Cisco unveils integrated security appliance family


NEWS

Vulnerabilities so far this year - A-V, Oracle, Media Players and Microsoft

Editorial office: Elsevier Advanced Technology PO Box 150 Kidlington, Oxford OX5 1AS, United Kingdom Tel:+44 (0)1865 843645 Fax: +44 (0)1865 853971 E-mail: [email protected] Website: www.compseconline.com

"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices," according to Alan Paller, director of research for the SANS Institute. "We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."

The SANS Institute has zoomed in on flaws that affect many systems, are widely unpatched, allow remote control and are available on the Internet for hackers to exploit. A new category has been added to the list: cross-platform applications. The list is a quarterly update of the annual SANS Institute summary of dangerous flaws. TippingPoint and Qualys also contributed to the research:

Editor: Terry Ernest-Jones
In-House Editor: Sarah Hilley
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, California University, Berkeley Lab; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production/Design Controller: Colin Williams
Printed by Mayfield Press (Oxford) Limited


Network Security

Flaws in Windows systems:

· Windows License Logging Service Overflow (MS05-010).
· Microsoft Server Message Block (SMB) Vulnerability (MS05-011).
· Internet Explorer Vulnerabilities (MS05-014 and MS05-008).
· Microsoft HTML Help ActiveX Control Vulnerability (MS05-001).
· Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013).
· Microsoft Cursor and Icon Handling Overflow (MS05-002).
· Microsoft PNG File Processing Vulnerabilities (MS05-009).

Cross Platform Applications:

· Computer Associates License Manager Buffer Overflows.
· DNS Cache Poisoning Vulnerability.
· Multiple Antivirus Products Buffer Overflow Vulnerabilities.
· Oracle Critical Patch Update.
· Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes).

Cisco unveils integrated security appliance family

Brian McKenna

Cisco has launched a family of multifunction security appliances that integrates VPN, firewalling, and intrusion prevention technologies.

The supplier’s ASA 5500 series controls network and application traffic, delivers VPN connectivity, and reduces, it says, the overall deployment, operations costs and complexity that would otherwise be associated with this level of comprehensive security. The family is being badged as part of the company’s ‘Adaptive Threat Defense’ phase of the Cisco ‘Self-Defending Network’ (SDN) security strategy.

Andy Oldfield, manager of technical marketing, Cisco, EMEA said: “we’ve focused on real world networks where most services are turned on. We can all do tests with only one service running and then claim big figures. It’s also an extensible platform. This is not the end. We’ll be enhancing a lot of the capability around deep network inspection and the adaptive day zero self-defence. That is where we are looking”.

The appliance family is designed to extend from small and medium sized businesses to large enterprises, and is built for concurrent services, scalability, and unified management. The application security services available on the series provide application inspection and control of bandwidth-intensive peer-to-peer services (P2P) such as Kazaa and Instant Messaging (IM), Web URL access controls, protection and integrity validation of core business applications like database services, and numerous application-specific protections for Voice over IP (VoIP) and multimedia services.

The series also provides VPN IPSec and SSL services that help ensure the VPN connection does not become a conduit for threats such as worms, viruses and hackers. The company says convergence of IPSec and SSL-VPN within the series makes it adaptable to any VPN deployment scenario including site-to-site, managed desktop, full or limited corporate network access, and partner or extranet access.

“No other organization out there that can match the breadth of solution we have”, said Oldfield.

Pricing: ASA 5510: starting at $3495. ASA 5520: starting at $7995. ASA 5540: starting at $16,995.

Check Point upgrades security platform

Check Point has announced a unified security platform for its perimeter, internal and web security products.

Dubbed the NGX platform, it’s being presented as a major upgrade to the core technology underlying the company’s firewall and management suite. The company says it delivers new features and extended functionality to more than 20 Check Point products.

Nick Lowe, director, UK, Ireland and South Africa, Check Point commented: “this is a major announcement, not just a re-badging of our perimeter, internal and web security products.

“The big issue today is how you manage a full end-to-end security system. The current situation in enterprises is not cost-effectively sustainable, given the very complex environments that exist in enterprises now.

“NGX provides a centralized management console to monitor, control and enforce all the end points — perimeter, internal and VPN endpoints”, he added.

The company says the product also includes enhanced capabilities for ensuring the confidentiality and availability of voice communications. “The Voice over IP piece takes you beyond classical protocol compliance”, said Lowe.

