Opinion: The No-Spin Zone
In this week's SecurityWatch column, Russ Cooper tackles physical security issues surrounding Bank of America's "loss" of computer backup tapes, the hacking vulnerability inherent in leftover FTP servers and issues raised by a recent Bagle variant.
- By Russ Cooper
- March 22, 2005
Bank of America "lost" computer backup tapes shipped offsite for
storage in December. The tapes contained financial information on
more than 1 million U.S. federal employees, including numerous U.S.
Notice how we keep hearing about identity information being lost, but
we rarely hear how it was lost? The marketing spin machine kicks into
high gear and says "Telling people the information was lost or stolen
makes us look like a victim. Telling people how it was lost or stolen
due to our incompetence or lack of due diligence will make them
distrust us, so don't do that."
If you're like me, you're getting tired of waiting for the phone call
or letter from your bank or finance company telling you all your
personal information has been compromised. With few exceptions, there's
nothing we can do but wait for the bell to toll for us.
This Bank of America information "loss" should serve to remind
companies that store sensitive information offsite that the storage and
transportation of that information should be treated as securely as the
data would be if it were in house and in use. All too often this isn't
the case. This extends to the disposal of old storage media. Remember,
while the thieves may simply want the media to sell for its basic
value, loss of sensitive information contained on such media can be far
Watch out for the WU-ftpd (Washington University FTP daemon) DIR
wildcard Denial of Service vulnerability. A vulnerability exists in wu-
ftpd which allows anyone who can connect to the FTP server and issue a
DIR command to cause the server's CPU to consume all of its resources
and become unresponsive. Wu-ftpd is implemented in most Unix and Linux
The most remarkable thing about this vulnerability is that there are
still people using FTP for file transfers, and particularly that people
are still using wu-ftpd. Wu-ftpd is one of the most notorious programs
around with respect to consistently being vulnerable to attack. This
particular vulnerability is a variation on a similar vulnerability
discovered in November 2001.
FTP was depreciated many years ago when HTTP became mature enough to be
able to handle restarting a file transfer after it had been
interrupted. All FTP use should have been transferred to HTTP at that
time (around 1997), but FTP remains popular today primarily because the
owners of FTP servers lack the skill to make the transition, and don't
wish to disrupt the typically important role of their FTP environments.
Implementing HTTP transfers isn't extremely difficult, but it does
require separating HTTP file transfer functionality from other, more
typical, HTTP functionality. For example, allowing HTTP file transfers
to a Web site that also presents pages to Web browser visitors means
ensuring that the uploads can't replace the pages they want to display.
This means implementing extensive file and directory permissions. While
this can all be done with a Web server, it's much easier to do with an
FTP server because this functionality is part of basic FTP server
The bottom line is that this vulnerability isn't likely to rear its
ugly head in the form of mass attacks, but it should serve as yet
another wake-up call for anyone still using FTP as a means of
transferring files, especially users of wu-ftpd.
New Bagle variants are being released so quickly that anti-virus
vendors are having a hard time keeping up. New variants of the Bagle
virus have been released every several hours, and to at least some
insiders appear to be tied to the release of virus definitions by
McAfee. Virus writers are taking on the AV companies head-on -- and
Virus writing seems to be getting downright industrial, with new
viruses being turned out like Henry Ford turned out Model Ts. It takes
time to decrypt the encrypted viruses, and more to figure out how to
identify the contents reliably. Heuristics -- the ability to look at an
object abstractly rather than specifically -- is getting better at
identifying new variants, but it's still not efficient enough to
completely replace virus definition files.
Here's the biggest problem with all this. The industry has focused so
much on selling brainless solutions to consumers regarding security
issues that when those solutions become ineffective, as in the case of
these Bagle variants, consumers are left vulnerable. If consumers
believe that anything that makes it past their defenses is safe, why
wouldn't they open virus-laden emails? Emphasis should have been placed
on consumer education, which could have been made more obvious to the
consumer by strict penalties for failure to follow the educational
guidelines (as described in my Internet Penalties Plan at
If you think you have the solution without imposing penalties for those
consumers who invoke viruses or bots, find some investors -- you've got
a billion-dollar idea there!
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.