Department of Accounting & Law
State University of New York at Albany
Acc 661 Auditing of Advanced Accounting Information Systems
Jagdish S. Gangolly (Spring, 2003)
Recent News Items of Interest (January 23, 2003)
The Following items are taken from numerous sources such as ZDNet Tech Update Today, InformationWeek Daily. They are quite time-sensitive, and therefore it is important that you browse them as soon as possible. If you wait for long, they may not be available.
- Opposition to Data Retention Grows in Europe
A multi-party coalition of 38 European Parliament members have recommended that the European Council and some Member States abandon their plans to monitor and retain data on people's private communications. Condemning the practice of data retention as a violation of the European Convention of Human Rights, its case law, and the EU Data Protection Directive, the group argued for alternative solutions to fight crime and urged the adoption of stricter limits on the storage and use of communications for law enforcement. As an example of less privacy-invasive measures, the coalition argued that preservation of data on a case-by-case basis would be more suitable to achieve the objectives pursued by police and security agencies.
Concurrently, in Great Britain, a parliamentary committee has rejected the government's current data retention proposal, in which it had planned to retain private communications data for up to a year. The All Party Internet Group ("APIG"), a parliamentary inquiry panel, examined the Home Office's data retention scheme, which is part of the Anti-Terrorism Crime & Security Act 2001 ("ATCS"). They concluded that the government's proposals were impractical, the cost of retention had been underestimated, and the concept of data retention appeared to be violating the UK Human Rights Act, which incorporates the European Convention on Human Rights into English Law. They also showed that the industry was not willing or able to comply with mandatory data retention requirements, and recommended that the Home Office negotiate with industry players a "targeted data preservation" scheme instead, as a more viable option. In reaction to the report, the UK government denied some of its findings, rejected the idea of data preservation as the most adequate solution to fight crime, and promised to establish a better dialogue with industry, without mentioning how it would address civil liberties issues. The Home Office nevertheless made clear that if industry actors could not agree on a voluntary code of practice on data retention, the government would go forward with the planned retention.
The crucial issue in the current debate on electronic surveillance of communications data under the new EU Directive on Privacy and Electronic Communications (2002/58/EC) is whether law enforcement authorities can justifiably claim that the retention of all people's private communications data for long periods and in a systematic fashion is necessary to fight crime and terrorism. The "communications data" referred to in the European context are all traffic and location data held by Internet service providers and landline and mobile telephone companies about their customers. This includes people's browsing patterns, phone and e-mail details (geographic location of mobile phone users, call time and duration, number dialed, callers' and recipients' names, e-mail addresses), chat room user IDs, credit cards, etc. The European Council is currently working on a framework decision that could make the principle of data retention -- which can be defined as the systematic and mandatory storage of large categories of traffic and location data for a specified period -- compulsory for all EU Member States; however, data preservation -- the storage of specific data related to a particular criminal investigation of a specified individual for a specified period of time, accessed pursuant to legal and constitutional safeguards and subject to judicial review -- is favored in most countries.
For more information and news items about data retention, see EPIC's
Data Retention page:
All Party Internet Group report:
- Viruses Get Smarter
A new generation of viruses will be more sophisticated, more difficult to detect and more dangerous.
- Slow Response To Slammer Worm Points To NIPC Woes
Despite a seemingly slow response to the worm's appearance over the weekend, an NIPC spokesman denied there was any delay in responding to the Slammer threat.
Microsoft Slammed By Its Own Vulnerability
The software giant had problems this weekend after the W32.Slammer worm infested unpatched host machines on the company's network.
Slammer Worm News
A round-up of articles from around the Web on the Slammer worm
- New Laws Put New Rules On ID Management
New laws are requiring companies to protect the personal information of their users. Security expert Bill Malik examines how identity management technology should fit into your company's plans for meeting this need.
Dueling Business Models In Identity Management
The Liberty Alliance and Microsoft have pursued different strategies as they seek market share in the hot area of identity management. Who will win? Contributor Mark Willoughby says there's room for both.
- SAPPHIRE/SLAMMER WORM
A new worm that affects Microsoft SQL Server--called the Sapphire or SQL Slammer worm--is traveling the Internet, occasionally causing severe network traffic loads. The worm exploits a security hole in SQL Server for which Microsoft issued a patch in July 2002. Microsoft has published a Web page that contains information about the worm, and the company recommends that users patch their SQL Server systems immediately or load the recently released SQL Server Service Pack 3 (SP3), which contains the previously released patch. Also, companies that use Cisco routers should be aware that Cisco has issued an advisory recommending that users adjust their router configurations in certain scenarios to avoid router overload. For more information, see the following URLs:
- Getting the Most From Intrusion Detection Systems
The good news, vendors and analysts say, is that enterprise IT organizations are deploying intrusion detection systems (IDS) in greater numbers. The bad news is that they're probably not making effective use of them.
