News

Opinion: The No-Spin Zone

In this week's SecurityWatch column, Russ Cooper tackles physical security issues surrounding Bank of America's "loss" of computer backup tapes, the hacking vulnerability inherent in leftover FTP servers and issues raised by a recent Bagle variant.

Physical

Bank of America "lost" computer backup tapes shipped offsite for storage in December. The tapes contained financial information on more than 1 million U.S. federal employees, including numerous U.S. senators.

Notice how we keep hearing about identity information being lost, but we rarely hear how it was lost? The marketing spin machine kicks into high gear and says "Telling people the information was lost or stolen makes us look like a victim. Telling people how it was lost or stolen due to our incompetence or lack of due diligence will make them distrust us, so don't do that."

If you're like me, you're getting tired of waiting for the phone call or letter from your bank or finance company telling you all your personal information has been compromised. With few exceptions, there's nothing we can do but wait for the bell to toll for us.

This Bank of America information "loss" should serve to remind companies that store sensitive information offsite that the storage and transportation of that information should be treated as securely as the data would be if it were in house and in use. All too often this isn't the case. This extends to the disposal of old storage media. Remember, while the thieves may simply want the media to sell for its basic value, loss of sensitive information contained on such media can be far more costly.

Hacking

Watch out for the WU-ftpd (Washington University FTP daemon) DIR wildcard Denial of Service vulnerability. A vulnerability exists in wu- ftpd which allows anyone who can connect to the FTP server and issue a DIR command to cause the server's CPU to consume all of its resources and become unresponsive. Wu-ftpd is implemented in most Unix and Linux distributions.

The most remarkable thing about this vulnerability is that there are still people using FTP for file transfers, and particularly that people are still using wu-ftpd. Wu-ftpd is one of the most notorious programs around with respect to consistently being vulnerable to attack. This particular vulnerability is a variation on a similar vulnerability discovered in November 2001.

FTP was depreciated many years ago when HTTP became mature enough to be able to handle restarting a file transfer after it had been interrupted. All FTP use should have been transferred to HTTP at that time (around 1997), but FTP remains popular today primarily because the owners of FTP servers lack the skill to make the transition, and don't wish to disrupt the typically important role of their FTP environments.

Implementing HTTP transfers isn't extremely difficult, but it does require separating HTTP file transfer functionality from other, more typical, HTTP functionality. For example, allowing HTTP file transfers to a Web site that also presents pages to Web browser visitors means ensuring that the uploads can't replace the pages they want to display. This means implementing extensive file and directory permissions. While this can all be done with a Web server, it's much easier to do with an FTP server because this functionality is part of basic FTP server configuration.

The bottom line is that this vulnerability isn't likely to rear its ugly head in the form of mass attacks, but it should serve as yet another wake-up call for anyone still using FTP as a means of transferring files, especially users of wu-ftpd.

Malicious Code

New Bagle variants are being released so quickly that anti-virus vendors are having a hard time keeping up. New variants of the Bagle virus have been released every several hours, and to at least some insiders appear to be tied to the release of virus definitions by McAfee. Virus writers are taking on the AV companies head-on -- and winning.

Virus writing seems to be getting downright industrial, with new viruses being turned out like Henry Ford turned out Model Ts. It takes time to decrypt the encrypted viruses, and more to figure out how to identify the contents reliably. Heuristics -- the ability to look at an object abstractly rather than specifically -- is getting better at identifying new variants, but it's still not efficient enough to completely replace virus definition files.

Here's the biggest problem with all this. The industry has focused so much on selling brainless solutions to consumers regarding security issues that when those solutions become ineffective, as in the case of these Bagle variants, consumers are left vulnerable. If consumers believe that anything that makes it past their defenses is safe, why wouldn't they open virus-laden emails? Emphasis should have been placed on consumer education, which could have been made more obvious to the consumer by strict penalties for failure to follow the educational guidelines (as described in my Internet Penalties Plan at www.ntbugtraq.com/fines.asp.

If you think you have the solution without imposing penalties for those consumers who invoke viruses or bots, find some investors -- you've got a billion-dollar idea there!

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

Featured