ACCTTS-VICnrt(c) Charter & Mission Statement

MS-VulnerabilityHandling.htm
Rev: 12/23/01 7:27 AM

Quick Intro to
"CyberCrime Fighting" for All Stakeholders

Simple Computing Safeguards
for Small Business and Home Computer Users
www.acctts.com/dimens-1.html#A11A

Visit www.nipc.gov to learn about password protection practices!

National Infrastructure Protection Center

Trust But Verify:
A Guide to Using E-mail Correspondence
December 2001

The White House recently announced that the Friendship Through Education organization (www.friendshipthrougheducation.org) established an e-mail pen pal program with school children in the United States, Bahrain, Pakistan, and Egypt.

The goal is to promote peace and understanding between the citizens of the United States and Islamic nations. In support of this initiative the National Infrastructure Protection Center (NIPC) is providing some recommended security practices so that U.S. school children may participate safely, protecting the computer systems they use at home, school, or library. The program has excellent potential to build a peace bridge between cultures. Our recommendations are designed to assist teachers and parents to guide the participating students to practice good computer security habits, not only for this program, but always.

"Trust but verify" is a slogan that is appropriate for securing computers from malicious code passed as an e-mail attachment. It is very difficult to know exactly who is on the other end of an e-mail or chat session, as passwords do get lost and stolen. Most computer users know that they should beware of opening e-mail from strangers. But countless viruses have continued to spread and re-spread, because they were sent via e-mail from someone who appeared to be trusted. Individual computer users can drastically reduce the spread of viruses and other malicious computer code with a few simple steps including verifying the authenticity of an attachment before opening it.

Developers of computer viruses have been successful using social engineering to victimize the typical computer user. We have witnessed many viruses spread by e-mail attachments, masked by subject lines that are designed to be enticing to the recipient.

The computer virus developer’s goal is to manipulate authorized trusted users to unwittingly circumvent computer defenses and allow a malicious code infection. Even users who exercise disciplined adherence to security policies have been lured to open attachments titled "Anna Kournikova," "I Love You," and recently "Peace between America and Islam" which exploited human emotion about the violent acts of September 11, 2001.

We may have difficulty understanding the motivations of virus developers, but we must recognize that it is consistent with their methodology to exploit curiosity. We should expect to see viruses designed to proliferate by association with popular themes or ideas. As headlines develop regarding news events or issues popular with the audience, expect to see those used as e-mail subject lines to mask a malicious attachment.

NIPC and computer industry partners publish advisories to educate computer users of best security practices. Many of these publications recommend consideration of the following steps to reduce the chance of computer virus infections:

Close the preview pane of your e-mail program. The preview pane is the feature that shows you the contents of an e-mail before you choose to open it. It is often displayed below the pane that displays a list of e-mails, their titles and time of receipt or transmission.

Disable the Java script and Active-X features of your web browser. Java and Active-X were designed to run more advanced features and to use services or make changes on the computer you are using. Unless these features are explicitly required, it is safer to deactivate them to prevent malicious scripts from infecting or compromising the computer or the network.

Equip your computer with an anti-virus program, maintain the most current version, and select the user options that give you the most protection. There are several different types, not just different brands.

Some anti-virus programs search for specific file "signatures," others monitor a computer program’s activity and prohibit virus-like behavior. There are also cost-free scans from vendors via the Internet that can scan your hard drive and removable disks. Ensure that your anti-virus program will screen attached files.

Save attachments to a disk before opening. Do not open the attachment directly from the e-mail program. Save it to a disk, preferably a removable disk, and then scan the disk with an anti-virus program.

Do not open e-mail attachments from strangers, regardless of how enticing the subject line may be. In addition to e-mails containing damaging computer viruses, there has been malicious spam. The spam plays off human curiosity. It may be an e-mail message or a redirection to another web page. The action is often to solicit donations to organizations claiming to be charities, or barraging computers with pop-up advertising.

Be suspicious of any unexpected e-mail attachments from someone you do know. It may have been sent without that person’s knowledge from an infected machine. The Sircam virus continues to spread by automatically e-mailing itself between users who expect to communicate. Also, someone might have stolen a trusted person’s password and is pretending to be that trusted person.

