From isn at c4i.org Tue Feb 1 04:01:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:45 2005
Subject: [ISN] NIST issues final draft of IT security controls

http://www.gcn.com/vol1_no1/daily-updates/34930-1.html

By William Jackson
GCN Staff
01/31/05

The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

The agency's IT Laboratory says this third version of Special Publication 800-53 [1] contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced as required by the Federal Information Security Management Act. NIST released the initial draft in November 2003 and the second last September.

Comments on the current draft can be e-mailed [2] to the agency's Computer Security Division until Feb. 11. The agency expects a final version to get Commerce Department approval by the end of February.

"SP 800-53 has special significance in that the security controls contained in the recommended baselines will form the basis for those controls that will become mandatory in December 2005," NIST said in releasing the publication. "At that time, FIPS 200, Minimum Security Controls for Federal Information Systems, will take effect and be applicable to all federal information systems other than national security systems."

The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low, moderate and high risk systems.

Changes in the current draft include:

* The class designations management, operational and technical have been reinstated to more closely conform to the existing organization of agencies' security programs.
* Guidance has been enhanced for evaluating public access systems and addressing scalability, with expanded risk-based considerations to provide more flexibility in establishing appropriate controls.
* The concept of compensating security controls has been added to allow for equivalent or comparable controls not included in the publication.
* The low baseline security controls have been adjusted to reduce the minimum controls for low-impact systems.
* A new set of application-level security controls has been added.

[1] http://csrc.nist.gov/publications/drafts/SP-800-53-FinalDraft.pdf
[2] sec-cert [at] nist.gov


From isn at c4i.org Tue Feb 1 04:01:35 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:47 2005
Subject: [ISN] Linux Security Week - January 31st 2005

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 31st, 2005                           Volume 6, Number 5n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Introduction to Troubleshooting Linux Firewalls," "Common Criteria Salvation For Email Security," and "Do 'irresponsible' security researchers help or hinder?"

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH:

This week, articles were released for libtiff, ethereal, xpdf, squid, xtrlock, sword, unarj, enscript, zhcon, vdr, xine-lib, libpam-radius, kdebase, f2c, cups, alsa-lib, grep, kernel-utils, hal, im-sdk, gphoto, apr, tetex, koffice, kdegraphics, kdelibs, gaim, procps, mailman, mysql, awstats, less, kernel, and xpdf. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and TurboLinux.

http://www.linuxsecurity.com/content/view/118107/150/

----------------------

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

---

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience.
The following years (2001-2004) have been tainted with the threat of terrorism worldwide.

http://www.linuxsecurity.com/content/view/117721/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* The encryption factor
27th, January, 2005

Quantum computing is set to revolutionise the way we work. Trouble is, it could crack any of today's security codes in a fraction of a second, says Charles Arthur. When bankers and spies begin to worry about advances in computing, the rest of us would do well to take notice. What makes them edgy are the advances being made in "quantum computing", which is, as might be expected from the name, as entangled and confusing a field to understand as the branch of physics on which it is based - quantum mechanics.

http://www.linuxsecurity.com/content/view/118097

* Introduction to Troubleshooting Linux Firewalls
25th, January, 2005

Oh no you say not more management speak! Please, I get enough of that already! Fear not; we promise that we won't waste your time with YAUM (Yet Another Useless Methodology). We want you to find your problem and fix it quickly. So you can call this a process, a method, a way, or if you like, call it a methodology whatever works for you. What we don't want to do is fill your head with some useless babble. This methodology is hard won from years of solving problems.
http://www.linuxsecurity.com/content/view/118057

* Patching up problems
28th, January, 2005

The race to plug network holes before attackers use them is running system managers ragged--so they're throwing up more barriers to stop intruders.

http://www.linuxsecurity.com/content/view/118105

* SELinux: Playing with fire
26th, January, 2005

One of the much-talked-about features in Fedora Core 3 (FC3) is Security-Enhanced Linux, which some people believe will make Linux a truly military-grade secure operating system. But SELinux is available to secure many other distributions as well.

http://www.linuxsecurity.com/content/view/118071

* Common Criteria Salvation For Email Security
26th, January, 2005

With the increasing threat of far more sophisticated attacks than just spam and viruses, email security is taking a leap forward. But in implementing new solutions, organisations open up the risk to additional vulnerabilities, because the products they have chosen may not provide an adequate level of security.

http://www.linuxsecurity.com/content/view/118086

* The Role Of Email Security In Meeting Regulatory Requirements
27th, January, 2005

Corporate governance and regulation were one of the dominant themes of 2004 and look set to continue to be so throughout 2005. Corporate governance relates to how an organisation is run, and has repercussions for almost every department, particularly Finance, HR, Auditing, Procurement and IT. Due to the nature of the potential content of email, ranging from a simple customer query to financial projections, the use of this application demands particular attention to ensure that its management helps to secure regulatory compliance.

http://www.linuxsecurity.com/content/view/118092

* Developer Raps Linux Security
26th, January, 2005

Brad Spengler of grsecurity characterized the Linux Security Model, or LSM, as merely a way to allow the National Security Agency's SELinux to be used as a module. "The framework is unfit for any security system that does anything remotely innovative, such as grsecurity and RSBAC [Rule Set-Based Access Control]," he declared.

http://www.linuxsecurity.com/content/view/118084

+------------------------+
| Network Security News: |
+------------------------+

* 'Evil twin' could pose Wi-Fi threat
26th, January, 2005

Researchers at Cranfield University are warning that "evil twin" hot spots, networks set up by hackers to resemble legitimate Wi-Fi hot spots, present the latest security threat to Web users.

http://www.linuxsecurity.com/content/view/118085

* Hackers targeted by high-level system
25th, January, 2005

Running on Windows, Linux or Sun, Defiance TMS was made up of four elements. Defiance Monitor acted as the intrusion detection system (IDS), which would let IT staff monitor for threats. Defiance Gateway was the core IPS protection element, backed up by a Defiance Management Server to store logs and other security data, and the Defiance Security Console for unified system administration.

http://www.linuxsecurity.com/content/view/118056

+------------------------+
| General Security News: |
+------------------------+

* Coyotos, A New Security-focused OS & Language
25th, January, 2005

For those who haven't been following the EROS project, it has now migrated to the Coyotos project. EROS, the Extremely Reliable Operating System, was a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root.

http://www.linuxsecurity.com/content/view/118055

* Open and safe?
25th, January, 2005

TRUE or false? Open source software like Linux is more secure than Microsoft Windows, a proprietary operating system, because there seem to be more virus attacks against it.
http://www.linuxsecurity.com/content/view/118054

* No end to security sector growth
27th, January, 2005

The South African IT security industry, worth R1.082 billion, is still growing, according to research firm BMI-TechKnowledge. According to the firm's latest findings on the local security market, the industry grew by about 16% in 2003, with that level of growth expected to continue throughout the forecast period 2003 to 2008.

http://www.linuxsecurity.com/content/view/118090

* Do 'irresponsible' security researchers help or hinder?
27th, January, 2005

To many software makers and security consultants, flaw finder David Aitel is irresponsible. The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

http://www.linuxsecurity.com/content/view/118095

* Run information security like you run your business
28th, January, 2005

Do your CSO, CIO, information security professionals and software developers have measurable quotas and compensation for meeting or exceeding their information security numbers? Chances are, your firm is not running information security like a business unit with a tightly focussed strategy on customers, market and competitors. Without well-defined, standard, vendor-neutral threat models and performance metrics, there cannot be improvement; and improvement is what our customers want.

http://www.linuxsecurity.com/content/view/118102

* US to tighten nuclear cyber security
26th, January, 2005

The US Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.
http://www.linuxsecurity.com/content/view/118072

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Tue Feb 1 04:02:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:49 2005
Subject: [ISN] Los Alamos missing disks never existed

http://www.abqtrib.com/albq/nw_state/article/0,2564,ALBQ_19863_3508091,00.html

By Leslie Hoffman
The Associated Press
January 29, 2005

Missing computer disks that virtually shut down Los Alamos National Laboratory during the summer never existed, a new Department of Energy report says, and the National Nuclear Security Agency has inflicted a multimillion-dollar penalty on the University of California for sloppy inventory control and security failures at the nuclear weapons lab.

In a harshly worded review that described severe security weaknesses at the nuclear lab, the Energy Department concluded that bar codes were recorded for the disks but the disks themselves were never created. A separate FBI investigation supported that finding, according to the report released Friday.

"Although the FBI has validated our conclusions that the `unaccounted for pieces of (classified removable electronic media) at the center of this investigation never were created and, therefore, (are) not missing from inventory,' the weaknesses revealed by this incident are severe and must be corrected," the report stated.

The material was reported missing in July, and lab director Pete Nanos halted all work at the facility pending retraining of staff on security issues. Several workers were suspended and subsequently fired.

The incident was merely the latest in a series of security breaches going back several years.
Energy Secretary Spencer Abraham, annoyed at the persistent problems with security, decided in 2003 to put the management contract for the lab up for open bidding. A final version of proposals is expected to be unveiled next week, and the contract will go into effect for the winning bidder later this year.

Because of the problems detailed in the new report, the NNSA announced it would slash the University of California's management fee, imposing the largest fee reduction ever on a national laboratory.

UC will get only a third of the total fee it was eligible for as lab manager during the last fiscal year ending in September. Out of a possible $8.7 million, UC will get only $2.9 million.

In slashing the fee, NNSA chief Linton Brooks said he was concerned about "major weaknesses in controlling classified material." Those weaknesses "are absolutely unacceptable, and the University of California must be held accountable for them," he said.

UC officials on Friday accepted responsibility for the problems but pointed to the months of work they and lab officials have done reviewing Los Alamos' safety and security procedures since the initial shutdown.

"We got walloped. Unfortunately, we deserve this," UC spokesman Chris Harrington said. "But what we have done is correct the problems and put the right system in place so that we don't have to take this type of hit again."

Sen. Pete Domenici, an Albuquerque Republican, objected to the funding cut, saying the school has worked to make changes under difficult circumstances.

"The NNSA has responded to the bad headlines by cutting the university's award fee unreasonably," he said. "That willingness to succumb to political pressure reveals to me that the university is doing a better job of standing up to criticism than is the NNSA. I had expected better from the NNSA."

Lab watchdogs that have long criticized UC's management of the lab hailed the cut.

"It's certainly a step in the right direction," said Pete Stockton of the Project on Government Oversight.

Sen. Jeff Bingaman, a Silver City Democrat, said he understood the rationale behind the cut but noted that the most important issue should be making sure the safety and security challenges raised in the report released Friday are dealt with.

The report highlighted areas in which DOE and NNSA officials believe corrective action was needed. They include enforcing accountability, improving overall handling of classified material and improving oversight of security at the lab. One of the report's recommendations called for holding the university accountable through the management fee.


From isn at c4i.org Tue Feb 1 04:02:59 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:51 2005
Subject: [ISN] Attackers Could Bypass XP SP2 Security Mechanisms

http://www.eweek.com/article2/0,1759,1757786,00.asp

By Ryan Naraine
January 31, 2005

Microsoft Corp. on Monday confirmed it was investigating a claim by a Russian security researcher that two key security technologies built into Windows XP Service Pack 2 could be easily defeated.

The weaknesses were highlighted in a research paper [1] published by Alexander Anisimov of Positive Technologies and center around XP SP2's heap protection and DEP (data execution prevention) security mechanisms.

According to Anisimov, malicious hackers could bypass the two security mechanisms to execute arbitrary code on Windows systems running XP SP2. A successful attack could also allow arbitrary memory region write access (smaller or equal to 1016 bytes) and DEP bypass.

Microsoft is disputing the crux of the researcher's claim, insisting it is not a security vulnerability. "An attacker cannot use this method by itself to attempt to run malicious code on a user's system. There is no attack that utilizes this, and customers are not at risk from the situation," a spokesperson for the software giant told eWEEK.com.
She said the two security technologies built into XP SP2 are meant to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun vulnerability.

"It's important to note that data execution protection and heap overflow protection were never meant to be foolproof; the purpose of these features is to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun," she said.

Officials at the Microsoft Security Research Center plan to modify the technologies to address the reported weaknesses.

The primary benefit of DEP is to help prevent code execution from data pages. In XP SP2 and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

Execution protection, or NX (no execute), prevents code execution from data pages such as the default heap, various stacks and memory pools. Protection can be applied in both user- and kernel mode.

[1] http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm


From isn at c4i.org Tue Feb 1 04:04:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:53 2005
Subject: [ISN] Know thy hacker

http://www.infoworld.com//article/05/01/28/05OPsecadvise_1.html

By Bob Francis
January 28, 2005

As I said last week [1], I recently attended a local meeting of the Information Systems Audit and Control Association (ISACA) to hear a presentation by Mark Loveless, who heads up the Razor research team at BindView. As well as talking about the many daunting threats that face security administrators, Loveless also spoke about the changing nature of the hackers and groups that are causing security threats.
Many hackers are known as "black-hat" hackers, those who generally hack systems for personal gain or malicious reasons. The black-hat hacker either exploits these hacks for themselves or trades or sells that information. A "gray-hat" hacker hacks systems and software without the administrator's or developer's permission in order to uncover network or software problems. Many of these hackers used to operate alone but now work for organized crime, foreign governments, or spammers.

According to Loveless, the black-market price for exploit code for a known flaw -- such as some of the recently announced Internet Explorer flaws -- is between $100 and $500. That's the price if no exploit code is currently available; after the exploit code is made available on public forums, the price drops to zero, under the "carrying coals to Newcastle" principle of economics.

Exploit code for an unknown flaw is -- not surprisingly -- considerably more valuable: Prices for unknown exploits range between $1,000 and $5,000. Among the buyers of those codes are various foreign governments, foreign and domestic organized crime groups, and iDefense, a company that buys the exploits then informs its clients of the flaw.

Want to know who has your e-mail address? Get in line. A list of 5,000 IP addresses of computers infected with spyware and ready and able to go into "bot" mode goes for $150 to $500. If you're in the black market for a list of 1,000 working credit card numbers, expect to fork over between $500 and $5,000. Some sites even will send you a couple of free numbers to test drive prior to purchase, Loveless says, while others have rating services of the different credit card number sellers, much like eBay. Prices were even cheaper for those numbers, although the price has increased since the U.S. Secret Service began Operation Firewall, an investigation that targets underground hacker organizations known as Shadowcrew, Carderplanet, and Darkprofits.
What do these black-hat hackers working for spammers make for their trouble? According to Loveless, the annual salary of a top-end, skilled black-hat hacker working for spammers is between $100,000 and $200,000. Not bad -- although if you are caught, legal costs will eat that up in a matter of weeks.

Apparently not all black-hat hackers are making the big bucks, however. I spoke recently with Dr. Bill Hancock, Savvis Communications' chief security officer and chairman of the FCC's National Reliability & Interoperability Council (NRIC) Homeland Security focus group on cyber-security, who says some black-hat hackers are wearing their hats under protest. Hancock had dinner with a hacker from Eastern Europe last year who said the Russian Mafia threatened his family if he did not perform work for them.

"I think it shows how serious and how difficult a problem this can be," he says.

Indeed, but it still pays to know your foe.

[1] http://www.infoworld.com/infoworld/article/05/01/21/04secadvise_1.html


From isn at c4i.org Tue Feb 1 04:05:23 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:56 2005
Subject: [ISN] REVIEW: "Modern Cryptography: Theory and Practice", Wenbo Mao

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKMDNCRP.RVW   20041207

"Modern Cryptography: Theory and Practice", Wenbo Mao, 2004, 0-13-066943-1, U$54.99/C$82.99
%A   Wenbo Mao
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2004
%G   0-13-066943-1
%I   Prentice Hall
%O   U$54.99/C$82.99 +1-201-236-7139 fax: +1-201-236-7131
%O   http://www.amazon.com/exec/obidos/ASIN/0130669431/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0130669431/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130669431/robsladesin03-20
%O   tl s rl 1 tc 3 ta 3 tv 0 wq 1
%P   707 p.
%T   "Modern Cryptography: Theory and Practice"

A "Short Description of the Book" states that it is intended to address the issue of whether various crypto algorithms are "practical," as opposed to just theoretically strong. This seems odd, since no algorithm is ready for implementation as such: it must be made part of a full system, and most problems with cryptography come in the implementation. The preface doesn't make things much clearer: it reiterates a "fit-for-application" mantra, but doesn't say clearly, at any point, why existing algorithms are not appropriate for use. The preface also suggests that this book is for advanced study in cryptography, although it states that security engineers and administrators, with special responsibility for developing or implementing cryptography, are also in the target audience.

Part one is an introduction, consisting of two chapters. Chapter one outlines the idea of the first "protocol" of the book: a "fair coin toss" over the telephone, grounding the book firmly in the camp of cryptography for the purpose of secure communications. The remainder of the chapter points out all the requirements to make such an unbiased selector work, acting as a kind of sales pitch or "come on" to make you want to read the rest of the book. The promotion is slightly flawed by the fact that there is very little practical detail in the material (it takes a lot of work on the part of the reader to figure out that, yes, this system might work), excessive verbiage, and poor explanations. The stated "objectives" of the chapter, given at the end, say that you should have a "fundamental understanding of cryptography": this is true only in the most limited sense. Chapter two slowly builds a kind of pseudo-Kerberos system.

Part two covers mathematical foundations.
Chapter three deals with probability and information theory, four with Turing Machines and the notion of computational complexity, five with the algebraic foundations behind the use of prime numbers and elliptic curves for cryptography, and various number theory topics are touched on in chapter six.

Part three addresses basic cryptographic techniques. Chapter seven deals with basic symmetric encryption techniques, touching on substitution and transposition, as well as reviewing the operations of DES (Data Encryption Standard) and AES (Advanced Encryption Standard). The insistence on converting all operations, and giving all explanations, in symbolic logic does not seem to have any utility, does not provide any clarity, and makes the material much more difficult than it could be. Asymmetric techniques, and attacks against them, are outlined in chapter eight. Finding individual bits of the message, a process examined in chapter nine, can, over time, result in an attack on the message or key as a whole. Chapter ten looks at data integrity, hashes, and digital signatures.

Part four deals with authentication. Chapter eleven reviews various conceptual protocols, pointing out (for example) that there is a serious problem of key storage for challenge/response systems. A variety of real applications are considered in chapter twelve, and warnings issued about each. Issues of authentication specific to asymmetric systems are covered in chapter thirteen.

Part five looks at formal approaches to the establishment of security. There is more asymmetric cryptographic theory in chapter fourteen. Chapter fifteen examines a number of provably secure asymmetric cryptosystems, while sixteen does the same for digital signatures. Formal methods of authentication protocol analysis are given in chapter seventeen.

Part six discusses abstract cryptographic protocols.
Chapter eighteen reviews a number of zero knowledge protocols, which provide the basis for authentication where the principals are not previously known to each other. The coin flipping protocol, initiated in chapter one, is revisited in chapter nineteen. Chapter twenty wraps up with a summary of the author's intentions for the book.

The book is certainly for advanced study, but it is hardly suitable for security administrators, professionals, or even engineers. The mathematical material is quite demanding, and is seldom explained (as opposed to the clear explanations of the implications of the math that are given in, for example, "Applied Cryptography" [cf. BKAPCRYP.RVW], or even the equally advanced but much more comprehensible "Algebraic Aspects of Cryptography" [cf. BKALASCR.RVW]). However, there are points in the material that could be useful for practical cryptographic systems, provided one is dealing primarily with authentication of communications, and the possibility of physical access is ignored. The text would have been much more useful if the author could have been induced to provide some of the basic explanations in English, rather than leaving the reader to work out the math.

copyright Robert M. Slade, 2004   BKMDNCRP.RVW   20041207

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy.
                                  - Christopher Dawson, The Judgment of Nations
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade


From isn at c4i.org Tue Feb 1 04:07:18 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:10:00 2005
Subject: [ISN] Iraq battle plan leak sparks overhaul of cybercrime-fighting techniques

Forwarded from: William Knowles

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,99397,00.html

By Paul Roberts
JANUARY 31, 2005
IDG NEWS SERVICE

The U.S. Department of Defense seized hundreds of computers and around 60TB of data as part of an investigation into how details of the U.S. invasion plan for Operation Iraqi Freedom were leaked to The New York Times, a Defense Department official said.

The investigation ended in 2003 without finding the source of the leak. But it has prompted changes within the department, which is developing software tools and investigative strategies for computer crime cases that involve large amounts of data, said Lt. Col. Ken Zatyko, director of the DOD's Computer Forensics Laboratory.

The investigation was prompted after details of the U.S.'s planned invasion of Iraq appeared in a series of newspaper articles in the Times beginning in July 2002. The articles revealed various details of the planned invasion and options that were being considered by military planners. Operation Iraqi Freedom was launched in March 2003.

The Times articles set off an intense effort within the DOD to discover the source of the leak. Hundreds of computer servers and desktop systems were seized at a number of locations, including U.S. Central Command at MacDill Air Force Base in Tampa, Fla., and from military bases in the Persian Gulf region, including the U.S. naval base in Bahrain, Zatyko said.

In all, about 60TB of data, including data stored on computer hard drives and other devices, was collected and brought back to the DOD's computer forensic lab at the Department of Defense Cyber Crime Center (DC3), he said.
One Times reporter was also subpoenaed for information pertaining to the leak, but that subpoena was quashed, according to Catherine Mathis, vice president of corporate communications at The New York Times Co. At DC3, a team of computer forensics investigators searched through the data looking for evidence -- such as an e-mail message or document transfer -- that would link a particular individual to a Times reporter, Zatyko said. Ultimately, the investigation failed, in part because of the challenge of sifting through the huge volume of data, he said. "It was a 'needle in the haystack' case," Zatyko said. "The challenge is to reduce all that data and hone in on the document that was sent to the reporter." The investigators did discover a number of versions of a presentation that contained information linked to the articles, as well as e-mail messages to reporters. However, they couldn't find evidence that the presentation or other sensitive information was sent to the Times, and DC3's investigation ended in late 2003 without finding those responsible for the leaks, Zatyko said. There are a number of possible explanations for why the investigation failed. The best explanation is that the information wasn't transferred digitally to the Times, Zatyko said. "They could have just printed it out and provided it [to the reporter] as a hard-copy document," he said. The failure to find the source of the leak shows that reporters and their sources are getting sophisticated about covering their trails using IT, said Bob Giles, curator of the Nieman Foundation for Journalism at Harvard University. "The people inside the government are being smart about how they're [leaking information] and not doing it in a way that's going to get them caught," he said. The DC3 is changing the way it conducts large computer forensic investigations in the wake of the case, Zatyko said. 
In particular, the DC3 has established a section of its lab and a team of examiners just to work on cases with large data sets, replacing ad hoc teams created to address case requests as they come in. DC3 is also using a combination of commercial forensic software and proprietary tools to comb seized data stored on large capacity storage-area networks and network-attached storage devices. The new DC3 approach replaced individual examiners working on separate workstations, which led to inconsistencies in the forensic examination process and duplication of effort between examiners, Zatyko said. With the Iraq battle-plan leak investigation closed at DC3, forensic investigators are trying out the new techniques on a more common source of large data set investigations: child pornography cases, he said. "We're focusing on the child-porn issue and moving out from there," Zatyko said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Wed Feb 2 06:09:18 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 2 06:14:19 2005 Subject: [ISN] Manhunt for Filipino hacker ensues Message-ID: Forwarded from: William Knowles http://news.inq7.net/infotech/index.php?index=1&story_id=26163 By Erwin Lemuel Oliva Feb 02, 2005 INQ7.net A MANHUNT for the alleged Filipino hacker of the government portal "gov.ph" and other government websites was launched after the suspect went into hiding, the police said Tuesday. Judge Antonio Eugenio of the Manila Regional Trial Court ordered the arrest of a certain JJ Maria Giner on January 24, 2005 for violating section 33a of the Electronic Commerce Law. Giner remains at large to date however. 
"He's now on top of our priority list," said Police Superintendent Gilbert Sosa of the Anti-Transnational Crime Division (ATCD) of the Philippine National Police Criminal Investigation and Detection Group (PNP-CIDG), in an interview. Sosa is also executive director of the Government Computer Security Incident Response Team (G-SIRT).

According to the arrest warrant, the court set bail for Giner at 25,000 pesos (440 dollars). The Department of Justice decided last month that there was enough evidence to file charges against him.

A copy of the DoJ's resolution, obtained by INQ7.net, revealed that Giner had admitted to hacking the government websites but indicated that he had no intention to "corrupt, alter, steal or destroy" files contained in the computer systems that were compromised.

The DoJ resolution indicated that Giner penetrated government websites of the National Economic and Development Authority, the National Book Development Board, the Philippine Navy, Dagupan City, as well as the web servers or computer systems hosting websites of the local Internet service provider Bitstop and UP Visayas Miagao in Iloilo.

Giner also launched attacks against the websites of the Office of the Presidential Management Staff in Malacañang, the Task Force on Security of Critical Infrastructure, the Professional Regulatory Board, the Department of Labor and Employment, and the Technical Educational and Skills and Development Authority, according to the DoJ resolution.

"It was discovered that the respondent attempted to penetrate the digital infrastructure of government agencies as well as private businesses. Several network infrastructure setups were first scanned by [Giner] for vulnerability exploits. Critical government infrastructure facilities were also probed. Allegedly, [Giner] listed all the possible attack scenarios and backdoor programs to penetrate the target systems," the resolution added.
In his counter-affidavit, Giner admitted to sending an e-mail to the National Economic and Development Authority (NEDA), informing the agency about the vulnerability of its website to hackers. With this admission, he argued that if he had the intention of destroying or corrupting the system, he would not have informed the agency.

The suspected hacker also denied launching a so-called "denial-of-service" attack on the Journal Group of Publications website that resulted in system overload of the computer system hosting it, his counter-affidavit said.

The DoJ resolution however said that Giner had clearly violated section 33a of the E-commerce Law (RA8792) because he was not authorized to access government websites. "Intention is not essential in this mode as mere unauthorized access is a violation of the law," the resolution said.

The DoJ resolution further revealed that Giner launched attacks from April 27, 2004 until May 7, 2004, three days before the country's national elections.

The resolution said that digital evidence gathered by the PNP's ATCD-CIDG Computer Crime unit indicated that Giner launched his attack from Internet addresses issued by Asia Pacific Network Information Center to Globe Telecom. When police further traced the IP addresses, they led to the U. P. Miagao campus in Iloilo, registered under the name of Efren Servento.

Police then found that the IP addresses were assigned to a Linux-based system that served as a "primary gateway" to almost 200 computers all over the U.P. Miagao network. Further probing this network led police computer investigators to the Information and Publications Office, and eventually to a computer used by alleged hacker Giner, who happened to be the webmaster and program developer of U.P. Miagao.
Giner's computer hard drive was seized and gave police "vital information" indicating what had transpired before and during the alleged network intrusion of the gov.ph portal and the Journal Group of Publications website, recounted the DoJ resolution.

A source privy to the case disclosed that the police almost lost Giner after some Globe employees allegedly informed U.P. Miagao of the ensuing police investigation. The same source added that Globe initially refused to cooperate with the police until it was issued a court subpoena.

Who is Giner?

The DoJ resolution further revealed that Giner is a contractual employee of U.P. Miagao but had access to the university's computer systems as webmaster. The DoJ resolution indicated that he comes from a middle-class family, his father a retired PC soldier and his mother a teacher. An outstanding student during his primary years, Giner was accelerated from grade III to grade IV. He graduated with a Bachelor of Science in Marine Fisheries at the University of the Philippines in the Visayas and had never been charged with any criminal offense.

According to a copy of his dossier obtained by INQ7.net, he has worked for Process Foundation-Panay, Inc. and the UP Visayas' Philippine Marine Transport Systems Project as research assistant. He also had evident skills in web development, database construction, model construction, and web interface development (HTML and JavaScript Programming), basic visual programming, MS Office applications, computer graphics design, and CRM Work. His other skills include First Aid and basic life support systems and scuba diving. His interests include fishes, gardening, cooking, computers, bio-toxins and poisons, arts (visual and music), underwater, coral reefs, islands. He speaks Hiligaynon, Kiniray-a, Filipino, English, and Cebuano.
According to the DoJ resolution, Undersecretary Abraham Puruganan, head of the Task Force for the Security of Critical Infrastructure (TFSCI), is the main complainant in the "gov.ph" hacking case. On May 3, 2004, he filed a case against Giner in behalf of several government websites attacked from April to May 2004. Other complainants include the Office of the President, the Department of Interior and Local Government, and PNP CIDG-ATCD.

Puruganan said the TFSCI has instructed the police to ask the Bureau of Immigration to issue a hold-departure order in case Giner decides to escape abroad.

From isn at c4i.org Wed Feb 2 06:09:41 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 2 06:14:21 2005 Subject: [ISN] Infighting Cited at Homeland Security Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A55552-2005Feb1.html By John Mintz Washington Post Staff Writer February 2, 2005

As its leadership changes for the first time, the Department of Homeland Security remains hampered by personality conflicts, bureaucratic bottlenecks and an atmosphere of demoralization, undermining its ability to protect the nation against terrorist attack, according to current and former administration officials and independent experts.

Although the 22-month-old department has vast powers over the lives of travelers, immigrants and citizens, it remains a second-tier agency in the clout it commands within President Bush's Cabinet, the officials said. Pockets of dysfunction are scattered throughout the 180,000-employee agency, they said.
There is wide consensus that the agency has made important strides in a number of areas, including establishing high-speed communications links with state and local authorities, researching sensors to detect explosives and biopathogens, and addressing vulnerabilities in the nation's aviation system. Its weaknesses, including scant progress in protecting thousands of U.S. chemical plants, rail yards and other elements of the nation's critical infrastructure, have received considerable public attention as well.

Less well known is the role that turf battles, personal animosities and bureaucratic hesitancy have played in limiting the headway made by the infant department, an amalgam of 22 federal agencies that Congress merged after the Sept. 11, 2001, attacks, officials said.

* The department made little progress protecting infrastructure because officials spent much of their time on detailed strategic plans for that task and believed they were technically prohibited by law from spending money on most such efforts. Others in government disagreed, and DHS officials did not reword the technical legal language until recent months.

* Two arms of the department gridlocked over efforts to secure hazardous chemicals on trains -- one of Congress's most feared terrorist-attack scenarios.

* Lengthy delays in deciding which agency would take the lead in tracking people and cargo at U.S. ports of entry resulted from similar disputes. Efforts to develop tamper-proof shipping containers were among the initiatives stalled.

* The department's investigative arm, Immigration and Customs Enforcement (ICE), has operated under severe financial crisis for more than a year -- to the point that use of agency vehicles and photocopying were at times banned. The problem stems from funding disputes with other DHS agencies.

Richard A. Falkenrath, who until last May was Bush's deputy homeland security adviser, said many officials at the department were so inexperienced in grasping the levers of power in Washington, and so bashful about trying, that they failed to make progress on some fronts.

"The department has accomplished a great deal in immensely difficult circumstances, but it could have accomplished even more if it had had more aggressive and experienced staff," said Falkenrath, now a fellow at the Brookings Institution. "It would have done better if it had been less timid, less insular and less worried about facing down internal and external opposition."

"This department is immensely powerful in society, given its central role in foreign trade, immigration and transportation," he added. "But it is far less powerful in interagency meetings and the White House situation room."

Michael Chertoff, a federal appeals court judge who is Bush's nominee to succeed the department's first secretary, Tom Ridge, begins confirmation hearings today. He has been described as a no-nonsense administrator who would not hesitate to intercede in turf wars or get tough with recalcitrant bureaucrats.

Growing Pains

Homeland Security leaders accept many of the criticisms of the department's performance by government officials and experts but reject others as unfair.

"Nobody fully understands the complexity of our task: to build a department out of 22 agencies, operate it, reorganize it, and design and build networks and systems that will defend the nation in perpetuity," said Ridge, who stepped down yesterday.

Ridge is widely credited with managing the first phase of the most complicated government reorganization since the 1940s. But the former Pennsylvania governor also is noted for having a politician's desire to please all comers, which resulted in some policy quandaries remaining unaddressed for long periods, officials and experts said.
Top DHS officials point out that much of their time has been spent crafting eight huge internal initiatives. Finished in some cases only in recent weeks, they map out the department's new information technology, payroll, personnel, procurement and other systems. Among other time-consuming initiatives were laying out new doctrines for counterterrorism preparedness that assigned the responsibilities of many agencies before and after an attack. Almost all this work, which involved tedious vetting by dozens of agencies, is now complete, but it was invisible to the public and will yield results only in the future, officials said. "These are a family of plans coming into play that's received virtually no publicity," said retired Coast Guard Adm. James M. Loy, deputy secretary of homeland security, who is widely described as the department's strongest manager. "When he comes, we want to say, 'Judge Chertoff, here is the strategic plan.' " All the while, Homeland Security has had to contend with the daily demands of searching air travelers, patrolling harbors, protecting the president, distributing threat warnings to state and local agencies, and many other duties. But several current and former officials said the department remains underfinanced and understaffed and suffers from weak leadership. "DHS is still a compilation of 22 agencies that aren't integrated into a cohesive whole," said its recently departed inspector general, Clark Kent Ervin, who released many critical reports and was not reappointed after a falling-out with Ridge. Asked for examples of ineffectiveness, he replied: "I don't know where to start. . . . I've never seen anything like it." Ervin cited a report from his office last month that DHS immigration inspectors had continued to let dozens of people using stolen foreign passports enter the United States -- even after other governments had notified the agency of the passport numbers. 
Using stolen passports is a well-known tactic of al Qaeda operatives. Even when immigration officials realized someone had entered the United States on a stolen passport, they did not routinely notify sister agencies that track illegal immigrants, the report said. When officials made missteps such as this, Ridge rarely intervened, Ervin said. "Tom Ridge is a prince of a man, but he's not a tough guy," he said. "Nobody's kicking anybody to do things" at Homeland Security, said Seth Stodder, former policy and planning director at the department's Customs and Border Protection agency. "There's a reluctance to make decisions that will be unpopular with the loser, so things just drift." Stodder and other government officials said the department's main problem is that, under pressure from the White House to keep staffing lean, it lacks a policy staff to study its largest strategic challenges. The Pentagon, by contrast, has 2,000 people doing that, he said. "It's very thinly staffed at the top of DHS, and there's no policy vision . . . thinking through the main threats," Stodder said. In the absence of such strategic thinking, he added, "DHS practices management by inbox, getting distracted by daily emergencies" such as a congressman's complaint about a late-arriving passport. Acknowledging that the lack of a policy staff was a mistake, DHS officials say one will be launched within days. Infrastructure Protection One of the department's biggest failings is its performance securing the U.S. infrastructure, some members of Congress and administration officials said. Fifteen people declined requests to apply for the undersecretary job supervising this area, and the person who took it, retired Marine Lt. Gen. Frank Libutti, was not confirmed until 2003. Libutti was unfamiliar with Washington's ways, as was his subordinate who directly oversaw infrastructure, former Coca-Cola Co. executive Robert P. Liscouski. 
Both became distracted by small bureaucratic obstacles they could have surmounted, other officials said.

Members of Congress and others in the administration have expressed frustration at what they say are lengthy delays in producing a list of vulnerable infrastructure sites. Officials involved in infrastructure protection said some of the delays were caused by Liscouski, who, they said, at times failed to coordinate with others working on the matter. He has had several bitter arguments with members of Congress and their staffs, they said.

Finally, the infrastructure division was at times distracted by arguments between camps of officials pressing the competing agendas of firms or other agencies offering plans to secure plants and landmarks, officials said.

Liscouski denied that any such disputes distracted his office, and he denied failing to meet with colleagues. He said he met continually with them and had "an open-door policy." He disputed suggestions that his office dragged its feet in securing or preparing lists of infrastructure sites. "We worked with a sense of urgency, and we made significant progress," he said. "But this work had never been done before, and it was hard."

Liscouski said that until the past few months, technical language in DHS budgets barred his office from spending money on chemical plants and other sites. Department officials said that within days they will announce distribution of $92 million, the first large expenditures for these purposes. The money will be given to states by a separate DHS bureaucracy.

The infrastructure office also has been hobbled by turf fights. Another DHS agency -- the Transportation Security Agency (TSA), with 45,000 airport screeners -- said that a sentence in a budget law established it as overseer of security on trains, including ones moving dangerous chemicals. Hassles between TSA and infrastructure officials slowed progress, including efforts to secure chemicals that travel on tracks near the U.S. Capitol, for a year, officials said.

"I'm sorry to say, since 9/11 we have essentially done nothing" to secure chemical plants and trains carrying chemicals, Falkenrath told Congress last week. "This [issue] stands out as an enormous vulnerability we had the authority to address."

The TSA's claims that it supervises all transportation security also led to fights with DHS agencies that handle immigration and customs. The struggles delayed progress for a year on developing anti-tampering technology for shipping containers and deciding which databases to use to track foreigners and cargo entering the country, officials said. The fighting amounted to "a civil war within the U.S. government," one former official said.

Eventually Ridge decided that the TSA should not lead the way on these issues. But an authoritative study released in December by the Center for Strategic and International Studies and the Heritage Foundation concluded that the TSA's actions led to years-long "policy impasses." It said the DHS section that oversees the agencies involved, and which refereed the struggles -- Border and Transportation Security -- was "not particularly effective" in straightening it out.

Several officials described the undersecretary for Border and Transportation Security, former representative Asa Hutchinson (R-Ark.), as a consensus-builder who had difficulty demanding an end to the turf fights. Especially troublesome was a personality conflict between the affable Hutchinson and one of his subordinates, Robert C. Bonner, the aggressive head of Customs and Border Protection, whose airport and seaport inspectors investigate people and cargo.

"There were knock-down, drag-out meetings every day" between leaders in some parts of the department, said Loy, who added that "management styles can pour gasoline" on such arguments. But he said the fights are now resolved.
Asked about conflicts with Bonner, Hutchinson said: "I'd be enormously disappointed if I didn't have agency leaders who leaned forward and fought for their agencies." But, he added, "people who work under me know I make decisions." Through a spokesman, Bonner declined to comment. Loy, who once ran the TSA and will step down March 1, said the Homeland Security Department is fated to be criticized for its public failures, such as creating long lines at airports, and rarely praised for its success protecting the country. "Most of the publicity is bad, but that's the nature of our work," he said. "We operate in a fishbowl." From isn at c4i.org Wed Feb 2 06:10:14 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 2 06:14:23 2005 Subject: [ISN] RealPlayer and IE exploited Message-ID: http://www.theinquirer.net/?article=21042 By Nick Farrell 02 February 2005 AN EXPLOIT that takes advantage of holes in Real Player and IE has been released on the web. According to an advisory issued by the security outfit Secunia, RealMedia (.rm) files can open local files in the browser built into RealPlayer. This means a malicious website can load a local HTML document in a local context by using a re-written RealMedia file. The flaw exists on version 10.5 (build 6.0.12.1056) of RealPlayer but other versions could be affected as well. There is a workaround for the problem. You have to avoid opening RealMedia files from an untrusted source and restrict such files from being opened automatically from within browsers. So, not much that can be done then. 
From isn at c4i.org Wed Feb 2 06:10:26 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 2 06:14:25 2005 Subject: [ISN] Hackers break into Zimbabwe government website Message-ID: http://www.newzimbabwe.com/pages/email5.12221.html By Staff Reporter 02/01/2005 ZIMBABWEAN intelligence officials were investigating a major security breach this week after two computer wizards from the UK hacked into the government's website forcing it to go offline. New Zimbabwe.com was alerted to the breach by the hackers from Leicester, England. "The idea was to hack into the website and replace everything on there with slogans like 'Robert Mugabe is a tyrant'," one of the hackers told New Zimbabwe.com by telephone last night. "We were about to achieve our goal when the whole thing crashed," the hacker who has asked to remain anonymous said. "We will keep trying, the security is clearly lax." The government website http://www.gta.gov.zw is now offline and has been replaced by a server advert from the computer giant Microsoft. An intelligence source within the CIO's telcoms unit told New Zimbabwe.com last night: "This is a very serious security breach. We are trying to establish how this came about and we are treating it very seriously. The internet has become a major source of irritation for the government and the President has admitted as much." The government recently announced moves to monitor e-mails. The plan is for all internet service providers in Zimbabwe to forward to government any e-mail communications "likely to incite or cause alarm, fear or despondency" under the country's draconian Public Order and Security Act. At least two people have been arrested and charged. 
However, President Robert Mugabe's bid to play Big Brother has already suffered a major setback after the Supreme Court, sitting as a full bench, declared as unconstitutional legal provisions that give the President powers to eavesdrop, including the powers to intercept mail, telephone conversations and other such electronic telecommunications devices.

The superior court upheld contentions by the Law Society of Zimbabwe (LCZ), a grouping of lawyers, who had filed the constitutional application arguing that the presidential powers provided for by the Posts and Telecommunication (PTC) Act violated section 20 of the Constitution.

The lawyers were challenging sections 98 and 103 of the PTC Act, which give the president powers to intercept mail, telephones, e-mail and any other form of communication. The Act also gave powers to the president to give any directions to a licensee requiring him or her to do or not to do a particular specified action.

From isn at c4i.org Wed Feb 2 06:10:50 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 2 06:14:28 2005 Subject: [ISN] State computer worker says 'hacking' justified Message-ID: http://www.2theadvocate.com/stories/020205/new_hacking001.shtml By ADRIAN ANGELETTE Advocate Staff Writer 02.02.05

A state computer worker testified Tuesday that he did nothing wrong when he used the identifications of other state workers, including his boss, to gain access to computer files and to raise his access level in state computer systems.

Andrew Mata, 44, claims he was not given the correct access level when he started work with his new job at the state and he used another computer worker's identification to set his access level to where he thinks it should have been.

Mata also admitted getting into files that pertained to an investigation that ultimately led to his indictment. Mata testified that his new boss, John Pourciau, instructed him to find out what he could about the investigation.
Mata has been on trial for more than a week on a charge of offenses against intellectual property. Mata testified that he was hired by the Louisiana Department of Health and Hospitals to be the administrator of the computer system that handled Medicaid for the state. Mata had worked at the state Department of Social Services before leaving for the Health and Hospitals job. Shortly after starting the job at Health and Hospitals, Mata testified that he tried to start work and thought he would have the same security clearances as he had with the Social Services. Mata testified he discovered a computer worker with Social Services, Bobby Collins, had lowered his access level. Prosecutor Mark Pethke said Mata used Collins' computer system identification to enter a "back door" of the system and raise his access level to that of an administrator -- a move that granted Mata broad access into Social Services systems. Mata testified that he did not consider this to be hacking into the state computer system, as prosecutors allege, because the program he entered was still in the testing phase and there was no data stored on the program at the time. "It's a test system. You are supposed to try to break it. If it breaks you fix it or go find something to replace it with," Mata testified. Pethke contends that Social Services workers kept removing Mata's elevated access clearance because he was no longer a Social Services employee and he wasn't supposed to have access to many sensitive files the office maintains. Mata testified he worked for Social Services for about 10 years and left the agency on good terms. He said he does not understand why Social Services employees were monitoring his actions just four days after he started his new job with Health and Hospitals. The investigation of Mata began in the spring of 1999. Mata testified that he needed the access because of Y2K problems that the state was concerned about at the time. 
Mata testified that the investigation and its consequences have been stressful on him and his family. "I want to clear my name and move on," Mata testified.

The charge of offenses against intellectual property carries a penalty of up to five years in prison and a fine of up to $10,000.

Mata was the last person to testify Tuesday in the trial. State District Judge Richard Anderson recessed the trial until today. When the trial resumes, Pethke and defense attorney Lewis Unglesby will make their closing arguments. Jurors are expected to get the case after lunch today.

From isn at c4i.org Thu Feb 3 01:09:51 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:03 2005 Subject: [ISN] Theft of SAIC Computers Containing Stockholder Personal Information Message-ID: http://www.saic.com/cover-archive/announce/012805.html

SAIC was victim to a break-in at one of its corporate facilities on January 25, 2005, and several personal computers were stolen that contained personal information on current and former stockholders. The facility where the break-in occurred serves in an administrative capacity and is not used for performance on any of our government or commercial contracts.

SAIC filed a police report with San Diego authorities to report the theft and continues to fully cooperate with law enforcement officials to apprehend those individuals responsible and to attempt to recover the stolen property. We have no evidence that the thieves have accessed any personal information on these computers or that the purpose of the crime was identity theft, but we are notifying current and former stockholders as a precaution.

We want to emphasize how strongly we regret this occurred and how deeply concerned we are about the inconvenience and the concern this is causing among our stockholders. The company has attempted to responsibly and proactively deal with this situation, and we recognize the importance of rapid response for our stockholders.
Besides using multiple means to notify those affected, such as e-mail to employee stockholders, as well as those retirees and alumni for whom we have e-mail addresses, we have also established a 24/7 help desk to assist employees and stockholders who might have questions or need assistance. We are implementing a program to make other resources, information and assistance available to our stockholders, including providing guidance on simple actions they can take to minimize the risk of identity theft. Again, we are troubled that this event occurred but are working round-the-clock to mitigate any impact on our stockholders.

Information for Current and Former Stockholders

We are taking the precaution of alerting you because the stolen computers contained personal information of current and former stockholders, including name, social security number, address, telephone number and stockholder records, including shares bought, sold and held.

SAIC has established several resources to assist you. We have set up a prerecorded message for general information on this situation and answers to common questions regarding identity theft, at (888) 826-7377. If you have questions that are not covered in the recorded message, we have also set up a 24/7 Help Desk at (866) 478-0433. Those working outside of the United States should call (703) 676-5200.

It is recommended that all current and former stockholders contact one of the three major credit bureaus at the phone numbers listed below to place a temporary fraud alert (90 days) on their credit file, at no charge, as a precautionary measure. Experian also allows you to place a fraud alert online at experian.com (www.experian.com). Both processes are extremely simple and should not take more than a couple of minutes. A fraud alert warns creditors to contact you before opening any new accounts or changing information on your existing accounts.
Placing a fraud alert on your credit file will automatically result in notification to the other two credit bureaus.

Equifax: 800-525-6285
Experian: 888-397-3742
TransUnion: 800-680-7289

All three credit bureaus will send copies of your credit report to you, upon request. When you receive your credit reports, look them over carefully for accounts you did not open, inquiries from creditors that you did not initiate, and inaccurate personal information. Even if you do not find any signs of fraud, it is recommended that you keep your fraud alert in place and check your credit reports every three months for the next year.

If you should see anything you do not understand or find suspicious in your credit report, call the credit agency and your local police or sheriff's office to file a report of identity theft. You should also notify SAIC's Stockholder Help Desk at (866) 478-0433. The Stockholder Help Desk will provide information on additional resources that the Company will provide to any victims of identity theft, including the services of a company specializing in assisting victims of identity theft.

Additional information on how best to respond to a possible identity theft is available at the federal government's central website for identity theft information (http://www.consumer.gov/idtheft) and at the California Attorney General's website (http://www.caag.state.ca.us/idtheft/tips.htm).

Your patience and continued confidence in SAIC is greatly appreciated.
Related Information

* Federal Trade Commission: ID Theft Resources (http://www.consumer.gov/idtheft)
* California Attorney General's website (http://www.caag.state.ca.us/idtheft/tips.htm)
* Equifax (www.equifax.com)
* Experian (www.experian.com)
* TransUnion (www.transunion.com)

From isn at c4i.org Thu Feb 3 01:11:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:05 2005
Subject: [ISN] Microsoft seeks security cooperation
Message-ID:

http://www.fcw.com/fcw/articles/2005/0131/web-mssec-02-02-05.asp

By Brian Robinson
Feb. 2, 2005

Microsoft officials have launched a program to create a community of governments at all levels worldwide to share information and conduct joint projects on network and information technology security. The program's goal is to more effectively handle viruses, worms and other incidents.

Initial members of the Security Cooperation Program (SCP), announced by Bill Gates at Microsoft's Government Leaders' Forum in Prague, Czechoslovakia, are the governments of Canada, Chile, Norway and the United States, along with various state and local entities.

The first challenge will be to obtain the trust relationships necessary for sharing information across national and governmental boundaries, said Stuart McKee, Microsoft's national technology officer, in an interview with Federal Computer Week. "The ability to share critical information is pretty low right now," he said. "Trusted relations [with another entity] is critical to both running and improving the security infrastructure."

SCP members will have immediate access to Microsoft's incident response center, McKee said. During an incident, they will have real-time contact with Microsoft engineers and incident response engineers. Following an event, a feedback loop will be established to evaluate what happened, how effective the response was and what can be done to make it better the next time, McKee said.
SCP participants will use all means of communication, including phones, e-mail, fax, text-messaging and collaboration tools such as Microsoft's SharePoint so they can do such things as post documents securely, he said.

Delaware is one of the early state participants. The program could be a major boost to the state officials' attempts to handle their security problems, said Tom Jarrett, Delaware's chief information officer. Delaware is a heavy user of Microsoft products, he said. The state has its own security experts, but they don't have the specific expertise that Microsoft officials can offer.

"We want to move out of a reactive environment" to security incidents, Jarrett said. "So anything that helps us to affect things on a more proactive basis is very good for us."

Based on discussions he's had with Microsoft officials about SCP, Jarrett said Delaware should quickly reap some benefits, particularly concerning core security issues, through access to Microsoft's security experts. "Traditionally we haven't had that level of access," he said.

At least at the beginning, SCP outreach will be a major activity, McKee said. "The most important thing we can do is increase awareness about the need to focus on security as a critical business and government issue," he said. "Also to stress the fact that people also need to focus on it when they are not in the middle of an incident."

If SCP membership balloons, there could be management problems, McKee said. But he said Microsoft officials would be ecstatic if such a large community evolved. "It will be a great problem to have," he said.

Robinson is a freelance journalist based in Portland, Ore.
He can be reached at hullite at mindspring.com

From isn at c4i.org Thu Feb 3 01:11:35 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:07 2005
Subject: [ISN] Rowling to Potter fans: Watch out for phishing scams
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99442,00.html

By Paul Majendie
FEBRUARY 02, 2005
REUTERS

Author J.K. Rowling is warning Harry Potter fans to watch out for Internet fraudsters claiming to be selling electronic copies of her latest wizard saga -- they are trying to steal bank and credit card details.

In the latest phishing scam, fans were asked to hand over financial information to pay for a supposed copy of Harry Potter and the Half-Blood Prince, which is to be published on July 16.

"Please, please protect yourselves, your computers and your credit cards and do not fall for these scams," the writer said, after her lawyers succeeded in closing down a fraudulent Web site that offered the latest Potter book in electronic form.

Rowling, whose tales of a teenage wizard have turned her into a multimillionaire and revived children's passion for reading, warned that the scam artists could reappear.

"I would bet the original manuscript of Harry Potter and the Half-Blood Prince itself that this will not be the last attempt to con HP fans before publication of the book," she said on her official site.

Telling fans never to trust anyone who offers downloads of Potter books, Rowling said they could be laid open to computer viruses or hackers.

"The only genuine copies of Harry Potter remain the authorized traditional book or audio tapes/cassettes/CDs distributed through my publishers," she said.

Phishing frauds have become common over the past two years as more consumers have begun to do personal banking on the Internet. Banks advise their customers to be wary of any e-mail asking for personal details. Police suspect that organized crime gangs from Eastern Europe are the main culprits.
Rowling's copyright lawyer, Neil Blair, told Reuters, "They were asking for money and people's credit cards. This was a phishing scam."

Blair, who monitors the Internet for copyright infringements for Rowling, said, "We spotted it and also heard from a fan site called The Leaky Cauldron, which had alerted us. We got it shut down very quickly."

According to Blair, Rowling has never granted licenses for electronic versions of any of her books.

From isn at c4i.org Thu Feb 3 01:11:50 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:09 2005
Subject: [ISN] Hacker 'Mudge' Returns to BBN
Message-ID:

http://www.eweek.com/article2/0,1759,1758913,00.asp?kc=EWRSS03119TX1K0000594

By Dennis Fisher
February 2, 2005

Security industry veteran and itinerant hacker Peiter Zatko decided this week to rejoin Internet pioneer BBN Technologies Inc. as a research scientist.

Better known in security circles as Mudge, Zatko was one of the founding members of the L0pht Heavy Industries hacking team that later became the technical heart of @stake Inc. He left @stake several years ago and stayed away from the security industry for a while before resurfacing last year as the founding scientist at Intrusic Inc., a Waltham, Mass., startup.

At BBN, Zatko is getting back to his roots in a sense. He worked at BBN in the 1990s, before joining @stake. BBN is a research and development firm that specializes in advanced security and networking projects. The company is best known as the contractor that built the ARPANET, the predecessor of today's Internet, for the U.S. Department of Defense. It has gone through several iterations since then but still does a large amount of government work as well as working with enterprises.

Zatko gained a reputation in the late 1990s as not only a talented hacker, but also as a straight shooter unafraid to tell bureaucrats and executives what he thought of their security efforts.
His penchant for delivering unvarnished opinions made him a sought-after consultant and speaker, both in the security industry and in Washington. Called to testify along with several other L0pht members before a Senate committee in 1998, Zatko famously told the senators that he or any of his cohorts could take down the Internet in a half hour.

From isn at c4i.org Thu Feb 3 01:12:03 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:11 2005
Subject: [ISN] Spammers 'tricking ISPs' into sending junk mail
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39186364,00.htm

Dan Ilett
ZDNet UK
February 02, 2005

Spam levels are about to skyrocket, according to experts who warned this week that spammers have developed a new way of delivering their wares.

According to SpamHaus -- an anti-spam organisation which compiles blacklists blocking eight billion messages a day -- a new piece of malware has been created that takes over a PC and then uses it to send spam via the mail server of that PC's Internet service provider. This means the spam appears to come from the ISP, making it very hard for an anti-spam blacklist to block it. Previously, these zombie PCs have been used as mail servers to send spam emails directly to recipients.

"The Trojan is able to order proxies to send spam upstream to the ISP," said Steve Linford, director of SpamHaus. Linford believes that this Trojan was written by the same people who write spamming software.

Reports suggest that ISPs in the US have already been hit. "We've seen a surge in spam coming from major ISPs. Now all of the ISPs are having large amounts of spam going out from their mail servers," said Linford. This will cause serious problems for email infrastructures as it is impractical to block domain names from large ISPs.
Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all email to around 95 percent within a year.

"The email infrastructure is beginning to fail," Linford warned. "You'll see huge delays in email and servers collapsing. It's the beginning of the email meltdown."

Linford said that ISPs need to act fast to take control of the problem. "They've got to throttle the number of emails coming from ADSL accounts. They are going to have to act quickly to clean incoming viruses. ISPs have so much spam -- they are too understaffed to call people up and tell them they have Trojans on their machines. And no one would know what you're talking about."

ISPs BT and Thus didn't respond to requests for comment on this issue.

Anti-spam company MessageLabs confirmed Linford's findings. "This ups the ante in the need for filters," said Mark Sunner, chief technology officer for MessageLabs. "It makes it more difficult for people who compile black lists, which is why spammers are doing this. It will put more pressure on ISPs to take greater interest in the traffic they carry and filter at source."

The Information Commissioner's Office, the UK's point of call to report about spam, said it had received no complaints of bulk spam from ISPs. A statement from the ICO said, "As you are aware the ICO's role is to enforce the regulations (the Privacy and Electronic Communications (EC Directive) Regulations 2003. If it receives complaints regarding spam, the ICO needs to establish the source of the spam to take action. The ICO then contacts the company concerned."
From isn at c4i.org Thu Feb 3 01:12:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:13 2005
Subject: [ISN] Root kit surfaces after Jabber attack
Message-ID:

http://www.theregister.co.uk/2005/02/02/jabber_attack/

By John Leyden
2nd February 2005

The Jabber Software Foundation (JSF) - the open source instant messaging organisation - has advised developers to check their code, after discovering that a hack attack against its website was more serious than first suspected.

An audit conducted on JSF's web servers after an intrusion two weeks ago revealed a root kit on a machine hosting both the jabber.org website and the JabberStudio service. Subsequent investigations revealed the machine (hades.jabber.org) had been compromised for more than a year. The affected machine has been rebuilt and fully locked down.

Dynamically generated pages were disabled on the site and the JabberStudio service was temporarily suspended as a precaution after JSF detected the January assault. JSF Executive Director Peter Saint-Andre said in a recent update that Jabber.org will restore its website to normal operation when it is satisfied that there is no security risk. Developers are urged to validate their code as a precaution. However, evidence suggests that other servers in the jabber.org infrastructure (such as the production Jabber server or the mailing list server) were unaffected by the security breach. Neither does much mischief seem to have been perpetrated on the compromised server.

It's rare, but not unprecedented, for malicious hackers to load backdoors onto the web servers of application developers. Crackers owned the primary file servers of the GNU Project for five months in 2003, the Free Software Foundation admitted. In May 2001, infamous cracker Fluffy Bunny bragged that he had compromised the systems of the Apache Project. In October 2000, Microsoft's systems were comprehensively compromised by a cracker using the QAZ Trojan.
Weeks later Microsoft's core web sites were again 0wn3d in an attack that went beyond the usual web page defacement.

From isn at c4i.org Thu Feb 3 01:16:17 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:16 2005
Subject: [ISN] Security UPDATE -- Windows 2000 Support; IE; Spyware Study -- February 2, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Service Account Manager for your Data Center
http://list.windowsitpro.com/t?ctl=85C:4FB69

Email Encryption and Compliance: The Answer to an Email Admin's Worst Nightmare
http://list.windowsitpro.com/t?ctl=841:4FB69

====================

1. In Focus: Windows 2000 Support; IE; Spyware Study

2. Security News and Features
- Recent Security Vulnerabilities
- MCI to Acquire NetSec
- SonicWALL Extends Managed Security Services Partner Program
- Microsoft to Require Legitimate Windows for Downloads
- IronPort C30

3. Security Matters Blog
- New Updates for Ethereal and Snort
- Need Help Automating Configuration of Routers and Firewalls?

4. Security Toolkit
- FAQ
- Security Forum Featured Thread

5. New and Improved
- Speedier Authentication

====================

==== Sponsor: Lieberman Software ====

Service Account Manager for your Data Center
Most organizations don't update all their service accounts regularly. Reason: it's too hard to do reliably with the built-in tools Microsoft provides (scripts don't make it much better). Lieberman Software's product: "Service Account Manager" has been reliably handling the most complex service account management issues of major corporations and government agencies since 1998. Complex issues such as service dependencies, logon cache, rights and memberships are handled easily.
Try it for free on 10 systems for 30 days by going to our web site. Or, contact us for an on-line demo.
http://list.windowsitpro.com/t?ctl=85C:4FB69

====================

==== 1. In Focus: Windows 2000 Support; IE; Spyware Study ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you know, Microsoft's blanket support for Windows NT Server has ended. The company will cease to provide online support of the product on January 1, 2007. However, Microsoft has released updates that apply to Windows NT components. For example, the company included an update for Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1) for Windows NT systems in its monthly security update release for January. You can read more about Windows NT support at the following URL:
http://list.windowsitpro.com/t?ctl=848:4FB69

Microsoft recently announced that it will end standard support, including nonsecurity hotfixes, for Windows 2000 Server on June 30. Paid mainstream support will be available beginning on that date; paid extended support can be obtained until June 30, 2010. Security hotfixes will continue to be available, free for everybody, until March 31, 2007.
http://list.windowsitpro.com/t?ctl=84D:4FB69

The company also recently said that it will release no new version of IE until the next version of Windows, code-named Longhorn, becomes available. Longhorn is currently scheduled for some time in 2006, but there are no guarantees that it will in fact be released then. Those of you who want an enhanced version of IE with better security, similar to the one in Windows XP SP2, will have to use third-party browser enhancements to bolster IE's functionality.

As you know, Microsoft recently released a beta version of an antispyware solution that's based on the technology of GIANT Company Software, which Microsoft recently purchased. You can download a copy at the Microsoft Security at Home Web site.
http://list.windowsitpro.com/t?ctl=84A:4FB69

My December 2, 2004 commentary, "A Flurry of Enterprise Spyware Solutions," provides a comprehensive list of the available and upcoming enterprise antispyware solutions.
http://list.windowsitpro.com/t?ctl=853:4FB69

Just before I wrote that article, I found a useful study of various antispyware packages, but I failed to bookmark the site and lost track of it for a while. I recently came across the site again, and I think you'll find it very interesting. The site, Spyware Warrior, has a blog, forums, lists of products to avoid that contain spyware, and the study, by Eric L. Howes, that offers lots of valuable information about how various antispyware solutions perform.
http://list.windowsitpro.com/t?ctl=85F:4FB69
http://list.windowsitpro.com/t?ctl=85A:4FB69

Howes says that the GIANT/Microsoft solution is among the best at detecting and removing various forms of spyware--good news for people who want to use a Microsoft solution. Howes' report explains his methodology and contains loads of data and test results gathered during various phases of testing in October 2004. Among his findings are that no one antispyware solution removes all forms of spyware, that even the best performers miss a quarter of spyware-related files and registry entries, and that prevention is preferable to removal.

====================

==== Sponsor: Postini ====

Email Encryption and Compliance: The Answer to an Email Admin's Worst Nightmare
New regulations, legal liability issues and evolving threats have recently bumped the issue of secure email transmission to the top of IT security managers' "To Do" list. In this free white paper you'll learn how simple and cost effective it is to implement TLS-based secure email transmission. Download this whitepaper now to find out how to support the dual goals of securing email transmission while preserving the administrator's ability to filter out spam, viruses and prevent email content policy violations.
http://list.windowsitpro.com/t?ctl=841:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=84B:4FB69

MCI to Acquire NetSec
MCI will acquire NetSec for approximately $105 million in cash. A joint press release says that MCI will combine its network intelligence with NetSec's managed security services and premise-based intelligence to create an expanded suite of offerings targeted at businesses and governments.
http://list.windowsitpro.com/t?ctl=855:4FB69

SonicWALL Extends Managed Security Services Partner Program
SonicWALL announced changes to its Managed Security Services Partner (MSSP) program that will give resellers a boost in establishing and building their managed services infrastructures.
http://list.windowsitpro.com/t?ctl=854:4FB69

Microsoft to Require Legitimate Windows for Downloads
by Paul Thurrott
Microsoft announced a roadmap for moving to a future in which Windows users must prove that their OSs aren't pirated before they can download any software from Microsoft.com or Windows Update. The plan, dubbed Windows Genuine Advantage, is being phased in over time, although Microsoft will continue to let even pirated Windows versions download critical security patches through Automatic Updates.
http://list.windowsitpro.com/t?ctl=857:4FB69

IronPort C30
By David Chernicoff
IronPort Systems' IronPort C30 is a midrange email-security appliance for small-to-midsized businesses (SMBs). The appliance supports spam detection, virus protection, and content filtering, but what sets it apart are two advanced features: IronPort Reputation Filters and IronPort Virus Outbreak Filters.
http://list.windowsitpro.com/t?ctl=856:4FB69

====================

==== Resources and Events ====

Free eBook!
Keeping Your Business Safe from Attack: Passwords and Permission
Master password and permissions basics with our newest free eBook and discover how to prevent most vulnerabilities and exploits with Microsoft's new tools. Firewalls, antivirus software, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can all fail--but a strong permissions and authentication defense is priceless. Get the latest chapter now!
http://list.windowsitpro.com/t?ctl=843:4FB69

Encryption and Certificate Services eBook
In this new eBook, get the information you need to best deploy Windows Public Key Infrastructure (PKI) services in your IT environment. This free book explains the key components, concepts, and standards behind PKI and provides insight into how to put a Windows-rooted PKI into operation and how to keep it operational. Get the eBook now!
http://list.windowsitpro.com/t?ctl=842:4FB69

Fax Servers: Integrate. Automate. Communicate
Join industry expert David Chernicoff in this free Web seminar to learn the best way to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook; improve document handling and delivery; and more. You'll receive a complimentary 30-day software evaluation, whitepaper, and Starbuck's gift card just for attending! Register now.
http://list.windowsitpro.com/t?ctl=845:4FB69

Is Your Messaging Infrastructure Ready for Tomorrow's Risks?
Join industry security expert Randy Franklin Smith as he reveals the hottest security trends in the industry. Find out how SPIM, spyware, phishing, and malware evolve and become the latest threats for industrial espionage. You'll learn which kinds of attacks companies are reporting in increased numbers and the commonly held misconceptions about Microsoft security patches. You'll also discover how secure content management solutions (SCMs) can help your company defend against business and network integrity threats. Register now and ensure enterprisewide protection!
http://list.windowsitpro.com/t?ctl=844:4FB69

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=85B:4FB69

Check out these recent entries in the Security Matters blog:

New Updates for Ethereal and Snort
Two popular open-source security tools, Ethereal and Snort, were recently updated. The latest version of Ethereal is 0.10.9, and the latest version of Snort is 2.3.0. If you use these tools, be sure to check out the latest versions, which undoubtedly contain bug fixes and improvements.
http://list.windowsitpro.com/t?ctl=851:4FB69

Need Help Automating Configuration of Routers and Firewalls?
I found a really slick tool that can help you automate configurations for Cisco routers, Cisco PIX firewalls, and Linux iptables and ip routes. It's called NetSPoC, which I believe is short for Network Security Policy Compiler.
http://list.windowsitpro.com/t?ctl=850:4FB69

==== 4. Security Toolkit ====

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=858:4FB69

Q: Does Windows XP Service Pack 2 (SP2) have an updated Sysprep tool?

Find the answer at
http://list.windowsitpro.com/t?ctl=852:4FB69

Security Forum Featured Thread: Modifying Directory ACLs
A reader writes that he accidentally modified the ACL of a directory on his disk and now he can't change it back. He said he has full access to the parent object and doesn't know why this isn't enough authority to change the ACL again. Have the answer? Join the discussion at
http://list.windowsitpro.com/t?ctl=846:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=84F:4FB69

Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=849:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Speedier Authentication
I/O Software offers SecureSuite XS 4.51, authentication management software that works with biometrics, smart cards, and tokens. SecureSuite XS's applications provide secure system logon, password bank/single sign-on, file encryption, and application locking. SecureSuite XS 4.51 integrates data compression, caching, and other optimizations to improve client-server authentication time and overall performance on WANs. The new release also adds to the number of authentication devices supported by SecureSuite XS. SecureSuite XS supports Windows Server 2003, Windows XP, and Windows 2000 and can be deployed as a standalone workstation product or in a client-server environment, using Active Directory (AD). For more information, go to
http://list.windowsitpro.com/t?ctl=860:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column.
Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=861:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=85D:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=84E:4FB69

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=84C:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Feb 4 05:43:46 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:20 2005
Subject: [ISN] Test Site guards failed attack drill
Message-ID:

http://www.lasvegassun.com/sunbin/stories/lv-other/2005/feb/03/518233054.html

By Mary Manning
LAS VEGAS SUN
February 03, 2005

Guards stationed at the Nevada Test Site to protect the nuclear weapons complex 65 miles northwest of Las Vegas apparently failed a recent test in which they faced a mock terrorist attack.
Darwin Morgan, spokesman for the National Nuclear Security Administration, an agency within the Energy Department that runs the nuclear weapons complex, said Tuesday that unspecified deficiencies had been identified during the exercise, performed late last year to test the capability of Test Site guards to protect weapons-grade plutonium and highly enriched uranium stored at the site.

In a force-on-force exercise, specially trained commandos under the Energy Department's Office of Independent Oversight and Performance Assurance staged a mock attack simulating a potential terrorist attack.

Since the exercise at the end of last year, the National Nuclear Security Administration has "taken corrective actions" at the Test Site, Morgan said.

The Nevada Test Site has always been a heavily guarded facility because it tested nuclear weapons from 1951 until September 1992. The government is continuing nuclear-related activities at the site, conducting subcritical underground nuclear experiments that do not cause a nuclear chain reaction.

Morgan said the security requirements at the Test Site have been raised because some special nuclear materials are being transferred for security reasons from Los Alamos, N.M., where they had been in an area known as Technical Area 18, to the Test Site. The special nuclear materials and some equipment from New Mexico are to be transferred to the Device Assembly Facility at the Test Site, Morgan said. The Device Assembly Facility is a buried building guarded by gun turrets at either end, officials said.

Morgan noted that "we have been growing the guard force." The Test Site expects to have 240 to 250 guards in place by the time the nuclear materials from New Mexico arrive, Morgan said. Exact numbers of guards and details about the Test Site are kept secret for security reasons, Morgan said.

The Test Site is guarded by forces provided by Wackenhut Services Inc. under contract with the Energy Department.
The department last year put the Nevada security contract out for bid along with its prime operating contract held by Bechtel Nevada.

From isn at c4i.org Fri Feb 4 05:44:43 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:24 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-5
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-01-27 - 2005-02-03

This week : 65 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Qualcomm has released a new version of Eudora, which according to the vendor corrects some vulnerabilities, which can be exploited to crash the mail client.
However, according to the security researcher who initially found the vulnerabilities, these can actually be exploited to run arbitrary code on a vulnerable system. Please refer to the Secunia advisory below for additional details. References: http://secunia.com/SA14104/ -- The Mozilla Foundation has released details about several vulnerabilities, which was corrected with the releases of Firefox 1.0, Mozilla 1.7.5, and Thunderbird 1.0. A listing of the vulnerabilities and additional details are available in the Secunia advisory below. References: http://secunia.com/SA14017/ VIRUS ALERTS: During the last week, Secunia issued 2 MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information: Bropia.F - MEDIUM RISK Virus Alert - 2005-02-03 06:25 GMT+1 http://secunia.com/virus_information/15107/bropia.f/ Bagle.BA - MEDIUM RISK Virus Alert - 2005-01-28 02:58 GMT+1 http://secunia.com/virus_information/12174/bagle.ba/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities 2. [SA13969] DivX Player ".dps" Skin File Directory Traversal Vulnerability 3. [SA14017] Firefox / Mozilla / Thunderbird Multiple Vulnerabilities 4. [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting 5. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability 6. [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing 7. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability 8. [SA13918] Sun Java Plug-In Two Vulnerabilities 9. [SA13862] Oracle Products 23 Vulnerabilities 10. 
[SA14061] Windows Registry Key Locking Denial of Service ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA14113] Painkiller CD-Key Hash Buffer Overflow Vulnerability [SA14104] Eudora System Compromise Vulnerabilities [SA14116] DeskNow Mail and Collaboration Directory Traversal Vulnerabilities [SA14077] Eternal Lines Web Server Two Vulnerabilities [SA14073] Xpand Rally Denial of Service Vulnerability [SA14063] SnugServer FTP Server Directory Traversal Vulnerability [SA14054] War FTP Daemon Denial of Service Vulnerability [SA14053] Winmail Server Multiple Vulnerabilities [SA14106] Eurofull E-Commerce "nombre" Cross-Site Scripting [SA14087] RealPlayer RealMedia ".rm" Security Bypass Vulnerability [SA14080] SmarterMail Attachment Upload Vulnerability [SA14079] WebAdmin Multiple Vulnerabilities [SA14058] WebWasher Classic Server Mode Proxying Vulnerability [SA14078] IceWarp Web Mail Various Weaknesses [SA14075] Captaris Infinite Mobile Delivery Webmail Cross-Site Scripting [SA14061] Windows Registry Key Locking Denial of Service UNIX/Linux: [SA14103] Debian update for prozilla [SA14096] Debian update for squirrelmail [SA14086] Red Hat update for ethereal [SA14081] HP VirtualVault / Webproxy Apache Vulnerabilities [SA14065] Gentoo update for tikiwiki [SA14059] Gentoo update for ngircd [SA14056] ngIRCd "Lists_MakeMask()" Buffer Overflow Vulnerability [SA14112] Gentoo update for squid [SA14109] Red Hat update for enscript [SA14105] Gentoo update for enscript [SA14101] Fedora update for squid [SA14100] Mandrake update for imap [SA14099] Mandrake update for chbg [SA14097] Gentoo update for uw-imap [SA14093] Fedora update for openssl096b [SA14091] Squid Oversized Reply Header Handling Security Issue [SA14089] Gentoo update for clamav [SA14088] Avaya Intuity Audix Denial of Service Vulnerabilities [SA14085] Mandrake update for clamav [SA14084] Clam AntiVirus ZIP File Handling Denial of Service [SA14082] HP 
VirtualVault TGA Daemon Unspecified Denial of Service [SA14062] Fedora update for openswan [SA14057] UW-imapd CRAM-MD5 Authentication Bypass Vulnerability [SA14055] Mandrake update for evolution [SA14107] Red Hat update for cups [SA14095] AIX Unspecified NIS Client System Compromise Vulnerability [SA14098] Gentoo update for newspost [SA14094] newsfetch NNTP Response Handling Buffer Overflows [SA14092] Newspost "socket_getline()" Buffer Overflow Vulnerability [SA14069] Gentoo update for gallery [SA14111] Mandrake update for ncpfs [SA14072] fprobe Weak Hash Functions Denial of Service [SA14071] Dante FD_SET Overflow Vulnerability [SA14070] Gentoo update for ncpfs [SA14068] ncpfs Two Vulnerabilities [SA14121] Debian cpio Incorrect File Permissions [SA14115] Mandrake update for vim [SA14108] Red Hat update for perl-DBI [SA14102] Gentoo update for firehol [SA14067] Gentoo update for f2c [SA14066] Gentoo update for vdr [SA14052] Debian update for f2c Other: [SA14122] Cisco IP/VC 3500 Series Hard-Coded SNMP Community Strings [SA14060] Ingate Firewall Active Blocked PPTP Tunnel Security Issue Cross Platform: [SA14124] Mambo Global Variables Security Bypass Vulnerability [SA14064] Xoops Incontent Module Arbitrary File Content Disclosure [SA14090] PHP-Fusion "forum_search.php" Information Disclosure [SA14074] JShop Server "xProd" and "xSec" Parameters Cross-Site Scripting [SA14076] Squid WCCP Message Handling Buffer Overflow Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA14113] Painkiller CD-Key Hash Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2005-02-03 Luigi Auriemma has reported a vulnerability in Painkiller, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14113/

--

[SA14104] Eudora System Compromise Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-03

John Heasman of NGSSoftware has reported some vulnerabilities in Eudora, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14104/

--

[SA14116] DeskNow Mail and Collaboration Directory Traversal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS, System access
Released: 2005-02-03

Tan Chew Keong has reported two vulnerabilities in DeskNow Mail and Collaboration, which can be exploited by malicious users to delete arbitrary files and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14116/

--

[SA14077] Eternal Lines Web Server Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2005-02-01

Two vulnerabilities have been reported in Eternal Lines Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14077/

--

[SA14073] Xpand Rally Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-31

Luigi Auriemma has reported a vulnerability in Xpand Rally, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14073/

--

[SA14063] SnugServer FTP Server Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-01-28

muts has reported a vulnerability in SnugServer, which can be exploited by malicious users to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14063/

--

[SA14054] War FTP Daemon Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-28

MC.Iglo has discovered a vulnerability in War FTP Daemon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14054/

--

[SA14053] Winmail Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Released: 2005-01-28

Tan Chew Keong has reported some vulnerabilities in Winmail Server, which can be exploited by malicious users to disclose sensitive information, use a vulnerable system for port scanning other hosts, conduct script insertion attacks, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14053/

--

[SA14106] Eurofull E-Commerce "nombre" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-02

Security .Net Information has reported a vulnerability in Eurofull E-Commerce, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14106/

--

[SA14087] RealPlayer RealMedia ".rm" Security Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-01

http-equiv has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14087/

--

[SA14080] SmarterMail Attachment Upload Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

Soroush Dalili has discovered a vulnerability in SmarterMail, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/14080/

--

[SA14079] WebAdmin Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2005-01-31

David Alonso Pérez has reported some vulnerabilities in WebAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14079/

--

[SA14058] WebWasher Classic Server Mode Proxying Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-01-28

Oliver Karow has discovered a vulnerability in WebWasher Classic, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14058/

--

[SA14078] IceWarp Web Mail Various Weaknesses
Critical: Not critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-01-31

ShineShadow has reported two weaknesses in IceWarp Web Mail, which can be exploited by malicious users to gain knowledge of certain system information or sensitive information.

Full Advisory: http://secunia.com/advisories/14078/

--

[SA14075] Captaris Infinite Mobile Delivery Webmail Cross-Site Scripting
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-01-31

Steven has reported a vulnerability in Infinite Mobile Delivery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14075/

--

[SA14061] Windows Registry Key Locking Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-01-31

Vladimir Kraljevic has reported a security issue in Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14061/

UNIX/Linux:
--

[SA14103] Debian update for prozilla
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-02

Debian has issued an update for prozilla. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14103/

--

[SA14096] Debian update for squirrelmail
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-02-02

Debian has issued an update for squirrelmail. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14096/

--

[SA14086] Red Hat update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-02

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14086/

--

[SA14081] HP VirtualVault / Webproxy Apache Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-01-31

HP has acknowledged some vulnerabilities in Virtualvault and Webproxy, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14081/

--

[SA14065] Gentoo update for tikiwiki
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-01-31

Gentoo has issued an update for tikiwiki. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14065/

--

[SA14059] Gentoo update for ngircd
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-01-31

Gentoo has issued an update for ngircd. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14059/

--

[SA14056] ngIRCd "Lists_MakeMask()" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-01-31

Florian Westphal has reported a vulnerability in ngIRCd, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14056/

--

[SA14112] Gentoo update for squid
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, DoS
Released: 2005-02-03

Gentoo has issued an update for squid, which fixes various vulnerabilities. One has an unknown impact, and others can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14112/

--

[SA14109] Red Hat update for enscript
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-02

Red Hat has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14109/

--

[SA14105] Gentoo update for enscript
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-03

Gentoo has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14105/

--

[SA14101] Fedora update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-02

Fedora has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14101/

--

[SA14100] Mandrake update for imap
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-02

MandrakeSoft has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14100/

--

[SA14099] Mandrake update for chbg
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-02

MandrakeSoft has issued an update for chbg. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14099/

--

[SA14097] Gentoo update for uw-imap
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-02

Gentoo has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14097/

--

[SA14093] Fedora update for openssl096b
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Fedora has issued an update for openssl096b. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14093/

--

[SA14091] Squid Oversized Reply Header Handling Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-02-01

A security issue with an unknown impact has been reported in Squid.
Full Advisory: http://secunia.com/advisories/14091/

--

[SA14089] Gentoo update for clamav
Critical: Moderately critical
Where: From remote
Impact: DoS, Security Bypass
Released: 2005-02-01

Gentoo has issued an update for clamav. This fixes a vulnerability and a weakness, which allows malware to bypass detection and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14089/

--

[SA14088] Avaya Intuity Audix Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Avaya has acknowledged some vulnerabilities in Intuity Audix R5, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14088/

--

[SA14085] Mandrake update for clamav
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2005-02-01

MandrakeSoft has issued an update for clamav. This fixes a vulnerability and a weakness, which allows malware to bypass detection and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14085/

--

[SA14084] Clam AntiVirus ZIP File Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Reinhard Max has reported a vulnerability in Clam AntiVirus, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14084/

--

[SA14082] HP VirtualVault TGA Daemon Unspecified Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-31

A vulnerability has been reported in HP Virtualvault, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14082/

--

[SA14062] Fedora update for openswan
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-01-31

Fedora has issued an update for openswan. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14062/

--

[SA14057] UW-imapd CRAM-MD5 Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-01-28

A vulnerability has been reported in University of Washington IMAP server, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14057/

--

[SA14055] Mandrake update for evolution
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-01-28

MandrakeSoft has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system or by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14055/

--

[SA14107] Red Hat update for cups
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-02

Red Hat has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14107/

--

[SA14095] AIX Unspecified NIS Client System Compromise Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-01

A vulnerability has been reported in AIX, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14095/

--

[SA14098] Gentoo update for newspost
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-03

Gentoo has issued an update for newspost. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14098/

--

[SA14094] newsfetch NNTP Response Handling Buffer Overflows
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-01

Niels Heinen has reported a vulnerability in newsfetch, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14094/

--

[SA14092] Newspost "socket_getline()" Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-01

Niels Heinen has reported a vulnerability in Newspost, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14092/

--

[SA14069] Gentoo update for gallery
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

Gentoo has issued an update for gallery. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14069/

--

[SA14111] Mandrake update for ncpfs
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-02

MandrakeSoft has issued an update for ncpfs. This fixes two vulnerabilities and a potential issue, which can be exploited to perform certain actions on a vulnerable system with escalated privileges or potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/14111/

--

[SA14072] fprobe Weak Hash Functions Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

A vulnerability has been reported in fprobe, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14072/

--

[SA14071] Dante FD_SET Overflow Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

3APA3A has reported a vulnerability in Dante, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14071/

--

[SA14070] Gentoo update for ncpfs
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-01-31

Gentoo has issued an update for ncpfs, which fixes two vulnerabilities. The first can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and the second may potentially allow malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14070/

--

[SA14068] ncpfs Two Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-01-31

Erik Sjolund has reported two vulnerabilities in ncpfs. The first can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and the second may potentially allow malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14068/

--

[SA14121] Debian cpio Incorrect File Permissions
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-02-03

Debian has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.

Full Advisory: http://secunia.com/advisories/14121/

--

[SA14115] Mandrake update for vim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-03

MandrakeSoft has issued an update for vim.
This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14115/

--

[SA14108] Red Hat update for perl-DBI
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-02

Red Hat has issued an update for perl-DBI. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14108/

--

[SA14102] Gentoo update for firehol
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-02

Gentoo has issued an update for firehol. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14102/

--

[SA14067] Gentoo update for f2c
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-01-31

Gentoo has issued an update for f2c. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14067/

--

[SA14066] Gentoo update for vdr
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-01-31

Gentoo has issued an update for vdr. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate sensitive information.

Full Advisory: http://secunia.com/advisories/14066/

--

[SA14052] Debian update for f2c
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-01-28

Debian has issued an update for f2c. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14052/

Other:
--

[SA14122] Cisco IP/VC 3500 Series Hard-Coded SNMP Community Strings
Critical: Moderately critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-02-03

A security issue has been reported in some Cisco IP/VC Videoconferencing System models, which can be exploited by malicious people to read or manipulate configuration information.

Full Advisory: http://secunia.com/advisories/14122/

--

[SA14060] Ingate Firewall Active Blocked PPTP Tunnel Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-01-28

Neil Watson has reported a security issue in Ingate Firewall, which may allow PPTP users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14060/

Cross Platform:
--

[SA14124] Mambo Global Variables Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-03

A vulnerability has been reported in Mambo, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14124/

--

[SA14064] Xoops Incontent Module Arbitrary File Content Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-01-31

Larok has reported a vulnerability in the Incontent module for Xoops, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14064/

--

[SA14090] PHP-Fusion "forum_search.php" Information Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-02

TheGreatOne2176 has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14090/

--

[SA14074] JShop Server "xProd" and "xSec" Parameters Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

SmOk3 has reported a vulnerability in JShop Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14074/

--

[SA14076] Squid WCCP Message Handling Buffer Overflow Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

FSC Vulnerability Research Team has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14076/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 4 05:45:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:26 2005
Subject: [ISN] State worker acquitted of hacking government computer
Message-ID:

http://www.tuscaloosanews.com/apps/pbcs.dll/article?AID=/20050203/APN/502030742

The Associated Press
February 03, 2005

A state worker has been acquitted of charges of hacking into a computer system at the Department of Social Services in 1999.

A state district court jury returned the verdict in favor of Andrew Mata on Wednesday.

Prosecutors accused Mata of illegally entering the system and upgrading his own access. After he left DSS for a job with the Department of Health and Hospitals, Social Services personnel lowered Mata's access to their computer records.

The alleged crime - offenses against intellectual property - occurred when Mata, using the codes of a Social Services computer worker, got back into the computer systems and restored his previous access, prosecutors said.

But Mata testified he broke no laws and changed his access in the DSS computer back to where he thought it should have been and went to work on major projects related to the anticipated Y2K crisis. He said he was supposed to have the same status on both the DSS and DHH systems.

The charge, which was filed against Mata in May 2001, carried up to five years in prison.

From isn at c4i.org Fri Feb 4 05:45:11 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:29 2005
Subject: [ISN] Saddam Hussein "death" virus on loose
Message-ID:

http://www.theinquirer.net/?article=21080

By INQUIRER staff
03 February 2005

BRITISH ANTIVIRUS firm Sophos warned that a version of the Bobax-H worm is on the loose, disguised as pictures of a dead Saddam Hussein.
According to Sophos, the worm carries different message warnings such as "Saddam Hussein: Attempted Escape. Shot Dead". Other versions carrying the same payload claim to have pictures of a captured Osama Bin Laden.

Sophos said the worm, if activated, carries the same payload as the Sasser worm exploited.

Graham Cluley, marketing director at Sophos, warned that many people opened emails to be abreast of the news. But he also hit out at those responsible for the security of Windows machines for not taking advantage of the patches that protect against Bobax.

From isn at c4i.org Fri Feb 4 05:45:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:31 2005
Subject: [ISN] Huge security hole in .NET: Java creator
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39179932,00.htm

By Renai LeMay
ZDNet Australia
04 February 2005

Java creator James Gosling this week called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the "biggest and most offensive mistakes that they could have made".

Gosling, who is currently CTO of Sun's Developer Products group, made the comments as part of his speech to developers at an event in Sydney earlier this week.

He further commented that by including the two languages into Microsoft's software development platform, the company "has left open a security hole large enough to drive many, many large trucks through".

According to Gosling, the security hole is based upon the fact that several features of the older languages are ambivalent with regards to security: "C++ allowed you to do arbitrary casting, arbitrary adding of images and pointers, and converting them back and forth between pointers in a very, very unstructured way.

"If you look at the security model in Java and the reliability model, and a lot of things in the exception handling, they depend really critically on the fact that there is some integrity to the properties of objects.
So if somebody gives you an object and says 'This is an image', then it is an image. It's not like a pointer to a stream, where it just casts an image," said Gosling. Microsoft developer evangelist Charles Sterling didn't entirely disagree with Gosling's comments, but he sought to clarify the issue with .NET's security. Sterling pointed out that .NET defines different sorts of code. "Managed" code is code that is executed under the control of the .NET framework. New languages such as C# and Visual Basic.NET only produce managed code. However, Gosling is concerned about "unsafe" code, which is produced by traditional languages like C and C++. Unsafe code is code that does not strictly follow the rules of type safety that .NET defines, and this sort of code requires additional permissions to execute. According to Sterling, "you as a developer take it upon yourself" to utilise unsafe code in your .NET applications. An important point is that the so-called unsafe code does have the potential to run faster than "managed" code due to some languages' ability to include machine-specific features that may sacrifice platform portability for speed. Sterling acknowledged this as he said that the choice between the two is all about risk: if developers are willing to "accept the risk" of unsafe code then they may gain access to "the best performance system on the planet". Sterling also gave the debate a reality check when asked of his personal knowledge of .NET developers actually implementing C or C++ code under a .NET framework. Of the approximately one thousand developers that Sterling knows, he could only recall one directly developing in C++ under .NET. Whether this indicates an unwillingness on the part of developers to utilise code that is unsafe is not clear. From isn at c4i.org Mon Feb 7 08:30:44 2005 From: isn at c4i.org (InfoSec News) Date: Mon Feb 7 08:42:29 2005 Subject: [ISN] Cisco: There is no fixed software for this issue. 
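Gosling's complaint and Sterling's reply in the .NET article above both turn on one mechanism: whether a pointer can be reinterpreted as a different object type without any runtime check. The C program below is an added example written for this page; it is not code from the article, from Sun or from Microsoft, and the Image, Stream and Object types, the type tags and the tag-checked downcast are hypothetical illustrations of the two models rather than any real runtime's API. It shows the arbitrary cast Gosling describes (a Stream handed to code expecting an Image yields plausible-looking but meaningless dimensions) beside the checked downcast that a type-safe runtime performs on every cast.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical native layouts, as a C/C++ program sees them. Both start with
 * two 32-bit fields followed by a pointer, so a cast between them "works" in
 * the sense that it compiles and returns numbers. (Constructed for the example.) */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;
} Image;

typedef struct {
    uint32_t handle;          /* e.g. a file descriptor */
    uint32_t bytes_buffered;
    char *buf;
} Stream;

/* The "managed" model, illustrated: every object carries a type tag assigned
 * when it is created, and a downcast is honoured only when the tag matches.
 * TypeTag and Object are illustrations, not a .NET or Java API. */
typedef enum { T_IMAGE = 1, T_STREAM = 2 } TypeTag;

typedef struct {
    TypeTag tag;
    void *payload;
} Object;

/* Unsafe path: the caller says "this is an image" and the code believes it.
 * Nothing stops a Stream, or any other memory, from being passed in. */
static uint32_t pixel_count_unchecked(void *claimed_image)
{
    Image *img = (Image *)claimed_image;    /* arbitrary cast, no check */
    return img->width * img->height;        /* downstream code would trust this */
}

/* Checked downcast: returns NULL instead of a misinterpreted pointer. */
static const Image *as_image(const Object *obj)
{
    if (obj == NULL || obj->tag != T_IMAGE)
        return NULL;
    return (const Image *)obj->payload;
}

static long pixel_count_checked(const Object *obj)
{
    const Image *img = as_image(obj);
    if (img == NULL)
        return -1;                          /* "invalid cast" rather than garbage */
    return (long)img->width * (long)img->height;
}

/* Scenario: a Stream (fd 3, 4096 bytes buffered) reaches code expecting an
 * Image. The unchecked cast reads the handle as the width and the buffer
 * size as the height. */
static uint32_t demo_stream_read_as_image(void)
{
    Stream s = { 3, 4096, NULL };
    return pixel_count_unchecked(&s);       /* 3 * 4096 = 12288 "pixels" */
}

static long demo_checked_rejects_stream(void)
{
    Stream s = { 3, 4096, NULL };
    Object obj = { T_STREAM, &s };
    return pixel_count_checked(&obj);       /* -1: cast refused */
}

static long demo_checked_accepts_image(void)
{
    Image img = { 640, 480, NULL };
    Object obj = { T_IMAGE, &img };
    return pixel_count_checked(&obj);       /* 307200 */
}

int main(void)
{
    printf("unchecked cast of a Stream as an Image: %u pixels\n",
           (unsigned)demo_stream_read_as_image());
    printf("checked cast of a Stream as an Image:   %ld\n",
           demo_checked_rejects_stream());
    printf("checked cast of a real Image:           %ld\n",
           demo_checked_accepts_image());
    return 0;
}
```

The unchecked path returns a pixel count derived from a file handle and a buffer size; if that value were used to size an allocation or bound a copy loop, the type confusion would become memory corruption, which is the "integrity to the properties of objects" Gosling says the Java security model relies on. The checked path is what managed code gets on every cast without the developer asking for it, and what a developer who opts into unsafe code has to rebuild by hand, or go without.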
Message-ID: Forwarded from: security curmudgeon http://www.attrition.org/security/rant/cisco01.html Cisco: There is no fixed software for this issue. Fri Feb 4 01:55:02 EST 2005 Jericho I think it is time to give up on Cisco. Most professionals in the security industry have long since given up on vendors such as Microsoft and resigned ourselves to the fact that they don't understand security, and that for all the marketing and PR these companies never will. Year after year, we see stupid and trivial security bugs pop up in their software. Oftentimes these are the same vulnerabilities reborn with a new product, or the same class of vulnerabilities creeping back into the code due to poor programming practices. In other cases, vulnerabilities are found and supposedly patched by vendors. Days or weeks later, it is discovered that the patch does not fully mitigate the original problem and can be bypassed and the software is still vulnerable. Yesterday, Cisco Systems, Inc. posted a new security advisory announcing a vulnerability in one of their product lines. This is not new for Cisco by any means as they have released 155 security advisories dating back to June 1, 1995. Why is this one different? The proverbial straw that broke the camel's back perhaps. The issue is not that just another vulnerability affects their products, nor is it the amount of issues Cisco has posted over the years. While depressing to anyone responsible for the security of one of their devices, it is mostly manageable. Cisco has been fairly good about addressing problems in the past, providing patches and solid workarounds and eventually selling new versions of their software that aren't affected. Until now. There are two issues with the latest advisory covering a vulnerability in Cisco IP/VC Products. Either issue on its own should have Cisco customers up in arms demanding better products and better service. 
As long as companies continue to buy and support irresponsible and unethical vendors, they will continue to deliver over-priced insecure software. [..] From isn at c4i.org Mon Feb 7 08:31:03 2005 From: isn at c4i.org (InfoSec News) Date: Mon Feb 7 08:42:31 2005 Subject: [ISN] J-CARD numbers leaked on Internet Message-ID: http://www.jhunewsletter.com/vnews/display.v/ART/2005/02/04/42025291bac2c By Katherine Brewer February 04, 2005 Over 2,100 Hopkins students, mostly juniors and seniors, must trade in their J-CARDs after the university discovered it had accidentally posted their names and J-CARD numbers online this winter. The files, used in the spring 2003 Student Council elections, contained the names, birthdays and J-CARD numbers of over 4,000 students. The last four digits of 1,500 of these students' Social Security numbers were also posted. Many of the affected students have graduated, but all juniors and seniors and several graduate students who still have active J-CARDs were contacted through mail by Susan Boswell, dean of student life, on Jan. 24. Although there was no direct link to the leaked J-CARD information, it was accessible through search engines. A student who entered her name on http://www.google.com discovered the files and notified the school. The error was discovered on January 4, but administrators kept it private until all links to the material could be deleted. "It's not clear exactly how long they were online," said Dennis O'Shea, executive director of communications and public affairs for Hopkins. O'Shea also stressed that this would not happen again, because it was a transition year in StuCo balloting, and elections no longer involve entering J-CARD numbers. There is no evidence that the information was accessed and used illegally, but the university decided to take precautions and asked all those affected to trade in their J-CARDs for new ones by Feb. 11. "The file was in a very obscure place. 
You would have had to go looking for them," O'Shea said, "and most people wouldn't know what they were, even if they did find them." "Although the university feels strongly that any potential harm has been averted by the discovery and removal of the files, we nonetheless think it is advisable to err on the side of caution," Boswell wrote in an e-mail to affected students. The J-CARD office has extended its hours to 7 p.m. until Feb. 11 to help with the exchange, but students who do not exchange their cards by the scheduled date are subject to cancellation of their cards. To date, according to O'Shea's office, more than 750 students have made their J-CARD exchanges, out of the 2,100 juniors and seniors with active cards. "We do encourage all students who are affected to exchange," said O'Shea, "and remind them that they are subject to cancellation if they do not make the exchange by the deadline." Although there is very little that can be done with only the J-CARD number without the possession of the actual card, the university has notified local businesses that accept J-CARD to be on alert and asked affected students to keep tabs on their J-CARD accounts. "It doesn't really bother me much," said James Baird, a senior who has yet to trade in his card. "I suppose it's safer than doing nothing at all, but I'm kind of surprised they didn't figure this out a while ago." Some students expressed little concern about the information leak. "I don't really care that the information was on the Internet," said Mike Kong, a senior. At least one student did express feelings of frustration at the situation, especially in light of what he considered to be other general security failures. "For some reason, I don't have much confidence in the security measures at this school," said Matt Bassett, a junior. "This is just another example of a security failure; they can't even keep our personal information safe on the Internet." 
From isn at c4i.org Mon Feb 7 08:31:43 2005 From: isn at c4i.org (InfoSec News) Date: Mon Feb 7 08:42:41 2005 Subject: [ISN] "The Bad Boys are also Terribly Clever" Message-ID: http://service.spiegel.de/cache/international/spiegel/0,1518,340395,00.html SPIEGEL Interview with Bill Gates January 31, 2005 Microsoft founder Bill Gates, 49, talks about the thorny issues of computer security, competition, software bundling and how he lives with the downsides of his wealth and fame. In addition to being the world's richest man, Gates is the founder of the world's most powerful software company. SPIEGEL: Mr. Gates, you came to Munich this week specifically to initiate a project for more Internet security in Germany. The government sponsor is Labor and Economics Minister Wolfgang Clement. Why are you taking the initiative now? Gates: The enthusiasm about how computers, the Internet, and good software can help people is probably as large today as it ever was. A lot of fantastic things have happened in the past few years. Just think about how e-mail contact or digital business with photos or music have developed world-wide. But while we still work on wonderful further developments, some really serious issues are being forced onto the agenda, and we now have to ensure that they do not ever become a problem. This stretches from annoyance about a mailbox filled with junk advertising to the risk that your computer has been taken over by hackers to spy on your data. There is a lot to do, especially for Microsoft. SPIEGEL: You want to achieve that single-handedly? Gates: The bandwidth of problems is enormous. And not only individual companies are facing demands, but our entire industry. In meeting these demands we have to work together with governments and public agencies. Politics has to ensure the legal framework. SPIEGEL: And consumers? Gates: PC users will have to grapple more intensively with very practical questions. For example: Do I need regular updates of my software? 
That alone is a gigantic thing for us. When we offer an improvement to Windows via the Internet today, there are a few hundred million people who take up the offer, but also a few hundred million who do not do it. Or here's another question: How do my children use the Internet? If nothing else, that is a challenge now because at times kids handle the World Wide Web significantly better than parents. One thing we have to do is make computer use simpler in order to increase people's awareness of such questions. SPIEGEL: Did you underestimate the security problems? A few years ago, the chief concerns of your industry were making computers more efficient and hooking up as many houses as possible. Now security is of chief concern. Even Microsoft seems to have first become aware of the danger after Sept. 11. Gates: The terrorist attacks in 2001 just showed people up close where a lack of security can lead. Problems with computer security have more to do with the unbelievable success of the computer itself. The more successful the PC became, the more the downsides also became clear, such as: how can I prevent someone from stealing my credit cards off the Internet? In some areas, the bad boys are also terribly clever -- and occasionally more crafty than we had expected. SPIEGEL: Those who send spam advertising e-mails for example. Gates: I don't want to minimize the problem at all. We will still have a few years of fighting with that. But, there are many things that have already improved. On the other hand, problems in the area of data theft have increased. SPIEGEL: From which corner do you expect the greatest challenge? Virus makers? Hackers? Spam senders? Gates: There will always be people who try to take advantage of the medium by bothering us with marketing stuff, which is fast, easy, and cheap to distribute world-wide. We will be able to control that to some degree because the sources allow themselves to be traced back. 
The people who create advertisements for a certain company usually receive money from the company. That makes them traceable. We have been making enormous progress on this front. I worry more about whether our general dream will be fulfilled. SPIEGEL: What is that dream? Gates: That we can globally communicate with one another without mistrust and can do it more creatively. To do this, for example, it is important that your identity is safe on the Internet. In the end it involves a promise, the promise of the digital age. But I also do not believe that the current difficulties can really endanger that. SPIEGEL: Microsoft is not only a part of the solution, but also, because of its market power, part of the problem. When a company provides more than 90 percent of all personal computers with software it is inevitably a target for hackers interested in causing the most damage possible. Gates: There are actually a large number of operating systems in addition to Windows, for example, such as OS from Apple or Linux and Unix... SPIEGEL: ... but in the realm of normal personal computers, they don't play a large role worldwide. Gates: The truth is: the fewer operating systems there are within a company, the better it is from a security point of view. SPIEGEL: I beg your pardon? Gates: Simply because one must spend billions of dollars to ensure the security of each individual system. Our company has an unbelievable number of people who are solely responsible for this type of security around the clock. SPIEGEL: The particular charm of Linux is that it is an adaptable system that users can shape themselves. Gates: If everything runs under the same platform, however, you can better concentrate resources and more quickly repair errors. For instance, in a hospital where different systems are used, a single problem in one section can cause the other systems to crash. Thus, from a security standpoint it is always better to focus on one system. 
SPIEGEL: But your small competitor Apple, for example, is much less frequently a victim of virus attacks ... Gates: ... put so sweepingly, that is not correct. Of course we are the largest target, simply because we have the most widely disseminated system. But it affects others in exactly the same way. Linux is, in many respects, even more significantly affected. SPIEGEL: In a few hours a Windows virus can travel across the world like an epidemic... Gates: ... above all because of our global popularity. But we know that. And we must apply still more time and money to it. However, spam or data theft are not questions of the operating system. For this, you also need laws and global standards. SPIEGEL: Once again: Windows is the most vulnerable. Gates: You could look at that in many ways. The speed with which, for example, the Linux community reacts to problems is not especially high -- that's because this system, unlike ours, simply does not keep thousands of people on standby to deal with problems. In this respect, a commercially distributed operating system also has decisive benefits. Sweeping judgments don't help because we all have to take the problems seriously. Even Linux developers know that there is no miracle cure in Linuxland. They, too, must continue to work and continue to make progress. [...] From isn at c4i.org Mon Feb 7 08:37:50 2005 From: isn at c4i.org (InfoSec News) Date: Mon Feb 7 08:42:43 2005 Subject: [ISN] FBI Computers: You Don't Have Mail Message-ID: http://www.msnbc.msn.com/id/6919621/site/newsweek/ By Michael Isikoff and Mark Hosenball Newsweek http://www.amazon.com/exec/obidos/ASIN/B00005N7RT/c4iorg February 14th 2005 issue The FBI's computer woes got even worse last week when bureau officials were forced to shut down a commercial e-mail network used by supervisors, agents and others to communicate with the public. 
The reason, sources tell NEWSWEEK, was an apparent "cyberintrusion" by an outside hacker who officials fear had been tapping into supposedly secure e-mail messages since late last year. FBI spokesmen publicly sought to downplay the damage, saying the compromised commercial server - maintained by AT&T - was used exclusively for unclassified and "nonsensitive" communications that did not involve ongoing investigations. One example, they said, was notices from public-affairs offices' fbi.gov addresses to members of the press. But privately, officials were highly concerned - and recently notified the White House. One top FBI official says he regularly used his shut-down fbi.gov e-mail account to send messages to state and local police chiefs. Another source tells Newsweek that more than 3,000 old and current e-mail accounts were shut down. Others say the same apparently compromised server also provided accounts to other government agencies. Justice Department officials, who launched their own cybercrime investigation into the apparent intrusion, noted that there was no telling the potential damage at this point, given the common tendency for everybody to say too much - including making references to law-enforcement "sensitive" cases - even in theoretically routine e-mails. "This is an eye-opener for all of us," says one FBI official. The bigger question, sources say, was how the hackers penetrated the bureau's e-mails - and why it took the FBI so long to notify the rest of the government. The FBI e-mail system was erected with firewalls that were supposed to prevent even sophisticated hackers from penetrating. But while officials stressed there was no evidence that the apparent intruder or intruders were part of any terrorist or foreign intelligence organization, the authorities were still baffled as to how they got into the system. 
According to sources familiar with the investigation, one suspicion is that hackers either used sophisticated "password cracking" software that tries out millions of password combinations or somehow eavesdropped on Internet transmissions. Over the weekend, NEWSWEEK has learned, the Department of Homeland Security posted a computer-security alert to agencies throughout the federal government urging e-mail users to be more careful about choosing their passwords by avoiding obvious clues - like nicknames, initials, children's names, birth dates, pet names or brands of car. "Such information can be easily obtained and used to crack your password," the bulletin states. The e-mail compromise couldn't have come at a worse time for the bureau. Just last week, the Justice Department inspector-general released a report sharply criticizing the FBI's management of its new Virtual Case File computer system - a $170 million software upgrade that bureau officials now concede they may have to scrap. The VCF system was supposed to make it much easier for agents to electronically access vital information relating to ongoing cases in different FBI offices. But the I.G. found that poor planning and ineffective management have resulted in a system that is nearly unworkable. FBI chief Robert Mueller, who sources say has personally briefed President George W. Bush on the matter, took responsibility "at least in part" for the fiasco before a Senate subcommittee. "No one is more frustrated and disappointed than I," he said. From isn at c4i.org Mon Feb 7 08:39:31 2005 From: isn at c4i.org (InfoSec News) Date: Mon Feb 7 08:42:45 2005 Subject: [ISN] NSPW 2005 Call For Papers Message-ID: Forwarded from: Abe Singer Call for Papers New Security Paradigms Workshop Lake Arrowhead, California, USA September 20-23, 2005 http://www.nspw.org Background NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. 
We solicit and accept papers on any topic in information security subject to the following caveats: * Papers that present a significant shift in thinking about difficult security issues are welcome. * Papers that build on a previous shift are also welcome. * Contrarian papers that dispute or call into question accepted practice or policy in security are also welcome. * We solicit papers that are not technology centric, including those that deal with public policy issues and those that deal with the psychology and sociology of security theory and practice. * We discourage papers that represent established or completed works as well as those that substantially overlap other submitted or published papers. * We encourage a high level of scholarship on the part of contributors. Authors are expected to be aware of related prior work in their topic area, even if it predates Google. In the course of preparing an NSPW paper, it is far better to read an original source than to cite a text book interpretation of it. Our program committee particularly looks for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserve to have their try at shaking and breaking the mold. Participation in the workshop is limited to authors of accepted papers and conference organizers. Each paper is typically the focus of 45 to 60 minutes of presentation and discussion. Prospective authors are encouraged to submit ideas that might be considered risky in some other forum, and all participants are charged with providing feedback in a constructive manner. The resulting intensive brainstorming has proven to be an excellent medium for furthering the development of these ideas. The proceedings, which are published after the workshop, have consistently benefited from the inclusion of workshop feedback. 
Call for Papers We welcome three categories of submission: * Research papers should be of a length commensurate with the novelty of the paradigm and the amount of novel material that the reviewer must assimilate in order to evaluate it. * Position papers should be 5 - 10 pages in length and should espouse a well reasoned and carefully documented position on a security related topic that merits challenge and / or discussion. * Discussion topic proposals. Discussion topic proposals should include an in-depth description of the topic to be discussed, a convincing argument that the topic will lead to a lively discussion, and supporting materials that can aid in the evaluation of the proposal. The latter may include the credentials of the proposed discussants. Discussion topic proposers may want to consider involving conference organizers or previous attendees in their proposals. Important Dates * Submission deadline: Monday, 28 March 2005. * Notification of acceptance: Monday, 30 May, 2005. Submission Submissions must include the following: * The submission in PDF format, viewable by Adobe Acrobat reader. * A justification for inclusion in NSPW. Specify the category of your submission and describe, in one page or less, why your submission is appropriate for the New Security Paradigms Workshop. A good justification will describe the new paradigm being proposed, explain how it departs from existing theory or practice, and identify those aspects of the status quo it challenges or rejects. The justification is a major factor in determining acceptance. * An Attendance Statement specifying how many authors wish to attend the workshop. Accepted papers require the attendance of at least one author. Attendance is limited, and we cannot guarantee space for more than one author. No submission may have been published elsewhere nor may a similar submission be under consideration for publication or presentation in any other forum during the NSPW review process. 
In order to ensure that all papers receive equally strong feedback, all attendees are expected to stay for the entire duration of the workshop. We expect to offer a limited amount of financial aid to those who require it. See http://www.nspw.org for details of the workshop policies and for submission procedures. Further Information Simon Foley, General Chair University College Cork s.foley@cs.ucc.ie Abe Singer, Vice Chair San Diego Supercomputer Center abe@sdsc.edu John McHugh, Program Chair SEI/CERT jmchugh@cert.org Bob Blakley, Program co-Chair IBM blakley@us.ibm.com Karl Levitt, Local Chair UC Davis levitt@cs.ucdavis.edu NSPW is an ACSA Workshop From isn at c4i.org Tue Feb 8 03:52:11 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 8 03:58:11 2005 Subject: [ISN] Linux Security Week - February 7th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | February 7th, 2005 Volume 6, Number 6n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Getting to Know Linux Security: File Permissions," "Reporting Kernel Security Issues," and "Linux software can secure an entire network." --- >> LINUX SECURITY LIVE CHAT << Tuesday, February 8th 2005 from 11am-12pm EST. Title: Real World Linux Security Featured Guest: Bob Toxen Visit: http://www.linuxsecurity.com for information on how to participate! 
--- LINUX ADVISORY WATCH: This week, advisories were released for squirrelmail, prozilla, cpio, openswan, enscript, zlib, gaim, cvs, openssl, curl, ruby, rhgh, file, net-tools, gimp, squid, dump, mc, dbus, kdepim, xpdf, kernel, ngIRCd, tikiwiki, f2c, ncfs, clamav, imap, chbg, vim, perl-dbi, and ethereal. The distributors include Debian, Fedora, Gentoo, Mandrake, and Red Hat. http://www.linuxsecurity.com/content/view/118183/150/ --------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). 
http://www.linuxsecurity.com/content/view/117920/49/ -------- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Linux Security Cookbook 3rd, February, 2005 I read this book from cover to cover and consider it a great effort by the authors to cover many security issues related to not just Linux, but most *nix operating systems. Here's a chapter by chapter review of what I've observed in the book. http://www.linuxsecurity.com/content/view/118173 * Microsoft Claims Linux Security a Myth 31st, January, 2005 Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.' http://www.linuxsecurity.com/content/view/118125 * Home User Security Guide 1st, February, 2005 I know many of you have received some nice tech toys for Christmas recently, so it's time to talk about making them secure and keeping them that way. 
http://www.linuxsecurity.com/content/view/118147 * Reporting Kernel Security Issues 2nd, February, 2005 A lengthy and interesting thread was started on the lkml by Chris Wright looking to define a centralized place to report security issues in the Linux Kernel. Chris offered his services in getting things set up, addressing his email to Linus Torvalds, Andrew Morton, Alan Cox and Marcelo Tosatti. He explained that he wanted to centralize the information "to help track it, make sure things don't fall through the cracks, and make sure of timely fix and disclosure". The resulting discussion was joined by numerous members of the kernel hacking community, exposing a wide range of opinions. http://www.linuxsecurity.com/content/view/118161 * Linux can secure entire network 3rd, February, 2005 Tested over three months at IBM's Linux Test Integration Center (LTIC) by a seven-person team, the 87-page report [pdf] titled "Linux Security: exploring open source security for a Linux server environment" set out to test a wide range of open-source Linux products supported by IBM to see whether they could adequately protect a middleware environment. Only open source products were us http://www.linuxsecurity.com/content/view/118174 * Linux software can secure an entire network 3rd, February, 2005 An IBM report that tested the suitability of Linux software to secure a network in its entirety has come to light months after it was originally published. http://www.linuxsecurity.com/content/view/118179 * Linux is mission critical for Czechs 31st, January, 2005 The Czech postal service is putting its faith in open source, by migrating a vital application onto SuSE Linux http://www.linuxsecurity.com/content/view/118135 * Penguins at the Gate 2nd, February, 2005 Only a few open-source vendors have borne the time and expense of having their software EAL-certified. 
Red Hat and Novell's SuSE Linux attained EAL3+ ratings in the last year, but many other vendors have yet to do the same. This raises a fundamental question: Does open-source software need security certifications to win global acceptance? http://www.linuxsecurity.com/content/view/118162 * IBM study tests Linux security 31st, January, 2005 To test open source security products, a study was conducted over a period of three months at the IBM Linux Test Integration Center. The goal for the security study was to deploy and compare various open source security tools that were available for free in the industry, and provide solution recommendations. http://www.linuxsecurity.com/content/view/118129 * Linux security is a 'myth', claims Microsoft 1st, February, 2005 A senior Microsoft executive, speaking exclusively to vnunet.com, has dismissed Linux's reputation as a secure platform as a "myth", claiming that the open source development process creates fundamental security problems. http://www.linuxsecurity.com/content/view/118142 * Best Security Software Solution Live Voting 2nd, February, 2005 SYS-CON's Readers' Choice Awards program is considered to be the most prestigious award program of the software industry and is often referred to as "the Oscars of the software industry." The products participating in the program are nominated by their vendors, customers, users, or SYS-CON readers. This year a record number of companies and products were nominated. Below is a list of all companies and products participating in the 2005 Readers' Choice Awards in each category. http://www.linuxsecurity.com/content/view/118160 * Identity Management: Controlling the Costs of Continuous Compliance 3rd, February, 2005 There are a number of technologies that can streamline your compliance effort so that your company remains compliant without incurring burdensome recurring costs. 
One such technology is identity management, which can help to establish repeatable, sustainable, cost-effective processes that respond quickly to organizational changes, enable continuous compliance and security, and create auditable histories of who had access to what information. http://www.linuxsecurity.com/content/view/118180 * MS Security Program No Threat to Linux, Advocate Says 4th, February, 2005 Bruce Perens, co-founder of the Open Source Initiative and leader of the Debian GNU/Linux distribution, said he believes Linux is simply more secure and can respond to potential threats at any time since it has an international developer base. http://www.linuxsecurity.com/content/view/118189 * RFID Vulnerability Expose 1st, February, 2005 A vulnerability in radio-frequency ID chips could put millions of users of wireless car key tags or speed pass payment devices at risk, according to a recent study by researchers at Johns Hopkins University and RSA Laboratories. http://www.linuxsecurity.com/content/view/118152 * Manhunt for Filipino hacker ensues 1st, February, 2005 A manhunt for the alleged Filipino hacker of the government portal "gov.ph" and other government websites was launched after the suspect went into hiding, the police said Tuesday. http://www.linuxsecurity.com/content/view/118149 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue Feb 8 03:52:41 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 8 03:58:14 2005 Subject: [ISN] CodeCon Reminder Message-ID: Forwarded from: Len Sassaman We'd like to remind those of you planning to attend that CodeCon is fast approaching. CodeCon is the premier event in 2005 for the, and application developer community. 
It is a workshop for developers of real-world applications with working code and active development projects.

Past presentations at CodeCon have included the file distribution software BitTorrent, the Peek-A-Booty anti-censorship application, the email encryption system PGP Universal, and Audacity, a powerful audio editing tool.

Some of this year's highlights include Off-The-Record Messaging, a privacy-enhancing encryption protocol for instant-message systems, SciTools, a web-based toolkit for genetic design and analysis, and Incoherence, a novel stereo sound visualization tool.

CodeCon registration is discounted this year: $80 for cash at the door registrations. Registration will be available every day of the conference, though tickets are limited, and attendees are encouraged to register on the first day to secure admission.

CodeCon will be held February 11-13, noon-6pm, at Club NV (525 Howard Street) in San Francisco. For more information, please visit http://www.codecon.org.

From isn at c4i.org Tue Feb 8 03:53:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:16 2005
Subject: [ISN] Privacy, Security, Trust 2005 Conference - Oct 12th...14th
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Here's an event that might interest a few members conducting research in Privacy, Security and Trust areas: http://www.unb.ca/pstnet/pst2005/index.html

fyi.... Americans travelling to Canada for conferences can get GST taxes returned to them for amounts spent on accommodations, gifts, etc. through the Canadian Visitor Rebate program. You can mail your receipts in or stop by the border and get cash-back on the spot at designated spots. For more information on VRPs here is the link: http://www.cra-arc.gc.ca/tax/nonresidents/visitors/tax-e.html

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Co-chair HTCIA IEC Membership Committee & Chairman, AC-HTCIA Media & Communications, Moncton 2005
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.NB-HTCIA.org & http://www.htcia.org
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

From isn at c4i.org Tue Feb 8 03:53:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:19 2005
Subject: [ISN] Experts: International domain names may pose threat
Message-ID:

http://www.nwfusion.com/news/2005/0207experinter.html

By Paul Roberts
IDG News Service
02/07/05

Security experts are warning about a new threat to Web surfers: malicious Web sites that use international domain names to spoof the Web addresses of legitimate sites.

The new trick is a variation of a known technique called the "homograph attack" and takes advantage of loopholes in the way some popular Web browsers display domain names that use non-English characters. It could allow malicious hackers and online identity theft groups to trick unsuspecting users into divulging sensitive personal information, according to advisories from The Shmoo Group, a hacker collective, and Secunia.

The warning was published after a demonstration of the new kind of homograph attacks at ShmooCon, a hacker convention in Washington, D.C. Secunia, of Copenhagen, issued advisories on the new issue for users of affected browsers and declared the issue "moderately critical."

Homograph attacks are a well-known trick in which character resemblance, for example, between the letter "O" and the number "0" is used to fool users into thinking that a bogus Web site actually belongs to a legitimate company. For example, malicious hackers might register the domain www.pcw0rld.com and design it to mimic the popular computer news Web site.
The latest threat was first described by Evgeniy Gabrilovich and Alex Gontmakher, computer science students at Technion, the Israel Institute of Technology. The attack takes advantage of changes supported by Internet standards bodies such as the Internet Engineering Task Force (IETF) to allow domain names to be registered in national alphabets using non-English characters.

The new Internationalized Domain Name (IDN) program makes it easier for non-English speakers to use the Web but also creates opportunities for malicious hackers, Gabrilovich and Gontmakher wrote.

For example, attackers could register a Web domain bloomberg.com, which looks identical to the popular business news Web site, but in which the letters "o" and "e" have been substituted with identical-looking substitutes from the Cyrillic alphabet, used in the Russian language, creating a new domain, the authors said. In another example, the authors registered the domain www.microsoft.com, in which the English letters "c" and "o" in that domain were substituted with their Cyrillic counterparts.

Links to the bogus Web sites in e-mail messages could be disguised by hiding the actual URL with non-English characters, such as "http://www.p.ypal.com," in the HTML code of the e-mail message. Affected Web browsers would make the trick work by cleaning up that URL and displaying it with the international character. In this example, it would look like www.paypal.com, said Dan Hubbard, senior director at WebSense.

Some popular Web browsers, including The Mozilla Foundation's Firefox 1.0, Apple's Safari Version 1.2.5 and Opera Software ASA's Version 7.54 browser all render the IDN characters in a way that could be used in an attack, according to details released by The Shmoo Group. Ironically, Microsoft's Internet Explorer browser, a popular target for Web-based attacks, is not vulnerable to the IDN homograph attack, The Shmoo Group said.
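The defensive counterpart to the Cyrillic substitutions described above is the check a mail filter or browser can apply before displaying a name: decode the punycode label, look for letters from more than one script, and collapse known look-alikes to a Latin "skeleton" that is compared against a list of protected names. The Python script below is an added example, not code from the article, from The Shmoo Group or from the researchers it cites; CONFUSABLES is a constructed subset of the Unicode confusables table, and PROTECTED_LABELS and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render identically to Latin
# letters in common fonts (a small slice of the Unicode TR39 confusables).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

# Constructed list of brand labels the filter wants to protect.
PROTECTED_LABELS = frozenset({"paypal", "microsoft", "bloomberg"})


def to_unicode(hostname):
    """Return the Unicode form of a hostname; 'xn--' labels are punycode-decoded.
    Unicode input is returned unchanged so either form can be analysed."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def to_wire(hostname):
    """Return the ASCII (punycode) form that a resolver actually sees."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch):
    """Derive a script name from the Unicode character name,
    e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(label):
    """Map each confusable to its Latin look-alike so that look-alike
    labels collapse to one comparable string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyse_hostname(hostname, protected=PROTECTED_LABELS):
    """Return a report with the decoded name and a list of findings.
    A finding is raised for a label that mixes scripts, and for a label
    whose skeleton equals a protected label while the label itself differs
    (a single-script IDN such as a Cyrillic-only name is not flagged)."""
    decoded = to_unicode(hostname)
    findings = []
    for label in decoded.lower().split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        sk = skeleton(label)
        if sk != label and sk in protected:
            findings.append(f"label '{label}' is a look-alike of '{sk}'")
    return {"input": hostname, "decoded": decoded,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: the genuine name, a look-alike with a Cyrillic
    # first 'a', and a legitimate all-Cyrillic IDN that must not be flagged.
    samples = ("paypal.com", "p\u0430ypal.com",
               "\u044f\u043d\u0434\u0435\u043a\u0441.ru")
    for host in samples:
        report = analyse_hostname(host)
        print(to_wire(host), "->", report["decoded"], report["findings"])
```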
The homograph vulnerability has been talked about for a long time but has not been commonly used because Internet domain name registrars didn't support IDN. Now that many registrars do support it, the homograph attacks carry more weight, Hubbard said. "It's just another method for phishers to use," he said.

The vulnerability will be particularly useful for attacking Web surfers who are using browsers other than Internet Explorer, and phishing scam artists may develop scams to use it when they detect that a potential victim is on a browser other than IE, he said.

Web users were advised not to follow Web links from untrusted sources and to type in Web domains manually when in doubt. Internet users can also cut and paste suspect Web links into Windows Notepad or other text readers to see what character set the URL is written in, The Shmoo Group said.

Firefox supports IDN by default, but users can disable it by typing about:config into the browser's address bar, locating the network.enableIDN option, and double clicking on it to set it to "false."

From isn at c4i.org Tue Feb 8 03:54:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:21 2005
Subject: [ISN] Hold the Phone, VOIP Isn't Safe
Message-ID:

http://www.wired.com/news/technology/0,1282,66512,00.html

By Elizabeth Biddlecombe
Feb. 07, 2005

In recognition of the fact that new technologies are just as valuable to wrongdoers as to those in the right, a new industry group has formed to look at the security threats inherent in voice over internet protocol.

The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22 entities, including security experts, researchers, operators and equipment vendors, have signed up. They range from equipment vendor Siemens and phone company Qwest to research organization The SANS Institute.

They aim to counteract a range of potential security risks in the practice of sending voice as data packets, as well as educate users as they buy and use VOIP equipment.
An e-mail mailing list and working groups will enable discussion and collaboration on VOIP testing tools.

VOIP services have attracted few specific attacks so far, largely because the relatively small number of VOIP users doesn't make them a worthwhile target. (A report from Point Topic in December counted 5 million VOIP users worldwide.) But security researchers have found vulnerabilities in the various protocols used to enable VOIP. For instance, CERT has issued alerts regarding multiple weaknesses with SIP (session initiation protocol) and with H.323.

Over the past year, experts have repeatedly warned that VOIP abuse is inevitable. The National Institute of Standards and Technology put out a report last month urging federal agencies and businesses to consider the complex security issues often overlooked when considering a move to VOIP. NIST is a member of VOIPSA.

"It is really just a matter of time before it is as widespread as e-mail spam," said Michael Osterman, president of Osterman Research.

Spammers have already embraced "spim" (spam over instant messaging), say the experts. Dr. Paul Judge, chief technology officer at messaging-protection company CipherTrust, says 10 percent of instant-messaging traffic is spam, with just 10 to 15 percent of its corporate clients using IM. "It is where e-mail was two and a half years ago," said Judge.

To put that in perspective, according to another messaging-protection company, FrontBridge Technologies, 17 percent of e-mail was spam in January 2002. It put that figure at 93 percent in November 2004.

So the inference is that "spit" (spam over internet telephony) is just around the corner. Certainly, the ability to send out telemarketing voicemail messages with the same ease as blanket e-mails makes for appealing economics. Aside from the annoyance this will cause, the strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable.

But the threat shouldn't be couched solely within the context of unlawful marketing practices. Users might also see the audio equivalent of phishing, in which criminals leave voicemails pretending to be from a bank, said Osbourne Shaw, whose role as president of ICG, an electronic forensics company, has led him to try buying some of the goods advertised in spam.

In fact, according to David Endler, chairman of the VOIP Security Alliance and director of digital vaccines at network-intrusion company TippingPoint, there are many ways to attack a VOIP system.

First, VOIP inherits the same problems that affect IP networks themselves: Hackers can launch distributed denial of service attacks, which congest the network with illegitimate traffic. This prevents e-mails, file transfers, web-page requests and, increasingly, voice calls from getting through. Voice traffic has its own sensitivities, which mean the user experience can easily be degraded past the point of usability.

Furthermore, additional nodes of the network can be attacked with VOIP: IP phones, broadband modems and network equipment, such as soft switches, signaling gateways and media gateways.

Endler paints a picture in which an attack on a VOIP service could mean people would eavesdrop on conversations, interfere with audio streams, or disconnect, reroute or even answer other people's phone calls. This is a concern to the increasing number of call centers that put both their voice and data traffic on a single IP network. It is even more of a concern for 911 call centers.

But Louis Mamakos, chief technology officer at broadband telephony provider Vonage, says he and his team "spend a lot of time worrying about security" but the problems the company has seen so far have centered on "more pedestrian" threats like identity theft.

Vonage has not yet signed up for the VOIP Security Alliance, said Mamakos, and employees already spend a lot of time working on security issues with technology providers. "I'm not sure if (VOIPSA) is a solution to a problem we don't have yet," he said. "We need to judge what the incremental value is in working with another organization."

He also talked about how hard it would be to break into Vonage's service. Access to Vonage's signaling traffic requires authentication. The infrastructure is much more distributed than the websites that have been taken offline by denial of service attacks. And anyone wanting to eavesdrop on a Vonage phone conversation would have to be physically very close to the broadband connection leading to the target, as the farther away the eavesdropper is, the more commingled the target's voice traffic will be with other traffic on the network.

Meanwhile Kelly Larrabee, a spokeswoman for the peer-to-peer VOIP provider Skype, noted that Skype users control what information about themselves is available and who can contact them. She also said end-to-end encryption is used to protect voice conversations. The only vulnerability so far, aside from uncertified third-party applications, is through file transfers -- and again, this is under user control.

But these words could be like a red rag to a bull. As one commentator put it, a continuous duel is going on between network users and abusers, and spammers and hackers could well be reading this article. This poses the question of whether a group like the VOIP Security Alliance should refrain from announcing its efforts in the media and from making its membership and e-mail list free and open to all.

In response, said VOIPSA's Endler, "The people we really have to worry about are already thinking about (how to misuse VOIP)." Today's effort is to ensure that VOIP systems are reinforced "before it gets to the point that there are easily available tools for the script kiddies to use," he said.
From isn at c4i.org Tue Feb 8 03:54:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:24 2005
Subject: [ISN] Bush backs boost for cybersecurity
Message-ID:

http://www.fcw.com/fcw/articles/2005/0207/web-lob-02-07-05.asp

By David Perera
Feb. 7, 2005

President Bush's proposed budget for fiscal 2006 would spend 7 percent more on information technology security year-over-year and add cybersecurity to the stable of cross-agency lines of business.

The budget request calls for a 7.2 percent increase in IT security spending for the coming year to $1.685 billion, up from the $1.572 billion congressional appropriations approved for fiscal 2005. The greatest change, in percentage and absolute terms, occurs in the Justice Department. Officials from that Cabinet agency want about $254.6 million in fiscal 2006, or 20.7 percent more than the $210.9 million approved for this fiscal year.

Cybersecurity and information sharing are the two new cross-agency lines of business, according to a recent presentation from the Office of Management and Budget. OMB officials postulate that consolidation of common cybersecurity processes, services and technologies could improve government performance while driving down costs.

Their decision to add two lines of business brings the number of such efforts to seven. The original five cost-saving efforts were launched in March 2004 as a way of consolidating federal agencies' back-office functions by creating cross-agency service centers and implementing common IT architectures.

Of the existing lines of business, federal health architecture has so far been the most expensive in terms of development, modernization or enhancement funds spent and requested. Officials managing that line of business are spending $1.6 billion during fiscal 2005, and are requesting $1.9 billion for fiscal 2006. The initial target architecture for management of government health information is due by the end of fiscal 2005.

Officials for the financial management line of business have spent or are requesting less than half the health architecture effort. Fiscal 2005 spending amounts to $612 million; the fiscal 2006 request is for $666 million. As part of the fiscal 2006 budget request, federal officials selected four agencies to provide cross-agency financial service management. Agencies may begin shutting off their own financial systems this fiscal year.

The human resources management line of business is responsible for $202 million in expenses this fiscal year and expects to spend $164 million in fiscal 2006. Federal officials publicly named today cross-agency service providers for this line.

Officials for the case management line of business are spending $120 million this year and want to spend $152 million in fiscal 2006.

From isn at c4i.org Tue Feb 8 03:54:44 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:26 2005
Subject: [ISN] Tester claims 90% of VPNs open to hackers
Message-ID:

http://www.computerweekly.com/articles/article.asp?liArticleID=136571

By Antony Savvas
8 February 2005

Security testing company NTA Monitor has claimed that 90% of virtual private networks are open to hackers.

Over a three-year period of testing VPNs at large companies, NTA Monitor said 90% of remote access VPN systems have exploitable vulnerabilities, even though many companies, including financial institutions, have in-house security teams.

Flaws include "user name enumeration vulnerabilities" that allow user names to be guessed through a dictionary attack because they respond differently to valid and invalid user names.

Roy Hills, NTA Monitor technical director, said, "One of the basic requirements of a user name/password authentication is that an incorrect log-in attempt should not leak information as to whether the user name or password is incorrect. However, many VPN implementations ignore this rule."
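The rule Hills states, that a failed login must not reveal which half of the credential was wrong, is easiest to see as the difference between two small authentication handlers and the enumeration check a tester runs against them. This Python example is added here and is not NTA Monitor's or any VPN vendor's code; the user store, the PBKDF2 work factor and the message strings are constructed for illustration, and the leaky handler is included only to show the response difference a defender should test for.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed PBKDF2 work factor for this example


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(credentials):
    """Build a {username: (salt, hash)} store from plaintext pairs
    (constructed test data; a real store never holds plaintext)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# A salt/hash pair for a password nobody knows. It is verified against when
# the user name does not exist, so unknown and known users cost the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def leaky_login(store, username, password):
    """The pattern Hills criticises: the reply differs for a bad user name
    and a bad password, and unknown users are rejected early (fast)."""
    if username not in store:
        return (False, "unknown user name")
    salt, expected = store[username]
    if hash_password(password, salt) != expected:
        return (False, "incorrect password")
    return (True, "ok")


def uniform_login(store, username, password):
    """Hardened handler: one message for every failure, a constant-time
    digest comparison, and the same hashing work whether or not the
    user name exists."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected) and username in store
    if ok:
        return (True, "ok")
    return (False, "invalid credentials")


def responses_distinguish_users(login, store):
    """Enumeration check a tester can run: does the failure reply for a
    known user differ from the reply for an unknown one?"""
    known = next(iter(store))
    r_known = login(store, known, "definitely-wrong-password")
    r_unknown = login(store, "no-such-user", "definitely-wrong-password")
    return r_known != r_unknown


if __name__ == "__main__":
    users = make_user_store({"alice@example.com": "correct horse"})
    print("leaky handler leaks user names:", responses_distinguish_users(leaky_login, users))
    print("uniform handler leaks user names:", responses_distinguish_users(uniform_login, users))
```

The same comparison should be made on status codes, response sizes and timing, not only on the message text, since any of them can carry the leak.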
The fact that VPN user names are often based on people's names or e-mail addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of valid user names in a short period of time, said Hills.

Passwords can also be made harder to crack by deploying a mixture of characters and numbers. Hills said a six-character password can be cracked in about 16 minutes using standard "brute force" cracking software. However, a six-character password combining letters and numbers could take two days to crack.

From isn at c4i.org Tue Feb 8 03:55:20 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:29 2005
Subject: [ISN] Webroot Software Resigns from COAST
Message-ID:

Forwarded from: Paul Laudanski

Original: http://castlecops.com/article-5721-nested-0-0.html

In a very interesting turn around for COAST's credibility (and that of the folks who continue to remain as members), Webroot Software issued a press release: http://castlecops.com/article-5719-nested-0-0.html

"Webroot Software announced today that after careful consideration, the company has decided to withdraw its membership from the Consortium of Anti-Spyware Technology Vendors (COAST). The company issued the following statement: Webroot has always considered our obligations to our customers as our most important mission as a company. We believe their protection, privacy and peace of mind are paramount and have developed products and supported public policies that reflect that view. Our founding of the Consortium of Anti-Spyware Technology Vendors, or COAST, also reflected that position."

There is a very odd and long history about COAST. COAST was founded by other companies including Aluria Software. Aluria Software last year gave "Spyware Safe" status to WhenU. COAST recently added 180solutions to its membership. And now Webroot has left this organization.
http://castlecops.com/article5669.html

Some interesting information about Aluria Software and their delisting of WhenU for their antispyware product, including how America Online insisted WhenU stay listed for their AOL members: http://castlecops.com/article-5524-nested-0-0.html

20 questions were sent to Aluria and they answered, electing not to answer one critical question about why two dictionaries exist: http://castlecops.com/article5618.html

1) AOL insists on WhenU being listed in Aluria's Spyware Eliminator
2) Outside of AOL, WhenU was listed as "Spyware Safe" and delisted in Aluria's Spyware Eliminator

Out of roughly 1500 respondents, 85% no longer trust Aluria: http://castlecops.com/modules.php?name=Surveys&op=results&pollID=28&mode=nested&order=0&thold=0

Could COAST be Toast? Wayne Porter from Revenews decidedly thinks so: http://www.revenews.com/wayneporter/archives/000389.html#more

Lavasoft was another defector from the COAST organization much earlier. It appears that with all the anti-spyware folks leaving COAST, the companies who remain are called into question on their motives.

John Dvorak in his CBS Marketwatch weekly column stated: http://www.marketwatch.com/news/yhoo/story.asp?guid={65E7967A-DA81-451C-BE78-B5552FAC958C}&siteid=myyahoo&dist=myyahoo

"There are many others including the highly regarded Spyware Eliminator from Aluria which seems to be in the middle of a conflict of interest debate you can read about at the Castlecops website at http://castlecops.com/article-5523-nested-0-0.html. Currently I cannot recommend this program until these issues are resolved."

"Will COAST be Toast?" "Will Aluria be Eliminated?"

Aluria has already taken measures in the past to stop comments about their own privacy policy. One smart reader spotted an old cache archive and found that Spywareguide was correct: http://castlecops.com/article-5516-nested-0-0.html

A website called AdwareReport was highly critical of the Spywareguide article, but history has shown that Spywareguide reported on factual -- albeit dated -- Aluria privacy policy.

BroadbandReports picked up on this, Aluria defending their certification of WhenU: http://www.broadbandreports.com/shownews/58066?r=236

It appears that here too, public commentary does not favor Aluria.

WildersSecurity picked up the story and made "The Lure of Aluria" available for readers: http://www.wilderssecurity.com/showthread.php?t=55643

This was one of the articles Spywareguide was ordered by Aluria to cease and desist.

Earlier Suzi at SpywareWarrior is Baffled by Aluria: http://netrn.net/spywareblog/archives/2004/11/22/baffled-by-aluria/

SpywareInfo delisted Aluria from their database: http://www.spywareinfo.com/newsletter/archives/1104/4.php

The companies that exist as members of COAST today (notice Webroot was not yet removed): http://www.coast-info.org/members.htm

1) http://www.pestpatrol.com/
2) http://www.aluriasoftware.com/
3) http://www.webroot.com/wb/index.php (Announced today they are no longer a member)
4) http://www.noadware.net/
5) http://www.new.net/
6) http://www.weatherbug.com/

It also appears 180solutions is not listed in the membership yet either.

Weatherbug has known spyware:
http://castlecops.com/startuplist-395.html
http://castlecops.com/startuplist-2128.html

180solutions known spyware:
http://castlecops.com/startuplist-4847.html
http://castlecops.com/startuplist-5203.html
http://castlecops.com/startuplist-4691.html
http://castlecops.com/startuplist-5012.html
http://castlecops.com/startuplist-5150.html
http://castlecops.com/startuplist-5247.html
http://castlecops.com/startuplist-5275.html
http://castlecops.com/startuplist-6245.html
http://castlecops.com/startuplist-6574.html
http://castlecops.com/startuplist-6832.html

I'm sure the public would like to know from Computer Associates, who now own PestPatrol. Will they continue to remain partners with COAST?

As Wayne put it, "Is COAST Toast"?

trackbacks:
http://alpha.revenews.com/MT/mt-tb.cgi/337
http://castlecops.com/trackback/News/5719

--
Regards,
Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://cuddlesnkisses.com | http://justalittlepoke.com | http://zhen-xjell.com

From isn at c4i.org Wed Feb 9 07:01:17 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:37 2005
Subject: [ISN] FBI Van Burglarized; SWAT Rifles, Ammo Taken
Message-ID:

http://www.news4jax.com/news/4173456/detail.html

[You would think having this fresh on their minds... http://www.cnn.com/US/9706/04/fbi.theft/ and maybe this... http://seclists.org/lists/isn/2002/Aug/0038.html you'd be a little more careful with what you leave unguarded - WK]

February 7, 2005

JACKSONVILLE, Fla. -- Four sniper rifles, scopes and ammunition were stolen from an FBI SWAT van parked outside a Baymeadows Road hotel before dawn Sunday.

The FBI said the guns belonged to a team from Atlanta in Jacksonville to provide extra security for the Super Bowl. A spokesman for the FBI said authorities are concerned these weapons are out on the street and are doing everything possible to try and find whoever took them.
Four high-powered rifles with scopes and 80 rounds of 308 ammunition were taken from the unmarked, locked van parked outside the Holiday Inn at Baymeadows and Interstate 95. An agent parked the van at 3:45 a.m. and discovered a few hours later the padlock cut and van burglarized.

An internal investigation is under way. The FBI asks anyone with information that could help recover the rifles to call their Jacksonville office at (904) 721-1211.

From isn at c4i.org Wed Feb 9 07:01:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:40 2005
Subject: [ISN] Microsoft issues 12 patches, eight of them for 'critical' flaws
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99621,00.html

By Paul Roberts
FEBRUARY 08, 2005
IDG NEWS SERVICE

On the same day that it announced a deal to acquire antivirus software vendor Sybari Software Inc., Microsoft Corp. today released a total of 12 software patches designed to fix 16 vulnerabilities in Windows, Office and other products. Eight of the new patches are for "critical" security holes that could be used to run malicious code on affected computers, Microsoft said.

The group of fixes represents one of the largest single-day releases of software updates since Microsoft switched to a monthly patching approach in October 2003. Microsoft provided patches for almost every supported version of Windows, including the recently issued Windows XP Service Pack 2. The company is trying to plug security holes in critical Windows components and in products such as its Internet Explorer Web browser and MSN Messenger instant messaging application.

The most serious problems that Microsoft is trying to address with this month's patch release include the following:

* A vulnerability in a component of MSN Messenger that renders the Portable Network Graphics image files used to display icons, such as smiley faces. If the flaw is successfully exploited, malicious code could be hidden in a buddy icon and launched whenever MSN users load their IM contact lists, Microsoft said.

* A flaw in the Server Message Block (SMB) protocol that affects Windows XP, Windows 2000 and Windows Server 2003 and could be used to launch attacks on vulnerable systems from Web pages. SMB is used to communicate between Windows machines and to share network resources such as printers and files.

* A vulnerability in the License Logging Service (LLS) used in Windows Server 2003, Windows 2000 and Windows NT Server 4.0. The logging service is a tool that helps customers manage software licenses for Microsoft's server products. The company said a remote attacker could use the vulnerability to cause LLS to fail, creating the potential for denial-of-service attacks on systems running Windows Server 2003. Attackers could install programs; view, change or delete data; or create new user accounts on Windows 2000 and NT Server 4.0 systems, Microsoft added.

* Four holes in Versions 5 and 6 of Internet Explorer. One of the patches includes a fix for a "drag and drop" vulnerability that could allow a remote attacker to use the Web to place an executable file on a Windows system without the user of the machine being shown a dialog box asking for approval for the download.

With the exception of the Internet Explorer holes, Microsoft doesn't know of any active attacks attempting to exploit the vulnerabilities, which were all discovered by security researchers outside of the company, said Stephen Toulouse, program manager at Microsoft's Security Response Center.

Microsoft recommends that companies assess their exposure to the vulnerabilities and apply all applicable software patches as soon as possible, Toulouse said.

Aware of the burden being placed on IT security managers by the large number of patches, Microsoft also released an enterprise-level scanning tool designed to help users detect vulnerable computers.
The new tool supplements the Microsoft Baseline Security Analyzer, according to Microsoft. The company is also increasing the number of webcasts it holds to discuss deployment of the security updates, anticipating an increased need for help with this month's patch release, Toulouse said. From isn at c4i.org Wed Feb 9 07:01:58 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 9 07:05:42 2005 Subject: [ISN] Microsoft to buy Sybari Message-ID: http://www.fcw.com/fcw/articles/2005/0207/web-sybari-02-08-05.asp By Rutrell Yasin Feb. 8, 2005 Microsoft officials are moving into the virus protection business with an agreement to buy Sybari Software, a provider of anti-virus software. Company officials are counting on the acquisition to further provide enterprise customers with new solutions to protect them from malicious software. Microsoft officials bought Giant Company Software in December to protect Windows users from spyware and other deceptive software. The purchase of Sybari will aid in protecting messaging and collaboration servers from viruses, worms and spam, Microsoft officials said. "Enterprise customers face a complex set of attacks through their e-mail and collaboration infrastructure," said Mike Nash, corporate vice president of the Security Business Technology Unit at Microsoft, in a prepared statement. "Through this acquisition, we're excited to be able to provide customers with a server-level anti-virus solution that delivers advanced file and content-filtering capabilities and the use of multiple scan engines," he said. Nash added that this will give users "the most up-to-date protection possible." By being embedded within the server infrastructure it protects, Sybari Software provides an additional layer of messaging defense, stopping threats before they reach end users, Microsoft officials said. In addition, a single Sybari Software product will work with multiple versions of Microsoft Exchange and Lotus Notes. 
So when users migrate from one version to the next or deploy multiple versions long term, they can achieve lower maintenance and support costs, officials said. Sybari also offers solutions for Microsoft Office SharePoint Portal Server 2003 and Microsoft Windows SharePoint Services.

Terms of the acquisition were not announced. Sybari will maintain all current operations until regulatory approval.

Microsoft's move to strengthen virus protection for messaging and collaboration servers does not mean that enterprise customers won't need e-mail and messaging security solutions that offer a broader range of protection, according to officials at Symantec Corp., a leading provider of security management software. Organizations will still need integrated solutions that include scanning, filtering, archiving and recovery over heterogeneous networks, Symantec officials said.

The Sybari "technology may help Microsoft help their customers more easily integrate antivirus solutions with Exchange, but still requires the scanning engines and support infrastructure from third party antivirus and antispam vendors," according to a statement issued by Symantec officials. "This acquisition does not provide Microsoft with the security and antivirus response infrastructure necessary to support the virus protection needs of enterprise customers. Detection is only as strong as the best engine plugged into the solution," the Symantec statement reads.

From isn at c4i.org Wed Feb 9 07:02:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:44 2005
Subject: [ISN] Charges dropped against 'DDoS Mafia'
Message-ID:

http://www.theregister.co.uk/2005/02/08/ddos_mafia_case/

By John Leyden
8th February 2005

US prosecutors have dropped criminal complaints against four of five men accused of offering a denial of service attack for hire.
Paul Ashley, the network administrator of CIT/FooNet, a web and IRC hosting company, and three alleged accomplices, Jonathan David Hall, Joshua James Schichtel, and Richard Roby were accused of organising attacks against the websites of rivals of Massachusetts businessman Jay Echouafni.

Last month, charges against the group were dismissed at the request of prosecutors, the O'Reilly Network reports. But an investigation remains open and charges could still be brought. "This just allows us to talk to defence attorneys and negotiate things before having to bring an indictment against a particular individual," prosecution lawyer Arif Alikhan told the O'Reilly Network.

Charges against a fifth suspect in the case, Lee Graham Walker, a British man based in the UK, remain outstanding.

Echouafni, former head of Orbit Communication, an online satellite TV retailer, was indicted separately last summer by a grand jury on five charges of aiding and abetting computer intrusion and conspiracy. He fled bail to become a fugitive from justice. His alleged role as a DDoS kingpin has earned him a spot on the FBI's most wanted list.

From isn at c4i.org Wed Feb 9 07:02:31 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:47 2005
Subject: [ISN] First Monday February 2005
Message-ID:

The February 2005 issue of First Monday (volume 10, number 2) is now available at http://firstmonday.org/issues/issue10_2/

-------

Table of Contents
Volume 10, Number 2 - February 7th 2005

The media's portrayal of hacking, hackers, and hacktivism before and after September 11
by Sandor Vegh
http://firstmonday.org/issues/issue10_2/vegh/

Abstract: This paper provides a thorough analysis of the mainstream media representation of hackers, hacking, hacktivism, and cyberterrorism. The intensified U.S.
debate on the security of cyberspace after September 11, 2001, has negatively influenced the movement of online political activism, which is now forced to defend itself against being labeled by the authorities as a form of cyberterrorism. However, these socially or politically progressive activities often remain unknown to the public, or if reported, they are presented in a negative light in the mass media. In support of that claim, I analyze five major U.S. newspapers in a one-year period with 9-11 in the middle. I argue that certain online activities are appropriated for the goals of the political and corporate elite with the help of the mass media under their control to serve as pretext for interventions to preserve the status quo. Thus, the media portrayal of hacking becomes part of the elite's hegemony to form a popular consensus in a way that supports the elite's crusade under different pretexts to eradicate hacking, an activity that may potentially threaten the dominant order.

-------

[...]

From isn at c4i.org Thu Feb 10 05:21:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:20 2005
Subject: [ISN] Cyber-terror plan panned as "barmy"
Message-ID:

http://management.silicon.com/government/0,39024677,39127738,00.htm

February 09 2005
By Will Sturgeon

World Security Organisation is a non-starter...

A controversial UK security vendor is calling for the creation of a World Security Organisation (WSO) to crack down on 'cyber-terror' as well as real world threats by air, land, sea and space. Yet some in the industry have criticised the 'cyber-terror' part of the plan, saying it is bogged down in fanciful thinking and hyperbole. One expert has even branded it "barmy".

DK Matai, the chairman of mi2g, will tomorrow night address the Oxford University Internet Institute with a proposal for a body which would tackle the issue of 'cyber-terrorism'.
According to the company, he will address 60 attendees, including senior execs from the banking and insurance sectors as well as representatives from the academic, diplomatic, government and intelligence fields. Among the proposals he will present are the creation of "a global collaborative venture more powerful than Interpol" as well as plans to "reduce poverty levels in deprived areas from where radicals and organised crime members are recruited".

But such bold claims have led one leading anti-virus expert to brand the plans as "barmy". Speaking anonymously he told silicon.com: "We could just laugh this off as barmy, were it not for the fact that government, the City and now Oxford University actually take this self-appointed guru seriously. That's where I stop laughing and start worrying about the direction things are going."

Addressing the specific accusations above, a statement from mi2g said: "Far from engaging in hyperbole, we feel that our point of view is balanced and realistic."

And Matai remains bullish about the role the WSO could play in ensuring greater safety for internet users and world governments. "The feedback we have received has been overwhelmingly in favour of The World Security Organisation," he said in a statement. "We invite further dialogue in this area because a significant need for such an institution has now been clearly identified by several countries."

Central to any criticism of these plans is the fact that evidence of a genuine cyber-terror threat is yet to be presented by any respected body, according to Simon Perry, VP security strategy at CA, who was recently invited to advise ENISA (the European Network and Information Security Agency) as a member of its permanent stakeholders group.

Supporting this view, Pete Simpson, ThreatLab manager at Clearswift, told silicon.com: "There has not been a single cyber-terror threat. Not one. It's entirely fabricated and non-existent."
Simpson suggested "political propaganda" and "commercial propaganda" may both be playing a part.

Addressing whether the claims of mi2g should be regarded as genuine cause for concern, leading computer science academic Ross Anderson, from Cambridge University, told silicon.com: "The use of the word 'cyber-terrorism' signals marketing rather than anything else."

The other misconception with cyber-terror, according to CA's Perry, is the idea that terrorists will have a means of attack other than those attacks we see currently.

From isn at c4i.org Thu Feb 10 05:23:15 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:22 2005
Subject: [ISN] Did U.S. Spy Agency Exchange E-Mails With '60s Pop-Singer?
Message-ID:

http://ap.tbo.com/ap/breaking/MGBAHT5M05E.html

[I can almost see the NSA having an Eddie Izzard moment when writing out this security policy. "No, we can't do it... Who we got? Zingelbert Bembledack, Tringelbert Wangledack, Slut Bunwalla, Klingybun Fistelvase, Dindlebert Zindledack, Gerry Dorsey, Engelbert Humptyback, Zengelbert Bingledack, Engelbert Humperdinck, Vingelbert Wingledanck No, no, go back one. Go back one. "Engelbert Humperdinck." That's it!" :) - WK]

By Ted Bridis
Associated Press Writer
Feb 10, 2005

WASHINGTON (AP) - Is Engelbert Humperdinck, the pop-singer icon once described in his liner notes as "kind of like James Bond, only with more chest hair," quietly exchanging e-mails with the super-secret National Security Agency?

America's largest and most cryptic espionage organization indicated as much when it published new software security guidelines for federal agencies. An illustration of an NSA employee's e-mail inbox showed two messages that Humperdinck ostensibly forwarded in July to the spy agency.
What could the government's top code-breakers be discussing over the Internet with Humperdinck, 68, whose velvety voice scored hits in the '60s and '70s with "Release Me" and "After the Lovin'" and led hysterical female fans to throw undergarments on stage?

The NSA said it was only kidding.

"Instead of using fictitious names as we try to do, this time a celebrity's name was used," the agency said in response to tongue-in-cheek inquiries from The Associated Press. "There was no harm intended. We've removed the name from the page and will substitute it."

The NSA pulled the security guidelines off its Web site, although the document still was circulating on other Web sites.

Humperdinck, known among friends as "Enge," did not respond over more than two weeks to phone calls and e-mail messages from the AP to his personal assistant, his manager or official fan club.

Humperdinck, who grew up in Britain as the son of an army officer, picked up his unusual name in 1965 from the German opera composer best known for "Hansel and Gretel." He's sold more than 130 million records. His autobiography, "Engelbert: What's in a Name?," published last month, recounts his turbulent celebrity life and 40-year marriage that endured what he describes as hundreds of adulterous affairs.

There were hints even in the NSA's security document that it wasn't really serious about exchanging e-mails with Humperdinck. It misspelled his name "Humperdink," and another illustration showed the spy agency received an e-mailed document from "James T. Kirk," the fictional captain from the "Star Trek" TV series and movies.
-=-

On the Net:
NSA: www.nsa.gov
Humperdinck's fan site: www.engelbert.com

From isn at c4i.org Thu Feb 10 05:23:28 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:23 2005
Subject: [ISN] Symantec flaw leaves opening for viruses
Message-ID:

http://news.com.com/Symantec+flaw+leaves+opening+for+viruses/2100-1002_3-5569811.html

By Robert Lemos
Staff Writer, CNET News.com
February 9, 2005

Symantec has issued a patch for a flaw in its scanning software that could cause a virus to execute, rather than catch it.

The vulnerability affects an antivirus library used by the majority of Symantec's antivirus and antispam products, including Norton SystemWorks 2004 and Symantec Mail Security for Exchange, the security provider said on Tuesday. The software is aimed at a range of systems, from consumer desktops to large corporate mail servers, meaning the flaw could be used to take control of key corporate systems or to install programs to grab people's identity data.

"The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library," Symantec said in an advisory. "This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks."

Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said. But the flaw does not affect the latest versions of some of the products, such as Norton Antivirus 2005, the company said.

"Symantec strongly recommends that customers ensure their products are up-to-date to protect against this vulnerability," the company said in a statement. "To date, Symantec has not had any reports of related exploits of this vulnerability."
Security information company Secunia, which rates the seriousness of software vulnerabilities, gave the Symantec flaw its second-highest threat grade, "highly critical."

The problem exists in how the scanning code handles a compression format known as the Ultimate Packer for Executables (UPX). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through e-mail or host it on a Web site. An unpatched Symantec scanner checking incoming e-mail or the Web pages that users browse would run the program instead of catching the virus.

"The vulnerability can be triggered by an unauthorized remote attacker, without user interaction, by sending an e-mail containing a crafted UPX file to the target," Internet Security Systems, the company that found the flaw, stated in an advisory on Tuesday. The company said it notified Symantec of the issue when it found it.

The flaw highlights the danger of weaknesses in the security software that acts as a gateway between the unfiltered Internet and internal corporate networks. Internet Security Systems experienced such problems firsthand a year ago, when a flaw in its own firewall software was targeted by a worm two days after the public release of an advisory.

Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.

Internet Security Systems could not immediately provide a spokesperson to comment on the issue.

The announcement of the flaw happened the same day that Microsoft released a dozen patches to fix holes in its Windows operating system and other applications. Microsoft also announced it intended to buy security company Sybari, which would put the software giant in direct competition with Symantec.
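The UPX problem described above is an instance of a general hazard for gateway scanners: before an engine can inspect a packed file it has to parse the packer's header, and that header is entirely under the sender's control. The C program below is an added, constructed illustration of that class of defect. It is not the real UPX layout and not Symantec's code; it invents a toy header (magic "TOY!" followed by two little-endian 32-bit length fields) and shows a naive unpacking step beside a hardened header parse that checks every length against the bytes actually present before allocating or copying anything. All names here (toy_parse_header, TOY_MAX_UNPACKED and so on) are hypothetical.

```c
/* Added, constructed example: a toy "packed executable" header as a file
 * scanner might parse it. The format (magic "TOY!", two little-endian
 * 32-bit lengths) is invented for illustration; it is NOT the UPX layout
 * and NOT Symantec's code. It shows the class of defect the article
 * describes: a scanner trusting length fields in attacker-supplied data. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAGIC        "TOY!"
#define TOY_HEADER_LEN   12           /* magic(4) + packed_len(4) + unpacked_len(4) */
#define TOY_MAX_UNPACKED (1u << 20)   /* scanner's memory budget per object: 1 MiB */

struct toy_header {
    uint32_t packed_len;    /* bytes of compressed payload after the header */
    uint32_t unpacked_len;  /* size the payload claims to expand to */
};

enum toy_status {
    TOY_OK = 0,
    TOY_ERR_TRUNCATED,      /* input shorter than the fixed header */
    TOY_ERR_MAGIC,          /* not a toy-packed object */
    TOY_ERR_PACKED_LEN,     /* payload length runs past the end of the input */
    TOY_ERR_UNPACKED_LEN    /* declared expansion is zero or over the budget */
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Helper: write a header with the given (possibly absurd) lengths. */
void toy_make_header(unsigned char *out, uint32_t packed_len, uint32_t unpacked_len)
{
    memcpy(out, TOY_MAGIC, 4);
    for (int i = 0; i < 4; i++) {
        out[4 + i] = (unsigned char)(packed_len >> (8 * i));
        out[8 + i] = (unsigned char)(unpacked_len >> (8 * i));
    }
}

/* Naive version, for contrast only: the lengths are used as if they were true.
 * packed_len is never compared with buf_len, so memcpy reads past the input;
 * unpacked_len sizes the destination, so the copy can also write past it.
 * Never call this on untrusted data; main() below does not call it at all. */
unsigned char *toy_unpack_naive(const unsigned char *buf, size_t buf_len, size_t *out_len)
{
    (void)buf_len;                           /* never consulted: the defect */
    uint32_t packed = rd32le(buf + 4);
    uint32_t unpacked = rd32le(buf + 8);
    unsigned char *dst = malloc(unpacked);   /* sender chooses the allocation */
    memcpy(dst, buf + TOY_HEADER_LEN, packed);
    *out_len = unpacked;
    return dst;
}

/* Hardened header parse: every length is checked against what is actually
 * available before any copy or allocation happens. The arithmetic cannot
 * overflow because we subtract from buf_len instead of adding to packed_len. */
enum toy_status toy_parse_header(const unsigned char *buf, size_t buf_len,
                                 struct toy_header *out)
{
    if (buf_len < TOY_HEADER_LEN)
        return TOY_ERR_TRUNCATED;
    if (memcmp(buf, TOY_MAGIC, 4) != 0)
        return TOY_ERR_MAGIC;

    uint32_t packed = rd32le(buf + 4);
    uint32_t unpacked = rd32le(buf + 8);
    size_t avail = buf_len - TOY_HEADER_LEN;    /* bytes really present */

    if (packed > avail)
        return TOY_ERR_PACKED_LEN;
    if (unpacked == 0 || unpacked > TOY_MAX_UNPACKED)
        return TOY_ERR_UNPACKED_LEN;

    out->packed_len = packed;
    out->unpacked_len = unpacked;
    return TOY_OK;
}

int main(void)
{
    unsigned char buf[64];
    struct toy_header h;

    toy_make_header(buf, 20, 100);             /* well-formed: 20 bytes follow */
    memset(buf + TOY_HEADER_LEN, 'A', 20);
    printf("well-formed object: status %d\n", toy_parse_header(buf, 32, &h));

    toy_make_header(buf, 0xFFFFFFF0u, 100);    /* claims ~4 GiB of payload in 32 bytes */
    printf("oversized packed_len: status %d\n", toy_parse_header(buf, 32, &h));
    return 0;
}
```

The two checks that matter are the ones the naive version lacks: the payload length is compared with the input that remains after the header, and the declared expansion is capped by a budget the scanner chooses rather than by a value the sender chooses. A real engine would add the same discipline to every offset and count inside the compressed stream, not only to the outer header.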
Other products that use the Symantec antivirus scanning library include Symantec's Brightmail antispam software and Symantec Web Security.

From isn at c4i.org Thu Feb 10 05:23:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:26 2005
Subject: [ISN] The curse of the secret question
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99628,00.html

Opinion by Bruce Schneier
Counterpane Internet Security Inc.
FEBRUARY 09, 2005
COMPUTERWORLD

It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a "secret question" to answer.

Twenty years ago, there was just one secret question: "What's your mother's maiden name?" Today, there are more: "What street did you grow up on?" "What's the name of your first pet?" "What's your favorite color?" And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it.
This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

-=-

Bruce Schneier is a security expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. His latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He also publishes the monthly "Crypto-Gram" newsletter. He can be reached at his Web site, www.schneier.com/.

From isn at c4i.org Thu Feb 10 05:23:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:30 2005
Subject: [ISN] Spyware Critic Knocked Offline by DDoS Attack
Message-ID:

http://www.eweek.com/article2/0,1759,1763273,00.asp

By Ryan Naraine
February 9, 2005

Harvard researcher Ben Edelman, one of the most vocal critics of spyware purveyors, fell victim to a massive DDoS (distributed denial-of-service) attack over the past 24 hours.

Edelman's Web site, which publishes detailed research reports on spyware, was knocked offline for much of Monday and Tuesday by a DDoS attack that crippled the server capacity.
"My prior Web host tells me I was the target of the biggest DDoS attack they've ever suffered -- some 600MB per second," Edelman said.

He told eWEEK.com the site was an obvious target for denial-of-service attacks because of his work to uncover controversial online schemes ranging from software installations through security holes to adware companies deleting each other's programs.

Edelman's published reports also have highlighted venture capital investments in adware companies and detailed step-by-step evidence of "drive-by downloads" and confusing software-installation techniques.

"These aren't nice practices, so I suppose it comes as no surprise that someone - perhaps some group or company that doesn't like what I'm writing - has sought to knock my site offline," Edelman said.

Denial-of-service attacks are used by malicious hackers to flood a network with bogus requests, effectively slowing or crashing a server. "The bad guys have thousands or millions of zombies to use in [these attacks]," Edelman said.

With the help of the nonprofit Internet Systems Consortium Inc., which has offered to host the site, Edelman said his research material was back online Wednesday morning.

Edelman is a Ph.D. candidate at the Department of Economics at Harvard University and a student at Harvard Law School.

From isn at c4i.org Thu Feb 10 05:24:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:32 2005
Subject: [ISN] Computer Hackers Place False Emergency Calls - Hiawatha Prank Call
Message-ID:

http://www.kcrg.com/article.aspx?art_id=95468&cat_id=123

[Note: I added the headline from another story on the same subject, this article had the most information, but the headline was lacking. - WK]

By Dave Franzman
KCRG-TV9 News
February 09, 2005

The FBI will investigate the realistic, but fake, 911 call that sent officers rushing to a Hiawatha company on Tuesday.
Hiawatha Police Chief Rick Pierce says the hoax became a federal case because the call originated from somewhere on the west coast...possibly from a stolen or "cloned" cell phone.

Officers say three separate calls to 9-1-1 dispatchers Tuesday were so realistic people could hear yelling and screaming and even gunfire in the background. But when police and ambulance units arrived at the Crystal Group office in Hiawatha they found no gunmen and only confused workers.

Wednesday, investigators said they had a better idea of what may have happened. Chief Pierce says someone called several offices at the Crystal Group Tuesday asking about phone system passwords. One worker at the company mistakenly gave out a "pin" number. With that number, pranksters could dial from out of state, but make it appear the call originated at the Hiawatha business.

Chief Pierce says he's convinced the person who faked the call was not an average hacker, but someone familiar with phone systems. No one connected with emergency dispatch at the Linn County Communications Center can recall anything this elaborate in the way of a fake 9-1-1 call.

Officers say this call was especially dangerous not only to officers responding, but also for people at the company who could have reacted inappropriately to the appearance of armed officers.

Hiawatha officials say they believe the FBI may have some experience with similar hoaxes elsewhere. Hiawatha police were unable to trace the origin of the call beyond somewhere on the west coast.

From isn at c4i.org Thu Feb 10 05:24:30 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:34 2005
Subject: [ISN] Hacker hits WSU computers
Message-ID:

http://www.kbsd6.com/servlet/Satellite?pagename=KBSD/MGArticle/BSD_BasicArticle&c=MGArticle&cid=1031780744325

By Cindy Klose
KWCH 12 Eyewitness News
February 9, 2005

A computer hacker figured out a way to get into three servers at Wichita State University, but the college says no private information was taken.
The computer servers hold information on as many as eight thousand students, faculty and former students. The university says the hackers didn't take any information off the computers, but were looking for places to hide stolen movies or music.

WSU's Chief Information Officer Peter Zoller told Eyewitness News, "we've had numerous attempts to break in, none have ever succeeded. We were surprised this one did, but fortunately we caught it early, and remedied the problem."

Wichita State watches the servers 24 hours a day from a security room, but the hackers broke in over the weekend when no one was monitoring the system. The three servers the hacker got into held information from the College of Education, clients at the Speech Language-Hearing Clinic and International students.

The FBI is looking into the case.

From isn at c4i.org Fri Feb 11 03:37:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:50 2005
Subject: [ISN] Sniffer dog threatens online privacy
Message-ID:

http://www.theregister.co.uk/2005/02/10/sniffer_dog_ruling/

By Mark Rasch, SecurityFocus
10th February 2005

Comment - The Fourth Amendment to the US Constitution is supposed to be the one that protects people and their "houses, places and effects" against "unreasonable searches". Forty-two years ago, the US Supreme Court held that attaching a listening device to a public pay phone violated this provision because the Constitution protects people, not places, and because the Fourth Amendment prohibits warrantless searches without probable cause if the target enjoys a reasonable expectation of privacy.

Last month the US Supreme Court effectively trashed this principle in a case that could have a profound impact on privacy rights online. The case, decided by the court on 24 January, had nothing to do with the Information Superhighway, but rather an ordinary interstate highway in Illinois.

Roy Caballes was pulled over by the Illinois State Police for speeding.
While one officer was writing him a ticket, another officer in another patrol car came by with a drug sniffing dog. There was absolutely no reason to believe that Caballes was a drug courier - no profile, no suspicious activity, no large amounts of cash. The driver could have been a soccer mom with a minivan filled with toddlers. Under established Supreme Court precedent, while the cops could have looked in the window to see what was in "plain view", the officers had neither probable cause nor reasonable suspicion to search Caballes' car, trunk, or person.

Well, you know what happened next - the dog "sniff" indicated that there might be drugs in the trunk, which established probable cause to open the trunk, where the cops found some marijuana.

Now here is where things get dicey for the internet. In upholding the dog's sniff-search of the trunk, the Supreme Court held that it did not "compromise any legitimate interest in privacy". Why? Because, according to the court, "any interest in possessing contraband cannot be deemed 'legitimate'." The search was acceptable to the court because it could only reveal the possession of contraband, the concealment of which "compromises no legitimate privacy interest". The expectation "that certain facts will not come to the attention of the authorities" is not the same as an interest in "privacy that society is prepared to consider reasonable," the court wrote.

In other words, the search by the dog into, effectively, the entire contents of a closed container inside a locked trunk, without probable cause, was "reasonable" even though the driver and society would consider the closed container "private" because the search only revealed criminal conduct.

The same reasoning could easily apply to an expanded use of packet sniffers for law enforcement.
Currently, responsible law enforcement agencies limit their warrantless internet surveillance to the "wrapper" of a message, ie, email addresses or TCP/IP packet headers, unless they have a court order permitting a more intrusive search. Looking at the "outside" of the communication has been treated as similar to looking at the outside of a vehicle - and maybe peering into the window a bit. To peek inside the communication - read the content - required that you first get someone in a black robe involved.

The experiences of Mr. Caballes (the soccer mom, or me or you) changed all that. The government is practically invited to peek inside internet traffic and sniff out evidence of wrongdoing. As long as the technology - like a well-trained dog - only alerts when a crime is detected, it's now legal.

As context-based search technology improves, the government may soon have the ability to take Carnivore one better and deploy "intelligent" packet search filters that will seek out only those communications that relate to criminal activity. They may already have it. Although these packet sniffing dogs sniff the packets of sinner and saint alike, they only bark at the sinner's emails. Thus, according to the new Supreme Court precedent, the sinner has no privacy rights, and the saint's privacy has not been invaded. In fact, the saint would not even know the search had taken place - internet surveillance is less noticeable than a dog sniff.

I think Sun Microsystems' president Scott McNealy was only slightly ahead of his time when he said: "You already have zero privacy, get over it." We could pass a constitutional amendment to protect our privacy rights, but I thought we did that on 15 December, 1791 when the Bill of Rights was ratified.

Hopefully, this case will be limited to a dark desert highway, and not find its way onto the Infobahn. But somehow I doubt it.

-=-

SecurityFocus columnist Mark D.
Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

From isn at c4i.org Fri Feb 11 03:38:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:52 2005
Subject: [ISN] Security UPDATE -- Safer Mobile Surfing -- February 9, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Evaluate ScriptLogic Cloak & Get A Free T-Shirt
http://list.windowsitpro.com/t?ctl=164B:4FB69

An Evaluation of the Total Cost of Ownership of Email Security Solutions
http://list.windowsitpro.com/t?ctl=1636:4FB69

====================

1. In Focus: Safer Mobile Surfing

2. Security News and Features
- Recent Security Vulnerabilities
- February the 13th: Microsoft Issues Massive Number of Security Fixes
- Microsoft to Purchase Sybari Software
- Weakness in Windows XP SP2 Overflow Protection
- SOHO Firewall Appliances

3. Security Matters Blog
- Stop Users from Bypassing Group Policy
- Two More Months to Opt Out of Windows XP SP2

4. Instant Poll

5. Security Toolkit
- FAQ
- Security Forum Featured Thread

6. New and Improved
- Spam Firewall for Large Organizations

====================

==== Sponsor: ScriptLogic ====

Evaluate Cloak & Get A Free T-Shirt

If you're a security-conscious administrator, ScriptLogic has a new product that's a must-have, no matter how large or small your company is. Cloak is an innovative software solution that enhances the NTFS by providing increased security, more accurate audits, and a streamlined experience for network users. When you install Cloak on the Windows Server, users will only see the files and folders they have permission to access.
Not only does Cloak filter network requests on file servers, it can also filter local activity, so it's ideal for Citrix Metaframe and Terminal Servers too! Download a 30-day evaluation today and get a free Cloak t-shirt. Go to
http://list.windowsitpro.com/t?ctl=164B:4FB69

====================

==== 1. In Focus: Safer Mobile Surfing ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'm sure you read lots of different security-related blogs and Web sites. There are a bunch of them out there, and the number seems to keep right on growing. I've got dozens of them in my RSS reader, and I often find new ones that I want to read now and then.

One interesting blog that I found some time ago is called Secureme. Not only is it informative, but the writing style is subtly humorous at times too. When I look at the "avatars" of the blog writers at the site, I'm not quite sure what's missing: a flashy mirrored disco ball and colored lights, or Santa's workshop. When you go to the blog, you'll see what I mean.
http://list.windowsitpro.com/t?ctl=1651:4FB69

An interesting recent post at the blog ("No SSH server, no problem!" January 13) covered two tools, The Onion Router (TOR) and Privoxy, both of which can be used in a variety of situations, such as using them together to better protect your Internet communications when you're on the road. For example, if you're using a hotel's in-house network or a public wireless network, you could use TOR and Privoxy to help protect your network traffic.

TOR is a routing technology that encrypts and routes your Internet traffic through a number of TOR servers before the traffic reaches its destination. Privoxy is a proxy server that helps protect your Internet privacy by removing or obscuring various content, such as your DNS queries, browser type, OS type, and more. You can configure Privoxy to communicate with TOR so that all your Web traffic is routed through the TOR network.
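The chaining just described is a single forwarding rule in Privoxy's config file. The fragment below is an added example, not text from the newsletter or from the Secureme post; it assumes a TOR client running on the same machine and listening on TOR's default SOCKS port, 9050, and that Privoxy's own listen address is left at its default of 127.0.0.1:8118.

```conf
# Added example of the Privoxy forwarding rule that hands every request to a
# local TOR client (assumed to be listening on the default SOCKS port, 9050).
#
#   forward-socks4a  <pattern>  <socks proxy>  <http parent>
#
# "/" matches every URL and the trailing "." means "no HTTP parent proxy",
# so nothing is sent directly. socks4a (rather than socks4) matters: the
# hostname is passed to TOR unresolved, so DNS lookups also travel through
# TOR instead of going to the hotel or hotspot's resolver in the clear.
forward-socks4a / 127.0.0.1:9050 .
```

With that line in place, the browser is pointed at Privoxy (127.0.0.1:8118 by default) rather than at TOR directly, so Privoxy's header and content filtering happens first and TOR carries the result. The check a practitioner wants after enabling this is that no DNS traffic leaves the machine for the sites visited; if it does, the rule is using socks4 instead of socks4a or the browser is resolving names itself.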
I tried the two tools, and they seem to work all right. Setting up a TOR client is incredibly simple. Just install it, run it, and make sure there are open ports on your firewall to pass traffic. That's it! Privoxy is equally simple, except that to make it work with TOR, you'll need to add one line to the Privoxy configuration, which is explained in the TOR documentation. You can learn more about TOR and Privoxy and download copies at their respective Web sites.
http://list.windowsitpro.com/t?ctl=1653:4FB69
http://list.windowsitpro.com/t?ctl=1652:4FB69

Until next time, have a great week.

====================

==== Sponsor: Postini ====

An Evaluation of the Total Cost of Ownership of Email Security Solutions

Quantifying the Total Cost of Ownership (TCO) of email security solutions is a notoriously difficult task. Discover how Total Cost of Ownership is much more than the initial acquisition cost of a solution, and how you can save thousands of dollars each year without sacrificing accuracy, control or effectiveness in protecting your email systems. Download this free whitepaper now!
http://list.windowsitpro.com/t?ctl=1636:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=163B:4FB69

February the 13th: Microsoft Issues Massive Number of Security Fixes

Yesterday, Microsoft issued a massive number of security bulletins and fixes as part of its regularly scheduled monthly security update release. The company released 12 security bulletins for various products, including several Windows versions, Exchange Server, Office XP, Windows Media Player, MSN Messenger, and SharePoint. Eight of the bulletins are rated as "critical," the company's most serious rating.
http://list.windowsitpro.com/t?ctl=163D:4FB69

Microsoft to Purchase Sybari Software
Microsoft announced yesterday that it has signed a definitive agreement to acquire Sybari Software, a New York-based company that develops antivirus, antispam, and content-filtering technologies. The acquisition will include all of Sybari's staff and technologies.
http://list.windowsitpro.com/t?ctl=163C:4FB69

Weakness in Windows XP SP2 Overflow Protection
Security company Positive Technologies released a white paper that explains what it considers to be weaknesses in the heap overflow protection and data execution protection in Windows XP Service Pack 2 (SP2). The two technologies are designed to help prevent intruders from taking advantage of unchecked buffers to launch malicious code within the OS.
http://list.windowsitpro.com/t?ctl=1643:4FB69

SOHO Firewall Appliances
Even if you have a home office or work for a small company, you still need to protect your valuable data and network. Firewalls have become a de facto standard for all organizations--large and small--as a frontline perimeter-based defense against attackers who want to steal your information, hijack your resources, and otherwise vandalize your network. Jeff Fellinge looks at several solutions in this Buyer's Guide.
http://list.windowsitpro.com/t?ctl=1641:4FB69

====================

==== Resources and Events ====

InfoSec World 2005, April 4-6, 2005, Orlando, FL
InfoSec World 2005 is where connections are made. Expand your knowledge with the hottest topics and get real-world strategies and tested techniques for meeting your toughest information security challenges. With a full spectrum of events, InfoSec World offers an array of stimulating programs, presentations, activities, networking opportunities and more!
http://list.windowsitpro.com/t?ctl=164C:4FB69

Ensure Successful Token Authentication
What's more secure than password protection?
Attend this free Web seminar and learn how to protect your network and make your mobile and remote users more secure with token authentication. Discover ways to evaluate, test, and roll out token authentication to protect your investment, while making a solid business case to justify the costs. Register now!
http://list.windowsitpro.com/t?ctl=1637:4FB69

Windows Connections Conference Spring 2005
Mark your calendar for Windows Connections Spring 2005, April 17-20, 2005, at the Hyatt Regency in San Francisco. Sessions jam-packed with tips and techniques you need to know to ensure success in today's enterprise deployments. Get the complete brochure online or call 203-268-3204 or 800-505-1201 for more information.
http://list.windowsitpro.com/t?ctl=1654:4FB69

Configuring Blade Servers for Your Application Needs
Blade servers pack a lot of function into a small space, conserve power and are flexible. In this free Web seminar, industry guru David Chernicoff details the best use of 1P, 2P and 4P configurations using single and multiple enclosures; integrating with NAS and SAN and managing the entire enterprise from a single console. Register now and take advantage of blade servers' power and flexibility.
http://list.windowsitpro.com/t?ctl=1638:4FB69

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=164A:4FB69

Check out these recent entries in the Security Matters blog:

Stop Users from Bypassing Group Policy
I read a really interesting thread on the Focus on Microsoft mailing list. A list member said his users found a way to bypass Group Policy so that they could install unauthorized software on their machines. The users entered their logon credentials, then as soon as they were authenticated to the domain, they unplugged the network cable so that Group Policy Objects (GPOs) weren't downloaded to their machines. However, there are ways to foil this strategy.
http://list.windowsitpro.com/t?ctl=1644:4FB69

Two More Months to Opt Out of Windows XP SP2
According to Microsoft's TechNet Flash newsletter, "the mechanism to temporarily disable delivery of Windows XP SP2 is available only for a period of 240 days (8 months) from August 16, 2004. At the end of this period (after April 12, 2005), Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems."
http://list.windowsitpro.com/t?ctl=1645:4FB69

==== 4. Instant Poll ====

Results of Previous Poll:
Is comment spam a problem on your company's blogs or Web forums? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 13 votes:
- 23% Yes it was, but we solved it by requiring registration
- 0% Yes, but we'll implement the new "rel" tag format to stop it
- 0% Yes, but we don't plan to do anything about it
- 77% No

New Instant Poll:
If your company uses Windows XP, do you use XP SP2? Go to the Security Hot Topic and submit your vote for
- Yes
- No, but we intend to
- No, and we don't intend to
http://list.windowsitpro.com/t?ctl=1646:4FB69

==== 5. Security Toolkit ====

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1647:4FB69

Q: How can I view a list of all applications on my computer that start at boot-up?

Find the answer at
http://list.windowsitpro.com/t?ctl=1642:4FB69

Security Forum Featured Thread: ISAPI Extension Access to DCOM Application Server
Nicola has an Internet Server API (ISAPI) DLL that connects to a Distributed COM (DCOM) application server. The setup includes a Microsoft IIS server configured with integrated security and anonymous access disabled, a domain group to collect all the domain users that should be able to use the procedures in the DLL, and DCOM configured with an administrator account and launch/access permissions for the domain group.
The setup works if the domain group is included in the local Administrators group, but Nicola doesn't want to put the domain group in the local Administrators group and wonders if there's some other configuration that will work. Join the discussion at
http://list.windowsitpro.com/t?ctl=1639:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=1640:4FB69

====================

==== 6. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Spam Firewall for Large Organizations
Barracuda Networks offers Barracuda Spam Firewall 800, a spam and virus appliance for large organizations and ISPs. Barracuda Spam Firewall 800 supports 30,000 active users and can handle nearly 1.3 million messages per hour. It's designed for reliability, including redundant hot-swap power supplies, RAID 5 disk storage, dual gigabit Ethernet ports, and clustering capabilities. Barracuda Spam Firewall 800 is priced at $17,999 for the appliance and $3999 per year for a subscription to the Energize Update service, which updates the appliance hourly with new spam rules and virus definitions. Barracuda also offers Spam Firewall models for smaller organizations. For more information, visit
http://list.windowsitpro.com/t?ctl=164E:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column.
Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=1655:4FB69

Quest Software
See Active Directory in a whole new light. And get a free flashlight!
http://list.windowsitpro.com/t?ctl=1656:4FB69

====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=164D:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=163F:4FB69

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=163E:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Feb 11 03:39:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:54 2005
Subject: [ISN] Hackers target state's computer network
Message-ID:

http://www.adn.com/front/story/6140359p-6022520c.html

By SEAN COCKERHAM
Anchorage Daily News
February 10th, 2005

JUNEAU -- The FBI is looking into a recent rash of cyberattacks that hit the state's computer network.

"We are aware of it and it is a pending investigation so there is really very little I can say about it," FBI spokesman Eric Gonzalez said.

Rep. Pete Kott, R-Eagle River, said a federal task force came to Alaska as part of the investigation. Kott said he believes the CIA and the Department of Homeland Security are also involved. Kott said he was briefed on the situation by state officials.

"Anytime you've got the feds up in Alaska it's got to be a serious issue," Kott said. "The White House has been briefed on this."

He said the federal team came to Anchorage about two weeks ago and took piles of data back to Washington, D.C., to analyze.

Kott said the January attacks appear to have originated in Brazil, although hackers can disguise where their attacks are coming from. He said he was told there was a security breach, but it was unclear how widespread it was or which agencies were involved.

"I don't think we were the only state affected," said Kott, who led the Legislature's Information Technology subcommittee last year.

The Alaska Department of Administration, which oversees the state computer network, refused to answer questions about the investigation.

"We have no response, no comment," department spokesman Joe Holbert said.

Kott said the department was slow in letting the Legislature know about the problem. He said his office got wind of it and had to call state officials and ask what was going on.

"They were shocked that we even knew about it," Kott said Wednesday.
Stan Herrera, the state's director of enterprise technology services, said Tuesday that he was unaware of an FBI investigation.

Herrera told the Daily News in late January that the state was looking into increased activity of cyberattacks on the state network that month. He described it as "denial of service" attacks that made computers unresponsive. He said he could provide no estimate on the breadth of the attack because it was still being analyzed. But he said there was no indication sensitive material was stolen from state computers.

The state's computer network contains credit card numbers and other personal information that could be used for identity theft.

Kott said there could also be "widespread havoc" if a hacker were to penetrate the Permanent Fund dividend division. The division director, Sharon Barton, said in an interview that there was no evidence of that.

The Alaska Permanent Fund Corp., which handles the billions of dollars in fund investments, is not on the state network and officials said it was not breached. Fund technology director Marshal Kendziorek said he checked the logs closely when the state network was attacked.

"We are extremely security conscious here, much more so than other places," Kendziorek said. "We've seen no intrusions."

For the past decade, Kott said, officials have likely not given enough attention to beefing up the security of the state computer network. Kott said the Murkowski administration has moved, though, to review the system and to "basically come up with a better mousetrap."

He said it's not a high priority among members of the Legislature.

"Nobody understands computers. They know how to turn them on, turn them off, and to get onto the Internet," Kott said.

Kott said planned security upgrades were speeded up after the January cyberattacks, although more will likely be needed. He said he expects the investigators to make recommendations.
"If it's sizable, multimillion dollar upgrades, which I'm guessing it's going to be, then we have to take a serious look at it," Kott said. "I don't think we have any choice but to take care of the problem."

From isn at c4i.org Fri Feb 11 03:39:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:56 2005
Subject: [ISN] BlackBerry maker gets NIST nod
Message-ID:

http://www.fcw.com/fcw/articles/2005/0207/web-nistberry-02-10-05.asp

By Florence Olsen
Feb. 10, 2005

National Institute of Standards and Technology officials named Research in Motion, the Canadian maker of the wireless BlackBerry, as the recipient today of NIST's 500th cryptographic module certification.

Since 1995, NIST-approved laboratories have tested and validated hundreds of cryptographic hardware and software modules. NIST officials issued the 500th certificate to Research in Motion for its BlackBerry cryptographic kernel, firmware that performs all basic cryptographic functions for the BlackBerry.

Certification means that the module conforms to Federal Information Processing Standard 140-2. Federal agencies are required to use only validated cryptographic modules.

NIST officials operate the Cryptographic Module Validation Program in conjunction with the Canadian government. NIST officials have accredited nine laboratories in the United States, Canada and the United Kingdom to test cryptographic modules.

A statement from Research in Motion officials said a number of government organizations are using handheld BlackBerrys to support continuity of operations planning. Federal BlackBerry users are storing emergency preparedness information, standard operating procedures, emergency call lists and other documents on the handheld computers.
From isn at c4i.org Fri Feb 11 03:39:36 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:59 2005
Subject: [ISN] Hackers Quickly Target Newly Disclosed Microsoft Flaw
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=60300331

By Gregg Keizer
TechWeb News
Feb. 10, 2005

It didn't take hackers long to start banging hard on the vulnerabilities Microsoft disseminated Tuesday. Just a day after the Redmond, Wash.-based developer rolled out a dozen advisories containing 16 vulnerabilities, 10 of them tagged as "Critical," exploit code has gone public for one, Microsoft said late Wednesday.

"Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released," said Graham Cluley, senior technology consultant for Sophos, in a statement. "Many computer users are bound to have not yet defended themselves," he added.

Microsoft posted an online advisory to its Web site, confirming that exploit code exists. "Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by the update released with Microsoft Security Bulletin MS05-009," Microsoft said.

The bulletin in question patched two vulnerabilities, one in Windows Media Player, the other in MSN Messenger and Windows Messenger, Microsoft's instant messaging clients. All three applications can be attacked using malformed PNG image files.

According to other security firms' analyses, the exploit code -- dubbed Exploit-PNGfile by McAfee -- can instruct the infected machine to run any payload the hacker bundles with it. Possible payloads could include such typical malware as Trojans, backdoor components, or worms to wrench control from the real user, or even spyware such as key loggers to steal information and identities.

Although exploit code is out and about, Microsoft said it had not yet seen any actual attack.
"We will continue to actively monitor the situation and provide updated customer information and guidance as necessary," the advisory continued.

Microsoft said that patched systems were immune from the exploit, and outlined recommended steps for both individuals and enterprises that included updating both Windows and MSN Messenger for the former, and either uninstalling MSN Messenger or blocking it in the latter.

"MSN Messenger is not intended for corporate environments," Microsoft said. "Instead, use Windows Messenger, which is included with Windows." Another option is to download the beta of MSN Messenger 7, which is not susceptible to the exploit.

One stumbling block in eliminating this vulnerability is that users must update MSN Messenger manually, since it's not part of Windows per se (unlike Windows Messenger, the similar-but-not-identical IM client bundled with the OS).

"Although there is an automatic update notification system present in MSN Messenger, it can take a long time for it to actually inform the user about a newer version," wrote Kaspersky Labs in its alert on the issue.

Core Security Technologies, the Boston security firm which first found the flaw and reported it to Microsoft in August 2004, said that the MSN Messenger bug was extremely dangerous.

"Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP," the company said in its own advisory posted Tuesday.

Core also said that exploits could be crafted that would compromise unpatched machines "without crashing or disrupting the normal functioning of the MSN Messenger client application," making detection almost impossible by the end user.

"This vulnerability is serious," said Sophos' Cluley.
"Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity."

From isn at c4i.org Fri Feb 11 03:39:49 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:43:01 2005
Subject: [ISN] Flaw in mail-list software leaks passwords
Message-ID:

http://news.com.com/Flaw+in+mail-list+software+leaks+passwords/2100-1002_3-5571576.html

By Robert Lemos
Staff Writer, CNET News.com
February 10, 2005

A previously unknown vulnerability in Mailman, a popular open-source program for managing mailing lists, has led to the theft of the password file for a well-known security discussion group.

The theft, discovered this week and reported in an announcement to the Full Disclosure security mailing list on Wednesday, casts uncertainty on the security of other discussion groups that use the open-source Mailman package. By specially crafting a Web address, an attacker can obtain the password for every member of a discussion group.

"Anyone with a Web browser can download a file off a vulnerable system--it's (easy to do)," said John Cartwright, co-founder and manager of the Full Disclosure mailing list.

The attack, known as a remote directory traversal exploit, occurred on Jan. 2, according to Cartwright's investigation. "As far as our server goes, there is no evidence that any other files were accessed using this flaw."

The flaw could have far-reaching consequences because some mailing list subscribers change their access code to a password that they reuse elsewhere. Since Mailman uses subscribers' e-mail as their user name, people who reuse passwords could put other accounts in jeopardy.

Servers that run Apache 2.0 and Mailman are suspected to be immune to exploitation of the vulnerability, according to a security advisory on the Mailman Web site. "In any event, the safest approach is to assume the worst, and it is recommended that you apply this Mailman patch as soon as possible," the advisory stated.
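The reason the advisory singles out Apache 2.0 is that it collapses "../" segments in the request URI before a CGI ever sees them, whereas Apache 1.3 passes the raw path through and leaves the application to normalise it. The following is an added example, not Mailman's code, showing the two defender-side pieces of that picture: confining a requested archive path under its root after percent-decoding, and scanning constructed Apache access-log lines for traversal attempts against the private archive URL. The archive root path, list name and log entries are all made up for the example.

```python
"""Confining an archive path under its root, and scanning an Apache access
log for directory-traversal attempts against the private archive URL.

Added example, not Mailman code; the root path and log lines are constructed.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

ARCHIVE_ROOT = "/var/lib/mailman/archives/private"  # hypothetical root path

# Apache common/combined log prefix: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)')
# A ".." path segment, however it is surrounded.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(raw: str) -> str:
    """Percent-decode until the result stops changing (max 3 rounds) so that
    %2e%2e and the double-encoded %252e%252e both end up as '..'."""
    current = raw
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path for `requested`, or None when it
    escapes `root`, carries a NUL byte, or hides '..' behind encoding.
    This is the check Apache 1.3 leaves to the application."""
    decoded = decode_path(requested)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def scan_access_log(lines) -> List[Tuple[str, str, int]]:
    """Flag requests whose decoded path is under /mailman/private/ and
    contains a '..' segment. Returns (client, decoded_path, status) tuples;
    a 200 on such a line is the one to treat as a likely successful read."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an Apache access-log line
        client, _ts, _method, path, status, _size = m.groups()
        decoded = decode_path(path)
        if "/mailman/private/" in decoded and TRAVERSAL_RE.search(decoded):
            hits.append((client, decoded, int(status)))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2005:03:14:07 +0000] "GET /mailman/private/listname/2004-December/000123.html HTTP/1.0" 200 5123',
    '198.51.100.7 - - [02/Jan/2005:03:15:41 +0000] "GET /mailman/private/listname/../../../../etc/passwd HTTP/1.0" 200 812',
    '203.0.113.4 - - [02/Jan/2005:03:16:02 +0000] "GET /mailman/private/listname/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 291',
    '192.0.2.99 - - [02/Jan/2005:03:17:30 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 291',  # out of scope
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} -> {path} ({status})")
    print(resolve_under_root(ARCHIVE_ROOT, "listname/../../../../etc/passwd"))  # None
```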
The Full Disclosure discussion list had used Mailman running on Apache 1.3, a vulnerable configuration.

Companies and projects that distributed Mailman as part of their Linux distribution have already started releasing fixes for the problem. Debian, Ubuntu and Gentoo Linux have released advisories citing the problem and offering patches.

From isn at c4i.org Fri Feb 11 03:40:03 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:43:03 2005
Subject: [ISN] Cybersecurity: It's Dollars and Sense
Message-ID:

http://www.businessweek.com/technology/content/feb2005/tc20050211_8713.htm

By Bill Hancock
FEBRUARY 11, 2005

Few CEOs grasp the case for investing in safeguards against hackers, worms, and the like. It's every chief information officer's duty to banish that innocence

No one really wants to spend money on cybersecurity. Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find -- and even harder to apply. Worse yet, most managers never learned how to calculate the value of -- and communicate the business case for -- cybersecurity.

Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.

45,000 OPEN DOORS. The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted to computer systems using things like firewalls and intrusion-detection systems. Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly.
Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code -- and every bug is an opening for hackers. The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker.

These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them. Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

EASY AS ABC. Most senior executives are aware of these cybersecurity issues. The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company. Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won't kill the business, and the expense to clean it up will be minimal.

There's a way to deal with this dilemma. Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can't ignore. The basic framework I've used to build the business case for cybersecurity I call the ABC's of Security Management:

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can't let someone steal their patents. The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer- or product-development data base you could be put out of business.

Brand protection: Every CEO is concerned about the outfit's brand.
CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce Web site is compromised? What happens to the value of the brand -- and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don't have a choice: It's the law. Actually, it's lots of laws. Sarbanes-Oxley (SOX), Graham-Leach-Bliley (GLB), the Health Insurance Portability & Accountability Act (HIPAA), and the USA Patriot Act all have provisions that require securing IT applications, data, and infrastructure.

SHINING EXAMPLES. Once you've used the ABC's to make cybersecurity a business priority, what next? While there is no cookbook for cybersecurity, there are some best practices I've seen at leading companies.

Hire outside experts: The best approach is to integrate your internal IT expertise about applications, data, and business processes with outside expertise on how to identify and protect against cyberthreats. In most cases, you can save money by engaging these cybersecurity experts on a short term basis to do periodic assessments, audits, and updates of your security systems and procedures.

Evaluate your IT suppliers: Ensure that the IT solutions you buy -- just like corporate networks, applications, servers, and storage -- follow the best practices for cybersecurity and can be included in your "chain of trust" to comply with government regulations.

Take one step at a time: You can't solve all your cybersecurity problems at once. Build a list of your cybersecurity vulnerabilities and prioritize the items based on business value. Focus on the high-value items that keep the business running and allow it to grow.

Cybersecurity is a journey, not a destination -- you'll never be completely done. The important thing is to keep moving forward, continuously improve, and focus on the details many think aren't so important.
-=-

Bill Hancock is Chief Security Officer of SAVVIS Communications and is chairman of the FCC's Network Reliability & Interoperability Council Homeland Security focus group on cybersecurity

From isn at c4i.org Mon Feb 14 05:21:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:07 2005
Subject: [ISN] Break-In At SAIC Risks ID Theft
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A17506-2005Feb11.html

[InfoSec News subscribers were alerted of this incident with the stolen SAIC computers first with the article on February 3rd 2005 at:
http://www.attrition.org/pipermail/isn/2005-February/001118.html - WK]

By Griff Witte
Washington Post Staff Writer
February 12, 2005

Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances.
He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia. About 16,000 SAIC employees work in the Washington area.

Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

Gary Hassen of the San Diego Police Department said there were "no leads."

Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders.
SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company. He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.

The theft comes at a time when the company, which depends on the federal government for more than 80 percent of its $7 billion annual revenue, is already under scrutiny for its handling of several contracts.

Last week on Capitol Hill, FBI Director Robert S. Mueller III testified that the company had botched an attempt to build software for the bureau's new Virtual Case File system. The $170 million upgrade was supposed to allow agents to sift through different cases electronically, but the FBI has said the new system is so outdated that it will probably be scrapped.

In San Antonio, SAIC is fighting the government over charges that the company padded its cost estimates on a $24 million Air Force contract. The case prompted the Air Force to issue an unusual alert to its contracting officials late last year, warning them that "the Department of Justice believes that SAIC is continuing to submit defective cost or pricing data in support of its pricing proposals."

SAIC has defended its work for the FBI and the Air Force. Haddad said that criticisms are inevitable for such a large company and that there is no pattern of poor performance.

"I know people will try to jump to that kind of conclusion, but it's not an accurate reflection of how well this company is doing," he said. "This company has always prided itself on strong ethics."
The company's alumni list reads like a roll call of the nation's highest-profile former officials, including former defense secretaries William J. Perry and Melvin R. Laird and former CIA director John Deutch. Current directors of the company include former chief counterterrorism adviser Gen. Wayne A. Downing.

Founded by a group of scientists in 1969, SAIC has been growing in recent years at a rapid clip, right along with the government's appetite for high-tech services in information technology and national defense. The company named a new chief executive, Kenneth C. Dahlberg, in 2003, and he has set a goal of doubling the company's value within three to five years, Haddad said.

Philip Finnegan, director of corporate analysis with Teal Group Corp., said SAIC is trying to push into the top tier of contractors -- a rarefied club that includes Boeing Co. and Lockheed Martin Corp. -- and that there are bound to be bumps along the way. "It's inevitable that they'll face problems," he said.

Others are less sure that the company's recent difficulties don't add up to something more. "Is [the break-in] saying something about the quality of the company?" Kay said. "It's hard to say that. It's probably just random luck. But multiple occurrences of bad luck are often more than bad luck."
From isn at c4i.org Mon Feb 14 05:23:01 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:09 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-6
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-04 - 2005-02-11

This week : 93 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Microsoft has released their monthly security bulletins for February, which correct vulnerabilities in various products.

Users of Microsoft products are advised to visit Windows Update and check for available updates.

Additional information can be found in the referenced Secunia advisories below.
References:
http://secunia.com/SA11165
http://secunia.com/SA14190
http://secunia.com/SA14193
http://secunia.com/SA14192
http://secunia.com/SA14195
http://secunia.com/SA14177
http://secunia.com/SA14189
http://secunia.com/SA11634
http://secunia.com/SA14174

--

Multiple browsers have been reported vulnerable to a spoofing issue using IDN (International Domain Name). The problem is caused by an unintended result of the IDN implementation, which allows the use of international characters in domain names. This can be exploited by registering domain names with certain international characters that resemble other commonly used characters, thereby causing the user to believe they are on a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_idn_spoofing_test/

References:
http://secunia.com/SA14166
http://secunia.com/SA14154
http://secunia.com/SA14163
http://secunia.com/SA14162
http://secunia.com/SA14165
http://secunia.com/SA14164
http://secunia.com/SA14209

--

Many products from Symantec and F-Secure have been reported vulnerable to a buffer overflow vulnerability, which can be exploited by malicious people to compromise a vulnerable system. A comprehensive list of affected products is available in the referenced Secunia advisories below.

References:
http://secunia.com/SA14179/
http://secunia.com/SA14216/

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue
2. [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
3. [SA14164] Safari IDN Spoofing Security Issue
4. [SA14160] Mozilla / Firefox Three Vulnerabilities
5. [SA11165] Microsoft Internet Explorer Multiple Vulnerabilities
6. [SA14154] Opera IDN Spoofing Security Issue
7. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8. [SA14188] Mac OS X Finder Insecure File Creation Vulnerability
9. [SA14165] Netscape IDN Spoofing Security Issue
10. [SA13818] Opera "data:" URI Handler Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14193] Microsoft Windows OLE / COM Two Vulnerabilities
[SA14190] Microsoft Windows Drag and Drop Vulnerability
[SA14177] Microsoft Office URL File Location Handling Buffer Overflow
[SA14174] Microsoft Various Products PNG Image Parsing Vulnerabilities
[SA14145] Foxmail Server "Mail From:" Buffer Overflow Vulnerability
[SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue
[SA14195] Microsoft Windows Hyperlink Object Library Buffer Overflow
[SA14187] RealArcade Two Vulnerabilities
[SA14172] ArGoSoft FTP Server Compressed Shortcut Upload Security Bypass
[SA14169] 602LAN SUITE Webmail Arbitrary File Upload Vulnerability
[SA14161] ArGoSoft Mail Server Directory Traversal Vulnerabilities
[SA14146] RaidenHTTPD Relative Pathname Disclosure of Sensitive Information
[SA14192] Microsoft Windows License Logging Service Buffer Overflow
[SA14206] Netscape Three Vulnerabilities
[SA14180] SharePoint Services Cross-Site Scripting and Spoofing Vulnerability
[SA14134] LANChat Malformed Data Processing Denial of Service
[SA14144] Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness
[SA14189] Windows Anonymous Named Pipe Connection Information Disclosure

UNIX/Linux:
[SA14167] Debian update for php3
[SA14156] Gentoo update for openmotif
[SA14149] SUSE Updates for Multiple Packages
[SA14140] Gentoo update for lesstif
[SA14241] Red Hat update for squirrelmail
[SA14229] Mandrake update for enscript
[SA14227] Mandrake update for python
[SA14223] Debian update for mailman
[SA14222] Red Hat update for mailman
[SA14220] HP-UX BIND Unspecified Denial of Service Vulnerability
[SA14215] Debian update for evolution
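The IDN spoofing issue described in section 2 above (the SA14154, SA14162, SA14163, SA14164, SA14165, SA14166 and SA14209 entries) comes down to a hostname whose Unicode form looks like a familiar ASCII name while its DNS form, the punycode "xn--" A-label, is something else entirely. The following Python script is an added example, not Secunia's code and not any browser vendor's: it converts between the two forms with Python's built-in idna codec and applies the two checks a browser or mail gateway can make before displaying a name, a mixed-script test and a look-alike (confusable) test. The CONFUSABLES table is a small hand-picked subset assumed for the example, not the full Unicode confusables data, and the hostnames in the script are constructed test inputs.

```python
"""IDN homograph detection (added example, not part of the Secunia summary).

Decodes punycode (xn--) labels with the standard-library idna codec, then
flags labels that mix Unicode scripts or that map onto an ASCII label once
look-alike characters are replaced. CONFUSABLES is a small hand-picked
subset of the Unicode confusables data (an assumption for this example).
"""
import unicodedata

# Constructed subset of look-alikes: non-ASCII character -> ASCII character it imitates.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Script families told apart by the mixed-script test; digits and hyphen are neutral.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL", "THAI", "DEVANAGARI")


def to_ascii(host):
    """ToASCII: Unicode hostname -> punycode A-label form (what is looked up in DNS)."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """ToUnicode: hostname with xn-- labels -> Unicode form (what the address bar shows).

    A malformed A-label makes the idna codec raise UnicodeError; a caller
    should treat that as suspicious rather than display the raw label.
    """
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def script_of(ch):
    """Script family of one character, taken from the start of its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "NEUTRAL"


def analyse_label(label):
    """Findings for one Unicode label: mixed scripts and/or an ASCII look-alike."""
    findings = []
    scripts = {script_of(ch) for ch in label} - {"NEUTRAL"}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + "+".join(sorted(scripts)))
    # Replace each known look-alike by the ASCII character it imitates; if the
    # result is pure ASCII and differs from the label, the label mimics that name.
    lookalike = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    if lookalike != label and lookalike.isascii():
        findings.append("confusable with ASCII label '%s'" % lookalike)
    return findings


def analyse_host(host):
    """Return {unicode_label: [findings]} for every label of host that raised a finding."""
    report = {}
    for label in to_unicode(host).split("."):
        findings = analyse_label(label)
        if findings:
            report[label] = findings
    return report


def is_spoof_candidate(host):
    """True when any label of host mixes scripts or imitates an ASCII label."""
    return bool(analyse_host(host))


if __name__ == "__main__":
    # Constructed test inputs: a mixed-script look-alike of paypal.com, a whole-script
    # Cyrillic look-alike of apple.com, and the genuine ASCII name for comparison.
    for h in ("p\u0430ypal.com", "\u0430\u0440\u0440\u04cf\u0435.com", "paypal.com"):
        print(to_ascii(h), analyse_host(h))
```

The second constructed hostname is entirely Cyrillic, so the mixed-script test alone lets it through; only the confusable test catches it, which is why a display policy needs both checks. Comparing the A-label with what the address bar would show (the first column of the script's output against the Unicode form) is the quickest manual check for a suspect link.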
[SA14212] Ubuntu update for mailman
[SA14211] Mailman "private.py" Directory Traversal Vulnerability
[SA14208] SUSE update for squid
[SA14207] Gentoo update for pdftohtml
[SA14202] Gentoo update for python
[SA14196] Fedora update for emacs
[SA14194] Debian update for emacs20
[SA14191] Debian update for xemacs21
[SA14185] Ubuntu update for squid
[SA14182] Frox Deny ACL Security Bypass Vulnerability
[SA14178] UnixWare update for racoon
[SA14168] Ubuntu update for emacs21-bin-common
[SA14166] OmniWeb IDN Spoofing Security Issue
[SA14164] Safari IDN Spoofing Security Issue
[SA14162] KDE Applications IDN Spoofing Security Issue
[SA14158] Debian update for python2.2
[SA14150] Fedora update for python
[SA14148] GNU Emacs "popmail()" Format String Vulnerability
[SA14137] Ubuntu Postfix IPv6 Relaying Security Issue
[SA14133] Mozilla Application Suite "MSG_UnEscapeSearchUrl()" Buffer Overflow
[SA14129] Ubuntu update for python
[SA14201] Avaya krb5 Two Vulnerabilities
[SA14132] HP CIFS Server Security Descriptor Parsing Integer Overflow
[SA14130] Sun Solaris Samba Integer Overflow Vulnerability
[SA14184] Fedora update for postgresql
[SA14170] UnixWare / OpenServer TCP Connection Reset Denial of Service
[SA14228] Mandrake update for squid
[SA14157] Debian update for squid
[SA14226] Mandrake update for mysql
[SA14218] Debian update for xview
[SA14213] XView "xv_parse_one()" Buffer Overflow Vulnerability
[SA14203] Mandrake update for perl
[SA14200] Avaya Various Products Kernel Vulnerabilities
[SA14199] Mandrake update for perl-DBI
[SA14198] IBM AIX auditselect Format String Vulnerability
[SA14188] Mac OS X Finder Insecure File Creation Vulnerability
[SA14186] Red Hat update for perl
[SA14176] SCO OpenServer "enable" Buffer Overflow Vulnerability
[SA14175] UnixWare update for foomatic-rip
[SA14173] IBM AIX chdev Format String Vulnerability
[SA14171] Gentoo update for postgresql
[SA14159] osh "iopen()" Buffer Overflow Vulnerability
[SA14152] Avaya PDS Multiple Privilege Escalation Vulnerabilities
[SA14151] Debian update for postgresql
[SA14139] Debian update for ncpfs
[SA14138] Ubuntu update for cpio
[SA14153] Avaya CMS UDP End Point Handling Denial of Service

Other:
[SA14136] Linksys PSUS4 Print Server HTTP POST Request Denial of Service

Cross Platform:
[SA14216] F-Secure Multiple Products ARJ Archive Handling Vulnerability
[SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
[SA14205] MyPHP Forum Multiple SQL Injection Vulnerabilities
[SA14181] xGB Administrative User Authentication Bypass Vulnerability
[SA14165] Netscape IDN Spoofing Security Issue
[SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue
[SA14154] Opera IDN Spoofing Security Issue
[SA14143] Chipmunk Forum Multiple SQL Injection Vulnerabilities
[SA14142] CMScore Multiple SQL Injection Vulnerabilities
[SA14141] BXCP "show" Local File Inclusion Vulnerability
[SA14128] Python SimpleXMLRPCServer Library Module Vulnerability
[SA14183] BrightStor ARCserve Backup Discovery Service Buffer Overflow
[SA14160] Mozilla / Firefox Three Vulnerabilities
[SA14135] PowerDNS Traffic Handling Denial of Service Vulnerability
[SA14131] Claroline Add Course Script Insertion Vulnerability
[SA14204] Emdros MQL Parser Memory Leak Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA14193] Microsoft Windows OLE / COM Two Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-02-08

Cesar Cerrudo has reported two vulnerabilities in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14193/

--

[SA14190] Microsoft Windows Drag and Drop Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-08

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14190/

--

[SA14177] Microsoft Office URL File Location Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-08

Rafel Ivgi has reported a vulnerability in Microsoft Office XP, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14177/

--

[SA14174] Microsoft Various Products PNG Image Parsing Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-08

Two vulnerabilities have been reported in various Microsoft products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14174/

--

[SA14145] Foxmail Server "Mail From:" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-08

Fortinet has reported a vulnerability in Foxmail Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14145/

--

[SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-09

Eric Johanson has reported a security issue in i-Nav Plug-In, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
Full Advisory: http://secunia.com/advisories/14209/

--

[SA14195] Microsoft Windows Hyperlink Object Library Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-08

Anna Hollingzworth has reported a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14195/

--

[SA14187] RealArcade Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2005-02-09

Luigi Auriemma has reported two vulnerabilities in RealArcade, which can be exploited by malicious people to delete arbitrary files or compromise a user's system.

Full Advisory: http://secunia.com/advisories/14187/

--

[SA14172] ArGoSoft FTP Server Compressed Shortcut Upload Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-08

Remus Hociota has reported a vulnerability in ArGoSoft FTP Server, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14172/

--

[SA14169] 602LAN SUITE Webmail Arbitrary File Upload Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-08

Tan Chew Keong has reported a vulnerability in 602LAN SUITE, which can be exploited by malicious webmail users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14169/

--

[SA14161] ArGoSoft Mail Server Directory Traversal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-09

Tan Chew Keong has reported some vulnerabilities in ArGoSoft Mail Server, which can be exploited by malicious users to disclose and manipulate sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/14161/

--

[SA14146] RaidenHTTPD Relative Pathname Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-07

Donato Ferrante has reported a vulnerability in RaidenHTTPD, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14146/

--

[SA14192] Microsoft Windows License Logging Service Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-08

Kostya Kortchinsky has reported a vulnerability in some versions of Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14192/

--

[SA14206] Netscape Three Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-02-09

mikx has discovered three vulnerabilities in Netscape, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14206/

--

[SA14180] SharePoint Services Cross-Site Scripting and Spoofing Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Manipulation of data
Released: 2005-02-08

A vulnerability has been reported in Windows SharePoint Services and SharePoint Team Services, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14180/

--

[SA14134] LANChat Malformed Data Processing Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-04

Donato Ferrante has reported a vulnerability in LANChat Pro Revival, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14134/

--

[SA14144] Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-08

Donnie Werner has reported a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks.

Full Advisory: http://secunia.com/advisories/14144/

--

[SA14189] Windows Anonymous Named Pipe Connection Information Disclosure
Critical: Not critical
Where: From local network
Impact: Exposure of system information
Released: 2005-02-08

Jean-Baptiste Marchand has reported a weakness in Microsoft Windows XP, which can be exploited by malicious people to gain knowledge of certain system information.

Full Advisory: http://secunia.com/advisories/14189/

UNIX/Linux:--

[SA14167] Debian update for php3
Critical: Highly critical
Where: From remote
Impact: System access, Security Bypass
Released: 2005-02-07

Debian has issued an update for php3. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14167/

--

[SA14156] Gentoo update for openmotif
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-07

Gentoo has issued an update for openmotif. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14156/

--

[SA14149] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-02-07

SUSE has issued updates for multiple packages.
These fix various vulnerabilities, where some have an unknown impact, and others can be exploited to cause a DoS (Denial of Service), perform spoofing and cross-site scripting attacks, disclose sensitive information, perform certain actions with escalated privileges, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14149/

--

[SA14140] Gentoo update for lesstif
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-07

Gentoo has issued an update for lesstif. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14140/

--

[SA14241] Red Hat update for squirrelmail
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, Cross Site Scripting
Released: 2005-02-11

Red Hat has issued an update for squirrelmail. This fixes three vulnerabilities, which can be exploited by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14241/

--

[SA14229] Mandrake update for enscript
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-11

MandrakeSoft has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14229/

--

[SA14227] Mandrake update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-11

MandrakeSoft has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14227/

--

[SA14223] Debian update for mailman
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2005-02-11

Debian has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14223/

--

[SA14222] Red Hat update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-11

Red Hat has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14222/

--

[SA14220] HP-UX BIND Unspecified Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-10

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14220/

--

[SA14215] Debian update for evolution
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-02-10

Debian has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14215/

--

[SA14212] Ubuntu update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-10

Ubuntu has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14212/

--

[SA14211] Mailman "private.py" Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-10

John Cartwright has reported a vulnerability in Mailman, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14211/

--

[SA14208] SUSE update for squid
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, DoS, System access
Released: 2005-02-11

SUSE has issued an update for squid, which fixes multiple vulnerabilities. One has an unknown impact, and others can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14208/

--

[SA14207] Gentoo update for pdftohtml
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-10

Gentoo has issued an update for pdftohtml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14207/

--

[SA14202] Gentoo update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-09

Gentoo has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14202/

--

[SA14196] Fedora update for emacs
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-09

Fedora has issued an update for emacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14196/

--

[SA14194] Debian update for emacs20
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-09

Debian has issued an update for emacs20. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14194/

--

[SA14191] Debian update for xemacs21
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-09

Debian has issued an update for xemacs21. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14191/

--

[SA14185] Ubuntu update for squid
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, DoS
Released: 2005-02-08

Ubuntu has issued an update for squid, which fixes various vulnerabilities. One has an unknown impact, and others can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14185/

--

[SA14182] Frox Deny ACL Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-08

A vulnerability has been reported in Frox, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14182/

--

[SA14178] UnixWare update for racoon
Critical: Moderately critical
Where: From remote
Impact: Hijacking, Security Bypass, Manipulation of data, DoS
Released: 2005-02-08

SCO has issued an update for racoon. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), establish unauthorised connections, bypass certain security restrictions, and conduct MitM (Man-in-the-Middle) attacks.
Full Advisory: http://secunia.com/advisories/14178/

--

[SA14168] Ubuntu update for emacs21-bin-common
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-08

Ubuntu has issued an update for emacs21-bin-common. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14168/

--

[SA14166] OmniWeb IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07

Eric Johanson has reported a security issue in OmniWeb, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory: http://secunia.com/advisories/14166/

--

[SA14164] Safari IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07

Eric Johanson has reported a security issue in Safari, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory: http://secunia.com/advisories/14164/

--

[SA14162] KDE Applications IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07

Eric Johanson has reported a security issue in Konqueror, which can be exploited by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory: http://secunia.com/advisories/14162/

--

[SA14158] Debian update for python2.2
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-07

Debian has issued an update for python2.2. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14158/

--

[SA14150] Fedora update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-07

Fedora has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14150/

--

[SA14148] GNU Emacs "popmail()" Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-08

A vulnerability has been reported in GNU Emacs, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14148/

--

[SA14137] Ubuntu Postfix IPv6 Relaying Security Issue
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-04

Ubuntu has issued an update for postfix. This fixes a security issue, which can be exploited by malicious people to use a vulnerable system as an open relay.

Full Advisory: http://secunia.com/advisories/14137/

--

[SA14133] Mozilla Application Suite "MSG_UnEscapeSearchUrl()" Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-04

HP has confirmed a vulnerability in Mozilla Application Suite for Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/14133/

--

[SA14129] Ubuntu update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-04

Ubuntu has issued updates for python2.2 and python2.3. These fix a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14129/

--

[SA14201] Avaya krb5 Two Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-10

Avaya has acknowledged some vulnerabilities in krb5, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious users to potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14201/

--

[SA14132] HP CIFS Server Security Descriptor Parsing Integer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-04

HP has acknowledged a vulnerability in CIFS Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14132/

--

[SA14130] Sun Solaris Samba Integer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-04

Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14130/

--

[SA14184] Fedora update for postgresql
Critical: Less critical
Where: From remote
Impact: Unknown, Security Bypass, Privilege escalation
Released: 2005-02-08

Fedora has issued an update for postgresql. This fixes various vulnerabilities, where some have an unknown impact and others can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14184/

--

[SA14170] UnixWare / OpenServer TCP Connection Reset Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-08

SCO has acknowledged a vulnerability in UnixWare and OpenServer, which can be exploited by malicious people to reset established TCP connections on a vulnerable system.
Full Advisory: http://secunia.com/advisories/14170/

--

[SA14228] Mandrake update for squid
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2005-02-11

MandrakeSoft has issued an update for squid. This fixes a vulnerability and a security issue, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14228/

--

[SA14157] Debian update for squid
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2005-02-07

Debian has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14157/

--

[SA14226] Mandrake update for mysql
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information, Privilege escalation
Released: 2005-02-11

MandrakeSoft has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14226/

--

[SA14218] Debian update for xview
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-10

Debian has issued an update for xview. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14218/

--

[SA14213] XView "xv_parse_one()" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-10

Erik Sjölund has reported a vulnerability in XView, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14213/

--
[SA14203] Mandrake update for perl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-09
MandrakeSoft has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14203/

--
[SA14200] Avaya Various Products Kernel Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-02-09
Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14200/

--
[SA14199] Mandrake update for perl-DBI
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-09
MandrakeSoft has issued an update for perl-DBI. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14199/

--
[SA14198] IBM AIX auditselect Format String Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-09
iDEFENSE has reported a vulnerability in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14198/

--
[SA14188] Mac OS X Finder Insecure File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
vade79 has discovered a vulnerability in Finder, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14188/

--
[SA14186] Red Hat update for perl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
Red Hat has issued an update for perl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14186/

--
[SA14176] SCO OpenServer "enable" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
A vulnerability has been reported in OpenServer, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14176/

--
[SA14175] UnixWare update for foomatic-rip
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
SCO has issued an update for foomatic-rip. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14175/

--
[SA14173] IBM AIX chdev Format String Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
iDEFENSE has reported a vulnerability in AIX, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14173/

--
[SA14171] Gentoo update for postgresql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
Gentoo has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14171/

--
[SA14159] osh "iopen()" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-08
Charles Stevenson has reported a vulnerability in osh, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14159/

--
[SA14152] Avaya PDS Multiple Privilege Escalation Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-07
Avaya has acknowledged some vulnerabilities in PDS, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14152/

--
[SA14151] Debian update for postgresql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-07
Debian has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14151/

--
[SA14139] Debian update for ncpfs
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-04
Debian has issued an update for ncpfs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14139/

--
[SA14138] Ubuntu update for cpio
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-02-04
Ubuntu has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.
Full Advisory: http://secunia.com/advisories/14138/

--
[SA14153] Avaya CMS UDP End Point Handling Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-02-07
Avaya has acknowledged a vulnerability in CMS, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14153/

Other:
--
[SA14136] Linksys PSUS4 Print Server HTTP POST Request Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-04
Rstack team has reported a vulnerability in Linksys PSUS4, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14136/

Cross Platform:
--
[SA14216] F-Secure Multiple Products ARJ Archive Handling Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-10
ISS X-Force has reported a vulnerability in multiple F-Secure products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14216/

--
[SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-09
ISS X-Force has reported a vulnerability in multiple Symantec products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14179/

--
[SA14205] MyPHP Forum Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-02-10
foster GHC has reported some vulnerabilities in MyPHP Forum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14205/

--
[SA14181] xGB Administrative User Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-08
Albania Security Clan has reported a vulnerability in xGB, which can be exploited by malicious people to bypass the user authentication and gain administrative access.
Full Advisory: http://secunia.com/advisories/14181/

--
[SA14165] Netscape IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07
Eric Johanson has reported a security issue in Netscape, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
Full Advisory: http://secunia.com/advisories/14165/

--
[SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07
Eric Johanson has reported a security issue in Mozilla / Firefox / Camino, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
Full Advisory: http://secunia.com/advisories/14163/

--
[SA14154] Opera IDN Spoofing Security Issue
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-02-07
Eric Johanson has reported a security issue in Opera, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
Full Advisory: http://secunia.com/advisories/14154/

--
[SA14143] Chipmunk Forum Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-02-07
GHC vision has reported some vulnerabilities in Chipmunk Forum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14143/

--
[SA14142] CMScore Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-02-07
GHC vision has reported some vulnerabilities in CMScore, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14142/

--
[SA14141] BXCP "show" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-07
Majest has reported a vulnerability in BXCP, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14141/

--
[SA14128] Python SimpleXMLRPCServer Library Module Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-04
Graham Dumpleton has reported a vulnerability in Python, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14128/

--
[SA14183] BrightStor ARCserve Backup Discovery Service Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-08
Patrik Karlsson has reported a vulnerability in BrightStor ARCserve/Enterprise Backup, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14183/

--
[SA14160] Mozilla / Firefox Three Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-02-08
mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14160/

--
[SA14135] PowerDNS Traffic Handling Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-04
A vulnerability has been reported in PowerDNS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14135/

--
[SA14131] Claroline Add Course Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-04
Yiannis Girod has reported a vulnerability in Claroline, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14131/

--
[SA14204] Emdros MQL Parser Memory Leak Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-09
Some vulnerabilities have been reported in Emdros, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14204/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web   : http://secunia.com/
E-mail: support@secunia.com
Tel   : +45 70 20 51 44
Fax   : +45 70 20 51 45


From isn at c4i.org Mon Feb 14 05:23:48 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:11 2005
Subject: [ISN] Clarke joins latest cyberterror debate
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39187582,00.htm

Dan Ilett
ZDNet UK
February 11, 2005

Proposals for a World Security Organisation to tackle cyberterrorism continue to alarm experts, including former White House cybersecurity chief Richard Clarke.

Richard Clarke, the former White House cyber security advisor, has criticised a UK company for using the term "cyberterrorism".

DK Matai, chairman of security consultancy company mi2g, put forward proposals to the Oxford University Internet Institute on Thursday night for a World Security Organisation to tackle cyberterrorism. Matai argued that the threat was so great that governments should consider setting up electronic counter-attack forces to battle radical groups and organised criminals online.

In response Clarke, who was a security advisor to four US presidents, said he disliked use of the word "cyberterror" as he doesn't believe it actually exists.

"Cyberterrorism is not a term I like," said Clarke, now chairman of Good Harbor Consulting. "Many different groups use cyber-vulnerabilities and it's hard to know who they are. Some may be terrorists, but not many. It's a very serious problem that costs millions, but it's not terrorism."

Matai made his proposals in a lecture to the Oxford University Internet Institute, an academic forum that debates on the development of the Web. Members include Derek Wyatt MP, chairman of the All Party Internet Group, and Richard Allan MP, chairman of the European Information Society Group.
Other security experts are also unconvinced that cyberterror poses a genuine threat, with one leading anti-virus expert branding the plans as "barmy".

Last year, the UK president of the Information Systems Security Association, Richard Starnes, said that cyberterror was not yet a reality.

"Cyberterrorism is a word that the press loves because it gets people to read stories," Starnes said. "A good portion of what we get is not terrorism. Terrorism is where you try and change the political situation of a country by using terror. Web defacements don't really count for that. Terrorists use the Internet for recruiting, fundraising and research, but not a lot else."

Other observers share his scepticism. Speaking at the CeBIT technology fair last year, security expert Bruce Schneier, chief technology officer of Counterpane Internet Security, said the threat posed by cyberterrorism had been overestimated. He added that rather than fostering a climate of fear, disrupting the Net and other communications networks would probably just annoy people.


From isn at c4i.org Mon Feb 14 05:24:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:13 2005
Subject: [ISN] Linux Advisory Watch - February 11th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 11th, 2005                          Volume 6, Number 6a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for python, squid, php, emacs, postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug, xpdf, kdegraphics, gallery, perl, and squirrelmail.
The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

Are Your Servers Secure?
By Blessen Cherian

In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. It is like a house: when the windows and doors are open, the probability of a thief getting in is high; when they are closed and locked, the probability of being robbed is lower, but still not nil.

What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transit. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. They can use it however they like, and could even ruin you and your business by taking or destroying all your assets.
As we all know, "An ounce of prevention beats a pound of cure," so to avoid such critical situations it is advisable to have a good security policy and a sound implementation of it.

Read complete feature story:
http://www.linuxsecurity.com/content/view/118211/49/

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore kept very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords, and you pretty much depend on file permissions to keep them secure? If so, that type of security is good provided you keep your system secure and no user has a "ps -ef" loop running in an attempt to capture that sensitive information (though some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New Python2.2 packages fix unauthorised XML-RPC access
  4th, February, 2005
  For the stable distribution (woody) this problem has been fixed in version 2.2.1-4.7. No other version of Python in woody is affected.
  http://www.linuxsecurity.com/content/view/118182

* Debian: New squid packages fix several vulnerabilities
  4th, February, 2005
  LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.
  http://www.linuxsecurity.com/content/view/118184

* Debian: New php3 packages fix several vulnerabilities
  7th, February, 2005
  http://www.linuxsecurity.com/content/view/118192

* Debian: New emacs20 packages fix arbitrary code execution
  8th, February, 2005
  http://www.linuxsecurity.com/content/view/118207

* Debian: New PostgreSQL packages fix arbitrary library loading
  4th, February, 2005
  http://www.linuxsecurity.com/content/view/118186

* Debian: New xemacs21 packages fix arbitrary code execution
  8th, February, 2005
  http://www.linuxsecurity.com/content/view/118210

* Debian: New xview packages fix potential arbitrary code execution
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118222

* Debian: New evolution packages fix arbitrary code execution as root
  10th, February, 2005
  Max Vozeler discovered an integer overflow in a helper application inside of Evolution, a free groupware suite. A local attacker could cause the setuid root helper to execute arbitrary code with elevated privileges.
  http://www.linuxsecurity.com/content/view/118234

* Debian: New mailman packages fix several vulnerabilities
  10th, February, 2005
  http://www.linuxsecurity.com/content/view/118235

* Debian: New hztty packages fix local utmp exploit
  10th, February, 2005
  http://www.linuxsecurity.com/content/view/118245

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1
  4th, February, 2005
  http://www.linuxsecurity.com/content/view/118187

* Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2
  4th, February, 2005
  http://www.linuxsecurity.com/content/view/118188

* Fedora Core 3 Update: python-2.3.4-13.1
  4th, February, 2005
  An object traversal bug was found in the Python SimpleXMLRPCServer.
  http://www.linuxsecurity.com/content/view/118190

* Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2
  7th, February, 2005
  http://www.linuxsecurity.com/content/view/118202

* Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2
  7th, February, 2005
  http://www.linuxsecurity.com/content/view/118203

* Fedora Core 2 Update: cups-1.1.20-11.11
  8th, February, 2005
  A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.
  http://www.linuxsecurity.com/content/view/118212

* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5
  8th, February, 2005
  A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.
  http://www.linuxsecurity.com/content/view/118213

* Fedora Core 2 Update: hotplug-2004_04_01-1.1
  8th, February, 2005
  This update fixes updfstab in the presence of multiple USB plug/unplug events.
  http://www.linuxsecurity.com/content/view/118214

* Fedora Core 3 Update: emacs-21.3-21.FC3
  8th, February, 2005
  This update fixes the CAN-2005-0100 movemail vulnerability and backports the latest bug fixes.
  http://www.linuxsecurity.com/content/view/118219

* Fedora Core 2 Update: xpdf-3.00-3.8
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118223

* Fedora Core 3 Update: xpdf-3.00-10.4
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118224

* Fedora Core 3 Update: kdegraphics-3.3.1-2.4
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118225

* Fedora Core 2 Update: kdegraphics-3.2.2-1.4
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118226

* Fedora Core 2 Update: gpdf-2.8.2-4.1
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118230

* Fedora Core 3 Update: gpdf-2.8.2-4.2
  9th, February, 2005
  http://www.linuxsecurity.com/content/view/118231

* Fedora Core 3 Update: mailman-2.1.5-30.fc3
  10th, February, 2005
  There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.
  http://www.linuxsecurity.com/content/view/118243

* Fedora Core 2 Update: mailman-2.1.5-8.fc2
  10th, February, 2005
  There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.
  http://www.linuxsecurity.com/content/view/118244

* Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
  10th, February, 2005
  Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.
  http://www.linuxsecurity.com/content/view/118252

* Fedora Core 3 Update: mod_python-3.1.3-5.2
  10th, February, 2005
  Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.
  http://www.linuxsecurity.com/content/view/118253

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: pdftohtml Vulnerabilities in included Xpdf
  9th, February, 2005
  pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file.
  http://www.linuxsecurity.com/content/view/118221

* Gentoo: LessTif Multiple vulnerabilities in libXpm
  6th, February, 2005
  Multiple vulnerabilities have been discovered in libXpm, which is included in LessTif, that can potentially lead to remote code execution.
  http://www.linuxsecurity.com/content/view/118191

* Gentoo: PostgreSQL Local privilege escalation
  7th, February, 2005
  The PostgreSQL server can be tricked by a local attacker to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/118199

* Gentoo: OpenMotif Multiple vulnerabilities in libXpm
  7th, February, 2005
  Multiple vulnerabilities have been discovered in libXpm, which is included in OpenMotif, that can potentially lead to remote code execution.
  http://www.linuxsecurity.com/content/view/118193

* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  8th, February, 2005
  Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118216

* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  10th, February, 2005
  Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118240

* Gentoo: Mailman Directory traversal vulnerability
  10th, February, 2005
  Mailman fails to properly sanitize input, leading to information disclosure.
  http://www.linuxsecurity.com/content/view/118242

* Gentoo: Gallery Cross-site scripting vulnerability
  10th, February, 2005
  The fix for the cross-site scripting vulnerability in Gallery 1.4.4-pl5 did not actually resolve the issue. The Gallery Development Team have released version 1.4.4-pl6 to properly solve this problem.
  http://www.linuxsecurity.com/content/view/118251

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

* Mandrake: Updated perl-DBI packages
  8th, February, 2005
  Javier Fernandez-Sanguino Pena discovered that the perl5 DBI library created a temporary PID file in an insecure manner, which could be exploited by a malicious user to overwrite arbitrary files owned by the user executing the parts of the library. The updated packages have been patched to prevent these problems.
  http://www.linuxsecurity.com/content/view/118217

* Mandrake: Updated perl packages fix
  8th, February, 2005
  Updated perl package.
  http://www.linuxsecurity.com/content/view/118218

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Updated Perl packages fix security issues
  7th, February, 2005
  Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3.
  http://www.linuxsecurity.com/content/view/118195

* RedHat: Updated mailman packages fix security
  10th, February, 2005
  Updated mailman packages that correct a mailman security issue are now available.
  http://www.linuxsecurity.com/content/view/118239

* RedHat: Updated kdelibs and kdebase packages correct
  10th, February, 2005
  Updated kdelib and kdebase packages that resolve several security issues are now available.
  http://www.linuxsecurity.com/content/view/118246

* RedHat: Updated mod_python package fixes security issue
  10th, February, 2005
  An updated mod_python package that fixes a security issue in the publisher handler is now available.
  http://www.linuxsecurity.com/content/view/118247

* RedHat: Updated emacs packages fix security issue
  10th, February, 2005
  Updated Emacs packages that fix a string format issue are now available.
  http://www.linuxsecurity.com/content/view/118248

* RedHat: Updated xemacs packages fix security issue
  10th, February, 2005
  Updated XEmacs packages that fix a string format issue are now available.
  http://www.linuxsecurity.com/content/view/118249

* RedHat: Updated Squirrelmail package fixes security
  10th, February, 2005
  An updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3.
  http://www.linuxsecurity.com/content/view/118250

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: kernel bugfixes and SP1 merge
  4th, February, 2005
  Two weeks ago we released Service Pack 1 for our SUSE Linux Enterprise Server 9 product. Due to the strict code freeze we were not able to merge all the security fixes from the last kernel update of Jan 23rd (SUSE-SA:2005:003) into this kernel.
  http://www.linuxsecurity.com/content/view/118185

* SuSE: squid (SUSE-SA:2005:006)
  10th, February, 2005
  The last two squid updates, from February the 1st and 10th, fix several vulnerabilities. Their impact ranges from remote denial of service over cache poisoning to possible remote command execution.
  http://www.linuxsecurity.com/content/view/118241

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
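The SimpleXMLRPCServer items in this issue (Secunia SA14128, the Debian python2.2 update, the Fedora python update and both Gentoo Python notices) all describe one bug: the dispatcher resolved a dotted method name one attribute at a time, so a request could walk from the registered object to anything reachable from it. The block below is an added example, not code from Python, from any distribution's patch, or from the advisories: the Account class, its secret and the two requests are constructed for the demonstration; resolve_unchecked is modelled on the pre-fix behaviour and resolve_hardened on the guard the fixed library applies (refuse components that start with an underscore, and refuse dotted names at all unless the server opts in), both stated from memory of the fix rather than from anything on this page.

```python
"""Dotted-name traversal in an XML-RPC dispatcher, weak and hardened.

Added example; not Python's code. Account, its secret and the requests
are constructed. Only the stdlib marshaller is used, so no server runs.
"""
import xmlrpc.client


class Account:
    """Constructed service object, as one would pass to register_instance()."""

    def __init__(self):
        self._db_password = "constructed-secret"   # never meant for clients

    def balance(self):
        return 42

    def _transfer(self, amount):                     # private by convention
        return -amount


def resolve_unchecked(obj, dotted):
    """Modelled on the pre-fix behaviour: every component is a plain
    getattr(), so "_transfer" and "balance.__self__._db_password.upper"
    both resolve to something callable."""
    for part in dotted.split("."):
        obj = getattr(obj, part)
    return obj


def resolve_hardened(obj, dotted, allow_dotted_names=False):
    """Modelled on the fixed behaviour: refuse '_'-prefixed components
    and, unless the server opts in, refuse dotted names altogether
    (the whole string is then looked up as one attribute name)."""
    parts = dotted.split(".") if allow_dotted_names else [dotted]
    for part in parts:
        if part.startswith("_"):
            raise AttributeError("attempt to access private attribute %r" % part)
        obj = getattr(obj, part)
    return obj


def request(method, *params):
    """Build the request body exactly as an XML-RPC client sends it."""
    return xmlrpc.client.dumps(params, methodname=method)


def dispatch(instance, body, resolver):
    """Decode a raw request body, resolve the method, call it."""
    params, method = xmlrpc.client.loads(body)
    func = resolver(instance, method)
    if not callable(func):
        raise TypeError("%r is not callable" % method)
    return func(*params)


def blocked(instance, body, resolver):
    """True if the resolver refuses the request with AttributeError."""
    try:
        dispatch(instance, body, resolver)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    acct = Account()
    print(dispatch(acct, request("balance"), resolve_unchecked))          # 42
    # A private method is reachable by name:
    print(dispatch(acct, request("_transfer", 100), resolve_unchecked))   # -100
    # A dotted path walks from a bound method back to the instance, on to
    # the secret string, and finally to one of its methods, which returns it:
    print(dispatch(acct, request("balance.__self__._db_password.upper"),
                   resolve_unchecked))                                    # CONSTRUCTED-SECRET
    print(blocked(acct, request("_transfer", 100), resolve_hardened))     # True
    print(blocked(acct, request("balance.__self__._db_password.upper"),
                  resolve_hardened))                                      # True
```

The practical lesson is the same as the fix: export methods explicitly (one register_function call per method is stricter still, since nothing on the instance is reachable at all), keep dotted names off, and never let a name that begins with an underscore reach getattr().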
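The Debian squid item above says LDAP "is very forgiving about spaces in search filters", so "mallory", " mallory" and "mallory " all find the same directory entry while any code keyed on the exact string (a deny list, accounting, log correlation) sees three different users. The block below is an added example and not squid or squid_ldap_auth code: DIRECTORY, DENIED and ldap_search_bind() are constructed stand-ins for a real directory server, and the lenient strip() inside ldap_search_bind() simulates the server behaviour the advisory describes. The point is the ordering: canonicalize and validate the login before anything else consumes it, and escape whatever still reaches the filter string.

```python
"""Login-name variants against an LDAP search filter, weak and hardened.

Added example, not squid code. DIRECTORY, DENIED and ldap_search_bind()
are constructed stand-ins for a real LDAP server.
"""
import re

DIRECTORY = {"alice": "pw-alice", "mallory": "pw-mallory"}  # constructed
DENIED = {"mallory"}                                          # constructed ACL


def build_filter(value):
    """The search filter an auth helper sends to find the user's entry."""
    return "(uid=%s)" % value


def ldap_search_bind(search_filter, password):
    """Stand-in for search-then-bind. Like the server the advisory
    describes, it ignores surrounding spaces in the filter value, so
    "(uid=mallory )" and "(uid=mallory)" match the same entry.
    Returns the entry's real uid on success, else None."""
    m = re.fullmatch(r"\(uid=(.*)\)", search_filter, re.S)
    if m is None:
        return None
    uid = m.group(1).strip()          # the lenient comparison
    return uid if DIRECTORY.get(uid) == password else None


def login_weak(login, password):
    """The deny list sees the raw string, LDAP sees the lenient one:
    "mallory " passes the deny list, authenticates as mallory, and is
    the name accounting records."""
    if login in DENIED:
        return None
    if ldap_search_bind(build_filter(login), password) is None:
        return None
    return login


LOGIN_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def canonical_login(login):
    """One accepted spelling per account: lowercase, no whitespace, no
    filter metacharacters. Anything else is rejected, not repaired."""
    if LOGIN_RE.fullmatch(login) is None:
        raise ValueError("invalid login name %r" % login)
    return login


def escape_filter_value(value):
    """RFC 4515 escaping for any value that still reaches a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def login_hardened(login, password):
    """Canonicalize first, so the deny list, the directory and the logs
    all see the same name; then interpolate only the escaped value."""
    try:
        login = canonical_login(login)
    except ValueError:
        return None
    if login in DENIED:
        return None
    if ldap_search_bind(build_filter(escape_filter_value(login)), password) is None:
        return None
    return login
```

Rejecting rather than trimming matters: a helper that strips spaces itself would fix the deny-list bypass but still accept "mal*ory" or a parenthesis, which is where escape_filter_value() and the strict pattern take over.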
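Three items above (the Fedora mailman updates, the Gentoo directory-traversal notice and the Red Hat mailman update) cover a Mailman flaw that let attackers read arbitrary files because path input was not properly sanitized. The block below is an added example, not Mailman's code and not a reconstruction of its fix: ARCHIVE_ROOT is an assumed layout, clean_once() is an illustrative weak sanitizer that deletes "../" a single time, and the "....//" request path is constructed. It shows the general failure behind this class of bug (a cleaner that is not idempotent lets a path that only contains "../" after one round of cleaning through) and the check that should replace it: join, normalize, and prove the result is still under the root.

```python
"""Path handling for a private-archive URL, weak and hardened.

Added example, not Mailman's code. ARCHIVE_ROOT, clean_once() and the
request paths are constructed for the demonstration.
"""
import posixpath

ARCHIVE_ROOT = "/var/lib/mailman/archives/private"   # assumed layout


def clean_once(path):
    """Illustrative weak cleaner: delete the literal "../" one time.
    Not idempotent: "....//" contains "../" in its middle, and what is
    left after removing it is "../" again."""
    return path.replace("../", "")


def resolve_weak(request_path):
    """Clean, then join. Stops the obvious "../" form only."""
    return posixpath.normpath(
        posixpath.join(ARCHIVE_ROOT, clean_once(request_path)))


def resolve_hardened(request_path):
    """Join, normalize, then prove the result is still under the root.
    Nothing is stripped or repaired: a bad path is refused."""
    candidate = posixpath.normpath(
        posixpath.join(ARCHIVE_ROOT, request_path.lstrip("/")))
    if candidate != ARCHIVE_ROOT and not candidate.startswith(ARCHIVE_ROOT + "/"):
        raise PermissionError("path escapes archive root: %r" % request_path)
    return candidate


def escapes_root(request_path):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_hardened(request_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    nested = "....//....//....//....//....//etc/passwd"     # constructed
    print(resolve_weak("../../../../../etc/passwd"))        # stays under root
    print(resolve_weak(nested))                             # /etc/passwd
    print(escapes_root("../../../../../etc/passwd"))        # True
    print(resolve_hardened(nested))                         # a harmless path under root
```

On a real filesystem the candidate should also go through os.path.realpath() before the prefix check, so that a symlink planted under the root cannot point back out of it; posixpath is used here so the string logic runs identically on any platform.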
------------------------------------------------------------------------


From isn at c4i.org Mon Feb 14 05:24:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:16 2005
Subject: [ISN] Cisco readies security product blitz
Message-ID:

http://news.com.com/Cisco+readies+security+product+blitz/2100-7347_3-5573255.html

By Marguerite Reardon
Staff Writer, CNET News.com
February 11, 2005

Cisco is preparing to announce a major overhaul of its security portfolio next week, with upgrades to several of its existing products.

On Tuesday, at the RSA Conference in San Francisco, the company plans to announce the largest set of upgrades to its security products in three years, sources say. The new enhancements should help the company catch up to leading vendors, focusing on such areas as Secure Sockets Layer (SSL) virtual private networks and intrusion prevention.

The upgrades should also help Cisco fulfill its promise of a "self-defending" network, beefing up security on IP telephony and other applications, while also extending network protection to the desktop. And to help corporate customers keep track of new threats, sources say, Cisco is also improving its management products.

Cisco declined to comment on the specifics of its announcements next week, but has scheduled a press briefing at the security show.

Security is an important market for Cisco. It is one of six new areas Cisco has been focusing on to help expand its overall business. So far, security has proven to be a good investment for the company. Last quarter, revenues from security products were up 30 percent from a year earlier.

Cisco's strength in security has come not from having the best products in every category, but from having a wide breadth of offerings, analysts say. Next week's announcements should help level the playing field against the pure security vendors while cementing Cisco's dominance as a network-level security provider, they add.
"Cisco isn't known as a security company," said Zeus Kerravala, an analyst with the Yankee Group. "They sell security as part of a network strategy. But it's clear they are serious about providing more security in the network. They are definitely the security leader among networking vendors."

Nitty gritty

One of the more important upgrades to be announced next week is on Cisco's SSL VPN product, sources say. SSL VPNs allow users to remotely connect to the corporate network using a standard Web browser. Currently, Cisco's product only supports Web-based applications. The new version will allow users to access some non-Web applications, too, such as e-mail residing on a corporate mail server.

Such upgrades are an important addition to the product, since they will allow remote workers to use their Web browsers to connect to the corporate network rather than a difficult-to-manage IPsec client that must be pre-installed. SSL VPN competitors, such as Juniper Networks, through its NetScreen acquisition, and Aventail have been supporting non-Web applications in their products for some time.

Cisco has also beefed up its intrusion detection product by adding prevention software that can correlate possible symptoms of a worm or virus attack to determine whether certain traffic should be blocked. The new software will put Cisco's product on par with those from traditional security companies such as McAfee, experts say.

Cisco also plans to announce that it has added security features to its PIX Firewall that will make it more friendly to IP telephony protocols. The Cisco firewall has not been able to identify some of these protocols, leaving voice over IP traffic vulnerable to attacks.

To give customers more choice with respect to how they deploy this technology, Cisco is updating its Internetwork Operating System (IOS) so that many of these new security features can also run on its switches and routers, sources report.
The company has also added more security features to its desktop security agent. This software is a big component of Cisco's Network Admission Control architecture, designed to prevent worms and viruses from entering the network. The security agent sits on individual workstations, identifying malicious code in communications between network software systems. When it detects a virus or worm, it denies access to the PC. Cisco has supposedly enhanced this software by adding new anti-spyware protection meant to identify and remove malicious programs before they jump from a PC to the network.

Cisco also plans to introduce a new blade that fits into its Catalyst switches to help prevent denial-of-service attacks on Web servers.

Finally, Cisco will announce improvements to its network management tools using some technology that it recently acquired from Protego. This technology, acquired in December, aggregates and correlates information about security threats, so that network managers can detect attacks.

From isn at c4i.org Mon Feb 14 05:25:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:18 2005
Subject: [ISN] China's Big Export - When it comes to spying, Beijing likes to flood the zone
Message-ID:

http://www.time.com/time/magazine/article/0,9171,1027457,00.html
http://www.amazon.com/exec/obidos/ASIN/B00007BK3L/c4iorg (Subscribe to Time Magazine)

By BRIAN BENNETT
Feb. 13, 2005

Ning Wen and his wife were arrested last fall at their home office in Manitowoc, Wis., for allegedly sending their native China $500,000 worth of computer parts that could enhance missile systems. As these naturalized citizens await trial, similar episodes in Mount Pleasant, N.J., and Palo Alto, Calif., point only to the tip of the iceberg, according to FBI officials keeping tabs on more than 3,000 companies in the U.S. suspected of collecting information for China.
A hotbed of activity is Silicon Valley, where the number of Chinese espionage cases handled by the bureau increases 20% to 30% annually. Says a senior FBI official: "China is trying to develop a military that can compete with the U.S., and they are willing to steal to get [it]." But instead of assigning one well-trained agent to pursue a target, "the Chinese are very good at putting a lot of people on just a little piece and getting a massive amount of stuff home," says a U.S. intelligence official.

The number of Chinese snoops is staggering, if only because average civilians are enlisted in the effort. FBI officials say state security agents in China debrief many visitors to the U.S. before and after their trips, asking what they saw and sometimes telling them what to get.

The FBI, severely criticized for its investigation of physicist Wen Ho Lee in the mid-'90s, has added hundreds more counterintelligence agents and put at least one in every Energy Department research facility. The bureau also started cooperation initiatives with corporations, but still sees universities as a soft spot, with some 150,000 Chinese currently studying in the U.S. The FBI's three most recent counterintelligence arrests were of suspects who had held student visas at some point. To help sort the few who go to America to spy from the thousands who go there for a better life, the FBI relies heavily on Chinese informants. Says a high-ranking Silicon Valley agent: "We have almost more assets than we can deal with."

- With reporting by Timothy J. Burger and Elaine Shannon

From isn at c4i.org Mon Feb 14 05:25:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:19 2005
Subject: [ISN] IBM DB2 Flaws Found
Message-ID:

http://www.eweek.com/article2/0,1759,1764124,00.asp

By Lisa Vaas
February 11, 2005

Several flaws have been discovered in IBM's DB2 Universal Database that can be exploited to cause DoS attacks, to reveal sensitive information, to read and manipulate file content, or to compromise vulnerable systems.

An advisory posted Thursday on the bug-reporting site Secunia rates the flaws as moderately critical, with IBM having already issued a FixPak for DB2 versions 8.x. IBM's advisory states that the vulnerabilities were discovered on Dec. 10.

The new vulnerabilities follow close on the heels of three FixPaks that IBM released in October to address multiple vulnerabilities in DB2 on Linux, Unix and Windows platforms.

One of the flaws is an error on the Windows platform relating to the way system resources are used; it can be exploited to cause a denial of service, to grab users' passwords or to view other query results.

A second flaw has to do with the processing of network messages while establishing a database connection or instance attachment. Attackers can exploit the flaw to execute arbitrary code.

Another flaw deals with missing restrictions in some XML Extender user-defined functions. Exploits result in malicious users being able to read or manipulate file content.

Finally, when creating certain databases within federated support, attackers can exploit a flaw that allows them to execute arbitrary code on vulnerable systems.

IBM advises all users of Unix, Linux and Windows platforms, as well as users of DB2 UDB clients, servers and Connect gateway installations, to install FixPaks 6a, 6b and 7a. IBM advises all of the above users, plus users of DB2 XML Extender, to install FixPak 8.
Windows-specific fixes in FixPak 8 also apply to DB2 clients, but the risk isn't serious, according to IBM, and therefore the fix isn't crucial.

In general, IBM advises DB2 UDB administrators to upgrade all DB2 client, server and Connect gateway instances on all supported platforms to DB2 UDB Version 8.1 FixPak 8 "as soon as possible." The only exceptions are DB2 UDB client instances on Version 8.1 FixPak 6a, 6b or 7a, which don't need to move up to the FixPak 8 level.

From isn at c4i.org Tue Feb 15 03:06:56 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:19 2005
Subject: [ISN] Hacker invades 'War of the Worlds' Web site
Message-ID:

http://news.com.com/Hacker+invades+War+of+the+Worlds+Web+site/2100-7349_3-5575660.html

By Dan Ilett
Special to CNET News.com
February 14, 2005

A Brazilian hacker has defaced the Web site of Steven Spielberg's "War of the Worlds," which is set to be released in cinemas this summer, according to a security group.

Zone-H.org, a Web site that records defacements, reported that the hacker broke into the Paramount Pictures-owned Web site on Sunday. The content, including a trailer for the movie featuring Tom Cruise, was replaced by black-and-white graphics and a message from the hacker.

The defacer, who goes by the nickname "Un-root," apparently hacked the Linux system through a vulnerability in an Apache Web server.

"That is embarrassing for them," said Jason Hart, director of security for WhiteHat UK. "If you look at Zone-H, there are a lot of hackers coming out of Brazil. It may be the increase in broadband or wireless access points. But there are certainly more."

Hart added that poorly patched servers were often the cause of many defacements.

"People are becoming more relaxed about security," Hart said. "It's about basic steps--just keep testing and have simple security frameworks. People think you need sophisticated answers, but you don't. Just make sure you have patch management."
The site for "War of the Worlds," the film version of H.G. Wells' novel, had been restored by Monday lunchtime in the United Kingdom. Paramount Pictures was unable to comment on the incident at the time of writing.

Last year, Brazilian federal police arrested 53 suspects on charges of stealing $93 million from online banking customers. Security experts have said that Brazil is a hacking hot spot of the world.

From isn at c4i.org Tue Feb 15 03:07:30 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:22 2005
Subject: [ISN] Book Review - Kerberos: The Definitive Guide
Message-ID:

http://books.slashdot.org/books/05/02/14/210238.shtml

Title: Kerberos: The Definitive Guide
Author: Jason Garman
Pages: 272
Publisher: O'Reilly and Associates
Rating: 7/10
Reviewer: Jose Nazario
ISBN: 0596004036
Summary: A comprehensive, cross-platform guide to Kerberos
Buy from Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004036/c4iorg

I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge.

Two open source Kerberos implementations exist: the MIT reference implementation and the Heimdal Kerberos implementation. Even then, there are two main versions you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome.
Instead, I slogged my way through it, and got it to work for the most part.

K:TDG will help you set up your Kerberos world by introducing you to the complex subject, the terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps.

Chapter 1 is an obligatory introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book; it's the type of thing you'd flip through in the bookstore to decide whether you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos of the system and how it works. Kerberos is placed into its role in an AAA infrastructure (authentication, authorization, and accounting), along with some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principals, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the system.
Understanding the protocols is important to understanding the service as a whole. For someone new to Kerberos, you'll probably want to spend a little more time reading this to get oriented in the Kerberos world. The chapter doesn't mess around too much and delivers a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your implementation. It all starts with the KDC (key distribution center) and realm initialization. Again, the bulk of the treatment is on the MIT implementation on UNIX, with the Heimdal and then Windows sections following next. Slave KDCs are also introduced, which is useful for large environments. An OS X server is missing, but Kerberos clients for all three (UNIX, Windows and OS X) are given. The role of DNS is also explained well, a useful touch that's missing in some Kerberos documents I've used in the past. This chapter will get you started, and with some of the supplied documentation you should be up and running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for a new Kerberos administrator. Common problems, their diagnosis, and resolution are discussed. I like the presentation of this chapter and think it will be useful for most real-world situations you'll encounter.

Security concerns with Kerberos are covered in Chapter 6, which discusses concrete and abstract attacks on the Kerberos scheme. Since all of the security in Kerberos resides in your KDC hosts, obviously this covers some of the material. However, the clients can expose your Kerberos realm to attacks as well, and how to circumvent these problems is covered. A decent and practical chapter, and covered on both UNIX and Windows.

In Chapter 7 a number of Kerberos-enabled applications are discussed. After all, you can do more than just log on locally with Kerberos: you can use remote login programs like SSH, remote access scenarios like printing, and even control X via Kerberos.
While not every application that I would have liked was covered, the treatment was fair and should get you started with a number of Kerberos-enabled tools in your new realm.

A strong selling point of the book is given in Chapter 8, titled Advanced Topics. Three main topics are discussed. The first is cross-realm authentication, where you have more than one separate Kerberos realm on your network but you want to have users switch between the two without creating accounts in the other. This can get tricky, and the book does a decent job of introducing it, but it's not as complete as it could be. The second main topic in this chapter is Kerberos 4 and 5 interoperability, which is relatively straightforward. Most Kerberos 5 implementations come with tools to process Kerberos 4 ticket scenarios to handle legacy applications. And finally, a really valuable section covers UNIX and Windows Kerberos interoperability, a hairy issue. Again, incomplete but strong enough that you should be able to get it working with some elbow grease. This is probably the most valuable chapter of the book, which does a decent job at the introductory level, but you'll be left to tie up a few loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a number of configuration samples and even a mixed Windows-UNIX environment. Not terribly useful when compared to chapters 4 and 8, but overall worthwhile. It may answer some of your questions, even.

Chapter 10 wraps up the book with a look at Kerberos futures, which isn't all that useful, honestly. What gets more useful is the appendix, which gives an administration reference. Lots of commands are given for MIT, Heimdal and even for Windows, so you can quickly jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working on Kerberos, especially in a mixed environment.
The MIT and Heimdal documents are a fair place to start for a UNIX-only Kerberos realm, but if you find they aren't enough, this is probably the right book for you. The book's main strength is that it covers Kerberos on the three main platforms in use (Windows, OS X, and UNIX), although it could provide a deeper treatment of the mixed environment than it gives. Still, you should be able to use this as a starting point, and it's probably the best treatment I've seen so far on Kerberos setup and administration.

From isn at c4i.org Tue Feb 15 03:07:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:24 2005
Subject: [ISN] Juvenile sentenced in Microsoft attack
Message-ID:

http://seattletimes.nwsource.com/html/localnews/2002178457_blaster12m.html

By Maureen O'Hagan
Seattle Times staff reporter
February 12, 2005

A juvenile was sentenced yesterday in U.S. District Court to probation and community service in connection with a computer worm attack on Microsoft's main Web site.

The juvenile admitted releasing a worm, known as RPCSDBOT, in August 2003 and then directing infected computers to attack the Microsoft site. The site was shut down for about four hours.

The U.S. Attorney's Office, which prosecuted the case, said federal law prevents it from releasing details about the juvenile, even the defendant's gender. It did say the juvenile was 14 when the crime occurred.

The cyberattack occurred around the same time as another worm attack on Microsoft's Web site. In that case, Jeffrey Lee Parson created a variant of the Blaster worm that infected about 1,200 Internet addresses. Parson, 19, a Minnesota resident, was sentenced last month to 1½ years in prison. Initially, authorities wondered whether the two attacks were related, but they were not.

At the juvenile's sentencing yesterday, the juvenile said, "Seventeen months ago, I made the worst mistake I ever made in my life. I did it out of curiosity and did not think I would cause any damage.
I am sorry I created problems for people I did not even know."

Judge Robert Lasnik took the juvenile's contrition to heart and replied, "You know what you did was wrong, and you aren't going to do it again."

Lasnik sentenced the teen to three years of probation and required the teen to undergo mental-health counseling and perform 300 hours of community service. The judge also required the juvenile to update him by letter every six months, describing the community-service activities and how the experience has affected the juvenile.

The U.S. Attorney's Office said yesterday that the investigation of the Blaster worm is continuing.

From isn at c4i.org Tue Feb 15 03:07:54 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:27 2005
Subject: [ISN] WebTV hacker may get 'prison channel'
Message-ID:

http://sanjose.bizjournals.com/sanjose/stories/2005/02/14/daily13.html

By Timothy Roberts
February 14, 2005

A Louisiana man pleaded guilty Monday in U.S. District Court in San Jose to sending phony e-mail messages containing a malicious script that, when clicked on, reprogrammed WebTV boxes to dial up 9-1-1.

David Jeansonne was accused of committing the crimes from his home in Metairie, La. He was charged in California because the WebTV computer servers are located in Santa Clara. WebTV is a product of Microsoft Corp. (NASDAQ: MSFT) that allows customers to use their TV sets as a monitor while connecting to the Internet.

Mr. Jeansonne, 44, pleaded guilty to intentional damage to a protected computer causing a threat to public health and safety, and causing intentional damage to a protected computer causing at least $5,000 in damages. His sentencing is expected to take place in March. He faces up to 10 years in prison and a fine of up to $250,000 on each of the two counts.

According to an affidavit, Mr. Jeansonne targeted 18 people across the country from Rochester, N.Y., to San Diego, with whom he had had some exchange in the past.
The hoax reached a total of 21 people. Police responded to 10 of the victims in July 2002 after their WebTV boxes dialed up 9-1-1.

The FBI learned from WebTV that Mr. Jeansonne was a widely known computer hacker, whose WebTV account it had closed 17 times in the past. The FBI obtained an indictment and arrested Mr. Jeansonne on Feb. 18, 2004.

The WebTV case underscores the need for computer users to take care when opening e-mail, says Christopher Sonderby, Assistant United States Attorney based in San Jose. "Don't click on e-mail links that you don't already know and trust," he says.

From isn at c4i.org Tue Feb 15 03:08:12 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:30 2005
Subject: [ISN] You Call This Trustworthy Computing?
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=NKDW2KTVVSCQ4QSNDBCSKH0CJUMEKJVN?articleID=60400363

By John Foley
InformationWeek
Feb. 14, 2005

When Bill Gates takes the stage at the RSA conference in San Francisco this week, you can be sure he'll give an upbeat assessment of Windows security. The pending acquisition of security vendor Sybari Software Inc., disclosed last week, adds to a growing portfolio of products that promise to batten down Windows networks. And, as he's done in the past, Microsoft's chairman likely will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year-old promise to make Windows environments "trustworthy."

It's a compelling message, except for one unavoidable fact: The software patches just keep coming. Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities, tantamount to a shotgun blast of holes through the company's product line. Nine bulletins, many graded "critical" in importance, affect various versions of Windows. Others address problems with Microsoft's .Net Framework, SharePoint Services, Windows Media Player, MSN Messenger, Internet Explorer, and Office suite.
Even Microsoft's most-secure operating system, Windows XP Service Pack 2, wasn't immune: More than half the bulletins involve SP2. To repair all the vulnerabilities in all affected products would require more than 60 patches on English-language computers alone. "It's an almost endless list," says Kyle Ohme, director of IT with Freeze.com, a Web-site operator that uses about four dozen Windows servers, some of which are IBM blade servers, to offer screen savers to millions of users each day.

By Microsoft's own account, the vulnerabilities leave its software open to everything from buffer overruns to remote code execution. Just one day after Microsoft posted the patches, someone released exploit code to attack one of the vulnerabilities. "If we don't patch, we definitely have the ability to be exploited relatively soon," Ohme says.

So Ohme and many IT professionals like him were busy last week assessing, downloading, testing, and deploying Microsoft's latest round of patches across their IT infrastructures. It's a process that can take days or even weeks. "For us, and the resources we have, it could [have been] a daunting task to get all of those patches to all of our systems quickly enough," says Daniel Hereford, data-security officer with First Bank and Trust Co. In January, the bank began using a service from Qualys Inc. to locate vulnerabilities and ensure that they're fixed, and now it reacts more quickly to Microsoft's monthly security bulletins. "Ninety percent of our software-security issues are centered around Windows," Hereford says.

Despite all the work involved, it's an improvement compared with Windows security three years ago. In January 2002, following the Code Red and Nimda virus attacks that hit many Microsoft customers hard, Gates made "trustworthy computing" the company's top priority.
Since then, Microsoft has trained its programmers to write more-secure code, established a predictable patch schedule, released more-secure operating systems (Windows Server 2003 and Windows XP), and acquired security products from other companies to fill gaps in its own line. "They've taken the right initiatives," Hereford says.

There's still much more to do, as last week's bug blast and Sybari acquisition demonstrate. Key missing pieces are Windows Update Services and Microsoft Update, both of which promise to help companies roll out patches more quickly to Windows and other Microsoft products. Windows Update Services, which has been delayed twice, is in testing now and scheduled for availability by midyear. And, while Microsoft has acquired a variety of security companies and products over the past two years--including GeCAD Software (antivirus), Giant Company Software (spyware detection), and Pelican Software (behavior-based security)--it hasn't shown how or when all the pieces will fit together.

Microsoft security VP Mike Nash last week tried to clear up some of the confusion. During a Webcast to discuss the newly issued patches and the Sybari acquisition, Nash said Microsoft is "working hard" on desktop antivirus software that's based on the GeCAD antivirus scanning engine. That software will be tweaked to work with the Sybari products this year. The Sybari acquisition is expected to close by midyear, pending regulatory approval (see story, All For One: Microsoft Ups Its Security Software Tools [1]).

Nash acknowledged it's important that customers be able to manage Microsoft's security tools together. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and antivirus," he said. "We're currently working through specific requirements."

There appears to be a ready market for security products that come directly from Microsoft.
Last month, the company released a test version of the Giant Software tool, now called Windows AntiSpyware, and it's already been downloaded more than 5 million times. The product will go through at least one more test before release, Nash says.

However, there's a problem: Windows AntiSpyware itself has become the target of virus writers. Malicious code aimed at the product attempts to suppress warning messages it displays and to delete all files within the program's folder. "This is the beginning of a wave of attempts to undermine the effectiveness of this new product," predicts Gregg Mastoras, senior security analyst with security software company Sophos plc.

Microsoft officials insist things are moving in the right direction, pointing out that Windows Server 2003 has had half as many security bulletins as Windows 2000 Server over the same period, that the number of annual security bulletins is on a downward trend, and that there's a sharp increase in usage of its software-update services. Last week, the company released a test version of Windows Server 2003 Service Pack 1, which promises improved security. "We have made progress toward our goals," writes a company spokeswoman, "but there is still a lot of work to be done."

That includes delivering a more bulletproof version of Windows. "They still haven't shipped a desktop operating system that was designed and coded after they started caring about security," says Gartner analyst John Pescatore via E-mail. The next generation of Windows, code-named Longhorn, is due next year. Among other security advances, Longhorn is expected to minimize situations in which PC users run with administrative privileges, which leave systems more open to attack.

Many customers credit Microsoft with making progress. "Microsoft is absolutely stepping up to the challenge," says Jason Stefanich, client-server engineering manager with Dow Corning Corp., where high-priority patches are usually completed within a day.
Even so, Dow Corning is using a product from Ardence Inc. that moves the operating system off desktop PCs and onto servers, in part to provide better security and more manageable updates. And while the manufacturer uses Windows XP to drive those PCs, it hasn't yet upgraded to Service Pack 2, which Microsoft bills as its most-secure desktop environment. "It breaks a lot of [applications]. We can't have 8,000 people calling our help desk with issues," Stefanich says. "Microsoft missed the boat with SP2."

So it goes. Microsoft customers are getting better at securing their Windows environments, partly because Microsoft is providing tools to help, but also through increased attention to internal processes, use of third-party products, and new tactics. Freeze has placed Windows' Internet Information Services, a favorite target of hackers, behind a firewall. Instead, its Windows-based Web servers run open-source Apache software.

No one is calling Windows security easy. "It's a big pain," says an IT manager with an East Coast manufacturing company who manages about 200 PCs. "It's not something we feel is under our control." The company is contemplating a move to Microsoft's Systems Management Server to automate software updates. How are those done now? Manually, one computer at a time.

Microsoft remains focused on making things better, says the spokeswoman. "Ultimately, what matters is not what we say, but what we do," she says. When Bill Gates talks this week, that's something to remember.

-- With George V. Hulme and TechWeb's Gregg Keizer

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=60400364

From isn at c4i.org Wed Feb 16 10:03:33 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 16 10:11:02 2005
Subject: [ISN] Flash Review: A Hacker Manifesto
Message-ID:

http://www.amazon.com/exec/obidos/ASIN/0674015436/c4iorg

Title: A Hacker Manifesto
Author: McKenzie Wark
Pages: 160
Publisher: Harvard University Press
Reviewer: f0rensik [at] attrition.org
ISBN: 0674015436

A Hacker Manifesto is a tough read. I've found that reading some parts and then going back to others helps me make sense of it, but it's just very dense. Also, the author loves to say things in convoluted and difficult ways whenever he can. It's as if he's showing off how many big words he knows; and annoying as hell. What's frustrating is that I can tell that the author has some interesting ideas; I started to see glimmers of real concepts in the section on education, but it's buried under jargon.

Reviewer bio: F0rensik is a recent MIT Computer Science grad, whose viewpoint is well respected around InfoSec News.

From isn at c4i.org Wed Feb 16 10:05:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 16 10:11:04 2005
Subject: [ISN] Hack.lu 2005 Call for Papers
Message-ID:

Forwarded from: Alexandre Dulaunoy

== Call for Papers hack.lu 2005 ==

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implications of new technologies in society. hack.lu is a balanced-mix convention where technical and non-technical people can meet each other and freely share all kinds of information. The convention will be held in the Grand-Duchy of Luxembourg in August or September 2005 (soon to be defined). The convention is open to everyone.
=== Scope ===

Topics of interest include, but are not limited to:

* Software Engineering
* Honeypots/Honeynets
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspects of Information Security
* Software Engineering and Security

=== Deadlines ===

Abstract submission: 1 April 2005
Full paper submission: 15 May 2005

=== Submission guideline ===

Authors should submit a paper in English or French of up to 5,000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result by electronic means. Abstracts are up to 400 words.

Submissions must be sent to: hack2005-paper(AT)hack.lu

Submissions should also include the following:

# Presenter, and geographical location (country of origin/passport) and contact info.
# Employer and/or affiliations.
# Brief biography, list of publications or papers.
# Any significant presentation and/or educational experience/background.
# Reason why this material is innovative or significant or an important tutorial.
# Optionally, any samples of prepared material or outlines ready.

The information will be used only for the sole purpose of the hack.lu convention, including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

=== Publication and rights ===

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.
=== Sponsoring ===

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to supportus(AT)hack.lu

=== Web site and wiki ===

http://www.hack.lu/

From isn at c4i.org Wed Feb 16 10:05:41 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:17 2005 Subject: [ISN] White House Eyes NSA for Network 'Traffic Cop' Message-ID: Forwarded from: Jon Erickson http://www.washingtonpost.com/wp-dyn/articles/A25583-2005Feb15.html By Ted Bridis AP Technology Writer February 15, 2005 The Bush administration is considering making the National Security Agency -- famous for eavesdropping and code breaking -- its "traffic cop" for ambitious plans to share homeland security information across government computer networks, a senior NSA official says. Such a decision would expand NSA's responsibility to help defend the complex network of data pipelines carrying warnings and other sensitive information. It would also require significantly more money for the ultra-secret spy agency. The NSA's director for information assurance, Daniel G. Wolf, was expected to outline his agency's potential role during a speech Wednesday at the RSA technology conference in San Francisco. In an interview preceding his speech, Wolf told The Associated Press that computer networks at U.S. organizations are like medieval castles, each protected by different-size walls and moats. As the U.S. government moves increasingly to share sensitive security information across agencies, weaknesses inside one department can become opportunities for outsiders to penetrate the entire system, Wolf warned. Attackers could steal sensitive information or deliberately spread false information. "If someone isn't working on being a traffic cop, giving guidance on how secure they need to be, a risk that is taken by one castle is really shared by other castles," Wolf said. "Who's defining the standards? Who says how high the walls should be?"
The NSA already helps protect systems deemed vital to the nation's security, such as those involved in intelligence, cryptography and weapons. Wolf said the administration is considering whether to designate its fledgling information-sharing efforts also under the NSA's purview. The White House Office of Management and Budget currently directs efforts by civilian agencies to secure their computer networks. The NSA's information security programs are highly regarded among experts. "Bring it on. This clearly ought to be done," said Paul Kurtz, a former White House cybersecurity adviser and head of the Washington-based Cyber Security Industry Alliance, a trade group. "This will raise the bar across the federal government to a far more secure infrastructure." Congress has directed the NSA and the Department of Homeland Security to study the architecture and policies of computers for sharing sensitive homeland security information. In the latest blueprint for U.S. intelligence spending, lawmakers warned that attackers always search for weak links and that connecting distant systems "will further increase the vulnerability of networks that originally were developed to be substantially isolated from one another." It's unclear how the NSA's efforts would affect private companies, which own and operate many of the electrical, water, banking and other systems vital to government. Wolf said the agency already works to secure such systems important to military installations, but he denied that NSA would have any new regulatory authority over private computers. "When we talk about being the traffic cop, we're not in charge of these networks," Wolf said. "We're not running these networks." It also was unclear how much the effort might cost.
"If you're going to have a network that everyone in government can get into, that means some agencies are going to have to come up to meet new, higher standards, and that's expensive," said James Lewis, director of technology policy at the Center for Strategic and International Studies, a conservative think-tank. From isn at c4i.org Wed Feb 16 10:06:12 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:19 2005 Subject: [ISN] Security gaps in federal computers Message-ID: http://cnews.canoe.ca/CNEWS/Canada/2005/02/15/931808-cp.html February 15, 2005 OTTAWA (CP) - The personal information of Canadians is at risk due to "significant weaknesses" in government computer security that leave the digital door open to hackers and thieves, says the auditor general. In a highly critical report Tuesday, Sheila Fraser warns that federal agencies have failed to keep up with the demands of the electronic age, making sensitive files vulnerable. "If security weaknesses allowed someone to access a database or confidential information, Canadians' trust in the government would be greatly eroded," the report says. "Further, if a citizen's privacy were violated because of a failure to keep confidential information secure, it could cause that person hardship and seriously undermine the government's efforts to deliver services to Canadians electronically." Fraser told a news conference she was disappointed the government doesn't meet its own minimum standards for information technology security, even though most of them have been well known for more than a decade. The auditor general likened it to a homeowner leaving the back door open - eventually someone will break in. "Government must fill in the gaps," she said. "There are weaknesses in the system." But Fraser stopped short of urging Canadians to avoid using online federal services, saying she would continue to file her tax return by computer. 
Information security is becoming increasingly important given that the federal government wants Canadians to have electronic access to key information and transactions by the end of the year. Growing use of the Internet, portable computer devices and wireless technologies have made access to data easy and affordable, the report notes. "This environment provides more opportunities for problems to occur, such as theft of data, malicious attacks or criminal actions." Treasury Board President Reg Alcock, minister responsible for government security policy, acknowledged the concerns Tuesday but said it's a "tough area for any organization, because the technology's always changing," requiring ongoing vigilance. New Democrat MP Peter Julian said the government doesn't seem to be taking the auditor general's points as seriously as it should. Fraser found the Treasury Board Secretariat was "not adequately fulfilling its role of monitoring and overseeing" the state of security across the government. Last May, the secretariat surveyed 90 departments and agencies on their security practices. Of the 46 that responded, only one agency met the basic requirements of the government security policy and related standards. The survey found: * Sixteen per cent of departments didn't even have an information security policy. Of those that did, 33 per cent indicated it hadn't been formally approved by management. * More than one-quarter of departments didn't have a policy requiring a plan to keep critical systems and services running in the event of a major attack or power failure. Other internal studies flagged similarly worrisome problems. "Vulnerability assessments, conducted in departments and agencies over the last two years, have revealed significant weaknesses that, if exploited, could result in serious damage to government information systems," says Fraser's report. 
Despite the potential for difficulties, many departments and agencies had yet to adequately assess threats and risks to their computer systems. In addition, there was often lax control of access to sensitive data and programs by people without authority to see it, the report says. In some cases, computer passwords were not set properly, and most organizations had no comprehensive program for monitoring who was using their digital networks. Fraser says there have been some advances since 2002 when she last examined these issues, but overall the government has made "unsatisfactory progress." Reasons for the continuing gaps include lack of money and people, as well as little interest in information technology security among senior management, the report says. Fraser's recommendations include preparation of action plans indicating when each department and agency intends to comply with security requirements. The report says the Treasury Board Secretariat has "responded positively" to the recommendations and, in some cases, is already taking action. From isn at c4i.org Wed Feb 16 10:06:54 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:22 2005 Subject: [ISN] Bad O-S design blamed for rise in bots Message-ID: http://www.smh.com.au/news/Breaking/Bad-OS-design-blamed-for-rise-in-bots/2005/02/15/1108229972070.html By Sam Varghese February 15, 2005 Computer users are today forced to wear the side effects of operating systems which had been designed with functionality and not security in mind, a senior executive of a major anti-virus company says. Allan Bell, the marketing director for McAfee Asia Pacific, made the comment in connection with today's release of a pan-European study into crime and the internet, titled the Virtual Criminology Report. 
The study was commissioned by McAfee and conducted by security expert and computer criminologist Dr Peter Troxler, a researcher at ETH Zurich, the Swiss Federal Institute of Technology, with input from hi-tech crime units in Britain, France, Germany, the Netherlands, Spain and Italy. Bell said the study was borne out of the success of an earlier white paper, also on cyber crime in Europe. The paper was mostly done in-house and after a largely positive response, McAfee decided to undertake this broader study. The activity documented by Dr Troxler includes extortion and protection rackets, fraud and theft on a pan-European and global scale, as well as new net-only scams. Referring to specifics, Bell said one example of functionality providing a way into a user's computer was the auto-execution of attachments in Outlook Express. "Someone may receive a music file and this email client is set to play it as soon as the email is opened; a malicious attacker can send a music file and also attach code that executes in the background while the music is playing," he said. "It's nice for the user but it has a big downside." The study says cyber crime had evolved from the stage where lone individuals were staging exploits to prove something to their peers, to one where an organised 'cyber mafia' was mobilising thousands of zombies to commit crime on a global scale. It said in Russia, the Ministry of Internal Affairs counted 7053 cybercrime cases in 2003, almost double that in 2002 (3782); last year, that number was 4995 in the first half of the year. The study illustrates the extent to which cyber crime is now a silent affair - the machines which are used are owned by people who do not know they are part of a vast bot network. Bell said that the way things were done, it was extremely difficult to track the IP of the actual criminal with the degree of certainty required to bring about a conviction. 
The rate of growth of worms and malware was also increasing, with the study pointing out that while signature files for 300 new malicious threats were being put out per month some time back, today this figure had tripled to about 900 to 1000 per month, with the increase largely being in the number of bots. The study said that an estimated 70 percent of malicious code was written purely for profit. Further, organised gangs were recruiting lower-level attackers, the so-called script kiddies, and paying them to create malicious code for phishing, credit card and extortion scams. It quoted a spokesperson from Britain's National Hi-Tech Crime Unit (NHTCU) as saying: "We have seen intelligence to suggest that European organised crime is hiring hackers to carry out computer attacks." Gangs in Sweden, Latvia, and Russia were found to be targeting business worldwide, with British bookmakers and businesses in Australia and Japan affected. The study cited the case of Peter White a.k.a. 'iss' who offered the use of a bot in protection rackets for $US28,000 per month. Dr Troxler's investigation found that the going rate was as little as ?100 an hour for use of these bots. Dr Troxler also discovered evidence in Britain, the Netherlands, France and Italy of organised criminals exploiting script kiddies and hackers to do their bidding. In Germany, an organised network called Liquid FX had exploited the skills of young hackers to find vulnerable networks. The report found that more hardened criminals were hiding behind script kiddies to reduce their own exposure to risk, just as a drug runner would hide behind a teenaged dealer. Dr Troxler predicted that corporate espionage using bot-nets was one area that would see an increase in the next 12 months and cited the case of Jay Echouafi in Massachusetts who hired three script kiddies called Emp, Rain and sorCe to launch an attack on the websites of three competitors. They used a bot to launch the attack.
Bell said the sole purpose of the study was to educate people and not to spread panic. From isn at c4i.org Wed Feb 16 10:07:19 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:25 2005 Subject: [ISN] IE 7.0 Leaves Windows 2000 Users Out in the Cold Message-ID: http://www.eweek.com/article2/0,1759,1765331,00.asp By Ryan Naraine February 15, 2005 SAN FRANCISCO - After months of hemming and hawing on plans for a standalone Internet Explorer upgrade before Longhorn, Microsoft Corp. now plans to push out a browser refresh by July or August this year. But the news that IE 7.0 will be available only to Windows XP SP2 (Service Pack 2) customers isn't likely to sit well with security experts who argue that the threat from the Firefox browser is at the center of Microsoft's aggressive anti-spyware and anti-virus plans. The percentage of Web surfers using Firefox has risen steadily since June, but Microsoft officials are sidestepping the issue altogether. "When you run a business and you worry only about what your competitors are doing, that's not a long-term business proposition. You really need to be listening to your customers and that's what we're doing," said Gytis Barzdukas, director of product management in Microsoft's security business technology unit. "Yes, Firefox has come out with technologies that customers are evaluating. But, at our end, we can't worry too much about that. Customers have told us they want us to take a leadership position in security and they want us to make sure we secure the browsing experience," Barzdukas said in an interview with eWEEK.com. Like Microsoft Chairman Bill Gates, who announced the new version of IE at the RSA Conference here, Barzdukas stressed that IE 7.0 will build on and expand the progress made with SP2 and put in place defenses against malware, spyware and phishing attacks. 
Asked to explain the rationale for limiting IE 7.0 to XP SP2 users when the majority of businesses are still running Windows 2000, Barzdukas left the door open slightly. "Windows XP SP2 is the scope of the project at the moment. That's what we feel comfortable committing to. We haven't closed the door on potentially providing it to other platforms," he said. However, Barzdukas argued that it was much easier for a company to consider migration to a new operating system than testing and deploying significant product upgrades. "When you do a certain amount of engineering, it gets to a tipping point. Customers have to decide whether to spend a lot of resources making sure their existing applications work properly. Or, they can decide that it's much more feasible to move to a new operating system," he said. "When we do all this engineering work, the architecture is changed significantly. In some cases, it's more expedient for customers to just move to a new operating system where the enhancements are easier to deploy," Barzdukas said. Last year, when Microsoft rolled out XP SP2 and declined to offer the security enhancements to Windows 2000 users, analysts grumbled that the Redmond, Wash.-based software giant was using security as a carrot to get businesses to upgrade. "Will customers be migrating [to XP] because they're trying to get the security benefits? Or are they spending money because Microsoft isn't shoring up Windows 2000 adequately? That's a legitimate question to ask," security analyst Michael Silver said at the time. Those criticisms are bound to resurface this time around as details of the security goodies in IE 7.0 start to dribble out. On the Internet Explorer blog, Dean Hachamovitch, head of the IE team, said the company would compare Windows 2000 customers' needs with the "engineering and logistical complexity" of back-porting the enhancements. "That's all I can say on that topic," he said. 
It's not yet clear if IE 7.0 will include nonsecurity enhancements that Web developers have been demanding. Those include fixed positioning in CSS (Cascading Style Sheets) and improved support for PNG (Portable Network Graphics). "We're not yet prepared to go into details about what will or won't be included in IE 7.0," Barzdukas said. The company has been using its Channel 9 Wiki to solicit feature ideas and feedback from IE users. From isn at c4i.org Wed Feb 16 10:07:44 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:27 2005 Subject: [ISN] Security lapses at nuclear plants spark terror fears Message-ID: http://news.scotsman.com/uk.cfm?id=176262005 JAMES KIRKUP POLITICAL CORRESPONDENT 16 Feb 2005 A LITANY of security failures at British nuclear sites has been revealed by government investigators, raising fears of a terrorist attack. The incidents, which even included a burglary, were uncovered by the Office for Civil Nuclear Safety (OCNS), an arm of the UK Atomic Energy Authority. The watchdog's reports are not normally published, but have come to light because of the Freedom of Information Act. During the 12 months ending April 2004, the agency recorded more than 40 security breaches, including eight incidents it classified as "failures of security leading to unacceptable or undesirable consequences". The disclosure could not come at a worse time for the government, which is preparing to authorise the controversial construction of a new generation of nuclear power stations later this year. The security failures identified in the report included: * Security guards at nuclear plants failed to respond to intruder alarms when a burglary was in progress; * Two unauthorised people were able to walk unchallenged around restricted areas; * Classified information was left exposed to theft or electronic interception.
Several laptops and at least one CD containing restricted data were stolen; * Carelessness in handling documents meant that "sensitive" documents were found by members of the public. While the breaches were not violations of security around nuclear material itself, access to information about the operations and lay-out of nuclear sites could make the difference between a terrorist attack succeeding and failing. Since the Twin Towers attacks on 11 September, 2001, security has been stepped up at sensitive British sites including nuclear plants. Last year, the Parliamentary Office of Science and Technology, which advises MPs, found that while nuclear plants were relatively well protected, the disclosure of information could make them vulnerable. A ground-based attack "would require detailed site-specific knowledge of plant operations and design", the office concluded. The OCNS report said that at least one attempt to gain access to restricted sites was foiled when two individuals with forged papers were turned away as they tried to enter a rail yard. While government spokesmen would not identify which nuclear plants were involved in the security breaches, it is understood that the incidents were spread across all civil atomic facilities in Britain. There are seven active nuclear sites in Scotland. Norman Baker, the Liberal Democrat environment spokesman, said the flaws revealed by the OCNS report had damaged the case for nuclear power. "The nuclear industry always has the potential to cause environmental, security and terrorism problems, which is why it is more important for the industry to follow correct procedures and precautions than if it was making baked beans," he said. "It is now clear that the industry has not been following those procedures." The Department of Trade and Industry has responsibility for the nuclear sector and the OCNS. A spokesman said: "The director of Civil Nuclear Security has undiminished confidence in existing security arrangements. 
These have been significantly enhanced since 11 September, 2001, and are continually reviewed." From isn at c4i.org Thu Feb 17 04:42:47 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:24 2005 Subject: [ISN] Flash Review: A Hacker Manifesto Message-ID: Forwarded from: security curmudgeon : http://www.amazon.com/exec/obidos/ASIN/0674015436/c4iorg : : Title: A Hacker Manifesto : Author: McKenzie Wark : Pages: 160 pages : Publisher: Harvard University Press : Reviewer: f0rensik [at] attrition.org : ISBN: 0674015436 : : A Hacker Manifesto is a tough read. I've found that reading some parts : and then going back to others helps me make sense of it, but it's just : very dense. Also, the author loves to say things in convoluted and : difficult ways whenever he can. It's as if he's showing off how many big : words he knows; and annoying as hell. This book is on my "to review" list as well. As f0rensik says, reading this book is more likely to cause more headache than deep thought. It is clear that Wark is well read and has thought about the topics extensively. His choice in how to present the material is lacking. Imagine a poorly translated and convoluted book on some obscure philosophy, apply it to the hacker mindset, and you have _A Hacker Manifesto_. Personally I am hoping Wark will go back and release a companion to this book that strips out all the 5 point words he could dig up, and expand on some ideas and put them in a little more real world context. In doing that, I believe Wark could potentially have the next great piece on defining the hacker mindset, and exploring how they will continue to shape our future.
From isn at c4i.org Thu Feb 17 04:43:58 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:27 2005 Subject: [ISN] Security UPDATE -- A New IPS Test Report -- February 16, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. An Evaluation of the Total Cost of Ownership of Email Security Solutions http://list.windowsitpro.com/t?ctl=21C9:4FB69 Security Administrator http://list.windowsitpro.com/t?ctl=21D2:4FB69 ==================== 1. In Focus: A New IPS Test Report 2. Security News and Features - Recent Security Vulnerabilities - Serious Flaws in Symantec and F-Secure Protection Products - Microsoft Investigating Anti-Anti-Spyware Trojan 3. Security Matters Blog - How to Detect Network Sniffers 4. Security Toolkit - FAQ - Security Forum Featured Thread 5. New and Improved - A Faster IPS ==================== ==== Sponsor: Postini==== An Evaluation of the Total Cost of Ownership of Email Security Solutions Quantifying the Total Cost of Ownership (TCO) of email security solutions is a notoriously difficult task. Discover how Total Cost of Ownership is much more than the initial acquisition cost of a solution, and how you can save thousands of dollars each year without sacrificing accuracy, control or effectiveness in protecting your email systems. Download this free whitepaper now! http://list.windowsitpro.com/t?ctl=21C9:4FB69 ==================== ==== 1. In Focus: A New IPS Test Report ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You might recall that The NSS Group periodically releases in-depth test reports that can be very useful to security administrators looking for solutions. 
Over the past couple of years, I have written twice about the group's product testing for Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). In my September 24, 2003 article "Evaluating Intrusion Detection Systems," I wrote about the group's tests of IDSs for 10Mbps/100Mbps Ethernet and Gigabit Ethernet networks. In my March 17, 2004 article "Evaluating Intrusion Prevention Systems," I wrote about the group's tests of IPSs. http://list.windowsitpro.com/t?ctl=21D9:4FB69 http://list.windowsitpro.com/t?ctl=21D5:4FB69 The NSS Group recently finished its second round of tests and has made the results available online. According to the group, testing "consists of seven sections within three primary areas: performance and reliability, security accuracy, and usability." The group also said that "the brand new test suite contains more than 800 individual tests, many of which are run multiple times, to provide the most thorough and complete evaluation anywhere of IPS products available today." An interesting tidbit from the latest report is that nine vendors signed up for the recent tests. However, four of the products didn't make the cut during stringent testing, so the final report covers the five remaining products. The current report includes detailed test information about BroadWeb NetKeeper NK-3256T 3.6.0, Fortinet FortiGate-800, SecureSoft Absolute IPS NP5G 1.1, Top Layer IPS 5500 3.3, and V-Secure V-100 7.0. A couple of other interesting notes are related to performance. During earlier tests, The NSS Group measured IDS and IPS top traffic-processing speeds of 1Gbps to 2Gbps; this year, top speeds well exceeded that threshold. So the group decided to launch a new multigigabit IPS test later this year. Ten vendors have reportedly already signed up for the next test. It's also interesting to note that industry analysts had previously claimed that IDS and IPS systems were things of the past.
But something is seriously wrong with that "analysis," because IDS and IPS systems are still being used, and according to The NSS Group, the number of available products has actually grown! The group said that over the last year, it has improved the testing suite and introduced a new methodology to conduct in-depth tests of rate-based IPS systems, which gives a more accurate evaluation of their capabilities as compared to the evaluation of content-based IPS systems. The report itself is great information for security administrators looking for evaluations of prospective product choices. The report is also valuable in that it offers details about the group's test methodologies as well as about the hardware and software solutions the group uses to conduct its tests. As has been the case in the past, the results of the new report are freely available at the group's Web site (see the first URL below). If you missed the past reports, you can find those online too (see the second URL below). If you want a copy of all reports on CD-ROM or copies of selected reports in PDF format, you can purchase those at the Web site. http://list.windowsitpro.com/t?ctl=21DE:4FB69 http://list.windowsitpro.com/t?ctl=21E0:4FB69 Until next time, have a great week. ==================== ==== Sponsor: Security Administrator ==== Try a Sample Issue of Security Administrator! Security Administrator is the monthly newsletter from Windows IT Pro that shows you how to protect your network from external intruders and control access for internal users. As an added bonus, paid subscribers get access to over 1900 searchable articles on the Web. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here! http://list.windowsitpro.com/t?ctl=21D2:4FB69 ==================== ==== 2. 
Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=21D0:4FB69 Serious Flaws in Symantec and F-Secure Protection Products Internet Security Systems (ISS) reported that its X-Force research team has discovered a serious vulnerability in a Symantec parsing engine that's used in several of the company's products. ISS X-Force also discovered a critical flaw in F-Secure's antivirus and Internet security products. The flaw is in the way the products scan files that are compressed with ARJ compression. http://list.windowsitpro.com/t?ctl=21D7:4FB69 Microsoft Investigating Anti-Anti-Spyware Trojan by Paul Thurrott Microsoft is investigating a new electronic attack that attempts to disable the Microsoft AntiSpyware beta product so that it can surreptitiously install spyware on users' systems. http://list.windowsitpro.com/t?ctl=21D8:4FB69 ==================== ==== Resources and Events ==== Get Ready for SQL Server 2005 Roadshow in a City Near You Get the Facts about Migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best- practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=21CC:4FB69 Fax Servers: Integrate. Automate. Communicate Attend this free Web seminar and receive a complimentary 30-day software evaluation, industry whitepaper, and a Starbuck's gift card! 
Join industry expert David Chernicoff and learn how leading organizations are incorporating fax technologies to empower users and enhance existing investments in infrastructure and applications while providing substantial ROI. Register now!
http://list.windowsitpro.com/t?ctl=21CD:4FB69

Sensible Best Practices for Exchange Availability Web Seminar

If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!
http://list.windowsitpro.com/t?ctl=21C8:4FB69

Keeping Critical Applications Running in a Distributed Environment

Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity and learn how to keep your network's critical applications, such as Active Directory and Exchange, running. Don't miss this exclusive opportunity--register now!
http://list.windowsitpro.com/t?ctl=21CA:4FB69

Discover All You Need to Know About 64-bit Computing in the Enterprise

In this free Web seminar, industry guru Michael Otey explores the need for 64-bit computing and looks at the type of applications that can make the best use of it. He'll explain why the most important factor in the 64-bit platform is increased memory. Discover the best platform for high performance and learn how you can successfully differentiate, migrate, and manage between 32-bit and 64-bit technology. Register now!
http://list.windowsitpro.com/t?ctl=21CB:4FB69

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=21DF:4FB69

Check out this recent entry in the Security Matters blog:

How to Detect Network Sniffers

I found a new free tool that can help detect network sniffers on your network. The new tool, Promqry 1.0, was developed by Tim Rains at Microsoft.
http://list.windowsitpro.com/t?ctl=21DA:4FB69

==== 4. Security Toolkit ====

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=21DB:4FB69

Q. How can I enable complex passwords on my Windows Server 2003 Active Directory (AD) domain?

Find the answer at
http://list.windowsitpro.com/t?ctl=21D6:4FB69

Security Forum Featured Thread: Monitoring File System Changes

Jay wonders whether there's a utility that can monitor for file system changes when an application is installed. Jay wants to be able to detect all the files that have been added, deleted, or changed during the installation process. Join the discussion at
http://list.windowsitpro.com/t?ctl=21CE:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=21D4:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

A Faster IPS

TippingPoint, a division of 3Com, announced that the TippingPoint 5000E Intrusion Prevention System (IPS), which can perform total packet inspection at 5Gbps with real-world traffic, will ship next month. TippingPoint claims that the 5Gbps throughput rate is "more than double any other IPS's maximum rated throughput."
TippingPoint 5000E comes with eight Gigabit Ethernet ports able to protect four network segments. The TippingPoint product line is automatically kept up-to-date through the Digital Vaccine service to protect against the latest worms, viruses, Trojan horses, Denial of Service (DoS) attacks, spyware, and Voice over IP (VoIP) threats. For more information about TippingPoint 5000E, go to
http://list.windowsitpro.com/t?ctl=21E3:4FB69

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=21E4:4FB69

Quest Software
See Active Directory in a whole new light. And get a free flashlight!
http://list.windowsitpro.com/t?ctl=21E5:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=21E1:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=21D3:4FB69

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=21D1:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Feb 17 04:44:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 17 04:52:29 2005
Subject: [ISN] Software firms fault colleges' security education
Message-ID:

http://news.com.com/Software+firms+fault+colleges+security+education/2100-1002_3-5579014.html

By Robert Lemos
Staff Writer, CNET News.com
February 16, 2005

SAN FRANCISCO -- Software companies are taking colleges to task for not producing computer science graduates who know how to create secure programs.

In a two-hour panel session Tuesday at the Secure Software Forum here, Oracle, Microsoft and other software makers attempted to analyze why flawed software is still overwhelmingly the rule and not the exception in the industry. A major contributor, the companies said, is college students' lack of a good grounding in secure programming.
"Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it," said Mary Ann Davidson, chief security officer at Oracle, who kicked off the panel discussion that, while separate from the ongoing RSA Security Conference, addressed many of the same topics. The panel discussion is the software industry's latest soul-searching on security. While companies claim to want more secure software, in most cases, they have yet to put their money where their mouth is. Many software makers believe that better training of computer science graduates is a key step toward improving software quality, but some security researchers have criticized the industry, pointing out that industry demand for programmers generally does not give preference to those trained in secure programming. Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, likened the situation to sports. "Colleges produce athletes capable of going on to the NFL because their football programs know what is needed," he said. "We have to be very clear what types of skills we need from future graduates." Such thinking is driving Microsoft and other security companies to try and influence curricula at colleges. Microsoft has pledged $500,000 to 10 universities as part of a contest to create trustworthy-computing curricula, and several security firms have also established scholarships at a handful of schools. Private industry is not the only one attempting to kick-start better security education at universities. Several federal agencies, including the Department of Defense and the National Security Agency, have named several college programs as National Centers of Academic Excellence in a variety of security disciplines. Oracle's Davidson said education is only a start, noting that better tools need to be developed to spot common flaws. 
Such tools should be used by all developers because even well-trained, well-meaning developers can miss errors in programs. In one case, Oracle's security staff missed one out of 21 flaws during an audit, a mistake that cost the company $1 million to fix later, she said.

"Even the people who 'get it' need good, automated tools," she said.

However, others on the panel laid the blame for the problems squarely at the feet of software makers. Until companies are willing to foot the bill for security, applications will not get better, Rica said. When given a choice to put new features into a product or secure the old ones, software makers do not hesitate.

"Functionality still trumps security," he said. "Functionality is still king."

A Gartner study found that while companies put a lack of skills as a priority on their list of problems to be fixed, funding for developer training is second-to-last on their budgets.

Ira Winkler, a security consultant and part of the panel, criticized the focus on college education and stressed that companies should not rely on schools to train developers.

"I'm not going to hire someone straight out of college because they don't know anything," he said. "We need people who have on-the-job training."

From isn at c4i.org Thu Feb 17 04:47:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 17 04:52:32 2005
Subject: [ISN] [Vmyths.com ALERT] mi2g issues absurdly precise guesstimates
Message-ID:

Forwarded from: Vmyths.com Virus Hysteria Alert

Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
16 February 2005

CATEGORY: Hysteria related to a publicity stunt

On 16 February 2005, computer security firm "mi2g" unveiled its guesstimates for "global economic damage" over the last nine years resulting from "all types of digital risk manifestations."

Vmyths dismisses mi2g's figures as a blatant publicity stunt. Every guess in mi2g's report is absurdly precise.
In 2004, for example, they calculated the total "global economic damage" at $456,134,500,000 to $557,497,700,000. These figures reveal an accuracy of plus or minus $100,000, worldwide, for "all types of digital risk manifestations" in 2004.

mi2g used SEVEN significant figures in many of their guesses. In economic terms, it means mi2g's underlying data must be accurate TO THE DIME, if not to the penny. As in, "the MyDoom attack caused precisely $368,714.2 in total economic damage to corporate site X, while the Klez virus caused precisely $117,644.9 in total economic damage to military site Y..."

No respected economics expert will declare five significant figures -- let alone seven! -- for the total cost of the World Trade Center attack in September 2001. It would violate the economic analogy for Heisenberg's Uncertainty Principle. Yet mi2g offers absurdly precise global computer security economic damage guesstimates for every year back to 1995.

mi2g has never explained how THEY ALONE can acquire enough absurdly accurate microeconomic data to satisfy their macroeconomic forecast model. Assuming such a model even exists.

mi2g has repeatedly declared "$1,500.00" for the cost of one manday. But here's the catch: they won't call it a manday. Rather, they call it an "equivalent person day." mi2g has never adequately defined this term.

We've highlighted mi2g in multiple Hysteria Alerts and we maintain a "Hysteria roll call" resource on them dating back to 1999:

mi2g "Hysteria roll call" resource:
http://Vmyths.com/resource.cfm?id=64&page=1

Hysteria Alerts archive:
http://Vmyths.com/resource.cfm?id=34&page=1

mi2g has threatened to sue Vmyths for libel (see < http://Vmyths.com/rant.cfm?id=497&page=4 > for details). For the record: we stand by our criticisms. However, Vmyths prides itself for an industry-leading "corrections and clarifications" page. Anyone may write to VeaCulpa@Vmyths.com to contest our claims & accusations.
Anyone may visit http://Vmyths.com/rant.cfm?id=470&page=4 to rebut our opinions & criticisms.

Do the math, folks. mi2g's guesstimates are a publicity stunt.

Stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

CATEGORY: Hysteria related to a publicity stunt

--------------- Useful links ------------------

Remember this when virus hysteria strikes
http://Vmyths.com/resource.cfm?id=31&page=1

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Thu Feb 17 04:47:17 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 17 04:52:34 2005
Subject: [ISN] With D+ On Their Report Card, Federal Security Officers Try A Study Group
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=60401476

By Eric Chabrow
InformationWeek
Feb. 16, 2005

The consistent failure of many federal agencies to secure their IT systems effectively has prompted government officials to create a new organization, to be funded by the private sector, to help federal chief information security officers improve cybersecurity.

The formation of the CISO Exchange, announced Wednesday, came as the House Government Reform Committee issued a federal computer security report card in which the average grade for 2004 was a D+.

Federal CISOs need better guidance to comply with the 2002 law that requires agencies to secure their IT systems and networks. In a survey of one-quarter of federal CISOs, 70% say they want clarification of guidelines; 53% recommended that guidance be improved on the annual security control tests conducted by agencies' inspectors general.

"It's not sufficient to keep admonishing these guys," says Stephen O'Keefe, the head of an IT public relations, research, and events firm, who will serve as the CISO group's executive. "We have to provide a forum where they can have a seat at the table, learn from others, and get feedback on ideas."
The creation of the CISO Exchange was announced by Rep. Tom Davis, the Virginia Republican who chairs the Government Reform Committee, and the federal CIO Council, a congressionally mandated group of CIOs who represent major federal departments and agencies. Unlike the CIO Council, the CISO Exchange will be an informal organization aimed at giving 117 federal departmental and agency CISOs a common voice. The exchange will be co-chaired by Justice Department CIO Van Hitch, who chairs the CIO Council's cyber security and privacy committee, and Government Reform Committee staff director Melissa Wojciak.

Davis, in a statement, said the exchange is patterned after other government efforts to cross-pollinate ideas and best practices between the private sector and government in order "to move our government to the top of the class in IT security."

The CISO Exchange will hold quarterly education meetings as well as produce a report on federal IT security priorities and operations. O'Keefe says 100% of CISO Exchange funding will come from business, mostly IT security companies, and not government coffers. No company has been asked to commit money to the venture, since O'Keefe says that CISO Exchange wanted to await the announcement of the group's formation before soliciting contributions. He says a number of companies have expressed interest in supporting the exchange, which doesn't yet have a budget.

Seven cabinet departments received a grade of F on their computer security report card: Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs. The grades for Commerce and Veterans Affairs dropped from 2003 scores of C- and C, respectively. The biggest jump in performance occurred at Transportation, which received an A- after getting a D+ in 2003. The Agency for International Development had the highest grade, an A+, up from a C- in 2003.
In the CISO survey, conducted by IT security management provider Telos Corp., the vast majority of security officers said there was no correlation between the scorecard grades they received and government funding of IT security initiatives. "If there are no incentives for agencies to continue to comply with FISMA requirements," Telos chief security officer Richard Tracy says, "what's the point?"

From isn at c4i.org Thu Feb 17 04:47:31 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 17 04:52:36 2005
Subject: [ISN] Hacker who broke into mobile network pleads guilty
Message-ID:

http://www.cnn.com/2005/TECH/02/16/cell.phone.hacker.ap/

February 16, 2005

LOS ANGELES, California (AP) -- A hacker who broke into the network of T-Mobile USA Inc. and accessed personal information on hundreds of customers including a Secret Service agent has pleaded guilty to a felony hacking charge.

Nicholas Lee Jacobsen, a 21-year-old computer engineer who now lives in Oregon, entered his plea Tuesday in U.S. District Court in Los Angeles. He faces up to five years in federal prison and a $250,000 fine when he is sentenced May 16.

The break-in targeted the network of Bellevue, Washington-based T-Mobile USA, which has 16.3 million customers nationwide. It was discovered during a broader Secret Service investigation.

T-Mobile acknowledged the hacker was able to view the names and Social Security numbers of 400 customers, all of whom it said were notified in writing about the break-in, which lasted at least seven months. The company said customer credit card numbers and other financial information were not revealed.

Prosecutors alleged Jacobsen posted a notice on an online bulletin board that said he could look up the name, Social Security number, birth date and passwords for voice mails and e-mails for T-Mobile customers.

Jacobsen was accused of targeting the desktop computer of a Secret Service agent on his trail.
The agent, Peter Cavicchia, was also a T-Mobile customer and sometimes used the wireless network to communicate about the case, unaware it wasn't safe.

Jacobsen was arrested in October in Orange County, where he used to live, and was later released on $25,000 bail.

From isn at c4i.org Thu Feb 17 04:47:54 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 17 04:52:38 2005
Subject: [ISN] Researchers find security flaw in SHA-1 algorithm
Message-ID:

http://www.nwfusion.com/news/2005/0216reseafind.html

By Paul Roberts
IDG News Service
02/16/05

Security experts are warning that a security flaw has been found in a popular and powerful data encryption algorithm, dubbed SHA-1, by a team of scientists from Shandong University in China.

The three scientists are circulating a paper within the cryptographic research community that describes successful tests of a technique that could greatly reduce the speed with which SHA-1 could be compromised.

Although the cracking technique could not be carried out practically, it does compromise the integrity of the algorithm and could lead to more advanced attacks that would render SHA-1 useless, affecting many Internet security products that use it to generate digital signatures, according to Bruce Schneier, founder and CTO of Counterpane Internet Security.

SHA-1 is a popular encryption algorithm that was developed by the U.S. National Security Agency (NSA) in 1995 after a weakness was discovered in a predecessor algorithm, called the Secure Hash Algorithm, or "SHA."

The algorithm is among those most commonly used to generate "hashes," or unique strings of values that are used to encrypt and decrypt digital signatures, Schneier said. SHA-1 is used to create signatures by most of the popular security protocols on the Internet, including SSL and PGP (Pretty Good Privacy), he said.
A research team of three scientists, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, is circulating a paper called Collision Search Attacks on SHA-1 that describes methods for creating so-called "collisions" with the SHA-1 algorithm 2,000 times more quickly than had been possible before.

"It's phenomenal research," Schneier said. "There's a lot of really impressive math."

A "collision" is an occurrence in which two messages have an identical hash value. It opens the door to forging valid signatures generated using SHA-1. Cryptographers rely on "non repudiation" in algorithms, the concept that two identical hash signatures cannot be created by different signers, said Michael Szydlo, a senior research scientist at RSA Security's RSA Labs.

The results of the paper mark a significant improvement over previous methods of cracking SHA-1 but still require a massive number of attempts to work -- a number expressed by 1 with thirty zeros after it, he said. That number of tries could take 1,000 years for a single personal computer to execute and is not practical for all but a few government entities, such as the National Security Agency (NSA), or wealthy private corporations to try, Schneier said.

However, once an algorithm is broken, other scientists can often move quickly to refine the process and produce even better results, he said.

"There's an old (U.S. National Security Agency) maxim: Attacks always get better. They never get worse," Schneier said.

However, the approach used by the Chinese researchers is novel enough that cryptography experts aren't sure whether it can be refined, Szydlo said.

The paper has not yet been published but will probably appear on the Web page of the International Association for Cryptographic Research, he said.
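The article's two central ideas, what a collision is and why the number of attempts matters, can be made concrete with a small experiment. The following Python script is an added example, not code from the article or from the Wang, Yin and Yu paper: it runs a generic "birthday" collision search against SHA-1 truncated to a handful of bits, finds two distinct messages with the same truncated digest, and compares the trial count with the textbook expectation of about sqrt(pi/2 * 2^bits) hashes. That square-root scaling is the reason a 160-bit hash is credited with roughly 80 bits of collision resistance, and why any method needing fewer than 2^80 operations counts as a break even while it is still far out of reach. The truncation, the counter-based message format and the bit sizes are constructed for illustration; no attack on full SHA-1 is performed.

```python
import hashlib
import math


def truncated_sha1(data, bits):
    """SHA-1 of `data`, keeping only the leading `bits` bits as an integer.

    Truncation is a teaching device: a real collision attack targets the
    full 160-bit digest, which a generic search cannot reach in practice."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits, prefix=b"msg-"):
    """Generic (birthday) collision search against the truncated hash.

    Messages are built deterministically from a counter, so the result is
    reproducible. Returns (m1, m2, trials): two different messages whose
    truncated digests agree, and the number of hashes computed to find them."""
    seen = {}          # truncated digest -> first message that produced it
    trials = 0
    while True:
        message = prefix + str(trials).encode()
        digest = truncated_sha1(message, bits)
        trials += 1
        if digest in seen:
            return seen[digest], message, trials
        seen[digest] = message


def expected_birthday_trials(bits):
    """Expected number of hashes before the first collision on a `bits`-bit
    hash: roughly sqrt(pi/2 * 2^bits), i.e. about 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        m1, m2, trials = birthday_collision(bits)
        assert m1 != m2 and truncated_sha1(m1, bits) == truncated_sha1(m2, bits)
        print(f"{bits:2d}-bit truncation: collision after {trials:7d} hashes "
              f"(expected ~{expected_birthday_trials(bits):9.0f}): {m1!r} vs {m2!r}")
    # For the real 160-bit digest the same formula gives about 2^80 hashes,
    # the generic bound that the Shandong result undercuts.
    print(f"160-bit SHA-1: ~2^{math.log2(expected_birthday_trials(160)):.1f} hashes")
```

Each extra 2 bits of hash length doubles the expected work, which is the whole of the defender's interest here: a result that cuts the collision cost below the birthday bound does not have to be practical today to justify planning a migration away from the hash.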
Although practical attacks that target SHA-1 are still some time off, cryptographers will have to decide on a replacement for SHA-1 within the next couple of years, and organizations that rely on secure protocols that use SHA-1 will have to evaluate whether the algorithm is adequate to use for secure transactions, experts agree.

"Do you want your online bank account vulnerable to a 1-in-1000 chance that someone could break it?" Schneier asked.

From isn at c4i.org Fri Feb 18 04:27:32 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:19 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-7
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-10 - 2005-02-17

This week : 70 advisories

========================================================================

Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to provide you with the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Since the IDN Spoofing issue was reported again on 7th February, it has spawned a new intense debate about who is to blame and whether it actually constitutes a vulnerability.

The issue is rather simple. Currently, it is possible to register domain names under e.g. the .com top level domain (TLD) which utilise national character sets such as Chinese, Scandinavian, Cyrillic, and others. This huge variety of characters can be used to display domain names which appear very similar to traditional ASCII character based domains. This can obviously be exploited to trick people into believing that they are actually on a trusted web site in a much more convincing way than the usual obfuscated ASCII based domain names with missing dots, slight misspellings, use of "1" instead of "l" and so on.

Those who are in favour of using IDN domains argue that either the browser vendors should spawn an informational message to the user whenever an IDN domain is visited, with a clear indication of the individual national characters, or that the registrars should blacklist domain names and characters that could be exploited to trick the users.

In other words, either users must live with yet another informational / warning pop-up about a potentially dangerous issue, or we all have to trust and rely on the registrars' ability to figure out all possible malicious combinations of thousands of different characters, which most people have never seen before.
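The two remedies the editorial weighs, showing the user which national characters a name really contains and restricting national characters to national TLDs (the proposal Kristensen makes next), can both be expressed as a small check on a domain name. The following Python script is an added example, not part of the Secunia newsletter and not any browser's or registry's code: it decodes punycode ("xn--") labels back to the characters a user would see, flags labels that mix scripts (the classic lookalike, such as a Cyrillic "а" standing in for a Latin "a"), and flags non-ASCII characters that fall outside the scripts assumed for the name's TLD. The per-TLD table, the sample names and the script heuristic (first word of each character's Unicode name, rather than the Unicode Script property) are constructed assumptions for illustration.

```python
import unicodedata

# Non-ASCII scripts tolerated under each TLD. This encodes the proposal
# "national characters only under national TLDs"; the mapping is a
# constructed assumption for illustration, not any registry's policy.
NATIONAL_SCRIPTS = {
    "dk": {"LATIN"},                        # æ, ø, å
    "de": {"LATIN"},                        # ä, ö, ü, ß
    "jp": {"HIRAGANA", "KATAKANA", "CJK"},
    "cn": {"CJK"},
    "ru": {"CYRILLIC"},
    # generic TLDs such as .com have no entry: ASCII only
}

# Name prefixes of characters that belong to no particular script.
NEUTRAL = {"DIGIT", "HYPHEN"}


def char_script(ch):
    """Approximate the script of `ch` from the first word of its Unicode name
    (LATIN, CYRILLIC, CJK, ...). A heuristic, not the Unicode Script property."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "COMMON" if first in NEUTRAL else first


def decode_labels(domain):
    """Split a domain into labels and decode punycode ('xn--') labels, so the
    characters a user would actually see are what gets checked."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return labels


def check_domain(domain):
    """Return a list of findings; an empty list means nothing suspicious."""
    try:
        labels = decode_labels(domain)
    except UnicodeError as exc:
        return [f"undecodable IDN label: {exc}"]
    tld = labels[-1]
    allowed = NATIONAL_SCRIPTS.get(tld, set())
    findings = []
    for label in labels[:-1]:
        scripts = {char_script(c) for c in label} - {"COMMON"}
        # Finding 1: the label mixes scripts, the classic lookalike pattern.
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixes scripts {sorted(scripts)}")
        # Finding 2: non-ASCII characters outside the TLD's national scripts.
        foreign = {char_script(c) for c in label if ord(c) > 127} - allowed
        if foreign:
            findings.append(
                f"{label!r}: non-ASCII {sorted(foreign)} not permitted under .{tld}")
    return findings


if __name__ == "__main__":
    # Constructed sample names: a Cyrillic 'а' (U+0430) standing in for the
    # Latin 'a', a Danish name under .dk and under .com, and a Japanese name.
    for name in ("secunia.com", "p\u0430ypal.com", "\u00e6bleflaesk.dk",
                 "\u00e6bleflaesk.com", "\u65e5\u672c.jp"):
        print(name.encode("idna").decode("ascii"), check_domain(name) or "ok")
```

The mixed-script test is the one a browser warning would surface regardless of TLD policy; the per-TLD test is what Kristensen's proposal would let a registrar enforce at registration time, so the two findings correspond to the two sides of the debate described above.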
While it is clear that the Internet to a certain degree discriminates against the non-English speaking parts of the world, because only a limited subset of the standard ASCII characters are allowed in domain names, the IDN standard actually allows for one very easy solution that won't discriminate against anyone and at the same time will leave the domains as trustworthy as they are today: Allow the Japanese to use Japanese characters under .jp, the Chinese under .cn, the Germans under .de and so forth.

This will effectively limit the use of national characters to national domains and the users who are used to those characters - those users are also the users who will truly benefit from the use of national characters. After all, the .com TLD was meant to be the commercial top level domain that could be used and accessed by businesses all over the world. Accessing a .com domain with Chinese letters would be almost impossible using an English keyboard.

There are a lot of very good reasons why ICANN, the browser vendors, and other parties should go back to the drawing board and reconsider the implementation of the IDN standard before Microsoft launches IDN support in Internet Explorer, as this certainly will spawn a massive race between legitimate businesses, who try to protect their trademarks, and the scamsters, who want to trick credit card details and other valuable information from the users.

Being a Danish national, I appreciate being able to use the Danish national characters under the .dk top level domain, but I see absolutely no need for the use of those characters under .com and other international top level domains.

Kind regards,

Thomas Kristensen
CTO, Secunia

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts.
Please refer to the grouped virus profile below for more information:

Mydoom.AS - MEDIUM RISK Virus Alert - 2005-02-17 09:25 GMT+1
http://secunia.com/virus_information/15293/mydoom.as/

Mydoom.bb - MEDIUM RISK Virus Alert - 2005-02-17 03:19 GMT+1
http://secunia.com/virus_information/15463/mydoom.bb/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
3.  [SA14160] Mozilla / Firefox Three Vulnerabilities
4.  [SA11165] Microsoft Internet Explorer Multiple Vulnerabilities
5.  [SA14164] Safari IDN Spoofing Security Issue
6.  [SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue
7.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8.  [SA14154] Opera IDN Spoofing Security Issue
9.  [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
10. [SA14295] Linux Kernel Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14283] Sami HTTP Server Denial of Service and Directory Traversal
[SA14274] IBM WebSphere Application Server JSP Source Code Disclosure
[SA14304] Internet Explorer/Outlook Express Status Bar Spoofing
[SA14256] ZoneAlarm / Integrity "NtConnectPort()" Hook Invalid Pointer Dereference

UNIX/Linux:
[SA14315] Ubuntu update for lesstif2
[SA14301] Conectiva update for XFree86
[SA14287] Debian update for awstats
[SA14260] SGI Advanced Linux Environment update for less/xpdf
[SA14259] SGI Advanced Linux Environment Multiple Updates
[SA14318] Debian update for emacs21
[SA14308] Gentoo update for lighttpd
[SA14307] Gentoo update for emacs/xemacs
[SA14305] Mandrake update for emacs
[SA14297] lighttpd "%00" Application Source Code Disclosure Vulnerability
[SA14296] Ubuntu update for kernel
[SA14295] Linux Kernel Multiple Vulnerabilities
[SA14288] Mandrake update for mailman
[SA14282] Gentoo update for opera
[SA14281] Fedora update for xemacs
[SA14279] Red Hat update for python
[SA14267] Trustix Updates for Multiple Packages
[SA14258] Conectiva update for evolution
[SA14257] SUSE update for mailman
[SA14252] SUSE Updates for Multiple Packages
[SA14251] Red Hat update for squid
[SA14314] Gentoo update for kdeedu
[SA14306] KDE fliccd Buffer Overflow Vulnerabilities
[SA14261] SGI Advanced Linux Environment update for krb5
[SA14303] Debian update for htdig
[SA14290] Gentoo update for postgresql
[SA14285] Sun Solaris FTP Server PASV Commands Denial of Service
[SA14280] Red Hat update for postgresql
[SA14276] Gentoo update for htdig
[SA14275] Gentoo update for pdns
[SA14271] Squid FQDN Lookup Denial of Service Vulnerability
[SA14269] Gentoo update for mod_python
[SA14255] ht://Dig "config" Parameter Cross-Site Scripting Vulnerability
[SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability
[SA14249] Ubuntu update for mod_python
[SA14316] Gentoo update for wpa_supplicant
[SA14310] Debian update for postgresql
[SA14309] Mandrake update for rwho
[SA14286] Sun Solaris ARP Flooding Denial of Service Vulnerability
[SA14278] Debian update for netkit-rwho
[SA14266] netkit-rwho rwhod Packet Validation Denial of Service
[SA14265] Gentoo webmin Encrypted Root Password Disclosure
[SA14300] Debian update for synaesthesia
[SA14292] Gentoo update for VMware
[SA14291] VMware Workstation gdk-pixbuf Path Searching Vulnerability
[SA14277] Debian toolchain-source "tpkg-*" Privilege Escalation
[SA14270] Linux Kernel Memory Disclosure and Privilege Escalation
[SA14264] Gentoo update for perl
[SA14254] KDE kdelibs dcopidlng Script Insecure Temporary File Creation
[SA14250] Debian update for xpcd
[SA14248] xpcd Buffer Overflow Vulnerabilities
[SA14317] Debian update for typespeed
[SA14312] Typespeed Format String Vulnerability

Other:

Cross Platform:
[SA14311] HP Web-Enabled Management Software HTTP Server Buffer Overflow
[SA14268] ELOG Two Vulnerabilities
[SA14273] Quake3 Engine Query Handling Denial of Service Vulnerability
[SA14272] CubeCart "language" Local File Inclusion Vulnerability
[SA14263] Siteman Site Owner Registration Security Bypass Vulnerability
[SA14293] BrightStor ARCserve Backup Discovery Service SERVICEPC Buffer Overflow
[SA14299] AWStats Multiple Vulnerabilities
[SA14298] BEA WebLogic Server/Express User Account Enumeration
[SA14294] OpenConf Title Script Insertion Vulnerability
[SA14289] PHP-Nuke Cross-Site Scripting Vulnerabilities
[SA14262] NewsBruiser Comment System Security Bypass Vulnerability
[SA14313] wpa_supplicant EAPOL-Key Frames Buffer Overflow
[SA14284] Mercuryboard "debug" Debug Information Disclosure

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA14283] Sami HTTP Server Denial of Service and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released:    2005-02-15

Ziv Kamir has reported two vulnerabilities in Sami HTTP Server, which can be exploited by malicious people to disclose sensitive information or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14283/

--

[SA14274] IBM WebSphere Application Server JSP Source Code Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-14

A vulnerability has been reported in WebSphere Application Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/14274/

--

[SA14304] Internet Explorer/Outlook Express Status Bar Spoofing

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-17

bitlance winter has discovered a weakness in Internet Explorer/Outlook Express, which can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs.

Full Advisory:
http://secunia.com/advisories/14304/

--

[SA14256] ZoneAlarm / Integrity "NtConnectPort()" Hook Invalid Pointer Dereference

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-02-14

iDEFENSE has reported a vulnerability in various ZoneAlarm products and Check Point Integrity Client, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14256/

UNIX/Linux:--

[SA14315] Ubuntu update for lesstif2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-02-17

Ubuntu has issued an update for lesstif2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14315/

--

[SA14301] Conectiva update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-15

Conectiva has issued an update for XFree86. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14301/

--

[SA14287] Debian update for awstats

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-15

Debian has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14287/

--
[SA14260] SGI Advanced Linux Environment update for less/xpdf
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-14

SGI has issued a patch for less and xpdf in SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14260/

--
[SA14259] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-02-14

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited to cause a DoS (Denial of Service), gain escalated privileges, or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14259/

--
[SA14318] Debian update for emacs21
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-17

Debian has issued an update for emacs21. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14318/

--
[SA14308] Gentoo update for lighttpd
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-16

Gentoo has issued an update for lighttpd. This fixes a vulnerability, which can be exploited by malicious people to disclose some potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14308/

--
[SA14307] Gentoo update for emacs/xemacs
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-16

Gentoo has issued updates for emacs and xemacs. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14307/

--
[SA14305] Mandrake update for emacs
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-16

MandrakeSoft has issued an update for emacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14305/

--
[SA14297] lighttpd "%00" Application Source Code Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-16

A vulnerability has been reported in lighttpd, which can be exploited by malicious people to disclose some potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14297/

--
[SA14296] Ubuntu update for kernel
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information, DoS
Released: 2005-02-16

Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service), or by malicious people to cause a DoS or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14296/

--
[SA14295] Linux Kernel Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information, DoS
Released: 2005-02-16

Some vulnerabilities have been reported in the Linux kernel. These can be exploited by malicious, local users to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service), or by malicious people to cause a DoS or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14295/

--
[SA14288] Mandrake update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-15

MandrakeSoft has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to gain knowledge of users' passwords.

Full Advisory: http://secunia.com/advisories/14288/

--
[SA14282] Gentoo update for opera
Critical: Moderately critical
Where: From remote
Impact: Spoofing, Exposure of system information, Privilege escalation, System access
Released: 2005-02-15

Gentoo has issued an update for opera. This fixes some vulnerabilities, which can be exploited by malicious people to disclose some system information, spoof the content of websites, trick a user into executing malicious files and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14282/

--
[SA14281] Fedora update for xemacs
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-15

Fedora has issued an update for xemacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14281/

--
[SA14279] Red Hat update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-02-14

Red Hat has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14279/

--
[SA14267] Trustix Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-02-14

Trustix has issued updates for bind, clamav, cpio, cups, mod_python, perl, postgresql, python and squid. These fix some vulnerabilities, one with an unknown impact and others which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), disclose and manipulate sensitive information, bypass certain security restrictions and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14267/

--
[SA14258] Conectiva update for evolution
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-02-17

Conectiva has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14258/

--
[SA14257] SUSE update for mailman
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-15

SUSE has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to gain knowledge of users' passwords.

Full Advisory: http://secunia.com/advisories/14257/

--
[SA14252] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-02-14

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service) and compromise a user's system.
Full Advisory: http://secunia.com/advisories/14252/

--
[SA14251] Red Hat update for squid
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2005-02-14

Red Hat has issued an update for squid. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), bypass certain security restrictions, or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14251/

--
[SA14314] Gentoo update for kdeedu
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-17

Gentoo has issued an update for kdeedu. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14314/

--
[SA14306] KDE fliccd Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-16

Erik Sjölund has reported some vulnerabilities in KDE, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14306/

--
[SA14261] SGI Advanced Linux Environment update for krb5
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-14

SGI has issued a patch for krb5 in SGI Advanced Linux Environment. This fixes two vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14261/

--
[SA14303] Debian update for htdig
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-15

Debian has issued an update for htdig.
This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14303/

--
[SA14290] Gentoo update for postgresql
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2005-02-15

Gentoo has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14290/

--
[SA14285] Sun Solaris FTP Server PASV Commands Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-15

Sun has acknowledged an older vulnerability in Sun Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14285/

--
[SA14280] Red Hat update for postgresql
Critical: Less critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS
Released: 2005-02-14

Red Hat has issued an update for postgresql. This fixes various vulnerabilities, which can be exploited by malicious users to gain escalated privileges, cause a DoS (Denial of Service), or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14280/

--
[SA14276] Gentoo update for htdig
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-14

Gentoo has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14276/

--
[SA14275] Gentoo update for pdns
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-14

Gentoo has issued an update for pdns. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14275/

--
[SA14271] Squid FQDN Lookup Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-14

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14271/

--
[SA14269] Gentoo update for mod_python
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-14

Gentoo has issued an update for mod_python. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14269/

--
[SA14255] ht://Dig "config" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-14

Michael Krax has reported a vulnerability in ht://Dig, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14255/

--
[SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-14

Oriol Torrent Santiago has reported a vulnerability in Open WebMail, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14253/

--
[SA14249] Ubuntu update for mod_python
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-11

Ubuntu has issued an update for mod_python. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14249/

--
[SA14316] Gentoo update for wpa_supplicant
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-17

Gentoo has issued an update for wpa_supplicant.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14316/

--
[SA14310] Debian update for postgresql
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2005-02-16

Debian has issued an update for postgresql. This fixes some vulnerabilities, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14310/

--
[SA14309] Mandrake update for rwho
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-17

MandrakeSoft has issued an update for rwho. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14309/

--
[SA14286] Sun Solaris ARP Flooding Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-15

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14286/

--
[SA14278] Debian update for netkit-rwho
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-14

Debian has issued an update for netkit-rwho. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14278/

--
[SA14266] netkit-rwho rwhod Packet Validation Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-14

Vlad902 has reported a vulnerability in netkit-rwho, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14266/

--
[SA14265] Gentoo webmin Encrypted Root Password Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2005-02-14

Gentoo has issued an update for webmin. This fixes a security issue, which may disclose sensitive information to malicious people.

Full Advisory: http://secunia.com/advisories/14265/

--
[SA14300] Debian update for synaesthesia
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-15

Debian has issued an update for synaesthesia. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14300/

--
[SA14292] Gentoo update for VMware
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-15

Gentoo has issued an update for VMware. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14292/

--
[SA14291] VMware Workstation gdk-pixbuf Path Searching Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-15

Tavis Ormandy has discovered a vulnerability in VMware Workstation, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14291/

--
[SA14277] Debian toolchain-source "tpkg-*" Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-14

Sean Finney has reported some vulnerabilities in toolchain-source, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14277/

--
[SA14270] Linux Kernel Memory Disclosure and Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Unknown, Exposure of sensitive information, Privilege escalation
Released: 2005-02-15

Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to disclose kernel memory or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14270/

--
[SA14264] Gentoo update for perl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-14

Gentoo has issued an update for perl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14264/

--
[SA14254] KDE kdelibs dcopidlng Script Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-14

Davide Madrisan has reported a vulnerability in KDE kdelibs, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.

Full Advisory: http://secunia.com/advisories/14254/

--
[SA14250] Debian update for xpcd
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-11

Debian has issued an update for xpcd. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14250/

--
[SA14248] xpcd Buffer Overflow Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-11

Erik Sjölund has reported some vulnerabilities in xpcd, which may be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14248/

--
[SA14317] Debian update for typespeed
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-17

Debian has issued an update for typespeed. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14317/

--
[SA14312] Typespeed Format String Vulnerability
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-17

Ulf Härnhammar has reported a vulnerability in Typespeed, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14312/

Other:

Cross Platform:
--
[SA14311] HP Web-Enabled Management Software HTTP Server Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-16

A vulnerability has been reported in HP HTTP Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14311/

--
[SA14268] ELOG Two Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-02-15

Two vulnerabilities have been reported in ELOG, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14268/

--
[SA14273] Quake3 Engine Query Handling Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-14

Luigi Auriemma has reported a vulnerability in Quake3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14273/

--
[SA14272] CubeCart "language" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-14

John Cobb has reported a vulnerability in CubeCart, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14272/

--
[SA14263] Siteman Site Owner Registration Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-15

A vulnerability has been reported in Siteman, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14263/

--
[SA14293] BrightStor ARCserve Backup Discovery Service SERVICEPC Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-15

cybertronic has reported a vulnerability in BrightStor ARCserve/Enterprise Backup, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14293/

--
[SA14299] AWStats Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Privilege escalation, DoS
Released: 2005-02-15

GHC has reported some vulnerabilities in AWStats, which potentially can be exploited by malicious, local users to gain escalated privileges, and by malicious people to disclose system information and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14299/

--
[SA14298] BEA WebLogic Server/Express User Account Enumeration
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-02-15

A security issue has been reported in WebLogic Server and WebLogic Express, which can be exploited by malicious people to enumerate valid user accounts.
Full Advisory: http://secunia.com/advisories/14298/

--
[SA14294] OpenConf Title Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-15

RedTeam has reported a vulnerability in OpenConf, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/14294/

--
[SA14289] PHP-Nuke Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-02-15

Janek Vind "waraxe" has reported two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14289/

--
[SA14262] NewsBruiser Comment System Security Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-17

Jarno has reported a vulnerability in NewsBruiser, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14262/

--
[SA14313] wpa_supplicant EAPOL-Key Frames Buffer Overflow
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-02-17

A vulnerability has been reported in wpa_supplicant, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14313/

--
[SA14284] Mercuryboard "debug" Debug Information Disclosure
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-02-15

Lostmon has discovered a weakness in Mercuryboard, which can be exploited by malicious people to disclose some system information.

Full Advisory: http://secunia.com/advisories/14284/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 18 04:28:08 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:22 2005
Subject: [ISN] Clarke rips Microsoft over security
Message-ID:

http://seattlepi.nwsource.com/business/212437_rsaclarke17.html

By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER
February 17, 2005

SAN FRANCISCO -- Don't expect Richard Clarke to rely on Microsoft Corp.'s anti-virus or anti-spyware programs to protect his own computer.

"Given their record in the security area, I don't know why anybody would buy from them," the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft's forthcoming line of security software.

The observation came during an impromptu interview on the sidelines of the RSA computer security conference in San Francisco, where Clarke took part in panel discussions with other experts in technological and national security.

His take on Microsoft's planned security-software offerings underscores one of the major challenges the Redmond company will face as it proceeds -- the fact that many of the online threats encountered by computer users take advantage of vulnerabilities in the company's own products.

Microsoft has been trying to reduce and fix vulnerabilities as part of a broader companywide initiative to improve security and related issues. Bill Gates this week also announced plans to supplement those efforts by offering anti-spyware software free to individual Windows users.
The company also plans to release an anti-virus product this year and introduce a new version of Internet Explorer this summer -- about a year sooner than expected -- to boost security.

But Clarke, during one panel discussion yesterday, called on Microsoft and other software companies to become more publicly accountable in their efforts to develop secure software. He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code.

The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development. Outside experts would then be able to judge how well each company lives up to those practices.

"There's no fine involved, there's no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what's going on," Clarke said, drawing a round of applause from the crowd at San Francisco's Moscone Center.

Panelists compared the concept to the effort to hold public companies to standards for financial reporting under the Sarbanes-Oxley Act. Asked about the issue afterward, Clarke acknowledged that he doesn't believe Microsoft would ever agree to such a plan.

In a statement responding to Clarke's comments, Microsoft said it has formalized its internal security efforts by adopting an official life cycle that it uses to develop secure software, in addition to publishing books and other materials about the methods it follows. At the same time, the company said it makes its security-related tools available to independent developers, works with other companies on security issues and offers formal training on security.

"The market is demanding security now, and that hard work is going forward already," said Amy Roberts, director of product management in Microsoft's Security Business and Technology Unit, in the statement.
During a panel discussion on technology regulation, Rick White, a former Republican congressman from Washington state, agreed with Clarke that it would be good to establish visible standards by which companies could be judged in the marketplace.

"I think that's a blueprint for something that probably works," said White, now chief executive of technology lobbying organization TechNet. "It's just a question of how far you get the government involved."

But on the subject of government involvement, White and Clarke disagreed, as illustrated by a related discussion of Internet service providers. Clarke said he would want to see government regulation of ISPs to ensure that they offer adequate levels of security to their customers. But White warned that regulation in general could hinder technological advances.

"We have a great thing going in terms of innovation in this country," he said. "We're leading the world and we need to be able to continue to do that."

Another panelist, security expert Bruce Schneier, said it was important to remember that the underlying goal of software companies is financial, no matter how well intentioned their security efforts.

"Companies are not charities," Schneier said. "They don't do this stuff out of the goodness of their heart. They do it because the marketplace demands it, they do it because liability demands it, they do it because regulation demands it, they do it because competition demands it. Something has to demand it." Along those lines, he said, "The marketplace will only go so far."

Clarke, who advised four presidents, rose to a new level of prominence last year with charges that President Bush failed to take the terrorist threat seriously prior to the Sept. 11 terrorist attacks. A book by Clarke and his testimony before the 9/11 Commission detailed his efforts to sound the alarm about terrorism.

He raised similar themes yesterday, saying that industry and government need to pay greater attention to the risk of cyberterrorism.
"Regulation is neither good nor bad -- it depends upon the industry and the regulation. There is smart regulation. But industry should bear this in mind when they resist any regulation: After we have a major incident, there will be much worse regulation than you could get now."

From isn at c4i.org Fri Feb 18 04:28:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:24 2005
Subject: [ISN] Security Lacking at Major Canada Power Plants - TV
Message-ID:

Forwarded from: William Knowles

http://www.metronews.ca/reuters_national.asp?id=56498

February 16, 2005

OTTAWA (Reuters) - Security at two of Canada's most important electricity generating plants is so lax that terrorists would have no trouble at all getting in, according to a television report.

A team from the French-language RDI channel wandered around the Manic-5 and Robert Bourassa hydro-electric plants in the remote James Bay area of French-speaking Quebec without seeing a single security guard.

The plants, linked to a series of giant dams, supply power to Quebec and the north-eastern United States.

In a special report, which was aired on Tuesday night, the RDI team drove in an unmarked van to the center of the Robert Bourassa generating station. They then passed through an unlocked door and made their way to the control panels without once being challenged.

The plants are run by provincially-owned Hydro Quebec, which went to court on Tuesday to seek an injunction preventing RDI from showing the report on security grounds.

Hydro-Quebec president Andre Caille said in a statement he was troubled by the RDI report, adding that "we are taking all the means at our disposal to ensure the security of our installations."

The RDI team, which filmed the report last week, said they had not spotted a single closed-circuit camera. At one point a reporter was seen scaling a gate near a major dam without being challenged.
*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Feb 18 04:29:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:26 2005
Subject: [ISN] Hackers "shoot" the security pros at the RSA Convention
Message-ID:

http://www.tomshardware.com/hardnews/20050217_180417.html

By Humphrey Cheung
February 17, 2005

San Francisco (CA) - From the second floor of the Moscone Convention Center, a trio of hackers point their Bluetooth Sniper Rifle at the show attendees below. Bluetooth devices have become commonplace, especially with the technical crowd at the RSA Convention. Maybe thousands of Bluetooth devices were worn by attendees. The guys at Flexilis may have scanned them all.

James Burgess, from Flexilis, a wireless think tank, says that the BlueSniper gun is a very simple concept. "It's basically a gun stock, with an antenna on it. The thing that makes it cool is the gumstick PC built into the magazine. It is completely self-contained."

Flexilis demonstrated a similar gun at the 2004 Defcon Convention in Las Vegas. That gun was hastily put together, basically with rubber bands and tie straps. This updated version was better looking and much bigger. So big the Flexilis guys had to mount it on a tripod.

Constructing the gun was easy. A tube-shaped antenna, tuned for Bluetooth frequencies, was attached to an aftermarket gun stock. LMR-400 cable connects the antenna to a miniature computer, located in the magazine of the gun. The total cost of the parts was less than $500.

While the gun looks impressive, John Hering says, "The real magic happens inside the computer."
The magazine containing a small computer is loaded into the gun. A bright blue LED glows on the outside of the gun, after the magazine is inserted and turned on. The computer is powered by a 400 MHz XScale processor and has serial output. It accepts the Bluetooth signals from the antenna and has an MMC slot, which can store all the signals from the Bluetooth antenna.

Kevin Mahaffey, the main programmer at Flexilis, explains their homegrown software can find vulnerable phones, list their services and perform exploits. During our demonstration, he only showed off the vulnerability and service scans, but he says that it would have been trivial to crash or even rip contact lists from vulnerable phones.

In a few minutes of scanning, the group picked up more than one hundred phones. The phones were listed by the MAC address, which is the unique hardware address burned into every phone. All of this information can be stored on a MMC card inside the gumstick computer - making the BlueSniper gun self-contained.

So for the security professionals at the RSA Security Conference, don't forget to look up, as you are being watched.

From isn at c4i.org Fri Feb 18 04:29:42 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:29 2005
Subject: [ISN] RSA: Microsoft on 'rootkits': Be afraid, be very afraid
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html

By Paul Roberts
FEBRUARY 17, 2005
IDG NEWS SERVICE

Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week.

The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner's knowledge, either by a virus or after a successful hack of the computer's defenses, they said.

Once installed, many rootkits run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio.

The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard.

One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself. It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard.

Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.
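The cross-view comparison the researchers describe (a listing taken inside the running system, which a kernel rootkit can filter, against one taken from a clean boot medium, which it cannot) can be shown in a few lines. This is an added example, not the article's or Microsoft's GhostBuster code; every path, size and hash in it is constructed, and the "filtered view" function only models the hiding behaviour in order to produce test data.

```python
"""Cross-view difference check for rootkit-hidden files (added example).

Models the detection idea in the article: a listing taken from inside the
running system (which a kernel rootkit can filter) is compared with a listing
taken offline from a clean boot medium (which it cannot). All data constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Entry:
    """One file as seen by a scan: path, size in bytes, SHA-256 of content."""
    path: str
    size: int
    sha256: str


def make_entry(path: str, content: bytes) -> Entry:
    """Build an Entry from constructed content (stands in for reading the file)."""
    return Entry(path, len(content), hashlib.sha256(content).hexdigest())


# Constructed ground truth: what is really on disk, i.e. the "outside" view a
# clean boot medium (such as the Windows PE CD named in the article) would see.
TRUE_LISTING = [
    make_entry(r"C:\Windows\system32\kernel32.dll", b"legit-library"),
    make_entry(r"C:\Windows\system32\drivers\disk.sys", b"legit-driver"),
    make_entry(r"C:\Windows\system32\drivers\rk_example.sys", b"hidden-driver"),
    make_entry(r"C:\Windows\rk_example.ini", b"hidden-config"),
    make_entry(r"C:\pagefile.sys", b"changes-on-every-boot"),
    make_entry(r"C:\Windows\explorer.exe", b"legit-shell"),
]

# Paths whose contents legitimately differ between a live and an offline view;
# they must not be reported as tampering. Constructed, not exhaustive.
VOLATILE = frozenset({r"C:\pagefile.sys"})


def simulated_filtered_view(true_listing: list, hide_marker: str) -> list:
    """Model of the hiding the article describes: the live directory listing
    comes back with every entry containing hide_marker removed. A stand-in for
    a filtered system call, used here only to produce test data."""
    return [e for e in true_listing if hide_marker not in e.path]


def cross_view_diff(inside: list, outside: list, volatile=frozenset()) -> dict:
    """Compare the live (inside) view with the offline (outside) view.

    hidden:   on disk but absent from the live listing (classic rootkit sign)
    tampered: same path, different content, outside the volatile allowlist
    phantom:  reported live but not on disk (stale or spoofed listing)
    """
    by_path_in = {e.path: e for e in inside}
    by_path_out = {e.path: e for e in outside}
    hidden, tampered, phantom = [], [], []
    for path, out_entry in by_path_out.items():
        live = by_path_in.get(path)
        if live is None:
            hidden.append(out_entry)
        elif path not in volatile and live.sha256 != out_entry.sha256:
            tampered.append((live, out_entry))
    for path, in_entry in by_path_in.items():
        if path not in by_path_out:
            phantom.append(in_entry)
    return {"hidden": hidden, "tampered": tampered, "phantom": phantom}


def hidden_paths(inside: list, outside: list) -> list:
    """Sorted paths that exist offline but are missing from the live view."""
    report = cross_view_diff(inside, outside, VOLATILE)
    return sorted(e.path for e in report["hidden"])


if __name__ == "__main__":
    live_view = simulated_filtered_view(TRUE_LISTING, "rk_example")
    report = cross_view_diff(live_view, TRUE_LISTING, VOLATILE)
    for e in report["hidden"]:
        print(f"HIDDEN from live view: {e.path} ({e.size} bytes, "
              f"sha256 {e.sha256[:12]}...)")
    print(f"{len(report['tampered'])} tampered, {len(report['phantom'])} phantom")
```

The volatile allowlist is the part practitioners get wrong: without it, page files and logs that change on every boot show up as tampering and bury the real findings.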
Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference. The operating system's powerful application programming interfaces make it easy to mask behaviors on the system.

Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.

Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said.

"These people are smart. They're very smart," he said.

From isn at c4i.org Fri Feb 18 04:30:06 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:31 2005
Subject: [ISN] Davis questions security of Treasury Web site
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35113-1.html

By Mary Mosquera
GCN Staff
02/17/05

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, wrote today to Van Zeck, the Treasury Department's commissioner of the Public Debt, to express concern over the safety and security of personal information collected on the www.treasurydirect.gov Web site, which enables people to purchase government savings bonds electronically.

Treasury received a D+ on the 2004 federal computer security scorecard Davis' committee released yesterday.

"I am concern(ed) about the extent of personal information that is required to be disclosed on the Web site," Davis wrote.

While many online financial transactions require individuals to submit their credit card account numbers, treasurydirect.gov instructs users to electronically transmit their Social Security number, driver's license number, bank routing number and account number, home address, date of birth and e-mail address, in addition to other personal information.

"Expecting individuals to provide their personal banking account information rather than relying on their credit card information is troubling to me," Davis said.

Transacting online purchases with a credit card provides a shield to consumers that is not available to individuals who transmit personal bank account routing and Social Security numbers over the Internet.

Davis also found troubling a disclaimer in the Web site's privacy and security notice that Treasury cannot guarantee the confidentiality of the personal information as it travels across the Internet. However, the notice said the Bureau of the Public Debt uses the Secure Sockets Layer protocol and 128-bit encryption technology to protect the information.

"We'll be taking a look at other Web sites. Part of the effort to promote e-gov is to have citizens feel confident that the information they provide will be safe and secure. Otherwise it will be hard to promote e-gov," said House Government Reform Committee spokesman Drew Crockett.

From isn at c4i.org Fri Feb 18 04:31:57 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 18 04:35:33 2005
Subject: [ISN] Confidential data left on old PCs
Message-ID:

http://www.vnunet.com/news/1161309

[Time for our yearly report on how used hard drives bought from eBay elicit sensitive security information. Guess what, nothing has changed! http://seclists.org/lists/isn/2003/Jan/0072.html - WK]

Peter Warren
Computing
17 Feb 2005

Highly-sensitive information such as passwords and user names of company executives has been found on used computer disk drives bought on eBay.
Researchers at the University of Glamorgan analysed some 100 randomly-sourced PC hard disks, and discovered that more than half contained data from organisations such as multinational companies, universities and a primary school.

Data on the disks included:

* staff records, passwords, internal emails and financial details
* school reports, a list of pupils, and letters to parents
* a document template for university degree certificates.

Attempts had been made to destroy data on nearly half the disks in the study, but significant material remained intact.

'On at least seven of the disks that I have seen there was enough information to allow a hacker to get into an organisation,' said Dr Andy Jones, security research group leader for BT Exact, who examined the disks.

The government issues guidelines to businesses and public bodies on the proper disposal of computer equipment, much of it freely available online. But the University of Glamorgan research, seen exclusively by Computing, suggests that even the most diligent organisations can still be affected.

Information from Swedish insurance company Skandia was uncovered, even though the firm invests in data destruction.

'This is not embarrassing for us, it's absolutely horrifying,' said a Skandia spokeswoman. 'We pay to have our data wiped thoroughly, so we are going to have to investigate to discover how it happened and make sure it does not happen in the future.'

Southampton University says it has launched an investigation, after passwords and staff emails were discovered by the research. The university uses a specialist company to wipe disks before disposal of equipment.

'We need to find out what happened and ensure it doesn't happen again,' said a spokeswoman.

Agrochemicals company Monsanto says it will investigate how details of crop research from its Cambridge offices were found.

'We assume this is an isolated incident which has arisen during the restructuring of our Cambridge offices, when a number of IT items were disposed of at the end of their working lives,' said a spokesman. 'It seems a serious lapse in our procedures for the disposal of surplus IT kit has occurred.'

Computing has requested that all disks and data recovered by the University of Glamorgan research are returned to their original owners or destroyed.

From isn at c4i.org Tue Feb 22 09:13:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:23:52 2005
Subject: [ISN] Hackers post Paris Hilton's address book online
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99934,00.html

[My understanding of the Danger Hiptop/T-Mobile Sidekick is that unlike Blackberrys or Palm PDAs, the Sidekick does a real-time sync with the T-Mobile servers automatically. Update a note, take a photo or a phone number and the information is transmitted on the fly back to T-Mobile network servers; compromise the internal servers, and more than likely you wouldn't need physical access to the PDA to steal the data. - WK]

By Paul Roberts
FEBRUARY 21, 2005
IDG NEWS SERVICE

Hackers penetrated the crystalline ranks of Hollywood celebrity Saturday, posting the cellular phone address book of hotel heiress and celebrity Paris Hilton on a Web page and passing the phone numbers and e-mail addresses of some of Tinsel Town's hottest stars into the public realm.

A copy of Hilton's T-Mobile USA Inc. cell phone address book appeared on the Web site of a group calling itself "illmob." The address book contains information on over 500 of Hilton's acquaintances, including super celebrities such as Eminem and Christina Aguilera. It is not known how the information was obtained, but the release of the contact book may be further fallout from a hack of T-Mobile's servers that came to light in January.

The Hilton address book was posted on the illmob Web site early Sunday and is a simple HTML table listing the phone numbers and e-mail addresses for acquaintances, along with other useful information, such as the number of the San Francisco Hilton Hotel and celebrity attorney Robert Shapiro.

The leak is bound to prompt a furious round of unplanned number changes among Hilton's coterie, after fans and curious Web surfers learned of the hack and began dialling their favorite celebrities. Eminem's phone number was changed. Limp Bizkit front man Fred Durst's voice mailbox was full. Tennis star Anna Kournikova's number was busy, despite repeated attempts to get through. Robert Shapiro's answering machine picked up when called and provided a number to page the star attorney in an emergency. There was no answer at Hilton's home, nor did sister Nicky Hilton answer calls to her phone.

Reached by phone, actor Kevin Connelly, of the cable television show "Entourage," said he had received between 200 and 300 phone calls since early Sunday, as word of the hacked address book spread across the Internet. Connelly plays opposite Adrian Grenier in the HBO show about a young celebrity and his colorful entourage of old school chums. He declined to comment on whether he knew Hilton or why his name appeared in her T-Mobile phone list.

Connelly, who received at least one other call while on the line with this reporter, said he would likely change his phone number today to stop the harassment.

It was unclear yesterday how the cell phone contact list was obtained. However, Hilton's was one of a number of celebrity cell phones that was reportedly compromised in an attack on T-Mobile's network that netted information on 400 of the company's customers, including sensitive information from the account of a U.S. Secret Service agent.

In January, the Bellevue, Wash., mobile carrier acknowledged that Nicholas Jacobsen, a California-based hacker, compromised its internal computer systems in 2003 and viewed the Social Security numbers of 400 customers. T-Mobile, which is part of Deutsche Telekom AG, did not immediately respond to requests for comment late Sunday.

Jacobsen pleaded guilty last week to one felony charge of accessing a protected computer and causing reckless damage. He is scheduled to be sentenced in May and faces a maximum possible sentence of five years imprisonment and a $250,000 fine.

From isn at c4i.org Tue Feb 22 09:13:26 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:23:55 2005
Subject: [ISN] Book Review: Managing Information Security Risks: The OCTAVE Approach
Message-ID:

http://books.slashdot.org/books/05/02/21/2129224.shtml

[http://www.amazon.com/exec/obidos/ASIN/0321118863/c4iorg - WK]

Author: Christopher Alberts and Audrey Dorofee
Pages: 471
Publisher: Addison-Wesley Longman
Rating: 5
Reviewer: Jose Nazario
ISBN: 0321118863
Summary: An introduction to information security risk management using the OCTAVE method

Authors Alberts and Dorofee are the principal developers of OCTAVE and are staff members at the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), where CERT has offices. As such, they're the right people to describe OCTAVE. The CERT OCTAVE website area explains the process in more detail. Needless to say, OCTAVE is a very large, complex, heavy process for an organization to go through, with some arguable benefits. Very few organizations have done so to the best of my knowledge -- most of them are scared off by the complexity of the whole undertaking.

This brings up a very important point. It's important to state the difference between a critique of the OCTAVE method and the book itself. OCTAVE is interesting in that it's an attempt to formalize the complex process of information security evaluations.
Despite its shortcomings and turnoffs, it has a purpose, and I won't dispute it for the most part. The book, instead, covers an abbreviated format of OCTAVE. It's important to focus on the strengths and weaknesses of the book and not the topic.

The book is organized into three main parts. Part 1 (covering chapters 1 and 2) is an introduction to the principles being discussed in the book. The method itself, and therefore these chapters, focus on a formal evaluation of information security risks and how to manage them. The principles focus on enumeration of assets, their threats and vulnerabilities, and then remediation of the threats to minimize the risk. The section introduces the core concepts to this philosophy.

Part 2 of the book, covering chapters 3 through 11, serves two main purposes, preparation and then execution of the method. Chapter 3 introduces the fundamentals of the OCTAVE method, specifically how the three phases (asset-based threat profiles, vulnerability identification, and security strategy planning) fit together. The inputs of the method and its outputs are then described; you'll be using them in later chapters. Chapter 4 helps you prepare for the approach in your organization, including how important it is to get management buy-in, who will participate, and how to organize the evaluation. Project managers will adore this chapter.

The next few chapters cover the meat of the OCTAVE method. Chapter 5 covers processes 1 to 3, where assets are enumerated and the current state of the security profile is captured, as well. This step is crucial for building a baseline and knowing what you'll have to cover. Chapter 6 leads you through the threat profile, where you examine assets that you've identified as critical and the security requirements for them. And finally, in Chapter 7, the basic identification steps are done as you identify critical infrastructure components to examine later on. This is done so that you can work efficiently, as opposed to studying every asset in depth. By studying classes of assets you can (hopefully) achieve the same coverage without spending valuable time repeating the process.

Chapters 8 and 9 deal with the commonly understood parts, the actual vulnerability and risk analysis. Chapter 8 discusses vulnerability assessment tools and some basic questions to ask about them, but leaves the actual evaluation of those tools up to another text. Chapter 9 then helps you undertake the actual risk analysis, such as the impact of any threat being realized or the probability that one would be encountered. This is what most people think of when they think of an information security audit.

This gets to what is perhaps my biggest complaint about the book. It doesn't teach you how to think creatively about threats to information security. Instead, you're told to enumerate assets and threats against them via brainstorming, as though you'll somehow "get it" the first time (or every time). For someone new to the field, this can be hard, because not all assets are obvious -- and not all threats are understood. It's a hard skillset to teach, but it should have been attempted with more gusto.

Chapters 10 and 11 close the big circle of an information security audit, by developing an information security protection strategy. It's basically a series of outlines of meetings and their agendas as you present the findings of the evaluation but are (obviously) vague in the absence of any concrete findings.

This is probably a good time to raise another objection to this book. My second biggest complaint is that the authors never cut to the heart of what the OCTAVE method is trying to do. Sure, the book covers a stripped-down version of OCTAVE, but it doesn't ever get at how you can really adapt this to your organization. Instead, it's a series of rigid steps in the OCTAVE method. If you attempt to do something different for whatever reason, you're on your own. Again, an attempt to work in some flexibility beyond what is present in Chapter 12 (An Introduction to Tailoring OCTAVE, the start of part 3) would have been welcome. This chapter just keeps you inside the narrow confines of the OCTAVE approach.

Chapter 13 attempts to bring this home by discussing the practical applications for an organization. They attempt to discuss how a small company would utilize OCTAVE, but to be honest it's so heavy and time-consuming it's hard to see how they would employ anything but the barest of concepts to their workflow. Three other examples are given: a very large distributed organization, an integrated Web portal service provider (which faces unique threats), and large and small organizations. Again, while this chapter attempts to show how to tailor OCTAVE to anything but the largest and most diligently staffed of organizations, it fails to get to the salient points of the method. Instead, it tries to foist the process on them.

Finally, chapter 14 tries to bring it all home and discuss the information security life cycle of analysis, monitoring, control, and implementation (not in that order). They hope that OCTAVE has become a part of this process and show how it complements and matures this process. Instead, I wonder if an organization will think about the effort they just expended and be reluctant to do this again.

The appendices are piles of worksheets, charts and workflows to go through with OCTAVE. You can make photocopies and use them if you implement the OCTAVE approach.

It's very hard to consider these methods strong enough when you read about the report card government agencies received for information security. While they may have not been following OCTAVE, it's hard to see how a book that so superficially treats the subject matter can help anyone do better. Almost everything is just a high-level line-item risk-and-mitigation strategy. Things like "Our organization cannot deliver effective or efficient health care without PIDS" and an impact of "High" are, to put it mildly, interesting in their superficiality. So many things are simply glossed over, yet so many worksheets remain. On the other hand, if a fair treatment of threats, assets, and the like were fully discussed the book would be many more volumes, a significantly more tedious tome, and too sensitive to the shifting sands of time.

Overall the book does a decent job of covering OCTAVE's core premises, but doesn't really provide much beyond that. It's a complex process that doesn't work well for a number of organizations. Instead of helping organizations see how to use it, the authors simply keep presenting OCTAVE for what it is, which makes me question the value of this book beyond someone who has already decided to implement OCTAVE. It doesn't seem like it has a lot to offer anyone who doesn't have a large body of knowledge in information security management and a staff to deploy with worksheets in hand. The book simply fails to contribute greatly beyond the very narrow specifics of OCTAVE.

From isn at c4i.org Tue Feb 22 09:13:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:23:57 2005
Subject: [ISN] Microsoft in Quandary Over Virus Security
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A43410-2005Feb22.html

By Allison Linn
The Associated Press
February 22, 2005

SEATTLE -- If Microsoft Corp. doesn't do more to stem Internet attacks, the company risks further alienating customers unhappy with the multitude of threats already facing its ubiquitous software.

Sell its own security products, on the other hand, and Microsoft faces a potential backlash from some of its allies - the companies that now provide an extra layer of security for its Windows operating system, Internet Explorer browser and other products. With a powerhouse like Microsoft becoming a direct competitor, they could get squeezed out.
What a quandary.

Last week, Microsoft Chairman Bill Gates confirmed plans to sell antivirus products to both consumers and big businesses by the end of the year. But the Redmond company is mum on cost and features.

Speaking at a security conference, Gates also said the company would give consumers a free tool for combating spyware, a pesky and growing threat that can monitor users' activities, hinder computer performance and create other hassles. Microsoft also will sell a more sophisticated antispyware product to businesses.

Executives in the security industry say they believe Microsoft's promise to continue sharing security information and working with other security companies even after it becomes a direct competitor.

Analyst Gregg Moskowitz with Susquehanna Financial Group said both sides have an incentive to "continue to play nice with each other." The security companies are dependent on Microsoft to make sure their defenses run smoothly, while Microsoft cannot risk having competing security products break down and wreak more havoc on Windows, Moskowitz said.

"A very significant number of people, if they don't have a good security experience, they're going to hold it against Microsoft - even if they're using another vendor," Moskowitz said.

Still, John Schwarz, president and chief operating officer of Symantec Corp., would rather see Microsoft concentrate on fixing security flaws.

"We believe they'd be better off in focusing on making sure that their platform, the Windows operating system, is less subject to attack," Schwarz said.

Microsoft has worked feverishly to better secure its products, including updating Windows XP with a new firewall and other security measures. But given their widespread use, the products are near-constant targets of attacks that take advantage of loopholes and flaws to hijack computers, steal personal information and cripple businesses.

McAfee Inc. President Gene Hodges calls its new competitor an example of "capitalism at its best." But he said it will only be a fair fight if all companies have a level playing field in which everyone sells, rather than gives away, products.

Microsoft's move to sell antivirus software appears fair so far, Hodges said, though he said Microsoft's decision to give away an antispyware product could hurt smaller players who can't afford such giveaways.

"We would have rather they entered the market for spyware and competed," Hodges said.

Security companies including McAfee already sell antispyware products, generally charging between $30 and $40, though a few give away versions or trials for free.

Microsoft has downplayed the competitive angle, saying they are simply responding to requests from customers for more protection options. Amy Roberts, a director with the company's security and business unit, said the company is most concerned about people who have no extra protection at all.

Peter Kuper, an analyst with Morgan Stanley, believes Microsoft is most interested in protecting its Windows franchise, not finding a new way to make money. The security problems are costly and damaging to Microsoft's reputation, he said, and failure to address the threats could drive more customers to competing products such as the Mozilla Firefox browser or Apple Computer Inc.'s Mac OS computers.

"They're not winning the war. They're not winning the battle," Kuper said. "So Microsoft is saying, 'I don't care whether it's free, as long as it's something. That's better than nothing.'"

Kuper isn't expecting Microsoft to immediately snag much market share from Symantec, McAfee and others. But he noted that, while Microsoft may not be looking at security as a big revenue stream, the cash-rich company could easily afford to undercut its competitors.

Symantec's Schwarz said he worries that Microsoft's clout could also discourage smaller security companies from entering the market or staying in it, effectively reducing options for consumers.

Microsoft's prior moves into new markets - including trouncing browser pioneer Netscape by shipping its Windows systems with Internet Explorer, now such a common target of Web-based attacks - have gotten the company in hot water with antitrust regulators in the United States and Europe.

But for now at least, some competitors say they aren't planning to take this battle to court. Symantec's Schwarz argues that his company's products will have an edge, especially with business customers, because they protect more than just Microsoft products. And McAfee's Hodges said he's confident his company's reputation will keep customers loyal.

"I'd rather fight Microsoft in the marketplace because we're convinced we can whip them," Symantec Chief Executive John Thompson said at the security conference where Gates spoke. "So this is not about showing up in Washington or whining on someone's doorstep about what Microsoft can or might do."

From isn at c4i.org Tue Feb 22 09:13:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:23:59 2005
Subject: [ISN] Thinking Outside the Security Box
Message-ID:

http://www.wired.com/news/privacy/0,1848,66647,00.html

By Ryan Singel
Feb. 18, 2005

SAN FRANCISCO -- The 2005 version of the nation's pre-eminent cybersecurity conference features hundreds of speakers and 275 exhibitors bombarding the estimated 13,000 attendees with PowerPoint presentations and free USB memory keys in an effort to sell their particular firewall, smart card or fingerprint reader.

To find some of the most interesting offerings on the floor, Wired News met up with cryptography expert Jonathan Callas, who has been attending the RSA Conference since 1993, when the show had fewer attendees than there are exhibitors in 2005. Callas currently serves as the CTO of PGP, a company that sells encryption software to corporations and government and is now working to make e-mail encryption easy for almost anyone with a computer.
Callas took time from working the floor to give Wired News a kick-the-tire tour of the expo, where vendors vie to scan the high-tech conference badges of potential clients or partners. Here are three companies that Callas thought were interesting enough to turn over his badge to for scanning -- not the best or worst of show, just a few he found innovative and clever, or worth a further look. As usual, RSA included a slew of biometric applications, from iris readers to fingerprint scanners. Though Callas started the tour expressing skepticism about previous years' biometric offerings, he turned over the badge to at least one company selling a fingerprint reader. Privaris is a small Fairfax, Virginia-based startup that makes a key-chain-size fingerprint fob that can be used to log on to a computer, open a garage door or enter a building. The reader, which has 300 Kb worth of memory, matches a person's fingerprint to a template stored on the device, and then sends an encrypted security code to any remote reader, using either Bluetooth or low-frequency RFID (without being vulnerable to bluesnarfing). The $179 fob, which has been on the market for just eight months, has already been tested by North Carolina law enforcement to verify the identities of truck drivers who haul hazardous materials, and is one of two fingerprint-based technologies in a Transportation Security Administration-funded pilot program to tighten airport worker security, according to Megan Prosser, product manager for Privaris. Though the mention of biometrics often invokes worries of Big Brother, privacy should not be a concern, according to Prosser. "The fingerprint template never leaves the device, so there's no need for a biometric database, which eliminates privacy concerns," Prosser said. Callas likes the idea since it takes something like a secure parking access card that works well enough and makes it better, by adding a layer of authentication. "They are one-plussing it," Callas said. 
Callas also counts himself a fan of WholeSecurity, a company that works to prevent spoofing, worms, key logging and phishing attacks. But the company's software eschews the typical strategy of relying on blacklists of virus names or of websites pretending to be PayPal.

Instead, the company's software looks for behaviors or signs that a website with the Citibank logo is fake or that a computer on a corporate network is trying to send out information in a sneaky manner. Callas prefers this approach to relying on lists that might only get updated after attacks have been reported elsewhere.

"WholeSecurity is cool because they are behavior-based," Callas said. "Their rules are that nobody should be e-mailing this information or that this application should not be sniffing and that you should not be going to an unknown website with Citibank's logo and entering password information."

While most computer users won't find themselves using the full, always-on power of WholeSecurity's software -- which is sold only as enterprise software -- many already use the company's technology without even knowing it. For example, eBay included the company's anti-phishing algorithms in its Internet Explorer toolbar.

Though Callas is a technologist through and through, he also likes the simplicity of a service called Authentify, which helps cut down on online fraud using an antique technology known as the telephone.

Companies use Authentify to verify a customer's ID when a person first signs on to their bank account or if an account primarily used for checking balances is used at 4 a.m. to transfer $10,000 to an account in the Ukraine, according to CEO Peter Tapling.

The software pops up a screen that informs the user that a quick phone call to one of the phone numbers associated with the account is necessary to complete the transaction. The company then calls the number and asks for some authentication information or records the person's voice.
Though two years ago Authentify executives were wondering whether they had a decent business model, last year the company handled 4 million transactions and called 165 countries using voice recordings in 30 different languages.

One ISP, which found itself battling to keep spammers from signing up for accounts and then sending millions of e-mails before the new accounts got terminated, has eradicated the problem by using Authentify and simply requiring new customers to have their responses taped.

"For real customers, it is very easy. For phishers, it's game over," Tapling said.

Callas loves the simplicity of the solution, which he compared to the days of bulletin board systems, when administrators concerned about unknown people dialing into their modem bank would call the prospective user back on a regular phone line.

"Spammers don't want to have their voice recorded on tape," Callas said. "This is a great deterrent factor. It gets rid of untraceability, which a lot of network attacks rely on."

From isn at c4i.org Tue Feb 22 09:14:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:24:01 2005
Subject: [ISN] Singapore Unveils Plan to Battle 'Cyber Terror'
Message-ID:

http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=7698536

Feb 22, 2005

SINGAPORE (Reuters) - Singapore is to spend $23 million over three years to battle online hackers and other forms of "cyber-terrorism" in one of the world's most connected countries, government officials said Tuesday.

Describing the infrastructure behind the Internet as a "nerve system" in Singapore, Deputy Prime Minister Tony Tan said a new National Cyber-Threat Monitoring Center would maintain round-the-clock detection and analysis of computer virus threats.

"We cannot afford to treat the threats from cyber terrorists, cyber criminals and irresponsible hackers lightly," Tan said in a speech while unveiling an information-technology security "master plan" in the tech-savvy city-state.
"Infocomm security is as important in protecting Singapore as is physical security at our borders," added Tan, who is also Coordinating Minister for Security and Defense.

Singapore has one of the world's highest Internet penetration rates, with 50-60 percent of its 4.2 million people living in homes wired to the Internet.

The affluent, predominantly ethnic Chinese island has also steadily tightened security since the September 2001 attacks on the United States, from patrols of heavily armed police in busy shopping districts to tighter security at border points.

In 2003, Singapore passed strict legislation to allow monitoring of all computer activity and for police to take pre-emptive action to protect state computers from cyber attack.

Tan said the money would also be used to help businesses tighten security for online financial transactions while guiding them to work with the government in maintaining cyber security.

The Cyber-Threat Monitoring Center will link up with companies that provide anti-virus systems and governments running similar centers, including the United States and Australia. It is expected to be fully operational by the second half of 2006.

From isn at c4i.org Tue Feb 22 09:14:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:24:03 2005
Subject: [ISN] From layers to assurance
Message-ID:

http://www.fcw.com/fcw/articles/2005/0214/web-assurance-02-18-05.asp

By Florence Olsen
Feb. 18, 2005

SAN FRANCISCO - The problem of securing software continues to preoccupy Homeland Security Department and Defense Department officials, many of whom say the commonly used "layered defense" against insecure and malicious applications is not working.

Layered-defenses rely on security measures added to each level through which data passes, including networks, systems and applications. However, that approach "is riddled with holes," said Joe Jarzombek, the Pentagon's deputy director for software assurance.
A better approach, said Jarzombek and others who spoke here at the RSA Conference, may be to spend more on software assurance testing and better training - perhaps even mandatory certification - of software developers.

"We want to shift the paradigm from patch management to software assurance," said Hun Kim, deputy director for policy and strategic initiatives at DHS' National Cyber Security Division.

Government interest in secure software extends beyond DHS and DOD to Capitol Hill, Jarzombek said.

As part of a new Software Assurance Initiative at DHS, department officials are working with members of the Institute of Electrical and Electronics Engineers to collect the best available knowledge of secure software development, Kim said. DHS and IEEE will then make it available free to colleges and universities for developing new courses in software assurance.

Another aspect of the software initiative, Kim said, will be to help acquisition officials buy secure software using DHS-developed standards, specifications and acquisition language for software assurance.

Kim said he hopes that everything achieved through the DHS program will have far-reaching benefits. "We're trying to raise the level of software assurance for the nation, not just DHS," he said.

DOD officials, who are working with National Security Agency officials on a variety of similar initiatives, said the lack of software assurance warrants more attention and funding than it has received. Some software products are attacked or infiltrated with malicious code even before they are shipped, Jarzombek said.

One aspect of NSA's software assurance program is investigating how software products, especially commercial products, are built. DOD's software consumers know little about "who is doing the code and what is in the code," said Daniel Wolf, director of the Information Assurance Directorate at NSA.
Lawmakers are concerned about the outsourcing of software coding overseas, but the same problem exists with domestic outsourcing, said Ron Moritz, senior vice president and chief security strategist at Computer Associates, which makes software security products. "There's no difference whether you're outsourcing to Virginia or offshore if you don't have a mechanism to understand what you're getting back," he said.

Software assurance testing such as NSA officials conduct through a program known as the National Information Assurance Partnership is a proven way to improve the quality and trustworthiness of software, Wolf said. Software company officials have criticized NIAP as too time-consuming and expensive, but it has nevertheless improved software security, Wolf said.

NIAP personnel have found that between 35 percent and 45 percent of the products submitted for evaluation have security problems, which the vendors then fix, Wolf said. "We've also seen products disappear from the market" after an evaluation, he said.

But primarily because the NIAP program has drawn considerable criticism, DHS officials have commissioned the Institute for Defense Analyses to review it, Kim said.

In addition to more rigorous software assurance testing, employee training and certification may finally get the attention they deserve, said Robert Lentz, director of the Information Assurance Directorate at DOD. Employees who operate military networks are not certified for that responsibility, but Pentagon officials are going to change that, he added.

Some officials interested in software assurance think it might be a good idea if software developers had to certify their work and be held liable if software is faulty or unsafe. In disciplines such as mechanical and civil engineering, engineers must certify that a bridge they have built is safe, Wolf said. "Should we do the same in software? Where's the accountability?"
Accountability, he said, should be more than a coupon for the next software release.

From isn at c4i.org Tue Feb 22 09:14:51 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:24:06 2005
Subject: [ISN] Linux Security Week - February 21st 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 21st, 2005 Volume 6, Number 8n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin D. Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Securing Linux with Mandatory Access Controls," "Providing Database Encryption," and "Wi-Fi Alliance to Beef up Security."

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH:

This week, advisories were released for libXpm, evolution, mailman, hztty, xpcd, sympa, netkit-rwho, toolchain, htdig, synaestheia, awstats, typespeed, emacs, gftp, python, openoffice, kernel, kdeedu, gallery, webmin, perl-squid, ht/dig, opera, vmware, lighttpd, kstars, midnight commander, drakextools, cpio, enscript, mysql, rwho, kdelibs, xpdf, libtiff, vim, ethereal, thunderbird, and squid. The vendors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.
http://www.linuxsecurity.com/content/view/118366/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* What's The Best VoIP System For SMBs?
15th, February, 2005

Making phone calls using a broadband Internet connection, more fondly known as VoIP (Voice over Internet Protocol), is becoming more and more popular with corporations of every size. The prospect of paying a flat fee for unlimited long-distance phone calls is appealing to every company that has struggled to balance the need to conduct business phone calls with the price of those calls. Calling plans are now available that provide unlimited minutes to any U.S. or Canadian phone number by routing the voice traffic over an existing broadband connection shared with the company's Internet access.

http://www.linuxsecurity.com/content/view/118334

* Why Not Truth?
14th, February, 2005

Ultimately cryptographers want some form of quantum repeater--in essence, an elementary form of quantum computer that would overcome distance limitations. A repeater would work through what Albert Einstein famously called "spukhafte Fernwirkungen," spooky action at a distance.

http://www.linuxsecurity.com/content/view/118283

* Researchers: Digital encryption standard flawed
17th, February, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break an algorithm, known as the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine.
http://www.linuxsecurity.com/content/view/118359

* Researchers find security flaw in SHA-1
17th, February, 2005

Security experts are warning that a security flaw has been found in a powerful data encryption algorithm, dubbed SHA-1, by a team of scientists from Shandong University in China. The three scientists are circulating a paper within the cryptographic research community that describes successful tests of a technique that could greatly reduce the speed with which SHA-1 could be compromised.

http://www.linuxsecurity.com/content/view/118360

* How To Shop For A VPN
14th, February, 2005

Get clued in on what to look for in enterprise-class products, including the ins and outs of software vs. appliances, LAN-to-LAN vs. remote access, SSL, IPsec, and other decisions you need to make. With a virtual private network creating safe access for your Internet-connecting users, you can rip out expensive frame relay, leased lines and modem dial-up banks in favor of a secure WAN connection. For any network that connects remote users to the Internet, a VPN gateway provides three essentials for your data: authentication, confidentiality and integrity.

http://www.linuxsecurity.com/content/view/118288

* Linux Magazine: mod_perl, Part Two
14th, February, 2005

As I mentioned last month, having persistent Perl code means that some steps of your application can be reused rather than repeated. One very easy optimization is keeping your database handles open between web hits, rather than reopening them on each new hit. The Apache::DBI module (found in the CPAN) does the work for you by altering the way normal DBI connections are processed. If your application is like most, you simply add PerlModule Apache::DBI to the configuration file, and it just magically works.

http://www.linuxsecurity.com/content/view/118290

* Deploy an application with Cerise Web server
16th, February, 2005

Use Ruby as your programming language to create a simple application.
This article shows you how to create a guestbook Web application with the Cerise Web server and the Ruby programming language. You'll use RSS 1.0 as the file format for the guestbook entries and XSLT for transforming files to HTML.

http://www.linuxsecurity.com/content/view/118347

* HITB E-Zine: Issue #36 Released
20th, February, 2005

After a nice Chinese New Year break we are pleased to bring you Issue #36 of the HITB e-zine. This is a pretty interesting issue with an exclusive article on Red Hat PIE Protection written by Zarul Shahrin as well as an article on building a simple wireless authenticated gateway using OpenBSD by Rosli Sukri (member of the HITB CTF Crew).

http://www.linuxsecurity.com/content/view/118389

* Evaluating Your Firewall
14th, February, 2005

Are you an administrator or security analyst who watches over a firewall with a hundred or more rules? Or perhaps a hired gun who must review a firewall with years of crusty buildup? Are you creating a test lab that involves a wide variety of networks, servers, and risks? If you're interested in enterprise-level firewalls, this article will help you make sense of common failures in processes and tools. We'll focus on enterprise-grade business and networking issues that affect firewalls. (Penetration studies and piercing firewalls from the outside will be covered in a later article.)

http://www.linuxsecurity.com/content/view/118293

* SWsoft Unveils Virtuozzo 2.6.1 for Linux
15th, February, 2005

The latest version of the Virtuozzo server virtualization solution features several new enhancements, including a new Virtuozzo control center, automatic update utility, stateful firewall support and VPN support.

http://www.linuxsecurity.com/content/view/118337

* Clever service has key to e-mail security
14th, February, 2005

How can you be sure your e-mails are safe from prying eyes? To most of us e-mailing mom or even sending work-related e-mails, security really isn't of great concern.
But for people to whom security is of great importance, sending sensitive documents over the Internet carries an extremely high degree of risk.

http://www.linuxsecurity.com/content/view/118284

* More advisories, more security
15th, February, 2005

More and more, we see articles questioning the security of a given platform based solely on the number of advisories published - and this approach is simply wrong, writes Thierry Carrez, of Gentoo Linux.

http://www.linuxsecurity.com/content/view/118304

* Is Linux Security A Myth?
17th, February, 2005

There are rare occasions in IT when a particular architecture reaches a point where it stops being purely IT driven and takes on a life of its own. The last year has seen the open source movement reach such a cult status and at the vanguard of open source fashion can be found the Linux operating system. Whilst the platform appeals at several levels for potential users, some of a philosophical nature and others far more concrete, it is noticeable that a couple of its qualities have recently been called into question.

http://www.linuxsecurity.com/content/view/118357

* Why VoIP is raising new security concerns
16th, February, 2005

New technology often leads to improved productivity, but it also arrives with new IT challenges, often centering on security. "With any new technology, security functions tend to be the last area that matures," noted Pete Lindstrom, Research Director at Spire Security LLC, a market research firm focusing on security issues. Voice over IP (VoIP) has begun to make significant inroads in the enterprise, so IT managers need to be aware of the unique security challenges it presents.

http://www.linuxsecurity.com/content/view/118344

* Security firms show united front
16th, February, 2005

A joint system for reporting and grading security vulnerabilities is going to be launched today.
With an eye to guiding companies on which software problems to patch first, Cisco, Symantec and Qualys plan to launch a joint grading system for security vulnerabilities. The ratings will consist of three numbers, Gerhard Eschelbeck, the chief technology officer at security information provider Qualys said on Tuesday. The first will be a baseline estimate of the severity of the flaw. The second will rate the bug depending on how long it has been around, and therefore how likely it is that companies have patched against it.

http://www.linuxsecurity.com/content/view/118346

* Securing Linux with Mandatory Access Controls
15th, February, 2005

Some in the security industry say that Linux is inherently insecure, that the way Linux enforces security decisions is fundamentally flawed, and the only way to change this is to redesign the kernel. Fortunately, there are a few projects aiming to solve this problem by providing a more robust security model for Linux by adding Mandatory Access Control (MAC) to the kernel.

http://www.linuxsecurity.com/content/view/118305

* Is Linux Security A Myth?
16th, February, 2005

There are rare occasions in IT when a particular architecture reaches a point where it stops being purely IT driven and takes on a life of its own. The last year has seen the open source movement reach such a cult status and at the vanguard of open source fashion can be found the Linux operating system. Whilst the platform appeals at several levels for potential users, some of a philosophical nature and others far more concrete, it is noticeable that a couple of its qualities have recently been called into question.
http://www.linuxsecurity.com/content/view/118342

* Defense picks two for PKI
16th, February, 2005

Defense Department officials selected two companies to provide digital certificate validation for the department's public-key infrastructure (PKI), a decision that some officials feel could spur a faster move to paperless e-government. After a yearlong, worldwide pilot test, military officials chose Tumbleweed Communications and CoreStreet as the two certificate validation providers for its Identity Protection and Management Program, which includes the Common Access Card smart card program.

http://www.linuxsecurity.com/content/view/118349

* Novell taps open source for security
15th, February, 2005

For Novell, security and open source belong together. The Waltham, Mass.-based company said Monday that it will submit the programming interfaces for eDirectory to two open-source projects, allowing developers to use Novell's directory program to authenticate network access. Novell also detailed a partnership with Linux security company Astaro to create a security appliance that runs Novell's SuSE Linux operating system.

http://www.linuxsecurity.com/content/view/118303

* Novell boosts its Linux security credentials
16th, February, 2005

Novell has unveiled a SuSE Linux-based soft appliance designed to protect businesses against security threats from hackers, viruses, worms and spam.

http://www.linuxsecurity.com/content/view/118341

* SuSE Linux awarded government security cert
18th, February, 2005

IBM and Novell announced at LinuxWorld today that SuSE Linux Enterprise Server 9 has become the first distribution to complete Evaluation Assurance Level (EAL) 4+.

http://www.linuxsecurity.com/content/view/118374

* Security show tackles online threats
14th, February, 2005

The security industry, in the business of paranoia, will be looking over its shoulders more frequently at the annual RSA Security Conference this week.
http://www.linuxsecurity.com/content/view/118281

* Liberty Alliance Releases ID Standard For Web Services
14th, February, 2005

The Liberty Alliance Project on Friday unveiled the public draft release of a framework for identity-based web services. The latest release of ID-WSF 2.0 is the first of three that will each add greater depth to the identity-management framework. The final specification including all three releases is expected to be available by end of the year. Phase one extends ID-WSF 2.0 to include support for SAML 2.0 from the Organization for Advancement of Structured Information Sciences, an international standards body.

http://www.linuxsecurity.com/content/view/118287

* The Threat Within - Why Businesses Need To Manage And Monitor Employee Email Usage
14th, February, 2005

In a few short years, email has become a major part of the national psyche and a business-critical tool of communication. However, while companies have been more than willing to embrace the business benefits of email, they continue to remain oblivious to many of the responsibilities this new form of communication brings, particularly as it affects their employees. It is a commonly held misconception, due to the informal traditions of electronic communication, that e-mails carry less weight than letters on headed notepaper.

http://www.linuxsecurity.com/content/view/118291

* Security firms show united front
16th, February, 2005

With an eye to guiding companies on which software problems to patch first, Cisco, Symantec and Qualys plan to launch a joint grading system for security vulnerabilities. The ratings will consist of three numbers, Gerhard Eschelbeck, the chief technology officer at security information provider Qualys said on Tuesday. The first will be a baseline estimate of the severity of the flaw. The second will rate the bug depending on how long it has been around, and therefore how likely it is that companies have patched against it.
The third will measure the threat a vulnerability poses to a specific corporate network. Each will take five or six factors into account for the measurement.

http://www.linuxsecurity.com/content/view/118343

* Providing Database Encryption
16th, February, 2005

As databases become networked in more complex multi-tiered applications, their vulnerability to external attack grows. We address scalability as a particularly vital problem and propose alternative solutions for data encryption as an enterprise IT infrastructure component. In this paper, we explore a new approach for data privacy and security in which a security administrator protecting privacy at the level of individual fields and records, and providing seamless mechanisms to create, store, and securely access databases.

http://www.linuxsecurity.com/content/view/118348

* Novell makes open source security moves
18th, February, 2005

The Waltham, Massachusetts-based company has released the APIs to the open source community to enable open source developers to make use of Novell's eDirectory identity management platform.

http://www.linuxsecurity.com/content/view/118375

* Watch Out for Spies With Friendly Faces
18th, February, 2005

As tech-savvy people, we know by now that we have to worry about technology being used to invade our privacy. But we tend to focus on the stuff that's deliberately snooping on us: spyware, keyloggers, Trojan horses, and other software and hardware designed with malicious intent. An even bigger risk, though, can come from the tools we usually trust--helpful gadgets and programs that weren't built to spy on us but can be used that way.

http://www.linuxsecurity.com/content/view/118376

* Passwords? We don't need no stinking passwords
16th, February, 2005

RSA 2005: Concerns over online security are continuing to slow consumer e-commerce growth.
A quarter of the respondents in a recent survey have reduced their online purchases in the past year and 21 per cent refuse to conduct business with their financial institutions online because of security fears. More than half (53 per cent) of the 1,000 consumers quizzed believe that basic passwords fail to provide sufficient protection for sensitive personal information.

http://www.linuxsecurity.com/content/view/118350

* F-Secure exploit patched
14th, February, 2005

F-Secure has become the latest security firm to be embarrassed by a flaw in its flagship security product line, but the company managed to patch the flaw while it was still only 'theoretical'. F-Secure has released a patch for a serious flaw in its antivirus products, the second time in a week a security company has warned of a risk in its software.

http://www.linuxsecurity.com/content/view/118282

* WLAN Users Lack Support
14th, February, 2005

Setting up a wireless LAN can be as easy as sticking a plug into an outlet. But even technology-savvy customers are complaining that security can be a hassle due to problems with documentation and support. While industry standards bodies are making strides to ensure that even consumer-level WLAN hardware is effective and secure, the user manuals that come with the hardware continue to leave a lot to be desired. "The biggest challenge is inconsistent nomenclature and presentation of the basic components," said Christopher Bell, a software developer in Los Angeles whose home-office WLAN has included wireless routers from Linksys Inc. and Microsoft Corp. as well as myriad PC brands.

http://www.linuxsecurity.com/content/view/118289

* Wi-Fi Alliance to beef up security
14th, February, 2005

Security remains the key issue deterring enterprise users from making major investments in Wi-Fi, despite all the improvements over the past year. Whether real or perceived, the security risks of wireless LANs are still holding deployments back.
Conscious of this, the Wi-Fi Alliance is trying to beef up standard security still further. It has already agreed to a dual-layer security approach, with WPA2 (the brand name for the 802.11i standard) supporting advanced functions including AES encryption, while the more basic WPA, originally an interim standard en route to 802.11i, will be kept for devices that require less stringent security and lower costs, particularly in the consumer space.

http://www.linuxsecurity.com/content/view/118292

* Teething problems for wireless LANs
17th, February, 2005

WIRELESS LAN is an emerging trend, but as with most young technologies, it is plagued by insecurities. John Martin, IBM principal security specialist and security practice leader, spends his days advising corporate enterprises on risk management. The whole end-to-end process must be secure, regardless of the type of industry, he says.

http://www.linuxsecurity.com/content/view/118358

* Mesh Networking Soars to New Heights
19th, February, 2005

Mesh Networking and community wireless broadband reached new heights with a world first for Locustworld MeshAP PRO when a Shadow microlight aircraft flew over Lincolnshire UK and successfully tested air to ground mesh networking and voice over broadband. South Witham broadband (Lincolnshire UK) joined forces with Make Me Wireless (Australia) and using LocustWorld MeshAP PRO and Asterisk VoIP equipment, seamlessly created air to ground voice communications at 2000 feet with the 16 node South Witham community broadband network.

http://www.linuxsecurity.com/content/view/118387

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Feb 23 02:06:59 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 23 02:15:47 2005
Subject: [ISN] How Paris Got Hacked?
Message-ID:

http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html

By Brian McWilliams
02/22/2005

Paris Hilton's Chihuahua couldn't protect her Hollywood home from a burglary last summer. So why was Hilton counting on her dog to protect her T-Mobile account from intruders?

Despite repeated attacks on her T-Mobile email and telephone records in recent months, the actress and heiress has persisted in using the little dog's name to secure her password at the T-Mobile site.

Like many online service providers, T-Mobile.com requires users to answer a "secret question" if they forget their passwords. For Hilton's account, the secret question was "What is your favorite pet's name?" By correctly providing the answer, any internet user could change Hilton's password and freely access her account.

Hilton makes no secret of her affection for her Chihuahua. Last August, Hilton offered a reward of $5,000 when her beloved pet disappeared after the house she shared with sister Nicole was burglarized.

An anonymous source provided O'Reilly Network with a screen grab, proving he was able to access the contents of Hilton's T-Mobile inbox as of Tuesday morning. Another image confirmed that Hilton's "secret answer" was her dog's name. Upon being notified Tuesday, T-Mobile corrected the potential security vulnerability in Hilton's account.

Last weekend, Hilton's T-Mobile online account was accessed by intruders calling themselves "The Niggas at DFNCTSC." The trespassers posted the contents of her address book, notes, and photo folder on the internet. In January, Hilton reportedly suspected that a "hacker" had access to her email account and was reading messages there. It's unclear how those intruders gained access to Hilton's account.
A T-Mobile spokesperson said the company is "actively investigating" the situation. Weak passwords are cited as one of the top twenty internet security vulnerabilities by the SANS Institute. Account information belonging to Hilton and other T-Mobile users has been circulating in the computer underground since at least late March of 2004. A California man named Nicholas Jacobsen has admitted to hacking into T-Mobile's servers and accessing records on at least 400 customers. (Last week, security professionals openly speculated about how Jacobsen gained access to the wireless provider's internal systems.) According to court papers, Jacobsen, who used the online alias Ethics, offered to sell the stolen information on an online message board on March 15, 2004. Jacobsen also apparently provided excerpts of the data to friends and colleagues. A log file of a March 2004 instant-message conversation apparently between Ethics and an associate includes a section containing Hilton's T-Mobile phone number, password, social security number, and other confidential information. Password hint systems like the one used by T-Mobile are common on the internet. Online service providers including the MSN Hotmail service have encountered security breaches involving attackers correctly answering "secret questions" and then locking victims out of their accounts. T-Mobile representatives said Hilton uses a Sidekick II, a communication device that offers wireless telephone and internet access as well as a built-in flash camera. -=- Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines. 
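The article above describes a password-reset flow in which a correct answer to a "secret question" is, by itself, enough for anyone on the internet to set a new password. The example below is added here to illustrate that design flaw and one hardened alternative; it is not T-Mobile's code or anything from the article, and every name in it (the classes, the user "alice", the pet name "fido", the clock and the out-of-band sender) is a constructed assumption. The hardened flow hashes the normalized answer, compares it in constant time, locks the account after repeated failures, and only issues a short-lived, single-use token that is delivered out of band; the answer alone never changes the password.

```python
"""Secret-question password reset: the naive pattern beside a hardened one.
Added example; all names and sample data are constructed for illustration."""
import hashlib
import hmac
import secrets
import time


class NaiveRecovery:
    """Vulnerable pattern: knowing a guessable public fact resets the password."""

    def __init__(self):
        self.users = {}  # username -> {"password", "question", "answer"}

    def register(self, user, password, question, answer):
        self.users[user] = {"password": password, "question": question, "answer": answer}

    def reset_password(self, user, answer, new_password):
        rec = self.users[user]
        # No throttling, no second channel, plaintext answer: one correct guess wins.
        if answer == rec["answer"]:
            rec["password"] = new_password
            return True
        return False


class HardenedRecovery:
    """Answer earns only a short-lived out-of-band token; the token resets the password."""

    MAX_ATTEMPTS = 3        # failures before lockout
    LOCKOUT_SECONDS = 3600  # how long a locked account stays locked
    TOKEN_TTL = 900         # seconds a reset token remains valid

    def __init__(self, send_out_of_band, now=time.time):
        self.users = {}     # username -> {"password", "question", "salt", "answer_hash"}
        self.failures = {}  # username -> (failure_count, last_failure_time)
        self.tokens = {}    # token -> (username, expiry_time)
        self.send = send_out_of_band  # e.g. SMS/email delivery; injected so tests can capture it
        self.now = now                # injectable clock (assumption for testability)

    @staticmethod
    def _normalize(answer):
        # Case/whitespace-insensitive so legitimate users are not locked out by trivia.
        return " ".join(answer.strip().lower().split())

    @staticmethod
    def _hash(salt, value):
        # Slow, salted hash: a leaked table of answers is not directly usable.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

    def register(self, user, password, question, answer):
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "password": password,
            "question": question,
            "salt": salt,
            "answer_hash": self._hash(salt, self._normalize(answer)),
        }

    def _locked(self, user):
        count, last = self.failures.get(user, (0, 0))
        return count >= self.MAX_ATTEMPTS and self.now() - last < self.LOCKOUT_SECONDS

    def request_reset(self, user, answer):
        """Step 1: a correct answer only triggers delivery of a reset token."""
        rec = self.users.get(user)
        if rec is None or self._locked(user):
            return False  # unknown user and locked user look identical to the caller
        candidate = self._hash(rec["salt"], self._normalize(answer))
        if not hmac.compare_digest(rec["answer_hash"], candidate):
            count, _ = self.failures.get(user, (0, 0))
            self.failures[user] = (count + 1, self.now())
            return False
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self.now() + self.TOKEN_TTL)
        self.send(user, token)  # delivered to a channel the attacker should not control
        return True

    def complete_reset(self, token, new_password):
        """Step 2: the token is single use and expires."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        user, expiry = entry
        if self.now() > expiry:
            return False
        self.users[user]["password"] = new_password
        return True


if __name__ == "__main__":
    naive = NaiveRecovery()
    naive.register("alice", "hunter2", "What is your favorite pet's name?", "fido")
    print("naive reset with guessed answer:", naive.reset_password("alice", "fido", "pwned"))
```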
From isn at c4i.org Wed Feb 23 02:07:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 23 02:15:50 2005
Subject: [ISN] Book Review: The Mezonic Agenda: Hacking the Presidency
Message-ID:

Forwarded from: Doctor Spook

Title: The Mezonic Agenda: Hacking the Presidency
Author: Dr. Herbert Thompson & Spyros Nomikos
Pages: 387 pages
Publisher: Syngress; 1 edition (September 14, 2004)
Reviewer: Dr. Spook
ISBN: 1931836833
Buy From Amazon: http://www.amazon.com/exec/obidos/ASIN/1931836833/c4iorg

I really wanted to like this book. It's always good to see interesting fiction by practitioners in the field. Unfortunately, this isn't it.

The authors would have been better served by an editor, something that seems to have been lacking from start to finish. From page 6 onward, the typographical errors are shameful. The grammar needs work, and I'm surprised at the effort by someone who professes a Ph.D. in Applied Math, Florida (update).

It's an entertaining thought, enclosing a CD, creating a "hacking" contest, with the prize being free admission to the Black Hat Conference held annually in Las Vegas (and its bad older brother, Defcon, held right after).

I offer the following limited analysis of the software: The enclosed CD is meant for a MS Windows operating system, and needs flash enabled for the full glory. Needless to say, in a security conscious world, the investigations my group made had more to do with hex editors and unix tools than in allowing the program to install on a defenseless computer.

My favorite moment with strings?

Type the full path to the output file:
Type the full path to the encrypted file:
\___/ ( ) \ / / \ I_ _I I I [_____________] [] ::::::::: [] [] ::*****:: [] [] :|:::::|: [] [] :| (_) |: [] / _ \ _____________
Success...the key is yours!
What is the key: 51d2b210d1ad862d781f065eb22d9370

Well, there you go.
On another note, for someone who wants a good read of fiction, by someone in the field, let me recommend "The Bug," by Ellen Ullman, noted Wired columnist, and author of that memoir of the very recent past, "Close to the Machine." Both books give you a glimpse into the real world of programming and programmers, and are a thoughtful gaze into the passion that eats at the heart of most computer aficionados.

The Bug; ISBN: 0-385-50860-3
http://www.amazon.com/exec/obidos/ASIN/0385508603/c4iorg

Close to the Machine; ISBN: 0-87286-332-8
http://www.amazon.com/exec/obidos/ASIN/0872863328/c4iorg

-=-

Dr. Spook is a security researcher, currently employed in the defense industry, who prefers anonymity. The good doctor has associates in most TLAs, and in some security groups as well. When not absorbed with the latest debacles from a wide array of software and hardware vendors, Dr. Spook is amused by the interesting puzzles left in the works of such notables as Elias Ashmole and John Dee.

From isn at c4i.org Wed Feb 23 02:07:52 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 23 02:15:53 2005
Subject: [ISN] Eye on Offshoring: Lessons From the Tsunami
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,99756,00.html

Advice by Scott Warren
International Network Services Inc.
FEBRUARY 21, 2005
COMPUTERWORLD

While government and relief agencies around the world continue to funnel humanitarian aid to the victims of the Asian tsunami, multinational businesses are scrambling to assess their exposure to disasters of this sort, not just in terms of their own people and facilities around the world, but also to the suppliers of services they are ever more reliant upon.
Businesses that have offshored services to India, China and other distant locations must understand the impact a natural disaster can have on their suppliers' facilities and infrastructures just as clearly as they understand their own vulnerabilities, and they must make plans to recover from any such disasters, wherever they may strike. Business continuity planning must be a critical component of all offshoring initiatives. Whether a company uses a strategy of offshore outsourcing or is simply a multinational with offshore facilities, a well-defined and -tested business continuity plan is a must. A fairly common question I hear during the development of such plans is, "What is the likelihood of a natural disaster occurring that will significantly disrupt our operations?" My response is always that there is an exponentially greater potential for disruption from a natural disaster in the developing world because of lower building-code standards, a general lack of preparedness and less mature business models. Recognizing this reality, companies must ensure that their business continuity plans extend to include their suppliers' facilities and infrastructures as well as their own. The Asian tsunami is a stark example of the potential for widespread devastation, particularly because of the incredible loss of life that occurred. Unfortunately, many people have the impression that this was a once-in-a-century event. While it's true that disasters on this scale are rare, how many people can recall that in 1975 an earthquake hit Tangshan, China, killing 242,000 people and severely damaging or destroying 78% of its industrial buildings? Even putting aside such colossal disasters, total yearly damage from accumulated smaller events is far more than most people think. For instance, the Philippines, on average, is struck by more than 20 typhoons per year, resulting in significant physical damage and loss of life. 
Unless you are very familiar with the Asian region, you would likely underestimate the chance of a natural disaster disrupting your supplier's operations.

Fortunately, initial reports indicate almost no damage to the Indian Ocean undersea communications infrastructure, other than that part in close proximity to the epicenter of the earthquake that triggered the tsunami. Also fortunate were suppliers of offshoring services in Chennai, India, such as Tata Group and Wipro Technologies, which reported no damage to their infrastructures and no loss of personnel. But several U.S. expatriates, many of whom managed or held key leadership positions in offshore facilities for U.S. and Western European businesses, were killed. It's common knowledge within the expatriate community (of which I was a member) that senior-level U.S. executives in the region frequented the devastated locations. With this in mind, a solid business continuity plan must also prepare for the sudden loss of business leadership.

For the most part, companies that choose to offshore, in my view, tend to be myopically focused on the lower cost associated with a given country or geographic area to the exclusion of its ability to meet Western standards for quality, safety, etc. Many governments also offer economic incentives to companies that locate facilities in more disadvantaged areas. As a result, companies that choose to offshore must conduct more extensive due diligence and business continuity planning.

If your company contracts for offshore outsourcing services today or plans to in the future, you need to sit down with your provider and review its business continuity plan in detail. Start with these questions, then build upon this list as it relates to your specific industry:

* When was your business continuity plan created?
* What incidents and/or disasters are planned for?
* When was the plan last tested/updated?
* What are your plans for loss of employees and/or executives?
* Do you have an alternate business continuity site?
* What is the level of insurance coverage at the site?
* What are your plans to restore the primary site, and how long would it take?
* Have you arranged for construction, support and IT services?
* Who makes the determination to move to the alternate site?
* Where is the alternate site, and how easy is it to get to?
* How will your employees travel to the alternate site?
* Will there be sufficient accommodations for you to visit the site?
* How is your communications infrastructure configured to support the alternate site?
* How will our service-level agreements be affected?
* Will you need to augment your staff?
* Will you need to temporarily bring some services back to the U.S. or to another location?
* What is the priority for restoration of services? (This is particularly important because some companies negotiate a priority for restoration. You need to know where you are on this list.)

One key lesson that should be taken from the tsunami tragedy is that companies that use offshore services should develop a global strategy across multiple suppliers. I always recommend to my clients that they consider only global providers of offshore outsourcing. The advantage of this approach is that they gain the ability to move services fairly rapidly to other parts of the world when necessary.

Most U.S. and Western European companies have developed business continuity plans to address natural disasters that occur locally. For instance, most U.S. companies recovered rather quickly from the multiple hurricanes that hit Florida this fall. U.S. firms should apply the same due diligence to offshore suppliers, particularly those in developing parts of the world. Failure to do so could result in losses from a single event that far exceed the savings accumulated over multiple years from lower costs. In this case, the old nostrum "caveat emptor" was never more apropos.
-=-

Scott Warren is a consulting principal in the Irving, Texas, office of International Network Services Inc., where he specializes in offshoring. He lived in Asia for three years, has worked in 24 countries and has deployed IT to more than 200 countries.

From isn at c4i.org Wed Feb 23 02:08:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 23 02:15:55 2005
Subject: [ISN] FBI Issues Warning About Computer Virus
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A45131-2005Feb22.html

The Associated Press
February 22, 2005

WASHINGTON - The FBI warned Tuesday that a computer virus is being spread through unsolicited e-mails that purport to come from the FBI.

The e-mails appear to come from an fbi.gov address. They tell recipients that they have accessed illegal Web sites and that their Internet use has been monitored by the FBI's "Internet Fraud Complaint Center," the FBI said.

The messages then direct recipients to open an attachment and answer questions. The computer virus is in the attachment.

"Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner," the FBI said in a statement.

The bureau is investigating the phony e-mails.

The agency earlier this month shut down fbi.gov accounts, used to communicate with the public, because of a security breach. A spokeswoman said the two incidents appear to be unrelated.

-=-

On the Net:
FBI's Internet Crime Complaint Center: http://www.ic3.gov

From isn at c4i.org Wed Feb 23 02:08:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 23 02:15:58 2005
Subject: [ISN] Feds prepare security test
Message-ID:

http://www.fcw.com/fcw/articles/2005/0221/web-cyber-02-22-05.asp

By Florence Olsen
Feb. 22, 2005

SAN FRANCISCO -- The federal government and several international partners will hold a cyber preparedness exercise in November, Homeland Security Department officials said here at the RSA Conference.
Its purpose is to give federal agencies an opportunity to test their plans for responding to a direct or indirect attack on the computer networks that control the nation's critical infrastructure such as power plants and oil pipelines. The exercise will be unclassified, and the public will be informed, said Hun Kim, deputy director of the National Cyber Security Division at DHS. Although the federal government's best cyber experts say they don't know what kind of attack to expect, they can offer scenarios of what a cyber winter might be. G. Rick Wilson, special assistant for strategic policy at the National Security Agency's Information Assurance Directorate, said he doubts that a cyber winter would be caused by a massive denial-of-service attack on critical routers and servers. "I don't think it's going to be loud and noisy," he said. Instead, Wilson said he suspects that sophisticated intruders would quietly try to wreak havoc, causing a loss of confidence in the interconnected system of networks and information systems on which the nation's economy and security now depends. "Somebody's going to figure out how to get across a low wall and get on the inside, and they're not going to go in a chat room and talk about it," Wilson said. "We're talking about a sophisticated adversary." Wilson, continuing with his hypothetical scenario, said the adversary would "remain hidden until something happens, maybe something in the geopolitical sphere." Finding a hidden enemy and cleaning up the damage in such a scenario would be extremely difficult, Wilson said. "You're going to have not only national security issues; you're going to have privacy issues. I'll leave it at that," he said. 
From isn at c4i.org Thu Feb 24 12:22:16 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 24 12:53:09 2005
Subject: [ISN] Security UPDATE -- RSA Conference 2005 Highlights -- February 23, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Best Practices for Establishing and Enforcing a Security Policy in Your Business
http://list.windowsitpro.com/t?ctl=2DB7:4FB69

The Email Security Annual Review & Threat Report
http://list.windowsitpro.com/t?ctl=2DBB:4FB69

====================

1. In Focus: RSA Conference 2005 Highlights

2. Security News and Features
- Recent Security Vulnerabilities
- The New Phish Report Network
- Identity Web Services Framework Now Supports SAML 2.0

3. Security Matters Blog
- McAfee Will Scan your Wi-Fi Config for Vulnerabilities
- Add SonicWALL to Your List of Enterprise Antispyware Solutions

4. Instant Poll

5. Security Toolkit
- Web Chat
- FAQ
- Security Forum Featured Thread

6. New and Improved
- A Second Factor of Authentication for Windows

====================

==== Sponsor: Microsoft ====

Best Practices for Establishing and Enforcing a Security Policy in Your Business

With all the viruses, Trojans, spyware, malware, and malicious attacks out there, is your company as prepared as it can be to fend off these threats? This white paper will provide you with detailed information for establishing and enforcing a security policy so that you have a safety net to fall back on and can ensure that you're making the right decisions at a demanding time. Specifically, you'll go through the process of creating a security policy and creating an incident response plan to prepare your organization for the worst-case scenario. Download this free white paper now!
http://list.windowsitpro.com/t?ctl=2DB7:4FB69 ==================== ==== 1. In Focus: RSA Conference 2005 Highlights ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net RSA Conference 2005 took place last week in San Francisco with more than 275 vendors and more than 200 conference sessions. The last I heard, conference organizers were saying that 13,000 people attended, but that count wasn't official. One thing I am sure about is that with that many vendors and conference sessions, nobody saw everything! There were some interesting announcements at the conference, so if you were not among the thousands who did attend, then here are a few of the highlights from the show: In his keynote address, Computer Associates (CA) Executive Vice President Russell Artzt pointed out that business executives must now pay very close attention to security concerns at all levels of the company and be ready to thoroughly account for their decision-making processes, primarily due to government regulations such as Sarbanes- Oxley. Cisco Systems announced a new phase of its Self-Defending Network technology. The company said that the new Adaptive Threat Defense phase addresses threats at multiple layers, simplifies architectural designs, and provides enterprisewide containment and control. http://list.windowsitpro.com/t?ctl=2DC1:4FB69 RSA Security announced the Security Authentication Roadmap, in which the company will provide a standards-based, enterprise-enabled platform for overall credentials management using strong authentication. The company also announced the RSA Authentication Service, which will help provide consumers with "enterprise-class protection" during their online activities; an RSA SecurID Appliance that provides two-factor authentication for businesses with fewer than 1,000 employees; and RSA SecurID SID700 and SID800 USB-enabled authentication devices. 
http://list.windowsitpro.com/t?ctl=2DDA:4FB69 Microsoft Chairman Bill Gates announced in his keynote speech that the company will launch new security initiatives that include various software updates, such as a future release of Internet Explorer (IE) 7.0 for Windows XP systems, the scheduled March release of a beta version of its unified Windows Update Service (WUS), Microsoft Baseline Security Analyzer (MBSA) 2.0, the release to manufacturing of Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition, and Rights Management Services (RMS) Service Pack 1 (SP1). Gates also announced the formation of the Secure Software Forum in partnership with several other companies and the worldwide expansion of its Most Valuable Professional (MVP) program to help developers communicate with each other about developing secure applications. http://list.windowsitpro.com/t?ctl=2DC5:4FB69 Shavlik Technologies announced several new products, including NetChk Epicenter, a common GUI for NetChk applications that lets administrators scan numerous systems and applications, view scan results, and correct security problems. The company also announced that it will release patch-management solutions for Unix and Linux platforms--including AIX, HP-UX, Red Hat Linux, and Solaris--sometime in the second quarter of 2005. The company also announced NetChk Spyware and NetChk Shares, which lets administrators discover shared resources on one or more computers, remove shared resources, restrict anonymous access, and test for weak passwords. http://list.windowsitpro.com/t?ctl=2DDF:4FB69 Identity management solution provider Abridean joined the BlackBerry ISV Alliance Program, thereby forming a relationship with Research in Motion (RIM). Abridean will help simplify and automate management of Blackberry user accounts in BlackBerry Enterprise Server in combination with other messaging and enterprise systems. 
http://list.windowsitpro.com/t?ctl=2DDE:4FB69
http://list.windowsitpro.com/t?ctl=2DE1:4FB69

DesktopStandard released PolicyMaker Application Security, which helps administrators enforce the practice of giving users the minimum privileges that they need on Windows-based desktops and selectively elevate privileges for users who need them.
http://list.windowsitpro.com/t?ctl=2DD6:4FB69

Priva Technologies announced an upgrade to its Cleared Security Platform, which uses multifactor authentication in a single-point, end-to-end solution. The product now supports authentication for Web services, Microsoft .NET technology, email signing, and public key infrastructure (PKI).
http://list.windowsitpro.com/t?ctl=2DDC:4FB69

Seaway Networks released a pretty slick product: the Trident NCA2000-L7P Intrusion Prevention Accelerator Card. The Intrusion Detection System/Intrusion Prevention System (IDS/IPS) card can be used to convert servers into filtering appliances. The board provides 2Gbps of full duplex data processing and pattern matching, including processing of network layers 2-7.
http://list.windowsitpro.com/t?ctl=2DD8:4FB69

Lyris Technologies improved the detection of phishing and other email-related threats in its MailShield Server product with an upgrade to the embedded Mailshell SpamCompiler engine. Lyris said that MailShield Server is available for Windows and Solaris platforms, and a MailShield Pro version for Windows can record all SMTP transactions and provide a searchable audit trail of all incoming and outgoing messages.
http://list.windowsitpro.com/t?ctl=2DE0:4FB69
http://list.windowsitpro.com/t?ctl=2DDB:4FB69
http://list.windowsitpro.com/t?ctl=2DDD:4FB69

And last, but certainly not least, Intense School presented its Live Online Professional Hacking class, led by Ralph Echemendia. The class teaches participants how to think like an intruder so they can protect themselves proactively rather than having to react defensively to intrusions.
http://list.windowsitpro.com/t?ctl=2DD9:4FB69 ==================== ==== Sponsor: Postini ==== The Email Security Annual Review & Threat Report This "must read" white paper for email administrators and security professionals features a comprehensive overview of changes in email threats and the regulatory environment in 2004, and previews issues and expectations for 2005. Review the latest statistical trends in spam, virus and email attacks, and get an overview of how organizations are responding to these threats; get a sneak preview from analysts and experts into emerging issues and concerns that may help inform email security strategies and implementations for 2005. Register now and get the key trend data on spam, virus and email attacks from 2004! http://list.windowsitpro.com/t?ctl=2DBB:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=2DC0:4FB69 The New Phish Report Network Microsoft, eBay, PayPal, and Visa have teamed with WholeSecurity to launch the Phish Report Network. The network will serve as a worldwide antiphishing aggregation service. http://list.windowsitpro.com/t?ctl=2DCA:4FB69 Identity Web Services Framework Now Supports SAML 2.0 Liberty Alliance has released the second draft of its Identity Web Services Framework (ID-WSF), which now includes support for the Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language (SAML) 2.0 specification. Both ID-WSF and SAML provide methods of handling identity in conjunction with the use of Web services. http://list.windowsitpro.com/t?ctl=2DC9:4FB69 ==================== ==== Resources and Events ==== Minimize the Likelihood of Downtime in Your Exchange Implementation. 
In this free, on-demand Web seminar, discover how to ensure continuous Exchange application availability. Learn how to take preemptive, corrective action without resorting to a full system failover. Or in extreme cases, discover solutions that perform a graceful, automatic switchover to a secondary server, ensuring continuous Exchange application availability. View the archive today! http://list.windowsitpro.com/t?ctl=2DB9:4FB69 Get Essential Security Tips in This Free eBook Knowing where to find answers fast to secure your systems against attack can often mean the difference between shutting the door to various threats (e.g., malware, viruses, Trojans) and declaring defeat. This free eBook provides you with quick answers to help you make the most of your security. Get the entire eBook and start securing your systems! http://list.windowsitpro.com/t?ctl=2DBA:4FB69 Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Get the information you need to securely implement a network based around Microsoft products in the latest chapter of this eBook. Find out how to secure your network against threats, and learn about topics such as antivirus, VPNs, spyware, DMZs, content filtering, Browser Helper Objects, patching, quarantining, intrusion detection, and event notification. Get this eBook today! http://list.windowsitpro.com/t?ctl=2DB8:4FB69 Get the Entire eBook: "Content Security in the Enterprise--Spam and Beyond" This eBook explores how to reduce and eliminate the risks from Internet applications such as email, Web browsing, and Instant Messaging by limiting inappropriate use of these applications, eliminating spam, protecting corporate information assets, and ensuring that these vital resources are secure and available for authorized business purposes. Download this free eBook now! http://list.windowsitpro.com/t?ctl=2DBE:4FB69 Get Ready for SQL Server 2005 Roadshow in a City Near You Get the facts about migrating to SQL Server 2005. 
SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=2DBC:4FB69

====================

==== Hot Release ====

Symantec ON iPatch -- Automated Patch Management

On its first "patch Tuesday" of 2005, Microsoft released three software updates to fix security holes in its popular Windows operating system. Symantec ON iPatch provides an automated patch management solution that can handle today's growing number of patches. To learn more visit us at:
http://list.windowsitpro.com/t?ctl=2DD3:4FB69

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2DD1:4FB69

Check out these recent entries in the Security Matters blog:

McAfee Will Scan your Wi-Fi Config for Vulnerabilities
McAfee launched a new free service that uses a downloadable ActiveX control to scan your wireless networking configuration for vulnerabilities. The company's new Wi-FiScan Web page says that the service can suggest security measures to correct problems that it finds in your configuration.
http://list.windowsitpro.com/t?ctl=2DC8:4FB69

Add SonicWALL to Your List of Enterprise Antispyware Solutions
You can add SonicWALL to the list of enterprise antispyware solutions. The company announced the addition of "dynamic spyware detection and prevention capabilities" to its line of gateway security offerings.
http://list.windowsitpro.com/t?ctl=2DC6:4FB69

==== 4. Instant Poll ====

Results of Previous Poll:
If your company uses Windows XP, do you use XP SP2?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 27 votes.
- 63% Yes
- 26% No, but we intend to
- 11% No, and we don't intend to

New Instant Poll:
Do you think Microsoft should offer Internet Explorer (IE) 7.0 for Windows 2000 platforms?

Go to the Security Hot Topic and submit your vote for
- Yes
- No
http://list.windowsitpro.com/t?ctl=2DCD:4FB69

==== 5. Security Toolkit ====

Web Chat: Group Policy
Darren Mar-Elia will answer your questions about troubleshooting Group Policy in a chat February 24, 12:00 P.M. EST. Look for his article, "Troubleshooting Group Policy-Related Problems," in the February 2005 issue of Windows IT Pro magazine, and join the chat at
http://list.windowsitpro.com/t?ctl=2DC2:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2DCE:4FB69

Q. What's the Microsoft Windows Malicious Software Removal Tool?

Find the answer at
http://list.windowsitpro.com/t?ctl=2DCB:4FB69

Security Forum Featured Thread: Possible IIS 6.0 and XMLHTTP Security Issue
A forum participant has a client application that creates XML documents that include both text and bin.base64 nodes. Posting is done from the client application using the MSXML2.XMLHTTP.4.0 component to the Active Server Pages (ASP) server application on Microsoft IIS 6.0. The request is loaded into an MSXML2.DOMDocument.4.0 object. Sometimes the loading fails and the request is empty. The failure doesn't happen on an IIS 5.1 server. Join the discussion at
http://list.windowsitpro.com/t?ctl=2DBD:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=2DC7:4FB69

Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=2DBF:4FB69

====================

==== 6. New and Improved ====
by Renee Munshi, products@windowsitpro.com

A Second Factor of Authentication for Windows
Entrust announced Entrust IdentityGuard for Microsoft Windows, which adds a second factor of authentication for users logging on to Windows desktops. In addition to entering his or her username and password, a user is asked to enter a set of numbers and/or characters. The user must find the correct characters on a grid supplied by his or her organization on a wallet-sized plastic card, in conjunction with a building-access card, or in electronic form for portable devices accessing the corporate network. Entrust IdentityGuard for Microsoft Windows will be available for beta in first quarter 2005, with commercial availability in second quarter 2005. For more information, go to
http://list.windowsitpro.com/t?ctl=2DCF:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column.
Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Automate Patch Management with Symantec ON iPatch
http://list.windowsitpro.com/t?ctl=2DE2:4FB69

Quest Software
See Active Directory in a whole new light. And get a free flashlight!
http://list.windowsitpro.com/t?ctl=2DE3:4FB69

DynaComm i:scan from FutureSoft
True Enterprise anti-spyware, network-wide from a central console
http://list.windowsitpro.com/t?ctl=2DE4:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2DD5:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2DC4:4FB69

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=2DC3:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Feb 24 12:23:19 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 24 12:53:12 2005
Subject: [ISN] Black Hat Europe and Asia 2005 early bird registrations are about to close!
Message-ID:

Forwarded from: Jeff Moss

Hello InfoSec readers. I wanted to pass on a last announcement for our International conferences.

Black Hat Europe and Asia 2005 early bird registrations are about to close!
By registering now, Black Hat Briefings Europe attendees can save 200 Euro, Black Hat Briefings Asia attendees save 200 SGD. After February 28, registration will be full price.

This year we offer more training classes in Asia and Europe than ever. We are near capacity on some of our training offerings, so register now and save 200 SGD or 200 Euro on training.

If you are unable to attend the Asia or Europe shows, please visit our extensive archive of previous events. Hundreds of presentations are available in streaming RealAudio and RealVideo formats.

Registration for both Asia and Europe events can be found at:
http://www.blackhat.com/html/bh-registration/bh-registration.html

Archives of past shows and streaming media can be found at:
http://www.blackhat.com/html/bh-multimedia-archives-index.html

Thank you.

Jeff Moss

From isn at c4i.org Thu Feb 24 12:23:47 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 24 12:53:15 2005
Subject: [ISN] Feds square off with organized cyber crime
Message-ID:

http://www.theregister.co.uk/2005/02/23/feds_nostalgic_for_old_school_hackers/

By Kevin Poulsen
SecurityFocus
23rd February 2005

RSA 2005 - Computer intruders are learning to play well with others, and that's bad news for the Internet, according to a panel of law enforcement officials and legal experts speaking at the RSA Conference in San Francisco last week.

Christopher Painter, deputy director of the Justice Department's computer crime section, spoke almost nostalgically of the days when hackers acted "primarily out of intellectual curiosity." Today, he says, cyber outlaws and serious fraud artists are increasingly working in concert, or are one and the same.

"What we've seen recently is a coming together of these two groups," said Painter.
Ronald Plesco, counsel to the National Cyber-Forensics and Training Alliance, a computer forensics organization established by the FBI and private industry, agreed, and pointed to the trend in recent years of spammers building networks of compromised computers to launder their fraudulent email offerings.

Tim Rosenberg, a research professor at the George Washington University, warned of "multinational groups of hackers backed by organized crime" and showing the sophistication of prohibition-era mobsters.

"This is not about little Jimmy Smith breaking into his ex-employer's website and selling information to competitors," he said. "What we're seeing is just sheer, monstrous levels of crime."

Painter acknowledged that recreational hackers are still out there, but he believes they're a minority. He reads the future of cyber crime and investigation in the joint Secret Service and Justice Department "Operation Firewall" crackdown on Internet fraud rings last October, in which 19 men were indicted for allegedly trafficking in stolen identity information and documents, and stolen credit and debit card numbers.

At the center of Operation Firewall was an online forum called Shadowcrew, which served as the trading floor for an underground economy capable of providing a dizzying array of illicit products and services, from credit card numbers to details on consumers worthy of having their identities stolen.

"Individuals all over the world would work together to hack into systems, steal information and then sell information," said Painter. "[It was] a very, very highly structured, organized network."

Faced with that kind of organization, law enforcement agencies are turning to undercover operations, said Painter. To take down Shadowcrew, the Secret Service secretly busted a high level member of the group, turned him into an informant, and operated him undercover for more than a year, according to court records.
"Law enforcement was essentially running that group at one point," said Painter.

Painter prosecuted Kevin Mitnick in the 1990s, and he still insists that, from the victim's point of view, old-fashioned recreational hackers are as bad as today's multi-disciplined cyber criminals. "But it was a simpler time," he admitted after the presentation.

From isn at c4i.org Thu Feb 24 12:23:59 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 24 12:53:18 2005
Subject: [ISN] Paris Hilton worm spreads
Message-ID:

http://news.zdnet.com/2100-1009_22-5587278.html

By Dan Ilett
ZDNet (UK)
February 23, 2005

An e-mail worm promising explicit pictures of hotel heiress Paris Hilton is spreading widely, antivirus experts warned on Wednesday.

The mass-mailing worm, Sober.K, is currently the third most commonly encountered virus, making up 10 percent of all viruses detected in the last 24 hours, Sophos reported.

"This latest variant of the Sober worm may catch out the unwary as they open their e-mail in-box," said Graham Cluley, senior technology consultant at Sophos. "Although much-publicized virus outbreaks in the past should have made users more nervous of double-clicking on unsolicited e-mail attachments, some still find it hard to resist," he added. "All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest antivirus protection."

The new Sober variant sends itself in German and English, using a variety of subject lines, including "Paris Hilton, pure!" and "Paris Hilton SexVideos."

The Zafi.D virus, which was released last year, is Sophos' most prevalent, accounting for 27.6 percent of all reports in the last 24 hours. The Harry Potter Netsky.P worm is in second position with 22.4 percent.

Hilton shot to prominence after starring in a home video that became an Internet phenomenon.
On the same day that Sober.K was discovered, it was reported that hackers had broken into Hilton's cell phone and stolen the telephone numbers of celebrities before posting them online.

A second, more dangerous worm that uses similar bait, Ahker.C, was also discovered this week. The Ahker.C worm disables antivirus and firewall settings, and blocks access to some Web sites. It sends itself with the subject line "Paris Hilton...download it!" and a file called "ParisXXX.zip", which contains the virus.

From isn at c4i.org Thu Feb 24 12:35:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 24 12:53:19 2005
Subject: [ISN] Largest hacker group in China dissolves
Message-ID:

http://news.xinhuanet.com/english/2005-02/22/content_2603191.htm

www.chinaview.cn
2005-02-22

BEIJING, Feb. 22 -- Honkers Union of China (HUC), the earliest and largest hacker group in China and ranking number five in the world, has announced its dissolution and has shut down its website at the same time.

Membership of this group was once as high as 80,000. It has drawn both praise and blame as it participated in confronting foreign hackers on numerous occasions.

According to Shenzhen's media, HUC's founder Lion claimed in his open letter, "Honkers Union has existed in name only for a long time, and its website has been closed down several times before. However, I am reluctant to let go of things that accompanied me while I grew up. That is why HUC has lasted so long."

In December of 2000, webmaster Lion took the initiative to set up HUC. It was a non-governmental organization with a wide variety of members, including businessmen, students, teachers and professionals in network safety.
From isn at c4i.org Fri Feb 25 04:46:39 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:45 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-8
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-17 - 2005-02-24

This week : 57 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff spends hours every day to ensure that you have the best and most reliable source for vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Two vulnerabilities have been reported in PuTTY, which can be exploited by malicious people to compromise a user's system.

The vendor has an updated version available. Please see the Secunia advisory below for details.
References:
http://secunia.com/SA14333

--

Apple has acknowledged a vulnerability in Java for Mac OS X, which can be exploited by malicious people to compromise a user's system.

The vulnerability was initially fixed by Sun on the 23rd November 2004. Additional details can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA14346
http://secunia.com/SA13271

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14295] Linux Kernel Multiple Vulnerabilities
3.  [SA14333] PuTTY Two Integer Overflow Vulnerabilities
4.  [SA14304] Internet Explorer/Outlook Express Status Bar Spoofing
5.  [SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness
6.  [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
7.  [SA14160] Mozilla / Firefox Three Vulnerabilities
8.  [SA14346] Apple Mac OS X update for Java
9.  [SA13712] Yahoo! Messenger File Transfer Filename Spoofing
10. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14350] Bontago Nickname Handling Buffer Overflow Vulnerability
[SA14344] TrackerCam Multiple Vulnerabilities
[SA14365] SD Server Directory Traversal Vulnerability
[SA14349] Xinkaa WEB Station Directory Traversal Vulnerability
[SA14372] ArGoSoft FTP Server "SITE COPY" Shortcuts Security Issue
[SA14367] Verity Ultraseek Search Request Cross-Site Scripting
[SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness

UNIX/Linux:
[SA14346] Apple Mac OS X update for Java
[SA14364] cURL/libcURL NTLM and Kerberos Authentication Buffer Overflows
[SA14363] Gentoo update for putty
[SA14361] Gentoo update for gproftpd
[SA14352] SUSE Updates for Multiple Packages
[SA14340] GProftpd Log Parser Format String Vulnerability
[SA14331] Gentoo update for mc
[SA14330] Astaro update for BIND
[SA14334] Fedora update for kdeedu
[SA14376] Debian update for libapache-mod-python
[SA14375] SUSE update for squid
[SA14370] Fedora update for squid
[SA14368] Debian update for squid
[SA14355] Red Hat update for imap
[SA14354] glFTPd "SITE NFO" Directory Traversal Vulnerability
[SA14348] Tarantella Products User Account Enumeration Security Issue
[SA14347] Debian update for bidwatcher
[SA14343] Ubuntu update for squid
[SA14341] Gentoo update for gftp
[SA14339] Gentoo update for squid
[SA14332] Debian update for gftp
[SA14325] Mono ASP.NET Unicode Conversion Cross-Site Scripting
[SA14324] Bidwatcher eBay Format String Vulnerability
[SA14323] Mandrake update for kdelibs
[SA14320] Mandrake update for postgresql
[SA14371] Fedora update for postgresql
[SA14328] fallback-reboot Daemon Status Denial of Service Vulnerability
[SA14321] Ulog-php SQL Injection Vulnerabilities
[SA14357] Red Hat update for cpio
[SA14356] Red Hat update for vim
[SA14345] IBM AIX Perl Interpreter Privilege Escalation Vulnerabilities
[SA14338] Sun Solaris kcms_configure Arbitrary File Manipulation Vulnerability
[SA14374] Fedora update for gaim
[SA14322] Gaim Two Denial of Service Weaknesses

Other:
[SA14353] Thomson TCW690 Cable Modem Two Vulnerabilities
[SA14366] GigaFast EE400-R Broadband Router Two Vulnerabilities
[SA14358] ADP Elite System Max 9000 Series Local Shell Access

Cross Platform:
[SA14337] Mambo "GLOBALS['mosConfig_absolute_path']" File Inclusion
[SA14369] iGeneric iG Shop SQL Injection Vulnerabilities
[SA14362] phpBB Avatar Functions Information Disclosure and Deletion
[SA14359] unace Directory Traversal and Buffer Overflow Vulnerabilities
[SA14351] Biz Mail Form Open Mail Relay Vulnerability
[SA14342] IRM LDAP Login Security Bypass Vulnerability
[SA14336] Batik Squiggle Browser Unspecified Security Bypass
[SA14333] PuTTY Two Integer Overflow Vulnerabilities
[SA14326] vBulletin "template" PHP Code Injection Vulnerability
[SA14319] WebCalendar "webcalendar_session" SQL Injection
[SA14327] Arkeia Backup Client Type 77 Request Processing Buffer Overflow
[SA14360] MediaWiki Multiple Vulnerabilities
[SA14329] Invision Power Board SML Codes Script Insertion Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA14350] Bontago Nickname Handling Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-21

Luigi Auriemma has reported a vulnerability in Bontago, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14350/

--

[SA14344] TrackerCam Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2005-02-21

Luigi Auriemma has reported some vulnerabilities in TrackerCam, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, disclose system and sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14344/

--

[SA14365] SD Server Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-02-22

CorryL has reported a vulnerability in SD Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14365/

--

[SA14349] Xinkaa WEB Station Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-02-21

Luigi Auriemma has reported a vulnerability in Xinkaa WEB Station, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14349/

--

[SA14372] ArGoSoft FTP Server "SITE COPY" Shortcuts Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Unknown
Released:    2005-02-23

Cirpian Radu has reported a security issue with an unknown impact in ArGoSoft FTP Server.
Full Advisory:
http://secunia.com/advisories/14372/

--

[SA14367] Verity Ultraseek Search Request Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-02-22

Michael Krax has reported a vulnerability in Verity Ultraseek, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14367/

--

[SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness

Critical:    Less critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-21

bitlance winter has discovered a weakness in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

Full Advisory:
http://secunia.com/advisories/14335/

UNIX/Linux:--

[SA14346] Apple Mac OS X update for Java

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-23

Apple has acknowledged a vulnerability in Java for Mac OS X, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14346/

--

[SA14364] cURL/libcURL NTLM and Kerberos Authentication Buffer Overflows

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-22

infamous41md has reported two vulnerabilities in cURL/libcURL, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14364/

--

[SA14363] Gentoo update for putty

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-22

Gentoo has issued an update for putty. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14363/

--

[SA14361] Gentoo update for gproftpd

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-21

Gentoo has issued an update for gproftpd.
This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14361/

--

[SA14352] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, DoS, System access
Released:    2005-02-22

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, enumerate valid users, overwrite files, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14352/

--

[SA14340] GProftpd Log Parser Format String Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-21

Tavis Ormandy has reported a vulnerability in GProftpd, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14340/

--

[SA14331] Gentoo update for mc

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-02-18

Gentoo has issued an update for mc. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/14331/

--

[SA14330] Astaro update for BIND

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-02-18

Full Advisory:
http://secunia.com/advisories/14330/

--

[SA14334] Fedora update for kdeedu

Critical:    Moderately critical
Where:       From local network
Impact:      Privilege escalation, System access
Released:    2005-02-18

Fedora has issued an update for kdeedu. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14334/

--

[SA14376] Debian update for libapache-mod-python

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-23

Debian has issued an update for libapache-mod-python. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14376/

--

[SA14375] SUSE update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-23

SUSE has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14375/

--

[SA14370] Fedora update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-23

Fedora has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14370/

--

[SA14368] Debian update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-23

Debian has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14368/

--

[SA14355] Red Hat update for imap

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-02-21

Red Hat has issued an update for imap. This fixes an older vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14355/

--

[SA14354] glFTPd "SITE NFO" Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-02-22

Paul Craig has reported a vulnerability in glFTPd, which can be exploited by malicious users to detect the presence of local files and disclose some system and sensitive information.

Full Advisory:
http://secunia.com/advisories/14354/

--

[SA14348] Tarantella Products User Account Enumeration Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information
Released:    2005-02-21

A security issue has been reported in Secure Global Desktop Enterprise Edition and Tarantella Enterprise, which can be exploited by malicious people to enumerate valid user accounts and disclose some system information.

Full Advisory:
http://secunia.com/advisories/14348/

--

[SA14347] Debian update for bidwatcher

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-02-21

Debian has issued an update for bidwatcher. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14347/

--

[SA14343] Ubuntu update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-21

Ubuntu has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14343/

--

[SA14341] Gentoo update for gftp

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-02-21

Gentoo has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.
Full Advisory:
http://secunia.com/advisories/14341/

--

[SA14339] Gentoo update for squid

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-21

Gentoo has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14339/

--

[SA14332] Debian update for gftp

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-02-18

Debian has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.

Full Advisory:
http://secunia.com/advisories/14332/

--

[SA14325] Mono ASP.NET Unicode Conversion Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-02-22

Andrey Rusyaev has discovered a vulnerability in Mono, which potentially can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14325/

--

[SA14324] Bidwatcher eBay Format String Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-02-18

Ulf Härnhammar has reported a vulnerability in Bidwatcher, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14324/

--

[SA14323] Mandrake update for kdelibs

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Privilege escalation
Released:    2005-02-18

MandrakeSoft has issued an update for kdelibs. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct FTP command injection attacks.
Full Advisory:
http://secunia.com/advisories/14323/

--

[SA14320] Mandrake update for postgresql

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation, DoS
Released:    2005-02-18

MandrakeSoft has issued an update for postgresql. This fixes various vulnerabilities, which can be exploited by malicious users to gain escalated privileges, cause a DoS (Denial of Service), or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14320/

--

[SA14371] Fedora update for postgresql

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation
Released:    2005-02-23

Fedora has issued an update for postgresql. This fixes some vulnerabilities, which can be exploited by malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14371/

--

[SA14328] fallback-reboot Daemon Status Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-02-22

A vulnerability has been reported in fallback-reboot, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14328/

--

[SA14321] Ulog-php SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Manipulation of data
Released:    2005-02-21

Some vulnerabilities have been reported in Ulog-php, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14321/

--

[SA14357] Red Hat update for cpio

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Manipulation of data
Released:    2005-02-21

Red Hat has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.
Full Advisory:
http://secunia.com/advisories/14357/

--

[SA14356] Red Hat update for vim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-21

Red Hat has issued an update for vim. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14356/

--

[SA14345] IBM AIX Perl Interpreter Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-21

IBM has acknowledged two vulnerabilities in the perl interpreter in AIX. These can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14345/

--

[SA14338] Sun Solaris kcms_configure Arbitrary File Manipulation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-02-22

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to manipulate the contents of arbitrary files.

Full Advisory:
http://secunia.com/advisories/14338/

--

[SA14374] Fedora update for gaim

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-02-23

Fedora has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14374/

--

[SA14322] Gaim Two Denial of Service Weaknesses

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-02-18

Two weaknesses have been reported in Gaim, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14322/

Other:
--
[SA14353] Thomson TCW690 Cable Modem Two Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2005-02-21

MurDoK has reported two vulnerabilities in Thomson TCW690 Cable Modem, which can be exploited by malicious people to cause a DoS (Denial of Service) and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14353/

--
[SA14366] GigaFast EE400-R Broadband Router Two Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, DoS
Released: 2005-02-22

Gary H. Jones II has reported two vulnerabilities in GigaFast EE400-R Broadband Router, which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose some sensitive information.

Full Advisory:
http://secunia.com/advisories/14366/

--
[SA14358] ADP Elite System Max 9000 Series Local Shell Access

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-02-22

rootfiend has reported a vulnerability in ADP Elite System Max 9000 Series, which can be exploited by malicious users to gain local shell access to a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14358/

Cross Platform:
--
[SA14337] Mambo "GLOBALS['mosConfig_absolute_path']" File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-21

A vulnerability has been reported in Mambo, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14337/

--
[SA14369] iGeneric iG Shop SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-02-23

John Cobb has reported some vulnerabilities in iG Shop, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/14369/

--
[SA14362] phpBB Avatar Functions Information Disclosure and Deletion

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-02-22

AnthraX101 has reported two vulnerabilities in phpBB, which can be exploited by malicious users to disclose and delete sensitive information.

Full Advisory:
http://secunia.com/advisories/14362/

--
[SA14359] unace Directory Traversal and Buffer Overflow Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-23

Ulf Härnhammar has discovered some vulnerabilities in unace, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14359/

--
[SA14351] Biz Mail Form Open Mail Relay Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-22

Jason Frisvold has reported a vulnerability in Biz Mail Form, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory:
http://secunia.com/advisories/14351/

--
[SA14342] IRM LDAP Login Security Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-21

Fulvio Civitareale has reported a vulnerability in IRM, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14342/

--
[SA14336] Batik Squiggle Browser Unspecified Security Bypass

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-22

A vulnerability has been reported in Batik, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14336/

--
[SA14333] PuTTY Two Integer Overflow Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-21

Gaël Delalleau has reported two vulnerabilities in PuTTY, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14333/

--
[SA14326] vBulletin "template" PHP Code Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-22

pokleyzz has reported a vulnerability in vBulletin, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14326/

--
[SA14319] WebCalendar "webcalendar_session" SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-02-18

Michael Scovetta has reported a vulnerability in WebCalendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14319/

--
[SA14327] Arkeia Backup Client Type 77 Request Processing Buffer Overflow

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-21

John Doe has reported a vulnerability in Arkeia, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14327/

--
[SA14360] MediaWiki Multiple Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-02-22

Some vulnerabilities have been reported in MediaWiki, which can be exploited by malicious users to delete arbitrary files, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14360/

--
[SA14329] Invision Power Board SML Codes Script Insertion Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-21

Daniel A. has reported a vulnerability in Invision Power Board, which potentially can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14329/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 25 04:47:14 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:48 2005
Subject: [ISN] Hilton hack underscores mobile security lapses
Message-ID:

http://www.commsdesign.com/story/showArticle.jhtml?articleID=60403328

By Junko Yoshida
EE Times
Feb 24, 2005

PARIS - The gory if inconsequential details of how hotel heiress and professional celebrity Paris Hilton's cellphone address book was hacked this week nevertheless generated a buzz among engineers in the mobile phone industry.

The address book in question was stored on Hilton's Side Kick II smart phone, and backed up on a T-Mobile server.

Kevin Kissell, an architect at MIPS Technologies Inc., said he wondered "whether the hackers accessed numbers stored in the phone, a default for most mobiles, or on the SIM card." He also wondered "whether the outcome might have been different if Ms. Hilton had stored her numbers on the SIM."

T-Mobile wouldn't discuss its investigation.
A company spokesman, however, suggested that "someone had access to one of Ms. Hilton's devices and/or knew her account password."

Most reports postulated an attack on T-Mobile's server rather than the client. Speculation was based on the fact that T-Mobile's database was hacked last year by 22-year-old Nicolas Jacobsen, who pleaded guilty earlier this month.

Nonetheless, speculation was rampant regarding how hackers might have snagged her account password. Possible scenarios ranged from correctly guessing the name of Hilton's dog to the theft of records and passwords stored in her SideKick II. The phone's Bluetooth interface was also cited.

Hackers could have accessed T-Mobile's database using SQL (structured query language) injections, said David Naccache, vice president, research and innovation at Gemplus, based here. By adding SQL to a query, Naccache said, it's possible to manipulate a database in ways not anticipated by administrators.

Or, Hilton could have handed her phone to an acquaintance who extracted the information, said Naccache. "You need a key to the door in order to get into a house," he said. "But you can also get into the house through a window."

Naccache, a forensic expert, said a hack was possible anywhere between the handset and the network.

Even if the server was hacked rather than the client, Kissell's questions remain valid for chip vendors, SIM card manufacturers and mobile handset companies. All are racing to add security features to next-generation phone and network designs.

Added Mike Yonker, director of Technology Strategy at Texas Instruments Inc., "This incident really stresses the need for stronger security. Consumers have reason to question even the security of the servers where their data is stored at the mobile operator."
From isn at c4i.org Fri Feb 25 04:47:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:49 2005
Subject: [ISN] Network to research protection
Message-ID:

http://australianit.news.com.au/articles/0,7204,12366219%5E15306%5E%5Enbv%5E,00.html

James Riley
FEBRUARY 25, 2005

A NEW research network of universities and private sector organisations has been charged with improving protection of Australia's critical infrastructure.

Launched by Attorney General Philip Ruddock in Canberra, the Research Network for a Secure Australia (RNSA) will create collaborative research projects in the areas of IT security, physical infrastructure security, and surveillance and intelligent systems.

The creation of the research network is being funded through a five-year, $2 million Australian Research Council grant and aims to draw together existing expertise from Australian universities.

Mr Ruddock said the network would seek to align Australian research into critical infrastructure protection with the needs of local law enforcement, intelligence agencies and the private sector.

In addition to meeting the needs of local critical infrastructure protection, Mr Ruddock said the RNSA would also create potential products and expertise that could represent an export opportunity.

"It's in this field of critical infrastructure protection that it's essential that our research meets the needs of those who own the key assets and are responsible for their protection," Mr Ruddock said.

The RNSA brings together three universities. The University of Melbourne will manage the administrative operation of the network, and spearhead research into physical security in areas like blast modelling, protective materials and smart buildings and infrastructure.

The Australian Defence Force Academy (ADFA) at the University of New South Wales in Sydney will oversee all surveillance and intelligence systems research.
The Queensland University of Technology will co-ordinate IT infrastructure security research, including intrusion detection, computer forensics and the design of cryptographic algorithms.

Mr Ruddock said the primary goal of the new system would be in sharing research to create a better environment for innovating in the "fight against terrorism".

"It will facilitate the exchange of information and knowledge. It will stimulate debate. It will generate new ideas. It will encourage innovation.

"And it will encourage them to think laterally about how to best protect our national security, and critical infrastructure in particular."

From isn at c4i.org Fri Feb 25 04:47:57 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:51 2005
Subject: [ISN] Spy fears spook IBM-Lenovo deal
Message-ID:

Forwarded from: William Knowles

http://www.theregister.co.uk/2005/02/24/ibm_lenovo_spooks/

By Andrew Orlowski
24th February 2005

For years the Chinese government fretted that the US was using its technology lead to spy on the country - but now the tables are turned.

The US government has much deeper concerns about what China can glean from the historic Lenovo-IBM PC deal than recent reports have indicated. Concessions offered by IBM to the US Treasury's Committee on Foreign Investment in the United States were rejected yesterday, Bloomberg reports.

The Committee is worried that IBM's North Carolina facility presents opportunities for industrial espionage. Even the IBM customer list - and the US government is a very big customer indeed - could divulge information the US doesn't want China to see. And keeping this list private is one of the concessions apparently made by IBM. (Although it isn't clear how Lenovo can support IBM government staff if it doesn't know who or where they are.)

Another concession includes prohibiting Lenovo employees from certain buildings. IBM had been asked not to transfer R&D staff to the facility, but rejected the suggestion.
The Committee has until March 14 to file its report to the President.

In the late 1990s the PRC was worried that domestic CDMA networks were vulnerable to US political interference, as they use the DoD's GPS satellites to synchronize their base stations. However, a source told your reporter that Chinese government officials didn't object to monitoring of traffic on the ill-fated Iridium network.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Feb 25 04:48:09 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:55 2005
Subject: [ISN] Flaw threatens T-Mobile voice mail leaks
Message-ID:

http://news.com.com/Flaw+threatens+T-Mobile+voice+mail+leaks/2100-1002_3-5589608.html

By Robert Lemos
Staff Writer, CNET News.com
February 24, 2005

A convenient voice mail feature has likely opened up many T-Mobile subscribers' voice mail boxes to unauthorized attackers armed with a simple hack, the embattled cellular service provider acknowledged on Thursday.

The attack, publicized by wireless security firm Flexilis, could be used to download a person's voice mail or take control of the victim's voice mail functions, provided the attacker knew the subscriber's phone number.

"The attacker would be able to listen to the victim's voice mail, record the voice mail to a file on a remote server, and also make calls out from the system posing as the victim," said John Hering, director of business development for Flexilis. "This can all be done from a public pay phone, which is extremely difficult to trace."
While Flexilis did not give details of the flaws, at least one Internet site has pointed out that T-Mobile's voice mail system can be accessed by anyone who uses a service to spoof caller ID.

T-Mobile acknowledged the problem, but said that the solution is simple: Users should set their voice mail to require passwords.

"By default, customers are not required to put a password on their voice mail," said spokesman Bryan Zidar. "If you enable the password protection, it solves the problem."

Zidar said the issue has no relation to the high-profile privacy hits suffered by Paris Hilton and other celebrities or a previous incident where an online intruder had access to the mobile phone system. T-Mobile is still investigating that case and has not released how the information was stolen.

"The silver lining of this Paris Hilton thing is it is an opportunity for customers to take further steps to protect their data," Zidar said.

Flexilis also advised T-Mobile subscribers to change their voice mail setting to require a password from the mobile device.

From isn at c4i.org Fri Feb 25 04:48:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:53:58 2005
Subject: [ISN] Q&A: Rep. Davis on latest federal IT security report card
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100010,00.html

By Jaikumar Vijayan
FEBRUARY 24, 2005
COMPUTERWORLD

House Government Reform Committee Chairman Tom Davis (R-Va.) last week released the 2004 federal government computer security scorecard, which gave federal agencies an overall D+ average (see story) [1]. Several agencies, including the Department of Homeland Security and the Department of Energy, scored F's for the second year running. Others, such as the Department of Transportation, showed big improvements.
In this interview with Computerworld, Davis talked about the government's performance on the scorecard and warned that more mandates could be on the way if federal agencies don't fix their security issues soon.

What are your conclusions about the overall performance of government agencies?

I think it is improving, but it's not improving fast enough at this point. The overall agency scores rose by 2.5 points, but they still scored a D+. We just need to continue to give this focus, and hopefully we won't have some kind of cyberattack or cyber-Pearl Harbor. We have to be inspired by that to try and stay ahead of the curve.

Why are some agencies faring so well while others appear to be struggling?

Leadership. It's about leadership. It basically goes to the CIO and the agency heads and their ability to coordinate on this. They have to get this focused. They need to get a plan, [and] they need to execute on it. Some agencies have put the resources into it, and others haven't. We have independently verified these scores. Some have still a long way to go.

What's the incentive to improve when there are no funding or other repercussions for bad grades?

I don't know if you want to punish people by withholding funding. That makes it even tougher for them to meet their goals. But I think there may be an embarrassment factor. If you want to have career advancement and you come off an agency that has got a bad FISMA [Federal Information Security Management Act] grade, it probably isn't going to help you move to the next level. I think this is part of the evaluation process. Eventually, I think there will be a funding attachment. These scorecards are fairly new, and we are trying to get an appropriations buy-in.

Many of the recommended security controls for federal agencies will become mandated requirements by the end of this year. What impact will that have on the scorecards next year?

Mandates are better than suggestions, unfortunately.
You hate to get to the point where you have to mandate things that need to get done. But I think that is the way Congress will react, with more mandates on agencies that will put more burden on them. We would rather have [agencies] solve the issues themselves. But if they can't do that, I think they'll get a lot more mandates.

You identified several areas where federal agencies overall need to improve, including annual reviews of contractor systems, testing of contingency plans and incident reporting. What is the problem?

[Federal agencies] don't have the finances for it. The basic problem is that we are asking them to do this in some cases without giving them a lot of new money. As a result of that, they just check it off like they do all their other priorities. They are kind of waiting for additional money to come through. We ask the agencies to do a lot of things. This is just one.

You had identified a need for each agency's inspector general to standardize the evaluation process to ensure the accuracy of their reports and make sure that fair comparisons can be made between the agencies. What's being done?

We haven't made any changes yet. That will be based on the responses we get from the different agencies.

How will the CISO Exchange that you announced recently help improve things?

Hopefully, we will get people to come from agencies that have done it going into agencies that haven't done it and show them how to do it. You get some pollination that way.

[1] http://www.computerworld.com/governmenttopics/government/story/0,10801,99846,00.html

From isn at c4i.org Fri Feb 25 04:48:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 25 04:54:00 2005
Subject: [ISN] Firefox Patch Fixes Vulnerabilities And Crashes
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=ZEU4XWPELZQMIQSNDBCSKHSCJUMEKJVN?articleID=60403364

By John Foley
InformationWeek
Feb. 24, 2005

It's time to update the millions of Firefox 1.0 browsers that have been downloaded over the past 11 weeks. The Mozilla Foundation on Thursday released its first security update to Firefox, comprising a series of patches intended to prevent spoofing and phishing attacks and fix glitches that cause the browser to crash.

The security update, Firefox 1.0.1, can be downloaded immediately at www.mozilla.org, and it will be available within a few days via Firefox's automatic update feature.

"I'd encourage users to get this release, especially if they've been prone to phishing attacks or spoofing," says Chris Hofmann, director of engineering with Mozilla, a nonprofit software-development organization. "A lot of work in this release focuses on those areas."

The update covers a handful of security vulnerabilities and approximately 40 other fixes related to browser performance based on user feedback to Mozilla. The security vulnerabilities range from "moderately critical" in nature to not critical. None of them are highly critical, and there are no known exploits for any of the vulnerabilities, Hofmann says.

One security patch addresses the problem of international domain name spoofing, in which a hacker could potentially spoof a Web site through the international characters in the browser. The fix involves putting "funny-looking characters" in the susceptible area of the browser, though Hofmann acknowledges it's only a temporary solution. Security firm Secunia described the IDN spoofing vulnerability in a bulletin earlier this month.

The update is also meant to prevent cross-site scripting, in which an attacker gains access to data entered on a Web site by manipulating the browser.

Firefox 1.0 has been downloaded 27 million times since it was released on Dec. 7. In the process, the no-cost browser has cut into Microsoft Internet Explorer's dominant share of the browser market.
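The IDN spoofing fix Hofmann describes amounts to showing a suspicious name in its ASCII (xn--) form instead of as look-alike glyphs. As an added example, not code from Mozilla or the article, the following Python snippet (constructed sample hostnames; a deliberately simplified mixed-script heuristic, not the rule any browser ships) flags a label that mixes Latin and Cyrillic letters and renders it the way a cautious UI would:

```python
import unicodedata

# Constructed sample hostnames for this example. The second one replaces the
# first Latin "a" of paypal with Cyrillic "а" (U+0430), which most fonts draw
# identically; the third is an ordinary single-script German name.
SAMPLE_HOSTS = ["paypal.com", "p\u0430ypal.com", "b\u00fccher.example"]


def label_scripts(label):
    """Set of script names used by the letters of one DNS label, taken as the
    first word of each character's Unicode name (LATIN, CYRILLIC, GREEK ...).
    This is a simplification: real script properties are finer-grained."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(host):
    """Flag a hostname if any label mixes letters from more than one script.
    A single-script non-Latin name (bücher.example) is legitimate and passes."""
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


def to_punycode(host):
    """ACE form of the hostname: what an IDN-aware resolver really looks up and
    what a browser can show instead of the glyphs. Uses Python's idna codec."""
    return host.encode("idna").decode("ascii")


def display_form(host):
    """What a cautious address bar would show: the xn-- form for mixed-script
    names, the original text otherwise."""
    return to_punycode(host) if is_mixed_script(host) else host


def report(hosts=SAMPLE_HOSTS):
    """(host, mixed_script?, displayed) for each sample, for a quick review."""
    return [(h, is_mixed_script(h), display_form(h)) for h in hosts]


if __name__ == "__main__":
    for host, mixed, shown in report():
        print(f"{host!r:28} mixed={mixed!s:5} shown as {shown}")
```

Note that the mixed-script test alone says nothing about a whole-Cyrillic look-alike of a Latin name; that case needs a confusable-character table rather than this heuristic.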
IE's market share on Windows PCs had slipped to 92.7% in mid-January, from 96.7% in June, while Firefox's share rose, according to WebSideStory Inc., a Web-analytics firm that tracks browser usage. WebSideStory is expected to release updated Web-browser statistics next week.

From isn at c4i.org Mon Feb 28 05:36:15 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:43:42 2005
Subject: [ISN] Linux Advisory Watch - February 25th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 25th, 2005 Volume 6, Number 8a |
+---------------------------------------------------------------------+

Editors: Dave Wreski dave@linuxsecurity.com
         Benjamin D. Thomas ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for emacs, gftp, bidwatcher, mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh, postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups, kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

VULNERABILITIES IN WEB APPLICATIONS
By Raymond Ankobia

The Internet has made the world smaller. In our routine usage we tend to overlook that "www" really does mean "world wide web" making virtually instant global communication possible. It has altered the rules of marketing and retailing.
An imaginative website can give the small company as much impact and exposure as its much larger competitors. In the electronics, books, travel and banking sectors long established retail chains are increasingly under pressure from e-retailers. All this, however, has come at a price: ever more inventive and potentially damaging cyber crime.

This paper aims to raise awareness by discussing common vulnerabilities and mistakes in web application development. It also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda. But does the risk of exposing information assets get sufficient management attention? Extension of corporate portals for Business-to-Business (B2B) or developments of websites for Business-to-Customer (B2C) transactions have been largely successful. But the task of assessing the risk from vulnerabilities and threats to corporate information assets is still avoided by many organisations. The desire to stay ahead of the competition while minimising cost by leveraging technology means the process is driven by pressure to achieve results. What suffers in the end is the application development cycle, which is completed without security in mind.

Section 1 of this paper introduces the world of e-business and sets the stage for further discussions. Section 2 looks at common vulnerabilities inherent in web application development. Section 3 considers countermeasures and strategies that will minimise, if not eradicate, some of the vulnerabilities. Sections 4 and 5 draw conclusions and look at current trends and future expectations.

The TCP/IP protocol stack, the underlying technology, is known for its lack of security on many of its layers. Most applications written for use on the Internet use the application layer, traditionally using HTTP on port 80 on most web servers.
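The article goes on to note that HTTP is stateless, offers no freshness mechanism for a session, and that packets in transit can be copied or altered. As an added example (not from the article or the newsletter; constructed key and values, an assumed 900-second freshness policy), here is the kind of server-side session-token check that lets a web application detect an altered or replayed token, while a token that was merely read by an eavesdropper still verifies, which is why confidentiality needs transport encryption rather than a MAC:

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; a real server loads it from protected
# storage rather than embedding it in source.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
MAX_TOKEN_AGE = 900  # seconds a token stays fresh (assumed policy value)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(user, issued_at, key=SERVER_KEY):
    """Bind the user id and the issue time to an HMAC-SHA256 tag. HTTP keeps
    no state between requests, so everything the server later needs travels
    inside the token and is covered by the MAC."""
    payload = json.dumps({"user": user, "iat": issued_at}, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token, now, key=SERVER_KEY, max_age=MAX_TOKEN_AGE):
    """Return (accepted, reason, claims).

    "tampered": payload changed in transit (active attack); the MAC no longer
                matches, so the server never acts on the altered claims.
    "stale":    MAC is genuine but the token is older than max_age, so a
                captured token cannot be replayed indefinitely.
    "malformed": not two base64 fields.
    """
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # wrong field count, bad padding, non-ASCII input
        return False, "malformed", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "tampered", None
    claims = json.loads(payload)
    if now - claims["iat"] > max_age:
        return False, "stale", None
    return True, "ok", claims


def rewrite_user_claim(token, new_user):
    """Model an active attacker who edits the user claim in transit without
    knowing the key: the original MAC is kept, so it no longer matches."""
    payload_b64, mac_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = new_user
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + mac_b64


if __name__ == "__main__":
    token = issue_token("alice", issued_at=1_000_000)
    print("fresh, intact:   ", verify_token(token, now=1_000_100)[1])
    print("claim rewritten: ", verify_token(rewrite_user_claim(token, "admin"), now=1_000_100)[1])
    print("replayed later:  ", verify_token(token, now=1_000_000 + MAX_TOKEN_AGE + 1)[1])
    print("garbage:         ", verify_token("not-a-token", now=1_000_100)[1])
```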
The HTTP protocol is stateless and does not provide freshness mechanisms for a session between a client and server; hence, many hackers take advantage of these inherent weaknesses. TCP/IP may be reliable in delivering Internet packets, but it provides no guarantee of confidentiality or integrity, and little identification. As emphasised in [1], Internet packets may traverse several hosts between source and destination addresses. During their journey they can be intercepted by third parties, who may copy, alter or substitute them before final delivery.

Failure to detect and prevent attacks in web applications is potentially catastrophic. Attacks are loosely grouped into two types, passive and active. Passive attackers [6] engage in eavesdropping on, or monitoring of, transmissions. Active attacks involve some modification of the data stream or creation of false data streams [6].

Read Entire Article:
http://www.linuxsecurity.com/content/view/118427/49/

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address.
The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+

* Debian: New emacs21 packages fix arbitrary code execution
  17th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118356

* Debian: New gftp packages fix directory traversal vulnerability
  17th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118362

* Debian: New bidwatcher packages fix format string vulnerability
  18th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118384

* Debian: New mailman packages really fix several vulnerabilities
  21st, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118391

* Debian: New squid packages fix denial of service
  23rd, February, 2005
  Updated packages.
  http://www.linuxsecurity.com/content/view/118411

* Debian: New mod_python packages fix information leak
  23rd, February, 2005
  Updated packages.
  http://www.linuxsecurity.com/content/view/118416

+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: kdeedu-3.3.1-2.3
  17th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118361

* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80
  17th, February, 2005
  Updated.
  http://www.linuxsecurity.com/content/view/118364

* Fedora Core 3 Update: policycoreutils-1.18.1-2.9
  17th, February, 2005
  Updated.
  http://www.linuxsecurity.com/content/view/118365

* Fedora Core 3 Update: gamin-0.0.24-1.FC3
  18th, February, 2005
  This update fixes a number of annoying bugs in gamin especially the Desktop update problem in the GNOME environment that affected a number of users.
  http://www.linuxsecurity.com/content/view/118386

* Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2
  21st, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118397

* Fedora Core 2 Update: gaim-1.1.3-1.FC2
  22nd, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118404

* Fedora Core 3 Update: gaim-1.1.3-1.FC3
  22nd, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118405

* Fedora Core 3 Update: openssh-3.9p1-8.0.1
  22nd, February, 2005
  This update changes default ssh client configuration so the trusted X11 forwarding is enabled. Untrusted X11 forwarding is not supported by X11 clients and doesn't work with Xinerama.
  http://www.linuxsecurity.com/content/view/118406

* Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1
  22nd, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118407

* Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1
  22nd, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118408

* Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1
  22nd, February, 2005
  This update fixes CAN-2005-0446, Squid DoS from bad DNS response.
  http://www.linuxsecurity.com/content/view/118409

* Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1
  22nd, February, 2005
  This update fixes CAN-2005-0446, Squid DoS from bad DNS response.
  http://www.linuxsecurity.com/content/view/118410

* Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1
  24th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118424

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: Midnight Commander Multiple vulnerabilities
  17th, February, 2005
  Midnight Commander contains several format string errors, buffer overflows and one buffer underflow leading to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118363

* Gentoo: Squid Denial of Service through DNS responses
  18th, February, 2005
  Squid contains a bug in the handling of certain DNS responses resulting in a Denial of Service.
  http://www.linuxsecurity.com/content/view/118382

* Gentoo: GProFTPD gprostats format string vulnerability
  18th, February, 2005
  gprostats, distributed with GProFTPD, is vulnerable to a format string vulnerability, potentially leading to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118383

* Gentoo: gFTP Directory traversal vulnerability
  19th, February, 2005
  gFTP is vulnerable to directory traversal attacks, possibly leading to the creation or overwriting of arbitrary files.
  http://www.linuxsecurity.com/content/view/118388

* Gentoo: PuTTY Remote code execution
  21st, February, 2005
  PuTTY was found to contain vulnerabilities that can allow a malicious SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP clients.
  http://www.linuxsecurity.com/content/view/118395

* Gentoo: Cyrus IMAP Server Multiple overflow vulnerabilities
  23rd, February, 2005
  The Cyrus IMAP Server is affected by several overflow vulnerabilities which could potentially lead to the remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118417

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

* Mandrake: Updated cups packages fix
  17th, February, 2005
  Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888). This also affects applications like cups that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
  http://www.linuxsecurity.com/content/view/118367

* Mandrake: Updated gpdf packages fix
  17th, February, 2005
  Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888). This also affects applications like gpdf that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
  http://www.linuxsecurity.com/content/view/118368

* Mandrake: Updated kdelibs packages fix
  17th, February, 2005
  A bug in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command was discovered. Because of this, it is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or even send unsolicited email.
  http://www.linuxsecurity.com/content/view/118369

* Mandrake: Updated KDE packages address
  17th, February, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/118370

* Mandrake: Updated xpdf packages fix
  17th, February, 2005
  Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888).
  This also affects applications that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
  http://www.linuxsecurity.com/content/view/118371

* Mandrake: Updated PostgreSQL packages
  17th, February, 2005
  A number of vulnerabilities were found.
  http://www.linuxsecurity.com/content/view/118372

* Mandrake: Updated tetex packages fix
  17th, February, 2005
  Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888). This also affects applications like tetex that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
  http://www.linuxsecurity.com/content/view/118373

* Mandrake: Updated uim packages fix
  24th, February, 2005
  Takumi ASAKI discovered that uim always trusts environment variables, which can allow a local attacker to obtain elevated privileges when libuim is linked against an suid/sgid application. This problem is only exploitable in 'immodule for Qt' enabled Qt applications. The updated packages are patched to fix the problem.
  http://www.linuxsecurity.com/content/view/118425

* Mandrake: Updated squid packages fix
  24th, February, 2005
  The squid developers discovered that a remote attacker could cause squid to crash via certain DNS responses. The updated packages are patched to fix the problem.
  http://www.linuxsecurity.com/content/view/118426

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Low: cpio security update
  18th, February, 2005
  An updated cpio package that fixes a umask bug and supports large files (>2GB) is now available.
  This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118378

* RedHat: Low: imap security update
  18th, February, 2005
  Updated imap packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118379

* RedHat: Low: vim security update
  18th, February, 2005
  Updated vim packages that fix a security vulnerability are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118380

* RedHat: Important: cups security update
  18th, February, 2005
  Updated cups packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118381

* RedHat: Important: kernel security update
  18th, February, 2005
  Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118385

* RedHat: Moderate: imap security update
  23rd, February, 2005
  Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118418

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: squid remote denial of service
  22nd, February, 2005
  Squid is an Open Source web proxy.
  A remote attacker was potentially able to crash the Squid web proxy if the log_fqdn option was set to "on" and the DNS replies were manipulated.
  http://www.linuxsecurity.com/content/view/118403

* SuSE: cyrus-imapd buffer overflows
  24th, February, 2005
  This update fixes one-byte buffer overruns in the cyrus-imapd IMAP server package.
  http://www.linuxsecurity.com/content/view/118423

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 28 05:36:37 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:43:45 2005
Subject: [ISN] Cyber warriors anticipate center
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2005/0221/web-jtfg-02-25-05.asp

By Frank Tiboni
Feb. 25, 2005

Personnel in the military's new cyberdefense organization hope to operate a new command center by late spring. The facility will include new hardware and software to help workers of the Joint Task Force-Global Network Operations (JTF-GNO) operate, manage and defend the military's computer networks.

"It will be a state-of-the-art facility," said Army Brig. Gen. Dennis Via, deputy commander of the JTF-GNO. He spoke Feb. 23 at the Defense Department Global Information Grid Enterprise Services conference held by the Association for Enterprise Integration, an industry trade group.

Via said JTF-GNO personnel need a new command center to perform their global mission. He declined to discuss its cost and the companies doing the work.

Military officials will update the secure compartmentalized information facility (SKIF) of JTF-GNO's predecessor organization, the Joint Task Force-Computer Network Operations, Via said.
A SKIF should ensure that people cannot eavesdrop on the voice, video and data monitored and transmitted there. Work started there in December and should end in May.

JTF-GNO employees temporarily work in the Global Network Operations and Security Center operated by the Defense Information Systems Agency, Via said.

The opening of the new command center coincides with JTF-GNO becoming fully operational. Task force officials also plan in May to issue updated guidelines for overseeing the military's networks, called the Joint Concept of Operations, he said.

In June, Defense Secretary Donald Rumsfeld created JTF-GNO and named the director of the Defense Information Systems Agency, Air Force Lt. Gen. Harry Raduege, to oversee it to achieve a more cohesive operation, management and protection of the military's networks. In November, DOD officials approved the Global Information Grid Network Operations and Defense plan that identifies four officials in the military services that will report to Raduege.

The task force falls under Strategic Command, one of the military's nine unified combatant commands that either oversee use of combat forces in a geographic region or provide a capability and develop doctrine for them. Strategic Command oversees the operation and protection of the military's networks and information operations, to include psychological operations and perhaps computer network attack.

The formation of and foundation for JTF-GNO comes after task force officials in 2004 tabulated 74,053 incidents including attempted intrusions on the military's networks ... the most since DOD officials started publicly announcing them in 2001. They reported 40,076 incidents in 2001, 43,086 in 2002 and 54,688 in 2003.

"The threat is becoming more aggressive and sophisticated," said Via.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Feb 28 05:36:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:43:52 2005
Subject: [ISN] Security Firms Follow Unwritten Code When Digging Up Dirt On Each Other
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=POBBDHOZK2B4AQSNDBCCKH0CJUMEKJVN?articleID=60403683

By Gregg Keizer
TechWeb News
Feb. 25, 2005

A critical vulnerability was spotted Thursday in the anti-virus engine used by Trend Micro's entire line of client, server, and gateway security products, the third such disclosure this month of flaws in major security firms' software.

As in the other two instances, with Symantec and F-Secure, the Trend Micro vulnerability was discovered by Internet Security Systems, an Atlanta-based security provider, and revolved around the processing of a compressed file format. The Trend Micro flaw related to the ARJ file format, which, said ISS, could be used by a hacker to "gain unauthorized access to networks and machines being protected by Trend Micro AntiVirus Library."

The affected titles include Trend Micro's Messaging Suite, VirusWall, ScanMail, and PC-cillin lines, among others. A complete list has been posted on Trend Micro's Web site.

An attacker would only have to send an e-mail containing a specially-crafted ARJ file to the target system to compromise the system, added ISS.

Previously, ISS spotted similar vulnerabilities in how Symantec's products handled UPX files and how F-Secure's dealt with ARJ compressed files.

For its part, Trend Micro dubbed the vulnerability "critical," and posted fixes to the affected software on its Web site. Customers were urged to download the updated anti-virus scanning engine from here as soon as possible.
Users who don't update manually will receive automatic updates the middle of next week.

While vulnerabilities within security products are rare -- at least in comparison to, say, operating systems such as Windows -- they're not unheard of. And by one analyst's take, they're fair game.

"Within the security community, anytime one finds any vulnerability, it's kosher to make it public if the researcher follows the protocol for responsible disclosure," said John Pescatore, a vice president at Gartner and one of the research firm's security gurus.

In that unwritten protocol, he said, researchers don't publicly disclose a vulnerability until they've alerted the vendor and given it time -- 30 to 45 days at least -- to fix the problem. ISS followed that protocol in all three instances of revealing vulnerabilities in anti-virus firms' products.

"I haven't heard any negative rumblings in the security community about what ISS is doing," said Pescatore. "They've been very above board."

Trend Micro agrees. "ISS is really great to work with," said Bob Hansmann, the product marketing manager for Trend Micro in North America.

According to Pescatore, it's crucial that security software get the once-over. "It's even more important than looking for vulnerabilities in Windows or Oracle," he said. "People have a feeling of security when they're using a security product, and if there's a vulnerability in a firewall, for instance, nothing behind that firewall is protected. Everything's exposed."

Trend Micro agreed here, too. "We're actually really happy that people are doing this. The industry needs something like this, not because we need to stir up anything politically [between companies] but because different people tend to look at problems different ways," said Hansmann.

But the practice of one security firm investigating another could be considered inappropriate, said Pescatore, if abused.
In the past, various anti-virus firms took potshots at each other, not in public, but by touting the weaknesses in rivals to analysts like Pescatore. In practice, he said, there's an unwritten rule not to poke in competitors' products, for fear of unleashing the beast. "It's like the old days between the U.S. and the Soviet Union. Neither dared use the Bomb." Likewise, if one vendor picked on a rival, it could only expect that in return.

But the market dynamic is different here, Pescatore said. "ISS doesn't sell anti-virus products, so they're not really direct competitors with Trend Micro, Symantec, and F-Secure. They do get publicity out of this, though."

"Maybe in a year or so, we'll look back and see a pattern, and go, 'okay, that's why ISS was digging into anti-virus code,'" said Hansmann, "but for now, we appreciate what they've done."

ISS itself isn't a stranger to vulnerabilities. About a year ago, the Witty worm exploited an unpatched vulnerability in ISS' BlackICE firewall, infected 10,000 to 50,000 systems, and erased data on some machines.

"If there's one thing I would tweak ISS about," said Pescatore, "it would be that I'm assuming we'll never see anything like the Witty worm in the future if ISS has the time to look for vulnerabilities in other companies' products."

It's not easy to dig up vulnerabilities, said Pescatore: "it takes skill," he said. "You would have thought they'd been looking at their own products."

ISS did not respond to requests for comment.

From isn at c4i.org Mon Feb 28 05:37:10 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:43:54 2005
Subject: [ISN] 'No Execute' Flag Waves Off Buffer Attacks
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A55209-2005Feb26.html

By John Breeden II
Special to The Washington Post
February 27, 2005

Pour a 12-ounce can of soda into an eight-ounce glass, and you've got spilled soda and a sticky mess. Hackers know this principle, too.
But when they apply it in crafting viruses and worms, the mess is a lot harder to clean up -- and, until recently, to prevent.

These exceedingly common "buffer overflow" exploits are one of the most common ways computers get infected by viruses and worms, from the "Great Internet Worm" of 1988 to 2003's Blaster. They attack programs written in the widely used C and C++ programming languages. A malicious application will try to bowl them over with a too-large chunk of data that hides some executable code. Once that overflow crashes the target program, the embedded code can run and perform whatever mischief it's assigned -- deleting your data or turning your PC into a "zombie" that infects other machines or relays spam.

In other words, instead of plain old soda, you spilled Evil Cola that isn't content to stain the table but will try to hijack it.

If programmers wrote perfect software that could never be crashed by an overload of data, buffer overflow attacks would be a thing of the past. Various defensive techniques can also squelch overflow attacks, and other programming languages, such as Java, don't permit them at all (at the cost of slower performance). But rewriting or replacing every program in existence just isn't going to happen anytime soon.

With last year's Service Pack 2 update to Windows XP, however, there is a new defense. In that update, Microsoft built in special code called the "no execute" (NX) flag that, when run on compatible processors, blocks code from running in the memory areas targeted by overflow attacks.

Finding those compatible processors may not be easy. AMD offers NX support (which it calls "Enhanced Virus Protection") on all its Athlon 64 chips. But at Intel -- which trailed AMD in adding this technology to its consumer hardware -- the selection is much more random.
Intel spokeswoman Claudine Mangano said the following processors offer NX support, which Intel calls "Execute Disable Bit Functionality": 520J, 530J, 540J, 550J, 560J, 570J, 630, 640, 650, 660 and "Extreme Edition" Pentium 4 desktop processors, plus the 730, 740, 750, 753, 758, 760 and 770 Pentium M laptop processors.

Pair up the right processor with an SP2 edition of Windows XP (Microsoft's Windows Server 2003 with Service Pack 1, Red Hat Enterprise Linux 3 Update 3 and SuSE Linux 9.2 also offer NX), and your system should run just as it did before in daily use. We have yet to see any programs break on an NX-enabled machine.

To test this feature in action, we ran a simple buffer-overflow test that, on a computer without SP2, flashed a message on the screen to signal a successful takeover. We ran the same test on a desktop with an AMD Athlon 64 processor and a laptop with a new Intel Pentium M chip, and the attack program got nowhere.

This defense wasn't without its cost: Each time, the computer crashed as the attacking program tried to batter its way into the NX-protected neighborhood. A single buffer overflow should be blocked without incident by NX, but this barrage was too much. A system crash, however, still beats losing control of the computer.

NX cannot defeat all attacks. Participants on hacker newsgroups are already mulling over ways to circumvent this barrier, and NX can't stop tactics that don't employ buffer overflows.

NX is worth incorporating into your security plan -- either when you buy your next Windows computer, or by (finally) installing SP2 on your NX-ready machine -- but you'll still need to back it up with an up-to-date antivirus program, a firewall and one or more anti-spyware utilities.
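The two things the article ties NX protection to, a processor that supports it and memory that is never both writable and executable, can be checked on the Linux hosts it mentions. The following C program is an added example (not from the article or any vendor) that reads /proc/cpuinfo for the nx flag and /proc/self/maps for writable+executable mappings and an executable stack; the sample inputs embedded in it are constructed, and running it stand-alone inspects the current machine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs in /proc/cpuinfo and /proc/self/maps format. */
static const char SAMPLE_CPUINFO_NX[] =
    "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce nx lm\n";
static const char SAMPLE_MAPS_PROTECTED[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/demo\n"
    "7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_MAPS_EXEC_STACK[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0 [stack]\n";

/* Copy one line (without its newline) into buf; return a pointer to the
 * next line, or NULL at the end of the text. */
static const char *next_line(const char *p, char *buf, size_t cap) {
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= cap) len = cap - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : NULL;
}

/* Whole-word search for one flag in a space-separated flag list. */
static int has_flag(const char *list, const char *flag) {
    size_t flen = strlen(flag);
    const char *p = list;
    while ((p = strstr(p, flag)) != NULL) {
        int start_ok = (p == list) || isspace((unsigned char)p[-1]);
        int end_ok = p[flen] == '\0' || isspace((unsigned char)p[flen]);
        if (start_ok && end_ok) return 1;
        p += flen;
    }
    return 0;
}

/* 1 if the first "flags" line lists "nx" (Linux reports both AMD's NX and
 * Intel's Execute Disable bit under that name), else 0. */
int cpu_has_nx(const char *cpuinfo) {
    char buf[4096];
    const char *p = cpuinfo;
    while (p && *p) {
        p = next_line(p, buf, sizeof buf);
        if (strncmp(buf, "flags", 5) == 0) {
            const char *colon = strchr(buf, ':');
            return has_flag(colon ? colon + 1 : buf, "nx");
        }
    }
    return 0;
}

/* Walk a maps listing: return how many mappings are both writable and
 * executable (what NX denies to data pages); optionally flag an executable [stack]. */
static int scan_maps(const char *maps, int *stack_exec) {
    char buf[512], range[64], perms[8];
    const char *p = maps;
    int wx = 0;
    if (stack_exec) *stack_exec = 0;
    while (p && *p) {
        p = next_line(p, buf, sizeof buf);
        /* fields: address-range perms offset dev inode [pathname] */
        if (sscanf(buf, "%63s %7s", range, perms) != 2 || strlen(perms) < 3)
            continue;
        int w = perms[1] == 'w', x = perms[2] == 'x';
        if (w && x) wx++;
        if (x && stack_exec && strstr(buf, "[stack]")) *stack_exec = 1;
    }
    return wx;
}

int count_wx_mappings(const char *maps) { return scan_maps(maps, NULL); }

int stack_is_executable(const char *maps) {
    int se;
    scan_maps(maps, &se);
    return se;
}

static size_t read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

/* Stand-alone run: inspect the machine this program is executing on. */
int main(void) {
    static char buf[1 << 16];
    if (read_file("/proc/cpuinfo", buf, sizeof buf))
        printf("CPU advertises NX/XD: %s\n", cpu_has_nx(buf) ? "yes" : "no");
    if (read_file("/proc/self/maps", buf, sizeof buf)) {
        printf("[stack] executable: %s\n", stack_is_executable(buf) ? "yes" : "no");
        printf("writable+executable mappings: %d\n", count_wx_mappings(buf));
    }
    return 0;
}
```

A non-zero writable+executable count or an executable stack on a host that advertises nx usually means a program was built with an executable-stack marking, which is the kind of gap the article's "NX cannot defeat all attacks" caveat points at.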
From isn at c4i.org Mon Feb 28 05:37:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:43:57 2005
Subject: [ISN] Bank loses credit-card info of 1.2M federal workers
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100061,00.html

By Joanne Morrison
FEBRUARY 26, 2005
REUTERS

Computer tapes containing credit-card records of U.S. Senators and more than a million U.S. government employees are missing, Bank of America said yesterday, putting the customers at increased risk of identity theft.

The security breach, which included data on a third of the Pentagon's staff, angered lawmakers already concerned after criminals gained access to thousands of consumer profiles in a database maintained by a data profiling company, ChoicePoint Inc.

Bank of America Corp. did not release details of how the tapes were lost, but Sen. Charles Schumer, a New York Democrat, said he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

"Whether it is identity theft, terrorism or other theft, in this new and complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," Schumer said.

Social security numbers, addresses and account numbers were on the tapes for 1.2 million account holders, of which about 900,000 belonged to Defense Department employees, Defense Department spokesman Bryan Whitman said. The tapes contained information from the accounts of dozens of U.S. Senators and from employees of federal agencies, officials monitoring the situation said.

Bank of America said the small number of computer data tapes were lost in December while being shipped to a back-up data center. It said there was no evidence of crime resulting from the loss but the U.S. Secret Service was investigating the case.
No thefts

Although the tapes were lost months ago, bank officials were only allowed to notify cardholders when they received permission from federal law enforcement authorities, Bank of America spokeswoman Eloise Hale said.

"The investigation to date has found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost," the bank said in a statement.

Sen. Patrick Leahy, a Vermont Democrat, said he hoped the fact that Senate information was among the lost data would spur Congress to pay attention to a "rapid erosion of privacy rights" due to faulty data security.

Bank of America, based in Charlotte, N.C., said it would monitor customer accounts detailed on the data tapes and cardholders would be contacted if unusual activity is detected. It said government cardholders would not be liable for unauthorized use of their cards.

Officials at the General Services Administration, which manages federal employee travel credit-card accounts, could not be reached for comment, but U.S. banking regulators said they were tracking the case.

"The bank notified us and we've been monitoring the situation," said Kevin Mukri, a spokesman for the Office of the Comptroller of the Currency, which regulates Bank of America.

Bank of America routinely ships back-up data tapes for storage at different locations in case any offices are damaged by fires or flood. The Defense Department has posted information about the issue for its employees on its Web site.

(Additional reporting by Aleksandrs Rozens and Michele Gershberg in New York, and Andrea Shalal-Esa and Mark Felsenthal in Washington)

From isn at c4i.org Mon Feb 28 05:37:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:44:00 2005
Subject: [ISN] Sidekick 2 hacks - Re: Hilton hack underscores mobile security lapses
Message-ID:

Forwarded from: Anonymous Sidekick Developer

I just read the last ISN article about the Sidekick hacking.
I cringe when people who don't really know anything about the Sidekick start making statements and don't even look at the abilities of the device in question. Sorry about using the remailer; I am a developer for Danger's Hiptop/Sidekick, as I would like to continue to be a developer.

Some facts about the Sidekick (called the Hiptop everywhere except Tmobile):

1. It's not Bluetooth. There are no production Sidekicks with Bluetooth. There's a good chance that there are working prototypes, but nothing available for consumers yet. You can rule out bluesnarfing or any type of Bluetooth hacking/virus/sniffing. The Sidekick has no Bluetooth hardware.

2. The sim card storage capacity is so small there is virtually no data on it that the Sidekick could use. The only thing the Sidekick stores on a sim card is around 30 sms text messages (depending on the sim card). The Sidekick stores its data on the 16mb (color Sidekick) or 32mb (Sidekick II) internal device memory, and also on a backend server run by Danger Inc, the company that created the Sidekick/Hiptop.

3. It's the backend that got hacked, not the actual phone. As a sidekick developer and user, the screenshots I saw online are from the backend server. Danger's backend service is the backbone of the device; all data is backed up on those servers. This is done for two reasons. First, a Sidekick device is not the sole location of data: if a truck runs over your Sidekick you can take the sim card, put it in a new Sidekick and all your data, contacts, and email will be wirelessly downloaded to your new device. Secondly, Sidekick users can log in to tmobile's website and use the website like they would their sidekick; any changes are made to both the backend and their device.

4. Tmobile uses their account page on their website (tmobile.com) to allow access to the backend system.
Therefore, anyone that could steal or guess a Tmobile.com phone number, username, or password could have full access to all the data on that customer's Sidekick.

5. By default, for Sidekicks the sim card is used mostly for user identification on the network; all data entered onto the Sidekick is stored on the device memory and the backend server, not the sim card. There is also no user-selectable option to change this. The only thing stored on the sim card is sms messages.

6. Tmobile Sidekick users are given an email address for their device in the format USERNAME@tmail.com. It appears that Paris's e-mail was ParisHilton@tmail.com. I would have hoped that Tmobile would have had her pick something different when they started using her in their Sidekick TV commercials.

Now that we have a username, it's just a hop, skip and a jump to find the password. One of the "forgot your password" questions on Tmobile is "what is your favorite pet's name?" It's not hard to imagine someone trying the name of her dog, Tinkerbell, as an answer. The dog's name has previously been in the tabloids and hollywood tv shows after last year when the dog was lost for a short while.

I honestly believe this whole incident happened because of a few reasons. First, poor selection of a username by Paris herself, or whomever didn't advise her to choose something a little more obscure instead of her name. Second, using any type of public knowledge as a backup security question, such as your favorite pet's name, when you are a fairly well known public figure, is not very smart.

Hopefully, that puts to rest some of the bad information going around and being picked up and reprinted.
On Fri, 25 Feb 2005 8:29 am, InfoSec News wrote:

> http://www.commsdesign.com/story/showArticle.jhtml?articleID=60403328
>
> By Junko Yoshida
> EE Times
> Feb 24, 2005
>
> PARIS - The gory if inconsequential details of how hotel heiress and
> professional celebrity Paris Hilton's cellphone address book was
> hacked this week nevertheless generated a buzz among engineers in
> the mobile phone industry.
>
> The address book in question was stored on Hilton's Side Kick II
> smart phone, and backed up on a T-Mobile server.
>
> Kevin Kissell, an architect at MIPS Technologies Inc., said he
> wondered "whether the hackers accessed numbers stored in the phone
> -- a default for most mobiles -- or on the SIM card." He also
> wondered "whether the outcome might have been different if Ms.
> Hilton had stored her numbers on the SIM."
>
> T-Mobile wouldn't discuss its investigation. A company spokesman,
> however, suggested that "someone had access to one of Ms. Hilton's
> devices and/or knew her account password."
>
> Most reports postulated an attack on T-Mobile's server rather than
> the client. Speculation was based on the fact that T-Mobile's
> database was hacked last year by 22-year-old Nicolas Jacobsen, who
> pleaded guilty earlier this month.
>
> Nonetheless, speculation was rampant regarding how hackers might
> have snagged her account password.
>
> Possible scenarios ranged from correctly guessing the name of Hilton's
> dog to the theft of records and passwords stored in her SideKick II.
> The phone's Bluetooth interface was also cited.
>
> Hackers could have accessed T-Mobile's database using SQL
> (structured query language) injections, said David Naccache, vice
> president, research and innovation at Gemplus, based here. By adding
> SQL to a query, Naccache said it's possible to manipulate a database
> in ways not anticipated by administrators.
>
> Or, Hilton could have handed her phone to an acquaintance who
> extracted the information, said Naccache.
> "You need a key to the door in order to get into a house," he said.
> "But you can also get into the house through a window." Naccache, a
> forensic expert, said a hack was possible anywhere between the
> handset and the network.
>
> Even if the server was hacked rather than the client, Kissell's
> questions remain valid for chip vendors, SIM card manufacturers and
> mobile handset companies. All are racing to add security features to
> next-generation phone and network designs.
>
> Added Mike Yonker, director of Technology Strategy at Texas
> Instruments Inc., "This incident really stresses the need for
> stronger security. Consumers have reason to question even the
> security of the servers where their data is stored at the mobile
> operator."

From isn at c4i.org Mon Feb 28 05:37:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:44:02 2005
Subject: [ISN] Hackers may target pacemaker technology
Message-ID:

http://www.seacoastonline.com/news/02242005/news/66202.htm

[This is just pandering for the racy headline more than anything else; when you look at the steps to attack a pacemaker remotely, the physical attack is way easier. - WK]

By Joe Adler
jadler@seacoastonline.com
February 24, 2005

PORTSMOUTH - Although praised by doctors for their convenience, the emerging technology of remote-from-home defibrillators has caused some to fear that hackers could someday interfere with a patient's treatment for heart ailments.

Defibrillators, also commonly known as pacemakers, can be half the size of a person's palm and fit tightly inside the chest wall. The device relays information to a physician about a patient's heart rate and rhythm, and can "shock" a heart back into rhythm when it suffers from fibrillation.

As defibrillators become more common, and doctors attend to many more patients with the devices, ICDs (implantable cardioverter-defibrillators) are being tailored to relay information from outside the examination room, according to Dr.
Mark Jacobs, a Portsmouth Regional Hospital cardiologist.

The Food and Drug Administration has already approved - and medical technology companies are already marketing - equipment for the devices that can transmit a patient's heart-monitoring information, such as an electrocardiogram, through phone lines. A cardiologist can assess a patient's progress while the patient is miles away.

"As the technology changes, more and more of this is being done at the home for patients with an inability to be transported," Jacobs said. "Some patients go to Florida, and they're living here only part time."

With breakthroughs in defibrillator technology come security concerns. The remote relaying system - which allows patients to hold a wand above their chest and transmit information through an answering machine-sized contraption - is encrypted. But like any telecommunications, there is the small risk of a hacker obtaining sensitive information, Jacobs said.

He added that, while the FDA has not approved it, technology now exists to allow physicians to program ICDs through the phone lines. Currently, heart disease patients have regular checkups to fine-tune their defibrillators.

"The devices aren't perfect. As people change medication, their defibrillators need to be adjusted, or a battery can start to be depleted," Jacobs said. "If it's approved that we are able to re-program the device over the phone, it's theoretically possible that someone could intercept that call and reprogram someone's device in an adverse fashion."

Peter Gove, vice president for St. Jude Medical, which sells a home remote monitoring system for defibrillators, said the technology for remote reprogramming of the devices is a long way off, but "moving in that direction."

"(Patients) today typically visit their physicians on a regular basis to have the device interrogated," Gove said.

Gove added that St. Jude's product is careful not to transmit any personal information about patients.
Despite the concern, Jacobs said the transmitters now on the market are a godsend for his patients with busy schedules, and they are equipped with encryption devices to protect their information.

"They like it because it is very convenient," he said. "They don't have to interrupt their schedule. If they're having a problem, they can call up and it can be evaluated immediately. It saves them from not going to work for half a day."

From isn at c4i.org Mon Feb 28 05:38:13 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 28 05:44:05 2005
Subject: [ISN] Hackers invaded state Web sites 72 times in five years
Message-ID:

http://www.thejournalnews.com/apps/pbcs.dll/article?AID=/20050226/BUSINESS01/502260306/1066/BUSINESS01

By BARBARA WOLLER
THE JOURNAL NEWS
February 26, 2005

Raising new concerns about identity theft, a report released this month by a legislative committee found that information on Web sites of state agencies and authorities has been hacked at least 72 times in six years.

The report - "Tip of the Iceberg: New York State Government's Losing Battle Against Hackers" - is from the Assembly's Committee on Oversight, Analysis and Investigations. It looks at break-ins and Web site defacements that occurred between 1999 and early December 2004 in the computer systems of entities such as the state's Department of Motor Vehicles, the Department of Education, the Department of Correctional Services and the New York Power Authority.

Web site defacement occurs when information on a particular site is replaced by a message or image posted by a hacker. Identity theft can occur when personal information, such as Social Security and credit card numbers, is stolen for fraudulent use. The Federal Trade Commission said identity theft has been its top consumer complaint for five years.

"We rely on business and government when we give them personal information ... that they'll keep it safe and secure," said State Sen.
Jeff Klein, D-Bronx, who headed the Assembly's oversight committee that wrote the report before he was elected to the State Senate last year. "Unfortunately, the state and private companies are not keeping that information safe, which can lead to ID theft."

For example, the report said that in September a computer virus crippled the internal systems of the state education department and brought its computer network to a halt.

The worst case occurred, Klein said, when the Web site of the State Division of Military and Naval Affairs, which tracks information on where the state's National Guard troops are stationed, was defaced.

But William Pelgrin, director of the state Office of Cyber Security and Critical Infrastructure Coordination, said that no consumer information was compromised in any of the incidents in the Assembly report.

"The report has a lot of information that is misleading and inaccurate," Pelgrin said. "They took some of the data and misinterpreted it."

As for the defacement against the military and naval affairs Web site, Pelgrin said the federal government has jurisdiction over that network and the incident involved other issues, such as outsourcing.

Pelgrin said he does not want to minimize any defacement. "But just because we're taking them seriously doesn't mean we're not secure," he said, adding that the sites are constantly monitored.

Separately, another security breach was brought to light this month when ChoicePoint announced that as many as 145,000 consumers, including about 9,370 in New York, may have had their personal information stolen when security in its database was breached by a fraud ring.

ChoicePoint is based in Alpharetta, Ga., and collects data to verify identification and credentials for business, government and other entities for purposes including employment background checks.
Klein introduced legislation that passed the Assembly last year that would require governmental agencies and businesses to notify consumers when security breaches occur. Currently, California is the only state with such a law. Assemblyman James Brennan, D-Brooklyn, who succeeded Klein as chairman of the Committee on Oversight, Analysis and Investigations, will re-introduce the bill in the Assembly this year.

The "Tip of the Iceberg" report recommends that:

* Klein's bill to require victim notification in the case of a cyber security breach become law.
* A full explanation of the 72 intrusions cited in the report be provided to the Legislature.
* Minimum standards be set for State Information Security officers.
* The state Division of Military and Naval Affairs reassess its relationship with its Web hosting provider because of the hacking incident.

Klein said state cyber security officials say no information has been taken but it is hard to be sure. "That's why it's so important we have some type of notification in place," he said.