From isn at c4i.org  Fri Jun  3 01:29:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun  3 01:43:48 2005
Subject: [ISN] Microsoft admits popular MSN site hacked in Korea
Message-ID:

http://www.signonsandiego.com/news/computing/20050602-1615-microsofthacked.html

By Ted Bridis
ASSOCIATED PRESS
June 2, 2005

WASHINGTON - Microsoft acknowledged Thursday that hackers booby-trapped its popular MSN Web site in Korea to try to steal passwords from visitors. The company said it was unclear how many Internet users might have been victimized.

Microsoft said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code that unknown hackers had added earlier this week. A spokesman, Adam Sohn, said Microsoft was confident its English-language Web sites were not vulnerable to the same type of attack.

Korea is a leader in high-speed Internet users worldwide.

Microsoft's MSN Web properties - which offer news, financial advice, car- and home-buying information and more - are among the most popular across the Web. The affected Microsoft site in Korea offers news and other information plus links to the company's free e-mail and search services. Its English-language equivalent is the default home Internet page for the newest versions of its flagship Windows software sold in the United States.

The Korean site, unlike U.S. versions, was operated by another company Microsoft did not identify. Microsoft's own experts and Korean police authorities were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director.

"Our preliminary opinion here was, this was the result of an unpatched operating system," Sohn said. "When stuff is in our data center, it's easier to control. We're pretty maniacal about getting servers patched and keeping our customers safe and protected."
Microsoft's acknowledgment of the hacking incident was the latest embarrassment for the world's largest software company, which has spent hundreds of millions of dollars to improve security and promote consumer confidence in its products.

Security researchers noticed the suspicious programming added to the Korea site and contacted the company Tuesday. Microsoft traced the problem and removed the hacked computers within hours, Sohn said, but it doesn't yet know how long the dangerous programming was present. In recent days no customers have reported problems stemming from visits to the Web site, Sohn said.

The hacker program scanned visitors' computers and tried to activate password-stealing software that was found separately to exist on some hacked Chinese Web sites.

Microsoft said it was trying to decide whether to issue a broad public warning to recent visitors of the Korean site as it examines its own records to attempt to trace anyone who might have been victimized.

-=-

On the Net:

Microsoft: www.microsoft.com


From isn at c4i.org  Fri Jun  3 01:29:32 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun  3 01:43:54 2005
Subject: [ISN] FBI Probes Theft of Justice Dept. Data
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/05/31/AR2005053101379.html

By Jonathan Krim
Washington Post Staff Writer
June 1, 2005

The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands.

Authorities think the computer was stolen between May 7 and May 9 from Omega World Travel of Fairfax, which is one of the largest travel companies in the Washington area and does extensive business with government agencies.

Justice Department spokeswoman Gina Talamona said the data included names and account numbers from travel account credit cards issued to government employees by J.P. Morgan Chase & Co.
and its subsidiary Bank One Corp. She said the information did not include Social Security numbers or home addresses that often are used by identity thieves to establish credit or to purchase goods in other people's names.

In addition, she said the account information was protected by passwords, although sophisticated hackers often can break into stored databases.

Omega World Travel officials declined to comment on how the laptop was stolen or other elements of the case, as did the FBI, which is investigating.

The theft is one of a spate of incidents over the past several months that have resulted in sensitive data on millions of U.S. consumers being stolen or exposed. In December, Bank of America Corp. lost computer tapes containing records on 1.2 million federal workers, including several U.S. senators.

Talamona said that no Justice Department worker has reported suspicious activity on his or her financial accounts since the incident. The banks issuing the travel cards have placed alerts on the workers' accounts, Talamona said.

She added that Omega World Travel has agreed to several changes to its security practices, including beefing up physical security at its offices, conducting a computer security review and ensuring that the stolen computer cannot be reconnected to the firm's network.

The travel cards have not been canceled, Talamona said.

© 2005 The Washington Post Company


From isn at c4i.org  Fri Jun  3 01:29:52 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun  3 01:43:58 2005
Subject: [ISN] N.K. hacking ability matches that of CIA, analyst says
Message-ID:

Forwarded from: William Knowles

http://www.koreaherald.co.kr/SITE/data/html_dir/2005/06/03/200506030002.asp

By Lee Sun-young
2005.06.03
(milaya@heraldm.com)

North Korea has hundreds of well-trained cyber soldiers and its intelligence warfare capabilities are believed to have reached the level of the U.S. Central Intelligence Agency, a South Korean arms expert said yesterday.
Computers are a rarity and Internet access is almost nonexistent for most people in the reclusive country, but Byun Jae-jung, researcher at a state-run Agency for Defense Development, believes that "North Korea is capable of cyber attacks on both the command and control system of the U.S. Pacific Command and the critical infrastructures of the U.S. mainland, such as electric power."

"Our electronic warfare simulation indicates that North Korea's capability has reached a substantial level, unlike what is generally known to the outside world," Byun told the Defense Information Security Conference 2005 held yesterday at Korea University in Seoul. The conference is organized annually by the Defense Security Command and the Korea Information Security Agency.

He said the simulation was based on reliable information from the DSC, but refused to give any details.

According to him, the communist country since 1981 has been training about 100 hackers through an elite electronic warfare academy known as Mirim College and now operates a crack contingent of 500 or 600 cyber soldiers. The academy is believed to have changed its name from Mirim to Kim Il Military Academy and then to Pyongyang College.

The North Korean hackers use Web servers from various countries, including the United States, to gather military information on South Korea, the United States and others and erode the online defense command network, he added.

"The South Korean government spends only 2.5 percent of its information-related budget on information protection while the United States invests 8.8 percent," Byun said.

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


From isn at c4i.org  Fri Jun  3 01:30:12 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun  3 01:44:01 2005
Subject: [ISN] Hacking fear drives up network security market
Message-ID:

http://www.vnunet.com/vnunet/news/2137429/hacking-fear-drives-network-security-market

Robert Jaques
vnunet.com
02 Jun 2005

Network security appliance and software sales are poised for explosive growth of 27 per cent to clock up revenues of $1.3bn in the first quarter of 2006, analysts have predicted.

According to Infonetics Research's quarterly worldwide market share and forecast service, sales increased by five per cent between the last quarter of 2004 and the first quarter of 2005. Total annual revenue is expected to grow to $6.5bn by 2008.

"This was a fairly quiet quarter overall, with Cisco's big jump in hardware secure router revenue clocking in as the only major event of the quarter," said Jeff Wilson, principal analyst at Infonetics Research.

"The network security market will grow at a 15 per cent compound annual growth rate between 2004 and 2008, driven by the many new viruses, malware and targeted attacks that surface every day, compelling companies of all sizes to invest in security. Many areas in the market will continue single- and double-digit quarterly growth over the next few years."

The Infonetics study found that Cisco is the worldwide leader in revenue market share in the overall network security appliance and software market, a position it has held since 2002. Check Point came in second in terms of worldwide revenue share, with Juniper close behind in third.

Enterasys, ISS, McAfee, Nokia, Nortel, SonicWall and Symantec were identified as strong second-tier players, with significant revenue market share across a number of categories.
VPN/firewall appliances and software make up the majority of revenue (78 per cent in the first quarter of 2005) with intrusion detection/prevention second at 14 per cent, and gateway antivirus third at eight per cent.

North America accounted for 45 per cent of network security appliances and software revenue, according to the research, followed by EMEA at 29 per cent and Asia Pacific at 21 per cent.


From isn at c4i.org  Fri Jun  3 01:31:03 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun  3 01:44:03 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-22
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-05-26 - 2005-06-02

                       This week : 57 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

infamous41md has reported four vulnerabilities in GNU Mailutils, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system.

Please refer to Secunia advisory below for additional details.

Reference:
http://secunia.com/SA15442

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts. Please refer to the grouped virus profiles below for more information:

Mytob.CU - MEDIUM RISK Virus Alert - 2005-06-01 03:19 GMT+1
http://secunia.com/virus_information/18440/mytob.cu/

Mytob.bh - MEDIUM RISK Virus Alert - 2005-05-30 15:04 GMT+1
http://secunia.com/virus_information/18395/mytob.bh/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15470] CA Multiple Products Vet Antivirus Engine Buffer Overflow
2.  [SA15546] Microsoft Internet Explorer "window()" Denial of Service Weakness
3.  [SA15292] Mozilla Firefox Two Vulnerabilities
4.  [SA15531] BIG-IP TCP Timestamp Denial of Service
5.  [SA15528] Ubuntu update for mozilla-firefox
6.  [SA15526] HP-UX ICMP Message Handling Denial of Service
7.  [SA15525] HP-UX Unspecified Security Bypass Vulnerability
8.  [SA15548] Nortel VPN Routers IKE Packet Handling Denial of Service
9.  [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
10. [SA15530] Fedora update for imagemagick

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15520] Terminator 3: War of the Machines Two Vulnerabilities
[SA15564] JiRo's Upload System "password" SQL Injection Vulnerability
[SA15560] NEXTWEB (i)Site Multiple Vulnerabilities
[SA15557] Hummingbird InetD Components Buffer Overflow Vulnerabilities
[SA15556] Stronghold 2 Nickname Denial of Service Vulnerability
[SA15515] ZonGG "password" SQL Injection Vulnerability
[SA15511] MaxWebPortal "memKey" SQL Injection Vulnerability
[SA15539] FutureSoft TFTP Server 2000 Directory Traversal and Buffer Overflows
[SA15540] Hosting Controller "jresourceid" SQL Injection Vulnerability
[SA15546] Microsoft Internet Explorer "window()" Denial of Service Weakness
[SA15522] SoftICE DbgMsg.sys Driver Denial of Service Vulnerability

UNIX/Linux:
[SA15579] Conectiva update for php4
[SA15529] Gentoo update for mailutils
[SA15528] Ubuntu update for mozilla-firefox
[SA15574] Red Hat update for gnutls
[SA15523] NewLife Blogger Unspecified SQL Injection Vulnerabilities
[SA15514] SGI IRIX update for telnet
[SA15513] Red Hat update for imagemagick
[SA15576] Red Hat update for postgresql
[SA15570] Mandriva update for postgresql
[SA15525] HP-UX Unspecified Security Bypass Vulnerability
[SA15578] Conectiva update for gftp
[SA15533] qmail Memory Corruption Vulnerability
[SA15526] HP-UX ICMP Message Handling Denial of Service
[SA15577] Red Hat update for openssl
[SA15575] Trustix update for binutils
[SA15554] Mandriva update for gdb
[SA15544] Fast n Furious DtDNS Updater Command Line Argument Disclosure
[SA15527] Ubuntu update for binutils/binutils-multiarch
[SA15524] Ubuntu update for gdb
[SA15512] Red Hat update for kernel
[SA15530] Fedora update for imagemagick
[SA15542] Clam AntiVirus on Mac OS X Privilege Escalation Vulnerability

Other:
[SA15541] PicoWebServer HTTP Request Processing Buffer Overflow
[SA15548] Nortel VPN Routers IKE Packet Handling Denial of Service
[SA15531] BIG-IP TCP Timestamp Denial of Service

Cross Platform:
[SA15537] PowerDownload "incdir" File Inclusion Vulnerability
[SA15536] PeerCast URL Format String Vulnerability
[SA15519] C'Nedra "READ_TCP_STRING()" Buffer Overflow Vulnerability
[SA15510] PHP Poll Creator "relativer_pfad" File Inclusion Vulnerability
[SA15569] Calendarix Advanced SQL Injection Vulnerabilities
[SA15558] I-Man File Attachments Upload Vulnerability
[SA15555] Qualiteam X-Cart Gold SQL Injection Vulnerabilities
[SA15552] MyBulletinBoard Multiple Vulnerabilities
[SA15550] ezUserManager Script Insertion and SQL Injection
[SA15538] FreeStyle Wiki Attachments Script Insertion Vulnerability
[SA15535] Ettercap "curses_msg()" Format String Vulnerability
[SA15534] phpThumb() "src" Exposure of Sensitive Information
[SA15532] NPDS Multiple Vulnerabilities
[SA15521] Hosting Controller "UserProfile.asp" Authentication Bypass
[SA15517] WordPress "cat_ID" SQL Injection Vulnerability
[SA15516] PHPstat "check" Authentication Bypass Vulnerability
[SA15562] Symantec Brightmail AntiSpam Static Database Password
[SA15547] Jaws "term" Cross-Site Scripting Vulnerability
[SA15543] PHPMailer "Data()" Denial of Service Vulnerability
[SA15518] NikoSoft WebMail Unspecified Cross-Site Scripting Vulnerability
[SA15545] Invision Power Board Privilege Escalation Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA15520] Terminator 3: War of the Machines Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-27

Luigi Auriemma has reported two vulnerabilities in Terminator 3: War of the Machines, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15520/

--

[SA15564] JiRo's Upload System "password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-01

Romty has reported a vulnerability in JiRo's Upload System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15564/

--

[SA15560] NEXTWEB (i)Site Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS
Released:    2005-06-01

Trash-80 has reported some vulnerabilities in NEXTWEB (i)Site, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct SQL injection attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15560/

--

[SA15557] Hummingbird InetD Components Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-31

Two vulnerabilities have been reported in Hummingbird InetD, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15557/

--

[SA15556] Stronghold 2 Nickname Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-05-31

Luigi Auriemma has reported a vulnerability in Stronghold 2, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15556/

--

[SA15515] ZonGG "password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-27

Romty has reported a vulnerability in ZonGG, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/15515/

--

[SA15511] MaxWebPortal "memKey" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-26

Soroush Dalili has reported a vulnerability in MaxWebPortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15511/

--

[SA15539] FutureSoft TFTP Server 2000 Directory Traversal and Buffer Overflows

Critical:    Moderately critical
Where:       From local network
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2005-05-31

Tan Chew Keong has reported some vulnerabilities in TFTP Server 2000, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15539/

--

[SA15540] Hosting Controller "jresourceid" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-30

Soroush Dalili has reported a vulnerability in Hosting Controller, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15540/

--

[SA15546] Microsoft Internet Explorer "window()" Denial of Service Weakness

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-31

Benjamin Tobias Franz has discovered a weakness in Internet Explorer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15546/

--

[SA15522] SoftICE DbgMsg.sys Driver Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-05-30

Piotr Bania has reported a vulnerability in SoftICE, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/15522/

UNIX/Linux:
--

[SA15579] Conectiva update for php4

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, DoS, System access
Released:    2005-06-01

Conectiva has issued an update for php4. This fixes some vulnerabilities, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15579/

--

[SA15529] Gentoo update for mailutils

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-27

Gentoo has issued an update for mailutils. This fixes some vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15529/

--

[SA15528] Ubuntu update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-05-27

Ubuntu has issued an update for mozilla-firefox. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15528/

--

[SA15574] Red Hat update for gnutls

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-06-01

Red Hat has issued an update for gnutls. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15574/

--

[SA15523] NewLife Blogger Unspecified SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-30

Some vulnerabilities have been reported in NewLife Blogger, which can be exploited to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/15523/

--

[SA15514] SGI IRIX update for telnet

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-26

SGI has issued an update for telnet. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15514/

--

[SA15513] Red Hat update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-26

Red Hat has issued an update for imagemagick. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15513/

--

[SA15576] Red Hat update for postgresql

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-06-02

Red Hat has released an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15576/

--

[SA15570] Mandriva update for postgresql

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-06-02

Mandriva has issued an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15570/

--

[SA15525] HP-UX Unspecified Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-05-27

A vulnerability has been reported in HP-UX, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/15525/

--

[SA15578] Conectiva update for gftp

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-06-01

Conectiva has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.

Full Advisory:
http://secunia.com/advisories/15578/

--

[SA15533] qmail Memory Corruption Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-31

Georgi Guninski has reported a vulnerability in qmail, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15533/

--

[SA15526] HP-UX ICMP Message Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-27

HP has acknowledged a vulnerability in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15526/

--

[SA15577] Red Hat update for openssl

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-06-02

Red Hat has issued an update for openssl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information or perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15577/

--

[SA15575] Trustix update for binutils

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-06-01

Trustix has issued an update for binutils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/15575/

--

[SA15554] Mandriva update for gdb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-31

Mandriva has issued an update for gdb. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15554/

--

[SA15544] Fast n Furious DtDNS Updater Command Line Argument Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-30

A security issue has been reported in Fast n Furious DtDNS Updater, which may disclose sensitive information to malicious, local users.

Full Advisory:
http://secunia.com/advisories/15544/

--

[SA15527] Ubuntu update for binutils/binutils-multiarch

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-27

Ubuntu has issued updates for binutils and binutils-multiarch. These fix a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15527/

--

[SA15524] Ubuntu update for gdb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-27

Ubuntu has issued an update for gdb. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15524/

--

[SA15512] Red Hat update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation, Security Bypass
Released:    2005-05-26

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information and gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/15512/

--

[SA15530] Fedora update for imagemagick

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-27

Fedora has issued an update for imagemagick. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15530/

--

[SA15542] Clam AntiVirus on Mac OS X Privilege Escalation Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-30

Tim Morgan and Kevin Amorin have reported a vulnerability in Clam AntiVirus, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15542/

Other:
--

[SA15541] PicoWebServer HTTP Request Processing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-30

Dennis Elser has reported a vulnerability in PicoWebServer, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15541/

--

[SA15548] Nortel VPN Routers IKE Packet Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-05-30

NTA-Monitor has reported a vulnerability in Nortel VPN Routers, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15548/

--

[SA15531] BIG-IP TCP Timestamp Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-27

F5 Networks has acknowledged a vulnerability in BIG-IP, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session.
Full Advisory:
http://secunia.com/advisories/15531/

Cross Platform:
--

[SA15537] PowerDownload "incdir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-31

SoulBlack Security Research has discovered a vulnerability in PowerDownload, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15537/

--

[SA15536] PeerCast URL Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-30

James Bercegay has reported a vulnerability in PeerCast, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15536/

--

[SA15519] C'Nedra "READ_TCP_STRING()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-27

Luigi Auriemma has reported a vulnerability in C'Nedra, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15519/

--

[SA15510] PHP Poll Creator "relativer_pfad" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-26

rash ilusion has reported a vulnerability in PHP Poll Creator, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15510/

--

[SA15569] Calendarix Advanced SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-01

DarkBicho has discovered some vulnerabilities in Calendarix Advanced, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/15569/

--

[SA15558] I-Man File Attachments Upload Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-06-01

A vulnerability has been reported in I-Man, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15558/

--

[SA15555] Qualiteam X-Cart Gold SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-31

Censored has reported some vulnerabilities in Qualiteam X-Cart Gold, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15555/

--

[SA15552] MyBulletinBoard Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-05-31

Some vulnerabilities have been reported in MyBulletinBoard (MyBB), which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15552/

--

[SA15550] ezUserManager Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-06-01

Some vulnerabilities have been reported in ezUserManager, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15550/

--

[SA15538] FreeStyle Wiki Attachments Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-31

A vulnerability has been reported in FreeStyle Wiki and FSWikiLite, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/15538/

--
[SA15535] Ettercap "curses_msg()" Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-05-31
A vulnerability has been reported in Ettercap, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15535/

--
[SA15534] phpThumb() "src" Exposure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-06-02
A vulnerability has been reported in phpThumb(), which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/15534/

--
[SA15532] NPDS Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-30
NoSP and Romano have reported some vulnerabilities in NPDS, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15532/

--
[SA15521] Hosting Controller "UserProfile.asp" Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-31
A vulnerability has been reported in Hosting Controller, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15521/

--
[SA15517] WordPress "cat_ID" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-05-30
A vulnerability has been reported in WordPress, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15517/

--
[SA15516] PHPstat "check" Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-27
SoulBlack Security Research has discovered a vulnerability in PHPstat, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15516/

--
[SA15562] Symantec Brightmail AntiSpam Static Database Password
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2005-06-01
A security issue has been reported in Symantec Brightmail AntiSpam, which can be exploited by malicious people to bypass security restrictions.
Full Advisory: http://secunia.com/advisories/15562/

--
[SA15547] Jaws "term" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-30
Paulino Calderon has reported a vulnerability in Jaws, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15547/

--
[SA15543] PHPMailer "Data()" Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-31
Mariano Nuñez Di Croce has reported a vulnerability in PHPMailer, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15543/

--
[SA15518] NikoSoft WebMail Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-30
A vulnerability has been reported in NikoSoft WebMail, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15518/

--
[SA15545] Invision Power Board Privilege Escalation Vulnerability
Critical: Not critical
Where: From remote
Impact: Privilege escalation
Released: 2005-05-30
Rapigator has reported a vulnerability in Invision Power Board, which can be exploited by malicious users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15545/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Sat Jun 4 14:23:19 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Jun 4 14:36:40 2005
Subject: [ISN] Hacker hits Duke system
Message-ID:

http://newsobserver.com/business/story/2471894p-8875992c.html

By JEAN P. FISHER
Staff Writer
Jun 4, 2005

A hacker broke into the Duke University Medical Center computer system last week, stealing thousands of passwords and fragments of Social Security numbers, Duke officials said Friday.

Duke is notifying about 14,000 people, roughly 10,000 of whom are medical center employees, that their information may have been compromised and is advising people to change passwords if they use the same one for multiple purposes.

Other individuals affected include alumni of the Duke University School of Medicine, physicians and other clinicians who registered online for some types of continuing medical education at Duke and others who accessed certain Web pages maintained by the medical school.
The incident is the latest in a series of security breaches nationally at banks and other major organizations that store personal information. This is one of the largest yet to hit the Triangle.

Computer security failures have increased concern about identity theft and prompted some states to adopt laws that require speedy disclosure to people whose private information may be compromised. The General Assembly is considering an identity-theft protection bill that would mandate such notification.

None of the Duke computer databases broken into contained personal financial data or patient information, according to the medical center. The hacker did grab about 5,500 computer passwords and the users' first and last names. In addition, the hacker stole about 9,000 partial Social Security numbers -- either the last four digits or the last six digits.

Duke sites affected include training Web pages, which clinical research staff might have used to brush up on safety protocols, educational sites that clinicians participating in Web conferences would have signed into and internal pages employees might have visited to sign up as a volunteer for a Duke event or alumni function.

"These weren't our core systems," said Asif Ahmad, the medical center's chief information officer. "These were more peripheral sites."

Determined identity thieves can wreak havoc with just a name and a password, said Mark Durrett, director of product management and marketing for Covelight Systems, a Cary company that makes privacy protection and fraud management software. That's because most people, for convenience, use the same passwords for many different purposes, from bank accounts to e-commerce Web sites.

"In a perfect world, we'd all have different user names and passwords for everything," Durrett said. "But the typical person will have one or two passwords they use for everything in their life."

The Duke security breach occurred May 26 sometime between 1 a.m. and 4 a.m.
A Duke computer system administrator detected the unauthorized user at about 4:30 p.m. the same day while conducting a routine check of logs that record activity on medical school Web sites. Such checks are made daily to watch for potential security breaches, Ahmad said.

Once the unauthorized access was detected, Duke immediately shut down the Web pages affected. Then administrators cross-checked the names of people whose information was stolen with the names of employees and clinicians who have access to core computer systems, such as patient registration and scheduling, patient billing, accounts receivable and human resources. People on both lists had their passwords reset, Ahmad said.

"It was not a lot of people -- it was literally in the teens," he said.

Ahmad said the hacker apparently found a vulnerability in the software used to create the affected Web pages and exploited it to gain access to layers of the pages only administrators are supposed to see. Ahmad said the problem has since been fixed and the Web pages are up and running again.

From isn at c4i.org Sat Jun 4 14:23:46 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Jun 4 14:36:42 2005
Subject: [ISN] Linux Advisory Watch - June 3rd 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  June 3rd, 2005                             Volume 6, Number 22a    |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                Benjamin D. Thomas
          dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for qpopper, openssl, php4, bzip2, ImageMagick, bind, netpbm, gxine, imap4d, elfutils, gnutls, and postgresql. The distributors include Debian, Fedora, Gentoo, and Red Hat.
---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Importance of Information Security Management
By Benjamin D. Thomas

Organizations today rely on IT for distributed processing, automation of repetitive tasks, and electronic commerce. Processing that would have been done by hand years ago is now completely executed on computers. This has evolved so much that it is no longer feasible, and in some cases impossible, to conduct business processing by hand. In the event of even a temporary loss of IT services, the results could be catastrophic. Without a secure IT infrastructure, an organization risks the possibility of complete operational failure.

The primary aim of information security is to preserve the confidentiality, integrity, and availability of information from unauthorized disclosure, unauthorized modification, destruction, or misuse. Failure to appropriately manage information security will put an organization at risk of loss of income, loss of competitive advantage, or possible legal penalties if not compliant with relevant regulations. Having the right information at the right time in the hands of the right people is often the difference between profit and loss, and success and failure. It must be understood that information is a key business asset and that preserving its confidentiality, integrity, and availability is crucial to the continued success of any organization.

Importance of Confidentiality

Proper information security management can help protect against confidentiality breaches.
In the event of an unauthorized disclosure of proprietary information, a company could lose millions to a competitor due to the loss of research and development time/capital and the competitive advantage of being first to market. Across the world, nations are passing legislation protecting the privacy of personal information. Failure to adequately protect against breaches in confidentiality may result in strict penalties or prosecution for negligence.

Importance of Integrity

Ensuring data integrity is vital to ensure that appropriate business decisions are made with the information available. An unauthorized modification can be either intentional or unintentional. In either scenario, the outcome can be catastrophic. Data that has been improperly modified has the potential to result in bad information. Faulty information can lead to bad business decisions, which can ultimately result in business failure. At a financial institution a single misplaced digit could result in the loss of millions. It is extremely important that organizations have the ability to detect any violations of integrity and mitigate any possible damages that may occur from a breach.

Importance of Availability

Information availability is also a key aspect of information security management. Ensuring proper information availability will help an organization maintain its highest level of productivity. Information security availability planning involves contingency and disaster recovery as well as protecting against temporary technical glitches or recovering information from backup archives. By appropriately managing information availability, planning and facilitating a recovery strategy can ensure that business impact and loss of assets are minimized in the event of an incident.
----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment.
http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy-to-follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.
http://www.linuxsecurity.com/content/view/118106/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New qpopper packages fix arbitrary file overwriting
  26th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119199

* Debian: New PHP4 packages fix denial of service
  26th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119203

* Debian: New bzip2 packages fix unauthorised file permissions modification
  27th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119214

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: ImageMagick-6.2.2.0-2.fc3
  26th, May, 2005
  A malicious image could cause a denial-of-service in the xwd coder. The update fixes this issue.
  http://www.linuxsecurity.com/content/view/119206

* Fedora Core 3 Update: system-config-netboot-0.1.16-1_FC3
  27th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119216

* Fedora Core 3 Update: system-config-bind-4.0.0-16
  27th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119217

* Fedora Core 3 Update: netpbm-10.27-4.FC3
  1st, June, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119230

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: gxine Format string vulnerability
  26th, May, 2005
  A format string vulnerability in gxine could allow a remote attacker to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/119200

* Gentoo: Mailutils Multiple vulnerabilities in imap4d
  27th, May, 2005
  The imap4d server and the mail utility from GNU Mailutils contain multiple vulnerabilities, potentially allowing a remote attacker to execute arbitrary code with root privileges.
  http://www.linuxsecurity.com/content/view/119211

* Gentoo: Binutils, elfutils Buffer overflow
  1st, June, 2005
  Various utilities from the GNU Binutils and elfutils packages are vulnerable to a heap based buffer overflow, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119228

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: gnutls security update
  1st, June, 2005
  Updated GnuTLS packages that fix a remote denial of service vulnerability are available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119231

* RedHat: Moderate: postgresql security update
  1st, June, 2005
  Updated postgresql packages that fix several security vulnerabilities and risks of data loss are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119232

* RedHat: Moderate: openssl security update
  1st, June, 2005
  Updated OpenSSL packages that fix security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119233

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 6 12:21:57 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 6 12:33:02 2005
Subject: [ISN] Test shows voter fraud is possible
Message-ID:

http://www.tallahassee.com/mld/tallahassee/news/local/11811936.htm

By Tony Bridges
DEMOCRAT STAFF WRITER
June 04, 2005

All it takes is the right access. Get that, and an election worker could manipulate voting results in the computers that read paper ballots - without leaving any digital fingerprints.
That was the verdict after Leon County Elections Supervisor Ion Sancho invited a team of researchers to look for holes in election software.

The group wasn't able to crack the Diebold system from outside the office. But, at the computer itself, they changed vote tallies, completely unrecorded.

Sancho said it illustrates the need for tight physical security, as well as a paper trail that can verify results, which the Legislature has rejected.

Black Box Voting, the non-profit that ran the test and published a report on the Internet, pointed to the findings as proof of an elections system clearly vulnerable to corruption.

But state officials in charge of overseeing elections pooh-poohed the test process and dismissed the group's report.

"Information on a blog site is not viable or credible," said Jenny Nash, a spokeswoman for the Department of State.

It went like this: Sancho figured Leon County's security could withstand just about any sort of probing and wanted to prove it. He went to one of the most skeptical - and vocal - watchdogs of election procedures.

Bev Harris, founder of Black Box Voting, had experience with voting machines across the country. She recruited two computer-security experts and made the trip to Tallahassee from her home in Washington state three times between February and late May.

Leon County is one of 30 counties in Florida that use Diebold optical scanners. Voters darken bubbles on a sheet of paper, sort of like filling in the answers on the SAT, and the scanners read them and add up the numbers.

So the task was simple. Get in, tamper with vote numbers, and get out clean.

They made their first attempts from outside the building. No success.

Then, they sat down at the vote-counting computers, the sort of access to the machines an employee might have. For the crackers, security protocols were no problem, passwords unnecessary. They simply went around them.
After that, the security experts accomplished two things that should not have been possible.

They made 65,000 votes disappear simply by changing the real memory card - which stores the numbers - for one that had been altered.

And, while the software is supposed to create a record whenever someone makes changes to data stored in the system, it showed no evidence they'd managed to access and change information.

When they were done, they printed the poll tapes. Those are paper records, like cash register tape, that show the official numbers on the memory cards.

Two tapes, with different results. And the only way to tell the fake one? At the bottom, it read, "Is this real? Or is it Memorex?"

"That was troubling," Sancho said.

Leon County more secure

A disaster? Not exactly.

In Leon County, access to the machines is strictly controlled, limited to a single employee. The memory cards are kept locked away, and they're tracked by serial number. Those precautions help prevent any tampering.

"You've got to have security over the individual who's accessing the system," Sancho said. In fact, "you've got to have good security and control over every step of this process."

The trouble is, not every county is as closely run. In Volusia County, her group has found what they think was memory-card tampering during the 2000 election. More than 16,000 votes for Al Gore vanished.

Harris said her research turned up memos - obtained from the elections supervisor's office - that blamed the failure on an extra memory card that showed up, and disappeared, without explanation.

She believes that was an attempt to change the outcome of the election, but one carried out clumsily. The test in Leon County proved it was possible, if done by more experienced computer programmers, she said.

So what does the Department of State say?
Nash, the spokeswoman, said that the Diebold systems were designed to be used in secure settings, and that, by giving the testers direct access to the computers, Sancho had basically allowed them to bypass security. In other words, not much of a test.

Except that the security experts were given only as much opportunity as any other election worker would have. Less so, considering that Sancho did not provide them with passwords or any other way to actually get into the programming.

As for the exact vulnerabilities that Harris reported - and Sancho confirmed - Nash said no one from the state could comment, since they hadn't been present at the test. She added later that Sancho could request help from state certifiers if he had concerns, but had not asked yet.

To read the entire report, visit www.BlackBoxVoting.org. Ion Sancho, supervisor of elections, will post a summary of the test results this weekend at www.leonfl.org/elect/

From isn at c4i.org Mon Jun 6 12:22:12 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 6 12:33:05 2005
Subject: [ISN] Hacker hits Duke system
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

fyi... if the hacker picked off employee information, which is likely better protected than the master database, then what about clinical patient records? I don't buy the story that those systems weren't touched. Most of these systems are networked together and if anything mainstream data used by most organizations is more readily available than executive salary information.

As hackers get smarter you can bet that they'll target more of the identity management systems such as Microsoft's Active Directory and Kerberos with its known weaknesses. Lots of people use the same user ids and passwords for both work and personal systems. So although the hackers may get no further with Duke they might start testing online banking systems or other such systems with their new found illegal information assets.
Furthermore, aggregated data found on public systems such as Monster and Workopolis may help to further refine potential targets of economic opportunity from these illegally new found assets.

Best regards,

Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Kenneth Blanchard: "The key to successful leadership today is influence, not authority."

----- Original Message -----
From: "InfoSec News"
To:
Sent: Saturday, June 04, 2005 3:23 PM
Subject: [ISN] Hacker hits Duke system

> http://newsobserver.com/business/story/2471894p-8875992c.html
>
> By JEAN P. FISHER
> Staff Writer
> Jun 4, 2005
>
> A hacker broke into the Duke University Medical Center computer system
> last week, stealing thousands of passwords and fragments of Social
> Security numbers, Duke officials said Friday.
>
> Duke is notifying about 14,000 people, roughly 10,000 of whom are
> medical center employees, that their information may have been
> compromised and is advising people to change passwords if they use the
> same one for multiple purposes.
>
> Other individuals affected include alumni of the Duke University
> School of Medicine, physicians and other clinicians who registered
> online for some types of continuing medical education at Duke and
> others who accessed certain Web pages maintained by the medical
> school.
>
> The incident is the latest in a series of security breaches nationally
> at banks and other major organizations that store personal
> information. This is one of the largest yet to hit the Triangle.
From isn at c4i.org Mon Jun 6 12:22:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 6 12:33:08 2005
Subject: [ISN] Message storm knocks NYSE offline
Message-ID:

http://www.theregister.co.uk/2005/06/03/nyse_glitch/

By John Leyden
3rd June 2005

The New York Stock Exchange is re-examining its network after it was forced to close four minutes early at 3:56pm on Wednesday (1 June) because of a communications glitch. Trading opened on time (09:30 EDT) the following morning but the outage irked traders and raised questions about the reliability of a network described as "ultra reliable" following improvements made in the wake of the September 11 terrorist attacks.

The outage stemmed from a fault in a system designed to distribute market data and operate computer trading systems. NYSE Chief Executive John Thain said that both the main system and its backup were swamped with error messages, Reuters reports. He added that the exchange would carry out remedial work designed to prevent any repetition of the problem.

A NYSE spokesman declined to expand on this explanation or to offer any insights into why a network touted for its reliability crashed.

From isn at c4i.org Tue Jun 7 04:14:11 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 7 04:26:43 2005
Subject: [ISN] Personal Data for 3.9 Million Lost in Transit
Message-ID:

http://www.nytimes.com/2005/06/07/business/07data.html

By TOM ZELLER Jr.
June 7, 2005

In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since.
The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division.

The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised.

It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information - ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley.

All these institutions have reported data breaches in the last five months, affecting millions of individuals and spurring Congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information.

The fear is that Social Security numbers, when combined with a consumer's name, address and date of birth, can be used by thieves to open new lines of credit, secure loans and otherwise steal someone's identity.

Whether the recently reported breaches indicate an epidemic of data loss is unclear. Many privacy and security advocates have suggested that a California law, requiring that consumers be notified of data security breaches, has led to more confessions of data losses and increased awareness of a longstanding problem.

"I think what we're seeing is a situation that's been going on for a long time," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy group in San Diego, "and one which has only been made visible by California's law."
The California law, which went into effect in July 2003, requires state government agencies as well as companies and nonprofit organizations - regardless of where in the country they do business - to notify California customers if the personal information maintained in their data files has been compromised.

Yet in an age of transnational banks, Internet commerce and giant data aggregators, notifying only California residents when data on consumers all over the country is potentially lost or compromised has proved to be a public relations impossibility. (ChoicePoint was widely accused of planning to notify only California residents when it learned that information on at least 145,000 Americans had fallen into the hands of thieves; the company, however, said it was planning on nationwide notification all along.)

Now, with each week bringing new reports of data loss, whether because tapes fell off the back of a U.P.S. truck or because data was electronically stolen by hackers or thieves, at least five other states - Arkansas, North Dakota, Georgia, Montana and Washington - have passed similar notification laws. As of last month, dozens of other states were considering similar laws.

In the most recent incident, Citigroup executives say the box containing the tapes was handed over to U.P.S., along with other items for shipping, on May 2, under "special security procedures" that the bank required of the courier.

One of those special procedures, said Citigroup's chief operations and technology officer, Debby Hopkins, included scanning the bar code on each package, rather than scanning only the single bar code on the shipment manifest, which is a summary document listing all the packages being moved in one shipment.

According to Ms. Hopkins, just the summary document was scanned for the box, which was picked up in Weehawken, N.J., so U.P.S. was unable to track where in the delivery chain the box was lost.
It was not until May 20 that an employee of Experian, the credit reporting agency that was to receive the tapes, called CitiFinancial to report that they had not arrived at Experian's data-processing center in Allen, Tex. An investigation by U.P.S. failed to locate the package.

CitiFinancial has notified the Secret Service, which is called whenever there is a compromise of financial data. The agency is investigating the incident, and CitiFinancial has begun sending letters to all 3.9 million customers advising them of the loss and offering them 90 days of free enrollment in a credit-monitoring service. Other institutions with data-loss problems have also offered free credit-monitoring services, some for as long as a year.

A spokesman for U.P.S., Norman Black, would not go into specifics on where or how the security system broke down, but said the courier was continuing its investigation. Mr. Black said blame ultimately lay with his company.

"They tendered us a package and expected it to be delivered in the reliable way that we always do," he said, "and we had to go back to them and tell them that we can't find it."

Mr. Black said that an exhaustive search of all U.P.S. facilities nationwide had turned up no sign of the package. "It's rare that it gets to the point where we can find no trace of it," he said.

A spokesman for Experian, Donald A. Girard, said he had never seen an instance of a shipment of this kind simply disappearing, although he added that he and other credit agencies had been encouraging financial institutions to convert from tapes to encrypted electronic delivery of data.

"Experian has been actively working for quite a while with all major data contributors to convert to electronic data transference," Mr. Girard said, "to mitigate risk in this process."

Ms. Hopkins of Citigroup said that most of the company's divisions already did this, and that the CitiFinancial unit is scheduled to convert to such electronic transfers in July.
She also said that the missing tapes, which were not encrypted, were created using mainframe-type computers and highly specialized hardware and software that would make it difficult - though not impossible - to extract data from them.

And Ms. Givens of the Privacy Rights Clearinghouse said, "Your everyday dumpster diver may not know what to do with these tapes, but if these tapes ever find their way into the hands of an international crime ring, I think they'll figure it out."

From isn at c4i.org Tue Jun 7 04:14:25 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 7 04:26:48 2005
Subject: [ISN] Woodward grills cybersecurity vets
Message-ID:

http://www.fcw.com/article89104-06-06-05-Web

By Michael Arnone
June 6, 2005

The federal government must become more proactive in finding and weeding out cyberthreats instead of just reacting to them, according to members of a panel discussion run by the journalist who helped bring down the president.

Bob Woodward, who helped break the Watergate scandal with fellow Washington Post reporter Carl Bernstein, moderated a Gartner IT Summit panel of three former federal cybersecurity chiefs. Woodward, assistant managing editor of the Post, asked his guests whether the majority of Internet users were aware of cyberthreats and the government's imperfect ability to stop attacks.

The Internet is more secure now than it was because Internet service providers have built in many new controls to stop attacks, said Howard Schmidt, a former adviser to the Bush administration who helped implement the National Strategy for Securing Cyberspace. Users can also download free toolbars that add extra security, he said.

Industry is reacting much faster to attacks than it used to, Schmidt said. Information sharing and analysis centers are becoming more operational but must share more information across industry sectors and with government intelligence analysts, he said.
On many levels, the government and the private sector are doing a much better job at addressing problems that had plagued them for months or years, said Amit Yoran, former national cybersecurity director and current president of Yoran Associates. Security technology has gotten more effective and easier to use, he said.

But most companies and organizations still prefer to wait until after an attack has happened to protect themselves from cyberthreats, Yoran said. Even non-terrorist attacks, like the Northeast blackout in 2004, offer a national opportunity to address vulnerabilities before they are maliciously exploited, he said. "We're missing the signs, almost like before September 11," Yoran said.

The country has not mobilized enough against cyberthreats, panel members said. "There has not been enough of an investment at senior administration levels to make this an issue," said Roger Cressey, president of Good Harbor Consulting and former chief of staff to Bush's Critical Infrastructure Protection Board.

The misconception exists that emphasizing cybersecurity would shortchange physical security, Cressey said. Physical security gets more attention because people can better envision consequences like explosions and body bags, he said. Cyberterrorism is sexy but shouldn't distract government and industry from the real issue: finding and fixing existing vulnerabilities, Cressey said.

Woodward asked the panelists whether Bush needed a top strategist dedicated to a single goal -- cybersecurity -- much as Karl Rove focused on getting the president re-elected in 2004. A Rove-like individual could provide leadership on the issue and determine where the efforts are falling short, Cressey said.

The House passed a fiscal 2006 budget bill that would enhance cybersecurity in many ways, including promoting the national cybersecurity director position to a full assistant secretary for cybersecurity.
The House bill has many constructive elements, Yoran told Federal Computer Week after the panel concluded. Creating the assistant secretary will help integrate thinking about cybersecurity into the government's strategic thinking, he said.

From isn at c4i.org Tue Jun 7 04:14:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 7 04:26:51 2005
Subject: [ISN] Bluetooth crack gets serious
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=3797

By Matthew Broersma
Techworld
06 June 2005

Two security researchers say they have discovered a technique for taking control of Bluetooth-enabled mobile phones, even when the handsets have security features switched on.

The technique is a practical implementation of a technique described by Ollie Whitehouse of security firm @Stake last year, which allows an attacker with specialised equipment to connect to a Bluetooth handset without authorisation. Once the connection is established, the attacker could make calls on the target's handset, siphon off data or listen in on data transfers between the device and, for example, a PC. Some security firms recommend financial traders avoid Bluetooth handsets because of the potential attack.

The original method required an attacker to listen in on the initial connection procedure between two Bluetooth devices - called "pairing" - which occurs only rarely. The new attack, however, allows an attacker to force two devices to repeat the pairing procedure, allowing the attacker to listen in and determine the identification code (PIN) used to protect the connection.

The researchers, senior lecturer Avishai Wool and graduate student Yaniv Shaked of Tel Aviv University's School of Electrical Engineering Systems, will present their paper, "Cracking the Bluetooth PIN", on Monday afternoon at the MobiSys conference in Seattle.

Various security holes have already appeared in Bluetooth, which is becoming widely used in mobile phones and high-end "smartphones".
However, most require a poor implementation of Bluetooth's security features, or for the device to be left in "discoverable" mode. Whitehouse's attack, by contrast, could be used against a handset with security features switched on.

Whitehouse's attack is difficult to implement, because it requires the attacker to pick up some information during the pairing process. From this data, an attacker could determine the PIN for the connection, with the length of time depending on the number of digits in the PIN - under a second for four-digit PINs, which are standard on most devices.

Wool and Shaked's attack goes a step further, describing three methods for forcing a repeat of the pairing process. Using the information from this exchange, the researchers were able to determine the PIN in 0.06-0.3 seconds for a 4-digit PIN, according to the paper.

For example, a user could be asked to re-enter the PIN for connecting to his or her wireless headset, according to the paper. Once the two devices re-connected, the attacker would easily be able to crack the PIN in most cases. Many users could be fooled by this, since such re-pairing is built into the Bluetooth specification; in fact many devices have a mode requiring the user to re-enter their PIN each time a connection is made, the researchers said.

"Taken together, this is an impressive result," said security expert Bruce Schneier in a Weblog post.

Wool and Shaked recommend users refrain from entering their pairing PINs as much as possible, particularly in public places. Using longer PINs can also make a big difference, they said - even a six-digit PIN would take 10 seconds to crack, while a 10-digit number would require weeks, according to Whitehouse. Users may find they don't have a choice, since many devices only allow four-digit PINs.
From isn at c4i.org Wed Jun 8 05:04:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 8 05:19:28 2005
Subject: [ISN] Gartner: Relax about overhyped security threats
Message-ID:

http://www.fcw.com/article89119-06-07-05-Web

By Michael Arnone
June 7, 2005

Don't believe the hype about some of the computer security threats emphasized in industry and the media, two Gartner Research analysts said today.

Lawrence Orans, a principal research analyst, and John Pescatore, vice president and research fellow, told attendees at the Gartner IT Security Summit in Washington, D.C., not to fear going ahead with projects that use voice over IP technology, Virtual Private Networks over the Internet and wireless hot spots. The computer-security experts also advised their audience not to waste time or money on products they don't need to meet federal regulations and protect against malware on mobile devices.

The men debunked five popular security myths:

* Eavesdropping risks make VoIP telephony too insecure to use.

Industry and the media overhype the danger of eavesdropping because it is as easy to eavesdrop on voice packets in a network as on data packets, Orans said. But eavesdropping is rare because perpetrators must access an IP phone through the company's intranet, he said. Companies that follow best practices to protect their data should have no trouble protecting their Internet telephony operations, Orans said.

Eavesdroppers can be caught easily by scanning the network for unusual behavior, he said. Companies can encrypt their voice traffic to prevent trouble, but this is only necessary if they encrypt their data as well, he said. They can also use Internet-telephony handsets and tailor their firewalls to allow scanning, he said.

* Malware on mobile devices will cause major business disruptions in the near future.

The hype about antivirus products to protect cell phones and PDAs has been around since 2001, Pescatore said.
But he predicted that viruses and other malware used against wireless mobile devices won't cost more than antivirus protections against them until the end of 2007 at the earliest.

More Americans need to use smart phones and PDAs with always-on wireless capability, Pescatore said. Only 3 percent of American users had such items in 2004 and only 10 percent will have them by the end of 2005, they said. Mobile malware won't become an issue until more than 30 percent of Americans have them, he said.

Additionally, mobile malware attacks won't become a real threat until the users of these wireless items commonly send locally executed software, he said.

Lastly, too many operating systems and applications are in use to allow a large-scale attack, Pescatore said. One phone operating system will need at least 50 percent of the market and two others have 20 percent each to make such attacks feasible, he said. But "we may never reach the point where we don't have diversity in the cell phone operating system world," he said.

Antivirus software on a phone won't protect against attacks on the wireless network, Pescatore said. "The end-client solution for malware is doomed," he said. It's more effective to block viruses on the network, he said. A potential attack method, however, could be hijacking a telecom company's ability to automatically update users' phones' operating systems, he said.

Industry and government must create policies for using mobile devices and requiring network-based malware protection, Pescatore said.

* Viruses will not destroy the Internet.

Named after Andy Warhol's "15 minutes of fame" quip, a Warhol worm infects all vulnerable computers on the Internet within 15 minutes, Orans said. Only one such virus has appeared so far - the SQL Slammer worm in 2003, he said. Slammer doubled the number of infected computers every 8.5 seconds, Orans said. The attack just clogged most Internet Service Providers and did not affect most of the backbone, he said.
The worm replicated itself until it ran out of bandwidth to keep propagating, he said.

Companies and the government should feel confident that the Internet is powerful and robust enough to handle their Virtual Private Networks, Orans said. In the next few years, he predicted, the Internet will meet the performance and security needs of 70 percent of business traffic and more than 50 percent of corporate wide-area-network traffic.

* Compliance with government regulations equals security.

The increased federal regulation prompted by Sarbanes-Oxley and similar legislation does not automatically lead to more security, Pescatore said. Organizations accommodating the explosion of new reporting requirements must ensure that their efforts lead to effective changes in how they operate, he said.

"Investing in reporting over controls is security bulimia," Pescatore said. "We vomited out all these results but now we're weaker," he said.

Organizations should use Sarbanes-Oxley and other legislation to justify priority shifts in 2006, Pescatore said. He predicted that the next round of regulatory legislation will concern identity theft.

* Wireless hot spots are unsafe.

The threat of "evil twins" setting up rogue access points to fool unsuspecting Internet users into thinking they are on real sites and then divulging confidential information is a red herring, Orans said.

Users should use 802.1X protection, use token passwords instead of set ones, and use corporate VPNs for security, Orans said. Locations that offer hotspots should use software that monitors for evil twins and follow best practices for mobile end points, he said. Locations and users should also set up firewalls and turn off file- and print-sharing software in a wireless hot spot, he said.

An unofficial poll of audience members found that 32 percent of those attending the talk thought that regulatory compliance was the most important of the five threats.
From isn at c4i.org Wed Jun 8 05:04:32 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 8 05:19:33 2005
Subject: [ISN] Security claims asking for trouble
Message-ID:

http://www.smh.com.au/news/Next/Security-claims-asking-for-trouble/2005/06/06/1117910220376.html

By Patrick Gray
June 7, 2005
Next

Two words that should never pass the lips of a software vendor are "it's secure", says Symantec's Dave Ahmad. Such statements draw the undivided attention of the world's security researchers, eager to poke holes in vendor grandstanding by finding security glitches in software touted as unbreakable.

As the moderator of the Bugtraq security mailing list for the past four years, Mr Ahmad has seen his fair share of security vulnerability advisories. A free email subscription to Bugtraq has become a must-have for IT security consultants, managers, vendors, researchers and students alike. Software vendors use Bugtraq to disclose vulnerabilities - which can be used by hackers to break into computers using the software - and security researchers share findings and collaborate on the list.

After four years on the job, Mr Ahmad, who is based in Calgary, Canada, has come to appreciate that hyping software as a safer substitute to products having a bad run with security flaws may not be the best way to grab market share.

"When systems are touted as a secure alternative to the mainstream, that attracts (security) researchers," he says. "It's that hacker instinct: to go against the norm, to attack assumptions."

Recent examples cited by Mr Ahmad are the open source Mozilla Firefox browser, described by some as a secure alternative to Internet Explorer, and Apple's flagship operating system, OS X, an alternative to Microsoft's Windows. The image of both Firefox and OS X as completely secure software has been eroded in recent months, with security researchers disclosing vulnerabilities in the browser and operating system software.
Mr Ahmad, 25, first joined the company that maintains Bugtraq, SecurityFocus, at 18 to maintain the company's vulnerability database. He took over Bugtraq in September 2001 and has been running it ever since. SecurityFocus, an operator of an early-warning system and web-portal, as well as the Bugtraq mailing list and vulnerability database, was acquired in 2002 by security software maker Symantec.

He's seen a lot of change in his time running Bugtraq. For example, vendors are more responsive to security concerns. "Microsoft has got better. The open source community has got better," Mr Ahmad says. "Even vendors like Oracle, who I don't think are the best right now, have been pressured by high-profile researchers . . . into reacting a little more quickly."

However, according to Mr Ahmad, the recent downturn in the number of serious security vulnerabilities disclosed to the wider community comes not from increased product security, but an increasingly secretive research community. "In the last year or so there just haven't been those high-profile vulnerabilities," he says. "A lot of the good vulnerability researchers have stopped disclosing their findings."

More and more, security companies are selling their vulnerability data, Mr Ahmad says. "They're keeping their vulnerabilities private and charging a subscription fee," he says. "Now that vulnerabilities have a value, they're worth something, people will pay for them, there's a motivation to keep them private."

Even the bugs themselves have changed with time, Mr Ahmad says. Sometimes a breakthrough in security research will lead to a flood of vulnerabilities being disclosed. Technical methods for manipulating the memory "heap" on several operating systems, for example, were widely published in hacker magazines such as Phrack, Mr Ahmad says. That led to an onslaught of heap-related vulnerabilities being disclosed that were previously thought to be non-critical.
"The level of sophistication is incredible now," he says. At the CanSecWest security conference held in May in Canada, Mr Ahmad was impressed by a presentation by US-based IT security outfit eEye Digital Security. The company's consultants demonstrated the exploitation of a kernel vulnerability in Windows, a glitch traditionally thought too difficult to use practically to compromise a computer system.

"A few years ago it was inconceivable that this could be done, but we're pushing the limits because a lot of the low hanging fruit has been picked," Mr Ahmad says.

From isn at c4i.org Wed Jun 8 05:05:34 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 8 05:19:36 2005
Subject: [ISN] Linux Security Week - June 6th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| June 6th, 2005                            Volume 6, Number 24n     |
|                                                                     |
| Editorial Team:  Dave Wreski             dave@linuxsecurity.com     |
|                  Benjamin D. Thomas      ben@linuxsecurity.com      |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "An Introduction to Securing Linux with Apache, ProFTPd and Samba," "Employee Training & Education Can Mitigate Threats," and "Lack of Confidence in IT Security Industry."

---

LINUX ADVISORY WATCH

This week, advisories were released for qpopper, openssl, php4, bzip2, ImageMagick, bind, netpbm, gxine, imap4d, elfutils, gnutls, and postgresql. The distributors include Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/119246/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple.
http://www.linuxsecurity.com/content/view/118181/49/

+---------------------+
| Security News:      |  <<-----[ Articles This Week ]----------
+---------------------+

* What is the point of encryption if you don't know who for?
  30th, May, 2005

  Dr. Walter, Head of Cryptography for Comodo Inc. and chair of the Trusted Computing Group (TCG) Peripheral Working Group, has clarified the relationship between encryption and authentication. The blurred definition to date has split the Certificate Authority industry into two groups. Authorities such as Comodo and VeriSign compete head to head to deliver high assurance digital certificates, whilst other groups concentrate on the low assurance market.

  http://www.linuxsecurity.com/content/view/119220

* Sentry CD - A different firewall approach
  30th, May, 2005

  If you want to set up a Linux-based firewall, there's no need to run a bloated distribution that installs everything but the kitchen sink. If you are not afraid to get your hands dirty, and like having total control over your system, then Sentry Firewall CD (SFCD) is just what you need. It is a highly configurable, bootable CD that takes a minimalist approach to firewalling.

  http://www.linuxsecurity.com/content/view/119221

* Many unaware of browser-security link
  1st, June, 2005

  Many American online computer users are unaware that choice of browser affects Internet security, and few switch browsers even when they know the risk, a Norwegian study said Monday.
  http://www.linuxsecurity.com/content/view/119226

* Network Security to Take Top Spot
  1st, June, 2005

  Criminals aren't the only ones benefiting from the onslaught of threats that bombard corporate networks. Security vendors are also reaping the benefits.

  http://www.linuxsecurity.com/content/view/119234

* Zombie machines used in 'brutal' SSH attacks
  2nd, June, 2005

  It's a tedious activity that can put the best of IT administrators to sleep. But as security and compliance manager for a large U.S. healthcare organization, Adam Nunn has learned to study his network activity logs religiously. He knows that when the bad guys work overtime to break his defenses, those logs can be the first sign of trouble.

  http://www.linuxsecurity.com/content/view/119238

* An Introduction to Securing Linux with Apache, ProFTPd and Samba
  2nd, June, 2005

  While the vast majority of Linux users are hard-core techies, some may be using Linux because they want to try something new, are interested in the technology, or simply cannot afford or do not want to use Microsoft Windows.

  http://www.linuxsecurity.com/content/view/119236

* Review: FreeBSD 5.4
  1st, June, 2005

  One of the oldest Unix-like operating systems, FreeBSD, continues its advancement with the sixth release in the FreeBSD-5 series. Its developers have added nothing major, but have made many modifications, fixing a number of problems introduced in previous releases. FreeBSD 5.4 is the best release since 5.1, but it still may not be ready for prime time.

  http://www.linuxsecurity.com/content/view/119225

* A good morning with: Theo de Raadt
  2nd, June, 2005

  Everybody knows that you're the OpenBSD and OpenSSH guru and creator, one of the most famous and widely used secure operating systems nowadays. Why did you create them? What did you need many years ago from the OS world when you created OpenBSD? What inspired you to write OpenBSD and OpenSSH from scratch?
  http://www.linuxsecurity.com/content/view/119235

* Employee Training & Education Can Mitigate Threats
  31st, May, 2005

  Many Internet threats are easily avoidable and just executed by employees who are simply unaware of their presence. Once briefed on basic Internet security, it is equally important to keep your employees educated as well. "When new threats arise, send out memos alerting each employee of the threat, how to identify it, and what to do if and when they have it," says security expert and Guardian Digital CEO Dave Wreski.

  http://www.linuxsecurity.com/content/view/119223

* Security Action Plans
  1st, June, 2005

  Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.

  http://www.linuxsecurity.com/content/view/119227

* Fedora Directory Server Now Available To The Open Source Community
  1st, June, 2005

  The Fedora Project, a Red Hat-sponsored and community-supported, open source collaboration project, today announced at the Red Hat Summit the availability of Fedora Directory Server. By making Fedora Directory Server freely available to the open source development community, Red Hat is enabling and encouraging the development of secure, enterprise technologies and providing customers and partners with increased choice. The availability of Fedora Directory Server licensed under the GPL underscores Red Hat's true commitment to open source innovation.
  http://www.linuxsecurity.com/content/view/119229

* How to crack passwords, and why you should
  2nd, June, 2005

  Auditing passwords is a worthwhile venture, particularly in an environment that deals with sensitive information. Because systems encrypt passwords when they store them, you really can't properly judge the strength of a password unless you try to crack it.

  http://www.linuxsecurity.com/content/view/119237

* Hackers target voice over IP
  2nd, June, 2005

  Service providers need to focus more resources on voice over IP (VoIP) security if they are to provide the level of reliability and trust that subscribers have come to expect with traditional telephone services, analysts have warned.

  http://www.linuxsecurity.com/content/view/119239

* Yahoo!, Cisco Combine Antispam Efforts
  2nd, June, 2005

  Network equipment maker Cisco Systems Inc. and Internet portal Yahoo Inc. are combining their efforts to combat e-mail spam and forgery in a step that's expected to help expand adoption of the technology.

  http://www.linuxsecurity.com/content/view/119240

* Lack of Confidence in IT Security Industry
  3rd, June, 2005

  The IT security industry needs to convince citizens of its trustworthiness and the robustness of its products if it is to win a slice of the project associated with the introduction of ID cards.

  http://www.linuxsecurity.com/content/view/119247

* US biometric ID request raises ID concern in UK
  30th, May, 2005

  The UK government plans to issue its ID card as a passport with biometric identifiers stored in a chip - and the US wants those chips to be compatible with its own scanners, raising the possibility that US agencies could have access to the ID Card database.
  http://www.linuxsecurity.com/content/view/119219

* Cybersecurity czar will have hard road ahead
  2nd, June, 2005

  A spending bill likely to be passed this month will give the Department of Homeland Security's chief cybersecurity officer more clout but will not solve major issues in how the agency handles its job of protecting the nation's critical infrastructure, security experts said this week.

  http://www.linuxsecurity.com/content/view/119245

* On the track of script-kid terrorists
  31st, May, 2005

  Cyber terrorism is almost a dirty word among elite computer security professionals, and there's a high risk of being ridiculed if you use it in their midst.

  http://www.linuxsecurity.com/content/view/119222

* Israeli Police Charge 18 With Industrial Espionage
  31st, May, 2005

  Eighteen people have been arrested in one of Israel's largest industrial espionage schemes, police said Sunday, charging that business executives and private investigators used sophisticated software to infiltrate competitors' computers. The investigation implicated a car importer, two cell phone providers, and the nation's main satellite television company. Police said they were still sifting through documents and computer files to figure out the extent of the damage, but maintained that victims lost competitive bids and thousands of customers because of the spying.

  http://www.linuxsecurity.com/content/view/119224

* Hackers, Spammers Partner Up To Wreak Havoc
  3rd, June, 2005

  A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

  http://www.linuxsecurity.com/content/view/119248

* New hack cracks 'secure' Bluetooth devices
  3rd, June, 2005

  Cryptographers have discovered a way to hack Bluetooth-enabled devices even when security features are switched on. The discovery may make it even easier for hackers to eavesdrop on conversations and charge their own calls to someone else's cellphone.
  http://www.linuxsecurity.com/content/view/119250

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

From isn at c4i.org Thu Jun 9 01:15:44 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 9 01:29:44 2005
Subject: [ISN] Cybersecurity plagues Fort Hood
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/article89132-06-08-05-Web

By Frank Tiboni
Published on Jun. 8, 2005

LAS VEGAS - The Army's biggest base has a cybersecurity problem to match its size.

Fort Hood, Texas, the largest Army base in the world and home of the 4th Infantry Division - the service's first digitized force - has a huge information security problem, said Maj. Gen. Dennis Moran, the Army's director of information operations, network and space in the Office of the Chief Information Officer. He spoke June 8 at the Army Information Technology Conference sponsored by the Army Small Computer Program.

Some Army IT leaders think the best way to solve the information security problem at Fort Hood is to operate IT as an enterprise. For example, the base has 96 domains on the military's unclassified network. Consolidating e-mail, servers and storage systems would improve network management, operations and security, Moran said.

But Fort Hood technology workers resisted the consolidation idea. The Army's IT leaders must resolve the tension between the Army's need to operate IT as an enterprise and IT workers' unique requirements at bases, Moran said.

Fort Hood technology officials have attempted to improve information security by implementing products from Intrusion, for example, to strengthen network and spyware defenses.

Fort Hood is not the only major Army base with computer security problems.
Fort Campbell, Ky., home of the 101st Airborne Division - the service's air assault helicopter force - was hacked in 2003, and the Army spent millions of dollars to rebuild the fort's systems. A top Army warfighting IT official echoed Moran's information assurance concerns servicewide. "Security is a major problem," said Chuck Pizzutelli, deputy program executive officer in the Army's Program Executive Office for Command, Control, Communications Tactical, which is part of the service's new Communications-Electronics Lifecycle Management Command. "Half of the IT architecture is a security overlay." Pizzutelli also spoke at the conference. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Jun 9 01:16:11 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jun 9 01:29:49 2005 Subject: [ISN] ISPs found innocent of aiding zombie attacks in 'trial' Message-ID: http://www.networkworld.com/news/2005/060705-gartner-isp.html By Grant Gross IDG News Service 06/07/05 ISPs were put on "trial" Tuesday, with hundreds of IT security professionals serving as jurors, for not doing enough to keep subscribers' computers from being compromised and used as tools in attacks on corporate networks. The plaintiffs, a couple of fictional companies hit by denial of service attacks, argued that ISPs could do more to prevent "zombie" machines used in attacks by scanning subscribers' computers, monitoring traffic and shutting down suspicious network uses. 
"ISPs are in the best position to take reasonable steps to diminish the threat," argued real-life cybersecurity lawyer Ben Wright, during a mock trial at the Gartner IT Security Summit in Washington, D.C. "It's very difficult to go out and find the hackers who are responsible for these attacks." But defense lawyer Stewart Baker, a partner in the Washington office of Steptoe and Johnson, argued that it would be a violation of privacy for ISPs to check subscribers' computers. It would be nearly impossible for ISPs to distinguish between legitimate Internet traffic, such as a subscriber's browser updating a weather map every few seconds, and a computer being used in a denial of service attack, added Baker, representing a group of fictional ISPs. In a distributed denial of service attack, hackers often first take over a group of thousands of computers by sending out a computer worm. The bad guys then use the group of so-called zombie machines, often tied together through an IRC (Internet relay chat) server called a botnet, to mass attack and crash a Web server. Some hackers use these denial of service attacks to extort money from companies by demanding cash to make the attack stop, according to some IT security experts. Wright compared the ISPs' relative lack of enforcement to the owner of a dangerous piece of property who doesn't buy a fence to keep others out. But Baker suggested it is a computer owner's responsibility to protect against malicious viruses and worms, not the ISP's. Baker asked the audience how many would be willing to stay at a hotel that offered Internet access in exchange for being allowed to scan their computers for possible security vulnerabilities or illegal files such as music downloads. No one in the audience raised a hand. "Suing us is like suing the telephone company for a bomb threat because they allowed it to be called in," said Rich Mogull, a cybersecurity analyst for Gartner Research and the expert witness for Baker and the ISPs. 
"There has to be an attacker someplace, and it doesn't seem like they're suing the attackers."

The mock trial was a half-serious discussion on the responsibility of ISPs for the security of their subscribers' computers. No actual ISPs or denial-of-service-attack victims participated, and the trial veered into a debate over the meaning of "promiscuous" computers and even references to the current trial of pop music star Michael Jackson.

Using electronic voting boxes, Gartner found that 71% of the audience of hundreds of IT security professionals agreed or strongly agreed that botnets are a serious problem for large businesses. But when asked who they sided with after the hour-long debate, only 30% of attendees backed the fictional corporations suing the fictional ISPs for a lack of zombie security measures. Fifty-four percent backed the ISP position, and the other 16% backed option three: Michael Jackson. Or, in other words, none of the above.

Baker and Mogull argued that it would be nearly impossible for ISPs to monitor millions of computers connected to the Internet for a few thousand machines compromised at any one time, and it would be difficult to define what type of activity on an individual computer would be linked to a denial of service attack.

But Wright and expert witness Amrit Williams, a cybersecurity analyst at Gartner Research, argued that ISPs are in the best position to track denial of service attacks. One audience member agreed, saying through their current scanning of traffic patterns, ISPs can see attacks as they develop, often before victimized companies know what's going on.

"ISPs can see the activity, and they don't stop it," she said. "They're more than willing to turn a blind eye when our performance fails."

But Baker noted that in many cases, ISPs see spikes in traffic coming from outside their networks, and they can do little to stop that traffic.

"This is not the ISPs' Internet," he said. "The Internet is owned by no one."
From isn at c4i.org Thu Jun 9 01:15:08 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jun 9 01:29:55 2005 Subject: [ISN] Gartner: Relax about overhyped security threats Message-ID: Forwarded from: security curmudgeon : Gartner: Relax about overhyped security threats : http://www.fcw.com/article89119-06-07-05-Web : : By Michael Arnone : June. 7, 2005 : : Don't believe the hype about some of the computer security threats : emphasized in industry and the media, two Gartner Research analysts said : today. First paragraph and this is just a set up for fun replies and cries of hypocrisy! I guess it is all in the wording though, as "nations .. conducting cyberwarfare" is very plausible, while "cyberterrorism" is only theory? These are the same people who said this about cyberterrorism: "To a large extent it comes down to motive.." http://www.zdnet.com.au/newstech/security/story/0,2000048600,20280859,00.htm Gartner's information security and risk research director has dismissed cyber-terrorism as a "theory". http://www.securitypipeline.com/news/showArticle.jhtml%3Bjsessionid=OB5UFEWRASQTMQSNDBGCKHQ?articleId=17301712 Much like the nuclear threat during the Cold War in the last century, cyberwarfare is a potential catastrophe that the U.S. and other nations must be prepared to combat, Gartner Inc. said. Given the rate of adoption of Internet-based technology, nations will have the ability to conduct cyberwarfare by 2005. http://www.nwfusion.com/news/2004/0920gartsec.html The list of security items a company probably doesn't need within the next five years includes personal digital signatures, quantum key exchanges, passive intrusion detection, biometrics, tempest shielding (to protect some devices from emanating decipherable data), default passwords, or enterprise digital rights management outside of workgroups, according to Victor Wheatman, vice president and research area director at Gartner, based in Stamford, Conn. 
With creative wording in mind, and Gartner's business model of pimping "research", let's look at what they said.. and what they have said. : The computer-security experts also advised their audience not to waste : time or money on products they don't need to meet federal regulations : and protect against malware on mobile devices. If I am reading this right, Gartner says don't buy products/services that are not needed to meet federal regulations? Because federal regulations like HIPAA and SOX make systems secure? But more on that later.. : * Eavesdropping risks makes VOIP telephony too insecure to use. : : Industry and the media overhype the danger of eavesdropping because it : is as easy to eavesdrop on voice packets in a network as on data : packets, Orans said. But eavesdropping is rare because perpetrators : must access an IP phone through the company's intranet, he said. http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1020417,00.html In fact, VoIP is opening new channels for nations and terrorists to engage in cyberwarfare, Fraley wrote in a January 2004 research note for Gartner. While not specific to VOIP and eavesdropping, Gartner sure as hell states that deploying VOIP can be a big blow to security: http://www.silicon.com/research/specialreports/voip/0,3800004463,39129635,00.htm "There are lots of concerns about security on VoIP," said Nick Jones [a research vice-president for Gartner]. "Your security people may not realise they are opening their network. You can't use deep packet inspection. You just have to open up ports and hope everything is okay." : * Malware on mobile devices will cause major business disruptions in : the near future. : : The hype about antivirus products to protect cell phones and PDAs has : been around since 2001, Pescatore said. 
But he said he predicted that
: viruses and other malware used against wireless mobile devices won't
: cost more than antivirus protections against them until the end of
: 2007 at the earliest.

This is an interesting prediction when compared to another Gartner made:

http://www.itwales.com/998551.htm

Prediction: By 2008, the technological differences between PCs, mobile devices, e-books, TVs and cellular phones will be eradicated

Also interesting when Gartner blurs the line further:

http://www.senforce.com/pressrelease/pr-quad.htm

Draper, Utah May 20, 2005 Senforce Technologies Inc., the leader in location-aware endpoint security enforcement, today announced the company was placed in the Visionaries quadrant of Gartner, Inc.'s Magic Quadrant for Personal Firewalls, 1H05*. Summarizing the report, Gartner says Personal firewalls strengthen a company's perimeter defenses by blocking attacks against individual workstations and mobile devices.

So if mobile devices are essentially becoming the same as any other PC, and personal firewalls are key to protecting these devices, doesn't that suggest the next big worm could cause just as much damage to mobile devices as PCs? We know that they can cause more damage than the cost of anti-virus.. simple logic says they can also do the same to mobile devices.

: More Americans need to use smart phones and PDAs with always-on wireless
: capability, Pescatore said. Only 3 percent of American users had such
: items in 2004 and only 10 percent will have them by the end of 2005,
: they said. Mobile malware won't become an issue until more than 30
: percent of Americans have them, he said.

Is this because numbers define an 'issue'? If 999,999 people are hit by a mobile device worm, no biggie. But if 1,000,000 are hit, then a "million" becomes a significant number and it is now an issue? Why 30%? This seems to be picking arbitrary numbers for importance, something I read about in an old book about lying with statistics.
: * Compliance with government regulations equals security.
:
: The increased federal regulation prompted by Sarbanes-Oxley and similar
: legislation does not automatically lead to more security, Pescatore
: said. Organizations accommodating the explosion of new reporting
: requirements must ensure that their efforts lead to effective changes in
: how they operate, he said.
:
: "Investing in reporting over controls is security bulimia," Pescatore
: said. "We vomited out all these results but now we're weaker," he said.
:
: Organizations should use Sarbanes-Oxley and other legislation to justify
: priority shifts in 2006, Pescatore said. He said he predicted that the
: next round of regulatory legislation will concern identity theft.

Err wait, I'm confused! Gartner said:

The computer-security experts also advised their audience not to waste time or money on products they don't need to meet federal regulations and protect against malware on mobile devices.

Am I reading this wrong? The double negatives in this sentence throw me off I think... ?

: * Wireless hot spots are unsafe.
:
: The threat of "evil twins" setting up rogue access points to fool
: unsuspecting Internet users into thinking they are on real sites and
: then divulging confidential information is a red herring, Orans said.

http://www.macnewsworld.com/story/39872.html

Wi-Fi Users Should Beware 'Evil Twins'

The most recent cautionary advice came from UK researchers at Cranfield University who indicated "evil twin" Wi-Fi or 802.11 wireless networks may be used to pose as legitimate hot spots to steal passwords or other personal information. Ken Dulaney, Gartner vice president of mobile computing, told TechNewsWorld that the issue may have more significance with the growing number of public Wi-Fi hot spots.

So is this an issue or not Gartner?
Perhaps Orans and Dulaney need to have a sit down to figure out what the corporate line should be?

From isn at c4i.org Thu Jun 9 01:16:40 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 9 01:30:03 2005
Subject: [ISN] Insecurity through obscurity
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,102307,00.html

Opinion by Jian Zhen
JUNE 08, 2005
COMPUTERWORLD

Security through obscurity is probably one of the oldest tricks in the security book. The basic premise stems from the fact that people are trying to ensure security by hiding certain facts of their software or architecture design from regular users. This is equivalent to someone hiding a house key under a pot of plants in front of his house.

However, Auguste Kerckhoffs, a 19th century Flemish cryptographer, said it should be assumed that attackers know the design of the entire security system, except for the keys. This concept, known as Kerckhoffs' law, basically rejected the notion of security through obscurity (your key hidden under your potted plant) and suggested that a system should be secure even if everything's public knowledge, except the key.

Most administrators and developers these days are somewhat familiar with the various security concepts such as virus, worm, buffer or heap overflow, cross-site scripting and SQL injection. Since these concepts are fresh in their minds, they try to take explicit precaution to avoid these traps. However, they continue to develop software and products that rely on hiding certain trivial information, such as URL, username or other session information, and hope that users won't find them. They also try to hide this information in obvious places, such as hidden fields of a Web page or a different directory on a Web server.
A case in point: Last March, Harvard Business School, along with a few other top business schools, suffered a huge embarrassment because its admission portal had a "break-in," as university officials called it (see story) [1]. ApplyYourself.com, a company that handles applications for Harvard and other elite institutions, had a Web portal where applicants could check on the status of their applications. Generally, Harvard's decisions go out on March 30. However, one applicant had figured out a way to obtain the status before that date. This applicant then posted it on a Web site for others to try. In the end, a total of 119 applicants tried this method. After finding out, Harvard decided to reject these 119 applicants regardless of their admission status (see story) [2]. Stanford University had made similar decisions recently, rejecting 41 applicants who tried this method. Lessons learned We are not here to argue whether Harvard and Stanford made the right decision or whether the action taken by the 119 applicants was ethical. However, there are some lessons to be learned here. First of all, ApplyYourself.com's method of hiding the admission status from the applicants was a great example of security through obscurity. In order to obtain the status early, the users took information that was readily available to them, modified the URL in their browsers and got access to their own admission status. There are at least two major mistakes here. First, ApplyYourself.com hid an ID field that users were not supposed to see in the Web page source. This ID was then used to construct the URL that would give the user the admission status. Second, ApplyYourself.com assumed that users would not have knowledge of the URL that would provide the status. However, anyone who applied to these schools through ApplyYourself.com would have seen the URL, and would have known what the URL looked like, as well as the parameters required to construct the URL. 
Given that this URL was provided to previous applicants, current applicants could easily obtain it by simply asking. These two grave mistakes left ApplyYourself.com scrambling to patch the security holes.

Another good example of security through obscurity was demonstrated when hackers compromised Cisco Systems Inc.'s corporate network and stole more than 800MB of source code (see story)[3]. This incident caused quite a stir in the IT community, since Cisco's routers are responsible for managing a majority of the Internet traffic. Any security issues in the source code could become public. The publication of these security vulnerabilities -- still a possibility -- has the definite potential of causing major havoc on the Internet, possibly bringing it down on its knees.

Microsoft Corp. has also experienced similar embarrassing incidents. In February 2004, portions of the source code for the Microsoft Windows NT and Windows 2000 operating systems were leaked (see story)[4]. The leaked source code could potentially allow hackers to identify security vulnerabilities in the Windows operating systems. Given the popularity of Windows in both consumer and corporate environments, this leak could be devastating to the whole Internet community.

All these examples demonstrate the danger of the security-through-obscurity premise. There are many articles, books and seminars on this topic. Companies and software developers need to start with Kerckhoffs' law, assume that the algorithm and design of the software are known, and design security into the products and software in the beginning instead of retrofitting or patching security holes later.
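The two ApplyYourself.com mistakes the column describes (a record ID carried in a hidden field, and a status URL that works for anyone who knows it) come down to one missing server-side check. The example below is added here to illustrate that point; it is not code from the column, from ApplyYourself.com, or from any of the schools. It models a status lookup two ways: the obscurity-only form, where knowing the ID is the whole gate, and a form that ties the record to the logged-in account and lets the server, not the page, decide whether the decision is released yet. All data (applicants, sessions, release dates) and the function names `lookup_status_obscure` and `lookup_status_secure` are constructed for the example.

```python
"""Added example: status lookup with and without server-side authorisation.

Everything here is constructed for illustration: the applicant records,
the session table, the release dates and the function names are not from
the Computerworld column or from ApplyYourself.com.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str        # account that submitted the application
    decision: str     # e.g. "admit" / "deny" / "waitlist"
    release_on: date  # date the school intends to publish the decision


# Constructed sample data: three applicants; carol's decision is already
# released, alice's and bob's are embargoed until March 30.
APPLICATIONS = {
    1001: Application(1001, "alice", "admit", date(2005, 3, 30)),
    1002: Application(1002, "bob", "deny", date(2005, 3, 30)),
    1003: Application(1003, "carol", "admit", date(2005, 2, 1)),
}

# Constructed session table standing in for the login cookie -> account map.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-carol": "carol"}

# Denied lookups are recorded so that probing of other people's records is
# visible to whoever reviews the log.
AUDIT_LOG: List[Tuple[str, Optional[str], int]] = []


def lookup_status_obscure(app_id: int) -> Optional[str]:
    """The 'before' pattern from the column: the only gate is knowing the ID
    that the page carried in a hidden field. Whoever edits the URL gets the
    record, and the release date is never consulted on the server."""
    app = APPLICATIONS.get(app_id)
    return app.decision if app else None


def lookup_status_secure(session_id: str, app_id: int, today: date) -> Optional[str]:
    """Hardened form: authorise against the logged-in account and enforce the
    release date server-side. Unauthenticated, foreign, unknown and
    not-yet-released records all get the same None, so the response does not
    reveal which condition failed."""
    account = SESSIONS.get(session_id)
    if account is None:
        AUDIT_LOG.append(("no-session", None, app_id))
        return None
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != account:
        # The request names a record the caller does not own (or none at all).
        AUDIT_LOG.append(("denied", account, app_id))
        return None
    if today < app.release_on:
        AUDIT_LOG.append(("embargoed", account, app_id))
        return None
    return app.decision


def foreign_access_attempts() -> List[Tuple[str, int]]:
    """Accounts that asked for records they do not own, for review."""
    return [(acct, app_id) for kind, acct, app_id in AUDIT_LOG
            if kind == "denied" and acct is not None]


if __name__ == "__main__":
    early = date(2005, 3, 2)
    print("obscure, any caller, before release:", lookup_status_obscure(1001))
    print("secure, owner, before release:      ", lookup_status_secure("sess-alice", 1001, early))
    print("secure, other account:              ", lookup_status_secure("sess-bob", 1001, early))
    print("secure, released record:            ", lookup_status_secure("sess-carol", 1003, early))
    print("foreign-record attempts:            ", foreign_access_attempts())
```

The two checks are independent of whether the ID is hidden, guessable or public: even if every applicant knows the URL format and their own ID, the server only returns a decision to its owner, and only once the school's own calendar says so. The audit log is the detection side of the same control; a burst of denied lookups from one account is exactly the pattern the column's 119 applicants would have produced.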
[1] http://www.computerworld.com/securitytopics/security/story/0,10801,100206,00.html [2] http://www.computerworld.com/databasetopics/data/story/0,10801,100261,00.html [3] http://www.computerworld.com/securitytopics/security/story/0,10801,93215,00.html [4] http://www.computerworld.com/softwaretopics/os/story/0,10801,90200,00.html From isn at c4i.org Thu Jun 9 01:17:49 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jun 9 01:30:14 2005 Subject: [ISN] Security UPDATE -- Browser Security; More About Security Through Obscurity -- June 8, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems http://list.windowsitpro.com/t?ctl=BB46:4FB69 Avoiding Availability Pitfalls in Microsoft Exchange Environments http://list.windowsitpro.com/t?ctl=BB41:4FB69 ==================== 1. In Focus: Browser Security; More About Security Through Obscurity 2. Security News and Features - Recent Security Vulnerabilities - Does Web Browser Choice Affect Security? - Setting Up Windows Server Update Services 3. Security Toolkit - Security Matters Blog - FAQ 4. New and Improved - Keep Your Windows PC Secure ==================== ==== Sponsor: Raritan Computer ==== A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems In this free white paper learn how today's KVM and serial console control tools have evolved to meet the challenge of large, multiplatform, heterogeneous infrastructures data centers becoming ever more complex. Plus - discover the many benefits of integrated KVM and serial solutions, which include reduced downtime, mean-time-to-repair, lower costs and improved ROI. Download your copy now! 
http://list.windowsitpro.com/t?ctl=BB46:4FB69 ==================== ==== 1. In Focus: Browser Security; More About Security Through Obscurity ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net In a recent survey performed by Opera Software, approximately 32 percent of respondents had no idea whether the browser they choose affects their system's overall security (see the news item below). It's probably safe to assume that those people don't know how any application might affect their system's overall security. Some people might argue that using any browser other than Microsoft Internet Explorer (IE) is far safer. That might not be true depending on how someone uses IE. For example, if you load the latest patches, stay on top of the latest vulnerabilities and exploits, use add-on tools that increase security, and possibly modify certain registry settings, then IE can become much safer to use than it is in its default configuration. Plus, if you use Windows XP with Service Pack 2 (SP2), IE is much safer. If you subscribe to our WinInfo Daily UPDATE newsletter, you probably read last Friday's Short Takes edition in which Paul Thurrott mentioned that IE 7.0 is in development. It will undoubtedly be more secure than previous versions, but there's a catch: It will be available only for Windows XP and Windows Server 2003. At this time, it seems that Microsoft won't make the new browser version available for Windows 2000. Mainstream support for that OS ends June 30, but that doesn't mean that no security patches will be available. Since the company will provide free security patches until June 2010, I think we can assume that includes security patches for IE on Win2K. It's certainly possible to switch from IE to another browser on any Windows platform, but of course doing so presents problems because some application interfaces rely on the use of IE. 
This means that in many cases, you'll have to use two browsers, which isn't a big deal, but you do incur the added work of managing an additional application on your desktops. Last week, I wrote about security through obscurity. One reader wrote to say that in his opinion I completely missed the point of what the phrase "security through obscurity" really means. There's no sense arguing semantics. I'll just say that I was advocating adding as much security as possible even if the added amount is trivial. Another reader wrote with a comment that illustrates this point. He said that even though he knows a thief can quickly unlock his car door and steal the vehicle, he locks the car anyway. That about sums it up. However, there is the notion of cost, which I didn't cover last week. Some might argue that the cost of managing something like MAC address filtering on wireless Access Points (APs) is excessively expensive for the amount of security gained. This could be true depending on the size of your environment, the size of your budget and your ideas about where that money is best spent, and the manner in which you implement network management. Obviously, you have to decide that for yourself. A feature item below mentions a feature article about Windows Server Update Services (WSUS). You can read the complete feature article on our Web site and chat about WSUS with Doug Toombs today at 12 P.M. Eastern (9 A.M. Pacific). Learn more about the "WSUS Is Not for Wussies!" Web chat at http://list.windowsitpro.com/t?ctl=BB59:4FB69 ==================== ==== Sponsor: MessageOne ==== Avoiding Availability Pitfalls in Microsoft Exchange Environments When Microsoft Exchange is down, many businesses are down. Although many solutions are targeted at making Exchange email environments more reliable, a wide range of potential difficulties still lurk, waiting to interrupt service and, ultimately, your business. 
In this free white paper, discover the more common pitfalls that can lessen Exchange availability and the recommendations for what you can do to avoid the problem and better plan your Microsoft Exchange messaging environment. http://list.windowsitpro.com/t?ctl=BB41:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=BB4C:4FB69 Does Web Browser Choice Affect Security? A recent survey revealed that many people still don't realize how applications might affect overall system security. The survey revealed that 17 percent of respondents thought that the browser played no role in overall system security and 32 percent said they didn't know one way or the other. http://list.windowsitpro.com/t?ctl=BB4F:4FB69 Setting Up Windows Server Update Services Patch management is a headache for security administrators at most organizations. Windows Server Updates Services (WSUS) offers benefits for organizations of all sizes. In this article, John Howie walks you through the process of installing and configuring WSUS for your organization, obtaining updates, and configuring clients to use WSUS to obtain updates. http://list.windowsitpro.com/t?ctl=BB50:4FB69 ==================== ==== Resources and Events ==== Antispam product not working? Many email administrators are experiencing increased frustration with their current antispam products as they battle new and more dangerous email threats. In-house software, appliances, and even some services may no longer work effectively and require too much IT staff time to update and maintain or to satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users. 
http://list.windowsitpro.com/t?ctl=BB48:4FB69 Register For This Free Web Seminar--You Could Win a Windows IT Pro VIP Subscription! In this free Web seminar, learn what the most common fax messaging challenges encountered in the workforce are and solutions for how to turn these common fax "headaches" into cost-effective, easy-to-use, business communications. You'll also receive a free, industry white paper on fax deployment and integration techniques. Register now and you'll receive a 30-day software trial and a Starbucks gift card for attending! http://list.windowsitpro.com/t?ctl=BB45:4FB69 Diagnose and Resolve Performance Problems Maximizing application performance isn't easy, and database is only one component of today's complex, multi-tiered systems. In this free Essential Guide, learn how to follow a solid monitoring practice and troubleshoot issues before they get out of hand. You'll discover how you can ensure optimal SQL Server performance and satisfied users. http://list.windowsitpro.com/t?ctl=BB4B:4FB69 Get Ready for SQL Server 2005 Roadshow in Europe Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=BB49:4FB69 Recover Your Active Directory Get answers to all your Active Directory recovery questions here! Join industry guru Darren Mar-Elia in this free Web Seminar and discover how to use native recovery tools and methods, how to implement a lag site to delay replication, limitations to native recovery approaches and more. Learn how you can develop an effective AD backup strategy - Register today! 
http://list.windowsitpro.com/t?ctl=BB43:4FB69

====================

==== Featured White Paper ====

Antispam Product Not Working?
In-house software, appliances, and some services may no longer work effectively and require too much IT staff time to update and maintain or to satisfy the email security needs of different users. In this free white paper, learn how a managed service solution can lower overhead and administrative costs, get more flexible end-user controls, improve service and support, and more.
http://list.windowsitpro.com/t?ctl=BB42:4FB69

====================

==== Hot Release ====

Converting a Microsoft Access Application to Oracle HTML DB
Get the most efficient, scalable and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. You'll learn how to improve the original application by adding hit highlighting and an authorization scheme to provide access control to different types of users. Download this free white paper now!
http://list.windowsitpro.com/t?ctl=BB47:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: TCPDUMP for Windows
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=BB55:4FB69
If you've been looking for a Windows-based version of the popular tcpdump tool, MicroOLAP Technologies offers MicroOLAP TCPDUMP for Windows, which the company says reproduces all the features found in the original tcpdump for UNIX.
http://list.windowsitpro.com/t?ctl=BB4E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=BB52:4FB69
Q: How can I enable the List Object security option in Active Directory (AD)?
Find the answer at http://list.windowsitpro.com/t?ctl=BB51:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Keep Your Windows PC Secure
WinKeeper Professional 4.85 is the most recent version of a suite of 12 Windows security utilities from WinKeeper Software. Spyware Doctor detects and cleans spyware, adware, Trojan horses, keyloggers, spybots, and other malware that might be on your PC. Security Task Manager lets you examine the processes that run on your computer and ensure that there are no intruders. BHO Cleaner lets you easily control the browser helper objects that have been installed on your computer. Other suite utilities can help you clear your IE history file, erase files, and manage passwords. WinKeeper Professional 4.85 runs under Windows 98/Me/NT 4.0/2000/XP and costs $34.95 for a single-user license. For more information, go to
http://list.windowsitpro.com/t?ctl=BB5A:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Optimizing Disk-Based Backups for SMBs and Distributed Enterprises
Combine disk-based backup with automated backup technology. Download now!
http://list.windowsitpro.com/t?ctl=BB44:4FB69

Free Active Directory Recovery white paper
Recover data in minutes with Quest Recovery Manager for AD
http://list.windowsitpro.com/t?ctl=BB5B:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=BB56:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=BB4D:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.

From jericho at attrition.org Sun Jun 12 23:07:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Jun 12 23:08:28 2005
Subject: [ISN] Test post, please ignore!
Message-ID:

We are working on upgrading the mail software here for faster delivery, bear with any test messages you receive tonight. This is for your own good and William Knowles' sanity!
From isn at c4i.org Mon Jun 13 04:03:07 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:07:22 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-23
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-06-02 - 2005-06-09

This week : 52 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

The Mozilla Foundation has reintroduced the 7-year-old "Frame Injection" vulnerability in Mozilla, Firefox, and Camino.

More details, including a demonstration of the vulnerability can be found in the referenced Secunia advisories below.

Reference:
http://secunia.com/SA15601
http://secunia.com/SA15602

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts. Please refer to the grouped virus profiles below for more information:

TROJ_SMALL.AHE - MEDIUM RISK Virus Alert - 2005-06-03 11:58 GMT+1
http://secunia.com/virus_information/18574/trojsmall.ahe/

BOBAX.P - MEDIUM RISK Virus Alert - 2005-06-03 11:55 GMT+1
http://secunia.com/virus_information/18542/bobax.p/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
2. [SA11978] Multiple Browsers Frame Injection Vulnerability
3. [SA11966] Internet Explorer Frame Injection Vulnerability
4. [SA15602] Camino Frame Injection Vulnerability
5. [SA15605] Windows Remote Desktop Protocol Private Key Disclosure
6. [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
7. [SA15292] Mozilla Firefox Two Vulnerabilities
8. [SA15598] WebSphere Application Server Administrative Console Buffer Overflow
9. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
10. [SA15546] Microsoft Internet Explorer "window()" Denial of Service Weakness

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA15623] GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability
[SA15595] WWWeb Concepts Events System "password" SQL Injection
[SA15593] Liberum Help Desk "id" SQL Injection Vulnerability
[SA15592] LiteWeb Protected File Access Vulnerability
[SA15585] Crob FTP Server Buffer Overflow Vulnerabilities
[SA15605] Windows Remote Desktop Protocol Private Key Disclosure
[SA15618] Kaspersky Anti-Virus "klif.sys" Privilege Escalation Vulnerability

UNIX/Linux:
[SA15637] Red Hat update for xorg-x11
[SA15629] SUSE Updates for Multiple Packages
[SA15628] Conectiva update for gaim
[SA15625] SGI Advanced Linux Environment Multiple Updates
[SA15616] Conectiva update for ethereal
[SA15610] Debian update for mailutils
[SA15582] tattle "getemails()" Shell Command Injection Vulnerability
[SA15579] Conectiva update for php4
[SA15617] Conectiva update for krb5
[SA15611] Gentoo update for wordpress
[SA15609] Sun ONE Application Server Unspecified File Disclosure
[SA15607] Gentoo update for mailutils
[SA15602] Camino Frame Injection Vulnerability
[SA15588] GNU Mailutils "sql_escape_string()" SQL Injection Vulnerability
[SA15587] Avaya Various Products Kernel Vulnerabilities
[SA15624] Avaya CMS FTP Daemon Wildcard Denial of Service
[SA15620] UnixWare update for wu-ftp
[SA15614] Gentoo update for dzip
[SA15578] Conectiva update for gftp
[SA15621] UnixWare update for mysql
[SA15619] SGI IRIX rpc.mountd "read-mostly" Exports Read/Write Access
[SA15640] Red Hat update for kernel
[SA15638] Red Hat update for dbus
[SA15622] Mandriva update for a2ps
[SA15615] Backup Manager Exposure of Archive Repository
[SA15613] Sun Solaris Unspecified C Library Privilege Escalation
[SA15612] Mandriva update for openssl
[SA15580] Red Hat update for kdbg
[SA15581] Red Hat update for ImageMagick
[SA15604] GIPTables Firewall Insecure Temporary File Creation

Other:

Cross Platform:
[SA15603] FlatNuke Multiple Vulnerabilities
[SA15600] YaPiG Multiple Vulnerabilities
[SA15596] MWChat "CONFIG[MWCHAT_Libs]" File Inclusion Vulnerability
[SA15584] Popper "form" File Inclusion Vulnerability
[SA15626] Invision Community Blog Module Two Vulnerabilities
[SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
[SA15597] RakNet Empty UDP Datagram Denial of Service Vulnerability
[SA15586] phpCMS "language" Local File Inclusion Vulnerability
[SA15583] Exhibit Engine SQL Injection Vulnerability
[SA15598] WebSphere Application Server Administrative Console Buffer Overflow
[SA15599] Dzip Directory Traversal Vulnerability
[SA15594] CuteNews Template Creation PHP Code Execution Vulnerability
[SA15590] MediaWiki HTML Attributes Cross-Site Scripting Vulnerability
[SA15589] Lpanel Multiple Vulnerabilities
[SA15627] C-JDBC Exposure of Cached Results

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA15623] GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-06-08

Reed Arvin has reported a vulnerability in GoodTech SMTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15623/

--

[SA15595] WWWeb Concepts Events System "password" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-06

Romty has reported a vulnerability in WWWeb Concepts Events System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15595/

--

[SA15593] Liberum Help Desk "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-03

Dedi Dwianto has reported a vulnerability in Liberum Help Desk, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15593/

--

[SA15592] LiteWeb Protected File Access Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-06-03

Ziv Kamir has reported a vulnerability in LiteWeb, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15592/

--

[SA15585] Crob FTP Server Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-03

Leon Juranic has reported two vulnerabilities in Crob FTP Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15585/

--

[SA15605] Windows Remote Desktop Protocol Private Key Disclosure
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2005-06-06

Massimiliano Montoro has reported a security issue in Microsoft Windows, which can be exploited by malicious people to conduct MitM (Man-in-the-Middle) attacks.

Full Advisory:
http://secunia.com/advisories/15605/

--

[SA15618] Kaspersky Anti-Virus "klif.sys" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-08

Ilya Rabinovich has reported a vulnerability in Kaspersky Anti-Virus, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15618/

UNIX/Linux:--

[SA15637] Red Hat update for xorg-x11
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-09

Red Hat has issued an update for xorg-x11. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15637/

--

[SA15629] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Unknown, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-06-08

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges, by malicious users to conduct SQL injection attacks and by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15629/

--

[SA15628] Conectiva update for gaim
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-06-08

Conectiva has issued an update for gaim. This fixes a vulnerability and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15628/

--

[SA15625] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Privilege escalation, DoS, System access
Released: 2005-06-08

SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain knowledge of certain information or gain escalated privileges, or by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), potentially overwrite arbitrary files on a user's system or compromise it.

Full Advisory:
http://secunia.com/advisories/15625/

--

[SA15616] Conectiva update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-06-07

Conectiva has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15616/

--

[SA15610] Debian update for mailutils
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-06-06

Debian has issued an update for mailutils. This fixes some vulnerabilities, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15610/

--

[SA15582] tattle "getemails()" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-08

b0iler has reported a vulnerability in tattle, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15582/

--

[SA15579] Conectiva update for php4
Critical: Highly critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2005-06-01

Conectiva has issued an update for php4. This fixes some vulnerabilities, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15579/

--

[SA15617] Conectiva update for krb5
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-07

Conectiva has issued an update for krb5. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15617/

--

[SA15611] Gentoo update for wordpress
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-06-07

Gentoo has issued an update for wordpress. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15611/

--

[SA15609] Sun ONE Application Server Unspecified File Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-06-07

A vulnerability has been reported in Sun ONE Application Server, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15609/

--

[SA15607] Gentoo update for mailutils
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Security Bypass
Released: 2005-06-07

Gentoo has issued an update for mailutils. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15607/

--

[SA15602] Camino Frame Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-06-06

A seven-year-old vulnerability has been re-introduced in Camino, which can be exploited by malicious people to spoof the contents of web sites.

Full Advisory:
http://secunia.com/advisories/15602/

--

[SA15588] GNU Mailutils "sql_escape_string()" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-06-07

Primoz Bratanic has reported a vulnerability in GNU Mailutils, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15588/

--

[SA15587] Avaya Various Products Kernel Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-06-03

Avaya has acknowledged some vulnerabilities in various products, which can be exploited to disclose information, gain escalated privileges, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15587/

--

[SA15624] Avaya CMS FTP Daemon Wildcard Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-08

Avaya has acknowledged a vulnerability in Call Management System (CMS), which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15624/

--

[SA15620] UnixWare update for wu-ftp
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-08

SCO has issued an update for wu-ftp. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15620/

--

[SA15614] Gentoo update for dzip
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-07

Gentoo has issued an update for dzip. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15614/

--

[SA15578] Conectiva update for gftp
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-06-01

Conectiva has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.

Full Advisory:
http://secunia.com/advisories/15578/

--

[SA15621] UnixWare update for mysql
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-06-08

SCO has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15621/

--

[SA15619] SGI IRIX rpc.mountd "read-mostly" Exports Read/Write Access
Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-06-08

A security issue has been reported in SGI IRIX, which potentially can be exploited by malicious users to disclose and modify sensitive information.

Full Advisory:
http://secunia.com/advisories/15619/

--

[SA15640] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-06-09

Red Hat has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15640/

--

[SA15638] Red Hat update for dbus
Critical: Less critical
Where: Local system
Impact: Hijacking
Released: 2005-06-09

Red Hat has issued an update for dbus. This fixes a vulnerability, which can be exploited by malicious, local users to hijack a session bus.

Full Advisory:
http://secunia.com/advisories/15638/

--

[SA15622] Mandriva update for a2ps
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-08

Mandriva has issued an update for a2ps. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15622/

--

[SA15615] Backup Manager Exposure of Archive Repository
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-06-08

A security issue has been reported in Backup Manager, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/15615/

--

[SA15613] Sun Solaris Unspecified C Library Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-06

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15613/

--

[SA15612] Mandriva update for openssl
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-06-07

Mandriva has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15612/

--

[SA15580] Red Hat update for kdbg
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-03

Red Hat has issued an update for kdbg. This fixes an old vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15580/

--

[SA15581] Red Hat update for ImageMagick
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-02

Red Hat has issued an update for imagemagick. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15581/

--

[SA15604] GIPTables Firewall Insecure Temporary File Creation
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-06

Eric Romang has reported a vulnerability in GIPTables Firewall, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15604/

Other:

Cross Platform:--

[SA15603] FlatNuke Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2005-06-07

Some vulnerabilities have been reported in FlatNuke, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, disclose potentially sensitive information, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15603/

--

[SA15600] YaPiG Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2005-06-06

Some vulnerabilities have been reported in YaPiG, which can be exploited to remove or create arbitrary directories, conduct cross-site scripting attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15600/

--

[SA15596] MWChat "CONFIG[MWCHAT_Libs]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-03

Status-x has reported a vulnerability in MWChat, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15596/

--

[SA15584] Popper "form" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-03

Leon Juranic has reported a vulnerability in Popper, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15584/

--

[SA15626] Invision Community Blog Module Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-06-09

James Bercegay has reported two vulnerabilities in the Invision Community Blog module for Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15626/

--

[SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-06-06

A seven-year-old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.

Full Advisory:
http://secunia.com/advisories/15601/

--

[SA15597] RakNet Empty UDP Datagram Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-06-06

Luigi Auriemma has reported a vulnerability in RakNet, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15597/

--

[SA15586] phpCMS "language" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-06-03

Bernhard Müller has reported a vulnerability in phpCMS, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15586/

--

[SA15583] Exhibit Engine SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-03

sk0L has reported a vulnerability in Exhibit Engine, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15583/

--

[SA15598] WebSphere Application Server Administrative Console Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-06-03

Esteban Martínez Fayó has reported a vulnerability in IBM WebSphere Application Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15598/

--

[SA15599] Dzip Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-07

Stefan Cornelius has discovered a vulnerability in Dzip, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15599/

--

[SA15594] CuteNews Template Creation PHP Code Execution Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-03

John Cantu has reported a vulnerability in CuteNews, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15594/

--

[SA15590] MediaWiki HTML Attributes Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-06

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15590/

--

[SA15589] Lpanel Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2005-06-06

Zackarin Smitz has reported some vulnerabilities in Lpanel, which can be exploited by malicious users to disclose and manipulate sensitive information, and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15589/

--

[SA15627] C-JDBC Exposure of Cached Results
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2005-06-08

A security issue has been reported in C-JDBC, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/15627/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Jun 13 04:03:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:09:25 2005
Subject: [ISN] State's Web systems bogged down
Message-ID:

http://www.duluthsuperior.com/mld/duluthsuperior/news/local/11877088.htm

June 12, 2005
ASSOCIATED PRESS

ST. PAUL - The delivery of thousands of driver's licenses and state identification cards was delayed recently and the state's vehicle registration Web site was suspended because of insecure Web pages and the limitations of an old computer system.

As the Department of Public Safety works to bring its vehicle registration site back online, the Star Tribune of Minneapolis learned that other state agency Web sites may be vulnerable to computer hackers, including the Department of Transportation, the Board of Accountancy and the Health Professionals Services Program.

Officials from the health program, which helps doctors and health workers who have problems with drugs, alcohol and mental or physical ailments, received an e-mail saying their Web site was being used to corrupt another computer system, said Monica Feider, manager of the program. A computer security company determined that a hacker had hijacked the program's Web site and gained access to its case management database.

Feider disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals.

"The case management system database includes private and public information about you," she wrote. "The security company believes that the primary purpose of the attack was most likely to use our system to launch additional attacks against other organizations. The security company also reported that the breach may have been used to seek data for the purpose of identity theft."

The database includes names, addresses, dates of birth and illnesses of the health workers. It also includes names and phone numbers of people who referred them to the program.

"We don't know that any personal data was accessed. That's the most frustrating piece," she said. "If we could have ruled that out we wouldn't have had to send the letter. But because we couldn't say for certain, we decided to err on the side of caution."

At the Board of Accountancy, a hacker forced a weeklong suspension of the online renewal system earlier this year. Forensic computer investigators determined the hacker didn't gain access to private data because it was stored on a separate server, said Doreen Johnson Frost, the board's executive director.

At the Department of Transportation, a Web site that takes license plate and credit card information of motorists seeking passes to drive in freeway fast lanes had offered applications through an online link that was not secure. As many as 1,500 motorists were believed to have used the MnDOT site in April while it had an unsecured link, but it's unclear how many entered credit card data through that link or through other secured links.

From isn at c4i.org Mon Jun 13 04:04:06 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:09:43 2005
Subject: [ISN] Linux Advisory Watch - June 10th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 10th, 2005                           Volume 6, Number 23a     |
+---------------------------------------------------------------------+

Editors:    Dave Wreski                     Benjamin D. Thomas
            dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for krb4, mailutils, traversal, Wordpress, SilverCity, kdbg, ImageMagick, openssh, dbus, rsh, and the Red Hat kernel. The distributors include Debian, Gentoo, and Red Hat.

---

Business Case for Security
By: Benjamin D. Thomas

Establishing a business case is perhaps the first phase in any project initiation. Organizations that are successful maintain full justification for all business expenditure. An information security project is no different. An effective information security program requires visible support from executive management. To gain support, a persuasive business case is often necessary. An information security program will have numerous tangible and intangible benefits to any organization. It is the role of a business case to document these.

To build a persuasive case for information security, it is important for practitioners "to become more managerial in outlook, speech, and perspectives." (Information Security Management Handbook, 4th Edition, Volume 2.) Stressing the technical benefits of information security is no longer sufficient because of the size and expenditure of information security programs. When making a case for information security, an emphasis should be placed on how proactive security mechanisms ensure that senior management will not be held liable for negligence. As IT has become more prominent in organizations, so have compliance and regulatory requirements.

Today, senior management personnel are expected to demonstrate due care and due diligence in relation to information security. With this, information security must become an essential aspect of management. Addressing the overall benefits of information security is important as well. A business case should stress how information security can become a business enabler. It can be a company differentiator by offering increased levels of customer satisfaction and contributing overall to total quality management. Information security also provides a means to guard against unauthorized behavior. Often, trusting that internal employees will "do the right thing" is not enough. Information security related business cases should be written in a way that emphasizes all benefits of information security.

----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment.
http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security.
Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.
http://www.linuxsecurity.com/content/view/118106/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            |
+---------------------------------+

* Debian: New krb4 packages fix arbitrary code execution
2nd, June, 2005
Updated package.
http://www.linuxsecurity.com/content/view/119241

* Debian: New mailutils packages fix several vulnerabilities
3rd, June, 2005
Updated package.
http://www.linuxsecurity.com/content/view/119249

+---------------------------------+
| Distribution: Gentoo            |
+---------------------------------+

* Gentoo: Mailutils SQL Injection
6th, June, 2005
GNU Mailutils is vulnerable to SQL command injection attacks.
http://www.linuxsecurity.com/content/view/119254

* Gentoo: Dzip Directory traversal vulnerability
6th, June, 2005
Dzip is vulnerable to a directory traversal attack.
http://www.linuxsecurity.com/content/view/119255

* Gentoo: Wordpress Multiple vulnerabilities
6th, June, 2005
Wordpress contains SQL injection and XSS vulnerabilities.
http://www.linuxsecurity.com/content/view/119257

* Gentoo: SilverCity Insecure file permissions
8th, June, 2005
Executable files with insecure permissions can be modified, causing an unsuspecting user to run arbitrary code.
http://www.linuxsecurity.com/content/view/119267

+---------------------------------+
| Distribution: Red Hat           |
+---------------------------------+

* RedHat: Low: kdbg security update
2nd, June, 2005
An updated kdbg package that fixes a minor security issue is now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119242

* RedHat: Moderate: ImageMagick security update
2nd, June, 2005
Updated ImageMagick packages that fix a denial of service issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119243

* RedHat: Low: openssh security update
2nd, June, 2005
Updated openssh packages that fix a potential security vulnerability and various other bugs are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119244

* RedHat: Low: dbus security update
8th, June, 2005
Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119269

* RedHat: Low: rsh security update
8th, June, 2005
Updated rsh packages that fix various bugs and a theoretical security issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119270

* RedHat: Moderate: xorg-x11 security update
8th, June, 2005
Updated xorg-x11 packages that fix a security issue as well as various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/119271

* RedHat: Updated kernel packages available for Red Hat
8th, June, 2005
Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the first regular update.
http://www.linuxsecurity.com/content/view/119272

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 13 04:02:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:09:54 2005
Subject: [ISN] Crying wolf or calling it as it is?
Message-ID:

http://www.theage.com.au/articles/2005/06/13/1118514962314.html

By Sam Varghese
June 13, 2005

Tech research firm Gartner's recent advice [1] not to overhype security threats seems to contradict its track record, well-known security researcher Brian Martin says.

Gartner was now dismissing "cyber-terrorism" as a theory, in contrast to a January 2004 statement [2] that "cyber-warfare is a potential catastrophe that the US and other nations must be prepared to combat," Martin said in a posting [3] to the InfoSec News mailing list [4].

He said Gartner's principal research analyst Lawrence Orans and vice-president John Pescatore had told the company's recent IT security summit "not to waste time or money on products they don't need to meet federal regulations and protect against malware on mobile devices."

Mr Martin - better known as "Jericho" in the security community - wrote in response: "If I am reading this right, Gartner says don't buy products/services that are not needed to meet federal regulations? Because federal regulations like HIPAA and SOX make systems secure?"
The Gartner staffers reportedly told the Washington audience that industry and the media had overhyped the dangers of eavesdropping on VoIP telephones. Mr Martin pointed to a January 2004 study [5] by the company which said that VoIP was opening new channels for nations and terrorists to engage in cyber-warfare. He said that while this was not specific to VoIP and eavesdropping, Gartner had earlier stated [6] that deploying VoIP could be a big blow to security.

Gartner has claimed that for at least two more years, viruses and other malware used against wireless mobile devices would not cost more than anti-virus protections. But Gartner also predicted [7] in January that by 2008, the technological differences between PCs, mobile devices, e-books, TVs and cellular phones would be eradicated.

"So if mobile devices are essentially becoming the same as any other PC, and personal firewalls are key to protecting these devices, doesn't that suggest the next big worm could cause just as much damage to mobile devices as PCs?" Martin said.

He also pointed to confusion over wireless hot spots. At the Washington summit, Gartner had said the belief that hot spots were unsafe was a myth; Orans was quoted as saying that "the threat of 'evil twins' setting up rogue access points to fool unsuspecting internet users into thinking they are on real sites and then divulging confidential information was a red herring".

Mr Martin said Gartner's vice-president of mobile computing, Ken Dulaney, had said exactly the opposite [8] in January this year.
-=-

[1] http://www.fcw.com/article89119-06-07-05-Web
[2] http://www.securitypipeline.com/news/showArticle.jhtml%3Bjsessionid=OB5UFEWRASQTMQSNDBGCKHQ?articleId=17301712
[3] http://lists.jammed.com/ISN/2005/06/0016.html
[4] http://www.infosecnews.org
[5] http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1020417,00.html
[6] http://www.silicon.com/research/specialreports/voip/0,3800004463,39129635,00.htm
[7] http://www.itwales.com/998551.htm
[8] http://www.macnewsworld.com/story/39872.html

From isn at c4i.org Mon Jun 13 04:03:16 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:10:18 2005
Subject: [ISN] Insecurity through obscurity
Message-ID:

Forwarded from: Phil Hollows

I can't claim to be familiar with Kerckhoffs' law - although it seems like common sense when planning to defend a security system - but I think the author here is stretching the point when it comes to security through obscurity.

> Lessons learned
>
> First of all, ApplyYourself.com's method of hiding the admission
> status from the applicants was a great example of security through
> obscurity. In order to obtain the status early, the users took
> information that was readily available to them, modified the URL in
> their browsers and got access to their own admission status.

This isn't security through obscurity, it's just thoughtless application design. "Hiding" the session key in a hidden field is merely a way to track state without it getting in the way of the user. The fact that fields / parameters that enabled users to get at (somewhat) privileged information were easily guessed is the *opposite* of security through obscurity. An obscure value would not have been guessable by the student. The writer confuses hiding application data for usability purposes with hiding it for security purposes.

There was little secure about this app. In fact, my recollection is that the user could only look at their own data. The app itself seems to have been secure enough to prevent a visitor using this technique to look at someone else's data, which would have been much more serious. Didn't mention that in the article, of course, because that would spoil the premise.

> There are at least two major mistakes here. First, ApplyYourself.com
> hid an ID field that users were not supposed to see in the Web page
> source. This ID was then used to construct the URL that would give
> the user the admission status.

A session or user variable. What were they thinking? Would the author prefer it to have been a cookie to make it a teensy bit harder? How would he like them to track state?

> Second, ApplyYourself.com assumed that users would not have
> knowledge of the URL that would provide the status. However, anyone
> who applied to these schools through ApplyYourself.com would have
> seen the URL, and would have known what the URL looked like, as well
> as the parameters required to construct the URL. Given that this URL
> was provided to previous applicants, current applicants could easily
> obtain it by simply asking.

I think the assumption here seems to be second guessing by the author of the developers' intent (and yes, this is also an assumption, so I'm equally guilty of the same sin). I think this is a fair assumption because the developers of the app aren't actually quoted in this "analysis." And if anyone can guess the URL, it's hardly obscure, is it? I mean, if you want to write an article about using obscurity or camouflage as a technique, fine. Just that this case isn't one of them.

> These two grave mistakes left ApplyYourself.com scrambling to patch
> the security holes.

Their assumption was that nobody would guess the URLs. Yup, security hole. Poor application design, careless QA. Problem with security thru obscurity? Nope.

> Another good example of security through obscurity was demonstrated
> when hackers compromised Cisco Systems Inc.'s corporate network and
> stole more than 800MB of source code (see story)[3]. This incident
> caused quite a stir in the IT community, since Cisco's routers are
> responsible for managing a majority of the Internet traffic. Any
> security issues in the source code could become public. The
> publication of these security vulnerabilities -- still a possibility
> -- has the definite potential of causing major havoc on the
> Internet, possibly bringing it down on its knees.

And the reason why this is a security thru obscurity problem is ... errm ... well, we'll get back to you on that one as the author of this piece doesn't actually tell us. I guess I'll trust him on that one. (not).

> Microsoft Corp. has also experienced similar embarrassing incidents.
> In February 2004, portions of the source code for the Microsoft
> Windows NT and Windows 2000 operating systems were leaked (see
> story)[4]. The leaked source code could potentially allow hackers
> to identify security vulnerabilities in the Windows operating
> systems. Given the popularity of Windows in both consumer and
> corporate environments, this leak could be devastating to the whole
> Internet community.

Oh, wait. Now I get it. Having the source code for the products is a de facto failure of security through obscurity. Of course! Obvious, really. We should all stop compiling and linking code and use interpreters instead, because going to machine code is clearly a poor attempt at security through obscurity. Then we'll be more secure.

No mention of how the source code repositories were actually protected, nor of what systems or processes or policies failed that allowed the source code to be accessed. If there were security through obscurity failures here, that would be an interesting topic.

> All these examples demonstrate the danger of the
> security-through-obscurity premise.

No, they don't. There are no demonstrations of security through obscurity in this article, successful or otherwise.

> There are many articles, books and seminars on this topic. Companies
> and software developers need to start with Kerckhoffs' law, assume
> that the algorithm and design of the software are known, and design
> security into the products and software in the beginning instead of
> retrofitting or patching security holes later.

True. What a shame this conclusion has nothing to do with the paragraphs above it, nor a debate around security through obscurity's valid place (or otherwise) in a comprehensive layered defense architecture, nor about the challenges of designing, writing and testing secure code.

Phil
www.openservice.com

From isn at c4i.org Mon Jun 13 04:03:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:10:37 2005
Subject: [ISN] Trojan horse exec falls two flights
Message-ID:

http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/ShowFull&cid=1118197312211

By YAAKOV KATZ
Jun. 8, 2005

Yitzhak Rath, CEO of the Modi'in Ezrahi [1] private investigation firm, arrested two weeks ago in connection with the Trojan horse virus industrial espionage affair, fell over the second floor railing in the stairwell at the Hayarkon Police Station in Tel Aviv on Wednesday.

Rath was hospitalized in Ichilov Hospital in Tel Aviv in serious and unstable condition. Deputy Tel Aviv police chief Lt.-Cmdr. Dani Hen appointed a senior officer to investigate the incident.

Police said that while it appeared Rath - following an interrogation session with Fraud Squad investigators - jumped out of the window to commit suicide, other possibilities were also being investigated.

Rath was arrested two weeks ago on suspicion his private investigation firm planted a Trojan horse virus inside the computers of his clients' competitors to steal classified commercial information.
The Trojan horse affair has implicated a number of leading companies in the country's largest-ever industrial espionage affair. Senior managers from leading companies, including Bezeq subsidiaries Yes and Pelephone and competing telecommunications giant Cellcom, were arrested for allegedly using the virus to obtain classified information from their competitors. Other companies accused were Meir Car Imports (importers of Volvo and Honda) and the Tami-4 mineral water retailer.

Rath's company was one of several PI firms which allegedly purchased the virus from Michael Haephrati - an Israeli living in London and currently facing extradition to Israel - which they used to spy on their clients' competitors.

Rath's attorney, Zion Amir, said Wednesday that if police determined his client tried committing suicide he would not be surprised. "This is a very serious matter," Amir said. "It makes no sense that police have been keeping him in custody for 18 days on suspicion he may have worked together with Haephrati. Under these circumstances it comes as no surprise that someone might commit suicide."

[1] http://www.mei.co.il/english/about.html

From isn at c4i.org Mon Jun 13 04:03:42 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 13 04:11:03 2005
Subject: [ISN] Security guidelines for U.S. agencies due in July
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102409,00.html

By Jaikumar Vijayan
JUNE 10, 2005
COMPUTERWORLD

The National Institute of Standards and Technology (NIST) will soon begin releasing formal guidelines federal agencies can use to assess their compliance with a set of mandatory information security rules due to take effect early next year.

The assessment guidelines, to be released in NIST Special Publication 800-53A early next month, are designed to enable periodic testing and evaluation of the security controls federal agencies need to put in place, said Ron Ross, project leader of NIST's Federal Information Security Management Act (FISMA) Implementation Project.

The mandatory security rules themselves were released in February in a separate NIST document, called Special Publication 800-53 (download PDF) [1]. That document details the baseline security controls for different categories of federal information management systems. The security rules cover 17 different areas, including access control, incident response, business continuity and disaster recoverability, and will become a required Federal Information Processing Standard by year's end for all federal systems except those related to national security.

The guidelines are designed to allow federal agencies to assess "if mandated controls have been implemented correctly, are operating as intended and are ... meeting the organization's security requirements," Ross said.

The NIST assessment guidelines are "very closely aligned" to SP 800-53, Ross said. The first draft will detail assessment procedures for five of the 17 security controls described in the February document but will eventually include guidelines for all the rules. Every security control mandated in SP 800-53 will have an associated assessment method and procedure, Ross said. For example, a security requirement that federal agencies have formal information back-up processes will have an associated procedure describing how compliance can be evaluated, Ross said.

The guide can be used for agency self-assessments, by certification agents and auditors to do independent testing and even by IT systems developers, according to Ross.

"The goal of 800-53A is right on target," said Alan Paller, director of research at the SANS Institute, a Washington-based security information center. Too often, a lack of clear guidelines leads to situations where mandated security controls are interpreted in different ways, Paller said. "The greatest mistake is when people write what needs to be done but not how it needs to be done," he said.

How effective the guidelines will be depends on how much detail they provide to information security assessors, Paller said. "If it was written by people who have really protected systems and cleaned up after attacks, it is likely to provide what is absolutely needed," he said. On the other hand, if the document was crafted by "policy people" with little hands-on experience, it may not be of much practical value, he said.

While such assessment guides can be useful, "if a lot of the underpinning details are not addressed it can give a false sense of compliance," said Will Ozier, president of OPA Inc., a Vacaville, Calif.-based risk management consultancy.

[1] http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf

From isn at c4i.org Tue Jun 14 12:47:29 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 14 12:50:36 2005
Subject: [ISN] Linux Security Week - June 13th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| June 13th, 2005                            Volume 6, Number 25n     |
|                                                                     |
| Editorial Team: Dave Wreski          dave@linuxsecurity.com         |
|                 Benjamin D. Thomas   ben@linuxsecurity.com          |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "The meagre living of Linux virus writers," "Integrating and securing Linux without a silver bullet," and "Cracking WEP in 10 minutes."
---

LINUX ADVISORY WATCH

This week, advisories were released for krb4, mailutils, traversal, Wordpress, SilverCity, kdbg, ImageMagick, openssh, dbus, rsh, and the Red Hat kernel. The distributors include Debian, Gentoo, and Red Hat.
http://www.linuxsecurity.com/content/view/119280/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.
http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.
http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple.
http://www.linuxsecurity.com/content/view/118181/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Talking with Richard Stallman
12th, June, 2005
Let's start. Can you explain to our readers why you started with FSF in 1984? What did you need it for? Why did you create it?
What I started in 1984 was the development of the GNU operating system. All the operating systems for modern computers of the day were proprietary; users were forbidden to share them, and could not get the source code to change them. The only way to use computers in freedom was to replace those systems with a free operating system. That's what GNU was meant to do. The Free Software Foundation was started in late 1985 to raise funds for GNU development, and more generally to promote free software.
http://www.linuxsecurity.com/content/view/119289

* How well do you know your partner?
7th, June, 2005
For those of you who follow the news, you may have read the recent story of spy software discovered at some of Israel's leading companies which reads just like the spy stories we've been reading for years.
http://www.linuxsecurity.com/content/view/119259

* Debian released without security update feature
8th, June, 2005
A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released.
http://www.linuxsecurity.com/content/view/119266

* The meagre living of Linux virus writers
9th, June, 2005
According to anti-virus firm Trend Micro, the number of Linux viruses in the wild has not changed dramatically for two years, but its figure of 500 dangerous and exploitative programs dashing around the Internet seeking unprotected systems is cause for concern, until you look closer at the reasoning.
http://www.linuxsecurity.com/content/view/119274

* Attack Trends: 2004 and 2005
7th, June, 2005
Counterpane Internet Security, Inc., monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security "tickets." What follows is an overview of what's happening on the Internet right now, and what we expect to happen in the coming months.
http://www.linuxsecurity.com/content/view/119260

* Analysts say 'cloudy' forecast is OK
7th, June, 2005
The network security forecast is cloudy, and that's not a bad thing if you're to believe what analysts are saying at this week's Gartner IT Security Summit.
http://www.linuxsecurity.com/content/view/119261

* What to ask when evaluating intrusion-prevention systems
8th, June, 2005
An intrusion-prevention system (IPS) is part of an overall security strategy to protect your network from attack. The IPS literally prevents an attack by blocking bad stuff, such as viruses or malformed packets, from getting into the company network.
http://www.linuxsecurity.com/content/view/119268

* Secure Mac and Linux authentication
8th, June, 2005
CryptoCard (.com) makes a variety of secure authentication and ID management tools, and they just released support for OS X Tiger (they already did Panther). For the rest of you PC alternative fans, Linux support includes Red Hat, SuSE, and an easy compile option for Debian.
http://www.linuxsecurity.com/content/view/119265

* Integrating and securing Linux without a silver bullet
10th, June, 2005
The difficulty in integrating Linux with legacy systems and securing IT systems are two of IT managers' most common complaints about Linux, says Peter Harrison, who canvassed many IT pros while writing The Linux Quick Fix Notebook, a new book from Prentice Hall PTR. In this tip, Harrison doesn't offer a quick fix, but he does offer sage advice about security and integration.
http://www.linuxsecurity.com/content/view/119281

* Has Ransomware Learned from Cryptovirology?
6th, June, 2005
A secure cryptovirus, cryptotrojan or cryptoworm contains a payload that activates under a particular circumstance. When it activates, it generates a random symmetric key and encrypts the victim's files with it. This key is then encrypted in turn with the attacker's public key to produce an asymmetric ciphertext.
http://www.linuxsecurity.com/content/view/119253

* Insecurity through obscurity
9th, June, 2005
Security through obscurity is probably one of the oldest tricks in the security book. The basic premise stems from the fact that people are trying to ensure security by hiding certain facts of their software or architecture design from regular users. This is equivalent to someone hiding a house key under a pot of plants in front of his house.
http://www.linuxsecurity.com/content/view/119275

* Gartner IDs 'Over-Hyped' Security Threats
9th, June, 2005
Over-hyped security threats have made companies unnecessarily hesitant to roll out new technologies, such as Internet telephony and wireless networks, a research firm said Wednesday.
http://www.linuxsecurity.com/content/view/119276

* A Tale of Two Hackers
6th, June, 2005
Lapping up the sunshine here outside a downtown cafe, Kevin Mitnick is apprehensive. He never asked to be the world's most high-profile convicted computer criminal, he says, and he's sick of media interviews dwelling on his criminal past.
http://www.linuxsecurity.com/content/view/119252

* Israel espionage case points to new Net threat
10th, June, 2005
Executives of top telecom firms accused of spying on each other. A jealous ex-husband suspected of monitoring his former in-laws. Private investigators implicated in computer-hacking-for-hire; one now involved in a possible attempted suicide. So much bad publicity, government officials worry it might impact the entire nation's economy.
http://www.linuxsecurity.com/content/view/119282

* Cracking WEP in 10 minutes
8th, June, 2005
Yesterday I started noticing referral traffic from myscreencast.com, a phpbb-based community site for finding and sharing screencasts. The most entertaining one I found is called Cracking WEP in 10 minutes. It was produced with Camtasia, but the action takes place in Whoppix, which describes itself thusly.
http://www.linuxsecurity.com/content/view/119273

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jun 14 12:48:18 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 14 12:50:49 2005
Subject: [ISN] The High Costs of Hacking
Message-ID:

http://www.cio.com/archive/061505/tl_security.html

BY MICHAEL JACKMAN
June 15, 2005
CIO Magazine

One fixture of computer break-in stories is the estimated cost of these crimes. The price often runs as high as seven figures, totals hard to ken for merely pilfering the digits out of a few boxes of metal, plastic and silicon. One source of these high figures is the Department of Justice.
Last year, the agency reported that a one-night hacking spree by a disgruntled ex-employee set back Cyber City, a computer network consultancy, more than $100,000 - and that Acxiom, a data broker, spent more than $7 million to repair 139 remote attacks against its database by a hacker in Boca Raton, Fla. Warehouses have burned to cinders, and the damage has been valued at less.

So are these figures hype? While it's true that not all network mischief comes at such a high price, John Sgromolo, lead investigator for digital forensics at Verizon Communications and a former special agent with the United States Naval Criminal Investigative Service, says that such large sums are the real deal. More or less.

Consider cases in which a hacker brings down a server that's used for selling products. "If you're averaging $3,000 an hour on this server, that's not hard to figure out based on how many hours it was down," Sgromolo says. Then there's the cost of replacing damaged equipment and the hours spent on repairs, installation and recovery. Nevertheless, he admits, these estimates "are fueled by another concern: criminal prosecution, including amounts for fines and restitution." Prosecutors tend to aim high, he says, while defendants argue for dismissing some of the costs.

Even crimes that don't result in lost revenue can rack up significant bills. According to The Associated Press, the University of Texas spent $167,000 to mop up the mess presumably left by one of its former students, Christopher Andrew Phillips, who was indicted last November for breaking into UT's student records early in 2003. Phillips allegedly hauled off the identities of more than 37,000 students, faculty and staff. Student records may not have a lot of financial value, Sgromolo explains, but those records may need to be recreated. In addition, the university may have had to hustle to inform the victims, possibly requiring extra staff and overtime charges. UT officials weren't available for comment.
In sum, there can be more value floating around inside those Internet-wired boxes than in a Brink's safe. Therefore, it's more important than ever for businesses to make sure their digital property is locked up tight.

From isn at c4i.org Tue Jun 14 12:46:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 14 12:51:02 2005
Subject: [ISN] Motorola downplays data security breach
Message-ID:

http://www.theregister.co.uk/2005/06/13/motorola_worker_data_security_breach/

By John Leyden
13th June 2005

A pair of computers containing personal information on Motorola workers stolen from the office of a third party contractor has sparked a minor security flap.

The theft from the Chicago-area offices of human resources outsourcing firm Affiliated Computer Services resulted in the disclosure of the names and social security numbers - but not financial information - of an unspecified number of Motorola staffers.

"All employees were notified, but to this date there is no indication that any personal information has been compromised," ACS' chief marketing officer, Lesley Pool told Reuters. "It is clear that it was just an amateur burglary."

Police are investigating the break-in which happened on the Memorial Day (US Bank Holiday) weekend of 28-30 May. ACS won a $650m 10-year contract to manage Motorola's human resources system in December 2002.

Motorola has notified potentially affected staff by email. These workers are mainly based in the US and will be offered fraud insurance coverage at no charge. Motorola spokeswoman Jennifer Weyrauch said that no financial information was on the computers, adding that security safeguards used on the computers would make it difficult for thieves to swipe any information. Weyrauch declined to say whether the break-in would affect Motorola's relationship with ACS.
The mobile phone and network equipment manufacturer is the latest in a growing list of firms affected by either customer or employee security breaches including Citigroup, MCI, ChoicePoint and Reed Elsevier.

From isn at c4i.org Tue Jun 14 12:47:08 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 14 12:51:29 2005
Subject: [ISN] reconsidering physical security: pod slurping
Message-ID:

Forwarded from: Abe Usher

pod slurping
------------

I've written a report that explores an idea that has been known by the security community for decades: physical security is important to information system security.

A year ago a report was published by the Gartner Group warning that iPods (and other multi-gigabyte portable storage devices) pose a security risk for enterprises. I've created an application (*slurp.exe*) that demonstrates this concept. When the program is run from an iPod, it can __very__quickly__ copy thousands of interesting files* from a PC to an iPod.

The full article and proof-of-concept application are available at:
http://www.sharp-ideas.net

Cheers,
Abe Usher, CISSP

* Office documents, *.pdf, *.xml, *.dbf, *.log, *.dat, *.txt, *.csv, *.htm, *.url, et cetera

From isn at c4i.org Tue Jun 14 12:48:42 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 14 12:52:54 2005
Subject: [ISN] GAO: Feds miss mark on security reporting
Message-ID:

http://www.fcw.com/article89234-06-13-05-Web

By Florence Olsen
June 13, 2005

Federal agencies need more detailed instructions to handle and report computer security threats, such as phishing, spyware and hacking, government auditors said in a report released today.

Government Accountability Office auditors have found that most federal officials do not understand which computer security incidents they should report or how and to whom they should report them, even though such reporting is mandatory under the Federal Information Security Management Act. As a result, the Homeland Security Department's U.S. Computer Emergency Readiness Team, which handles incident reporting, is unable to coordinate and respond to cyberthreats that target multiple federal agencies.

To remedy the lack of accurate and comprehensive reporting, the auditors recommended that Office of Management and Budget officials increase their oversight of agencies' efforts to detect, report and respond to emerging cybersecurity threats. The report identifies the perpetrators of such threats as hackers, insiders, phishers, spammers and botnet operators. Botnet operators control computers infected with "bot" viruses, which the operators use in denial-of-service attacks against targeted Web sites.

The auditors also asked OMB officials, in coordination with DHS cybersecurity experts and the U.S. attorney general, to develop governmentwide guidelines on how to deal with such threats and how to report them to DHS and law enforcement agencies.

In their response to the report, OMB officials agreed to expand their FISMA reporting requirements to include agencies' response to emerging threats. They also plan to issue a document this summer that will define computer incident terms and clarify the roles and responsibilities of federal agencies for reporting computer security incidents.

The additional guidelines are needed, the auditors said, because most agencies have not fully addressed the risks of new cybersecurity threats as part of their agencywide information security programs.

From isn at c4i.org Wed Jun 15 02:02:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:08:30 2005
Subject: [ISN] Hackers took data, Medica alleges
Message-ID:

http://www.startribune.com/stories/462/5457557.html

Glenn Howatt
Star Tribune
June 15, 2005

Computer hackers twice stole sensitive and confidential data from Medica Health Plans computers in January and shut down parts of the company's computer system on four other occasions.
The intruders downloaded the digital equivalent of a 140,000-page Microsoft Word document, Medica said in court papers, but the Minnetonka-based health plan was unable to determine what had been taken.

In April, Medica obtained federal court orders against two former employees that it suspected of committing the security breaches. The orders required them to provide an accounting of the downloaded data and to turn over their personal computers for an inspection.

Both defendants deny that they had violated Medica policies, as well as a federal law that prohibits the unauthorized use of electronic data. Medica has not referred the case to federal officials for prosecution, and the workers have not been charged with a crime.

A Medica official said this week that it was unlikely that personal information about Medica's 1.2 million members had fallen into the wrong hands but that its investigation is continuing. The intruders seemed most concerned about company trade secrets and employee evaluations, a spokesman said.

Health plans like Medica store the same types of sensitive private information that would be sought after by identity thieves: Social Security numbers, addresses, birth dates, employment information and names of relatives.

Recent security breaches at the data giants LexisNexis and ChoicePoint, where sensitive personal information was lost to hackers or deceptions, as well as the loss of Bank of America data tapes containing personal financial information, are reigniting concerns about how to improve privacy protections.

"Most of us in health care organizations have a tremendous amount of data," said Carol Quinsey of the American Health Information Management Association, which helps companies take data security measures.

"It is bad enough that the health plan's security was breached," Quinsey said. "The next worse scenario would be if the [perpetrators] would use that data in a nefarious way and perpetuate identity theft."
Medica spokesman Larry Bussey said that the health plan has no evidence that any of the information taken from its computers had yet been misused.

"We believe that our system is very secure. We've never had any external break-in to the system," he said.

Instead, according to Medica, two computer system employees conspired to disrupt Medica's system and to access confidential information.

The employees, Austin Vhason and Pushpa Leadholm, were two of the six employees who had the power to set computer passwords, according to court documents. The two used this access to give extraordinary powers to computer log-ons used for training purposes, and they also created fake log-ons -- including one that was constructed from the backward spelling of "goddess," the documents said.

Between them, the documents said, the employees used these accounts to download data, to cause some parts of the computer system to crash and to delete e-mail accounts of executives.

They made copies of e-mails that contained reports from the chief executive to the board, performance reviews of information-systems personnel and communications to Medica's attorneys about ongoing lawsuits, the documents said. They also read e-mails about the company's investigation into the security breaches, using that information to cover their own tracks, according to the documents.

"We do background checks on employees that have this level of access," Bussey said. "One thing you can't control for is someone abusing the trust you've placed in them."

After hiring an outside computer forensics expert, Medica officials tracked much of this activity to the homes of the two employees, who accessed the system through their cable modems.

Medica placed both employees on paid suspension in February and later fired them. Both workers deny that they have done anything improper and allege that Medica filed the lawsuit to retaliate against them.
Both employees had filed complaints that they were discriminated against because they were minority members.

"My client feels that Medica was not providing the same opportunities to minorities as it was to Caucasians," Ryan Pacyga, the attorney representing Vhason, said Tuesday.

Both employees had talked to the federal Equal Employment Opportunity Commission and a formal complaint was filed on March 31, according to attorney James Behrenbrinker, who represents Leadholm.

"There is a claim alleging discrimination of race in national origin and retaliation," he said Tuesday. They cannot sue Medica for discrimination until federal authorities rule on the merits of their complaints, he said.

"My client voluntarily turned over her computers" for inspection by Medica, he added. "Mrs. Leadholm wanted to cooperate and wanted to show them that she didn't do anything wrong. This is a bad deal for her."

Medica spokesman Bussey said he would not comment on the discrimination charges.

He said Medica stores data on several computer systems. The ones that were inappropriately accessed stored business information. Still, those computers contained data that Medica deemed sensitive and confidential.

"They seemed to be more interested in business information," Bussey said. "They didn't seem to be even trying to get into places where member information would be stored."

Computer security consultant Quinsey said there's only so much that a company can do to protect data from wayward employees.

"What prudent employers have always done is have clear policies in place that say if employees abuse, then litigation will be filed and you will be appropriately challenged," she said.

Although Medica has obtained court orders barring Vhason and Leadholm from disseminating any data they might have downloaded, a trial to determine whether they had acted improperly is pending while attorneys from both sides gather more information.
From isn at c4i.org Wed Jun 15 02:03:47 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:09:18 2005
Subject: [ISN] GAO: Agencies not adequately addressing emerging cybersecurity threats
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/vol1_no1/daily-updates/36080-1.html

By William Jackson
GCN Staff
06/14/05

Federal cybersecurity programs run the risk of becoming static and unresponsive in the face of emerging threats, according to the findings of a study by the Government Accountability Office.

The study [1], titled "Emerging Cybersecurity Issues Threaten Federal Information Systems," focused on three challenges that have evolved rapidly in the last three years: spam, phishing and spyware. And the Federal Information Security Management Act could become a Maginot line against this blitzkrieg of new attacks.

"Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs," GAO found.

Agencies are required to report all cybersecurity incidents, but there is no governmentwide guidance on which incidents should be reported. The most recent guidance was issued in 2000, before the formation of the U.S. Computer Emergency Readiness Team (US-CERT).

"Lacking the necessary guidance, agencies do not have a clear understanding of which incidents they should be reporting, or how and to whom they should report," GAO concluded. As a result, government IT systems often remain exposed to unrecognized threats.

Some help may be on the way from the Office of Management and Budget, charged with FISMA oversight, and the Homeland Security Department. OMB said it would begin incorporating new threats into its annual agency FISMA reviews. Together with US-CERT, it is developing a concept of operations and taxonomy for incident reporting, expected to be released this summer.
Despite, or because of, the fact they are so common, spam, phishing and spyware often are not perceived as security threats, GAO found. Only one of 24 major executive branch agencies surveyed recognized the risk presented by spam for delivering malicious code or other attacks. Fourteen agencies reported that phishing had little or no impact, despite the fact that the FBI, IRS and Federal Deposit Insurance Corp. have been targeted in phishing scams.

Spyware was recognized as a greater problem, with 11 agencies reporting some impact on productivity caused by the intrusive programs. Although a number of agencies have consumer awareness programs for these threats, there are no programs to educate users within the agencies.

GAO recommended that:

* Agencies include emerging threats in their required risk assessments and planning required under FISMA, and
* OMB, DHS and the attorney general develop guidelines for comprehensive incident reporting

[1] http://www.gao.gov/new.items/d05231.pdf

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Jun 15 02:04:25 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:10:42 2005
Subject: [ISN] REVIEW: "CISSP Exam Notes", K. Wan
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCISPEN.RVW 20050330

"CISSP Exam Notes", K. Wan, 2003, 988-97323-1-9, U$24.95
%A K. Wan kplab@pacific.net.hk
%C Hong Kong
%D 2003
%G 988-97323-1-9
%I KP Lab Limited
%O U$24.95 http://www.kp-lab.com/
%O http://www.powells.com/cgi-bin/biblio?inkey=91-9889732319-0
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 196 p. (PDF ebook)
%T "CISSP Exam Notes - All you need to pass the exam"

This appears to be a self-published ebook, available from the author, in PDF format. Despite the fact that an ebook softcopy could readily be edited, it has not been updated in the two years since it was published: some of the CISSP requirements have changed since then, and the book does not reflect that.

The ten domains of the CISSP CBK (Common Body of Knowledge) are covered in ten chapters, with the material provided in point form. The structure and flow of the material bears a striking resemblance to the slides in the (ISC)^2 CISSP review seminar. However, given minor discrepancies, I suspect that the book is not directly based on the (ISC)^2 slides, but rather on another course that, itself, was based on the (ISC)^2 CBK review seminar. (In response to the initial draft of this review, the author responded that his ebook was based on the other books that followed the course outline, rather than on the course itself.) (Wan's company, KP Lab, seems to be restricted to producing training guides for various certifications.)

As noted, the points in the book follow the structure of the course slides. There is usually a sentence or phrase expanding or explaining each point from the Common Body of Knowledge listing, so the material is slightly longer than the subject outline that is available from the (ISC)^2 site. The explanations are, however, briefer even than those in the first edition of "The CISSP Prep Guide" by Krutz and Vines (cf. BKCISPPG.RVW), which is, itself, one of the tersest guides on the market. As with that work, and other similar texts, if you do not already know the content, this tome will not help you very much. Unlike most other CISSP study guides, there are no "sample" questions.

Overall, the points are reasonably well selected. (The section on malware is very disappointing, and the section on legal concepts is rather weak.)
The material is more up-to-date than any other besides the "Official (ISC)^2 Guide to the CISSP Exam" (cf. BKOIGTCE.RVW). In terms of books dealing with an overall familiarization with the topics to be covered on the CISSP exam, this one does have an advantage in price, and in speed of access. (I requested a copy directly from the author by email, and got it within two hours. If, for example, you are in a boot camp course situation, you may need all the help you can get, quickly.)

copyright Robert M. Slade, 2005 BKCISPEN.RVW 20050330

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
E Pluribus Modem
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Jun 15 02:05:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:11:04 2005
Subject: [ISN] Shred It!
Message-ID:

http://www.theregister.co.uk/2005/06/14/secfocus_enron/

By Mark Rasch, SecurityFocus
14th June 2005

The worst thing you can do, of course, is to almost destroy these documents.

There is an axiom in the world of electronic documents and records - "delete doesn't and restore won't." Indeed, forensic document recovery and reconstruction is a multi-million dollar business. Most companies have an ill-used document retention and destruction policy.

In the wake of the United States Supreme Court's ruling in the Arthur Anderson case, a significant question was raised about how companies should draft and apply their policies regarding document retention and destruction, as well as the liability of all parties - including computer security professionals - for assisting in the destruction of electronic records. Unfortunately, rather than clarifying the situation, the Supreme Court's ruling may embolden those who wish to use security professionals for at best unethical and at worst illegal purposes.
Document destruction policies

Almost every large institution, government, commercial, or non-profit organization has some form of express or implied document retention or document destruction policy. Retention policies are much easier to develop than those for the destruction of documents. Essentially, any document that is required to be maintained by law (such as accountant audit papers, tax records, records relating to securities laws, contracts, etc.) should be retained for the time and in the form that is mandated by law. While this is simple in theory, it is more difficult in practice, as individual documents may be covered by a host of laws or regulations in a myriad of jurisdictions.

For paper records, in a sense, it is less complicated. Typically, an employee retains paper documents either in a file or a pile until it is time to clean up. Then perhaps they will come into work wearing jeans, armed with a huge dumpster, and individually review files (carefully or not) and toss whatever does not appear needed or required (does one need those three year old copies of People magazine?). Thus, for paper records the default is only to store or archive that which appears to be needed, although this tends to depend on the vagaries of the individual - some being hopelessly disorganized, some suffering advanced Clean Desk Syndrome, and some being the ultimate pack rats.

For electronic records, however, the problem is much more complicated. First, as information security professionals, we are always concerned about maintaining the availability of information. Thus, we stress the need for frequent backups of data - onto external tape or hard drives and other removable media. Network data is backed up hourly, daily, weekly and monthly. Information is archived continuously, and frequently at a remote location. Thus, information exists in multiple locations.
A typical corporate e-mail likely exists in as many as a dozen places - the sender's laptop (in three or four places) the outbound mail server, the backup of that server, the inbound mail server, the recipient's computer, any CC's and of course, any potential printouts. Add to that the problem of telecommuters and people working from their personal PC's, people using USB thumb drive storage, and other portable hard drives (think iPod), and you are presented with a logistical nightmare.

Why should an organization have document destruction policies?

In the physical world, there is a very good reason to have a document destruction policy. There are only so many dead trees we can store - either at our office location or remotely. Storage is expensive, and it serves no purpose for documents that are no longer required to be kept or are no longer useful for our ongoing business. Indeed, because of the inability to quickly retrieve paper documents, they only represent a cost to the company.

However, in the electronic world, storage costs are much lower. Indeed, to a great extent, it may be more expensive to effectively delete documents than it is to simply retain them. This is because the backups have already been made in the ordinary course of business. To delete documents, a company would have to remount the backup tapes, examine the files, determine which are needed and which are no longer needed, and effectively delete those that are no longer needed. They would archive the ones that are potentially needed, and repeat this process periodically. In addition, because the documents are stored in multiple locations, in order to be assured that a document was, in fact, deleted, this process would have to be repeated on multiple backups, desktops, laptops, etc. If a document is only partially deleted, then you still are required to produce the document in discovery, but you have greatly increased the cost of compliance.
Generally, it is much cheaper to just store the documents. So why have a destruction policy for electronic records?

To lawyers, the world is divided into two classes of people: defendants, and people who are going to become defendants. The thing that sets potential defendants apart is the fact that somebody is going to want their documents - perhaps a disgruntled former employee, an injured party, a former client or customer, a competitor, a regulator or prosecutor. Modern litigation is the art of discovery, which means making the other side pony up their records. The more records they have, the more expense, and the more information that might be potentially useful in litigation. Case-law is rife with offhand e-mails, memoranda and even preserved instant messages which become Exhibit One in a case against the company. Thus, a typical corporate document destruction policy might say that any document which is not required to be kept by law, or needed for the ongoing business of a company is to be deleted and destroyed after - oh, say, 15 seconds?

Another reason for a document destruction policy is to protect privacy. Recent cases of theft or unauthorized access to massive databases of personal information point out the potential liabilities to companies for retaining such databases - particularly in an unsecured manner. What is worse for the companies suffering such breaches is the fact that the data stored may not even be needed by the company anymore, and may be outdated or obsolete. Thus, it represents only a potential liability to the company.

The Anderson/Enron case

Arthur Anderson was, of course, the accountant for the Enron Corporation. When Enron began to implode, one of Anderson's senior partners reminded employees about the Anderson document destruction policy, and advised them that "[I]f it's destroyed in the course of [the] normal policy and litigation is filed the next day, that's great. [W]e've followed our own policy, and whatever there was that might have been of interest to somebody is gone and irretrievable."

A short while thereafter, knowing both that Enron was imploding and that the relationship between Enron and Anderson would likely be under government scrutiny, Anderson's lawyer kept reminding the Enron team about the document retention policy and the need for them to adhere to it - nudge nudge, wink wink, know what I mean? Clearly the Enron team did, and they took the legal advice as a clear signal to start shredding thousands of documents. It was only after Arthur Anderson received a subpoena for the production of documents that they told employees to "stop shredding."

The Supreme Court decision

As read by the Supreme Court in the United States, the statute that Anderson was convicted of violating made it a crime to, "knowingly corruptly persuad[e]" another person "with intent to cause" that person to "withhold" documents from, or "alter" documents for use in, an "official proceeding." The problem with the conviction lay not in the charges, but rather with the way the jury was instructed on what was "corrupt."

Ordinarily, to act "corruptly" implies that you do something more than willful and knowing, that you have some evil intent. The normal jury instruction regarding what is "corrupt" defines it as to act "knowingly and dishonestly, with the specific intent to subvert or undermine the integrity" of a proceeding. It would have been fine if the jury was told that. But, at the insistence of the government, the jury was told that there was no need for them to find that Anderson acted "dishonestly" and that it was enough if the accountants acted knowingly and with the intent to "impede" an investigation - even if they didn't know that there was a formal investigation. That's where the trial court went wrong.

Virtually every document destruction policy is designed knowingly to "impede" some investigation at some date.
I mean, that's why we are deleting the documents, after all - so they won't be there in the event of some later demand for them, whether by civil litigants, administrative agencies, or a federal grand jury. But not every document destruction is done "corruptly." The term means something more. The Supreme Court noted that "[d]ocument retention policies," which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. . . . It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances."

As part of the Sarbanes-Oxley legislation, the federal law used in the Anderson prosecution has been extended and modified to include not only inducing someone corruptly to destroy documents, but also to corruptly destroy them yourself. But it still must be done "corruptly," in other words, with some wrongful intent!

The funny thing about the Anderson case is that, if properly instructed - whether under the old law, or the new one (which doesn't apply retroactively, of course) - a jury could still have convicted Anderson. Look, they knew that an investigation was on the way. The law did not require that the investigation actually have been started for them to have acted "corruptly." The instructions about the document destruction policy were targeted at the Enron team with the knowledge and clear intent that the documents must be destroyed so they would not be available for a specific investigation of specific wrongdoing. Or, at least a jury could so conclude from the evidence. It was the wording of the jury instruction that offended the Supreme Court, since it broadened the law to potentially criminalize every document destruction policy.

Advice for the future

So, how should this affect my document retention and destruction policy? The answer is, not very much.
First, you should establish a clear and reasoned and workable policy. Second, to the greatest extent possible, security professionals should automate the process of document destruction (and ensure that the destruction includes all the many places where the document may exist) so you eliminate the inference that you deleted the documents for a nefarious reason. Any time you rely on employees to delete documents manually, you can be virtually assured that the documents won't be deleted - or won't be deleted properly. Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents.

Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended. While you can wait until the subpoena arrives (like Anderson did) before suspending the policy, provided that you don't act corruptly, you run the risk not only of criminal indictment but also a finding of what the law calls "spoliation" - the willful destruction of evidence or the failure to preserve potential evidence for another's use in pending or future litigation. In such a case a court could, in addition to finding you in contempt, allow a negative inference to be made in a civil case about what the missing documents would show, then order you at your own expense to attempt to reconstruct any missing documents, order you to pay fines, fees and costs, or otherwise punish you and your company.

The post-Enron federal law has created broad categories of documents that must be retained and turned over, including for example the accounting work papers Anderson shredded. Companies should not take the recent Supreme Court decision as a green light to fire up the shredders, however. At best, it's a yellow light turning red. So my advice is either don't shred, or find a list of countries that don't allow extradition.
And remember, even though Andersen won the battle, don't forget who won the war.

Copyright © 2005, Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

From isn at c4i.org Wed Jun 15 02:05:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:11:26 2005
Subject: [ISN] Microsoft Issues A Dozen Patches
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=UTJKSRJ15WVTCQSNDBCCKH0CJUMEKJVN?articleID=164303105

By Gregg Keizer
TechWeb News
June 14, 2005

Microsoft on Tuesday rolled out 10 security bulletins that covered 12 vulnerabilities, and for the first time, offered up its monthly patch batch using the revamped update services and tools for both individuals and enterprises.

Three of the 12 vulnerabilities were marked as "Critical," Microsoft's most urgent alert level in its four-step warning system. All three affect OS components or flaws in Internet Explorer that have been patched multiple times in the past.

Bulletins marked as MS05-025, 026, and 027, are the three with Critical vulnerabilities, said Microsoft, and affect Internet Explorer; the HTML help system in Windows 2000, XP, and Server 2003; and the Server Message Block (SMB) protocol in Windows 2000, XP, and Server 2003.

"All three of these services have been patched in the past," said Mike Murray, the director of research at vulnerability management vendor nCircle. "In fact, one of the IE vulnerabilities, the XML redirection vulnerability, is just a new variant of an older vulnerability."

Murray rejected the idea that the patch-repatch-patch-again process proves that Microsoft has a quality control problem. Instead, he laid the blame at the feet of smart vulnerability researchers and hackers. "There are some clever people figuring out previous patches, and then saying 'if I did X and Y, I could get around that patch,'" said Murray.

Microsoft security program manager Stephen Toulouse naturally agreed. "It's more a matter of the focus that researchers bring to it [that decides which vulnerabilities get found]," he said. "One of the things that we do when we receive a report from a researcher is actually do code reviews to see, for instance, how the affected code interoperates. In these cases, the vulnerabilities were just different enough [from prior vulnerabilities] that they weren't caught in those earlier code reviews."

The vulnerability with the potential to wreak the most havoc, said Murray and others, is MS05-027, the flaw in SMB, the protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers. Similar to, but not a repeat of, a bulletin released in February, 027 has the potential for being exploited by a worm on the order of, say, MSBlast, said Murray.

"If you read the bulletin, it doesn't say anything about authentication," said Murray. "In other words, does an attacker need to have a valid log-in username and password? If not, and it doesn't require authentication, that means anyone can break into the box."

Toulouse of Microsoft confirmed that the SMB vulnerability didn't require authentication, but stressed that the most likely result of an attack would be a less-dangerous denial-of-service. "Even so, we're erring on the side of caution, and rating this as Critical because of the theoretical potential."

nCircle's Murray took the word "theoretical" with a grain of salt. "If there's a way to exploit a vulnerability, hackers will do it," he said. "This is definitely serious. It's the only vulnerability of the bunch that could be exploited by a large-scale network worm," Murray said. But he also hedged his bets, perhaps because a similar call in February was quickly proved wrong after additional analysis. "We'll know more in the next six hours or so, as we examine the vulnerability."

Other analysts also tagged MS05-027 as the one to watch. Neel Mehta, a team leader with Internet Security Systems' X-Force security research group, named it as his number 1 threat "because of its scope and the fact that user authentication's not required, nor user interaction." Writing an exploit for the SMB bug won't be easy -- Mehta called it "fairly challenging" -- but he said it wouldn't be long, perhaps within the week, that an exploit appeared. "It's actually more potentially dangerous than the February vulnerability in SMB," he added. "We're going to be tracking this carefully."

Windows XP SP2 users who have left the by-default-enabled Windows Firewall in place are protected to some extent, said several of the researchers interviewed, since it automatically blocks the external ports used by the SMB service. "But if someone has disabled the firewall, or has turned file sharing on," Mehta explained, "they could be hit."

It was the other two Critical bulletins -- one that fixes flaws in how IE processes PNG (Portable Network Graphics) image files, another in Windows' HTML Help -- that got the attention of another researcher, Alfred Huger, vice president of engineering for Symantec's security response team. "I think 025 and 026 are the ones I found the most alarming," said Huger. "Both the PNG and HTML vulnerabilities are dangerous because they can affect so many end targets. Essentially, anyone with IE that's unpatched is at risk. And we've seen how fast phishers and rogue Web sites are in picking up on graphics vulnerabilities." Like Mehta, Huger expects to see vulnerabilities soon. "There will be exploits within the week," he said, of the PNG bug.

The remaining seven bulletins, which detail and patch four vulnerabilities marked as "Important" and four labeled "Moderate," cover a variety of Windows components or Microsoft applications, ranging from Outlook Web Access on the aging Exchange Server 5.5 to Microsoft Internet Security and Acceleration (ISA) Server 2000.
Patches can be downloaded using the new Microsoft Update service or, for enterprises, the just-released Windows Server Update Services. Those services, said Microsoft's Toulouse, were "working just fine" Tuesday in their debut.

From isn at c4i.org Wed Jun 15 02:05:58 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:11:55 2005
Subject: [ISN] ITaP traces security breach to Belgium
Message-ID:

http://www.purdueexponent.org/interface/bebop/showstory.php?date=2005/06/15&section=campus&storyid=index

By Leroy Bridges
Summer Editor
06-15-2005

The security breach that exposed more than 11,000 Social Security numbers has been traced to Belgium. Ken Morgan, director of communications of Information Technology at Purdue, confirmed, on Tuesday, that the incident involved Belgium and some sort of video.

The University has an investigation underway to clearly identify the hackers and how the breach occurred. "This is currently a criminal investigation," Morgan said. "We can't really say much else because we don't know much right now."

The breach happened in April and resulted in personal information of people linked to the University getting exposed.

To prevent future problems, Morgan said that Purdue clearly needs a stronger pattern for computer security. "Many things need to change," Morgan said. "From new systems to new people, this process is a large one."

Despite increased security and new systems, Morgan wants people to realize that this situation is a reality when using the computer and today's technology. "This is a job that will never be done," Morgan said. "Technologies continue to evolve so we will always be upgrading and changing systems to ensure protection.

"But that doesn't mean this won't ever happen again."

Once the investigation is finished, details regarding the breach will be available.

From isn at c4i.org Wed Jun 15 02:03:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 15 02:12:20 2005
Subject: [ISN] Poll: Most Want U.S. to Make Internet Safe
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/06/15/AR2005061500175.html

By TED BRIDIS
The Associated Press
June 15, 2005

WASHINGTON -- Most Americans believe the government should do more to make the Internet safe, but they don't trust the federal institutions that are largely responsible for creating and enforcing laws online, according to a new industry survey.

People who were questioned expressed concerns over threats from identity theft, computer viruses and unwanted "spam" e-mails. But they held low opinions toward Congress and the Federal Trade Commission, which protects consumers against Internet fraud.

"A lot of times, people get us confused with other agencies," said Lee Peeler, deputy director for the consumer protection bureau at the FTC, which has sued people accused of sending spam and spyware.

The FBI scored more favorably among Internet users in the survey but still lower than technology companies, such as Microsoft Corp. and Dell Inc.

The telephone survey of 1,003 likely voters was funded by the Washington-based Cyber Security Industry Alliance, a trade group that has lobbied the Bush administration to pay greater attention to Internet security. The alliance also has cautioned lawmakers against what it considers unnecessary security laws.

"There are some mixed signals here," said Paul Kurtz, the group's executive director and a former White House cybersecurity official. "There is definitely a desire to see government provide more leadership, but there is some anxiety about what ultimately might come out."

The survey, to be released Wednesday, said 71 percent of people believe Congress needs to pass new laws to keep the Internet safe. But Kurtz said Congress and the Bush administration should do a better job enforcing existing Internet laws against hackers, thieves and vandals and offer incentives for companies to improve security.
"I don't think the public knows what it wants Congress to do, but it wants Congress to do something," said Dan Burton, the senior lobbyist for Entrust Inc., an online security company and member of the trade group. "They don't have a lot of confidence that Congress will do the right thing."

The survey was conducted May 2-9 by Pineda Consulting, with a margin of error of 3 percentage points. It was limited to people who indicated they were almost certain or probably would vote in the next federal election.

___

On the Net:
Cyber Security Industry Alliance: www.csialliance.org

From isn at c4i.org Thu Jun 16 03:16:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:26:58 2005
Subject: [ISN] The High Costs of Hacking
Message-ID:

Forwarded from: security curmudgeon

: http://www.cio.com/archive/061505/tl_security.html
:
: BY MICHAEL JACKMAN
: June 15, 2005
: CIO Magazine
:
: While it's true that not all network mischief comes at such a high price, John Sgromolo, lead investigator for digital forensics at Verizon Communications and a former special agent with the United States Naval Criminal Investigative Service, says that such large sums are the real deal. More or less.
:
: Consider cases in which a hacker brings down a server that's used for selling products. "If you're averaging $3,000 an hour on this server, that's not hard to figure out based on how many hours it was down," Sgromolo says. Then there's the cost of replacing damaged equipment and the hours spent on repairs, installation and recovery.

A good point, and something many folks in the industry have been pointing out for almost a decade now. The problem is these damage figures are put forth with little or no explanation. In the past we've seen reports of "millions of dollars of damage" to systems, but no justification for the figure, no explanation of how it was derived, and no logic could make the leap to such high numbers.

We're all painfully aware of how damage figures can be manipulated by the prosecution as well. Look back to the Mitnick case in which Sun Microsystems was pressured into claiming an 82 *million* dollar loss for the theft of their source code. Did Sun ever mention this loss in their SEC filings? Do any of these companies that suffer "million" dollar losses at the hands of hackers report such losses? If not, isn't that fraud?

In some cases we see a company claiming high damage figures due to "loss of information". Apparently negligence in backup policy is perfectly acceptable to the company. If it wasn't an evil hacker, it could just as well have been a cup of water spilled on a primary server that caused the loss.

Some companies go so far as to count all the time and effort spent securing the system after a break-in as part of the damage cost. What should have been done proactively to prevent a break-in is now dumped in the lap of the person who broke in. If we applied that reasoning to non computer crimes, the courts would openly laugh at some damage figures.

"yes your honor, the $13,500 damage figure for my bike getting stolen is perfectly reasonable. first, i had to buy the bike before it could get stolen which cost $250 bucks. then i had to buy a lock. i'm also including a portion of my rent which covers the locked garage it was kept in, the security surveillance system which we had to install to prevent it from happening again, my time and materials, the time spent by the police officer for taking my report and investigating the crime (my tax dollars pay his salary!), your honor's time..."
From isn at c4i.org Thu Jun 16 03:17:33 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:27:59 2005
Subject: [ISN] New worm hits AIM network
Message-ID:

http://news.com.com/New+worm+hits+AIM+network/2100-7349_3-5748646.html

By Joris Evers
Staff Writer, CNET News.com
June 15, 2005

A new worm spread quickly on America Online's AIM instant messaging service Wednesday afternoon but was contained within hours, experts said.

The worm spread in instant messages with the text: "LOL LOOK AT HIM" and included a Web link to a file called "picture.pif." If that file was downloaded and opened, the worm would send itself to all contacts on the victim's AIM Buddy List, according to representatives from IM security companies Facetime and IMlogic.

With earlier, similar worms, downloading and opening a file would also install a backdoor or other malicious code on the victim's PC, said Jonathan Christensen, chief technology officer at Facetime. It's not yet known if this latest worm does that. Both IMlogic and Facetime were investigating the picture.pif file Wednesday afternoon.

The worm first appeared around 12 p.m. PDT and appears to have spread quickly until about 1:30 p.m., Christensen said. At that time, AOL likely put a filter on its AIM service, blocking the worm's spread, he said. Also, not much later, the malicious code was removed from the Web.

"We are either currently blocking it, or we will be in the very near future," said Andrew Weinstein, an AOL spokesman.

Facetime and IMlogic received several inquiries on the worm, signaling that it was widespread. The worm hit employees at Hewlett-Packard and prompted tech support at the Palo Alto, Calif., technology giant to send out an alert to employees.

IMlogic has identified the worm as a variant of the Opanki worm, which first surfaced last month. The new variant has been rated a "medium" risk.

The worm is the latest in an increasing number of cyberthreats that use instant messaging to attack Internet users. Just as with attachments and links in e-mail, instant message users should be careful when clicking on links that arrive in instant messages--even messages from people they know, experts have warned.

From isn at c4i.org Thu Jun 16 03:15:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:28:13 2005
Subject: [ISN] To Find Solid Security Candidates, Look Beyond Tech Certificates
Message-ID:

http://www.eprairie.com/news/viewnews.asp?newsletterid=11552

By James Carlini
ePrairie.com
6/15/2005

As more organizations see security and compliance as their top issues, they don't see where security really fits on the organization chart. There is a big secret that few executives know about in most organizations: Security is not a techie issue. It goes beyond knowing virus scans and firewalls. Security should be at an executive level because it's a business strategy and not a low-level function.

In several semesters of network security classes, attendees from various organizations have debated this observation. For some reason, security is viewed as a job that's accomplished by adding some firewalls and making sure everyone's computer has the latest patches applied. The overall consensus after so much debate is that it's a much broader job that encompasses making policy and procedures as well as adding software to protect assets.

HR's Quest For the Purple Squirrel

Job descriptions that have high-level strategy and policy-making requirements along with technical requirements are the equivalent of looking for purple squirrels. You're never going to find one, and with that mix of skill sets required for the job, any candidate that fills the job is doomed for failure.

Some human resource professionals look for the easy way out and require certificates. A certificate doesn't guarantee anything. You may be losing out on the best candidates if you're too focused on paper and not real experience.
Many HR departments have become too reliant on certificates instead of trying to understand and search for the real skill sets needed for many jobs. Looking for project management professional (PMP) certificates for project management and technical certificates for Cisco and Microsoft, some HR people have become too focused on certificates instead of looking at the experience of the total individual.

As one candidate pointed out to me in a phone conversation, a certificate doesn't guarantee a level of expertise to do the job. Real experience points out that "I already did the job" the certificate says I should be able to do.

The question becomes: "Have organizations become too concerned about certificates and nothing else?" The answer is yes. More important, the rigid requirement for certificates doesn't guarantee any level of quality in candidates. This is something for some HR departments to evaluate again in their approach to screening and hiring candidates.

A Typical Failed Job Description

Here's a typical request for someone who's as rare as a purple squirrel. This was from a company that failed a Sarbanes-Oxley compliance test and is now looking for a new person to fill the role of security administrator.

Read through the requirements and look at the disparity between the techie skill sets needed and the policy and procedures expertise that's also needed to understand and support Sarbanes-Oxley compliance issues. It's hard to find all that rolled into one person.

Position: Security administrator
Location: Anywhere in the U.S.

Job Description: Our client is seeking a highly motivated individual who will function as a lead technical security administrator. Will have responsibility for overall security of the client's applications and operating environment. Must be able to manage and perform security reviews and audits, application-level vulnerability testing, risk analysis and security code reviews. Will be expected to evaluate and architect information security plans. Will be expected to own the information security operational, procedural and policy documentation. Will be responsible for ongoing review of security alerts and vulnerabilities and assessing applicability to applications, systems and operating environments supporting the business unit. Will have direct responsibility for responding to all security-related events, leading the client's technical event activities and acting as the liaison with other central and corporate security teams. Will be expected to track security-related events, vulnerabilities, applicability, remediation activities and provide ongoing status reporting. Will be expected to maintain a security-focused mindset within the client's IT team, provide training and necessary communication to the team. Will be expected to maintain currency on information technology security products and infrastructure. Will design and recommend security initiatives including custom-developed and commercial-protection technologies.

* Must have a strong foundation and in-depth technical knowledge in security engineering, computer and network security, authentication and security protocols and cryptography
* Must have a strong understanding of firewalls, intrusion detection, strong authentication, content filtering and enterprise security management
* Five years of technical experience with increasing responsibility
* Two years of experience focused on information security
* Detailed knowledge of common security protocols and network security topics
* Intimate knowledge of system security vulnerabilities, network-based attacks and their mitigation
* In-depth knowledge of common security protocols
* Excellent organizational, written and verbal skills
* Results oriented

This company has focused on the technical skills but hasn't detailed what it needs from a compliance standpoint.
In this case, the security will have to somehow understand the issues and impacts of Sarbanes-Oxley but those job attributes have yet to be clearly defined.

My recommendation is that the company should break up the position into an executive-level and technical-level job. If this isn't done, the company is doomed to repeat its mistakes. A technical person isn't going to understand some of the higher-level issues and the high-level person isn't going to be able to keep up with all the techie issues. I have seen the same dilemma at several small financial firms. You can't give two full-time jobs to one person and expect them both to get done.

Will people listen to opinions like mine? No. They won't until they suffer enough economic pain through fines and non-compliance disciplinary sanctions.

Carlinism: Companies find better candidates when they look beyond certifications and into real-world experience.

-=-

James Carlini is an adjunct professor at Northwestern University. He is also president of Carlini & Associates. Carlini can be reached at carlini @ northwestern.edu or 773-370-1888.

Copyright 2005 Jim Carlini

From isn at c4i.org Thu Jun 16 03:16:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:28:30 2005
Subject: [ISN] Security UPDATE -- Supercharging Snort -- June 15, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Exchange & Outlook Administrator
http://list.windowsitpro.com/t?ctl=C2C9:4FB69

Cost Control Through Remote Control: A practical approach to reducing the cost of supporting PC's in a multi-platform environment
http://list.windowsitpro.com/t?ctl=C2BC:4FB69

====================

1. In Focus: Supercharging Snort

2. Security News and Features
- Recent Security Vulnerabilities
- WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way
- Cisco's New DDoS Protection Solution
- IIS 6.0 Enhancements in Windows 2003 SP1

3. Security Toolkit
- Security Matters Blog
- FAQ

4. New and Improved
- Manage Compliance and Vulnerability Remediation

====================

==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!
http://list.windowsitpro.com/t?ctl=C2C9:4FB69

====================

==== 1. In Focus: Supercharging Snort ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Certainly you've heard of the open-source Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Snort. Maybe you're one of the countless people who use it. If so, you know it's a great tool with a huge amount of support from the user community. You might also know that Sourcefire, the company behind Snort, offers a commercial version of Snort and other network-protection tools.

When I recently visited the Snort.org Web site, I learned that you can now subscribe to the Sourcefire Vulnerability Research Team's certified rulesets, which means that you can receive the latest rulesets five days sooner than those rulesets are released to the general public.
http://list.windowsitpro.com/t?ctl=C2D2:4FB69

Maybe you write your own rules in addition to using rulesets available at the Snort Web site. As with the source code for any application, the way a rule is written affects the performance of Snort. Poorly written rules take more time to process.
A few extra microseconds of processing time here and there might not seem like a big deal, but when you consider an overall traffic load, those microseconds add up to full seconds really fast, and of course those seconds add up to minutes. The more efficient your rules, the more efficiently your IDS runs and the less likely that some sort of anomalous traffic-dropping occurs.

So how can you determine how efficient your rules are? An easy way is to use the new TurboSnortRules online benchmarking tool, sponsored by VigilantMinds. TurboSnortRules is a Web-based service that lets you enter a rule and test its performance on various versions of Snort against a set of control data. The test output shows you how fast your rule operates on those selected versions.
http://list.windowsitpro.com/t?ctl=C2D5:4FB69

As an example of how effective the service can be, take a look at the two sets of test results listed at the URLs below. Both tested rules are designed to detect Yahoo! Messenger logons. As you'll see in the results, one rule operates much faster than the other.
http://list.windowsitpro.com/t?ctl=C2C5:4FB69
http://list.windowsitpro.com/t?ctl=C2C4:4FB69

For another example, look at the two sets of test results for rules designed to detect the Mytob Trojan horse (at the first two URLs below). One rule operates faster than the other, but in this case, the difference in speed isn't as dramatic as in the comparison of the Yahoo! Messenger rules. Even so, every little bit of speed improvement helps. One slow rule could cause Snort to begin dropping packets, which could jeopardize your overall security. See the third URL below too, which graphically illustrates the damage one poorly written rule can do.
http://list.windowsitpro.com/t?ctl=C2C2:4FB69
http://list.windowsitpro.com/t?ctl=C2C3:4FB69
http://list.windowsitpro.com/t?ctl=C2D0:4FB69

Also at the TurboSnortRules site, you'll find a searchable database for looking up rules that are either part of the Snort distribution or that have been submitted to the site by administrators for testing. The database is a good way to find rules you might need but don't want to write yourself, and the related performance data shows you how well those rules perform. Another excellent resource at the site is the Snort Performance Wiki, which has a lot of useful suggestions about how to make Snort run as fast as possible.

====================

==== Sponsor: Netopia ====

Cost Control Through Remote Control: A practical approach to reducing the cost of supporting PC's in a multi-platform environment

While the price for personal computers continues to decline, the actual cost to own and operate PCs continues to rise. In this free white paper get the insights and solutions into some of the less visible, but very real costs of PC and LAN ownership. You'll learn a practical approach to reducing the cost of supporting PC's and customers in a multi-platform environment. Plus -- you'll also get a Cost Savings Model for help desks that demonstrates the cost savings that can be realized by implementing remote control technology.
http://list.windowsitpro.com/t?ctl=C2BC:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=C2C0:4FB69

WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way

Have you been waiting for the release of the finished Windows Server Update Services (WSUS)? Wondering when the new Microsoft Update site will go live?
Both are available now, and Microsoft Baseline Security Analyzer (MBSA) 2.0 is on the way.
http://list.windowsitpro.com/t?ctl=C2CD:4FB69

Cisco's New DDoS Protection Solution

Cisco Systems announced its new Distributed Denial of Service (DDoS) Protection solution that allows ISPs to protect their own networks, sell protected wholesale connections, and offer customers managed protection against DDoS attacks.
http://list.windowsitpro.com/t?ctl=C2CC:4FB69

IIS 6.0 Enhancements in Windows 2003 SP1

Although most of the major Windows Server 2003 Service Pack 1 (SP1) changes concentrate on the core OS, SP1 doesn't neglect Microsoft IIS. The service pack contains several significant enhancements to IIS 6.0, the Web server application that's bundled with Windows 2003. Michael Otey outlines those changes in this brief summary on our Web site.
http://list.windowsitpro.com/t?ctl=C2C8:4FB69

====================

==== Resources and Events ====

True High Availability -- Going Beyond Backup and Data Replication

In this free Web seminar discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server. Register Now!
http://list.windowsitpro.com/t?ctl=C2BD:4FB69

Attend the Black Hat Briefings

Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the briefings are designed to be pragmatic regardless of your security environment. Featuring 25 hands-on training courses and 10 conference tracks. Lots of Windows stuff profiled.
http://list.windowsitpro.com/t?ctl=C2D7:4FB69

Get Ready for SQL Server 2005 Roadshow in Europe

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=C2BF:4FB69

Streamline Desktop Deployments

Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn how to simplify the deployment and configuration process, starting with the new-application request, review, and approval process and progressing through software packaging and deployment.
http://list.windowsitpro.com/t?ctl=C2BA:4FB69

Safeguard Your Exchange Servers -- Plus Receive A FREE eBook

Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange uptime. In this free Web seminar discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now and get your free eBook!
http://list.windowsitpro.com/t?ctl=C2B7:4FB69

Win A Windows IT Pro VIP Subscription -- Register And You Could Win!

In this free Web seminar, learn what the most common fax messaging challenges encountered in the workforce are and solutions for how to turn these common fax "headaches" into cost-effective, easy-to-use, business communications. You'll also receive a free industry white paper on fax deployment and integration techniques. Register now and you'll receive a 30-day software trial and a Starbucks gift card for attending!
http://list.windowsitpro.com/t?ctl=C2BB:4FB69

====================

==== Featured White Paper ====

Security Management in a Multi-platform World
In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.
http://list.windowsitpro.com/t?ctl=C2B8:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=C2D3:4FB69

10 Security Patches Due June 14
Microsoft released 10 security updates on June 14, at least one of which is considered by the company to be critical. Seven of the patches are for Windows OSs, one corrects a problem in Windows Services for UNIX, the eighth corrects a problem in Exchange Server, and the ninth corrects a problem with Internet Security and Acceleration (ISA) Server and Small Business Server (SBS). Microsoft also scheduled a Webcast for today at 2 P.M. Eastern Time (11 A.M. Pacific Time) to discuss the security updates.
http://list.windowsitpro.com/t?ctl=C2C1:4FB69

New Feature Pack for Windows Mobile 5.0 to Enhance Security
Speaking last week at TechEd 2005, Steve Ballmer, chief executive officer of Microsoft, announced that the company's new Messaging & Security Feature Pack for Windows Mobile 5.0 will allow administrators to remotely enforce IT policy, remove all information from a device, and reset a device to its original state, including the ability to erase local device memory when the correct password isn't entered within the designated number of attempts.
http://list.windowsitpro.com/t?ctl=C2CA:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=C2CF:4FB69

Q: Where is cached Universal Group information stored?
Find the answer at http://list.windowsitpro.com/t?ctl=C2CB:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=C2CE:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Manage Compliance and Vulnerability Remediation
Citadel Security Software is now shipping Hercules 4.0. The new version adds two new modules: Hercules Compliance Manager, for auditing and reporting security policy compliance, and Hercules Remediation Manager, for managing vulnerability remediation and enforcing security policies. Hercules is available as a full suite or as individual modules. Citadel also now offers Hercules as a hardware appliance and in a pricing model that lets you pay for compliance audits and remediation actions as they're performed--these appliance and pay-per-use features are designed to make Hercules more appealing to smaller businesses. For more information, visit
http://list.windowsitpro.com/t?ctl=C2D8:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Ensuring Protection and Availability for Microsoft Exchange
Download this free white paper now!
http://list.windowsitpro.com/t?ctl=C2B9:4FB69

Quest Software
Eleven things you must know about quick AD recovery!
http://list.windowsitpro.com/t?ctl=C2D9:4FB69

A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems
Reduce downtime, mean-time-to-repair, lower costs & improve ROI.
http://list.windowsitpro.com/t?ctl=C2BE:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=C2D4:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=C2C6:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jun 16 03:17:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:28:43 2005
Subject: [ISN] Army probes royal security breach
Message-ID:

http://today.reuters.co.uk/news/newsArticle.aspx?type=topNews&storyID=2005-06-15T232732Z_01_MOR584362_RTRUKOC_0_SECURITY-BRITAIN.xml

June 16, 2005

LONDON (Reuters) - Britain ordered an inquiry on Thursday into how a journalist carrying a dummy bomb breached security to enter the military academy where Queen Elizabeth's grandson Prince Harry is studying.

The Sun newspaper said an undercover reporter posing as a student wandered unchallenged for seven hours around the prestigious Royal Military Academy Sandhurst where Harry began his army training in May.

"I have demanded an immediate investigation into this serious security breach," Defence Secretary John Reid said in a statement. "I have instructed Sandhurst to change their procedures to prevent a recurrence."

A Ministry of Defence spokesman said a review was under way and that changes would be made to security at the base.

The prince, younger son of Prince Charles and the late Princess Diana, is being trained as an officer cadet and will be eligible for service after the 44-week course ends.

The reporter photographed documents detailing the 20-year-old prince's routine and filmed him with students at the base in Berkshire, 30 miles (48 km) west of London. The newspaper printed a grainy front-page picture of the prince wearing a beret and carrying a rifle.

The unnamed reporter said he gained access to the base by contacting its librarian. The academy's library is open to the public by appointment, the paper said.

The reporter said once he had entered the base he made a fake bomb with wires and a clock before filming himself holding it outside a college building. He said he was finally challenged by a soldier seven hours after he arrived as he walked through an accommodation area. The reporter said he answered some questions before driving off.
The incident was the latest in a series of high-profile breaches in royal security. In April, a journalist drove a package into the heart of Windsor Castle before Prince Charles' marriage to Camilla Parker-Bowles. Last year a man tricked his way into Windsor Castle by posing as a policeman, and in 2003 a comedian gate-crashed the 21st birthday party of Charles's older son Prince William.

Security at many public buildings in Britain was increased after the September 11, 2001, attacks in the United States, and police chiefs said they feared bombings were inevitable.

© Reuters 2005. All Rights Reserved.

From isn at c4i.org Thu Jun 16 03:17:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:28:50 2005
Subject: [ISN] `Legit' hackers set to target telecom firms in cyber attacks
Message-ID:

http://www.asahi.com/english/Herald-asahi/TKY200506150322.html

By KOJI NISHIMURA
The Asahi Shimbun
06/15/2005

Some of Japan's leading companies are about to deliberately set themselves up for sneak cyber attacks, but it's all part of a government plan to improve corporate online security.

Under the plan starting next fiscal year, "legitimate" hackers will use typical cyber-attack methods, such as trying to infiltrate corporate networks or inundating Web sites with hits, to expose vulnerabilities. Their first targets will be in the telecommunications industry.

It may sound like a frightening misuse of authority, but businesses should have nothing to fear as the "targets" will be limited to corporations that volunteer for the drills.

The three-year program, with a budget of about 1.5 billion yen for the first year alone, is the brainchild of the Ministry of Internal Affairs and Communications, which oversees Internet service providers and other businesses.

The mock attacks are aimed at helping businesses arm themselves against real cyber attacks by exposing system weaknesses and training personnel, sources said.
Internet service providers already use sophisticated anti-virus software, firewalls and other protection against the rising threat of cyber attacks. But it is hard to tell how effective measures are until a hacker gets through.

Another problem is businesses have little experience in working together to prevent damage from spreading, the sources said.

The vulnerability of Internet businesses was demonstrated when Kakaku.com's database was invaded by a hacker in May, forcing the nation's top price-comparison Web site to shut down for about a week.

The ministry plan includes setting up a task force of information security experts from universities and other institutions. Over several weeks, the team will stage surprise attacks on businesses that apply to take part.

Because the attack will end when infiltration succeeds, it will not cause real damage to systems or data leaks, according to the sources.

Through the exercise, companies will learn not only where problems lie, but also how well their crisis management plans work, the sources said. They can check when and how problems were detected and whether responses, including internal and external liaison, were adequate.

The findings will be released publicly with the aim of improving anti-hacker protection. Participants' names won't be revealed, the sources said.

(IHT/Asahi: June 15, 2005)

From isn at c4i.org Thu Jun 16 03:23:39 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 16 03:29:55 2005
Subject: [ISN] Researchers Stymied By Microsoft Vulnerability
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=ZHF4EG25UXDEUQSNDBGCKHSCJUMEKJVN?articleID=164303573

By Gregg Keizer
TechWeb News
June 15, 2005

Researchers on Wednesday were still dissecting one of the vulnerabilities patched by Microsoft Tuesday, and hadn't yet been able to "find the trick," said the head of one security firm's lab.
Mike Murray, the director of research at vulnerability management vendor nCircle, has had his entire team picking through the patch provided by Microsoft to fix a flaw in Windows' SMB [1] (Server Message Block) protocol, and hasn't yet been able to find a way to exploit the vulnerability without going through authentication.

"It's incredible," said Murray. "We've found all the functions and the overflow, but we haven't been able to find the unauthenticated [attack] vector. We've found the authenticated vector, but as for the other, nope."

nCircle pulls apart disclosed vulnerabilities to create new methods of vulnerability detection, and in the short term, to provide guidance to its customers on the relative danger of flaws in applications and operating systems, including Windows.

According to Microsoft, the SMB vulnerability, which was laid out in one of the ten security bulletins [2] released Tuesday, could be exploited remotely by an attacker without requiring authentication, in other words, without a legitimate Windows log-in username and password. Such an unauthenticated attack avenue, experts warned Tuesday, made the bug much more dangerous, and could lead to a worm-style assault that attacked any computer with the SMB service exposed to the Internet.

"There's a trick to this one," said Murray. When asked if it was good news that his team couldn't find the exploit -- that if they couldn't perhaps attackers might not either -- he said "It only takes one person to figure out that trick, and then it'll break wide open."

Even though the nCircle research team has so far failed to puzzle out the SMB vulnerability, Murray still thinks that it's the most dangerous of the 12 announced yesterday.

"It's still the most threatening, by far," said Murray. "In fact, there are two vulnerabilities, not just one," he said. "[The second] is strictly a denial-of-service vulnerability, a way to crash the SMB service through an uninitialized variable.
Maybe Microsoft missed it, or didn't think of it as a true vulnerability, since it was the [buffer] overflow they concentrated on."

Murray said his bunch would continue examining the vulnerability until they found a way to hack SMB sans authentication. "This is a tough nut to crack," he admitted. "Or maybe Microsoft was just throwing us a red herring telling us that it could be exploited unauthenticated."

[1] http://www.microsoft.com/technet/security/Bulletin/MS05-027.mspx
[2] http://www.techweb.com/wire/security/164303082

From isn at c4i.org Fri Jun 17 01:45:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:50:26 2005
Subject: [ISN] Black Hat Briefings Announcements
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers,

I just wanted to let you know we got some new content on-line as well as a reminder about upcoming registration deadlines. Hope to see you there!

REMINDER: Register before July 1st to take advantage of the earlier pricing!
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-index.html

Speakers are selected for the USA summer show, July 27th and 28th. The speaking selections were the most difficult this year due to a large number of excellent submissions. Unfortunately we only have so much space and time, so some tough decisions were made. Check it out:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html

Black Hat's Training line up for this summer is also the largest ever.
http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-index.html

Lots of new stuff is happening this year, including the Jericho Challenge, Black Hat Poker Tournament, Black Hat Golf Tournament, Executive Women's Forum Workshop, Black Hat Public Hearings, and the mysterious Black Hat Awards Ceremony.
If Caesars Palace is full, check this page for other hotels Black Hat has room blocks set aside:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-venue.html

Black Hat USA 2004 videos and presentations are now on-line! Please feel free to browse Black Hat's media collection and watch past speeches.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#USA-2004

NEW: The Black Hat store is now on-line. Buy Black Hat related merchandise, past conference CDs, and other shiny things.
https://commerce.blackhat.com/merchandise/

Thank you,
Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQEVAwUBQrIiL0qsDNqTZ/G1AQLregf/ZTgPn9BeDGUgl9MB9o4BwcUtf0IyJoZP
xNnUcKhKY3RBVOn7QbwyS3DfDq6FqVo1jSs+JMrUTDHQxfFXO3Vujpk/ucI55isz
PN414GobgJW6ju721wG0jCZ8LPIT7zO6ee5qijfx2GFra6XqsLsoDgE1vtbkAYtJ
CNdMcVbMyIzKClF0lkH7q5e57JtRB+qhTI+rSHRr2OL8eSgll05YbIOQ56aNjFEN
3WCRLY8CLCz9dZ/VZnOsJ9l2I7lHYAaq1818LFyplg8PQqIJfE1iliCMaIocoX5v
cCIcu2NQqCU2sQcAWGtIlkcm0xu6HMBFiRQQwa8ZYbLDflO9yO+5Hw==
=K7es
-----END PGP SIGNATURE-----

From isn at c4i.org Fri Jun 17 01:46:19 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:50:47 2005
Subject: [ISN] Top Open-Source Security Applications
Message-ID:

Forwarded from: Marjorie Simmons

http://www.newsfactor.com//story.xhtml?story_id=100000024QCG

By Mark Long
June 14, 2005

Those responsible for enterprise security are increasingly turning to open-source applications in lieu of security products based on proprietary code -- and for many good reasons.

"Where open-source tools have an advantage in an enterprise is in their timeliness," said cryptography guru Ed Moyle of Security Curve. "Since no budget has to be allocated to deploy an open-source tool, it can often hit the ground faster than a commercial counterpart."

On the other hand, there is the question of accountability, Moyle noted. "Since there is no commercial entity overseeing a tool, on whom can the enterprise place pressure for added features or support?"

According to most security professionals, a top-tier, open-source security tool must have sufficient history to allow a practitioner to use it with confidence. And it must have a sufficiently large developer base to ensure that fixes will be available in light of discovered vulnerabilities. Also, it must have a reasonably large user base so that support questions will already have been answered in a public forum.

But there are many tools that meet these requirements and are in fact deployed at many large companies.

Tackling Basic Security Issues

Anthony Nadalin, Chief Security Architect for IBM's software group, recommends Bouncy Castle crypto interfaces and OpenSSL -- an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols.

"What most customers are looking for are secure, reliable transactions," Nadalin said. Bouncy Castle and OpenSSL form the basis for crypto and transport-level security, Nadalin said, which is one of the base requirements every customer has.

Indeed, OpenSSL is at the top of nearly everyone's list. "I don't think the impact of OpenSSL can be overstated," said Yankee Group senior analyst Andrew Jaquith. "It single-handedly democratized encryption by making a very high-quality implementation available for everyone to use -- and all for free."

OpenSSL is commercial-grade and interoperates with digital certificates issued by public certificate authorities like VeriSign, Thawte and GoDaddy.

"Equally important, it includes the ability to generate your own private certificates for testing purposes," he said. OpenSSL also includes a library of basic crypto functions essential for validating the integrity of downloads from third-party sites via checksum algorithms.

Remote Connectivity

OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure SHell (SSH) session technology is designed to let administrators and users open a command shell on a remote host.

The impact of OpenSSH has been profound because it enables secure, safe and easy-to-use communications with remote hosts when used in tandem with public keys instead of passwords, said Jaquith. "There is no 'password' to be guessed -- the user either possesses the key (a physical file) or not."

OpenSSH lets admins use public keys with a "key agent" on the client side so that communications can be effectively passwordless. "The upshot is that using OpenSSH with public keys instead of passwords makes session communications more secure and easier to use," Jaquith said.

Like OpenSSL, OpenSSH is pretty much everywhere and comes standard on all commercial Linux distributions. "I wish Microsoft would just bite the bullet and include OpenSSH in Windows," Jaquith said. "It's much better than what they include now for a remote shell."

Jaquith also suggested that every company should use it, in all cases, instead of telnet or other legacy session protocols. "You can, of course, compile OpenSSH for Windows yourself, or buy commercial versions from companies like F-Secure or SSH Corporation."
Regulatory and Security Implications

Still, OpenSSH and OpenSSL might not meet the needs of everyone, especially given that certain companies might be limited by the regulatory constraints of Federal Information Processing Standard (FIPS) 140-2, which requires that any cryptographic module be certified before it can be used for federal data processing.

"While OpenSSL is currently being evaluated against FIPS 140, this certification is not yet completed," noted Moyle. "It is therefore inappropriate in a federal government context. The same is true of OpenSSH."

Some companies use FIPS 140 as a guideline and require that deployed cryptographic tools be certified just like would be required in a government context. In these cases, the tools can't be used because they would violate policy.

There have certainly been plenty of security flaws found in OpenSSH, OpenSSL and open-source packages like Apache Tomcat, observed Jaquith. "But generally speaking, any of the highly used packages have large user bases and a strong developer community that is motivated to fix things quickly," he said.

"All of these packages have gone through multiple releases -- dozens of revisions, actually," Jaquith said. "In the long run, the stability and longevity of the code base is an asset."

Scanning for Vulnerabilities

When it comes down to it, no matter what security system you use, you'll need to test for security vulnerabilities in your code. Both Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability scanner.

"Every security assessment nerd worth his salt knows what Nessus is," said Jaquith. "It's a good open alternative to some of the vulnerability management services. Companies that don't have active vulnerability-assessment testing programs in place should start with Nessus."

Particularly noteworthy is the fact that Nessus incorporates application-level vulnerability testing for common exploits.
What that means, explained Jaquith, is that it will use a port scanner to identify the operating system and available services. Once it finds something, it will start iterating through a series of tests written in the Nessus Attack Scripting Language. The open-source vulnerability scanner then generates a report telling the administrator what it found -- evidence of missing patches, outdated software versions, susceptibility to buffer overflows and the like.

Network Monitoring Applications

Beyond tapping OpenSSH, OpenSSL and Nessus as their top-tier picks, security experts see considerable merit in the use of open-source applications for network monitoring, host-based firewalls and Java 2 Enterprise Edition authentication and authorization.

In particular, Moyle and Jaquith recommend the Nmap port scanner, which is designed to interrogate remote hosts to see what services they are running. The open-source application usually can detect the operating system correctly as well.

"Nmap is one of those basic security-assessment tools that has a lot of uses," noted Jaquith. "For example, many companies use it to 'sweep' their networks to see what hosts are there, and to see if any of them are running services that would violate policy." Jaquith himself uses Nmap to scan his production server from time to time to verify that only certain services are running.

Barracuda Networks vice president of engineering Zach Levow points to Nagios as one of the most widely used open-source, network-monitoring applications. "Utilizing a modular-based 'polling' system, administrators can monitor hardware appliances, network equipment, server equipment and various other electronic devices to check the health of the device," Levow noted.

"In cases where machines are often being exploited or hacked, certain aspects of those devices will change very rapidly, thus triggering a monitoring alarm in Nagios, which can send an alert so the issue can be investigated," he added.

Host-Based Firewalls

IPTables and IPFW are host-based firewalls for Linux and BSD, respectively. Both of them do the same thing: They block access to particular server ports using a flexible rule-based language. "If you've got Mac OS X, for instance, you've got IPFW under the covers -- with an absolutely fantastic and intuitive GUI, I might add," said Jaquith.

The firewall software can be configured to reject connections -- typically the default -- or not respond at all. This is often called "stealth mode" because it makes the ports invisible, which frustrates scanners like Nmap. The firewall also can redirect traffic, serve as a gateway host for network address translation, or "shape" traffic for applications like VoIP. Finally, both packages can log suspicious packets, where they can be analyzed by an intrusion-detection system.

"All major Linux distributions have IPTables, and all major BSDs have IPFW," Jaquith noted. "Companies should use them to block access to all ports other than those in use; running it in 'stealth' mode is also a good idea, in my view."

J2EE Authentication and Authorization

Many companies building serious Web-based applications now use commercial Java 2 Enterprise Edition servers like BEA, IBM WebSphere and Oracle Application Server, as well as open-source products that implement the J2EE specification, including Tomcat, JBoss and Jetty. To pass the compatibility test, all of these servers must support a particular set of authentication and authorization standards.

The authentication part enables companies to plug in whatever method they choose -- looking up a password in a Lightweight Directory Access Protocol (LDAP) directory or database or demanding a digital certificate or a SecurID token. The authorization part maps the user to a set of named roles: customer, manager, administrator, auditor and so forth. This can be used by the Web application to allow or deny access to particular pages or program functions.

All J2EE servers must have this capability to be considered J2EE-compliant. What this means is that the Java world has been able to develop a highly standardized way of thinking about role-based access control.

"If you're building a Web-based application, you should be using J2EE security," Jaquith said. "Tomcat, in particular, is pervasive in enterprises for testing purposes, and increasingly for production applications. And there are plenty of do-it-yourselfers like me who use it in production."

Every Bit as Good?

Barracuda Networks' Levow sees considerable merit in the use of open-source antivirus and antispam tools, and specifically points to ClamAV as the largest and also most widely used open-source antivirus technology.

"With a well-built team of contributors helping improve the accuracy and virus definitions as they enter the digital age, ClamAV is a highly respected and very accurate antivirus engine," said Levow.

SpamAssassin, another widely used tool and one worth mentioning here, relies on a feature-rich code-base that is used to rate particular characteristics of e-mail on a point system. The administrators can then control how those e-mails will be treated, based on their point score.

"With respect to the tools I've mentioned, I don't think there is any question that they are every bit as good as their commercial equivalents," Jaquith said.

From the eyes of an attacker, said Jaquith, it certainly helps to have the source code. "But remember that most of the successful attacks are remote buffer overflows," he said. "You don't need access to the source to tell you how to mount a successful attack; either the server falls over when you throw voodoo packets at it, or it doesn't."

Bottom Line on Coding

"My view is that it is hard to compare both [open-source and proprietary security applications] on an equal footing," said CEO Mary Kirwan of international security consultancy Headfry, Inc.

Kirwan is not convinced that quality code is invariably found in open-source applications, although she would like to be persuaded otherwise.

"I suspect that the real issue is the extent to which anyone -- especially in the commercial sector -- is motivated to write decent code, with a continued emphasis on feature-rich environments and speed to market," Kirwan said. "If good coding habits and skills are taught in school, they are quickly abandoned in the real world, as promotions are rarely based on ability to spit out quality code."

By contrast, Moyle believes that the support obtained from reading an archive of an open-source tool's user list often is more accurate and timely than the support paid for in the context of a commercial purchase. The actual delivery of the tool also is timely -- "usually just minutes for a download to complete rather than weeks or months waiting for the procurement cycle," he said. "From an audit perspective, it is beneficial that the source code is exposed."

As a caveat, Moyle noted, the open-source community typically espouses the philosophy of release early, release often. "What this means in practice is that enterprises using a given tool need to keep abreast of patches and updates for the tools."
From isn at c4i.org Fri Jun 17 01:46:36 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:51:08 2005
Subject: [ISN] Hacking charges to be dropped against Palm Beach high student
Message-ID:

http://www.sun-sentinel.com/news/local/palmbeach/sfl-616hacker,0,2819449.story?coll=sfla-news-palm

By MISSY STODDARD
sun-sentinel.com
June 16 2005

WEST PALM BEACH - Charges will be dismissed against a 19-year-old Inlet Grove High student charged with hacking the Palm Beach County School District's computers if he completes parts of a deal agreed to in court on Thursday.

Ryan Duncan, of Palm Beach Gardens, has agreed to pay $2,025 in investigative costs and complete 100 hours of community service. He also has to write a letter of apology to the district.

Under the agreement overseen by Circuit Judge Lucy Chernow-Brown, the 100 hours of community service can be waived if Duncan agrees to work with the school district and create a program on the seriousness of computer crime.

Investigators believe Duncan illegally obtained a password that allowed him to access district servers. Duncan may have received the login information by looking over the shoulder of a computer technician who was working at Inlet Grove High School in Riviera Beach, where the teen is a student, district spokesman Nat Harrington said in an April interview.

Duncan was arrested that month by school district police and charged with offenses against intellectual property, a felony. He was released on his own recognizance. Under the terms of Duncan's release, he is allowed computer access only at work, sheriff's officials said.

He hacked into the system on nine occasions between December 2003 and February 2004, according to court documents. He created his own administrator account that allowed him to create other user names and IDs, documents show. He caused little damage, but the potential impact "could have been catastrophic," an investigator reported.
School district officials used his Internet Protocol address, a unique identifying number, to track him through Adelphia, his Internet provider.

Duncan told investigators that he knew his actions were illegal, but he was doing it only to gain knowledge, according to the report.

Harrington said the accounts Duncan created were deleted. In addition, the district requires users to regularly change their passwords. But no additional security measures were needed, Harrington said, since this was a matter of someone illegally obtaining a password, not a case of someone unlocking the codes of the district's computer system.

"It wasn't a security breach. It was analogous to stealing someone's keys to their house," he said.

Staff writers Akilah Johnson and Scott Travis contributed to this report.

From isn at c4i.org Fri Jun 17 01:45:16 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:52:17 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-24
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-06-09 - 2005-06-16

This week : 73 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g.
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Microsoft has released security bulletins for June, correcting vulnerabilities in various Microsoft products.

All users of Microsoft products are advised to check Windows Update for available updates.

Additional details about the vulnerabilities can be found in the referenced Secunia advisories.

Reference:
http://secunia.com/SA15606
http://secunia.com/SA15669
http://secunia.com/SA15683
http://secunia.com/SA15689
http://secunia.com/SA15690
http://secunia.com/SA15693
http://secunia.com/SA15694
http://secunia.com/SA15695
http://secunia.com/SA15696
http://secunia.com/SA15697

--

Two vulnerabilities have been reported in Java Web Start and Sun Java Runtime Environment (JRE), which can be exploited by malicious people to compromise a user's system.

More information and links to patches can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA15671

--

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Refer to the Secunia advisory below for details.

Reference:
http://secunia.com/SA15481

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
2. [SA15671] Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
3. [SA11966] Internet Explorer Frame Injection Vulnerability
4. [SA15606] Internet Explorer Two Vulnerabilities
5.
[SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
6. [SA11978] Multiple Browsers Frame Injection Vulnerability
7. [SA15602] Camino Frame Injection Vulnerability
8. [SA15659] Adobe License Management Service Vulnerability
9. [SA15292] Mozilla Firefox Two Vulnerabilities
10. [SA15683] Microsoft Windows HTML Help Input Validation Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA15726] Bitrix Site Manager File Inclusion Vulnerability
[SA15683] Microsoft Windows HTML Help Input Validation Vulnerability
[SA15669] Microsoft Windows Step-by-Step Interactive Training Vulnerability
[SA15697] Microsoft Outlook Web Access Script Insertion Vulnerability
[SA15696] Microsoft Windows Web Client Service Vulnerability
[SA15695] Microsoft Outlook Express News Reading Buffer Overflow
[SA15689] Microsoft Agent Trusted Internet Content Spoofing Vulnerability
[SA15677] Novell iManager OpenSSL Denial of Service Vulnerability
[SA15676] Novell eDirectory MS-DOS Device Name Denial of Service
[SA15694] Microsoft Windows Server Message Block Vulnerability
[SA15659] Adobe License Management Service Vulnerability
[SA15711] Finjan SurfinGate URL Encoded URL Filtering Bypass
[SA15693] Microsoft ISA Server Two Vulnerabilities
[SA15673] Symantec pcAnywhere Privilege Escalation Vulnerability
[SA15690] Microsoft Telnet Client Information Disclosure Weakness

UNIX/Linux:
[SA15679] SUSE update for bzip2/gaim/pound
[SA15663] Pico Server Directory Traversal and Buffer Overflow
[SA15661] Gentoo update for libextractor
[SA15652] WebHints Shell Command Injection Vulnerability
[SA15651] libextractor Multiple Vulnerabilities
[SA15715] Avaya telnet Two Vulnerabilities
[SA15714] Avaya Multiple Ethereal Vulnerabilities
[SA15706] SUSE update for opera
[SA15692] Trustix update for multiple packages
[SA15680] Conectiva update for cvs
[SA15664] Gentoo update for ettercap
[SA15656] FreeBSD update for
bind9
[SA15700] ViRobot Linux Server Cookie Overflow Vulnerability
[SA15685] Conectiva update for openslp
[SA15720] Mandriva update for tcpdump
[SA15719] Mandriva update for gedit
[SA15716] Avaya Products xloadimage Vulnerability
[SA15712] Avaya tcpdump Denial of Service Vulnerabilities
[SA15707] Red Hat update for squid
[SA15703] Mandriva update for rsh
[SA15699] Avaya Various Products PHP Vulnerabilities
[SA15691] Gentoo update for MediaWiki
[SA15688] Red Hat update for tcpdump
[SA15687] Red Hat update for squid
[SA15686] Red Hat update for gftp
[SA15684] Red Hat update for mikmod
[SA15682] Red Hat update for gzip
[SA15675] Red Hat update for sysreport
[SA15667] Gentoo update for gedit
[SA15662] Red Hat update for gedit
[SA15655] FreeBSD update for gzip
[SA15650] Fedora update for tcpdump
[SA15646] FreeBSD update for tcpdump
[SA15645] Ubuntu update for gedit
[SA15665] Gentoo update for lutelwall
[SA15647] LutelWall Insecure Temporary File Creation
[SA15713] Red Hat update for telnet
[SA15709] Kerberos V5 Telnet Client Information Disclosure Weakness
[SA15702] Mandriva update for gaim
[SA15701] Ubuntu update for gaim
[SA15681] Gentoo update for gaim
[SA15672] Slackware update for gaim
[SA15649] Ubuntu update for gaim
[SA15717] Avaya Various Products sharutils Vulnerabilities
[SA15668] Gentoo update for shtool/ocaml-mysql
[SA15666] ocaml-mysql Insecure Temporary File Creation

Other:

Cross Platform:
[SA15678] e107 eTrace Plugin Shell Command Injection Vulnerability
[SA15671] Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
[SA15658] Ovidentia FX "babInstallPath" File Inclusion Vulnerability
[SA15657] Siteframe "LOCAL_PATH" File Inclusion Vulnerability
[SA15653] e107 ePing Plugin Shell Command Injection Vulnerability
[SA15710] Mambo "user_rating" SQL Injection Vulnerability
[SA15708] Annuaire 1Two Cross-Site Scripting and Script Insertion
[SA15660] Invision Gallery Two SQL Injection Vulnerabilities
[SA15670] osCommerce HTTP Response Splitting
Vulnerabilities
[SA15654] Macromedia Products Privilege Escalation Vulnerability
[SA15698] Adobe Reader / Adobe Acrobat Local File Detection Weakness
[SA15648] gaim Two Denial of Service Weaknesses

========================================================================

5) Vulnerabilities Content Listing

Windows:

--
[SA15726] Bitrix Site Manager File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, System access
Released: 2005-06-16
D_BuG has discovered a vulnerability in Bitrix Site Manager, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15726/

--
[SA15683] Microsoft Windows HTML Help Input Validation Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-14
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15683/

--
[SA15669] Microsoft Windows Step-by-Step Interactive Training Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-14
iDEFENSE Labs has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15669/

--
[SA15697] Microsoft Outlook Web Access Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-14
Gaël Delalleau has reported a vulnerability in Microsoft Exchange Server, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/15697/

--
[SA15696] Microsoft Windows Web Client Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-06-14
Mark Litchfield has reported a vulnerability in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15696/

--
[SA15695] Microsoft Outlook Express News Reading Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-14
A vulnerability has been reported in Microsoft Outlook Express, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15695/

--
[SA15689] Microsoft Agent Trusted Internet Content Spoofing Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-06-14
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to spoof certain information and potentially trick a user into installing a malicious program.
Full Advisory: http://secunia.com/advisories/15689/

--
[SA15677] Novell iManager OpenSSL Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-06-13
Dennis Rand has reported a vulnerability in Novell iManager, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15677/

--
[SA15676] Novell eDirectory MS-DOS Device Name Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-06-13
Dennis Rand has reported a vulnerability in Novell eDirectory, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15676/

--
[SA15694] Microsoft Windows Server Message Block Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-06-14
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15694/

--
[SA15659] Adobe License Management Service Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-06-12
A vulnerability has been reported in some Adobe products, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15659/

--
[SA15711] Finjan SurfinGate URL Encoded URL Filtering Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-06-15
Daniel Schroeter has reported a vulnerability in Finjan SurfinGate, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15711/

--
[SA15693] Microsoft ISA Server Two Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-06-14
Two vulnerabilities have been reported in Microsoft ISA Server 2000, which can be exploited by malicious people to manipulate contents in the web cache or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15693/

--
[SA15673] Symantec pcAnywhere Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-12
A vulnerability has been reported in pcAnywhere, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15673/

--
[SA15690] Microsoft Telnet Client Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-06-14
Gaël Delalleau has reported a weakness in Microsoft Windows, which can be exploited by malicious people to gain knowledge of various information.
Full Advisory: http://secunia.com/advisories/15690/

UNIX/Linux:

--
[SA15679] SUSE update for bzip2/gaim/pound
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-06-12
SUSE has issued updates for bzip2, gaim, and pound. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15679/

--
[SA15663] Pico Server Directory Traversal and Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, System access
Released: 2005-06-13
Raphaël Rigo has reported some vulnerabilities in Pico Server, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15663/

--
[SA15661] Gentoo update for libextractor
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-10
Gentoo has issued an update for libextractor. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15661/

--
[SA15652] WebHints Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-13
blahplok has reported a vulnerability in WebHints, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15652/

--
[SA15651] libextractor Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-10
A vulnerability has been reported in libextractor, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15651/

--
[SA15715] Avaya telnet Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-15
Avaya has acknowledged two vulnerabilities in telnet, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15715/

--
[SA15714] Avaya Multiple Ethereal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-06-15
Avaya has acknowledged some vulnerabilities in Ethereal included in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15714/

--
[SA15706] SUSE update for opera
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2005-06-16
SUSE has issued an update for opera. This fixes a security issue and a vulnerability, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar, and by malicious people to trick users into executing malicious files.
Full Advisory: http://secunia.com/advisories/15706/

--
[SA15692] Trustix update for multiple packages
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-06-14
Trustix has issued various updated packages. These fix some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15692/

--
[SA15680] Conectiva update for cvs
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-13
Conectiva has issued an update for cvs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15680/

--
[SA15664] Gentoo update for ettercap
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-06-12
Gentoo has issued an update for ettercap. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15664/

--
[SA15656] FreeBSD update for bind9
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-06-10
FreeBSD has issued an update for bind9. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15656/

--
[SA15700] ViRobot Linux Server Cookie Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-06-15
Kevin Finisterre has discovered a vulnerability in ViRobot Linux Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15700/

--
[SA15685] Conectiva update for openslp
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-06-13
Conectiva has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15685/

--
[SA15720] Mandriva update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-16
Mandriva has issued an update for tcpdump.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15720/

--
[SA15719] Mandriva update for gedit
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-16
Mandriva has issued an update for gedit. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15719/

--
[SA15716] Avaya Products xloadimage Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-15
Avaya has acknowledged a vulnerability in xloadimage, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15716/

--
[SA15712] Avaya tcpdump Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-15
Avaya has acknowledged some vulnerabilities in tcpdump, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15712/

--
[SA15707] Red Hat update for squid
Critical: Less critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS
Released: 2005-06-15
Red Hat has issued an update for squid. This fixes a security issue and two vulnerabilities, which can be exploited by malicious people to disclose sensitive information, spoof DNS lookups and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15707/

--
[SA15703] Mandriva update for rsh
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-15
Mandriva has issued an update for rsh. This fixes a vulnerability, which potentially can be exploited by malicious people to overwrite arbitrary files on a user's system.
Full Advisory: http://secunia.com/advisories/15703/

--
[SA15699] Avaya Various Products PHP Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2005-06-15
Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious, local users to access files outside the "open_basedir" root, and by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15699/

--
[SA15691] Gentoo update for MediaWiki
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-14
Gentoo has issued an update for MediaWiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15691/

--
[SA15688] Red Hat update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-14
Red Hat has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15688/

--
[SA15687] Red Hat update for squid
Critical: Less critical
Where: From remote
Impact: Security Bypass, Spoofing, DoS
Released: 2005-06-14
Red Hat has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to spoof DNS lookups and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15687/

--
[SA15686] Red Hat update for gftp
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-06-14
Red Hat has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.
Full Advisory: http://secunia.com/advisories/15686/

--
[SA15684] Red Hat update for mikmod
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-14
Red Hat has issued an update for mikmod. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15684/

--
[SA15682] Red Hat update for gzip
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-06-14
Red Hat has issued an update for gzip. This fixes a vulnerability, which potentially can be exploited by malicious people to extract files to arbitrary directories on a user's system.
Full Advisory: http://secunia.com/advisories/15682/

--
[SA15675] Red Hat update for sysreport
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-06-14
Red Hat has issued an update for sysreport. This fixes a security issue, which may disclose sensitive information to malicious people.
Full Advisory: http://secunia.com/advisories/15675/

--
[SA15667] Gentoo update for gedit
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-12
Gentoo has issued an update for gedit. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15667/

--
[SA15662] Red Hat update for gedit
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-14
Red Hat has issued an update for gedit. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15662/

--
[SA15655] FreeBSD update for gzip
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-10
FreeBSD has issued an update for gzip.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15655/

--
[SA15650] Fedora update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-10
Fedora has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15650/

--
[SA15646] FreeBSD update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-10
FreeBSD has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15646/

--
[SA15645] Ubuntu update for gedit
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-06-10
Ubuntu has issued an update for gedit. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15645/

--
[SA15665] Gentoo update for lutelwall
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-13
Gentoo has issued an update for lutelwall. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15665/

--
[SA15647] LutelWall Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-13
Eric Romang has reported a vulnerability in LutelWall, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15647/

--
[SA15713] Red Hat update for telnet
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-06-15
Red Hat has issued an update for telnet. This fixes a weakness, which can be exploited by malicious people to gain knowledge of certain system information.
Full Advisory: http://secunia.com/advisories/15713/

--
[SA15709] Kerberos V5 Telnet Client Information Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-06-15
Gaël Delalleau has reported a weakness in Kerberos V5, which can be exploited by malicious people to gain knowledge of various information.
Full Advisory: http://secunia.com/advisories/15709/

--
[SA15702] Mandriva update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-15
Mandriva has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15702/

--
[SA15701] Ubuntu update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-16
Ubuntu has issued an update for gaim. This fixes a weakness in the processing of malformed MSN messages, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15701/

--
[SA15681] Gentoo update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-13
Gentoo has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15681/

--
[SA15672] Slackware update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-14
Slackware has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15672/

--
[SA15649] Ubuntu update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-06-10
Ubuntu has issued an update for gaim. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15649/

--
[SA15717] Avaya Various Products sharutils Vulnerabilities
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-15
Avaya has acknowledged some vulnerabilities in sharutils included in various products, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15717/

--
[SA15668] Gentoo update for shtool/ocaml-mysql
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-13
Gentoo has issued updates for shtool and ocaml-mysql. These fix a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15668/

--
[SA15666] ocaml-mysql Insecure Temporary File Creation
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-13
A vulnerability has been reported in ocaml-mysql, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15666/

Other:

Cross Platform:

--
[SA15678] e107 eTrace Plugin Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-13
Oliver has reported a vulnerability in the eTrace plugin for e107, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15678/

--
[SA15671] Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-14
Two vulnerabilities have been reported in Java Web Start and Sun Java Runtime Environment (JRE), which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15671/

--
[SA15658] Ovidentia FX "babInstallPath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-10
Status-x has reported a vulnerability in Ovidentia FX, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15658/

--
[SA15657] Siteframe "LOCAL_PATH" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-10
PRI[l has reported a vulnerability in Siteframe, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15657/

--
[SA15653] e107 ePing Plugin Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-10
m00fd1 has reported a vulnerability in the ePing plugin for e107, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15653/

--
[SA15710] Mambo "user_rating" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-15
pokleyzz has reported a vulnerability in Mambo, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15710/

--
[SA15708] Annuaire 1Two Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-15
Sylvain Thual has reported some vulnerabilities in Annuaire 1Two, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/15708/

--
[SA15660] Invision Gallery Two SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-06-10
James Bercegay has reported two vulnerabilities in Invision Gallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15660/

--
[SA15670] osCommerce HTTP Response Splitting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-13
James Bercegay has reported some vulnerabilities in osCommerce, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15670/

--
[SA15654] Macromedia Products Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-06-10
A vulnerability has been reported in various Macromedia products, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15654/

--
[SA15698] Adobe Reader / Adobe Acrobat Local File Detection Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2005-06-15
A weakness has been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious people to gain knowledge of certain system information.
Full Advisory: http://secunia.com/advisories/15698/ -- [SA15648] gaim Two Denial of Service Weaknesses Critical: Not critical Where: From remote Impact: DoS Released: 2005-06-10 Two weaknesses have been reported in gaim, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/15648/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Jun 17 01:46:56 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jun 17 01:52:28 2005 Subject: [ISN] Congress Reacts to Breach Onslaught Message-ID: http://www.internetnews.com/security/article.php/3513466 By Roy Mark June 16, 2005 WASHINGTON -- On a day marked by another major data security breach and more tough talk from Congress, the Federal Trade Commission (FTC) moved against a Fortune 500 company for its data protection practices. Testifying before a Senate panel investigating possible national legislation aimed at better data protection and a national data breach disclosure law, FTC Chairman Deborah Majoris said BJ's Wholesale Club agreed to settle FTC charges that it failed to take adequate measures to protect consumers' personal information. "For the first time we allege that inadequate data security can be an unfair business practice," Majoris told a Senate panel. "This action should provide clear notice to the business community to establish and maintain reasonable affirmative security measures." 
The settlement requires BJ's, which operates 150 warehouse stores and 78 gas stations in 16 states, to implement a comprehensive information security program while submitting to third-party security audits every other year for 20 years.

According to the FTC complaint, BJ's failed to encrypt consumer information when it was transmitted or stored on the company's computers and created unnecessary risks by storing the data even when it no longer needed the information. In addition, the FTC alleges BJ's failed to use readily available security measures to prevent unauthorized wireless connections to its networks and failed to take sufficient measures to detect unauthorized access.

Majoris' testimony came on the same day the Federal Deposit Insurance Corp. (FDIC) acknowledged it is in the process of notifying 6,000 current and former employees that their personally identifying information was possibly compromised in a 2004 data breach. FDIC spokeswoman Tibby Ford stressed the breach was not the result of a system hack, but the agency did not give any other details of the breach, citing an ongoing FBI investigation.

"Identity theft is a growing problem which shows no signs of abating," Sen. Dianne Feinstein (D-Calif.) told the Senate Commerce Committee. "And why should it as long as people's sensitive personal information is so easily accessible in the marketplace?"

Feinstein said that over the last two years, there have been 34 "major" data breaches involving the personal information of approximately 18 million individuals. According to the FTC, the total cost to individuals and business from identity theft was more than $52 billion.

Sen. Conrad Burns (R-Calif.) added, "People have a right to be concerned and angry." A new survey released on Wednesday by Entrust indicates they are. According to the survey of 1,003 likely U.S.
voters, 97 percent of the respondents rate identity theft as a serious problem, with 48 percent saying they now avoid online purchases out of fear of their financial data being stolen. The survey also shows that 71 percent of Americans believe new laws are needed to protect consumer privacy.

Sen. Gordon Smith (R-Ore.), who chaired the panel in Chairman Ted Stevens' (R-Alas.) absence, said he would be introducing legislation to make it a "national obligation" for businesses and government agencies to have adequate security measures in place. Smith's legislation joins a growing list of bills, including legislation by Feinstein and Sen. Charles Schumer (D-N.Y.), that seek to address identity theft and impose a national data breach disclosure law.

"Unless Congress, companies and consumers take action, this is an epidemic that threatens to spiral out of control," Schumer told the committee. "Congressional action must be quick and it must be comprehensive.

"Identity theft is not a Democrat issue or a Republican issue -- it is a non-partisan consumer and economic crisis. There is no excuse for Congress failing to act in a bipartisan way."

From isn at c4i.org Fri Jun 17 01:47:17 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:52:46 2005
Subject: [ISN] "Blue Hat" summit meant to reveal ways of the other side
Message-ID:

http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html

By Ina Fried
Staff Writer, CNET News.com
June 15, 2005

REDMOND, Wash. -- The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.

"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed "Blue Hat"--a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate color. The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company. Microsoft Chairman Bill Gates himself estimated earlier this year that the company now spends $2 billion a year--more than a third of its research budget--on security-related issues. Security has also become one of the main themes of the company's developer conferences, including last week's TechEd event, where Microsoft pitched security improvements in Windows to 11,000 attendees. Blue Hat was significant for other, less tangible reasons as well. It provided a rare glimpse inside the netherworld of computer security, where the ethical lines are sometimes fuzzy in the technological arms race between network engineers and the hackers who challenge them. During the course of the event, each side witnessed for the first time the inner workings, culture and psychology of the other. "I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us," said Dan Kaminsky, one of the outsiders who presented at the conference. Like others in the hacker group--many of whom are known as "security researchers" in their professions--he noted that the relationship ended up being the collaborative sort. Still, in such a charged atmosphere, it didn't take long for emotions to show. 
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally. Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut." For two days, Microsoft staffers took these body blows repeatedly as they learned of various exploits. On day one, several dozen executives, including some of the company's most senior ones, were exposed to this simulated wrath in a makeshift boot camp. Among the participants were Jim Allchin, Microsoft's Windows chief, and Brian Valentine, head of core Windows operating system development. The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work. Allchin is not just any high-ranking software executive: In the technology industry, his name has become largely synonymous with the Windows operating system he oversees. A strong supporter of Blue Hat, Allchin wanted the Windows group not just to hear about security issues, but to see them as well. "I'd already been through lots of days of personal training on the tools that are used to do this," Allchin said about the work of the hackers. "I personally wanted to really do a deep dive and really understand from their perspective." It was a relatively safe way to get the experience. 
In a world where "white hats" are the security do-gooders and "black hats" are the hard-core villains, the hackers at Blue Hat were hardly representative of the dark side; if they had any pigment at all, it was no more than a tinge of gray. This could well be a significant reason Microsoft held the event--to woo an influential group that has the choice of reporting security flaws discreetly or going public with them. The software maker routinely preaches the benefits of what it calls "responsible disclosure."

To the researchers, Microsoft's motivation was less important than the opportunity to meet in person with those who hold the keys to the kingdom and explain why they do the things they do.

"It is rare that I can present to the people who are both responsible for and capable of fixing the issues that I cover," security researcher HD Moore said, adding that he doesn't plan to change his practice of giving companies 30 days before going public with issues. "I still have no desire to play e-mail tag with the (security response team) for a year for every bug that I find."

But Moore did gain a better understanding of why it takes Microsoft so long to create patches and said his impression of the people who create the products has changed. "I still may not agree with their security policies and how they handle bug reports, but at least I know they actually believe what they are saying," he said.

Others agreed. "They are taking this subject seriously. It was really cool to see," said Kaminsky, a security researcher who does work for telecommunications company Avaya. "At some point, there was a shift at Microsoft."

That shift began in earnest with a well-publicized memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became imperative after several high-profile attacks exposed the degree of its vulnerabilities.
"The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will." It was this kind of impassioned rhetoric that won respect even among some of the more wary Microsoft participants. Noel Anderson, a wireless networking engineer on Microsoft's Windows team, became suspicious as soon as he walked into the hacking demo--and saw the giant wireless antenna at the front of the auditorium. Anderson decided that he should leave his laptop turned off, an instinct that saved him the embarrassment of falling into the hackers' trap, even though the hackers focused on a demo laptop. But under different circumstances, he thought to himself, "I might have even fallen for that." As a result, Anderson and his team walked away with some concrete ideas on how to make sure future versions of Windows are more resilient to wireless attacks. He also left the room with a new respect for the hackers behind the demonstration. "It's not just a bunch of disaffected teenagers sitting in their mom's basement," he said. "These are professionals that are thinking about these issues." The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered. At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up. "I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said. Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation. 
Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated Metasploit--a tool that system administrators can use to test how well their systems stand up to intrusion. But Metasploit also includes a fair number of exploits, as well as tools that can be used to develop new types of attacks.

"You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.

"We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"

Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation. "I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"

By the end of the two days, those on both sides felt they had just scratched the surface and were more than willing to meet again. And executives such as Toulouse and Anderson said they came to a better understanding of what makes hackers tick.

"We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

The next time a Blue Hat event is held, as promised by Microsoft, Kaminsky said he would jump at the chance to return--assuming Microsoft lets him back. "I'll be there next time, no matter what," he said. "I have some really interesting and devious plans coming up."

From isn at c4i.org Fri Jun 17 01:45:32 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 17 01:53:01 2005
Subject: [ISN] U.K.
government is target in e-mail attacks
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102533,00.html

By Scarlet Pruitt
JUNE 16, 2005
IDG NEWS SERVICE

LONDON -- Critical-infrastructure providers in the U.K. are being targeted in Trojan e-mail attacks designed to steal sensitive information such as passwords and documents, a national infrastructure security agency warned today.

Tailored attacks against U.K. government departments, businesses and other organizations have been occurring for a significant period of time and have recently become more sophisticated, according to the National Infrastructure Security Co-ordination Centre (NISCC).

The e-mail arrives with attachments containing Trojan horse viruses or links to Web sites that host Trojan files. A Trojan horse is an attack method in which malicious code is hidden in seemingly harmless files, and it can allow virus writers to gather information and remotely control infected machines without the owners' knowledge.

The e-mail subject headers have been written to appeal to recipients, often referring to recent news articles, the NISCC said in a briefing paper. Attacks normally focus on individuals working with commercially or economically sensitive data, it added. The subject headers and IP addresses of the e-mail suggest they are being sent from the Far East, the NISCC said.

More than 300 U.K. government departments and businesses have been targeted in the attacks, according to antivirus firm Sophos PLC, which has been working with the NISCC to identify the threats. The NISCC has not revealed the specific target organizations, and it is unclear whether information has already been stolen, said Sophos security consultant Carole Theriault.

However, the NISCC said that machines compromised by the attacks pose a threat to the confidentiality, integrity and availability of stored data and can be used to launch attacks on other networks.

"They probably saw these Trojans and panicked and wanted to inform the public of it," Theriault said. But aside from being directed at government departments, the Trojans aren't very different from e-mail threats detected by researchers every day, according to Theriault. An increasing number of attacks target specific kinds of users, and many have the ability to steal information and open back-door capabilities, she said.

Still, the NISCC warning could serve to make computer users more aware of the sophistication and prevalence of new types of e-mail attacks.

The NISCC advised possible recipients to update their antivirus software and to educate users. It advised administrators to examine firewall logs of critical systems for anomalous IP addresses and review mail server access logs for evidence of connections from unusual IP addresses. The agency has further information on detecting and mitigating the threats on its Web site [1].

[1] http://www.niscc.gov.uk/niscc/index-en.html

From isn at c4i.org Mon Jun 20 02:31:09 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:41:22 2005
Subject: [ISN] Criminals breach Equifax security for second time
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Did you catch this story? More break-ins and theft of consumers' private information. I guess that they didn't get the first solution implemented quickly enough.

========= beginning of excerpt ==========

Criminals breach Equifax security for second time

By SIMON AVERY
Friday, June 17, 2005 Updated at 8:14 AM EDT
TECHNOLOGY REPORTER
http://www.globetechnology.com/

For the second time in about a year, the credit reporting company Equifax Canada Inc. has suffered a security breach that has given criminals access to personal financial information of hundreds of Canadians. The latest case came to Equifax Canada's attention several months ago, but was made public only yesterday.
Criminals that breached the firewall gained access to 605 consumer files, which contain personal information ranging from names and addresses to type of bank loans and credit cards, payment obligations and social insurance numbers. Credit card and bank account numbers are not part of the files, but security experts say the information in the files can be used by criminals for identity theft and even to build bogus business accounts. "Their first goal is to steal as much as they can and then see what they can do with it," said Claudiu Popa, president of Informatica Corp., a network security consultancy in Toronto. A more sophisticated use would be to try to correlate some of the data with other financial information, and open merchant accounts using the stolen names. Those accounts could then be used to create bogus e-commerce sites that steal from unsuspecting on-line shoppers, he said. Neither Equifax nor police would say whether the information has been put to malicious use. A spokeswoman for Equifax Canada, Marie-Line Colangelo, said the company has informed, by mail, all the people affected, and the breach has been secured. It has also tagged the affected accounts with the heading "lost or stolen identification" to warn creditors to confirm the consumer's identity to protect against possible identity theft. She would not comment on whether the unauthorized access was by hackers breaking into Equifax Canada's computer systems, by physical theft of the information, or by other means. In a statement, the company said: "We have learned of an incident involving what appears to be the improper use of one of our customer's access codes and security passwords." The RCMP said it was contacted by Equifax Canada several months ago and has been conducting an investigation since then out of British Columbia, where most of the affected individuals live. Corporal Anthony Choy, an RCMP spokesman, would not say if the two security breaches were connected. 
The investigation into the first one is still under way and no arrests have been made, he said. A little over a year ago, Equifax reported that criminals posing as legitimate credit grantors had accessed the credit files of roughly 1,400 consumers, primarily in B.C. and Alberta. Mr. Popa said it's widely assumed in the security industry that the 2004 attack occurred when criminals managed to fool Equifax's on-line account system into granting administrator-like access -- known as an elevation of privilege attack. It's entirely possible that elements of the first crime were still present in Equifax Canada's computer system, allowing for a second breach, or that the criminals had help from the inside, Mr. Popa said. "For a credit reporting agency, this is a huge hit," he said. "All the trust goes out the window." ========= end of excerpt =========== Best regards, Mark. Mark E. S. Bernard, CISM, CISSP, PM, Principal, Risk Management Services, e-mail: Mark.Bernard@TechSecure.ca Web: http://www.TechSecure.ca Phone: (506) 325-0444 Leadership Quotes by Kenneth Blanchard: "The key to successful leadership today is influence, not authority." From isn at c4i.org Mon Jun 20 02:31:52 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jun 20 02:41:42 2005 Subject: [ISN] Linux Advisory Watch - June 17th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 17th, 2005 Volume 6, Number 24a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. 
This week, advisories were released for mikmod, tcpdump, yum, elinks, parted, system-config-securitylevel, checkpolicy, spamassassin, gaim, libextractor, Ettercap, shtool, gedit, MediaWiki, gzip, gftp, squid, rsh, sysreport, telnet, bz, and mc. The distributors include Fedora, Gentoo, and Red Hat.

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

SPF: Ready for Prime Time?
by Pete O'Hara

Introduction

As of the time of this writing, in the fight against SPAM a policy has been drafted to target sender address forging, called SPF (Sender Policy Framework). The basic premise is to verify that the sender of an email is in fact who they claim to be. If they are not, then the mail can be rejected. This could potentially eliminate a big percentage of SPAM, and who wouldn't want that? But there have been problems with SPF, and it isn't the big solution that everyone had imagined when it first hit the scene. There are a couple of plaguing issues that keep it from becoming a mature solution with a standard.

What is SPF?

The first version of SPF (also known as "Classic" SPF) was a creation of Meng Wong, founder of Pobox.com. In short, the scheme is based on domains publishing which servers are allowed to send mail for them, using DNS TXT records. A receiving MTA can then look at the domain the sender is claiming to be from and the IP address of the connecting client, check the SPF (DNS TXT) record for that domain, and verify whether the client is allowed to send mail for that domain. From the results, the receiving MTA can take appropriate actions.
The goal is to prevent sender forgery, one of the most common characteristics of spam. SPF was a proposal considered by IETF's MARID group.

Summary

I, like everyone else, would love to be able to block all SPAM and I certainly applaud all of the efforts that have been and are still being made. But it seems obvious that SPF alone isn't going to be the answer. It doesn't handle the forwarding issue and SRS isn't ready as a solution. One could argue that SPF can at least be used not to reject mail but to whitelist mail from senders that pass SPF checks. In view of spammers deploying SPF themselves this would actually be counterproductive as it gives them a form of credibility. Based on the material presented here there are options other than standalone SPF that on the surface seem to provide a better solution but the cost is that they are more complex in that they require reputation/accreditation services. But does the lack of agreement on the simpler SPF (which turned out to be not so simple once the forwarding issues surfaced) foreshadow the difficulties in standardizing more elaborate proposals? If the trend towards reputation/accreditation gains momentum, which by the way would still require some form of sender validation to be established (you can't build a dependable reputation of a sender when it can't be verified), harmony on the architecture of such services seems a very long way off. Sender verification is a problem that certainly needs to be addressed but SMTP wasn't originally designed with this functionality in mind. Therefore a viable solution is not going to be as simple as publishing DNS records of authorized mail servers. SPF on its own isn't the answer.
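The check the article describes, as an added Python example (not code from the article or the LinuxSecurity newsletter): a receiving MTA evaluates the connecting client's IP against the sender domain's published record, and the scenarios walk through the forwarding problem and the spammer-with-a-valid-record case the summary raises. All domains, addresses and records are constructed (RFC 2606 names, RFC 5737 / RFC 3849 documentation ranges), an in-memory dict stands in for DNS, and the SRS rewrite is a simplified illustration of the address shape, not a full implementation.

```python
"""Minimal SPF evaluator with a simplified SRS rewrite (added example).

Constructed data only; a dict stands in for DNS so this runs offline.
Mechanisms handled: all, ip4, ip6, a, mx, include.  Macros, redirect=,
exp= and CIDR suffixes on a/mx are deliberately left out.
"""
import hashlib
import ipaddress

# Constructed stand-in for DNS: name -> {record type -> data}.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:203.0.113.0/28 -all"},
    # A forwarding service with a correct record for its own outbound host.
    "forwarder.example": {"TXT": "v=spf1 ip4:198.51.100.200 -all"},
    # A spammer can publish a valid record for a domain it controls.
    "spammer.example": {"TXT": "v=spf1 ip4:203.0.113.200 -all"},
    "nospf.example": {},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses_of(name, dns):
    """A records of `name` as address objects (empty list if none)."""
    return [ipaddress.ip_address(a) for a in dns.get(name, {}).get("A", [])]


def check_host(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate `domain`'s SPF record for a client connecting from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = dns.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is False when address and network versions differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in _addresses_of(arg or domain, dns)
        elif mech == "mx":
            matched = any(ip in _addresses_of(mx, dns)
                          for mx in dns.get(arg or domain, {}).get("MX", []))
        elif mech == "include":
            # include: matches only if the referenced record yields "pass"
            matched = check_host(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism: unusable record
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # nothing matched, no "all" term


def srs_forward(mail_from, forwarder_domain, secret=b"constructed-secret"):
    """Rewrite an envelope sender the way a forwarder does under SRS (simplified).

    The forwarder's own domain becomes the one SPF is evaluated against.
    Real SRS also embeds a timestamp and an HMAC; the hash here only
    illustrates the address shape.
    """
    local, _, domain = mail_from.partition("@")
    tag = hashlib.sha256(secret + mail_from.encode()).hexdigest()[:4]
    return f"SRS0={tag}={domain}={local}@{forwarder_domain}"


def scenarios():
    """The cases discussed above: label -> (client IP, MAIL FROM domain)."""
    srs_domain = srs_forward("bob@example.com", "forwarder.example").split("@")[1]
    return {
        "legitimate, sent via example.com's MX": ("198.51.100.10", "example.com"),
        "legitimate, via included mailhost": ("203.0.113.5", "example.com"),
        "forged sender from spammer's host": ("203.0.113.77", "example.com"),
        "legitimate but forwarded (no SRS)": ("198.51.100.200", "example.com"),
        "forwarded with SRS rewrite": ("198.51.100.200", srs_domain),
        "spammer publishes SPF for own domain": ("203.0.113.200", "spammer.example"),
        "domain without SPF record": ("203.0.113.77", "nospf.example"),
    }


if __name__ == "__main__":
    for label, (ip, domain) in scenarios().items():
        print(f"{label:40s} {ip:16s} {domain:20s} -> {check_host(ip, domain)}")
```

Running it shows the two points the summary makes: the forwarded message from a real example.com user fails until the forwarder rewrites the envelope sender, and the spammer's own domain passes cleanly, so "pass" alone says nothing about reputation.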
Read Entire Article:
http://infocenter.guardiandigital.com/documentation/spf.html

----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment.

http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 3 Update: mikmod-3.1.6-31.FC3 9th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119277 * Fedora Core 3 Update: tcpdump-3.8.2-9.FC3 9th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119278 * Fedora Core 3 Update: yum-2.2.1-0.fc3 13th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119303 * Fedora Core 4 Update: elinks-0.10.3-3.1 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119321 * Fedora Core 4 Update: mikmod-3.1.6-35.FC4 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119322 * Fedora Core 4 Update: tcpdump-3.8.2-13.FC4 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119323 * Fedora Core 4 Update: parted-1.6.22-3.FC4 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119324 * Fedora Core 4 Update: system-config-securitylevel-1.5.8.1-1 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119325 * Fedora Core 3 Update: checkpolicy-1.17.5-1.2 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119327 * Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.9 16th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119328 * Fedora Core 3 Update: spamassassin-3.0.4-1.fc3 16th, June, 2005 Important update for a Denial of Service vulnerability, plus more bug fixes from upstream. More details available at: http://wiki.apache.org/spamassassin/NextRelease http://www.linuxsecurity.com/content/view/119332 * Fedora Core 4 Update: spamassassin-3.0.4-1.fc4 16th, June, 2005 Important update for a Denial of Service vulnerability, plus more bug fixes from upstream. 
More details available at: http://wiki.apache.org/spamassassin/NextRelease http://www.linuxsecurity.com/content/view/119333 * Fedora Core 3 Update: gaim-1.3.1-0.fc3 16th, June, 2005 More bug and denial of service fixes. http://www.linuxsecurity.com/content/view/119334 * Fedora Core 4 Update: gaim-1.3.1-0.fc4 16th, June, 2005 More bug and denial of service fixes. http://www.linuxsecurity.com/content/view/119335 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: libextractor Multiple overflow vulnerabilities 9th, June, 2005 libextractor is affected by several overflow vulnerabilities in the PDF, Real and PNG extractors, making it vulnerable to execution of arbitrary code. http://www.linuxsecurity.com/content/view/119279 * Gentoo: Ettercap Format string vulnerability 11th, June, 2005 A format string vulnerability in Ettercap could allow a remote attacker to execute arbitrary code. http://www.linuxsecurity.com/content/view/119283 * Gentoo: GNU shtool, ocaml-mysql Insecure temporary file 11th, June, 2005 GNU shtool and ocaml-mysql are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/119284 * Gentoo: gedit Format string vulnerability 11th, June, 2005 gedit suffers from a format string vulnerability that could allow arbitrary code execution. http://www.linuxsecurity.com/content/view/119285 * Gentoo: GNU shtool, ocaml-mysql Insecure temporary file 11th, June, 2005 GNU shtool and ocaml-mysql are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/119286 * Gentoo: LutelWall Insecure temporary file creation 11th, June, 2005 LutelWall is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. 
  http://www.linuxsecurity.com/content/view/119287

* Gentoo: Ettercap Format string vulnerability
  11th, June, 2005
  A format string vulnerability in Ettercap could allow a remote
  attacker to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/119288

* Gentoo: Gaim Denial of Service vulnerabilities
  12th, June, 2005
  Gaim contains two remote Denial of Service vulnerabilities.
  http://www.linuxsecurity.com/content/view/119290

* Gentoo: TCPDump Decoding routines Denial of Service
  13th, June, 2005
  While working on the tcpdump issues solved in the original version of
  this GLSA, Simon L. Nielsen from FreeBSD Security Team discovered a
  similar infinite loop DoS vulnerability in the BGP handling code
  (CAN-2005-1267).
  http://www.linuxsecurity.com/content/view/119305

* Gentoo: MediaWiki Cross-site scripting vulnerability
  13th, June, 2005
  MediaWiki is vulnerable to a cross-site scripting attack that could
  allow arbitrary scripting code execution.
  http://www.linuxsecurity.com/content/view/119306

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: gzip security update
  13th, June, 2005
  An updated gzip package is now available. This update has been rated
  as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119295

* RedHat: Moderate: gftp security update
  13th, June, 2005
  An updated gFTP package that fixes a directory traversal issue is now
  available. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119296

* RedHat: Low: squid security update
  13th, June, 2005
  An updated squid package that fixes several security issues is now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119297

* RedHat: Low: rsh security update
  13th, June, 2005
  Updated rsh packages that fix a theoretical security issue are now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119298

* RedHat: Moderate: gedit security update
  13th, June, 2005
  An updated gedit package that fixes a file name format string
  vulnerability is now available. This update has been rated as having
  moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119299

* RedHat: Moderate: sysreport security update
  13th, June, 2005
  An updated sysreport package that fixes an information disclosure
  flaw is now available. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119300

* RedHat: Low: tcpdump security update
  13th, June, 2005
  Updated tcpdump packages that fix a security issue are now available.
  This update has been rated as having low security impact by the Red
  Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119301

* RedHat: Low: mikmod security update
  13th, June, 2005
  Updated mikmod packages that fix a security issue are now available.
  This update has been rated as having low security impact by the Red
  Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119302

* RedHat: Low: squid security update
  14th, June, 2005
  An updated squid package that fixes several security issues is now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119312

* RedHat: Moderate: telnet security update
  14th, June, 2005
  Updated telnet packages that fix an information disclosure issue are
  now available. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119313

* RedHat: Low: bzip2 security update
  16th, June, 2005
  Updated bzip2 packages that fix multiple issues are now available.
  This update has been rated as having low security impact by the Red
  Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119329

* RedHat: Moderate: mc security update
  16th, June, 2005
  Updated mc packages that fix several security issues are now
  available for Red Hat Enterprise Linux 2.1. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/119330

* RedHat: Moderate: gaim security update
  16th, June, 2005
  An updated gaim package that fixes two denial of service issues is
  now available. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/119331

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 20 02:32:16 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:41:55 2005
Subject: [ISN] Leak of secret plan to protect G8 leaders sparks security alert
Message-ID:

Forwarded from: William Knowles

http://news.independent.co.uk/uk/politics/story.jsp?story=648029

By Francis Elliott
Deputy Political Editor
19 June 2005

Tony Blair's preparations for the G8 summit were last night thrown into disarray as confidential security information relating to the Gleneagles meeting was leaked to The Independent on Sunday.
Details of the effort to protect the eight most powerful people on the planet, code-named Operation Sorbus, including the location of special forces during the summit, have been revealed by a member of the intelligence community in Scotland appalled by ministers' "complacency".

The information includes:

* details of the threat, including assessments of the risk from chemical, biological and radiological attack;

* an analysis of the Gleneagles resort's vulnerable areas;

* maps showing the precise location of lines of reinforced fencing to keep out would-be suicide bombers and protesters;

* and aerial photographs of the estate marking likely terrorist targets.

For security reasons, the IoS will not disclose operational details, but we publish here the codename for the operation and official photographs showing the estate and hotel where George Bush, Vladimir Putin and other world leaders are staying for three days next month.

The IoS was also told the location of a base to be used by special forces, the positioning of regular troops and details of a wrangle between US and British agents over the deployment of surface-to-air missiles.

The whistleblower revealed the highly sensitive information because, he said, he wanted to shock ministers, who he claimed were taking for granted security arrangements for the summit. It takes place in three weeks' time.

He said: "I have been increasingly appalled by the air of complacency surrounding this event, particularly as displayed by ministers. The release of a portion of non-operational material is intended as a wake-up call before that complacency becomes truly dangerous."

David Davis, the shadow Home Secretary, said the leak was potentially an "immensely serious breach of national security". He said: "The immediate task for the Home Secretary must be to reappraise all aspects of security at the G8 in the light of this breach to ensure the safety and security of all those attending."
The operation to secure Gleneagles is being led by Tayside police, supported by the security services and the Army, at an estimated cost of £100m. The force is already braced for an influx of tens of thousands of people determined to register their protest at the resort itself.

Concern is mounting within the intelligence community that the Government is failing to ensure all organisations are working smoothly together.

Confidence in the security of high-profile figures was undermined last week when The Sun claimed to have secretly filmed Prince Harry as he trained at Sandhurst military academy after gaining access unchallenged. Today's revelation ahead of the G8 will be viewed with far greater alarm, however, since it calls into question Britain's ability to protect the world's leaders.

Security services in the US, Russia and elsewhere will be closely monitoring preparations in Gleneagles to ensure that their premiers will be safe. They will have noted that Tayside police is already braced for the prospect of tens of thousands of protesters demonstrating on the perimeter of the hotel's grounds.

The local authority has rejected an application for a march past the hotel, though as a concession, Perth and Kinross Council has given permission for a rally of up to 4,500 in the neighbouring town of Auchterarder on 6 July, the opening day of the summit. Protesters warn, however, that as many as 20,000 could descend to make their voice heard and are urging the police to accommodate organised demonstration.

The former Labour MP Tony Benn and Alex Salmond, leader of the SNP, are among those calling on the Government to overturn the council ban. However, Bob Geldof, the organiser of Live8 who caused consternation by calling on a million people to gather in Edinburgh, is urging people to stay away from the Perthshire resort, saying it does not matter whether protesters are "1,000 miles or 1,000 yards" away.
Nevertheless, it seems likely that some groups are determined to travel to the summit itself and police arrested three protesters in scuffles outside a preparatory G8 meeting of home affairs ministers in Sheffield on Thursday in a foretaste of what could occur.

Security surrounding the annual G8 summit has been relentlessly increased each year, driven by fears of anarchist protest and terrorist attack. The 2001 summit in Genoa was marred by violent clashes and the death of one anti-globalisation protester.

All the security material passed to this newspaper has now been destroyed.

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jun 20 02:32:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:42:21 2005
Subject: [ISN] Botnet Hunters Search for 'Command and Control' Servers
Message-ID:

http://www.eweek.com/article2/0,1759,1829347,00.asp

By Ryan Naraine
June 17, 2005

Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style.

The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers.

"The idea is to share information and figure out where the botnets are getting their instructions from. Once we can identify the command-and-control server, we can act quickly to get it disabled.
Once the head goes, that botnet is largely useless," said Roger Thompson, director of malicious content research at Computer Associates International Inc.

Thompson, a veteran anti-virus researcher closely involved in the effort, said the group includes more than 100 computer experts (unofficially) representing anti-virus vendors, ISPs, educational institutions and dynamic DNS providers internationally.

"It's just a bunch of good guys that have an interest in shutting down these botnets. We are dealing here with some very skilled and sophisticated attackers who have proven they know how to get around the existing defense systems," Thompson said in an interview with Ziff Davis Internet News.

Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines.

"Once we get our hands on the Trojan or we get one of our own machines compromised, we can easily observe what it's doing and which server it is talking to," he said. "We started off trying to pinpoint the individual drones and getting those shut off, but that approach hasn't worked. As soon as you clean one up, it is replaced by another 20 or 100. We had to shift the focus toward the command-and-control."

The C&C infrastructure is most often an IRC (Internet Relay Chat) server installed illegally on a high-bandwidth educational or corporate network. As Thompson explained, the botnet (short for "robot network") is a collection of broadband-enabled computers infected with worms and Trojans that leave back doors open for communication with the C&C.

Earlier this month, anti-virus vendors spotted an alarming new virus attack that used three different Trojans, all communicating with each other, to disable anti-virus software and seed new botnets. Once a machine becomes infected, it automatically scans its own network to find other unpatched systems.
"It has reached a stage where we are sure we are dealing with very smart, very savvy people who know their way around anti-virus scanning engines. They have figured out that they can get in, quickly disable the armor, then go out and download instructions," Thompson said.

As the botnet grows, it becomes a lucrative asset to its owner, and Thompson said there is evidence that the compromised machines are being rented out for spam runs, distributed denial-of-service attacks linked to business blackmail and, more recently, for the distribution of adware/spyware programs.

Randal Vaughn, professor of computer information systems at Baylor University, is the man responsible for gathering data and compiling statistics for the drone armies research and mitigation mailing list, one of the more active vigilante efforts.

In an interview, Vaughn said the group has noticed quite a range of botnets, with some C&C servers managing as many as 100,000 compromised machines. "Some have just 1,000 drones but some are quite large, and there's also a lot of cross-infections where one machine is talking to multiple command-and-controls," he said.

In those cases, Vaughn said it becomes even tougher for an ISP or autonomous system operator to shut down the command center. "We've seen drones in multiple bot armies, and in some cases, they're even sold or traded from one owner to another."

A key part of the vigilante effort, Vaughn said, is to work closely with the network operators to quickly strangle the botnet once the C&C is pinpointed. The operators of ASNs (autonomous system numbers) have been largely reticent in the past, but Vaughn said the relationship has improved because network operators now see a business value in clamping down on botnets.

An ASN is a number assigned to a group of network addresses, managed by a particular network operator, sharing a common routing policy. Most ISPs, large corporations and university networks have an ASN.
According to Vaughn's latest data, the ISPs that are most often plagued with botnet command-and-control include Yipes Communications Inc., Sago Networks, Inc., Staminus Communications and Korea Telecom.

Gadi Evron, the Israeli government's CERT manager who oversees the vigilante effort, said the ASN network operators are becoming more proactive. "This month we would especially like to commend Staminus, who contacted us and have since made incredible efforts to deal with the threat. Also, we'd like to mention Internap for their continuous efforts," he said in a recent public update on the group's work.

Evron reported that the Trojan horses used most in botnets include those recently spotted by anti-virus vendors: Korgobot, SpyBot, Optix Pro, Rbot, AgoBot, PhatBot.

"I think our efforts are working. It's not eliminating the botnets, but it's slowing them down," CA's Thompson said. "A lot of it has been cleaned up, but the trouble is that the bad guys are learning as well. It's the classic cat-and-mouse game to find the command-and-controls before they figure out we're on the tail and start moving them around."

Thompson, who is convinced that adware installation affiliate dollars are financing the growth of botnets, concedes that the war will never be won. "We've got to do something to mitigate it. Unless we get all the adware companies shut down and cut off the supply of money, it's always going to be there."

Baylor University's Vaughn agreed. "Just last night, I saw a 10 percent increase in command-and-control detections, so we know they're being replaced just as fast."

He declined to provide numbers on actual shutdowns but insisted that the group is seeing positive results. "We're breaking through the network operators and getting them to a level of awareness that is encouraging. Quite a few of the command-and-control centers are no longer showing up, so we know it's working," Vaughn added.
Because the botnet scourge is an international issue, Vaughn said the group's efforts are sometimes stymied by a communication gap. "The command-and-controls have a tendency to hop around a bit. They can hop from one autonomous system to another in a matter of days, especially the very active ones, so it's always tough to start talking about being successful."

Even when a C&C gets taken out, the drones within that botnet are still susceptible to infection because they are usually unpatched and vulnerable for future infection. "We have the other issue of cross-infections, where you kill one command-and-control and the drone is still talking to another one. These are patterns we're trying to identify," Vaughn said.

Thor Larholm, senior security researcher at PivX Solutions LLC, said Vaughn's data is a good indication of the scale of the botnet problem. Larholm, who also participates in the vigilante initiative, said the detection of new infections and C&Cs are leading to "active cooperation" between researchers and ISPs.

"A key part is to work with the ISPs to shut down Internet access to these compromised machines. A lot of the problem-solving lies in hands of ISPs, and sometimes they can be slow-moving."

From isn at c4i.org Mon Jun 20 02:32:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:42:35 2005
Subject: [ISN] Identity theft of FDIC employees leads to bank fraud, union says
Message-ID:

http://www.govexec.com/dailyfed/0605/061705p1.htm

By Daniel Pulliam
dpulliam @ govexec.com
June 17, 2005

Personal data including Social Security numbers on nearly 6,000 current and former Federal Deposit Insurance Corporation employees was stolen early last year, and some of the data has been used for fraudulent purposes.

A June 10 letter [1] from the director of the agency's administration division states that the "unauthorized released" of the information included data on all FDIC employees that were in an official pay status since July 2002.
There are about 5,200 current workers. The stolen data included names, birthdays, salaries, Social Security numbers and length of service information. The FBI and the agency's Office of Inspector General are investigating the theft.

In a few of those cases, the letter states, "this information is known to have been used to obtain fraudulent loans from a credit union."

An FDIC spokeswoman said that the agency first found out about the stolen data on March 30 when the agency's inspector general notified the agency that former FDIC employees were victims of apparent fraud. The next day, employees affected by the fraud were notified and it was not until June 9 that the extent of the stolen data was discovered.

An FBI spokesman declined to comment on the investigation.

The letter does not explain why it took so long for the agency to notify the employees or how the data was stolen other than it was a "security breach involving unauthorized access to personal information on a large number of current and former FDIC employees."

According to the National Treasury Employees Union, which represents nearly 5,000 FDIC employees, at least 28 cases of identity theft have occurred, including loans taken out under the employees' names at a government credit union.

The letter states that the loss of data was not the result of a failure of the agency's cybersecurity programs and that the agency is taking steps to make sure this does not happen again.

In May, the Government Accountability Office released a report [2] stating that while FDIC had improved weaknesses in its cybersecurity controls, it had yet to establish a comprehensive security management program. In previous audits of the agency's cybersecurity standards, GAO found the agency severely deficient.

According to an FDIC source, the data was culled from a stolen paper copy of the employee information and no electronic hacking occurred.
In the letter, Arleas Upton Kea, the administration division director, encouraged all employees potentially affected by the security breach to obtain full credit reports from the three major credit bureaus.

"You should remain vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft to the local police and the credit bureaus," Kea wrote.

Though recent federal law allows people to get free annual credit reports, the law will not be implemented in the District of Columbia and in Mid-Atlantic and Northeastern states until Sept. 1, though some states in those regions have laws allowing for the free credit report. To cover the cost - estimated by the FDIC at about $30 - employees are told to submit a petty cash claim to the agency.

On Thursday, NTEU President Colleen M. Kelley forwarded a letter [3] to FDIC's human resources associate director Miguel Torrado, asking the agency to obtain or pay for credit monitoring services from all three credit bureaus for the affected employees for at least a year.

Kelley also asked the agency to give the employees and credit bureaus investigative reports so fraud alerts can be kept on their accounts for at least a year.

"We expect the FDIC to do everything it can to help the impacted employees, including hiring a credit monitoring service and identity theft resolution company," Kelley said in a statement.

This is the third known case announced this year of federal workers' personal data either being lost or stolen. Last month, travel credit card data [4] for about 80,000 Justice Department employees stored in a laptop was stolen from a travel agency's Fairfax, Va., office. Earlier this year, charge card data [5] for nearly 1.2 million federal employees, including some senators, went missing while Bank of America was shipping the data to a secure location. In both cases, no information has been released as to what happened to the data.
[1] http://www.govexec.com/pdfs/nteuemployeeletter.doc
[2] http://www.gao.gov/new.items/d04630.pdf
[3] http://www.govexec.com/pdfs/nteufdicletter.pdf
[4] http://www.govexec.com/dailyfed/0605/060305lb.htm
[5] http://www.govexec.com/dailyfed/0205/022805p2.htm

From isn at c4i.org Mon Jun 20 02:33:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:42:52 2005
Subject: [ISN] NIST to begin accrediting labs for voting system evaluations
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/36146-1.html

By William Jackson
GCN Staff
06/17/05

The National Institute of Standards and Technology has begun an accreditation program for laboratories that want to evaluate voting systems under the Help America Vote Act.

The 2002 act contains standards that must be met, beginning in 2006, for mechanical, electromechanical and electronic voting systems used in federal elections. These standards include:

* A method to let voters verify and correct their votes before the ballot is cast

* A paper audit trail that will serve as the official record of the election in the event of a recount

* Accessibility for persons with disabilities and non-English speakers

* A test error rate of not more than one error in 500,000 ballot positions.

The Election Assistance Commission enforces the standards, but accreditation of test labs is being done by NIST under the National Voluntary Accreditation Program (NVLAP). NIST announced plans for the program one year ago and held a public workshop on the plans in August. NVLAP accreditation is a requirement for final certification by the Election Assistance Commission.

Applications are available and must be submitted by Aug. 16 for the first evaluation group. The first evaluations are expected to begin Sept. 15. Applications received after the initial deadline will be considered on an as-received basis.
Laboratories must pay a nonrefundable, one-time application fee, as well as an on-site assessment fee and an annual technical-administrative support fee.

Requirements and forms are available by calling (301) 975-4016; by writing to Voting System Testing Program Manager, NIST/NVLAP, 100 Bureau Dr., mail stop 2140, Gaithersburg, MD, 20899-2140; or by e-mailing nvlap@nist.gov. For more information contact Jeffrey Horlick of NVLAP at jeffrey.horlick @ nist.gov

From isn at c4i.org Mon Jun 20 02:29:52 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:43:16 2005
Subject: [ISN] MasterCard Says 40 Million Files Are Put at Risk
Message-ID:

Forwarded from: jpippin

http://www.nytimes.com/2005/06/18/business/18cards.html

By ERIC DASH and TOM ZELLER Jr.
June 18, 2005

MasterCard International reported yesterday that more than 40 million credit card accounts of all brands might have been exposed to fraud through a computer security breach at a payment processing company, perhaps the largest case of stolen consumer data to date.

MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

About 13.9 million MasterCard accounts were compromised as well as those of unspecified numbers of Visa, American Express and Discover customers. The accounts affected included credit cards and certain kinds of debit cards. The F.B.I. said it was investigating.

Sharon Gamsin, a MasterCard spokeswoman, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, on when the inquiry began or on whether any infiltrators had been identified. She did say that the breach occurred this year.
Deborah McCarley, a spokeswoman for the F.B.I. field office in Phoenix, said that her agency was trying to establish the scope of the breach and that "the investigation is just beginning."

MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its own computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants' transactions but not retained by CardSystems.

Bill Reeves, a CardSystems spokesman, said last night that "there is quite a bit of transactional data that goes back and forth," but he declined to say whether the company was inappropriately storing consumer data, as MasterCard indicated.

CardSystems said it identified a potential security problem on May 22 or May 23 and contacted the F.B.I., then the Visa and MasterCard associations. It said steps were taken immediately to ensure all systems were secure. "Our goal is to cooperate fully with the F.B.I.," it said.

According to MasterCard, an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems' network, exposing cardholders' name, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

"The processing companies are hubs for millions of payment records," said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a digital rights group based in Washington. "It is the juiciest target for an individual who wants account numbers. It is a honeypot for identity thieves."

He suggested that customers monitor their bills for unauthorized charges and consider asking their card issuer for a new account number.

MasterCard said other personal data that might contribute to identity theft, like Social Security numbers and dates of birth, was not stored on its cards and therefore not at risk.
And it said credit card holders would not be liable for any fraudulent charges to their accounts. It said specific advice to cardholders as to precautions or recourse would have to come from the banks issuing the cards.

Officials at major card issuers like Citigroup said they had been notified of the breach only recently - in some cases as late as yesterday - and were still assessing the scope of the problem.

Janis Tarter, a spokeswoman for Citigroup's credit card division, said her company would notify customers likely to be at risk and more closely monitor any accounts that might have been affected. A Chase Card spokesman said his company was taking similar steps.

MasterCard said the investigation began when it was notified by several banks that they had detected atypical levels of fraudulent charges. In turn, MasterCard began monitoring information from those accounts for common purchasing points. Using complex data-analysis systems and the assistance of an outside forensics firm, it was able to home in on an unspecified bank receiving spending data from merchants.

"When we started to dig into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions," said John Brady, MasterCard's head of merchant risk services. He said CardSystems was "no longer storing the sensitive data."

Although 40 million credit card accounts were said to have been put at risk, it is not clear whether data on all of those accounts, or only some, was actually stolen. Nor would MasterCard and investigators detail the number of individuals affected or dollar amounts involved in any of the fraud detected.

The breach represents by far the largest in a relentless string of recent security failures at financial institutions, data aggregators, media companies and other organizations that compile, store and transmit consumer data.
Just last week, the financial giant Citigroup announced that nearly four million consumer records, stored on magnetic computer tapes, had been lost during a routine shipment by United Parcel Service to a credit reporting agency. Those tapes were not encrypted and they have not yet been found.

The growing concern over many of these breaches has been that information like Social Security numbers, names, addresses and dates of birth can be used to open new lines of credit, secure loans and otherwise engage in identity theft.

But the account numbers exposed in the most recent incident are the real lingua franca of cybercriminals, who either use them to purchase stolen goods, secure cash advances or sell the numbers in bulk at underground sites on the Internet.

Three of the most notorious online sites engaged in credit-card fraud and peddling, known as ShadowCrew, DarkProfits and CarderPlanet, were taken down in an extensive investigation by the F.B.I., known as Operation Firewall. But other sites - typically based in Russia and other parts of the former Soviet Union - continue to thrive, and "dumps" of credit-card numbers are routinely advertised, bought and sold.

It is far from clear where the CardSystems data was being siphoned to, but Mark Rasch, the former head of computer crime investigations for the Justice Department and now senior vice president of Solutionary, a security company that has several payment processing outfits as clients, said the breach appeared to be particularly savvy.

"We've seen data security breaches involving computer viruses and worms," Mr. Rasch said, "but not typically at a processor. What's unique about this is that it appears to be a very targeted attack, which makes it sound very clever and insidious."
From isn at c4i.org Mon Jun 20 02:37:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 20 02:43:32 2005
Subject: [ISN] Hackers deface Beijing's security website
Message-ID:

http://news.ft.com/cms/s/8c70623e-e132-11d9-a3fb-00000e2511c8.html

By Mure Dickie in Beijing
June 20, 2005

Chinese hackers have defaced the website of a police-run security company that is leading a new effort to strengthen the Communist government's control over the internet.

The action by unknown hackers against the website of the Beijing General Security Service Co comes amid its drive to recruit a corps of 4,000 "internet security guards" to monitor the online activities of people in the Chinese capital.

"A security company that cannot even protect its own website can hardly talk about security," the hackers wrote in a notice that appeared on the site's news section last week.

The action against Beijing General Security underlines the challenges Chinese officials face in their campaign to tame the internet. However, the company's continuing drive to recruit online overseers underlines Beijing's determination to prevent the internet from posing any challenge to the Communist party's monopoly on political power.

"Agents of hostile forces at home and abroad are using the internet to engage in propaganda, infiltration, incitement and sabotage," an official of Beijing General Security said. "Strengthening management of the internet is of special significance for the strengthening of the party's ability to govern."

The guards whom Beijing General Security is recruiting will be assigned to around 3,000 "internet access work-units", including telecommunications operators and internet service providers as well as 800 internet cafés around the capital. Activities such as internet fraud, promoting the banned Falun Gong sect or online pornography are to be stopped and reported to police.

China already uses a range of methods including automated scanning to crack down on online activity.
Local websites are regularly shut down, thousands of overseas sites are blocked and internet dissidents are routinely harassed or jailed. International companies that operate internet businesses are expected to support such efforts and some have proved willing to do so.

Microsoft's new Chinese joint-venture internet portal, for example, has been banned from using a range of potentially politically sensitive words including "democracy" and "freedom" to label personal websites set up using its free online blog service, MSN Spaces.

From isn at c4i.org Tue Jun 21 01:54:34 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 21 01:58:47 2005
Subject: [ISN] Fake Documents Got Workers Into Nuke Plant
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/06/20/AR2005062000648.html

By DUNCAN MANSFIELD
The Associated Press
June 20, 2005

KNOXVILLE, Tenn. -- Sixteen foreign-born construction workers with phony immigration documents were able to enter a nuclear weapons plant in eastern Tennessee because of lax security controls, a federal report said Monday.

Controls at the Y-12 weapons plant have since been tightened and there was no evidence the workers had access to any sensitive documents, said the National Nuclear Security Administration, which oversees nuclear weapons facilities for the Department of Energy.

However, the DOE inspector general's office said in the report issued Monday that its field agents found "official use only" documents "lying unprotected in a construction trailer which was accessed by the foreign construction workers" at the plant.

"Thus, these individuals were afforded opportunities to access ... (this) information," the inspector general wrote. "We concluded that this situation represented a potentially serious access control and security problem."

The report, initiated by a tip in 2004, said the workers had fake green cards that certified them to work in the United States.
Their cases were turned over to the Immigration and Customs Enforcement agency for deportation.

The Y-12 plant, created for the top-secret Manhattan Project that developed nuclear bombs in World War II, makes parts for nuclear warheads and is the country's principal storehouse for weapons-grade uranium. The plant in Oak Ridge, about 25 miles west of Knoxville, has been criticized for losing keys to sensitive areas and purported cheating on security drills, weaknesses that officials say have been corrected.

In response to the foreign workers' intrusion at the plant, visitors now must provide passports or birth certificates along with other background information.

National Nuclear Security Administration spokesman Steve Wyatt said that agency and managers for Y-12 contractor BWXT became concerned earlier this year about the potential for uncleared workers entering a construction site within the Y-12 complex, mostly involving steel and concrete workers. He said the case was turned over to the IG after investigators confirmed that some undocumented workers had access to the area.

The inspector general said it was particularly concerned about allowing subcontractors to self-certify the citizenship of their employees, and that the Office of Counterintelligence didn't know foreign construction workers were at the Y-12 site until it was notified by the inspector general's office.

___

On the Net:
DOE Inspector General: http://www.ig.doe.gov

From isn at c4i.org Tue Jun 21 01:54:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 21 01:59:02 2005
Subject: [ISN] Computers' Insecure Security
Message-ID:

http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm

By Sarah Lacy
June 17, 2005

Software meant to protect PCs is now an attack target, revealing a rising number of flaws -- even more than those of Microsoft products

Think you're safe because your computer has the latest antivirus program, complete with daily updates via the Web?
Or maybe you figure the firewall you have installed will stop malicious software from reaching your machine. Well, you may not be as secure as you think. Hackers are increasingly finding flaws in the very programs designed to prevent attacks -- computer-security software.

A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft (MSFT ) products. The majority of these weaknesses are found by researchers, academics, and security companies. Trouble is, hackers then take those findings and use them for nefarious purposes.

SAME EXCUSE.

Last year, researchers found 60 flaws in a variety of computer-security programs, almost double the 31 vulnerabilities discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst who culled a national database of reported software vulnerabilities. Through May, 2005, 23 software glitches have been counted -- already up 50% over last year. And that figure doesn't include those yet to come this summer, when the biggest attacks are usually launched. So far this year, researchers have only found 22 vulnerabilities in Microsoft's products.

The trend is an embarrassment for computer-security outfits who have made billions protecting PCs from cybercrooks. And much of that work has come from fixing, or protecting against, lapses in the security of Microsoft products. Now, it seems, the tables may be turning. Indeed, security concerns are offering the same reason for glitches as many software makers: "Everyone knows there's no way to have perfect software," says Jimmy Kuo, a research fellow with McAfee (MFE ).

Symantec (SYMC ) has had the most reported vulnerabilities, with 16 documented last year (see BW Online, 6/17/05, "A New Frontier for Hackers?"). But so far this year, it has fared better: Through May, only two vulnerabilities were reported.

BRAGGING RIGHTS.
Still, Symantec is a target because it's the market leader. Hackers generally want to crack programs with the largest installed base -- thus offering the maximum impact for their exploits. That's one of the rationales Microsoft has used to explain why its products seem to have so many reported security glitches.

But Jaquith points out that McAfee, the second-largest security player, decreased its vulnerabilities over the last year. "This is a leading indicator of the relative quality of the two products," he argues.

Symantec executives declined to grant an interview. But the outfit did issue a statement saying the report compares the products of a single company -- Microsoft -- to the entire security industry. "This is not an apples-to-apples comparison," the statement said. Jaquith responds that the comparison was made because Microsoft has been hackers' target of choice. He notes that more broadly, security vulnerabilities grew at a pace greater than the whole software industry last year.

What's driving the increasing discovery of flaws in the very products supposed to prevent attack? Part of it comes down to professional bragging rights. Computer-security consultants and researchers are always out to prove they can find vulnerabilities in software. The idea is: Once those holes have been discovered and made public, the businesses will move quickly to patch their programs. Having torn through Microsoft's operating system for years, security programs provide new opportunity for researchers.

Meanwhile, many hackers have started finding flaws in security software out of necessity. The software has become so prevalent, it was blocking most modes of attack.

WAKE-UP CALL.

While more flaws are being found, only one has been exploited to launch a massive attack over the Internet. The Witty Worm, which targeted security concern Internet Security Systems' (ISSX ) software, was sent 72 hours after the vulnerability was disclosed on Mar. 20, 2004.
A subset of ISS customers who get real-time patches over the Web were protected, but others were not, says ISS Chief Executive Thomas Noonan. The worm wrote over sections of infected hard drives, rendering the machines unusable. In all, 12,000 servers were infected.

But the malicious software trashed more than hard drives: ISS's stock dropped about 5%, to $15.98, after the worm was announced. It has since climbed back, to close at $21.60 on June 16. ISS has only had three vulnerabilities in its history, but Noonan calls it a wake-up call nonetheless. "Less than 1% of our customers were compromised, but dealing with that 1% was enormous," he says. "It has affected a number of things we do internally." Noonan wouldn't comment further about the attack's repercussions, as it's under a company investigation.

DANGEROUS DAWNING.

That should have been a wake-up call to other companies as well. Jaquith advises vendors to ratchet up their internal testing. Both Symantec and McAfee recently acquired consulting firms that are experts in launching test attacks before the software is released. "They both have the tools in-house, it's a question of putting them to use," he says.

Vendors say they're already taking the threats seriously. Indeed, a new reality may be dawning for the antivirus world -- code just isn't safe anymore, no matter how good. "Software is software," says Ken Silva, chief security officer for VeriSign (VRSN ). "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter." If the security industry is going to keep growing at double-digit rates, it'll have to get smarter, too.

-=-

Lacy is a BusinessWeek Online reporter in San Mateo, Calif.
Edited by Ira Sager

From isn at c4i.org Tue Jun 21 01:55:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 21 01:59:21 2005
Subject: [ISN] OMB modifies security reporting
Message-ID:

http://www.fcw.com/article89321-06-20-05-Web

By Florence Olsen
June 20, 2005

The Office of Management and Budget has issued new security reporting guidelines [1] that emphasize contractor oversight and data privacy protections. OMB officials, however, have not released the scoring templates used to determine agencies' grades for compliance with the Federal Information Security Management Act.

Under the 2005 FISMA reporting guidelines issued June 13, agencies will have to answer new questions about data privacy and contractor oversight in reports they must submit to OMB by Oct. 7. When OMB officials added the new questions, they also dropped some old ones. Agencies, for example, will no longer have to report how many times they were victims of a malicious code attack because someone in the agency had not installed a necessary security patch.

The new guidelines emphasize that agencies are responsible for ensuring that federal contractors maintain appropriate security controls on equipment used to deliver network or other managed services. The security controls also apply to contractor support staff, government-owned and contractor-operated equipment and contractor-owned equipment in which any federal data is processed or stored.

"Agencies must ensure identical, not equivalent security procedures," according to the guidelines. That means agencies must make certain that federal contractors conduct risk assessments, develop contingency plans, certify and accredit their systems and everything else that federal agencies must do to comply with FISMA. The guidelines further state that those federal and contractor responsibilities must be spelled out in any contracts that agencies award.
The guidelines' focus on contractor systems answers some criticisms that congressional auditors made in a recent report. The Government Accountability Office faulted OMB in May for not incorporating FISMA requirements into the Federal Acquisition Regulation, which governs federal contracting. Federal contractors have expressed mixed reactions to the heightened attention that GAO and OMB officials are giving to information systems security. Harold Gracey, executive consultant at Topside Consulting Group, said federal contractors already do a good job of protecting government information. But "it is worthwhile to follow up and make sure what people are saying they're doing is actually happening," he added. Others say the new scrutiny is justified. Federal contracts should be written as outsourcing contracts because that is what they are, said Jody Westby, managing director at PricewaterhouseCoopers. Most federal contracts lack adequate oversight provisions and requirements for contractor systems, she said. Such provisions are found in most master service agreements in the private sector because corporate managers treat all such agreements as outsourcing contracts, Westby said. Uniform federal contractual language covering not only information security but also workforce and physical security relative to IT systems would help ensure that contractors are maintaining proper security, she said. If OMB developed standard contractual clauses for security consistent with FISMA, everyone could benefit, Westby said. "FISMA is an enterprise security program," she said, and the related policy and technical guidance developed by the National Institute of Standards and Technology is "world class -- it's excellent." "Anybody who is handling data for the federal government should be able to comply with those standards," Westby said. 
But whether the contractor or the agency pays for the additional security oversight is something that would have to be worked out on a case-by-case basis if it is not included in standard contracting language, Westby said. "The cost of who pays for it is a discussion that needs to be had."

[1] http://www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html

From isn at c4i.org Tue Jun 21 01:56:16 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 21 02:00:43 2005
Subject: [ISN] Lost Credit Data Improperly Kept, Company Admits
Message-ID:

http://www.nytimes.com/2005/06/20/technology/20credit.html

By ERIC DASH
June 20, 2005

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."
The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards. MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system." CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others. It is not clear whether those numbers could yet grow. The details about CardSystems' handling of the data raised new questions about the effectiveness and enforcement of the standards established by the card companies for data protection and storage. To protect cardholders, Visa and MasterCard have long-established policies for the merchants and processors that handle transactions on their payment network. They require their processors, for example, to hire a certified outside assessor to do an annual security assessment. Processors must also conduct a quarterly self-evaluation and scans for network vulnerabilities. The card associations have also spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to review compliance. But one kink in this chain - one processor that fails to comply - can put untold numbers of cardholders at risk of fraud. "The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners." 
Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they are really serious about these programs, they should pay attention to how the processors are guarding the data, and they are not," she said. After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards. Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said. It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so. Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise." Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004. CardSystems, based in Tucson, processes more than $15 billion in payments for small to midsize merchants and financial institutions each year. MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said. CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing. Only MasterCard affirmed that it knew of specific instances of fraud against its customers traced to the CardSystems breach. 
Visa said it was monitoring the situation but had yet to detect any fraud traceable to the case. Those companies, along with American Express and Discover, said their cardholders would not be liable for fraudulent charges on their accounts. Cardholders' concerns were largely referred to the card-issuing banks. Citigroup said the risk of identity theft to its cardholders was low but said it would closely monitor accounts. Chase Cards said that if cardholders spotted suspicious activity on their monthly or online statements, they should contact their bank. In such a case, identity theft experts said, it would be prudent to cancel the account.

CardSystems is one of hundreds of processors that provide terminals to merchants and help banks process millions of transactions a day, electronically relaying cardholders' names, account numbers and security codes so that once a card is swiped, the sale will be authorized, the merchant will be paid and the customer will be billed. The processors are also a point in the matrix exposed to Internet traffic and possible intrusion.

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," said Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes.
"It's probably just laziness or they don't know the rules," she added. In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence of Auriemma Consulting. The 40 million accounts that passed through CardSystems during the period in question may be the largest case of exposed data to date. "There is going to be a lot of finger-pointing," said Susan Crawford, a professor of Internet law at Cardozo Law School. "It's a very complex situation, and we'll wind up for calls for very heavy-handed government regulation of data transmission." Yet, there may be little incentive for processors to change. Visa and MasterCard have said that payment processors that violate their rules must pay a penalty, but they do not disclose the amounts of those fines. And it is typically the merchant that bears the cost of data fraud. Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. "The retailers will pay for it and the issuing banks will get rich off it," Ms. Litan said. "It's just another revenue stream." "What is the incentive?" she added. "Staying out of the newspapers." From isn at c4i.org Tue Jun 21 01:55:28 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jun 21 02:01:07 2005 Subject: [ISN] Banks to spend more on IT security, survey says Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,102642,00.html By Mari-Len De Guzman JUNE 20, 2005 IDG NEWS SERVICE Investment in security has topped the banking sector's IT spending priority list for 2005, according to a study by the Info-Tech Research Group. Info-Tech's 2005 IT Budget and Staffing Report surveyed more than 1,400 IT decision-makers in various vertical industries, including finance, manufacturing, government, agriculture, health and professional services. 
Of the banks surveyed, 89% were based in the U.S.

Privacy regulations and other compliance challenges are the main factors driving banks to spend more to improve their security infrastructure, according to Jason Livingstone, an analyst at London, Ontario-based Info-Tech. "Certainly in the last few years, [security] has been right at the very top with respect to IT priorities, [and] it continues to gain prominence with banks," he said.

Of the banks surveyed, 59% said they're planning to increase their investment levels for security, focusing on privacy and security of transactions. Seventy percent of the banks' IT executives said they will spend money on security software.

Banks are ahead of companies in other sectors when it comes to implementing security technologies such as firewalls, virtual private networks, and antispam and intrusion-detection systems, with 80% saying they have adopted at least one of those systems, the survey said.

Livingstone said that with new IT budgets, banks are looking at other forms of security enhancements, with an eye specifically on improving interbranch communication and online transactions. "Web site security is very critical. Virtually every bank has online banking, so there is great focus on protecting that customer interaction through their Web site," he said.

Among the sectors surveyed, banking stood out as having the highest business growth, with 78% of respondents saying they are experiencing medium to high levels of growth, the report said.

Banks spend a high proportion of their budgets on IT, and a big slice of that spending goes to secure their systems, said Livingstone. "The nature of their business means they have to, because they are dealing with their clients' bank accounts -- so security is a must-have."

Better protection of consumer data and privacy of information are also some of the top issues among opinion leaders who took part in a recent study by Washington-based IQ Research and Consulting.
Adobe Systems Inc. and security vendor RSA Security Inc. jointly commissioned that survey. Of 400 opinion leaders in the Washington area who were surveyed, 86% said that they think technology has a strong impact on consumer data protection, and 44% said they felt that consumer data theft should be a top priority for government legislators. Creating more secure forms should also be among Congress's "top tier" issues, according to the survey.

"Technology needs to fill the gap between technologies for sharing and technologies for safeguarding information," said Bruce Chizen, Adobe's CEO. Adobe is a leading provider of electronic documents software. Its most popular product, the Adobe PDF software, addresses security in electronic documentation and exchange through its read-only and password-protected features, among other things.

Chizen said document-level security is a "necessary ingredient in addressing the gap and protecting the privacy, confidentiality and authenticity of information."

From isn at c4i.org Tue Jun 21 01:55:58 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 21 02:01:25 2005
Subject: [ISN] Linux Security Week - June 20th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  June 20th, 2005                            Volume 6, Number 26n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Top Open-Source Security Applications," "Cutting Through the Linux Security Hype," and "Mobile & Wireless World to focus on Wi-Fi, Security."
---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for mikmod, tcpdump, yum, elinks, parted, system-config-securitylevel, checkpolicy, spamassassin, gaim, libextractor, Ettercap, shtool, gedit, MediaWiki, gzip, gftp, squid, rsh, sysreport, telnet, bz, and mc. The distributors include Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/119336/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions.
It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Talking with Richard Stallman
12th, June, 2005

1) Let's start. Can you explain to our readers why you started with FSF in 1984? What did you need it for? Why did you create it?
What I started in 1984 was the development of the GNU operating system. All the operating systems for modern computers of the day were proprietary; users were forbidden to share them, and could not get the source code to change them. The only way to use computers in freedom was to replace those systems with a free operating system. That's what GNU was meant to do. The Free Software Foundation was started in late 1985 to raise funds for GNU development, and more generally to promote free software.

http://www.linuxsecurity.com/content/view/119289

* Book Review: "Apache Security" By O'Reilly
12th, June, 2005

I've just completed my review on "Apache Security" by O'Reilly. "This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally this book does discuss how to use mod_security to harden your system, but I'm happy to report it isn't his main area of focus. One of the first things that I do while reviewing a book is to find all the things that the text doesn't cover that it *really* should have and point them out in my review. Simply put this book has everything, and I do mean everything. Here's the low down on a per chapter basis."

http://www.linuxsecurity.com/content/view/119291

* O'Reilly Releases "SSH, The Secure Shell: The Definitive Guide, Second Edition"
16th, June, 2005

The name looks like the sound you'd make to hush someone, which is not inappropriate if you think of SSH, the secure shell, as a means of silently sending information between computers. "SSH" is actually pronounced by spelling it aloud "S-S-H," and isn't a shell at all, but a protocol. The name was originally coined from the rsh utility, a Unix program that also provides logins.
http://www.linuxsecurity.com/content/view/119319

* Top Open-Source Security Applications
15th, June, 2005

According to most security professionals, a top-tier, open-source security tool must have sufficient history to allow a practitioner to use it with confidence. And it must have a sufficiently large developer base to ensure that fixes will be available in light of discovered vulnerabilities.
http://www.linuxsecurity.com/content/view/119315

* Endian Firewall
15th, June, 2005

Endian Firewall is a turn-key Linux security distribution based on IPCop that turns a system into a security appliance. The features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, POP3, SMTP) with anti-virus support, virus and spam filtering for E-mail traffic (POP and SMTP), content filtering of Web traffic and VPN (based on OpenVPN).
http://www.linuxsecurity.com/content/view/119314

* Intrusion Protection Systems get hot
13th, June, 2005

Taxed with providing an ever-expanding range of complex security functions, IPS vendors are rising to the challenge, transforming their wares to go beyond simply identifying and stopping attacks based on updated threat profiles.
http://www.linuxsecurity.com/content/view/119304

* McAfee Aims to Prevent Linux Attacks
14th, June, 2005

McAfee is looking to help protect against what it calls a dramatic increase of attacks on Linux systems. The company's Entercept intrusion prevention system -- already available for Windows and Solaris -- uses a combination of behavioral rules, signatures and a firewall to protect IT infrastructure from attack.
http://www.linuxsecurity.com/content/view/119311

* Cutting Through the Linux Security Hype
17th, June, 2005

Do you think there are security benefits businesses could reap by simply switching to open source solutions?

Greenberg: Yes. A great number of security holes are because of Windows having glaring security holes in its browser and mail agent. Use Windows and Firefox, for example, instead of Windows and IE, and 80 percent of the security concerns vanish. The number of security threats in an OS-to-OS face off is about equal, from what I see. As, and if, Linux usage increases, the Linux threat level may increase.
http://www.linuxsecurity.com/content/view/119337

* Java flaws open door to hackers
15th, June, 2005

Sun Microsystems has fixed a pair of security bugs in Java that could be exploited by attackers to take over computers running Windows, Linux and Solaris.
http://www.linuxsecurity.com/content/view/119318

* Security Best Practices
13th, June, 2005

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.
http://www.linuxsecurity.com/content/view/119294

* Easier controls improve security
14th, June, 2005

Computer Associates and RSA Security have released products to centralise security management and make policies easier to define and deploy. The aim is to make it simpler to implement complex data security measures.
http://www.linuxsecurity.com/content/view/119307

* Is IPsec on borrowed time?
14th, June, 2005

For proof that hunger is growing in the information security community for Secure Sockets Layer-based virtual private networks, look at the latest offerings from Check Point Software and Juniper Networks. For insight on what the big deal is, ask Steve Smith, network manager for Erie, Pa.-based Saint Vincent Health System.
http://www.linuxsecurity.com/content/view/119309

* Stealthy Trojan horses, modular bot software dodging defenses
14th, June, 2005

Software attack tools that turn PCs into remotely controlled zombies are getting better, but defenses are not keeping up, say security experts. The latest threats are tailored to attack specific companies, foregoing rapid spread and avoiding notice. Others use modular components, such as an infector that can be changed to defeat the latest antivirus software and a second-stage component that turns off PC defenses.
http://www.linuxsecurity.com/content/view/119310

* Hashing exploit threatens digital security
15th, June, 2005

Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.
http://www.linuxsecurity.com/content/view/119316

* The State Of Internet Security
15th, June, 2005

While the scams that daily flood our e-mail in-boxes show no signs of abating, there is some good news for the users who have to sort through them all. So says VeriSign, in its latest "State of Internet Security" address covering the first three months of 2005.
http://www.linuxsecurity.com/content/view/119317

* BindView Presents IT Security Compliance Best Practices for the C&A Process
16th, June, 2005

The C&A process is well-known by federal agencies as a highly manual process that artificially increases costs and delays, and isolates resulting data from other systems that might benefit from its use. The webinar will cover new methodologies and technologies for integrating the C&A process with an organization's IT security compliance and automation efforts to achieve success in meeting regulatory mandates and significantly reduce costs and delays.
http://www.linuxsecurity.com/content/view/119320

* Top Open-Source Security Applications
17th, June, 2005

Those responsible for enterprise security are increasingly turning to open-source applications in lieu of security products based on proprietary code -- and for many good reasons.
http://www.linuxsecurity.com/content/view/119340

* Most want government to make Internet safe
16th, June, 2005

Most Americans believe the government should do more to make the Internet safe, but they don't trust the federal institutions that are largely responsible for creating and enforcing laws online, a new industry survey says.
http://www.linuxsecurity.com/content/view/119326

* Your ISP as Net watchdog
17th, June, 2005

The U.S. Department of Justice is quietly shopping around the explosive idea of requiring Internet service providers to retain records of their customers' online activities.
http://www.linuxsecurity.com/content/view/119362

* Computer viruses become hacker informants
13th, June, 2005

An emerging breed of computer virus that keeps hackers informed about the latest weaknesses in computer networks has been discovered by security experts.
http://www.linuxsecurity.com/content/view/119293

* Mobile & Wireless World to focus on Wi-Fi, security, RFID
14th, June, 2005

John Wade, CIO of the Saint Luke's Health System in Kansas City, Mo., said he faces many of the same problems confronting other CIOs when it comes to supporting mobile and wireless technology in a large organization.
http://www.linuxsecurity.com/content/view/119308

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Jun 22 02:43:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:49:23 2005
Subject: [ISN] New Version of ISO17799 Published
Message-ID:

Forwarded from: Sue

NEW VERSION OF ISO 17799 PUBLISHED

The official revision of ISO 17799, the international computer security standard, has today been released. This new version has been under development for several years, and introduces a number of significant changes. The old version, originally published in 2000, has been withdrawn.

The new standard now contains eleven 'core' chapters, as opposed to the original ten, with existing chapters being re-organized. The new format is as follows:

 1) Security Policy
 2) Organizing Information Security
 3) Asset Management
 4) Human Resources Security
 5) Physical and Environmental Security
 6) Communications and Operations Management
 7) Access Control
 8) Information Systems Acquisition, Development and Maintenance
 9) Information Security Incident Management
10) Business Continuity Management
11) Compliance.

ISO17799:2005 also introduces controls to address a range of new issues. These include topics such as outsourcing and patch management. In addition, other areas have been substantially extended or re-shaped, such as employment termination, and mobile communication. Steps have also been taken to enhance the "user friendliness" of the standard.
OFFICIAL SOURCES

The following official outlet (BSI) has been updated to provide copies of the new standard (as opposed to the old):
http://www.standardsdirect.org/iso17799.htm

The ISO 17799 Toolkit, the standard's support and starter kit, has also been updated to include the new version:
http://www.17799-toolkit.com

For further information see the ISO 17799 Newsletter archive site at:
http://17799-news.the-hamster.com

----------------------------
Thanks and kind regards,
Sue
ISO 17799 Newsletter

From isn at c4i.org Wed Jun 22 02:44:43 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:49:35 2005
Subject: [ISN] Computers' Insecure Security
Message-ID:

Forwarded from: security curmudgeon
Cc: dailydave@lists.immunitysec.com

: http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
: By Sarah Lacy
: June 17, 2005
:
: Software meant to protect PCs are now attack targets, revealing a rising
: number of flaws -- even more than those of Microsoft products
:
: A new Yankee Group report, to be released June 20, shows the number of
: vulnerabilities found in security products increasing sharply for the
: third straight year -- and for the first time surpassing those found in
: all Microsoft (MSFT ) products. The majority of these weaknesses are

Already on unstable grounds with this wording. Journalists (and security folks) need to remember the difference between 'found' and 'reported' and 'disclosed'.

: SAME EXCUSE. Last year, researchers found 60 flaws in a variety of
: computer-security programs, almost double the 31 vulnerabilities
: discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst
: who culled a national database of reported software vulnerabilities.

*Sigh*, some day I will learn to smile and nod and not feel the need to reply to these studies. Until that time..
Cliff notes:

  2004, 60 flaws in computer-security programs
  2003, 31 flaws in computer-security programs
  unnamed national database of vulnerabilities

Culling a database is easy. Making a list of security products to search for in the first place might be a real chore. Moving past that, defining a vulnerability would be a key here, as CVE might group a few issues into one entry, and another database like X-Force or OSVDB may split them out into separate entries. Last, what about products such as 'tcpdump' or 'ethereal'? Are these classified security products or administrative tools? Without this information, this article is basically fluff that can't be reasonably understood or trusted without the full report.

Fortunately, I waited long enough to reply for the details to be released.

http://www.yankeegroup.com/public/products/decision_note.jsp?ID=13157

We see that they use CVE and iCat for their data, but do not address the fact that CVE can merge separate vulnerabilities into a single entry, nor do they address other questions above. iCat uses the CVE database and just adds some metrics.

Some interesting points in this research:

  Yankee Group analysis of a well-known public vulnerability data source, ICAT, suggests that flaw finders have shifted their focus toward security products.

60 flaws in 2004, according to Yankee Group, and they say there is a shift to security product vulnerability research? Compare that to the total number of vulnerabilities released, and this is easily debated.

  From 2004 to May 2005 in particular, 77 disclosed vulnerabilities affected a wide array of security products. The incidents increased far faster than the rate for Microsoft (see Exhibit 1).

This is a little misleading. First and second quarter of 2004 show security products going down, then taking a turn and moving up for third/fourth quarter of 2004, and heading back down for 2005. I'm not a statistician, but this doesn't seem like a *trend* to me.
  Check Point and F-Secure saw a large increase in vulnerabilities in 2004 compared to the previous year, while vendors such as McAfee saw a significant decrease.

A quick search (by vuln title) of OSVDB.org shows:

                 2003   2004
  Check Point       1      6
  F-Secure          1     10
  McAfee            6      7

So two out of three on these statements, not bad! McAfee has had an increase it seems, just not so dramatic as F-Secure or Check Point.

: Through May, 2005, 23 software glitches have been counted -- already up
: 50% over last year. And that figure doesn't include those yet to come
: this summer, when the biggest attacks are usually launched. So far this
: year, researchers have only found 22 vulnerabilities in Microsoft's
: products.

iCat shows 2005 + "microsoft" having 54 entries and OSVDB.org shows 86 so far this year. Listing 22 vulnerabilities for Microsoft is what.. going by Microsoft Security Bulletins? MS05-034 being the latest, and 025-034 possibly being released after the research was completed.. suggests that might be the case. Anyone familiar with MS advisories knows they can contain multiple vulnerabilities, even by CVE designation. So is the use of "22 vulnerabilities in Microsoft's products" creatively switching to a different method for counting?

So far this research seems poorly done, so I hate to add fuel to the fire.. but if you search OSVDB.org for security products (and use a good list), you will find a lot more than mentioned in this report. There are already 17 vulnerabilities listed in 2005 searching for "firewall", compared to the 23 mentioned by Yankee Group. Branch out into other security products and you are well over 23.

: Symantec (SYMC ) has had the most reported vulnerabilities, with 16
: documented last year (see BW Online, 6/17/05, "A New Frontier for
: Hackers?"). But so far this year, it has fared better: Through May, only
: two vulnerabilities were reported.

Err, 43 Symantec issues in 2004... and 10 in 2005..

: BRAGGING RIGHTS.
: Still, Symantec is a target because it's the market
: leader. Hackers generally want to crack programs with the largest
: installed base -- thus offering the maximum impact for their exploits.
: That's one of the rationales Microsoft has used to explain why its
: products seem to have so many reported security glitches. But Jaquith
: points out that McAfee, the second-largest security player, decreased
: its vulnerabilities over the last year. "This is a leading indicator of
: the relative quality of the two products," he argues.

2005, two McAfee reported vulns.. 2004, seven reported. That still leaves almost six months for the numbers to be the same. Hard to predict a trend off such limited data, especially when Yankee Group says:

  And that figure doesn't include those yet to come this summer, when the biggest attacks are usually launched.

: ISS has only had three vulnerabilities in its history, but Noonan calls
: it a wake-up call nonetheless.

Huh?! Read the damn Yankee Group report! "One firm -ISS- accounted for four of these." Failing that, search a vulnerability database for ISS products and that "three" figure goes out the window.

  Apr  8, 2005  ISS RealSecure / BlackICE Rule Name Field Local [..]
  Aug 14, 2004  BlackICE/PC Protection Unprivileged User Local DoS
  Apr 20, 2004  TCP Reset Spoofing
  Apr  8, 2004  ISS RealSecure Network Sensor Malformed DHCP Packet DoS
  Mar 31, 2004  BlackICE Insecure Default Configuration Weakness
  Mar 31, 2004  BlackICE NIC Protection Failure
  Mar 18, 2004  ISS PAM Component ICQ Protocol Parsing Overflow
  Feb 27, 2004  ISS Multiple Products SMB Packet Handling Overflow
  Feb 24, 2004  RealSecure/BlackICE PAM Module SMB Packet Overflow
  Jan 28, 2004  BlackICE PC Protection blackd.exe Local Overflow
  Jan 28, 2004  BlackICE PC Protection Upgrade File Permission Weakness
  Sep  8, 2003  ISS RealSecure Server Sensor HTTPS Request DoS
  Sep  8, 2003  ISS RealSecure Server Sensor ISAPI Plug-in DoS
  Jun 17, 2003  BlackICE Defender XSS Detection Evasion
  Sep 18, 2002  ISS Security Scanner HTTP Remote Overflow
  Sep 12, 2002  ISS ICEcap Default Password
  Jun 19, 2002  BlackICE tcp.maxconnections Memory Consumption DoS
  Jun  6, 2002  BlackICE Agent System Standby Failure
  Feb  4, 2002  BlackICE / RealSecure Large ICMP Ping Packet Overflow
  Sep  5, 2001  ISS RealSecure Network Sensor Non-Standard [..]
  Sep  5, 2001  ISS RealSecure Server Sensor Non-Standard [..]
  Aug 22, 2000  ISS RealSecure Fragmented SYN Packet DoS
  Jun 20, 2000  BlackICE UDP Port Block Delay *
  Feb 20, 1999  ISS Security Scanner Installer Temporary File Symlink
  Dec  3, 1998  ISS Security Scanner Fingerd Scan Overflow
  Jan  1, 1998  ISS Security Scanner Command Line Overflow

* Note: ISS purchased BlackIce around May 2001, so this one wouldn't really be held against them =)

: DANGEROUS DAWNING. That should have been a wake-up call to other
: companies as well. Jaquith advises vendors to ratchet up their internal
: testing. Both Symantec and McAfee recently acquired consulting firms
: that are experts in launching test attacks before the software is
: released. "They both have the tools in-house, it's a question of putting
: them to use," he says.

Now *this* will prove to be interesting statistics down the road.
Will the disclosed vulnerabilities in Symantec products go up/down after the purchase of @stake...

From isn at c4i.org Wed Jun 22 02:45:07 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:49:50 2005
Subject: [ISN] Book Review - The Art of Computer Virus Research and Defense
Message-ID:

http://books.slashdot.org/books/05/06/21/1929244.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0321304543/c4iorg -- WK]

Author: Peter Szor
Pages: 713
Publisher: Addison Wesley Longman and Symantec Press
Rating: 9
Reviewer: Jose Nazario
ISBN: 0321304543
Summary: Clear, sweeping coverage of virus history and technical details

TAOCVRD opens with Part 1: Strategies of the attacker. Here we get to start to think about malicious code from the original ideas and viewpoints of its makers. Chapter 1 opens up with various games of the classic computer science world, including Conway's Game of Life and Core Wars, which is still fun after all of these years. From this we can start to think about computer viruses as a natural extension of other self-replicating computer structures. What's great about this chapter is that you can actually understand, and share in, the fascination of replicating code. It's as if you can understand the pure world that some virus writers live in.

Chapter 2 starts off the virus-analysis section, including some of the basics (like the types of malicious programs and their key features), as well as the naming scheme.

Chapter 3, "Malicious Code Environments," serves as a lengthy and complete description of how various viruses work. The dependencies that you would expect to see, including OS, CPU, file formats, and filesystems, are all described. Then Szor goes on to describe how viruses work with various languages, from REXX and DCL to Python and even Office macros. Not all of the descriptions are lengthy, but you get to see how flexible the world of writing a virus can be.
What I most enjoyed about the book overall is represented in this chapter, namely Szor's command of the history of the virus as well as his technical prowess, which he drops in as appropriate.

Chapter 4 gets a bit more technical and now focuses on infection strategies. Again, Szor isn't afraid to delve into history or technical meat, including a lengthy and valuable section "An In-Depth Look at Win32 Viruses." If you don't feel armed to start dissecting viruses by this point, you're in luck: there's so much more to read.

Chapter 5 covers in-memory strategies used by viruses to locate files, processes, and sometimes evade detection. Szor has a list of interrupts and their utility to the virus writer, providing a comprehensive resource to the virus analyst.

Chapters 6 and 7 cover basic and advanced self protection schemes, respectively, used by viruses. TAOCVRD's completeness of information in a usable space, together with very functional examples and descriptions, is again evident. Szor walks you through a basic decryptor routine, for example, showing you how a self-contained virus can be both evasive and functional at the same time. Sadly little attention is given to various virus construction kits at the end of chapter 7, though.

Chapters 8 and 9 get a little less technical and somewhat more historical. These chapters cover virus payloads and their classification (i.e., benevolent viruses, destructive viruses, etc.) and computer worms, respectively. The overview of payloads is almost entirely historical, giving a great overview of how virus writers have used their techniques to cause havoc or just have "fun" from time to time. Chapter 9 gives a concise and valuable overview of computer worms, almost boiling about half of my worms book down into just one chapter in a clear and easy to use fashion.

Part 1 concludes with chapter 10, which covers exploits and attack techniques used by worms and viruses.
Again, Szor's clarity of explanation shines as he artfully gives a concise overview of how a buffer overflow attack works (including stack layout and address manipulation), heap-based attacks, format string attacks, and related methods. He then discusses these techniques in light of various historical examples, clearly explaining how they operated and were successful. If you've been yearning for a short overview of attack techniques and how malware has used them, this chapter is for you.

Part 2 covers the defender's strategies. Chapter 11 serves as a nice introduction to this section by describing many of the current and advanced defense techniques such as some of the first and second generation scanners, code and system emulation, and metamorphic virus detection. This is all covered in nice technical detail, always at a reasonable level to not leave everyone in the dust. Through it all small examples are constantly given, which reinforce the text nicely.

Chapter 12 is very similar, this time focusing on in-memory scanning and analysis techniques.

Chapter 13 covers worm blocking techniques, focusing on host-based methods which can prevent the buffer overflow from being successful or the code from arbitrarily gaining network access again. Chapter 14 complements this with network specific defenses, including ACLs and firewalls, IDS systems, honeypots, and even counterattacks. These two chapters are a lot less technical than the previous two, but still quite valuable.

By this point I'm sure you're ready to try your hand at virus analysis, and Szor is eager to help you out. In chapter 15 he gives you a great setup for virus analysis, including various tools and examples of how they work and what kind of information they give you. Finally, in chapter 16 you have the obligatory (and valuable) resource roundup which complements the references given in every chapter, as well.
Overall I find Szor's book to be amazing, both in terms of its technical prowess over so many specifics in the field but also for its presentation. Without dumbing it down, Szor's able to communicate to most readers with clarity in a manner they'll understand, learn from, and be able to use. I think that many of us, especially those of us who get plundered in our email inboxes with malware, are curious to spend some time dissecting these beasts using techniques AV professionals use, and Szor's book does an exemplary job of introducing that world to us all. I consider this to be one of the most important computer security books I own due to its clarity and completeness of coverage.

http://www.amazon.com/exec/obidos/ASIN/0321304543/c4iorg

From isn at c4i.org Wed Jun 22 02:45:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:50:07 2005
Subject: [ISN] Security Flaw Exposes CVS Purchase Data
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/06/21/AR2005062100999.html

By MICHELLE R. SMITH
The Associated Press
June 21, 2005

PROVIDENCE, R.I. -- A security hole that allowed easy access to the purchase information of millions of CVS Corp.'s loyalty card customers prompted the company to pull Internet access to the data on Tuesday.

The Woonsocket-based drugstore chain, which has issued 50 million of the cards, said it would restore Web-based access to the information after it creates additional security hurdles.

The data security flaw in the ExtraCare card service was exposed Monday by the grassroots group Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN. It said anyone could learn what a customer had purchased with an ExtraCare card by logging on to a company Web site with the card number, the customer's zip code and first three letters of the customer's last name. Once logged on, a list of recent purchases could be sent to an e-mail account.
Information about prescriptions was not provided, and the list of purchases was only available by e-mail.

CASPIAN director Katherine Albrecht said a test she conducted showed a list of possibly embarrassing purchases, including condoms and a home pregnancy test kit, the date they were purchased and how much they cost.

Albrecht applauded the company's move to make the data more secure but said she was still concerned. "This underscores the amount of data, the very sensitive data, about us that CVS has been collecting," she said.

Eileen Howard Dunn, a CVS spokeswoman, said the company provides the information as a service to customers. She emphasized that prescription information was not available. CVS said the service had been in place about 6 months.

"There's no material medical information on there at all," said Dunn, and CVS said only a very small number of customers had used the service.

Spokesman Todd Andrews said CVS was working quickly to put in place either password protection or some other security measure. Until then, customers can get the information by calling customer service, he said.

CVS said the company had no knowledge of anyone gaining access to customer information improperly. Andrews said customers' Social Security and credit card numbers were not posted and the information that was available could not lead to any identity theft.

CVS has 5,400 stores in 36 states and the District of Columbia.

From isn at c4i.org Wed Jun 22 02:45:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:50:20 2005
Subject: [ISN] Kaiser Permanente division fined $200k for patient data breach
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102665,00.html

By Linda Rosencrance
JUNE 21, 2005
COMPUTERWORLD

The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people.
The DMHC said the information had been available on a publicly accessible Web site for as long as four years. A Kaiser spokeswoman referred questions about the incident to another Kaiser official, who did not respond to a request for comment.

"Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information," Cindy Ehnes, director of the DMHC, said in a statement. "As we work on broadening the use of electronic medical records to improve patient care on both the state and federal levels, health plans must make security of confidential information a top priority."

An investigation by the agency found that Kaiser was responsible for the creation of a systems diagram Web site used as a testing portal by its IT staff. The site contained confidential patient information, including names, addresses, telephone numbers and lab results. According to the DMHC, Kaiser set up the site in 1999 without the prior consent of the affected patients.

DMHC said it was concerned that Kaiser allowed the Web site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January (see Update: Kaiser Permanente patient data exposed online) [1]. In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March, the DMHC said. Kaiser has since informed all of its affected members about the incident.

"Not only was this a grave security breach, Kaiser did not actively work to protect patients until after [it] had been caught," said Ehnes. "We're imposing this fine because we consider this act to be irresponsible and negligent at the expense of members' privacy and peace of mind."

Under California state law, a health plan can be fined if it has violated the confidentiality of medical information without first obtaining an authorization from the patient.
Berkeley, Calif., resident Elisa Cooper, a former Web coordinator at Kaiser Permanente, brought the breach to the attention of federal regulators and posted a link to the Kaiser Web site on her Web log last year. Kaiser then sued her for invasion of privacy and breach of contract. That case is still pending in Alameda County Superior Court (see Court orders blogger to stop posting Kaiser patient data) [2]. In addition, the DMHC ordered Cooper to stop posting the link to the information, which she did, said DMHC spokeswoman Lynne Randolph. "Her case is now closed." "I'm relieved that the DMHC has formally confirmed that Kaiser was responsible for posting the systems diagrams Web site. For three months I've been fending off Kaiser's attempts to pin that site on me, and I'm still being sued by Kaiser," Cooper said in an e-mail to Computerworld. Cooper said she fears Kaiser could drag her back and forth to court for years because she doesn't know how the legal system works and can't afford to hire a lawyer. "The DMHC determined the systems diagrams site had been publicly accessible since 1999, and it would still be there today if I hadn't pointed it out," she said. "I just hope the next whistleblower isn't afraid to file a complaint or talk about a problem they've discovered because of what happened to me. The DMHC still has not apologized for giving the public the impression I was the one who posted the Web site." Kaiser officials, who have been cooperating throughout the investigation, have until June 25 to present any information to dispute the state agency's findings, or the fine will be imposed, the DMHC said. 
[1] http://www.computerworld.com/industrytopics/healthcare/story/0,10801,100420,00.html
[2] http://www.computerworld.com/industrytopics/healthcare/story/0,10801,100615,00.html

From isn at c4i.org Wed Jun 22 02:46:00 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 22 02:50:40 2005
Subject: [ISN] ITL Bulletin for June 2005
Message-ID:

Forwarded from: Elizabeth Lennon

NIST'S SECURITY CONFIGURATION CHECKLISTS PROGRAM FOR IT PRODUCTS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The National Institute of Standards and Technology (NIST) is cooperating with other federal agencies, IT vendors, and with industry to advance the development and use of security configuration checklists. A security configuration checklist (sometimes called a security configuration guide, lockdown guide, hardening guide, security technical implementation guide, or benchmark) is basically a series of instructions for configuring an information technology (IT) product to an operational environment. Checklists can be useful tools for reducing vulnerabilities to systems, especially for small organizations with limited resources. IT vendors often create checklists for their own products, but other organizations such as consortia, academic groups, and government agencies have also developed them.

Checklists can be used to counter threats to computers, such as remotely launched attacks through networks and the spread of malicious code through e-mails, malicious websites, and file downloads. Vulnerabilities in IT products are discovered almost daily. Because many IT products are designed to serve a wide variety of users, they may not provide needed restrictive security controls routinely. As a result, computers can be vulnerable to threats when the products are installed.
Even experienced system administrators may find it difficult and time-consuming to identify the right set of security settings for many IT products. The NIST checklists program, described in this ITL Bulletin, serves both checklists developers, e.g., vendors, and users, e.g., federal agencies. NIST provides checklist developers with guidance for developing standardized, high-quality checklists to secure IT products. Checklist developers are invited to submit their well-documented and usable checklists to NIST for review and for listing in an easy-to-use repository of checklists. NIST has developed a formal process to review, update, and maintain the checklists in the repository. Users are invited to browse through the descriptions in the repository to locate a particular checklist. The checklists repository is organized by product category, vendor, and submitting organization, and currently includes over fifty checklists. Information about the program and access to the checklist repository is available from the NIST web page: http://csrc.nist.gov/checklists/. Why Checklists Are Needed The Cyber Security Research and Development Act of 2002 (Public Law 107-305) designates NIST to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government." Checklists provide a baseline of security to protect against common and dangerous threats, and they provide a consistent approach to securing systems. This is especially important for small organizations, which may not have the resources to investigate and develop their own security settings for installed products. 
Checklists alone cannot guarantee complete security, but they can reduce an organization's vulnerabilities when used with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools. What Are Checklists A security checklist in its simplest form can be a document that contains instructions or procedures for configuring an IT product to a baseline level of security. Checklists are also commonly referred to as lockdown guides, hardening guides, security technical implementation guides (STIGs), or benchmarks. A checklist could contain scripts, templates, and pointers to patches, or updates or firmware upgrades that can be applied to a product. A checklist might include any of the following: * Configuration files that automatically set various security settings (e.g., executables, security templates that modify settings, scripts); * Documentation (e.g., text file) that guides the checklist user to configure software manually; * Documents that explain the recommended methods for the secure installation and configuration of a device; and/or * Policy documents that set forth guidelines for activities such as audits, authentication security (e.g., passwords), and perimeter security. The instructions in a security configuration checklist can apply to administrative practices as well as security settings for an IT product to support improvements to the product's security. Often, successful attacks on systems are the direct result of poor administrative practices such as not changing default passwords or failure to apply new patches. While many checklists have been developed, they vary in quality, usability, and documentation, and they may not be kept current with software updates. The NIST program provides a consistent process for the development, review, and use of checklists. 
Examples of IT product technology areas that are included are: operating systems, database systems, web servers, e-mail servers, firewalls, routers, intrusion detection systems, virtual private networks, biometric devices, smart cards, telecommunication switching devices, and web browsers. The NIST Checklists Program NIST is currently working with other checklist-producing organizations including the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Center for Internet Security (CIS), as well as IT product vendors and vendors of configuration and management products. Ideally, product vendors create checklists as they release new products. The vendor is often in the best position to create the checklists; however, in some cases, third-party checklists may be submitted, such as from recognized security groups, state governments, and corporations. After testing their checklists and documenting them according to the guidelines of the program, checklist developers can submit a checklist package to NIST. NIST screens the checklist package for adherence to the development criteria and format. After addressing any identified issues with the checklist submitter, NIST posts the checklist for public review. Issues that are raised during the review will be referred to the checklist developer. After all issues have been addressed satisfactorily, the checklist or checklist description will be posted on the NIST checklist repository (http://csrc.nist.gov/checklists/repository/index.html). Checklist submitters are responsible for maintaining their checklists when new versions of the products appear. When the final checklist is listed, NIST will set up a periodic review schedule with the developer. The review will take place in one year, or sooner, depending upon factors such as the discovery of new vulnerabilities. If the developer decides to update the checklist, NIST will announce that the checklist is in the process of being updated. 
If the checklist contains major changes, it will be accepted as if it were a new submission; it must undergo the same reviews as a new submission. Outdated or incorrect checklists will be retired or archived. Checklist producers can use the special checklist program logo on their product literature or websites to show participation in the NIST program and ownership of a checklist on the repository. To use the logo, the producer must provide checklist-related assistance to users. The logo does not convey NIST endorsement of the checklist or IT product. See http://csrc.nist.gov/checklists Using Checklists Organizations usually conduct a requirements analysis before selecting and purchasing IT products. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, provides useful guidance for federal agencies on conducting the requirements analysis and the subsequent risk assessment. Users should identify their functional needs to determine what functions an IT product must perform and what security controls should be used. Next, threats related to particular products and vulnerabilities that could be exploited in the product should be identified. Then the needed security controls should be determined to minimize or eliminate the likelihood of threats exploiting system vulnerabilities. After determining local operational product requirements, users can research and retrieve the checklists that match their operational environment and security requirements. Users are able to modify and document the checklist to take into account local policies and needs, test the checklist, and provide any feedback to NIST and the checklist developers after applying the checklist in their systems. Users can browse a database of checklist descriptions to locate and retrieve a particular checklist using a variety of different fields, including the following: * Checklist Summary: Summarizes the purpose of the checklist and its settings. 
* Status: Whether Candidate, Final, or Archived. * Version: Indicates the version or release number of the checklist. * Revision Date: States the date when the checklist was last revised. * Vendor: Contains the name of the manufacturer of the IT product. * Point of Contact: Provides the e-mail address where questions, comments, suggestions, and problem reports can be sent in reference to the checklist. The point of contact should be an e-mail address that the checklist developer monitors for checklist problem reports. * Product Category: The main product category of the IT product, e.g., firewall, Intrusion Detection System (IDS), operating system, web server, etc. * Product Name: The official IT product name. * Product Role: Specifies the primary use or function of the IT product as described by the checklist, e.g., Client Desktop Host, Web Server, Bastion Host, Network Border Protection, Intrusion Detection, etc. * Product Version: The specific software or firmware released version number of the IT product, including service pack or patch level as appropriate. * Rollback Capability: Whether the changes in product configuration made by applying the checklist can be rolled back, and if so, how to roll back the changes. * Target Audience: Intended audience that should be able to install, test, and use the checklist, including suggested minimum skills and knowledge required to correctly use the checklist. * Target Operational Environment: The IT product's operational environment, e.g., SOHO, Managed, Custom (with description such as Specialized Security-Limited Functionality or Legacy). * Testing Information: Platforms on which the checklist was tested. Can include any additional testing-related information such as a summary of the testing procedures used. * Product Support: Vendor will accept support calls from users who have applied the checklist on their IT product; warranty for the IT product has not been affected. 
This support is required for participation in the Checklist Program and use of the Checklist Program logo. Operational Environments NIST has identified four types of operational environments to help developers to target their checklists to the security baselines that are associated with the different environments. Users can select the checklists that are most appropriate for their operating environments. * Small Office/Home Office (SOHO), sometimes called Standalone, describes small, informal computer installations that are used for home or business purposes. SOHO encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, or home computers, to telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. These environments may be less secure than the others and may be supported by less experienced system administrators. * Managed or Enterprise environments are environments that are structured in terms of hardware and software configurations, usually consisting of centrally managed workstations and servers protected from the Internet by firewalls and other network security devices. Generally, a skilled staff supports users and provides security from initial system deployment through system maintenance. The structure and the staff contribute to the implementation and maintenance of consistent security practices. * Custom environments contain systems in which the functionality and degree of security do not fit into the other two environments. There are two typical custom environments: o Specialized Security-Limited Functionality environments contain systems and networks at high risk of attack or data exposure. Protecting the security of these systems may be a higher priority than the usability of the systems or their interoperability with other systems. 
These systems have limited or specialized functionality in a highly threatened environment such as an outward facing firewall or public web server. Checklists for this environment are not recommended for home users or for large-scale, general purpose systems. A Specialized Security-Limited Functionality environment could be a subset of a SOHO or an enterprise environment. o Legacy environments contain older systems or applications that use older, less-secure communication mechanisms. Other machines operating in a legacy environment may need less restrictive security settings so that they can communicate with legacy systems and applications. These environments could exist within a SOHO or an enterprise environment. NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products NIST recently issued NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products. Written by Murugiah Souppaya, John Wack, and Karen Kent, this guide was developed with the sponsorship of the Department of Homeland Security (DHS) and is available on NIST's web pages ( http://csrc.nist.gov/checklists ). The publication discusses checklists and their benefits, and explains the operation of the checklists program. It describes the policies, procedures, and general requirements for participation in the program, and explains how to retrieve checklists from NIST's repository. It also provides general information about threat models and baseline technical security policies for associated operational environments. NIST has developed checklists for Microsoft Windows 2000 and for Microsoft Windows XP systems. 
Draft Special Publication (SP) 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist: Recommendations of the National Institute of Standards and Technology, and NIST SP 800-43, The Systems Administration Guidance for Windows 2000 Professional, are both available at: http://checklists.nist.gov/repository/ How Checklists Will Help Federal Organizations Checklists will help federal organizations carry out the requirements of the Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347). Section 3534(b)(2)(D)(iii) of this Act requires each agency to determine minimally acceptable system configuration requirements and ensure compliance with them. Accordingly, federal agencies, as well as vendors of products for the federal government, are encouraged to acquire or develop and share such checklists using the NIST repository. For More Information The NIST website ( http://csrc.nist.gov/checklists/ ) provides links to the checklist repository, announcements, answers to frequently asked questions, and to documents and forms for participation in the checklists program. Information is available about a workshop held by NIST in 2003 to identify federal government checklist activities and needs, voluntary efforts for building security checklists, and industry capabilities for developing checklists for IT products widely used by the federal government. Also available is information about XCCDF, a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. XCCDF provides a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, to help foster more widespread application of good security practices. NIST welcomes comments on all aspects of the checklists program. 
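The bulletin describes XCCDF as a structured collection of configuration rules for a set of target systems; the example below is added here to show what that structure buys a checklist user, and is not NIST's code nor any published checklist. A small benchmark is constructed inline (the rule ids, titles and weights are invented), with three profiles named after the bulletin's operational environments: a SOHO profile that keeps the rule defaults, a Legacy profile that deselects the cleartext-protocol rule, and a Specialized Security-Limited Functionality profile that selects an extra lockdown rule. The resolver applies a profile's select overrides to the rules' default selected flags, reports pass/fail/notselected per rule against a constructed stand-in for check-engine output, and computes a simple weighted score. The XCCDF 1.1 namespace URI used here is an assumption about the document format.

```python
"""Resolve an XCCDF-style benchmark against a chosen profile.

Added example (not NIST's code, not a published checklist). The benchmark
below is constructed to illustrate the XCCDF model: every <Rule> carries a
default 'selected' flag, and a <Profile> overrides those defaults with
<select> elements before the checklist is applied or scored.
"""
import xml.etree.ElementTree as ET

# Assumed namespace for XCCDF 1.1 documents.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark; rule ids, titles and weights are invented.
SAMPLE_BENCHMARK = """
<Benchmark id="sample-os-benchmark" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <status date="2005-06-01">draft</status>
  <title>Constructed sample benchmark</title>
  <Profile id="soho">
    <title>Small Office/Home Office (rule defaults only)</title>
  </Profile>
  <Profile id="legacy">
    <title>Legacy (must still talk to older systems)</title>
    <select idref="rule-legacy-protocols" selected="false"/>
  </Profile>
  <Profile id="ssfl">
    <title>Specialized Security-Limited Functionality</title>
    <select idref="rule-minimal-services" selected="true"/>
  </Profile>
  <Group id="grp-auth">
    <title>Authentication</title>
    <Rule id="rule-min-password-length" selected="true" weight="10.0">
      <title>Minimum password length is at least 8</title>
    </Rule>
    <Rule id="rule-default-passwords-changed" selected="true" weight="10.0">
      <title>Vendor default passwords have been changed</title>
    </Rule>
  </Group>
  <Group id="grp-services">
    <title>Services</title>
    <Rule id="rule-legacy-protocols" selected="true" weight="5.0">
      <title>Legacy cleartext protocols are disabled</title>
    </Rule>
    <Rule id="rule-minimal-services" selected="false" weight="8.0">
      <title>Only required network services are enabled</title>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed stand-in for what a check engine would report per rule.
OBSERVED = {
    "rule-min-password-length": True,
    "rule-default-passwords-changed": False,
    "rule-legacy-protocols": True,
    "rule-minimal-services": True,
}


def load_rules(benchmark_xml):
    """Return {rule_id: default_selected} for every Rule, in document order.
    XCCDF treats a missing 'selected' attribute as true."""
    root = ET.fromstring(benchmark_xml)
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        rules[rule.get("id")] = rule.get("selected", "true") == "true"
    return rules


def resolve_profile(benchmark_xml, profile_id):
    """Apply the Profile's <select> overrides to the rule defaults and return
    the ids of the rules that end up selected, in document order."""
    root = ET.fromstring(benchmark_xml)
    selected = load_rules(benchmark_xml)
    profile = root.find("x:Profile[@id='%s']" % profile_id, NS)
    if profile is None:
        raise KeyError("no Profile with id %r" % profile_id)
    for sel in profile.findall("x:select", NS):
        idref = sel.get("idref")
        if idref not in selected:
            # A dangling idref is a checklist authoring error; surface it.
            raise ValueError("Profile %r selects unknown rule %r" % (profile_id, idref))
        selected[idref] = sel.get("selected", "true") == "true"
    return [rid for rid, on in selected.items() if on]


def evaluate(benchmark_xml, profile_id, observed):
    """Map every rule id to an XCCDF-style result: 'pass', 'fail' or
    'notselected'. Rules the profile leaves unselected are never checked."""
    chosen = set(resolve_profile(benchmark_xml, profile_id))
    results = {}
    for rid in load_rules(benchmark_xml):
        if rid not in chosen:
            results[rid] = "notselected"
        else:
            results[rid] = "pass" if observed.get(rid, False) else "fail"
    return results


def flat_score(benchmark_xml, profile_id, observed):
    """Weighted score: weights of passing rules over weights of all selected
    rules (a simplified reading of XCCDF's flat scoring model). Returns
    (score, maximum)."""
    root = ET.fromstring(benchmark_xml)
    results = evaluate(benchmark_xml, profile_id, observed)
    score = maximum = 0.0
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        rid = rule.get("id")
        if results[rid] == "notselected":
            continue
        weight = float(rule.get("weight", "1.0"))
        maximum += weight
        if results[rid] == "pass":
            score += weight
    return score, maximum


if __name__ == "__main__":
    for pid in ("soho", "legacy", "ssfl"):
        print(pid, evaluate(SAMPLE_BENCHMARK, pid, OBSERVED),
              flat_score(SAMPLE_BENCHMARK, pid, OBSERVED))
```

The point of the profile layer is the one the bulletin makes about operational environments: the same rule set serves a legacy network, which must keep a cleartext protocol alive, and a hardened public-facing host, which turns on a rule that is off by default, without anyone editing the rules themselves. A profile that references a rule the benchmark does not define is rejected rather than silently ignored, since a deselect that never applied would leave a host either over- or under-locked relative to the documented baseline.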
Comments may be submitted to checklists@nist.gov. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 840-1357 From isn at c4i.org Wed Jun 22 02:43:30 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 22 02:50:59 2005 Subject: [ISN] Wireless Web puts personal data at risk Message-ID: Forwarded from: Mark Bernard Dear Associates, If you don't believe that this article speaks about something that could actually happen then why not attempt it in a controlled situation? If you don't succeed then you're likely not skilled enough to be successful and if you do well what else can I say. Many times while conducting penetration testing for my international clients against off shore targets I was told by both management and technical staff that a particular system and its information was safe, secure only to prove them wrong. The stakes were high, because you see in that particular organization if a system was penetrated the entire department's annual salary increase was withheld. That's company policy! Could there be other organizations who are so sure about the effectiveness of their own security systems? You bet, lots!! But not many who'll stake their annual salary increase on it...... Please note the reference to a new vulnerability known as Evil Twins. This vulnerability is created when somebody comes along and sets up a duplicate hotspot and uses it to capture private information. How easy would that be, very easy just ask your local Radio Shack retailer. What if someone did this just outside a legitimate business? 
Of course that might be illegal, but do you really think that somebody who's not planning on being caught or identified would be concerned if it's right or wrong? Especially if there's a potential for financial gain. Please don't kid yourself.... Businesses need to follow through on the concept of due-diligence or standard-of-due-care, because many are managing security with true obscurity and obscurity is going the same way that the dinosaurs went. Enjoy the read! Best regards, Mark. ========= beginning of excerpt ======== http://www.cnn.com/2005/TECH/internet/06/21/hotspot.hacking/index.html Wireless Web puts personal data at risk By Daniel Sieberg CNN June 21, 2005; ATLANTA, Georgia (CNN) -- What comes to mind when you think of wireless Web surfing? It may not be security, or lack of it. There are nearly 30,000 public wireless "hot spots" in the United States at places such as parks and cafes, but there's more to consider than just where to log on. The convenience comes with a caveat. "Understand that the information you're sending is very similar to standing up here in the park and shouting out all the information -- would I normally do that?" said Richard Rushing, a wireless expert with security firm Air Defense who visited an Atlanta park to show security vulnerabilities. Rushing is considered an "ethical hacker" and works with companies to strengthen their wireless networks. He said many people don't realize they could have all their personal data stolen while checking out their checking account. "It's great to be able to sit somewhere and work without having any wires attached, no nothing attached, but you have that risk that it comes back to," Rushing said. At the park, Rushing was able to log onto an unsecured hotel wireless signal in a matter of seconds. To illustrate how vulnerable such networks can be, Rushing then sent an e-mail and intercepted the entire contents of the message. 
He could've done the same thing to any of the dozens of people sitting nearby in the park. "At any point in time, I can reach out and touch everyone's laptop at the hot spot, and there's usually not any way of preventing that -- from me touching and looking at other people's stuff at the hot spot itself," Rushing said. He also demonstrated a growing concern called "evil twins" -- fake wireless hot spots that look like the real thing. For example, he said, a hacker could be sitting around the corner sending out a wireless signal. It may look like a legitimate one, even offering people a chance to sign up for service. But if you log on, the hacker then would have complete access to your machine. He said anybody with some tech know-how and the right tools can break into the basic level of wireless security that's commonly used. There are even how-to video instructions online. Rushing said people need to imagine that nothing is truly private at a wireless hot spot. "A lot of the time you really want to stay away from doing certain things at the hot spot that you would normally not do if you knew somebody would be watching," he said. Nevertheless, Rushing doesn't discourage using wireless. He tells people to be aware of what they're sending and the potential for theft. In other words, it's a good chance to read the baseball scores, but even if you're sitting by yourself, it doesn't mean you are all alone. There may be no wires attached, but the convenience still comes with strings. ========= end of excerpt =========== Best regards, Mark. Mark E. S. Bernard, CISM, CISSP, PM, Principal, Risk Management Services, e-mail: Mark.Bernard@TechSecure.ca Web: http://www.TechSecure.ca Phone: (506) 325-0444 Leadership Quotes by Kenneth Blanchard: "The key to successful leadership today is influence, not authority." 
From isn at c4i.org Wed Jun 22 02:44:11 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 22 02:51:17 2005 Subject: [ISN] Credit card hacking not hard Message-ID: http://www.madison.com/wsj/home/biz/index.php?ntid=44402&ntpid=2 Brian Bergstein AP technology writer 6/21/05 The numbers involved in the latest high-stakes cybercrime are astonishing: Burrowing into a payment-processing company's computers, a hacker apparently stole data on 200,000 credit and debit accounts and had access to 40 million. But that doesn't make the techniques required to pull off such a heist all that unusual. Security researchers say the murky online community of credit card thieves is increasingly sophisticated at exploiting weaknesses in financial networks. And even lesser mischief-makers, often derided as mere "script kiddies," can pick from a bundle of easily available tools that let them cut and paste the programming code needed to carry out attacks - without even understanding how it works. "I'd say a script kiddie could do this," said Jim Stickley, chief technical officer for TraceSecurity. "I don't think it would be difficult at all." Little has been publicly revealed about the attack on CardSystems Solutions, an Atlanta-based company that ferries card transactions between merchants and banks. The FBI and the company have been silent about details of the hack. Asked Tuesday whether one of the company's 115 employees could have been involved, Bill Reeves, CardSystems' senior vice president of marketing, said the company would not "rule anything in or out at this point." Even so, enough is known so computer security experts can make educated guesses. When the breach was announced Friday, MasterCard said someone had installed a virus-like program on CardSystems' network. CardSystems later acknowledged that the compromised data had been inappropriately stored for "research purposes" rather than deleted after transactions had ended. 
If that "research" had involved transferring data into less-secure parts of CardSystems' network - perhaps, say, so CardSystems programmers could run tests on real credit card records - outsiders who routinely probe systems for soft spots could have discovered the files. "In this day and age you have hundreds of attacks on every single Internet connection every single day," said Jonathan Rosenoer, director of risk and compliance solutions in IBM Corp.'s financial services practice. Once a weakness is found, how can it be exploited? Stickley offered one simple scenario: Someone could send a CardSystems employee an e-mail linking to a phony online greeting card. The link would produce the expected dancing dog or other jolly scene but in the background, a "Trojan horse" program would take root on the computer and prepare to relay information to an outsider. Because the program would enter through communications ports commonly left open for Web browsing, the attack would not be picked up by intrusion-detection software or blocked by a firewall. Robert Richardson, editorial director of the San Francisco-based Computer Security Institute, suspects the CardSystems hacker had to get into a database server rather than just an average Internet-connected computer. For that, "you'd need to be a notch above script kiddie," he said. Even so, he added, more and more automated tools now exist to unleash Trojan horses and other means of busting into complex systems. "They're moving up that food chain pretty fast." Tom Kelly, a former credit-fraud investigator for the Postal Service and Citigroup, said the CardSystems hack appears to be the work of a sophisticated ring that knew precisely what kind of file to grab. "Maybe they hack all kinds of different things and they just got lucky, but I think it's surprising," said Kelly, senior investigator at Stroz Friedberg, a computer forensics firm. 
"Can anybody - you and your friends - sit down, and if you're real computer savvy, get into this system? I don't think so. If you did it 24/7 and it was your job, I would say probably." Copyright © 2005 Wisconsin State Journal From isn at c4i.org Thu Jun 23 05:08:38 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jun 23 05:12:57 2005 Subject: [ISN] Getting cleared Message-ID: http://www.mysanantonio.com/business/stories/MYSA062205.1E.Getting_cleared.3147f7ca.html Meena Thiruvengadam Express-News Business Writer 06/22/2005 Landing one of the 750 or so jobs the National Security Agency plans to fill in San Antonio in the next few years won't be easy. Each NSA hire will have to gain a top secret/special intelligence security clearance, and that means proving oneself to be trustworthy, honest, reliable, discreet and unquestionably loyal to the United States. That process can be long and tedious. There are forms to fill out, friends, family and associates that must be questioned, and a lie detector test to pass. "What they're looking for," said Richard Piske, vice president and general manager of Kelly FedSecure, an agency specializing in finding jobs for people with security clearances, "is something in your past someone could gain access to and use against you as a means to extract classified information." University of Texas at San Antonio graduate Thoa Vo is confident that government investigators won't find anything like that in her life. "I've always thought of myself as a clean-cut person," said the 26-year-old information systems major. "I don't do drugs or anything, and I don't have anything to hide." Vo was among the 5,000 candidates who attended the NSA's recent job fair here. As part of its largest recruitment effort since the Cold War, the NSA last year began a campaign to hire 7,500 people nationwide by 2008. Hundreds of NSA employees will work at the old Sony manufacturing plant at Loop 410 and Military Drive. 
Each person who'll work there - like every NSA employee - will have to pass a medical screening, drug test, polygraph exam, and an in-depth background investigation going back 10 years. "They're going to talk to your neighbors, your employers, your family, do a very thorough evaluation of your credit history, talk to creditors, and do a deep background screening of law enforcement records," Piske said. Finding people willing to withstand that type of scrutiny isn't hard. The challenge lies in finding someone who can both carry out the job and gain a clearance. A top-secret clearance, one of several clearance levels, is required for anyone who would have access to information that if disclosed without authorization would cause grave damage to national security. Applicants with credit problems, a history of drug use or certain criminal convictions on their records won't be automatically rejected. Considerations will include the nature of the incidents, the circumstances and motivations surrounding them, the age and maturity level at the time of the transgression and the likelihood of recurrence. Getting a clearance can take more than a year. Someone who's lived in the same place all of his or her life, had only a couple of jobs and whose family has been in the U.S. for at least two generations will get through the process most quickly. For someone who was born in a foreign country or has direct family living abroad, it will take longer. "At any given time there are between 400,000 and 500,000 people being investigated for security clearances," Piske said. Regardless of how long it takes, Jesus "Jesse" Sanchez is willing to wait it out. "This is an organization that's not going to go away," the IT specialist said of the NSA. "And I'm looking for a company to retire from." The Holmes High School graduate also doesn't mind having his life scrutinized. "Because of the way I was raised, I've made some good choices and I've stayed clear of trouble," he said. 
"I don't have anything I'm worried about them finding out." Still, the path to a security clearance and into an investigative government organization is stressful and at times embarrassing, said Lindsay Moran, a former operative with the Central Intelligence Agency. Moran had to undergo three interviews, two types of drug tests, a full physical with vision and hearing checks, aptitude exams, personality and psychological assessments and a polygraph exam. Past drug use, which she writes about in her book "Blowing My Cover: My Life as a CIA Spy," didn't keep her out of the agency. "When I was honest about my drug use, it became a nonissue," she said. But during her investigation, Moran was labeled a sexual deviant and asked intimate details about her personal life. Government investigators, whom Piske describes as "not particularly friendly," questioned her friends and associates. "There were a lot of demoralizing experiences," she said. "The only thing that enabled me to get through it was having a sense of humor." From isn at c4i.org Thu Jun 23 05:09:02 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jun 23 05:13:11 2005 Subject: [ISN] Interview with Marcus Ranum Message-ID: http://www.securityfocus.com/columnists/334 Federico Biancuzzi 2005-06-21 Could you introduce yourself? I am Marcus Ranum, Chief Security Officer of Tenable Network Security, Inc., the producers of the Nessus vulnerability scanner and a suite of security vulnerability management tools. I've been working in the computer security arena for about 20 years, now, and was the designer and implementor of a variety of security solutions in the past, including firewalls, VPNs, and intrusion detection systems. I like to think I've been around long enough and done a wide enough variety of things that I've achieved a pretty good perspective on the trade-offs inherent in security technology. 
I was the designer and implementor of the first commercial firewall product, the DEC SEAL, in 1990, and was the "inventor" of the proxy firewall concept. In 1992 I wrote the TIS Firewall Toolkit and Gauntlet firewall, and set up and managed The President's email server (whitehouse.gov) during its first year of operation. I was founder and CEO of Network Flight Recorder, an early innovator in the IDS market, as well. IPv6 should be the future. Do you see a more secure future then? No, IPv6 isn't going to solve anything. IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks. Also, don't forget that the current version of IP has encryption and authentication built in already - and that hasn't helped solve any problems at all. Do you think that the problem is that we can't develop a secure protocol, or that people who define standards underestimate security threats? That's a profound question. There are a lot of factors that combine to defeat security in up-front design. For example, there's basic human nature: the guys who are defining standards can't resist the urge to leave their personal stamp on the future - which results in standards that generally have been assembled based on a process of negotiation by committee. That doesn't really work. That's what gives us these insanely complex multi-optioned heavily layered standards that nobody really understands: every person on the committee had to lobby to get his or her favorite feature included. 
I don't think that process in any way helps bring about useful security standards. A case in point would be the IETF's terrible fruitless attempts to establish a standard on IPSEC (IP crypto). It only took something like 9 years. Those of us in the commercial world who needed solutions just went ahead and solved the problem for ourselves while the IETF kept arguing. If I recall correctly, when we added IP crypto to our Gauntlet firewall in 1993, it took my engineer on that feature about two months to come up with a complete proprietary implementation.

I don't think that the standards committees underestimate security threats; I just think they're too busy doing things that are more important to them -- like holding meetings and writing minutes, or whatever it is that they do all the time. The standards I've seen that try to address security all seem to be over-engineered and too late, while the standards that ignore security are usually rapidly adopted and full of security problems. It's a no-win situation either way.

Do you have any idea how to improve the way RFCs get created?

I think the whole RFC process is obsolete. In fact, it never would have worked at all, if not for the fact that in the early days, nobody cared about the Internet. So the IETF could have their meetings and write their RFCs in a vacuum that was free of commercial interest. Once the Internet became a commercial phenomenon, you can see that the IETF's productivity basically went to zero because the vendors were all trying to pack the working groups with their people to make sure that their existing implementations got selected as the standard. That's pretty much what happened with IPSEC, for example. IETF nearly converged on an IPSEC standard several times until Cisco and other large vendors began making rumblings about "we won't support this" and "we hold patents on that" to try to keep the market divided.

How would I improve it?
I think if you look at what standards committees have become today, they're really little more than ratification bodies that rubber-stamp the de facto standard. Usually they tweak it a little bit to salve their pride but that is about it. I think we could do away with the whole standards thing very easily if a few customers just exercised their economic power a little bit intelligently. Big customers have huge power, but they seem to have forgotten that. If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases of VPN products until they saw proof of interoperability, and open published specifications that weren't encumbered by patents or licenses, the whole market would standardize practically overnight. Because the truth is nobody cares about standards - everyone cares about what you can do with interoperable systems. If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast.

The RFC idea could be brought into the present day if it came from customers not vendors and dilettantes. How about if the CTO of AT&T announced "We're going to standardize on XYZ's implementation of online telephony" and the CTOs of GE, Verizon, Ford Motor [Company], and Citibank announced "we're doing that, too." Game over.

Big customers need to drive standards by not tolerating market-dividing games from vendors. Sitting back and waiting for vendors to come up with standards means that they can divide the market while they're waiting to see who becomes the dominant player. Then everyone has to standardize on the dominant player anyhow. Right now, the whole way we do standards is 100% backwards. Just flip it around and it might work a whole lot better.

If a standard protocol is broken or insecure, what is the best solution? Maybe supporting only some features or adding a crypto layer?

If it's broken, adding crypto just makes it broken and hidden.
If a standard protocol is broken, the best solution is to deprecate the standard and use something else. Just fix it and move on. It's not like standards are some kind of holy writ; nobody is going to be punished for ignoring bad standards, right? Remember the ISO networking protocols? Too late, too complicated, and everyone said "no thanks." We can do the same, and we should. Big customers should feel empowered to tell vendors (or standards committees, for that matter), "Nope. That sucks. No money for you, until you fix it." The customer is always right.

Have you ever chosen to avoid a protocol because you considered it completely broken by design?

All the time. I avoid 90% of the current internet protocols. It's a hard fight, though. When I was CTO of one company I kept having to fight to keep our sales team from using those stupid, "remote control your PC to give a customer demo" technologies. What kind of customer would give a vendor's sales rep control of their desktop? But people keep/kept asking for it. Eventually, these problems migrate from being technical problems to political problems, and then security goes out the window.

What about WiFi?

I waited for 8 years until the technology was fairly sorted-out before I spent any of my money on it. So, unlike all the "early adopters" who bought wireless access points with buggy crypto and huge security holes, I got something fairly decent for under $100, and it supports WPA which, by all accounts, is pretty good. Sometimes, patience is a terrific strategy. Wait and see what happens to the early adopters. If they're all getting hacked to pieces or spending tons of money on patches and upgrades and fixes to the stuff they bought - then it's not ready, yet. This seems obvious to me, but a lot of very senior IT managers don't appear to understand it. The longer you wait the more desperate the vendors will get, and, if you can articulate your requirements clearly, the more likely they'll listen to you.
Do you see any new, interesting, or promising path for network security?

Nope! I see very little that's new and even less that's interesting. The truth is that most of the problems in network security were fairly well-understood by the late 1980's. What's happening is that the same ideas keep cropping up over and over again in different forms. For example, how many times are we going to re-invent the idea of signature-based detection? Anti-virus, Intrusion detection, Intrusion Prevention, Deep Packet Inspection - they all do the same thing: try to enumerate all the bad things that can happen to a computer. It makes more sense to try to enumerate the good things that a computer should be allowed to do.

I believe we're making zero progress in computer security, and have been making zero progress for quite some time. Consider this: it's 2005 and people still get viruses. How much progress are we making, really? If we can't get a handle on relatively simple problems such as controlled execution and filesystem/kernel permissions, how much progress are we going to make on the really hard problems of security, such as dealing with transitive trust? It's 2005, and IT managers still don't seem to know how to build networks that don't collapse when a worm gets loose on them. Security thinkers realized back in the early 80's that networks were a good medium for attack propagation and that networks would need to be broken into separate security domains with gateways between them. None of this is rocket science - I think that what we're seeing today is the results of this massive exuberance in the late 1990's in which everyone rushed to put all their mission critical assets onto these poorly protected networks that they then hooked to the Internet. That was a dumb idea, and that fact just hasn't sunk in, yet.

Do you like the approach of De-Perimeterisation (moving the firewall from a centralized position to each host)?
I've heard of this concept under a variety of names before; it's been around for a long time. The problem is that, by itself, it won't work. Why push security down to the individual host level? Well, the obvious reason is that the network is not trustworthy. But, if the network is not trustworthy, how can any 2 hosts communicate safely? Most of the application protocols in use are still insecure and unencrypted. So, you set up little VPNs between each host, and you tunnel some applications over SSH or SSL. But that still doesn't work because you've now got a problem of transitive trust. If host A talks to host B and host B talks to host C, then a vulnerability in host B leaves host A open to attack from host C.

Transitive trust is the "secret killer" of computer security but most of the time we never bump up against it in practice because it's easier for hackers to get in via simpler methods. We recently saw a case where a hacker made significant penetrations into some very secure systems using an attack against the trust relationships between the different systems in a large research community. The hacker compromised one researcher's account at a university and trapdoored the researcher's SSH client. When the researcher logged into a system at another research facility, the hacker now had the researcher's SSH password and was able to penetrate the next facility, set up a trapdoored SSH client there, and eventually he got the root account as the administrator SSH'd into a local server. The hacker had several months' worth of fun and by the time it was all over, he had compromised several hundred systems and gained administrative privileges in 5 different research facilities across the Internet. Having per-desktop firewalls would not have helped at all in this type of scenario, unfortunately, since once the hacker was into the first system, they were operating entirely at an application level.
To really secure systems, everything needs to be done 100% right at application layer, kernel layer, network layer, and at the boundary of the network. That's a huge undertaking and nobody has made any effort to tackle it directly because the resulting system would probably be unusable. The guys who wrote the rainbow series in the 1980's understood this and tried to get security practitioners to think about the problem, but solutions like that simply aren't commercially viable. So the security industry and many security users have been bouncing back and forth between, "let's secure the networks with firewalls and forget about host security," and, "let's secure the hosts and forget about the networks." Neither by itself will really work.

I've seen some practitioners (coincidentally, the ones who sell file encryption products) saying "let's just secure the data! forget firewalls and network security! forget host security!" but that's an even worse idea. If you just secure the data, the first person who installs a keyboard sniffer has your password and it's all over. Whenever someone tells you that there's a novel, easy solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work.

What about buying a switch that includes a packet filter? This solution should provide a trustworthy network with the added bonus of isolating and filtering each host.

It's not a technology problem, it's a management problem. There are plenty of tools that can be used to control inter-host trust, but they are generally not used because they're "too hard" or "inconvenient" or whatever. For example, the big Cisco switches all have the ability to process ACLs at high speed. Isolating and filtering each host is very possible and would be very effective using existing technology.
Let's imagine a simple scenario: suppose I have a subnet consisting of 150 hosts that all access a local departmental server with file service and print service, etc. Further, let's imagine that the hosts on that subnet need Internet browsing access and access to an enterprise Email server (IMAP + SMTP) that sits someplace else on my corporate LAN. And, perhaps, some of my users need access to the mainframe for SQL, while others don't. So, I could put ACLs in the switch to, "allow all/all to the local subnet server," "allow IMAP, SMTP to the off-network mail server," "allow all, port 80, to the web caching proxy off-network," "allow {list} SQL to the mainframe," "default: deny all." That's not very hard, is it? Does Bob's workstation need to talk directly to Jane's? No? Then don't allow it. And a network like that is going to be extremely resistant to worms or active penetration. Of course nobody does that kind of thing: they just plug it all together, make it work, and then ignore it and hope it doesn't get hacked.

In order to build really secure systems you need to understand the trust relationships between your systems and then build your systems to enhance and support your mission based on those trust relationships. But that's hard work that very few people have the courage and patience to undertake. So instead, they want to just throw technology at the problem - which won't work - because there is no amount of technology that can effectively build your trust relationships for you if you don't understand them yourself.

The computer security industry is trapped in this backwards mindset in which its practitioners keep trying to "list and deny all the things that are bad" rather than "list and permit all the things that are necessary and good." It may have worked for a while, back when there were only a handful of attack techniques being used, but nowadays there are far more attack techniques than there are legitimate forms of traffic.
Security system designers who focus on permitting only what is known to be good will always build systems that are more reliable, durable, and hack-proof.

Do you see a growing gap between common hosts on the Internet and hosts managed by security people?

Not really! Security practitioners these days have very little power to encourage other IT professionals to actually secure their systems. In fact, I'm pretty convinced that a lot of security practitioners really don't know how to secure systems at all. It's always a surprise to me when I talk to a security practitioner and they say something like, "I recommended against running [pick your favorite stupid online chat program] through our firewall but was overruled by one of our VPs who wanted to use it." Most of the firewalls that I've seen are configured with rulesets that are ridiculously loose. And the results show: 80% of corporate desktops are infected with spyware, 15% of them are infected with keystroke loggers. Is that better than the common home user's system? Maybe a bit, but hardly enough to make a difference.

If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, virus, and so on. Who should we blame? OS producers? Or our neighbours that chose that particular software and then run it without an appropriate secure setup?

There's enough blame for everyone. Blame the users who don't secure their systems and applications. Blame the vendors who write and distribute insecure shovel-ware. Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam. Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations. Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc. Truly, the only people who deserve a complete helping of blame are the hackers.
Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

Copyright 2005, SecurityFocus

From isn at c4i.org Thu Jun 23 05:08:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 23 05:13:26 2005
Subject: [ISN] Internal hackers pose the greatest threat
Message-ID:

http://www.vnunet.com/2138597

Robert Jaques
vnunet.com
23 Jun 2005

Internal hackers pose the greatest threat to the IT systems of the world's largest financial institutions, according to the 2005 Global Security Survey released today by the financial services industry practices of Deloitte Touche Tohmatsu.

Over a third of respondents admitted to having fallen victim to internal hack attacks during the past 12 months (up from 14 per cent in 2004) compared to 26 per cent from external sources (up from 23 per cent in 2004).

Instances of phishing and pharming, in which hackers lure people into disclosing sensitive information using bogus emails and websites, rocketed during the past year, underscoring the human factor as "a new and growing weakness in the security chain".

The study noted that the shift in tactics to exploit humans, rather than technological loopholes, is explained by the improved use of IT security systems. This includes the increased deployment of antivirus systems (98 per cent compared with 87 per cent in 2004), virtual private networks (79 per cent compared with 75 per cent) and content filtering and monitoring (76 per cent compared with 60 per cent).

"Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats," said Adel Melek, a partner in the Canadian member firm of Deloitte Touche Tohmatsu.
"But the rise and increased sophistication of attacks that target customers, and internal attacks, indicate that there are new threats that have to be addressed.

"Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap."

However, the survey results show that security training and awareness have yet to top the agenda of chief information security officers, as less than half of respondents have training and awareness initiatives scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 per cent) and reporting and measurement (61 per cent).

The findings aligned with financial institutions' future investment plans in security, with 64 per cent of money set aside for security tools, compared with only 15 per cent for employee awareness and training.

Ted DeZabala, a principal in the security services group at Deloitte & Touche LLP, said: "With threats such as identity theft, phishing and pharming on the rise, organisations should be implementing identity management solutions encompassing access, vulnerability, patch and security event management.

"These solutions should be augmented by security training and awareness if organisations are to minimise the number of human behavioural threats.

"Clearly, continued vigilance is needed to meet and exceed the requirements and truly protect corporate data from security threats."
From isn at c4i.org Thu Jun 23 05:08:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 23 05:13:43 2005
Subject: [ISN] CardSystems' Data Left Unsecured
Message-ID:

http://www.wired.com/news/technology/0,1282,67980,00.html

By Kim Zetter
June 22, 2005

CardSystems Solutions -- the credit-card processing company that recently exposed 40 million debit and credit-card accounts in a cyber break-in -- failed to secure its network, even though the network had been certified secure to a data security standard, according to Visa.

Since 2001, Visa and MasterCard have been touting a data security industry standard they developed in an effort to prevent credit-card data theft and stave off federal regulation. The standard has become a required criterion for businesses handling credit-card transactions.

Visa spokeswoman Rosetta Jones told Wired News that CardSystems Solutions received certification in June 2004 that it was compliant with the standard, but an assessment after the breach showed it was not compliant.

MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network.

"Had they been following the rules and requirements, they would not have been compromised," Jones said.

CardSystems did not return calls for comment.

The company was due this month for an annual audit to determine its ongoing compliance with the standard when it discovered the data breach in May.

"We sent in a forensic team (after the breach) and determined they were not compliant based on how they were managing data," Jones said.

Jones would not provide specifics on what auditors found in their assessment. But when asked if it would be fair to say that the evidence indicated a failure to apply a firewall or maintain virus definitions -- two basic steps in securing a network -- she said, "That would be fair."
The standard, called the Payment Card Industry Data Security Standard, or PCI, consists of 12 requirements (PDF), such as installing a firewall and anti-virus software and regularly updating virus definitions. It also requires companies to encrypt data, to restrict data access to people who need it and to assign a unique identifying number to people with access rights in order to monitor who views and downloads data.

Although the standard was developed by Visa and MasterCard, it's endorsed by other credit-card companies. It applies to any merchant or service provider that processes, transmits or stores credit-card payments and places additional requirements on card issuers, such as banks, to ensure that merchants and service providers comply with the requirements and report breaches in a timely manner.

The standard went into effect June 2001, although businesses had until June 30th of this year to validate that they were in compliance, Jones said. Since 2001, any business wishing to process credit-card transactions had to sign a contract binding them to the PCI standard and obtain a security audit from an approved assessor certifying their compliance.

Jones said CardSystems had an assessor evaluate its compliance and submitted paperwork toward that compliance in June 2003. But Visa rejected it.

"We felt that they had more work to do to become more fully compliant," Jones said, declining to disclose what prompted the rejection. A year later CardSystems submitted paperwork again and received certification in June 2004.

Bruce Schneier, chief technology officer at Counterpane, a computer security firm that helps companies secure and monitor their networks, said the revelation highlights a universal problem with enforcing standards.

"The standard not only has to be good, but the compliance process has to have integrity," Schneier said. "But a lot of (compliance involves) self-certification. It's things you say you do. And it's only audited minimally."
CardSystems is a major processor of credit-card transactions. According to its website, it processes more than $15 billion annually in credit-card transactions for Visa, American Express, MasterCard and Discover. It also processes online transactions and Electronic Benefit Transfer transactions -- cards used by the government to dole out social welfare benefits such as food stamps and unemployment payments.

Jones wouldn't say who performed the compliance assessment for CardSystems, but she noted that the assessor had to come from an approved list of auditors (PDF) that Visa and MasterCard maintain. Approved assessors go through a screening process. Jones said their reputation relies on making certain that they "assess (a company's) situation as truthfully and honestly as possible."

Per the PCI standard agreement, Visa and MasterCard can fine merchants that don't comply with the data standard or they can withdraw the company's right to accept credit-card payments or process transactions. They could also conceivably collect damages from a company if the breach resulted in a massive data loss that required Visa or MasterCard to launch an expensive public relations campaign to counteract the loss of public confidence in their cards.

"Visa and MasterCard could say 'you owe us $300,000 that we had to spend on attorneys' fees and PR consultants,'" said Chad King, a partner in the Texas law firm Hughes and Luce, who specializes in privacy and data security issues. "Now would they do that? It's unlikely. But if the merchant is Amazon.com, then maybe Visa would do it."

The bank that issued the credit card and the merchant's bank could also be fined up to $500,000 per incident if a merchant or service provider they did business with was out of compliance with the standard at the time of a breach.
Card issuers would also be subject to a $100,000 penalty if they failed to notify Visa's fraud control unit of a suspected or confirmed loss of data at one of their merchants or service providers.

King said that many large merchants are already complying with the standards.

"This is going to help smaller merchants and processors," he said. "It will make them sit up and take note: If you're going to play in the credit-card game, here are the rules."

The compliance requirement for the data standard goes into effect as federal lawmakers are discussing legislation to regulate businesses that deal with sensitive personal information in the wake of other high-profile data breaches and security failures at companies like ChoicePoint, Bank of America and CitiBank.

"They are really trying to hold up a banner and say we're self-regulating and we can do this ourselves," King said. "But I think ultimately we will see some federal regulation here."

Schneier said the PCI standard has teeth, since it levies financial penalties and raises the cost of processing credit cards for companies that are caught not complying, but he said Visa and MasterCard now have to work out the compliance issues.

"They're terrified that everybody will be afraid to use their credit card," Schneier said, about the motivation for the standard requirements. "They're trying to protect the integrity of their brands. So if they're not working, Visa and MasterCard will figure out how to make them work."

Of course the standard will motivate companies only if they actually have to pay a price for non-compliance. Jones said that there is currently no plan to fine CardSystems Solutions for its lax security.

The New York Times reported this week that federal banking regulators have launched an investigation into CardSystems' security procedures.
From isn at c4i.org Thu Jun 23 05:10:22 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 23 05:14:42 2005
Subject: [ISN] Security UPDATE -- Phishing and Pharming -- June 22, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Download NOW and be the First-to-Know
http://list.windowsitpro.com/t?ctl=CC34:4FB69

Testing Your Security Configuration
http://list.windowsitpro.com/t?ctl=CC22:4FB69

====================

1. In Focus: Phishing and Pharming

2. Security News and Features
- Recent Security Vulnerabilities
- Three Previous Microsoft Security Bulletins Re-released
- Setting Up Windows Server Update Services

3. Instant Poll

4. Security Toolkit
- Security Matters Blog
- FAQ

5. New and Improved
- Rugged and Encrypted Laptop

====================

==== Sponsor: TNT Software ====

Download NOW and be the First-to-Know

Download ELM Enterprise Manager from TNT Software NOW and be the First-to-Know when changing conditions indicate security threats. ELM is the comprehensive monitoring, alerting and reporting solution that gives IT Managers confidence that their systems are continuously watched, and that they will be immediately alerted when suspicious activities occur. Security breaches can be minimized when real-time monitoring and alerting strategies are deployed. To experience the benefits of fortifying your security perimeter with ELM Enterprise Manager, take a FREE full featured, 10 system, 30 day evaluation test drive NOW.
http://list.windowsitpro.com/t?ctl=CC34:4FB69

====================

==== 1.
In Focus: Phishing and Pharming ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You've undoubtedly heard of "phishing," luring users (typically through email messages) to phony Web sites that imitate legitimate Web sites to try to trick users into divulging private information such as logon IDs, passwords, and account numbers. Phishing can lead to unauthorized monetary charges against your merchant accounts, unauthorized use of your services, and more.

Tools such as CoreStreet's SpoofStick (at first URL below) and the Netcraft Toolbar (at second URL below) can help in some cases. Both tools are add-ons for Microsoft Internet Explorer (IE) and Mozilla Firefox that try to determine and display the real domain of the site you're visiting.
http://list.windowsitpro.com/t?ctl=CC38:4FB69
http://list.windowsitpro.com/t?ctl=CC1F:4FB69

Recently, hackers have been combining phishing with DNS poisoning or DNS hijacking--also known as "pharming." In a pharming attack, the attacker changes DNS records of the servers at an ISP or at the company that's the target of the attack, or modifies a client system's HOSTS file or DNS settings. Obviously, protecting against such attacks means devising some method of establishing trust in DNS query results. The two tools I mentioned above don't help much against pharming.

I know of three ways to help prevent pharming attacks. The first method is for a company to use a service, such as one recently announced by MarkMonitor, to monitor the company's DNS servers for unauthorized changes. When unauthorized changes are detected, MarkMonitor alerts the company so that it can begin working to correct the situation.
http://list.windowsitpro.com/t?ctl=CC3C:4FB69

A second method, which is also new, is to use Next Generation Security's (NGSEC's) AntiPharming tool, which works at the client level (rather than the server level) to prevent unauthorized changes to a system's HOSTS file and local DNS settings.
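The two client-side ideas in this column, watching the HOSTS file for overrides and cross-checking a DNS answer against several independent resolvers, can be scripted by a defender. The Python below is an added example written for this page, not code from the newsletter or from NGSEC's product; its HOSTS contents, domain names, addresses and resolver answers are all constructed, and the resolver lookups are simulated so it runs offline.

```python
"""Added example: two simple client-side pharming checks.

Constructed data throughout; resolver answers are simulated so the script
runs offline. Not code from the newsletter or from any vendor product.
"""
import ipaddress
from collections import Counter

# Constructed HOSTS-file contents: a comment, the usual localhost line, and
# an injected line that pins a bank's web site to an unexpected address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.examplebank.test bank.examplebank.test   # injected
"""

# Names we never expect to be resolved from the local HOSTS file.
WATCHED_NAMES = {"www.examplebank.test", "login.examplebank.test"}


def parse_hosts(text):
    """Return (address, hostname) pairs from HOSTS-file text.

    Trailing '#' comments are stripped, blank lines are ignored, and a line
    whose first field is not an IP address is skipped as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def hosts_overrides(text, watched):
    """Return the watched names that the HOSTS file overrides, sorted."""
    watched = {w.lower() for w in watched}
    return sorted({name for _, name in parse_hosts(text) if name in watched})


def check_answer(client_answer, reference_answers, quorum=2):
    """Compare the address a client got for a name with reference resolvers.

    Returns (verdict, majority_answer):
      'ok'         the client's answer matches the reference majority
      'suspicious' the references agree with each other but not the client
      'no-quorum'  fewer than `quorum` references agree, so no verdict
    """
    if not reference_answers:
        return "no-quorum", None
    majority, votes = Counter(reference_answers).most_common(1)[0]
    if votes < quorum:
        return "no-quorum", None
    if client_answer == majority:
        return "ok", majority
    return "suspicious", majority


def run_checks(hosts_text, watched, observed):
    """Produce a list of findings for a HOSTS file and observed DNS answers.

    `observed` maps name -> (client_answer, [reference answers]).
    """
    findings = []
    for name in hosts_overrides(hosts_text, watched):
        findings.append(f"HOSTS overrides {name}")
    for name, (client, refs) in sorted(observed.items()):
        verdict, majority = check_answer(client, refs)
        if verdict != "ok":
            findings.append(
                f"DNS {name}: {verdict} (client={client}, majority={majority})")
    return findings


if __name__ == "__main__":
    # Constructed observations: for the bank's site the client was handed an
    # address that three independent resolvers do not agree with.
    OBSERVED = {
        "www.examplebank.test": ("198.51.100.23",
                                 ["203.0.113.10", "203.0.113.10", "203.0.113.10"]),
        "login.examplebank.test": ("203.0.113.11",
                                   ["203.0.113.11", "203.0.113.11", "203.0.113.11"]),
    }
    for line in run_checks(SAMPLE_HOSTS, WATCHED_NAMES, OBSERVED):
        print(line)
```

A real deployment would replace the simulated reference answers with live queries to resolvers you trust, and would treat a "no-quorum" result as a reason to investigate rather than as a clean bill of health.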
It also listens on the system's network interfaces to capture DNS query responses and then double-checks those responses against "three secure DNS servers." The tool comes with three DNS servers preconfigured, and you can modify those server addresses as you see fit. The tool is available free for personal use and requires a fee for commercial use.
http://list.windowsitpro.com/t?ctl=CC36:4FB69

Another new solution, Identity Cues from Green Armor Solutions, works at the Web site level. The first time a user logs on to an Identity Cues-protected Web site, the product generates colored visual cues that will then appear each time the user logs on to the site. A spoofed Web site won't be able to generate the same cues, so a user sent to a spoofed site will immediately know that he or she isn't visiting the legitimate Web site. Identity Cues is definitely a novel concept.
http://list.windowsitpro.com/t?ctl=CC3D:4FB69

All three approaches sound like good ideas and would go a long way towards thwarting phishing and pharming. I suspect that there are other ways to help prevent pharming, but at this point I'm unaware of any other solutions. If you know of any, please send me an email message that fills me in on the details.

=== Calling All Windows IT Pro Innovators!

Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the Windows IT Pro Innovators Contest! Grand-prize winners will receive a host of great prizes and a write-up in the November 2005 issue. Contest extended to July 1, 2005! To enter, click here:
http://list.windowsitpro.com/t?ctl=CC29:4FB69

====================

==== Sponsor: Microsoft ====

Testing Your Security Configuration

Over a decade ago the Department of Defense (DoD) released a statement saying, "Hack your network, or the hackers will do it for you." Today, vulnerability-scanning hackers, Internet-traveling worms, and roving bots are common.
This free white paper will discuss how to identify and fix vulnerabilities, discover and use vulnerability assessment tools, evaluate your security investment and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=CC22:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=CC28:4FB69

Three Previous Microsoft Security Bulletins Re-released
Microsoft released ten security bulletins this month. Did you know the company also re-released three older security bulletins? Find out what they are and whether you need to load them in this story on our Web site.
http://list.windowsitpro.com/t?ctl=CC2F:4FB69

Setting Up Windows Server Update Services
Patch management is a headache for security administrators at most organizations. Microsoft has developed an improved patch-management product, called Windows Server Update Services (WSUS). WSUS offers benefits for organizations of all sizes, thanks to its flexibility, advanced features, and ease of deployment. John Howie walks you through the process of installing and configuring WSUS for your organization, obtaining updates, and configuring clients to use WSUS to obtain updates.
http://list.windowsitpro.com/t?ctl=CC2D:4FB69

====================

==== Resources and Events ====

Anti-spam product not working?
Many email administrators are experiencing increased frustration with their current anti-spam products as they battle new and more dangerous email threats. In-house software, appliances and even some services may no longer work effectively, require too much IT staff time to update and maintain, or satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users.
http://list.windowsitpro.com/t?ctl=CC25:4FB69

Back By Popular Demand - SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=CC26:4FB69

Token Authentication: Getting It Right
Perhaps you need tokens for management or mobile workers, or your only applications that need token support are VPN, extranet access, or PC security. In this free Web seminar, join industry guru Randy Franklin Smith and learn how you can make a solid business case to management that justifies tokens. You'll also discover what the right combination of token devices and middleware can do. Plus - receive checklists of key evaluation and testing points for rollout time. Register now!
http://list.windowsitpro.com/t?ctl=CC24:4FB69

Recover Your Active Directory
Get answers to all your Active Directory recovery questions here! Join industry guru Darren Mar-Elia in this free Web Seminar and discover how to use native recovery tools and methods, how to implement a lag site to delay replication, limitations to native recovery approaches and more. Learn how you can develop an effective AD backup strategy - Register today!
http://list.windowsitpro.com/t?ctl=CC23:4FB69

The Essential Guide to Exchange Preventative Maintenance
Database health is the weakest link in most Microsoft Exchange Server environments. Download this Essential Guide now and find out how the ideal solution is an automated, end-to-end maintenance and management tool that provides a centralized view of the entire managed infrastructure. Get your free copy now!
http://list.windowsitpro.com/t?ctl=CC27:4FB69

====================

==== Featured White Paper ====

Avoiding Availability Pitfalls in Microsoft Exchange Environments
Many solutions are targeted at making Exchange email environments more reliable; however, a wide range of potential difficulties still lurk, waiting to interrupt service and, ultimately, your business. In this free white paper, discover the more common pitfalls that can lessen Exchange availability and the recommendations for what you can do to avoid the problem and better plan your Microsoft Exchange messaging environment.
http://list.windowsitpro.com/t?ctl=CC20:4FB69

====================

==== Hot Release ====

FREE Download - The Next Generation of End-point Security is Available Today.
NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines from all types of malware even before Windows loads and without slowing them down. NetOp provides process & application control, real-time centralized management, automatic network detection & profiles and more. Try it FREE.
http://list.windowsitpro.com/t?ctl=CC21:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll: How will you use WSUS in your enterprise?
The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 32 votes.
- 56% As my patch management infrastructure
- 6% As a backup to SMS 2003 or other patch management infrastructure
- 0% As a reporting tool to check on compliance with patches
- 38% I won't be using WSUS

New Instant Poll: Does your network firewall provide stateful application-layer inspection in addition to the traditional stateful packet inspection?
Go to the Security Hot Topic and submit your vote for
- Yes
- No
http://list.windowsitpro.com/t?ctl=CC32:4FB69

==== 4. Security Toolkit ====

Security Matters Blog: Security Checklists and Scripts
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=CC37:4FB69
If you're looking for security checklists and helper scripts for Windows platforms, there are several available from Corp-Sec, a nonprofit group of IT professionals. In addition to those resources, you can also find scripts that help with incident response, a list of security mailing lists that you might want to join, whitepapers, and more.
http://list.windowsitpro.com/t?ctl=CC2E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=CC33:4FB69
Q: What's port 445 used for in Windows 2000 and later versions?
Find the answer at
http://list.windowsitpro.com/t?ctl=CC30:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=CC31:4FB69

Monthly Online Pass = Quick Security Answers!
Sign up today for your Monthly Online Pass and get 24/7 access to the entire online Windows IT Security article database, including exclusive subscriber-only content. That's a database of over 1,900 Security articles to help you get all the answers you need, when you need them. Sign up now for just US$14.95 per month:
http://list.windowsitpro.com/t?ctl=CC2A:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Rugged and Encrypted Laptop
Getac's MobileForce M220 ruggedized notebook computer is now available with Enova X-Wall 40-bit real-time cryptographic gateways.
Once the encryption is activated, users and potential hackers must manually enter a 5-character alphanumeric preboot password to load the OS and view the contents of the drive. This password resides only in a Secret Key on the hard disk drive (not in the registry), making the drive seem unformatted if stolen and installed in another computer. The M220 with Enova X-Wall LX-40 security is designed for accounting and insurance audit, military, police, fire, homeland security, medical, and banking applications. It's priced at $3995 with significant volume and other discounts available. For more information, go to
http://list.windowsitpro.com/t?ctl=CC3B:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Quest Software
Eleven things you must know about quick AD recovery!
http://list.windowsitpro.com/t?ctl=CC3E:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=CC39:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=CC2B:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jun 24 01:22:20 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:28:29 2005
Subject: [ISN] AT&T plans CNN-style security channel
Message-ID:

http://www.networkworld.com/news/2005/062305-att-cnn-security.html

By Stephen Lawson & Robert McMillan
IDG News Service
06/23/05

Security experts at AT&T are about to take a page from CNN's playbook. Within the next year they plan to begin delivering a video streaming service that will carry Internet security news 24/7, according to the executive in charge of AT&T Labs.
The service, which currently goes by the codename Internet Security News Network (ISN), is under development at AT&T Labs, but it will be offered as an additional service to the company's customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T's Global Networking Technology Services and AT&T Labs.

ISN will look very much like Time Warner's Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. "It's like CNN," he said. "When a new attack is spotted, we'll be able to offer constant updates, monitoring, and advice."

The online video channel will feature interviews with AT&T security professionals, as well as experts from a variety of different organizations like network hardware vendors and the U.S. Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT). All the while, news on the latest security vulnerabilities will stream across the bottom of the screen, much like the ticker symbols used by TV news networks, Eslambolchi said. "You will see... what viruses exist and where they came from," he said.

AT&T also plans to provide its own analysis of Internet security threats, culled from probes of AT&T's massive TCP/IP networks that can be used to help predict where and when attackers will strike with new exploits. "We extract intelligence and knowledge from the network and we do data analysis, data mining, and we do artificial intelligence on the network," Eslambolchi said. "We use that to create a cybersecurity index to see where these worm and viruses and phishing and pharming attacks are coming from."

While a number of information services and Web sites monitor Internet security, nobody has managed to develop a single point of contact that addresses all security concerns, said Andrew Jaquith, senior analyst with The Yankee Group in Boston. "There is really no good, consistent source for security information on the Internet," he said.
AT&T's streaming video service would be the first attempt to meet that need by using video, Jaquith said. "This sounds like something pretty innovative to me. Personally, I'd check it out."

ISN is part of a larger research and development effort within AT&T to build new ways of protecting networks from attack. Called the "Cyber Security Defense Initiative," the effort has produced a number of technologies that the company is using to strengthen its TCP/IP network, Eslambolchi said.

Eslambolchi likened the effort to former U.S. President Ronald Reagan's Strategic Defense Initiative, also known as Star Wars. "My strategy in AT&T is the Star Wars concept because I am not in a cold war with these crooks anymore, I am in a nuclear war," he said. "Every time they form a nuclear missile, I have to know where they are going to hit me and I have to devise a new defense mechanism."

Using a Cyber Security tool called the Traffic Analysis System, AT&T was able to anticipate the Sasser worm outbreak 12 hours before it hit the Internet last year, Eslambolchi said.

Later this month, another Cyber Security technology called Cloaking will go live, making it much more difficult for attackers to hit AT&T's Internet backbone, Eslambolchi said. "None of the routers on our backbone will have any big Internet routes in them," he said. "Our routers will never be visible to these crooks or anybody else."

From isn at c4i.org Fri Jun 24 01:22:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:28:53 2005
Subject: [ISN] Virus puts N-plant data on Net
Message-ID:

http://www.yomiuri.co.jp/newse/20050624wo2a.htm

The Yomiuri Shimbun
June 24, 2005

Maintenance data on nuclear power plants were leaked and shown on the Internet after a computer virus attacked a personal computer of an employee of Mitsubishi Electric Corp.'s subsidiary in charge of plant inspections and maintenance, it was learned Thursday.
Data equivalent to 31 floppy disks, including a draft report of power plant inspections, a repair manual, name lists of inspection workers and photographs of the inside of the plants, were leaked from the employee's privately owned PC.

The plants included Tomari Nuclear Power Station of Hokkaido Electric Power Co., Sendai Nuclear Power Station of Kyushu Electric Power Co. and Mihama Nuclear Power Plant of Kansai Electric Power Co.

As much of the information was confidential, the problem is expected to stir controversy over the security of information on nuclear power plants and other related facilities, nuclear experts said.

Maintenance work on the plants was consigned by Mitsubishi Electric to its subsidiary, Mitsubishi Electric Plant Engineering Corp. based in Taito Ward, Tokyo. The company said the data leakage likely was caused by a computer virus that affected the laptop PC of an employee who was in charge of maintenance.

The virus appears to be of a variety that infects Winny file-swapping software and reveals data through the software. Winny is free software available on the Internet with which users can share and swap documents, graphics, audio and other computer files stored on individual PCs via the Internet.

Officials of the subsidiary said its employees were allowed to use privately owned PCs for work if they received permission from their superiors. They added that data-coding and other measures to prevent information leakage were not used on employees' private PCs.

The Nuclear and Industrial Safety Agency has demanded the power companies submit a detailed report about the incident as soon as possible. Kazuo Matsunaga, director general of the agency, said, "Right now it hasn't been confirmed that information about nuclear material that is immediately legally problematic was leaked." The agency believes that there was no leakage of sensitive information that would constitute a violation of the Nuclear Reactor Regulation Law.
Mitsubishi Electric said the leaked data included a draft report about checks on Tomari plant's No. 2 reactor and work manuals for repair work on Sendai plant's No. 1 reactor. The data also included a copy of an e-mail written by the employee to parent company officials that said he had discovered an abnormality in a part of a generator, but had not reported it to the power company. Mitsubishi Electric said it was investigating whether this apparent failure to report the incident to the company was true.

A Mitsubishi Electric official said: "All the data were about power generators. They contained no information directly related to nuclear reactors."

"We'll urgently confirm all details of the incident and totally reexamine information control systems," the official added.

However, it is possible that highly secret information directly related to the safety of nuclear reactors could be leaked from private PCs belonging to employees.

Information technology experts said the incident again confirmed lax information management in companies and government offices, and experts believe the problem likely will make the government and companies question whether their systems to control confidential and personal information are sufficient.

There have been numerous incidences of information being leaked through Winny file-sharing. In addition, there are various methods to illegally obtain personal and confidential information via the Internet, such as hacking and phishing.

Last year in Hokkaido, information on police investigations was leaked from a police officer's own PC. In March, names, health check results and other personal information on about 50 patients who had checkups at Tokyo Medical and Dental University Hospital in Bunkyo Ward, Tokyo, were found to have been leaked.
Copyright 2005 The Yomiuri Shimbun

From isn at c4i.org Fri Jun 24 01:23:48 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:30:44 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-25
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-06-16 - 2005-06-23

This week : 45 advisories

========================================================================
Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Multiple browsers are vulnerable to the "Dialog Origin" vulnerability, which can be exploited by malicious people to spoof JavaScript Dialog boxes.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

For more information about this issue, please refer to the Secunia advisories below.

Reference:
http://secunia.com/SA15492
http://secunia.com/SA15491
http://secunia.com/SA15488
http://secunia.com/SA15474
http://secunia.com/SA15477
http://secunia.com/SA15489

--

Secunia Research has discovered multiple vulnerabilities in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and to bypass certain security restrictions. Additionally, Secunia Research discovered a variant of the "Window Injection" vulnerability.

More information can be found in the referenced Secunia advisories below.

Reference:
http://secunia.com/SA15008
http://secunia.com/SA15411
http://secunia.com/SA15423
http://secunia.com/SA13253

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA15489] Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
2. [SA15491] Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
3. [SA15411] Opera "javascript:" URL Cross-Site Scripting Vulnerability
4. [SA15606] Internet Explorer Two Vulnerabilities
5. [SA15671] Java Web Start / Sun JRE Sandbox Security Bypass Vulnerability
6. [SA15474] Safari Dialog Origin Spoofing Vulnerability
7. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8. [SA15488] Opera Dialog Origin Spoofing Vulnerability
9. [SA15492] Internet Explorer for Mac Dialog Origin Spoofing Vulnerability
10. [SA15008] Opera XMLHttpRequest Security Bypass

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15762] Fortibus CMS "username" and "ID" SQL Injection Vulnerabilities
[SA15747] Ublog Reload SQL Injection and Cross-Site Scripting
[SA15734] Cool Cafe SQL Injection and Disclosure of Sensitive Information
[SA15769] i-Gallery "folder" Cross-Site Scripting and Directory Traversal

UNIX/Linux:
[SA15777] SUSE update for java2
[SA15755] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
[SA15753] Gentoo update for peercast
[SA15750] Slackware update for sun-jdk/sun-jre
[SA15772] Fedora update for ruby
[SA15766] Gentoo update for squirrelmail
[SA15749] Sun ONE Messaging Server Unspecified Webmail Vulnerability
[SA15741] SUSE Updates for gpg2/telnet/unace/horde
[SA15740] Yaws Source Code Disclosure Vulnerability
[SA15730] Red Hat update for mc
[SA15773] Ubuntu update for tcpdump
[SA15770] cPanel cpsrvd.pl Cross-Site Scripting Vulnerability
[SA15768] Gentoo update for spamassassin/razor
[SA15754] NanoBlogger Plugins Shell Command Injection Vulnerability
[SA15751] Gentoo update for cpio
[SA15729] Red Hat update for bzip2
[SA15728] Fedora update for spamassassin
[SA15774] Ubuntu update for sudo
[SA15771] Fedora update for sudo
[SA15763] Novell NetMail File Ownership Security Issue
[SA15759] Slackware update for sudo
[SA15748] OpenBSD update for sudo
[SA15744] Sudo Arbitrary Command Execution Vulnerability
[SA15760] Avaya Products Telnet Client Information Disclosure Weakness
[SA15731] Red Hat update for gaim

Other:
[SA15757] Enterasys Vertical Horizon Switches Two Security Issues
[SA15765] Cisco VPN Concentrator Group Name Enumeration Weakness

Cross Platform:
[SA15767] Ruby XMLRPC Server Arbitrary Command Execution
[SA15758] MercuryBoard "User-Agent" SQL Injection Vulnerability
[SA15752] Trac Arbitrary File Upload/Download Vulnerability
[SA15735] XAMPP "lang.php" Script Insertion and Information Disclosure
[SA15732] Ultimate PHP Board Cross-Site Scripting and User Credentials Exposure
[SA15775] Gentoo update for tor
[SA15764] Tor Disclosure of Sensitive Information
[SA15739] Razor-agents Denial of Service Vulnerabilities
[SA15738] Contelligent Preview Privilege Escalation Vulnerability
[SA15737] ajax-spell Cross-Site Scripting Vulnerability
[SA15736] amaroK Web Frontend Exposure of User Credentials
[SA15742] RealVNC Information Disclosure Weakness
[SA15733] e107 Administrator Account Enumeration Weakness
[SA15746] JBoss "org.jboss.web.WebServer" Information Disclosure

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA15762] Fortibus CMS "username" and "ID" SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-21

Tamer Mohamed Hassan has discovered some vulnerabilities in Fortibus CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15762/

--

[SA15747] Ublog Reload SQL Injection and Cross-Site Scripting
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-06-20

Dedi Dwianto has discovered two vulnerabilities in Ublog Reload, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15747/

--

[SA15734] Cool Cafe SQL Injection and Disclosure of Sensitive Information
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information
Released:    2005-06-17

Donnie Werner has reported two vulnerabilities in Cool Cafe, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/15734/

--

[SA15769] i-Gallery "folder" Cross-Site Scripting and Directory Traversal
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-06-21

Seyed Hamid Kashfi has discovered a vulnerability in i-Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose system information.

Full Advisory:
http://secunia.com/advisories/15769/

UNIX/Linux:--

[SA15777] SUSE update for java2
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-22

SUSE has issued an update for java2. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15777/

--

[SA15755] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-20

Gentoo has issued updates for sun-jdk, sun-jre-bin, blackdown-jdk, and blackdown-jre. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15755/

--

[SA15753] Gentoo update for peercast
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-20

Gentoo has issued an update for peercast. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15753/

--

[SA15750] Slackware update for sun-jdk/sun-jre
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-20

Slackware has issued an update for sun-jdk/sun-jre. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15750/

--

[SA15772] Fedora update for ruby
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-22

Fedora has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15772/

--

[SA15766] Gentoo update for squirrelmail
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-22

Gentoo has issued an update for squirrelmail. This fixes several vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15766/

--

[SA15749] Sun ONE Messaging Server Unspecified Webmail Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-20

A vulnerability has been reported in Sun ONE Messaging Server, which may be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15749/

--

[SA15741] SUSE Updates for gpg2/telnet/unace/horde
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, System access
Released:    2005-06-20

SUSE has issued updates for gpg2, telnet, unace and horde. These fix some vulnerabilities, which can be exploited by malicious people to gain knowledge of various information, conduct cross-site scripting attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15741/

--

[SA15740] Yaws Source Code Disclosure Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-06-17

M. Eiszner has reported a vulnerability in Yaws, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/15740/

--

[SA15730] Red Hat update for mc
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-06-17

Red Hat has issued an update for mc. This fixes several vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15730/

--

[SA15773] Ubuntu update for tcpdump
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-22

Ubuntu has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15773/

--

[SA15770] cPanel cpsrvd.pl Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-22

A vulnerability has been discovered in cPanel, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15770/

--

[SA15768] Gentoo update for spamassassin/razor
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-21

Gentoo has issued updates for spamassassin and razor. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15768/

--

[SA15754] NanoBlogger Plugins Shell Command Injection Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-06-21

A vulnerability has been reported in NanoBlogger, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15754/

--

[SA15751] Gentoo update for cpio
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-06-20

Gentoo has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/15751/

--

[SA15729] Red Hat update for bzip2
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, DoS
Released:    2005-06-17

Red Hat has issued an update for bzip2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15729/

--

[SA15728] Fedora update for spamassassin
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-17

Fedora has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15728/

--

[SA15774] Ubuntu update for sudo
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-22

Ubuntu has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15774/

--

[SA15771] Fedora update for sudo
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-22

Fedora has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15771/

--

[SA15763] Novell NetMail File Ownership Security Issue
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-06-21

A security issue has been reported in NetMail, which can be exploited by malicious, local users to delete or replace the NetMail binaries.
Full Advisory: http://secunia.com/advisories/15763/ -- [SA15759] Slackware update for sudo Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-06-22 Slackware has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges. Full Advisory: http://secunia.com/advisories/15759/ -- [SA15748] OpenBSD update for sudo Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-06-21 OpenBSD has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges. Full Advisory: http://secunia.com/advisories/15748/ -- [SA15744] Sudo Arbitrary Command Execution Vulnerability Critical: Less critical Where: Local system Impact: Security Bypass Released: 2005-06-21 A vulnerability has been reported in sudo, which can be exploited by malicious, local users to execute arbitrary commands. Full Advisory: http://secunia.com/advisories/15744/ -- [SA15760] Avaya Products Telnet Client Information Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-06-21 Avaya has acknowledged a weakness in the telnet client included in certain products, which can be exploited by malicious people to gain knowledge of certain system information. Full Advisory: http://secunia.com/advisories/15760/ -- [SA15731] Red Hat update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-06-17 Red Hat has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/15731/ Other:-- [SA15757] Enterasys Vertical Horizon Switches Two Security Issues Critical: Less critical Where: From local network Impact: Security Bypass, DoS Released: 2005-06-21 Jacek Lipkowski has reported two security issues in various Enterasys Vertical Horizon switches, which can be exploited by malicious people to gain access to a debugging account, and by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/15757/ -- [SA15765] Cisco VPN Concentrator Group Name Enumeration Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-06-21 NTA Monitor has reported a weakness in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to gain knowledge of certain information. Full Advisory: http://secunia.com/advisories/15765/ Cross Platform:-- [SA15767] Ruby XMLRPC Server Arbitrary Command Execution Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-06-22 Nobuhiro IMAI has reported a vulnerability in Ruby, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/15767/ -- [SA15758] MercuryBoard "User-Agent" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-06-22 4yka has reported a vulnerability in MercuryBoard, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/15758/ -- [SA15752] Trac Arbitrary File Upload/Download Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information, System access Released: 2005-06-20 Stefan Esser has reported a vulnerability in Trac, which can be exploited by malicious users to disclose sensitive information and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/15752/ -- [SA15735] XAMPP "lang.php" Script Insertion and Information Disclosure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-06-17 A vulnerability has been reported in XAMPP, which can be exploited by malicious people to disclose potentially sensitive information and conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/15735/ -- [SA15732] Ultimate PHP Board Cross-Site Scripting and User Credentials Exposure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-06-17 Alberto Trivero has reported some vulnerabilities and a security issue in Ultimate PHP Board, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/15732/ -- [SA15775] Gentoo update for tor Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-06-22 Gentoo has issued an update for tor. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/15775/ -- [SA15764] Tor Disclosure of Sensitive Information Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-06-22 A vulnerability has been reported in Tor, which potentially can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/15764/ -- [SA15739] Razor-agents Denial of Service Vulnerabilities Critical: Less critical Where: From remote Impact: DoS Released: 2005-06-17 Two vulnerabilities have been reported in Razor-agents, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/15739/ -- [SA15738] Contelligent Preview Privilege Escalation Vulnerability Critical: Less critical Where: From remote Impact: Privilege escalation Released: 2005-06-17 A vulnerability has been reported in Contelligent, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/15738/ -- [SA15737] ajax-spell Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-06-17 A vulnerability has been reported in ajax-spell, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15737/ -- [SA15736] amaroK Web Frontend Exposure of User Credentials Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-06-17 A security issue has been reported in the amaroK Web Frontend plugin for amaroK, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/15736/ -- [SA15742] RealVNC Information Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-06-20 class101 has reported a weakness in RealVNC, which can be exploited by malicious people to gain knowledge of various system information. Full Advisory: http://secunia.com/advisories/15742/ -- [SA15733] e107 Administrator Account Enumeration Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-06-17 Marc Ruef has discovered a weakness in e107, which can be exploited by malicious people to identify valid administrator accounts. 
Full Advisory: http://secunia.com/advisories/15733/ -- [SA15746] JBoss "org.jboss.web.WebServer" Information Disclosure Critical: Not critical Where: From local network Impact: Exposure of system information Released: 2005-06-20 Marc Schoenefeld has reported a weakness in JBoss, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/15746/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Jun 24 01:24:26 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jun 24 01:31:04 2005 Subject: [ISN] Interview with Marcus Ranum Message-ID: Forwarded from: security curmudgeon : http://www.securityfocus.com/columnists/334 : Federico Biancuzzi : : I am Marcus Ranum, Chief Security Officer of Tenable Network Security, : Inc., the producers of the Nessus vulnerability scanner and a suite of : security vulnerability management tools. I've been working in the : computer security arena for about 20 years, now, and was the designer : and implementor of a variety of security solutions in the past, : including firewalls, VPNs, and intrusion detection systems. I like to : think I've been around long enough and done a wide enough variety of : things that I've achieved a pretty good perspective on the trade-offs : inherent in security technology. : Do you see any new, interesting, or promising path for network security? : : Nope! I see very little that's new and even less that's interesting. 
: The truth is that most of the problems in network security were fairly
: well-understood by the late 1980's. What's happening is that the same
: ideas keep cropping up over and over again in different forms. For
: example, how many times are we going to re-invent the idea of
: signature-based detection? Anti-virus, Intrusion detection, Intrusion
: Prevention, Deep Packet Inspection - they all do the same thing: try to
: enumerate all the bad things that can happen to a computer. It makes
: more sense to try to enumerate the good things that a computer should be
: allowed to do.
:
: I believe we're making zero progress in computer security, and have been
: making zero progress for quite some time.

I'd agree with Ranum for the most part, as would most security folks that have been around a while. However, it's hard to swallow these comments when Ranum starts out saying he works for a company that does the same thing as others have for a decade or more, works on products that all work on the principle he scorns, and continues to profit off these solutions without changing them up or truly innovating them, no?

: We recently saw a case where a hacker made significant penetrations into
: some very secure systems using an attack against the trust relationships
: between the different systems in a large research community. The hacker
: compromised one researcher's account at a university and trapdoored the
: researcher's SSH client. When the researcher logged into a system at
: another research facility, the hacker now had the researchers' SSH
: password and was able to penetrate the next facility, set up a
: trapdoored SSH client there, and eventually he got the root account as
: the administrator SSH'd into a local server. The hacker had several
: months worth of fun and by the time it was all over, he had compromised
: several hundred systems and gained administrative privileges in 5
: different research facilities across the Internet. Having per-desktop
: firewalls would not have helped at all in this type of scenario,
: unfortunately, since once the hacker was into the first system, they
: were operating entirely at an application level.

Recently? This describes attacks dating back to 1994 that I am personally aware of, longer before that with absolutely no doubt. Fifteen years later, all of the security products Ranum helped write, market and profit off of, still don't stop this kind of attack. What does that tell us?

: Whenever someone tells you that there's a novel, easy, solution to
: security, it's either because they don't understand security or they're
: trying to sell you something that isn't going to work.

Tenable delivers several varieties of enterprise security technology in one converged product suite offering. Each of these are easy to install, operate, and configure for secure information sharing across the entire enterprise. By combining many of these diverse technologies into one platform, Tenable is changing the way IT and Security organizations handle security for enterprise networks.

: Truly, the only people who deserve a complete helping of blame are the
: hackers. Let's not forget that they're the ones doing this to us.
: They're the ones who are annoying an entire planet. They're the ones who
: are costing us billions of dollars a year to secure our systems against
: them. They're the ones who place their desire for fun ahead of everyone
: on earth's desire for peace and [the] right to privacy.

Just as we have to blame criminals for the locks on our doors, the car alarms, building alarms, video cameras and everything else 'security'.. right?

Just like those evil fucking hackers that gave us script kiddy exploits to help keep ourselves hidden while hacking unix boxen? Or monitor other user's activity and compromise *their* privacy? Do you remember cloak2.c and spy.c perchance?

/*
 * C L O A K
 *
 * Wrap yourself in a cloak of darkness (heh heh heh).
 *
 * Michael S. Baldwin, Matthew Diaz 1982
 *
 * Marcus J. Ranum - 1983 - complete re-write and munging
 * added more options, and all kinds of evil - including the
 * ability to vanish from wtmp and acct as well as utmp. Added more
 * error checking and useful command syntax. Now you can attribute
 * all *YOUR* CPU usage to others when playing hack !!!
 *
 */

/*
Marcus Ranum 1985
usage: spy &
the program will exit cleanly when you log out.
*/

OMFG I AM SUING YOU FOR THE COST OF THE LOCKS ON MY WINDOWS!@$!$

hypocrite.

From isn at c4i.org Fri Jun 24 01:25:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:31:26 2005
Subject: [ISN] REVIEW: "Brute Force", Matt Curtin
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKBRTFRC.RVW   20050531

"Brute Force", Matt Curtin, 2005, 0-387-20109-2, U$25.00/C$33.50
%A   Matt Curtin http://ergo-sum.us/brute-force/
%C   233 Spring St., New York, NY 10013
%D   2005
%G   0-387-20109-2
%I   Copernicus/Springer-Verlag
%O   U$25.00/C$33.50 800-842-3636, 212-460-1500, fax: +1-212-254-9499
%O   http://www.amazon.com/exec/obidos/ASIN/0387201092/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0387201092/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0387201092/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   291 p.
%T   "Brute Force: Cracking the Data Encryption Standard"

As the subtitle states, this is the story of the assessment of the strength (and weakness) of the Data Encryption Standard, particularly as computer power increased over time. Specifically, it is the tale of the formation and development of the DESCHALL operation, one of the forerunners of distributed.net. It is not just a story, though: Curtin tells the tale from a specific social and political perspective. An indication of this position is given in the foreword, where John Gilmore reiterates the somewhat questionable assertion that DES was "deliberately ... flawed."
Although this work does not address more technical aspects of cryptography, using hyperbolic arguments such as this may weaken the overall case of the book in regard to cryptographic censorship.

There are forty-one very short chapters to the book, the first describing the particular machine that found the key for the first DESCHALL distributed cracking attempt. A brief history and background for cryptography is given in chapter two. Chapter three outlines the process of transforming Lucifer into DES. However, there are numerous errors in the account. Some are minor. (The Data Encryption Standard and the Data Encryption Algorithm are not equivalent: the algorithm is the engine, while the standard includes additional functions for real world operations.) Other problems include issues such as the fact that the modification of S-boxes (the substitution function, which the book refers to as permutation) is mentioned, while that of the P-boxes (permutation) is not. Most references state that the Lucifer version finally submitted for DES was 70 bit, rather than 112 bit. It is quite misleading to say that a 112 bit key is "fifty-six times" as strong as a 56 bit key. The Diffie-Hellman objections to the 56 bit key length are not given in detail, which makes the arguments hard to assess. Not all the dates are given, which sometimes creates difficulty in following the thread. (In response to a first draft of this review, Curtin has noted that he has collected a fairly extensive errata for the book, and hopes to correct the issues in a second edition.)

Chapter four is a rather mixed bag: despite the "Key Length" title, it touches on various algorithms, cryptanalytic concepts, and other topics. (There is a seeming confusion of the Vernam cipher with a one-time pad, and triple DES is generally considered to have an effective 112 or 113 bit key, rather than 168, due to the meet-in-the-middle attack.)

The author's personal involvement with cryptology, and analysis of the feasibility of cracking cryptosystems, is outlined in chapters five through eight, culminating in a review of the possibilities of distributed computing. The technical, social, and political factors involved in creating and operating the DESCHALL team are discussed in chapters nine to thirty-eight. (It is odd that explanations of IP addresses almost always use the non-routable 192.168.x.x range. Specific IP addresses have a depressing tendency to change, and so non-routable addresses are often used in explanations, but it seems particularly inappropriate when the subject deals with identification and location of machines.) The material is fascinating, instructive, and even exciting at times. Interspersed are mentions of legislative debates and hearings into cryptographic policy during that time. Two chapters cover events subsequent to DES Challenge I, while analysis and lessons learned are reviewed in forty-one.

The density of errors in the early chapters is unfortunate, since it is not representative of the work as a whole, and yet it may lead readers to distrust the facts in the book. In reality, there are significant points to be made, not only in terms of cryptography and public policy, but also in regard to distributed computing itself. The book is certainly useful for those interested in the issue of brute force attacks against cryptographic systems, and is an engaging read for anyone into technology.

copyright Robert M. Slade, 2005   BKBRTFRC.RVW   20050531

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
Keep your perspective: it's all only ones and zeros
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Jun 24 01:22:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:31:50 2005
Subject: [ISN] Firm installs security after data loss
Message-ID:

http://www.theage.com.au/news/breaking/firm-installs-security-after-data-loss/2005/06/24/1119321882208.html

Tucson, Arizona
June 24, 2005

The operations center for a credit card processing firm whose security was breached by a hacker, exposing 40 million accounts to possible fraud, has put new security software in place.

Marc Maiffret, a computer security specialist and co-founder of eEye Digital Security of Aliso Viejo, California, said his firm installed the security upgrade for Atlanta-based CardSystems Solutions' operations center here on June 10.

On Friday, MasterCard International disclosed that 40 million credit card accounts belonging to it and other companies were exposed to possible fraud by a security breach at CardSystems Solutions' operations centre here, the latest in a string of recent breaches at financial institutions.

Maiffret told the Arizona Daily Star that the upgrade his firm sold CardSystems Solutions was in place three days later. CardSystems may have initiated other measures as well in response to the breach, he added.

Calls to Maiffret and spokesmen for eEye Digital and CardSystems Solutions were not returned immediately on Thursday.

CardSystems Solutions is among a large number of companies processing financial transactions for credit card issuers that largely use custom-made software applications not initially designed with security components as their foremost need, Maiffret said.
In addition, such third-party companies frequently must contend with budget constraints causing them to be stingy on computer security, he said.

Those settings created favourable conditions for a skilled hacker to manipulate his way through a computer program seeking vulnerabilities, he added.

"There is really no standard for how all this financial information gets pushed around, and all these companies push it around a little differently," Maiffret told the Star. "That means you also have all these little quirks and opportunities for a hacker who has the time to find weaknesses."

From isn at c4i.org Fri Jun 24 01:23:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jun 24 01:32:13 2005
Subject: [ISN] OIC Members Should Cooperate To Ensure Cyber Security
Message-ID:

http://www.bernama.com.my/bernama/v3/news_business.php?id=140926

By Santha Oorjitham
June 22, 2005

PUTRAJAYA, June 22 (Bernama) -- Organisation of Islamic Conference (OIC) members should set up Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) to collaborate and prevent or reduce cyber terrorism.

National Information Communication Technology Security and Emergency Response (NISER) Centre director Lt Col Husin Jazri called on delegates at the 30th annual meeting of the Islamic Development Bank (IDB) Board of Governors to pass a resolution tomorrow to set up the OIC-CERT.

CERT is a national or regional coordination centre, which tackles any emergency computer and network security incidents.

Husin was moderating a session Wednesday on cyberspace security at the Knowledge and Information and Communications Technology for Development (KICT4D) conference, a side event of the IDB meeting, which had standing room-only for participants from Nigeria, Tunisia, Senegal, United Arab Emirates (UAE) and Pakistan as well as Malaysia.

Noting that only seven of the 57 OIC members have CERTs or CSIRTs, he asked OIC members (of which the IDB is the investment arm), to contribute to an OIC-CERT collaboration, setting up an OIC-CERT task force and an interest group forum.

(Malaysia has three CERTs: MyCERT for Malaysian Internet users; GCERT for federal, state and local governments, as well as statutory bodies; and Sabah CERT for users in the East Malaysian state.)

OIC-CERT could increase the dissemination of cyber alerts, provide a platform to exchange ideas and expertise, jointly develop measures to deal with large-scale network security incidents and address information security and emergency response across regional boundaries, Husin said.

Associate Professor Dr Ibrahim Kamel of the College of Information Systems at Zayed University in Dubai, UAE, noted that five West Asian countries (UAE, Kuwait, Saudi Arabia, Egypt and Iran) are among the top 10 countries vulnerable to hacking (Symantec Report 2003).

Ibrahim pointed out that more nations are adding computer network warfare to their strategies, criminals are using cyberspace and critical infrastructures have become prime targets.

As NISER's Husin stressed, "It's not 'Will I get hit?' but it's a matter of 'When will I get hit?'"

From isn at c4i.org Mon Jun 27 05:24:22 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 27 05:29:09 2005
Subject: [ISN] Hacker sentenced to 4 months in prison
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/06/25/BAGJJDEEHP1.DTL

Henry K. Lee
June 25, 2005

A federal judge sentenced a Pleasant Hill man known as one of the most notorious hackers on the Internet to four months in prison Friday for breaking into federal government computers three years ago and defacing Web sites.
Robert Lyttle, 21, who is known as one half of "The Deceptive Duo," pleaded guilty March 11 to five computer-hacking counts for illegally accessing the systems of the Department of Defense's Defense Logistics Information Service, the Office of Health Affairs and the NASA Ames Research Center.

His illegal online activities caused $71,181 in damage, which he must pay in restitution, U.S. District Judge D. Lowell Jensen ordered Friday at a hearing in Oakland.

The judge also sentenced Lyttle to four months of home detention under electronic monitoring. He will begin serving his sentence on Aug. 24.

From isn at c4i.org Mon Jun 27 05:24:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 27 05:29:26 2005
Subject: [ISN] Thefts of U.S. technology boost China's weaponry
Message-ID:

http://washingtontimes.com/national/20050627-124855-6747r.htm

By Bill Gertz
THE WASHINGTON TIMES
June 27, 2005

China is stepping up its overt and covert efforts to gather intelligence and technology in the United States, and the activities have boosted Beijing's plans to rapidly produce advanced-weapons systems.

"I think you see it where something that would normally take 10 years to develop takes them two or three," said David Szady, chief of FBI counterintelligence operations. He said the Chinese are prolific collectors of secrets and military-related information.

"What we're finding is that [the spying is] much more focused in certain areas than we ever thought, such as command and control and things of that sort," Mr. Szady said.

"In the military area, the rapid development of their 'blue-water' navy -- like the Aegis weapons systems -- in no small part is probably due to some of the research and development they were able to get from the United States," he said.

The danger of Chinese technology acquisition is that if the United States were called on to fight a war with China over the Republic of China (Taiwan), U.S. forces could find themselves battling a U.S.-equipped enemy.

"I would hate for my grandson to be killed with U.S. technology" in a war over Taiwan, senior FBI counterintelligence official Tim Bereznay told a conference earlier this year.

The Chinese intelligence services use a variety of methods to spy, including traditional intelligence operations targeting U.S. government agencies and defense contractors.

Additionally, the Chinese use hundreds of thousands of Chinese visitors, students and other nonprofessional spies to gather valuable data, most of it considered "open source," or unclassified information.

"What keeps us up late at night is the asymmetrical, unofficial presence," Mr. Szady said. "The official presence, too. I don't want to minimize that at all in what they are doing."

China's spies use as many as 3,200 front companies -- many run by groups linked to the Chinese military -- that are set up to covertly obtain information, equipment and technology, U.S. officials say. Recent examples include front businesses in Milwaukee; Trenton, N.J.; and Palo Alto, Calif., Mr. Szady said.

In other cases, China has dispatched students, short-term visitors, businesspeople and scientific delegations with the objective of stealing technology and other secrets.

The Chinese "are very good at being where the information is," Mr. Szady said.

"If you build a submarine, no one is going to steal a submarine. But what they are looking for are the systems or materials or the designs or the batteries or the air conditioning or the things that make that thing tick," he said. "That's what they are very good at collecting, going after both the private sector, the industrial complexes, as well as the colleges and universities in collecting scientific developments that they need."

One recent case involved two Chinese students at the University of Pennsylvania who were found to be gathering nuclear submarine secrets and passing them to their father in China, a senior military officer involved in that country's submarine program.
Bit by bit

To counter such incidents, the FBI has been beefing up its counterintelligence operations in the past three years and has special sections in all 56 field offices across the country for counterspying. But the problem of Chinese spying is daunting.

"It's pervasive," Mr. Szady said. "It's a massive presence, 150,000 students, 300,000 delegations in the New York area. That's not counting the rest of the United States, probably 700,000 visitors a year. They're very good at exchanges and business deals, and they're persistent."

Chinese intelligence and business spies will go after a certain technology, and they eventually get what they want, even after being thwarted, he said.

Paul D. Moore, a former FBI intelligence specialist on China, said the Chinese use a variety of methods to get small pieces of information through numerous collectors, mostly from open, public sources.

The three main Chinese government units that run intelligence operations are the Ministry of State Security, the military intelligence department of the People's Liberation Army and a small group known as the Liaison Office of the General Political Department of the Chinese army, said Mr. Moore, now with the private Centre for Counterintelligence Studies.

China gleans most of its important information not from spies but from unwitting American visitors to China -- from both the U.S. government and the private sector -- who are "serially indiscreet" in disclosing information sought by Beijing, Mr. Moore said in a recent speech.

In the past several years, U.S. nuclear laboratory scientists were fooled into providing Chinese scientists with important weapons information during discussions in China through a process of information elicitation -- asking questions and seeking help with physics "problems" that the Chinese are trying to solve, he said.

"The model that China has for its intelligence, in general, is to collect a small amount of information from a large amount of people," Mr. Moore said during a conference of security specialists held by the National Security Institute, a Massachusetts-based consulting firm.

[...]

From isn at c4i.org Mon Jun 27 05:22:51 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 27 05:29:39 2005
Subject: [ISN] Weak security makes HK top hacker target
Message-ID:

http://www.thestandard.com.hk/stdn/std/Front_Page/GF27Aa01.html

Doug Crets
June 27, 2005

Hong Kong's unsuspecting broadband Internet users are the most vulnerable on the planet to attacks by so-called "zombie" computers, according to a report by a British Internet security firm.

While Hong Kong has increased its efforts to become more secure for shopping and banking, there are vulnerabilities in the system that broadband users are not even aware of, officials say.

The fact is that clandestine users piggybacking on the unaware have multiplied so fast that it is nearly impossible to go onto the Internet without being victimized or hijacked.

These hijacked computers send thousands of spam e-mails per minute, set up fake Web sites and cripple servers, according to the report, by Prolexic Technologies, a British firm that has presented Internet security solutions to the US Department of Homeland Security.

Costs to workers from lost productivity reach as much as HK$10 billion a year, government officials say.

Prolexic's 2005 "Zombie Report," released last week, said Hong Kong, with 4.8 million broadband users, is the per capita leader in the number of computers that have been made into zombies by illicit users.

"We notice the major corporations, the banks, the government have done a lot in security to protect their servers, but at the same time the customers are not well aware of such things," said Roy Ko, an information specialist at the Hong Kong Computer Emergency Response Team Coordination Centre, started by the Hong Kong Productivity Council in 2002 to coordinate responses to technology problems.
``A lot of these [upgrades] are to protect clients who are not aware of the latest vulnerabilities,'' he said.

According to a white paper by Internet firm CipherTrust, ``the most popular method for distributing the trojans [the programs hide in the victim's computer] that create zombies is via an e-mail attachment masquerading as an innocent file, such as a digital photo or contest entry form.''

Hong Kong government departments prefer not to comment on the figures because they question the methodology of the analysis, but Ko warned that Hong Kong users should spend more time educating themselves on trojan viruses.

The Hong Kong Monetary Authority made it mandatory this year for local banks providing online banking to offer their users new security devices to prevent fraud from hackers who set up fake banking Web sites and encourage customers to enter passwords so they can steal their money.

``What happens with broadband is it's always on,'' said Andrew Lih, a professor of media studies at University of Hong Kong. ``If you just hook up directly to the DSL [digital subscriber line] modem, you're naked.''

Users can look at the logs on their routers, if they have them, to see just how vulnerable they are to these attacks. Routers take the fresh feed from the Internet and wire it into the computer, but they also absorb attacks from viruses flowing in through the Internet.

``You're talking about an attack a minute, sometimes a little flood every five or 10 seconds,'' Lih said.

According to Nielsen/Net Ratings, ``The most popular Hong Kong shopping Web sites received 20 percent more visitors in the quarter ending August 2004 compared with the corresponding period a year ago.'' That was a rise of 320,000 people to 1.6 million.

Imagine that this shopping is being done on computers that have outdated firewalls, or on PCs without updated systems.

``[Consumers] don't have a person to look after the system, so they don't know what is happening in the system,'' said Ko.
``There are a lot of these vulnerabilities reported every month, they have to keep updating and patching their system.''

Distributed denial-of-service attacks aren't the only problems on the government's mind. Spam e-mail drains productivity from workers.

``The government believes that it would be necessary to enact legislation to regulate unsolicited electronic messages after studying the submissions received at the consultation conducted last year,'' said Esther Mak, information officer for the Office of the Telecommunications Authority.

The Hong Kong Internet Service Providers Association, an organization that represents the views of a group of businesses, such as New World Technologies, PCCW and City Telecom, said that there should be legislation that would bring about punishment.

According to a June 2004 Legco consultation paper, ``Spam causes harm to ISPs because it uses large amount of bandwidth and storage space.'' That leads to poorly functioning ISPs and dissatisfied customers, not to mention a stress on ISPs who have to pay more to secure more.

``[They] need to build enormous capacity into their systems. The increased volume of e-mails can also significantly slow down the speed of Internet, overload servers and threaten network integrity,'' it reads.

Poor service is only one thing users should concern themselves with, though, says one Internet security analyst.

``Each one of these PCs becomes a great gateway to funnel illegal funds. Tracking them is very hard,'' said Maren Leizaola, director of Web mail provider HK.Com.

From isn at c4i.org Mon Jun 27 05:24:06 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 27 05:29:58 2005
Subject: [ISN] Inside Windows IT Security UPDATE -- June 24, 2005
Message-ID:

=======================

Our name has changed! Make sure your copy of Inside Windows IT Security UPDATE doesn't get mistakenly blocked by antispam software!
Be sure to add Inside_WindowsITSecurity_Update@list.windowsitpro.com to your list of allowed senders and contacts.

=======================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Security UPDATE.

Download Your Risk-free Trial of UpdateEXPERT Now
http://list.windowsitpro.com/t?ctl=D06A:4FB69

Remote Control Your Systems Anywhere from your Pocket PC
http://list.windowsitpro.com/t?ctl=D069:4FB69

=======================

1. What's New in the Latest Issue
July 2005 Issue
- Focus: Pick the Right Firewall
- Feature: Firewall Appliances, Part 1
- Access Denied

2. New Additions to the Online Article Archive
July 2004 Issue
- Focus: Dissecting a Suspect Disk
- Features
- Access Denied

==== Sponsor: Download Your Risk-free Trial of UpdateEXPERT Now ====

UpdateEXPERT streamlines the tedious tasks of patching, allowing you to conserve IT resources. With UpdateEXPERT's centralized inventory and management, you can quickly and accurately patch every machine on your network, even those that are disconnected or remote. Plus, unlimited management consoles are included with all purchases. Be confident your business is completely secured. Test our powerful patch management solution for yourself today with a risk-free trial.
Yes I want to try UpdateEXPERT!
http://list.windowsitpro.com/t?ctl=D06A:4FB69

=======================

Windows IT Security is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. Nonsubscribers can access all the newsletter content in the online article archive from the premiere issue of Windows IT Security (February 2001) through the print issue released 1 year ago and featured below.
In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Windows IT Security Web site.
http://list.windowsitpro.com/t?ctl=D070:4FB69

Subscribe today and access all the issues online!
http://list.windowsitpro.com/t?ctl=D067:4FB69

=======================

==== 1. What's New in the Latest Issue ====

July 2005 Issue

Focus: Pick the Right Firewall
Learn which firewall appliance is right for you, get familiar with network ports, clean up your systems with Microsoft's free malware removal tool, and more.

The following article is available at no charge to nonsubscribers for a limited time:

Feature

Firewall Appliances, Part 1
Firewalls aren't what they used to be, which is a good thing. As attacks have become increasingly sophisticated, firewall solutions have had to adapt. In this first part of a two-part series, we look at firewall solutions for low-security SMBs.
--Thomas W. Shinder and Debra L. Shinder
http://list.windowsitpro.com/t?ctl=D061:4FB69

Nonsubscribers now have access to the Q&As that run in every issue of Windows IT Security and are featured below.

Access Denied

Preventing Data Loss When Using EFS
Back up the data recovery agent certificate and/or the user's EFS certificate and private key to prevent losing encrypted data.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D05D:4FB69

Understanding the Importance of Host Firewalls
Layer your security by using both a network firewall and firewalls on your workstations and servers.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D065:4FB69

Subscribers have access to the entire contents of the July 2005 issue. For a list of the other articles available in this issue, visit the URL below.
http://list.windowsitpro.com/t?ctl=D068:4FB69

=======================

==== Sponsor: Remote Control Your Systems Anywhere from your Pocket PC ====

Manage Windows, Linux and Mac remotely from your Pocket PC.
NetSupport Manager offers complete, scalable and secure remote control software for IT professionals. NSM is so easy to use, it will quickly help you reduce support costs and increase response rates. Perform remote support and management on multiple systems simultaneously over a LAN, WAN and the Internet. A great SMS add-on. New Mac beta. Named Editor's Choice by Network Computing magazine. Free 30 day trial. $99.00 1 user license.
http://list.windowsitpro.com/t?ctl=D069:4FB69

=======================

==== Events & Resources ====
(from Windows IT Pro and its partners)

Anti-spam product not working?
Many email administrators are experiencing increased frustration with their current anti-spam products as they battle new and more dangerous email threats. In-house software, appliances and even some services may no longer work effectively, require too much IT staff time to update and maintain, or satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users.
http://list.windowsitpro.com/t?ctl=D059:4FB69

Back By Popular Demand - SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=D05B:4FB69

Token Authentication: Getting It Right
Perhaps you need tokens for management or mobile workers or your only applications that need token support are VPN, extranet access, or PC security. In this free Web seminar, join industry guru Randy Franklin Smith and learn how you can make a solid business case to management that justifies tokens.
You'll also discover what the right combination of token devices and middleware can do. Plus - receive checklists of key evaluation and testing points for rollout time. Register now!
http://list.windowsitpro.com/t?ctl=D058:4FB69

Recover Your Active Directory
Get answers to all your Active Directory recovery questions here! Join industry guru Darren Mar-Elia in this free Web Seminar and discover how to use native recovery tools and methods, how to implement a lag site to delay replication, limitations to native recovery approaches and more. Learn how you can develop an effective AD backup strategy. Register today!
http://list.windowsitpro.com/t?ctl=D057:4FB69

Get The SQL Server BI Essentials
This eBook will give you a solid foundation for understanding where BI has come from and where it's headed. You'll learn about what's coming in SQL Server 2005 and help validate what you already know. Download this free eBook now to get the wealth of BI tips and techniques you shouldn't be without.
http://list.windowsitpro.com/t?ctl=D05A:4FB69

==== Featured White Paper ====

Avoiding Availability Pitfalls in Microsoft Exchange Environments
Many solutions are targeted at making Exchange email environments more reliable, however a wide range of potential difficulties still lurk, waiting to interrupt service and, ultimately, your business. In this free white paper, discover the more common pitfalls that can lessen Exchange availability and the recommendations for what you can do to avoid the problem and better plan your Microsoft Exchange messaging environment.
http://list.windowsitpro.com/t?ctl=D055:4FB69

==== Hot Release: FREE Download - The Next Generation of End-point Security is Available Today ====

NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines from all types of malware even before Windows loads and without slowing them down.
NetOp provides process & application control, real-time centralized management, automatic network detection & profiles and more. Try it FREE.
http://list.windowsitpro.com/t?ctl=D056:4FB69

=======================

==== 2. New Additions to the Online Article Archive ====

July 2004 Issue

To access this issue of Windows IT Security, go to the following URL:
http://list.windowsitpro.com/t?ctl=D066:4FB69

Focus: Dissecting a Suspect Disk
Use the Penguin Sleuth Kit to analyze a compromised disk, integrate directories with Microsoft Identity Integration Server 2003 (MIIS), and learn about client tools for managing PKI trusts.

Features

Performing Forensic Analyses, Part 2
Analyzing a compromised hard disk is a time- and resource-intensive operation. Two tools--Sleuth Kit and Autopsy--can help you with this arduous task.
--Matt Lesko
http://list.windowsitpro.com/t?ctl=D064:4FB69

Secure Directory Access with MIIS
Microsoft Identity Integration Server 2003 is a powerful tool for deploying directory-enabled applications while ensuring that data across individual directories remains synchronized.
--John Howie
http://list.windowsitpro.com/t?ctl=D062:4FB69

User-Side PKI Trust Management
Learn how PKI administrators manage PKI user-side trust decisions.
--Jan De Clercq
http://list.windowsitpro.com/t?ctl=D05F:4FB69

Access Denied

Letting Users View Security Logs
Simply editing a GPO will let a group of users view Security logs but will also allow them to clear the logs. A more restrictive solution takes more work.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D05C:4FB69

Using Log Parser to Audit Domain Logons
The Log Parser tool lets you use SQL-like queries to extract data from log files.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D060:4FB69

Understanding Wireless-Security Protocols
The pursuit of wireless security has led to a plethora of protocols.
Clear up the confusion with this high-level view of the relationship between 802.11, 802.1x, 802.11i, WEP, and WPA.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D063:4FB69

The Importance of Windows XP SP2
The soon-to-be-released XP SP2 is so important to the security of your network that you should start testing it now.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=D05E:4FB69

=======================

==== Announcement ====
(brought to you by Windows IT Pro)

Monthly Online Pass = Quick Security Answers!
Sign up today for your Monthly Online Pass and get 24/7 access to the entire online Windows IT Security article database, including exclusive subscriber-only content. That's a database of over 1,900 Security articles to help you get all the answers you need, when you need them. Sign up now for just US$14.95 per month:
http://list.windowsitpro.com/t?ctl=D06D:4FB69

==== Sponsored Link ====

Quest Software
Eleven things you must know about quick AD recovery!
http://list.windowsitpro.com/t?ctl=D073:4FB69

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=D071:4FB69
About product news -- products@windowsitpro.com
About your subscription -- securityupdate@windowsitpro.com
About sponsoring UPDATE -- emedia_opps@windowsitpro.com

=======================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and internal users. Subscribe today!
( http://list.windowsitpro.com/t?ctl=D06C:4FB69 )

View the Windows IT Pro Privacy policy at
http://list.windowsitpro.com/t?ctl=D06B:4FB69

Windows IT Pro is a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All Rights Reserved.
From isn at c4i.org Mon Jun 27 05:24:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jun 27 05:30:14 2005
Subject: [ISN] Q&A: ChoicePoint CISO on data breach
Message-ID:

http://www.networkworld.com/news/2005/062405-choicepoint-qa.html

By Jaikumar Vijayan
Computerworld
06/24/05

The massive data compromise at ChoicePoint earlier this year has made the Alpharetta, Ga.-based data aggregator something of a target for those calling for tougher data protection laws. In an interview with Computerworld, Rich Baich, ChoicePoint's chief information security officer, talked about the breach, the measures that have been put in place since then and the lessons inherent for other CISOs.

You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it?

It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.

So has the press got it now?

I see it's much better now because we're at 65-plus incidents (reported) so far this year, I believe. There are a couple that are being referenced as hacks that are truly hacks and the rest are fraud or lost tapes. There was one time people were screaming, "Rich, you're a victim of social engineering" and that "you're in charge of all the information because you're the information security officer." Well, am I in charge of the mailroom when someone loses mail? Because that's information as well. And that's all I am trying to say. People are trying to point to a person when we really need to be looking at things as an industry.
But wouldn't better IT controls have helped?

Sure. As an industry I think we have gotten better with our fraud analytics tools. There's technology that can do geographic IP locations. (Such tools) can help mitigate the risk. Then again, a very intelligent adversary can figure out a way around that by bouncing off proxy servers and different things. But there is some technology that can help mitigate the risk -- not stop it.

So are you doing anything differently now?

Yes, we absolutely are. We are looking at our entire credentialing process, the entire business process and how it's being done. We are looking at putting additional technologies in place and the way we do business with others. We actually went down to an even better level by looking at the type of data they need. Do they need stuff that relates to PII (personally identifiable information), or do they not? If your job function doesn't require that, then you don't get it.

What's the take-away from that whole incident? What's your advice for CISOs?

If you are going to have this role at a time when there is really no firm guidance, make sure you have selected a model to implement. ... I think today when people ask, "Are you providing adequate security?" that is such a big, open question and it may be interpreted by so many different people in so many different ways. I think if you have selected a model and you are implementing a program around that model I think you can be successful, regardless of what happens.

Why are we hearing about so many major data compromises these days? What's happening?

I think in general more organizations are reporting it. But I also think the processes and the technologies have matured so that they are now realizing it. You have to remember an incident is an incident only if it's reported. So, as frightening as it is, there is also a positive end to it because at least the people are catching it.
Will the concern generated by the recent spate of data compromises inevitably result in more mandated controls?

When people say they want to put controls in place, it may be difficult because what controls do you put for what kind of information? Every good security practitioner knows you have to understand the assets and then you build protection profiles around it. So this particular asset may be a Type 1, and its protection profile may have five components to it. Type 2 may have 15 components and a Type 3 may have 26. The government may have a tough time labeling that. But I think something has to be done. Intervention is good. Education is better, and technology and processes make it more so. I think the incidents have caused a new focus within many organizations, and I think in the long run that itself will also help mitigate future risk.

Are companies looking at compliance requirements more as a baseline set of controls they have to meet from a security standpoint, or as the ceiling?

I think every company is always evolving to be stronger in their own maturity model when it comes to security. Our own focus more and more has been on data protection. We had a data destruction policy before this recent (Fair Credit Reporting Act) came along. We already had a destruction policy in place and software in place to erase hard drives and to make sure media could not be accessed when destroyed or sold. We have tried to stay ahead of the curve. But the toughest part about legislation right now is you don't know where it's coming from and you don't know what to expect. There's a lot of legislation being done at the state level right now based on when you have to respond to customers. It can be difficult if there are 50 different requirements. So, hopefully we'll see some sort of federal guidance around that.

You just released a book on what it takes to win as a CISO. So what does it take to win?
Winning as a CISO is really about getting a seat at the boardroom table and becoming a true member of the senior executive team. It's when you are able to intertwine security into every business aspect. It's about leaning more toward risk rather than talking about security. If you ask every CISO what they do and what they are responsible for, I think you'll get a scattergram of responses. How can you win if you haven't decided what your responsibilities are? Salespeople know when they win because they bust out their quota. CEOs know when they win because they meet their earnings. Security officers win when there are no incidents.

From isn at c4i.org Tue Jun 28 03:24:15 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 28 03:28:56 2005
Subject: [ISN] Cybersecurity group looks to Europe for help
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102825,00.html

By Scarlet Pruitt
IDG NEWS SERVICE
JUNE 27, 2005

There isn't a colored alert system indicating the threat level faced by global information systems. But if there were, former White House security director Paul Kurtz figures it would be bright orange for "high risk."

"It's not appropriate to say the sky is falling, but I do think we are taking information security for granted," Kurtz said during an interview on Friday.

It's this concern that prompted Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), to come to Europe last week. CSIA, a public-policy advocacy group focused on cybersecurity issues, was launched in February 2004 by a handful of IT security firms, including RSA Security Inc., McAfee Inc. and Symantec Corp. It's now seeking to expand its membership in Europe and begin tackling issues across the Atlantic.
Industry representatives approached Kurtz about his current job early last year, while he was serving as special assistant to the president and senior director for critical-infrastructure protection on the White House's Homeland Security Council. Those roles left him responsible for both physical and cybersecurity issues.

"At first, I thought Washington needs a new association like a hole in the head. But then after I thought about it, I elected to leave the White House," Kurtz said.

Part of the reason was that cybersecurity had been "put in the back seat" while physical security took precedence, he said. "It was very frustrating," Kurtz added.

At CSIA, Kurtz and the member companies want to work on global cybersecurity issues such as privacy and information integrity, as well as help develop policies like notifying the public when personal information has been exposed in a data breach. The group is focused on enterprise issues and is CEO-driven -- its board comprises executives from McAfee, Symantec and RSA, among others.

"The bottom line is that the private sector is going to get attacked," Kurtz said.

The U.S. government isn't taking cybersecurity seriously enough, he said, noting that it reduced research and development spending for the area in its latest budget. One possible reason for the lack of concern is that some government officials still believe cybercriminals are "pimply-faced teenagers," not organized crime gangs, according to Kurtz.

But for the private sector, the threat has become much more real as recent high-profile cases have grabbed headlines and shaken consumer confidence. In just one recent incident, it was revealed that some 40 million credit card numbers may have been accessed by a hacker who infiltrated the network of a company that processed payment information for MasterCard International Inc. (see "Security breach may have exposed 40M credit cards").
"As we've seen over the last few months, a lack of attention to detail can spill into the papers," Kurtz said.

By motivating the private sector to take action against cyberthreats, CSIA hopes its work will have a spillover effect on the public sector. "We need to raise these issues, but at the same time, we need to make sure that the government doesn't overreact," Kurtz said.

Overregulation is a concern for the industry. While IT companies want strong government leadership on IT security issues, at the same time, many of those polled by the CSIA don't trust the U.S. Congress to do what's right for the Internet, Kurtz said.

"There's a lot of debate about the roles and responsibility of government and industry in information security. This is one of the things we are trying to work out," he said.

Overall, the CSIA is promoting a holistic approach to security and is willing to work with the variety of concerned players, Kurtz said. In Europe, for instance, the organization has begun working with agencies such as the European Union's Article 29 working party on data protection.

"We are in Europe to take the next step and really think about these issues more broadly," Kurtz said.

The association expects to eventually extend into Asia, with the goal of establishing a global organization. "So often the U.S. rides in to save the day, but we do not want to bring a U.S. solution; we want to bring a harmonized solution," Kurtz said.

From isn at c4i.org Tue Jun 28 03:24:28 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 28 03:29:18 2005
Subject: [ISN] ictQatar holds cyber security workshop
Message-ID:

http://www.menafn.com/qn_news_story_s.asp?StoryId=97747

The Peninsula
28/06/2005

Doha: A specialised workshop on cyber security awareness was held here yesterday by Qatar's Supreme Council for Information and Communications Technology (ictQatar) in collaboration with the Qatar Computer Emergency Response Team (Q-Cert).
The importance of establishing an emergency response team to deal with cyber threats came up for discussion at the event. The workshop was the third in a series of four that ictQatar and Q-Cert will hold.

The workshops were held to offer a detailed overview of the various threats faced by computer networks and to gain input from experts in the field in Qatar. They were conducted in cooperation with the CERT Coordination Centre, a division of the Software Engineering Institute of Carnegie-Mellon University.

The CERT-CC has responded to some 400,000 cyber security incidents worldwide that had affected hundreds of thousands of Internet websites. It had reported some 12,000 vulnerabilities and issued hundreds of security advisories and bulletins. It had helped create some 200 similar forums worldwide.

The Q-Cert, it was learnt, would be a pioneering organization of its kind in the GCC region.

The workshop was conducted by Richard D Pethia, director of SEI's Networked Systems Survivability Program and team leader of Q-Cert. Pethia pointed out how computer networks were at an increased risk due to an increase in the number of hackers. Hamad Al Mannai, director of projects at ictQatar, also spoke at the workshop.

From isn at c4i.org Tue Jun 28 03:24:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 28 03:29:41 2005
Subject: [ISN] Microsoft to help NPA fight cyber attacks.
Message-ID:

http://www.asahi.com/english/Herald-asahi/TKY200506280201.html

06/28/2005
The Asahi Shimbun

U.S. software giant Microsoft Corp. will increase cooperation with the National Police Agency to give authorities an upper hand in the battle against cybercrimes and the spread of viruses, company founder Bill Gates said Tuesday.

Under the agreement reached in April, Microsoft will inform the NPA about flaws and vulnerabilities in the Windows operating system before such information is made public.
The company will also provide special engineering analyses that are needed in investigating cybercrimes, such as computer viruses, said Gates, who was visiting Tokyo for business purposes and a symposium.

The NPA and Microsoft also agreed to establish hot lines so that engineers from both sides can better coordinate countermeasures while strictly controlling information, according to Microsoft.

"We can contribute to enhancing information security and reducing cybercrimes," a Microsoft official said.

Microsoft publicizes information on Windows glitches, but on a fixed schedule to prevent virus creators, computer hackers and others from exploiting such flaws for malicious purposes.

With the early warnings from Microsoft, the NPA will be able to quickly take countermeasures against cybercrimes before the problems are publicized.

Since technological information often contains corporate secrets, computer companies have been reluctant to provide data to NPA investigators, fearing that the secrets could be leaked to rival companies.

But Microsoft said it has concluded similar agreements with police agencies in the United States and Europe.

(IHT/Asahi: June 28, 2005)

From isn at c4i.org Tue Jun 28 03:23:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jun 28 03:30:28 2005
Subject: [ISN] 13 teens face felonies
Message-ID:

http://www.berksmontnews.com/site/news.cfm?newsid=14742096

By Dan Roman
06/23/2005

Thirteen Kutztown Area High School students are facing felony charges for tampering with district-issued laptop computers.

According to parent testimony and confirmed by an otherwise vaguely-worded letter from the Kutztown Police Department, students got hold of the system's secret administrative password and reconfigured their computers to achieve greater Internet and network access. Some students used the newfound freedom to download music and inappropriate images from the Internet.
James Shrawder spoke on behalf of a group of parents of six of the accused at a June 20 school board meeting. He said the administration may have railroaded the process by not providing authorities with the whole story.

"That's absurd," Superintendent Brenda S. Winkler said after the board meeting, in response to Shrawder's allegations that the administration withheld information until the end of the school year.

Shrawder asked that the school board act in order to reverse the damage done by the administration.

Shrawder said the secret password "50Trexler," was widely known among the student body and distributed early in the school year. It allowed between 80 and 100 students to reconfigure their laptops, he said.

The more computer-savvy students began to disable the administration's ability to spy on the students' computer use. For others, it became a game, trying to outsmart the administration and compete with fellow students who held the secret, Shrawder said.

"I don't know why this is such a big deal," he said. "At no time was the security of the server breached, and I don't know that it has cost the taxpayers any money."

Winkler agreed that the server, where grades and other private records are stored, was never threatened.

Shrawder acknowledged that the students broke school rules, but he and the other parents protested what they believe is the heavy-handed approach to the problem.

Most of the students accused were freshmen, but a few were sophomores and juniors. None of the accused were seniors.

Parents also worried that a felony conviction would permanently damage their child's record for an infraction that may otherwise have resulted in a grounding if it were discovered by a parent.

"I don't think they knew what this could do to their future," said LeAnn Shoemaker, a parent of one of the accused.

Her 15-year-old son John, who will be a sophomore next fall, agreed. "I knew it was against school policy," he said. "But I didn't know it was a felony."
Winkler said the administration could not comment on student disciplinary action. "We continue to collaborate with police," she said. She also noted that charges have not been formally issued and could not comment on the perceived harsh penalty. School Board President Don C. Vymazal said he sympathized with the parents. "They are concerned and we would be too," he said. For the moment, parents were uncertain how to react to the threat of charges against their children. Paperwork is hung up in the county juvenile court system, and the only indication of the charges is the letter sent to parents and signed by Officer Walter J. Skavinsky of the Kutztown Police Department. The Skavinsky letter, dated May 31, says the police were contacted on May 2 by members of the high school staff. An investigation found that 13 students had violated the school's permitted use policy and gained greater access to the school's Internet and intranet resources. Skavinsky consulted with the Berks County District Attorney's office and recommended charges of "Computer Trespass," in violation of PA criminal code section 7615, which carries a third degree felony charge. The letter tells parents that juveniles charged with a crime "must present themselves in a timely manner to the arresting police department for the purposes of fingerprinting and identification." The iBook laptops were issued to all high school students last fall in an experimental program with Apple computers. The program will cost up to $900,000 over the next four years. Winkler reaffirmed the district's commitment to the program saying it has been "a learning experience." 
From isn at c4i.org Tue Jun 28 03:23:27 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jun 28 03:30:54 2005 Subject: [ISN] Group: Secure Bluetooth with long PINs Message-ID: http://news.com.com/Group+Secure+Bluetooth+with+long+PINs/2100-1002_3-5764838.html By Peter Judge Special to CNET News.com June 27, 2005 Bluetooth, the wireless connection used on PDAs and phones, is not safe unless you use an eight-digit PIN to secure devices, an industry group has warned. The Bluetooth Special Interest Group has told people to set eight-digit PINs when pairing two devices and to take other precautions, after a report described a way for hackers to crack the security codes on Bluetooth devices and seize control of them. For security, Bluetooth devices will not communicate until they have "paired"--a one-off process in which both devices must enter the same PIN, or personal identification number. A hacker that listens in on the pairing process can decode the PIN and then take control of the link, siphon off data or, potentially, take control of either of the devices. Because Bluetooth has a short range, and pairing is a one-off process between any two devices, most users were considered safe--until an extension of the attack was described this month by Yaniv Shaked and Avishai Wool of Tel Aviv University in Israel. The new attack can force two Bluetooth devices to come "unpaired," the researchers said. When the user pairs them again, the hacker can listen to the pairing process and crack the PIN. The simplest way to force Bluetooth devices to re-pair is to send a message that purports to come from one of them, claiming to have lost the key. Three ways to force re-pairing are described in "Cracking the Bluetooth PIN", presented by Avishai Wool and Yaniv Shaked of Tel Aviv University, at the Mobisys conference in Seattle. 
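The attack described above recovers the PIN from an overheard pairing, and the SIG's defence is simply a larger PIN space. The following is an added example, not code from the article, the Bluetooth SIG or the Tel Aviv paper: it assumes, as a constructed figure, that a PC can test 10^5 candidate PINs per second, and compares the worst-case exhaustive-search time for several PIN policies. The policy names and alphabet sizes are my own choices.

```python
# Added example: how the size of the PIN space sets the cost of an exhaustive
# search. The guess rate is a constructed assumption, not a measured figure.
GUESSES_PER_SECOND = 1e5                     # constructed: 10**4 PINs per 0.1 s
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct PINs of the given length over the given alphabet."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every PIN at the assumed guess rate."""
    return keyspace(alphabet_size, length) / rate


def exhaustive_search_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    return exhaustive_search_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


# Policies a defender might compare. Alphabet sizes: digits 10, case-insensitive
# alphanumerics 36, case-sensitive alphanumerics 62. Bluetooth PINs are at most
# 16 bytes long, so 16 digits is the ceiling for a purely numeric PIN.
PIN_POLICIES = [
    ("4 digits (typical factory default)", 10, 4),
    ("8 digits", 10, 8),
    ("8 alphanumeric, case-insensitive", 36, 8),
    ("8 alphanumeric, case-sensitive", 62, 8),
    ("16 digits (maximum PIN length)", 10, 16),
]


def compare_pin_policies(rate=GUESSES_PER_SECOND):
    """Return (policy name, keyspace size, worst-case seconds), weakest first."""
    rows = [(name, keyspace(a, n), exhaustive_search_seconds(a, n, rate))
            for name, a, n in PIN_POLICIES]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    for name, size, seconds in compare_pin_policies():
        print(f"{name:40s} {size:>18,d} {seconds / SECONDS_PER_YEAR:14.4f} years")
```

Under the assumed rate, eight digits fall in well under an hour while eight case-sensitive alphanumeric characters take decades: the alphabet, not just the length, is what the "eight character alphanumeric" advice relies on.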
The Bluetooth SIG's advice echoes that of Wool and Shaked--don't re-pair in a public place, where someone else might eavesdrop, and use a longer PIN. "When you pair devices for the first time, do this in private--at home or in the office," the SIG advised in a statement last week. "If your devices become unpaired while you are in public, wait until you are in a private, secure location before re-pairing your devices, if possible." "Always use an eight character alphanumeric PIN code as the minimum," the SIG said. "You only have to enter this once, so (a longer code) is not a hardship given the security benefits." The group agrees with the researchers that a PC can crack a four-digit code in a tenth of a second, but reckons an eight-digit PIN would take 100 years to break, making this crack "nearly impossible." Some devices, such as headsets, include a factory-set four-digit PIN, but most devices like phones allow users to set the PIN they want. The SIG is also at pains to assure people that the hack is only an academic paper at present. "The equipment needed for this process is very expensive and primarily used by developers only," its advice reads. "It is highly unlikely that a normal user would ever encounter such an attack." As ever, knowledge is important. "The attack also relies on a degree of user gullibility, so understanding the Bluetooth pairing process is an important defense," the SIG said. Peter Judge of ZDNet UK reported from London. From isn at c4i.org Tue Jun 28 03:24:01 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jun 28 03:31:17 2005 Subject: [ISN] Viruses, Security Issues Undermine Internet Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2005/06/25/AR2005062501284.html By Ariana Eunjung Cha Washington Post Staff Writer June 26, 2005 DENVER -- E-mails were flooding in from all over the country. Something strange was going on with the Internet, alarmed computer users wrote. 
Google, eBay and other big sites had suddenly disappeared. Kyle Haugsness scanned the reports and entered crisis mode. Part of the Internet was broken. For the 76th time that week. Haugsness was on duty for the Internet Storm Center, the closest thing to a 911 emergency-response system for the global network. He and a few colleagues began investigating and discovered that a hacker had taken advantage of yet another security hole. As many as 1,000 companies had effectively had their connections "poisoned," so when their employees typed in legitimate addresses they were taken to bogus Web destinations. Haugsness wrote up an alert and a suggested solution, and posted it on the Web. Then, Haugsness turned back to his inbox. In the few hours he had spent sleuthing that March day, several dozen e-mails detailing other suspected issues had piled up. Built by academics when everyone online was assumed to be a "good citizen," the Internet today is buckling under the weight of what is estimated to be nearly a billion diverse users surfing, racing, and tripping all over the network. Hackers, viruses, worms, spam, spyware and phishing sites have proliferated to the point where it's nearly impossible for most computer users to go online without falling victim to them. Last year, the Carnegie Mellon University CERT Coordination Center logged 3,780 new computer security vulnerabilities, compared with 1,090 in 2000 and 171 in 1995. Computer security firm Symantec Corp. over the past decade has catalogued 11,000 vulnerabilities in 20,000 technologies, affecting 2,000 vendors. "I'm very pessimistic about it all," said Haugsness, who has worked for the storm center for two years. "There are huge problems and outages all the time, and I see things getting worse." 
Originally developed by the Defense Department, the Internet is now a global electronic communications network made up of hundreds of millions of computers, servers and other devices run by various governments, academic institutions, companies and individuals. Because no one entity owns it, the network depends on goodwill to function smoothly. The Internet has become so huge -- and so misused -- that some worry that its power to improve society has been undermined. Now a movement is gathering steam to upgrade the network, to create an Internet 2.0. How, or even if, that could be done is a subject of much debate. But experts are increasingly convinced that the Internet's potential will never be met unless it's reinvented. "The Internet is stuck in the flower-power days of the '60s during which people thought the world would be beautiful if you are just nice," said Karl Auerbach, a former Cisco Systems Inc. computer scientist who volunteers with several engineering groups trying to improve the Internet. Many of the bugs in the Internet are part of its top layers of software, the jazzy, graphics-heavy, shrink-wrapped programs that come loaded on new computers or sold in retail stores. But some of the most critical issues were built into the network's core design, written decades ago and invisible to the average user. For example, a way to verify the identity of a sender of e-mail or other communications is just beginning to become available, meaning that many criminals roam the network with relative anonymity. And the system that matches addresses to Web sites is vulnerable to hackers, redirecting users to sites they never wanted to visit. Technological solutions for many of those problems have existed for years, but it's been difficult to build a consensus to implement them. Arguments about global politics, potential profits and ownership of intellectual property have plagued groups trying to fix things. 
"The problem with the Internet is that anything you do with it now is worth a lot of money. It's not just about science anymore. It's about who gets to reap the rewards to bringing safe technologies to people," said Daniel C. Lynch, 63, who as an engineer at the Stanford Research Institute and at the University of Southern California in the 1970s helped develop the Internet's framework. As the number of users exploded to more than 429 million in 2000 from 45 million in 1995, Lynch remembered watching in horror as hackers defaced popular Web sites and shady marketers began to bombard people's e-mail inboxes with so much spam that real messages couldn't get through. When the Internet's founding fathers were designing the network in the 1960s and 1970s, they thought a lot about how the network would survive attacks from the outside -- threats like tornados, hurricanes, even nuclear war. What they didn't spend much time thinking about was internal sabotage. Only several hundred people had access to the first version of the Internet and most knew each other well. "We were all pals," Lynch said. "So we just built it without security. And the darn thing got out of the barn." Years passed before the Internet's founders realized what they had created. "All this was an experiment. We were trying to figure out whether this technology would work. We weren't anticipating this would become the telecommunications network of the 21st century," said Vinton G. Cerf, 62, who with fellow scientist Robert T. Kahn, 66, helped draft the blueprints for the network while it was still a Defense Department research project. 
Even as he marveled at the wonders of instant messaging, Napster and other revolutionary tools that would not have been possible without the Internet, Leonard Kleinrock, 71, a professor at the University of California at Los Angeles who is credited with sending the first message -- "lo," for "log on" -- from one computer to another in 1969, began to see the Internet's dark side. "Right now the Internet is running amok and we are in a very difficult period," Kleinrock said. Some technologists have said the Internet or parts of it are so far gone that it should be rebuilt from scratch, and over the past decade there have been several attempts to do so. But most now agree that the network has become too big and unruly for a complete overhaul. For now groups are working on what are essentially bandages for the network. Today, a complicated bureaucracy of groups known by their abbreviations help govern the network: the IETF (the Internet Engineering Task Force, which comes up with the technical standards), ICANN (the Internet Corporation for Assigned Names and Numbers, which manages the naming system for Web sites) and the W3C (the World Wide Web Consortium, which develops technologies for the Web). But their power is limited and their legal standing murky. Some have recently argued that the United Nations should take over some regulatory functions. Firms have set up their own standards groups to suit their own interests. The one thing everyone seems to agree on is that security must be the priority when it comes to the next generation Internet. Major companies are promoting technology that will give recipients of e-mail "return addresses," or a better way of ensuring that senders are who they say they are, though the companies disagree on whose technology should be used. 
A group of scientists from the Internet Engineering Task Force, perhaps the most important standards-making body for the network, are working on a way to better collect and share information on computer intrusions. Internet2, a consortium of mostly academic institutions that has built a screaming-fast network separate from the public Internet, is testing a technology that allows users to identify themselves as belonging to some sort of group. Douglas E. Van Houweling, president of Internet2 and a professor at the University of Michigan, thinks the system could be used to limit access without using passwords to, say, chat rooms for women with children on a certain soccer team, or to subscribers of certain magazines or newspapers. "You've heard the saying that on the Internet nobody knows you're a dog, and that's of course the problem," Van Houweling said. "Authentication will allow communities to form where people are known and therefore can be trusted." But there's a trade-off for such security. The network becomes balkanized, with more parts of it closed to most people. Auerbach, who has been involved with ICANN and the IETF, said more security raises the "specter of central authorities." Lynch believes the Internet will never truly be secure, though, because of the diversity of software and devices that run on it. If one has a flaw, others are vulnerable. For years computer designers have tried to build a machine that lives up to the "orange book," a specification written by technologists at the predecessor to the National Institute of Standards and Technology. It describes a bug-free, completely secure computer that has to be built in a clean room with designers who have gone through extensive background checks and are not allowed to communicate with anyone. "There have been a few computer systems built like this for the military and they vanish, just vanish. Nobody talks about them anymore," Lynch said. 
"They have been created, but for the average person they may as well not exist." Until that perfect machine is built for consumers, it will be up to people like Haugsness at the Internet Storm Center to keep the network up and running. The center is operated by the SANS Institute, a Bethesda-based nonprofit dedicated to computer security. But most of its work is done by an eclectic group of volunteers who sign on remotely from around the world, including a former National Security Council staff member and a grandmother in Iowa. Haugsness is in his late twenties and is an avid snowboarder and mountain biker. One Sunday afternoon this month, Haugsness was at his company's office checking the storm center reports. One person said he had found a new variant of a program that allowed hackers to take over a computer by creating a "back door" through holes in its security system. There were also complaints about a few phishing e-mails that tried to trick people into giving up their personal information. Internet traffic patterns worldwide seemed fine -- only a few sections had congestion that would qualify as serious, or "red." Nothing "super bad" so far, Haugsness concluded. All in all, only about a half-dozen documented problems. That might have been considered a disaster a decade ago. But it was a pretty good day for the Internet in 2005. © 2005 The Washington Post Company From isn at c4i.org Tue Jun 28 03:25:01 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jun 28 03:31:40 2005 Subject: [ISN] Suspected Computer Hacker Gets Diploma Message-ID: http://fox40.trb.com/news/ktxl-062705hacker,0,2946372.story?coll=ktxl-news-1 June 27, 2005 ELK GROVE -- The Laguna Creek High School senior who was suspended for allegedly hacking into the school's computer system received his diploma on Monday. There was no cap and gown, no pomp and circumstance. Still, it was graduation day for 18-year-old Alex Ochoa at Laguna Creek High School. 
The day his family had been waiting for came after the senior football player and honor student was suspended May 12th. In panel hearings, district officials said Ochoa changed his grades and the grades of 38 other students over a year and a half. "I was relieved they saw the truth. Still upset the investigation did not come up and that I had to miss graduation, that was hard," Alex Ochoa said. "He finally got to graduate, I knew he would but it's nice to see the diploma, he's my oldest son I missed the opportunity to see him cross the stage so did his grandparents, we'll never forget that," mother Patti Ochoa said. Ochoa and his mother maintain two other students placed the blame on him. District representatives would only say the panel decided not to recommend expulsion and allow Ochoa to receive his diploma though they did not offer any details on why. So for now, Ochoa and his family say they're glad this ordeal is over. Ochoa says he's still receiving a need-based scholarship to Occidental College, where he plans to play football in the fall. Meanwhile the district says they have since revised their computer security policies. Copyright © 2005, KTXL From isn at c4i.org Wed Jun 29 01:04:33 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:11:20 2005 Subject: [ISN] IRS search for public records access ends with ChoicePoint Message-ID: http://www.gcn.com/vol1_no1/daily-updates/36239-1.html By Doug Beizer Contributing Staff Writer 06/28/05 The Internal Revenue Service has awarded ChoicePoint Government Services a contract worth as much as $20 million to serve as the agency's public records provider for batch processing projects, according to the company. Under a five-year contract, ChoicePoint will provide the IRS with access to its suite of custom data solutions. IRS officials will use ChoicePoint's public records data capabilities to support customized data retrieval requirements. 
ChoicePoint provides public records information about a person, asset or location, a company spokesperson said. The information can include current and former addresses, property ownership records and bankruptcy, lien or judgment information. These searches can be performed one at a time or in bulk; the bulk searches are known as batch searches. The IRS contract is for batch searches, the spokesperson said. "This award is consistent with our Government Services strategy of helping clients manage unique challenges by using ChoicePoint's customized data delivery capabilities," said Rob Russell, ChoicePoint Government Services assistant vice president for strategic development, based in Washington. Batch processing involves the automated delivery and processing of data files, which reduces the need for human intervention. More than 25 federal agencies use ChoicePoint batch solutions to support their daily activities, company officials said. ChoicePoint Government Solutions is a division of ChoicePoint Inc. of Atlanta. Doug Beizer is a staff writer for Government Computer News' sister publication, Washington Technology. From isn at c4i.org Wed Jun 29 01:03:49 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:11:40 2005 Subject: [ISN] New worm lures users with 'breaking news' Message-ID: http://www.networkworld.com/news/2005/062805-worm-kedebe-f.html By Scarlet Pruitt IDG News Service 06/28/05 Internet users alarmed over news of Michael Jackson's death or dark conspiracies behind the demise of Pope John Paul II should perhaps just be worried that they received another new e-mail worm. Researchers at security firm Sophos Tuesday warned of the spread of the Kedebe-F e-mail worm, which carries a variety of subject headers and messages touting breaking news. However, users who click on the attached file could have their security software and firewall disabled, according to Sophos. 
Possible messages include "someone sent me this document which is stolen from a secret government body ... about John Paul's death." Other messages try to entice recipients into opening the attached file by claiming Michael Jackson has died, Osama bin Laden has been captured by U.S. soldiers or the MyDoom e-mail worm author has been arrested by Microsoft, Sophos said. Using supposed "breaking news" to persuade users to open a message and click on an attachment is a long-favored method among virus writers, according to Sophos Senior Technology Consultant Graham Cluley. "This is a fairly common trick. It doesn't take Albert Einstein to think this one up," Cluley said. Although the worm is currently slow-spreading, Cluley flagged it as an example of the kinds of socially engineered threats that users should watch out for. The worm spreads via e-mail or peer-to-peer file sharing networks. It appears to be targeted at both news hounds and geeks, with mentions of the MyDoom worm, Cluley said. Also, it spreads on peer-to-peer networks by copying itself to the directory for sharing information on the server, purporting to be source code for the Sasser worm. Users are advised to update their anti-virus software against the threat. From isn at c4i.org Wed Jun 29 01:04:07 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:11:55 2005 Subject: [ISN] Bogus analysis led to terror alert in Dec. 2003 Message-ID: http://msnbc.msn.com/id/8380365 By Lisa Myers, Aram Roston and the NBC Investigative Unit NBC News Investigative Unit June 27, 2005 WASHINGTON - Christmas 2003 became a season of terror after the federal government raised the terror alert level from yellow to orange, grimly citing credible intelligence of another assault on the United States. "These credible sources," announced then-Secretary of Homeland Security Tom Ridge, "suggest the possibility of attacks against the homeland around the holiday season and beyond." 
For weeks, America was on edge as security operations went into high gear. Almost 30 international flights were canceled, inconveniencing passengers flying Air France, British Air, Continental and Aero Mexico. But senior U.S. officials now tell NBC News that the key piece of information that triggered the holiday alert was a bizarre CIA analysis, which turned out to be all wrong. CIA analysts mistakenly thought they'd discovered a mother lode of secret al-Qaida messages. They thought they had found secret messages on Al-Jazeera, the Arabic-language television news channel, hidden in the moving text at the bottom of the screen, known as the "crawl," where news headlines are summarized.
"Steganography" suspected
U.S. officials tell NBC News that CIA experts - technicians working for the Directorate of Science and Technology - thought they had found numbers embedded in the crawl signaling upcoming attacks; dates and flight numbers, and geographic coordinates for targets, including the White House, Seattle's Space Needle, even the tiny town of Tappahanock, Va. What the analysts thought they had found was something called "steganography" - messages hidden inside a video image. President Bush and Ridge were briefed on the Al-Jazeera analysis, U.S. intelligence sources say. In an exclusive interview with NBC News, Ridge defended the government's actions, although he called the intelligence analysis "bizarre, unique, unorthodox, unprecedented." [1] "Maybe that's very much the reason that you'd be worried about it, because you hadn't seen it before," recalls Ridge. He says the administration had to take the suspected terror messages seriously, although "speaking for myself I've got to admit to wondering whether or not it was credible." Was he himself skeptical? "Yeah, we weren't certain," says Ridge. "Still, in the context of everything else (intelligence chatter and a terror attack in Saudi Arabia), we could not set it aside and dismiss it as not credible." 
So the United States raised the alert level and canceled flights.
Critics question evaluation of the evidence
"I'm astonished," says author and intelligence expert Jim Bamford, "that they would put so much credibility in such a weak source of intelligence." Bamford says the CIA shouldn't be criticized for considering the theory, but that analysts should have weighed how implausible it was. "What you have to do is judge the intelligence versus what your actions are going to be. And this is the equivalent, basically, of looking at tea leaves," Bamford says. Intelligence sources say that even within the CIA, the analysis was a closely guarded secret. Still, they say, some top CIA officials who learned about it were skeptical. Top officials at the Directorate of Operations, which conducts clandestine operations, and others who worked at the CIA Counterterrorism Center, felt that the whole theory was implausible and was being taken far too seriously. As discredited as the CIA's interpretation now is, experts say steganography is a valid subject for CIA analysis, and could be used by terrorists to hide data in files on the Web, in still photographs or in broadcast television images. "Steganography," says professor Nasir Memon of Polytechnic University in Brooklyn, N.Y., "is the art, if you will, of secret writing. And when two parties want to talk to each other and not let anybody know they are indeed communicating, they would use steganography." Memon is an expert in "steganalysis" -- using sophisticated software to locate hidden messages. He says such analysis is valuable but not always reliable, because there are many "false positives." In general, he says, "it's not something I would bet the farm on because there is a significant chance that it could be wrong." TV networks commonly hide digital "watermarks" in their video broadcasts, a legitimate use of video encoding to pass along innocuous digital information. 
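Memon's point about false positives is easy to see on a toy version of the problem. The following is an added example, not code or data from the article or the CIA analysis it describes: it hides a payload in the least significant bits of 8-bit samples (the textbook "LSB" scheme for still images), then runs a simple steganalysis statistic based on the counts of each pair of values (2k, 2k+1), which sequential LSB embedding drives toward equality. All inputs are constructed; the "natural" cover is a synthetic sample set with deliberately uneven pairs, the noise cover is uniformly random, and the threshold is my own choice. The noise cover carries no message yet is flagged, which is exactly the false positive Memon warns about.

```python
import random

# Added example. Every input below is constructed; nothing is taken from the
# article, and the 0.2 threshold is an arbitrary choice for this toy.


def bytes_to_bits(data):
    """Most-significant-bit-first list of bits for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, usable, 8))


def embed_lsb(cover, payload):
    """Replace the least significant bit of each 8-bit sample with one payload bit."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego, nbytes):
    """Read nbytes back out of the least significant bits."""
    return bits_to_bytes([sample & 1 for sample in stego[:nbytes * 8]])


def lsb_pair_imbalance(samples):
    """Mean normalised imbalance |n(2k) - n(2k+1)| / (n(2k) + n(2k+1)) over pairs.

    LSB embedding of random-looking bits makes each pair's counts nearly equal,
    so a score near 0 suggests embedding. Any content whose pairs were already
    balanced (e.g. noise) scores low too, which is the false-positive case."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    diffs = []
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            diffs.append(abs(even - odd) / (even + odd))
    return sum(diffs) / len(diffs) if diffs else 0.0


def flags_as_stego(samples, threshold=0.2):
    return lsb_pair_imbalance(samples) < threshold


def make_skewed_cover(n, rng):
    """Constructed stand-in for a natural image: within each pair (2k, 2k+1) the
    even value is chosen 70% of the time, giving the uneven pair counts that
    smooth, untouched content tends to have."""
    return [2 * rng.randrange(128) + (0 if rng.random() < 0.7 else 1)
            for _ in range(n)]


def make_noise_cover(n, rng):
    """Constructed uniformly random samples; their pairs are balanced to begin with."""
    return [rng.randrange(256) for _ in range(n)]


def demo(n=20000, seed=2005):
    rng = random.Random(seed)
    cover = make_skewed_cover(n, rng)
    noise = make_noise_cover(n, rng)
    message = b"constructed sample payload"
    # Real tools fill spare capacity with encrypted, random-looking data; random
    # filler models that so the whole cover is touched.
    filler = bytes(rng.getrandbits(8) for _ in range(n // 8 - len(message)))
    stego = embed_lsb(cover, message + filler)
    return {
        "recovered": extract_lsb(stego, len(message)),
        "cover_score": lsb_pair_imbalance(cover),
        "stego_score": lsb_pair_imbalance(stego),
        "noise_score": lsb_pair_imbalance(noise),
        "cover_flagged": flags_as_stego(cover),   # False: untouched content
        "stego_flagged": flags_as_stego(stego),   # True: real embedding
        "noise_flagged": flags_as_stego(noise),   # True: a false positive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector has no way to tell "balanced because a message was embedded" from "balanced because the source was noisy", so on its own it cannot justify a conclusion; corroborating evidence, or at least a well-characterised baseline for the specific source, is needed before acting on such a score.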
The CIA's Al-Jazeera analysis is classified, and it is still unclear exactly what the CIA technicians were looking for in the network's "crawl."
Ridge stands by alert
Regardless, Ridge told NBC News that the CIA analysis certainly did turn out to be wrong. He confirms there were no secret terror messages. He also says there was no evidence that terrorists were actively plotting against aviation at the time. But Ridge insisted it was not a mistake to raise the alert level or to cancel the flights. "I think it was the right thing to do," he said. Even if raising the alert level frightened a lot of people? "We acted accordingly based on our best information and best conclusions and the information that we had at the time," Ridge said. Ridge added that the faulty CIA analysis was a significant factor in raising the alert level, but not the only factor. As for the CIA, a spokeswoman would not confirm or deny this report, but said it's the "agency's job to run all plausible theories to the ground, especially when American lives could be at risk." Lisa Myers is NBC's senior investigative correspondent and Aram Roston is an NBC investigative producer. [1] http://msnbc.msn.com/id/8380328/ From isn at c4i.org Wed Jun 29 01:04:22 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:12:15 2005 Subject: [ISN] Microsoft Ships Last-Minute Windows 2000 Update Rollup Message-ID: http://www.eweek.com/article2/0,1895,1832574,00.asp By Ryan Naraine June 28, 2005 With just two days to go before the expiration of mainstream support for Microsoft's Windows 2000 operating system, the software giant has provided an update rollup with more than 50 security patches and system reliability fixes. The update rollup, which replaces Windows 2000 SP5 (Service Pack 5), ships as a high-priority update on the Windows Update site [1], where it will be listed in the "Critical and Service Packs" category. In a security advisory [2] posted Tuesday, Microsoft Corp. 
said the rollup is applicable to Windows 2000 client and server releases and requires the prior installation of SP4. "[It] contains additional important fixes in files that have not previously been part of individual security updates [and] additional enhancements that increase system security, reliability, reduce support costs and support the current generation of PC hardware," the company said. But the company said the rollup initially will not be distributed over Automatic Updates because Windows 2000 customers are being transitioned to a new version of Windows Update. "Once the transition is complete, which is expected in early July, Automatic Updates will be enabled for the update rollup." [3] Microsoft said the rollup contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005, the time when the code was "locked down for final testing." Windows 2000 remains the most dominant operating system used in the enterprise, but once mainstream support ends June 30, analysts expect corporate migration to Windows XP to speed up. Microsoft divides its support life cycle into two phases: mainstream and extended. Once a product enters the extended support period, Microsoft charges for support. But the company still will provide Windows 2000 security patches for free through June 10, 2010. Microsoft has posted a Knowledge Base article [4] that describes the contents of the Windows 2000 update rollup. 
[1] http://windowsupdate.microsoft.com/ [2] http://www.microsoft.com/technet/security/advisory/891861.mspx [3] http://www.eweek.com/article2/0,1759,1822852,00.asp [4] http://support.microsoft.com/default.aspx/kb/891861?#XSLTH3185121123120121120120 From isn at c4i.org Wed Jun 29 01:04:45 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:12:32 2005 Subject: [ISN] Bagle commandeers PCs for zombie army Message-ID: http://news.com.com/Bagle+commandeers+PCs+for+zombie+army/2100-7349_3-5766772.html By Joris Evers Staff Writer, CNET News.com June 28, 2005 A new version of the Bagle virus is attempting to turn PCs into zombies for use in cyberattack networks. The variant surfaced over the weekend and was spammed to tens of thousands of Internet users, Ero Carrera, a researcher at F-Secure, said Tuesday. The antivirus software maker is calling the offshoot Mitglieder.CN, but it is known by other names, such as Bagle.BQ or Tooso.J, at other security companies. The latest Bagle behaves in a similar way to its predecessors that don't self-propagate. It arrives in an e-mail with an attachment. When the file is executed, the malicious program tries to disable firewalls and antivirus software. It then attempts to download and run a Trojan horse that hijacks the infected PC for use as part of a botnet. Botnets are groups of compromised PCs, often numbering in the thousands per network, that are rented out to relay spam, to launch denial-of-service attacks, or to perform other malicious acts. "Compromised PCs could be used to send out new variants of Bagle," for example, Carrera said. Bagle has spawned at least 70 variants since the virus emerged in January 2004. Some iterations have been more sophisticated than others, blending mass-mailing and Trojan horse techniques. Most antivirus companies updated their products over the weekend to protect customers against the new virus. 
"It is not going to be a major issue," Mikko Hypponen, director of research at F-Secure, said Monday. Symantec rates the new variant a low risk because it has not spread much. "Our rate of submissions is slowing down on that variant, so we don't consider it to be a significant threat," a Symantec representative said Monday. From isn at c4i.org Wed Jun 29 01:04:58 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jun 29 01:12:46 2005 Subject: [ISN] Prosecutors cut 6 counts in Acxiom hacker case Message-ID: http://www.ardemgaz.com/ShowStoryTemplate.asp?Path=ArDemocrat/2005/06/28&ID=Ar02306&Section=Business BY BRIAN BASKIN ARKANSAS DEMOCRAT-GAZETTE June 28, 2005 U.S. attorneys want to drop six of 144 charges against Florida spammer Scott Levine, two weeks before he stands trial on charges that he orchestrated a massive data theft from Little Rock's Acxiom Corp. The six charges relate to instances where Levine is accused of gaining access to an Acxiom server without downloading any data, according to a Friday filing in the U.S. District Court for Arkansas' Eastern District. "It's a tenuous theory to push that the crime was committed on those files," said U.S. Attorney Bud Cummins, who described the changes as routine before a trial. On July 11 in Little Rock, Levine will still face 133 counts of unauthorized access of a protected computer. Each catalogues a separate time between April 2002 and August 2003 when he reportedly downloaded information about consumers from Acxiom. The Boca Raton owner of the defunct bulk e-mail operation Snipermail.com Inc. also is being tried for conspiracy, money laundering, two counts of unauthorized possession of Acxiom passwords and obstruction of justice. U.S. attorneys also amended the indictment to ask that Levine forfeit a Boca Raton home he bought after selling a home named in the July indictment. Other homes near the property Levine owns sold recently for between $1.1 million and $2 million, according to real estate records. 
"He sold [the first] house out from under us before we got our claws into it," Cummins said.

At Levine's July 2004 indictment, a U.S. attorney said the breach "may be the largest intrusion of personal data ever." None of the stolen information was used for identity theft. Instead, Levine is alleged to have integrated the stolen data into Snipermail databases and sold them to clients, according to the indictment.

Levine may have hacked into Acxiom servers as early as November 2001, but the intrusion only became known in August 2003, when the company checked its servers in response to another hacking incident.

Daniel Baas, an employee of an Acxiom partner in Ohio, stole millions of records between Dec. 10, 2002, and Jan. 2, 2003, but never used any of the data. He was sentenced in state court in Ohio to 2 1/2 years in prison in October. In March, he was sentenced to 45 months in federal prison by the U.S. District Court in Cincinnati.

Acxiom collects and analyzes data about virtually all U.S. households. It sells consumer information for marketing purposes and assists clients with data processing.

From isn at c4i.org Wed Jun 29 01:05:15 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jun 29 01:12:59 2005
Subject: [ISN] FBI looks into possible hacking
Message-ID:

Forwarded from: William Knowles

http://www.jsonline.com/bym/news/jun05/337260.asp

By RICK BARRETT
rbarrett [at] journalsentinel.com
June 28, 2005

The FBI is investigating whether a former P&H Mining Equipment employee hacked into the company's computer system from his home and copied files of projects he had worked on.

The FBI has seized about a dozen computers from the suspect's Milwaukee home and is analyzing them for evidence that could result in criminal charges.

The former employee, a computer systems administrator, has not been charged with a crime and is not being named for this article.
"It takes us a while to work these cases to fruition," said Mike Johnson, cyber crimes supervisor for the Milwaukee office of the FBI.

"They are time consuming, depending on how much data we find in the computers," he said. "Computer hard drives keep getting bigger, and the bigger they are, the longer it takes for us to get through them."

P&H Mining Equipment, a division of Joy Global Inc., makes some of the world's largest mining shovels and draglines. One shovel alone can move about 360 tons of coal in 90 seconds. The company has operations in 46 countries.

In a search warrant affidavit, FBI investigators said the former P&H employee was a systems administrator with the company before he was fired on April 1.

Systems administrators have "root level" access to the computer systems they manage, which effectively gives them master keys to open any account and to read any file on their systems, according to the FBI.

About six weeks after the P&H employee was fired, someone accessed the company's computer system from a remote location and turned off the monitoring programs on a company server, according to the FBI. The former employee was intimately familiar with the server because he built the system, FBI officials noted.

The same day, about 3 gigabytes of data were copied from a computer folder with the former employee's name on it, to a computer with his home Internet address, according to the FBI.

The files were then deleted and purged from the company system. Only a systems administrator would have the privileges to purge the files, which permanently removes them from the system, the FBI said.

P&H had a backup tape of the former employee's folder, which indicated it contained about 3 gigabytes worth of data.

The FBI subpoenaed the former employee's Internet service provider, in an effort to track the copied information. It also sought a search warrant to seize his personal computers, along with other computer equipment, disks, magazines and papers.
Joy Global officials did not return Journal Sentinel calls asking about the alleged computer break-in and whether any damage was done to P&H computer systems.

The former employee might have had help accessing the system, according to the FBI. The computer intrusion cost the company more than $5,000 in manpower, the agency noted in the search warrant affidavit.

Randall Kaiser is a Milwaukee attorney representing the former employee.

"This is definitely not a situation where he was trying to do any damage," Kaiser said of his client. "It's an unfortunate situation that we are trying to resolve."

As many as half of all businesses experience break-ins from computer hackers, also called crackers, but most don't report it to law enforcement, according to a government report.

As many as 70% of businesses included in a Computer Security Institute survey said they didn't report computer intrusions to the FBI because they didn't want negative publicity.

About 85% of all computer break-ins are done by company insiders, said Michael Higgins, managing director of TekSecure Labs, a Woodbridge, Va., technologies firm that helps large companies protect their data.

Higgins was not familiar with this particular FBI investigation. But he said it's not unusual for people to try and steal something from their former employers' computers, either for personal gain or as revenge for being fired.

A fired computer administrator can cause a great deal of harm.

"If you fire the guy with the keys to the kingdom, you had better do it very carefully," Higgins said. "There have been numerous cases where fired employees knew the back doors to get inside the company, and destroying data is one of the ways they use to get revenge."

Companies should have a plan that spells out what steps to take when a computer systems manager leaves his employment, according to Higgins.

Some plans can be thwarted if the former employee has personal contacts in the company willing to assist in a computer break-in.
But any employee who offers help puts himself at tremendous risk, Higgins said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Jun 30 03:46:25 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:53:11 2005
Subject: [ISN] Senators propose sweeping data-security bill
Message-ID:

http://news.com.com/Senators+propose+sweeping+data-security+bill/2100-7348_3-5769156.html

By Declan McCullagh
Staff Writer, CNET News.com
June 29, 2005

Corporate data-security practices would be hit with an avalanche of new rules and information burglars would face stiff new penalties under a far-reaching bill introduced Wednesday in the U.S. Senate.

The bill represents the most aggressive--and at 91 pages, the most regulatory--legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months.

"Reforms like these are long overdue," Sen. Patrick Leahy, a Vermont Democrat, said in a floor speech. "This issue and our legislation deserve to become a key part of this year's domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans."

One portion of the bill, named the Personal Data Privacy and Security Act, restricts the sale or publication of Social Security numbers. Also, businesses would be prohibited from requiring SSNs except in a narrow set of circumstances such as obtaining credit reports and applying for a job or an apartment.

Leahy, who had hinted at his plans in a speech in March and had his personal information lost by Bank of America, is co-sponsoring the bill with Pennsylvania Sen. Arlen Specter.
Because Specter is the Republican chairman of the influential Judiciary committee, the measure could move swiftly through the normally torpid legislative process.

"This is an evolving problem that is gigantic," Specter said at a press conference in the Capitol building. He predicted quick action because "we're not dealing with a highly controversial subject where there will be significant differences of opinion."

While portions of the proposal are sure to be criticized by businesses that would be faced with more paperwork and compliance requirements, Congress nevertheless seems eager to act. In speech after speech, politicians have pledged to enact more laws to respond to the data mishaps--promises that have occasionally raised eyebrows because many of the intrusions were already illegal.

Spurring politicians along has been a series of security snafus involving firms including ChoicePoint--which claims to have fixed its problems--Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service. Other suggestions have included narrower measures to restrict the sale of SSNs or mandate notices of security breaches.

Targeting "data brokers"

The Personal Data Privacy and Security Act would:

* Erect a complex regulatory infrastructure around "data brokers," defined as any company or nonprofit that is "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not customers or employees. Data brokers are required to follow European-style guidelines, including mandatory disclosure of a record to that individual.

* Rewrite computer crime laws to create new penalties for database intrusions. The punishments: Fines and 10 years in prison for trespassing in a "data broker's" system, and 5 years in prison if a company or individual "willfully" conceals certain types of serious security breaches.
* Mandate a "comprehensive personal data privacy and security program" for most businesses and individuals acting as sole proprietors--akin to what the Gramm-Leach-Bliley Act required.

* Order companies and individuals acting as sole proprietors to offer notifications if a computer security breach "impacts more than 10,000 individuals."

* Require review of federal sentencing guidelines for misuses of personally identifiable information, and authorize the Justice Department to hand grants to states to "enhance enforcement" of ID fraud-related crimes.

* Create additional "privacy impact assessments" when a federal agency relies on a commercial database consisting "primarily" of information on U.S. citizens. If the database were worldwide in scope and did not consist "primarily" of U.S. citizen information, the requirement would not apply. Also, individual screening programs by federal agencies would have to be explicitly authorized by Congress.

The web of rules surrounding the "data broker" definition could prove problematic, warns Jim Harper, director of information policy at the free-market Cato Institute and a member of the Department of Homeland Security's data privacy advisory committee.

"This is a disaster," Harper said, referring to the portion of the bill that permits individuals to access their records held by data brokers. "The idea is to increase security. But opening databases to access is not increasing security. The issue is supposed to be security and they're going to make databases less secure."

Harper also warned that the definition of "data broker" might cover news or gossip Web sites that publish personal information in articles, alumni organizations, charities and more. They would be subject to database access requirements. "I can't imagine all the different entities that would fall into that realm," he said.

CNET News.com's Anne Brouche contributed to this report.
From isn at c4i.org Thu Jun 30 03:46:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:53:31 2005
Subject: [ISN] Veritas Software Under Attack
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=164903957

By Gregg Keizer
TechWeb News
June 29, 2005

One of the seven vulnerabilities recently found in various Veritas backup components is under attack, said security vendor Symantec Wednesday. The company -- which recently finalized a merger with Veritas -- recommended that users patch post haste.

The multiple vulnerabilities in Veritas' Backup Exec first went public last week, when the Mountain View, Calif.-based storage software company released a slew of security advisories that outlined problems ranging from possible denial-of-service (DoS) attacks to remote execution of code. Veritas ranked five of the seven as "High" impact, its most dire threat level, while two were rated as "Low."

Within two days of the vulnerabilities going public -- the researchers who discovered the vulnerabilities held the news until patches were produced by Veritas -- Symantec warned that an exploit had been released for one of the most dangerous bugs.

That vulnerability, a buffer overflow flaw in Backup Exec's Remote Agent, could be exploited, said Symantec, by hackers passing an extra-long password to the Agent, software which listens on TCP port 10000 and accepts connections from the backup server when a backup is scheduled.

One day later, Symantec began monitoring a sudden increase in port scanning for port 10000. SANS' Internet Storm Center detected the same spike in port sniffing.

"Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit," the center warned in an online briefing Monday.
According to Symantec's DeepSight Threat Network, the Cupertino, Calif.-based security giant's global network of sensors, the number of distinct IP addresses found scanning for port 10000 jumped from essentially zero on Sunday, June 26, to almost 8,000 by the end of the next day.

"The increase is likely indicative of a bot network performing a consistent and controlled propagation to vulnerable hosts on the Internet," said Symantec in a DeepSight alert sent to customers.

Although the actual exploit had yet to be captured, Symantec was sure the vigorous port scanning was a sign of it being used on a wide scale, and again recommended that Veritas users patch as soon as possible.

As is typical, the bot author used several techniques to hide the code from analysts, and to make it difficult to predict which port may be used by the exploit to communicate back to its creator for additional instructions and/or software.

A "honeypot" system that Symantec set up, however, grabbed a sample of the exploit on Thursday when an analyst was able to simulate a partial infection on a PC and trick the attacker into sending the rest of the code.

"This is indeed the result of a malicious IRC-based bot program, known as W32.Toxbot," Symantec researchers said in the report issued Thursday.

Toxbot, which was first discovered in March, can also use various Microsoft vulnerabilities, including those in SQL Server, DCOM, and LSASS, the trio that spawned Slammer, MSBlast, and Sasser, respectively.

"The DeepSight team strongly encourages network and system administrators to take immediate action to patch or mitigate the threat in the vulnerability," the report continued.

But what with the aggressive spread of Toxbot, it may be too late for some.

"Machines that have been left unprotected following the original release [of the security bulletin] may have already been compromised or exposed to attack," Symantec's researchers warned.
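The two signals the article describes, a jump in distinct source addresses probing 10000/tcp and connections to the Remote Agent port from hosts that are not the backup server, can both be pulled out of ordinary firewall logs. The following is an added example written for this digest, not code from Symantec, SANS or Veritas; it assumes a hypothetical one-line-per-connection log format and a hypothetical backup-server allowlist, and the log lines are constructed.

```python
"""Detect a port-10000/tcp scanning surge and unexpected Remote Agent clients.

Added example (not vendor code). Assumed hypothetical log line format:
    "<ISO-8601 timestamp> <src-ip> -> <dst-ip>:<dst-port>/<proto>"
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Port the Backup Exec Remote Agent listens on, per the article.
REMOTE_AGENT_PORT = 10000

# Hypothetical allowlist: only the backup server should ever reach the agent.
BACKUP_SERVERS = {ipaddress.ip_address("10.0.0.5")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)/(?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return ts, src, dst, int(m["port"]), m["proto"].lower()


def distinct_scanners_per_day(lines, port=REMOTE_AGENT_PORT):
    """Map each calendar day to the set of distinct sources that hit port/tcp."""
    per_day = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage rather than abort the whole run
        ts, src, _dst, dport, proto = rec
        if proto == "tcp" and dport == port:
            per_day[ts.date()].add(src)
    return per_day


def spike_days(per_day, factor=10, floor=5):
    """Days whose distinct-scanner count is at least `factor` times the
    previous day's count and at least `floor` (so 0 -> 3 is not a spike)."""
    flagged = []
    days = sorted(per_day)
    for prev, cur in zip(days, days[1:]):
        before = len(per_day[prev])
        now = len(per_day[cur])
        if now >= floor and now >= factor * max(before, 1):
            flagged.append(cur)
    return flagged


def unexpected_agent_clients(lines, allowed=BACKUP_SERVERS, port=REMOTE_AGENT_PORT):
    """Sources that touched the Remote Agent port but are not backup servers."""
    seen = set()
    for sources in distinct_scanners_per_day(lines, port).values():
        seen |= sources
    return seen - allowed


# Constructed sample log: a quiet day, then a burst of 30 outside hosts
# probing 10000/tcp (documentation address ranges, not real scanners).
SAMPLE_LOG = [
    "2005-06-26T02:00:00 10.0.0.5 -> 10.0.0.20:10000/tcp",    # scheduled backup
    "2005-06-26T09:15:00 198.51.100.7 -> 10.0.0.20:10000/tcp", # one stray probe
    "2005-06-26T11:30:00 198.51.100.7 -> 10.0.0.20:80/tcp",    # unrelated port
    "this line is not a log record",                            # malformed
] + [
    f"2005-06-27T{n % 24:02d}:00:00 203.0.113.{n} -> 10.0.0.20:10000/tcp"
    for n in range(1, 31)
]

if __name__ == "__main__":
    per_day = distinct_scanners_per_day(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, "distinct sources probing 10000/tcp:", len(per_day[day]))
    print("spike days:", [str(d) for d in spike_days(per_day)])
    print("unexpected agent clients:", len(unexpected_agent_clients(SAMPLE_LOG)))
```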
From isn at c4i.org Thu Jun 30 03:47:09 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:53:46 2005
Subject: [ISN] Hacker threat to records
Message-ID:

http://www.thesun.co.uk/article/0,,2-2005300108,00.html

By JACQUI THORNTON
Health Editor
June 30, 2005

PLANS to put patients' medical records on a central computer will put millions at risk from hackers, GPs said yesterday.

They fear that releasing information to the system would betray patients' trust, leaving people wide open to ID theft and other abuses.

The new electronic health record system being overseen by Health Secretary Patricia Hewitt will allow doctors to see patient records anywhere in England.

But Dr Eleanor Scott, a GP from Barnet, North London, told the British Medical Association's annual conference that there would be huge potential for unauthorised access. And patients may become reluctant to talk about stigmatising conditions such as sexually-transmitted diseases or mental illness.

She added: "Any such database presents a minefield of confidentiality issues. Medical records could be accessed by many people working where security is difficult to achieve.

"The risks of errors, unauthorised access, identity theft and malicious tampering are legion."

She said the database would include details of hobbies, jobs, religion, family and friends.

And Dr Scott told delegates in Manchester the system would cost more than £30billion to set up - far more than the Government's national identity card scheme.

Vivienne Nathanson, the BMA's head of ethics, said the database may be useful but warned that 100 per cent security was "unachievable".

Dr Simon Eccles, NHS head of IT, said people would not have to give information about certain medical conditions.

From isn at c4i.org Thu Jun 30 03:47:51 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:54:00 2005
Subject: [ISN] Security UPDATE -- So You Found a Security Problem, Now What?
-- June 29, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free download: Speed up your systems with Diskeeper
http://list.windowsitpro.com/t?ctl=D577:4FB69

Symantec Storage and Systems Management Solutions
http://list.windowsitpro.com/t?ctl=D587:4FB69

====================

1. In Focus: So You Found a Security Problem, Now What?

2. Security News and Features
- Recent Security Vulnerabilities
- No More Antigen for Unix and Linux
- Firewall Appliances, Part 1
- Importing Security Settings into a GPO

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- SOHO Broadband Security Appliance

====================

==== Sponsor: Executive Software ====

Free download: Speed up your systems with Diskeeper

Keeping systems up and available to the users is vital! Slow, crash-prone systems have a devastating effect on productivity and security. Disk fragmentation is a major cause of crashes and slowdowns -- but who has the time to defragment every system, every day? The solution: Diskeeper, the Number One Automatic Defragmenter. Automatic defragmentation boosts performance and reliability and decreases Help Desk traffic. Click the link to get FREE fully-functional Diskeeper trialware. You'll discover why Diskeeper is the Number One Automatic Defragmenter with over 17 million sold.
http://list.windowsitpro.com/t?ctl=D577:4FB69

====================

==== 1. In Focus: So You Found a Security Problem, Now What? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Lots of people find security problems with hardware and software products, network services, Web sites, and more.
Some find problems through day-to-day computer use; others search for security problems purposely either as a hobby or as part of their job. When you find a security problem, what do you do? The obvious answer is to contact the company that produced the product. However, alerting a company to your discovery of a problem in one of its products can be a challenge.

Lots of companies simply don't prepare for reports of problems in their products and services. Their employees don't know what to do when people try to report problems. Nor do their Web sites or product documentation provide any information about who to contact for security matters.

Like many of you, I subscribe to a lot of security mailing lists. I can't even begin to remember the number of times I've read a message to one of those lists from someone asking how to contact a given company. The messages typically say something like, "I found a security problem in Product XYZ. I tried to contact the company via email and received no response. Does anybody have security contact info for the company?"

A good case in point happened last week. Someone found a problem in a widely used product and tried to contact the company via email and by phone. The person couldn't make it past the receptionist and so couldn't offer the information about the security problem to anybody in a position to do something about it. The person posted a description of the experience to a popular security mailing list, and now the company has to endure the embarrassment that comes along with public knowledge of its shortcomings--and the company's customers are more exposed to someone exploiting the publicized vulnerability.

Had the company trained the receptionist to handle calls regarding security matters, the incident probably wouldn't have happened. As it turns out, the company in question read the message on the popular mailing list and quickly contacted the researcher.
The company also quickly established a "security@" mailbox to which future reports can be sent.

Of course, in other cases, it turns out that the person who posted the vulnerability details didn't try very hard to contact the vendor. I'll sidestep the endless debate about whether vulnerability information should be publicly posted and say that these situations point out that every company that provides products and services should have information listed in plain sight in the product documentation and on the company Web site that shows who to contact about security matters. Even if a company's Web site serves only as an advertising vehicle and not as an ecommerce site, the company should include such contact information.

Likewise, when you're shopping for products, you should check whether a vendor lists security contact information. After all, you want the most secure products you can get, right? If a company doesn't provide a highly visible contact for security problems, the company is making it more difficult than necessary for people to report security problems directly to the company. And as I pointed out earlier, such difficulty can lead to vulnerabilities being publicly disclosed.

The trend seems to be to establish a "security@" or possibly a "secure@" email address that people can use to report potential security problems. Vendors should consider establishing such an address, if they haven't already.

====================

==== Sponsor: Symantec ====

Symantec Storage and Systems Management Solutions

Symantec invites you to view a series of on-demand webcasts featuring Gartner Analysts to learn how Symantec's LiveState solutions can help ensure that your client devices are secure, available, and compliant with corporate standards -- from acquisition to disposal. Webcasts focus on Client Management Issues, Effective Patch Management, Protecting the Integrity and Availability of your Company's Information, and Discovery of IT Assets.
Learn how to stay competitive in a world where change is inevitable. Find more information and register now at
http://list.windowsitpro.com/t?ctl=D587:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=D579:4FB69

No More Antigen for Unix and Linux
Microsoft completed its acquisition of Sybari and said it will discontinue new sales of Sybari Antigen for Unix and Linux. No surprise there. The company will continue sales of Antigen for other products.
http://list.windowsitpro.com/t?ctl=D581:4FB69

Firewall Appliances, Part 1
When it comes to network security, the firewall is your primary line of defense. Firewalls have undergone a major transition in the past few years. In this two-part series, Thomas W. Shinder looks at popular firewall appliances and makes recommendations based on the size of your organization, the level of security you require, and the cost of the solution.
http://list.windowsitpro.com/t?ctl=D57E:4FB69

Importing Security Settings into a GPO
Unfortunately, you can't export a GPO's security settings. Moving settings from one GPO to another requires a fairly simple workaround. Randy Franklin Smith explains how to do it by using the Secedit command.
http://list.windowsitpro.com/t?ctl=D57F:4FB69

====================

==== Resources and Events ====

The Essential Guide to Exchange Preventative Maintenance
Database health is the weakest link in most Microsoft Exchange Server environments. Download this Essential Guide now and find out how the ideal solution is an automated, end-to-end maintenance and management tool that provides a centralized view of the entire managed infrastructure. Get your free copy now!
http://list.windowsitpro.com/t?ctl=D578:4FB69

Show Us How You've Used Windows Technology in Innovative Ways
If you've used Windows technology in creative ways to devise specific, beneficial solutions to problems your business has faced, we want you! Now's your chance to get the recognition you deserve. Enter the 2005 Windows IT Pro Innovators Contest now! You could win a complimentary conference pass to Exchange and Windows Connections in San Diego in late October 2005.
http://list.windowsitpro.com/t?ctl=D57A:4FB69

Simplify, Automate and Reduce the Cost of Demonstrating Regulatory Compliance
The need to comply with regulations has increased as legislation such as Sarbanes-Oxley, HIPAA, GLBA, and Basel II take effect. The growth of these mandates has caused an increase in manually intensive, compliance-related tasks that reduce IT efficiency. In this free Web seminar, learn how you can simplify, automate, and reduce the cost of achieving IT security and regulatory compliance. Register now!
http://list.windowsitpro.com/t?ctl=D574:4FB69

Back By Popular Demand--SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=D576:4FB69

It Just Got Easier to Network With Your IT Peers!
Windows IT Pro forums are easier to use, searchable, and complete with RSS feeds so that you'll always receive the latest discussion topics instantly! Check out the new and improved Windows IT Pro forums today.
http://list.windowsitpro.com/t?ctl=D58A:4FB69

Congratulations to the 4th Annual Best of TechEd 2005 Awards winners!
Windows IT Pro and SQL Server Magazine presented awards to Windows and SQL technology vendors in 12 categories and one overall winner at the Best of TechEd Awards in Orlando. The field included more than 260 entries and products were evaluated based on their strategic importance in the market, competitive advantage, and value to the customer. Click here to learn all of the Best of TechEd 2005 winners.
http://list.windowsitpro.com/t?ctl=D589:4FB69

====================

==== Featured White Paper ====

Instant Recovery and Data Protection for SQL Servers
Depending on your environment, Microsoft SQL Server may be your most critical application. In this free white paper, learn the data protection strategies you need to really protect your database, compare the costs, evaluate alternatives, and more!
http://list.windowsitpro.com/t?ctl=D572:4FB69

====================

==== Hot Release ====

FREE Download -- The Next Generation of End-point Security is Available Today.
NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines from all types of malware even before Windows loads and without slowing them down. NetOp provides process & application control, real-time centralized management, automatic network detection & profiles and more. Try it FREE.
http://list.windowsitpro.com/t?ctl=D573:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Firefox 1.0.5 Just Around the Corner
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=D586:4FB69

Waiting for Firefox 1.0.5? You can get it now or later. The "nightly builds" of the new version are available, although the version is still in testing. If you're adventurous, download a copy now. If you like to play it safe, then you better wait for the official release, which undoubtedly is just around the corner.
http://list.windowsitpro.com/t?ctl=D580:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=D584:4FB69

Q: How can I control which authentication methods my Active Directory (AD) domain supports?

Find the answer at
http://list.windowsitpro.com/t?ctl=D582:4FB69

Security Forum Featured Thread: Removing Access

I just took a position as CIO. The previous CIO moved to another area of the business and no longer needs all the access she once gave herself. Can anyone recommend tools to scan the network drives to find where her account is assigned? We have Windows 2000 Active Directory (AD).

Join the discussion at
http://list.windowsitpro.com/t?ctl=D575:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=D583:4FB69

Monthly Online Pass = Quick Security Answers!
Sign up today for your Monthly Online Pass and get 24/7 access to the entire online Windows IT Security article database, including exclusive subscriber-only content. That's a database of over 1900 Security articles to help you get all the answers you need, when you need them. Sign up now for just $14.95 per month:
http://list.windowsitpro.com/t?ctl=D57B:4FB69

====================

==== 4. New and Improved ====
by Dustin Ewing, products@windowsitpro.com

SOHO Broadband Security Appliance
Electronics Lifestyle Integration (ELI) announced the availability of its fully managed Eli broadband security appliance for home, small office/home office (SOHO), and remote-office Internet users.
Eli combines a firewall, antispam and antivirus capability, a DSL modem, a cable router, VPN support, and a Web interface. Eli is designed to deliver the kind of managed security previously available to large enterprises at an affordable price for the SOHO consumer. Pricing is $199.99 per device, and managed service starts at $9.99 per month. For more information, go to
http://list.windowsitpro.com/t?ctl=D58C:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Quest Software
Eleven things you must know about quick AD recovery!
http://list.windowsitpro.com/t?ctl=D58D:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=D588:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=D57C:4FB69

View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Jun 30 03:48:22 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:54:17 2005
Subject: [ISN] Cyber attack threat worsening: experts
Message-ID:

http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=42550&version=1&template_id=36&parent_id=16

Staff Reporter
29 June, 2005

THE threat posed by Distributed Denial-of-Service (DDoS) continues to worsen as society becomes increasingly dependent on the reliability of the Internet, cyber security experts Dr Sven Dietrich and David Mundie have said.

"There has been a marked increase of extortion cases using DDoS during 2004-2005, with attackers threatening online businesses with a denial of service (DoS) if the payment they demand is not made," they said.

Dr Dietrich and Mundie, senior technical staffers of the Carnegie Mellon Software Engineering Institute (SEI), are in Qatar to give presentations at technical workshops on cyber security.

The workshops are being organised on behalf of Qatar Computer Emergency Response Team (Q-CERT) by the Supreme Council for Information and Communication Technology (ictQATAR) and SEI.

Q-CERT, scheduled for launch in September with support from Carnegie Mellon University's CERT Co-ordination Centre, is envisaged as a national organisation to conduct and co-ordinate a comprehensive set of cyber security activities.

The forum is meant to adequately protect Qatar's critical infrastructure as cyberspace becomes the nervous system of government, business and education operations.
"DDoS is a serious problem that disrupts the availability of systems, causes them to become inaccessible, unreliable, or to crash entirely," Dr Dietrich and Mundie said, recalling that DoS had already become a problem in the early 90s.

The goal of a DoS attack is to disrupt some legitimate activity, such as browsing web pages, listening to online radio, transferring money from a bank account, or even docking ships communicating with a naval port, as explained in "Internet Denial of Service: Attack and Defence Mechanisms," which has Dr Dietrich as an author.

This DoS effect is achieved by sending messages to the target that interfere with its operation and make it hang, crash, reboot, or do useless work.

One way to interfere with a legitimate operation is to exploit a vulnerability present on the target machine or inside the target application. The attacker sends a few messages crafted in a specific manner that take advantage of the vulnerability.

Another way is to send a vast number of messages that consume some key resource at the target, such as bandwidth, CPU time, or memory. The target application, machine, or network spends all of its critical resources on handling the attack traffic and cannot attend to its legitimate clients.

When the first massive DoS attacks took place in 1999 against the University of Minnesota, Dr Dietrich had observed and analysed them in his capacity as a senior security architect at the NASA Goddard Space Flight Centre.

"The first massive attacks on public websites including Yahoo and E*Trade happened in 2000, and in the period from then to now the sophistication of attack tools has increased, and at present there is an increase of extortion cases using DDoS," the experts said.

The severity of a DoS attack reaches its peak when, for example, an attacker gains control over 100,000 machines and engages them in generating messages at a target. At this stage the attack becomes a DDoS.
CERT Training and Education is offering a variety of courses with special emphasis on DDoS and defences, incorporating research approaches and concepts such as host system hardening and network hardening.

From isn at c4i.org Thu Jun 30 03:48:36 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:54:37 2005
Subject: [ISN] RSS in Longhorn: The Security Question
Message-ID:

http://www.eweek.com/article2/0,1895,1833035,00.asp

By Ryan Naraine
June 29, 2005

Microsoft Corp.'s ambitious plan to bake RSS deep into the belly of Longhorn will open new attack vectors for spammers, phishers and malicious hackers, security experts say.

"It is inevitable, without a doubt. When Longhorn comes out, attackers will pounce on every new thing to see if Microsoft did it correctly. You can bet RSS integration will be one of those things attackers will want to exploit," said John Pescatore, senior vice president of research at Gartner Inc.

Looking to introduce the fast-growing content syndication technology to a mass audience, Microsoft plans to embed an RSS (Really Simple Syndication) platform to automatically distribute feeds into Windows applications, both its own and those from developers.

The plan is for Longhorn to provide a common feed list of subscriptions and a common feed store of data in Longhorn, which will be available to applications through Windows APIs. The Redmond, Wash., company's vision also includes RSS discovery and easy-to-subscribe options in the upcoming Internet Explorer 7 browser refresh.

With Longhorn, Microsoft will make RSS more understandable to the average, non-technical end user, but once the technology reaches critical mass it will surely become a lucrative target for malicious hackers.

Richard Stiennon, director of threat research at anti-spyware company Webroot Software Inc., has long predicted that RSS will be used to serve up malicious code.
"It's not yet a big target, but once RSS usage becomes as widespread as e-mail or instant messaging, the hackers will find a way to use it to distribute malware," Stiennon said in a recent interview with Ziff Davis Internet News.

Gartner's Pescatore believes crackers will pounce on Microsoft's implementation of RSS to "see if any mistakes were made."

"The RSS threat is a legitimate one, and Microsoft will have to be very careful about how it's baked into the OS. The potential for danger is very, very real," Pescatore said.

"I see it more as a spam threat in the beginning," he added. "With RSS, users are automatically pulling in news feeds, so the authentication side has to be addressed to make sure people are getting the feed they subscribed to. I'm positive we'll see an RSS spam problem because spammers will find a way around the authentication weakness."

Once weaknesses are identified, Pescatore believes the phishers will pounce and try to lure users to visit fake sites to steal confidential information. This type of threat is especially apparent on RSS search engines that pull results from multiple Web sites and present those as an RSS feed.

Because Microsoft is embracing the use of enclosures to deliver attachments in RSS feeds, there is also a risk that rigged media files and other attachment types can find their way onto a user's desktop.

"We're seeing Podcasts become quite popular, and we already know that media player flaws can cause serious damage. Put them together and you will inevitably have problems," Pescatore added. "Any time a protocol has the word 'simple' in it, there will be complicated ways to attack it. We really haven't scratched the surface of the threats yet. There's a lot of active content flowing through RSS aggregators, and the malware writers will want to pounce."
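As an added illustration (not from the article, and not any aggregator's or Microsoft's code) of the two defences the article raises for aggregators, active content in item descriptions and risky enclosure types, the following Python sanitizes a constructed RSS 2.0 feed: it strips script-like tags and event-handler attributes from descriptions and keeps only enclosures whose declared MIME type is on a small allowlist. The feed, the tag set and the allowlist are all assumptions chosen for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Tags an aggregator has no reason to render from an untrusted feed (assumed set).
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "style", "link", "meta", "form"}
# Enclosure types the reader is willing to download (assumed allowlist).
ALLOWED_ENCLOSURE_TYPES = {"audio/mpeg", "image/jpeg", "image/png"}


class _DescriptionSanitizer(HTMLParser):
    """Rebuilds item HTML, dropping dangerous tags (with their content),
    on* event handlers and javascript: URLs in href/src."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.skip_depth += 1    # swallow everything until the matching end tag
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue            # onload=, onmouseover=, ...
            if lname in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def sanitize_feed(xml_text):
    """Parse an RSS 2.0 document and return cleaned items: title, sanitized
    description HTML, and only the enclosure URLs with an allowed type."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        s = _DescriptionSanitizer()
        s.feed(item.findtext("description") or "")
        s.close()
        enclosures = [e.get("url") for e in item.findall("enclosure")
                      if e.get("type") in ALLOWED_ENCLOSURE_TYPES]
        items.append({"title": (item.findtext("title") or "").strip(),
                      "description": "".join(s.out), "enclosures": enclosures})
    return items


# Constructed sample feed: one benign item, one carrying active content and a binary enclosure.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Benign</title>
<description><![CDATA[<p>Hello <a href="http://example.invalid/a">link</a></p>]]></description>
<enclosure url="http://example.invalid/ep1.mp3" length="1" type="audio/mpeg"/></item>
<item><title>Hostile</title>
<description><![CDATA[<p onmouseover="x()">Hi<script>x()</script><a href="javascript:x()">click</a></p><iframe src="http://example.invalid/"></iframe>]]></description>
<enclosure url="http://example.invalid/payload.exe" length="1" type="application/octet-stream"/></item>
</channel></rss>"""
```

Run `sanitize_feed(SAMPLE_FEED)` to see the hostile item reduced to `<p>Hi<a>click</a></p>` with its enclosure dropped, while the benign item passes through unchanged.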
RSS aggregator developers have addressed security by stripping out potentially dangerous tags before the content is displayed to the end user, but unless server-client authentication is strengthened, Webroot's Stiennon said, an RSS-enabled world will struggle to cope with malware.

A Microsoft spokeswoman said the Longhorn developers working on RSS integration will use the mandatory SDL (Security Development Lifecycle) that outlines the cradle-to-grave procedures used for software creation at Microsoft.

The SDL, which was formalized in 2004 for software coming out of Redmond, includes developer training, threat-modeling, code reviews and testing. The procedure is mandatory for all future Internet-facing software.

The SDL framework, which covers four high-level principles covering every stage of software creation, was first implemented in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3, and Microsoft officials say the eventual security improvements have been significant.

Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared with just 24 advisories in Windows Server 2003. The numbers are the same for pre- and post-SDL advisories for SQL Server 2000 and Exchange Server 2000.

From isn at c4i.org Thu Jun 30 03:48:51 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:55:00 2005
Subject: [ISN] OMB: IPv6 by June 2008
Message-ID:

http://www.fcw.com/article89432-06-29-05-Web

By David Perera
Published on June 29, 2005

The federal government will transition to IP Version 6 (IPv6) by June 2008, said Karen Evans, the Office of Management and Budget's administrator of e-government and information technology.

"Once the network backbones are ready, the applications and other elements will follow," she said today while testifying before the House Government Reform Committee.

Worldwide, IPv6 is already replacing IPv4 as the Internet address protocol of choice.
Under IPv4, networked devices are assigned a 32-bit address. That limits the number of addresses to 4.3 billion. Once an unthinkably large number, it's not enough in a world where cell phones can connect to the Internet. Some organizations already resort to assigning a single address to an entire internal network and using a translator for individual devices.

IPv6, however, operates on a 128-bit address standard, which provides 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.

OMB officials will issue guidance shortly for the transition to IPv6, Evans said. That memo will include a requirement that agencies become familiar with some of the pitfalls associated with the new standard.

Earlier this year, the U.S. Computer Emergency Response Team, part of the Homeland Security Department, issued a warning to agencies about the new protocol. Some firewalls and network intrusion-detection systems do not monitor IPv6 traffic, possibly allowing hackers into agency systems. Further, because IPv6-compatible devices automatically assign their own IP addresses, devices could be configured without authorization.

Only the Defense Department has significantly prepared for IPv6, a Government Accountability Office report finds. In contrast, of the other 23 major agencies that are covered by the Chief Financial Officers Act of 1990, 21 lack transition plans, 19 have not inventoried IPv6 software and equipment, and 22 agencies lack business cases and have not developed cost estimates, the report states.

The OMB memo will require agencies to assign a specific individual to coordinate transition planning. Agencies will have to develop an inventory of existing IPv6-ready devices and conduct a transition impact analysis. The CIO Council will release more detailed guidance before the end of 2005, Evans added.
From isn at c4i.org Thu Jun 30 03:49:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jun 30 03:55:16 2005
Subject: [ISN] Hacker logs onto FWP hunter database, but no information stolen
Message-ID:

http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

By NICK GEVOCK
Chronicle Staff Writer
June 29, 2005

A hacker broke into a Montana Department of Fish, Wildlife and Parks computer database containing personal information about hunters last month, but officials say no data was stolen.

The hacker made it onto the FWP server that contained the state's hunter-harvest survey, FWP spokesman Ron Aasheim confirmed Tuesday. The database includes personal information about hunters, including Social Security numbers, along with data on where they hunted and whether they killed game.

Upon discovering the hacking, FWP immediately contacted Sam Mason, a state data security specialist, who determined the hacker hadn't downloaded any information, Aasheim said.

"He told us there's no reason for concern here with identity fraud or stealing of information," Aasheim said. "If there had been, we would have taken other actions and certainly contacting the public was one of them."

The database, which was collected and maintained by FWP's Region 3 staff in Bozeman, was stored on a Montana State University computer system that lacked several security measures, including a "firewall," Aasheim said. But that's the fault of FWP, not MSU.

"There were a couple of steps that we didn't take, just because of a lack of communication," he said. "We take full responsibility."

Based on a review of the database after the incident, it appears that the hacker was looking for storage space for files, Mason said. Hackers often use such databases as a temporary location for storing pirated software so it can be downloaded by others without leaving a trail.
Had any personal information been downloaded, the computer would have created a log of the transfer, but none was created, Mason said.

"It seemed to be just a bunch of people throwing movies or pirated software around," Mason said. "Everything seemed to be quite safe."

Luckily, Aasheim said, the agency's databases use Oracle software, which compresses information into a code that is not visible to hackers as readable text. In addition, the database takes up 12 gigabytes of disk storage that can't be accessed in pieces. A transfer of that size would take time, but the hacker was only on the server for a few minutes.

Americans are increasingly fearful of identity theft, one of the fastest-growing crimes. Several large breaches of databases have occurred over the past year, including the theft of thousands of names from credit card companies and colleges.

FWP has learned from the incident and is taking steps to prevent someone from hacking into other databases, Aasheim said. It is moving all of its databases to a state system that has multiple security steps built in. FWP also is hiring computer specialists to work at each of its seven regional headquarters, Aasheim said.

"We've dodged a bullet, that's the good news," he said. "Now we've taken the steps to correct it."