A recent study published by market research firm Meta Group indicates that even as interest in IDS has risen among Global 2000 organizations, companies often view their completed IDS deployments as failures. That's because, says Meta Group analyst Christian Byrnes, many companies often adopt IDSes as technical solutions, without giving much thought to the operational issues associated with managing them.
- ==== IN FOCUS ==== (contributed by Mark Joseph Edwards, News Editor, )
* SLAMMER/SAPPHIRE WORM AND SHADES OF CODE RED
As you probably know by now, a tiny worm began traveling the Internet over the past weekend. Known as either Slammer or Sapphire, the worm affects unpatched Microsoft SQL Server machines. Patches to prevent
the vulnerability the worm exploits have been available since July 2002.
The worm doesn't damage an infected machine, nor does it compromise any data on an infected machine. However, it does prove a simple concept: A tiny worm (376 bytes) with only the essential amount of code can spread rapidly and consume large amounts of bandwidth in the process.
Some people compare this worm with the Code Red worm that affected Microsoft IIS systems last year. However, far more IIS systems than SQL Server machines are online, and the Slammer/Sapphire worm's impact is proving to be relatively short-lived. As Chris Rouland, director of Internet Security Systems' (ISS's) X-Force said in an "InfoWorld" interview, the worm's impact has already lessened significantly. As of Sunday, its impact was more comparable to that of the Nimda virus,
which affects Microsoft Outlook clients. According to ISS monitoring, Nimda and Slammer/Sapphire both propagated at about 10,000 attacks per hour on Sunday.
By now, I'm sure Slammer/Sapphire's activity has lessened even further (although it's possible for it to flare up again), whereas the most serious affects of Code Red were probably felt for a longer period. Overall, Nimda is probably more expensive to clean up than Slammer/Sapphire. Even so, the thing Slammer/Sapphire did that Nimda didn't do was severely affect network communications. In some cases, networks went down entirely for brief periods of time.
The reason that some networks went offline was probably twofold. First, the worm consumed a lot of bandwidth, sometimes saturating a given network's total capacity. Second, the worm affected Cisco Systems routers, which countless networks across the Internet use. The worm affected some Cisco routers because of the way those routers were
configured to log packets. In some cases, routers were configured to block all traffic to port 1434 and to log all denied packets, such as those destined for blocked port 1434, which SQL Server typically uses. So the worm traffic in conjunction with the logging overwhelmed some routers. To read Cisco's recommendations regarding configuration adjustments, view the related Web page at the first URL below. To see a graph of how the worm affected traffic at a few of the larger
networks, visit the second URL below.
Another problem with this worm is that it also affects Microsoft SQL Server Desktop Engine (MSDE), which ships inside a lot of products, some from Microsoft and many others from third parties. These products include Visual Studio .NET (Architect, Developer, and Professional Editions), ASP.NET Web Matrix Tool, Microsoft Office XP Developer Edition, Microsoft Developer Network (MSDN) Universal and Enterprise subscriptions, and Microsoft Access. But those products represent just the tip of the iceberg. To see the huge list of products that use MSDE--many of which are probably installed on your systems--visit the SQL Security Web site at the URL below. The list is updated as those who maintain the list become aware of more products that use MSDE.
A Microsoft Web page offers information about the Slammer/Sapphire worm, including patch information (see the first URL below). As always, be sure to read the fine print associated with patches and related articles before you load any patches. Also, consider loading the recently released SQL Server Service Pack 3 (SP3). And if you want a tool that will scan your SQL Server systems to determine whether they're vulnerable, then you can download such a tool courtesy of eEye
Digital Security (see the second URL below).
To help prevent such attacks from being successful, administrators must patch systems as quickly as possible. They need to maintain firewalls in a deny-all-traffic-until-otherwise-authorized configuration. Also, they must conduct any remote administration that requires opening nonessential ports through a VPN and some kind of remote terminal software. When all the hype around this new worm has finally fizzled out, I hope that businesses will have learned how important it is to take defensive actions sooner rather than later.
1
