VeriSign Security Review
October 2005
Hackers are quick to take advantage of any vulnerability. ZoTob and
other exploits attacked millions of vulnerable MS05-039 computers in
five days. In this issue, VeriSign analyzes this classic lifecycle threat
and urges companies to conduct intelligent lifecycle threat monitoring
and analysis. We also share a recent survey on messaging security that
reveals formidable challenges ahead.
VeriSign is glad to report that OATH, an open standard initiative
it helped start with IBM, has grown rapidly and just welcomed Apache
as a new member.
Finally, with scores of Hurricane Katrina and Rita-related domain
names registered, VeriSign urges organizations to use care when
accessing unknown sites.
In this issue:
PnP Exploit Sets Lifecycle Risk Trend
Moroccan officials arrested 18-year-old Farid
Essebar, aka “Diab10,” for allegedly authoring ZoTob, one of the bots
that exploited the MS05-039 Plug-and-Play (PnP) vulnerability and wreaked
temporary havoc in August. VeriSign analyzed the lifecycle of ZoTob,
revealing a worrying trend.
VeriSign iDefense Security Intelligence identified
in early June that Diab10 was responsible for at least one and likely
more variants of MyTob, a bot that emerged as the top malicious code
threat by the summer of 2005. After Microsoft’s disclosure of the PnP vulnerability,
the first worm to exploit it was ZoTob.A, which pointed to an IRC server
called diab10.turkcoders.net. Two additional PnP exploiting bots emerged
within 48 hours, pointing to the same IRC server to remotely control
zombies. Other variants continue to follow.
The ZoTob incident followed a classic lifecycle
risk scenario as has been seen with former notable threats such as Blaster
and Sasser, yet it was carried out with far higher sophistication, speed,
and criminal motivation. Instead of having one big worm take the world
by storm, the trend is to send out many minor variants of the code quickly
to gain control over many computers. This under-the-radar approach makes
it more difficult for some to properly assess risks. While Blaster emerged
26 days after Microsoft disclosed MS03-026 and Sasser took 19 days after
MS04-011, ZoTob took only five days to affect millions of computers.
Unlike Blaster and Sasser, MyTob and ZoTob are ultimately motivated
by money. Financial gains come from a plethora of ways including performing
denial of service (DoS) attacks for hire, CD-key theft, identity theft,
industrial espionage, and adware/spyware installations.
With more actors aggressively developing public
exploit code for criminal financial gain, the trend of rapid exploitation
will continue. VeriSign urges risk managers to incorporate intelligent
lifecycle threat monitoring and analysis. ZoTob proved that even high-security
organizations could not respond fast enough to stave off exploitation.
Extensive intelligence, lifecycle risk analysis, and mitigation measures
must be made available to organizations prior to publicly-available
software patches.
Messaging Security: A Challenge for Enterprises
Protecting e-messaging systems
costs $117.34 per user per year for companies with fewer than 2,500
employees, and $62.87 per user per year for those with 2,500 or more
employees, according to Osterman Research.
The research firm’s study, Messaging Security
Market Trends 2005-2008, reveals the challenges of messaging security.
Two-thirds of the surveyed companies report inadequate Email archiving.
Two in five say large Email attachments are taxing their messaging capability.
Most alarmingly, nearly all surveyed companies have had their networks
penetrated by a virus, worm, or other form of malware through Email.
More at http://www.informationweek.com/story/showArticle.jhtml?articleID=170702044.
Apache joins OATH
The Apache Software Foundation is among the
eight security companies and two major financial institutions to join
the Initiative for Open AuTHentication (OATH) in the last 30 days.
OATH is a collaborative effort of IT industry
leaders - VeriSign and IBM are founding members - to provide a reference
architecture for strong authentication across all devices and networks.
As financial transactions continue to move online and as companies provide
more mobile productivity options for employees, strong, two-factor authentication
is gaining traction. The benefit of OATH’s single, open authentication
standard for users on all devices, including mobile phones, PDAs, laptops,
and WiFi access points, has led to support by industry heavyweights
as well as new specialists. OATH membership has doubled since its inception
18 months ago to include Apache, Encentuate, Identia, Renesas, Audio
SmartCard, and Iteon. Two financial institutions, representing millions
of customers, are also among the new members to collaborate on end-user
authentication.
At this year’s Mobile Business Expo in Chicago,
member companies will gather at the OATH pavilion. For more information,
visit www.openauthentication.org.
VeriSign Launches Unified Authentication 3.0
VeriSign unveiled Version 3.0 of its Unified
Authentication solution to include VeriSign Secure Storage Tokens, additional
user and token store support, and self-install capabilities to help
strong authentication proliferate in the enterprise.
The VeriSign Unified Authentication Secure
Storage Token is the industry's first all-in-one token to combine One-Time
Password (OTP) and PKI authentication with Secure Storage and smart
card technology, enabling a variety of security-related applications.
The token includes a USB flash drive to enable the transfer and encryption
of files to and from the storage device.
Built on the Open AuTHentication (OATH) architecture,
VeriSign Unified Authentication maximizes deployment flexibility by
supporting industry standard database protocols such as LDAP user stores
and ODBC user and token stores. The new self-install capability of VeriSign
Unified Authentication will help administrators speed up deployment
and save professional service costs. Version 3.0 also provides additional
interoperability by supporting Windows 2003 Server, Red Hat Linux ES
3.0, and Solaris 9 for all components. These new devices and features
make it possible for enterprises to enable strong authentication in
virtually all networks, applications, and user locations.
For more information on enabling strong authentication
for your enterprise, visit http://www.verisign.com/products-services/security-services/unified-authentication/index.html.
Linux Firefox Vulnerability Found
A new vulnerability in Firefox 1.0.6 running
on Linux could allow hackers to seize control of affected systems. If
users with Firefox as the default browser are tricked into following
a malicious link in an external application, hackers could execute arbitrary
shell commands. Confirmed Linux versions are Fedora Core 4 and Red Hat
Enterprise Linux 4. More at http://www.theregister.co.uk/2005/09/21/linux_firefox_security_bug/
NIST Releases New Drafts
The National Institute of Standards and Technology
released twelve new draft documents including “Guide to Malware Incident
Prevention and Response,” “Guide to Computer and Network Data Analysis:
Applying Forensic Techniques to Incident Response,” and “Minimum Security
Requirements for Federal Information and Information Systems.” You can
receive notification of new document releases by subscribing at http://csrc.nist.gov/compubs-mail.html.
NSA Gains Patent on Internet Geo-Location Process
The National Security Agency has been issued
a patent on a geo-location process (US Patent 6,947,978) that reportedly
tries to pinpoint Internet users based on their IP addresses. According
to The Register (UK), the system “uses the latency of connections together
with a network topology map to scope the approximate location of net
users.” The patent description explains that the process apparently
would not be able to track dial-up connections beyond the service provider,
nor would it likely be effective in tracking anonymous proxy services
attempting to mask their real location. More at http://theregister.co.uk/2005/09/22/nsa_geolocation_patent/
Ask A VeriSign Consultant
Question: There were reports of possible WiFi misuse. What role does
WiFi play in my compliance planning and execution?
Answer by Branden R. Williams:
Wireless networks are targets for both casual
and targeted malicious attacks. The best way to mitigate risks
around wireless networks is to ensure you are using technologies such
as VPN, WPA or WPA2/802.11i to encrypt and authenticate users of your
wireless networks. Firewalls should always be installed between
wireless networks and the corporate wired network. Additionally, many
enterprise wireless solutions have features such as Wireless Intrusion
Prevention Systems (IPS) and Rogue Access-Point Locators that can help
you prevent someone from misusing your wireless network, and prevent
a rogue access-point from fully bridging your wired network.
When looking at compliance and Wi-Fi, the solutions
are generally expensive, and somewhat limited. The best solution
is to limit the scope of the compliance regulations and remove wireless
from the picture. For example, in the Payment Card Industry (PCI)
world, wireless technologies are heavily regulated. You must have
firewalls between the wireless networks and the wired infrastructure,
and you must use a more advanced encryption solution than just Wired-Equivalent
Privacy (WEP). Technologies like WPA, LEAP and WPA2/802.11i are
required for compliance. If you are dealing with legacy equipment,
contain wireless users with firewalls, and require a VPN connection
together with strong authentication to be used in order to access the
corporate LAN. If you are looking at a new deployment, be sure
to deploy an 802.11i standard that uses an encrypted version of the
Extensible Authentication Protocol (EAP), such as EAP-TTLS, EAP-FAST
or PEAP. At any rate, deploying VPNs inside these advanced technologies
would only be a benefit to the overall security of the installation
and should be seriously considered.
Branden Williams is a Principal Consultant at VeriSign. He is a Certified
Information System Security Professional (CISSP), Checkpoint Certified
Security Administrator (CCSA), and Checkpoint Certified Security Expert
(CCSE).
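To make the consultant's two recommendations checkable, here is an added example (not from the newsletter or VeriSign) that runs simple detection logic over a constructed wireless site-survey export: it flags any access point advertising the corporate SSID whose BSSID is not in the asset inventory (a rogue AP) and any owned access point still running WEP or no encryption instead of WPA/WPA2 with EAP. The survey format, the BSSIDs and the SSID names are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample of a site-survey export (hypothetical format, not from any
# real tool). Columns: BSSID, SSID, security mode, signal strength in dBm.
SAMPLE_SURVEY = """\
00:11:22:33:44:01  CORP-WLAN  WPA2-EAP/CCMP  -41
00:11:22:33:44:02  CORP-WLAN  WPA2-EAP/CCMP  -55
00:11:22:33:44:03  CORP-WLAN  WEP            -60
de:ad:be:ef:00:01  CORP-WLAN  WPA2-EAP/CCMP  -48
de:ad:be:ef:00:02  FreeWifi   OPEN           -70
"""

# Constructed asset inventory: BSSIDs the enterprise actually owns, and the
# SSIDs that only those access points are allowed to advertise.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
CORPORATE_SSIDS = {"CORP-WLAN"}

# Modes the answer above treats as acceptable for compliance: WPA or
# WPA2/802.11i with 802.1X/EAP. WEP and open networks do not match.
ACCEPTABLE_MODE = re.compile(r"^WPA2?-EAP/", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str  # "rogue-ap" or "weak-mode"


def assess_survey(survey_text, authorized_bssids, corporate_ssids):
    """Return one Finding per access point that violates the wireless policy."""
    findings = []
    for line in survey_text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, mode, _signal = line.split()
        bssid = bssid.lower()
        if ssid in corporate_ssids and bssid not in authorized_bssids:
            # Someone else is advertising our SSID: candidate rogue access point.
            findings.append(Finding(bssid, ssid, "rogue-ap"))
        elif bssid in authorized_bssids and not ACCEPTABLE_MODE.match(mode):
            # An owned AP that is still on WEP or open: fails the encryption rule.
            findings.append(Finding(bssid, ssid, "weak-mode"))
    return findings


if __name__ == "__main__":
    for f in assess_survey(SAMPLE_SURVEY, AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{f.issue:9} {f.bssid}  {f.ssid}")
```

Neighbouring networks that are neither owned nor impersonating a corporate SSID (the open "FreeWifi" line) are deliberately left out of the findings.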
Opinion: Breach Notification Laws Don’t Address Lack of Standards
By Michael Aisenberg, Director of Policy, VeriSign,
Inc.
As of August, 17 states have passed breach
notification laws requiring data custodians to notify the public about
cyber security breaches that compromise confidential information. More
are calling on Congress to pass legislation at the federal level. Legislatures,
in reacting to press reports about breaches of personal data, may be
overlooking critical elements of the issue. Breach notification laws
are focusing on what happens after a problem occurs. This is essentially
locking the barn door after the cows have escaped. In our view, energy
is better spent on building stronger and more reliable barns in the
first place.
The most critical issue is not the single abuse
of “identity theft” but the pervasive set of practices comprising “data
custody.” Persistent problems are: 1) lack of recognition of the broad
spectrum of personal identification information (PII); 2) narrow definition
of data custodians and their consequential lack of deployment of adequate
data custody practices; 3) inconsistent and inadequate utilization of
tools by those who are attempting data custody.
PII includes more than just social security
numbers and addresses. Many seemingly innocuous data may become valuable
identifiers when paired with other PII and powerful search capability.
Also, the definition of a “Data Custodian” must be expanded to include
all organizations that hold sensitive customer data, not just data brokers.
Current statutory schemes such as HIPAA, GLBA, and the FTC define a
number of financial data custodians. These definitions should expand
to include universities, employers, and other non-governmental organizations
that hold key PII elements.
Industry best practices and standards must
be clearly articulated, based on broad consensus and widely disseminated
by non-proprietary and expert standards bodies. Best practices change
over time. It is therefore preferable that regulatory agencies such
as the FTC or standards bodies such as NIST, ANSI, and ISO define them
separately. Examples of information security standards include ISO 17799,
BS 7799, CoBIT, and Information Security Governance Framework. Industry-led
standards are preferable to regulatory standards, but either is feasible.
Laws regarding individual notification have
an appropriate role, but they are not the cornerstone of the issue and
do not address the fundamental need of better and broader use of best
custodial practices. Legislation must ensure that the duties and responsibilities
of data custodians are well defined. It is critical that universities,
airlines, employers, and other custodians of PII elements unambiguously
know what their responsibilities are in protecting confidential data
in order to comply.
Security Events
October 16-21, 2005
Gartner Symposium/IT Expo 2005
Orlando, Florida
October 17-19, 2005
RSA Conference Europe
Vienna, Austria
October 17-19, 2005
IPComm 2005
Las Vegas, Nevada
October 24-27, 2005
Futurecomm
Florianopolis, Brazil
October 31-November 3, 2005
Financial Services ISAC, Fall Meeting
Boca Raton, Florida
November 6-8, 2005
BITS Financial Services Outsourcing Conference
Washington, D.C.
November 13-16, 2005
Computer Security Institution 32nd Annual Conference
Washington, D.C.