Verify suspicious e-mail. In the event you receive e-mail from someone you know, that has a suspicious title or attachment, contact the sender or the program coordinator by telephone or send them a new e-mail asking them to verify that they did intend to send you that e-mail.

Toward the development of industry standards
for security vulnerability handling
Background

Industry convergence around the need to develop and institutionalize a code of conduct for responsible handling of security vulnerabilities

SafeNet 2000: Working group to develop
guiding principles for security professionals . . .
(http://www.scia.org/SignificantEvents/MSFT_safenet_2000.htm)

Other influencers throughout the industry have noted the need
for standardized, broadly-embraced processes.

Several conference participants have taken the initiative to begin the process of developing standards

@stake

Bindview

Foundstone

Guardent

Internet Security Systems

Microsoft

More to follow

Will form an organization to drive this effort forward

Long-term Objectives

Develop industry standards for handling security vulnerabilities

Comprehensive

Encompass all parties and activities in the vulnerability handling process

Collaborative

Define a framework through which all parties can work effectively and collegially to protect users from harm

Broadly accepted

Embraced by a critical mass within the industry

Plan:

Proposed standard to be developed by members

Submitted for ratification by associate members

Made available for review by the general public as part of RFC process

Near-term Objectives

Adopt several specific practices
even as we pursue our long-term goals

Immediately bolster security

Demonstrate the feasibility of these practices

Members commit themselves to:

Report and address security vulnerabilities
thoroughly and expeditiously

Observe a grace period before disclosing details
of exploiting newly-announced security vulnerabilities.

Exercise due diligence when developing security tools,
to limit their use to only lawful purposes

Reporting and Addressing Vulnerabilities

Purpose: To assure that vulnerability reports are given appropriate weight and proper steps are taken to protect customers as quickly as possible.

Members who discover vulnerabilities will inform the vendor in a timely and thorough manner

Members whose products are the subject of a report will immediately acknowledge receipt, investigate it thoroughly and expeditiously, and provide timely status updates to the discoverer.

Members’ security advisories will provide detailed information that lets users understand the vulnerability, the risk it poses and whether it affects them, and how to defend against it. Members will use best efforts not to disclose details that can be directly used to exploit the vulnerability.

Grace Period

Purpose: Give users a reasonable interval during which
to protect their systems against newly reported vulnerabilities

Begins with public notice of vulnerability, and lasts for 30 days

Is immediately curtailed if vulnerability becomes actively exploited

During grace period, members will exercise best efforts to avoid disclosing details that can be directly used to exploit the vulnerability

Does not apply to sharing information
with responsible parties such as:

Law enforcement authorities
Recognized infrastructure protection organizations
Other communities in which enforceable frameworks
exist to deter onward uncontrolled distribution

After expiration of the grace period,
members may release additional details of the vulnerability.

Security Tools

Purpose: Take reasonable steps to ensure that vulnerability demonstration and security assessment tools
can only be used for lawful purposes.

Members will limit tools’ use via one or more
of the following measures:

Non-invasive assessment techniques

E.g., scan for vulnerability using techniques that do not involve exploiting it.

Run-time restrictions

E.g., require the user to have administrative privileges
on the target system before running or scan only limited IP addresses.

Limited distribution channels

E.g., distribute tools only within communities
in which enforceable frameworks exist to deter onward uncontrolled distribution

Proposed Organizational Framework

Members

Industry-leading companies who are actively engaged
in security research and network defense, and leading software vendors.

Will draft proposed standards and commit people and resources
to driving the effort forward

Associate Members

Influential vendors and organizations within the security community
who support the goals of the organization

Will ratify Members’ proposed standard before it is submitted
to the formal process

Advisory Board

Influential customers of the security community
who support the goals of the organization

Will provide guidance and feedback to Members and Associate Members

Next Steps

Solicit additional participation

Draft bylaws and establish procedures

Develop a web presence to provide information about our status and progress

Select topics for initial standards work and develop timelines for deliverables

Ahoy - CyberCrime Fighters (2001-12-20)

Capella's on-line bookstore should make this software solution
more available & visible Via www.securemicrosoft.com/scan/start.asp
http://www.google.com/search?hl=en&q=%22SafeNet+2000%22

