sharp's Zaurus), in both GUI and 
command-line modes. No word yet on whether the new nmap will 
have a role in "Matrix Revolutions." http://insecure.org/nmap 


*GROUP PUSHES CYBER/PHYSICAL SECURITY INTEGRATION
A plan to consolidate physical and cybersecurity information 
is currently being reviewed by the Security Industry 
Association's (SIA) Standards Committee.

Called the Physical Security Bridge to IT Security 
Specification (PHYSBITS), Forrester analyst Steve Hunt says 
such integration is "onerous to impossible. It's almost 
impossible to perform anything other than aggregation of 
events or comparing physical intrusion event data to logical 
intrusion event data."

PHYSBITS was created by the Open Security Exchange (OSE), a 
group of security manufacturers and suppliers--founders 
include Computer Associates, Tyco and smart card 
companies--formed to push new cyber/physical security 
standards, or simplify existing ones. OSE Executive Director 
Eric Maurice says that within eight months OSE should release 
data standards.

The ultimate goal is to close the gap between physical and 
cybersecurity practices. For example, while a large number of 
closed-circuit surveillance cameras available today transmit 
video via IP networks, they don't transmit or store 
information in a standard way, making it tough to tackle "the 
vulnerabilities...the risks related to session hijacking [or] 
authenticating to this camera," says Maurice. PHYSBITS would 
give companies a way to enforce a total security policy.

Hunt, who recently joined the OSE board, notes that "it's 
initiatives like OSE that will move us toward a more 
efficient and effective security architecture." 
http://www.opensecurityexchange.org/press/pr20031002.html

=====================================================

*ADVERTISEMENT*

STOP SPYWARE. RECLAIM BANDWIDTH. PROTECT YOUR DATA.

Spyware knows no boundaries. It infiltrates enterprises, 
stealing confidential data and using up network bandwidth. 
Now you can stop spyware and reduce help desk calls with a 
single solution: Integrity. To learn more, download Zone 
Labs' FREE white paper, "How to Stop Spyware."

http://altfarm.mediaplex.com/ad/ck/2955-16655-6930-0

=====================================================

*P2P, OPEN SSL MAKE LIST OF BIGGEST INTERNET SECURITY HOLES 
Peer-to-peer file sharing and Open SSL are finally getting 
their due--landing on this year's Top 20 Most Critical 
Internet Security Vulnerabilities list created by the SANS 
Institute. Others, like Microsoft's IIS Server and Unix's 
Sendmail, are more obvious entries since they are among the 
computing world's most popular programs.

The recently released list is intended to help security 
managers prioritize their own security programs by seeing 
what security experts worldwide deem the biggest threats 
requiring immediate attention.

Other vendors have their own vulnerability lists, but the 
SANS rundown focuses on flawed services, applications and 
practices, rather than malware that exploits them. Its 
authors have also compiled a detailed analysis of how 
specific vulnerabilities affect each service.

"The list can be used as a benchmark to measure one's 
security against," said Gerhard Eschelbeck, VP of engineering 
at Qualys, which offers a scanning tool for finding 
vulnerabilities. "There are 20 classes of vulnerabilities in 
the SANS list, which represent over 300 specific vulnerabilities."

There are plenty of new vulnerabilities on the list, 
including in Outlook and Outlook Express. But given the 
publicity surrounding exploits of these programs, their 
inclusion isn't surprising.

Also included are programs like Windows Remote Access 
Services, which include flaws in Remote Procedure Calls (RPC) 
that spawned the Blaster and Nachi worms this summer. RPC was 
also highlighted on the Unix list, as was Sendmail, the BIND 
Domain Name System and the Apache Web server.

For a complete list and remediation tips: 
http://isc.sans.org/top20.html


*TECH UNIT EXAMINES VIRUSES FOR AUTHOR IDENTITIES
We already know that virus and worm code sometimes reveals 
telltale details about its author. Now a British crime unit 
wants to see if these writers have links to terrorist organizations.

Britain's National High-Tech Crime Unit (NHTCU) has been 
working with antivirus vendors to examine malicious code for 
clues as to who or what the malware is targeting. In 
particular, NHTCU wants to know if there's a link between 
cyberattacks and extremist groups, according to news reports.

The group will be hard-pressed to find any answers, says 
Graham Cluley, senior technology consultant for antivirus 
vendor Sophos.