Chris Christiansen, Vice President of Security Products and Infrastructure at IDC said: “it is becoming more critical for enterprises to be able to easily manage and receive security information from a suite of security products.”

May 2005

In brief

US INTERNAL REVENUE SERVICE SECURITY PANNED

Security measures at the US tax collector, the Internal Revenue Service, have been criticised in a report. Taxpayers' details are not adequately protected, the report by the General Accounting Office says, and could lead to wide-scale identity theft. "This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," says James Sensenbrenner, chairman of the House Judiciary Committee. The General Accounting Office points out that when it carried out its last security review in 2002, it found 53 weaknesses. Since then, the IRS has corrected or mitigated 32. However, a total of 39 further weaknesses have occurred, raising the current total to 60.

CHINA BECOMES MAIN 'ZOMBIE' SOURCE

Most new 'zombies' now come from China. Chinese Internet users who leave their computers unprotected are contributing to zombie proliferation, according to a report produced by the email security vendor CipherTrust. More than 20% of the 157,000 new zombies which are identified daily come from China, the report says. This beats the USA, which accounts for 16%, and South Korea (10%). The company tracks these figures using its IronMail email gateway appliances used by customers around the world. Internet users in China are growing at a rate of around 15 million per year.

CARNEGIE MELLON BREACH

Carnegie Mellon University has warned that Social Security numbers and other personal information of at least 5000 students, graduate alumni, and employees may have been accessed when its systems were breached. The breach was discovered in the second week of April 2005 and University officials said they did not know how long the system had been vulnerable. However, on the plus side, there was no indication that the information had been used for illegal or malicious activities. The personal information concerned graduates from the Tepper School of Business between 1997 and 2004, as well as the School's current graduate students, doctoral applicants from 2003 to 2005, applicants to the Masters of Business Administration program from September 2002 to May 2004 and administrative employees.

DETAILS OF 1.4m CREDIT CARDS STOLEN FROM US RETAILER

The US company Retail Ventures has reported that personal information from 108 stores of its DSW Shoe Warehouse subsidiary has been stolen. The information includes names, account numbers and transaction amounts from 1.4 million credit cards used to buy wares at DSW stores, mostly between mid-November 2004 and mid-February 2005. Within 24 hours of discovery of the theft, DSW said it had contacted federal law enforcement and brought in a security firm to begin forensic investigation.

UK SECURITY CO-ORDINATION CENTRE INSUFFICIENT

The UK's National Infrastructure Security Co-ordination Centre (NISCC) is not adequate to protect the UK from cyber attack, according to the former Metropolitan Police Authority, Lord Harris of Haringey. He warns that the present defences for the critical national infrastructure limit NISCC to an advisory role, with no authority to requisition systems in time of national crisis. Harris believes the NISCC cannot fulfil its remit. He proposes new powers to regulate security for the critical national infrastructure.

INSTANT MESSAGING WORM GABBY BURIED

A worm in America Online's (AOL's) instant messaging network has been eradicated by the ISP. The worm, Gabby.a, resembled 'Kelvir', found on Microsoft's instant messaging network. Users received a text message with the words 'Hey check out this!' A link then downloaded and installed the payload, a variant of the Spybot worm. The malicious code was detected using IMLogic's Threat Center and AOL prevented further distribution from its servers.

THEFT OF 500,000 CUSTOMERS' RECORDS ALLEGED

Seven bank employees, a business owner, and a state worker have been charged in New Jersey with taking part in a scheme to sell the financial records of more than 500,000 bank customers, and sell them on to law firms and collection agencies. Police say that the ring leader, Orazio Lembo, got hold of lists of people wanted for debt collection, and sent the information over to the bank workers. They then checked the names against their client lists. The bank workers were paid $10 for each account they gave to Lembo.

SECURITY AUDIT ENFORCED FOR ONLINE RETAILERS

From June 30, all e-commerce sites with internal systems that process, store or transmit cardholder information will have to comply with the Payment Card Industry (PCI) Data Security Standard or face major fines. The initiative is backed by organizations including MasterCard, Visa and American Express. The standard requires that Internet retailers carry out a 12-step security audit, which will be certified annually and checked every three months. The move is in response to a series of security breaches that resulted in the theft of credit card details.