Does this security awareness flyer / promo webpage still work?
@
www.acctts.com/trust-factors/Capella%20University%20%20Online%20CyberThreats%20Workshop.htm

----- Original Message -----

From: "Minnesota Road Runner" <beepbeep@minnesotaroadrunner.com>
To: <BBURKHART@mn.rr.com>
Sent: Thursday, December 20, 2001 5:42 PM
Subject: Road Runner Security Alert

> 12/20/01
>
>
> Dear Road Runner Customer,
>
> This is an urgent notification for our customers using Microsoft Windows ME,
> XP or who have installed the Windows XP Internet Connection Sharing client on
> Windows 98 or 98SE. You are strongly urged to take immediate action
> regarding a critical Microsoft security flaw. This security flaw does not
> effect Macintosh users.
>
> At the end of this notification is a broad technical summary. Here's the
> short one:
>
> Multiple flaws in XP allows a malicious user to exploit a security hole which
> allows complete access to any default installation of Windows XP. With the
> access this security flaw gives, the cracker would be able to launch Denial
> of Service (DoS) attacks or numerous other illegal activities. This can all
> be done remotely and any complaints about these activities would lead back to
> your modem if your system was vulnerable to this attack.
>
> This is, according to Microsoft, an "unprecedented" risk to consumers due to
> this flaw in the Windows operating system. The official Microsoft bulletin
> can be reached by clicking below.
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bull
etin/MS01-059.asp
>
> Fox News is reporting on it, http://foxnews.com/story/0,2933,41282,00.html,
> and CNN's coverage can be found by clicking at,
http://www.cnn.com/2001/TECH/ptech/12/20/microsoft.hackers.ap/index.html
>
> Road Runner has also provided a link on it's Help and Member Services page at
> http://help.rr.com for your convenience.

>
> All Windows XP customers are urged to install the patches available at the
> above Microsoft link as soon as possible. Windows 98, 98SE or ME Customers
> are strongly urged to patch their computers as soon as possible if they have
> installed and are running the Universal Plug and Play service or who have
> installed the Windows XP Internet Connection Sharing client on Windows 98 or
> 98SE..
>
> This has the potential to be much worse than the Code Red or Nimda viruses,
> because the payload can be whatever the attacker chooses. It might be a
> port scanning of other computer users, it might be spam email sent from your
> computer, it could be something much worse such as re-formatting your hard
> drive which would cause you to need to re-install everything on your system.
>
>
> Sincerely,
>
> Anthony Olson
> Regional Security and Abuse Coordinator
> Road Runner
>
>
>
> Technical Summary
>
> Systems Affected:
> Microsoft Windows XP (All default systems)
> Microsoft Windows 98 (Certain configurations)
> Microsoft Windows 98SE (Certain configurations)
> Microsoft Windows ME (Certain configurations)
>
> Description:
> Windows XP ships by default with a UPNP (Universal Plug and Play) Service
> which can be used to detect and integrate with UPNP aware devices. Windows
> ME does not ship by default with the UPNP service, however some OEM versions
> do provide the UPNP service by default. Also its possible to install the
> Windows XP Internet Connection Sharing on top of Windows 98, therefore
> making it vulnerable.
>
> "UPNP architecture offers pervasive peer-to-peer network connectivity of PCs
> of all form factors, intelligent appliances, and wireless devices. UPNP
> architecture leverages TCP/IP and the Web to enable seamless proximity
> networking in addition to control and data transfer among networked devices
> in the home, office, and everywhere in between." as described on upnp.org.
>
> This advisory covers three vulnerabilities within Microsoft's UPNP
> implementation. A remotely exploitable buffer overflow to gain SYSTEM level
> access to any default installation of Windows XP, a Denial of Service (DoS)
> attack, and a Distributed Denial of Service (DDoS) attack.
> The SYSTEM Remote exploit
>
> The first vulnerability, within Microsoft's implementation of the UPNP
> protocol, can result in an attacker gaining remote SYSTEM level access to
> any default installation of Windows XP. SYSTEM is the highest level of
> access within Windows XP.
>