Despite the 85,000 viruses in existence, notes Cluley, "there 
have been very few virus writers actually caught," and then 
it's usually because of malware-writer stupidity. For 
example, accused Blaster variant writer Jeff Parson, 18, of 
Minnesota reportedly left his Web site address in the code.

"This idea that we would look in the code and see if it was 
written by a terrorist or teenager is very hard to 
do...there's nothing that 's going to say copyright Al-Qaeda 
2003." And if it does, is it true? asks Cluley.

The NHTCU was unavailable for comment on its motives or 
methodology. But Det. Chief Superintendent Len Hynds, who 
heads the unit, told Reuters news service, "It's a tactic 
that could be utilized. We've seen legitimate programs used 
in a way that allows people to have remote access to 
compromised systems. And similarly, viruses, Trojans and 
worms can be used by organized crime to launch attacks."


*SEC LINKS COLLEGE STUDENT TO ILLEGAL TRADE
Using a Trojan keystroke logger and an investor's 
gullibility, federal prosecutors say a Pennsylvania college 
student hatched an elaborate scheme to break into an online 
brokerage account to sell Cisco Systems stock options before 
they expired.

"We have never brought a case like this one," John Reed 
Stark, chief of the SEC's office of Internet enforcement, 
told The New York Times. The SEC says this is the first known 
case of securities fraud prosecution involving computer 
hacking and identity theft allegations.

In papers filed last week, investigators say Van Dinh, 19, of 
Pheonixville, Pa., offered members of an online stock 
pickers' forum a software program to help with stock charts. 
But the program was actually a monitoring tool that captured 
keystrokes and allowed Dinh to gain access to a Massachusetts 
investor's online brokerage account, authorities said. Dinh 
then allegedly cleaned out the account, using its nearly 
$47,000 to buy his own Cisco options and avoid $37,000 in losses.

"He essentially guaranteed there was a marketplace for the 
options that he sold, at least some of them," Stark told the 
Associated Press. SEC investigators said Dinh used ISPs in 
Europe and Australia, as well as an anonymizer, to hide his 
identity but still left evidence that led to his arrest. "No 
matter how many steps someone takes to cover their tracks, 
there are just too many trails," Stark said.

=====================================================

*ADVERTISEMENT*

OPTIMIZE AND SECURE YOUR ENTERPRISE NETWORK - FREE 

Time's running out - don't miss your chance to gain 
complimentary admission to "Networking Decisions: Optimize 
and Secure Your Enterprise Network." Sponsored by Information 
Security magazine, the conference arrives in Atlanta November 
5-7 for three days of proven network security expertise. Top 
speakers from Gartner, Forrester Research, Yankee Group and 
more deliver unbiased insight. Information and registration: 
http://networkingdecisions.com/?Offer=swdnd
 
======================================================

SECURITY PERSPECTIVES 

*MICROSOFT SMEARS LIPSTICK ON A PIG
by John Hogan 
In the run-up to last week's Worldwide Partner Conference, 
Microsoft sent out the top guns from its enterprise 
management division to get the community juiced about 
Redmond's "securing the perimeter" initiative.

Well, you can smear lipstick on a pig, but it's still a swine.

Despite CEO Steve Ballmer's promises during his keynote 
speech Thursday in New Orleans, it doesn't appear that 
Windows will be substantially more secure anytime soon.

It's a sign of progress that Microsoft freely admits that 
patches are a feeble way to secure computer systems. It's 
also nice that the company will dedicate a Web site to 
security issues and update the free Software Update Services 
(SUS) tool. And it's dandy that it will tell OEMs to ship 
XP-based machines with the Windows Internet Connection 
Firewall (ICF) turned on. But Microsoft is being disingenuous 
if it expects its customers and partners to believe that 
these are anything more than stopgap measures.

And Gartner isn't very chipper on the subject of Windows. 
CNET reports that the research firm planned to issue a report 
last week that adds its voice to the chorus crying out about 
the dangers of worldwide reliance on Microsoft software. The 
Gartner report is expected to urge businesses to diversify 
their desktop software or get swept up in an inevitable 
"cascading failure" caused by an Internet worm or virus.

Ballmer needs to adopt a more conciliatory approach. 
Reasonable people understand that software security isn't a 
problem that can be solved overnight. If Microsoft is up 
front about its challenges, it might be rewarded with a little slack.

