The VeriSign Security Review
January 2006
Hackers relentlessly exploited several critical Microsoft vulnerabilities
and launched another zero-day attack. A busy month for phishers as new
scams target the navy and air force community. And two years after the
first enterprise SOX compliance efforts, the court system is having
its say on SOX.
Welcome to 2006! Eyes Open.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
Zero-Day Attack Prompts Microsoft Patch
In the latest zero-day attack, malicious code targeting the Microsoft .WMF vulnerability (MS06-001) hit the wild before the security community knew about it, causing a massive chain reaction of Snort signature development, debates over next steps, independent patching, and, finally, Microsoft's official patch release two weeks after the attack.
The attack targets a graphics rendering engine vulnerability in Windows 2000, Windows XP, and Windows Server 2003. Approximately 1000 Web sites were affected. Separate attacks were launched via Instant Messaging and email spam.
VeriSign iDefense Security Intelligence Service upgraded threat levels to 3 (Elevated) and 4 (High) at the height of the crisis. The user community was pleased when Microsoft decided to release an unscheduled patch to stop this threat from spreading more widely. The VeriSign rating has since returned to 2 (Guarded).
December Threat Summary
November’s infamous Sober outbreak threatened
to resume after January 6th, but has so far been dormant. VeriSign iDefense
Security Intelligence Service has more details, and VeriSign continues
to monitor URLs generated and probed by Sober-infected systems.
Multiple vulnerabilities were identified in
the Linux kernel, which could be exploited by remote or local attackers
to cause a denial of service. Fixes are available through upgrading
to Linux Kernel 2.6.15.1, http://www.kernel.org/
A public exploit targeted at the Veritas NetBackup
Volume Manager Daemon (vmd) vulnerability is available. An attacker
could send a packet to Volume Manager and launch a denial-of-service
attack remotely. Symantec has issued a support advisory.
Apple QuickTime, widely deployed in Windows
and Mac systems as well on the popular iPods, has five critical flaws
all to do with image handling. These flaws have the potential for arbitrary
code execution or buffer overflow, and they affect QTIF, TIFF, and
GIF images. Apple has provided a patch for all five flaws.
The BlackBerry Enterprise Server may be vulnerable
to denial-of-service attacks, according to a group of German hackers.
An attacker could launch a DoS attack by sending “specially crafted”
packets to the router, according to a vulnerability note posted on the
U.S. Computer Emergency Readiness Team’s Web site. The result could
be disrupted communications between the BlackBerry Enterprise Server
and BlackBerry devices. BlackBerry has developed a fix for the reported
vulnerability.
Windows Wi-Fi Flaw Detailed
Hackers have exposed details of a previously undocumented flaw in Microsoft's handling of Wi-Fi which affects users of Windows 2000 and XP. A security researcher explained that the issue centers on the way in which the operating systems look for wireless networks during startup. When a Wi-Fi equipped laptop starts up using Windows 2000 or XP, it immediately starts scanning for wireless networks. If none is found, it sets up an ad hoc link using the name of the last wireless network accessed. If a hacker were aware of the last-used network ID, it could be used to establish a direct local link with the Windows PC, offering access to all local drives. However, the problem only arises if the target machine is not running a firewall. One of the changes in Windows XP SP2 turns the built-in firewall on by default. For more information, visit http://www.vnunet.com/vnunet/news/2148609/microsoft-wi-flaw-found
New Phishing Scams
Several new phishing scams emerged in the last
month, one preying on sympathizers of recent mining accident, and two
others targeting U.S. Navy and Air Force personnel.
The US Federal Bureau of Investigation (FBI) issued a warning on Jan. 11, 2006, alerting Internet users of a new phishing e-mail requesting financial aid for Randy McCloy Jr., the sole survivor of the West Virginia mine explosion that killed 12 men. The e-mail appears as though it is from a doctor treating the survivor. The doctor reportedly describes McCloy's condition and discusses the funds needed for a full recovery. Internet users who receive any such e-mails are asked to file a complaint with the Internet Crime Complaint Center.
In addition, naval seamen who use the Navy
Knowledge Online (NKO) Web portal and Air Force personnel with access
to the Air Force Portal are also exposed to phishing emails leading
them to fictitious Websites. Users are urged to double check the Website
address and to change their portal password if they believe they have
fallen victim to the scams.
Standards and Regulations
Court Excludes Foreign SOX Whistleblower
The Sarbanes-Oxley whistleblower protections
do not extend to foreigners working in overseas subsidiaries of American
firms, a US appeals court has ruled. The ruling involved an Argentinean
who worked for Brazilian subsidiaries of Boston Scientific, who complained
of being fired for reporting revenue over-statements by the subsidiaries.
The ruling did not address the status of American citizens working overseas
for foreign subsidiaries, or foreigners working directly for public
US companies. Learn more from the IT Compliance Institute.
California’s New Anti-phishing Law In Effect
California legislation that took effect this
month includes a new law intended to protect consumers against phishing. Senate
Bill 355 makes Internet phishing a crime in California.
Phishing is the practice of using e-mail
to entice recipients to divulge personal information, such as Social
Security numbers or credit card numbers, in order to commit fraud.
News from VeriSign
VeriSign Hosts Panel Discussion on FFIEC Compliance
VeriSign continues to host discussions on helping
financial institutions comply with the FFIEC guidance for online banking.
The latest will be a breakfast panel on January 26th in New York. Among
the panelists are Jonathan Penn, Principal Analyst from Forrester Research,
Robert D. Lee, Senior Technology Specialist from the Federal Deposit
Insurance Corporation, and Michael Aisenberg, Director of Policy at
VeriSign. The panel will discuss proven approaches to creating a safe online banking environment, including strategies for federated identity and token sharing. For more information, see recordings of the last panel discussion.
VeriSign to Report Financial Results
VeriSign will announce fourth quarter financials
on January 26th after the close of U.S. financial markets.
There will be a live teleconference call on
January 26th at 2:00 pm (PT) accessible at (800) 210-9006 (US) or (719)
457-2621 (international). A listen-only live webcast of the Q4
earnings conference call will also be available at www.verisign.com
or www.streetevents.com.
A replay of this call will be available at (888) 203-1112 (passcode:
4947853) or (719) 457-0820 (passcode: 4947853 – international) beginning
at 5:00 pm (PT) on January 26th and will run through February 3rd.
Ask a VeriSign Consultant
Each month, our highly experienced security consultants
share their expertise in an area of your concern. This month, senior
product manager Doug Barbin discusses log monitoring. Send your questions
to askverisignsecurity@verisign.com.
Q: Monitoring server logs takes so much processing power, storage, and my staff's time. What do I need to know to monitor logs effectively?
A: You're not alone - logging is a pain. Every day it seems like there is more and more data for you to assemble, parse, and analyze.
The good news is that good logging practice not only helps with your
compliance efforts, but it is good for security. More specifically,
if you ever have to do some sort of incident investigation, there is
no better source of data than the logs from the individual hosts.
The following are examples of things you need to know:
What to collect? You can collect as much as you want. The better answer is critical servers, network devices, and other hosts. Pay specific attention to the regulatory requirements with which you need to comply. For instance, with Sarbanes-Oxley (SOX), you'll want to monitor all systems that process financial data as well as the surrounding network routers, switches, etc. that support and protect them. For PCI, your concern is those systems processing credit card data; for HIPAA, patient health data, etc. There is a perception out there that there are certain types of bad things that you want to pay attention to based on the regulation. That's not true. You want to monitor as much as possible on those systems that may have regulated or protected data.
How much do I need to collect and keep? This isn't as easy as it sounds. SOX wants you to keep audit records for a year, PCI about the same, but none of them really specify in what format or how quickly you need to have access to it. On top of complying with the latest regulations, you may still need to store data longer for Intellectual Property requirements, SEC regulations, or NASD regulations. Check with your legal counsel.
How often do I need to review the logs? There are three dependencies here that drive the frequency of reporting. 1) The more critical the system, the higher the frequency of manual review of summary reports. 2) The volume of the logs will also drive the frequency. If there is too much data to reasonably perform the review weekly, then daily may be required. 3) If you have custom signatures set up to notify or alert you to significant events, then you won't be required to perform spot reviews as frequently. Most of VeriSign's Host Log Monitoring customers review reports that are generated on a weekly basis. In addition, many of them have rules set up so that if a high-severity event is logged against a high-criticality system, or if a series of events has occurred, they will be notified by our Security Operations Center.
What do I look for? In general you are looking for irregularities. Examples may include a user accessing a sensitive system that they either don't have access to or don't often access. It could also include the creation or deletion of accounts and/or the elevation of a particular user's privileges. Failed logon attempts are always of interest.
Monitoring logs is demanding on processes, storage, and human attention. A lot of processes can be automated; storage will continue to be more cost-efficient; and outsourcing it can save you human resources. In evaluating potential solutions, look to see which ones really do save you time and money, allowing your analysts to focus on investigating real threats to the organization and its critical assets.
Doug Barbin is a senior product manager at VeriSign.
He manages VeriSign’s Host Log Monitoring offering.
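As an added illustration (not code from the newsletter or from VeriSign's Host Log Monitoring service), here are the review rules the answer above describes, run over a few constructed syslog-style lines: repeated failed logons, a successful logon to a sensitive host by a user not expected there, account creation, privilege elevation, and escalation to the SOC when a high-severity event lands on a high-criticality system. The host names, log layout, asset register and failed-logon threshold are all assumptions.

```python
import re
from collections import Counter
# Constructed sample lines in an assumed syslog-like layout
# (timestamp host program: message); not real VeriSign data.
SAMPLE_LOGS = """\
2006-01-10T08:01:12 fin-db01 sshd: Failed password for jsmith from 10.0.5.7
2006-01-10T08:01:15 fin-db01 sshd: Failed password for jsmith from 10.0.5.7
2006-01-10T08:01:19 fin-db01 sshd: Failed password for jsmith from 10.0.5.7
2006-01-10T08:02:01 fin-db01 sshd: Accepted password for jsmith from 10.0.5.7
2006-01-10T08:05:40 fin-db01 useradd: new user: name=tmpadm
2006-01-10T08:06:02 fin-db01 sudo: tmpadm : USER=root ; COMMAND=/bin/bash
2006-01-10T09:15:00 web-dev02 sshd: Failed password for bob from 10.0.9.3
2006-01-10T09:20:00 web-dev02 sshd: Accepted password for bob from 10.0.9.3
"""
# Assumed asset register: criticality per host and the users expected on it.
CRITICALITY = {"fin-db01": "high", "web-dev02": "low"}
AUTHORIZED = {"fin-db01": {"dba1", "dba2"}, "web-dev02": {"bob", "alice"}}
FAILED_LOGON_THRESHOLD = 3  # assumed tuning value
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\w+)")
# (pattern capturing the user, finding kind, severity)
RULES = [
    (re.compile(r"Accepted \w+ for (\w+)"), "unexpected_access", "medium"),
    (re.compile(r"new user: name=(\w+)"), "account_created", "medium"),
    (re.compile(r"(\w+) : USER=root"), "privilege_elevation", "high"),
]
def review_logs(text):
    """Return (findings, notify): findings are (host, kind, severity, user);
    notify lists hosts where a high-severity event hit a high-criticality
    system, i.e. page the SOC instead of waiting for the weekly report."""
    findings, failed = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these
        _ts, host, _prog, msg = m.groups()
        fm = FAILED_RE.search(msg)
        if fm:  # count failures per (host, user); report once at the threshold
            failed[(host, fm.group(1))] += 1
            if failed[(host, fm.group(1))] == FAILED_LOGON_THRESHOLD:
                findings.append((host, "repeated_failed_logon", "medium", fm.group(1)))
            continue
        for pat, kind, sev in RULES:
            am = pat.search(msg)
            # A successful logon is only irregular if the user is not expected there.
            if am and not (kind == "unexpected_access"
                           and am.group(1) in AUTHORIZED.get(host, set())):
                findings.append((host, kind, sev, am.group(1)))
    notify = sorted({h for h, _, sev, _ in findings
                     if sev == "high" and CRITICALITY.get(h) == "high"})
    return findings, notify
```

On the sample, the four findings all land on fin-db01, and only the root elevation on that high-criticality host makes the notify list; bob's single failure and expected logon on web-dev02 produce nothing.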
Security Events
January 30-31, 2006: Net-ID 2006, Berlin, Germany
February 6-8, 2006: Demo06, Phoenix, AZ
February 13-17, 2006: RSA Conference 2006, San Jose, CA
February 22-23, 2006: Unified Compliance Summit, Las Vegas, NV