> The DoS and DDoS
>
> UPNP consists of multiple protocols, one of which being the Simple Service
> Discovery Protocol (SSDP). When a UPNP enabled device is installed on a
> network, whether it be a computer, network device, or even a household
> appliance, it sends out an advertisement to notify control points of its
> existence. On a default XP installation, no support is added for device
> control as it would be the case in an installation of UPNP from "Network
> Services".
>
> Although Microsoft added default support for an "Internet Gateway Device." if
> a sniffer is run on a network with XP, XP can be observed searching for this
> device as XP is loading. This support was added to aid leading network
> hardware manufactures in making UPnP enabled "gateway devices".
> By sending a malicious spoofed UDP packet containing an SSDP advertisement,
> an attacker can force the XP/ME client to connect back to a specified IP
> address and pass on a specified HTTP/HTTPS request.
>
> A malicious attacker could specify a charge service on a remote machine
> causing the XP client to connect and get caught in a tight read/malloc
> loop. Doing this will throw the machine into an unstable state where CPU
> utilization is at %100 and memory is being allocated to the point that it is
> totally consumed. This basically makes the remote XP system completely
> unusable and requires a physical power off shutdown.
>
> Attackers could also use this exploit to control other XP machine's, forcing
> such machines to perform Unicode attacks, double decode, or random CGI
> exploiting. Due to the insecure nature of UDP an attacker can exploit
> security holes on a web server using UPNP with almost total anonymity.
> One of the bigger problems, and why this can become a DDoS attack, is that
> this SSDP announcement can be sent to broadcast addresses and multicast. It
> is therefore possible to send one UDP packet causing all XP machines on the
> target network to be navigated to the URL of choice, performing an attack of
> choice.
>
> Also since parts of the UPNP service are implemented as UDP, it makes all
> of these attacks ***completely untraceable***.

http://www.startribune.com/stories/789/916466.html

www.startribune.com

http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

Feds grill Microsoft over XP problems

Ted Bridis
Associated Press
Dec 22 2001 12:00AM

WASHINGTON -- The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.

The FBI's National Infrastructure Protection Center said that, in addition to installing a free software fix offered by Microsoft on the company's Web site, consumers and corporations using Windows XP should disable the product's ``universal plug and play'' features affected by the glitches.

The FBI did not provide detailed instructions how to do this. Microsoft considers disabling the ``plug and play'' features unnecessary.

The company acknowledged this week that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

Outside experts cautioned that disabling the affected Windows XP features threatens to render unusable an entire category of high-tech devices about to go on the market, such as a new class of computer printers that are easier to set up. But they also acknowledged that disabling it could afford some protection against similar flaws discovered in the future.

The FBI also warned professional computer administrators to actively monitor for specific types of Internet traffic that might indicate an attack was underway.

A top Microsoft security official, Steve Lipner, sought to reassure consumers and companies that installing the free fix was the best course of action to protect their systems.

Friday's warning from the FBI's cyber-protection unit came after FBI and Defense Department officials and some top industry experts sought reassurance from Microsoft that the free software fix it offered effectively stops hackers from attacking the Windows XP flaws.

The government's rare interest in the problems with Windows XP software, which is expected to be widely adopted by consumers, illustrates U.S. concerns about risks to the Internet. Friday's discussions came during a private conference call organized by the National Infrastructure Protection Center.

During the call, Microsoft's experts acknowledged the threats posed by the Windows XP problems, but they assured federal officials and industry experts that its fix - if installed by consumers - resolves the issues.

Microsoft declined to tell U.S. officials how many consumers downloaded and installed its fix during the first 24 hours it was available. Experts from Internet providers, including AT&T Corp., argued that information was vital to determine the scope of the threat.

Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

``The patch is effective,'' said Lipner, Microsoft's director of security assurance, in an interview afterward with

The Associated Press.

Officials expressed fears to Microsoft about electronic attacks launched against Web sites and federal agencies during next week's Christmas holidays from computers running still-vulnerable versions of Windows, participants said.

Several experts said they had already managed to duplicate within their research labs so-called ``denial of service'' attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.

Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

The FBI's cyber-security unit has been concerned about the threat and warned again Thursday that the potential of ``denial of service'' attacks is high. The agency said people have indicated they plan to target the Defense Department's Web sites, as well as other organizations that support the nation's most important networks.

---

On the Net:

http://www.nipc.gov

http://www.microsoft.com/security

www.securemicrosoft.com

MS-VulnerabilityHandling.htm