John Hogan (mailto:jhogan@techtarget.com) is the news editor 
for SearchWin2000.com, our sister site, which covers the 
enterprise Windows platform.

Read the entire editorial: 
http://searchwin2000.techtarget.com/columnItem/0,294698,sid1_g
ci931636,00.html


=====================================================
MARKET MONITOR

Market Monitor is a weekly stock performance review of select 
information security companies. The prices indicated reflect 
the official close and don't reflect after-hour trading.

COMPANY/SYMBOL....................10/03.....10/10.....Change
Aladdin/ALDN......................7.84......8.58......9%
Blue Coat Systems/BCSI............12.06.....14.99.....24%
BMC Software/BMC..................13.95.....14.81.....6%
Computer Associates/CA............26.96.....23.01.....-15%
Check Point/CHKP..................17.88.....17.92.....0%
Cisco Systems/CSCO................20.76.....20.8......0%
3Com Corp./COMS...................6.65......6.8.......2%
CyberGuard/CGFW...................11.21.....11........-2%
Datakey/DKEY......................0.72......0.78......8%
Enterasys/ETS.....................4.15......3.98......-4%
Entrust/ENTU......................4.33......4.65......7%
Hifn/HIFN.........................8.29......8.65......4%
Hewlett-Packard/HPQ...............20.3......21........3%
IBM/IBM...........................90.64.....92.68.....2%
Identix Inc./IDNX.................6.........5.83......-3%
Internet Sec. Sys./ISSX...........13.21.....14.11.....7%
Intrusion Corp./INTZ..............0.86......0.93......8%
Lucent Technologies/LU............2.22......2.35......6%
Netegrity/NETE....................11.54.....12.61.....9%
NetScreen/NSCN....................22.16.....23.43.....6%
Network Associates/NET............14.87.....14.91.....0%
Novell/NOVL.......................5.82......5.99......3%
Red Hat/RHAT......................10.45.....10.85.....4%
Rainbow/RNBO......................9.74......10.71.....10%
RSA Security/RSAS.................15.77.....16.5......5%
SafeNet/SFNT......................38.31.....39.99.....4%
Secure Computing/SCUR.............12.2......12.72.....4%
SonicWALL/SNWL....................6.17......6.8.......10%
Symantec/SYMC.....................65.5......64.73.....-1%
TippingPoint Technologies/TPTI....15.4......17........10%
Trend Micro/TMIC..................22.4......25.6......14%
Tumbleweed/TMWD...................6.32......6.5.......3%
Unisys/UIS........................13.89.....14.2......2%
Vasco Data Sec./VDSI..............2.67......2.84......6%
VeriSign/VRSN.....................13.98.....14.6......4%
Wave Systems/WAVX.................2.78......2.95......6%
WatchGuard/WGRD...................5.33......6.18......16%

=====================================================
Security Wire Digest (BPA E-Mail Audit Report, June 2002*) is 
an e-mail newsletter brought to you on Mondays and Thursdays 
by Information Security magazine. Questions or comments 
should be e-mailed to Shawna McAlearney, online editor, 
mailto:smcalearney@infosecuritymag.com.


=====================================================
Security Wire Digest is published by Information Security, a 
TechTarget publication.

Copyright (c) 2003, Information Security and TechTarget. No 
reuse or redistribution without the express written 
authorization of Information Security and TechTarget. To 
obtain reuse permission, contact Larry Walsh 
(mailto:lwalsh@infosecuritymag.com).

*A copy of the BPA 
Audit is available for download at: 
http://www.bpai.com/library/statement_files/s3> 43h0j2.pdf



=====================================================
To SUBSCRIBE to Security Wire Digest, go to: 
http://infosecuritymag.bellevue.com

To UNSUBSCRIBE from 
SecurityWire Digest, go to: 
http://infosecuritymag.bellevue.com/USL.asp?> EM=dejesus@compuserve.com

To OPT OUT of third-party mailings, go to: 
http://infosecuritymag.bellevue.com/US.asp?E=dejesus@compuserv
e.com

To CHANGE your e-mail address, go to:
http://infosecuritymag.bellevue.com/CEL.asp?EM=dejesus@compuserve.com

To subscribe or renew your existing subscription to Information Security
magazine, print edition, please go to: http://www.submag.com/sub/is