The No-Spin Zone
The spin needs to stop here when companies lose millions of people's confidential information.
Bank of America
"lost" computer backup tapes
shipped offsite for storage in December 2004. The tapes contained financial
information on more than 1 million U.S. federal employees, including numerous
Notice how we keep hearing about identity information being lost, but we rarely
hear how it was lost? The marketing spin machine kicks into high gear and says
"Telling people the information was lost or stolen makes us look like a
victim. Telling people how it was lost or stolen due to our incompetence or
lack of due diligence will make them distrust us, so don't do that."
If you're like me, you're getting tired of waiting for the phone call or letter
from your bank or finance company telling you all your personal information
has been compromised. With few exceptions, there's nothing we can do but wait
for the bell to toll for us.
This Bank of America information "loss" should serve to remind companies
that store sensitive information offsite that the storage and transportation
of that information should be treated as securely as the data would be if it
were in house and in use. All too often this isn't the case. This extends to
the disposal of old storage media. Remember, while the thieves may simply want
the media to sell for its basic value, loss of sensitive information contained
on such media can be far more costly.
Watch out for the WU-ftpd (Washington University FTP
daemon) DIR wildcard Denial of Service vulnerability. A vulnerability exists
in wu-ftpd which allows anyone who can connect to the FTP server and issue a
DIR command to cause the server's CPU to consume all of its resources and become
unresponsive. Wu-ftpd is implemented in most Unix and Linux distributions.
The most remarkable thing about this vulnerability is that there are still
people using FTP for file transfers, and particularly that people are still
using wu-ftpd. Wu-ftpd is one of the most notorious programs around with respect
to consistently being vulnerable to attack. This particular vulnerability is
a variation on a similar vulnerability discovered in November 2001.
FTP was depreciated many years ago when HTTP became mature enough to be able
to handle restarting a file transfer after it had been interrupted. All FTP
use should have been transferred to HTTP at that time (around 1997), but FTP
remains popular today primarily because the owners of FTP servers lack the skill
to make the transition, and don't wish to disrupt the typically important role
of their FTP environments.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Implementing HTTP transfers isn't extremely difficult, but it does require
separating HTTP file transfer functionality from other, more typical, HTTP functionality.
For example, allowing HTTP file transfers to a Web site that also presents pages
to Web browser visitors means ensuring that the uploads can't replace the pages
they want to display. This means implementing extensive file and directory permissions.
While this can all be done with a Web server, it's much easier to do with an
FTP server because this functionality is part of basic FTP server configuration.
The bottom line is that this vulnerability isn't likely to rear its ugly head
in the form of mass attacks, but it should serve as yet another wake-up call
for anyone still using FTP as a means of transferring files, especially users
New Bagle variants are being released so quickly that
anti-virus vendors are having a hard time keeping up. New variants of the Bagle
virus have been released every several hours, and to at least some insiders
appear to be tied to the release of virus definitions by McAfee. Virus writers
are taking on the AV companies head-on—and winning.
Virus writing seems to be getting downright industrial, with new viruses being
turned out like Henry Ford turned out Model Ts. It takes time to decrypt the
encrypted viruses, and more to figure out how to identify the contents reliably.
Heuristics—the ability to look at an object abstractly rather than specifically—is
getting better at identifying new variants, but it's still not efficient enough
to completely replace virus definition files.
Here's the biggest problem with all this. The industry has focused so much
on selling brainless solutions to consumers regarding security issues that when
those solutions become ineffective, as in the case of these Bagle variants,
consumers are left vulnerable. If consumers believe that anything that makes
it past their defenses is safe, why wouldn't they open virus-laden e-mails?
Emphasis should have been placed on consumer education, which could have been
made more obvious to the consumer by strict penalties for failure to follow
the educational guidelines (as described in my Internet
If you think you have the solution without imposing penalties for those consumers
who invoke viruses or bots, find some investors—you've got a billion-dollar
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.